Thursday, 2020-03-05

01:58 <openstackgerrit> Merged openstack/keystone master: Ignore SQLAlchemy RemovedIn20Warning  https://review.opendev.org/711084
15:39 <knikolla> kplant: not sure if it helps, but this is why it needs to be authtype auth-openidc
15:39 <knikolla> https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect
15:39 <knikolla> you can't do openid connect over the CLI/API, so it needs to fall back to oauth 2.0
15:40 <knikolla> hence you need to allow oauth 2.0 over that endpoint
15:40 <knikolla> either via authtype oauth20, or auth-openidc
15:50 <kplant> knikolla: that makes sense to me since openid-connect expects a full blown browser
15:51 <kplant> i'm just at the point now where oauth20 comes back as 401 and auth-openidc returns a 500
18:28 <knikolla> kplant: can i see your apache config?
18:29 <kplant> sure, one second
18:31 <kplant> knikolla: http://paste.openstack.org/show/790355/
18:31 <kplant> i'm running keystone in a kolla container, it's using wsgi
18:35 <knikolla> kplant: if it helps, this is what we're currently running
18:35 <knikolla> https://github.com/CCI-MOC/rhosp-director-config/blob/5078e4b17a5a3077ca8cacf5bd39ff1a1075d0fb/playbooks/roles/deploy-config/templates/controller_extraconfig.j2.yaml#L35-L74
18:38 <knikolla> are you depending on some claims on the mapping that may not be present in an oauth access token?
18:39 <kplant> oooo
18:39 <kplant> let me check my mapping real fast
18:39 <kplant> and yes that config definitely helps as ooo uses the same kolla container for keystone
18:39 <kplant> *same-ish
18:40 <kplant> yeah i'm grabbing OIDC-preferred_username, OIDC-email and OIDC-groups
18:40 <kplant> so what i do is map a keycloak role, which shows in the OIDC-groups list, to a group in keystone
18:41 <kplant> would the OIDC-* information not be present in an oauth token?
18:53 <knikolla> kplant: we're only using OIDC-preferred_username, and that seems to work fine
18:53 <knikolla> but according to https://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/oidc-improved-support.html
18:53 <knikolla> group membership may not be there.
18:54 <kplant> makes sense since i had to also add jwt to the scope
18:54 <knikolla> i haven't tested it myself. i suggest you fetch a token and hit the introspection endpoint manually and see what comes out.
18:55 <kplant> well maybe what i'm doing is stupid, the reason i'm importing groups (keycloak roles) is to be able to define what projects a user belongs to in keycloak
18:55 <kplant> is there a better way to do that?
18:56 <knikolla> kplant: i guess it depends on your use case and requirements. groups work well in the browser, but you can't create things like application_credentials for now.
18:56 <kplant> yeah i noticed that, johnthetubaguy recommended application_credentials and they seem fantastic
18:57 <kplant> but since i'm using groups they don't work for me, as you said
18:57 <knikolla> in our case, we store the project membership in keystone, and only use keycloak for authentication. so we have different requirements.
18:59 <knikolla> i'm working on enabling application_credentials support for groups that a user is mapped to, but that will be in the next release, ussuri.
18:59 <kplant> i might need to do the same, that would totally explain the 401s with the oauth endpoint
18:59 <knikolla> until then you might have to store the assignments into keystone.
19:00 <kplant> yeah, just stinks since we have more than one keystone
19:00 <kplant> was hoping to federate those relationships as well
19:10 <kplant> knikolla: thanks a lot for your help these last few days. i'm going to play around with the mapping
19:10 <kplant> i think you're right, that makes too much sense
19:10 <knikolla> kplant: np :)
19:11 <kplant> thanks for your config as well - i'm totally going to rip that off
20:22 <kplant> knikolla: stupid question, how did you add users from the keycloak idp into keystone projects? my keycloak users appear to be imported into a different domain
20:23 <knikolla> kplant: not a stupid question at all. i use adjutant to have users apply for projects and manage users in them.
20:24 <kplant> this looks excellent
20:24 <kplant> thank you!
20:25 <kplant> but my question was a little different, i think
20:25 <kplant> i have a "Default" domain
20:25 <kplant> and the keycloak users appear to be federated in another domain
20:25 <knikolla> kplant: domain doesn't really matter. you can have people assigned to roles on projects in a different domain.
20:25 <kplant> that's what i thought, the dashboard doesn't seem too happy with that. unless i just need to enable multi-domain in local_settings
20:26 <knikolla> yeah, horizon is a bit weird with that.
20:27 <knikolla> give multi-domain a shot
20:27 <kplant> i'm still getting 401s but i'm not actually believing the user was added
20:27 <kplant> i'm going to remove the keycloak role and see if the dashboard still works
20:27 <knikolla> does the user appear via command-line?
20:27 <knikolla> i don't think they'll show up in horizon when you list users
20:28 <kplant> yeah that's the behavior i see as well
20:28 <kplant> yes to cli, no to dashboard
20:28 <knikolla> what release are you running?
20:28 <kplant> train
20:29 <knikolla> can't help you there. most of the management we do is from CLI, so that hasn't impacted us much.
20:30 <knikolla> would have thought this to be fixed in horizon by now, but /shrug
20:30 <kplant> i don't mind the dashboard being incomplete in this instance - just thought it may have represented the user not actually being added
20:30 <kplant> but it's definitely there, dashboard login for the user still works... but getting 401s on the cli
20:33 <kplant> was there any configuration you needed to do on the keycloak side?
20:38 <knikolla> just the standard new client fare
20:41 <kplant> found something interesting
20:41 <kplant> oidc_cache_shm_set: could not store value since key size is too large
20:42 <kplant> and: -4005-91fc-9f6dcee242ac - - - - -] Could not map any federated user properties to identity values. Check debug logs or the mapping used for additional details.: AuthMethodNotSupported: Attempted to authenticate with an unsupported method.
20:42 <kplant> getting closer, i think
20:45 <kplant> i'll play with this more tomorrow
20:45 <kplant> knikolla: thanks again for all your help

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!