Thursday, 2018-08-23

*** felipemonteiro has joined #openstack-keystone [00:09]
*** gyee has quit IRC [00:13]
*** Nel1x has joined #openstack-keystone [00:45]
*** felipemonteiro has quit IRC [00:46]
*** imacdonn has quit IRC [00:49]
*** imacdonn has joined #openstack-keystone [00:50]
*** markvoelker has joined #openstack-keystone [01:06]
*** harlowja has quit IRC [01:06]
*** markvoelker has quit IRC [01:40]
*** deepak_mourya__ has joined #openstack-keystone [02:21]
*** wlmbasson_ has joined #openstack-keystone [02:22]
*** vishakha_ has joined #openstack-keystone [02:22]
*** BlackDex_ has joined #openstack-keystone [02:26]
*** dave-mccowan has quit IRC [02:27]
*** dansmith has joined #openstack-keystone [02:28]
*** BlackDex has quit IRC [02:29]
*** wlmbasson has quit IRC [02:29]
*** viks_ has quit IRC [02:29]
*** toddnni has quit IRC [02:29]
*** vishakha has quit IRC [02:29]
*** deepak_mourya_ has quit IRC [02:29]
*** htimsnad has quit IRC [02:29]
*** deepak_mourya__ is now known as deepak_mourya_ [02:29]
*** vishakha_ is now known as vishakha [02:29]
*** wlmbasson_ is now known as wlmbasson [02:29]
*** toddnni has joined #openstack-keystone [02:30]
*** felipemonteiro has joined #openstack-keystone [02:35]
*** markvoelker has joined #openstack-keystone [02:37]
openstackgerrit: wangxiyuan proposed openstack/keystone master: ADD a test for idp and federated user cascade deleting  https://review.openstack.org/591946 [02:41]
*** Nel1x has quit IRC [02:53]
*** markvoelker has quit IRC [03:11]
*** nicolasbock has quit IRC [03:44]
*** felipemonteiro has quit IRC [03:45]
openstackgerrit: Merged openstack/oslo.limit master: add lib-forward-testing-python3 test job  https://review.openstack.org/591185 [03:48]
openstackgerrit: wangxiyuan proposed openstack/keystone master: Enable foreign keys for unit test  https://review.openstack.org/558193 [03:52]
openstackgerrit: wangxiyuan proposed openstack/keystone master: ADD a test for idp and federated user cascade deleting  https://review.openstack.org/591946 [03:52]
*** markvoelker has joined #openstack-keystone [04:08]
*** felipemonteiro has joined #openstack-keystone [04:14]
*** viks_ has joined #openstack-keystone [04:35]
*** markvoelker has quit IRC [04:41]
*** shyamb has joined #openstack-keystone [05:14]
*** felipemonteiro has quit IRC [05:17]
*** dmellado has joined #openstack-keystone [05:27]
*** markvoelker has joined #openstack-keystone [05:38]
openstackgerrit: Deepak Mourya proposed openstack/keystone master: Added support for a ``description`` attribute for Identity Roles  https://review.openstack.org/484348 [05:39]
deepak_mourya_: wxy-xiyuan: I have rebased the patch, please review the same. https://review.openstack.org/#/c/484348/12 https://review.openstack.org/#/c/484355/ [05:47]
*** mbuil has joined #openstack-keystone [06:03]
*** markvoelker has quit IRC [06:12]
*** shyamb has quit IRC [06:13]
*** shyamb has joined #openstack-keystone [06:14]
wxy-xiyuan: deepak_mourya_: the migration script version needs to be bumped. [06:28]
*** pcaruana has joined #openstack-keystone [06:33]
deepak_mourya_: wxy-xiyuan: ok, can you please point out the same on the above specified patch also, so that it will be easy to update. [06:37]
wxy-xiyuan: deepak_mourya_: sure [06:37]
deepak_mourya_: wxy-xiyuan: Thank you. :) [06:38]
openstackgerrit: wangxiyuan proposed openstack/keystone master: Enable foreign keys for unit test  https://review.openstack.org/558193 [06:47]
