Thursday, 2018-04-12

*** felipemonteiro_ has joined #openstack-keystone		00:00
*** harlowja has quit IRC		00:08
*** zhurong has quit IRC		00:14
*** r-daneel has quit IRC		00:22
*** itlinux has joined #openstack-keystone		00:42
*** dtruong_ has joined #openstack-keystone		00:42
*** dtruong has quit IRC		00:46
*** felipemonteiro_ has quit IRC		00:48
*** odyssey4me has quit IRC		00:51
*** odyssey4me has joined #openstack-keystone		00:51
*** chenyb4 has joined #openstack-keystone		01:01
*** panbalag has left #openstack-keystone		01:21
*** namnh has joined #openstack-keystone		01:25
*** markvoelker has quit IRC		01:52
*** kmalloc has quit IRC		02:06
*** edmondsw has joined #openstack-keystone		02:19
*** gongysh has joined #openstack-keystone		02:23
*** edmondsw has quit IRC		02:24
*** d0ugal has quit IRC		02:40
*** d0ugal has joined #openstack-keystone		02:48
*** nobody_ has joined #openstack-keystone		02:52
*** markvoelker has joined #openstack-keystone		02:53
*** Krenair has quit IRC		03:08
*** itlinux has quit IRC		03:08
*** Supun has joined #openstack-keystone		03:11
openstackgerrit	Gage Hugo proposed openstack/keystone master: WIP Handle LDAP Server Down in Pool https://review.openstack.org/560724	03:13
*** Krenair has joined #openstack-keystone		03:14
*** germs has quit IRC		03:16
*** germs has joined #openstack-keystone		03:17
*** germs has quit IRC		03:17
*** germs has joined #openstack-keystone		03:17
*** dave-mccowan has quit IRC		03:18
*** Supun has quit IRC		03:21
*** markvoelker has quit IRC		03:26
openstackgerrit	jessegler proposed openstack/keystone master: Corrects spelling of MacOS https://review.openstack.org/560730	03:27
*** sonuk has joined #openstack-keystone		03:29
*** gyee has quit IRC		03:33
*** d0ugal has quit IRC		03:39
openstackgerrit	wangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor https://review.openstack.org/559552	03:40
*** Supun has joined #openstack-keystone		03:44
*** gongysh has quit IRC		03:48
*** d0ugal has joined #openstack-keystone		03:49
*** nicolasbock has quit IRC		03:49
*** Supun has quit IRC		04:06
*** Supun has joined #openstack-keystone		04:06
*** edmondsw has joined #openstack-keystone		04:07
openstackgerrit	wangxiyuan proposed openstack/keystonemiddleware master: Double quote www_authenticate_uri https://review.openstack.org/559925	04:07
*** edmondsw has quit IRC		04:12
*** markvoelker has joined #openstack-keystone		04:23
*** markvoelker has quit IRC		04:27
pooja_jadhav	kmalloc: I am not passing logger object explicitly. I am getting session object from line https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L82 and then I am just setting seesion object with split_logger parameter like (_SESSION._split_loggers = True).	04:29
*** Supun has quit IRC		04:34
*** Supun has joined #openstack-keystone		04:34
*** markvoelker has joined #openstack-keystone		04:38
*** links has joined #openstack-keystone		05:09
*** gongysh has joined #openstack-keystone		05:12
*** Supun has quit IRC		05:20
*** jaosorior has quit IRC		05:26
*** markvoelker has quit IRC		05:29
*** markvoelker has joined #openstack-keystone		05:30
*** markvoelker has quit IRC		05:34
*** d0ugal has quit IRC		05:41
*** Supun has joined #openstack-keystone		05:45
*** d0ugal has joined #openstack-keystone		05:48
*** openstackgerrit has quit IRC		05:48
*** Supun has quit IRC		05:53
*** jaosorior has joined #openstack-keystone		05:55
*** edmondsw has joined #openstack-keystone		05:56
*** AlexeyAbashkin has joined #openstack-keystone		05:58
*** edmondsw has quit IRC		06:00
*** threestrands has joined #openstack-keystone		06:05
*** threestrands has quit IRC		06:05
*** threestrands has joined #openstack-keystone		06:05
*** markvoelker has joined #openstack-keystone		06:11
*** alex_xu has quit IRC		06:11
*** markvoelker has quit IRC		06:16
*** alex_xu has joined #openstack-keystone		06:16
*** germs has quit IRC		06:18
*** germs has joined #openstack-keystone		06:18
*** germs has quit IRC		06:18
*** germs has joined #openstack-keystone		06:18
*** AlexeyAbashkin has quit IRC		06:24
*** Supun has joined #openstack-keystone		06:25
*** marius1 has joined #openstack-keystone		06:31
*** AlexeyAbashkin has joined #openstack-keystone		06:35
*** Supun has quit IRC		06:40
*** AlexeyAbashkin has quit IRC		06:44
*** martinus__ has joined #openstack-keystone		06:51
*** belmoreira has joined #openstack-keystone		06:53
*** belmoreira has quit IRC		06:54
*** openstackgerrit has joined #openstack-keystone		06:55
openstackgerrit	wangxiyuan proposed openstack/keystone master: Do not return all the limits for POST request. https://review.openstack.org/550736	06:55
openstackgerrit	wangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor https://review.openstack.org/559552	06:55
