Thursday, 2018-09-20

*** gyee has quit IRC00:42
*** imacdonn has quit IRC00:49
*** yankcrime has quit IRC01:00
*** cloudnull has quit IRC01:00
*** tobias-urdin has quit IRC01:00
*** Guest58757 has joined #openstack-keystone01:03
*** imacdonn has joined #openstack-keystone01:09
*** imacdonn has quit IRC01:14
*** imacdonn has joined #openstack-keystone01:15
*** Dinesh_Bhor has joined #openstack-keystone02:04
*** hoonetorg has quit IRC02:04
*** hoonetorg has joined #openstack-keystone02:17
openstackgerritfupingxie proposed openstack/keystone master: Do not translate log messages.  https://review.openstack.org/60395302:23
*** Dinesh_Bhor has quit IRC03:11
*** Dinesh_Bhor has joined #openstack-keystone03:12
openstackgerritwangxiyuan proposed openstack/keystone master: Add hint back  https://review.openstack.org/60396403:28
*** sapd1_ has quit IRC03:45
*** sapd1 has joined #openstack-keystone03:45
*** Dinesh_Bhor has quit IRC03:50
vishakhawxy-xiyuan: Hello. Can you pl review this test case https://review.openstack.org/#/c/603539/04:05
ayoungvishakha, you know how to run just the pep8 tests?04:06
vishakhaayoung:  use command tox  -epep804:08
ayoungvishakha, yeah, get that test case to run clean pep, so it passes check04:09
ayoungvishakha, also, your new test fails04:09
ayoungSystemExit: Error while parsing rules /tmp/tmpzYxfG1/tmpJ35T2c: No JSON object could be decoded04:10
ayoungvishakha, http://logs.openstack.org/39/603539/1/check/openstack-tox-py27/ed2cc94/testr_results.html.gz    you can see the test results there.  Get the tests to pass and pep8 clean.  Most people won't bother reviewing a broken patch04:10
ayoungOK?04:10
vishakhaayoung: ok thanks for the response04:11
ayoungadriant, I'm sorry I missed that meeting. I'm not sure I understood correctly, but if you are doing rules like "don't allow if user has role noop" you are making a security hole.  With a trust (which all users can create) they can drop any role they have.04:12
ayoungand with that. I'm out.04:12
*** ayoung has quit IRC04:12
adriantbah, and he's gone before I can respond :P04:13
adriantthat isn't the point of the noop role, doing rules with "NOT role:noop" is a silly idea. Instead, just make all your policies require a role. No empty "auth'd only" policies.04:15
adriantso a noop role is really just a role that fulfils only empty policies (which you'd ensure there aren't many or any of them).04:15
adriantbut...04:15
adriantlbragstad, cmurphy: on the note of trusts and implied roles...04:16
adriantI assume a trust can't allow you to set a role you don't actually have, but are implied to have?04:16
adriante.g. I have reseller_member which implies member, can I make a trust for my user with just member?04:16
adriantif so, that's broken04:16
adriantbut I'd assume that doesn't work04:20
*** Dinesh_Bhor has joined #openstack-keystone04:46
*** jaosorior has quit IRC05:03
*** Guest58757 is now known as cloudnull05:32
*** shyamb has joined #openstack-keystone05:34
*** shyamb has quit IRC05:39
*** shyamb has joined #openstack-keystone05:48
*** shyamb has quit IRC06:03
*** shyamb has joined #openstack-keystone06:03
*** Dinesh_Bhor has quit IRC06:08
*** Dinesh_Bhor has joined #openstack-keystone06:15
*** jaosorior has joined #openstack-keystone06:25
*** Dinesh_Bhor has quit IRC06:38
*** belmoreira has joined #openstack-keystone06:39
wxy-xiyuanvishakha: lol, like ayoung said, please let the CI pass first. If you have problem about that, please let me know again. :)06:42
*** Dinesh_Bhor has joined #openstack-keystone06:42
*** shyamb has quit IRC06:55
openstackgerritwangxiyuan proposed openstack/keystone master: Add hint back  https://review.openstack.org/60396406:59
