Monday, 2018-08-13

*** Nel1x has quit IRC		01:33
*** shyamb has joined #openstack-keystone		01:37
*** elibrokeit has left #openstack-keystone		01:43
*** lbragstad has joined #openstack-keystone		01:58
*** ChanServ sets mode: +o lbragstad		01:58
*** shyamb has quit IRC		02:21
lbragstad	knikolla: ping	03:01
knikolla	lbragstad: o/	03:02
*** lbragstad has quit IRC		03:06
*** lbragstad has joined #openstack-keystone		03:06
*** ChanServ sets mode: +o lbragstad		03:06
lbragstad	knikolla: sorry - i'm having connectivity issues i think :)	03:07
lbragstad	did my question come through?	03:09
knikolla	lbragstad: nope, i don't see it	03:09
lbragstad	i was curious if you had a baseline for how long it takes to do federated authetication in your public cloud deployment?	03:10
knikolla	like a benchmark?	03:11
lbragstad	yeah	03:11
lbragstad	using WebSSO and/or CLI	03:11
knikolla	never measured it, though i can do some profiling tomorrow	03:12
lbragstad	no worries - i was just curious if you had a general idea	03:13
knikolla	it's not particularly slower than plain sql	03:13
lbragstad	would it be weird if it was taking longer than 8 seconds using sso?	03:13
lbragstad	ok - so yeah, 8 seconds would seem slow?	03:13
knikolla	i think so	03:15
lbragstad	ok	03:15
lbragstad	that's about as good of an answer i need i think	03:15
lbragstad	apparently we have an internal team doing some prototypes of federation and they reported some slow authentication times	03:16
* lbragstad doesn't have any details about how things are configured		03:16
knikolla	hmmm	03:17
lbragstad	i plan to ask for specific when wxy-xiyuan and i meet with them, though	03:18
lbragstad	specifics*	03:18
knikolla	sure	03:18
knikolla	websso is a lot of redirects. running a profiler would point which part is slow.	03:19
lbragstad	right	03:19
lbragstad	i don't really have any idea of how much of that time is spent in shib/mellon versus on the wire	03:19
lbragstad	i assume once things hit keystone-proper, it's pretty similar to a local user authentication flow	03:20
knikolla	probably faster since it doesn't have to hash the password	03:20
lbragstad	++ true	03:21
lbragstad	but that's really the only difference, keystone either deals with the password hash or pull attributes exposed from shib and runs it through a mapping	03:22
knikolla	lbragstad: i did get about 5 seconds	03:28
knikolla	with websso through horizon	03:28
knikolla	with horizon taking half of that time.	03:28
lbragstad	interesting	03:28
lbragstad	i assume part of that is spent in shib	03:29
lbragstad	since it has to verify the assertion and expose the mapped attributes as ENVs	03:30
lbragstad	this is totally dependent on the deployment/network, but it would be interesting to setup a test environment with osprofiler enabed and just see how much of that time is actually in keystone	03:31
knikolla	this was with openid connect and mod_auth_openidc	03:31
lbragstad	aha	03:31
lbragstad	would you expect results using mod_shib to be a lot different?	03:31
knikolla	lbragstad: don't know.	03:32
* lbragstad nods		03:32
knikolla	would make for an interesting comparison thouhg.	03:33
lbragstad	this is good to know, if we do get general performance "patterns" then it would be good to add this kinda stuff to docs	03:33
lbragstad	yeah - absolutely	03:33
lbragstad	i would stay away from putting numbers in the results, but just abstract them to percentages if we get useful patterns	03:34
knikolla	definitely.	03:34
knikolla	logging off now, talk to you tomorrow! goodnight.	03:37
lbragstad	thanks for the info knikolla - talk to you tomorrow!	03:37
*** redrobot has quit IRC		03:55
*** dklyle has joined #openstack-keystone		04:23
*** jaosorior has joined #openstack-keystone		04:28
*** dave-mccowan has quit IRC		04:28
*** dklyle has quit IRC		04:38
*** viks_ has joined #openstack-keystone		04:47
*** rcernin has quit IRC		04:54
*** rcernin has joined #openstack-keystone		04:54
*** shyamb has joined #openstack-keystone		05:01
*** shyamb has quit IRC		05:12
*** shyamb has joined #openstack-keystone		05:12
*** openstackgerrit has quit IRC		05:18
*** lbragstad has quit IRC		05:40
*** lbragstad has joined #openstack-keystone		05:42
*** ChanServ sets mode: +o lbragstad		05:42
*** jaosorior has quit IRC		05:59
*** pcaruana has joined #openstack-keystone		05:59
*** shyamb has quit IRC		06:03
*** pcaruana has quit IRC		06:05
*** pcaruana has joined #openstack-keystone		06:19
*** shyamb has joined #openstack-keystone		06:40
*** openstackgerrit has joined #openstack-keystone		06:41
openstackgerrit	Merged openstack/oslo.policy master: add python 3.6 unit test job https://review.openstack.org/589603	06:41
