Wednesday, 2018-06-27

[00:38] *** lifeless has quit IRC
[00:45] *** lifeless has joined #openstack-keystone
[00:45] *** pcichy has quit IRC
[00:46] *** pcichy has joined #openstack-keystone
[00:49] *** Dinesh_Bhor has joined #openstack-keystone
[00:50] *** pcichy has quit IRC
[00:50] *** pcichy has joined #openstack-keystone
[00:51] *** blake has joined #openstack-keystone
[00:55] *** blake has quit IRC
[01:05] *** pcichy has quit IRC
[01:11] *** pcichy has joined #openstack-keystone
[01:20] *** pcichy has quit IRC
[01:30] *** larsks has joined #openstack-keystone
[01:32] *** gongysh has joined #openstack-keystone
[01:38] <lbragstad> kmalloc: yeah - where in the world does the self.test_client get set up?
[01:39] <kmalloc> Part of flask, and in core I use our custom client that does the expected response check
[01:39] <kmalloc> It's a feature of flask 1.0+
[01:50] *** pcichy has joined #openstack-keystone
[01:51] *** gyee has quit IRC
[02:01] *** pcichy_ has joined #openstack-keystone
[02:04] *** pcichy has quit IRC
[02:05] *** pcichy has joined #openstack-keystone
[02:08] *** pcichy_ has quit IRC
[02:09] *** jmlowe_ has joined #openstack-keystone
[02:09] <lbragstad> nice - that's awesome
[02:09] *** pcichy has quit IRC
[02:10] *** jmlowe has quit IRC
[02:16] *** gongysh has quit IRC
[02:35] *** gongysh has joined #openstack-keystone
[02:36] *** sapd has quit IRC
[02:39] *** sapd has joined #openstack-keystone
[02:44] *** itlinux has joined #openstack-keystone
[02:50] *** annp has joined #openstack-keystone
[02:51] *** blake has joined #openstack-keystone
[02:55] <openstackgerrit> Merged openstack/keystone master: Override oauthlib docstrings that fail with Sphinx 1.7.5  https://review.openstack.org/578121
[02:56] *** blake has quit IRC
[03:32] *** dklyle has quit IRC
[03:43] *** bhagyashris has joined #openstack-keystone
[04:06] *** gongysh has quit IRC
[04:11] *** dklyle has joined #openstack-keystone
[04:15] *** gongysh has joined #openstack-keystone
[04:20] *** AlexeyAbashkin has joined #openstack-keystone
[04:27] *** viks_ has joined #openstack-keystone
[04:47] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/577807
[04:49] *** AlexeyAbashkin has quit IRC
[04:52] *** dklyle has quit IRC
[04:57] *** dklyle has joined #openstack-keystone
[04:59] *** gongysh has quit IRC
[05:15] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/577807
[05:17] *** rha has quit IRC
[05:27] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/577807
[05:36] *** gongysh has joined #openstack-keystone
[05:51] *** blake has joined #openstack-keystone
[06:14] *** martinus__ has joined #openstack-keystone
[06:19] *** threestrands has quit IRC
[06:28] *** namnh has joined #openstack-keystone
[06:28] *** issp has joined #openstack-keystone
[06:29] *** dmellado has joined #openstack-keystone
[06:31] *** blake has quit IRC
[06:35] *** AlexeyAbashkin has joined #openstack-keystone
[06:37] *** AlexeyAbashkin has quit IRC
[06:39] *** chrome0 has quit IRC
[06:40] *** nicolasbock has joined #openstack-keystone
[06:41] *** chrome0 has joined #openstack-keystone
[06:42] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/577807
[06:44] *** pcaruana has joined #openstack-keystone
[07:02] *** pcaruana has quit IRC
[07:03] *** peereb has joined #openstack-keystone
[07:04] *** peereb has quit IRC
[07:04] *** peereb has joined #openstack-keystone
[07:05] *** peereb has quit IRC
[07:06] *** peereb has joined #openstack-keystone
[07:07] *** tesseract has joined #openstack-keystone
[07:21] <openstackgerrit> Neha Alhat proposed openstack/keystonemiddleware master: Register session conf options from keystoneauth  https://review.openstack.org/578008
[07:23] *** jaosorior has quit IRC
[07:40] *** tosky has joined #openstack-keystone
[07:42] *** amoralej|off is now known as amoralej
[07:42] *** issp has quit IRC
[07:51] *** rcernin has quit IRC
[07:52] *** rcernin has joined #openstack-keystone
[07:57] *** pcaruana has joined #openstack-keystone
[08:11] *** issp has joined #openstack-keystone
[08:42] <openstackgerrit> wangxiyuan proposed openstack/keystone master: Strict two level limit model  https://review.openstack.org/557696
[08:47] *** rcernin has quit IRC
[08:54] *** d0ugal has quit IRC
[09:09] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/577807
[09:10] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers  https://review.openstack.org/577807
[09:13] *** BlackDex has quit IRC
[09:14] *** Dinesh_Bhor has quit IRC
[09:26] *** BlackDex has joined #openstack-keystone
[09:34] *** parthiban has joined #openstack-keystone
[09:45] *** threestrands has joined #openstack-keystone
[09:45] *** threestrands has quit IRC
[09:45] *** threestrands has joined #openstack-keystone
[09:46] *** threestrands has quit IRC
[09:47] *** threestrands has joined #openstack-keystone
[09:56] <parthiban> Hello all, I would like to know if the guideline (key revocation system to quickly deactivate potentially compromised keys in OpenStack - https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation) is already fixed or is on the roadmap?
[09:56] <parthiban> Can someone help me on this?
