Friday, 2017-04-07

*** jistr has joined #openstack-keystone00:01
*** david-lyle has quit IRC00:03
*** david-lyle has joined #openstack-keystone00:07
*** thorst has joined #openstack-keystone00:11
*** markvoelker has joined #openstack-keystone00:13
*** lamt has quit IRC00:14
*** edmondsw has joined #openstack-keystone00:15
*** thorst has quit IRC00:15
*** edmondsw has quit IRC00:19
*** thorst has joined #openstack-keystone00:21
*** thorst has quit IRC00:28
*** david-lyle has quit IRC00:36
*** jlvillal is now known as jlvillal_pto00:42
*** zhurong has joined #openstack-keystone00:43
*** charz has joined #openstack-keystone00:48
*** thorst has joined #openstack-keystone00:52
*** thorst has quit IRC00:52
*** dave-mcc_ has joined #openstack-keystone00:56
*** lucasxu has joined #openstack-keystone01:17
*** lucasxu has quit IRC01:20
*** thorst has joined #openstack-keystone01:26
*** liujiong has joined #openstack-keystone01:26
*** lucasxu has joined #openstack-keystone01:30
*** shuyingya has joined #openstack-keystone01:36
*** xuhaigang has joined #openstack-keystone01:36
*** dave-mccowan has joined #openstack-keystone01:37
*** dave-mcc_ has quit IRC01:39
xuhaiganghi, can someone tell me how to restart keystone service?01:41
xuhaigangkeystone service in devstack01:43
*** spzala has quit IRC01:48
*** spzala has joined #openstack-keystone02:09
*** spzala has quit IRC02:13
*** jrist has joined #openstack-keystone02:20
*** lwanderley has quit IRC02:40
*** spzala has joined #openstack-keystone02:46
*** spzala has quit IRC02:51
*** namnh has joined #openstack-keystone02:59
*** stingaci has joined #openstack-keystone03:12
*** rderose has quit IRC03:13
*** stingaci has quit IRC03:17
*** spzala has joined #openstack-keystone03:27
*** spzala has quit IRC03:32
*** david-lyle has joined #openstack-keystone03:35
*** akrzos has joined #openstack-keystone03:39
*** dave-mccowan has quit IRC03:39
*** david-lyle has quit IRC03:42
*** Dinesh_Bhor has joined #openstack-keystone03:46
*** links has joined #openstack-keystone03:47
*** zhurong has quit IRC03:51
*** voelzmo has joined #openstack-keystone04:02
*** zhurong has joined #openstack-keystone04:04
*** spzala has joined #openstack-keystone04:06
*** voelzmo has quit IRC04:10
*** spzala has quit IRC04:11
*** markvoelker has quit IRC04:11
*** jamielennox is now known as jamielennox|away04:18
*** voelzmo has joined #openstack-keystone04:20
*** spzala has joined #openstack-keystone04:27
*** spzala has quit IRC04:32
*** lucasxu has quit IRC04:33
*** voelzmo has quit IRC04:43
*** rcernin has joined #openstack-keystone04:48
*** lamt has joined #openstack-keystone04:53
*** melwitt has joined #openstack-keystone04:54
*** rcernin has quit IRC04:55
*** rcernin has joined #openstack-keystone04:55
*** rcernin is now known as rcernin|wfh04:55
*** spzala has joined #openstack-keystone05:09
*** markvoelker has joined #openstack-keystone05:12
*** spzala has quit IRC05:14
*** markvoelker has quit IRC05:17
*** browne has quit IRC05:20
*** lamt has quit IRC05:33
*** richm has quit IRC05:44
*** spzala has joined #openstack-keystone05:46
*** spzala has quit IRC05:50
*** zhurong has quit IRC05:55
*** zhurong has joined #openstack-keystone06:16
*** lamt has joined #openstack-keystone06:18
*** spzala has joined #openstack-keystone06:22
*** spzala has quit IRC06:27
*** pcaruana has joined #openstack-keystone06:34
*** voelzmo has joined #openstack-keystone06:42
*** spzala has joined #openstack-keystone06:49
*** belmoreira has joined #openstack-keystone06:51
*** spzala has quit IRC06:54
bretonxuhaigang: service apache2 restart06:57
*** Shunli has joined #openstack-keystone07:05
*** aloga has joined #openstack-keystone07:06
*** tesseract has joined #openstack-keystone07:07
bretonso07:13
bretonRock or Rex?07:13
*** markvoelker has joined #openstack-keystone07:13
*** aojea_ has joined #openstack-keystone07:16
*** markvoelker has quit IRC07:17
*** rha has joined #openstack-keystone07:22
*** spzala has joined #openstack-keystone07:26
*** spzala has quit IRC07:30
*** liujiong has quit IRC07:33
*** liujiong has joined #openstack-keystone07:33
*** lwanderley has joined #openstack-keystone07:39
*** lwanderley has quit IRC07:41
*** dulek has joined #openstack-keystone07:50
*** stingaci has joined #openstack-keystone07:54
*** spzala has joined #openstack-keystone07:57
*** stingaci has quit IRC07:58
*** zzzeek has joined #openstack-keystone08:00
*** spzala has quit IRC08:02
*** zigo has joined #openstack-keystone08:18
xuhaigangbreton: ok, thx!08:33
