Thursday, 2018-08-16

[00:03] *** dklyle has quit IRC
[00:17] *** _ix has joined #openstack-keystone
[00:31] *** zzzeek has quit IRC
[00:31] *** zzzeek has joined #openstack-keystone
[01:02] *** lbragstad has joined #openstack-keystone
[01:02] *** ChanServ sets mode: +o lbragstad
[01:04] *** imacdonn has quit IRC
[01:04] <openstackgerrit> lvxianguo proposed openstack/python-keystoneclient master: fix misspelling of 'default'  https://review.openstack.org/577368
[01:06] *** dave-mccowan has joined #openstack-keystone
[01:13] *** r-daneel has joined #openstack-keystone
[01:14] *** zzzeek has quit IRC
[01:16] *** zzzeek has joined #openstack-keystone
[01:16] *** imacdonn has joined #openstack-keystone
[01:29] *** r-daneel has quit IRC
[01:41] <lbragstad> kmalloc: thoughts on https://review.openstack.org/#/c/589950/5 ?
[01:53] *** _ix has quit IRC
[03:40] *** shyamb has joined #openstack-keystone
[03:52] *** shyamb has quit IRC
[04:04] *** dave-mccowan has quit IRC
[04:20] *** shyamb has joined #openstack-keystone
[04:29] <kmalloc> It is all deprecated
[04:29] <kmalloc> We missed some
[04:29] <kmalloc> lbragstad: ^cc
[04:30] <kmalloc> Keystone is a bad distribution point for policy files, and those APIs are hard UX to be useful.
[04:31] <kmalloc> That said ep.policy is checked by tempest. I tried making it disabled by default a while ago.
[05:10] <lbragstad> hmm
[05:10] <lbragstad> ok
[05:11] <lbragstad> so we should formally deprecate the OS-ENDPOINT-POLICY API?
[05:11] <lbragstad> because according to the code it was just before i moved it to flask
[05:26] *** pcaruana has quit IRC
[05:43] *** shyamb has quit IRC
[05:46] *** shyamb has joined #openstack-keystone
[06:01] *** shyamb has quit IRC
[06:45] *** hoonetorg has quit IRC
[06:48] *** pcaruana has joined #openstack-keystone
[06:57] *** hoonetorg has joined #openstack-keystone
[06:59] *** ispp has joined #openstack-keystone
[07:04] *** rha has joined #openstack-keystone
[07:20] *** rcernin has quit IRC
[07:22] *** ispp has quit IRC
[07:51] *** sayalilunkad has joined #openstack-keystone
[08:11] *** knikolla[m] has quit IRC
[08:16] <openstackgerrit> Merged openstack/python-keystoneclient master: fix misspelling of 'default'  https://review.openstack.org/577368
[08:52] *** rha has quit IRC
[08:54] *** mbuil has joined #openstack-keystone
[08:55] *** shyamb has joined #openstack-keystone
[09:01] *** josecastroleon has quit IRC
[09:01] *** josecastroleon has joined #openstack-keystone
[09:08] *** redrobot has quit IRC
[09:10] *** jaosorior has quit IRC
[09:11] *** redrobot has joined #openstack-keystone
[09:14] *** d0ugal has quit IRC
[09:18] *** d0ugal has joined #openstack-keystone
[09:20] <openstackgerrit> Merged openstack/keystoneauth master: Update reno for stable/rocky  https://review.openstack.org/586083
[09:23] <openstackgerrit> Merged openstack/keystonemiddleware master: Update reno for stable/rocky  https://review.openstack.org/586086
[09:29] <mbuil> cmurphy, lbragstad: in the K2K deployment, when the SP receives the "Assertion", this one contains the auth-url ==> http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth, right? So I guess the SP fetches that when verifying the "ECP SAML Response" from the User Agent, right?
[09:31] <mbuil> cmurphy, lbragstad: wait, that is a bit strange because the auth-url points to the SP itself... I am trying to understand how IdP and SP exchange the metadata to create the trust
[09:34] <cmurphy> mbuil: in the k2k case trust only goes in one direction, only the SP needs to trust the IdP, and with shibboleth that's done by setting the MetadataProvider in /etc/shibboleth/shibboleth2.xml to either a remote URL or a local file where it can find the IdP's metadata which contains its public key
[09:38] *** josecastroleon has quit IRC
[09:39] <mbuil> cmurphy: aaaah I see. And Shibboleth at the SP side fetches the metadata when it gets the assertion from the User Agent?
