Thursday, 2018-02-15

*** oikiki has quit IRC [00:03]
*** oikiki has joined #openstack-keystone [00:03]
*** spilla has quit IRC [00:05]
*** oikiki has quit IRC [00:17]
*** rmcall has joined #openstack-keystone [00:20]
*** rmcall has quit IRC [00:20]
*** dave-mccowan has joined #openstack-keystone [00:54]
*** r-daneel has quit IRC [00:56]
*** lbragstad has quit IRC [01:45]
*** itlinux has joined #openstack-keystone [01:47]
*** harlowja has quit IRC [03:08]
*** itlinux has quit IRC [03:37]
openstackgerrit: melissaml proposed openstack/keystone-specs master: Replace Chinese quotes to English quotes  https://review.openstack.org/544773 [03:58]
*** itlinux has joined #openstack-keystone [04:00]
*** agrebennikov has quit IRC [04:13]
*** gyee has quit IRC [04:14]
*** itlinux has quit IRC [04:17]
*** dave-mccowan has quit IRC [04:25]
*** masber has joined #openstack-keystone [04:33]
*** links has joined #openstack-keystone [04:34]
*** links has quit IRC [04:42]
*** links has joined #openstack-keystone [04:45]
*** r-daneel has joined #openstack-keystone [04:57]
*** threestrands_ has joined #openstack-keystone [05:09]
*** threestrands_ has quit IRC [05:09]
*** threestrands_ has joined #openstack-keystone [05:09]
*** threestrands has quit IRC [05:09]
*** threestrands_ has quit IRC [05:10]
*** threestrands_ has joined #openstack-keystone [05:11]
*** harlowja has joined #openstack-keystone [05:15]
*** threestrands has joined #openstack-keystone [05:15]
*** threestrands has quit IRC [05:15]
*** threestrands has joined #openstack-keystone [05:15]
*** threestrands_ has quit IRC [05:18]
*** threestrands has quit IRC [05:28]
*** jaosorior has quit IRC [05:37]
*** jaosorior has joined #openstack-keystone [05:44]
*** harlowja has quit IRC [06:14]
*** rcernin has quit IRC [06:44]
openstackgerrit: Merged openstack/keystone master: Add docs for application credentials  https://review.openstack.org/543643 [06:45]
*** martinus__ has joined #openstack-keystone [06:52]
*** hoonetorg has quit IRC [06:56]
*** hoonetorg has joined #openstack-keystone [06:57]
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata  https://review.openstack.org/544796 [07:08]
*** threestrands has joined #openstack-keystone [07:09]
*** threestrands has quit IRC [07:09]
*** threestrands has joined #openstack-keystone [07:09]
*** rcernin has joined #openstack-keystone [07:28]
*** pcaruana has joined #openstack-keystone [07:40]
*** edmondsw has joined #openstack-keystone [07:41]
*** edmondsw has quit IRC [07:45]
*** belmoreira has joined #openstack-keystone [07:55]
*** AlexeyAbashkin has joined #openstack-keystone [08:08]
*** tesseract has joined #openstack-keystone [08:17]
*** links has quit IRC [08:35]
*** links has joined #openstack-keystone [08:52]
*** sambetts|afk has quit IRC [09:03]
*** sambetts_ has joined #openstack-keystone [09:07]
*** threestrands_ has joined #openstack-keystone [09:21]
*** threestrands has quit IRC [09:21]
*** edmondsw has joined #openstack-keystone [09:29]
*** edmondsw has quit IRC [09:34]
*** sambetts_ is now known as sambetts [10:21]
*** d0ugal has quit IRC [10:30]
*** d0ugal has joined #openstack-keystone [10:33]
*** jistr is now known as jistr|mtg [11:00]
*** d0ugal has quit IRC [11:20]
*** d0ugal has joined #openstack-keystone [11:39]
*** dave-mccowan has joined #openstack-keystone [12:10]
*** raildo has joined #openstack-keystone [12:14]
*** jistr|mtg is now known as jistr [12:23]
*** edmondsw has joined #openstack-keystone [13:06]
*** edmondsw has quit IRC [13:10]
*** edmondsw has joined #openstack-keystone [13:24]
*** panbalag has joined #openstack-keystone [13:47]
*** McClymontS has joined #openstack-keystone [13:56]
*** jmlowe has quit IRC [14:09]
*** jmlowe has joined #openstack-keystone [14:20]
*** ayoung has quit IRC [14:20]
*** rmcall has joined #openstack-keystone [14:21]
*** dave-mccowan has quit IRC [14:23]
*** jaosorior has quit IRC [14:23]
*** lbragstad has joined #openstack-keystone [14:29]
*** ChanServ sets mode: +o lbragstad [14:29]
*** threestrands_ has quit IRC [14:39]
*** dtruong has quit IRC [14:40]
*** dtruong has joined #openstack-keystone [14:41]
*** ayoung has joined #openstack-keystone [14:41]
*** McClymontS has quit IRC [14:53]
*** rcernin has quit IRC [15:01]
*** r-daneel has quit IRC [15:09]
lbragstad: kmalloc now that things settled down a bit https://goo.gl/k7Wxs9 should be the last of the stable reviews for RC2 [15:12]