[10:18] *** jaosorior has joined #openstack-keystone
[10:31] *** pcaruana has quit IRC
[10:40] *** namnh has quit IRC
[11:15] *** tellesnobrega has left #openstack-keystone
[11:37] *** amoralej is now known as amoralej|lunch
[11:55] *** raildo has joined #openstack-keystone
[12:07] *** mvk has quit IRC
[12:20] *** ispp has quit IRC
[12:37] *** mvk has joined #openstack-keystone
[12:37] *** gongysh has quit IRC
[12:57] *** edmondsw has joined #openstack-keystone
[12:57] *** edmondsw has quit IRC
[12:57] *** edmondsw has joined #openstack-keystone
[13:18] *** amoralej|lunch is now known as amoralej
[13:24] *** vegarl has quit IRC
[13:26] *** vegarl has joined #openstack-keystone
[13:35] *** itlinux has quit IRC
[13:45] <lbragstad> parthiban: i'm not sure i understand what that is supposed to be doing. that looks like something someone on the security team might be able to answer though
[14:11] *** s10 has joined #openstack-keystone
[14:22] *** spilla has joined #openstack-keystone
[14:22] *** itlinux has joined #openstack-keystone
[14:30] *** threestrands has quit IRC
[14:33] *** felipemonteiro has joined #openstack-keystone
[14:34] *** felipemonteiro_ has joined #openstack-keystone
[14:37] *** felipemonteiro_ has quit IRC
[14:37] *** felipemonteiro_ has joined #openstack-keystone
[14:38] *** felipemonteiro has quit IRC
[14:45] *** evrardjp has quit IRC
[14:45] *** evrardjp has joined #openstack-keystone
[14:54] <gagehugo> o/
[15:00] *** tonytan4ever has joined #openstack-keystone
[15:02] *** evrardjp has quit IRC
[15:03] *** evrardjp has joined #openstack-keystone
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove token bind capabilities  https://review.openstack.org/577524
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Introduce new TokenModel object  https://review.openstack.org/559129
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Simplify the token provider API  https://review.openstack.org/545450
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Cleanup keystone.token.providers.common  https://review.openstack.org/577507
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove KeystoneToken object  https://review.openstack.org/577567
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add serialization for TokenModel object  https://review.openstack.org/578434
[15:10] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove remnants of token bind  https://review.openstack.org/578435
[15:15] <kmalloc> lbragstad: going to spin a change to address the comments for the Enforcer
[15:15] <kmalloc> lbragstad: anything else needed for your comments at this point?
[15:16] <kmalloc> lbragstad: i think the rest were just addressed in-line
[15:17] <kmalloc> lbragstad: and do you want me to merge the flask bump with restful add?
[15:17] <kmalloc> lbragstad: i'd prefer not to touch the bottom of that stack, but you have a -1 on the flask req bump
[15:19] <kmalloc> lbragstad: do you have an example of the deprecated action[s]? i don't think we have one in keystone
[15:21] <lbragstad> yep - i included a bunch of examples in the oslo.policy docs - https://docs.openstack.org/oslo.policy/queens/reference/api/oslo_policy.policy.html#oslo_policy.policy.DeprecatedRule
[15:22] <kmalloc> ah
[15:22] <kmalloc> so just a single deprecated rule
[15:22] <kmalloc> not a list of deprecated rules
[15:22] <kmalloc> ok that is easy.
[15:23] *** mvk has quit IRC
[15:23] *** jmlowe_ has quit IRC
[15:26] <kmalloc> lbragstad: but bah, it isn't as elegant as a simple list comprehension
[15:26] <lbragstad> no - it's not
[15:31] <kmalloc> i mean, i could do it in a really ugly nested list comp with itertools.chain
[15:31] <kmalloc> (let's not)
[15:33] *** edmondsw has quit IRC
[15:35] *** peereb has quit IRC
[15:42] *** gyee has joined #openstack-keystone
[15:43] <kmalloc> gyee: psst.
[15:43] <kmalloc> gyee: i want your eyes on some code.
[15:44] <kmalloc> gyee: because i know you're one of the few people who *ever* understood @protected.
[15:44] <gyee> kmalloc, sure, which review?
[15:46] <kmalloc> gyee: sec
[15:46] <kmalloc> gyee: trying to post an updated one
[15:46] <kmalloc> lbragstad: uh. i think your oslo.policy example(s) look weird.
[15:47] <kmalloc> lbragstad: oh nvm
[15:47] <kmalloc> i mis-read that
[15:48] <kmalloc> or... wait i don't understand this...
[15:49] <kmalloc> lbragstad: oh.. ok, so explain to me why deprecated_reason and deprecated_since are on the undeprecated rule?
[15:49] <kmalloc> lbragstad: that makes absolutely no sense.
[15:49] <kmalloc> it seems like values that should be on the deprecatedRule object
[15:50] <kmalloc> lbragstad: it *looks* like the ruledefault is deprecated
[15:50] <kmalloc> with the way it's set up now.
[15:50] <lbragstad> the deprecated rule is just an object that holds the name and check string of the deprecated thing
[15:51] <lbragstad> mmm
[15:51] <kmalloc> lbragstad: right.
[15:51] <kmalloc> lbragstad: and i should still be able to use the deprecated rule, right?
[15:52] <lbragstad> we do some aliasing, yes
[15:52] <lbragstad> there is kind of something similar here https://docs.openstack.org/oslo.config/latest/reference/cfg.html#option-deprecation
[15:52] <kmalloc> hmm. i'm getting some bugs
[15:52] <kmalloc> like my main ruledefault is now failing once i add a deprecated rule
[15:53] <openstackgerrit> Gage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate  https://review.openstack.org/531014
[15:53] <lbragstad> can you paste a diff?
[15:53] <kmalloc> oh.
[15:53] <kmalloc> oh wow, DeprecatedRule just adds a logical OR?
[15:53] <lbragstad> yeah
[15:54] <kmalloc> so you can't deprecate an open-enforcement rule
[15:54] <kmalloc> or a closed enforcement rule
[15:54] <lbragstad> what do you mean?