[09:41] <cmurphy> mbuil: I think it fetches it when the shibd daemon is started but not 100% sure
[09:42] <mbuil> cmurphy: thanks
[09:47] <mbuil> cmurphy: if I want to list the images that I have in my sp, this command should work right ==> openstack --os-service-provider mysp --os-remote-project-name federated_project --os-remote-project-domain-name federated_domain image list
[09:51] *** josecastroleon has joined #openstack-keystone
[09:53] <cmurphy> mbuil: i think so
[09:54] <mbuil> cmurphy: I am getting an Unauthorized (HTTP 401), even though token issue works
[09:55] <cmurphy> mbuil: hmm :/
[09:57] *** shyambiradar has joined #openstack-keystone
[09:58] <cmurphy> mbuil: is it coming from the IdP or the SP?
[09:58] <cmurphy> mbuil: you can turn on insecure_debug in keystone.conf in both keystones and see if it gives you a reason
[09:59] <mbuil> I am looking at /var/log/keystone.log in the SP but I see nothing wrong. I can see the federation stuff going on and I see exactly the same when I do "token issue" instead
[09:59] <mbuil> cmurphy: ok, let me try that
[10:00] *** shyamb has quit IRC
[10:01] <mbuil> cmurphy: I see a message in the IdP keystone.log saying: "This is not a recognized Fernet token"
[10:02] <mbuil> so probably the token is created and fetched but the IdP does not recognize it (even though the request is targeting the sp)
[10:07] *** d0ugal has quit IRC
[10:08] <cmurphy> mbuil: yeah something is pointing it back to the wrong keystone, not sure why though :/
[10:12] *** rha has joined #openstack-keystone
[10:13] *** d0ugal has joined #openstack-keystone
[10:14] <mbuil> cmurphy: in the IdP I have the service provider 'mysp' registered correctly pointing to the correct Auth URL
[10:15] <mbuil> cmurphy: there must be somewhere in the code a "switch" that tries the remote endpoint instead of the "local" one, right? Any idea where that code is?
[10:15] *** s10 has joined #openstack-keystone
[10:25] <cmurphy> mbuil: it's either in the client or in keystonemiddleware
[10:25] *** lbragstad has quit IRC
[10:26] <cmurphy> mbuil: I think it's a client issue actually, since you have OS_AUTH_URL pointing to the IdP
[10:27] <cmurphy> mbuil: I would try retrieving the token and then just using the token directly with OS_TOKEN and OS_URL pointing to the SP instead of the IdP
[10:28] *** jaosorior has joined #openstack-keystone
[10:28] <mbuil> cmurphy: right. That's what is happening. Can I force that behaviour with just modifying stuff in my openrc?
[10:29] <mbuil> you mean: 1 - fetch a token with "token issue". 2 - export OS_TOKEN=token_id 3 - export OS_URL=AUTH_SP ? Should I remove OS_AUTH_URL from my env?
[10:31] <cmurphy> mbuil: yes to all, in fact clean all OS_* variables from your env after step 1 before step 2 just to be safe
[10:31] <mbuil> cmurphy
[10:31] <mbuil> cmurphy ok!
