Monday, 2018-12-03

00:30 <kmalloc> knikolla: oh no
00:30 <kmalloc> hahaha
01:59 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain_id column for limit  https://review.openstack.org/620202
02:52 *** imacdonn has joined #openstack-keystone
03:05 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager  https://review.openstack.org/621468
04:39 *** Nel1x has quit IRC
05:13 *** nehaalhat has joined #openstack-keystone
05:14 <nehaalhat> wxy-xiyuan: Hi, I want your suggestion on: https://blueprints.launchpad.net/python-keystoneclient/+spec/return-request-id-to-caller
05:22 <nehaalhat> wxy-xiyuan: As the patches submitted to implement this are not sufficient, I am going to propose one or two patches..... should I push those patches under the same BP, as the BP is not marked as implemented yet?
05:22 <nehaalhat> wxy-xiyuan: or do I need to report a bug for this?
06:03 *** elbragstad has quit IRC
06:32 <wxy-xiyuan> nehaalhat: Hi, a follow-up for the BP is fine I think
06:34 <nehaalhat> wxy-xiyuan: ok, thank you
06:57 *** rcernin has quit IRC
07:25 *** pcaruana has joined #openstack-keystone
07:43 *** Dinesh_Bhor has joined #openstack-keystone
07:47 *** mkrai has joined #openstack-keystone
07:48 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain_id column for limit  https://review.openstack.org/620202
07:48 <openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP]Add domain level limit support - Manager  https://review.openstack.org/621468
07:48 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Ensure change is addressed for unified limit table  https://review.openstack.org/621497
07:49 <mkrai> Hi, I am getting this error http://paste.openstack.org/show/736563/ while setting up devstack. Can someone help?
07:55 *** Dinesh_Bhor has quit IRC
08:04 *** Dinesh_Bhor has joined #openstack-keystone
08:23 *** amoralej|off is now known as amoralej
08:28 *** trident has quit IRC
08:30 *** trident has joined #openstack-keystone
08:58 *** alexchadin has joined #openstack-keystone
08:59 *** xek has joined #openstack-keystone
09:35 *** mkrai has quit IRC
09:44 *** awalende has joined #openstack-keystone
09:46 *** Dinesh_Bhor has quit IRC
09:53 *** awalende_ has joined #openstack-keystone
09:56 *** awalende has quit IRC
10:14 *** Dinesh_Bhor has joined #openstack-keystone
10:45 *** awalende has joined #openstack-keystone
10:49 *** awalende_ has quit IRC
10:49 *** shrasool has joined #openstack-keystone
10:50 *** Dinesh_Bhor has quit IRC
11:24 *** shrasool has quit IRC
11:41 *** awalende_ has joined #openstack-keystone
11:44 *** awalende has quit IRC
11:58 *** awalende_ has quit IRC
11:59 *** awalende has joined #openstack-keystone
12:26 <openstackgerrit> Merged openstack/keystone master: Keep federation jobs running on Xenial  https://review.openstack.org/611563
12:33 *** awalende has quit IRC
12:44 *** alexchadin has quit IRC
12:45 *** awalende has joined #openstack-keystone
12:59 *** alexchadin has joined #openstack-keystone
13:22 *** amoralej is now known as amoralej|lunch
13:29 *** alexchadin has quit IRC
13:38 *** jroll has quit IRC
13:38 *** jroll has joined #openstack-keystone
13:47 *** jaosorior has joined #openstack-keystone
14:00 *** amoralej|lunch is now known as amoralej
14:08 *** Nel1x has joined #openstack-keystone
14:25 <openstackgerrit> Merged openstack/oslo.policy master: oslopolicy-checker: iterate through rules in sorted order  https://review.openstack.org/619724
14:25 *** jmlowe has quit IRC
14:26 *** jmlowe has joined #openstack-keystone
14:28 *** SteelyDan is now known as dansmith
14:43 *** raildo has joined #openstack-keystone
14:49 *** lbragstad has joined #openstack-keystone
14:49 *** ChanServ sets mode: +o lbragstad
14:50 <lbragstad> so - i think my x1c just died on me...
