Monday, 2018-12-10

00:23 *** dave-mccowan has quit IRC
00:36 *** sapd1_ has joined #openstack-keystone
00:44 *** sapd1_ has quit IRC
00:50 *** erus has quit IRC
01:00 *** erus has joined #openstack-keystone
01:02 *** Nel1x has quit IRC
01:07 *** sapd1_ has joined #openstack-keystone
01:19 *** sapd1_ has quit IRC
01:21 *** markvoelker has quit IRC
01:22 *** markvoelker has joined #openstack-keystone
01:26 *** markvoelker has quit IRC
01:50 *** sapd1_ has joined #openstack-keystone
02:13 *** lbragstad has quit IRC
02:15 *** Dinesh_Bhor has joined #openstack-keystone
02:16 *** lbragstad has joined #openstack-keystone
02:16 *** ChanServ sets mode: +o lbragstad
02:17 *** Dinesh_Bhor has quit IRC
02:28 *** erus has quit IRC
02:29 *** itlinux has quit IRC
02:32 *** mhen has quit IRC
02:34 *** mhen has joined #openstack-keystone
02:35 *** Dinesh_Bhor has joined #openstack-keystone
02:43 *** erus has joined #openstack-keystone
02:44 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level support for strict-two-level-model  https://review.openstack.org/623153
02:54 *** wxy-xiyuan has joined #openstack-keystone
03:38 *** lbragstad has quit IRC
03:46 *** Dinesh_Bhor has quit IRC
03:49 *** erus has quit IRC
03:55 *** erus has joined #openstack-keystone
03:55 *** Dinesh_Bhor has joined #openstack-keystone
03:56 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Update project depth check  https://review.openstack.org/623984
04:41 *** zzzeek has quit IRC
04:41 *** zzzeek has joined #openstack-keystone
05:05 *** sapd1_ has quit IRC
05:18 *** sapd1_ has joined #openstack-keystone
05:23 *** sapd1_ has quit IRC
06:03 *** sapd1_ has joined #openstack-keystone
06:48 *** sapd1_ has quit IRC
06:48 *** sapd__ has joined #openstack-keystone
06:55 *** sapd__ has quit IRC
07:16 *** alexchadin has joined #openstack-keystone
07:20 *** nehaalhat_ has joined #openstack-keystone
07:23 *** rcernin has quit IRC
07:25 *** nehaalhat_ has quit IRC
07:57 *** Dinesh_Bhor has quit IRC
08:10 *** trident has quit IRC
08:11 *** amoralej|off is now known as amoralej
08:13 *** trident has joined #openstack-keystone
08:18 *** xek has joined #openstack-keystone
08:22 *** imacdonn has quit IRC
08:22 *** imacdonn has joined #openstack-keystone
08:27 *** nehaalhat has joined #openstack-keystone
08:30 *** ShilpaSD has joined #openstack-keystone
08:31 *** nehaalhat has quit IRC
08:32 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Release note for domain level limit  https://review.openstack.org/624019
08:34 *** nehaalhat_ has joined #openstack-keystone
08:38 *** nehaalhat_ has quit IRC
08:46 *** nehaalhat has joined #openstack-keystone
08:47 <nehaalhat> ShilpaSD: Hi
09:00 *** Dinesh_Bhor has joined #openstack-keystone
09:09 *** Dinesh_Bhor has quit IRC
09:25 *** shrasool has joined #openstack-keystone
09:46 *** Dinesh_Bhor has joined #openstack-keystone
09:47 *** Dinesh_Bhor has quit IRC
09:54 *** sapd1_ has joined #openstack-keystone
10:06 *** sapd1_ has quit IRC
10:52 *** sapd1_ has joined #openstack-keystone
10:58 *** sapd1_ has quit IRC
11:39 *** sapd1_ has joined #openstack-keystone
11:43 *** sapd1_ has quit IRC
12:05 *** raildo has joined #openstack-keystone
12:41 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Consolidate tokenless X.509 docs  https://review.openstack.org/624072
12:55 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move "Public ID Generators" to relevant docs  https://review.openstack.org/624076
12:57 *** jistr is now known as jistr|medchk
13:13 *** dave-mccowan has joined #openstack-keystone