lbragstad: included the app creds documentation patch since we should be able to include that, too [15:13]
cmurphy: \o/ [15:13]
*** dave-mccowan has joined #openstack-keystone [15:13]
cmurphy: lbragstad: were you waiting for this translations patch too? https://review.openstack.org/#/c/544796/ [15:14]
lbragstad: cmurphy to back port it? [15:14]
lbragstad: i've been trying to get in touch with the backports team about backports - https://review.openstack.org/#/c/543573/ [15:15]
lbragstad: based on what ian said, it sounds like don't have to backport translations? i asked for clarification ^ [15:16]
cmurphy: lbragstad: okay got it [15:17]
lbragstad: still waiting on a response though [15:17]
*** jaosorior has joined #openstack-keystone [15:27]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Address FIXMEs for listing revoked tokens  https://review.openstack.org/545009 [15:34]
*** dave-mccowan has quit IRC [15:43]
knikolla: o/ [15:45]
*** spilla has joined #openstack-keystone [15:45]
gagehugo: o/ [15:45]
*** agrebennikov has joined #openstack-keystone [15:56]
openstackgerrit: Merged openstack/keystone master: Imported Translations from Zanata  https://review.openstack.org/544796 [15:56]
lbragstad: kmalloc are you around yet? i'm in the middle of refactoring the token provider and i have a couple ideas (probably bad ideas) about the token model [15:57]
*** r-daneel has joined #openstack-keystone [15:58]
lbragstad: i think it would be beneficial to try and apply an MVC pattern [15:58]
lbragstad: so - instead of generating version specific token data to generate the token model, it would work the other way around [15:59]
lbragstad: you pass a bunch of things to the token model and it gives you an object you can use to reason about the token response [15:59]
lbragstad: then the v3 token controller would build the token response based on the information provided in the model object [16:00]
lbragstad: does that seem sane? [16:00]
lbragstad: so - that would mean the whole V3TokenDataHelper object would get moved up to the controller layer [16:02]
lbragstad: or if anyone else has thoughts, comments, concerns? [16:03]
*** pcaruana has quit IRC [16:09]
knikolla: lbragstad: how is it handled currently? [16:16]
lbragstad: well - right now, we have an auth controller, a token provider (manager), a token driver (provider), and a token formatter [16:16]
lbragstad: from top down, in that order [16:17]
lbragstad: the token controller pulls information from the request and asks the token provider Manager for a token and a token response [16:17]
lbragstad: (e.g. the project id, user id, trust information, domain info, etc...) [16:18]
lbragstad: so - that part would stay the same [16:18]
lbragstad: since the controller would be responsible for pulling that information from the actual authentication request [16:18]
lbragstad: but instead of *expecting* a versioned response back from the token provider Manager, it would get a token_obj [16:18]
lbragstad: so - it wouldn't just pass it back through to the user... instead, the controller would get more responsibility [16:19]
lbragstad: and that would be to translate the token_obj to a v3 token response [16:20]
lbragstad: so - essentially all this stuff https://github.com/openstack/keystone/blob/4732c67792e7d991b1296941992353551c686d93/keystone/token/providers/common.py#L87-L532 [16:20]
* lbragstad hopes he is making sense [16:21]
*** links has quit IRC [16:22]
knikolla: lbragstad: makes sense. [16:22]
lbragstad: the token provider would only really care about taking some values from the controller, generating an object, getting a token id from a provider, and passing all that back to the controller [16:23]
knikolla: and than the controller would call a view to render the token [16:23]
knikolla: then* [16:23]
lbragstad: so all version specific opinions about how a token should look in a response is isolated to the controller [16:23]
knikolla: from the model object [16:23]
lbragstad: yes - exactly [16:23]
lbragstad: so when we go to add a new version or a different token provider [16:23]
lbragstad: it's kept separate from each other [16:23]
knikolla: makes sense [16:25]
lbragstad: ok - cool [16:25]
lbragstad: i feel better knowing if i've gone off the deep end, at least i'm not alone :) [16:26]
