Friday, 2017-12-15

*** masber has joined #openstack-keystone00:12
*** markvoelker has quit IRC00:36
*** AlexeyAbashkin has joined #openstack-keystone00:45
*** AlexeyAbashkin has quit IRC00:50
*** PramodJ has joined #openstack-keystone00:52
*** PramodJ has quit IRC00:55
*** Pramod has quit IRC00:56
*** r-daneel has quit IRC01:26
*** oomichi_afk is now known as oomichi01:36
*** linkmark has quit IRC01:40
*** sapd has joined #openstack-keystone01:45
*** sapd has quit IRC01:55
*** sapd has joined #openstack-keystone01:57
*** sticker has quit IRC01:58
*** lbragstad_ has joined #openstack-keystone02:05
*** masber has quit IRC02:10
*** lbragstad_ has quit IRC02:14
openstackgerritMerged openstack/keystone master: Remove Dependency Injection
*** markvoelker has joined #openstack-keystone02:37
*** annp has joined #openstack-keystone02:40
*** harlowja has joined #openstack-keystone02:41
*** harlowja has quit IRC02:42
*** harlowja has joined #openstack-keystone02:43
*** namnh has joined #openstack-keystone02:45
*** markvoelker has quit IRC03:11
*** aselius has quit IRC03:13
*** harlowja has quit IRC03:15
kmalloclbragstad: +2 on limits spe03:17
kmallocbut we have something that needs to be added/updated03:17
*** jappleii__ has joined #openstack-keystone03:17
*** jappleii__ has quit IRC03:19
*** jappleii__ has joined #openstack-keystone03:19
*** threestrands_ has quit IRC03:20
wxykmalloc: Thanks!!. I'll add a new patch later.03:20
kmallocwxy: you can add my suggestion in a follow-up03:21
kmallocthe spec as is looks good, we should just add some clarification(S)03:21
wxykmalloc: sure03:21
*** masber has joined #openstack-keystone03:38
*** gyee has quit IRC03:43
*** r-daneel has joined #openstack-keystone03:52
*** jappleii__ has quit IRC03:56
openstackgerritwangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name
openstackgerritwangxiyuan proposed openstack/keystone master: Remove useless function
openstackgerritwangxiyuan proposed openstack/keystone master: Remove rolling_upgrade_password_hash_compat
openstackgerritwangxiyuan proposed openstack/keystone master: Expose a bug when authorize request token
openstackgerritwangxiyuan proposed openstack/keystone master: Add schema check for authorize request token
openstackgerritwangxiyuan proposed openstack/keystone master: Add role name support for authorize request token
*** r-daneel has quit IRC04:07
*** markvoelker has joined #openstack-keystone04:08
*** jmlowe_ has joined #openstack-keystone04:12
*** jmlowe has quit IRC04:14
*** harlowja has joined #openstack-keystone04:36
*** markvoelker has quit IRC04:42
*** rmcall_ has joined #openstack-keystone04:43
*** harlowja has quit IRC04:45
*** rmcall_ has quit IRC04:49
*** zhurong has joined #openstack-keystone04:56
lbragstadkmalloc: wxy awesome!05:13
*** harlowja has joined #openstack-keystone05:21
*** harlowja has quit IRC05:22
*** harlowja has joined #openstack-keystone05:24
*** harlowja has quit IRC05:29
*** harlowja has joined #openstack-keystone05:38
*** markvoelker has joined #openstack-keystone05:39
*** sapd_ has joined #openstack-keystone06:01
*** sapd has quit IRC06:01
*** markvoelker has quit IRC06:11
*** links has joined #openstack-keystone06:18
*** harlowja has quit IRC06:32
*** rcernin has quit IRC06:47
*** magicboiz has joined #openstack-keystone07:08
*** markvoelker has joined #openstack-keystone07:09
*** magicboiz has quit IRC07:13
*** magicboiz has joined #openstack-keystone07:14
*** izombie has joined #openstack-keystone07:31
izombieHow do I start keystone in developer mode?07:31
*** markvoelker has quit IRC07:42
*** izombie has quit IRC07:46
*** zhurong has quit IRC07:54
*** AlexeyAbashkin has joined #openstack-keystone07:59
*** markvoelker has joined #openstack-keystone08:39
*** markvoelker has quit IRC09:13
*** magicboiz has quit IRC09:23
*** magicboiz has joined #openstack-keystone09:29
openstackgerritwangxiyuan proposed openstack/keystone master: Add new tables for unified limits
