Wednesday, 2018-11-28

« Tuesday, 2018-11-27 Index Thursday, 2018-11-29 »
*** jaosorior has quit IRC00:05
*** hoonetorg has quit IRC00:09
*** ayoung has joined #openstack-keystone00:10
*** hoonetorg has joined #openstack-keystone00:22
*** erus has joined #openstack-keystone00:42
*** annp has joined #openstack-keystone01:14
*** erus has quit IRC01:35
*** erus has joined #openstack-keystone01:40
*** Dinesh_Bhor has joined #openstack-keystone02:33
lbragstadgagehugo yep02:56
lbragstadyou're correct02:56
lbragstadthose policies previously required admin for all of them by default03:02
lbragstadnow they are broken up a bit03:03
lbragstadso you don't have to give someone admin just to do readable things03:03
lbragstadmember = readable operations + update03:04
lbragstadadmin = readable and writable operations (just like before)03:04
openstackgerritVishakha Agarwal proposed openstack/python-keystoneclient master: DNM: Test jobs running on bionic instead of xenial  https://review.openstack.org/62044503:23
*** pcaruana has joined #openstack-keystone05:09
openstackgerritVishakha Agarwal proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial  https://review.openstack.org/61156305:09
openstackgerritVishakha Agarwal proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial  https://review.openstack.org/61156305:11
openstackgerritVishakha Agarwal proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial  https://review.openstack.org/61156305:27
*** imacdonn has quit IRC05:30
*** imacdonn has joined #openstack-keystone05:30
*** imacdonn has quit IRC05:38
*** imacdonn has joined #openstack-keystone05:38
*** gyee has quit IRC06:20
*** jaosorior has joined #openstack-keystone06:36
*** rcernin has quit IRC06:57
*** alexchadin has joined #openstack-keystone08:22
*** amoralej|off is now known as amoralej08:22
*** xek_ has joined #openstack-keystone08:22
*** alexchadin has quit IRC09:41
*** alexchadin has joined #openstack-keystone09:53
*** tobias-urdin has quit IRC10:10
*** tobias-urdin has joined #openstack-keystone10:15
*** shrasool has joined #openstack-keystone10:32
*** jistr is now known as jistr|mtg10:34
*** shrasool has quit IRC10:38
*** shrasool has joined #openstack-keystone10:38
openstackgerritJens Harbott (frickler) proposed openstack/python-keystoneclient master: Fix keystoneclient-devstack-functional job  https://review.openstack.org/62055310:40
openstackgerritJens Harbott (frickler) proposed openstack/keystone master: DNM: Test patch to verify ksc job  https://review.openstack.org/62055410:41
fricklerlbragstad: cmurphy: fyi ^^ not sure yet whether it will do the right thing, but we'll see10:41
cmurphyfrickler: i'm confused that the original patch seemed to work10:42
cmurphyi just got back from vacation so haven't dug into it yet10:42
fricklercmurphy: the original patch works fine when running against python-keystoneclient, but not when running against keystone. the latter sadly was never tested before it got merged10:44
cmurphyyeah :(10:45
fricklercmurphy: see http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2018-11-27.log.html#t2018-11-27T18:07:35 for some discussion related to it10:45
cmurphyfrickler: oh thanks for that10:46
cmurphyfrickler: do the unit test jobs run this test-setup.sh script?10:50
cmurphyi'm wondering if we could just rename or delete it from keystone10:51
cmurphylooks like yes the unittests playbook uses it10:53
fricklercmurphy: I didn't look into that yet, that might work too. but actually not running test-setup.sh at all when it isn't needed seems the cleaner solution.10:56
fricklercmurphy: in addition you also do not want to run the tox-consumer version of the job against keystone, since a patch there may cause the devstack setup to fail. so devstack should run in the main phase and not in pre10:57
cmurphyfrickler: oh that makes sense10:58
cmurphyfrickler: but that should also cause the tempest jobs to fail10:58
fricklercmurphy: it will, so the issue wouldn't go unnoticed. but it will trigger retries, as zuul will assume a non-permanent error when failing in the pre phase10:59
cmurphyfrickler: oh gotcha11:00