Horrorcat	so we’re looking into reselling with openstack. (I asked over in #openstack last week, but haven’t gotten a chance to work on this until today. I was directed here.) From web searches, it isn’t entirely clear to me how the domain/project hierarchy should be set up for reselling and how to do that.	07:00
*** AlexeyAbashkin has joined #openstack-keystone		07:01
Horrorcat	specifically, we want to have a domain/project in which the admin is allowed to create subprojects, manage their quotas (but not surpass the quota assigned to the domain/project), does not have access to manage cloud-wide resources.	07:02
Horrorcat	I thought that creating a sub-domain would be the correct path, but openstack domain create appears to actually not support that.	07:02
Horrorcat	(and shouldn’t be able to see other projects not belonging to their domain)	07:03
Horrorcat	this in on pike btw	07:04
*** markvoelker has joined #openstack-keystone		07:15
Horrorcat	okay so if I’m reading this correctly, nested domains never were actually merged.	07:26
*** marius11 has joined #openstack-keystone		07:32
*** marius1 has quit IRC		07:35
openstackgerrit	wangxiyuan proposed openstack/keystone master: Enable Foreign keys for sql backend unit test https://review.openstack.org/558029	07:36
*** tesseract has joined #openstack-keystone		07:39
*** edmondsw has joined #openstack-keystone		07:44
*** edmondsw has quit IRC		07:48
*** frickler has quit IRC		07:56
*** gongysh has quit IRC		08:01
*** frickler has joined #openstack-keystone		08:03
*** h3yduck has joined #openstack-keystone		08:11
*** pcaruana has joined #openstack-keystone		08:12
*** d0ugal has quit IRC		08:14
*** d0ugal has joined #openstack-keystone		08:17
*** gongysh has joined #openstack-keystone		08:23
*** AlexeyAbashkin has quit IRC		08:29
*** AlexeyAbashkin has joined #openstack-keystone		08:30
h3yduck	https://paste.gnome.org/p2hvfliga	08:31
*** marius11 has quit IRC		08:32
h3yduck	hey folks, We are trying to configure an environment where users log in via SAML2 and get their group names in 'niifEduPersonAttendedCourse' attribute, which is an array of course names in the SAML response. It works well when there are groups already for all course names. However we cannot create all groups, only some of them unfortunately. Therefore authentication fails if someone logs in with a course name assigned that has no corresponding	08:33
h3yduck	group in OpenStack yet. A working solution for us would be if Keystone would create the group if it didn't exist yet or if Keystone would map the authentication to already existing groups only, ignoring unexistent ones. Here is our mapping: https://pastebin.com/0rumqE0t. Could you guys suggest a solution for this?	08:33
*** linkmark has joined #openstack-keystone		08:53
*** marius1 has joined #openstack-keystone		08:59
*** Xinran has joined #openstack-keystone		09:12
Xinran	hi guys. I'm doing the quota management in cyborg. please allow me to ask a question here.	09:13
Xinran	have you already implement the unified limits in keystone?	09:14
wxy	Xinran: Sorry, Unified limits is not ready for other services to adopt. We are trying to make it available in Rocky.	09:15
wxy	Now Keystone has the APIs to allow services store the limit. But the enforcement part is still missing. And the hierarchical limit model is still under designing . Once it's done, I think Cyborg can call oslo.limit library to enforce the resource usage.	09:19
*** rha has joined #openstack-keystone		09:21
wxy	Xinran: here are two related specs: https://review.openstack.org/#/c/540803/ https://review.openstack.org/#/c/549766/ feel free to leave any opinions	09:23
*** marius1 has quit IRC		09:25
*** panbalag has joined #openstack-keystone		09:43
*** panbalag has quit IRC		09:44
*** kmalloc has joined #openstack-keystone		10:01
pooja_jadhav	kmalloc : Hello	10:04
*** chenyb4 has quit IRC		10:04
*** panbalag has joined #openstack-keystone		10:05
*** namnh has quit IRC		10:06
*** panbalag has left #openstack-keystone		10:08
*** AlexeyAbashkin has quit IRC		10:10
*** marius1 has joined #openstack-keystone		10:22
*** threestrands has quit IRC		10:24
*** sonuk has quit IRC		10:31
*** AlexeyAbashkin has joined #openstack-keystone		10:53
*** odyssey4me has quit IRC		10:55
*** odyssey4me has joined #openstack-keystone		10:55
*** odyssey4me has quit IRC		11:00
*** odyssey4me has joined #openstack-keystone		11:00
*** gongysh has quit IRC		11:06
*** nobody_ has quit IRC		11:08
*** edmondsw has joined #openstack-keystone		11:20
Horrorcat	Am I undestanding this correctly that nested Projects acting as Domains (or nested Domains in general) are not a thing yet? In the sense that it’s not possible to have a user which is able to manage resources and users within a subtree of projects, but not outside of that subtree?	11:23