openstackgerritwangxiyuan proposed openstack/keystone master: Add db operation for unified limit
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider
openstackgerritwangxiyuan proposed openstack/keystone master: [WIP]Expose unified limit APIs
*** annp has quit IRC09:52
*** mvk has quit IRC09:59
*** markvoelker has joined #openstack-keystone10:10
openstackgerritMerged openstack/oslo.policy master: Fix string injection for InvalidScope
*** mvk has joined #openstack-keystone10:28
*** namnh has quit IRC10:31
*** daidv has quit IRC10:39
*** daidv has joined #openstack-keystone10:39
*** markvoelker has quit IRC10:44
*** daidv has quit IRC10:50
*** daidv has joined #openstack-keystone10:51
*** daidv has quit IRC10:58
*** sapd_ has quit IRC11:28
*** sapd_ has joined #openstack-keystone11:28
*** markvoelker has joined #openstack-keystone11:41
*** iurygregory has quit IRC12:08
*** raildo has joined #openstack-keystone12:10
*** iurygregory has joined #openstack-keystone12:12
*** markvoelker has quit IRC12:13
*** dave-mccowan has joined #openstack-keystone12:19
*** mvenesio has joined #openstack-keystone12:21
*** dave-mcc_ has joined #openstack-keystone12:23
*** dave-mccowan has quit IRC12:24
*** magicboiz has quit IRC12:27
*** catintheroof has joined #openstack-keystone12:31
*** markvoelker has joined #openstack-keystone12:56
*** markvoelker has quit IRC12:58
*** melwitt has quit IRC13:23
*** melwitt has joined #openstack-keystone13:25
*** melwitt is now known as Guest7554713:25
*** clayton has quit IRC13:29
*** clayton has joined #openstack-keystone14:22
*** links has quit IRC14:31
*** markvoelker has joined #openstack-keystone14:31
*** apuimedo has joined #openstack-keystone14:31
*** openstackgerrit has quit IRC14:48
*** rcernin has joined #openstack-keystone14:57
*** ayoung has joined #openstack-keystone14:58
*** jmlowe_ has quit IRC15:05
apuimedolbragstad: Hi. I am looking for some way to have a tenant be able to perform actions on the different endpoints but restrict some others or specific paths. Doing some research I saw that the Route object was abandoned after discussion in Denver. Do we have something in Pike/Queens that could help with what I want to do?15:11
*** harlowja has joined #openstack-keystone15:11
apuimedoOriginally I though that trust tokens would allow me to restrict entire endpoints, but it seems trust tokens are for the whole role (at least the impression I get from the API).15:12
lbragstadapuimedo: there is an endpoint filter in keystone15:12
lbragstadwhich allows you to associate specific endpoints to certain projects15:12
lbragstadthen when users get tokens scoped to that project, they get those endpoints in their catalog15:12
*** harlowja has quit IRC15:13
lbragstadapuimedo: is the API reference for using this feature15:13
apuimedothanks lbragstad15:13
apuimedowhat I'm trying to achieve is to have the following15:13
apuimedoKuryr-kubernetes is an openstack controller that runs on a tenant VM and it needs to perform actions on behalf of the project, but I don't want it to have credentials for the whole range of things the project member can do15:14
apuimedorather I'd like it to just be restricted to some Neutron actions15:15
lbragstadso you want the controller to be able to authenticate but not have all the powers of the user that set it up, right?15:15
lbragstadapuimedo: this will help you15:16
apuimedooriginally I was told that a trust token would help15:16
lbragstadit's something we're working on this release15:16
apuimedoand IIRC there was a list on endpoints in the token POST15:16
lbragstadcc mordred cmurphy ^15:16
apuimedobut it seems it is not there anymore15:16
apuimedoapplication credentials seem like a good fit15:17
apuimedohow's the progress going on that?15:17
lbragstadthere are patches underway15:17
apuimedolbragstad: chances for making it to queens?15:18
lbragstadyeah - we're planning on implementing this for queens15:18