*** chason has quit IRC11:31
*** chason has joined #openstack-keystone11:36
*** Dinesh_Bhor has quit IRC11:42
*** dave-mccowan has joined #openstack-keystone11:45
*** raildo has joined #openstack-keystone11:48
*** erus has quit IRC11:53
*** erus has joined #openstack-keystone11:53
*** erus has quit IRC12:34
*** erus has joined #openstack-keystone12:36
*** takamatsu has quit IRC12:37
*** takamatsu has joined #openstack-keystone12:43
*** amoralej is now known as amoralej|lunch13:12
*** jistr|mtg is now known as jistr13:21
*** takamatsu has quit IRC13:29
*** takamatsu has joined #openstack-keystone13:30
*** Dinesh_Bhor has joined #openstack-keystone13:43
*** takamatsu has quit IRC13:44
*** takamatsu has joined #openstack-keystone13:48
*** amoralej|lunch is now known as amoralej14:05
*** Dinesh_Bhor has quit IRC14:10
lbragstadinteresting, thanks frickler14:16
fricklercmurphy: lbragstad: as I feared this is running keystone functional tests now instead of ksc ones. maybe one of you can pick this up http://logs.openstack.org/54/620554/1/check/keystoneclient-devstack-functional/b2350d5/testr_results.html.gz14:16
fricklerlbragstad: regarding bionic, coreycb suggested switching to libapache2-mod-auth-mellon, see https://bugs.launchpad.net/keystone/+bug/1802901 . I don't know the details of what is needed for federation testing, would switching to that be an option?14:18
openstackLaunchpad bug 1802901 in OpenStack Identity (keystone) "Federation functional job failing on Bionic" [Undecided,New]14:18
cmurphyfrickler: i can try to take a look at the ksc tests14:19
cmurphyfrickler: lbragstad we could switch to testing with mellon instead of shibboleth but it is disturbing that shibboleth is fundamentally broken in the package, our users rely heavily on it14:20
lbragstad++14:21
lbragstadlooks like this broke those tests https://review.openstack.org/#/c/498091/14:21
lbragstadi accidentally copy/pasta'd an exception without the translation bit14:22
lbragstadbut not thing in our tests actually caught it14:22
lbragstad(or tried asking for a token using multiple scopes, apparently)14:22
cmurphylbragstad: i'm confused, what's broken?14:23
openstackgerritLance Bragstad proposed openstack/keystone master: Add missing translation import to common.auth.py  https://review.openstack.org/62061014:25
lbragstadcmurphy i was just looking at the errors here - http://logs.openstack.org/54/620554/1/check/keystoneclient-devstack-functional/b2350d5/testr_results.html.gz14:25
fricklercmurphy: btw, does keystoneclient-devstack-functional really need a full devstack deployment with all projects? or would just keystone be enough?14:26
fricklerlbragstad: no, the issue is that this job should run ksc func tests, not keystone14:26
cmurphyfrickler: i'm pretty sure just keystone would be enough14:26
lbragstadoh - hmm14:27
lbragstadwe accidentally uncovered a bug in common.auth.py then14:27
fricklernice, even broken tests are good tests ;)14:28
cmurphyi think we haven't been running those functional tests for a while14:28
lbragstadi think you're right cmurphy14:28
lbragstadi wonder if they broke for the flask bits14:29
cmurphy"name '_' is not defined" is not really flask specific, that's just a problem with the test code itself14:30
lbragstadtrue, the other errors about status codes are interesting though14:31
lbragstadthe translation error was my fault ;)14:31
fricklercmurphy: o.k., I think I'll do a standalone job definition in https://review.openstack.org/620553 then14:35
cmurphyfrickler: what's the right way to run keystoneclient's tests on a keystone job? it seems like the tox role is just not smart enough to run tox on not-this-repo14:40
cmurphyso we'll still have an issue whether we use -consumer or not14:40
openstackgerritLance Bragstad proposed openstack/keystone master: Update endpoint policies for system reader  https://review.openstack.org/61932914:44
openstackgerritLance Bragstad proposed openstack/keystone master: Update endpoint policies for system member  https://review.openstack.org/61933014:44
openstackgerritLance Bragstad proposed openstack/keystone master: Update endpoint  policies for system admin  https://review.openstack.org/61933114:44
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints  https://review.openstack.org/61933214:44
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints  https://review.openstack.org/61928114:44
openstackgerritLance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json  https://review.openstack.org/61933314:44
cmurphyfrickler: seems like maybe we need separate jobs, one in keystoneclient and one in keystone that defines a chdir: {{ keystoneclient src dir }}14:45
