Wednesday, 2018-09-26

*** stewie925 has joined #openstack-keystone00:21
stewie925hey guys i have a question/ issue about keystone roles and tenants00:22
*** felipemonteiro has joined #openstack-keystone00:24
*** mbeierl has quit IRC00:29
lbragstadstewie925 what's up?00:39
stewie925hi lbragstad00:42
stewie925let me post it in paste and share the link - very strange00:42
stewie925lbragstad: here it is :  paste.openstack.org/show/73091000:44
lbragstadand this is just a basic devstack installation?00:46
stewie925um yeah00:46
lbragstadwhat's the outcome you're expecting?00:46
stewie925I'm expecting that the policy would see the role:admin  under tenant admin00:47
stewie925lines 3 and 4 of the log show Checking against policy role:admin  - role check result: True00:48
stewie925but 5 and 6 say Checking tenant:admin - Tenant check result: False.00:49
lbragstadok00:49
lbragstadso you have a custom policy that you're testing this against?00:49
stewie925yes I do00:49
stewie925let me get it00:50
stewie925lbragstad: here it is :  paste.openstack.org/show/73091200:53
lbragstadand this is with master?00:54
stewie925master?00:55
lbragstadwhat version of keystone are you using?00:55
stewie925version 300:55
lbragstadok - cool00:55
lbragstadwhat release?00:55
stewie925here is my openstack role assignment list results -  paste.openstack.org/show/73091300:56
stewie925sorry how do i check the release00:56
stewie925I ran pip freeze and grepped keystone - it shows:  keystoneauth1==2.18.000:57
*** felipemonteiro has quit IRC00:57
lbragstadno worries00:57
lbragstadyou might want to try referencing project instead of tenant00:57
stewie925it's strange cause my other teammate ran and he passed the policy check00:58
stewie925we compared notes and we did the same :(00:58
lbragstadstrange00:59
lbragstadwe renamed tenant -> project a long time ago00:59
stewie925ahhh00:59
lbragstadbut we do have some documentation in oslo.policy that goes through how some of this works nge cause m00:59
lbragstadbag... bad paste00:59
lbragstadhttps://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html01:00
*** mbeierl has joined #openstack-keystone01:01
stewie925lbragstad:  thank you - let me check01:04
*** wxy-xiyuan has joined #openstack-keystone01:05
*** Dinesh_Bhor has joined #openstack-keystone01:23
lbragstad#endmeeting01:36
*** openstack changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"01:36
openstackMeeting ended Wed Sep 26 01:36:47 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)01:36
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-09-25-17.03.html01:36
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-09-25-17.03.txt01:36
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-09-25-17.03.log.html01:36
*** stewie925 has quit IRC01:40
*** Dinesh_Bhor has quit IRC02:02
*** adriant has quit IRC02:05
ayoungkmalloc, how do I provider?02:08
ayoungI want to have the shadow_users backend call the id_generator provider02:08
ayoungand not hard code it02:08
kmallocsec,02:11
*** Dinesh_Bhor has joined #openstack-keystone02:11
kmallocayoung: you can reference the id generator at keystone.common.provider_apis.ProviderAPIs02:12
kmallocsee https://github.com/openstack/keystone/blob/master/keystone/identity/generator.py#L3302:12
kmallocit automatically registers the manager as a provider here with the manager code02:13
kmallochttps://github.com/openstack/keystone/blob/master/keystone/server/backends.py#L5302:13
kmallocso you can just call it the same as you do from the other places that use it02:14
*** adriant has joined #openstack-keystone02:14
kmallocayoung: it's designed to be as centralized and automatic as reasonably possible02:14
*** adriant has quit IRC02:15
ayoungkmalloc, like this02:15
ayoungPROVIDERS = provider_api.ProviderAPIs02:15
ayoungand then02:15
ayoung public_id = PROVIDERS.id_mapping_api.get_public_id(local_entity)02:16
kmallocyep02:17
kmallocthat is it02:17
ayoungtests fail like this02:17
*** adriant has joined #openstack-keystone02:17
ayoungholdon type02:17
ayoungtypo02:17
ayoungI think I need some sort of setup in the tests02:19
kmallocthe restful testcase should stand up the providers02:19
kmallocbut if you're doing it in isolation, yes you'll need to do the backends.setup02:19
kmallocetc02:19
kmallockeystone.server.backends bit02:19
kmalloc(and cleanup)02:19
ayoungkmalloc, is this the norm?  https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_shadow_users.py#L5102:22
