Friday, 2017-12-01

00:02 *** rcernin has quit IRC
00:02 <openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Make fernet config and utils generic  https://review.openstack.org/523200
00:02 *** rcernin has joined #openstack-keystone
00:07 *** rcernin has quit IRC
00:07 *** rcernin has joined #openstack-keystone
00:11 *** thorst has joined #openstack-keystone
00:15 *** david-lyle has quit IRC
00:15 *** thorst has quit IRC
00:16 *** aselius has quit IRC
00:23 *** jmlowe has quit IRC
00:29 *** david-lyle has joined #openstack-keystone
00:34 *** david-lyle has quit IRC
00:57 *** thorst has joined #openstack-keystone
01:02 *** thorst has quit IRC
01:25 *** sticker has joined #openstack-keystone
01:30 *** thorst has joined #openstack-keystone
01:35 *** thorst has quit IRC
01:35 *** zhurong has joined #openstack-keystone
01:51 *** panbalag has joined #openstack-keystone
01:53 *** panbalag has left #openstack-keystone
01:54 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name  https://review.openstack.org/522461
02:01 *** thorst has joined #openstack-keystone
02:07 *** thorst has quit IRC
02:07 *** gmann_afk is now known as gmann
02:12 *** AlexeyAbashkin has joined #openstack-keystone
02:14 *** rcernin_ has joined #openstack-keystone
02:15 *** EmilienM_ has joined #openstack-keystone
02:15 *** thorst has joined #openstack-keystone
02:16 *** thorst has quit IRC
02:16 *** slunkad_ has joined #openstack-keystone
02:16 *** AlexeyAbashkin has quit IRC
02:17 *** bigjools_ has joined #openstack-keystone
02:18 *** Anticime1 has joined #openstack-keystone
02:19 *** gagehugo_ has joined #openstack-keystone
02:20 *** annp has joined #openstack-keystone
02:21 *** rcernin has quit IRC
02:21 *** magicboiz has quit IRC
02:21 *** magicboiz has joined #openstack-keystone
02:21 *** Dinesh__Bhor has joined #openstack-keystone
02:21 *** mattoliverau_ has joined #openstack-keystone
02:22 *** zhurong has quit IRC
02:22 *** jrist has quit IRC
02:22 *** markvoelker has quit IRC
02:22 *** gagehugo has quit IRC
02:22 *** EmilienM has quit IRC
02:22 *** Dinesh_Bhor has quit IRC
02:22 *** mattoliverau has quit IRC
02:22 *** Anticimex has quit IRC
02:22 *** bigjools has quit IRC
02:22 *** zigo has quit IRC
02:22 *** slunkad has quit IRC
02:22 *** EmilienM_ is now known as EmilienM
02:22 *** EmilienM has quit IRC
02:22 *** EmilienM has joined #openstack-keystone
02:23 *** mattoliverau_ is now known as mattoliverau
02:23 *** jrist has joined #openstack-keystone
02:23 *** gagehugo_ has quit IRC
02:26 *** gagehugo has joined #openstack-keystone
02:27 *** zigo has joined #openstack-keystone
02:27 *** markvoelker has joined #openstack-keystone
02:29 *** zigo is now known as Guest13268
02:30 *** nicolasbock has quit IRC
02:30 *** dave-mccowan has joined #openstack-keystone
02:42 *** jmlowe has joined #openstack-keystone
02:44 *** thorst has joined #openstack-keystone
02:44 *** thorst has quit IRC
02:45 *** daidv has joined #openstack-keystone
02:45 *** daidv_ has joined #openstack-keystone
02:51 *** dave-mccowan has quit IRC
02:53 *** itlinux has joined #openstack-keystone
02:58 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Refresh the Controller list  https://review.openstack.org/524449
03:04 *** ricolin_ has joined #openstack-keystone
03:14 *** masber has joined #openstack-keystone
03:25 *** thorst has joined #openstack-keystone
03:29 *** thorst has quit IRC
03:50 *** rcernin has joined #openstack-keystone
03:51 *** rcernin_ has quit IRC
03:52 *** namnh has joined #openstack-keystone
03:55 *** links has joined #openstack-keystone
04:04 *** thorst has joined #openstack-keystone
04:08 *** thorst has quit IRC
04:24 *** threestrands_ has joined #openstack-keystone
04:24 *** threestrands_ has quit IRC
04:24 *** threestrands_ has joined #openstack-keystone
04:26 *** threestrands has quit IRC
04:29 *** daidv has quit IRC
04:40 *** itlinux has quit IRC
04:44 *** thorst has joined #openstack-keystone
04:49 *** thorst has quit IRC
05:09 *** rcernin_ has joined #openstack-keystone
05:09 *** rcernin has quit IRC
05:13 *** david-lyle has joined #openstack-keystone
05:17 *** itlinux has joined #openstack-keystone
05:20 *** thorst has joined #openstack-keystone
05:25 *** thorst has quit IRC
05:36 *** sticker has quit IRC
05:54 *** thorst has joined #openstack-keystone
06:00 *** thorst has quit IRC
06:08 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Refresh the Controller list  https://review.openstack.org/524449
