Wednesday, 2016-12-07

00:02 *** asettle has joined #openstack-keystone
00:05 *** chris_hultin is now known as chris_hultin|AWA
00:07 *** asettle has quit IRC
00:14 *** lamt has quit IRC
00:20 *** ravelar has quit IRC
00:23 *** catintheroof has quit IRC
00:24 *** catintheroof has joined #openstack-keystone
00:28 *** catintheroof has quit IRC
00:29 *** nkinder has quit IRC
00:39 *** diazjf has joined #openstack-keystone
00:43 <morgan> ayoung: yeah it hasn't changed much
00:43 <morgan> just some minor rename stuff
00:44 *** chrisplo has quit IRC
00:52 *** tovin07 has joined #openstack-keystone
00:58 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/399684
01:03 *** asettle has joined #openstack-keystone
01:04 *** dave-mccowan has joined #openstack-keystone
01:07 *** jamielennox is now known as jamielennox|away
01:07 *** asettle has quit IRC
01:09 *** Trident has joined #openstack-keystone
01:11 *** lamt has joined #openstack-keystone
01:14 *** zhangjl has joined #openstack-keystone
01:21 *** liujiong has joined #openstack-keystone
01:21 *** jamielennox|away is now known as jamielennox
01:24 *** guoshan has joined #openstack-keystone
01:24 <morgan> rderose: i am a fan of that change (in principle) ^
01:24 *** zhangjl has quit IRC
01:24 <rderose> morgan: cool
01:25 <rderose> morgan: it will be backwards compatible as well
01:25 <morgan> hmm.
01:25 <morgan> yes
01:25 <morgan> absolutely looks like it
01:25 <morgan> good stuff :)
01:25 * morgan needs to lazyweb ask a question...
01:26 <rderose> if you don't explicitly provide the domain_id, then the IdP will be mapped to the default 'Federated' domain
01:26 <rderose> morgan ^
01:31 <morgan> rderose: nice. that is a good design
01:31 <morgan> since it mirrors "today"
01:32 <rderose> morgan: exactly
01:33 *** david-lyle has joined #openstack-keystone
01:34 *** hanchao has joined #openstack-keystone
01:35 <hanchao> hello keystone experts, don't know if this is a security issue that I found in openstack. The thing that I found was once a user is nominated as an admin of a project, this user will have full admin access to everything, even outside of his/her project. The more horrible thing is that he/she can even remove the real admin of the whole cloud. Is there anything wrong with my use case? Or anyone who can explain to me the reason b
01:36 <hanchao> A similar question has also been posted to the security team.
01:36 <dstanek> hanchao: sadly that's the default policy
01:37 <dstanek> the cloud sample is much better for a large cloud
01:39 <hanchao> However, from my understanding, a project admin should only have full access to its own project but not over to the others.
01:39 <hanchao> Otherwise, it's too dangerous...
01:42 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/399684
01:44 <dstanek> hanchao: that's all controlled in the policy files and at least in keystone there is only one level of admin by default
01:45 <morgan> hanchao: that is V2, right?
01:45 <morgan> dstanek: ++
01:45 <morgan> hanchao: or are you using keystone v3?
01:45 <morgan> because it is not really customizable in V2
01:45 <morgan> in V3, policy is customizable
01:46 <hanchao> Actually I have both versions, namely two environments. But what I have tried is based on v2.
01:46 <dstanek> morgan: yeah, that's super unfortunate
01:46 <dstanek> hanchao: for v3 you want to check out http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json
01:46 <dstanek> it's more robust, but you should still read through and see if it fits your needs
01:47 <morgan> dstanek: thankfully... V2 is dying.
01:47 <morgan> dstanek: we can really consider removing it in Q release!
01:47 <dstanek> hanchao: but as morgan said if you are using v3 then you are stuck in what i've been calling "small cloud mode"
01:47 <morgan> hanchao: V2*
01:47 <morgan> erm dstanek V2*
01:48 <morgan> or do you mean defaults in V3?
01:48 <morgan> dstanek: unrelated, snow yet?
01:48 <dstanek> ooops...yes meant to say v2
01:49 <dstanek> morgan: nope, hasn't really been below 32 degrees all that much
01:50 <hanchao> Well, so v3 is customizable where in the policy file I can define the access for different roles in different projects?
01:51 <morgan> hanchao: policy by default (i think) is /etc/keystone/policy.json
01:51 <morgan> but that can be configured in keystone.conf
01:51 <morgan> the link dstanek gave you is a good starting place for a "real" policy file
01:51 <hanchao> Thanks for your kind replies, I'll first check the file you provided. And will post questions later if I'm still confused. :p
01:51 <morgan> :)
01:51 <morgan> you will need to create the extra roles
01:51 <morgan> they are not created by default
01:51 <morgan> (for reverse compat reasons)
01:52 <dstanek> hanchao: sounds good
01:52 <morgan> dstanek: do you think once v2 goes away, and with ayoung's RBAC thing we can get away from the bad default policy?
01:53 <morgan> dstanek: i'm trying to think of how to do that
01:53 <hanchao> sure, if a self-defined role can be created, I suppose this would be nice.
01:53 <morgan> hanchao: so at the moment roles are global (should only be defined / created by the cloud admin)
01:54 <hanchao> Oh, it means no project oriented role can be defined?
01:58 <hanchao> What we are expecting in the use case is that there is an admin user who has full control of the entire cloud; then project admin users who have full access to the dedicated projects which the cloud admin user defined for that; and project members who have limited access to the projects where the project admin authorized them.
01:58 <morgan> hanchao: so use v3.
01:58 <dstanek> morgan: if v2 goes away we should be able to do that
01:59 <morgan> hanchao: and I actually recommend disabling V2 completely if you have the option to
01:59 <morgan> hanchao: (read: probably an Ocata release before you can do this)
01:59 <morgan> hanchao: and you can use the is_admin flag options to restrict cloud-admin actions.
01:59 <morgan> dstanek: ++ that is my hope
02:00 <morgan> dstanek: i would be very very happy to make the crappy policy defaults go away
02:00 <hanchao> We are currently testing on Mitaka release... A bit behind the upstream...
02:00 <morgan> hanchao: ok so, disabling V2 might be hard with Nova and Neutron (and possibly glance?)
02:01 <morgan> if you move to Newton... i think it's all fixed/working, but in Ocata we actually are doing a full suite of tests guaranteeing v2 is disabled for them.
02:01 <morgan> hanchao: likely your service users will still need to be V2 based for some services. (keystonemiddleware configuration in say nova/neutron/etc)
02:01 <morgan> but your end users can all be V3-only.
02:02 <morgan> which should allow you to have the rich(er) policy
02:04 *** asettle has joined #openstack-keystone
02:04 <morgan> stevemar, topol: PHRASING!
02:04 <hanchao> all right, I think I should check the policy first, and post questions later here. :p thanks for your help. @morgan & dstanek.
02:05 <morgan> hanchao: happy to help!
02:06 <dstanek> hanchao: no problem
02:08 <stevemar> jamielennox: no excuses for missing meetings, you're de-cored now
02:08 <morgan> stevemar: shush.
02:08 <morgan> ;)
02:08 <hanchao> :D
02:08 *** asettle has quit IRC
02:08 <morgan> stevemar: do you ski? or snowboard?
02:09 <morgan> stevemar: i ask cause you live in that cold-place...
02:09 <stevemar> morgan: skied when i was a kid, haven't done it in 20 years. snowboarded once and bruised/cracked a rib
02:09 <stevemar> have avoided ever since (8 years ago)
02:11 <dstanek> snowboard ftw!
02:11 <ayoung> OK...so here is what I think will happen with RBAC and policy...
02:12 <ayoung> 1.  We start by ignoring the existing policy files...Treat them like code.  Maybe move them into the Keystone server defaults the way Nova did
02:12 <ayoung> 2.  Make most APIs "Member" as the default role
02:12 <ayoung> this is safe because it means any thing that is admin only is enforced by the policy files.  Member is just the most general rule.
02:13 <ayoung> 3.  We invent a new role for the audit use case.  Call it reader.  Use implied roles to make Member imply Reader.  Change a bunch of APIs from Member to Reader
02:13 <ayoung> hanchao, so, that should support what you want.  We also need the fix for bug 968696 to be completed
02:13 <openstack> bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)
02:16 <morgan> dstanek: if you 'board, you should do a trip to Whistler ;)
02:16 * morgan says this cause having another excuse to hit those slopes will be epic
02:17 <morgan> dstanek: also.. i need advice on good softgear for this season
02:17 <lbragstad> ayoung for step 1 i assume you are referencing nova's work to get policy coded into oslo-policy, right?