*** dklyle has quit IRC14:47
openstackgerritJens Harbott (frickler) proposed openstack/python-keystoneclient master: Fix keystoneclient-devstack-functional job  https://review.openstack.org/62055314:47
fricklercmurphy: ^^ I hope that should cover both cases14:47
cmurphyfrickler: oh excellent14:48
openstackgerritLance Bragstad proposed openstack/keystone master: Update mapping policies for system reader  https://review.openstack.org/61961214:49
openstackgerritLance Bragstad proposed openstack/keystone master: Update mapping policies for system member  https://review.openstack.org/61961314:49
openstackgerritLance Bragstad proposed openstack/keystone master: Update mapping policies for system admin  https://review.openstack.org/61961414:49
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with mappings  https://review.openstack.org/61961514:49
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with mappings  https://review.openstack.org/61961614:49
openstackgerritLance Bragstad proposed openstack/keystone master: Remove mapping policies from policy.v3cloudsample.json  https://review.openstack.org/61961714:49
openstackgerritLance Bragstad proposed openstack/keystone master: Move test utility to common location  https://review.openstack.org/62015514:55
openstackgerritLance Bragstad proposed openstack/keystone master: Update service provider policies for system reader  https://review.openstack.org/62015614:55
openstackgerritLance Bragstad proposed openstack/keystone master: Update service provider policies for system member  https://review.openstack.org/62015714:55
openstackgerritLance Bragstad proposed openstack/keystone master: Update service provider  policies for system admin  https://review.openstack.org/62015814:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with sps  https://review.openstack.org/62015914:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with sps  https://review.openstack.org/62016014:55
openstackgerritLance Bragstad proposed openstack/keystone master: Remove service provider policies from v3cloudsample.json  https://review.openstack.org/62016114:55
openstackgerritLance Bragstad proposed openstack/keystone master: Update service policies for system reader  https://review.openstack.org/61927715:05
openstackgerritLance Bragstad proposed openstack/keystone master: Update service policies for system member  https://review.openstack.org/61927815:05
openstackgerritLance Bragstad proposed openstack/keystone master: Update service policies for system admin  https://review.openstack.org/61927915:05
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with services  https://review.openstack.org/61928015:05
openstackgerritLance Bragstad proposed openstack/keystone master: Remove service policies from policy.v3cloudsample.json  https://review.openstack.org/61928215:05
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with services  https://review.openstack.org/62062315:05
openstackgerritLance Bragstad proposed openstack/keystone master: Update idp policies for system reader  https://review.openstack.org/61937115:10
openstackgerritLance Bragstad proposed openstack/keystone master: Update idp policies for system member  https://review.openstack.org/61937215:10
ayounglbragstad, you slacker15:10
openstackgerritLance Bragstad proposed openstack/keystone master: Update idp policies for system admin  https://review.openstack.org/61937315:10
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with idps  https://review.openstack.org/61937415:10
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with idps  https://review.openstack.org/61937515:10
openstackgerritLance Bragstad proposed openstack/keystone master: Remove idp policies from policy.v3cloudsample.json  https://review.openstack.org/61937615:10
lbragstadwanna do some reviews ayoung?15:11
knikollao/15:11
lbragstadmornin' knikolla15:16
openstackgerritLance Bragstad proposed openstack/keystone master: Add region protection tests for system readers  https://review.openstack.org/61908515:17
openstackgerritLance Bragstad proposed openstack/keystone master: Update region policies to include system member  https://review.openstack.org/61908615:17
openstackgerritLance Bragstad proposed openstack/keystone master: Update region policies to use system admin  https://review.openstack.org/61924115:17