knikolla: lbragstad: that's me usually during refactoring [16:28]
*** jaosorior has quit IRC [16:29]
knikolla: lbragstad: would it make any sense at all to associate policy strings like identity:list_users to roles in keystone instead of having them in the policy.json files of projects? [16:32]
knikolla: similar to what we saw on aws [16:33]
lbragstad: like pulling all policies in to keystone? [16:34]
knikolla: lbragstad: yeah. [16:34]
lbragstad: if i remember correctly, that's what the policy api was meant for [16:35]
knikolla: lbragstad: not really. as all it did was accept a blob of json. [16:35]
lbragstad: right - i think it was meant for that kind of use case, but it was never really finished [16:36]
lbragstad: or completed [16:36]
knikolla: lbragstad: this is a one-to-many mapping between role -> action [16:36]
knikolla: keystonemiddleware gets the role of the token, expands the list of actions the user can do [16:36]
knikolla: and passes that to the service [16:36]
knikolla: service checks if action in list of actions. [16:37]
*** AlexeyAbashkin has quit IRC [16:37]
lbragstad: it's the rbac in middleware approach [16:39]
knikolla: lbragstad: rbac in middleware had enforcement in the middleware. this doesn't. [16:39]
lbragstad: the enforcement would be in keystone, then? [16:40]
knikolla: lbragstad: the enforcement will be in the service in the form of. keystonemiddleware expands role to list of actions; service checks if action is in list of actions provided by keystonemiddleware. [16:41]
knikolla: the actions that a role can do are in keystone [16:42]
knikolla: similar to oauth scopes. https://auth0.com/docs/scopes/current [16:43]
lbragstad: so - keystone has to maintain the mapping of roles -> actions [16:44]
knikolla: yes [16:44]
lbragstad: what happens when new operations are added to the service? [16:46]
lbragstad: or actions? [16:46]
lbragstad: something has to update keystone, right? [16:47]
knikolla: lbragstad: yes, this is also a question for the current approach when we introduce some default roles that are openstack-wide. [16:48]
knikolla: we can exploit those default roles to provide sane defaults. [16:48]
lbragstad: keystone would have to add those during bootstrap [16:49]
lbragstad: i guess we need to work through the upgrade case, in both situations [16:50]
knikolla: lbragstad: another approach exploits the current system scoping [16:51]
knikolla: nova for example gets access to system:nova:policy [16:51]
lbragstad: i think this would be good to run by other projects at the PTG [16:51]
lbragstad: nova gets that by default? [16:52]
knikolla: lbragstad: the admin would grant it on the nova service user [16:52]
lbragstad: yeah - i think moving to something like that would be useful [16:54]
lbragstad: it would be nice to restrict service users to only what they need to do in other services [16:54]
lbragstad: knikolla adding a snippet for this in https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg [16:56]
knikolla: lbragstad: i'll sketch out a spec [16:56]
* knikolla goes for lunch [16:57]
lbragstad: cool [16:57]
lbragstad: i'll read the auth0 doc [16:57]
lbragstad: sometime today [16:57]
*** oikiki has joined #openstack-keystone [17:04]
*** sambetts is now known as sambetts|afk [17:19]
*** harlowja has joined #openstack-keystone [17:19]
*** pcaruana has joined #openstack-keystone [17:20]
*** belmoreira has quit IRC [17:27]
*** itlinux has joined #openstack-keystone [17:47]
*** tesseract has quit IRC [17:52]
*** AlexeyAbashkin has joined #openstack-keystone [18:01]
*** AlexeyAbashkin has quit IRC [18:06]
*** kukacz has quit IRC [18:15]
*** kukacz_ has joined #openstack-keystone [18:20]
*** oikiki has quit IRC [18:28]
*** oikiki has joined #openstack-keystone [18:29]
openstackgerrit: Merged openstack/keystone-specs master: Fix typos in keystone-specs  https://review.openstack.org/542010 [18:37]
*** rmascena has joined #openstack-keystone [18:43]
*** panbalag has left #openstack-keystone [18:43]
*** raildo has quit IRC [18:46]
*** rmcall has quit IRC [18:55]
*** harlowja has quit IRC [19:00]
*** gyee has joined #openstack-keystone [19:03]
openstackgerrit: Colleen Murphy proposed openstack/keystoneauth master: Add pep8 import order validation  https://review.openstack.org/545094 [19:09]