02:17 <morgan> hard gear (board/bindings/boots) is much easier.
02:19 <hanchao> ayoung: exactly, the bug actually reproduces my concerns.
02:22 *** zhangjl has joined #openstack-keystone
02:23 <adriant> morgan: Whistler is north of Vancouver right?
02:25 <adriant> Been there once ages ago. Mostly went to Cypress while living in Vancouver since we lived right down the hill from it.
02:27 <hanchao> morgan: why not try this in northern Finland, where you can ski, go downhill and so forth. Besides, you can also have the opportunity to witness fantastic aurora and a warm traditional Finnish sauna. ;)
02:28 <hanchao> And glogi with vodka is a super tasty and warm drink for the cold winter :D
02:31 *** guoshan has quit IRC
02:32 *** guoshan has joined #openstack-keystone
02:33 *** browne has quit IRC
02:36 *** Zer0Byte__ has quit IRC
02:38 *** hogepodge has quit IRC
02:39 <ayoung> lbragstad, yes
02:40 <ayoung> sorry for the delays...putting kids to bed is NP-Hard
02:41 *** code-R has joined #openstack-keystone
02:44 <lbragstad> ayoung no worries
02:45 <ayoung> lbragstad, so, yeah, the idea is the default policy really should be focused on the scope check
02:45 <ayoung> we probably want to make some of the APIs that are admin only capable of being run by Member, but default to admin in the RBAC check.  But that can happen over time.
02:48 <lbragstad> ayoung that sounds like loosening the policy around specific admin-only calls
02:48 <lbragstad> s/calls/operations/
02:49 *** gyee has quit IRC
03:00 <dstanek> morgan: it's been so long since i've been boarding.
03:00 <dstanek> once i broke my arm...and then my ankle a few years later i toned it down
03:02 *** zhangjl has quit IRC
03:04 *** asettle has joined #openstack-keystone
03:06 *** guoshan has quit IRC
03:07 *** guoshan has joined #openstack-keystone
03:07 *** g2 has quit IRC
03:09 *** asettle has quit IRC
03:09 *** diazjf has quit IRC
03:11 *** phalmos has quit IRC
03:12 <stevemar> ayoung: looks like someone fixed the bug you issued: https://review.openstack.org/#/c/407331/1
03:12 *** phalmos has joined #openstack-keystone
03:12 <ayoung> stevemar, nice
03:12 <stevemar> just verified it manually
03:13 *** BrAsS_mOnKeY has joined #openstack-keystone
03:13 <ayoung> stevemar, can I run that multiple times, or do I need to blow away my DB?
03:14 <stevemar> ayoung: you can run it a few times but you'll see conflict errors all over the place
03:14 <ayoung> stevemar, yeah, since there is no test, I want to do so, too, before OKing
03:15 <stevemar> but you won't see the error you reported
03:17 *** zhangjl has joined #openstack-keystone
03:18 <ayoung> stevemar, I wonder if the error I saw was due to poor reporting, and bootstrap not run with all the pre-set options
03:19 <ayoung> seems to be running now
03:19 <ayoung> someone just got voting rights in the next Keystone election.
03:21 *** browne has joined #openstack-keystone
03:22 *** links has joined #openstack-keystone
03:24 *** BrAsS_mOnKeY has quit IRC
03:25 *** dave-mccowan has quit IRC
03:27 *** dave-mccowan has joined #openstack-keystone
03:28 <stevemar> ayoung: woo hoo
03:29 *** GB21 has joined #openstack-keystone
03:31 *** udesale has joined #openstack-keystone
03:31 *** BrAsS_mOnKeY has joined #openstack-keystone
03:33 <openstackgerrit> Merged openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
03:34 <openstackgerrit> Gage Hugo proposed openstack/keystone: WIP - Allow user to change own expired password  https://review.openstack.org/404022
03:36 *** BrAsS_mOnKeY is now known as g2
03:36 *** GB21 has quit IRC
03:37 *** browne has quit IRC
03:42 *** spzala has quit IRC
03:42 *** spzala has joined #openstack-keystone
03:47 *** spzala has quit IRC
03:52 *** edmondsw has joined #openstack-keystone
03:53 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: [WIP] Remove old method of creating a client  https://review.openstack.org/359707
03:53 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Remove generic client  https://review.openstack.org/359706
03:57 *** edmondsw has quit IRC
03:57 <stevemar> jamielennox: i think we have to deprecate that ^
03:57 <stevemar> or does it not work?
03:58 <jamielennox> stevemar: yea, we should deprecate the generic but no one uses it
03:58 <stevemar> jamielennox: give it 1 cycle deprecation then
03:58 <jamielennox> i was just rebasing the WIP to see what was going to break next
03:58 *** tqtran has quit IRC
04:00 *** spzala has joined #openstack-keystone
04:00 *** spzala has quit IRC
04:00 <jamielennox> ok i will deprecate it
04:03 *** guoshan has quit IRC
04:05 *** asettle has joined #openstack-keystone
04:06 *** dave-mccowan has quit IRC
04:10 *** asettle has quit IRC
04:20 *** links has quit IRC
04:22 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Deprecate the generic client  https://review.openstack.org/407844
04:27 <stevemar> jamielennox: add a note that we can remove it in Pike too, please.
04:28 <jamielennox> stevemar: just a comment?
04:28 <stevemar> jamielennox: yeah
04:28 <jamielennox> i put queen in the bug.
04:28 <jamielennox> aren't we about to do pike?
04:29 <stevemar> eh fine
04:29 <stevemar> i'm trying to help you here :P
04:29 <jamielennox> i'm fine making it soon
04:29 <jamielennox> but i think i'm mixing up my code names
04:30 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Deprecate the generic client  https://review.openstack.org/407844
04:31 *** faizy_ has joined #openstack-keystone
04:36 <openstackgerrit> Merged openstack/keystone: Corrects sample-data incorrect credential call  https://review.openstack.org/407331
04:36 *** huhaoran has joined #openstack-keystone
04:37 *** code-R has quit IRC
04:41 *** huhaoran has quit IRC
04:52 <stevemar> jamielennox: you want to say 3.9.0.... 3.8.0 is already out
04:53 <stevemar> jamielennox: also, release note
04:53 *** code-R has joined #openstack-keystone
04:55 *** GB21 has joined #openstack-keystone
04:55 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Deprecate the generic client  https://review.openstack.org/407844
04:55 <jamielennox> stevemar: at least the review cycle is really quick
04:55 <stevemar> :P
04:56 * stevemar tosses jamielennox an upvote
04:57 *** links has joined #openstack-keystone
04:59 *** tqtran has joined #openstack-keystone
05:00 *** tqtran has quit IRC
05:04 *** guoshan has joined #openstack-keystone
05:04 *** diazjf has joined #openstack-keystone
05:04 <stevemar> okay, bed time
05:04 <stevemar> o\
05:06 *** asettle has joined #openstack-keystone
05:07 *** nicolasbock has quit IRC
05:08 *** guoshan has quit IRC
05:11 *** asettle has quit IRC
05:13 *** GB21 has quit IRC
05:14 *** hyakuhei has quit IRC
05:14 *** robcresswell has quit IRC
05:14 *** pkoraca_ has joined #openstack-keystone
05:14 *** lbragstad has quit IRC
05:14 *** AndyWojo has quit IRC
05:15 *** mgagne has quit IRC
05:15 *** mjb has quit IRC
