Thursday, 2019-07-25

*** xek has joined #openstack-keystone		00:01
*** whoami-rajat has quit IRC		00:01
*** jistr has quit IRC		00:15
*** jistr has joined #openstack-keystone		00:15
*** gyee has quit IRC		00:49
*** wxy-xiyuan has joined #openstack-keystone		01:11
*** mvkr_ has quit IRC		01:41
*** mvkr_ has joined #openstack-keystone		01:54
*** whoami-rajat has joined #openstack-keystone		03:06
*** rcernin has quit IRC		03:55
*** etp has joined #openstack-keystone		04:07
*** pcaruana has joined #openstack-keystone		04:44
*** vishalmanchanda has joined #openstack-keystone		04:46
*** pcaruana has quit IRC		04:56
*** aning_ has joined #openstack-keystone		05:03
*** aning__ has quit IRC		05:07
*** aning has joined #openstack-keystone		05:07
*** aning_ has quit IRC		05:09
*** rcernin has joined #openstack-keystone		05:33
openstackgerrit	Chason Chan proposed openstack/keystone master: Deprecate keystone.conf.memcache socket_timeout https://review.opendev.org/672629	05:56
*** jaosorior has quit IRC		06:03
*** rcernin has quit IRC		06:03
*** rcernin has joined #openstack-keystone		06:18
*** jaosorior has joined #openstack-keystone		06:20
*** pcaruana has joined #openstack-keystone		06:21
*** rcernin has quit IRC		06:21
*** rcernin has joined #openstack-keystone		06:21
-openstackstatus- NOTICE: The git service on opendev.org is currently down.		06:49
*** ChanServ changes topic to "The git service on opendev.org is currently down."		06:49
*** jamesmcarthur has joined #openstack-keystone		07:04
*** rcernin has quit IRC		07:06
*** tesseract has joined #openstack-keystone		07:15
*** adriant has quit IRC		07:17
*** adriant has joined #openstack-keystone		07:18
*** tkajinam has quit IRC		07:53
*** tkajinam has joined #openstack-keystone		07:53
*** jaosorior has quit IRC		07:57
-openstackstatus- NOTICE: Services at opendev.org like our git server and at openstack.org are currently down, looks like an outage in one of our cloud providers.		08:32
*** ChanServ changes topic to "Services at opendev.org like our git server and at openstack.org are currently down, looks like an outage in one of our cloud providers."		08:32
*** tkajinam has quit IRC		08:36
*** ChanServ changes topic to "Train release schedule: https://releases.openstack.org/train/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/ClKW9C8x/keystone-train-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"		08:39
-openstackstatus- NOTICE: The problem in our cloud provider has been fixed, services should be working again		08:39
*** jamesmcarthur has quit IRC		08:48
*** ivve has joined #openstack-keystone		09:08
*** brtknr has quit IRC		10:27
*** brtknr has joined #openstack-keystone		10:33
*** etp has quit IRC		10:46
*** jaosorior has joined #openstack-keystone		10:47
*** brtknr has quit IRC		10:56
*** brtknr has joined #openstack-keystone		10:56
*** adriant has quit IRC		11:07
*** adriant has joined #openstack-keystone		11:07
*** jaosorior has quit IRC		11:08
*** kplant has joined #openstack-keystone		11:14
*** raildo has quit IRC		11:33
*** raildo has joined #openstack-keystone		11:33
*** pcaruana has quit IRC		11:42
*** sapd1_ has joined #openstack-keystone		11:59
*** sapd1 has quit IRC		11:59
*** pcaruana has joined #openstack-keystone		12:22
*** raildo has quit IRC		12:42
*** raildo has joined #openstack-keystone		12:42
*** joshualyle has joined #openstack-keystone		13:06
*** mvkr_ has quit IRC		13:17
*** jhesketh has quit IRC		13:22
*** jaosorior has joined #openstack-keystone		13:23
*** jhesketh has joined #openstack-keystone		13:26
*** jaosorior has quit IRC		13:43
kplant	i've configured keystone as an sp with mellon and my local keycloak as the idp via saml2. i've gotten to the point where horizon will property redirect to keycloak, after i login keycloak then redirects back to keystone and i get: "Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The	13:44
kplant	client is assumed to be in error."	13:44