openstackgerrit: wangxiyuan proposed openstack/keystone master: ADD a test for idp and federated user cascade deleting  https://review.openstack.org/591946 [06:47]
openstackgerrit: wangxiyuan proposed openstack/keystone master: Change unique_last_password_count default to 0  https://review.openstack.org/593476 [06:48]
wxy-xiyuan: lbragstad: we lost db migration placeholder for Rocky. Is it the time to add them now and backport them to stable-R? [06:50]
mbuil: cmurphy: I am ready with the logs. If you had some time to help, it would be great if you could help me understand what is failing [06:58]
*** shyamb has quit IRC [06:59]
*** rcernin has quit IRC [06:59]
*** shyamb has joined #openstack-keystone [07:04]
*** markvoelker has joined #openstack-keystone [07:09]
*** hoonetorg has quit IRC [07:17]
*** shyamb has quit IRC [07:22]
*** shyamb has joined #openstack-keystone [07:22]
*** hoonetorg has joined #openstack-keystone [07:29]
cmurphy: mbuil: okay I'm here [07:35]
*** markvoelker has quit IRC [07:42]
*** shyamb has quit IRC [07:43]
mbuil: cmurphy: good morning! I logged in with user "demo" to Horizon. I created that user in the IdP side. When switching to 'mysp' these are the logs that I get in the /var/log/keystone.log from IdP: https://hastebin.com/dexubuqiti.cs. Note the "Invalid user token" message [07:44]
mbuil: cmurphy: I guess that message is the response from "POST http://172.29.236.11:5000/v3/auth/OS-FEDERATION/saml2/ecp", right? [07:45]
cmurphy: looks like it [07:47]
*** hoonetorg has quit IRC [07:48]
cmurphy: mbuil: is 172.29.236.11 the SP? [07:48]
mbuil: cmurphy: not exactly, should it be? [07:49]
cmurphy: no I guess not [07:53]
mbuil: cmurphy: When I registered the SP into the IdP, I registered it using mysp.exmaple.com:5000 and that points to 10.10.100.29:5000. 172.29.236.11:500 points to the local keystone [07:55]
cmurphy: so in my env I get a 200 for POST http://192.168.122.196/identity/v3/auth/OS-FEDERATION/saml2/ecp and then that's the end of the story on the IdP, so something is wrong on the SP [07:56]
cmurphy: so any interesting logs on the SP? [07:56]
mbuil: cmurphy: however, note that both deployments use 172.29.236.11:5000 to point to their local keystone. I was afraid that perhaps it is trying to POST to the remote SP keystone and somehow it is using the local keystone IP from the SP. However, in theory, that is not possible and so it should use "POST http://mysp.examle.com:5000/v3/auth/OS-FEDERATION/saml2/ecp" [07:58]
mbuil: cmurphy: is 192.168.122.196 the ip pointing to the local keystone in IdP? [07:59]
cmurphy: mbuil: yes that's my IdP [08:00]
*** hoonetorg has joined #openstack-keystone [08:01]
mbuil: cmurphy: in the SP I get this (note that I added some logs myself to list the AUTH_METHODS): https://hastebin.com/alevinapev.py [08:01]
mbuil: and the assertion [08:01]
cmurphy: mbuil: if you turn on debug = true in keystone.conf it should log the assertion data on its own [08:04]
cmurphy: and should also give response codes [08:05]
cmurphy: mbuil: is 23c7f532cc0f4ee38db65439521027c4 a project on the SP or the IdP? [08:09]
*** jaosorior has quit IRC [08:10]
mbuil: cmurphy: let me check [08:18]
mbuil: cmurphy it is a project on the SP [08:20]
mbuil: | 23c7f532cc0f4ee38db65439521027c4 | federated_project | [08:20]
mbuil: cmurphy: I am in a call until 11, so I might be a bit slow, sorry [08:20]