06:10 *** pcaruana has joined #openstack-keystone
06:22 *** itlinux has quit IRC
06:24 *** threestrands_ has quit IRC
06:29 *** thorst has joined #openstack-keystone
06:30 *** david-lyle has quit IRC
06:38 *** thorst has quit IRC
06:51 *** wxy_ is now known as wxy
07:09 *** thorst has joined #openstack-keystone
07:13 *** thorst has quit IRC
07:29 *** rcernin_ has quit IRC
07:47 *** thorst has joined #openstack-keystone
07:52 *** thorst has quit IRC
08:15 *** AlexeyAbashkin has joined #openstack-keystone
08:25 *** thorst has joined #openstack-keystone
08:29 *** thorst has quit IRC
08:48 <openstackgerrit> Andreas Jaeger proposed openstack/oslo.policy master: Avoid tox_install.sh for constraints support  https://review.openstack.org/524515
08:51 *** magicboiz has quit IRC
08:52 *** magicboiz has joined #openstack-keystone
08:54 *** gmann is now known as gmann_afk
08:57 *** thorst has joined #openstack-keystone
09:01 *** thorst has quit IRC
09:18 *** Dinesh__Bhor has quit IRC
09:19 *** Dinesh__Bhor has joined #openstack-keystone
09:29 *** thorst has joined #openstack-keystone
09:34 *** thorst has quit IRC
09:55 *** markvoelker has quit IRC
09:55 *** jaosorior has quit IRC
10:06 *** daidv_ has quit IRC
10:07 *** thorst has joined #openstack-keystone
10:11 *** thorst has quit IRC
10:20 *** namnh has quit IRC
10:33 *** openstackgerrit has quit IRC
10:44 *** thorst has joined #openstack-keystone
10:48 *** thorst has quit IRC
10:55 *** markvoelker has joined #openstack-keystone
11:09 *** Mani__ has joined #openstack-keystone
11:10 <Mani__> Hello everyone
11:11 <Mani__> I need your valuable suggestions on integration of Active Directory with OpenStack
11:11 <Mani__> we are using keystone V2, how can I integrate AD with OpenStack?
11:11 <Mani__> Can anyone help me?
11:17 *** thorst has joined #openstack-keystone
11:22 *** thorst has quit IRC
11:30 *** Dinesh__Bhor has quit IRC
11:43 *** nicolasbock has joined #openstack-keystone
11:53 *** raildo has joined #openstack-keystone
11:57 *** thorst has joined #openstack-keystone
12:01 *** thorst has quit IRC
12:04 *** magicboiz has quit IRC
12:10 <cmurphy> Mani__: we have documentation on it here https://docs.openstack.org/keystone/latest/admin/identity-integrate-with-ldap.html
12:11 *** thorst has joined #openstack-keystone
12:11 *** magicboiz has joined #openstack-keystone
12:15 *** magicboiz has quit IRC
12:16 *** magicboiz has joined #openstack-keystone
12:23 *** ricolin_ has quit IRC
12:27 *** Jack_Iv has joined #openstack-keystone
13:06 <Mani__> cmurphy: In the document they are using the domain concept. Do we have any process without domains, I mean by using keystone v2?
13:07 *** magicboiz has quit IRC
13:12 <cmurphy> Mani__: that document accounts for both a fully ldap-backed setup or a domain-independent setup, for example the section "To integrate one Identity back end with LDAP" covers what you want
13:13 <cmurphy> Mani__: however there is absolutely no reason you should need to use only keystone v2, v3 has been available for many many releases and v2 is taken out in queens
13:17 *** links has quit IRC
13:22 *** efried is now known as fried_rice
13:25 *** markvoelker has quit IRC
13:25 *** markvoelker has joined #openstack-keystone
13:26 *** jdennis has quit IRC
13:27 <Mani__> cmurphy: We are buying the cloud from a cloud provider, they are not giving support for v3 so we have to use v2 only :(
13:28 *** jdennis has joined #openstack-keystone
13:28 <Mani__> cmurphy: "To integrate one Identity back end with LDAP" if we are using this one, we don't have an sql backend, right? Actually our requirement is we need AD and an sql backend as well
13:29 <cmurphy> Mani__: it is not possible to not use domains and use both sql and ldap
13:30 <cmurphy> not with anything we have in keystone, you could write a custom identity driver to combine them
13:31 <cmurphy> Mani__: if you are buying this from a cloud provider i'm surprised you are setting this up yourself, ldap integration can only be done by modifying the server side config so i would expect the cloud vendor to take care of it for you
13:32 <Mani__> we have an agreement that he can provide the support after one year :(
13:34 <cmurphy> ("ldap integration can only be done by modifying the server side config" actually that's not entirely true but you still need v3 to do it with the REST API)
13:36 <Mani__> cmurphy: ohh .. Then we can't do it with v2, right?