*** shyamb has quit IRC		06:47
*** shyamb has joined #openstack-keystone		06:47
openstackgerrit	Merged openstack/oslo.policy master: Move _capture_stdout to a common place https://review.openstack.org/534440	06:48
*** ispp has joined #openstack-keystone		06:52
*** rcernin has quit IRC		07:03
*** evrardjp has joined #openstack-keystone		07:08
*** shyamb has quit IRC		07:24
*** shyamb has joined #openstack-keystone		07:37
*** pcaruana has quit IRC		07:43
*** jaosorior has joined #openstack-keystone		07:46
lbragstad	kmalloc: the migration to flask has got me thinking if we can remove APIs in favor of making RBAC more granular	07:52
lbragstad	e.g. do we really need the domain-roles API/	07:52
lbragstad	?	07:52
*** shyamb has quit IRC		07:52
* cmurphy waves at lbragstad		07:54
*** lbragstad_ has joined #openstack-keystone		07:55
*** ChanServ sets mode: +o lbragstad_		07:55
* lbragstad_ is having connectivity issues		07:56
lbragstad_	cmurphy: did you happen to see my reply to your newsletter last week?	07:56
cmurphy	lbragstad_: i did, i don't totally understand though	07:56
*** pcaruana has joined #openstack-keystone		07:57
*** lbragstad has quit IRC		07:57
cmurphy	don't we rev the major version anyway just for the cycle?	07:57
lbragstad_	oh - i should have clarified the API version	07:57
lbragstad_	(e.g. 3.10)	07:57
cmurphy	oh gotcha	07:57
cmurphy	but that's not really part of the REST API?	07:58
lbragstad_	right	07:58
lbragstad_	but something we guarantee now?	07:58
lbragstad_	bah - i guess someone can delete them after install	07:58
cmurphy	yeah - also if they're upgrading they're not guaranteed to run bootstrap again	07:59
lbragstad_	which would be misleading - if we say "yep, 3.11 has these roles by default"	07:59
lbragstad_	then someone deletes them because $reason	07:59
lbragstad_	and someone queries the API and sees 3.11 in the response	07:59
lbragstad_	yeah - then my email doesn't really make sense	08:00
mbuil	cmurphy: I am a bit stuck with Shibboleth, when you have some time, it would be great if you could give me a hand :)	08:00
cmurphy	mbuil: sure what's up	08:01
mbuil	cmurphy: I think I had configured everything as stated in the documentation. However, when starting the shibd service or the apache2 service, I get: "Could not load a transcoding service". Logs from apache show nothing else and logs from shibd show nothing	08:03
mbuil	cmurphy: do you have an example of how conf.d/shib.conf should look like?	08:05
cmurphy	mbuil: hmm that error is totally unfamiliar to me but it might be from the language settings http://shibboleth.net/pipermail/users/2014-December/018662.html	08:05
cmurphy	mbuil: i don't, i don't think i've ever had to change it from the default	08:05
*** ispp has quit IRC		08:11
mbuil	cmurphy: it is apparently something related to systemd. When starting them processes manually, they start correctly. weird... anyway, for a prototype should be enough ;)	08:31
cmurphy	:)	08:32
mbuil	s/them/the	08:32
mbuil	cmurphy: regarding the Service Provider’s metadata file. Documentation says that: "If keystone is your Identity Provider you do not need to upload this file.". However, how would the SP and IdP trust each other then?	08:34
*** jaosorior_ has joined #openstack-keystone		08:36
cmurphy	mbuil: in the K2K case, the IdP doesn't need to trust the SP since it's never accepting requests from the SP	08:39
*** jaosorior has quit IRC		08:40
mbuil	cmurphy: the SP will query the IdP to verify a user, right? Shouldn't the IdP do a security check on the SP to verify that it is not a rogue one? Maybe it is stupid :P	08:42
*** shyamb has joined #openstack-keystone		08:44
cmurphy	mbuil: no, the SP never talks to the IdP in K2K (it's part of why K2K is so weird). The SP gets a signed SAML assertion from the IdP, and so the SP needs to trust the IdP, but all the data about the user needs to be contained in that SAML assertion so the SP should never have to ask the IdP for anything else	08:45
mbuil	cmurphy: when does the SP get the signed SAML assertion from the IdP?	08:46
cmurphy	mbuil: it goes through the user's client, they have to authenticate with the IdP and pass the response to the SP	08:48
