Thursday, 2018-11-08

*** gyee has quit IRC [00:55]
*** felipemonteiro has joined #openstack-keystone [01:19]
*** ayoung has quit IRC [01:29]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: nit: remove some useless code https://review.openstack.org/612625 [01:31]
*** Dinesh_Bhor has joined #openstack-keystone [01:49]
*** felipemonteiro has quit IRC [02:33]
*** markvoelker has joined #openstack-keystone [02:45]
*** markvoelker has quit IRC [02:45]
*** markvoelker has joined #openstack-keystone [02:45]
*** markvoelker has quit IRC [02:50]
*** felipemonteiro has joined #openstack-keystone [02:55]
*** markvoelker has joined #openstack-keystone [02:55]
*** fungi has quit IRC [03:06]
*** erus has joined #openstack-keystone [03:06]
*** fungi has joined #openstack-keystone [03:09]
*** fungi has quit IRC [03:10]
<openstackgerrit> Merged openstack/keystone master: Add abstract method in trusts base.py https://review.openstack.org/614716 [03:34]
*** felipemonteiro has quit IRC [03:35]
*** felipemonteiro has joined #openstack-keystone [03:36]
*** Dinesh_Bhor has quit IRC [03:38]
*** fungi has joined #openstack-keystone [03:40]
*** fungi has quit IRC [03:41]
*** fungi has joined #openstack-keystone [03:45]
<openstackgerrit> Merged openstack/keystone master: Remove redundant variables from context class https://review.openstack.org/616198 [03:48]
*** sapd1 has quit IRC [03:58]
*** sapd1 has joined #openstack-keystone [03:58]
*** felipemonteiro has quit IRC [04:11]
*** Dinesh_Bhor has joined #openstack-keystone [04:42]
*** Dinesh_Bhor has quit IRC [05:15]
*** Dinesh_Bhor has joined #openstack-keystone [05:20]
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Remove "crypt_strength" option https://review.openstack.org/613218 [06:23]
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Drop the compatibility password column https://review.openstack.org/613513 [06:23]
*** pcaruana has joined #openstack-keystone [07:34]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Remove deprecated "bind" in token https://review.openstack.org/613891 [07:43]
*** bnemec has quit IRC [08:00]
*** Dinesh_Bhor has quit IRC [08:11]
*** Dinesh_Bhor has joined #openstack-keystone [08:12]
*** amoralej|off is now known as amoralej [08:18]
*** sapd1 has quit IRC [08:20]
*** sapd1 has joined #openstack-keystone [08:20]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Update more info of vhost file https://review.openstack.org/616457 [08:26]
*** bnemec has joined #openstack-keystone [08:26]
<vishakha> cmurphy: Hello. I was doing K2K federation, in which I logged in the horizon of my IDP and tried switching to my SP through drop down but getting unauthorized. I am not able to get the issue. These are the logs I am getting. [08:47]
<vishakha> https://www.irccloud.com/pastebin/m9MqcoB0/ [08:47]
*** sapd1_ has joined #openstack-keystone [08:47]
<cmurphy> vishakha: you'll have to turn on insecure_debug in keystone.conf to get it to tell you why you're not authorized [08:48]
<vishakha> cmurphy: sure [08:48]
<vishakha> cmurphy: I will do that [08:48]
*** sapd1 has quit IRC [08:49]
<vishakha> cmurphy: it is not accepting the idp token [09:06]
<vishakha> https://www.irccloud.com/pastebin/Lafw7kEC/ [09:06]
<cmurphy> vishakha: "auth_context did not decode anything useful" I think that means it couldn't process the assertion from the apache service provider [09:08]
<cmurphy> vishakha: these logs are from the SP right? [09:08]
<vishakha> cmurphy: No from IDP [09:08]
<cmurphy> vishakha: oh okay, maybe check the logs on the SP too to see if there is more information [09:09]
<cmurphy> some things it could be off the top of my head are 1) the user attributes aren't being passed through by mod_shib, you can check the shibd logs on the SP to see if there are warnings 2) the mapping rules are wrong [09:10]
<cmurphy> vishakha: are you using shibboleth or mellon for the SP? [09:11]
<vishakha> cmurphy: shibboleth [09:11]