13:37 <cmurphy> Mani__: no, with v2 you are stuck, you can only make it 100% ldap or 100% sql and you need to edit your keystone.conf to do it
13:37 <cmurphy> the new shiny things were only added in v3
13:38 <Mani__> ok, thanks cmurphy for the help
13:38 <Mani__> Thank you so much
13:38 <cmurphy> no problem
13:43 *** jaypipes is now known as leakypipes
13:51 -openstackstatus- NOTICE: gerrit has been restarted to get it back to its normal speed.
13:53 *** itlinux has joined #openstack-keystone
13:58 *** links has joined #openstack-keystone
13:59 *** nicolasbock has quit IRC
14:02 *** AlexeyAbashkin has quit IRC
14:03 *** MeltedLux has quit IRC
14:05 *** panbalag has joined #openstack-keystone
14:12 *** Mani__ has quit IRC
14:16 *** jmlowe has quit IRC
14:20 *** ildikov is now known as coffee_cat
14:25 *** dansmith is now known as superdan
14:26 <sudodude> i am working on AD integration and it looks like I can at least list users in AD (that I've created in AD) but when I try to delete a user, or create a user, for instance, I get an HTTP 403 error. What could be wrong?
14:26 *** links has quit IRC
14:27 <lbragstad> couple pretty easy reviews here if anyone is interested https://review.openstack.org/#/q/topic:bug/1733754+(status:open+OR+status:merged)
14:28 <cmurphy> sudodude: we removed write access from the ldap backend, it is read-only now
14:28 <cmurphy> sudodude: so you have to add and delete users directly with AD
14:28 <sudodude> oh ok
14:29 <sudodude> so are my tenants and roles in AD as well or are these only in OS?
14:29 <cmurphy> sudodude: no those should only be in openstack
14:29 <sudodude> ok great
14:29 <cmurphy> but your groups would be in AD
14:30 *** Jack_Iv has quit IRC
14:30 <sudodude> so I should be able to assign an AD user a role and a project in OS and then just log in to horizon, right?
14:33 <cmurphy> sudodude: yep
14:33 *** phalmos has joined #openstack-keystone
14:44 *** phalmos has quit IRC
14:52 *** openstackgerrit has joined #openstack-keystone
14:52 <openstackgerrit> Merged openstack/oslo.policy master: Avoid tox_install.sh for constraints support  https://review.openstack.org/524515
14:55 <sudodude> looks like after assigning a project and role to an AD user, I am able to log in and see the project and whatnot. What I can't seem to get working is the groups. I create a group (grp-openstack) in the same container I use for the other openstack users in AD but when I try to list groups from the domain, the list comes up empty
14:56 *** d0ugal has quit IRC
15:00 <cmurphy> sudodude: check the [ldap]/group_* conf options? https://docs.openstack.org/keystone/latest/configuration/config-options.html#ldap.group_tree_dn
15:01 <cmurphy> the keystone debug logs should show the queries it is making to ldap so you can check that those are right
15:04 *** phalmos has joined #openstack-keystone
15:07 *** david-lyle has joined #openstack-keystone
15:15 <lbragstad> cmurphy: i took a stab at airing out my concerns on https://review.openstack.org/#/c/455709/13
15:15 <lbragstad> kmalloc: ^
15:17 <cmurphy> lbragstad: cool
15:17 <lbragstad> i guess the way i think about it... if we make regions optional, we should probably change limits to have a uuid
15:18 <lbragstad> which changes the representation and how people interact with the API
15:18 *** d0ugal has joined #openstack-keystone
15:18 <lbragstad> but it will be flexible enough to allow people to limit services if those services don't have regions (lower barrier to entry)
15:18 <lbragstad> but it doesn't prevent anyone from putting all the things in regions and still using limits
15:19 <cmurphy> i'm +1 on making limits have ids
15:19 <cmurphy> everything else in keystone has ids
15:19 <cmurphy> even when it's silly like for domains
15:19 <lbragstad> yeah...