*** zhurong has quit IRC08:41
xuhaigangbreton: I tried this command, but it does not work in devstack.08:43
*** johnthetubaguy has joined #openstack-keystone08:45
*** andymccr has joined #openstack-keystone08:45
*** spzala has joined #openstack-keystone08:49
xuhaigangbreton: sorry, my breakpoint is wrong, it's ok now :)08:53
*** spzala has quit IRC08:54
*** voelzmo has quit IRC08:58
*** tovin07 has joined #openstack-keystone08:59
*** frickler has joined #openstack-keystone08:59
*** voelzmo has joined #openstack-keystone09:05
*** voelzmo has quit IRC09:06
*** freerunner has joined #openstack-keystone09:22
*** Shunli has quit IRC09:30
*** lamt has quit IRC09:36
*** lwanderley has joined #openstack-keystone09:40
*** lwanderley has quit IRC09:41
*** Aurelgad1o has joined #openstack-keystone09:44
*** zhurong has joined #openstack-keystone09:54
*** zhurong has quit IRC09:55
*** liujiong has quit IRC10:01
*** nicolasbock has joined #openstack-keystone10:02
*** richm has joined #openstack-keystone10:13
*** jaosorior has joined #openstack-keystone10:15
*** links has quit IRC10:16
*** tesseract has quit IRC10:30
*** links has joined #openstack-keystone10:32
*** tesseract has joined #openstack-keystone10:44
openstackgerritHuangsm proposed openstack/keystone-specs master: List Users Filter By Some Information  https://review.openstack.org/45466810:48
*** jaosorior has quit IRC10:53
*** jaosorior has joined #openstack-keystone10:53
*** jaosorior has quit IRC10:53
*** jaosorior has joined #openstack-keystone10:56
*** shuyingya has quit IRC10:57
*** shuyingya has joined #openstack-keystone10:58
*** jaosorior_ has joined #openstack-keystone11:00
*** jaosorior has quit IRC11:01
*** links has quit IRC11:04
*** links has joined #openstack-keystone11:05
*** voelzmo has joined #openstack-keystone11:05
*** spzala has joined #openstack-keystone11:10
*** markvoelker has joined #openstack-keystone11:14
*** spzala has quit IRC11:16
*** raildo has joined #openstack-keystone11:16
*** openstackgerrit has quit IRC11:18
*** markvoelker has quit IRC11:19
*** pcaruana has quit IRC11:22
*** namnh has quit IRC11:27
*** jaosorior_ is now known as jaosorior11:37
*** lamt has joined #openstack-keystone11:38
*** spzala has joined #openstack-keystone11:47
*** thorst has joined #openstack-keystone11:47
*** spzala has quit IRC11:52
*** stingaci has joined #openstack-keystone11:56
*** lamt has quit IRC11:57
*** stingaci has quit IRC12:00
*** rmascena has joined #openstack-keystone12:03
*** raildo has quit IRC12:05
*** jaosorior has quit IRC12:09
*** jaosorior has joined #openstack-keystone12:09
*** edmondsw has joined #openstack-keystone12:09
*** markvoelker has joined #openstack-keystone12:14
*** spzala has joined #openstack-keystone12:23
*** zeus has joined #openstack-keystone12:25
*** spzala has quit IRC12:28
*** spilla has joined #openstack-keystone12:33
*** shuyingya has quit IRC12:34
*** lamt has joined #openstack-keystone12:35
*** spilla has quit IRC12:36
*** spilla has joined #openstack-keystone12:48
*** spzala has joined #openstack-keystone12:49
*** spzala has quit IRC12:49
*** spzala has joined #openstack-keystone12:49
*** stingaci has joined #openstack-keystone12:54
*** stingaci has quit IRC12:59
gagehugoo/13:03
*** catintheroof has joined #openstack-keystone13:03
*** openstackgerrit has joined #openstack-keystone13:21
openstackgerritDinesh Bhor proposed openstack/python-keystoneclient master: Add wrapper classes for return-request-id-to-caller  https://review.openstack.org/26118813:21
lbragstado/13:21
*** ravelar has joined #openstack-keystone13:22
dstanekxuhaigang: what OS are you running? Fedora? you just have to restart apache, which may be called httpd in your environment13:22
*** kencjohnston has joined #openstack-keystone13:24
lbragstadfor those of you who write, I found this guide informative - https://www.linkedin.com/pulse/effective-writer-spend-more-time-planning-less-writing-michael-gass13:27
Dinesh_Bhornice!13:31
*** ayoung has joined #openstack-keystone13:32
ayoungHeh...just noticed I got kickbanned.  Someone was having fun.13:33
dstanekayoung: fun day yesterday. sorry you missed it13:34
dstaneki guess today is a 1.5 cup of coffee day. i just realized that i only have 8g of coffee left13:37