[15:54] <kmalloc> check_str=''
[15:54] <kmalloc> is open enforcement
[15:54] <kmalloc> same with True
[15:54] <kmalloc> closed enforcement false or false:false
[15:54] <kmalloc> they will always succeed or always fail
[15:54] <lbragstad> do you want to deprecate it for removal?
[15:54] <lbragstad> or rename it?
[15:55] <kmalloc> for removal, right?
[15:55] <lbragstad> yes - that's supported
[15:55] <lbragstad> you just need to set deprecated_for_removal=True
[15:55] <lbragstad> and don't worry about supplying a deprecated rule object
[15:56] <kmalloc> ugh oh wow
[15:56] <kmalloc> uhm, can i say that this interface is hard to work with
[15:56] <lbragstad> yeah - sorry
[15:56] <kmalloc> =/
[15:56] <lbragstad> the permutations for deprecating policies were non-trivial i found
[15:56] <kmalloc> ok i don't care about deprecated for removal... i need to explicitly NOT add those to the possible actions
[15:57] <kmalloc> well no, the interface should have been, imo, deprecatedRule(for_removal/not_for_removal/name/check_str/reason/since)
[15:57] <kmalloc> and RuleDefault(deprecated_rules=[...])
[15:58] <kmalloc> so the deprecation is all contained in the deprecatedRule object
[15:58] <kmalloc> and you could support a rename and supersede of different rules, or even collapsing multiple rules in
[15:58] <kmalloc> lbragstad: so anyway.. let me confirm
[15:59] <kmalloc> lbragstad: -- Deprecated For Removal = Can no longer be used.
[15:59] <kmalloc> lbragstad: Deprecated - Both Action names work? and it's a logical or?
[15:59] <lbragstad> i believe so
[15:59] <lbragstad> i'd need to pull up the code
[16:00] <kmalloc> trying to figure out what to put in the "possible actions" set
[16:00] <kmalloc> rule.name and rule.deprecated_rule.name if not rule.deprecated_for_removal ?
[16:00] <kmalloc> and if rule.deprecated_rule
[16:00] <lbragstad> would you want it in all cases?
[16:01] *** mvenesio has joined #openstack-keystone
[16:01] <lbragstad> because it's a name that we could be referencing somewhere in keystone
[16:01] <kmalloc> hold on here is the diff.
[16:02] <mvenesio> Hi guys, i'm trying to configure keystone federation using the mellon auth module in Red Hat, and i'm having some issues, is there anyone that can help me with this?
[16:02] *** parthiban has quit IRC
[16:03] <lbragstad> kmalloc: if you want to open a bug against oslo.policy (eventually) for adding the deprecated options to the deprecatedrule object, i can clean that up
[16:03] <kmalloc> lbragstad: http://paste.openstack.org/show/724419/
[16:03] <kmalloc> lbragstad: ignore the minor nit fixes
[16:03] <lbragstad> we'll need to support both ways of doing it, but... at least we can offer a better path
[16:03] <kmalloc> look at test_rbac_enforcer changes
[16:04] <kmalloc> and i'm getting http://paste.openstack.org/show/724420/
[16:05] <kmalloc> I have also tried without deprecated for removal
[16:06] <lbragstad> are you wanting to deprecate example:subject_token for removal or replace it?
[16:06] <kmalloc> I want to deprecate example:deprecated
[16:06] <kmalloc> See how the interface doesn't make sense?
[16:06] <lbragstad> yeah - i see it
[16:07] <lbragstad> but what you're saying is that example:subject_token is deprecated for removal
[16:07] <kmalloc> That is going by your Oslo policy docs
[16:07] <kmalloc> Afaict
[16:08] <lbragstad> i don't think it is because there isn't an example that uses a deprecated rule object and deprecated_for_removal
[16:08] <lbragstad> which is probably something i should fix by adding another example
[16:09] <kmalloc> I tried without for removal in many permutations, didn't work.
[16:09] <kmalloc> I was looking at the role:bang example
[16:09] *** edmondsw has joined #openstack-keystone
[16:10] <kmalloc> So, fwiw, I just don't know what actions should be valid with this deprecation and... If I need to do something to load the rule properly to the enforcer
[16:10] <lbragstad> so - what does the enforce need to know?
[16:10] <lbragstad> enforcer*
[16:11] <lbragstad> all the possible policy names, right?
[16:11] <kmalloc> One thing: policy names
[16:11] <lbragstad> ok
[16:11] <kmalloc> But.. I want to make sure if we have a deprecated action name that should still work, enforce_call can be used with it.
[16:11] *** s10 has quit IRC
[16:11] <kmalloc> So, the test needs to stand up a reasonable example.
[16:14] <lbragstad> http://paste.openstack.org/show/724421/ should work - but it sounds like you've tried that
[16:14] <kmalloc> ok so i have 2 examples i need to cover
[16:14] <kmalloc> 1) deprecated rule, simple rename
[16:14] <kmalloc> 2) deprecated rule, new check_str default
[16:14] <kmalloc> and ignore "deprecated_for_removal"
[16:15] *** issp has quit IRC
[16:15] <lbragstad> ok - so
[16:15] <kmalloc> with a rename, same check_str, i just copy the check_str?
[16:15] <kmalloc> or can both of those be covered in the same test.
[16:17] <lbragstad> http://paste.openstack.org/show/724422/
[16:20] <lbragstad> https://bugs.launchpad.net/keystone/+bug/1778945
[16:20] <openstack> Launchpad bug 1778945 in OpenStack Identity (keystone) "Complexity in token provider APIs" [Medium,Triaged]
[16:21] <kmalloc> hmm.