mordred: cmurphy: ^^ TIL [19:12]
cmurphy: mordred: :D [19:13]
cmurphy: was looking at another change and wondering why the hell that wasn't being caught [19:14]
mordred: cmurphy: you know what would be neat? a script that would fix those ... [19:14]
cmurphy: ;) [19:15]
lbragstad: did flake get updated recently? [19:16]
lbragstad: i'm seeing a bunch of that stuff in keystone, too [19:16]
cmurphy: the violations i found in ksa had been there a while [19:20]
lbragstad: must be the version i have locally then [19:26]
*** r-daneel has quit IRC [19:27]
mordred: cmurphy, lbragstad: feel like +3ing https://review.openstack.org/#/c/505764 ? [19:33]
cmurphy: yes will look [19:34]
cmurphy: sorry, i keep promising to look at it and then drop it on the floor [19:34]
*** harlowja has joined #openstack-keystone [19:35]
*** harlowja_ has joined #openstack-keystone [19:37]
*** harlowja has quit IRC [19:39]
openstackgerrit: Merged openstack/keystone master: Remove unused class variables from token provider  https://review.openstack.org/544520 [19:51]
openstackgerrit: Merged openstack/keystoneauth master: Fix a spelling error  https://review.openstack.org/541949 [19:53]
*** pcaruana has quit IRC [20:03]
mordred: cmurphy: no worries - I promised to write a feature for keystone last cycle and i'm pretty sure you did 100% of the work, so I don't think I get to complain :) [20:09]
*** AlexeyAbashkin has joined #openstack-keystone [20:15]
*** kukacz_ has quit IRC [20:17]
*** AlexeyAbashkin has quit IRC [20:19]
cmurphy: mordred: :) [20:19]
*** r-daneel has joined #openstack-keystone [20:31]
*** panbalag has joined #openstack-keystone [20:36]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Remove needs_persistence property from token providers  https://review.openstack.org/544515 [20:41]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Refactor token cache invalidation callbacks  https://review.openstack.org/544528 [20:41]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Simplify token persistence callbacks  https://review.openstack.org/544616 [20:41]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Simplify federation and oauth token callbacks  https://review.openstack.org/544737 [20:41]
*** panbalag has left #openstack-keystone [20:43]
ayoung: Holleee crap.  I might have just used Hierarchical Multi Tenancy to fix a disconnect between CloudForms and Nova.... [20:53]
*** oikiki has quit IRC [21:05]
*** oikiki has joined #openstack-keystone [21:06]
*** oikiki has quit IRC [21:10]
openstackgerrit: Merged openstack/keystoneauth master: Split request logging into four different loggers  https://review.openstack.org/505764 [21:14]
openstackgerrit: Merged openstack/keystoneauth master: Add some comments explaining split_loggers flag logic  https://review.openstack.org/541066 [21:14]
openstackgerrit: Merged openstack/keystoneauth master: Remove PYTHONHASHSEED setting  https://review.openstack.org/533798 [21:23]
*** oikiki has joined #openstack-keystone [21:23]
*** pcaruana has joined #openstack-keystone [21:31]
gagehugo: kmalloc ah the certs part makes sense [21:32]
kmalloc: gagehugo: yeah [21:32]
*** rmascena has quit IRC [21:41]
*** openstack has joined #openstack-keystone [21:44]
*** ChanServ sets mode: +o openstack [21:44]
*** pcaruana has quit IRC [21:48]
*** rcernin has joined #openstack-keystone [21:50]
*** martinus__ has quit IRC [22:05]
*** neex_io has joined #openstack-keystone [22:07]
*** belmoreira has joined #openstack-keystone [22:11]
*** neex_io has quit IRC [22:25]
openstackgerrit: Merged openstack/keystoneauth master: Add pep8 import order validation  https://review.openstack.org/545094 [22:29]
*** threestrands has joined #openstack-keystone [22:43]
*** threestrands has quit IRC [22:43]
*** threestrands has joined #openstack-keystone [22:43]
lbragstad: stepping away for a bit, i'll be back on tonight though [23:06]
*** itlinux has quit IRC [23:09]
*** spilla has quit IRC [23:15]
*** belmoreira has quit IRC [23:17]
*** r-daneel has quit IRC [23:24]
SamYaple: if i wanted to compare x509 auth to fernet tokens, speed-wise, is there any existing tooling in the project that can help with that? [23:41]
*** oikiki has quit IRC [23:42]
SamYaple: or, possibly, has this been tested and i can just go view the results? [23:42]
*** oikiki has joined #openstack-keystone [23:42]