mbuil	cmurphy: ok, thanks. Hopefully all will be clearer when I see it working :)	08:49
openstackgerrit	Merged openstack/keystone master: Migrate OS-EP-FILTER to flask native dispatching https://review.openstack.org/589274	08:50
cmurphy	mbuil: yeah i found just tcpdumping everywhere after i had it all set up made it start making sense	08:50
openstackgerrit	Merged openstack/keystone master: Convert OS-SIMPLE-CERT to flask dispatching https://review.openstack.org/589282	08:51
openstackgerrit	Merged openstack/keystone master: Pass path into full_url and base_url https://review.openstack.org/589546	08:51
*** shyamb has quit IRC		09:00
*** shyamb has joined #openstack-keystone		09:12
*** shyamb has quit IRC		09:14
*** shyamb has joined #openstack-keystone		09:14
*** jaosorior_ is now known as jaosorior		09:39
mbuil	cmurphy: I am at the mapping step: https://docs.openstack.org/keystone/latest/advanced-topics/federation/configure_federation.html#mapping. In the remote part, I should write a couple of keystone users from the IdP keystone, right? (in the example, instead of 'demo' and 'alt_demo'). Should I leave the type as 'openstack_user'?	09:39
cmurphy	mbuil: you could make it even simpler by omitting the any_one_of part and just having [{"type": "openstack_user"}]	09:42
cmurphy	for a demo it won't really matter but the mapping rules are supposed to give you pretty fine-grained control over who can log in and what they can do https://docs.openstack.org/keystone/latest/advanced-topics/federation/mapping_combinations.html	09:43
mbuil	cmurphy: if I omit the 'any_one_of', all users that appear when typing "openstack user list" in keystone-IdP will be mapped to the "federated_users" group?	09:48
cmurphy	mbuil: right	09:48
*** shyamb has quit IRC		10:07
*** shyamb has joined #openstack-keystone		10:09
*** jaosorior has quit IRC		10:09
*** jaosorior has joined #openstack-keystone		10:11
*** lbragstad_ has quit IRC		10:14
*** shyamb has quit IRC		10:36
*** dmellado has quit IRC		10:46
*** shyamb has joined #openstack-keystone		11:00
*** shyamb has quit IRC		11:12
*** shyamb has joined #openstack-keystone		11:12
*** lbragstad has joined #openstack-keystone		11:15
*** ChanServ sets mode: +o lbragstad		11:15
*** sapd1 has joined #openstack-keystone		11:16
*** dave-mccowan has joined #openstack-keystone		11:51
*** raildo has joined #openstack-keystone		11:59
*** shyamb has quit IRC		12:03
*** shyamb has joined #openstack-keystone		12:11
*** shyamb has quit IRC		12:15
*** jaosorior has quit IRC		12:18
*** jaosorior has joined #openstack-keystone		12:19
*** mchlumsky has joined #openstack-keystone		12:22
*** jistr is now known as jistr\|call		12:32
*** nicolasbock has joined #openstack-keystone		12:48
*** dmellado has joined #openstack-keystone		12:50
*** redrobot has joined #openstack-keystone		12:51
*** jroll has quit IRC		12:59
*** jroll has joined #openstack-keystone		13:00
*** jistr\|call is now known as jistr		13:04
kmalloc	lbragstad: we prob could drop domain roles.	13:04
*** shyamb has joined #openstack-keystone		13:18
*** lbragstad has quit IRC		13:22
*** SteelyDan is now known as dansmith		13:25
*** mvkr has quit IRC		13:29
*** josecastroleon has quit IRC		13:29
*** mvkr has joined #openstack-keystone		13:59
*** shyamb has quit IRC		14:03
*** _ix has quit IRC		14:11
*** josecastroleon has joined #openstack-keystone		14:35
*** josecastroleon has quit IRC		14:36
*** josecastroleon has joined #openstack-keystone		14:36
*** _ix has joined #openstack-keystone		14:48
orange_julius	cmurphy: re ldappool bug comment. Do you mean catching ldap.invalid_credential above ldap.ldaperror and just breaking the while loop there? I agree that would be cleaner.	14:51
cmurphy	orange_julius: yes that's what i meant, if that works i'd prefer to do that	14:52
orange_julius	Ok perfect. I don't see why it wouldn't work. I'll test that change when I get home tonight just to be sure then submit it up	14:54
cmurphy	cool	14:55
gagehugo	o/	15:09
*** shyamb has joined #openstack-keystone		15:34
*** pcaruana has quit IRC		15:37
knikolla	o/	15:48
kmalloc	cmurphy: ++	15:49
openstackgerrit	Chason Chan proposed openstack/keystone master: Fix the incorrect file path of keystone apache2 configuration https://review.openstack.org/586930	16:07