Horrorcat	(which includes not seeing those users at all, ideally)	11:23
*** edmondsw has quit IRC		11:24
kmalloc	pooja_jadhav: hello	11:24
kmalloc	Horrorcat: projects acting as domains can only exist at the top level. The main reason for this is due to some complications in how domains work. Right now there is no plan to allow a domain to be nested under another domain **	11:25
kmalloc	Horrorcat: there is one exception. We have an internal "domain" that is our	11:26
kmalloc	root-domain	11:26
kmalloc	that is hidden from users [may be exposed for administration reasons in the future]	11:26
kmalloc	the root-domain is the parent of all other domains	11:26
Horrorcat	okay. so our use-case is essentially reselling. is there another sane way to do this without resorting to federation?	11:26
kmalloc	Horrorcat: but, in short: no domains cannot be nested under other domains.	11:26
Horrorcat	thanks for the replies :)	11:27
kmalloc	hmm.	11:27
kmalloc	I don't think you can do reselling with domains as the container. you could have users in a domain and resell/only give access to project trees under that domain	11:28
Horrorcat	I can’t quite follow. what "container" do you mean?	11:29
kmalloc	here is how it would need to work right now:	11:29
kmalloc	Reseller owns a domain and can add/manage users in the domain	11:29
kmalloc	reseller creates a user and gives the user access to a specific tree of projects (and "project-admin" rights)	11:30
*** nicolasbock has joined #openstack-keystone		11:30
kmalloc	that user, unfortunately cannot manage her own users.	11:30
Horrorcat	I think that might be sufficient for our use case actually.	11:30
kmalloc	it just means that all accounts for the "user" must be managed/maintained by the reseller	11:31
kmalloc	user-accounts*	11:31
kmalloc	man, sometimes our terminology is confusing (overloaded words)	11:31
kmalloc	i hope that helps you out	11:31
Horrorcat	this is already helpful insofar that I don’t need to try to get that nested project/domain thing to work anymore ;)	11:32
kmalloc	:)	11:32
kmalloc	well glad i could help simplify it	11:32
kmalloc	you caught me at the right time, i was just poking at something because i couldn't sleep	11:32
Horrorcat	ha!	11:32
kmalloc	it's 0430 here =/	11:33
Horrorcat	how do quotas work in this setup? can we set quotas on the reseller domain the reseller themselves can’t change? so that the amount of resources they resell is restricted?	11:33
Horrorcat	13:30 waves at overseas	11:33
kmalloc	that is a tougher situation, hierarchical quotas are ... spotty at best.	11:33
kmalloc	and we're working on unified limits that are hierarchy aware	11:34
Horrorcat	mm, I already read that somewhere that it isn’t there yet.	11:34
kmalloc	but that is Rocky, S, and T release timeframes	11:34
Horrorcat	okay, thank you for all that input. gonna figure out now how we move on from here.	11:34
*** rcernin has quit IRC		11:35
kmalloc	:) you can write your own quota driver[s] (i know... i know... suboptimal) if that helps	11:35
kmalloc	but that is definitely a rabbit hole.	11:35
kmalloc	Horrorcat: def look into the hierarchical quotas, they may work -- but honestly i just don't know what the support in all the projects is.	11:36
Horrorcat	thanks. we figured that quota on the reseller domain is not a strict requirement for now. (I assume that the reseller can manage quotas of the resold-to users?)	11:40
kmalloc	i can't answer that, it is on Nova/Cinder/Etc to deal with quotas atm	11:43
pooja_jadhav	kmalloc: I am not passing logger object explicitly. I am getting session object from line https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L82 and then I am just setting seesion object with split_logger parameter like (_SESSION._split_loggers = True).	11:43
Horrorcat	kmalloc: okay, thanks	11:43
kmalloc	pooja_jadhav: ah.	11:43
kmalloc	pooja_jadhav: hm. so a logger was passed in on the session creation.	11:44
kmalloc	i think it would be fair to fix that to allow a clear override for split-loggers even if logger is passed in	11:44
pooja_jadhav	kmalloc: If I comment out the code of that if/else block and set the split_loggers=True Then i am able to see request-ids as well	11:46
kmalloc	pooja_jadhav: yeah, so i think we should allow an explicit split_loggers=True pass in.	11:46
kmalloc	pooja_jadhav: i'd be happy to take a bit of code like that: cc mordred ^ re ksa split-loggers	11:46
pooja_jadhav	kmalloc: Can you help how it can be done?? so that it will solve my issue :)	11:47
kmalloc	pooja_jadhav: i'll need to poke at it, but it's most likely changing how .request() works on the session	11:49