lbragstadlooks like there is a new patch set for the OpenStack mission -> https://review.openstack.org/#/c/447031/4/resolutions/20170317-cloud-applications-mission.rst13:38
lbragstadayoung i spent yesterday reading the NIST RBAC model13:38
ayoungdstanek, I use a french press, which is 2 scoops per cup13:39
ayounglbragstad, learn anything?13:39
lbragstadayoung yeah - i thought it was good13:39
lbragstadayoung i'm going to parse it again this weekend13:39
ayounglbragstad, OK, so a couple things as I mentioned prior13:39
ayoungWe do Scoped RBAC, which is different from NIST13:39
ayoungThe best example I can give is in NIST Role=MAYOR_OF_CHICAGO13:40
ayoungin ours Role=Mayor, Project=Chicago13:40
lbragstadayoung right13:40
*** lwanderley has joined #openstack-keystone13:40
ayoungours is more scalable, but you can do a one-to-one translation between them if you need.13:40
ayounglbragstad, also, I chose not to use the term hierarchical roles and instead used implied roles for a couple of reasons13:40
ayoung1.  we used hierarchical for the project hierarchy13:41
ayoung2. role inference really is a DAG13:41
ayounglbragstad, dstanek I think I have an analogy for you guys.13:41
ayoungSay you want to borrow my car, one of the two actually13:41
*** lwanderley has quit IRC13:41
ayoungI have a Hyundai and a Subaru, and you want the Subaru cuz you are going skiing13:42
ayounglet's say this crazy car is a remote start...(my Hyundai is, actually, but let's say the Subaru is too)13:42
ayoungI always get into the car with my whole Key ring in my pocket13:43
ayoungand that is how I start the car...push the button, and I have no idea which Key I have actually starts the car13:43
ayoungin order to let you use my car, I could give you the whole key ring13:43
ayoungor I could figure out which key actually starts it....13:43
dstanekayoung: i also use a french press. i usually use about 17g of grounds and 289g water per cup13:44
ayoungto do that, I have to take my key ring apart, and try each key in turn to start it13:44
ayoungdstanek, I still use Imperial Measure for Coffee.13:44
ayoungtwo tablespoons13:44
ayoungnot sure what that maps to in grams...13:44
dstanekayoung: :-) my scale only does grams afaik13:44
* ayoung suspects you take coffee a bit more seriously than I13:45
lbragstadit depends on the bean and the grind13:45
* ayoung has no scale13:45
ayoungheh...much more fun to talk about than RBAC13:45
ayounganyway...so Keys are Roles13:45
ayoungand the Car is the API we want to call13:45
ayoungAnd lending you the car is setting up some autonomous system to call the API on my behalf13:46
ayoungI want to know which Key to give you to lend you my car13:46
lbragstadsure13:46
ayoungand I want to know which role to add to the delegation agreement to set up the autonomous system13:46
ayoungI don't want to have to give every role I am assigned to the system13:46
ayoungjust the minimal...13:46
*** spzala has quit IRC13:47
ayoungthat is what I am trying to get at here:  the need to put the ROLE on the outside of the API, to make it discoverable.  To figure out which key we need without starting the car.13:47
* ayoung looks into Amazon Drone Coffee delivery services for dstanek 13:47
lbragstadayoung so that was something that stuck out to me in the symmetric RBAC model13:48
lbragstadbecause it requires the ability to review roles and permissions13:48
*** dave-mccowan has joined #openstack-keystone13:49
ayoungYeah...of course, we are not really doing the constrained part that depends upon, but yes.13:50
lbragstadideally - we need to be in order to get to the symmetric model13:50
ayoungwe don't enforce "Role A implies you cannot have Role B"13:50
ayoungright13:50
*** shuyingya has joined #openstack-keystone13:50
ayoungthat is kind of like "if you can order supplies, you cannot sign off on releasing the Money for those supplies"13:50
lbragstadin the constrained model - it leaves a lot of stuff open to interpretation13:51
ayoungso that illegal purchases get caught, or at least more than one person needs to collude.13:51
*** zhurong has joined #openstack-keystone13:51
ayoungI think we are OK without that for now, but we could, in theory add that in the future.  It would be the opposite of an inference rule, I think13:52
lbragstadayoung do you remember that role map idea we talked about a long time ago?13:52
ayoungrefresh my memory13:52
lbragstadayoung it's pretty much implied roles13:52
lbragstadbut operations in openstack have other things they require in order to work13:53