05:15 *** samueldmq_ has joined #openstack-keystone
05:15 *** ChanServ sets mode: +v samueldmq_
05:15 *** DuncanT_ has joined #openstack-keystone
05:15 *** morgan has quit IRC
05:15 *** wasmum has quit IRC
05:15 *** hrybacki has quit IRC
05:15 *** pkoraca has quit IRC
05:15 *** DuncanT has quit IRC
05:16 *** spligak has quit IRC
05:16 *** pkoraca_ is now known as pkoraca
05:16 *** DuncanT_ is now known as DuncanT
05:16 *** jamielennox has quit IRC
05:16 *** samueldmq has quit IRC
05:17 *** samueldmq_ is now known as samueldmq
05:17 *** robcresswell has joined #openstack-keystone
05:18 *** hrybacki has joined #openstack-keystone
05:19 *** AndyWojo has joined #openstack-keystone
05:20 *** lbragstad has joined #openstack-keystone
05:20 *** mjb has joined #openstack-keystone
05:20 *** wasmum has joined #openstack-keystone
05:23 *** morgan has joined #openstack-keystone
05:31 *** jamielennox has joined #openstack-keystone
05:31 *** ChanServ sets mode: +v jamielennox
05:31 *** hyakuhei has joined #openstack-keystone
05:33 *** GB21 has joined #openstack-keystone
05:45 <openstackgerrit> Merged openstack/keystone: Domain included for role in list_role_assignment  https://review.openstack.org/373516
05:53 *** edmondsw has joined #openstack-keystone
05:57 *** edmondsw has quit IRC
06:01 *** diazjf has quit IRC
06:02 *** jaosorior has joined #openstack-keystone
06:04 *** guoshan has joined #openstack-keystone
06:05 *** markvoelker has quit IRC
06:05 *** markvoelker has joined #openstack-keystone
06:09 *** guoshan has quit IRC
06:10 *** markvoelker has quit IRC
06:15 *** mrsoul has quit IRC
06:16 *** mrsoul has joined #openstack-keystone
06:22 *** adriant has quit IRC
06:24 *** guoshan has joined #openstack-keystone
06:30 *** huhaoran has joined #openstack-keystone
06:30 *** cburgess has quit IRC
06:33 *** cburgess has joined #openstack-keystone
06:41 *** richm has quit IRC
06:43 *** voelzmo has joined #openstack-keystone
06:43 *** josecastroleon has joined #openstack-keystone
06:45 *** voelzmo has quit IRC
06:46 *** voelzmo has joined #openstack-keystone
06:46 *** huhaoran has quit IRC
06:49 *** huhaoran has joined #openstack-keystone
06:50 *** voelzmo has quit IRC
06:51 *** masber has joined #openstack-keystone
07:06 *** markvoelker has joined #openstack-keystone
07:08 *** asettle has joined #openstack-keystone
07:10 *** markvoelker has quit IRC
07:11 *** jamielennox is now known as jamielennox|away
07:12 *** asettle has quit IRC
07:13 *** sileht has quit IRC
07:16 *** spligak has joined #openstack-keystone
07:22 *** jaosorior has quit IRC
07:23 *** jaosorior has joined #openstack-keystone
07:27 *** zhangjl1 has joined #openstack-keystone
07:28 *** zhangjl has quit IRC
07:31 *** zhangjl1 has quit IRC
07:32 *** zhangjl has joined #openstack-keystone
07:34 *** rcernin has joined #openstack-keystone
07:39 *** voelzmo has joined #openstack-keystone
07:41 *** pcaruana has joined #openstack-keystone
07:44 *** voelzmo has quit IRC
07:44 *** voelzmo has joined #openstack-keystone
07:45 *** voelzmo has quit IRC
07:46 *** voelzmo has joined #openstack-keystone
07:48 *** voelzmo has quit IRC
07:49 *** voelzmo has joined #openstack-keystone
07:51 *** mvk has quit IRC
07:51 *** code-R has quit IRC
07:54 *** rybridges2 has quit IRC
07:54 *** mfisch has quit IRC
07:55 *** voelzmo has quit IRC
07:55 *** voelzmo has joined #openstack-keystone
08:01 *** voelzmo has quit IRC
08:04 *** voelzmo has joined #openstack-keystone
08:07 *** markvoelker has joined #openstack-keystone
08:07 *** rybridges2 has joined #openstack-keystone
08:08 *** asettle has joined #openstack-keystone
08:11 *** markvoelker has quit IRC
08:13 *** pnavarro has joined #openstack-keystone
08:13 *** asettle has quit IRC
08:16 *** xiaoyang has joined #openstack-keystone
08:20 *** magic has quit IRC
08:21 *** code-R has joined #openstack-keystone
08:23 *** magic has joined #openstack-keystone
08:26 *** mvk has joined #openstack-keystone
08:26 *** sileht has joined #openstack-keystone
08:26 *** xiaoyang has quit IRC
08:29 *** amoralej|off is now known as amoralej
08:42 *** davechen has quit IRC
08:45 *** josecastroleon has quit IRC
08:57 *** josecastroleon has joined #openstack-keystone
08:59 *** daemontool_ has quit IRC
09:00 *** zzzeek has quit IRC
09:01 *** zzzeek has joined #openstack-keystone
09:01 *** code-R_ has joined #openstack-keystone
09:01 *** mfisch has joined #openstack-keystone
09:02 *** mfisch has quit IRC
09:02 *** mfisch has joined #openstack-keystone
09:04 *** code-R has quit IRC
09:07 *** markvoelker has joined #openstack-keystone
09:09 *** asettle has joined #openstack-keystone
09:12 *** markvoelker has quit IRC
09:14 *** asettle has quit IRC
09:17 *** zhangjl1 has joined #openstack-keystone
09:20 *** zhangjl has quit IRC
09:22 *** eandersson has joined #openstack-keystone
09:26 *** tobberydberg has joined #openstack-keystone
09:28 *** eandersson has quit IRC
09:28 *** tobberydberg has quit IRC
09:30 *** odyssey4me_ is now known as odyssey4me
09:31 *** tobberydberg has joined #openstack-keystone
09:52 *** code-R_ has quit IRC
09:52 *** asettle has joined #openstack-keystone
09:52 *** code-R has joined #openstack-keystone
09:54 *** mvk has quit IRC
09:55 *** mvk has joined #openstack-keystone
09:55 *** GB21 has quit IRC
09:57 *** baffle_ is now known as baffle
10:01 *** tqtran has joined #openstack-keystone
10:03 *** code-R_ has joined #openstack-keystone
10:05 *** tqtran has quit IRC
10:06 *** code-R has quit IRC
10:07 *** huhaoran has quit IRC
10:08 *** markvoelker has joined #openstack-keystone
10:13 *** markvoelker has quit IRC
10:19 *** GB21 has joined #openstack-keystone
10:25 *** liujiong has quit IRC
10:33 *** DuncanT has quit IRC
10:33 *** josecastroleon has quit IRC
10:33 *** DuncanT has joined #openstack-keystone
10:35 *** david-lyle_ has joined #openstack-keystone
10:37 *** david-lyle has quit IRC
10:42 *** guoshan has quit IRC
10:42 *** jaosorior has quit IRC
10:47 *** mgagne has joined #openstack-keystone
10:47 *** mgagne is now known as Guest2615
10:48 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/399684
10:55 <samueldmq> morning keystoners!
10:59 *** udesale has quit IRC
11:00 *** erhudy has quit IRC
11:00 *** erhudy has joined #openstack-keystone
11:06 <breton> samueldmq: o/
11:07 <samueldmq> breton: hey
11:09 *** richm has joined #openstack-keystone
11:10 *** GB21 has quit IRC
11:14 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Invalidate token cache after token delete  https://review.openstack.org/316991
11:14 *** zhangjl1 has quit IRC
11:24 *** GB21 has joined #openstack-keystone
11:27 *** kamal___ has quit IRC
11:27 *** kamal___ has joined #openstack-keystone
11:32 *** openstackgerrit has quit IRC
11:43 *** guoshan has joined #openstack-keystone
11:46 <samueldmq> lbragstad: morning. do you consider your comments in https://review.openstack.org/#/c/390948 as blockers?