kmalloci... i think that is the norm02:23
ayoungso I am running tox -e py35 -- keystone.tests.unit.test_shadow_users02:23
ayoungand that looks like it should be setting up the providers02:23
kmallocit looks like it should02:24
kmallocwhat is the issue you're seeing?02:24
ayoungno userid generated02:24
ayoungI think it is getting a None or something like that02:24
kmalloci'll bet we're doing something stupid in the id generator02:24
kmallocsec02:24
ayoung b"sqlalchemy.exc.SAWarning: Column 'user.id' is marked as a member of the primary key for table 'user', but has no Python-side or server-side default generator indicated, nor does it indicate 'autoincrement=True' or 'nullable=True', and no explicit value is passed.  Primary key columns typically may not store NULL."02:25
kmalloclike... 99% sure we are02:25
kmallocyep02:26
kmallochttps://github.com/openstack/keystone/blob/master/keystone/identity/mapping_backends/sql.py#L5502:26
kmallocso basically you're getting a None because nothing was created02:26
kmallocor well... nothing was created that a "get" works on02:27
kmallocayoung: oh wait02:27
kmallocayoung: are you using .get_public_id?02:27
kmallocayoung: because... creation is explicit and create will return the id if it exists02:28
ayoungyes02:28
kmallocthe simplest solution is to always call create, unless you *know* you need to do a get02:28
kmallocso a get doesn't create the record02:28
kmallocah02:28
kmallocand you are doing a generate explicitly.02:29
kmalloci think?02:29
kmallocis the code posted / in a paste so i can see?02:29
ayoungpublic_id = PROVIDERS.id_generator_api.generate_public_ID(local_entity)02:30
ayoungThat worked02:30
kmallocright02:30
kmallocand it should02:30
ayoungyeah, I was calling the wrong provider02:30
kmallocaha02:31
kmalloc:)02:31
ayoungwe don't want the mapped backend02:31
kmallocwell then.02:31
*** adriant has quit IRC02:31
kmallocyeah that'll do it02:31
ayoungthat seems like, well, a lot of code there02:31
kmallocyes. and it should be ... minimized/cleaned up02:31
kmalloci think we can ultimately remove that pivot point and eliminate the "mapped" bit02:31
kmallocand just use a known hashing mechanism02:31
ayoungwell, there is the likelihood that someone is still running the LDAP backend, and not SQL02:31
ayoungand thus need that code to munge their user data if they do go to sql, right?02:32
kmallocyes and a "id alias" mechanism02:32
kmallocso old ldap DN (bad) ids work still02:32
ayounglike, that whole "old style userids" from LDAP-does-cname dumbness that I wrote02:32
kmallocyeh02:32
kmallocbut doable02:32
kmallocwouldn't be too terrible02:33
kmallocwe can revisit that cleanup soon(ish)02:33
ayoungOK, I'll have an updated patch here shortly02:35
ayoungrunning the tests, but Zuul seems to be stuck02:35
openstackgerritayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users  https://review.openstack.org/60516902:41
ayoungthat should look a little better02:42
kmalloc=/02:42
openstackgerritVishakha Agarwal proposed openstack/python-keystoneclient master: create() call in v3.regions.py is wrong  https://review.openstack.org/59492102:42
kmallocfor the stuck zuul02:42
kmallocayoung: looks good, needs a release note, and an in-line comment that would be nice to have a TODO/comment regarding the "this is an exception to the 'don't call providers from drivers'" general rule.02:47
kmallocayoung: but as long as things aren't broken test wise, this is a good direction forward.02:48
*** imacdonn has quit IRC02:50
*** imacdonn has joined #openstack-keystone02:50
*** felipemonteiro has joined #openstack-keystone03:02
*** adriant has joined #openstack-keystone03:07
ayoungkmalloc, Thanks.03:09
*** felipemonteiro has quit IRC03:19
*** dave-mccowan has joined #openstack-keystone03:46
*** itlinux has joined #openstack-keystone03:56
*** felipemonteiro has joined #openstack-keystone04:06
*** pcaruana has joined #openstack-keystone04:14
*** shyamb has joined #openstack-keystone04:26
*** shyamb has quit IRC04:31
*** shyamb has joined #openstack-keystone04:34
*** pcaruana has quit IRC04:38
*** Dinesh_Bhor has quit IRC04:47
*** Dinesh_Bhor has joined #openstack-keystone04:54
vishakhawxy-xiyuan: HI, For Patch https://review.openstack.org/#/c/603539/04:59
vishakhawxy-xiyuan: Facing some error with python3. http://logs.openstack.org/39/603539/5/check/openstack-tox-py36/e81c9fc/testr_results.html.gz05:00