lbragstadlike nova needing to be able to get a port from neutron in order to boot a server13:53
*** zhurong has quit IRC13:53
lbragstadsome time back we talked about building a map of those operations (like a big tree of which operations *needed* which operations in order to work)13:54
lbragstadso - because you're allowed to boot instances, it's implied that you can create a port in neutron13:54
dstanekto have a concrete openstack case.... one example i have been using is that i want to delegate the ability to reboot a specific VM. i was hoping that the capabilities api would allow me to understand what role that means and that we'd be able to scope to an instance somehow13:54
*** shuyingya has quit IRC13:55
lbragstaddstanek not sure if you've had the chance to parse the doc yet13:55
lbragstaddstanek but it breaks RBAC into four levels13:55
lbragstadflat (level 1), hierarchical (level 2), constrained (level 3), and symmetric (level 4)13:56
dstaneklbragstad: yes, i did a read through yesterday13:56
lbragstadok13:56
lbragstadnice13:56
lbragstadto me - level 4 makes sense13:56
lbragstadbut i'm not quite sure how we'd apply level 313:56
dstaneklbragstad: what is level 3, hierarchical or constrained?13:57
lbragstadand i was thinking of that operation map as a way to do that somehow - but ran out of steam yesterday13:57
lbragstaddstanek hierarchical is level 213:57
lbragstadconstrained is level 313:57
lbragstaddstanek level 2 is just the ability to imply roles really13:58
lbragstad(i.e. because I have the project lead role I can do project developer operations)13:58
dstanekwhat's interesting to me is the read-only case. why is this idea attached to a role instead of attached to a policy?14:00
dstaneki've been trying to dig into the amazon policy model as i have time and it's actually very interesting14:01
lbragstadhttps://www.youtube.com/watch?v=Du478i9O_mc did a pretty good job of describing it14:03
dstanekhttps://aws.amazon.com/code/AWS-Policy-Examples/6851158459579252 i think is just missing a principal that constrains the policy to a role14:03
*** peterstac has joined #openstack-keystone14:04
dstanekwhat's interesting here is that people seem to be grouping policy statements by policy and not by service14:04
lbragstadsdb:GetAttributes for example14:05
dstanekright, so in their policy you can say this user/group/whatever can perform some_action on this resource/set of resources/all resources14:06
dstaneki want the devs to have read-only access to arn:aws:s3:::images, but ops to have full access of that resource14:07
ayoungI think 4 does not really require 3, more that it builds on it for use cases we don't really care about here14:07
ayoungdstanek, and that grouping is where OpenStack started, with the Project as the means of grouping14:08
dstanekayoung: lbragstad: i took notes during that initial reading...i really need to go back over it again14:08
lbragstadi need to reread levels 3 and 414:09
ayounglbragstad, dstanek I think NIST has an implied "This all applies to our one organization" built into its approach14:09
dstanekayoung: groupd you mean user/group/whatever?14:09
knikollamorning o/14:09
ayoungknikolla, hey...14:09
lbragstadi think 3 is hard to fit in our model today - but I won't rule out the fact we might care about it in the future14:09
dstanekayoung: yes, i think you are correct about the organization semantics of the doc from what i've seen14:10
dstaneklbragstad: when you say hard to fit in, do you mean because conflicts would be hard to find?14:12
lbragstaddstanek i seem to understand the ability to stack roles on top of each other, using implied roles14:13
lbragstadbut in the case where you can't do something because you have a *specific* role is kind of confusing for me to think about in our situation14:13
ayoungI think level 3 would require the unified delegation model14:14
lbragstadand the way we do things in openstack all bubbles up to a global/cloud admin14:14
lbragstadwhich is kinda like the director role from the examples in the NIST RBAC model14:14
dstaneklbragstad: yeah, in my mind it's hard because you have to unwind the role hierarchy and evaluate policy for them. and since policy is all over the place some situations are impossible today14:15
*** thorst has quit IRC14:15
lbragstadlevel 3 attempts to limit the damage done by one person having too much power14:15