11:46 *** code-R_ has quit IRC
11:46 <samueldmq> lbragstad: I like them, the tests would be much better
11:47 *** guoshan has quit IRC
11:51 *** hyakuhei has quit IRC
11:51 *** hyakuhei has joined #openstack-keystone
11:51 *** hyakuhei has quit IRC
11:51 *** hyakuhei has joined #openstack-keystone
11:51 *** openstackgerrit has joined #openstack-keystone
11:51 <openstackgerrit> chenyingnan proposed openstack/keystone-specs: Typo fixing  https://review.openstack.org/408041
11:53 *** tobberyd_ has joined #openstack-keystone
11:55 *** catintheroof has joined #openstack-keystone
11:56 *** tobberydberg has quit IRC
11:58 *** pnavarro has quit IRC
12:00 *** code-R has joined #openstack-keystone
12:01 *** nicolasbock has joined #openstack-keystone
12:02 *** tqtran has joined #openstack-keystone
12:07 *** tqtran has quit IRC
12:09 *** dave-mccowan has joined #openstack-keystone
12:09 *** markvoelker has joined #openstack-keystone
12:12 *** edmondsw has joined #openstack-keystone
12:15 *** markvoelker has quit IRC
12:26 *** edmondsw_ has joined #openstack-keystone
12:28 *** GB21 has quit IRC
12:31 *** pnavarro has joined #openstack-keystone
12:31 *** xiaoyang has joined #openstack-keystone
12:32 *** catintheroof has quit IRC
12:32 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Add test to expose bug 1625230  https://review.openstack.org/407558
12:32 <openstack> bug 1625230 in OpenStack Identity (keystone) "Role Assignment Incorrectly Reports Inheritance when --name is Used" [Medium,In progress] https://launchpad.net/bugs/1625230 - Assigned to Kanika Singh (kanikasingh-1490)
12:32 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Get assignments with names honors inheritance flag  https://review.openstack.org/380973
12:32 *** jaosorior has joined #openstack-keystone
12:32 *** catintheroof has joined #openstack-keystone
12:33 *** magic has quit IRC
12:34 *** magic has joined #openstack-keystone
12:36 *** xiaoyang has quit IRC
12:36 *** faizy_ has quit IRC
12:37 *** catintheroof has quit IRC
12:37 *** asettle has quit IRC
12:38 *** asettle has joined #openstack-keystone
12:40 *** xiaoyang has joined #openstack-keystone
12:42 *** magic has quit IRC
12:43 *** magic has joined #openstack-keystone
12:44 *** guoshan has joined #openstack-keystone
12:45 *** xiaoyang has quit IRC
12:48 *** guoshan has quit IRC
12:50 *** edmondsw_ has quit IRC
12:54 *** catintheroof has joined #openstack-keystone
12:54 <stevemar> o/
12:59 *** jaosorior has quit IRC
13:01 *** lamt has quit IRC
13:01 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Refactors _get_names_from_role_assignments  https://review.openstack.org/408074
13:02 *** voelzmo has quit IRC
13:04 *** guoshan has joined #openstack-keystone
13:08 *** amoralej is now known as amoralej|lunch
13:10 *** jaosorior has joined #openstack-keystone
13:12 *** markvoelker has joined #openstack-keystone
13:12 *** code-R has quit IRC
13:14 *** catinthe_ has joined #openstack-keystone
13:15 *** guoshan has quit IRC
13:16 *** catintheroof has quit IRC
13:16 *** markvoelker has quit IRC
13:17 *** voelzmo has joined #openstack-keystone
13:19 *** markvoelker has joined #openstack-keystone
13:19 *** code-R has joined #openstack-keystone
13:21 *** faizy_ has joined #openstack-keystone
13:22 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Get assignments with names honors inheritance flag  https://review.openstack.org/380973
13:23 *** code-R has quit IRC
13:28 *** code-R has joined #openstack-keystone
13:32 *** code-R has quit IRC
13:35 *** code-R has joined #openstack-keystone
13:36 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Get assignments with names honors inheritance flag  https://review.openstack.org/380973
13:38 *** code-R has quit IRC
13:41 *** lamt has joined #openstack-keystone
13:49 *** rcernin has quit IRC
13:50 *** hanchao has quit IRC
13:51 *** rcernin has joined #openstack-keystone
13:52 *** tobberyd_ is now known as tobberydberg
13:54 *** Guest2615 is now known as mgagne
13:54 *** mgagne has quit IRC
13:54 *** mgagne has joined #openstack-keystone
13:59 *** links has quit IRC
14:02 *** catintheroof has joined #openstack-keystone
14:02 *** faizy_ has quit IRC
14:03 *** lamt has quit IRC
14:04 *** tqtran has joined #openstack-keystone
14:04 *** catinthe_ has quit IRC
14:06 *** lamt has joined #openstack-keystone
14:07 *** amoralej|lunch is now known as amoralej
14:09 *** tqtran has quit IRC
14:25 <lbragstad> samueldmq i think it would make the tests better, right now the tests don't really do much
14:26 <samueldmq> lbragstad: agreed, would you mind putting some weight there?
14:26 <lbragstad> sure i can review
14:27 *** edmondsw has quit IRC
14:28 <stevemar> o/
*** phalmos has quit IRC14:36
*** edmondsw has joined #openstack-keystone14:41
*** jaosorior has quit IRC14:43
*** nkinder has joined #openstack-keystone14:57
*** links has joined #openstack-keystone15:03
*** voelzmo has quit IRC15:04
*** voelzmo_ has joined #openstack-keystone15:07
*** tobberydberg has quit IRC15:07
*** ravelar has joined #openstack-keystone15:15
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/40809415:16
*** nkinder has quit IRC15:17
*** guoshan has joined #openstack-keystone15:17
*** guoshan has quit IRC15:21
*** daemontool has joined #openstack-keystone15:23
*** dave-mccowan has quit IRC15:23
*** udesale has joined #openstack-keystone15:26
*** catintheroof has quit IRC15:26
*** catintheroof has joined #openstack-keystone15:26
*** nkinder has joined #openstack-keystone15:30
*** catintheroof has quit IRC15:31
*** spilla has joined #openstack-keystone15:37
*** dave-mccowan has joined #openstack-keystone15:41
*** jaugustine has joined #openstack-keystone15:42
*** spzala has joined #openstack-keystone15:46
*** hogepodge has joined #openstack-keystone15:50
*** phalmos has joined #openstack-keystone15:51
ayounglbragstad, we meeting in 10 minutes?15:51
lbragstadayoung yeah - in #openstack-meeting-cp15:52
ayoungCool.  Do we have an agenda?15:52
ayounghttps://etherpad.openstack.org/p/keystone-policy-meeting15:52
lbragstadwe have one15:53
lbragstadit just wasn't dated15:53
lbragstadayoung that wasn't a past agenda15:53
*** chris_hultin|AWA is now known as chris_hultin15:54
ayounglbragstad, OK now?15:54
lbragstadyep15:54
lbragstadwfm15:54
*** chris_hultin is now known as chris_hultin|AWA15:57
*** catintheroof has joined #openstack-keystone15:57
*** chlong has joined #openstack-keystone15:58
*** chris_hultin|AWA is now known as chris_hultin15:59
*** voelzmo_ has quit IRC16:03
*** adrian_otto has joined #openstack-keystone16:04
*** ravelar1 has joined #openstack-keystone16:06
*** ravelar has quit IRC16:07
*** links has quit IRC16:13
*** ravelar1 has quit IRC16:16
*** ravelar has joined #openstack-keystone16:16
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389816:17
*** guoshan has joined #openstack-keystone16:18
*** pcaruana has quit IRC16:18
*** spzala has quit IRC16:19
*** rcernin has quit IRC16:19
*** udesale has quit IRC16:19
*** spzala has joined #openstack-keystone16:20
*** guoshan has quit IRC16:22
*** spzala has quit IRC16:23
*** spzala has joined #openstack-keystone16:31
*** mvk has quit IRC16:31
*** spzala has quit IRC16:35
*** spzala has joined #openstack-keystone16:37
openstackgerritSamuel Pilla proposed openstack/keystone: API Documentation for user password expires  https://review.openstack.org/40557416:40
*** spzala has quit IRC16:41
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389816:44
*** spzala has joined #openstack-keystone16:48
*** adrian_otto has quit IRC16:49
*** spzala has quit IRC16:53
*** spzala has joined #openstack-keystone16:54
openstackgerritRichard Avelar proposed openstack/keystone: Add doctor check for debug mode enabled  https://review.openstack.org/40821816:56
*** chlong has quit IRC16:56
*** diazjf has joined #openstack-keystone16:57
*** browne has joined #openstack-keystone16:58
*** spzala has quit IRC16:59
dstanekayoung: that's all good stuff and i want to get as much of that captured as we can17:00
ayounglbragstad, is your concern management?17:01
*** Ephur has joined #openstack-keystone17:01
lbragstadwell - management is *a* concern but I had another one that i commented one last night17:01
*** kfox1111 has quit IRC17:01
*** Ephur has quit IRC17:02
lbragstadline 245 https://review.openstack.org/#/c/391624/15/specs/keystone/ongoing/role-check-from-middleware.rst17:02
lbragstadand line 9517:02
openstackgerritGage Hugo proposed openstack/keystone: WIP - Allow user to change own expired password  https://review.openstack.org/40402217:04
openstackgerritSamuel Pilla proposed openstack/keystone: API Documentation for user password expires  https://review.openstack.org/40557417:05
*** spzala has joined #openstack-keystone17:06
*** asettle has quit IRC17:07
edmondswlbragstad re: line 95, the RBAC check would have to pass... if we're trying to separate RBAC and ABAC, then RBAC checks that you MIGHT be allowed to do this depending on ABAC vs. we already know you can't even without trying ABAC, then if you got past the RBAC check you proceed to check ABAC17:07