[10:35] *** shyambiradar has quit IRC
[10:35] *** shyambiradar has joined #openstack-keystone
[10:50] <mbuil> cmurphy: for OS_URL, I wrote exactly what I had in OS_AUTH_URL but changing the ip (http://10.10.100.29:5000/v3/). I guess this is wrong because when doing 'image list' it tries to fetch something from the URL ==> http://10.10.100.29:5000/v3/v2/images
[10:51] *** shyambiradar has quit IRC
[10:54] <cmurphy> mbuil: oh it's trying to use it as the glance URL, I might be wrong about how that command works
[10:54] *** mvkr has quit IRC
[10:55] <cmurphy> let me try to reproduce
[11:02] *** shyambiradar has joined #openstack-keystone
[11:09] *** ravirjn has joined #openstack-keystone
[11:09] <mbuil> cmurphy: reading the code I can see that what I get makes sense. When using tokens, auth_ref is None because of this ==> https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/token_endpoint.py#L69-L76
[11:10] <mbuil> cmurphy: as a consequence, the endpoint is taken from OS_URL ==> https://github.com/openstack/osc-lib/blob/stable/queens/osc_lib/clientmanager.py#L294-L297
[11:12] <ravirjn> Hi Everyone, I am unable to allocate floating IP using admin user, it seems some permission issue with keystone... can anyone please help me.. here is log http://paste.openstack.org/show/728181/
[11:16] *** dave-mccowan has joined #openstack-keystone
[11:17] *** shyambiradar has quit IRC
[11:23] *** shyambiradar has joined #openstack-keystone
[11:25] *** mvkr has joined #openstack-keystone
[11:28] *** josecastroleon has quit IRC
[11:28] *** josecastroleon has joined #openstack-keystone
[11:28] <cmurphy> mbuil: still not sure exactly what the issue is but I think this is a better test and works for me: `curl -H "x-auth-token: $OS_TOKEN" <glance endpoint>/images`
[11:31] *** josecastroleon has quit IRC
[11:31] *** josecastroleon has joined #openstack-keystone
[11:32] <cmurphy> ravirjn: that doesn't look like anything to do with keystone to me, that looks like an issue between horizon and neutron
[11:41] <cmurphy> mbuil: hmm well now going through the client with OS_URL=<glance endpoint> works for me, not sure what i changed
[11:42] *** aloga has joined #openstack-keystone
[11:48] <cmurphy> mbuil: I was using a token obtained from the IdP not the SP, maybe that's what you were doing too
[11:49] *** aloga has quit IRC
[11:50] *** aloga has joined #openstack-keystone
[12:00] <mbuil> cmurphy: using OS_URL=<glance endpoint> works for me too. Therefore, when a remote service must be used, the OS_URL needs to be changed for each service
[12:01] <mbuil> I wonder why it does not use the catalog when doing the token authentication...
[12:01] <cmurphy> i guess it's just cutting out that round trip to keystone
[12:06] <mbuil> cmurphy: the code says "# token plugin does not have an auth ref, because it's a "static" authentication using a pre-existing token.... not sure what static means here :/
[12:09] <cmurphy> mbuil: i guess in a dynamic authentication you would go to keystone first and exchange your credentials for a token which in the process also gives you a catalog, maybe by "static" they mean you don't get the chance to refresh your catalog since you're not going to keystone first
[12:11] <mbuil> cmurphy: ok. Time to switch to other things. Thanks a lot for the help! Tomorrow more :)
[12:13] <cmurphy> mbuil: cool :)
[12:25] *** jaosorior has quit IRC
[12:25] *** jaosorior has joined #openstack-keystone
[12:30] *** raildo has joined #openstack-keystone
[12:34] *** josecastroleon has quit IRC
[12:37] *** josecastroleon has joined #openstack-keystone
[12:42] *** rha has quit IRC
[13:08] *** shyambiradar has quit IRC
[13:14] *** jaosorior has quit IRC
[13:15] *** jaosorior has joined #openstack-keystone
[13:20] *** jaosorior has quit IRC
[13:29] *** imacdonn has quit IRC
[13:32] *** nicolasbock has joined #openstack-keystone
[13:42] *** imacdonn has joined #openstack-keystone
[14:02] *** mvkr has quit IRC
[14:02] *** josecastroleon has quit IRC
[14:06] *** josecastroleon has joined #openstack-keystone
[14:10] *** josecastroleon has quit IRC
[14:18] *** josecastroleon has joined #openstack-keystone
[14:21] *** ayoung has joined #openstack-keystone
[14:22] <ayoung> kmalloc, I realize that Git blame is going to make the entire Keystone code base look like it was written by you.
[14:26] <cmurphy> i already plan on blaming kmalloc for all keystone bugs
[14:27] <knikolla> o/
[14:27] <knikolla> lol
[14:30] <kmalloc> cmurphy: <3
[14:30] <kmalloc> ayoung: yep, I knew that going into the huge refactor.
[14:31] <ayoung> kmalloc, that is why I wanted to move the files first, or in a stand alone git commit
[14:32] <ayoung> It's too late now
[14:32] <ayoung> but I would prefer it if we could maintain history, especially on some of the more chaotic files, like auth and such
[14:32] *** jaosorior has joined #openstack-keystone
[14:33] <ayoung> I usually just want to look to see if I was at fault for a certain commit, like the LDAP pool locking people out.