14:51 <cmurphy> oh no :_(
14:53 *** dave-mccowan has joined #openstack-keystone
14:55 *** awalende has quit IRC
14:58 *** lbragstad has quit IRC
15:00 *** lbragstad has joined #openstack-keystone
15:00 *** ChanServ sets mode: +o lbragstad
15:01 <lbragstad> yeah - i'm pretty surprised... looks like it fails reading from the drive, so i might try a new hard drive...
15:01 *** beekneemech is now known as bnemec
15:02 *** awalende has joined #openstack-keystone
15:07 *** awalende has quit IRC
15:17 *** jdennis has joined #openstack-keystone
15:24 *** mchlumsky has joined #openstack-keystone
15:28 *** mchlumsky has quit IRC
15:29 *** mchlumsky has joined #openstack-keystone
15:34 *** itlinux has quit IRC
15:55 *** jhesketh has quit IRC
15:57 *** jhesketh has joined #openstack-keystone
16:04 *** jmlowe has quit IRC
16:04 *** gyee has joined #openstack-keystone
16:06 *** raildo_ has joined #openstack-keystone
16:06 *** erus has joined #openstack-keystone
16:07 <erus> Hi everyone :)
16:07 <cmurphy> hi erus :D
16:07 <erus> How are you doing?
16:08 *** jdennis has quit IRC
16:09 *** raildo has quit IRC
16:14 *** fiddletwix has joined #openstack-keystone
16:15 *** dklyle has joined #openstack-keystone
16:25 *** jdennis has joined #openstack-keystone
16:33 *** itlinux has joined #openstack-keystone
16:33 *** itlinux has quit IRC
16:34 *** itlinux has joined #openstack-keystone
16:50 *** itlinux_ has joined #openstack-keystone
16:54 *** itlinux has quit IRC
16:55 *** itlinux_ has quit IRC
16:56 *** itlinux has joined #openstack-keystone
16:56 *** erus has quit IRC
16:59 *** erus has joined #openstack-keystone
17:15 <nsmeds> morning/evening everyone. Making some progress getting v3cloudpolicy working - but one issue I'm trying to understand. When I run `openstack token issue`, the token does not have a `domain_id` attribute, which is required for the `cloud_admin` policy.
17:16 <nsmeds> The user I'm running this with was created in the "cloud_admin" domain, and has the admin role at the system and domain level.
17:16 <nsmeds> any ideas?
17:32 <lbragstad> nsmeds i think it depends on the environment variables osc is using to get the token
17:33 <kmalloc> o/
17:34 <nsmeds> that's what I'd expect as well... https://gist.github.com/nikosmeds/885b6456f2c5823a65fb843921e43fe3
17:39 <nsmeds> solved. missing `export OS_DOMAIN_NAME=cloud_admin`
17:40 <lbragstad> yep
17:40 <nsmeds> that one line has likely caused all my problems for the last like 5 days
17:40 <nsmeds> gg
17:42 *** raildo_ has quit IRC
17:43 <lbragstad> oh - i suppose, you were getting a domain scoped token to actually pass the domain policies in policy.v3cloudsample.json
17:45 <kmalloc> oh
17:45 <kmalloc> man
17:45 <kmalloc> that is annoying
17:45 <kmalloc> :P
17:46 <kmalloc> erus: Hi! :)
17:46 <nsmeds> <3 appreciate your help guys - hopefully smoother sailing going forward
17:46 <kmalloc> nsmeds: yes, very much hopefully so
17:56 <erus> Hi kmalloc how are you? :)
17:56 <kmalloc> erus: good
17:56 <kmalloc> how about yourself?
17:57 * kmalloc is trying to wake up.
