Friday, 2018-11-09

*** mvkr has joined #openstack-keystone 00:12
openstackgerrit: Ian Wienand proposed openstack/keystoneauth master: Fair semaphore fixes https://review.openstack.org/616717 00:16
*** gyee has quit IRC 00:16
*** pcaruana has quit IRC 00:25
openstackgerrit: Monty Taylor proposed openstack/keystoneauth master: Add support for client-side rate limiting https://review.openstack.org/605043 00:27
*** Dinesh_Bhor has joined #openstack-keystone 01:03
*** Dinesh_Bhor has quit IRC 01:25
*** Dinesh_Bhor has joined #openstack-keystone 01:31
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Update more info of vhost file https://review.openstack.org/616457 01:49
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Remove deprecated "bind" in token https://review.openstack.org/613891 01:53
*** jrist has quit IRC 02:30
*** jrist has joined #openstack-keystone 02:43
openstackgerrit: 98k proposed openstack/ldappool master: Add python 3.6 unit test job https://review.openstack.org/616739 02:54
*** Dinesh_Bhor has quit IRC 03:17
*** Dinesh_Bhor has joined #openstack-keystone 03:20
*** aojea has joined #openstack-keystone 03:24
*** aojea has quit IRC 03:29
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Update api-ref for set registered limits. https://review.openstack.org/616755 03:37
openstackgerrit: Merged openstack/keystone master: Replace usage of get_legacy_facade() with get_engine() https://review.openstack.org/615749 03:46
openstackgerrit: Merged openstack/keystone master: Change __all__ list to tuple https://review.openstack.org/616364 03:47
*** Dinesh_Bhor has quit IRC 04:08
*** Dinesh_Bhor has joined #openstack-keystone 04:40
*** openstackstatus has quit IRC 04:59
*** openstack has joined #openstack-keystone 07:07
*** ChanServ sets mode: +o openstack 07:07
*** pcaruana has joined #openstack-keystone 07:21
*** ebukha has quit IRC 07:54
*** trident has quit IRC 08:12
*** trident has joined #openstack-keystone 08:14
mbuil: vishakha: are you trying to deploy K2K federation? 08:51
cmurphy: vishakha: yes that's helpful, that says Unauthorized: User 099285cabca64ca68037d15f765536aa has no access to project 8d5c2f4c615941cc8f7a8969b3618445 08:57
cmurphy: which wasn't showing up in the logs yesterday 08:57
cmurphy: vishakha: double check that the group you created for federated users has a role assignment on that project 08:58
vishakha: cmurphy: Yes I also saw that error. Let me check once again 08:58
vishakha: mbuil: Yes 08:59
mbuil: cmurphy: When doing K2K federation, why don't we need shibboleth on the IdP side? Does keystone already include code to handle SAML2 in IdP? 09:00
cmurphy: mbuil: yes it does http://git.openstack.org/cgit/openstack/keystone/tree/keystone/federation/idp.py 09:01
mbuil: cmurphy: ah ok thanks. Is anyone trying to do the same for SP? Is Shibboleth going to disappear from the picture? 09:03
cmurphy: mbuil: it's in the backlog http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/native-saml.html 09:03
mbuil: cmurphy: thanks!! 09:03
cmurphy: possibly one of my outreachy interns might be able to start work on it in the next few months 09:04
cmurphy: mbuil: what's your interest in getting rid of the shibboleth sp? 09:05
mbuil: cmurphy: I was just curious, no reason :) 09:06
cmurphy: :) 09:06
vishakha: cmurphy: I got the token after giving admin role to group in thar project 09:11
vishakha: s/thar/that 09:11
cmurphy: vishakha: awesome 09:12
*** Emine has joined #openstack-keystone 09:18
cmurphy: vishakha: so check again if it works in horizon, if it doesn't you can turn up the debug logging in logging -> handlers -> console -> level in horizon's local_settings.py which might give more information 09:20