[14:33] <kmalloc> Except, history would still show me mostly doing all the work. Since the files change too much
[14:33] <kmalloc> You're going to have to run back a few commits in either case :(
[14:33] *** mvkr has joined #openstack-keystone
[14:36] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Do not log token string  https://review.openstack.org/592505
[14:39] *** d0ugal has quit IRC
[14:39] <kmalloc> ayoung: thankfully, most all of the code here is controller code, most of the logic is all further down... With exception of auth and discovery.
[14:40] <ayoung> kmalloc, yeah, for most of the files it should be OK.  It was the trust code that was most controlled embedded.
[14:40] <ayoung> auth is also a bit of spaghetti
[14:41] <kmalloc> The next move will be just file moving (moving bits from top level to keystone.subsystem)
[14:41] <kmalloc> So it will be keystone.subsystem.trusts.
[14:41] *** d0ugal has joined #openstack-keystone
[14:42] <kmalloc> Long term the goal will be keystone top level is common code, API is controller/view code, and keystone.subsystem will be manager /driver bits.
[14:42] <kmalloc> But that is really just moving files, no additional refactoring.
[14:47] <ayoung> kmalloc, you knikolla and I need to sit down and plan the Edge talk.
[14:48] <knikolla> ayoung: are you comind to devconf?
[14:48] <knikolla> coming*
[14:49] <ayoung> knikolla, I was not planning on it
[14:49] <ayoung> knikolla, I probably should, though
[15:06] *** mvkr has quit IRC
[15:07] *** r-daneel has joined #openstack-keystone
[15:26] *** dave-mccowan has quit IRC
[15:46] <kmalloc> ayoung: i can chat about the talk today
[15:47] *** d0ugal has quit IRC
[15:48] <ayoung> kmalloc, knikolla 2-3PM Eastern today OK to discuss?
[15:48] <knikolla> ayoung: works for me
[15:49] *** dave-mccowan has joined #openstack-keystone
[15:53] *** gyee has joined #openstack-keystone
[15:56] <kmalloc> Sure
[16:00] *** d0ugal has joined #openstack-keystone
[16:02] *** fiddletwix has joined #openstack-keystone
[16:11] *** itlinux has joined #openstack-keystone
[16:15] *** fiddletwix has quit IRC
[16:17] *** fiddletwix has joined #openstack-keystone
[16:32] *** s10 has quit IRC
[16:34] *** pcaruana has quit IRC
[16:44] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching  https://review.openstack.org/590518
[16:44] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert system (role) api to flask native dispatching  https://review.openstack.org/590588
[16:44] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Move json_home "extension" rel functions  https://review.openstack.org/591025
[16:45] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert OS-FEDERATION to flask native dispatching  https://review.openstack.org/591082
[16:45] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Refactor ProviderAPIs object to better design pattern  https://review.openstack.org/571955
[16:45] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Refactor ProviderAPIs object to better design pattern  https://review.openstack.org/571955
[16:45] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Fix RBACEnforcer get_member_from_driver mechanism  https://review.openstack.org/591146
[16:45] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert groups API to flask native dispatching  https://review.openstack.org/591147
[16:46] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Fix a translation of log  https://review.openstack.org/591164
[16:46] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert OS-INHERIT API to flask native dispatching  https://review.openstack.org/591165
[16:46] <kmalloc> ayoung: ^ the queryparam "is true" part was wrong, this is a fix of that and a rebase of the stack
[16:46] <ayoung> kmalloc, I thought that was fairly standard for boolean values
[16:48] <kmalloc> it is
[16:48] <kmalloc> i had the code wrong
[16:48] <kmalloc> i had url?param = false
[16:49] *** openstackgerrit has quit IRC
[16:49] <kmalloc> the only cases that are false are: url
[16:49] <kmalloc> and url?param=0
[16:49] <kmalloc> or should be*
[16:49] <kmalloc> so existence of the param, without value == true
[16:49] <kmalloc> (now)
[16:49] <kmalloc> no change in behavior from original code. it was a mistake I made when porting it.