cmurphy: mbuil: okay, if you're able to get logs with debug=true and insecure_debug=true on the SP when you have a chance that would help, I can't really tell what's going on from these logs [08:22]
mbuil: cmurphy: I did it but it does not show much more ==> https://hastebin.com/luwitohura.py that is weird [08:25]
mbuil: right after restarting keystone service I can see DEBUG logs [08:25]
openstackgerrit: Deepak Mourya proposed openstack/keystone master: Added support for a ``description`` attribute for Identity Roles  https://review.openstack.org/484348 [08:26]
deepak_mourya_: @wxy-xiyuan I have updated the patch as per your reviews. https://review.openstack.org/#/c/484348/ [08:28]
*** obre has joined #openstack-keystone [08:30]
*** shyamb has joined #openstack-keystone [08:38]
*** markvoelker has joined #openstack-keystone [08:39]
openstackgerrit: Deepak Mourya proposed openstack/keystone master: Added support for a ``description`` attribute for Identity Roles  https://review.openstack.org/484348 [08:44]
wxy-xiyuan: deepak_mourya_: thanks for the update. left some comments there. And since I'm one of the co-authors, I'll leave +2 to other reviewers. [08:57]
*** jaosorior has joined #openstack-keystone [09:08]
*** markvoelker has quit IRC [09:13]
*** shyamb has quit IRC [09:20]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Add placeholder migrations for Stein  https://review.openstack.org/595556 [09:22]
deepak_mourya_: wxy-xiyuan: ok no issue, thanks for the help [09:26]
*** shyamb has joined #openstack-keystone [09:34]
*** jaosorior has quit IRC [09:54]
*** markvoelker has joined #openstack-keystone [10:10]
*** shyamb has quit IRC [10:16]
*** chason has quit IRC [10:39]
*** chason has joined #openstack-keystone [10:41]
*** markvoelker has quit IRC [10:43]
*** dave-mccowan has joined #openstack-keystone [10:46]
*** raildo has joined #openstack-keystone [11:02]
*** raildo_ has joined #openstack-keystone [11:15]
*** raildo has quit IRC [11:15]
*** nicolasbock has joined #openstack-keystone [11:22]
*** shyamb has joined #openstack-keystone [11:29]
*** markvoelker has joined #openstack-keystone [11:40]
lbragstad: wxy-xiyuan: oh - good call, yeah we should be able to do that and release an rc2 [11:48]
*** shyamb has quit IRC [11:52]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Add placeholder migrations for Rocky  https://review.openstack.org/595556 [11:53]
cmurphy: lbragstad: ^ [11:53]
*** jaosorior has joined #openstack-keystone [11:54]
*** shyamb has joined #openstack-keystone [11:55]
lbragstad: cmurphy: oh - nice [12:00]
lbragstad: i literally just wrote my commit message [12:00]
cmurphy: heh sorry [12:00]
lbragstad: no worries at all, thanks! [12:00]
lbragstad: we don't really do a standard number of placeholders do we? [12:01]
cmurphy: heh [12:01]
lbragstad: 4 should be good, right? [12:02]
cmurphy: i think so, we didn't use any of them last time [12:02]
lbragstad: true, we also didn't do many migrations in Rocky [12:02]
lbragstad: backport https://review.openstack.org/595619 [12:04]
lbragstad: any other core willing to kick https://review.openstack.org/#/q/4d3cdd5d21597f796432363155dad81463f70fca through? [12:08]
knikolla: o/ [12:09]
lbragstad: we should kick https://review.openstack.org/#/c/590404/1 through too [12:10]