kplant	i can't seem to track down what the source of this is, maybe keycloak supplying xml instead of json? the logs aren't much help as they just reiterate what the error message says	13:45
*** mvkr_ has joined #openstack-keystone		13:58
*** ayoung has joined #openstack-keystone		14:10
*** ayoung has quit IRC		14:37
*** jmlowe has quit IRC		14:42
*** lbragstad has joined #openstack-keystone		14:51
*** jmlowe has joined #openstack-keystone		15:07
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update the caching guide https://review.opendev.org/672120	15:07
*** dklyle has quit IRC		15:17
*** dklyle has joined #openstack-keystone		15:18
*** gyee has joined #openstack-keystone		15:44
cmurphy	kplant: does the apache access log say which path exactly is producing the 400?	15:47
cmurphy	lbragstad: bnemec want to take a look at http://lists.openstack.org/pipermail/openstack-discuss/2019-July/008021.html i don't understand how that works	15:47
*** altlogbot_3 has quit IRC		15:48
*** altlogbot_0 has joined #openstack-keystone		15:50
bnemec	Heh, I read that and hoped someone from Keystone was going to say "oh, that's happening because..."	15:50
cmurphy	bah	15:50
lbragstad	it's for backwards compatibility	15:50
*** tesseract has quit IRC		15:50
bnemec	I'm confused by the self-referential rule though. "identity:list_users": "rule:identity:list_users" doesn't make sense, does it?	15:51
* lbragstad is finding a patch		15:52
bnemec	I see in the unit tests that we do this if we deprecate a rule in favor of another one: "foo:post_bar": "rule:foo:create_bar"	15:58
bnemec	I'm not sure it makes sense when a _value_ is deprecated though.	15:58
lbragstad	looks like this is the code that does it - https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/generator.py#L182-L201	16:04
*** jmlowe has quit IRC		16:04
bnemec	lbragstad: So maybe if old_name == name we should not do the aliasing? In that case the deprecation warning is more informational.	16:06
lbragstad	https://review.opendev.org/#/c/568687/ landed after the original deprecation logic in generator.py	16:07
bnemec	That's not what does the aliasing though.	16:09
lbragstad	right - just digging through the git log	16:09
lbragstad	i thought someone came by and brought this case up specifically and we rolled a patch to handed the aliasing	16:10
lbragstad	handle*	16:10
bnemec	I vaguely recall the same, but I think the assumption was the name of the rule would change.	16:10
bnemec	I also feel like we've had the conversation about deprecating rules vs. deprecating values before. :-)	16:11
lbragstad	yeah...	16:13
* lbragstad tries to recreate locally		16:17
bnemec	Yeah, the example in https://bugs.launchpad.net/oslo.policy/+bug/1742569 is with a name change.	16:17
openstack	Launchpad bug 1742569 in oslo.policy "Including deprecated policy names in sample file" [Undecided,Fix released] - Assigned to Lance Bragstad (lbragstad)	16:17
bnemec	FWIW, I also see "identity:list_users": "rule:identity:list_users" in my locally generated sample policy.	16:18
lbragstad	ok - so it's because we're not detecting a deprecated value from a deprecated name... right?	16:19
bnemec	Yeah, it's because of the ORing that we do in the policy check. Adding a deprecated rule with the same name allows both rules to be in place during the deprecation period, but it confuses the generator.	16:20
bnemec	I think we just need to drop the aliasing if the names match.	16:20
lbragstad	right - only alias if the name is changing to maintain backwards compatibility	16:20
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Only alias when policy names change https://review.opendev.org/672781	16:29
lbragstad	^ works for me locally?	16:29
lbragstad	needs tests	16:30
bnemec	I'm writing a test right now. :-)	16:30
cmurphy	how does the policy even work if it's self referential though?	16:31
bnemec	The policy itself isn't self-referential, just the generated sample is.	16:32