ayoungAdmin is pretty much the definition of that.14:16
lbragstadwe treat admin as the admin of the cloud (i.e. God-mode) and we imply with great power comes great responsibility14:16
lbragstadright - the way we apply rbac kind of conflicts with that specific level of RBAC as defined in the NIST document14:17
ayoungyeah, so we really should revisit the idea that a user can get a token with a subset of their roles14:17
ayoungcuz if you are admin, you don't always want to be acting as admin14:17
lbragstadayoung that'd effectively be the dynamic separation of duty14:17
ayoungYep14:17
lbragstadbecause you're limiting each session (i.e. token) to a specific scope14:17
ayoungeffectively me not giving you my whole key ring to lend you my car....14:18
*** spzala has joined #openstack-keystone14:18
dstanekayoung: ++ it's the same reason i use sudo instead of logging in as root everywhere14:18
lbragstadayoung i think that part comes in level 414:18
ayounghttps://review.openstack.org/#/c/186979/  needs to be approved, not -2ed stevemar14:18
lbragstadbecause you as a user need to be able to figure out which key starts your car first14:18
ayoungjust a spec freeze -2 that needs to be removed...that one and14:18
*** thorst has joined #openstack-keystone14:18
ayoungthen this...14:19
*** spzala_ has joined #openstack-keystone14:19
ayounghttps://review.openstack.org/#/c/310074/14:19
ayounglbragstad, you see the logic14:19
dstaneki'd love to be able to delegate something like computed:vm:reboot:1234514:20
ayoungdstanek, you mean an individual VM?14:20
ayoungI think the best we can get from Keystone alone is the ability to perform a single operation on all of a class of resources in a project14:21
dstanekyes, as a user i want to give my team the ability to do a few targeted actions14:21
ayoungso computed:vm:reboot14:21
dstanekayoung: yeah, it has to be evaluated at policy time *and* to some extent grant time14:21
ayoungyou want it to only reboot a single VM, needs to be in its own project. Anything beyond that requires support from Nova to implement, but I think it is still a huge improvement14:22
openstackgerritayoung proposed openstack/keystone master: Fernet token formatter with explicit role  https://review.openstack.org/31007414:22
*** spzala has quit IRC14:22
ayoungstevemar, please remove -2 on https://review.openstack.org/#/c/310074/ as well14:22
knikollaayoung: theoretically we can expand role-check-from-middleware for that /servers/12345/action14:23
dstanekayoung: totally agree. i'm just trying to define what we should be doing overall. then real world constraints would dictate how we get there14:23
ayoungknikolla, yeah, I think so14:23
ayoungknikolla, need to think it through.  If there are multiple paths for the same URL, they all need to be evaluated14:24
ayoungotherwise, there is a potential hack14:24
knikollatrue14:25
dstanekayoung: this is why i want to stay away from URL14:25
*** david-lyle has joined #openstack-keystone14:25
knikollaalso scope-check14:25
*** links has quit IRC14:25
ayoungdstanek, you have to provide a viable alternative14:25
dstanekask nova about compute:vm:reboot - they already know all 4 urls that can trigger that action14:25
ayoungknikolla, nah, scope check is not our problem14:25
ayoungdstanek, OpenStack is not Nova14:25
ayoungKeystone cares Bugger All about Nova14:26
ayoungNova is just the biggest consumer14:26
ayoungbut the same things we say about Nova have to be true of any service that uses Keystone14:26
dstaneknova is just a concrete example14:26
ayoungdstanek, you can't tell an end user that in order to find out what role they need, they have to read the code14:26
lbragstadit doesn't really matter what the operation is, we just need a way to ask the service about the operation14:26
knikollaayoung: by scope check i mean, can this user restrict access to the url of this resource. is it his resource to do that?14:26
ayoungthey might not actually have access to the code14:26
dstanekayoung: why would they have to do that? they know they want to reboot a vm14:27
ayoungdstanek, no, they want to tell another system It can reboot a VM14:27
ayoungand in doing so, are going to create a trust.14:27
ayoungAnd what role do they assign to that trust?14:27
dstanekwhat role do you need for compute:vm:reboot?14:28
ayoungdstanek, right14:28
ayoungdstanek, or, take the case of something like Trove14:28
ayoungit wants to do a bunch of stuff on your behalf14:28