[16:59] *** openstackgerrit has joined #openstack-keystone
[16:59] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add safety to the inferred target extraction during enforcement  https://review.openstack.org/591203
[17:00] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching  https://review.openstack.org/590518
[17:00] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert system (role) api to flask native dispatching  https://review.openstack.org/590588
[17:00] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Move json_home "extension" rel functions  https://review.openstack.org/591025
[17:00] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert OS-FEDERATION to flask native dispatching  https://review.openstack.org/591082
[17:01] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Refactor ProviderAPIs object to better design pattern  https://review.openstack.org/571955
[17:02] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Fix RBACEnforcer get_member_from_driver mechanism  https://review.openstack.org/591146
[17:13] <gyee> kmalloc, Keystone doesn't use these functionality right? https://github.com/flask-restful/flask-restful/blob/master/flask_restful/utils/crypto.py
[17:15] <kmalloc> gyee: not explicitly/implicitly there might be cases it would.
[17:16] <gyee> I am not seeing them being used anywhere.
[17:16] <gyee> https://github.com/flask-restful/flask-restful/blob/master/setup.py#L9
[17:17] <gyee> I am trying to resolve a package dependency on pycrypto
[17:28] <hrybacki> cmurphy: o/ -- there isn't a config option to enable app creds right?
[17:30] <cmurphy> hrybacki: not to enable the API but you have to have application_credential in [auth]/methods (which is there by default) in order to auth with them
[17:30] <hrybacki> no issue creating them, but ran into issues authenticating with one. Watched (and followed along in Horizon) your Vancouver talk. Hit the same issue with the clouds.yaml so figured I'd raise it with you. "Error authenticating with application credential: Application credentials cannot request a scope. (HTTP 401)"
[17:30] <hrybacki> lemme look there and make sure we didn't do anything weird in osp bits
[17:31] <hrybacki> nope, definitely using the defaults. cmurphy have you seen that response before? Perhaps I mucked something else up ^^
[17:32] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Do not log token string  https://review.openstack.org/592505
[17:33] <cmurphy> hrybacki: you shouldn't have a scope object in the request
[17:34] <cmurphy> it takes the scope from the application credential itself
[17:34] <cmurphy> example https://developer.openstack.org/api-ref/identity/v3/index.html#id94
[17:35] <hrybacki> cmurphy: weird -- I'm simply invoking a `openstack token issue`
[17:35] <hrybacki> I'll dig into it deeper and get back. Thanks for the nudge :)
[17:36] <cmurphy> hrybacki: are you setting a project in your openrc/clouds.yaml?
[17:37] <hrybacki> cmurphy: nope -- https://paste.fedoraproject.org/paste/cXr4WXccF9V3zJXOgs6TJA
[17:38] <cmurphy> hmm
[17:39] *** dave-mccowan has quit IRC
[17:40] <hrybacki> yeah, I'm scratching my head over here haha
[17:40] * hrybacki fetches coffeeeeee
[17:42] <knikolla> can you do an `openstack token issue --debug`?
[17:42] <cmurphy> good idea
[17:57] <kmalloc> gyee: i don't see where pycrypto is coming from
[17:57] <kmalloc> gyee: my tox environment, fwiw, doesn't have pycrypto
[17:58] <openstackgerrit> Merged openstack/keystone master: Convert Roles API to flask native dispatching  https://review.openstack.org/590494
[17:58] <openstackgerrit> Merged openstack/keystone master: Convert role_inferences API to flask native dispatching  https://review.openstack.org/590502
[18:01] <gyee> kmalloc, it's the python-Flask-Restful package in openSuSE build server. For some reason it includes pycrypto as a dependent. I am fixing it now. Thanks for verifying.
[18:02] <hrybacki> I can (just getting sucked back into meetings :()
[18:03] <kmalloc> np
[18:06] <hrybacki> I figured it out kmalloc cmurphy.. polluted environment variables from an early sourcing of an rc file -_-
[18:07] <hrybacki> the project scope was enough of a tip off -- so thanks :)
[18:07] <cmurphy> cool :)
[18:07] <kmalloc> hrybacki: doh! hate it when that happens
[18:20] *** r-daneel has quit IRC
[18:24] <kmalloc> cmurphy:
[18:24] <kmalloc> https://usercontent.irccloud-cdn.com/file/dJmnBEOP/IMG_20180816_112347.jpg
[18:24] <cmurphy> squeeee
[18:24] <cmurphy> comfy pup is comfy
[18:25] <kmalloc> yesssss
[18:48] <openstackgerrit> Merged openstack/keystone master: Add callback action back in  https://review.openstack.org/590590
[18:51] *** harlowja has joined #openstack-keystone
[18:56] *** r-daneel has joined #openstack-keystone
[18:58] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert role_assignments API to flask native dispatching  https://review.openstack.org/590518
[18:59] <mnaser> so what would be the difference between applications credentials and trusts?