*** shyamb has quit IRC05:28
*** shyamb has joined #openstack-keystone05:36
*** dave-mccowan has quit IRC05:39
*** mbeierl has quit IRC05:43
*** pcaruana has joined #openstack-keystone05:43
*** felipemonteiro has quit IRC05:50
*** jistr has quit IRC05:55
*** jistr has joined #openstack-keystone05:56
*** blake has joined #openstack-keystone06:08
*** shyamb has quit IRC06:09
*** shyamb has joined #openstack-keystone06:11
wxy-xiyuanvishakha: looking.06:35
*** shyamb has quit IRC06:38
*** blake has quit IRC06:39
*** blake has joined #openstack-keystone06:40
*** qinglin has joined #openstack-keystone06:43
*** blake has quit IRC06:45
*** shyamb has joined #openstack-keystone06:58
*** rcernin has quit IRC07:02
*** qinglin has quit IRC07:03
*** Dinesh_Bhor has quit IRC07:15
wxy-xiyuanvishakha: "open" is different between py2 and py3. jsonutils.load can't work with "open" in py3 by default. https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L102207:24
wxy-xiyuanchange this line to: with open(path, "rb") as file:07:25
*** shyamb has quit IRC07:29
*** shyamb has joined #openstack-keystone07:35
*** shyamb has quit IRC07:45
*** rcernin has joined #openstack-keystone07:56
vishakhawxy-xiyuan:ok.  thanks07:58
*** Dinesh_Bhor has joined #openstack-keystone07:58
*** Emine has joined #openstack-keystone08:17
*** shyamb has joined #openstack-keystone08:26
*** jistr has quit IRC08:30
*** jistr has joined #openstack-keystone08:31
*** Dinesh_Bhor has quit IRC09:03
*** rcernin has quit IRC09:16
*** a-pugachev has joined #openstack-keystone09:18
*** Dinesh_Bhor has joined #openstack-keystone09:28
*** shyamb has quit IRC09:51
*** shyamb has joined #openstack-keystone10:04
*** Dinesh_Bhor has quit IRC10:10
*** shyamb has quit IRC10:16
*** Dinesh_Bhor has joined #openstack-keystone10:16
*** Dinesh_Bhor has quit IRC10:18
*** felipemonteiro has joined #openstack-keystone10:49
*** shyamb has joined #openstack-keystone10:55
*** felipemonteiro has quit IRC10:56
*** pcaruana has quit IRC11:15
*** pooja-jadhav is now known as pooja_jadhav11:33
openstackgerritColleen Murphy proposed openstack/keystone master: Add python3 functional test job  https://review.openstack.org/60540311:39
*** raildo has joined #openstack-keystone11:51
*** shyamb has quit IRC11:55
*** shyamb has joined #openstack-keystone12:00
*** aojea_ has joined #openstack-keystone12:29
*** blake has joined #openstack-keystone12:42
*** blake has quit IRC12:47
*** shyamb has quit IRC12:49
*** mbeierl has joined #openstack-keystone13:09
openstackgerritVishakha Agarwal proposed openstack/keystone master: Adding test case for MappingEngineTester  https://review.openstack.org/60353913:20
ayoungvishakha, when submitting a patch, it helps to add reviewers13:36
ayoungyou can always add me13:36
vishakhaayoung: Thanks. I will  take care of this from next time.13:37
ayoungvishakha, why did you need to change the code-under-test as well as adding the test?13:37
vishakhaayoung: also added you.13:37
vishakhaayoung: this class mappingtestengine was not having any unit test cases. Thus added those.13:38
ayoungI like what you have so far.  I think we need to talk about what we should actually be checking.  This test is good, in that it ensures the code runs without raising an exception, but we also should be looking at correctness13:38
ayoungI think I filed that bug...13:39
ayounghttps://bugs.launchpad.net/keystone/+bug/1782197  :)13:39
openstackLaunchpad bug 1782197 in OpenStack Identity (keystone) "Mapping Engine Tester is untested" [Medium,In progress] - Assigned to Vishakha Agarwal (vishakha.agarwal)13:39
ayoungAnd thank you for taking it13:39
vishakhaayoung: thanks for the appreciation13:39
ayoungvishakha, I assume you needed to change the CLI code to make it testable.  Is that right?13:40
ayoung with open(path, "rb")13:40
ayoungand13:40
ayoungassertion = self.assertion.splitlines()13:40
vishakhaayoung: It wasn't compatible with python3.13:41
ayoungvishakha, excellent.  Can you add that to the commit message?  It is a big point13:41
vishakhaayoung: yes sure. I will update commit message13:41
ayoungvishakha, what is with the file writing in the test itself? Was that just for debugging?13:43
ayoung file = os.path.join(temp_dir.path, 'sample1.txt')13:43
ayoung        with open(file, 'w') as f:13:43
ayoung            f.write("\n")13:43
ayoung            f.write("UserName: me\n")13:43