openstackgerritVishakha Agarwal proposed openstack/keystone master: Adding test case for MappingEngineTester  https://review.openstack.org/60353907:01
*** rcernin has quit IRC07:02
openstackgerritTao Li proposed openstack/keystone master: Use uuidutils instead of uuid.uuid4()  https://review.openstack.org/60354207:03
vishakhawxy-xiyuan: yes it is not cleared yet. Uploaded a new patch for it.07:03
*** shyamb has joined #openstack-keystone07:08
*** Dinesh_Bhor has quit IRC07:39
*** shyamb has quit IRC07:41
*** shyamb has joined #openstack-keystone07:41
*** Dinesh_Bhor has joined #openstack-keystone07:49
*** Dinesh_Bhor has quit IRC07:54
*** shyamb has quit IRC07:59
*** Dinesh_Bhor has joined #openstack-keystone08:01
*** jaosorior has quit IRC08:12
*** yankcrime has joined #openstack-keystone08:17
*** nick_kar has quit IRC08:29
*** nick_kar has joined #openstack-keystone08:30
*** shyamb has joined #openstack-keystone08:34
*** jaosorior has joined #openstack-keystone08:58
*** Dinesh_Bhor has quit IRC09:01
*** Tahvok has left #openstack-keystone09:19
*** Dinesh_Bhor has joined #openstack-keystone09:19
*** tobias-urdin has joined #openstack-keystone09:35
*** belmoreira has quit IRC09:38
*** jaosorior has quit IRC09:53
*** jlvillal has quit IRC09:54
*** jlvillal has joined #openstack-keystone09:54
*** shyamb has quit IRC09:59
*** pcaruana has joined #openstack-keystone10:04
*** Dinesh_Bhor has quit IRC10:13
*** Dinesh_Bhor has joined #openstack-keystone10:15
*** Dinesh_Bhor has quit IRC10:16
*** shyamb has joined #openstack-keystone10:17
*** pgaxatte has quit IRC10:35
*** jlvillal has quit IRC10:50
*** jlvillal has joined #openstack-keystone10:53
*** belmoreira has joined #openstack-keystone10:57
*** jaosorior has joined #openstack-keystone10:58
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver  https://review.openstack.org/60403811:06
*** shyamb has quit IRC11:12
*** shyamb has joined #openstack-keystone11:12
*** pcaruana has quit IRC11:15
*** shyamb has quit IRC11:16
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver  https://review.openstack.org/60403811:16
*** pcaruana has joined #openstack-keystone11:20
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver  https://review.openstack.org/60403811:23
*** pcaruana has quit IRC11:32
*** pcaruana has joined #openstack-keystone11:39
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver  https://review.openstack.org/60403811:40
*** mattgo has joined #openstack-keystone11:47
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver  https://review.openstack.org/60403811:48
*** pcaruana has quit IRC11:50
*** shyamb has joined #openstack-keystone11:57
*** jdennis has quit IRC12:18
*** aloga has quit IRC12:35
*** aloga has joined #openstack-keystone12:36
lbragstado/12:52
*** raildo has joined #openstack-keystone12:58
*** shyamb has quit IRC13:07
*** shyamb has joined #openstack-keystone13:07
*** shyamb has quit IRC13:23
*** jistr is now known as jistr|call13:32
*** jdennis has joined #openstack-keystone14:04
samueldmqo/14:27
samueldmqcmurphy: hi, sorry for late reply14:27
samueldmqcmurphy: applications are now open (since yesterday) and new projects can be submitted any time until October 9th according to the last agenda I have14:28
samueldmqcmurphy: I will update the info in that link, thanks!14:28
*** jistr|call is now known as jistr14:34
gagehugosamueldmq o/15:02
*** dklyle has joined #openstack-keystone15:04
*** etp has joined #openstack-keystone15:05
*** dave-mccowan has quit IRC15:25
*** dave-mccowan has joined #openstack-keystone15:31
*** mattgo has quit IRC15:39
kmallocadriant: sounds like something keystone specific. What is the point of noop in Nova?15:45
kmallocadriant: if it is just to setup things like mfa, we can do it as a system-scope, and I can modify our enforcer for some calls.15:46