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with regions  https://review.openstack.org/61924215:17
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with regions  https://review.openstack.org/61924315:17
openstackgerritLance Bragstad proposed openstack/keystone master: Remove region policies from policy.v3cloudsample.json  https://review.openstack.org/61924415:17
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/60548515:23
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system member role in domains API  https://review.openstack.org/60584915:23
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system admin role in domains API  https://review.openstack.org/60585015:23
openstackgerritLance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API  https://review.openstack.org/60585115:23
openstackgerritLance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains  https://review.openstack.org/60587115:23
openstackgerritLance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json  https://review.openstack.org/60587615:23
lbragstadok - done... i promise15:26
lbragstadeverything should be rebased and topic branches are updated15:26
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add support for client-side rate limiting  https://review.openstack.org/60504316:05
mordredkmalloc: ^^ updated per your review16:06
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add support for client-side rate limiting  https://review.openstack.org/60504316:07
kmallocNice16:16
kmallocThnx16:16
ayounglbragstad, I'd be happy to.  But it will cost you...I have a few patches malingering.16:17
openstackgerritayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users  https://review.openstack.org/60516916:18
*** erus has quit IRC16:18
ayounglbragstad, lets get that in as is, and refactor as we move on.16:19
kmallocmordred: I will see if I can help build a functional test against a real service for ksa16:22
kmallocmordred: but looks good otherwise16:22
lbragstadack - i can review16:23
mordredkmalloc: cool. I also added a depends-on link for the openstacksdk change that consumes it- but I think that's maybe too much to count for the functional?16:24
*** erus has joined #openstack-keystone16:24
kmallocYeah16:27
*** gyee has joined #openstack-keystone16:27
kmallocIt might be16:27
kmallocI'll 2x confirm tonight tomorrow and re-score it if it is ok with sdk16:27
kmalloc:)16:27
kmallocI do want a direct functional test... Eventually16:27
gagehugolbragstad: ok cool16:30
*** shrasool has quit IRC16:52
*** lbragstad has quit IRC17:02
*** pcaruana has quit IRC17:03
*** lbragstad has joined #openstack-keystone17:05
*** ChanServ sets mode: +o lbragstad17:05
*** erus has quit IRC17:11
*** erus has joined #openstack-keystone17:12
*** jackivanov has quit IRC17:28
*** shrasool has joined #openstack-keystone18:29
*** amoralej is now known as amoralej|off18:36
*** dklyle has joined #openstack-keystone19:03
*** lbragstad has quit IRC19:08
*** lbragstad has joined #openstack-keystone19:12
*** ChanServ sets mode: +o lbragstad19:12
*** lbragstad has quit IRC19:12
*** lbragstad has joined #openstack-keystone19:14
*** ChanServ sets mode: +o lbragstad19:14
*** lbragstad has quit IRC19:14
*** lbragstad has joined #openstack-keystone19:16
*** ChanServ sets mode: +o lbragstad19:16
*** lbragstad has quit IRC19:16
*** dklyle has quit IRC19:27
*** shrasool has quit IRC20:04
*** shrasool has joined #openstack-keystone20:07
*** shrasool has quit IRC20:16
*** konetzed has joined #openstack-keystone20:22
konetzedusing openstack rocky on centos 7 and getting this when using ldap auth "Fernet token created with length of 268 characters, which exceeds 255 characters"20:23
konetzedany one have ideas on how to fix it or solve the problem of tokens not working?  Only seems to be an issue with application crednetials20:24
*** lbragstad has joined #openstack-keystone20:30
*** ChanServ sets mode: +o lbragstad20:30
*** openstackgerrit has quit IRC20:36
*** raildo has quit IRC20:54
*** ayoung has quit IRC21:24
nsmedshey guys, anyone familiar with https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json ? trying to understand difference between two similar policies21:25
*** mchlumsky has quit IRC21:25
*** erus has quit IRC21:31
lbragstadnsmeds i can help21:32