ayoung            f.write("Email: me@example.com;you@example.com\n")13:43
vishakhaayoung: yes just the sample file input13:43
vishakhaayoung: to ensue mapping is happening13:44
vishakha*ensure13:44
ayoungvishakha, in the future, you can use pdb instead13:44
ayoungor rpdb if necessary13:44
ayoungOh, wait13:45
*** lbragstad has quit IRC13:45
ayoungso, no, that is not just for debugging.  The CLI needs to read an actual file...13:45
vishakhaayoung: yes cli reads an actual file13:46
*** lbragstad has joined #openstack-keystone13:50
*** ChanServ sets mode: +o lbragstad13:50
ayoungvishakha, good start.  Let me know if you have questions on my review comments.13:50
vishakhaayoung: sure. Let me check the comments.13:50
vishakhaayoung: I understood the comments. will get back to you after a patch update13:52
vishakhaayoung: thanks13:53
ayoungvishakha, thank you.  I think you are going to be a very valuable contributor moving forward.  Glad to have you aboard.13:53
cmurphy+113:53
vishakhaayoung, cmurphy Glad too :)13:54
lbragstad++13:57
ayounglbragstad, I'm going to open bugs for the features I am working on.  It will give us something to track, but lighter than specs13:59
ayoungfeel free to tag them as wishlist14:00
ayoungor I will14:00
openstackgerritayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users  https://review.openstack.org/60516914:09
openstackgerritayoung proposed openstack/keystone master: Allow an explicit_domain_id parameter when creating a domain  https://review.openstack.org/60523514:15
openstackgerritayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users  https://review.openstack.org/60516914:18
ayoungcmurphy, thanks for the catch.  I updated the bug references14:20
cmurphyayoung: np14:20
cmurphyi happened to be scanning the bug list this afternoon and noticed that was familiar14:21
ayoungI added Steve Martinelli to the review just for nostalgia.14:22
cmurphyhaha :'(14:22
lbragstadhttps://twitter.com/CorinBragstad/status/104040688984514560014:30
lbragstadmake it so - please make it so14:31
ayounglbragstad, "Dad in a month" was posted about 2 weeks ago.  You in the "any day now" mode?14:36
lbragstadi'm on pins and needles...14:37
lbragstadif that's what you're asking :)14:37
ayounglbragstad, best of luck.  It is a magical time.  You do the best code reviews when sleep deprived.14:37
lbragstadapparently, our doctor said that she wouldn't be surprised if we went this week14:38
* lbragstad has been shopping for coffee subscriptions 14:38
lbragstadhrybacki do you use apple music?14:45
hrybackilbragstad: no -- I'm a 'Google Play' kinda guy14:46
lbragstadahh14:46
cmurphygoogle play ftw14:48
cmurphyhttps://review.openstack.org/602452 is ready to go, i checked it's running the right tests14:54
cmurphygagehugo: ^14:57
*** pcaruana has joined #openstack-keystone15:01
ayoungkmalloc, you awake yet?15:17
ayounghrybacki, https://bugs.launchpad.net/keystone/+bug/1794552  thanks15:23
openstackLaunchpad bug 1794552 in OpenStack Identity (keystone) "Flaskification broke ECP" [Undecided,New] - Assigned to Morgan Fainberg (mdrnstm)15:23
lbragstadayoung i think kmalloc's schedule is going to be hit or miss this week15:23
ayoungknikolla, I think your federation integration tests just showed a real error. ^^15:23
hrybackithanks ayoung -- and thanks knikolla :)15:25
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scope_type checking for credentials  https://review.openstack.org/59454715:29
ayounghrybacki, it is probably a Python 3 specific issue.  I wonder if we could trigger that from a unit test15:35
kmallocayoung: I am, but doctor appointment15:35
ayoungGood luck15:35
kmallocI'll be around later today15:36
kmallocAnd I will be out most of Friday15:36
kmallocTomorrow is pretty much down time. This week has been really busy.15:36
aningcmurphy: A very detailed question, in my ECP SP setup, I do an openstack --debug ... image list, it works. But in the screen log show a GET request that seems to return an unscoped token. Is this correct?15:37
aningcmurphy: http://devstack-sp2.wrs.com:80 "GET /identity/v3/OS-FEDERATION/identity_providers/testidp/protocols/saml2/auth HTTP/1.1" 201 44215:37
aningRESP: [201] Connection: close Content-Length: 442 Content-Type: application/json Date: Wed, 26 Sep 2018 15:22:40 GMT Server: Apache/2.4.18 (Ubuntu) Vary: X-Auth-Token X-Subject-Token: {SHA1}c0d3d8be1a0d9286e454ab556e44f8b4867c4eb6 x-openstack-request-id: req-67f0792b-5d37-46b5-ba3f-f2fd81dd85cf15:37