kmalloc	and allowing for explicitly overriding the passed in logger	11:49
kmalloc	pooja_jadhav: if you want to take a stab at it, i'll review it, otherwise it'll need to be something I stare at a bit when it's not 4:49am ;)	11:50
kmalloc	and i've not had coffee	11:50
pooja_jadhav	kmalloc: np	11:50
*** sonuk has joined #openstack-keystone		12:06
*** r-daneel has joined #openstack-keystone		12:18
*** AlexeyAbashkin has quit IRC		12:28
*** AlexeyAbashkin has joined #openstack-keystone		12:29
*** dave-mccowan has joined #openstack-keystone		12:31
*** raildo has joined #openstack-keystone		12:33
*** panbalag has joined #openstack-keystone		12:37
*** panbalag has left #openstack-keystone		12:37
*** dklyle has quit IRC		12:51
*** spilla has joined #openstack-keystone		12:54
*** dklyle has joined #openstack-keystone		12:57
*** tobberydberg_ is now known as tobberydberg		13:01
*** edmondsw has joined #openstack-keystone		13:01
*** marius1 has quit IRC		13:04
*** dklyle has quit IRC		13:09
*** edmondsw has quit IRC		13:20
*** edmondsw has joined #openstack-keystone		13:21
*** edmondsw has quit IRC		13:21
*** links has quit IRC		13:27
*** jaosorior has quit IRC		13:29
*** chenyb4 has joined #openstack-keystone		13:39
*** dangtrinhnt has quit IRC		13:45
*** dangtrinhnt has joined #openstack-keystone		13:46
*** panbalag has joined #openstack-keystone		13:49
*** panbalag has left #openstack-keystone		13:56
*** panbalag has joined #openstack-keystone		14:03
*** jaosorior has joined #openstack-keystone		14:04
*** r-daneel has quit IRC		14:04
*** mugsie has quit IRC		14:08
*** panbalag has left #openstack-keystone		14:11
*** felipemonteiro_ has joined #openstack-keystone		14:12
*** andreykurilin_ has quit IRC		14:14
*** marius1 has joined #openstack-keystone		14:19
*** mvk has quit IRC		14:27
gagehugo	o/	14:31
*** itlinux has joined #openstack-keystone		14:31
*** r-daneel has joined #openstack-keystone		14:35
*** chenyb4 has quit IRC		14:35
*** dklyle has joined #openstack-keystone		14:36
*** marius1 has quit IRC		14:37
*** markvoelker has quit IRC		14:42
*** markvoelker has joined #openstack-keystone		14:42
*** AlexeyAbashkin has quit IRC		14:45
*** markvoelker has quit IRC		14:47
lbragstad	o/	14:52
*** mugsie has joined #openstack-keystone		14:54
*** mugsie has quit IRC		14:54
*** mugsie has joined #openstack-keystone		14:54
*** jessegler has joined #openstack-keystone		14:57
*** chenyb4 has joined #openstack-keystone		14:57
*** mvk has joined #openstack-keystone		14:58
knikolla	o/	14:59
*** freerunner has quit IRC		15:00
*** NikitaKonovalov has quit IRC		15:00
*** DinaBelova has quit IRC		15:00
*** r-daneel has quit IRC		15:02
*** mugsie has quit IRC		15:04
*** itlinux has quit IRC		15:05
*** mugsie has joined #openstack-keystone		15:06
*** mugsie has quit IRC		15:06
*** mugsie has joined #openstack-keystone		15:06
*** AlexeyAbashkin has joined #openstack-keystone		15:07
*** mugsie has quit IRC		15:08
*** mugsie has joined #openstack-keystone		15:08
*** mugsie has quit IRC		15:08
*** mugsie has joined #openstack-keystone		15:08
*** germs has quit IRC		15:08
*** germs has joined #openstack-keystone		15:09
*** germs has quit IRC		15:09
*** germs has joined #openstack-keystone		15:09
*** AlexeyAbashkin has quit IRC		15:12
*** DinaBelova has joined #openstack-keystone		15:15
*** jaosorior has quit IRC		15:15
*** NikitaKonovalov has joined #openstack-keystone		15:16
*** freerunner has joined #openstack-keystone		15:16
*** ayoung has joined #openstack-keystone		15:21
*** marius1 has joined #openstack-keystone		15:25
ayoung	lbragstad, can you update bug 968696 with the plan to close it out over time? A detailed document that we can point to that says both why this has taken so long to fix, and what the overall process is to eventually close it out? It needs to cover where we are, where we are going to be, and, most important, the stepes that are going to happen to get us there without breaking people's deployments	15:26
openstack	bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)	15:26
ayoung	for example, how we will convert people from Admin on project to system scoped admin	15:27
ayoung	and where we need to check integrations, like making sure the openstack-cli and middleware all honor the system roles.	15:27
ayoung	I think we are close, and I'd like to be able to walk people through the steps that will get us to the end	15:28
lbragstad	most of that information exists in the system scope specification i think	15:28
* lbragstad starts planning a vacation for the day that bug closes		15:29