<cmurphy> okay [09:11]
<vishakha> cmurphy: these are from sp [09:14]
<vishakha> https://www.irccloud.com/pastebin/nh10MxMo/ [09:14]
<cmurphy> hmm that all looks normal [09:16]
*** BlackDex has quit IRC [09:20]
<cmurphy> vishakha: do you have a log from 14:34 for the SP? that's when I see the unauthorized message on the IdP [09:20]
*** BlackDex has joined #openstack-keystone [09:25]
<cmurphy> vishakha: so my strategy would be first to get a correlation between the two keystone logs and see exactly what was happening on each of them at the time you're trying to switch the SP, then also look for error logs in /var/log/shibboleth/shibd.log and /var/log/shibboleth/shibd_warn.log on the SP, and also check for apache errors in /var/log/apache2/error.log on the SP, and also if you have [09:26]
<cmurphy> horizon set up on the SP you might need to check /var/log/apache2/horizon_error.log because for some reason generic error logs get directed there on devstack sometimes [09:26]
<vishakha> cmurphy: yes I understand. [09:28]
<vishakha> cmurphy: I think I will quickly reproduce the issue again and will store all the logs in the above mentioned files [09:29]
<cmurphy> vishakha: sounds good [09:30]
<vishakha> cmurphy: these are new idp logs [09:40]
<vishakha> https://www.irccloud.com/pastebin/fr0dwLWS/ [09:40]
<vishakha> These are SP logs [09:41]
<vishakha> https://www.irccloud.com/pastebin/T48F4gLb/ [09:41]
<cmurphy> hmm still looks normal on the SP side [09:43]
<vishakha> https://www.irccloud.com/pastebin/1uBgKwOj/ [09:43]
<cmurphy> I wonder if the new rbacenforcer broke this [09:43]
<vishakha> cmurphy: I am also wondering, because I am not able to find the solution [09:45]
<vishakha> cmurphy: I got no log in shibd_warm [09:45]
<vishakha> s/warm/warn [09:46]
<cmurphy> it's definitely weird because if there's an authorization problem it would usually be on the service provider [09:46]
<cmurphy> i'm gonna try to reproduce [09:46]
<vishakha> cmurphy: Thanks. Pl let me know for any more info. I am also looking for same [09:47]
<cmurphy> vishakha: by the way we got samltest.id to work instead of testshib.org in case you still want to pursue setting up keystone with an external idp [09:50]
<vishakha> Also no logs in apache2/error [09:50]
<vishakha> cmurphy: Yes I am going to set up with samltest.id soon [09:51]
*** sapd1_ has quit IRC [09:55]
*** mvkr has quit IRC [09:58]
*** sapd1_ has joined #openstack-keystone [10:05]
*** jrist has quit IRC [10:14]
*** jrist has joined #openstack-keystone [10:16]
*** mvkr has joined #openstack-keystone [10:26]
*** Emine has joined #openstack-keystone [10:32]
*** mbuil has joined #openstack-keystone [11:21]
<mbuil> cmurphy: hello, I need a bit of extra help with keystone federation. ping me when you have 5 minutes please :) [11:22]
*** xek__ is now known as xek [12:02]
<cmurphy> hi mbuil what's up? [12:03]
*** emine__ has joined #openstack-keystone [12:08]
*** Emine has quit IRC [12:11]
*** raildo has joined #openstack-keystone [12:17]
*** Dinesh_Bhor has quit IRC [12:43]
*** emine__ has quit IRC [13:00]
*** emine__ has joined #openstack-keystone [13:00]
<mbuil> cmurphy: I deployed keystone federation again and I had one question but I found the answer in your blog ;) [13:07]
<cmurphy> vishakha: hmm i didn't reproduce, it works okay for me [13:07]
<cmurphy> mbuil: haha cool [13:07]
<cmurphy> vishakha: maybe try with the cli instead of horizon? [13:09]
<cmurphy> vishakha: I think it must be related to this 'TokenNotFound: Could not recognize Fernet token' but I don't know offhand what would be wrong with the token [13:19]
<mbuil> cmurphy: one question, if I use export OS_TOKEN=token_id and export OS_URL=Service_endpoint, what should I remove from openrc? [13:23]
<cmurphy> mbuil: everything except perhaps OS_IDENTITY_API_VERSION [13:24]
<mbuil> cmurphy: I've got this right now ==> https://hastebin.com/avunufovay.bash [13:24]