vishakha: cmurphy: Now I can use this token on SP to create instances right? 09:20
cmurphy: vishakha: yes 09:21
vishakha: cmurphy: I moved to SP Horizon through drop down and I tried to list volumes, but n side it's showing unable to retrieve volume list 09:22
cmurphy: vishakha: hmm well if the SP dropdown worked then that sounds like keystone is working at least :) 09:24
vishakha: cmurphy: yes it is :) 09:24
vishakha: cmurphy: thank you 09:24
cmurphy: you're welcome 09:24
cmurphy: vishakha: are you going to be in Berlin next week? 09:25
vishakha: cmurphy: No. My session wasn't selected. 09:25
cmurphy: vishakha: ah too bad :( 09:26
vishakha: cmurphy: Have a safe travel 09:27
cmurphy: thanks :) 09:27
*** Dinesh_Bhor has quit IRC 09:34
*** Dinesh_Bhor has joined #openstack-keystone 09:57
*** Dinesh_Bhor has quit IRC 10:01
openstackgerrit: Merged openstack/keystone master: Remove deprecated "bind" in token https://review.openstack.org/613891 11:21
*** raildo has joined #openstack-keystone 11:22
*** ebukha has joined #openstack-keystone 12:23
openstackgerrit: Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check https://review.openstack.org/614224 12:36
openstackgerrit: Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Create OPA check https://review.openstack.org/614224 12:38
honza: What is morgan fainberg's irc nick? does he usually hang out here? 12:59
honza: hm, github says he's in seattle so it might be too early still 13:02
cmurphy: honza: his nick is kmalloc and yes it's a little early for him right now 13:03
honza: cmurphy: perfect, thanks 13:06
*** Dinesh_Bhor has joined #openstack-keystone 13:18
*** ebukha has quit IRC 13:24
*** Dinesh_Bhor has quit IRC 13:34
*** ebukha has joined #openstack-keystone 13:41
*** aojea_ has joined #openstack-keystone 14:01
*** Emine has quit IRC 14:11
lbragstad: o/ 14:26
cmurphy: \o 14:28
mbuil: cmurphy: I have the K2K federation working in CLI but I still get problems with horizon. When switching to "mysp" in Horizon, I see these logs in IdP's keystone_access.log: https://hastebin.com/kesecakozu.bash apparently, everything seems correct and Horizon(?) gets the SAML Response, or? 14:34
cmurphy: mbuil: I don't see anything wrong there, what's the error you're seeing in horizon? 14:38
openstackgerrit: Merged openstack/keystone master: Add a test for idp and federated user cascade deleting https://review.openstack.org/591946 14:41
mbuil: Error: "Switching to Keystone Provider mysp has failed. Service provider authentication failed. An error occurred authenticating. Please try again layer." 14:41
cmurphy: mbuil: do the keystone logs on the SP have anything? 14:42
mbuil: cmurphy ^. I can't see anything happening in the logs of the SP... how is the flow? Once Horizon gets the SAML Response, it should contact the SP's keystone? 14:42
lbragstad: looks like keystone's operator feedback is at the same time as https://www.openstack.org/summit/berlin-2018/summit-schedule/events/22785/change-of-ownership-of-resources 14:44
cmurphy: mbuil: yeah the horizon server should contact the keystone SP directly 14:47
mbuil: cmurphy: ok, thanks. I think it is a connectivity issue 14:47
*** aojea_ has quit IRC 14:49
cmurphy: lbragstad: sadness, I was planning on going to that 14:52
cmurphy: lbragstad: the resource deletion one is on a different day though, I think that's more relevant to us 14:52
lbragstad: yeah... we might have to divide and conquer 14:52
lbragstad: i have the other one on my schedule for sure 14:52
honza: kmalloc: hey, i noticed you worked on the flaskification of the keystone server --- i was hoping you could help me with a bug; i'm getting a 500 error on OPTIONS when requesting a new token 14:55