*** markvoelker has quit IRC [12:14]
*** pcaruana has quit IRC [12:16]
*** pcaruana has joined #openstack-keystone [12:16]
*** raildo_ is now known as raildo [12:16]
*** dims_ is now known as dims [12:37]
*** shyamb has quit IRC [12:46]
*** jaosorior has quit IRC [13:09]
*** BlackDex_ is now known as BlackDex [13:26]
*** marvin_mhg has joined #openstack-keystone [13:30]
*** raildo has quit IRC [13:35]
*** felipemonteiro has joined #openstack-keystone [13:35]
*** raildo has joined #openstack-keystone [13:36]
*** breton has left #openstack-keystone [13:44]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Make policy file support in fixture optional  https://review.openstack.org/595279 [13:44]
*** breton has joined #openstack-keystone [13:44]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Move loadapp to a generic place  https://review.openstack.org/595371 [13:44]
*** felipemonteiro has quit IRC [13:46]
*** viks_ has quit IRC [13:49]
*** r-daneel has joined #openstack-keystone [14:07]
*** raildo_ has joined #openstack-keystone [14:11]
*** raildo has quit IRC [14:12]
*** r-daneel has quit IRC [14:37]
openstackgerrit: Merged openstack/keystone master: Add placeholder migrations for Rocky  https://review.openstack.org/595556 [15:02]
*** itlinux__ has joined #openstack-keystone [15:06]
*** itlinux__ is now known as itlinux [15:15]
*** itlinux is now known as 59NAABP8D [15:15]
*** 59NAABP8D has quit IRC [15:17]
*** itlinux has joined #openstack-keystone [15:18]
*** dklyle has quit IRC [15:20]
*** pcaruana has quit IRC [15:36]
*** dklyle has joined #openstack-keystone [15:37]
*** raildo has joined #openstack-keystone [15:50]
*** raildo_ has quit IRC [15:51]
lbragstad: kmalloc: can you kick https://review.openstack.org/#/c/595619/ through as soon as you have a minute? [15:51]
lbragstad: dependent for rc ^ [15:51]
gagehugo: o/ [15:57]
*** itlinux is now known as itlinux-away [15:58]
*** gyee has joined #openstack-keystone [15:59]
*** itlinux-away is now known as itlinux [16:00]
*** itlinux is now known as itlinux-away [16:00]
*** itlinux-away is now known as itlinux [16:05]
*** itlinux is now known as itlinux-away [16:05]
*** itlinux-away is now known as itlinux [16:06]
*** itlinux is now known as itlinux-away [16:07]
*** itlinux-away is now known as itlinux [16:13]
*** itlinux is now known as itlinux-away [16:14]
*** harlowja has joined #openstack-keystone [16:17]
*** itlinux-away is now known as itlinux [16:18]
*** itlinux is now known as itlinux-away [16:18]
*** itlinux-away is now known as itlinux [16:21]
kmalloc: lbragstad: looking [16:33]
kmalloc: lbragstad: don't hesitate to comment on things like that and self approve imo [16:34]
kmalloc: lbragstad: it's critical / low risk / needed red tape bits. [16:34]
kmalloc: lbragstad: i would 100% support self-approval of those things. [16:34]
*** harlowja has quit IRC [16:40]
kmalloc: cmurphy: is it ok if I fix the "attribute != id" bit in a patch alongside of the current big chain [17:09]
kmalloc: cmurphy: i'm really trying to avoid massive test refactoring in a webob->flask change, just a high risk of introducing errors, and the changes are already complex enough [17:09]
kmalloc: lbragstad: https://review.openstack.org/#/c/591203/3 i'll get a test written in a separate patch soon [17:09]
openstackgerrit: Morgan Fainberg proposed openstack/keystone master: Re-Add scope.system to filters  https://review.openstack.org/595837 [17:11]
openstackgerrit: Morgan Fainberg proposed openstack/keystone master: Re-Add scope.system to filters  https://review.openstack.org/595837 [17:12]
openstackgerrit: Morgan Fainberg proposed openstack/keystone master: Re-Add scope.system to filters  https://review.openstack.org/595837 [17:13]