cmurphy	ah	16:32
bnemec	The reason for the same names is so that when we evaluate the rule, we do the OR on the two targets.	16:32
*** Ben78 has joined #openstack-keystone		16:32
bnemec	Hello, fellow Ben. :-)	16:33
*** Ben78 has quit IRC		16:37
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Add test for aliasing behavior when rule names match https://review.opendev.org/672783	16:38
bnemec	lbragstad: ^	16:39
bnemec	It's a little copy-pasty. :-/	16:39
bnemec	Although I guess about half of it needed to change between tests anyway, so it's not _that_ bad.	16:40
lbragstad	sweet	16:41
lbragstad	if those come back clean feel free to roll that together and put yourself as the author :)	16:41
bnemec	We maybe want to squash those?	16:41
lbragstad	++	16:42
bnemec	I intentionally didn't write much of a commit message with that in mind.	16:42
lbragstad	smart	16:42
* bnemec doesn't want to get yelled at by cmurphy ;-)		16:42
* lbragstad doesn't either		16:42
* lbragstad has to run		16:43
*** ayoung has joined #openstack-keystone		16:43
lbragstad	o/	16:43
bnemec	I'll reply to Bernd quick too.	16:45
cmurphy	lol	16:48
bnemec	Urgh. That tests passes when I run it alone, but as part of the full unit test run it fails.	16:49
bnemec	For some reason it's wrapping the description differently. :-/	16:49
bnemec	No, I'm just an idiot.	16:52
bnemec	It helps if you specify the correct test when you run just one test.	16:53
cmurphy	computers just need to be better at guessing what you meant	16:56
bnemec	A "do what I mean, not what I say" button would be _the_ killer feature.	16:59
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Add test for aliasing behavior when rule names match https://review.opendev.org/672783	16:59
bnemec	Okay, that one may actually pass the unit tests.	16:59
*** ivve has quit IRC		17:01
openstackgerrit	Morgan Fainberg proposed openstack/oslo.policy master: Only alias when policy names change https://review.opendev.org/672781	17:11
kmalloc	bnemec: did i just over-write your fix...	17:11
kmalloc	bnemec: ugh sorry if i did.	17:11
openstackgerrit	Morgan Fainberg proposed openstack/oslo.policy master: Add test for aliasing behavior when rule names match https://review.opendev.org/672783	17:12
kmalloc	bnemec: ^ rebased.	17:13
*** jmlowe has joined #openstack-keystone		17:14
bnemec	kmalloc: All good, thanks. I think we're going to squash those two anyway once they are passing ci.	17:22
kplant	cmurphy: it does not but i believe it's after keycloak redirects back to http://sp.keystone.example.org:5000/v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon/postResponse	17:23
kmalloc	bnemec: wfm, +2 on a squash if they are passing.	17:27
openstackgerrit	Merged openstack/keystone master: implement system scope for application credential https://review.opendev.org/670926	17:27
*** vishwanathj has quit IRC		17:30
*** vishwanathj has joined #openstack-keystone		17:34
*** mvkr_ has quit IRC		17:35
cmurphy	kplant: that url looks wrong, the auth url for keystone is just /v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth and the SP postResponse endpoint should be /mellon/postResponse	17:46
kplant	aah so it's incorrectly appending /mellon/postResponse	17:47
gyee	hey guys, I finally have some success in getting Kerberos to work with external auth. But in a kinda unnatural way.	17:49
gyee	it doesn't seem to be supported in keystoneauth1, middleware, or Horizon so I don't know how useful it is	17:50
gyee	I can only get a token with 'curl --negotiate ...' after kinit on an interactive session	17:52
*** dklyle has quit IRC		18:11
*** dklyle has joined #openstack-keystone		18:12
*** jamesmcarthur has joined #openstack-keystone		18:17
*** joshualyle has quit IRC		18:17
kplant	cmurphy: that was the path generated by the mellon script in /usr/libexec/ - should i hand edit it?	18:19
