Wednesday, 2016-11-23

00:12 <stevemar> morgan_: i was, but i'm online now
00:12 <stevemar> in a metal tube!
00:13 <morgan_> sec. need to plug in laptop
00:15 *** jperry has quit IRC
00:17 *** browne has joined #openstack-keystone
00:19 <openstackgerrit> Merged openstack/keystoneauth: Add reauthenticate to generic plugins  https://review.openstack.org/400550
00:48 *** diazjf has joined #openstack-keystone
00:51 *** browne has quit IRC
00:52 *** anush has quit IRC
00:52 *** guoshan has joined #openstack-keystone
00:57 *** guoshan has quit IRC
00:58 *** diazjf has quit IRC
01:00 *** agrebennikov has quit IRC
01:12 <stevemar> rodrigods: lbragstad breton last of the doc patches: https://review.openstack.org/#/c/399781/
01:17 *** chrisplo has quit IRC
01:28 *** guoshan has joined #openstack-keystone
01:30 *** chrisplo has joined #openstack-keystone
01:31 *** Alagar has joined #openstack-keystone
01:34 *** dave-mccowan has joined #openstack-keystone
01:35 *** chrisplo has quit IRC
01:41 *** anush has joined #openstack-keystone
01:45 *** ravelar has quit IRC
01:46 *** ravelar has joined #openstack-keystone
02:01 *** diazjf has joined #openstack-keystone
02:08 *** zhangjl has joined #openstack-keystone
02:09 *** anush has quit IRC
02:11 *** dave-mcc_ has joined #openstack-keystone
02:12 *** dave-mccowan has quit IRC
02:13 *** anush has joined #openstack-keystone
02:13 *** dave-mccowan has joined #openstack-keystone
02:14 *** chrisplo has joined #openstack-keystone
02:16 *** dave-mcc_ has quit IRC
02:18 *** dave-mccowan has quit IRC
02:21 *** tqtran has quit IRC
02:30 *** jamielennox is now known as jamielennox|away
02:39 *** dave-mccowan has joined #openstack-keystone
02:39 *** anush has quit IRC
02:43 *** ravelar has quit IRC
02:45 *** asettle has joined #openstack-keystone
02:48 *** dave-mccowan has quit IRC
02:50 *** asettle has quit IRC
02:52 *** Alagar has quit IRC
02:53 *** Alagar has joined #openstack-keystone
02:55 *** Alagar has quit IRC
02:58 *** Alagar has joined #openstack-keystone
02:59 *** jamielennox|away is now known as jamielennox
03:03 *** adriant has quit IRC
03:11 *** ravelar has joined #openstack-keystone
03:11 *** ravelar has quit IRC
03:24 *** anush has joined #openstack-keystone
03:27 *** catintheroof has joined #openstack-keystone
03:34 *** udesale has joined #openstack-keystone
03:37 *** adriant has joined #openstack-keystone
03:40 *** catintheroof has quit IRC
03:42 *** links has joined #openstack-keystone
03:59 <openstackgerrit> Merged openstack/keystone: Improvements in error messages  https://review.openstack.org/400715
04:02 *** markvoelker has quit IRC
04:07 <openstackgerrit> Steve Martinelli proposed openstack/keystone: clean up developer docs  https://review.openstack.org/399781
04:07 *** guoshan has quit IRC
04:09 <stevemar> thanks davechen :)
04:10 <stevemar> jamielennox: please comment on the bug you and lbragstad were chatting about
04:17 *** GB21 has joined #openstack-keystone
04:18 *** anush has quit IRC
04:22 *** GB21 has quit IRC
04:23 *** guoshan has joined #openstack-keystone
04:24 *** Alagar has quit IRC
04:33 <openstackgerrit> Adrian Turjak proposed openstack/keystone: adding combined password and totp auth plugin  https://review.openstack.org/343422
04:34 *** guoshan has quit IRC
04:34 *** GB21 has joined #openstack-keystone
04:44 *** Alagar has joined #openstack-keystone
04:44 *** arunkant__ has joined #openstack-keystone
04:48 *** arunkant_ has quit IRC
04:48 *** diazjf has quit IRC
04:48 *** diazjf has joined #openstack-keystone
04:50 *** diazjf has quit IRC
04:53 <openstackgerrit> Merged openstack/ldappool: Expose SERVER_DOWN if connection fails  https://review.openstack.org/395013
04:53 <openstackgerrit> Merged openstack/ldappool: update README to reflect actual ldap dependency  https://review.openstack.org/396908
04:56 *** josecastroleon has joined #openstack-keystone
05:02 *** guoshan has joined #openstack-keystone
05:12 *** guoshan has quit IRC
05:16 *** Alagar has quit IRC
05:20 *** Alagar has joined #openstack-keystone
05:52 *** Alagar has quit IRC
06:02 *** adriant has quit IRC
06:02 *** markvoelker has joined #openstack-keystone
06:06 *** adu has joined #openstack-keystone
06:06 *** guoshan has joined #openstack-keystone
06:08 *** markvoelker has quit IRC