nsmedsthe main issue I'm trying to understand is the `target` attribute. For example, difference between `admin_and_matching_target_project_domain_id` and `admin_and_matching_project_domain_id`21:34
lbragstadthe policy.v3cloudsample.json file was an attempt to provide more sophisticated policies to protect keystone's API21:34
lbragstadnsmeds like this you mean? https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L721:34
*** erus has joined #openstack-keystone21:35
nsmedsyour example is basically saying: user has `admin` role and is modifying resources in the domain which their token was authenticted for21:36
nsmedsyes?21:36
lbragstadyeah - so when the policy engine parses admin_or_owner21:36
lbragstadit's going to make sure the user is has the "admin" role (defined by rule:admin_required)21:37
*** lbragstad has quit IRC21:37
*** lbragstad has joined #openstack-keystone21:37
*** ChanServ sets mode: +o lbragstad21:37
lbragstadand it's going to make sure the token used to make the call is domain scoped21:38
nsmedscompared to `"rule:admin_required and domain_id:%(user.domain_id)s` ?21:39
lbragstadwhere do you see that one?21:39
nsmedsthe `admin_and_matching_user_domain_id` rule21:39
lbragstadoh "rule:admin_required and domain_id:%(domain_id)s"21:40
nsmedstheres a few very similar looking rules, and just trying to understand what the actual differences are (plan to create our own custom roles but first need to understand what options are available)21:41
nsmedsstruggling a bit XD21:41
lbragstadyeah - so the syntax can be a bit confusing21:42
nsmedscan I give you an example of something I'd like to do but unsure how to write actual policy rule for it?21:44
nsmedsI'd like to create an `almost_admin` role, which has full access to everything except the `Default` domain.21:44
lbragstadwhat are you trying to restrict with the Default domain?21:47
lbragstadis there a particular set of operations you don't want them to do?21:47
lbragstadsorry - my network is giving me a hard time.. the policy.v3cloudsample.json file was an attempt to solve https://bugs.launchpad.net/keystone/+bug/96869621:49
openstackLaunchpad bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] - Assigned to Lance Bragstad (lbragstad)21:49
nsmedspretty much view/create anything in that domain - yet still allow them to create new domains and have full permissions within those domains21:49
nsmedsI'm thinking that giving them their own domain and resticting them to full permissions within that 1 domain is easier to implement21:50
nsmedswas exploring both options21:50
*** rcernin has joined #openstack-keystone21:50
lbragstadnsmeds are you familiar what the work we're doing around scopes?21:51
*** shrasool has joined #openstack-keystone21:51
nsmedsread something earlier, let me check my bookmarks21:51
nsmedsbelieve it was about making permissions scoped to a domain/project ?21:53
lbragstadas of the Queens release you can scope tokens to projects, domains, or the deployment system21:53
lbragstadthe idea is it use project-scoped tokens for project-specific resources (think instances or volumes)21:54
lbragstadand domain-scoped tokens for domain-specific things (users and groups are a good example)21:55
lbragstadand system-scoped tokens for resources that are specific to the deployment system itself (services and endpoints are good examples of system-specific resources)21:55
lbragstadso - ultimately, giving someone 'admin' on a project is different from 'admin' on a domain, or 'admin' on the deployment system21:55
nsmedsunderstood - and thats good, using queens21:56
lbragstadwhich helps make roles a bit more reuseable, as opposed to having to use a 'project-admin' role, 'domain-admin' role, and 'cloud-admin' role21:56
lbragstadtraditionally, a lot of places in openstack were hardcoded to just look for the role 'admin'21:57
lbragstadwhich would allow elevated privilege to do things21:58
lbragstadand that didn't prevent someone who was an 'admin' of a project from creating new services in the service catalog, or viewing hypervisor information from nova21:58
*** shrasool has quit IRC22:00
lbragstadwe're moving towards better policies, like this https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/credential.py#n1822:02
lbragstadand testing each permutation of role + scope (system admin, system member, system reader, domain admin, domain member, etc...) thoroughly through functional testing22:03
lbragstadhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/protection/v3/test_credentials.py22:03
*** rcernin has quit IRC22:03
lbragstad^ which is something we didn't really do as well with the policy.v3cloudsample.json file22:03
nsmedsok. I think it's clear I just need to do more reading22:04
nsmedsif I can bug you about 1 more thing, can you explain https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L622:04
nsmedswhat's the difference between the two `user_id:`22:04
lbragstadso - good question22:05
*** erus has quit IRC22:05
lbragstadthe rule is comparing the user_id from the token used to make the request to the user being requested22:05
lbragstadfor example22:05
lbragstadif my user ID is 746949fd15814ac5a4ebadb8aac97c3a22:06
lbragstadand I get a token, it'll have my user reference in it response body22:07
lbragstadwhen i call GET /v3/users/746949fd15814ac5a4ebadb8aac97c3a - keystone is going to compare the user ID from the token I supplied in the request header to the user id in the path22:07
lbragstadif they match, I've effectively proved that I'm the "owner" of my user account22:07
lbragstadif i try and use the same token to call GET /v3/users/de5cbfc473b647fcaef970eff890452122:08
lbragstadit'll fail22:08
nsmedsyep, this makes sense22:08
lbragstadbecause let's assume I'm not an administraotr22:08
lbragstadand that condition doesn't evaluate to true, so i'm not the owner22:08
lbragstadhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/credential.py#n20 is another example of ownership22:09
lbragstadthat allows any users to list credentials they've created in keystone22:09
lbragstaduser*22:09
lbragstadbut it gives system admins the ability to operations against any credentials for administrative purposes22:10
nsmedsso `user_id:%(user_id)s` ensures that user_id in token matches user_id I'm trying to modify22:12
*** rcernin has joined #openstack-keystone22:12
nsmedscorrect?22:13
lbragstadthat's this bit specifically - user_id:%(target.token.user_id)s22:13
lbragstaduser_id:%(user_id)s makes sure the user in the request matches what keystone populates in the request context22:13
lbragstadit's kinda dense..22:13
lbragstadand not super intuitive22:13
nsmedsthe struggle is real22:14
nsmedsI'll figure this all out - really appreciate your help22:14
lbragstadnot a problem22:14
lbragstadso TL;DR22:14
lbragstadkeystone (and most openstack services) use oslo.policy for policy enforcement22:14
lbragstadso just the thing that says either 'yes' or 'no' based on certain parameters22:15
lbragstadbut, it's up to the service to supply the enforcement data22:15
lbragstadwhich could be information about an instance, volume, user, etc...22:16
lbragstadthis kinda of information is referred to as the "target"22:16
lbragstadthe other important piece is the information about the user making the request22:17
nsmedsthis entire conversation is being copy/pasted into my notes <322:18
lbragstadso, target == the thing you're trying access, modify, create, or delete over the API, credentials == information about the user making the request22:19
*** xek_ has quit IRC22:19
lbragstadhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/api/credentials.py#n162 is a good example of how we use this22:19
lbragstadthe API for deleting credentials pull the credential reference that the user wants to delete and populates it as the policy "target"22:20
lbragstadhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/api/credentials.py#n3822:20
lbragstadwhich eventually get to where keystone hands things off to oslo.policy22:22
lbragstadhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/rbac_enforcer/enforcer.py#n8222:22
lbragstadthe creds= argument there is actually passing an instance of oslo.context.RequestContext (which is just a python object that contains a bunch of information about the user who made the request)22:22
*** erus has joined #openstack-keystone22:22
lbragstadhttp://git.openstack.org/cgit/openstack/oslo.context/tree/oslo_context/context.py#n17622:23
lbragstadfor example, the ID of the user, the scope associated to the token used to make the request, etc...22:23
lbragstadoslo.policy evaluates that information in enforcement, which is where we get the user_id:%(user_id)s functionality exposed to us in policy files22:24
nsmedsthanks lbragstad. gonna take some time and review everything you've shared here22:25
lbragstadcool - i apologize it's so dense22:26