15:19 <lbragstad> i think we could possibly *not* have id iff we knew regions would *always* be present
15:20 <lbragstad> but, i don't think that is the case
15:20 <cmurphy> yeah
15:20 <lbragstad> s/don't think/know/
15:21 *** MeltedLux has joined #openstack-keystone
15:22 <lbragstad> i'll propose a follow on that incorporates what that looks like... wxy can steal bits from it if he wants
15:29 *** d0ugal has quit IRC
15:34 *** ianw has quit IRC
15:40 <mordred> fried_rice: if you get a sec, https://review.openstack.org/#/c/524647/
15:40 <fried_rice> mordred ...
15:41 <fried_rice> mordred lgtm, +A
15:41 <mordred> fried_rice: woot! thanks
15:45 *** thorst has quit IRC
15:46 *** d0ugal has joined #openstack-keystone
15:47 *** jmlowe has joined #openstack-keystone
15:53 *** david-lyle has quit IRC
15:55 <openstackgerrit> Monty Taylor proposed openstack/keystoneauth master: Add osc-tox-unit-tips jobs  https://review.openstack.org/524656
15:58 <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Add IDs to limits  https://review.openstack.org/524657
15:58 <lbragstad> cmurphy: ^ worked through most of the registered limit examples and one of the project limit apis
15:59 <cmurphy> lbragstad: cool, will have a look this weekend
15:59 <lbragstad> awesome - thanks!
16:00 <openstackgerrit> Monty Taylor proposed openstack/keystoneauth master: Add shade and python-openstacksdk tips jobs  https://review.openstack.org/524659
16:02 <mordred> lbragstad, cmurphy: ^^ those two patches add cross-testing between ksa and shade, sdk and osc - which should give us an *excellent* amount of functional coverage
16:02 <lbragstad> sweet
16:15 *** thorst has joined #openstack-keystone
16:20 *** thorst has quit IRC
16:22 *** Neptu has quit IRC
16:22 *** david-lyle has joined #openstack-keystone
16:24 *** thorst has joined #openstack-keystone
16:28 *** thorst has quit IRC
16:32 <ayoung> OK...I'm just going to paste here...don't feel the need to respond...I'm stuck debugging the oslo-context work.
16:32 <ayoung> Got most of the tests running, but the cloudsample one is tripping me up
16:32 <ayoung> it appears like a token that should not have is_admin_project set on it is getting that set
16:34 <ayoung> requests a token for  domain_id=self.domainA['id'])
16:34 <ayoung> a domain scoped token should never get is_admin_project set...but maybe oslo-context doesn't know that?
16:39 <openstackgerrit> Monty Taylor proposed openstack/keystoneauth master: Add osc, shade and sdk tips jobs  https://review.openstack.org/524656
16:40 <ayoung> print request.token_info
16:40 <ayoung> {'token': {'is_domain': False, 'methods': [u'password'], 'roles': [{'id': '62207a1de27d4a6b9510acc80d578bd7', 'name': 'admin'}], 'is_admin_project': True, 'project': {'domain': {'id': u'de39141c5960495ea6ad391d37b5c47b', 'name': u'ab4d174fdddb4058bb03df3df67a3800'}, 'id': 'ef4ffe61b1404c6bac3fc7d44e8faf78', 'name': 'efe0e47584e74f6d88c0ff6665069975'}, 'catalog': [], 'expires_at': '2017-12-01T17:39:33.000000Z',
16:40 <ayoung> 'audit_ids': [u'aKMwwqjwS02JnbDvcDD0VQ'], 'issued_at': '2017-12-01T16:39:33.000000Z', 'user': {'domain': {'id': u'de39141c5960495ea6ad391d37b5c47b', 'name': u'ab4d174fdddb4058bb03df3df67a3800'}, 'password_expires_at': None, 'name': u'5b13a197d5244fcb971101328f171e32', 'id': u'8526a9ec58cf4c42b6ff6406d9dcd9a2'}}}
16:41 <ayoung> that sure looks like it has is_admin_project set for a domain scoped token
16:41 *** thorst has joined #openstack-keystone
16:47 *** Neptu has joined #openstack-keystone
16:50 *** thorst has quit IRC
16:52 <sudodude> is it possible to have keystone query multiple user OUs?
16:53 *** itlinux has quit IRC
17:10 <ayoung> sudodude, if you can write the LDAP query, keystone can probably do it
17:13 *** AlexeyAbashkin has joined #openstack-keystone
17:14 *** fried_rice is now known as fried_rolls
17:17 *** AlexeyAbashkin has quit IRC
17:20 *** itlinux has joined #openstack-keystone
17:21 *** thorst has joined #openstack-keystone
17:26 *** thorst has quit IRC
17:28 *** thorst has joined #openstack-keystone
17:33 *** thorst has quit IRC
17:34 *** thorst has joined #openstack-keystone
17:37 *** AlexeyAbashkin has joined #openstack-keystone
17:41 <sudodude> ayoung: would you have an example of how this might be implemented?