06:12 *** Alagar has joined #openstack-keystone
06:42 *** richm has quit IRC
07:08 *** qwertyco has joined #openstack-keystone
07:11 *** adu has quit IRC
07:12 *** tesseract has joined #openstack-keystone
07:12 *** Alagar has quit IRC
07:12 *** Alagar has joined #openstack-keystone
07:13 *** tesseract is now known as Guest59528
07:21 *** GB21 has quit IRC
07:39 *** arunkant_ has joined #openstack-keystone
07:43 *** arunkant__ has quit IRC
07:53 *** GB21 has joined #openstack-keystone
07:57 *** josecastroleon has quit IRC
08:07 <openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472
08:29 *** jaosorior has joined #openstack-keystone
08:30 *** jpich has joined #openstack-keystone
08:43 *** amoralej|off is now known as amoralej
08:46 *** josecastroleon has joined #openstack-keystone
08:48 *** Alagar has quit IRC
09:00 *** zzzeek has quit IRC
09:02 *** zzzeek has joined #openstack-keystone
09:05 *** asettle has joined #openstack-keystone
09:06 *** StefanPaetowJisc has joined #openstack-keystone
09:09 *** udesale has quit IRC
09:10 *** udesale has joined #openstack-keystone
09:16 *** StefanPaetowJisc has quit IRC
09:16 *** StefanPaetowJisc has joined #openstack-keystone
09:32 *** markvoelker has joined #openstack-keystone
09:37 *** markvoelker has quit IRC
10:01 *** StefanPaetowJisc has quit IRC
10:11 *** zhangjl has quit IRC
10:21 *** jamielennox is now known as jamielennox|away
10:22 *** guoshan has quit IRC
10:40 *** qwertyco has quit IRC
10:50 *** udesale has quit IRC
11:01 *** rakhmerov has quit IRC
11:05 *** rakhmerov has joined #openstack-keystone
11:13 *** richm has joined #openstack-keystone
11:14 *** GB21 has quit IRC
11:22 *** guoshan has joined #openstack-keystone
11:27 *** guoshan has quit IRC
11:30 *** GB21 has joined #openstack-keystone
11:38 <openstackgerrit> Johannes Grassler proposed openstack/keystone-specs: Added spec on standalone trusts  https://review.openstack.org/396634
11:40 *** josecastroleon has quit IRC
11:49 *** mvk has quit IRC
11:54 *** nicolasbock has joined #openstack-keystone
12:03 *** openstackgerrit has quit IRC
12:03 *** openstackgerrit has joined #openstack-keystone
12:05 *** raildo has joined #openstack-keystone
12:05 *** GB21 has quit IRC
12:09 *** catintheroof has joined #openstack-keystone
12:12 *** GB21 has joined #openstack-keystone
12:15 *** catintheroof has quit IRC
12:17 *** GB21 has quit IRC
12:19 *** mvk has joined #openstack-keystone
12:20 *** catintheroof has joined #openstack-keystone
12:23 *** guoshan has joined #openstack-keystone
12:24 *** josecastroleon has joined #openstack-keystone
12:28 *** guoshan has quit IRC
12:35 *** spligak has quit IRC
12:36 *** spligak has joined #openstack-keystone
12:43 *** GB21 has joined #openstack-keystone
12:44 *** catintheroof has quit IRC
12:49 *** arunkant__ has joined #openstack-keystone
12:52 *** arunkant_ has quit IRC
12:54 *** links has quit IRC
13:01 *** arunkant_ has joined #openstack-keystone
13:05 *** arunkant__ has quit IRC
13:06 *** GB21 has quit IRC
13:07 *** arunkant__ has joined #openstack-keystone
13:09 *** anush has joined #openstack-keystone
13:11 *** arunkant_ has quit IRC
13:16 *** rmstar has quit IRC
13:19 *** Guest59528 has quit IRC
13:20 *** amoralej is now known as amoralej|lunch
13:26 *** anush has quit IRC
13:28 *** markvoelker has joined #openstack-keystone
13:39 *** lamt has joined #openstack-keystone
13:41 *** arunkant_ has joined #openstack-keystone
13:45 *** arunkant__ has quit IRC
13:58 *** udesale has joined #openstack-keystone
13:58 *** udesale has quit IRC
13:59 *** udesale has joined #openstack-keystone
13:59 *** udesale has quit IRC
14:00 *** udesale has joined #openstack-keystone
14:02 *** anush has joined #openstack-keystone
14:14 *** pcaruana has quit IRC
14:20 *** code-R has joined #openstack-keystone
14:22 *** amoralej|lunch is now known as amoralej
14:25 *** arunkant__ has joined #openstack-keystone
14:28 *** arunkant_ has quit IRC
14:32 *** tesseract has joined #openstack-keystone
14:33 *** tesseract is now known as Guest48653
14:33 <stevemar> o/
14:33 * stevemar wonders if anyone is online today :)
14:39 *** Guest48653 has quit IRC
14:39 <raildo> stevemar, I believe just the brazilian guys :P
14:39 *** tesseract- has joined #openstack-keystone
14:39 <EmilienM> stevemar: hey!