honza: kmalloc: here is the bug report, note especially the one comment before last https://bugs.launchpad.net/tripleo/+bug/1801778 14:56
openstack: Launchpad bug 1801778 in tripleo "Keystone circular reference on OPTIONS" [High,Triaged] 14:56
honza: kmalloc: any and all pointers would be much appreciated 14:56
*** aojea_ has joined #openstack-keystone 14:58
*** lbragstad has quit IRC 15:02
*** lbragstad has joined #openstack-keystone 15:03
*** ChanServ sets mode: +o lbragstad 15:03
*** Emine has joined #openstack-keystone 15:31
kmalloc: lbragstad: change of ownership is easy imo. Services are allowed to do so if they want. Keystone does not allow rehoming resources. 15:39
kmalloc: Because moving projects is bad news with inheritance 15:39
kmalloc: Of roles. 15:39
lbragstad: yeah - i was more or less just curious to be in the room 15:40
lbragstad: i like being a fly on the wall 15:40
kmalloc: honza: there is an error in keystone somewhere. The 500 is because rbac enforcement isn't called when that error happens. Request processing is probably a red herring in this case. 15:40
kmalloc: A side effect, not the root cause. 15:41
kmalloc: It also means whatever issue is occurring was never tested in keystone, so it realistically is broken due to lack of direct testing on merges. 15:42
honza: kmalloc: any tips on finding the root cause? dig through logs some more? with the new flask stuff, do we need to change the way we do cors requests? 15:42
kmalloc: I'll have to go look when I am more awake 15:43
honza: kmalloc: thanks 15:43
kmalloc: I just woke up 1m ago 15:43
honza: kmalloc: https://media.giphy.com/media/DrJm6F9poo4aA/giphy.gif 15:44
kmalloc: Yup 15:50
*** bnemec is now known as beekneemech 15:53
mbuil: cmurphy: I fixed the connectivity problem and now I see "You are not authorized to access this page" when switching to mysp 15:54
cmurphy: mbuil: as in it doesn't let you switch, or as in after you've switched some page elements aren't accessible? 15:55
mbuil: cmurphy: it does not allow to switch. I mean, I did what is shown at the bottom of http://www.gazlene.net/demystifying-keystone-federation.html#Keystone%20to%20Keystone and now it shows mysp instead of Local Keystone. However, that message appears and then a "Log in" 15:59
*** jistr is now known as jistr|call 16:00
cmurphy: mbuil: like this? http://www.gazlene.net/horizon.png 16:08
mbuil: cmurphy: exactly that 16:08
cmurphy: mbuil: do you have a full openstack running on the service provider? nova glance etc? or just keystone? 16:09
mbuil: cmurphy: everything 16:09
cmurphy: i think that's normal if you're just running keystone and you don't have an admin role 16:09
cmurphy: not sure about that then 16:10
cmurphy: might still be a permission issue 16:10
mbuil: cmurphy: Ok. I need to fix my networking issues permanently first. I did a hack and it does not work always :P. Then, I'll investigate further 16:11
*** ayoung has joined #openstack-keystone 16:12
*** lbragstad has quit IRC 16:14
*** lbragstad has joined #openstack-keystone 16:15
*** ChanServ sets mode: +o lbragstad 16:15
*** jistr|call is now known as jistr 16:17
*** imacdonn has quit IRC 16:18
*** aojea_ has quit IRC 16:20
*** aojea_ has joined #openstack-keystone 16:21
*** etp has quit IRC 16:21
*** gyee has joined #openstack-keystone 16:22
openstackgerrit: Colleen Murphy proposed openstack/keystone master: [WIP] Add introduction section to federation docs https://review.openstack.org/615384 16:23
*** etp has joined #openstack-keystone 16:27
*** markvoelker has quit IRC 17:30
*** imacdonn has joined #openstack-keystone 17:32
ayoung: cmurphy, kmalloc lbragstad knikolla gagehugo can we fast track Catalog for Unscoped tokens through? https://review.openstack.org/#/c/607346/ It was originally approved, but then retracted. This just reinstates it. jamielennox was not around to drive it on home when he wrote it. 17:36