ayoungit better tell you what roles you need to give it, otherwise you have to give it everything14:28
dstanekayoung: right....my point is you use the string 'compute:vm:reboot' instead of a URL14:29
ayoungand that might not be legal.  In a, you know, Federal law meaning of the term14:29
ayoungdstanek, users never see that string14:29
ayoungthey see either a web UI or call the CLI14:29
ayoungand they need to be able to automatically map from what they are calling to the policy14:29
dstanekright, and they wouldn't really see the URL in those cases without --debug14:30
ayoungdstanek, I started with the policy rules.  Mapping them automatically is a non-starter...too much code in the way14:30
dstanekthey say 'openstack user list' and that is actually 'identity:user:list'14:30
ayoungdstanek, but their tooling knows the URL, and thus could deduce it for them14:30
ayoungdstanek, right, so say that has a switch14:30
ayoung'openstack user list --test'14:30
ayoungthat means don't actually run it, just tell me what would happen if I did14:31
lbragstadthat seems like a long way to do capabilities14:31
dstaneki would argue that you might not be able to know the URL. for example, when action (or multiple actions) are hidden behind URLs14:31
ayoungand it might be able to say "in order to do that, you need Role R"14:31
dstanekayoung: sure....but you still don't need URL14:32
ayoungdstanek, I know, but you need something14:32
ayoungand I need you to lay out what that alternative something is in a mechanism we can talk through from start to finish14:32
ayoungdstanek, if you need a role that Nova doesn't tell you in order to, say, fetch the image from glance, then, yes, the operation will fail14:33
ayoungthat was the idea of the map lbragstad was talking about before14:33
dstanekayoung: 'openstack user list --test' returns some roles by querying for the capabilities of a service - part of what comes back would look like the keys in policy14:33
ayoungideally, the role you need to perform the operation on Nova would be the coarse grained one that implies the fine grained ones for glance cinder and neutron14:33
*** Dinesh_Bhor has quit IRC14:34
ayoungdstanek, so now every service out there, including non-openstack ones need to implement our API?14:34
ayoungour capabilities API?14:34
ayoungif not, you are back to trial and error, and the security hole that implies14:35
dstanekayoung: yes, or provide a service that does it14:35
dstanekayoung: even with the URL approach there is something for them to do. it's not a freebie either14:35
ayoungdstanek, so, I am proposing Keystone as that service14:35
lbragstadi don't really see how providing a capability api would be a bad thing14:35
ayounglbragstad, providing it is fine.  Requiring it is not.14:36
lbragstadayoung sure14:36
*** lucasxu has joined #openstack-keystone14:36
lbragstadayoung if a service wants to leverage openstack infrastructure for providing better rbac, supply a capabilities API according to this specification14:36
dstanekayoung: is the theoretical service consuming keystone tokens?14:37
ayoungdstanek, yep14:37
*** stradling has joined #openstack-keystone14:37
lbragstadin that case wouldn't that be more of a reason to supply a capabilities API?14:38
dstanekayoung: so they've already somewhat committed to openstack.... if you don't have a capabilities API then you can get the fancy delegation14:39
lbragstads/can/can't/ ?14:39
*** eglute has joined #openstack-keystone14:39
*** thorst has quit IRC14:39
dstaneklbragstad: ++ can't14:39
lbragstaddstanek i was about to say - sweet! we're done!14:39
lbragstad+2/A let's go home14:40
*** lwanderley has joined #openstack-keystone14:40
dstanekayoung: lbragstad: i have a meeting in 20 and now i have an idea related to this to hack together before that meeting :-) will you guys be around a little later to continue?14:40
dstaneklbragstad: the sad thing is that i am already home14:40
lbragstaddstanek ayoung yeah - i'll be around14:40
lbragstaddstanek ayoung let me know if you wanna do a hangout or something, that's always an option, too14:41
ayoungdstanek, lbragstad yep14:41
openstackgerritRichard Avelar proposed openstack/keystone master: Remove unused revocation check in revoke_models  https://review.openstack.org/45145214:41