aningRESP BODY: {"token": {"issued_at": "2018-09-26T15:22:40.000000Z", "audit_ids": ["HkfdmqGtRzulbbaEzsMchw"], "methods": ["saml2"], "expires_at": "2018-09-26T16:22:40.000000Z", "user": {"OS-FEDERATION": {"identity_provider": {"id": "testidp"}, "protocol": {"id": "saml2"}, "groups": [{"id": "b50d76b5767646f18ad1bb8b9fec293c"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "bc7be976bb8e4d8a986f67bb711fa372", "name": "myself@testshib.org"15:37
aning}}}15:37
aningGET call to http://devstack-sp2.wrs.com/identity/v3/OS-FEDERATION/identity_providers/testidp/protocols/saml2/auth used request id req-67f0792b-5d37-46b5-ba3f-f2fd81dd85cf15:37
kmallocayoung: I've been battling federation stuff in flask because a) the test is somewhat flakey, and b) not voting.15:37
ayoungkmalloc, does that bug report help?15:38
kmallocSure. Mostly I'll be looking at our integration tests as well15:38
ayoung{"self": "http://149.202.181.254/identity/v3/OS-FEDERATION/identity_providers/<string:idp_id>/protocols/mapped",15:38
kmallocUnit tests are hard for this.15:38
cmurphyaning: best to use http://paste.openstack.org/ to paste debug output15:38
kmallocIf it is just a link issue15:38
kmallocLinks are a Trainwreck in keystone.15:39
kmallocThat is easy to fix.15:39
ayounganing, yes a federated token probably should be unscoped, and then converted to a scoped token15:39
cmurphyaning: i think that's correct, authing with federation is slightly roundabout because you have to request an unscoped token to auth and then use that to request a scoped token to authz15:39
kmallocayoung: I'll get on that bug once I am home.15:40
aningI've never known we could use a GET to request a token ... We always get a token (unscoped or scoped) with POST ...15:41
cmurphyaning: it works because that auth endpoint is protected by the apache sp mod, apache will require you to go through the auth process before it lets you through to keystone15:43
aningcmurphy: I've pasted the log snapshot of the first few steps in the request at http://paste.openstack.org/show/730951/15:44
*** dklyle has joined #openstack-keystone15:45
aningSo it's a GET->POST->POST->GET, the last GET returns an unscoped token.15:45
aningcmurphy: do you see anything that is incorrect there?15:47
cmurphyaning: sorry i'm in another meeting, let me look in a few minutes15:48
aningcmurphy: oh sorry for that ...15:48
cmurphyaning: but if it works i wouldn't be too suspicious of it ;)15:48
aningcmurphy: yeah, I was just curious about the messaging flow ...15:49
*** aojea_ has quit IRC15:55
*** eglute has joined #openstack-keystone15:56
*** aojea has joined #openstack-keystone15:56
*** dave-mccowan has joined #openstack-keystone16:00
cmurphyaning: that looks right to me, it has to try to GET the auth endpoint to initiate the process, then goes to the idp to auth, then comes back to the sp with the saml response and then finally gets a token16:07
*** blake has joined #openstack-keystone16:09
aningcmurphy: Thanks!16:10
*** Emine has quit IRC16:16
*** a-pugachev has quit IRC16:23
*** blake has quit IRC16:28
*** blake has joined #openstack-keystone16:28
*** blake has quit IRC16:29
*** dave-mccowan has quit IRC16:49
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/60548516:49
openstackgerritLance Bragstad proposed openstack/keystone master: Make policy file support in fixture optional  https://review.openstack.org/59527917:33
openstackgerritLance Bragstad proposed openstack/keystone master: Move loadapp to a generic place  https://review.openstack.org/59537117:33
openstackgerritLance Bragstad proposed openstack/keystone master: Add test case for expanding implied roles in system tokens  https://review.openstack.org/59635617:33
openstackgerritLance Bragstad proposed openstack/keystone master: Expand implied roles in system-scoped tokens  https://review.openstack.org/59635717:33
openstackgerritLance Bragstad proposed openstack/keystone master: Loosen the assertion for logging scope type warnings  https://review.openstack.org/59718617:33
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scope_type checking for credentials  https://review.openstack.org/59454717:34
openstackgerritLance Bragstad proposed openstack/keystone master: Remove obsolete credential policies  https://review.openstack.org/59718717:34
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/60548517:34