[19:00] <mnaser> i don't really see that much of a difference somehow
[19:03] <kmalloc> trusts use normal auth mechanisms "username/password" claiming delegation in the trust
[19:03] <kmalloc> app creds supplant the standard username/password
[19:03] <cmurphy> mnaser: a normal end user can't create a user to delegate a trust to
[19:03] <kmalloc> cmurphy: ++ that too
[19:04] *** itlinux has quit IRC
[19:04] <cmurphy> application credentials are entirely self service
[19:06] <mnaser> cmurphy, kmalloc: ok cool, so the idea is a user can grant application credentials without needing to create a new user?
[19:06] <kmalloc> mnaser: yep, and limit the roles/project access
[19:07] <mnaser> my use case is a customer who needs to give access to different users to the same project, but because of the admin-ness bug and my not-wanting-to-modify-default-policy, they're unable to maintain their own users
[19:07] <mnaser> so my idea was: create application credentials and use those to authenticate (and hopefully openstackclient supports that part, or we might have to do some work to get it to)
[19:07] <kmalloc> cmurphy: would you be opposed if i wrapped the hashing of the app-cred into the SQL model like I did for passwords? rather than needing to explicitly call "hash" it's done on Model.secret = XXX
[19:07] <kmalloc> mnaser: that fits exactly what app creds are meant to solve (or one case)
[19:08] <mnaser> kmalloc: cool!  glad we're running queens then :D
[19:08] <kmalloc> :)
[19:08] <mnaser> on a separate note where i should check this but it's easier to ask
[19:08] <mnaser> will keystone forward the original user id in requests or the 'application credentials' one to services
[19:08] <cmurphy> kmalloc: i vaguely remember using the user model as an example so i'm surprised it's not already the same
[19:08] <mnaser> i.e.: reboot a server will come from original_user_id or application_credential_user_id ?
[19:08] <kmalloc> it generates a token for the user
[19:09] <kmalloc> explicitly scoped with roles assigned
[19:09] <kmalloc> so the token is for the issuing user_id
[19:09] <mnaser> ah so all requests will be identified as that user, so there won't really be the ability to know who-did-what
[19:09] <mnaser> damrn
[19:09] <kmalloc> yes.
[19:09] <mnaser> darn*
[19:09] <kmalloc> well you know the token was generated with the app_cred
[19:09] <kmalloc> (or should) and you know the token was used
[19:10] <mnaser> yeah but for example things like instance action logs log user_id and project_id but not token
[19:10] <kmalloc> so it should be doable to correlate, but that is getting into audit trails
[19:10] <kmalloc> yeah.
[19:11] <kmalloc> i would offer the other option is to allow the user to use an external LDAP or similar for user management
[19:11] <kmalloc> domain-specific-config.
[19:11] <mnaser> kmalloc: that was exactly my idea
[19:11] <mnaser> so good to have it validated
[19:11] <kmalloc> :)
[19:11] <mnaser> domain specific external ldap, my only concern is how roles are assigned
[19:11] <mnaser> i.e. i don't want them to give a role 'admin' to one of their users :-)
[19:11] <knikolla> in that case trusts?
[19:12] <mnaser> trusts implies that the other user already exists
[19:12] <knikolla> from the ldap store, yeah
[19:12] <mnaser> but the user can't create another user, because they don't have the ability to do that (no admin rights)
[19:12] <kmalloc> if you're using v3, grant them domain_admin and add a check in policy that ensures they have the role before they can assign it
[19:12] <kmalloc> i think i can help you come up with the check_str for policy.json for that
[19:13] <mnaser> i think the issue was having domain_admin could let you assign any roles to anyone so that was the concern at the time
[19:13] <kmalloc> nah, we could craft a special check_string to help with that
[19:13] <kmalloc> i've been deep in policy code lately, so give me a moment to see if we can do that easily
[19:14] <mnaser> that'd be pretty sweet if that was the case, i can imagine this being something a lot of people needing
[19:14] <kmalloc> it might already be part of our v3_cloud policy
[19:16] <kmalloc> mnaser: ah, we lean on domain-specific roles for this
[19:16] <mnaser> kmalloc: i'm thinking out loud -- ldap for identity, sql for assignment, give `foo` group _member_ role to project, and let them add users to said group without giving them access to assign roles
[19:16] <kmalloc> it'd be roles created with a domain=XXX
[19:17] <kmalloc> mnaser: that would be pretty straightforward as well
[19:17] <kmalloc> mnaser: it might actually be *easier* to manage.