edmondswayoung agreed?17:07
lbragstadedmondsw right17:08
lbragstadedmondsw my confusion is that if PATCH /servers/{service_id} requests admin_or_owner and I only have the Member role, but I am the resource owner, what happens?17:08
lbragstads/requests/requires/17:09
lbragstadwe'd have to do the ownership check *before* the RBAC check, right/17:09
*** spzala has quit IRC17:11
*** rcernin has joined #openstack-keystone17:11
ayoungOK..just put this in the review but...17:11
ayoungadmin_or_owner will still pass.  3 cases ( I think)17:11
ayoungA. admin role on admin project17:11
ayoungB. admin role on resource's project17:11
ayoungC. member role on resource's project17:11
ayoungAdmin -> Member means that any of these roles will pass the RBAC check in middleware.17:11
ayoungA. policy will enforce on is_admin/admin project as the override, and that will pass17:11
ayoungB & C. policy will enforce that the role is a supported role, and the project matches17:11
*** spzala has joined #openstack-keystone17:12
ayoungThat is what is meant by admin_or_owner in most projects17:12
ayoungKeystone is different17:12
ayoungbut the additional check is "userid on the project matches"  is still performed in policy17:13
ayoungnot in RBAC17:13
*** chrisplo has joined #openstack-keystone17:14
edmondswayoung what you're describing isn't RBAC... it's RBAC with a little ABAC included17:14
ayoungedmondsw, yes.  the RBAC stuff is just the part in middleware17:14
edmondswI think you've still got some ABAC in middleware... the project check17:14
ayounglbragstad, if an API currently requires "no" role and we say it now requires the "Member" role, there is no change it what happens in essence17:15
edmondswproject is an attribute of the resource... i.e. ABAC17:15
dstanekayoung: so the middleware will check to see if the user is admin or member before getting to the service policy?17:15
ayoungedmondsw, project check happens in policy, not not in middleware17:15
ayoungdstanek, right17:15
ayoungit is only the role check17:15
ayoungedmondsw, right, but that is not checked in middleware because we don't have the resource out of the database yet17:16
edmondswayoung admin_or_owner can't be checked in middleware then17:16
lbragstadso i'm failing to see how this works... if I *own* a resource and i go to do something on it, and the policy for the operation that i want to do is admin_or_owner, how does the whole request not fail because I'm not admin?17:16
*** spzala has quit IRC17:16
dstanekayoung: and then the policy would do both RBAC-like things and ABAC-like things17:16
dstanek?17:17
ayounghmmm17:18
ayounglbragstad, which API are you looking at?  I can walk you through that17:18
*** guoshan has joined #openstack-keystone17:18
dstanekfor example, the policy needs to enforce ownership only for member role and not admin role17:19
edmondswremember that there is no "member" role by default (that's a devstack thing, not an openstack thing). And even if we start requiring that, it's pretty pointless for these purposes... if the check is going to be "admin or any other role" then you might as well not check at all17:19
ayoungdstanek, yes, you are correct.  The policy does the RBAC stuff specifically for admin operations all over the place.17:19
lbragstadayoung i left my comment inline at line 245 - https://review.openstack.org/#/c/391624/15/specs/keystone/ongoing/role-check-from-middleware.rst17:19
ayoungedmondsw, those are the defaults, but with this setup, it is going to be much easier to modify those.17:19
dstanekayoung: so why split some of the RBAC stuff into middleware if you have to do it in policy anyway?17:20
ayoungWe start by saying everything is _member_ as that is the default role in policy17:20
edmondswayoung what are the defaults?17:20
ayounger17:20
edmondsw?17:20
ayoungthat is the default role from config17:20
edmondswI didnt' follow you17:20
edmondswthere is no default "member" role in config17:20
ayoungok...let's back up to v217:20
knikollao/17:20
ayoungwhen you add a user to a project using the v2 apis, it uses the default role out of the config file17:21
edmondswthe only default role is admin, period17:21
ayoungwhich is what just about everyone is doing17:21
ayoungthat means that most people have _member_ as their sole role17:21
edmondswscrew v2...17:21
ayoungsome might have Member as that is what Horizon was doing17:21
ayoungbut that is the starting point.17:21
edmondswI don't agree17:21
ayoungSo we put an implied role in there which says17:21
edmondswI've got 1000 customers that DON'T have a member role17:21
ayoungadmin implies member17:21
ayoungedmondsw, what are the role names that you are using?17:22
edmondswand even if the member role exists... it's essentially just an "everyone that's not an admin" role... admin + "everyone that's not an admin" = everyone17:22
*** spzala has joined #openstack-keystone17:22
edmondswayoung I've got a bunch... deployer, viewer (equiv to observer proposal), etc.17:22
dstanekedmondsw: you lost me with the maths17:23
dstanek:-P17:23
*** guoshan has quit IRC17:23
ayoungedmondsw, excellent.  so, the first thing to do is to say deployer implies viewer and so on17:23
ayoungset up the role inference rules that make sense for your deployment17:23
edmondswit's sets... you have a set of users with the admin role. you also have a set of users with member role, if that's the only other role. Add those 2 sets and you have all users with ANY role17:23
ayoungedmondsw, again, just a starting point....17:24
edmondswayoung I don't see how that's even related...17:24
ayoungedmondsw, heh heh heh17:24
*** mvk has joined #openstack-keystone17:24
ayoungthat is the power of what we are trying to do here.17:24
edmondswyou're not answering my questions...17:24
ayoungok, let's say you need to go from my simplistic view to your more realistic one17:24
ayoungI'm typing as fast as I can...17:25
ayoungto start, I don't want to break anyone out the gate17:25
ayoungso...for a deployment following the general trend (we'll get to yours in a moment)17:26
ayoungwe say that there are 2 main roles: admin  and member17:26
ayoungadmin implies member17:26
ayoungand we set all APIs to be RBAC checked by Member17:26
ayoungwith some minor adjustment for service roles etc...17:26
*** spzala has quit IRC17:27
*** Zer0Byte__ has joined #openstack-keystone17:27
ayoungin a deployment set up like this, that then activates the RBAC check, there is no change17:27
ayoungeverything still works as is17:27
ayoungnow..if they want to add an observer role, they do the following17:27
ayoung1. create the role observer17:27
ayoung2. create a role that says that member implies observer17:27
ayoung3.  modify the RBAC rules for any APIs that they want to be accessible to observers17:28
ayoungthey can do all this without breaking anything17:28
*** spzala has joined #openstack-keystone17:28
ayoungnow, they can create a user with only the Role Observer, and that new user is limited to only the APIs that have the observer role17:29
ayoungthe implied roles  Admin and member can still perform these apis, and thus all normal users have no change in access17:29
ayoungedmondsw, now, in your case, if you did custom policy already, you can either stick with just that, or roll the custom policy back to the base policy and use RBAC in middleware to do the role check17:30
edmondswayoung won't work... they'd also have to go modify policy.json since after the middleware that is going to be checked, and you had to leave it checking ownership tied to the member role since you didn't check project in middleware17:30
*** chlong has joined #openstack-keystone17:30
ayoungedmondsw, why would they have to modify the policy.json?17:30
edmondswbecause your policy.json still has the check for ownership tied to the member role17:31
*** spzala has quit IRC17:33
edmondswalso the implied roles stuff you're doing only makes sense if the new role is truly a subset of the old role, which often won't make sense17:33
*** dhellmann has quit IRC17:33
*** daemontool has quit IRC17:35
edmondswayoung if you didn't check ownership in the middleware, then you still have to be doing that through policy.json, right?17:36
ayoungedmondsw, so the scope check is already there17:36
edmondswthere = where?17:36
ayoungno one has to modify policy.json to do scope checks17:36
ayoungthey are already in the nova code, and the policy.json files in the rest of the projects17:36
edmondswthey do if they now want it to apply to new roles...17:37
ayoungedmondsw, nah, that is the cool thing, the current rules don't check roles17:37
edmondswthe scope check is tied to a role17:37
ayoungthey only check the scope17:37
ayoungyou would think. but no17:37
edmondsw?? why would you say that?17:37
ayounglet me get you an example17:37