kmalloc: lbragstad: ^ for role_assignments API [17:13]
kmalloc: lbragstad: https://review.openstack.org/#/c/589950/6 needs a followup, but can land as is. [17:16]
kmalloc: lbragstad: i need your brain for https://review.openstack.org/#/c/591147/9 [17:16]
kmalloc: lbragstad: and how we're moving forward on it [17:17]
lbragstad: oh - sweet [17:24]
lbragstad: i can take a look [17:24]
lbragstad: i have a patch i need opinions on, too [17:24]
*** jrist has quit IRC [17:26]
kmalloc: lbragstad: fire away on the patch I need to look at. [17:31]
kmalloc: cmurphy: also, auth is not really straightforward to convert to flask. I tried it first and ran into so many pits i opted to run backwards for everything else (easier) and then attack auth specifically once the rest of the APIs are on flask. [17:32]
kmalloc: cmurphy: auth is... icky, especially with the way the auth plugins work and data is passed through them. [17:32]
kmalloc: cmurphy: i was 15 patches deep and ~2000+ lines of change before i stopped and figured moving everything else was more straightforward. [17:33]
kmalloc: :P [17:33]
kmalloc: it's also because we have some weird inter-dependencies on auth. [17:33]
*** jrist has joined #openstack-keystone [17:41]
cmurphy: kmalloc: okay that's fair [17:48]
kmalloc: cmurphy: if you're ok with a followup to fix the id vs name, i'll happily do it, just trying to keep massive test refactors and code changes out of a flask conversion patch (I can make the change either before or after, but after is a bit easier) [17:50]
cmurphy: kmalloc: you're talking about https://review.openstack.org/#/c/591082/13/keystone/server/flask/common.py right? [17:50]
kmalloc: yep [17:51]
kmalloc: and my response there. [17:51]
cmurphy: that's fine and it's not really that important at all, it's just kind of gnarly looking [17:51]
kmalloc: yeah =/ [17:51]
kmalloc: i'll do some cleanup passes once I get the current stack into shape. there is some stuff at the latter end that needs massaging [17:51]
kmalloc: i think i can get all that ugliness cleaned up in a patch or two. then on to domains and *shudder* projects and users. [17:52]
kmalloc: then ... auth [17:52]
*** N3l1x has joined #openstack-keystone [18:03]
*** r-daneel has joined #openstack-keystone [18:24]
*** r-daneel_ has joined #openstack-keystone [18:38]
*** r-daneel has quit IRC [18:40]
*** r-daneel_ is now known as r-daneel [18:40]
*** pcaruana has joined #openstack-keystone [18:52]
*** pcaruana has quit IRC [19:09]
*** jrist has quit IRC [19:10]
*** jrist has joined #openstack-keystone [19:23]
lbragstad: i don't think system scoped tokens are getting the roles expanded like project scoped tokens are [19:43]
lbragstad: yup - https://bugs.launchpad.net/keystone/+bug/1788694 [20:09]
openstack: Launchpad bug 1788694 in OpenStack Identity (keystone) "System scoped tokens don't expand role assignments" [Undecided,New] [20:09]
gagehugo: oh implied roles [20:16]
*** raildo has quit IRC [20:23]
*** david-lyle has joined #openstack-keystone [21:15]
*** dklyle has quit IRC [21:17]
*** rcernin has joined #openstack-keystone [21:46]
*** r-daneel_ has joined #openstack-keystone [22:08]
*** r-daneel has quit IRC [22:10]
*** r-daneel_ is now known as r-daneel [22:10]
*** N3l1x has quit IRC [22:35]
*** threestrands has joined #openstack-keystone [22:53]
kmalloc: gross [23:16]
kmalloc: :( [23:16]
*** felipemonteiro has joined #openstack-keystone [23:48]