13:23 *** amoralej is now known as amoralej|lunch
13:28 *** nehaalhat has quit IRC
13:32 *** sapd1_ has joined #openstack-keystone
13:36 *** sapd1_ has quit IRC
13:40 *** erus has quit IRC
13:41 *** erus has joined #openstack-keystone
13:45 *** jmlowe has quit IRC
13:48 *** aojea_ has joined #openstack-keystone
13:56 *** jistr|medchk is now known as jistr
13:57 *** imus has joined #openstack-keystone
14:06 *** aojea_ has quit IRC
14:17 *** lbragstad has joined #openstack-keystone
14:17 *** ChanServ sets mode: +o lbragstad
14:17 *** openstackstatus has joined #openstack-keystone
14:17 *** ChanServ sets mode: +v openstackstatus
14:19 *** amoralej|lunch is now known as amoralej
14:24 *** jmlowe has joined #openstack-keystone
14:24 *** jmlowe has quit IRC
14:25 *** jmlowe has joined #openstack-keystone
14:30 *** jmlowe has quit IRC
14:34 *** shrasool has quit IRC
14:35 *** jmlowe has joined #openstack-keystone
14:42 *** alexchadin has quit IRC
14:43 *** aojea_ has joined #openstack-keystone
14:48 *** aojea_ has quit IRC
14:51 *** sapd1_ has joined #openstack-keystone
14:53 *** gagehugo has joined #openstack-keystone
14:55 *** mvkr has quit IRC
14:57 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move SSL recommendation to installation guide  https://review.openstack.org/624100
15:20 <gagehugo> o/
15:25 *** mvkr has joined #openstack-keystone
15:28 <lbragstad> hola
15:43 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Use auth_context in issue_token exclusively  https://review.openstack.org/582635
15:44 *** itlinux has joined #openstack-keystone
15:46 *** jmlowe has quit IRC
15:46 *** itlinux has quit IRC
15:53 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Use request_body_json function  https://review.openstack.org/612492
15:53 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move supported clients section to user guide  https://review.openstack.org/624115
16:24 *** jmlowe has joined #openstack-keystone
16:34 *** jmlowe has quit IRC
16:35 *** openstackgerrit has quit IRC
16:47 *** gyee has joined #openstack-keystone
16:56 *** itlinux has joined #openstack-keystone
16:57 *** raildo has quit IRC
18:12 *** jmlowe has joined #openstack-keystone
18:17 *** raildo has joined #openstack-keystone
18:24 *** sapd1_ has quit IRC
18:28 *** vishwanathj has joined #openstack-keystone
18:32 <vishwanathj> Hi, what is the default lifespan for a keystone token? Is there a way to change the default lifespan to, say, 8 hours? Also, is there a setting on other services such as nova, neutron and heat that needs to be changed for the token lifespan to be enhanced? Thanks in advance for all your help
18:32 *** ayoung has joined #openstack-keystone
18:38 <ayoung> kmalloc, cache backend dogpile (Pike era) would be replaced with oslo.cache by now (Queens and later) right?
18:41 *** amoralej is now known as amoralej|off
18:43 <lbragstad> vishwanathj token expiration is configurable https://docs.openstack.org/keystone/latest/configuration/config-options.html#token.expiration
18:45 <vishwanathj> lbragstad appreciate the response
18:45 *** raildo has quit IRC
18:46 <vishwanathj> lbragstad what setting on nova, neutron, glance and heat do I need to change to increase the token expiration time
18:46 *** openstackgerrit has joined #openstack-keystone
18:46 <openstackgerrit> Morgan Fainberg proposed openstack/keystone-specs master: Add resource-options-for-all specification  https://review.openstack.org/624162
18:47 <kmalloc> ayoung: yes it should be
18:47 <kmalloc> lbragstad: ^
18:47 <kmalloc> lbragstad: should be an easy spec to accept.