openstackgerritLance Bragstad proposed openstack/keystone master: Update auto-provisioning example to use reader  https://review.openstack.org/60549617:57
openstackgerritColleen Murphy proposed openstack/keystone master: Convert legacy functional jobs to Zuul-v3-native  https://review.openstack.org/60245218:10
openstackgerritColleen Murphy proposed openstack/keystone master: Add python3 functional test job  https://review.openstack.org/60540318:10
*** pcaruana has quit IRC18:24
*** lbragstad has quit IRC18:24
*** lbragstad has joined #openstack-keystone18:25
*** ChanServ sets mode: +o lbragstad18:25
openstackgerritLance Bragstad proposed openstack/keystone master: Enable Foreign keys for sql backend unit test  https://review.openstack.org/55802918:34
openstackgerritLance Bragstad proposed openstack/keystone master: Enable foreign keys for unit test  https://review.openstack.org/55819318:34
openstackgerritLance Bragstad proposed openstack/keystone master: Make policy file support in fixture optional  https://review.openstack.org/59527918:34
openstackgerritLance Bragstad proposed openstack/keystone master: Move loadapp to a generic place  https://review.openstack.org/59537118:34
openstackgerritLance Bragstad proposed openstack/keystone master: Add test case for expanding implied roles in system tokens  https://review.openstack.org/59635618:34
openstackgerritLance Bragstad proposed openstack/keystone master: Expand implied roles in system-scoped tokens  https://review.openstack.org/59635718:34
openstackgerritLance Bragstad proposed openstack/keystone master: Loosen the assertion for logging scope type warnings  https://review.openstack.org/59718618:34
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scope_type checking for credentials  https://review.openstack.org/59454718:34
openstackgerritLance Bragstad proposed openstack/keystone master: Remove obsolete credential policies  https://review.openstack.org/59718718:34
hrybackidang lbragstad18:58
hrybackiyou have like 60 fingers or something?18:59
openstackgerritJim Rollenhagen proposed openstack/keystone master: Fix command to verify role removal in docs  https://review.openstack.org/60550919:03
jroll^ super easy one :)19:03
*** dave-mccowan has joined #openstack-keystone19:05
lbragstadi only need ~5 to type `git review -x`19:07
hrybackilol19:09
openstackgerritayoung proposed openstack/keystone-specs master: Federated Query APIs  https://review.openstack.org/31360419:10
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/60548519:18
*** Emine has joined #openstack-keystone19:26
*** jdennis has quit IRC19:41
cmurphyhttps://cloudblog.switch.ch/2018/09/26/enable-keystone-federated-users-to-use-cli-tools-with-application-credentials/19:54
openstackgerritayoung proposed openstack/keystone-specs master: Federated Query APIs  https://review.openstack.org/31360419:54
ayoungcmurphy, thanks for posting that19:55
lbragstadcmurphy nice!19:56
kmallocayoung: app-creds should work in KSM as long as we tell KSM to use the app-cred auth plugin19:58
kmallocayoung: so, looks like the change is simply needed in triple-o19:59
kmallocyay for KSM being not terrible.19:59
*** bnemec has quit IRC20:10
*** evrardjp has joined #openstack-keystone20:11
*** jdennis has joined #openstack-keystone20:13
*** bnemec has joined #openstack-keystone20:15
*** raildo has quit IRC20:36
*** aojea has quit IRC21:01
kmallocayoung: i should (shortly) have a fix for that fed bug21:27
*** blake has joined #openstack-keystone21:29
ayoungkmalloc, excellent.  If we get those tests green, we should consider making them voting21:31
openstackgerritayoung proposed openstack/keystone master: Added keystone identity provider installation to Devstack plugin  https://review.openstack.org/48412121:34
ayoungkmalloc, can we do openstackid for openidc Federation testing?21:35
kmallocwell not really21:38
kmallocanything we do needs to not be external.21:38
kmallocbasically we need to standup a provider for the test case and use that21:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/60548521:38
openstackgerritLance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement  https://review.openstack.org/60553921:38
kmallocif it is an external service we run the risk of breaking the tests because external service is down21:38
lbragstad^ kmalloc curious if you have thoughts on using oslo.context directly there21:40
*** dklyle has quit IRC22:02
kmallochmm22:05