*** dklyle has joined #openstack-keystone		16:10
*** gyee has joined #openstack-keystone		16:23
*** pcaruana has joined #openstack-keystone		16:40
openstackgerrit	Merged openstack/keystone master: Remove unused util function https://review.openstack.org/587232	16:45
gagehugo	kmalloc flask question, do we enforce "identity:get_region" at all here? https://review.openstack.org/#/c/589640/3/keystone/api/regions.py	16:47
*** mvkr has quit IRC		16:48
gagehugo	oh, nvm I think I see the issue	16:49
*** openstackgerrit has quit IRC		17:19
*** NobodyCam has quit IRC		17:19
*** NobodyCam has joined #openstack-keystone		17:19
*** shyamb has quit IRC		17:23
*** aning has joined #openstack-keystone		17:29
*** eandersson has quit IRC		17:32
*** mvkr has joined #openstack-keystone		17:39
kmalloc	gagehugo: yeah good catch, thnx	17:43
*** pcaruana has quit IRC		17:59
*** imacdonn has quit IRC		18:26
*** imacdonn has joined #openstack-keystone		18:51
*** raildo_ has joined #openstack-keystone		18:59
*** raildo has quit IRC		19:00
*** rmascena__ has joined #openstack-keystone		19:06
*** rmascena__ is now known as raildo		19:06
*** raildo_ has quit IRC		19:08
*** wlmbasson_ has joined #openstack-keystone		19:17
*** mgagne_ has joined #openstack-keystone		19:24
*** knikolla has quit IRC		19:25
*** idlemind has quit IRC		19:25
*** adriant has quit IRC		19:25
*** robcresswell has quit IRC		19:25
*** wlmbasson has quit IRC		19:25
*** tommylikehu has quit IRC		19:25
*** jgrassler has quit IRC		19:25
*** mgagne has quit IRC		19:25
*** charz has quit IRC		19:25
*** wlmbasson_ is now known as wlmbasson		19:25
*** adriant has joined #openstack-keystone		19:26
*** knikolla has joined #openstack-keystone		19:26
knikolla	kmalloc: the os-federation flask patch is failing on the tempest federation tests	19:29
*** raildo has quit IRC		19:30
*** raildo has joined #openstack-keystone		19:31
kmalloc	knikolla: i figured it probably would.	19:42
kmalloc	knikolla: what part is failing?	19:43
knikolla	kmalloc: http://logs.openstack.org/82/591082/6/check/keystone-dsvm-functional-v3-only/0ab5d9b/logs/screen-keystone.txt.gz#_Aug_11_23_37_18_420588	19:43
kmalloc	knikolla: and you're testing the latest patchset?	19:43
knikolla	the /auth part	19:43
kmalloc	hmm	19:44
kmalloc	i didn't change the /auth paths	19:44
knikolla	identity_providers/testshib/protocols/mapped/auth	19:44
kmalloc	or is this the os-federation/auth ?	19:44
kmalloc	ah	19:45
kmalloc	that part	19:45
kmalloc	hm.	19:45
kmalloc	knikolla: we need to make that a voting job btw	19:45
kmalloc	i ignore non-voting 100% of the time	19:46
kmalloc	if it isn't voting, i assume it's superfluous	19:46
kmalloc	probably incorrect on my part, but still.	19:46
kmalloc	oh, i think this is the json-body check	19:46
kmalloc	oh, huh.	19:47
kmalloc	this is weird	19:47
rodrigods	i think it is not voting because it uses testshib	19:49
rodrigods	and we don't want to block our patches if an external service is down	19:49
kmalloc	rodrigods: right. we need to fix that asap imo	19:49
rodrigods	+1	19:49
kmalloc	because we don't gate on non-voting tests	19:49
kmalloc	aka, it really doesn't mean much, could break between check->gate and we wouldn't know	19:49
rodrigods	yep, rn is basically task of the reviewer to check if the failure is important or not	19:50
rodrigods	i can try to make this a project for the next outreachy round	19:50
kmalloc	++	19:50
kmalloc	that would be fantastic	19:50
kmalloc	it shouldn't be too bad to do	19:50
rodrigods	yep	19:50
rodrigods	lots of ramp up for the intern, but the result is very useful	19:51
cmurphy	do you have an idp implementation in mind?	19:51
cmurphy	shibboleth and keycloak are not trivial to set up afaik	19:51
knikolla	k2k tests have been up for review for a while. once we merge those i can shut down the testshib part.	19:52
kmalloc	knikolla: ++ that was my plan	19:52
rodrigods	but k2k is a different path, right	19:52
knikolla	no, we're using saml ecp for testshib too	19:52
rodrigods	cmurphy, i don't... but maybe it fits within the 3 month project	19:52
kmalloc	hm. so lets see...	19:52
kmalloc	it isn't finding mapped in identity	19:53
rodrigods	but k2k ecp is not "100% ecp"	19:53
rodrigods	it has some differences	19:53
kmalloc	weird.	19:53
knikolla	rodrigods: you mean in the assertion or in the flow?	19:53
kmalloc	found the bug	19:53
rodrigods	both?	19:53
knikolla	since shibboleth can parse it, it must conform to the standard.	19:54