14:40 <stevemar> EmilienM: hey yourself :)
14:40 <EmilienM> stevemar: I was curious why Keystone itself doesn't want to deal with Fernet key rotation (using Swift for example)
14:40 <EmilienM> to me, it's bad UX for operators that run Keystone on multiple nodes, since they have to deal with fernet key rotation themselves
14:42 <dstanek> EmilienM: there are much better tools to manage rotation of secrets/certs/etc
14:44 <stevemar> EmilienM: yeah, there are a lot of options you can use, rsync, redis, whatever you want
14:44 <stevemar> we didn't want to make anything a hard dependency
14:44 <EmilienM> mhh ok. I was just curious why we don't have this thing in keystone as a tool
14:44 <EmilienM> maybe using swift or something
14:46 <dstanek> EmilienM: it's also best not to push our deployment biases on users
14:49 *** tesseract- has quit IRC
14:53 *** jaosorior has quit IRC
14:54 *** jaosorior has joined #openstack-keystone
15:07 <breton> o/
15:08 <stevemar> o\
15:09 <lbragstad> stevemar jamielennox|away was there a spec or bug for keystoneauth to use the identity entry in the service catalog instead of the one in configuration?
15:09 *** josecastroleon has quit IRC
15:09 *** jaosorior has quit IRC
15:10 *** jaosorior has joined #openstack-keystone
15:11 *** josecastroleon has joined #openstack-keystone
15:12 <lbragstad> stevemar jamielennox|away i'm not seeing one, but I assume the reason behind using the identity entry in the service catalog was for discovery purposes?
15:14 *** ravelar has joined #openstack-keystone
15:15 *** chris_hultin|AWA is now known as chris_hultin
15:16 <stevemar> lbragstad: no bug that i know of
15:16 <zzzeek> heya, getting this keystone test failure related to passlib : http://paste.openstack.org/show/590221/
15:16 <lbragstad> stevemar it's simply a side effect of automatic discovery
15:16 <zzzeek> is that happening anywhere else?  this is in my sqlalchemy-specific suite
15:16 <stevemar> sounds unlikely we would make that backwards incompatible
15:17 <stevemar> lbragstad: ^
15:18 <stevemar> zzzeek: considering passlib 1.7.0 released on 2016-11-23 ...
15:18 <dstanek> zzzeek: looks like they released a new version of passlib today
15:18 <zzzeek> dstanek / stevemar yep
15:18 <stevemar> we'll probably have a broken gate soon :)
15:19 <zzzeek> stevemar: well, you heard it here first ! :)
15:20 <dstanek> zzzeek: i'm taking a look. it should be something easy for us to merge
15:20 <zzzeek> dstanek: ya
15:20 <lbragstad> zzzeek dstanek working on a patch now, running tests locally
15:20 <stevemar> zzzeek: file a bug?
15:20 <zzzeek> ok
15:21 *** agrebennikov has joined #openstack-keystone
15:21 <dstanek> lbragstad: nice
15:21 <zzzeek> https://bugs.launchpad.net/keystone/+bug/1644263
15:21 <openstack> Launchpad bug 1644263 in OpenStack Identity (keystone) "passlib 1.7.0 deprecates sha512_crypt.encrypt() " [Undecided,New]
15:23 <knikolla> ayoung: found an old paper notebook of yours in the drawer here
15:24 <ayoung> knikolla, the one with all the dirty pictures in it?
15:24 <ayoung> actually, don't answer that
15:25 <knikolla> ayoung: if by dirty pictures you mean federation diagrams, yes
15:25 <ayoung> knikolla, what does the cover look like?  And, are there only a few pages filled in at the front?  It might have been something I grabbed specifically for a meeting
15:25 <ayoung> not sure if it is something I'd like to have back or not
15:25 *** chlong has joined #openstack-keystone
15:27 <knikolla> ayoung: it's completely filled out. sending you a picture by email.
15:27 <ayoung> knikolla, thanks
15:29 <knikolla> ayoung: sent.
15:30 *** pnavarro has joined #openstack-keystone
15:30 *** pnavarro has quit IRC
15:31 <dstanek> knikolla: federation diagrams? that's disgusting ayoung, you have a dirty mind
15:31 <ayoung> dstanek, that is the light stuff.  It was the "dynamic policy" stuff that got me banned in Boston
15:32 *** udesale has quit IRC
15:33 <lbragstad> dstanek lol
15:34 <dstanek> ayoung: :-)
15:34 *** chlong has quit IRC
15:35 <dstanek> i heard that dynamic policy is illegal in 28 states
15:35 <lbragstad> dstanek *only* 28? I hear colorado's making a killing off taxing it
15:37 *** anush has quit IRC
15:40 <openstackgerrit> Merged openstack/keystone: clean up developer docs  https://review.openstack.org/399781
15:41 *** josecastroleon has quit IRC
15:42 *** josecastroleon has joined #openstack-keystone
15:43 <ayoung> knikolla, Oh, I definitely want that one
15:43 <ayoung> that notebook actually means something to me
15:43 <ayoung> not the book itself, but the binder it is in.  Grab it and I will get it from you after Thanksgiving
15:45 *** nkinder has quit IRC
15:46 <knikolla> ayoung: ok, sure.
15:49 *** spilla has joined #openstack-keystone
15:49 *** chlong has joined #openstack-keystone
15:55 <lbragstad> reminder that the policy meeting will be starting in 5 minutes
15:56 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/401328
15:57 <gagehugo> lbragstad what channel is the meeting in? Here again?