[16:22] <kmalloc> lbragstad: ok i got the parsing error solved
[16:22] <kmalloc> lbragstad: it looks like deprecatedRule doesn't get loaded into the enforcer (oslo_policy) object
[16:22] <kmalloc> https://www.irccloud.com/pastebin/tAXkpzXy/
[16:23] <kmalloc> lbragstad: do i need to add the deprecated rule to the rule_list as well?
[16:24] <lbragstad> no - it should be picked up by oslo.policy if it's passed into a rule as .deprecated_rule
[16:25] <kmalloc> https://www.irccloud.com/pastebin/jSe4rXSK/
[16:25] <kmalloc> right?
[16:25] <kmalloc> and i tried example:deprecated and the action check succeeds now
[16:25] <kmalloc> but i get Rule [example:deprecated] does not exist
[16:26] <lbragstad> what's asking for example:deprecated?
[16:26] <kmalloc> i'm doing an explicit enforce.enforce_call(action='example:deprecated')
[16:26] <kmalloc> to test that the action is in-fact valid
[16:27] <lbragstad> oh
[16:27] <lbragstad> https://bugs.launchpad.net/oslo.policy/+bug/1778949
[16:27] <openstack> Launchpad bug 1778949 in oslo.policy "Deprecated rule is confusing" [Undecided,New]
[16:28] <kmalloc> that is a good bug report
[16:28] <kmalloc> and yes, that will help avoid confusion
[16:28] <kmalloc> but right now i'm worried you can't reference the old action
[16:28] <lbragstad> ok so
[16:29] <kmalloc> *or* is it just that we logical or and load from policy.json?
[16:29] <lbragstad> let's say we have example:foo
[16:29] *** tosky has quit IRC
[16:29] <lbragstad> and we use that to enforce some method create_foo
[16:29] <kmalloc> right.
[16:29] <lbragstad> but we decide we want to change it to example:create_foo instead
[16:29] *** tosky has joined #openstack-keystone
[16:30] <kmalloc> yep.
[16:30] <kmalloc> with you so far.
[16:30] * lbragstad is getting a paste
[16:30] * kmalloc is getting the impression that nothing needed to change in the test_rbac_enforcer file to support deprecated actions.
[16:31] <kmalloc> that it's just to load from policy.json
[16:31] <lbragstad> this is the policy we have
[16:31] <lbragstad> http://paste.openstack.org/show/724423/
[16:32] <lbragstad> but this is what we change to
[16:32] <lbragstad> http://paste.openstack.org/show/724424/
[16:32] <lbragstad> when we make ^ change
[16:32] <lbragstad> code in keystone starts enforcing on example:create_foo right?
[16:33] <kmalloc> and keystone never uses the action "example:foo"
[16:33] <lbragstad> yeah
[16:33] <kmalloc> but we load it from policy.json
[16:33] <lbragstad> and we pull the check_str
[16:33] <kmalloc> ok, then enforcer and potential actions didn't need to change
[16:34] <lbragstad> in that case - maybe not
[16:34] <kmalloc> since enforcer is only caring about what keystone [internally] calls the action
[16:34] <kmalloc> we would always call it example:create_foo
[16:34] <kmalloc> and the rest is just leaning on oslo_policy
[16:34] <kmalloc> cool.
[16:34] *** tesseract has quit IRC
[16:34] <lbragstad> ok - is there any other place where that isn't true?
[16:35] <lbragstad> if we deprecate a policy for removal
[16:35] <lbragstad> we should be enforcing on its replacement, right?
[16:36] <kmalloc> right
[16:36] <lbragstad> ok
[16:36] <kmalloc> basically once a policy is deprecated we never should reference it in keystone
[16:36] <lbragstad> sorry for the wild goose chase :(
[16:36] *** felipemonteiro__ has joined #openstack-keystone
[16:36] <kmalloc> *BUT* deprecated_for_removal is still added to the action names
[16:37] <kmalloc> i can filter those
[16:37] <kmalloc> let me do that.
[16:38] <kmalloc> ok, so i am now filtering out any rule that is .deprecated_for_removal
[16:38] *** jmlowe has joined #openstack-keystone
[16:38] <kmalloc> it won't be a valid action to call
[16:38] <kmalloc> lbragstad: that sound correct?
[16:39] *** jmlowe has quit IRC
[16:39] <lbragstad> i think so - if it's been deprecated for removal, we shouldn't be protecting APIs with it IMO
[16:39] <kmalloc> odne
[16:39] <kmalloc> done*
[16:39] <lbragstad> so if we have identity:foo
[16:39] <kmalloc> let me run pep8 and test_rbac_enforcer again
[16:39] <kmalloc> then will post.
[16:39] *** jmlowe has joined #openstack-keystone
[16:40] <lbragstad> and we deprecate it for removal because we no longer support the foo API
[16:40] <kmalloc> there is no reason to refer to the action
[16:40] * kmalloc nods.
[16:40] <lbragstad> right
[16:40] *** felipemonteiro_ has quit IRC
[16:40] <lbragstad> that's kind of a weird example, but...
[16:40] <lbragstad> seems rare
[16:40] <kmalloc> hey, whatever.
[16:41] <kmalloc> we need to fix oslo.policy to emit [in logs] the paths
[16:41] <kmalloc> not just the action:name
[16:42] <lbragstad> why the paths?
[16:42] <kmalloc> because action:name is wonky
[16:42] <kmalloc> should i emit the path in our enforcer?
[16:42] <kmalloc> i mean, i can do it...
[16:42] <lbragstad> those are only there in instances of DocumentedRuleDefaults
[16:42] <kmalloc> right. sorry in our enforcer
[16:42] <kmalloc> i could emit the request path in the debug log
[16:42] <kmalloc> (easily)
[16:43] * kmalloc will revisit that thought later.