*** lwanderley has quit IRC14:41
ayoungdstanek, lbragstad but you could actually put auth-token middleware in front of a random API and get RBAC.  You'd only need to wire up the scope check, and that could be done via custom middleware, not altering the original application14:42
ayoungbut more likely that they are already looking at Keystone tokens and using them for auth14:42
ayoungcapabilities and RBAC are 2 different things, though14:42
ayoungcapabilities do not vary per user14:43
ayoungthey vary per service14:43
ayoungRBAC varies per Token14:43
*** thorst has joined #openstack-keystone14:43
*** thorst has quit IRC14:43
*** thorst has joined #openstack-keystone14:44
lbragstadayoung IFF the role the token is scoped to changes14:44
ayoungor the inference rules, which are maintained in Keystone, not the remote system14:44
*** belmoreira has quit IRC14:47
ayoungHeh, I still parse IFF as "Identify Friend or Foe" reinforced now by "The Expanse"14:50
*** rderose has joined #openstack-keystone14:50
lbragstadpsh14:50
lbragstadiff == if and only if14:51
lbragstadpeople messing with redefining acronyms14:51
*** rajpatel has joined #openstack-keystone14:53
ayoungRPG14:54
*** chris_hultin|AWA is now known as chris_hultin14:54
*** lamt has quit IRC14:58
*** voelzmo has quit IRC15:02
*** chris_hultin is now known as chris_hultin|AWA15:04
*** rcernin|wfh has quit IRC15:04
*** rajpatel has quit IRC15:06
*** catintheroof has quit IRC15:06
*** catintheroof has joined #openstack-keystone15:06
*** catintheroof has quit IRC15:07
*** catintheroof has joined #openstack-keystone15:15
*** catintheroof has quit IRC15:16
*** catintheroof has joined #openstack-keystone15:26
*** catintheroof has quit IRC15:27
*** redrobot has joined #openstack-keystone15:33
*** aojea_ has quit IRC15:42
*** oomichi has joined #openstack-keystone15:43
*** jaosorior has quit IRC15:44
*** niteshnarayanlal has joined #openstack-keystone15:49
*** stingaci has joined #openstack-keystone15:53
*** rajpatel has joined #openstack-keystone16:15
*** voelzmo has joined #openstack-keystone16:18
*** lwanderley has joined #openstack-keystone16:19
*** lucasxu has quit IRC16:24
*** spzala_ has quit IRC16:29
*** ediardo has joined #openstack-keystone16:33
*** spzala has joined #openstack-keystone16:35
*** spzala has quit IRC16:39
*** spzala has joined #openstack-keystone16:41
*** rajpatel has quit IRC16:41
*** tesseract has quit IRC16:42
*** rajpatel has joined #openstack-keystone16:42
*** rajpatel has quit IRC16:45
*** spzala has quit IRC16:46
*** catintheroof has joined #openstack-keystone16:51
*** spzala has joined #openstack-keystone16:52
*** spzala has quit IRC16:57
*** catintheroof has quit IRC16:57
*** spzala has joined #openstack-keystone16:58
*** spzala has quit IRC17:03
*** samueldmq has joined #openstack-keystone17:06
samueldmqooh I got banned from keystone17:07
samueldmqfrom #openstack-keystone*17:07
samueldmqglad to be back17:07
samueldmqo/17:07
*** spzala has joined #openstack-keystone17:17
*** ravelar has quit IRC17:17
*** spzala has quit IRC17:21
*** spzala has joined #openstack-keystone17:23
*** lucasxu has joined #openstack-keystone17:24
*** spzala has quit IRC17:27
*** spzala has joined #openstack-keystone17:29
*** ravelar has joined #openstack-keystone17:29
*** spzala has quit IRC17:33
*** spzala has joined #openstack-keystone17:35
*** spzala has quit IRC17:39
ayoungknikolla, got a WIP of the client changes for RBAC?17:39
*** cburgess has joined #openstack-keystone17:45
*** chlong_ has joined #openstack-keystone17:46
*** spzala has joined #openstack-keystone17:50
*** lwanderley has quit IRC17:55
*** lwanderley has joined #openstack-keystone18:02
*** rajpatel has joined #openstack-keystone18:04
*** stingaci has quit IRC18:12
*** rajpatel has quit IRC18:33
dstanekwelcome back samueldmq18:37
ayoungknikolla,  can you check to see if https://review.openstack.org/454847  will solve the issues you saw with https://review.openstack.org/#/c/441469/18:37
knikollaayoung: for the client, i hope to have something to show you by the end of today or tomorrow.18:42
knikollaayoung: should i rebase on top of your change for tempest?18:42
ayoungknikolla, cool.18:42
ayoungknikolla, my change is not going to help18:42
ayoungit is just unit tests.  I think I have to submit to devstack to stop enabling the config option by default18:42
ayoungor maybe it is how the test is run?  Is it a gate option?18:43
knikollaayoung: i don't know18:44
ayoungknikolla, pretty sure it is devstack setting admin_project_name which is the problem18:44
