Monday, 2020-07-06

10:43 <openstackgerrit> Merged openstack/keystonemiddleware master: Change the default Identity endpoint to internal https://review.opendev.org/662734
14:27 <vishakha> lbragstad: o/. I wanted to discuss regarding #link https://bugs.launchpad.net/keystone/+bug/1886017
14:27 <openstack> Launchpad bug 1886017 in OpenStack Identity (keystone) ""allow expired" feature is broken against json web token" [Medium,Confirmed] - Assigned to Vishakha Agarwal (vishakha.agarwal)
14:31 <lbragstad> vishakha sure - what's up?
14:49 <vishakha> lbragstad: As described in the bug, in json web token we are not able to fetch the expired token info. I happened to see that first, it tries to validate the token [1] https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L145 . Inside validation while doing decoding of the token [2]
14:49 <vishakha> https://github.com/openstack/keystone/blob/3eb8cafb8d19b7f9ff9bb99e82b84a4a0722d5f4/keystone/token/providers/jws/core.py#L180 , it raises expired signature [3] https://github.com/jpadilla/pyjwt/blob/617831697f87207533cca2d85f9924855a875a6e/jwt/api_jwt.py#L196 because the signature is expired.
14:49 <vishakha> In fernet token, it works fine because it gets successfully validated. And after validation, it increases the expiration time [4] https://github.com/openstack/keystone/blob/3eb8cafb8d19b7f9ff9bb99e82b84a4a0722d5f4/keystone/token/provider.py#L191 after validation [5] https://github.com/openstack/keystone/blob/3eb8cafb8d19b7f9ff9bb99e82b84a4a0722d5f4/keystone/token/provider.py#L146
14:55 <vishakha> Without token decode how can I fetch "expires_at" of token. And do something on it.
14:56 <vishakha> ?
14:58 <lbragstad> vishakha i think the fernet works because we're not letting the cryptography library validate token expiration
14:59 <vishakha> lbragstad: Yes, Fernet is not checking the expiration.
14:59 <lbragstad> vishakha one thing we might be able to do would be to break the ExpiredSignatureError exception into its own case
15:00 <lbragstad> and handle it differently
15:04 <vishakha> But if JWT library will raise this exception, it won't be decoded. We will not be able to change its expires_at. I am still not sure how we can handle it differently?
15:09 <lbragstad> i'm checking the pyjwt code quick
15:17 <lbragstad> vishakha what if you try something like this?
15:17 <lbragstad> http://paste.openstack.org/show/795577/
15:18 <lbragstad> vishakha that should short-circuit the _validate_exp() method
15:18 <lbragstad> and give you back the payload
15:18 <lbragstad> for an expired JWT
15:20 <vishakha> lbragstad: True, will work for this case. Thanks
15:21 <lbragstad> vishakha yep - we'll just need to add some tests for it since it doesn't sound like we have any currently?
15:22 <vishakha> I think we wont have any test cases related to this.
15:22 <vishakha> *dont
15:25 <lbragstad> ok - sounds good
16:50 <mnaser> is there an 'expected' issue with ussuri about TypeError's during auth?
16:50 <mnaser> http://paste.openstack.org/show/795581/
16:50 <mnaser> i'm running into this in a few keystone ussuri envs
16:51 <mnaser> https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L421-L423
16:52 <mnaser> so i'm assuming get_role is returning a string for some reason, not a dict
16:52 <mnaser> (sql backend)
16:53 <mnaser> http://paste.openstack.org/show/795582/
16:53 <mnaser> i also have this other one too
16:54 <mnaser> which sounds like check_revocation_v3 is called with token = None
16:56 <mnaser> hmm, _validate_token has `MEMOIZE_TOKENS` decorator
16:56 <mnaser> and this env did have a memcache blip at some point
16:58 <mordred> mnaser: I mean - the sqlbackend has return self._get_role(session, role_id).to_dict()
16:59 <mordred> so I'd expect that to always return a dict - but yeah, if memoize is intercepting
16:59 <mnaser> mordred: i guess i'm looking at the 2nd traceback code down here https://github.com/openstack/keystone/blob/3eb8cafb8d19b7f9ff9bb99e82b84a4a0722d5f4/keystone/token/provider.py#L154
16:59 <mnaser> so maybe for some reason memoize is returning 'None'
17:00 <mnaser> last time this happened, rolling out / restarting the memcache stopped the issue for a bit till it surfaced again (probably when memcache has some sort of connectivity issue)
17:01 <mordred> mnaser: yeah - looking at MEMOIZE_TOKENS this might be a place where oslo.cache needs to be improved
19:09 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Write a symptom for checking memcache connections https://review.opendev.org/737579
20:50 <openstackgerrit> Merged openstack/keystone master: Adding note for create a project without domain info https://review.opendev.org/719656