17:57 * kmalloc is finally drinking coffee.
18:00 <erus> kmalloc: very well, so excited about starting with keystone :)
18:01 <lbragstad> welcome erus :)
18:01 <erus> I'm a little nervous but doing my best
18:01 <erus> Thanks lbragstad :)
18:08 <lbragstad> kmalloc have you hit this with your x1? https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/2100-Detection-Error-on-Storage-Device-M-2/td-p/4160865
18:15 <kmalloc> lbragstad: nope
18:15 <kmalloc> lbragstad: i've had next to zero issues with the hardware on the X1C6 *except* linux kernel support problems
18:15 <lbragstad> hmm
18:24 *** amoralej is now known as amoralej|off
18:26 <lbragstad> looks like some of the recordings from berlin are making it up
18:30 *** erus has quit IRC
18:36 *** jmlowe has joined #openstack-keystone
18:37 *** erus has joined #openstack-keystone
18:39 *** jmlowe has quit IRC
18:57 *** raildo has joined #openstack-keystone
19:00 <aning> Hi, question about token revocation: how are "issued_before" and "revoked_at" of the revocation_event table used in determining token validity?
19:06 *** jmlowe has joined #openstack-keystone
19:07 <aning> I couldn't find where in the source code they are used.
19:09 <lbragstad> it might depend on the event, but those are used in https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n143
19:13 <aning> lbragstad: And I found there could be multiple entries for the same project for example
19:14 <aning> in that revocation_event table.
19:14 <lbragstad> it depends on the type of event
19:15 <lbragstad> for example, keystone persists a revocation event when you change your password
19:15 <lbragstad> or if you explicitly revoke a token
19:15 <aning> I bet the latest one, the one with the latest "issued_before", is the one that is used ultimately.
19:15 <lbragstad> (using DELETE /v3/auth/tokens)
19:16 <aning> Yeah, I understand how these events are created, but not sure which of the multiple entries are ultimately effective.
19:17 <lbragstad> how do you mean?
19:17 <aning> I could create a revoke event by disabling a project, then I can create another one by deleting the project.
19:18 <aning> they have different issued_before
19:18 <aning> which one is used in determining whether a fernet token received is valid?
19:19 <aning> I would think it's the latest one, but not 100% sure.
19:19 <lbragstad> well - fernet will validate the project (if it's a project-scoped token) online
19:19 * lbragstad digs in the code
19:21 <aning> I could be wrong, but would a fernet token be checked against the revocation_event table to see if it's revoked or not?
19:22 <lbragstad> only in some cases
19:22 <lbragstad> the majority of fernet validation is done online
19:22 <lbragstad> meaning, when a fernet token is validated, it's decrypted and the values are double checked
19:22 <lbragstad> which is a different approach to what revocation events were originally used for
19:23 <lbragstad> for example - when UUID tokens were used, the information in the token wasn't validated in that way at validation time
19:23 <lbragstad> instead, during authentication, the token would get built and written to the database
19:24 <lbragstad> then at validation time, it would get pulled out of the backend and returned to the user
19:24 <aning> Right.
19:24 <lbragstad> revocation events were written to catch invalid tokens before leaving keystone
19:24 <lbragstad> and since uuid tokens never validated anything at validation time, revocation events had to make up for that in their implementation
19:25 <lbragstad> for example, if you had a uuid token scoped to a project and an administrator took away your role assignment on that project, the revocation event would have the project ID and the time at which the role was removed
19:25 <lbragstad> which was compared to the UUID token reference
19:26 <aning> If I explicitly revoke a fernet token by 'openstack token revoke', there will be an event created
19:26 <lbragstad> now, keystone just pulls the project id + user id from the token and asks the assignment backend if the user has any role assignments on the project, if no.. then it's considered a 401
19:26 <aning> with an audit id in it.