15:58 <lbragstad> gagehugo nope it will be in #openstack-meeting-cp
15:58 <gagehugo> ah ok ty
15:58 <lbragstad> gagehugo official ical is here http://eavesdrop.openstack.org/#Keystone_Policy_Meeting
15:59 <gagehugo> ok cool
16:04 <lbragstad> ayoung policy meeting in #openstack-meeting-cp if you're interested
16:04 <ayoung> lbragstad, ah, thanks.  Was thinking it was here
16:07 *** code-R has quit IRC
16:08 *** arunkant_ has joined #openstack-keystone
16:09 *** thinrichs has joined #openstack-keystone
16:10 *** cnf has left #openstack-keystone
16:11 *** thinrichs has quit IRC
16:12 *** arunkant__ has quit IRC
16:12 <openstackgerrit> Andrew Bogott proposed openstack/keystone: Send the identity.deleted.role_assignment after the deletion  https://review.openstack.org/401332
16:15 *** josecastroleon has quit IRC
16:15 *** arunkant__ has joined #openstack-keystone
16:17 *** josecastroleon has joined #openstack-keystone
16:19 *** arunkant_ has quit IRC
16:32 *** daemontool has joined #openstack-keystone
16:51 *** josecastroleon has quit IRC
16:53 *** josecastroleon has joined #openstack-keystone
16:57 *** diazjf has joined #openstack-keystone
17:00 *** ruan_06 has joined #openstack-keystone
17:00 <ayoung> ktychkova, you understand my concern?
17:00 <lbragstad> policy meeting overflow!
17:00 <ayoung> not on caching, but on scoping?
17:00 *** thinrichs_ has joined #openstack-keystone
17:01 *** thinrichs1 has joined #openstack-keystone
17:01 <ayoung> ktychkova, let me ask it this way:
17:01 *** thinrichs_ has quit IRC
17:01 <ktychkova> ayoung: no projects in AF
17:01 <ktychkova> the picture is like this: https://2.bp.blogspot.com/-OXBN4KtR4fw/V7l5i0RXPZI/AAAAAAAAHKc/gHjIvTEhTPE5Z3N7vv3oBDHWzv71MTm7ACLcB/s1600/fig4.png
17:01 <ayoung> How do you define a role, or assign a role, in Fortress
17:01 <thinrichs1> ayoung: the blog is pretty good at showing that.
17:01 <ktychkova> you have Object, Operation and a Role
17:02 <thinrichs1> A place to define user-role assignments and role-permission assignments (and role-hierarchies if I remember right)
17:02 <ruan_06> ktychkova:  do you mean that one role in AF works for all projects?
17:02 <ktychkova> User has a Role to perform Operation with Object
17:02 <ayoung> ok, so what Fortress calls a role in Keystone is really a role assignment:
17:02 <ayoung> or a part of the role assignment:
17:02 <ayoung> role is a reusable label
17:03 <ayoung> but the role as Fortress defines it (and NIST RBAC) is the tuple (role, project)
17:03 <ayoung> ktychkova, Do you see the disconnect?
17:04 <ktychkova> Yes, I see
17:06 <ruan_06> can we make one AF per project?
17:06 <ktychkova> ruan_06 - you don't need it
17:06 <ayoung> ruan_06, no
17:06 <thinrichs1> It's not clear to me that Keystone's notion of roles matters here b/c all the roles/users/rights would be handled by AF.
17:06 <ayoung> thinrichs1, heh
17:07 <ayoung> you might be right, but it would be a disconnect with much of the API
17:07 <thinrichs1> Keystone would validate tokens (authenticate), and AF would handle access control (authorization).  Or am I missing something?
17:07 <ktychkova> thinrichs1: it is my point
17:07 <ayoung> enumeration and operations are typically done based on the project
17:08 <ayoung> It would be a parallel authentication scheme, and, I think, not very scalable
17:08 <ayoung> it would provide no insulation for multi-tenancy
17:08 <ruan_06> ktychkova: yes, this is also what ayoung called baseline + external PDP
17:08 <ktychkova> so, operators can have project1_admin role and project2_admin role
17:08 <ayoung> ah, but then there is no scope check
17:08 <thinrichs1> parallel authentication?  or authorization
17:09 <ayoung> that is the problem: the scope of the resource is in the database, and needs to be passed to oslo policy explicitly
17:09 <ayoung> and those rules, as hard coded as they seem, really should not be externalized from policy
17:09 <ayoung> so I think we would have to leave those rules in place.
17:09 <ruan_06> ayoung:  agree, the key issue is that scope and role information are not in the right place now
17:10 <ayoung> oslo could pass something like:  resource.project_name to apache fortress, but then fortress would need to know how to map that to the global role
17:10 <thinrichs1> So you're saying that when user 'alice' asks for 'delete' rights on server 'foo', some database knows that 'foo' belongs to project 'p' and therefore the decision needs to be based on 'alice', 'delete', 'foo', and 'p'.  Correct?