knikolla	the flow, yes, is different. but is mostly client driven.	19:54
*** openstackgerrit has joined #openstack-keystone		19:55
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert OS-FEDERATION to flask native dispatching https://review.openstack.org/591082	19:55
rodrigods	yes, but i think we can broke one or another in different ways that not necessarily are captured by a test	19:55
kmalloc	knikolla: ^ that should fix that error	19:55
rodrigods	so IMO we need both tests	19:55
kmalloc	rodrigods: we need at least to cover federation voting -- long term both, but ANY amount voting (functional) would be good now	19:56
rodrigods	yes, that's where i was going with my reasoning	19:56
knikolla	kmalloc: ah, good catch.	19:57
kmalloc	ugh i need to wait until tomorrow to install a new graphics card in this workstation so i can do looking-glass based VMs for development. i don't want to install all the dependencies to run tox/etc on the base OS [even as a desktop]	19:57
kmalloc	wonder if i can get the tox-in-docker thing to work	19:58
kmalloc	would be awesome.	19:58
knikolla	pci-passthrough for desktop vms, interesting.	20:00
kmalloc	knikolla: yes, it's awesome, i just ordered a SR-IOV compatible gpu	20:02
knikolla	kmalloc: i went an easier route. aliased tox to a script that rsyncs to a vm and runs tox through ssh.	20:03
kmalloc	knikolla: it's more about my IDE and not wanting to have to install all my dependencies	20:04
knikolla	true	20:05
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert regions API to flask native dispatching https://review.openstack.org/589640	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert services api to flask native dispatching https://review.openstack.org/589641	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert endpoints api to flask native dispatching https://review.openstack.org/589642	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert Roles API to flask native dispatching https://review.openstack.org/590494	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert role_inferences API to flask native dispatching https://review.openstack.org/590502	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Add safety to the inferred target extraction during enforcement https://review.openstack.org/591203	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching https://review.openstack.org/590518	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert system (role) api to flask native dispatching https://review.openstack.org/590588	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Move json_home "extension" rel functions https://review.openstack.org/591025	20:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert OS-FEDERATION to flask native dispatching https://review.openstack.org/591082	20:07
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Refactor ProviderAPIs object to better design pattern https://review.openstack.org/571955	20:07
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Fix RBACEnforcer get_member_from_driver mechanism https://review.openstack.org/591146	20:07
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert groups API to flask native dispatching https://review.openstack.org/591147	20:07
kmalloc	knikolla: ^ rebased a chunk of the change until i fix OS-INHERIT to be safer	20:08
*** itlinux has joined #openstack-keystone		20:15
*** raildo has quit IRC		20:28
kmalloc	knikolla: there is a keystone sec bug, i would like your eyes on	20:45
knikolla	kmalloc: sure	20:46
*** itlinux has quit IRC		21:26
*** rcernin has joined #openstack-keystone		22:01
openstackgerrit	Merged openstack/oslo.limit master: Fix CI https://review.openstack.org/586768	22:03
*** _ix has quit IRC		22:11
*** imacdonn has quit IRC		22:12
openstackgerrit	Doug Hellmann proposed openstack/oslo.limit master: fix gate https://review.openstack.org/591162	22:25
openstackgerrit	Doug Hellmann proposed openstack/oslo.limit master: import zuul job settings from project-config https://review.openstack.org/588697	22:25
openstackgerrit	Doug Hellmann proposed openstack/oslo.limit master: add python 3.6 unit test job https://review.openstack.org/589599	22:25
openstackgerrit	Doug Hellmann proposed openstack/oslo.limit master: add lib-forward-testing-python3 test job https://review.openstack.org/591185	22:25
*** imacdonn has joined #openstack-keystone		22:38

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!