ayounghttp://git.openstack.org/cgit/openstack/neutron/tree/etc/policy.json#n4  rule admin_or_owner17:38
ayoung    "owner": "tenant_id:%(tenant_id)s",17:38
ayoungno role check made17:38
ayoungthere are some role checks in that file, but they are service roles, and those APIs will need to be excepted in the RBAC layer17:39
edmondswyou're forgetting... the check isn't for "owner"... it's for "admin_or_owner"17:39
edmondswadmin = a role17:39
ayoungthat will pass, too17:39
ayoungas I said we need an implied rule that admin -> Member17:39
ayoungand then it passes the RBAC check17:39
ayoungreread the stuff I repasted from the review... that case is covered17:40
*** spzala has joined #openstack-keystone17:40
*** xiaoyang has joined #openstack-keystone17:40
edmondswok, then you have the opposite problem... where you add a role that you don't want to be scope checked17:40
edmondswwhy do you need an implied rule that admin -> member?17:41
*** magic has quit IRC17:43
*** spzala has quit IRC17:44
*** spzala has joined #openstack-keystone17:46
*** faizy has joined #openstack-keystone17:50
*** spzala has quit IRC17:50
ayoungedmondsw, at the Access rule you specify only one role per API17:53
ayoungif you don't use the implied roles, you need to explicitly assign any role a user would need for any API17:53
ayoungso admin can do anything a member can do, but the opposite is not true17:54
lbragstadbreaking for lunch - i'll catch the scrollback17:54
ayounglbragstad, edmondsw BTW, I got the implied role functionality working in openstack CLI this morning, finally17:55
ayoungplease take a look:17:55
ayounghttps://review.openstack.org/#/c/290253/17:55
*** diazjf has quit IRC17:56
edmondswayoung you intend to restrict that we only check one role per API?18:00
*** dhellmann has joined #openstack-keystone18:00
ayoungedmondsw, no18:00
ayoungedmondsw, I intend to restrict that we *specify* one role per api, then use implied roles to turn that into a set of roles18:00
ayoungyou always will specify the lowest level of access18:01
edmondswthat is gonna completely break me18:01
ayoungso if admin->member->observer, for a read only API, specify observer18:01
ayoungedmondsw, nah18:01
edmondswyeah, it will18:01
ayoungedmondsw, lay out your roles, please...we started on that earlier18:01
edmondswbecause that only works if your roles are supersets/subsets, and mine aren't18:01
edmondswtelling you the names isn't going to help you18:02
*** david-lyle_ is now known as david-lyle18:02
ayoungedmondsw, ah, but you can always introduce new roles, specific to an API, to make that work18:02
edmondswintroducing new roles != backward compatible18:02
ayoungedmondsw, it is with implied roles18:02
edmondswand quite a lot of work18:02
ayoungthink of it like a graph18:02
edmondswnot with the case I just laid out18:02
openstackgerritGage Hugo proposed openstack/keystone: Add reason to CADF notifications in docs  https://review.openstack.org/40088218:02
edmondswand adding a role per API is super ugly and unfriendly to users18:03
ayoungedmondsw, the feature is going to be optional, and off by default, but I am pretty confident we can make it work for your use case18:03
edmondswI wish I shared your optimism18:03
ayoungedmondsw, so do I, but I've been working through this for a long time, and it was based on use cases much like yours18:04
ayoungyes, there is ugliness here18:04
ayoungand we might need better tools for managing role definitions as the numbers rise18:04
ayoungI could see there being 3 classes of roles long term:18:05
ayoungat the lowest level, roles that are one-to-one with an API18:05
ayoungat the highest level, roles that are organizational18:05
ayoungin the middle, workflow roles18:05
ayoungso your organizational roles determine what workflows you can do, and the workflows determine what APIs you can call18:06
*** spzala has joined #openstack-keystone18:06
edmondswI don't like that idea at all18:08
edmondswas I said, ugly and unfriendly to users18:09
edmondswI cannot introduce more roles to my users18:09
ayoungedmondsw, you don't have to18:10
edmondsw?18:10
ayoungI think what you want is to not show the intermediate level roles to them on some UI?18:11
ayoungedmondsw, I need more information from you.18:11
edmondswnot have them18:12
*** spzala has quit IRC18:12
edmondswif they exist, they will be seen18:12
edmondswit's not a UI issue... I could hide them in the UI... but I can't hide them in REST and CLI18:12
*** Matias has joined #openstack-keystone18:12
*** spzala has joined #openstack-keystone18:12
edmondswand it's just ugly... that's not what roles are for18:12
edmondswwe're turning roles into permissions18:13
edmondswmaybe you need to create something called permissions18:13
ayoungedmondsw, I had considered that.  But basically, that would mean that everything that does roles now would need to do roles and permissions18:14
ayoungit is a lable18:14
ayounglabel18:14
Matiashi guys, I'm trying to fix a bug but I'm not sure if it should be fixed in keystoneclient or in os-client-config18:14
edmondswit's more than a label18:14
ayoungif you are not in to the British spelling18:14
MatiasI think it should be fixed in os-client-config, but I'd be grateful if someone could take a look and confirm that18:14
ayoungMatias, which one?18:14
*** dhellmann has quit IRC18:15
edmondswI have to run... good luck Matias!18:15
ayoungMatias, and most of the folks here don't know what os-client-config  is18:15
ayoungBut I do18:15
edmondswor stevemar18:15
Matiasayoung: I have initially reported to shade, but they said os-client-config was the culprit --> https://storyboard.openstack.org/#!/story/200076218:15
edmondswthere is an #openstack-sdks channel18:16
Matiasedmondsw: thanks18:16
ayoungnah, this belongs here, I think...18:16
*** spzala has quit IRC18:17
Matiasayoung: https://github.com/openstack/os-client-config/blob/59a96bb72c66426db8972acd3be55601b6135be0/os_client_config/cloud_config.py#L32418:17
Matiasif I add 'identity' to the tuple here, it works18:17
Matiasbut I'd like to know if this is right --> https://github.com/openstack/python-keystoneclient/blob/f7c1d45a04bb2b024a985b8e30245d38f2bf8442/keystoneclient/httpclient.py#L25318:17
ayoungMatias, what is that logic supposed to be doing?18:17
Matiasayoung: some clients receive $OS_INTERFACE as the 'interface' kwarg, others receive it as 'endpoint_type'18:18
ayoungconstructor_kwargs[interface_key] = interface18:18
MatiasI have the feeling receiving it as 'interface' is some legacy behaviour, but I'm not sure18:18
Matiascurrently the keystoneclient receives it as 'interface'18:18
*** guoshan has joined #openstack-keystone18:19
ayoungMatias, Do you know if that was a deliberate change at some point, or if this is one of those things that evolved separately?18:19
*** asettle has joined #openstack-keystone18:21
Matiasayoung: not really18:21
ayoungMatias, let me see....18:21
Matiascomments about glance seem to imply 'interface' is a legacy kwarg, but...18:22
Matiashttps://github.com/openstack/os-client-config/commit/9835daf9f684556c5aed4834dc086e932788f9bc18:22
openstackgerritRon De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/39968418:22
Matiashere they introduce the 'interface' param for the barbican client, which is relatively new18:22
openstackgerritRon De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/39968418:22
*** spzala has joined #openstack-keystone18:23
ayounglovely18:24
*** guoshan has quit IRC18:24
*** faizy has quit IRC18:25
*** amoralej is now known as amoralej|off18:25
ayoungMatias, so, lets assume that keystone want to keep using interface, then, and yes, change it in os-client-config18:26
ayoungI don't think endpoint_type is in use anywhere in keystoneclient code18:26
ayoungalthough that internal value is all over the place...18:27
*** spzala has quit IRC18:27
Matiasayoung: do you think it would be sensible to send the gerrit PR to os-client-config then?18:28
ayoungMatias, the person that knows this code is jamielennox but he is asleep ATM18:29
ayoungHe's in australia, so he is upside down right now18:29
Matiasthen in approx 4h he should be available18:30
Matiasayoung: thanks, I'll talk to him18:30
ayoungMatias, let's see what he put into the session code...that would be how he was thinking about it18:31
ayoungMatias, so, it is not in KeystoneAuth...let me go back to client and look...18:32
ayoungMatias, so internally it looks like the python code calls it endpoint_type, but the config param is interface.  I'd say go ahead and submit that change to os-client-config18:37
Matiasayoung: thanks18:37