lbragstadthe specification i linked above goes into detail about what we're delivering for queens and what will come in a subsequent release15:19
lbragstadas far as the functionality of application credentials go15:19
apuimedogood. Thanks lbragstad15:19
apuimedoif I wanted to do it somehow now, I suppose I'd have to create a specific role and go to all the policy.json of the different services, right?15:20
lbragstadunfortunately, yes...15:20
lbragstadthat'd be one way to do it15:20
lbragstadthen you'd create a trust scoped to that role15:20
apuimedolbragstad: any other way?15:21
lbragstadyou could create a service user, but you'd likely have to create a special role for it so that you don't give it the keys to the kingdom15:21
lbragstad(these are exactly the cases that drove the discussion for application credentials)15:22
*** samuelbartel has joined #openstack-keystone15:26
*** samuelbartel_ has joined #openstack-keystone15:26
apuimedothanks lbragstad15:28
lbragstadno problem15:28
*** markvoelker has quit IRC15:29
*** rcernin has quit IRC15:41
*** aloga_ has joined #openstack-keystone15:49
*** phalmos has joined #openstack-keystone15:57
*** mvk has quit IRC16:05
*** samuelbartel_ has quit IRC16:07
kmallocapuimedo: what lbragstad said, we are working on the tokens/app-creds with subsets of roles. There is no way (and limited support, mostly "you can but not recommended") to lock a user from a specific endpoint (planned or implemented). recommendation: don't use the endpoint filter.16:17
kmallocit doesn't add value, it just obscures some endpoints from the catalog.16:18
*** markvoelker has joined #openstack-keystone16:18
*** Guest75547 is now known as melwitt16:18
*** aselius has joined #openstack-keystone16:18
*** davidalles_ has joined #openstack-keystone16:26
*** davidalles_ has quit IRC16:28
*** davidalles_ has joined #openstack-keystone16:28
*** davidalles__ has joined #openstack-keystone16:30
*** davidalles_ has quit IRC16:30
*** davidalles_ has joined #openstack-keystone16:30
davidalles__hello lance16:32
lbragstaddavidalles__: o/16:32
davidalles__just synchronized with Ruan16:32
davidalles__he will propose a new update of the BP; will explain that Thomas, Samuel and him will propose the code16:32
davidalles__we all will be to the keystome weekly meeting next Tuesday16:33
davidalles__makes sense?16:33
lbragstadawesome - i did run across a couple links about the GDPR stuff16:33
lbragstadi'll leave a comment on the review16:33
lbragstadto see if we can include those16:33
*** itlinux has joined #openstack-keystone16:34
davidalles__Yep... I also requested Jamey from ATT to distribute the info on this BP to the LCOO usergroup16:34
lbragstadgood deal16:34
davidalles__have a nice weekend; time to leave in France:)16:35
lbragstaddavidalles__: have a good one - catch up with you next week!16:35
*** davidalles_ has quit IRC16:35
*** davidalles__ has quit IRC16:35
*** davidalles_ has joined #openstack-keystone16:39
*** davidalles_ has quit IRC16:40
*** AlexeyAbashkin has quit IRC16:41
*** d0ugal has quit IRC16:45
*** samuelbartel_ has joined #openstack-keystone16:51
*** samuelbartel__ has joined #openstack-keystone16:51
*** samuelbartel__ has quit IRC16:51
*** samuelbartel_ has quit IRC16:52
*** samuelbartel has quit IRC16:59
*** iurygregory has quit IRC17:02
*** d0ugal has joined #openstack-keystone17:04
*** sapd_ has quit IRC17:06
*** mvk has joined #openstack-keystone17:25
*** catintheroof has quit IRC18:07
*** catinthe_ has joined #openstack-keystone18:07
*** mvenesio has quit IRC18:11
*** jose-phillips has quit IRC18:15
*** jose-phillips has joined #openstack-keystone18:15
*** AlexeyAbashkin has joined #openstack-keystone18:16
*** AlexeyAbashkin has quit IRC18:21
*** AlexeyAbashkin has joined #openstack-keystone18:22
*** AlexeyAbashkin has quit IRC18:26
*** nicolasbock has joined #openstack-keystone18:29
*** jdennis has quit IRC18:49
*** rmcall_ has joined #openstack-keystone19:01
*** apuimedo has quit IRC19:02
*** szaher has quit IRC19:02
*** gyee has joined #openstack-keystone19:08
*** szaher has joined #openstack-keystone19:18
*** catinthe_ has quit IRC19:21
*** phalmos has quit IRC19:34
ayoungsamueldmq, knikolla,  dstanek, rodrigods, kmalloc, cmurphy can we move along the lbragstad reviews for System scope? Start here