18:47 <lbragstad> vishwanathj token expiration is only controllable via keystone
18:48 <openstackgerrit> Morgan Fainberg proposed openstack/keystone-specs master: Add resource-options-for-all specification  https://review.openstack.org/624162
18:49 <kmalloc> gagehugo: got the nvidia driver working. it's annoying but it stopped the crashing
18:50 <gagehugo> kmalloc: nice
18:50 <gagehugo> it's not the greatest, but it works a lot better than it used to :/
18:50 <kmalloc> gagehugo: it was still annoying and xiccd isn't starting when i login. but that is a totally unrelated issue wrt display calibration
18:51 <kmalloc> gagehugo: now i just wait for my 3rd monitor to arrive and i'll have everything set up properly
18:51 *** sapd1_ has joined #openstack-keystone
18:51 <kmalloc> gagehugo: 3x 2160p monitors in portrait mode is nice for development
18:51 <gagehugo> oh my
18:52 <kmalloc> gagehugo: got a good deal on the dell u2718q monitors :)
18:53 <gagehugo> those thin bezels look nice
18:54 <kmalloc> gagehugo: yeah and they're almost the same size top and bottom
18:54 <kmalloc> gagehugo: so it works really well in portrait
18:54 <gagehugo> we just have 22" 1080p ones here in the office :(
18:55 <kmalloc> gagehugo: my biggest issue is finding wallpaper that is 3840p in size :P
18:55 <gagehugo> heh
18:55 <gagehugo> at that point I'd just throw something together in paint.net
18:55 *** sapd1_ has quit IRC
18:56 <kmalloc> gagehugo: :)
18:56 <kmalloc> gagehugo: the best part is 3x2160p in portrait is still 16:9 ratio :)
18:56 <gagehugo> oh, true
18:56 <gagehugo> that makes it easier
18:57 <kmalloc> yup
18:57 * kmalloc did the maths
18:57 <kmalloc> :P
18:57 <kmalloc> lbragstad: i... i thought of a rather glaring hole in application credentials (cc cmurphy)
18:58 <gagehugo> uh oh
18:58 *** sapd1_ has joined #openstack-keystone
18:58 <kmalloc> lbragstad, cmurphy: when we have MFA rules enabled, app-creds may not work. do we want to explicitly allow them like we do token type auth?
18:58 <kmalloc> basically today if someone enables MFA rules, it could exempt application creds from working at all.
18:58 <kmalloc> gagehugo: feel free to weigh in as well
19:00 <lbragstad> how do you mean?
19:01 <kmalloc> lbragstad: token auth type is always allowed
19:01 <kmalloc> explicitly, even with MFA rules enabled
19:01 <kmalloc> do we want to force the MFA rules to explicitly delineate app creds as a type?
19:02 <kmalloc> which does allow for TOTP/HOTP + app cred
19:02 <kmalloc> or do we want to treat app creds like tokens, implicitly valid/allowed
19:09 <lbragstad> hmm
19:09 *** mvkr has quit IRC
19:09 <gagehugo> allowing TOTP/HOTP + app cred sounds reasonable
19:09 <gagehugo> I think
19:17 <kmalloc> i'm generally leaning towards app creds not needing / allowing MFA.
19:17 <kmalloc> adriant: ^ cc
19:17 <kmalloc> lbragstad: also. omg... vacation...soon
19:17 <gagehugo> the use case for app cred + MFA sounds weird though if it's something automated
19:18 <gagehugo> hmm
19:18 <kmalloc> yeah
19:18 <kmalloc> i think the correct answer is app creds are implicitly allowed like token is when it comes to MFA Rules.