*** chlong has quit IRC18:38
*** spzala has joined #openstack-keystone18:43
*** voelzmo has joined #openstack-keystone18:45
*** spzala_ has joined #openstack-keystone18:45
*** nicolasbock has quit IRC18:47
*** nicolasbock has joined #openstack-keystone18:47
*** spzala_ has quit IRC18:47
*** spzala_ has joined #openstack-keystone18:47
*** nicolasbock has quit IRC18:47
*** spzala has quit IRC18:48
*** nicolasbock has joined #openstack-keystone18:48
*** Nakato has quit IRC18:48
*** Nakato has joined #openstack-keystone18:48
*** pnavarro has quit IRC18:55
*** nicolasbock has quit IRC18:56
*** nicolasbock has joined #openstack-keystone18:56
*** chlong has joined #openstack-keystone18:57
openstackgerritayoung proposed openstack/keystone-specs: Role Check Check from Middleware  https://review.openstack.org/39162419:04
openstackgerritRichard Avelar proposed openstack/keystone: Print name with duplicate error on user creation  https://review.openstack.org/40510419:10
*** asettle has quit IRC19:21
*** ravelar has quit IRC19:22
openstackgerritayoung proposed openstack/keystone-specs: Role Check from Middleware  https://review.openstack.org/39162419:23
*** tqtran has joined #openstack-keystone19:26
*** diazjf has joined #openstack-keystone19:28
*** narasimha_SV has joined #openstack-keystone19:33
narasimha_SVafter adding this patch I was able to integrate LDAP as backend19:34
narasimha_SVbut when I execute any openstack command it is failing with 401 authorization failed19:34
narasimha_SVhttp://paste.openstack.org/show/591710/19:34
narasimha_SVthis is the log19:34
*** chlong has quit IRC19:36
narasimha_SVhow to enable user in LDAP19:37
*** spligak has quit IRC19:44
*** tobberydberg has joined #openstack-keystone19:45
*** voelzmo has quit IRC19:48
*** diazjf has quit IRC19:48
*** voelzmo has joined #openstack-keystone19:48
*** diazjf has joined #openstack-keystone19:49
*** lamt has quit IRC19:49
*** dhellmann_ has joined #openstack-keystone19:52
*** voelzmo has quit IRC19:53
*** voelzmo has joined #openstack-keystone19:54
*** raildo has left #openstack-keystone19:58
*** dhellmann_ is now known as dhellmann19:59
*** chlong has joined #openstack-keystone20:00
*** clenimar has quit IRC20:01
*** ravelar has joined #openstack-keystone20:08
*** Nakato has quit IRC20:11
*** Nakato has joined #openstack-keystone20:12
*** spzala_ has quit IRC20:16
*** spzala has joined #openstack-keystone20:17
*** guoshan has joined #openstack-keystone20:21
*** spzala has quit IRC20:21
*** asettle has joined #openstack-keystone20:25
*** guoshan has quit IRC20:25
*** Nakato has quit IRC20:28
*** Nakato has joined #openstack-keystone20:29
*** asettle has quit IRC20:30
*** voelzmo has quit IRC20:31
*** voelzmo has joined #openstack-keystone20:32
*** ravelar has quit IRC20:34
openstackgerritLance Bragstad proposed openstack/keystone-specs: Expose password requirements through API  https://review.openstack.org/40703620:34
lbragstadstevemar samueldmq updated ^20:35
lbragstadrderose ^20:35
lbragstadwe still need to figure out what we are going to do with the routers there.20:35
kamal___I am building a new service and would like to add role based access control using keystone. I understand the part where we need to setup users, roles, projects, services and roles. However, I am not sure what changes need to be made in the service itself to integrate keystone authentication. Any pointers?20:36
lbragstadanyone have any ideas?20:36
*** voelzmo has quit IRC20:36
lbragstadkamal___ are you planning on using oslo.policy or keystonemiddleware in your service?20:37
kamal___lbragstad: I'm not sure. Right now, I am evaluating different approaches. I am open to using oslo.policy though20:38
kamal___My impression was that all API calls will go to keystone and then it will get routed to the service. It seems like that is not the case.20:38
lbragstadkamal___ currently - managing policy is done in two steps20:39
kamal___I added my service as an endpoint in keystone and I am able to access it without any authentication. So it means, adding to the catalogue doesn't really enforce anything.20:39
kamal___lbragstad: could you elaborate20:40
lbragstadkamal___ sure20:40
lbragstadkamal___ the steps don't necessarily have to be done in an order but, first you have to ensure the role exists in keystone as an entity (i.e. using a client to create it `openstack role create <role_name>`)20:41
*** harlowja has quit IRC20:41
lbragstadthe 2nd step is to make sure the role exists in the various service policy files20:41
kamal___lbragstad: yes I did create users, roles, projects, services and endpoints20:41
*** ravelar has joined #openstack-keystone20:42
kamal___you mean policy.json20:42
lbragstadkamal___ so when a request comes into the service, and if that service is protected using keystonemiddleware and oslo.policy, those two pieces of software will validate the token of the user doing the operation and oslo.policy will compare the attributes of the token validation against the service's policy file20:43
lbragstadkamal___ yeah - exactly20:43
*** edmondsw has quit IRC20:43
kamal___again for a new service, how do I integrate the oslo.policy20:43
lbragstadkamal___ you'll need a way to give oslo.policy the rules your service wants to enforce around its operations20:44
lbragstadkamal___ most projects do this using a policy.json file20:44
lbragstadhttps://github.com/openstack/keystone/blob/fc93521ed1fca2e8393cf2e53e0f79a61dec7222/etc/policy.json is keystone's for example20:44
lbragstadnext - you'll need to make sure keystonemiddleware is configured in front of the service20:45
kamal___yes that is policy.json file. I am using Pecan for the service. Do I need to integrate oslo.policy to get this working20:45
*** lamt has joined #openstack-keystone20:46
lbragstadkamal___ yeah - if you want to enforce policy using keystone, keystonemiddleware, and oslo.policy - http://docs.openstack.org/developer/keystone/devref/services.html#auth-token-middleware20:46
lbragstadkamal___ here is some additional documentation on configuring keystonemiddleware for your service http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html#configuration20:49
kamal___just to clarify. I've this standalone service and I added the endpoint to keystone. Now when I call my endpoint, does it go through a proxy or it goes directly to my service?20:50
*** spzala has joined #openstack-keystone20:51
kamal___The documentation gave me the impression that it goes thru a proxy and passes some environment variables to the service20:51
lbragstadkamal___ well - the request will go through a paste pipeline that will enforce policy for the service20:51
lbragstadbased on what the service tells oslo.policy to enforce20:52
kamal___lbragstad: how does that happen? Should I do something in the service to make it go through the paste pipeline20:52
lbragstadkamal___ a good example of this is looking at how other services deploy keystonemiddleware20:53
kamal___lbragstad: like neutron?20:53
lbragstadkamal___ yeah - like neutron,20:53
lbragstador cinder, or nova for exmaple20:53
lbragstadexample*20:54
kamal___lbragstad: is there difference between using keystonemiddleware vs oslo.policy?20:54
lbragstadkamal___ all of those services will have a section in their respective configuration files titled [keystone_authtoken]20:54
lbragstadkamal___ kind of20:54
kamal___ok I will check it. Thanks20:55
*** spzala has quit IRC20:55
lbragstadkamal___ think of keystonemiddleware as the thing that *talks* to keystone to get information about a specific user's token, and oslo.policy as the thing that enforces the policy20:55
*** Nakato has quit IRC20:55
kamal___lbragstad: I guess the question how does the service know about the keystonemiddleware. Is it done through a code change in the service?20:56
lbragstadkamal___ nope - let me find an example20:56
kamal___that will be great20:56
*** Nakato has joined #openstack-keystone20:56
lbragstadkamal___ are you familiar with paste piplines?20:56
lbragstadpipelines?20:56
kamal___not really.20:57
kamal___I am using PECAN. Would that change how paste pipeline is used?20:59
*** tqtran is now known as tqtran-afk20:59
lbragstadkamal___ so here - https://github.com/openstack/cinder/blob/master/etc/cinder/api-paste.ini#L71-L7520:59
openstackgerritRichard Avelar proposed openstack/keystone: Print name with duplicate error on user creation  https://review.openstack.org/40510421:00
lbragstadyou can see the cinder's paste pipeline includes those two definitions21:00
kamal___ok. Does that mean cinder will load those classes in different contexts21:01
lbragstadand if you scroll up, you can see they specify those filters in the pipeline for their application - https://github.com/openstack/cinder/blob/master/etc/cinder/api-paste.ini#L2721:01
*** spzala has joined #openstack-keystone21:01
kamal___should there be a corresponding code to process this file?21:02
*** spzala has quit IRC21:03
lbragstadkamal___ well - the project will typically point to it through configuration https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L2133-L214321:03
*** spzala has joined #openstack-keystone21:03
openstackgerritRichard Avelar proposed openstack/keystone: Add doctor check for debug mode enabled  https://review.openstack.org/40821821:03