[16:43] <lbragstad> also - let me know if you have additional things to add to https://bugs.launchpad.net/keystone/+bug/1778945 or if it makes sense
[16:43] <openstack> Launchpad bug 1778945 in OpenStack Identity (keystone) "Complexity in token provider APIs" [Medium,Triaged]
[16:43] *** edmondsw has quit IRC
[16:43] * kmalloc nods.
[16:43] <kmalloc> will look shortly
[16:44] <kmalloc> as soon as i post this and make gyee review it
[16:44] <kmalloc> ;)
[16:44] <lbragstad> wfm
[16:44] *** edmondsw has joined #openstack-keystone
[16:44] <kmalloc> oh goodie here it goes :)
[16:44] *** edmondsw has quit IRC
[16:44] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/576639
[16:44] <kmalloc> gyee: ^ that
[16:45] <kmalloc> gyee: new enforcer to break apart @protected to something usable
[16:45] <kmalloc> yes it is Flask-only, but we're moving APIs to flask.
[16:45] <kmalloc> lbragstad: ok let me rebase a couple changes and then look at that bug.
[16:47] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g  https://review.openstack.org/578189
[16:47] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/578190
[16:49] <kmalloc> lbragstad: that bug looks 100% accurate and complete
[16:49] <lbragstad> cool
[16:49] *** spilla has quit IRC
[16:50] <kmalloc> well it looks like i'm merging the requirements update[s]
[16:50] <kmalloc> because requirements check is complaining =/
[16:53] <lbragstad> sounds good
[16:54] <lbragstad> i'm going to step away to get a run in over lunch, but i'll rebase the token provider refactor and associate it to https://bugs.launchpad.net/keystone/+bug/1778945 once i get back
[16:54] <openstack> Launchpad bug 1778945 in OpenStack Identity (keystone) "Complexity in token provider APIs" [Medium,Triaged]
[16:54] <lbragstad> i need a release note for it anyway
[16:55] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add Flask-RESTful and update flask minimum(s)  https://review.openstack.org/574414
[16:55] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Implement scaffolding for Flask-RESTful use  https://review.openstack.org/574415
[16:55] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Keystone adheres to public_endpoint opt only  https://review.openstack.org/574502
[16:55] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask  https://review.openstack.org/574736
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add support for before and after request functions  https://review.openstack.org/576637
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Don't replace the whole app just the wsgi_app backing  https://review.openstack.org/577587
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Make it easy to identify a 404 from Flask  https://review.openstack.org/577627
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Address minor comments to 404 error detection  https://review.openstack.org/578216
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/576639
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g  https://review.openstack.org/578189
[16:56] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/578190
[16:57] <kmalloc> lbragstad: ^ AND rebased.
[16:58] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add Flask-RESTful and update flask minimum(s)  https://review.openstack.org/574414
[16:58] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Implement scaffolding for Flask-RESTful use  https://review.openstack.org/574415
[16:58] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Keystone adheres to public_endpoint opt only  https://review.openstack.org/574502
[16:58] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask  https://review.openstack.org/574736
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add support for before and after request functions  https://review.openstack.org/57663716:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Don't replace the whole app just the wsgi_app backing  https://review.openstack.org/57758716:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Make it easy to identify a 404 from Flask  https://review.openstack.org/57762716:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/57663916:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g  https://review.openstack.org/57818916:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/57819016:58
*** spilla has joined #openstack-keystone16:59
* kmalloc grumps about working in a review-set 11 reviews deep17:00
kmallocgyee: let me know if you have questions, but def. would like your input :)17:01
*** felipemonteiro__ has quit IRC17:16
*** felipemonteiro_ has joined #openstack-keystone17:16
*** amoralej is now known as amoralej|off17:29
*** vishakha has quit IRC17:50
lbragstadnice17:52
*** edmondsw has joined #openstack-keystone18:01
*** vishakha has joined #openstack-keystone18:03
*** edmondsw has quit IRC18:06
gyeekmalloc, just got back to my desk. I'll take a look.18:09
openstackgerritGage Hugo proposed openstack/keystone master: Refactor trust roles check  https://review.openstack.org/57850918:17
*** TheJulia has joined #openstack-keystone18:25
TheJuliao/ curious.... are there any known issues where keystone is sporadically not responding in CI jobs?18:26
mvenesioHi guys, i'm trying to configure keystone federation using the mellon auth module in REDHAT, and i'm having some issues, is there anyone that can help me with this ?18:31
larsksmvenesio: have you seen the docs on that topic? https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/federate_with_identity_service/#add_the_rh_sso_fqdn_to_each_controller18:34
larsksmvenesio: fwiw, I've spent the last couple of weeks improving the state of openid federation support in tripleo. Similarly improving the experience with mellon is next on my list.18:35
lbragstadmvenesio: jdennis is really knowledgeable on that topic, too18:39
lbragstadTheJulia: do you have a link?18:39
lbragstadto a failure?18:40
TheJulialbragstad: http://logs.openstack.org/06/575206/7/check/ipa-tempest-dsvm-wholedisk-bios-ipmi-iscsi-coreos-src/208599f/logs/screen-ir-cond.txt.gz?level=WARNING#_Jun_27_14_17_19_33600018:41