[19:17] <kmalloc> because it doesn't involve creating domain-specific roles.
[19:17] <mnaser> yeah, they just have to add users to a certain group and voila
[19:17] <mnaser> the only thing is they are kinda part of the existing default domain
[19:17] <kmalloc> you could even simply make one group per role [if more than one role]
[19:18] <mnaser> so i'm not sure how easy it would be to handle that
[19:18] <kmalloc> well, as long as they are using v3 api, conversion is straightforward
[19:19] <kmalloc> add stuff to new domain, tell them to use new domain stuff / migrate and they can manage users.
[19:19] <mnaser> can a group in domain `foo` be given access to a project in domain `bar` ?
[19:19] <kmalloc> should be doable
[19:19] <kmalloc> i can't be 100% sure right this second though.
[19:20] <mnaser> so question is can role assignments span across domains?
[19:21] <kmalloc> they should be able to
[19:21] <kmalloc> i'm looking at the code now
[19:21] <kmalloc> but, the whole concept that a user is in domain X, and owned by Domain X, doesn't mean all projects user works on should be required to be in Domain X
[19:22] <kmalloc> i think the only case is for domain-specific roles
[19:22] <kmalloc> where those roles can only be added to projects within that domain.
[19:22] <kmalloc> but not limited to users owned by that domain
[19:23] <kmalloc> mnaser: looking at the code, i see no reason a grant cannot connect USER/GROUP from DOMAIN X to project in DOMAIN Y
[19:24] <mnaser> kmalloc: https://bugs.launchpad.net/keystone/+bug/1474284/comments/4 from 2015 seems to match
[19:24] <openstack> Launchpad bug 1474284 in OpenStack Identity (keystone) "Adding users from different domain to a group" [Medium,Invalid]
[19:25] <kmalloc> ++
[19:27] <kmalloc> knikolla: i had to buy a smaller CPU cooler :( the one I had blocked PCIE-1, so i couldn't install the RADEON PRO GPU
[19:28] <kmalloc> knikolla: apparently 140MM is just too large if I want to use all the PCIE slots =/
[19:28] <kmalloc> (stupid "not workstation" motherboard)
[19:29] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Do not log token string  https://review.openstack.org/592505
[19:40] *** jrist has quit IRC
[20:04] *** HW_Peter has joined #openstack-keystone
[20:07] *** HW-Peter has quit IRC
[20:13] *** pcaruana has joined #openstack-keystone
[20:36] *** r-daneel has quit IRC
[20:39] *** jrist has joined #openstack-keystone
[20:48] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert system (role) api to flask native dispatching  https://review.openstack.org/590588
[20:49] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Move json_home "extension" rel functions  https://review.openstack.org/591025
[20:49] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert OS-FEDERATION to flask native dispatching  https://review.openstack.org/591082
[20:49] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Refactor ProviderAPIs object to better design pattern  https://review.openstack.org/571955
[20:53] *** r-daneel has joined #openstack-keystone
[20:53] *** pcaruana has quit IRC
[21:09] *** ayoung has quit IRC
[21:11] *** mchlumsky has quit IRC
[21:29] *** mvkr has joined #openstack-keystone
[21:49] *** rcernin has joined #openstack-keystone
[21:54] *** itlinux has joined #openstack-keystone
[21:55] *** jrist has quit IRC
[22:14] *** harlowja has quit IRC
[22:20] *** edmondsw has quit IRC
[22:25] *** edmondsw has joined #openstack-keystone
[22:33] *** dklyle has joined #openstack-keystone
[22:53] *** raildo_ has joined #openstack-keystone
[22:53] *** raildo has quit IRC
[23:01] *** jrist has joined #openstack-keystone
[23:01] *** raildo_ has quit IRC
[23:53] *** gyee has quit IRC
[23:57] *** itlinux has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!