lbragstadkamal___ ^ that's keystone's for example21:03
lbragstadkamal___ which looks similar to cinder's https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini21:04
kamal___ok. It kind of makes sense but I wish there was better doc on how it is done. I will poke around and see.21:04
lbragstadkamal___ my in-depth description of the process might not be that great21:05
lbragstadkamal___ but the gist of it is that in order to use keystonemiddleware + oslo.policy + keystone for policy, you'll typically add keystonemiddleware to your service's paste pipeline and ensure your service's configuration has values for keystonemiddleware to be able to talk to keystone21:06
lbragstadand finally - make sure you have something like a policy.json file to describe your policy21:06
kamal___lbragstad: ok. thanks for the info. Let me check the links you provided.21:07
lbragstadkamal___ the website for Paste Deploy isn't loading for me - but this might help, too http://www.ianbicking.org/what-is-paste-yet-again.html21:07
*** spzala has quit IRC21:07
kamal___ok. that's great. Hope the site will come back soon21:08
*** asettle has joined #openstack-keystone21:09
*** asettle has quit IRC21:09
lbragstadkamal___ sounds good - ping if you have additional questions21:10
*** asettle has joined #openstack-keystone21:10
*** asettle has quit IRC21:12
*** asettle has joined #openstack-keystone21:12
*** narasimha_SV has quit IRC21:13
openstackgerritMerged openstack/keystone: Updated from global requirements  https://review.openstack.org/40809321:14
openstackgerritChetna proposed openstack/keystone: Fix mapping_purge failure  https://review.openstack.org/40830421:16
*** ravelar has quit IRC21:16
*** Nakato has quit IRC21:20
*** Nakato has joined #openstack-keystone21:20
*** guoshan has joined #openstack-keystone21:21
*** tobberydberg has quit IRC21:25
openstackgerritRon De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/39968421:25
openstackgerritRon De Rose proposed openstack/keystone: WIP - Require domain_id when registering Identity Providers  https://review.openstack.org/39968421:26
*** guoshan has quit IRC21:26
openstackgerritRon De Rose proposed openstack/keystone: Require domain_id when registering Identity Providers  https://review.openstack.org/39968421:29
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831221:36
*** catintheroof has quit IRC21:37
*** diazjf has quit IRC21:38
*** catintheroof has joined #openstack-keystone21:38
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831221:39
*** harlowja has joined #openstack-keystone21:41
*** catintheroof has quit IRC21:42
*** spligak has joined #openstack-keystone21:44
*** adriant has joined #openstack-keystone21:49
*** jamielennox|away is now known as jamielennox21:49
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831221:51
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831221:53
*** diazjf has joined #openstack-keystone21:55
stevemargagehugo: had a few comments you may have missed in ps221:59
gagehugostevemar: oh yeah I did22:01
openstackgerritMerged openstack/keystone-specs: Typo fixing  https://review.openstack.org/40804122:01
stevemargagehugo: ;)22:01
gagehugowill fix in a sec22:02
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831222:03
*** kfox1111 has joined #openstack-keystone22:04
*** martinus- has quit IRC22:04
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831222:05
*** slunkad has quit IRC22:05
*** martinus__ has joined #openstack-keystone22:05
*** slunkad has joined #openstack-keystone22:06
*** itisha has joined #openstack-keystone22:06
gagehugoalright, should be ok22:06
stevemargagehugo: you lost the bug in transition :O22:06
gagehugobah22:07
gagehugotoday is not my day, can't wait for friday22:07
stevemar:)22:07
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831222:08
stevemargagehugo: i can't wait for feb 20th22:08
gagehugostevemar: I'm excited for that too22:08
gagehugoneed to get past xmas first though22:09
*** dave-mccowan has quit IRC22:09
*** ravelar has joined #openstack-keystone22:09
stevemargagehugo: hmm, whats up with line 604 here: http://paste.openstack.org/show/591727/22:10
*** asettle has quit IRC22:10
stevemargagehugo: commented22:10
gagehugothx22:10
stevemargagehugo: hmm, looking at lines 457-463 here: http://paste.openstack.org/show/591727/22:12
gagehugooh that's the wrong paste, I had to cut it down22:12
stevemarohhh22:12
stevemargagehugo: does it still apply?22:12
gagehugocan only paste 900~ lines22:12
stevemar(seems like it would)22:12
*** tqtran-afk is now known as tqtran22:13
gagehugoI can pull it down and check22:13
gagehugooh yeah the commit message got reverted22:13
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831222:14
*** diazjf has quit IRC22:16
*** edmondsw has joined #openstack-keystone22:16
openstackgerritMerged openstack/keystone-specs: Expose password requirements through API  https://review.openstack.org/40703622:19
stevemargagehugo: looks like it still applies :)22:19
gagehugoyeah it's something I missed22:21
*** edmondsw has quit IRC22:21
*** guoshan has joined #openstack-keystone22:22
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/40833222:24
*** ravelar has quit IRC22:24
openstackgerritRon De Rose proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/40833222:25
*** guoshan has quit IRC22:27
openstackgerritGage Hugo proposed openstack/keystone: Fixed multiple warnings in tox -edocs  https://review.openstack.org/40831222:27
openstackgerritRon De Rose proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/40833222:27
gagehugostevemar: ok22:28
*** spzala has joined #openstack-keystone22:29
*** diazjf has joined #openstack-keystone22:30
gagehugoI put an updated paste link too22:32
lbragstadadriant are we holding off of https://review.openstack.org/#/c/345705/ for now?22:33
lbragstads/of/on/22:33
adriantlbragstad: yes because the MFA changes morgan is introducing will affect the MFA enable workflow. So best to change that first, then figure out the best UX for management.22:34
lbragstadadriant ok - cool22:34
lbragstadadriant thanks for the update22:34
adriantlbragstad: no problem22:35
*** spzala has quit IRC22:36
adriantmorgan: on that note, do we want to work out a implementation plan for the new spec? Just to work out who can/should do what parts.22:37
22:41 <stevemar> gagehugo: thanks!
22:42 <stevemar> gagehugo: I think http://stackoverflow.com/questions/15249340/warning-document-isnt-included-in-any-toctree-for-included-file will fix some of the other warnings
22:43 <stevemar> gagehugo: for the "WARNING: document isn't included in any toctree" error
22:43 <stevemar> you can probably "Add :orphan: to the top of your document to get rid of the warning"
22:43 <gagehugo> stevemar: interesting
22:43 <stevemar> gagehugo: I think I did that to a few
22:44 <stevemar> apparently not :(
22:44 <stevemar> or actually stick them in a ToC
22:44 <stevemar> but... meh
22:44 <gagehugo> I can take a look
22:44 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Add doctor check for debug mode enabled  https://review.openstack.org/408218
22:46 *** spilla has quit IRC
22:48 *** rcernin has quit IRC
22:48 *** ayoung has quit IRC
22:48 *** lamt has quit IRC
22:50 <morgan> adriant: either or.
22:50 <morgan> I am flexible on that front.
22:50 *** jaugustine has quit IRC
22:51 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - Set the domain for federated users  https://review.openstack.org/408332
22:53 *** chris_hultin is now known as chris_hultin|AWA
22:53 *** browne has quit IRC
22:56 *** ravelar has joined #openstack-keystone
23:00 <adriant> morgan: Well, I'm around most days, and respond to email as best I can. Not too fussed as to what, just would like to help if I can so you aren't stuck doing all of it. :)
23:00 *** ravelar has quit IRC
23:00 <morgan> cool, I'm working on moving ATM.
23:01 <adriant> morgan: plus trying to learn as much of the keystone codebase as I can
23:01 <adriant> morgan: no rush. I'm in the middle of my own project right now anyway that is at the 'soooo very close to done' stage.
23:02 <adriant> So that will keep me busy for the next week or so.
23:05 <morgan> will have more time once this move stuff is going. just looking at places and getting ready to put a deposit on a place.
23:06 *** chlong has quit IRC
23:10 *** nkinder has quit IRC
23:11 *** asettle has joined #openstack-keystone
23:12 *** diazjf has quit IRC
23:16 *** harlowja has quit IRC
23:16 *** asettle has quit IRC
23:20 *** david-lyle_ has joined #openstack-keystone
23:20 *** david-lyle_ has quit IRC
23:23 *** guoshan has joined #openstack-keystone
23:27 *** jamielennox is now known as jamielennox|away
23:27 *** guoshan has quit IRC
23:28 *** jamielennox|away is now known as jamielennox
23:37 *** phalmos has quit IRC
23:41 *** browne has joined #openstack-keystone
23:45 *** martinus__ has quit IRC
23:45 *** martinus__ has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!