17:10 <ruan_06> we can define some roles like project1_admin, project2_admin, etc
17:11 <lbragstad> thinrichs1 yeah - something like that... alice shouldn't be able to delete servers in project 'bar' even though she has the role to do so
17:12 <ayoung> thinrichs1, right on
17:12 <lbragstad> thinrichs1 so policy in this case consists of a role check (does this user have the required role to perform the action) and a scope check (does the user have the required role on the project that owns the resource they want to act on)
17:12 <ayoung> thinrichs1, and  that database varies from service to service
17:13 <ayoung> one of the reasons for my proposal was based on earlier feedback from a dynamic policy proposal that ran afoul of lots of these issues
17:13 <thinrichs1> Definitely not straight up RBAC then.  Best I could see is ayoung's suggestion of forwarding the project that the resource belongs to to the external PDP.
17:13 <ayoung> samueldmq did a proof of concept, even.  Demoed it at the Keystone midcycle in Boston 1.5 years ago
17:14 <ayoung> the biggest issue was that the collection of policy files was damned near impossible
17:14 <samueldmq> ayoung: o/
17:14 <ayoung> samueldmq, you have a public git repo with the dynamic policy code?
17:14 <thinrichs1> ruan_06: In AF the roles are hidden from the outside, so I don't see how adding the project1_admin, project2_admin roles would help
17:14 <lbragstad> ktychkova so just to summarize - AF doesn't do anything with the scope check, it essentially just does a role check, right?
17:14 <samueldmq> ayoung: I don't think I have that anymore
17:14 <ayoung> samueldmq, sad face
17:14 <samueldmq> ayoung: I had a few patches up with the code
17:15 <samueldmq> ayoung: but I abandoned them a long time ago
17:15 <samueldmq> :-(
17:15 <thinrichs1> lbragstad: talk of role-check and scope-check makes more sense to me now.
17:15 <ayoung> samueldmq, so I did figure out how to deal with the "which policy do we fetch" question.   But it is academic for now
17:15 *** jaosorior has quit IRC
17:15 <lbragstad> thinrichs1 good deal... it takes a while to step back and really look at everything
17:15 <ktychkova> lbragstad: in such terms: yes, no project scope
17:15 <lbragstad> ktychkova but you worked around it somehow?
17:16 <samueldmq> ayoung: cool. how is it ?
17:18 <ayoung> samueldmq, instead of fetching by endpoint ID, we create a string and fetch by that string
17:18 <ktychkova> lbragstad: by having roles like project1_admin
17:18 <ayoung> the strings can be pre-positioned in the config files
17:18 <ayoung> for most, it will be the service name
17:18 <ayoung> but it can really be anything
17:18 <ayoung> so compute by default, but trusted-compute for those with extra security
17:19 <ayoung> kind of like git tags
17:19 <ktychkova> could I ask all of you to write comments on my patch - so I can answer?
17:19 <samueldmq> ayoung: so basically we forget about the current endpoint classification
17:19 <lbragstad> ktychkova ah - got it... so you have to duplicate roles for each project, so that each project has its own admin role, etc...
17:19 <samueldmq> ayoung: and create a new one for fetching policies
17:19 <ayoung> right
17:19 <ayoung> samueldmq, https://review.openstack.org/#/c/298788/
17:20 <lbragstad> ktychkova the oslo.policy patch? or the etherpad?
17:20 <ktychkova> the oslo.policy patch would be the best place, I think
17:21 <ktychkova> https://review.openstack.org/#/c/237521/
17:21 <ruan_06> I agree in principle, but can we make it more general instead of only AF?
17:22 <lbragstad> ktychkova cool
17:22 <ruan_06> in order to support other external PDPs
17:22 <ktychkova> + to support other external PDPs, it would be great
17:22 <thinrichs1> +1 to that
17:23 *** josecastroleon has quit IRC
17:23 <thinrichs1> Got to run.  Thanks all!
17:23 <ruan_06> I think for the first step, some information may be duplicated in both Keystone and the external PDP; we can decide later where the best place to store it is
17:24 *** josecastroleon has joined #openstack-keystone
17:26 <samueldmq> ayoung: allow operators to upload policy files to keystone via keystone manage
17:26 <samueldmq> ayoung: use middleware to distribute those files
17:27 <samueldmq> ayoung: upon upgrade, they decide how to merge the current policy in keystone with the new policy file coming with the new version of the service
17:27 <ayoung> samueldmq, yeah...but we can come back to that.  I still think that splitting RBAC into two layers is the right approach
17:27 <ayoung> do the RBAC check in middleware, the policy can be done later
17:27 <samueldmq> ayoung: for now, only allow policies fetch per service. I think that's how people use it anyways, one per service
17:27 <ayoung> and it becomes a lot less compelling
17:27 <ayoung> samueldmq, that is why a TAG
17:27 <ayoung> THE DEFAULT tag is the service name
17:28 <samueldmq> ayoung: I see doing the check of roles in the middleware going orthogonal to distributing the policies
17:28 *** hogepodge has joined #openstack-keystone
17:28 <ayoung> samueldmq, ++
17:28 <samueldmq> ayoung: we don't need to really split the file to split the checks
17:29 <samueldmq> ayoung: the role check can be done by looking at the roles in the rules and ignoring the rest of it
17:29 <ruan_06> lbragstad:  conclusion for external PDP support?
17:33 <lbragstad> ruan_06 what do you mean?