<cmurphy> mbuil: almost all the OS_ variables will conflict if you try to use them with OS_TOKEN/OS_URL [13:25]
<cmurphy> the nova and cinder ones are probably fine [13:25]
<vishakha> cmurphy: thank you. I will try that with CLI. One thing I wanted to confirm can it be an issue with my configuration also? I mean I just wanted to be sure that whatever I have changed in the config files is good to go? [13:26]
<mbuil> cmurphy: ok. I am getting ==> __init__() got an unexpected keyword argument 'token'. I'll comment all [13:26]
<cmurphy> mbuil: yeah setting OS_AUTH_TYPE=password will confuse it when you try to pass it OS_TOKEN [13:27]
<cmurphy> vishakha: it might be a configuration issue but I'm not sure what it would be, assuming you followed the docs [13:27]
<vishakha> cmurphy: Yes I have followed the docs [13:27]
<cmurphy> vishakha: there would usually be more information in the logs if it was a config issue [13:27]
<cmurphy> or warnings in the shib logs if that was misconfigured [13:28]
<vishakha> cmurphy: ok. Thank you for the early responses. I will check with CLI once. [13:28]
<vishakha> cmurphy: no warnings logs for now [13:29]
*** _cryptosignal_me has joined #openstack-keystone [13:42]
*** aojea_ has joined #openstack-keystone [13:48]
*** aojea_ has quit IRC [14:02]
*** bnemec has quit IRC [14:02]
*** kukacz has quit IRC [14:02]
*** jaosorior has quit IRC [14:02]
*** tonyb has quit IRC [14:02]
*** dmellado has quit IRC [14:02]
*** mattoliverau has quit IRC [14:02]
*** rook has quit IRC [14:02]
*** dmellado has joined #openstack-keystone [14:04]
*** kukacz has joined #openstack-keystone [14:04]
*** aojea_ has joined #openstack-keystone [14:04]
*** ebukha has joined #openstack-keystone [14:04]
*** tonyb has joined #openstack-keystone [14:07]
*** bnemec has joined #openstack-keystone [14:07]
*** jaosorior has joined #openstack-keystone [14:08]
*** jmlowe has quit IRC [14:12]
*** ebukha has quit IRC [14:35]
*** emine__ has quit IRC [14:53]
*** _cryptosignal_me has quit IRC [14:55]
*** Emine has joined #openstack-keystone [15:02]
<lbragstad> o/ [15:03]
<cmurphy> \o [15:03]
<lbragstad> do folks know what days they'll be getting into and leaving Berlin? [15:04]
<lbragstad> I get in sometime on saturday afternoon [15:04]
*** mvkr has quit IRC [15:04]
*** jmlowe has joined #openstack-keystone [15:04]
* cmurphy sunday morning -> friday morning [15:04]
*** ebukha has joined #openstack-keystone [15:06]
<lbragstad> i'm leaving on saturday [15:07]
*** mvkr has joined #openstack-keystone [15:20]
*** jmlowe has quit IRC [15:22]
*** erus has quit IRC [15:30]
*** erus has joined #openstack-keystone [15:32]
*** mchlumsky has joined #openstack-keystone [15:35]
*** mchlumsky has quit IRC [15:35]
*** erus has quit IRC [15:54]
*** aojea_ has quit IRC [15:56]
*** aojea_ has joined #openstack-keystone [15:56]
*** aojea_ has quit IRC [15:58]
*** aojea_ has joined #openstack-keystone [15:58]
*** ebukha has quit IRC [16:02]
*** aojea_ has quit IRC [16:03]
*** aojea_ has joined #openstack-keystone [16:09]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Refactor directory creation into a common place https://review.openstack.org/615314 [16:10]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add keystone-manage jwt_setup functionality https://review.openstack.org/615315 [16:10]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add test fixture for JWT key repository https://review.openstack.org/614547 [16:10]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement https://review.openstack.org/614548 [16:10]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement JSON Web Token provider https://review.openstack.org/614549 [16:10]
*** pcaruana has quit IRC [16:14]
*** mvkr has quit IRC [16:16]
*** dklyle has quit IRC [16:17]
*** imacdonn has quit IRC [16:17]
*** erus has joined #openstack-keystone [16:17]
*** imacdonn has joined #openstack-keystone [16:18]
*** gyee has joined #openstack-keystone [16:18]
*** dklyle has joined #openstack-keystone [16:23]
*** mvkr has joined #openstack-keystone [16:28]
<kmalloc> I'll be arriving in Berlin on ... Monday, I think let me check [17:04]