*** markvoelker has joined #openstack-keystone		15:31
*** AlexeyAbashkin has joined #openstack-keystone		15:32
*** gyee has joined #openstack-keystone		15:32
*** chenyb4 has quit IRC		15:32
*** felipemonteiro__ has joined #openstack-keystone		15:33
*** felipemonteiro_ has quit IRC		15:37
openstackgerrit	jessegler proposed openstack/keystone master: Corrects spelling of MacOS https://review.openstack.org/560730	15:39
*** markvoelker_ has joined #openstack-keystone		15:40
lbragstad	kmalloc: re domains:identity provider requirements https://bugs.launchpad.net/keystone/+bug/1760843	15:40
openstack	Launchpad bug 1760843 in OpenStack Identity (keystone) "Identity Provider domain is not unique" [Undecided,In progress] - Assigned to wangxiyuan (wangxiyuan)	15:40
*** markvoelker has quit IRC		15:44
*** fiddletwix has quit IRC		15:49
*** edmondsw has joined #openstack-keystone		15:50
*** edmondsw has quit IRC		15:53
*** edmondsw has joined #openstack-keystone		15:58
*** felipemonteiro__ has quit IRC		16:00
*** spilla has quit IRC		16:01
*** efried has quit IRC		16:03
*** efried has joined #openstack-keystone		16:04
*** anyone is now known as eschwartz		16:09
*** jmccarthy1 has joined #openstack-keystone		16:10
*** jmccarthy1 has left #openstack-keystone		16:11
*** itlinux has joined #openstack-keystone		16:13
*** jessegler has quit IRC		16:17
*** jmccarthy1 has joined #openstack-keystone		16:30
*** jmccarthy1 has left #openstack-keystone		16:31
*** spilla has joined #openstack-keystone		16:33
*** sonuk has quit IRC		16:35
*** dtruong_ has quit IRC		16:56
*** dtruong has joined #openstack-keystone		16:57
*** dklyle has quit IRC		17:07
kmalloc	lbragstad: will look shortly, need foods. Late breakfast.	17:07
*** mugsie has quit IRC		17:14
*** mugsie has joined #openstack-keystone		17:15
*** mugsie has quit IRC		17:15
*** mugsie has joined #openstack-keystone		17:15
*** itlinux has quit IRC		17:30
*** itlinux has joined #openstack-keystone		17:53
*** tesseract has quit IRC		17:55
*** dklyle has joined #openstack-keystone		18:05
*** pcaruana has quit IRC		18:09
*** felipemonteiro has joined #openstack-keystone		18:17
*** felipemonteiro_ has joined #openstack-keystone		18:18
*** openstackgerrit has quit IRC		18:19
*** itlinux has quit IRC		18:20
*** mvk has quit IRC		18:20
*** breton_ is now known as breton		18:20
*** felipemonteiro has quit IRC		18:22
lbragstad	kmalloc: thanks	18:22
*** itlinux has joined #openstack-keystone		18:22
*** links has joined #openstack-keystone		18:31
*** felipemonteiro_ has quit IRC		18:37
*** itlinux has quit IRC		18:42
*** pcichy has joined #openstack-keystone		18:50
*** r-daneel has joined #openstack-keystone		18:54
*** AlexeyAbashkin has quit IRC		19:06
*** felipemonteiro has joined #openstack-keystone		19:13
*** felipemonteiro_ has joined #openstack-keystone		19:14
*** openstackgerrit has joined #openstack-keystone		19:15
openstackgerrit	Merged openstack/keystone master: Follow the new PTI for document build https://review.openstack.org/555196	19:15
*** felipemonteiro has quit IRC		19:17
kmalloc	lbragstad: is openstack user password change-password or patch?	19:36
lbragstad	mm let me chekc	19:36
kmalloc	lbragstad: because i think that is update user	19:36
kmalloc	not change-password api	19:36
kmalloc	which, should succeed	19:37
lbragstad	weird... because i used it as a non-admin user	19:37
lbragstad	interesting thing about token responses	19:40
lbragstad	if you get a trust scoped token, the list of roles will contain domain_ids	19:40
*** aojea has joined #openstack-keystone		19:41
lbragstad	that was probably backwards incompatible	19:41
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change https://review.openstack.org/559438	19:44
kmalloc	lbragstad: bug in the test(s) and min_password_age functionality	19:44
kmalloc	lbragstad: we're consistently broken -- new code and old. I'll get a patch spun up to fix the behavior and the tests as a followup.	19:45
*** links has quit IRC		19:46
lbragstad	i suppose we can't fix that	19:47
lbragstad	https://review.openstack.org/#/c/407587/1	19:47
ayoung	lbragstad, how are we going to migrate people from anyproject:admin to system:admin	19:47
lbragstad	support a compatibility window	19:48
ayoung	my approach with is_admin_project made it a deliberate choice in the config file	19:48
ayoung	what if...	19:48
ayoung	we added a utility that would create a system scope role assignment for a specific project?	19:48
ayoung	something off keystone-manage	19:48
lbragstad	https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope	19:48
lbragstad	"a system scope role assignment for a specific project?"	19:49
lbragstad	^ what do you mean?	19:49
ayoung	lbragstad, so we are going to default that to false starting now, and switch it to true after a deprecation-type period	19:49
lbragstad	yes	19:49