17:41 *** AlexeyAbashkin has quit IRC
17:50 <ayoung> sudodude, nope.  I'm just deducing from first principles.  But I did write the LDAP support, so my opinion is suspect anyway.  What are you trying to do?
17:54 <sudodude> well, I have multiple user groups I need to be able to query, in different OUs. I can't seem to be able to query the entire directory by not specifying user_tree_dn so, right now, I can only have it working by specifying a single user_tree_dn
17:58 *** prashkre has joined #openstack-keystone
18:02 <sudodude> sorry, by "user groups" i actually meant user OUs
18:02 *** david-lyle has quit IRC
18:04 *** david-lyle has joined #openstack-keystone
18:13 <kmalloc> sudodude: you might be able to do it with a filter, but a query from root
18:14 <kmalloc> so you query and filter down to the OUs you need
18:18 *** gyee has joined #openstack-keystone
18:20 <openstackgerrit> Tin Lam proposed openstack/python-keystoneclient master: Add project tags to keystoneclient  https://review.openstack.org/481223
18:21 *** aselius has joined #openstack-keystone
18:26 <lbragstad> lamt: is there a patch to support tags in osc?
18:36 <sudodude> kmalloc: sounds good, I'll give that a try
18:39 *** panbalag has left #openstack-keystone
18:47 <gagehugo> lbragstad https://review.openstack.org/#/c/481284/
18:47 <gagehugo> need to revisit that
18:51 <lamt> lbragstad my irc has been flaky but yes, that's the patch set
18:52 <lbragstad> lamt: cool- i'll pull both into an env and test things out
18:58 <lbragstad> is anyone here familiar with OPA? http://www.openpolicyagent.org/docs/
19:05 *** david-lyle has quit IRC
19:10 <ayoung> OK...back to my monologue.  I think I figured out what is happening.  It looks like the auth_ref used by keystonemiddleware has decided that the domain scoped token is_admin_project.
19:21 *** david-lyle has joined #openstack-keystone
19:36 *** dklyle has joined #openstack-keystone
19:37 *** david-lyle has quit IRC
19:37 <ayoung> and it looks like it is all the way down in the keystoneauth1 plugin
19:44 *** leakypipes has quit IRC
19:57 *** dklyle has quit IRC
20:11 *** AlexeyAbashkin has joined #openstack-keystone
20:14 <lbragstad> lamt: qq on the project tags client stuff
20:14 <lbragstad> if i do --tag blue --tag green on a project, that project will be tagged with those tags
20:15 <lbragstad> but if i do `openstack project set --tag azul --tag red development` the project will have all four tags (blue, azul, green, red)
20:15 <lbragstad> is that supposed to do a whole rewrite?
20:15 *** AlexeyAbashkin has quit IRC
20:16 *** MeltedLux has quit IRC
20:17 <ayoung> lbragstad, so the keystoneauth1 plugin assumes that if a token response has nothing on it, it should set is_admin_project to true.  Which, for most cases is correct, but not for domain scoped tokens
20:17 <ayoung> and I'm tempted to fix this back in the keystone layer
20:17 <lbragstad> why not fix it in keystoneauth?
20:17 <ayoung> by explicitly putting is_admin_project on all tokens,
20:17 <ayoung> because the rest of the world
20:17 <lbragstad> .... that doesn't seem like it should be the fix
20:17 <ayoung> what if someone is using a language not python
20:18 <ayoung> like, we use CloudForms, which is a rails app, for 90% of our openstack work
20:18 <ayoung> and...why not go to the source
20:18 <ayoung> I think I backed off this when talking with jamielennox, but there is no reason it can't be done in both places
20:19 <ayoung> Keystone should not have to depend on ksa, and vice versa, to do the right thing
20:19 *** thorst has quit IRC
20:21 <lbragstad> gagehugo: one comment so far on https://review.openstack.org/#/c/481284/10
20:23 <ayoung> lbragstad, I
20:23 <ayoung> lbragstad, I'm scared of our tags implementation
20:23 <ayoung> I think we are going to mess it up big time
20:23 <ayoung> tags are not a resource of a project, they are something you use to classify a project, and as such, need their own rbac,
20:24 *** MeltedLux has joined #openstack-keystone
20:24 *** fried_rolls is now known as fried_rice
20:24 <ayoung> I realize that people also want them to help manage their own projects, and hopefully that is all they are used for
20:24 <ayoung> we need to communicate that, forcefully
20:25 <ayoung> do not use tags to manage the capabilities of a project
20:25 *** pcaruana has quit IRC
20:25 *** itlinux has quit IRC
20:26 *** itlinux has joined #openstack-keystone
20:26 <lbragstad> ayoung: i'm not sure i'm following
20:27 <ayoung> lbragstad, say you have a tag that indicates a project is somehow privileged
20:27 <ayoung> like, VMs in a project tagged "powerful" can get access to resources that other projects can't
20:28 <ayoung> you need to control who can tag a project as "powerful"
20:28 <ayoung> but if all I need in order to tag a project is admin on that project, I can tag it with anything, including "powerful"
20:28 <ayoung> the ability to tag a project for security reasons needs to be outside the control of that project itself,  right?