*** jdennis has joined #openstack-keystone19:43
*** smatzek has joined #openstack-keystone19:45
lbragstadayoung: o/20:10
lbragstadseveral folks are hitting holiday this week, it's been a bit slow20:10
ayounglbragstad, \o\    /o/    \o/20:10
lbragstadinterpretive dance, i like it20:11
ayounglbragstad, I didn't realize so many people celebrated Hanukah20:11
lbragstadwho knew!20:11
lbragstadayoung: i had a comment on one of my patches about how we go about the transition20:14
lbragstadayoung: this bit here -
ayounglbragstad, is this because we are pushing things that would have been in the policy file into the code now?20:16
lbragstadright - it's making keystone enforce scope on policies20:16
ayoungwhere did we put the config for is_admin_project....20:16
lbragstadi also have all these up for review, too20:16
ayoungwe really should gather a policy section in the config file....we have that?20:17
lbragstadwe use oslo.policy's configuration option section20:17
ayoungI think we might need more than that, over time.  Can we add on to what oslo gives us?  Otherwise, hmmm20:17
lbragstadwell - we could add a configuration option to oslo.policy20:18
lbragstadsomething like 'enforce_system_scope'20:18
lbragstador whatever20:18
lbragstadthen that would get populated in each service configuration file20:18
ayoungso, I think I want to make a clear distinction between oslo.policy, which is a rules engine, and oslo.context which is the common OpenStack policy data20:18
ayoungand I could see context being the right place to do things like a global rule to enforce scope20:19
ayoungand that would be across all systems, not just Keystone20:19
lbragstador we create a new configuration option next to is_admin_project that toggles enforce_scope in oslo.policy20:19
ayoungI think that is what jamielennox was driving at with oslo context, and Now that I get it, I am 100% on board20:19
ayoungright...I made the mistake of doing that as a standalone option.20:19
ayoungits in the token, I think20:20
ayounglbragstad, could we keep it in resource?  Or would that be wieieieird?20:22
lbragstadgood question20:22
lbragstadi think it would make more sense in default?20:22
lbragstadsince it seems to apply to more than just resource?20:22
ayounglets not put things in default.  The namespace helps focus the user on the set of problems being addressed20:23
ayoungthis is policy enforcement, and a new section for that seems to be called for20:23
lbragstadwhat about token?20:24
ayoungwe can put a comment in there about the admin_project  values20:24
ayoungI think token is more for format20:24
*** smatzek has quit IRC20:24
ayounglike, the token is a cookie that points to auth data20:24
ayoungstuff in there should be fernet vs uuid type options20:24
ayoungsince it is not authentication20:25
ayoungcould be authn for short, but I think spelled out will trip up fewer people20:25
ayoungI think I like how that reads20:26
lbragstadso we would default authorization.enforce_system_scope to False20:26
ayoungwould that carry over to other systems?  Would we add that value to context?  Maybe as a next step?20:27
lbragstadwhich would all project scoped tokens to do system-level things20:27
ayoungIf the system does not enforce it yet, it does nothing20:27
ayoungor is that something we need to enable system by system?  I'd rather it be all or nothing20:27
lbragstadso the way that it works with the current code20:28
lbragstadif is a policy has scope_types defined, it's going to enforce scope unless overridden by the project20:28
lbragstadlike it is here -
lbragstadthe tough part with that is that we're not sure when it's safe for us to remove that and go with the default of enforce_scope=True20:28