*** linkmark has quit IRC		19:49
lbragstad	eventually down the road	19:49
ayoung	is_admin_project is tagged on one project, so convert every user and group with a role on that project to having a comparable system role assignment	19:50
lbragstad	give projects time to fix their policies, remove hardcoded admin checks, and implement scope types	19:50
ayoung	something like	19:50
kmalloc	ayoung: it's mirroring is_admin_project until ${deprecation}	19:50
ayoung	keystone-manage convert-project-roles-to-system --project-id=<uuid>	19:50
openstackgerrit	Gage Hugo proposed openstack/keystone master: Handle LDAP Server Down in Pool https://review.openstack.org/560724	19:51
ayoung	could even be outside keystone manage, just a code example, I guess	19:51
ayoung	could even be	19:51
kmalloc	ayoung: might need to be "copy-project-roles-to-system"	19:51
ayoung	keystone-manage convert-project-roles-to-system --project-id=<uuid> --role	19:51
kmalloc	since ... admin_project could need the roles for silly things	19:52
ayoung	copy...yeah that makes sense	19:52
kmalloc	so we need copy/not replace.	19:52
kmalloc	and sure. however we want to implement that	19:52
ayoung	and we might not want to do it for _member_ just for admin	19:52
kmalloc	implementation detail (might even be a migration)	19:52
kmalloc	to build the initial support	19:52
kmalloc	since we can already know what is_admin_project is	19:53
ayoung	migration...no, needs to read the config file, I think that it needs to be a deliberate step	19:53
kmalloc	migration can read the config	19:53
kmalloc	we did it for _member_	19:53
ayoung	we don't read the config files in other migrations, though	19:53
kmalloc	we don't anymore	19:53
kmalloc	but we did for a special one	19:53
ayoung	true	19:53
kmalloc	not saying it is a good idea	19:54
kmalloc	i'm mostly just saying "i don't care how we implement that, as long as we plan for it"	19:54
ayoung	they also might not have is_admin_project set up	19:54
ayoung	in fact, I would assume that they do not	19:54
ayoung	most people are running with the default policy etc	19:54
kmalloc	or add some extra bootstrap-system-roles	19:54
ayoung	and those are the people I want to help out here	19:54
kmalloc	if they are running standard policy, i wouldn't migrate any roles, i'd offer bootstrap-system-roles (or maybe we should do that regardless)	19:55
ayoung	role assignments	19:55
ayoung	we create the default set of roles regardless, I think	19:56
kmalloc	yeah, then we don't migrate.	19:56
ayoung	I kinda want to force the roleid == rolename	19:56
kmalloc	we create the roles and provide guidance on how to setup assignments appropriately	19:56
*** mvk has joined #openstack-keystone		19:56
ayoung	but I think henry trashed that with domain-specific roles now that I think of it	19:56
kmalloc	since ideally the system role assignments should be richer than default policy	19:56
ayoung	are we going to provide any system roles other than admin?	19:57
kmalloc	i hope so. but ... ask lbragstad	19:57
lbragstad	speaking of domain-specific roles, did we ever intend to leak domain_ids via the token API with trusts or was that an accident	19:57
kmalloc	in what context?	19:57
kmalloc	in a domain_scoped token?	19:57
lbragstad	in a trust scope token exclusively	19:57
kmalloc	wait... what is the bug?	19:57
lbragstad	every other token scope doesn't leak that information	19:57
*** pcichy has quit IRC		19:58
kmalloc	i don't think we meant to leak the domain_id, trust token body should be the same as any other scoped token body	19:58
lbragstad	only trust-scoped tokens copy references from the role API and inject them into the token response	19:58
lbragstad	huh - i was afraid of that	19:58
kmalloc	(with indication it was a trust)	19:58
lbragstad	https://review.openstack.org/#/c/407587/1	19:58
kmalloc	when did we break it?	19:58
lbragstad	i left a comment there	19:58
lbragstad	we broke it here - https://review.openstack.org/#/c/263064/19	19:59
lbragstad	or that's when we started leaking that info	19:59
kmalloc	ugh	19:59
kmalloc	lets ask for an exception for breaking the contract to undo that	19:59
kmalloc	otherwise...	19:59
lbragstad	https://github.com/openstack/keystone/blob/694ef627dd5a544b8200703fa4a42220d6f4784c/keystone/token/providers/common.py#L393-L394	19:59
kmalloc	not the patch, just the domain info leak	19:59
kmalloc	and lets backport as far as we can, if we get the exception.	20:00
lbragstad	it can only ever be domain_id: None	20:00
lbragstad	otherwise the role isn't appended	20:00
kmalloc	i think that was to support domain-scoped tokens	20:00
kmalloc	future looking.	20:01
kmalloc	but trusts never supported domain-scope	20:01
ayoung	wait...what is the problem?	20:01
kmalloc	ayoung: we're leaking domain info into the token body	20:01