*** shrasool has joined #openstack-keystone22:39
*** shrasool has quit IRC22:56
konetzedusing Rocky on centos with domains and a ldap backed domain.  Any idea why i can use a username/pass w/o issue to access my projects but I cannot use applicatoin credentials?  I see in the logs Keystone says the public id which is a long string has no access to the project22:57
konetzedor is this all just related to the farnet token being larger than 255 chars warning?23:00
konetzedfernet23:00
lbragstadthe fernet warning is just a warning, it should affect the API23:11
lbragstadshouldn't*23:11
konetzedah ok, thanks i wasnt sure if that was leading me down the wrong path or not23:11
konetzedApplication Credentials work fine for users in the default domain23:12
lbragstadwe've been bitten by long token ids in the past, so we decided to issue warnings for tokens exceeding a relatively strict length requirement23:12
konetzedlbragstad: any way to force keystone to make smaller tokens?  I tried setting max_token_size=255 but that didnt seem to help23:13
konetzedthough you said it doesnt matter so i guess its not the issue23:13
lbragstadby default, keystone should issue tokens under 255 chars if you're using uuid4 formatted IDs23:13
lbragstadif you're pulling ids from an external thing, like LDAP for example, your IDs might be longer23:14
konetzeddefault domain, 2359a8a4643e4dc9a6179b1faba37f5c | glance23:14
konetzedldap domain: ef04e0bd96a83b083153e27169ff5cfa0f424acbc254069f1f154f9ffa15b994 | user23:15
lbragstadaha - sure23:15
lbragstadso that's going to generate a longer token23:15
lbragstadwhich should be fine23:15
konetzedits funny i see keystone look up the right user from the application creds just like it does when i use username/pass but then it says the creds dont have access23:16
lbragstadhmm23:16
lbragstadyou're trying to get a token using an application credential and do something with it, right?23:16
lbragstadand that's failing?23:16
konetzedat the moment just trying to use them with the cli to do 'openstack image list'23:17
lbragstadah23:17
lbragstadso you have envs set or you're using clouds.yaml which has been configured with your application credential?23:17
konetzedenvs set from the openrc file23:18
lbragstadhttps://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3applicationcredential23:19
lbragstaddoes the application credential have the same roles the user who made it has?23:19
konetzedyes23:19
*** shrasool has joined #openstack-keystone23:24
konetzedlbragstad: figured it out23:43
konetzedso i am using group mappings from ldap to my projects and the groups have the role applied23:44
konetzedi just gave my ldap user role of user on the project and application creds work w/o issue23:44
konetzednow i am just not sure why group rules isnt working right with application credentials23:46
lbragstadoh23:49
lbragstadyeah - application credentials work with direct role assignments between the actual user and the target23:49
lbragstadi don't believe application credentials take group membership into account23:50
konetzed:(23:50
lbragstadbut cmurphy can keep me honest there23:50
lbragstadi think we actually have a bug open for that23:50
lbragstadyeah - we do23:50
lbragstadhttps://bugs.launchpad.net/keystone/+bug/177396723:50
openstackLaunchpad bug 1773967 in OpenStack Identity (keystone) "Application credentials can't be used with group-only role assignments" [High,Confirmed] - Assigned to Vishakha Agarwal (vishakha.agarwal)23:50
lbragstadsounds like that's what you're looking for konetzed ^23:51
konetzedlbragstad: exactly what i am seeing23:51
lbragstadcool23:51
konetzedyep, except it sucks for me :P23:52
lbragstadlooks like vishakha is tackling it23:52
konetzedI am not seeing any code anywhere, hopeing i could patch in by hand for now.  Am i missing something?23:52
lbragstadaccording to ayoung, trusts have code that make them work with group assignments23:53
lbragstadideally, we can try and generalize that code and have app creds re-use it23:53
konetzedlbragstad: any pointers on where to start looking? I am guessing /usr/lib/python2.7/site-packages/keystone/models/token_model.py:495 since thats the log line that says there is no access23:57
*** blake has joined #openstack-keystone23:58
« Tuesday, 2018-11-27 Index Thursday, 2018-11-29 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!