20:30 <ayoung> lbragstad, let's say you have 3 tiers of cells inside a Nova cluster:  gold, silver, bronze
20:30 <ayoung> gold is for users that pay more, bronze is freemium
20:31 <ayoung> and VM placement is done based on the tags on the project
20:31 <ayoung> The ability to tag a project as "gold" is the ability to elevate the level of service for that project.
20:32 <lbragstad> right - so you don't want to let members of that project do that, yeah?
20:32 <ayoung> right
20:32 <ayoung> it's more than that
20:32 <ayoung> you need ownership of the tag
20:33 <ayoung> say there is another tag, which is for "encrypted drives" that are a security hardening thing for cinder
20:33 <ayoung> but it's managed by a different group.  if I can tag a project for encrypteddrives, that does not mean I should be able to tag the project for "gold"
20:34 <lbragstad> so - initially
20:34 <ayoung> In cloudforms, tags are grouped into categories.  I think that there needs to be a category for user tags that the project members can modify, and others that they cannot, for QOS type stuff
20:34 <lbragstad> the ability to tag projects should be reserved by the deployment administrators
20:35 <lbragstad> or limited to the deployment administrators
20:35 <lbragstad> and not the actual owners of the project
20:35 <lbragstad> or members of the project
20:35 <ayoung> will tagging a project be done with a domain scoped token, then?
20:35 <ayoung> or at least not a token scoped to the project to be tagged?
20:36 <ayoung> lbragstad, what if...
20:37 <ayoung> we grouped tags into categories.  A given category would be associated with a role, and could be reserved for is_admin_project, or Service Roles in the future?
20:37 <ayoung> tag assignment, that is
20:37 <lbragstad> that's be predefining what people are going to use tags for
20:37 <lbragstad> that'd*
20:38 <ayoung> not really.  So long as the mechanism is flexible, we just make it possible to manage it
20:38 <lbragstad> if tag.name == "gold" and role.name != "super-admin"; raise exception
20:38 <gagehugo> lbragstad ack
20:38 <ayoung> it might mean a little more complexity on the object model
20:39 <ayoung> more like:  if tag.category.role not in user.roles raise
20:39 <ayoung> categories also get a scope.  We can, first impl, only support project scoping
20:39 <ayoung> I think that is what is most in demand
20:40 <ayoung> so a project scoped category requires a project scoped role in order to assign
20:40 <ayoung> a domain scoped category needs a domain scoped role in order to assign
20:40 <ayoung> and we can have Service scoped categories in the future, too.
20:41 <openstackgerrit> Nicolas Helgeson proposed openstack/keystonemiddleware master: Use oslo_cache in auth_token middleware  https://review.openstack.org/268664
20:41 <ayoung> Think it through. For not much effort, we might save ourselves a lot of headache in the future.
20:41 <ayoung> gagehugo, would that approach derail you?
20:41 <lbragstad> yeah...
20:41 <lbragstad> so - what if you used resource options on projects to denote the category of things project members can't do?
20:42 <lbragstad> setting resource options would be a system-level administrator API call
20:42 <gagehugo> ayoung for categorizing tiers of projects?
20:42 <ayoung> I think that is effectively saying that we name the tags something else.
20:43 <ayoung> gagehugo, yeah.  For controlling access to who can assign tags to what things.
20:43 <lbragstad> the operator could set the categories on the project to be 'gold', 'silver', 'bronze'
20:43 <lbragstad> and then have logic that makes it so that only system-level admins can modify those tags
20:44 <lbragstad> or modify the tags in that "category"
20:44 <ayoung> lbragstad, right.  and even a provisioning engine can set the level by default for a new project
20:44 <lbragstad> then, if i'm the project admin, my project-scoped token will fail that check
20:44 <ayoung> 'whenever I create a new project, in the "QOS" category, assign the "bronze" tag'
20:44 <lbragstad> if i try to bump my membership from "bronze" to "gold"
20:45 <lbragstad> but - i can still tag my project "blue" and "green" because they aren't in the category
20:45 <ayoung> Right.  And we can even make is_admin_project/service scoped roles that are less than admin that can be used to modify the assignments so you don't have to give away a full "admin" to a user in order to do cross cutting concerns
20:46 <ayoung> a domain scoped role is really powerful there
20:46 <ayoung> it means that I can assign those tags to projects in my domain, but not in others
20:46 <lbragstad> yeah...