19:26 <lbragstad> aning yep - exactly
19:26 <lbragstad> because we don't write fernet tokens down anywhere, explicit revocations have to happen with audit-ids
19:27 <aning> Other than this case, revoke events are not actually used? I mean for fernet tokens.
19:27 <lbragstad> we can't flip a bit in the token table saying a particular token is deleted, or revoked, because fernet tokens are non-persistent
19:27 <lbragstad> fernet tokens have to use them for password changes
19:27 <lbragstad> but yeah - those are the two big cases for revocation events
19:27 <lbragstad> now that only fernet is supported
19:27 <lbragstad> everything else should be validated online
19:29 *** aojea has joined #openstack-keystone
19:29 <lbragstad> that said - you bring up a good point.. there is probably some work to be done with revocation events so that we're not writing them if we don't need them
19:29 <aning> Yeah, that makes sense. Project deletion, disable, etc, can be done by checking project validation
19:47 <aning> lbragstad: I would think for explicit revocation, we don't even need 'issued_before' and 'revoked_at', since audit_ids are actually unique.
19:49 <aning> For user password change, probably we don't need to create multiple entries in the table. Just update the existing one.
19:50 <aning> if there is one in the table already.
19:54 <lbragstad> yeah - you're probably on to something there
19:54 <lbragstad> the data we persist for revocation events never really evolved after we implemented non-persistent tokens
19:55 <lbragstad> so - i'm sure there are things we could optimize or just cut out completely
19:57 <aning> lbragstad: thx. I may come back on this later on ...
19:58 <lbragstad> aning sure thing... if you come up with any redundancies we should open them as bugs
19:59 <aning> lbragstad: well, so far I find the multiple entries a bit confusing, and they could be optimized.
19:59 * lbragstad steps away to grab lunch quick
20:16 *** david-lyle has joined #openstack-keystone
20:18 *** dklyle has quit IRC
20:23 *** jmlowe has quit IRC
20:28 <kmalloc> aning: a lot of the revocation table needed to be as it was due to PKI and UUID tokens
20:28 <kmalloc> we could eliminate a number of the bits for it.
20:28 <aning> kmalloc: right
20:29 <kmalloc> revoke events are really only useful (at this point) for password changes and/or grant changes.
20:29 <aning> kmalloc: what do you mean by grant changes, role assignment?
20:29 <kmalloc> we've just not touched them (because they mostly just work) for a while.
20:29 <kmalloc> yeah role assignments.
20:30 <kmalloc> you could issue a revoke event if a role is removed from a user
20:30 <kmalloc> oh, and explicit token revoke (don't do this... really, not worth the headache)
20:30 <aning> but I think role assignment can be checked online, since the ids are in the token ...
20:30 <kmalloc> it can be. this is a wider reaching bit of behavior.
20:31 <kmalloc> i disagree with the "dynamically change the roles within a token" bit in fernet
20:31 <kmalloc> as it *could* change working behavior of a token mid-flight
20:32 <kmalloc> that is a side conversation
20:32 <kmalloc> so, realistically we only need revocations for password changes (this could also be done implicitly based upon the password change time)
20:32 <kmalloc> and explicit revocations (which I really would like to see go away)
20:32 <kmalloc> disabled user/project/domain is all live
20:33 <kmalloc> etc. etc.
20:34 <aning> Looks like there is quite a bit that can be optimized around this.
20:36 <lbragstad> well - we use online validation for role assignment
20:36 <lbragstad> assignments*
20:39 *** jmlowe has joined #openstack-keystone
20:41 *** jmlowe has quit IRC
20:47 *** raildo has quit IRC
20:47 *** raildo_ has joined #openstack-keystone
21:09 *** erus has quit IRC
21:11 *** erus has joined #openstack-keystone
21:32 <lbragstad> kmalloc hrybacki were either of you able to ack this by simo one last time? https://review.openstack.org/#/c/541903/
21:46 *** amoralej|off is now known as amoralej
21:47 *** amoralej is now known as amoralej|off
21:49 <hrybacki> lbragstad: sure thing
22:03 <lbragstad> cmurphy after watching a couple other project updates, i wish i would have included more contributor data
22:04 <lbragstad> seems like an interesting data point I've always kinda glossed over
22:04 <cmurphy> lbragstad: that's a good idea
22:13 *** jaosorior has quit IRC
22:16 <kmalloc> lbragstad: i have not been able to.