cmurphy	kplant: it would have been based on the endpoint url you provided it i think https://github.com/Uninett/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc#using_mellon_create_metadata_sh	18:28
*** ivve has joined #openstack-keystone		18:35
kplant	that makes sense. i copied the example from here: https://docs.openstack.org/keystone/latest/admin/federation/mellon.html	18:37
kplant	and just s/samltest/keycloak	18:37
cmurphy	hmm i think that example is correct, at least that's what i have in my scripts	18:41
cmurphy	kplant: what do you have for MellonEndpointPath ?	18:42
kplant	/v3/mellon	18:45
kplant	i copied everything from the example	18:45
kplant	i only changed /etc/apache2 to /etc/httpd because centos	18:45
kplant	and samltest -> keycloak	18:45
*** lbragstad has quit IRC		18:51
cmurphy	my script has /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/mellon as the MellonEndpointPath but i'd have to read the mellon_create_metadata script to figure out why	18:53
kplant	i will give that shot here in a second and let you know	18:55
cmurphy	i'm fairly sure i tested the example in the doc too	18:56
cmurphy	so not sure which one is wrong	18:56
kplant	i'll test both in a second	18:58
kplant	i'm redoing the environment from zero again	18:58
kplant	Bad Request	19:07
kplant	Your browser sent a request that this server could not understand.	19:07
kplant	blah	19:07
kplant	that's with 'MellonEndpointPath /v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon'	19:09
*** xek_ has joined #openstack-keystone		19:15
*** xek has quit IRC		19:17
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Only alias when policy names change https://review.opendev.org/672781	19:17
*** jamesmcarthur has quit IRC		19:40
*** jamesmcarthur has joined #openstack-keystone		19:41
*** vishwanathj has quit IRC		19:45
*** jamesmcarthur has quit IRC		19:46
cmurphy	kplant: hmm the other error sounded better	19:50
cmurphy	kplant: what are the paths in the <Location ...> stanzas?	19:50
*** dasp has quit IRC		19:51
kplant	http://paste.openstack.org/show/754872/	19:51
*** ayoung has quit IRC		19:52
*** dasp has joined #openstack-keystone		19:54
cmurphy	i don't see anything wrong, the /v3/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/auth/mellon/postResponse url might actually be right now that i think about it	20:01
cmurphy	only thing i can say is "Expecting to find application/json in Content-Type header" is coming from keystone so i'd hunt in the keystone logs and the apache logs	20:02
kplant	yeah the keystone logs only repeat that error verbatim	20:03
kplant	:-\|	20:03
*** ayoung has joined #openstack-keystone		20:06
*** vishwanathj has joined #openstack-keystone		20:07
*** jamesmcarthur has joined #openstack-keystone		20:11
*** ayoung has quit IRC		20:13
*** kplant has quit IRC		20:18
*** jamesmcarthur has quit IRC		20:19
*** gyee has quit IRC		20:22
*** jamesmcarthur has joined #openstack-keystone		20:30
*** gyee has joined #openstack-keystone		20:59
*** jamesmcarthur has quit IRC		21:00
*** jamesmcarthur has joined #openstack-keystone		21:01
*** jamesmcarthur has quit IRC		21:13
*** kplant has joined #openstack-keystone		21:24
*** whoami-rajat has quit IRC		21:28
*** pcaruana has quit IRC		21:28
*** ivve has quit IRC		21:30
*** jamesmcarthur has joined #openstack-keystone		21:46
*** jamesmcarthur has quit IRC		21:51
*** rcernin has joined #openstack-keystone		22:16
*** jamesmcarthur has joined #openstack-keystone		22:38
*** jamesmcarthur has quit IRC		22:44
*** kplant has quit IRC		22:55
*** jamesmcarthur has joined #openstack-keystone		23:20
*** jamesmcarthur has quit IRC		23:24
*** Ben78 has joined #openstack-keystone		23:29
mnaser	is it possible to use keystonemiddleware without admin credentials?	23:43
mnaser	aka using the token itself to retrieve itself?	23:43
*** Ben78 has quit IRC		23:47
*** jamesmcarthur has joined #openstack-keystone		23:50
*** jamesmcarthur has quit IRC		23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!