ayoungit looks like it defaults it18:44
knikollaayoung: still that doesn't explain the non-deterministic failures18:45
mtreinishknikolla: the non deterministic failures are likely because the project is being reused18:46
mtreinishtempest tests are run in parallel and expect each class to have isolated projects18:46
mtreinishwhen you force all admin users to run in a single project the project scoped resources will change for all the tests running in parallel18:47
mtreinishand cause a bunch of random failures18:47
knikollamtreinish: wouldn't they be different resources?18:48
mtreinishknikolla: the easiest way to think about it is a list api call18:48
mtreinishif you have 2 tests creating and deleting resources in the same project and doing list calls that they're using to verify18:49
mtreinishthose tests will race against each other, and the lists will differ depending on the other tests18:50
knikollamtreinish: oh right, makes sense.18:50
*** rajpatel has joined #openstack-keystone18:53
dolphmTERMIE?! https://review.openstack.org/#/q/owner:ansmith%2540redhat.com+status:open18:54
ayoungdolphm, sure looks like it.18:55
ayoungdolphm, then again, people used to assume ayoung was andrew young, so maybe just a common name?18:55
dolphmayoung: i think so18:56
ayoungdolphm, https://review.openstack.org/#/q/owner:%22Andy+Smith%2218:59
dolphmayoung: definitely not termie. there's trailing whitespace18:59
ayoungHeh18:59
ayoungdolphm, there is an Andy Young at RH.  Think that is him.19:01
ayoungEer19:01
ayoungAndy Smith19:01
ayoungdolphm, yeah, and he's in the messaging group.  Not termie.  We can all relax19:02
*** thorst has quit IRC19:03
*** Aqsa has joined #openstack-keystone19:10
*** aojea has joined #openstack-keystone19:10
ayoungwhat is the release note process again?  Google searching just gives me the actual release notes, not the tool19:13
*** openstackgerrit has quit IRC19:19
knikollaayoung: what do you mean by release note process?19:20
lbragstadayoung you can use your tox environment19:24
lbragstadtox -e reno19:24
ayounglbragstad, thanks, I found it19:24
lbragstader.. releasenotes* ?19:24
ayoungtox -e venv -- reno new is_admin_project19:24
ayoungor summat like dat19:24
*** thorst has joined #openstack-keystone19:32
*** blake has joined #openstack-keystone19:37
*** chlong_ has quit IRC19:37
*** knikolla has left #openstack-keystone19:37
*** knikolla has joined #openstack-keystone19:37
*** lwanderley has quit IRC19:39
*** aojea has quit IRC19:39
*** aojea has joined #openstack-keystone19:40
*** chlong has joined #openstack-keystone19:42
*** aojea has quit IRC19:45
*** spzala has quit IRC20:09
*** spzala has joined #openstack-keystone20:12
*** spzala has quit IRC20:16
*** lucasxu has quit IRC20:17
*** spzala has joined #openstack-keystone20:17
*** voelzmo has quit IRC20:31
*** rajpatel has quit IRC20:37
*** lwanderley has joined #openstack-keystone20:43
*** aojea has joined #openstack-keystone20:45
*** stradling has quit IRC20:48
*** blake has quit IRC21:01
*** voelzmo has joined #openstack-keystone21:01
*** edmondsw has quit IRC21:02
*** edmondsw has joined #openstack-keystone21:02
*** mvk has joined #openstack-keystone21:04
*** voelzmo has quit IRC21:05
*** edmondsw has quit IRC21:07
*** spilla has quit IRC21:08
*** chlong has quit IRC21:08
*** catintheroof has joined #openstack-keystone21:12
*** catintheroof has quit IRC21:16
*** spzala has quit IRC21:20
*** thorst has quit IRC21:22
*** openstackgerrit has joined #openstack-keystone21:25
openstackgerritPeter Sabaini proposed openstack/keystone master: Only commit if we're not autocommitting  https://review.openstack.org/45489421:25
*** Aqsa has quit IRC21:30
*** aojea has quit IRC21:44
*** rajpatel has joined #openstack-keystone21:56
*** SamYaple has joined #openstack-keystone22:01
*** SamYaple has quit IRC22:06
*** SamYaple has joined #openstack-keystone22:06
*** thorst has joined #openstack-keystone22:22
*** sjain has joined #openstack-keystone22:23
*** sjain has quit IRC22:31
*** thorst has quit IRC22:41
*** shuyingya has joined #openstack-keystone22:47
*** shuyingya has quit IRC22:51
*** rajpatel is now known as rajpatel_away23:37
*** thorst has joined #openstack-keystone23:39
*** thorst has quit IRC23:43
*** thorst has joined #openstack-keystone23:56
morganayoung: <releasenotename>-deadbeefdeadbeefdeadbeef.yml23:56
morgansimple23:57
*** thorst has quit IRC23:57