TheJulianothing in the keystone lines up time wise, it is like the request disappeared into the ether18:41
mvenesiolarsks: yes i've saw it, but the document assumes that you're using a RH-SSO server, and we are authenticating through an Apareo CAS18:42
TheJuliaI've seen a couple different variations like that over the last day or two18:42
lbragstadhmm18:43
lbragstadthese are the only errors i'm seeing in the keystone logs http://logs.openstack.org/06/575206/7/check/ipa-tempest-dsvm-wholedisk-bios-ipmi-iscsi-coreos-src/208599f/logs/screen-keystone.txt.gz?level=ERROR18:43
mvenesiolarsks: nevertheless, we are connecting with the CAS from horizon, but once we put the user and password then the CAS redirects to an horizon URL that fails with a bad reuest18:44
lbragstadwhich don't actually emit an error response via the API18:44
lbragstadthey're warning specifically for operators about how they have roles setup18:44
mvenesiolarsks: this is te error we are getting from keystone : https://pastebin.com/BKX2S4dF18:45
mvenesiolarsks: and this is the response we are getting from CAS once we doing the authentication: https://pastebin.com/SeJKnBjV18:46
jdennismvenesio: We have a very detailed knowledge base article on setting up federation with mellon, do you have access to the customer portal? If so I'll send you a link, otherwise I can point you to a preliminary version on my public page.18:46
*** felipemonteiro_ has quit IRC18:46
mvenesiojdennis: i have access please send me the link18:46
jdennismvenesio: Also you should know there is currently work going on to add support for configuring federation in tripleo18:47
mvenesiolarsks: seems like :5000/v3/OS-FEDERATION/identity_providers/CAS/protocols/mapped/auth/mellon/postResponse its not accepted by horizon and returns a BAD Request18:47
jdennisand work being done to support mod_auth_openidc18:47
mvenesiojdennis: in this case only mellon its supported regarding the REDHAT support, so if you have a link with a better explanation18:48
mvenesiojdennis: it will be great18:48
*** felipemonteiro_ has joined #openstack-keystone18:49
jdennismvenesio: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/federate_with_identity_service/18:50
lbragstadTheJulia: it looks like ironic is hitting keystone around that time frame http://logs.openstack.org/06/575206/7/check/ipa-tempest-dsvm-wholedisk-bios-ipmi-iscsi-coreos-src/208599f/logs/screen-keystone.txt.gz#_Jun_27_14_02_53_46632118:51
lbragstadbut that also look normal?18:51
jdennismvenesio: fwiw, the doc was written for customers using tripleo to deploy, if you18:52
mvenesiojdennis: but that guide is public, i'm configuring it manually, not with director18:52
jdennis're not using tripleo you'll have to factor some of the Puppet specific information, but it should be obvious18:52
lbragstadTheJulia: GET /identity/v3/auth/tokens => generated 3097 bytes in 31 msecs (HTTP/1.1 200)18:52
*** mvk has joined #openstack-keystone18:53
jdennismvenesio: if you're doing it manually the guide contains a lot of useful information18:53
mvenesiojdennis: yes but some other info seems missing18:54
lbragstadTheJulia: i can't seem to find a matching request ID from the ironic log in keystones, though...18:54
TheJulialbragstad: yeah, 15 minutes before the timeout :\18:54
lbragstadthat's so strange...18:55
lbragstadreq-d334e67b-79dc-4601-976c-1625fe9ecc68 doesn't appear in keystone logs either...18:55
jdennismvenesio: you might also want to check out the Mellon User Guide I wrote, it's now upstream at Mellon, here is the link: https://github.com/UNINETT/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc18:56
jdennismvenesio: I accidentally nuked the last few minutes of chat in my irc client, what did you say about not enough information?18:57
mvenesiojdennis:  We've saw that guide, but the document assumes that you're using a RH-SSO server, and we are authenticating through an Apareo CAS, and seems that some info to do a manual configuration is missing18:59
mvenesiojdennis: horizon have to be using SSL to be integrated ? is that a mandatory requirement  ?19:01
jdennismvenesio: right, in theory SAML is a standard protocol things ought to be pretty close no matter which IdP you use, of course the process of adding an SP to your IdP will be IdP dependent, can't help you with an IdP I'm not familiar with19:01
mvenesiojdennis: horizon have to be using SSL to be integrated ? is that a mandatory requirement  ?19:02
TheJulialbragstad: I'm wodnering if something transient is going on, the dstat cpu utilization numebers don't make sense19:03
jdennismvenesio: only if you care about security :-) I can't remember which components enforce the use of SSL/TLS so I'm not sure if something will error out if you don't use TLS, but it would be a really really bad idea not to use TLS19:05
mvenesiojdennis: yes i know we are just in a lab19:06
lbragstadTheJulia: hmm19:07
jdennismvenesio: I'm pretty sure the SAML spec says you have to use some form of transport layer security, otherwise your assertions and identity data are in the open19:07
lbragstadTheJulia: like - the host is maxed out?19:07
TheJulialbragstad: my gut feeling is heavily throttled from the hypervisor19:07
lbragstadhuh - i wonder what's caused that recently...19:08
TheJuliaI've only looked at one dstat log, but it just seems really weird around the timeout failure19:08
TheJuliaand I've seen similar things when hypervisors are super busy19:09
mvenesiojdennis: understood, i think our issue now is that the AssertionConsumerServiceURL seems to be wrong and we don't know very well which to use19:09
jdennismvenesio: the Mellon User Guide covers that in a fair amount of detail, make sure your SP metadata is correct and loaded into the IdP, also see the troubleshooting sections of the User Guide19:11
mvenesiojdennis: i'll do thanks19:12
kmallocTheJulia, lbragstad: there have been a LOT of timeouts in py* tests as well19:17
kmallocat least in keystone, like 40-50m runtimes which seems like busy hypervisors19:17
kmallocit wouldn't surprise me to see stuff like that outside of py* testing19:17