20:47 <lbragstad> so - i think we're ok today
20:47 <gagehugo> hmm
20:47 <lbragstad> but as we fix rbac, we're going to need to coordinate that at the same time if we want to offer that level of protection
20:47 <lbragstad> (for people that are using project tags like that)
20:48 <lbragstad> which seems like a relatively advanced use case
20:48 <ayoung> Ok, let's assume, for the moment, that we implement the existing plan
20:48 <ayoung> now, next release, we introduce the concept of tag categories
20:48 <ayoung> and we default all existing tags into the "Default" category
20:49 <ayoung> that gives people a way to reshuffle them if they want the more specific RBAC.
20:49 <lbragstad> or you can keep the tags as normal tags and just offer that ability to group them into resource options via the API
20:49 <lbragstad> then it is completely opt in
20:49 <ayoung> is "resource option" a new thing that I am not aware of?
20:50 <lbragstad> yeah - morgan did it
20:50 <ayoung> link?  I can read up on them.
20:50 *** thorst has joined #openstack-keystone
20:51 <lbragstad> example usage https://github.com/openstack/keystone/commit/1896d1ba0d24d3780ce8c7652fa4c4378a02255d
20:52 <lbragstad> i think you just need to provide a way to isolate some tags from other tags
20:52 <lbragstad> iff you're using tags that way
20:52 <lbragstad> otherwise it shouldn't matter
20:53 <lbragstad> resource options might be a way to set a project's category to a specific set
20:53 <lbragstad> then you can keep the enforcement logic relatively simple
20:54 <gagehugo> there's 2 resource options currently right?
20:54 <lbragstad> if tag in project.protected_tags and user.role not policy.role: raise Forbidden
20:54 <lbragstad> gagehugo: yeah - something like that
20:54 <lbragstad> gagehugo: but we should document project tags and say that future improvements might make those use cases easier and more secure
20:55 <gagehugo> ok
20:55 <lbragstad> (until then don't assume project tags are managed by their creating users)
20:55 *** thorst has quit IRC
20:55 <lbragstad> or don't expect to use them the way ayoung described
20:55 <lbragstad> because security
20:56 <lbragstad> if someone decides to do it, then we at least have it documented
20:56 <gagehugo> Is there project resource options or just users right now?
20:56 <ayoung> BTW, if we do categories for tags, nothing says that a category can only have one value
20:56 <gagehugo> I think it might be just users?
20:56 <lbragstad> ayoung: yeah - it could be a list
20:56 <ayoung> IE, in my example, a project could be tagged as QOS:Gold, QOS:Silver and QOS:Bronze
20:57 <ayoung> Also, tag names should only be unique within a category, but should be able to be reused outside a category
20:57 <lbragstad> ayoung: that's true of all tags
20:57 <lbragstad> and that's the way the current implementation works i believe
20:57 <ayoung> do we have categories today?
20:57 <lbragstad> no
20:58 <lbragstad> i think that should be a future specification to enhance the usability of tags specifically for that use case
20:58 <ayoung> right, so I think we are OK/future proof with what we have
20:58 <lbragstad> yes
20:58 <gagehugo> sure
20:58 <ayoung> I'll write up a skeleton spec for the categories of tags, including a migration plan.
20:58 <lbragstad> pending we have some documentation that says "hey, if you're using tags to control stuff like billing...."
20:59 <lbragstad> don't expect it to be secure, that's future work
20:59 <lbragstad> the initial implementation of tags doesn't account for all of those cases
20:59 <ayoung> this is real SELinux type stuff
20:59 <lbragstad> but it doesn't prevent us from doing that in the future
21:00 *** rmascena has joined #openstack-keystone
21:00 <ayoung> is "resource options" a keystone spec?  kmalloc ?
21:01 <kmalloc> it was something at some point
21:01 <kmalloc> the framework is there
21:01 <kmalloc> but we need to expand it to other resources
21:01 <lbragstad> gagehugo: do we have that safety net documented somewhere? i thought we talked about that somewhere in the spec?
21:01 <ayoung> kmalloc, at some point, I need to walk you through cloudforms, if you have not used it
21:01 <gagehugo> lemme look
21:02 <kmalloc> right now, i think resource options are not anything but users
21:02 <lbragstad> kmalloc: correct
21:02 <ayoung> I would actually be happy to do that for the whole Keystone team.  It gives some really interesting perspective
21:02 *** raildo has quit IRC
21:02 <gagehugo> bah forgot to update the table example in that last update
21:03 <lbragstad> just so long as we have a big red sticker somewhere that informs users that RBAC on project tags isn't different from RBAC on projects
21:04 <ayoung> I kinda want the category thing in there up front.  Annoyed at myself that I did not see it until now.  More churn...