kmallocadriant: and a system scope without role, should be sufficient for that. (aka non escalated permissions, but not project scoped)15:46
kmallocGenerally I don't like an explicit or implicit noop role.15:47
kmallocI generally want to downplay unscoped tokens anyway with the advent of system scope.15:48
*** gyee has joined #openstack-keystone15:58
*** mattgo has joined #openstack-keystone16:58
knikollao/17:20
knikollatoday is one of those meeting after meeting days :(17:20
*** dave-mccowan has quit IRC17:44
*** dave-mccowan has joined #openstack-keystone17:46
gagehugoknikolla: yup17:47
knikollagagehugo: did you get my nintendo friend request?17:49
gagehugoyup!17:49
*** mattgo has quit IRC18:01
samueldmqgagehugo: o/18:50
*** raha has joined #openstack-keystone19:07
rahaCould anyone recommend me a good book about RESTful API?19:08
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Add docs for developers testing APIs  https://review.openstack.org/60419219:09
*** belmoreira has quit IRC19:35
* raha 19:36
openstackgerritKristi Nikolla proposed openstack/keystone-specs master: [DRAFT] Refreshable Application Credentials  https://review.openstack.org/60420119:49
* knikolla considers renewable vs refreshable19:52
*** raha has quit IRC20:19
*** raildo has quit IRC21:02
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scope_type checking for credentials  https://review.openstack.org/59454721:30
openstackgerritLance Bragstad proposed openstack/keystone master: Remove obsolete credential policies  https://review.openstack.org/59718721:30
lbragstadzuul's gettin' a workout today21:44
* lbragstad hands zuul a bottle of water and a towel21:44
lbragstadthat credentials patch should pass 100% now21:52
lbragstadneeded to redo a couple tests21:52
lbragstadbut it should be good to review21:52
*** DinaBelova has quit IRC22:04
*** DinaBelova has joined #openstack-keystone22:06
adriantkmalloc: did you by chance read the email I sent to follow up for Adam?22:14
cmurphythanks samueldmq22:14
adriantThe use case we have right now that customers are asking for: "I have a backup project, and I want to create a container per person, and give them access only to that container. They need to be able to auth, and scope to that project, but not do anything else in it other than see their own container." To achieve this is part Keystone's auth with roles, and part Swift ACLs. But with nova and other services having rules that amount to: "any role on a project lets you access all project resources" that makes it hard.22:18
adrianthttps://github.com/openstack/nova/blob/master/nova/policies/base.py#L31< is the default style role for Nova, and from memory, most of the other projects do it much the same22:20
adriantand glance: https://github.com/openstack/glance/blob/master/etc/policy.json which I assume then does per project filtering in code (and likely has hardcoded checks for is_admin?).22:22
adriantThe issue is that any new roles created, by default when assigned to a project, give a user full access to all project resources.22:22
adriantso what the role is doesn't matter beyond is the role admin22:23
adriantyeah, admin_or_owner is pretty much the norm: https://github.com/openstack/cinder/blob/master/cinder/policies/base.py#L2722:25
*** spsurya has quit IRC22:48
*** david-lyle has joined #openstack-keystone22:49
*** spsurya has joined #openstack-keystone22:50
*** dklyle has quit IRC22:51
*** rcernin has joined #openstack-keystone22:53
*** andreykurilin has quit IRC23:34
*** andreykurilin has joined #openstack-keystone23:35
*** rcernin has quit IRC23:36
*** rcernin has joined #openstack-keystone23:36
*** gyee has quit IRC23:41