lbragstadthat patch is going to fail tests22:19
lbragstadbut22:19
lbragstadthe idea would be to try and set a precedent for how we can do enforcement uniformly across projects22:19
lbragstad1. use requests objects to build an instance of RequestContext 2.) pass that to oslo.policy for enforcement22:20
kmalloci'm fine with that change22:21
kmalloci'd do it as a two step22:21
kmalloc1) enhance oslo.policy to allow for context to be passed (optionally) instead of creds.22:21
kmalloc2) fix RBACEnforcer to do so22:22
lbragstadhttps://review.openstack.org/#/c/578995/22:22
kmallocnow that is the auth context not just the oslo-context.22:22
kmallocso, you're going to have to do some hoop jumping in keystone to have a common place for auth context data to live22:23
kmallocright now it's something we've implemented on top of everything else22:23
lbragstadhttps://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L804-L80622:23
lbragstadyeah - we also do this weird thing where we put the entire token reference in the creds dictionary22:23
kmallocyep.22:24
kmallocwhich is broken22:24
kmallocwe also do wonky things with the subject token22:24
kmalloc*sigh* Synergy doesn't work with Wayland =/22:25
kmallocthat makes my workflow less "fun"22:25
lbragstadyou mean the app that lets you use the same peripheral devices across computers on the same network?22:25
kmallocyep22:25
lbragstadnice22:26
kmalloci was going to run it for my workstation. but workstation uses Wayland22:26
kmallocso synergy is... broken.22:26
kmallocthe mouse pointer doesn't actually render moved22:27
kmallocbut the pointer location does move22:27
kmallocand they moved to a pay-for-software model :(22:27
kmallocit's annoying22:27
lbragstadwayland did?22:27
kmallocno synergy22:27
kmallocwayland replaces xorg22:27
lbragstadoh22:30
* lbragstad just read the wayland faq22:30
kmallocit's the new tech22:30
kmallochehe22:30
kmallocyeah22:30
kmallocwayland is good stuff22:30
lbragstadinteresting22:30
lbragstadso - i wonder if we can rewrite policies that rely on tokens for comparisons22:31
lbragstador rely on them in the check strings, specifically22:31
kmallocsooooooo22:31
kmallocthis is where our policy DSL is... not so great22:31
kmallocbecause remember everything before the : is a direct lookup in the creds dict22:32
lbragstadwhich :22:32
kmallocexample: "user_id:%(user_id)s"22:32
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/policies/base.py#L2322:32
lbragstadoh - sure22:33
lbragstadok22:33
kmallocthat means compare creds['user_id'] with '%(user_id)s' % target_dict22:33
kmallocthe reason for the whole token ref living in creds is because of silly things we used to do22:33
lbragstadyeah - so token.project.domain.id is ultimately a check string that has been hardcoded to the api contract for v3 tokens22:34
kmallocyep22:34
lbragstadwhen - correct me if i'm wrong22:34
lbragstadwe really should have just made that a hardcoded check as business logic?22:34
kmallocmaybe22:34
lbragstador - i suppose we could do22:35
kmallocmore likely, that should have been 'project.domain_id' and the creds should represent that if it exists22:35
lbragstad^ that22:35
kmallocthe token values should be exploded out22:35
lbragstadyes22:35
kmalloc*also* we should be able to take action on the target dict without needing a representation in creds22:35
*** rcernin has joined #openstack-keystone22:35
kmallocaka a way to say execute function instead of lookup creds()22:35
kmalloccreds[XXX]*22:35
kmallocright now there is never a way to act on data in the target dict without having a mirrored representation in the creds dict22:36
lbragstadthese usecases are going to make it harder to use context objects in policy enforcement22:37
kmallocnow, i could be clever and build a creds dict22:37
kmallocwith extra data22:37
kmallocbut ... thats painful22:37
lbragstadyeah - and every service has to do it22:37
kmallocbeing able to say something like 'exists():%(query_param_name)s'22:38
kmalloccould be usefil22:38
kmallocuseful22:38
kmallocaka, require a filter on an api for a specific user22:38
kmallocno "listing all projects"22:38
lbragstadthe whole idea behind making policy understand context objects was to make it easier for services to offload building creds dictionaries (and possibly making mistakes with the information they provide)22:38
kmallocexactly22:38
kmalloci think the real answer is to extract out the RBACEnforcer into it's own lib or to oslo.policy22:39