22:16 *** jaosorior has joined #openstack-keystone
22:17 <kmalloc> aning: i think we can probably narrow revocation events down to a very small number
22:17 <kmalloc> aning: like... explicit revocations
22:17 <kmalloc> and that's it. [hopefully]
22:17 <aning> The ones with audit_ids?
22:18 *** rcernin has joined #openstack-keystone
22:18 *** pcaruana has quit IRC
22:18 <aning> kmalloc: how would you handle user password change?
22:20 <lbragstad> those might still need revocation events
22:27 <kmalloc> lbragstad, aning: look at the user's password change timestamp and compare it to the tokens
22:27 <kmalloc> we already have to load the user object
22:27 <kmalloc> we have the password data from that
22:27 <kmalloc> :)
22:27 <kmalloc> we can eliminate another rev. event that way
22:28 <lbragstad> oh - sure.. that might work
22:28 <kmalloc> yeah
22:28 <kmalloc> just optimisations we didn't have originally
22:28 <lbragstad> i suppose the PCI-DSS stuff might make that possible
22:28 <kmalloc> the PCI-DSS work has added a lot of extra metadata that is useful
22:28 <kmalloc> ;)
22:28 <lbragstad> yeah
22:28 <kmalloc> i only realized that bit when we talked about it earlier today
22:29 <kmalloc> soooo yay aning helping us realize added benefits of code we already wrote
22:29 <aning> ;)
22:38 *** itlinux has quit IRC
22:41 <lbragstad> jaosorior nice work on https://www.youtube.com/watch?v=k6-ihXsNFEE
22:47 *** irclogbot_1 has quit IRC
22:48 *** aojea has quit IRC
22:51 *** lbragstad has quit IRC
22:52 *** lbragstad has joined #openstack-keystone
22:52 *** ChanServ sets mode: +o lbragstad
22:53 <jaosorior> lbragstad: thanks!
22:53 *** jaosorior has quit IRC
23:08 *** irclogbot_1 has joined #openstack-keystone
23:17 *** eandersson has joined #openstack-keystone
23:17 <hrybacki> lbragstad ASK IS OUT!
23:17 <hrybacki> wow caps
23:17 <lbragstad> super excited
23:18 <lbragstad> <3 !!!!!!
23:24 *** raildo_ has quit IRC
23:30 <eandersson> Anyone know why trustee would fail if e.g. the heat_owner role was removed and re-created?
23:31 <openstackgerrit> Merged openstack/oslo.policy master: Fully log RBAC enforcement data  https://review.openstack.org/619260
23:33 <lbragstad> eandersson did the role id change?
23:33 <eandersson> yea
23:33 <eandersson> figured that would be it, but not sure how to fix it, manually change it back? :D
23:35 <lbragstad> hmm
23:35 <lbragstad> could you create a new trust, or rotate it out/
23:35 <lbragstad> ?
23:37 <lbragstad> or use application credentials?
23:38 <lbragstad> since they are more "rotate-able"?
23:40 *** jdennis has quit IRC
23:46 <lbragstad> that might not be possible depending on the release you're using i suppose
23:57 *** jdennis has joined #openstack-keystone
23:57 <eandersson> thanks lbragstad
23:58 <eandersson> Is this a normal implementation? https://github.com/openstack/senlin/blob/111ea8eabd2ec0f942c5a1f4ddb2fdcea8f98ba4/senlin/engine/service.py#L240
23:58 <eandersson> Seems Senlin stores some of the trustee data in the db?