*** ebukha has quit IRC 17:44
kmalloc: honza: i'm looking now, so, this indicates we have somehow failed in our circular reference checking, but more importantly i need to exempt that check from enforcement/change where enforcement occurs for that to ensure that our hard-check ensuring ALL apis are enforced doesn't get triggered. 17:55
kmalloc: honza: i bet i can have something proposed to fix that today. 17:55
honza: kmalloc: wonderful news, thank you for checking so quickly 18:18
honza: jrist: ^ 18:18
jrist: oh yeay 18:20
jrist: good work finding a bug honza 18:20
jrist: :) 18:20
jrist: kmalloc++ 18:21
kmalloc: jrist: it really is something we weren't testing clearly 18:29
kmalloc: and you are creating a bad set of roles 18:29
kmalloc: somehow 18:29
kmalloc: but we also are raising an exception before we run enforcement, so it wasn't marked as an enforced API 18:29
kmalloc: this is a good thing for us, means there is no way to accidentally have an unenforced api call, it must be enforced or it raises a 500 (as it should) 18:30
kmalloc: drastic improvement to previous keystones 18:30
kmalloc: honza: so... out of curiosity did OPTIONS actually ever work before flask? 18:39
kmalloc: honza: for keystone? 18:39
kmalloc: i'm inclined to say it never really did. 18:39
kmalloc: it just didn't error. 18:39
*** bigdogstl has joined #openstack-keystone 18:50
honza: kmalloc: it worked great before 18:59
honza: kmalloc: i mean, i was able to authenticate against keystone using cors in the browser 19:01
honza: kmalloc: no errors 19:01
*** bigdogstl has quit IRC 19:08
*** bigdogstl has joined #openstack-keystone 19:12
*** zigo has quit IRC 19:25
*** bigdogstl has quit IRC 19:26
*** bigdogstl has joined #openstack-keystone 19:30
kmalloc: yeah 19:33
kmalloc: figured no errors but not giving useful information 19:33
*** bigdogstl has quit IRC 19:35
*** Emine has quit IRC 19:48
*** bigdogstl has joined #openstack-keystone 19:53
*** bigdogstl has quit IRC 19:57
*** bigdogstl has joined #openstack-keystone 20:59
* lbragstad heads to the airport and puts some John Denver on the stereo 21:08
lbragstad: safe travels, all 21:08
*** lbragstad has quit IRC 21:08
*** bigdogstl has quit IRC 21:09
*** bigdogstl has joined #openstack-keystone 21:13
*** bigdogstl has quit IRC 21:18
*** raildo has quit IRC 22:00
*** bigdogstl has joined #openstack-keystone 22:51
*** bigdogstl has quit IRC 23:03
*** bigdogstl has joined #openstack-keystone 23:05
*** erus has quit IRC 23:08
*** bigdogstl has quit IRC 23:10
*** erus has joined #openstack-keystone 23:11
*** bigdogstl has joined #openstack-keystone 23:11
*** erus has quit IRC 23:17
openstackgerrit: Merged openstack/keystone master: Update more info of vhost file https://review.openstack.org/616457 23:18
openstackgerrit: Merged openstack/keystone master: Emit CADF notifications on authentication for invalid users https://review.openstack.org/613455 23:18
openstackgerrit: Merged openstack/keystone master: Remove unused lower constraints https://review.openstack.org/615750 23:20
openstackgerrit: Merged openstack/keystone master: Provide a Location on HTTP 300 https://review.openstack.org/613633 23:20
*** erus has joined #openstack-keystone 23:22
*** bigdogstl has quit IRC 23:24
*** bigdogstl has joined #openstack-keystone 23:27
*** erus has quit IRC 23:29
*** bigdogstl has quit IRC 23:32
*** erus has joined #openstack-keystone 23:37
*** bigdogstl has joined #openstack-keystone 23:43
*** erus has quit IRC 23:43
*** erus has joined #openstack-keystone 23:52
*** aojea_ has quit IRC 23:52
*** bigdogstl has quit IRC 23:54
*** erus has quit IRC 23:59