ayoung	trusts can delegate domain specific roles, I assume that is the start of the problem	20:01
lbragstad	but only for trust scoped tokens	20:01
kmalloc	^^	20:01
kmalloc	it is always null	20:01
kmalloc	but we don't strip the data	20:02
kmalloc	so we have a domain_id entry	20:02
lbragstad	get any type of token and the domain_id of the role won't be in the response, except for trust-scpoed token	20:02
kmalloc	but only in trust tokens	20:02
lbragstad	tokens*	20:02
ayoung	domain specific roles, though, should not show up in the trust scoped tokens	20:02
lbragstad	right	20:02
lbragstad	which is kinda were it doesn't make sense	20:02
kmalloc	ayoung: it's a leak of useless data, but it adds to the structure	20:02
ayoung	a standard domain role assignment should show up in a domain scoped token, but not a domain-scoped role assignment	20:02
lbragstad	i was digging through some old patches (https://review.openstack.org/#/c/407587/1) and recreated it	20:03
kmalloc	ayoung: yeah it's just a pointless data structure.	20:03
kmalloc	that shouldn't be there	20:03
*** felipemonteiro_ has quit IRC		20:03
kmalloc	but... we started leaking that 2yrs ago	20:03
kmalloc	so...	20:03
ayoung	If the role assignment is domain scoped, remove it from the token validation response across the board	20:03
*** felipemonteiro_ has joined #openstack-keystone		20:03
kmalloc	it's an exception to remove that data [it's technically an API break now to change it, even though it was a break 2 yrs ago]	20:04
ayoung	please open a bug before fixing it	20:04
kmalloc	regardless of bug, we need TC/API-WG sign off to fix it	20:04
ayoung	that is fine	20:04
lbragstad	fixed - http://paste.openstack.org/show/719090/	20:05
lbragstad	ayoung: right - this is only if the domain_id of the role is None	20:05
lbragstad	so a "global" role	20:05
lbragstad	which is good	20:05
ayoung	I wonder if that was not due to domain specific roles	20:05
ayoung	I wonder if that was from HTM	20:06
lbragstad	well	20:06
ayoung	HMT	20:06
lbragstad	when we extended the role reference to include another attribute, it was copied into the token response because of that code	20:06
lbragstad	so it would have been whenever we added that functionality for domain specific roles	20:06
ayoung	so...yeah, that looks like domain specific	20:07
lbragstad	at least from what i can tell based on the history of the code	20:07
ayoung	a270766eb9 (Henry Nash 2016-01-03 21:45:51 +0000 393) if role['domain_id'] is None:	20:08
ayoung	a270766eb9 (Henry Nash 2016-01-03 21:45:51 +0000 394) filtered_roles.append(role)	20:08
ayoung	Modify implied roles to honor domain specific roles	20:08
ayoung		20:08
ayoung	The logic for processing domain specific roles is the same as	20:08
ayoung	regular implied roles, except for the fact that domain specifc	20:08
ayoung	roles themselves should not be returned by the manager level	20:08
ayoung	list_role_assignments() in effective mode, hence ensuring that	20:08
ayoung	the won't be placed in the token.	20:08
ayoung	https://review.openstack.org/#/c/263064/	20:10
ayoung	I'll take the blame	20:10
ayoung	I signed off on it	20:10
ayoung	wait	20:10
ayoung	only roles whose domain_id is none are added	20:11
ayoung	that is not the problem	20:11
ayoung	its the case where roles who's domain_id is not none...	20:11
ayoung	so, the role.domain_id should never be in a token	20:11
ayoung	so do we ever have a case where role.domain_id != None?	20:12
*** itlinux has joined #openstack-keystone		20:17
lbragstad	probably not	20:19
lbragstad	the role is only ever copied directly into the token iff role.domain_id = None	20:19
lbragstad	but... if we ever added something else to the role schema	20:20
lbragstad	it would be subject to the same thing	20:20
lbragstad	since the representation of the role isn't being declared explicitly	20:20
lbragstad	it's just being copied from what is returned from the role_api	20:20
*** markvoelker_ has quit IRC		20:23
lbragstad	so - from a security perspective, i don't think there is an issue	20:24
lbragstad	it's just an oddity in the token response IMO	20:24
lbragstad	if a role is a domain-specific role, the role.domain_id != None, it should be the id of the domain it was created for	20:26
*** panbalag has joined #openstack-keystone		20:28
*** panbalag has left #openstack-keystone		20:28
lbragstad	cc ayoung^	20:29
lbragstad	kmalloc: ^	20:30
kmalloc	lbragstad: ++	20:30
kmalloc	yeah it is a leak of useless data structure	20:30
kmalloc	no security issue(s)	20:30
kmalloc	just something we shouild cleanup if we are allowed to	20:30
lbragstad	ok - i'll open a bug	20:32
ayoung	still, lets do it right. File a bug, get the TC signoff, remove	20:32
kmalloc	yep	20:34