lbragstadthings have felt pretty slow lately wrt the check and gate queues19:18
kmallocyeah.19:19
kmallocand the test runtimes tend to be "ok" when they don't timeout19:19
lbragstadnot sure if those things are related, but it is suspicious19:19
kmallocthe timeouts i've seen could be related to what TheJulia is seeing, just not a test-run timeout (whole job) but one test is hit particularly hard.19:20
lbragstadkmalloc: do we have any documentation outside of https://docs.openstack.org/keystone/latest/advanced-topics/external-auth.html for using bind?19:21
TheJuliakmalloc: interesting...19:21
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add __all__ for keystone modules  https://review.openstack.org/57853619:22
kmalloclbragstad: ^ i can debug/run tests in pycharm with that change :)19:22
kmalloc[yay!]19:22
TheJuliakmalloc: Also interesting is that I've not seen any change in the amount of time the ironic unit tests take19:24
kmallocIt is clearly VM based, since it is intermittent. The whole VM slows down.19:25
TheJuliayeah19:26
*** jmlowe has quit IRC19:42
larsksknikolla: https://bugs.launchpad.net/keystone/+bug/177898919:43
openstackLaunchpad bug 1778989 in OpenStack Identity (keystone) "Keystone client is unable to correctly look up names of federated users" [Undecided,New]19:43
knikollalarsks: cool, can you paste the debug logs showing the /v3/users?domain=<domain>&name=<name> failing for a federated user19:45
larsksknikolla: the whole thing, or just the final request?19:45
knikollajust the final request19:46
knikollai'll work later today on a unit test to expose it and then work on a fix19:46
larsksknikolla: posted.19:48
knikollalarsks: awesome, thanks!19:48
*** edmondsw has joined #openstack-keystone19:50
kmallocTheJulia: when everything is happy, we clearly do not have any real increase in test runtime (actually the opposite, our tests are trending faster since we're doing less "standup" for each run as I move us closer to flask)19:52
*** edmondsw has quit IRC19:54
TheJuliakmalloc: by chance, has a happier time of the day been identified?19:55
*** ayoung has joined #openstack-keystone19:59
ayoungknikolla, about https://bugs.launchpad.net/keystone/+bug/1778989  (Federated user show) can you reproduce?20:00
openstackLaunchpad bug 1778989 in OpenStack Identity (keystone) "Keystone client is unable to correctly look up names of federated users" [Medium,Confirmed]20:00
knikollaayoung: yes20:00
knikollai was with larsks when we found it20:01
ayoungknikolla, you know how to debug using rpdb?20:01
ayoungI'd like to figure out where things are breaking down.20:01
ayoungI suspect it is somewhere between the user and the shadow user abstractions20:01
*** AlexeyAbashkin has joined #openstack-keystone20:02
knikollai suspect it's in how we translate it into a sql query20:02
ayoungah20:03
knikollaas searching by name in a domain does work for sql users and ldap users20:03
knikollabut doesn't for federated users20:03
knikollaand the name of a federated user is is federated_user table under display_name20:03
knikollain*20:04
kmallocTheJulia: not that i've seen, well late late at night it tends to be "better"20:04
TheJuliaThat is my feeling as well. *sigh*20:04
kmallocayoung: if you have bandwidth to review RBACEnforcer, it would be appreciated. you are on the short list of folks who understand policy at all20:04
ayoungkmalloc, link, please?20:05
kmallocs/at all/in depth/20:05
kmallochttps://review.openstack.org/#/c/576639/20:05
kmallocayoung: it is flask-only APIs, but it allows us to just do "enforcer.call_enforce(<args>)"20:05
kmallocrather than trying to make @protected bend to our will20:05
kmalloccall_enforce has a fairly rich interface20:06
kmallocand the following patch from that one has some assurances that an API can't be developed without calling enforcer.call_enforce at some point20:06
larsksknikolla: it's here, right? https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L19120:06
kmallocayoung: https://review.openstack.org/#/c/578189/4 [the following one]20:06
larsksWhere we never even join in the federated_users table...20:06
ayounglarsks, that is a pretty simple query, so I am guessing we've already messed it up by that point20:07
knikollalarsks: yup, looks like it.20:07
ayoungI think the Federated users don't go in that table20:07
larsksayoung: that was my point.20:07
larsksThere is a separate table for federated users, and it's not part of that query.20:08
kmalloccorrect20:08
ayounglarsks, and now you reopen all my old wounds20:08
ayoungI want the ability to pre-populate users from Federated sources for reasons just like this20:08
kmallocayoung: this is the whole "shadow table has not been fully implemented"20:08
kmallocayoung: knikolla is working on real federated testing, it's so delayed, but its on the not-far-off work20:09
ayoungOK...so how *should* this work?20:09
ayoungToday, not in my dream world20:09
kmalloci can't answer the "today question" right now, knikolla probably can.20:09
ayoungonce a user has authenticated via Fed, and been mapped in, we get an entry in the shadow table20:09
kmallocmy brain is off in another land and pivoting is probably not going to work.20:10
ayoungdo they have a username?20:10
ayoungkmalloc, ok, step out, I'll take this20:10
kmallocthanks!20:10
ayoungsince I started the convo.20:10
knikollaayoung: i want to do so much but i'm burning cycles helping people and training interns who never really amount to any help20:10
ayoungbut I will review your RBAC stuff, it looks OK so far20:10
kmallocsummon me if you really need my brain, i'll work to context switch then20:10
ayoungdo Federated users have usernames?20:11
*** blake has joined #openstack-keystone20:11
lbragstadayoung: quick question before you leave, do we have any documentation on using bind with keystone outside of https://docs.openstack.org/keystone/latest/advanced-topics/external-auth.html ?20:11
knikollaayoung: display names20:11
larsksayoung: they have a display_name in the federated_user table.20:11
ayoungguaranteed?20:12