17:33 *** hogepodge has quit IRC
17:34 <ruan_06> lbragstad:  if most of us agree, we enable the external PDP approach through https://review.openstack.org/#/c/237521/
17:35 <lbragstad> ruan_06 yeah - I don't see a problem with that if we have a seamless way to work that into oslo.policy. I don't think we should *require* an external PDP or PEP by default, but I think it is a good enhancement to consider for sure
17:36 <ruan_06> lbragstad: yes, as an option
17:43 *** hogepodge has joined #openstack-keystone
17:46 *** daemontool has quit IRC
17:46 *** thinrichs1 has quit IRC
17:50 *** chlong has quit IRC
17:53 *** spligak has quit IRC
17:54 *** josecastroleon has quit IRC
17:54 <lbragstad> yo - is anyone here planning on going to the horizon+keystone meeting tomorrow?
17:55 *** josecastroleon has joined #openstack-keystone
17:56 *** dave-mccowan has joined #openstack-keystone
17:57 *** dave-mccowan has quit IRC
17:58 *** thinrichs has joined #openstack-keystone
17:58 <rderose> lbragstad: is that a trick question :)
17:59 <lbragstad> O.o maybe?!
17:59 <rderose> lbragstad: no, I'm not planning on attending :)
18:02 *** amoralej is now known as amoralej|off
18:03 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/401328
18:09 <samueldmq> lbragstad: so .encrypt is deprecated in 1.6 and the alternative is only available in 1.7 ?
18:09 <samueldmq> lbragstad: sounds odd
18:09 <lbragstad> samueldmq yeah - kinda
18:10 <lbragstad> they suggest you move to 1.7 but it seems like .encrypt was removed in 1.7
18:10 <lbragstad> and 1.6.5 doesn't have .using()
18:10 <lbragstad> which is apparently the recommended way to use rounds
18:10 * lbragstad shrug
18:10 <lbragstad> i could be doing something wrong
18:13 <samueldmq> lbragstad: maybe. I am fine with that, just found it odd
18:13 *** martinus__ has quit IRC
18:14 <samueldmq> lbragstad: I left a comment there. we should add a test to make sure both approaches give the same result
18:14 <samueldmq> lbragstad: otherwise existing encrypted passwords will become "uncheckable"
18:16 *** martinus__ has joined #openstack-keystone
18:17 <samueldmq> lbragstad: hmm, however we can't really check if the function is removed in 1.7. there should be a version with both the deprecation and the alternative approach
18:19 <samueldmq> lbragstad the message in the bug report says: "crypt.encrypt() is deprecated as of Passlib 1.7, and will be removed in Passlib 2.0, use .hash() instead."
18:19 <samueldmq> however we have 1.6 in requirements ... doesn't make sense to me
18:20 <samueldmq> ah passlib>=1.6 .. nevermind
18:21 <lbragstad> samueldmq we have a bunch of hash password tests here - https://github.com/openstack/keystone/blob/master/keystone/tests/unit/common/test_utils.py#L74
18:21 <samueldmq> lbragstad: yes, but they'd still pass if we hashed it in a backward incompatible way
18:22 <lbragstad> samueldmq is there a way we can install two versions of passlib for the same test?
18:22 <samueldmq> lbragstad: no. but according to the bug report it's deprecated in 1.7 and removed only in 2.0
18:22 *** thinrichs has left #openstack-keystone
18:23 <samueldmq> lbragstad: pinning it to 1.7 for some time would allow us to verify the equivalency
18:23 <samueldmq> if that makes sense to you
18:24 *** diazjf has quit IRC
18:25 <lbragstad> samueldmq yeah - that makes sense
18:25 *** josecastroleon has quit IRC
18:25 <lbragstad> i don't think the problem is .encrypt being removed in 1.7
18:25 <lbragstad> it's a problem of 1.6.5 not having .using()
18:25 <lbragstad> let me try something else quick
18:26 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/401328
18:26 <samueldmq> lbragstad: yes. I agree with you on that
18:26 *** josecastroleon has joined #openstack-keystone
18:27 <lbragstad> ah - stevemar already got it
18:27 <lbragstad> nevermind
18:27 <stevemar> lbragstad:  :)
18:27 <lbragstad> i got mixed up reading the 1.7 documentation
18:27 <stevemar> samueldmq: lbragstad: i was thinking we could do a check for versions
18:27 <lbragstad> i was looking at http://pythonhosted.org/passlib/lib/passlib.hash.sha256_crypt.html
18:28 <stevemar> if < 1.7 then encrypt(), else hash
18:28 <lbragstad> which specifies `.using()` when passing rounds
18:28 <samueldmq> stevemar: yeah, but I believe we should have a test anyways
18:28 *** tqtran has joined #openstack-keystone
18:28 <samueldmq> stevemar: to make sure the new approach is backwards compatible
18:29 <samueldmq> stevemar: you don't want to upgrade passlib and suddenly not be able to validate passwords anymore :-)
18:29 <stevemar> a test to make sure encrypt() and hash() return the same value?
18:29 <samueldmq> stevemar: yeah ^
18:29 <samueldmq> makes sense ?