lbragstad	ayoung: you had a question on the systme scope stuff?	20:36
lbragstad	ayoung: right before i drug us into the weeds	20:36
ayoung	lbragstad, ah...lets see what state we left that	20:37
ayoung	" are we going to provide any system roles other than admin?"	20:37
ayoung	lbragstad, ^^ that was it	20:37
ayoung	lbragstad, my thinking is that if we dont' all system-scoped operations are going to require admin	20:37
ayoung	and...maybe that is ok?	20:38
ayoung	I mean, I realize that any role can be a system scoped role	20:38
ayoung	I meant more "roles that mean things only if they are system scoped"	20:38
ayoung	like...something specific for system scoped resources like hypervisors and nodes in Nova, or some such	20:38
lbragstad	well - each of the defaults that hrybacki is working on can be used on the system level	20:42
lbragstad	so if you have auditor on the system, you can list endpoints, for example	20:42
lbragstad	i wouldn't say all system-scoped operations are going to "require" admin	20:44
lbragstad	i think it would be nice to have policies only require auditor, or member, depending on the API, but then have them require scope	20:44
lbragstad	require system scope*	20:44
lbragstad	so - it'd be kinda like a matrix	20:44
lbragstad	kinda like this - https://imgur.com/a/XGMnW	20:46
lbragstad	^ that would include domain scope	20:47
lbragstad	which would be outside of context of the specification that hrybacki is working on, but eventually	20:47
lbragstad	you'd have 9 different personas you could use	20:47
*** spilla has quit IRC		20:52
*** raildo has quit IRC		20:55
*** itlinux has quit IRC		21:01
openstackgerrit	Merged openstack/keystone master: Corrects spelling of MacOS https://review.openstack.org/560730	21:02
*** marius1 has left #openstack-keystone		21:11
*** martinus__ has quit IRC		21:15
*** aojea has quit IRC		21:26
*** aojea has joined #openstack-keystone		21:26
*** openstackstatus has quit IRC		21:27
*** openstack has joined #openstack-keystone		21:28
*** ChanServ sets mode: +o openstack		21:28
*** openstackstatus has joined #openstack-keystone		21:28
*** ChanServ sets mode: +v openstackstatus		21:28
*** aojea has quit IRC		21:56
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Use consistent role schema in token response validation https://review.openstack.org/407587	22:01
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Make role reference across token scopes consistent https://review.openstack.org/561061	22:01
lbragstad	kmalloc: ayoung fixed ^	22:03
lbragstad	the first patch in the series could actually be merged	22:03
lbragstad	i reproposed it in a way that keeps the tests a bit more DRY, but doesn't force us to fix the bug	22:03
*** felipemonteiro__ has joined #openstack-keystone		22:08
*** felipemonteiro_ has quit IRC		22:12
*** felipemonteiro__ has quit IRC		22:15
*** felipemonteiro__ has joined #openstack-keystone		22:16
*** lbragstad has quit IRC		22:16
*** harlowja has joined #openstack-keystone		22:24
*** rcernin has joined #openstack-keystone		22:30
*** linkmark has joined #openstack-keystone		22:39
*** Pete_ has joined #openstack-keystone		23:01
Pete_	^[[1;31mError: /Stage[main]/Pra_openstack::Provision_dsm_user/Keystone_user[dsm]: Could not evaluate: Execution of '/bin/openstack token issue --format value' returned 1: Discovering versions from the identity service failed when creating the password p lugin. Attempting to determine version from URL.	23:03
Pete_	We saw error like this	23:03
Pete_	^[[1;31mError: /Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Service_identity[neutron]/Keystone_user[neutron]: Could not evaluate: Execution of '/bin/openstack token issue --format value' returned 1: Discovering versions from the identity ser vice failed when creating the password plugin. Attempting to determine version from URL.	23:04
Pete_	Error: /Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Service_identity[neutron]/Keystone_user[neutron]: Could not evaluate: Execution of '/bin/openstack token issue --format value' returned 1: Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. Error: /Stage[main]/Nova::Keystone::Auth/Keystone::Resource::Service_identity[nova]/Keystone_	23:05
Pete_	any idea what happened and how to fix it?	23:06
*** Pete_ has quit IRC		23:17
*** itlinux has joined #openstack-keystone		23:35
*** felipemonteiro_ has joined #openstack-keystone		23:39
-openstackstatus- NOTICE: The Etherpad service at https://etherpad.openstack.org/ is being restarted to pick up the latest release version; browsers should see only a brief ~1min blip before reconnecting automatically to active pads		23:39
*** felipemonteiro__ has quit IRC		23:43

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!