21:06 <gagehugo> lbragstad we mention it in the security impact
21:07 <lbragstad> awesome
21:07 <lbragstad> aha - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/project-tags.html#security-impact
21:07 <gagehugo> and the policy defaults to the same as project
21:07 <gagehugo> in-code
21:09 *** ianw has joined #openstack-keystone
21:11 *** AlexeyAbashkin has joined #openstack-keystone
21:15 <ayoung> OK...back to my monologue.  I was able to work around the problem with a one line change.
21:15 *** AlexeyAbashkin has quit IRC
21:15 <ayoung> well, four lines if you include the 3 lines of comments
21:16 <ayoung> it would have been 5 but I already had this check: if token.domain_scoped:
21:16 <ayoung> added in
21:16 <ayoung>  kwargs['is_admin_project'] = False
21:16 <ayoung> and that gets passed to the creation of the oslo-context
21:18 *** linkmark has joined #openstack-keystone
21:20 *** thorst has joined #openstack-keystone
21:22 *** rcernin has joined #openstack-keystone
21:25 *** thorst has quit IRC
21:31 *** thorst has joined #openstack-keystone
21:35 <ayoung> an: 5440 tests in 411.0000 sec.
21:35 <ayoung>  - Passed: 4640
21:35 <ayoung>  - Skipped: 800
21:35 <ayoung>  - Expected Fail: 0
21:35 <ayoung>  - Unexpected Success: 0
21:35 <ayoung>  - Failed: 0
21:35 <ayoung> Sum of execute time for each test: 3195.3957 sec.
21:36 <ayoung> W00t!
21:36 *** thorst has quit IRC
21:37 <lbragstad> nice - 16:37 on a friday, too
21:38 <ayoung> lbragstad, problem is I can't run pep8
21:39 <ayoung> keep getting an out of space error on the device...got 7+ GB too
21:45 *** ayoung has quit IRC
21:47 *** rmascena has quit IRC
21:47 *** ayoung has joined #openstack-keystone
21:48 <ayoung> kmalloc, lbragstad OK,  why is PIP blowing out my /tmp dir when trying to run pep8 and how do I work around it?
21:48 <ayoung> tmpfs                    7.7G  172K  7.7G   1% /tmp
21:48 <ayoung>   now, but was at
21:48 <ayoung> tmpfs                    7.7G  3.5G  4.3G  45% /tmp
21:48 <ayoung> before I wiped:
21:48 <ayoung>  rm -rf /tmp/pip-oypalrr0-build/
21:49 <ayoung> and that failed with
21:49 <ayoung> ERROR:   pep8: could not install deps
21:49 *** thorst has joined #openstack-keystone
21:49 <ayoung>  '/tmp/pip-oypalrr0-build/tox.ini', '[Errno 28] No space left on device')]
21:52 *** ayoung has quit IRC
21:56 *** ayoung has joined #openstack-keystone
21:56 <ayoung> just increased my tmp size to 20 GB, but I should not have to do that to run pep8
21:57 <kmalloc> uhm
21:57 <kmalloc> *blink*
22:01 *** prashkre has quit IRC
22:03 <openstackgerrit> ayoung proposed openstack/keystone master: Use oslo-context  https://review.openstack.org/523650
22:03 <ayoung> hrybacki, take a look at that one, it should fill in some of the explanation for what we were talking about
22:03 *** thorst has quit IRC
22:04 <ayoung> after that one, I can hope to drop most of common/authorization.py
22:40 *** thorst has joined #openstack-keystone
22:42 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: WIP Add Application Credentials controller  https://review.openstack.org/524423
22:42 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: WIP Add Application Credentials manager  https://review.openstack.org/524747
22:45 *** thorst has quit IRC
22:59 *** itlinux has quit IRC
22:59 *** fried_rice is now known as efried
23:03 <openstackgerrit> ayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations  https://review.openstack.org/257636
23:03 <openstackgerrit> ayoung proposed openstack/keystone master: Add is_admin_project check to policy for token validations  https://review.openstack.org/520845
23:08 *** itlinux has joined #openstack-keystone
23:14 *** thorst has joined #openstack-keystone
23:19 *** thorst has quit IRC
23:19 *** hoonetorg has quit IRC
23:28 *** itlinux has quit IRC
23:45 *** thorst has joined #openstack-keystone
23:50 *** thorst has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!