18:30 <stevemar> meh, at that point we're testing passlib :P
18:30 <stevemar> and if they actually remove encrypt in 1.8.0 then we'll have another break
18:30 <samueldmq> or at least the way we're using it
18:30 <stevemar> i mean, you can add the test, more tests are never a bad thing
18:30 <stevemar> but i'm not getting hung up on it
18:31 <samueldmq> I'd like to at least validate somehow that we are making the right update on how we use passlib
18:31 <samueldmq> maybe a test. maybe pointing to the docs that say use Y instread of X now and you will have the same result
18:32 <lbragstad> http://cdn.pasteraw.com/kvyyau3b10uovf5cj3oop6pqrefh4qa
18:32 <samueldmq> instead
18:32 <samueldmq> lbragstad: that's a completely different result
18:33 <samueldmq> we'd be breaking all local users with that :p
18:33 <lbragstad> hmm
18:33 <lbragstad> so .encrypt() is deprecated...
18:33 <lbragstad> and we have to move to .hash()
18:33 <lbragstad> but .hash() isn't backwards compatible
18:33 <samueldmq> stevemar: see lbragstad's paste ^
18:33 *** richm has quit IRC
18:34 <samueldmq> lbragstad: we need to figure out what the alternative is which is backwards compatible
18:34 <stevemar> samueldmq: run it again :)
18:34 <zzzeek> if encrypt() / hash() don't produce the same results shouldn't a bug report be made in passlib?
18:34 <lbragstad> stevemar http://pythonhosted.org/passlib/narr/hash-tutorial.html#password-hash-examples
18:34 <zzzeek> because it breaks all password hashes made w/ the old system
18:35 <lbragstad> zzzeek yeah - i would think so
18:35 <samueldmq> zzzeek: ++ agreed, that's exactly the point
18:35 * zzzeek avoids lots of these flashy "For Humans" libraries for reasons like these
18:35 *** markvoelker has quit IRC
18:36 <stevemar> samueldmq: you'll get a different result every time you hash ;)
18:36 <zzzeek> I say, take the source code of 1.6 and vendor it into oslo.passwordhash :)
18:36 <samueldmq> stevemar: even better!
18:36 <stevemar> samueldmq: http://paste.openstack.org/show/590245/
18:37 <zzzeek> also what happened to good old bcrypt for password hashing
18:37 <samueldmq> stevemar: so how does that work ? oO
18:37 <lbragstad> so a proper test would be hashing with the new way and making sure we can verify with the old way
18:37 <samueldmq> stevemar: if it was always like that, we shouldn't be able to validate any password
18:38 *** caiobrentano_ has joined #openstack-keystone
18:38 <samueldmq> lbragstad: yes
18:38 <samueldmq> lbragstad: no
samueldmqlbragstad: passwords hashed in the old way can be verified in the new ay18:38
samueldmq:-)18:38
lbragstadsamueldmq sure18:38
stevemarlbragstad: samueldmq that would be a better test, yes18:39
caiobrentano_hi all... someone could give me some help troubleshooting healthcheck middleware in keystone?18:40
rodrigodsthe hash is not supposed to be equal, it has to be random somehow - otherwise we would be weak to dictionary attacks18:40
stevemarcaiobrentano_: just ask away :)18:41
stevemarcaiobrentano_: i think jlk uses it?18:41
caiobrentano_It is properly configured following the docs... but I'm getting 404 when I hit keystone:5000/healthcheck18:41
lbragstadso - just because the hashes don't match doesn't mean they aren't validatable http://cdn.pasteraw.com/o0kcw673hwss6bnru92sv1s2eyll9pb18:41
lbragstadsamueldmq stevemar ^18:42
rodrigodscaiobrentano_, devstack? maybe /identity/heathcheck18:42
caiobrentano_rodrigods it is not devstack... it is my keystone server18:42
lbragstadalright - i gotta run quick.18:42
stevemarlbragstad: alright18:42
stevemarsamueldmq: lbragstad thats a nice test18:43
samueldmqlbragstad: ok. I don't care of the magic behind it. let's just make sure it works for our usecase :_)18:43
stevemarsamueldmq: http://cdn.pasteraw.com/o0kcw673hwss6bnru92sv1s2eyll9pb18:43
caiobrentano_what I could debug is that oslo middleware is getting req.path = 'admin/healthcheck'... but it is expecting '/healthcheck'18:43
samueldmqstevemar: ++18:43
*** cnf has joined #openstack-keystone18:49
*** dave-mccowan has joined #openstack-keystone18:49
*** josecastroleon has quit IRC18:56
*** josecastroleon has joined #openstack-keystone18:57
*** dave-mcc_ has joined #openstack-keystone18:59
*** dave-mccowan has quit IRC19:02
*** stingaci has joined #openstack-keystone19:07
stingaciHello all. I have a question surrounding trusts and SAML auth. Anyone around familiar with these?19:11
stingacispecifically pertaining to this bug report https://bugs.launchpad.net/fuel/+bug/162604619:13
openstackLaunchpad bug 1626046 in Fuel for OpenStack "federated users cannot use Murano or Sahara" [High,Confirmed] - Assigned to Oleksii Chuprykov (ochuprykov)19:13
*** arunkant_ has joined #openstack-keystone19:13
*** arunkant__ has quit IRC19:17
*** asettle has quit IRC19:19
r1chardj0n3slbragstad: I was planning on holding the horizon+keystone meeting tomorrow - should I not?19:25