*** erus has quit IRC [17:05]
*** erus has joined #openstack-keystone [17:08]
<kmalloc> yeah [17:08]
*** nicolasbock_ has joined #openstack-keystone [17:09]
<kmalloc> i leave saturday super early (after the summit) [17:09]
<kmalloc> cmurphy: i responded to the domains refactor. [17:11]
*** erus has quit IRC [17:11]
<kmalloc> cmurphy: it's different in that it combines some logic but the params are optional [17:12]
<kmalloc> so it functions the same as previous. it's fine if we want to isolate and explicitly override with the previous code. not a big deal [17:12]
*** erus has joined #openstack-keystone [17:14]
*** irclogbot_1 has quit IRC [17:31]
*** aojea_ has quit IRC [17:35]
*** mvkr has quit IRC [17:35]
<cmurphy> kmalloc: the docstring is wrong though [18:00]
*** irclogbot_1 has joined #openstack-keystone [18:00]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add keystone-manage jwt_setup functionality https://review.openstack.org/615315 [18:01]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add test fixture for JWT key repository https://review.openstack.org/614547 [18:01]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement https://review.openstack.org/614548 [18:01]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement JSON Web Token provider https://review.openstack.org/614549 [18:01]
*** irclogbot_1 has quit IRC [18:05]
*** pcaruana has joined #openstack-keystone [18:10]
*** aojea_ has joined #openstack-keystone [18:15]
<kmalloc> cmurphy: yeah [18:17]
<kmalloc> cmurphy: and that we should totally fix if we're not keeping it separate [18:17]
*** amoralej is now known as amoralej|off [18:19]
*** ebukha has joined #openstack-keystone [18:23]
*** irclogbot_1 has joined #openstack-keystone [18:25]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability for policy-checker to read configuration https://review.openstack.org/616659 [18:27]
<cmurphy> kmalloc: knikolla want to sync up again on outreachy? [18:30]
*** jmlowe has joined #openstack-keystone [18:31]
*** irclogbot_1 has quit IRC [18:32]
*** irclogbot_1 has joined #openstack-keystone [18:35]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability for policy-checker to read configuration https://review.openstack.org/616659 [18:35]
*** Emine has quit IRC [18:40]
*** aojea_ has quit IRC [18:44]
<kmalloc> cmurphy: sure in a few mins [18:58]
<kmalloc> like 5 sound good? [18:58]
<cmurphy> kmalloc: sure [18:59]
*** jmlowe has quit IRC [18:59]
<kmalloc> cmurphy: same bluejeans link [19:04]
<kmalloc> can supply it again if needed [19:04]
*** Emine has joined #openstack-keystone [19:04]
*** aojea_ has joined #openstack-keystone [19:17]
*** Emine has quit IRC [19:18]
*** jmlowe has joined #openstack-keystone [19:26]
*** ebukha has quit IRC [19:35]
*** aojea_ has quit IRC [19:49]
*** dave-mccowan has joined #openstack-keystone [19:56]
*** dave-mccowan has quit IRC [20:33]
*** raildo has quit IRC [20:37]
*** jmlowe has quit IRC [20:38]
*** aojea has joined #openstack-keystone [20:41]
*** dklyle has quit IRC [20:45]
*** dklyle has joined #openstack-keystone [20:45]
*** dklyle has quit IRC [20:46]
*** jmlowe has joined #openstack-keystone [21:05]
*** erus has quit IRC [21:11]
*** erus has joined #openstack-keystone [21:13]
*** aojea has quit IRC [21:14]
*** nicolasbock_ has quit IRC [21:32]
*** Emine has joined #openstack-keystone [21:36]
*** aojea has joined #openstack-keystone [21:47]
*** aojea has quit IRC [21:58]
*** aojea has joined #openstack-keystone [21:59]
*** mattoliverau has joined #openstack-keystone [22:06]
*** Emine has quit IRC [22:14]
*** Emine has joined #openstack-keystone [22:41]
*** Emine has quit IRC [23:06]
*** dklyle has joined #openstack-keystone [23:44]
*** aojea has quit IRC [23:50]