kmallocand allow for an override of where to pull creds data22:39
kmallocso keystone uses flask22:39
lbragstadhmmm22:39
kmallocnova might pull from oslo_context[known_location]22:39
kmallocwe'll need to firm up some of the contract assumptions i made about flask to be more generic22:40
kmallocbut ultimately doable22:40
lbragstadso - oslo.policy just calls the to_policy_values() method on context objects if it gets one22:41
kmallocbecause ultimately, services want to do "EnforceCall(action_name, creds, target)"22:41
kmallocand that is the extent22:41
kmallocpretty much.22:42
lbragstadif we supply additional things on context objects, we'll need to make oslo.policy smarter about handling that?22:42
kmallocmake a helper method that the RBACEnforcer can lean on22:42
kmallocbasically "pull things from here" or "do something totally wacky"22:42
kmallocit could be as simple as lambda x: flask.request.args[x]22:43
kmallocit might be complex like "build a creds dict that pulls from all over the place"22:43
kmallocbut bake the default case down to very simple: get oslo_context and to_policy_values (naive data extraction)22:44
lbragstador...22:45
lbragstadwe subclass oslo.context22:45
lbragstadspecifically the RequestContext object22:45
lbragstadwe *could* override to_policy_values to be smarter about keystone specific things22:45
kmallocjust as long as we're careful that it's not Webob specific22:45
kmallocsome things are very webob specific22:46
kmallocrequestcontext might be safe22:46
lbragstadusing the subclassing in oslo.context is safe you mean?22:46
kmallocyeah it probably isn't a webob specific thing22:46
lbragstadyeah - it might make it so we don't have to make changes to oslo.policy22:46
lbragstadit just calls context_obj.to_policy_values()22:47
lbragstadand if it's an instance of keystone.common.context.RequestContext, it'll get populated with things we need it to for policy enforcement22:47
lbragstadif oslo.policy just gets a plain old oslo_context.context.RequestContext, it calls the same method and gets generic policy values22:48
ayoungWhew22:53
ayoungI just caught up on that22:53
*** rcernin has quit IRC22:53
lbragstad:)22:54
*** rcernin has joined #openstack-keystone22:55
lbragstadit's interesting, i'll play with it in https://review.openstack.org/#/c/605539/1 and see if i can make it work22:55
* lbragstad steps away for a bit 22:55
ayoungI think exists() should be implied.  If you do a test, and the variable does not exist, it fails22:56
ayoungand not in a Raise an exception sort of way22:56
ayoungso if you need an alternative, you do an "or"22:56
kmallocthat would be the requirement22:56
kmallocit would fail enforcement, 40322:56
kmallocexplicitly exists means it *must* exist and must have a value22:57
kmallocthough the policy DSL would be easy to screw up22:57
kmallocsince the value after the colon in the DSL is literal22:57
kmallocso `exists():Blah` would be success22:57
kmallocbut `exists():%(user_id)s` may fail22:58
kmallocso i think there needs to be a re-thinking22:58
*** blake_ has joined #openstack-keystone23:02
kmallocor allow the value before the colon to also (in some cases) reference the target dict23:03
kmalloctarget_lookup(xxx):<value>23:03
kmallocand the second half would be exists() or notexists()23:03
kmallocetc23:03
*** blake has quit IRC23:05
jamielennoxto_policy_values was always designed to be overridden with service specific variables23:07
jamielennoxwhat was in the common was just what made sense everywhere - and in a lot of cases there wasn't anything else to check23:07
jamielennoxbut yea, ideally name it something rather than just drop a webob object in there, those policy values are a stable interface23:08
*** mbeierl has quit IRC23:08
openstackgerritGage Hugo proposed openstack/keystone master: Add build_target argument to enforcer  https://review.openstack.org/60188123:11
jamielennoxeh - i read up for more context - you've got all this23:12
kmallochehe23:20
*** jlvillal has joined #openstack-keystone23:24
*** dklyle has joined #openstack-keystone23:26
*** blake_ has quit IRC23:26
*** rcernin_ has joined #openstack-keystone23:41
*** blake has joined #openstack-keystone23:41
*** rcernin has quit IRC23:43
*** blake has quit IRC23:45
*** openstackgerrit has quit IRC23:49
*** blake has joined #openstack-keystone23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!