lbragstadwhich is what lead me to thinking we should use a configuration option, then an operator can switch it when they have system roles in place20:29
lbragstadand they don't lock themselves out of APIs because they didn't set up a system administrator20:29
rybridgesHello. I am seeing in openstack role assignment list that we have some role assignments where the user field = None. Meaning, the only fields that are occupied are project and role. Are these roles still valid? Ideally we should have a user associated with all role assignments right?20:39
rybridgesHow can I delete the role assignments?20:39
lbragstadrybridges: is there a group associated with the assignments that are missing users?20:41
lbragstadan assignment needs to have a target (project/domain) and an actor (user/group)20:42
*** itlinux has quit IRC20:59
*** jmlowe has joined #openstack-keystone21:11
rybridges@lbragstadL: there is no group21:11
rybridges@lbragstad: there is no group21:11
lbragstadrybridges: interesting21:12
rybridgesthis is ocata btw21:12
lbragstadrybridges: how is keystone setup?21:12
lbragstadare the backends using sql or ldap?21:12
lbragstadfor identity, resource, and assignment?21:13
rybridgeswhat do you mean?21:14
*** rmcall_ is now known as rmcall21:16
rybridgeswe use mysql for everything21:16
rybridgesno ldap anywhere21:16
*** jmlowe has quit IRC21:17
lbragstadinteresting - a role assignment should have a user or a group no matter what21:18
rybridgesotherwise it is useless21:18
rybridgesor meaningless21:18
lbragstadthat's a requirement in the upstream implementation21:18
lbragstadit's part of the primary key constraint on the backend
lbragstadwe also specifically require a user or a group when we validate the request -
rybridgeswell perhaps a pertinent piece of information is that we migrated this database from juno up to ocata21:20
rybridgesso maybe there was some left over crap21:20
rybridgesnow i am wondering if it is possible to delete this thing without touching the DB directly21:21
lbragstadhuh - i wonder....21:21
rybridgesif i do openstack role remove --project <project_id> <role_name> will that work?21:22
rybridgesit wont affect the other actual users under that project, will it?21:22
lbragstadyou could try it, but i expect you'll get a validation error21:22
lbragstadwe did have a bug a while back where role assignments weren't cleaned up when a user was deleted21:22
lbragstadsome i'm wondering if that might be the case here, prior to the upgrade21:23
lbragstadcc kmalloc21:23
rybridgesya i am getting Must specify either a domain or project21:24
kmallocthat would be odd21:24
kmallocbut yeah21:24
kmallocthat would make sense21:24
rybridgesyea i am thinking that the user was deleted at one point21:24
rybridgesbut role assignment was not cleaned up21:24
rybridgesthat would make a lot of sense21:24
lbragstadi remember that being a bug a long time ago21:25
rybridgesam i gonna have to go to the db to nuke this thing?21:25
* lbragstad cringes21:25
lbragstadunless kmalloc has a better suggestion?21:25
*** aloga_ has quit IRC21:32
*** rmcall has quit IRC21:33
*** rcernin has joined #openstack-keystone21:36
*** itlinux has joined #openstack-keystone21:40
*** jmlowe has joined #openstack-keystone21:44
*** jmlowe has quit IRC21:49
rybridgesI just deleted it from the db21:52
rybridgesseems to be ok21:53
lbragstadglad it worked21:53
*** raildo has quit IRC21:53
*** itlinux has quit IRC22:01
*** dave-mcc_ has quit IRC22:10
*** nicolasbock has quit IRC22:11
*** phalmos has joined #openstack-keystone22:25
*** catintheroof has joined #openstack-keystone22:29
*** phalmos_ has joined #openstack-keystone22:34
*** phalmos has quit IRC22:36
*** phalmos_ has quit IRC22:38
*** AlexeyAbashkin has joined #openstack-keystone22:42
*** AlexeyAbashkin has quit IRC22:47
*** efried_cya_jan has quit IRC23:37
*** efried_cya_jan has joined #openstack-keystone23:48
kmalloci didn't have a better option23:49

Generated by 2.15.3 by Marius Gedminas - find it at!