*** catintheroof has joined #openstack-keystone19:27
r1chardj0n3sstevemar: cancel the horizon+keystone meeting tomorrow yay/nay? I'm ok with cancelling since so many USians won't be around.19:28
*** josecastroleon has quit IRC19:28
*** josecastroleon has joined #openstack-keystone19:30
zzzeekalso what happened to good old bcrypt for password hashing19:32
zzzeekoops19:32
ayoungstingaci, fix for that is happening19:33
ayoungbasically, the shadow user work is required in order for a federated user to have a guaranteed UserID to use for creating a trust19:33
*** catintheroof has quit IRC19:34
stingaci@ayoung Yeah, that makes sense. If shadow users are enabled, can this particular bug be circumvented?19:40
lbragstadr1chardj0n3s not sure if i'll be able to make the meeting tomorrow - our thanksgiving is scheduled for that time19:40
openstackgerritLance Bragstad proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/40132819:42
*** dave-mcc_ has quit IRC19:49
*** phalmos has joined #openstack-keystone19:52
*** spligak has joined #openstack-keystone19:53
*** josecastroleon has quit IRC20:02
*** phalmos has quit IRC20:02
*** josecastroleon has joined #openstack-keystone20:03
*** diazjf has joined #openstack-keystone20:03
*** jpich has quit IRC20:03
*** mvk has quit IRC20:15
*** jperry has joined #openstack-keystone20:19
stevemarr1chardj0n3s: sure, i'm OK with that. I *may* be around20:20
*** caiobrentano_ has quit IRC20:28
*** josecastroleon has quit IRC20:33
*** nicolasbock has quit IRC20:33
*** josecastroleon has joined #openstack-keystone20:34
*** diazjf has quit IRC20:37
*** diazjf has joined #openstack-keystone20:40
*** anush has joined #openstack-keystone20:42
*** flaper87 has quit IRC20:52
*** mvk has joined #openstack-keystone20:53
openstackgerritKristi Nikolla proposed openstack/keystone: WIP: Install shibboleth-idp with Devstack plugin  https://review.openstack.org/40142121:02
*** josecastroleon has quit IRC21:04
*** anush has quit IRC21:05
*** josecastroleon has joined #openstack-keystone21:05
lbragstadmfisch o/21:06
*** diazjf has quit IRC21:07
-openstackstatus- NOTICE: Due to a problem with the cinder volume backing the log server, jobs are failing with POST_FAILURE. Please avoid issuing 'recheck' commands until the issue is resolved.21:08
*** ChanServ changes topic to "Due to a problem with the cinder volume backing the log server, jobs are failing with POST_FAILURE. Please avoid issuing 'recheck' commands until the issue is resolved."21:08
*** catintheroof has joined #openstack-keystone21:08
lbragstadmfisch have you considered how https://review.openstack.org/#/c/382098/12 is going to affect your fernet key rotation?21:09
lbragstadif at all?21:09
*** anush has joined #openstack-keystone21:11
*** phalmos has joined #openstack-keystone21:19
*** jamielennox|away is now known as jamielennox21:22
*** diazjf has joined #openstack-keystone21:29
*** josecastroleon has quit IRC21:35
*** stingaci has quit IRC21:36
*** spilla has quit IRC21:37
*** stingaci has joined #openstack-keystone21:39
*** jperry has quit IRC21:40
*** catintheroof has quit IRC21:40
openstackgerritLance Bragstad proposed openstack/keystone: Use sha512.hash() instead of .encrypt()  https://review.openstack.org/40132821:46
*** anush has quit IRC21:59
*** adriant has joined #openstack-keystone22:17
openstackgerritTin Lam proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/39675222:18
*** chlong has joined #openstack-keystone22:19
*** chlong has quit IRC22:30
*** chris_hultin is now known as chris_hultin|AWA22:37
*** agrebennikov has quit IRC22:40
*** diazjf has quit IRC22:46
*** catintheroof has joined #openstack-keystone22:48
openstackgerritGage Hugo proposed openstack/keystone: Add reason to CADF notifications in docs  https://review.openstack.org/40088222:48
*** catintheroof has quit IRC22:52
*** ChanServ changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Ocata goals: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing"22:52
-openstackstatus- NOTICE: The affected filesystems on the log server are repaired. Please leave 'recheck' comments on any changes which failed with POST_FAILURE.22:52
lbragstadalrighty - i'm out... see everyone Monday!22:55
*** arunkant__ has joined #openstack-keystone22:57
*** catintheroof has joined #openstack-keystone23:00
*** arunkant_ has quit IRC23:01
*** ravelar has quit IRC23:15
*** anush has joined #openstack-keystone23:20
*** catinthe_ has joined #openstack-keystone23:23
*** catintheroof has quit IRC23:26
stevemaro\ lbragstad23:31
*** anush has quit IRC23:37
*** lamt has quit IRC23:43
openstackgerritayoung proposed openstack/keystone: URL pattern based RBAC Management Interface  https://review.openstack.org/40180823:51
ayounglbragstad, ok, there is the management API for the new RBAC stuff23:51
*** catinthe_ has quit IRC23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!