ayounghttps://github.com/openstack/keystone/blob/master/keystone/identity/shadow_backends/sql.py#L3220:12
ayounghttps://github.com/openstack/keystone/blob/master/keystone/identity/shadow_backends/sql.py#L14320:13
larsksayoung: I don't think that matters, right?  If they *have* a display_name, it's what we're showing e.g. the user list, we used it as the name attribute in https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql_model.py#L72, and it should work for queries.20:13
ayoungnew_nonlocal_user_dict = {20:13
ayoung            'name': user_dict['name']20:13
ayoung}20:13
ayounga Federated user gets a nonlocal_user entry based on the user_dict20:14
ayoungright?20:14
* ayoung wanted to use the same table as LDAP...grrrr20:14
* ayoung back to "Keystone sux burn it to the ground" mode again20:15
knikollalol20:15
ayoungOK...so hack to solve this would be:  if nothing in the user table, fall back to shadow table.  Convince me why that is bad.20:16
ayoungwhat if...we look at the domain_id and switch which query to do based on that?  Is there some way to know that it is a "Federated" domain?20:17
knikollano20:17
knikollaeven if an idp is assigned that domain, i don't think there is restriction on what it can have20:18
ayoungwe could put a "Federated" flag on it then20:20
ayounghttps://www.google.com/imgres?imgurl=https://upload.wikimedia.org/wikipedia/commons/thumb/e/e4/Flag_of_the_Federated_States_of_Micronesia.svg/2000px-Flag_of_the_Federated_States_of_Micronesia.svg.png&imgrefurl=https://en.wikipedia.org/wiki/Flag_of_the_Federated_States_of_Micronesia&h=1053&w=2000&tbnid=ewFNDXLcpDLh4M:&q=Federated+Flag&tbnh=160&tbnw=304&usg=__4xkg6Uu_GJSsOVIwsxFqU3GOh3s%3D&vet=10ahUKEwjl7vO-1fTbAhUSvlMKHTz20:20
ayoungIBqwQ9QEILTAA..i&docid=dy1Hgl4juJ7XEM&client=firefox-b-ab&sa=X&ved=0ahUKEwjl7vO-1fTbAhUSvlMKHTzIBqwQ9QEILTAA20:20
ayounghttps://upload.wikimedia.org/wikipedia/commons/thumb/e/e4/Flag_of_the_Federated_States_of_Micronesia.svg/2000px-Flag_of_the_Federated_States_of_Micronesia.svg.png20:20
ayoungIf a domain is a Federated domain, don't allow local users, only look in the shadow puppet table20:21
knikollathat seems like a breaking change20:22
ayoungYeah, so what20:22
ayoungsee previous views on the matter20:22
knikollawhat's wrong with joining the local user table with the federated user table in user list for sql?20:22
ayoungwell, that is also a breaking change20:22
ayoungbreak break breaky break break20:23
ayoungunless it stops things20:23
knikollayes, but it doesn't break existing deployments who have local users in a federated domain20:23
ayoungthen it is a breaking change20:23
ayoungis that a likelihood?20:23
ayoungwhat is the default with Federation?  We were putting them in the "Federated" domain at one point20:24
knikollawhen u create an idp you have to specify a domain20:24
knikollaif u don't, a new domain is created20:24
knikollafor each idp20:24
knikollaand apparently `openstack identity provider create test --domain default` works20:25
*** jmlowe has joined #openstack-keystone20:29
*** AlexeyAbashkin has quit IRC20:45
ayoungknikolla, sorry, had to run and pick up kids...summer time camp pickups are earlier20:54
ayoungjust got back....so do we have a way to link the idp to the domain after it is created, or just via the mapping table?20:55
*** spilla has quit IRC20:57
knikollaayoung: all users from an idp go to the domain of that idp20:58
knikollaspecified on idp creation20:58
knikollathere's nothing enforcing that that domain is exclusive, and it can be shared, or can even be the default domain20:59
knikollagiven that the domain driver will still be sql, i feel that making the identity driver for sql also query the federated_user table makes sense.20:59
*** AlexeyAbashkin has joined #openstack-keystone21:01
*** AlexeyAbashkin has quit IRC21:12
*** martinus__ has quit IRC21:13
*** mvenesio has quit IRC21:18
*** mvenesio has joined #openstack-keystone21:19
ayoungkmalloc, RBAC looks fine.  Pretty straight port from the old code, plus some decent new testing.  Minor nits in comments, fix those and I'll +221:23
*** mvenesio has quit IRC21:24
* lbragstad hands ayoung some popcorn21:26
lbragstadwait for it...21:26
openstackgerritLance Bragstad proposed openstack/keystone master: Remove token bind capabilities  https://review.openstack.org/57752421:38
openstackgerritLance Bragstad proposed openstack/keystone master: Introduce new TokenModel object  https://review.openstack.org/55912921:38
openstackgerritLance Bragstad proposed openstack/keystone master: Add serialization for TokenModel object  https://review.openstack.org/57843421:38
openstackgerritLance Bragstad proposed openstack/keystone master: Simplify the token provider API  https://review.openstack.org/54545021:38
openstackgerritLance Bragstad proposed openstack/keystone master: Remove remnants of token bind  https://review.openstack.org/57843521:38
openstackgerritLance Bragstad proposed openstack/keystone master: Cleanup keystone.token.providers.common  https://review.openstack.org/57750721:38
openstackgerritLance Bragstad proposed openstack/keystone master: Remove KeystoneToken object  https://review.openstack.org/57756721:38
*** felipemonteiro_ has quit IRC21:38
*** edmondsw has joined #openstack-keystone21:38
*** edmondsw has quit IRC21:43
*** tonytan4ever_brb has joined #openstack-keystone21:45
*** tonytan4ever has quit IRC21:45
*** itlinux has quit IRC21:50
*** rcernin has joined #openstack-keystone21:50
*** jmlowe has quit IRC21:56
*** blake has quit IRC22:18
*** jmlowe has joined #openstack-keystone22:28
*** nicolasbock has quit IRC22:29
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer  https://review.openstack.org/57663922:38
kmallocayoung: fixed22:44
*** blake has joined #openstack-keystone22:44
*** blake has quit IRC22:45
*** tonytan4ever_brb has quit IRC23:14
*** tonytan4ever has joined #openstack-keystone23:14
*** edmondsw has joined #openstack-keystone23:27
*** edmondsw has quit IRC23:32
*** tosky has quit IRC23:35
*** alex_xu has quit IRC23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!