19:19 <kmalloc> I also am thinking that we need to have a way of blocking users from creating app creds for specific scopes (e.g. a project has a resource option that prohibits app creds)
19:19 <aning_> Are there any ways to revoke all existing fernet tokens?
19:19 <kmalloc> aning_: you can do an explicit delete on the token id (not recommended) at /v3/auth/tokens
19:20 <kmalloc> aning_: you can also do some things such as change the user's password.
19:20 <lbragstad> aning_ you can just rotate all your fernet keys
19:20 <kmalloc> ^ that too
19:21 <aning_> right, rotating keys will revoke them all in one shot
19:21 <lbragstad> aning_ any previously issued token will be unusable since the keys used to encrypt it will be gone
19:21 <aning_> Yep, got it.
19:21 <kmalloc> oh i misread "all tokens"
19:21 <kmalloc> hah
19:22 <kmalloc> yeah rotating keys is the only real option
19:22 <aning_> kmalloc: but your answers are good too +1
19:22 <lbragstad> aning_ just be prepared for a possible uptick in traffic
19:22 <lbragstad> if clients automatically reauth if they get a 401 (which they will)
19:22 <aning_> got it.
19:23 <aning_> thx
19:23 <kmalloc> lbragstad: working on digging into shadow users ... it's really kind of all over. i am feeling like replacing it is going to be about as much work as completing it atm :(
19:23 <lbragstad> np
19:26 <lbragstad> kmalloc are you keeping notes of any of that analysis?
19:27 *** aojea has joined #openstack-keystone
19:30 <kmalloc> lbragstad: not a lot of notes atm. i'm just trying to understand it before making a recommendation
19:31 <kmalloc> lbragstad: like right now... it's somewhere around 1/2 implemented in random places and not implemented but referenced elsewhere
19:31 <kmalloc> it's very much all over the place.
19:31 <kmalloc> legitimately my notes are something like "what the heck is going on here... wait wut?!"
19:33 *** aojea has quit IRC
19:33 *** aojea_ has joined #openstack-keystone
19:34 *** ayoung has quit IRC
19:38 <kmalloc> lbragstad, gagehugo, cmurphy, knikolla: could you quickly weigh in on this RFE: https://bugs.launchpad.net/keystone/+bug/1802136
19:38 <openstack> Launchpad bug 1802136 in OpenStack Identity (keystone) "RFE: Keystone SQL backend (and `user_create` API) should support prehashed passwords" [Undecided,New]
19:39 <kmalloc> i've gone back and forth with the submitter and i'm not opposed based upon the answers, but I still am hesitant
19:39 <kmalloc> it is so prone to errors when using.
19:39 <gagehugo> I looked at that before, that's very weird
19:40 <knikolla> reading
19:40 <kmalloc> my comments cover most everything needed, i think, to evaluate it
19:41 <kmalloc> i hesitate because it is likely the prehashed password won't conform (metadata or ident) in the way passlib would handle it
19:41 <kmalloc> maybe as a condition to accepting that, have keystone-manage be used instead
19:41 <kmalloc> rather than via the API itself.
19:42 <kmalloc> also: https://bugs.launchpad.net/keystone/+bug/1807697 -- that is another one i'm not really sure about. want a second voice on it.
19:42 <openstack> Launchpad bug 1807697 in OpenStack Identity (keystone) "[RFE] Token returns Project's extra properties" [Undecided,New]
19:47 <knikolla> i'm hesitant as it feels like there should be a better way to solve the problem than injecting hashes of passwords
19:47 <knikolla> this is curing the symptom
19:47 <kmalloc> knikolla: the request is not unreasonable
19:48 <kmalloc> supporting non-plaintext passwords for users via the API.
19:48 <kmalloc> but....
19:48 <kmalloc> i see this feature simply generating a lot of "well i put the hash in, it didn't accept it...or i can't login"
19:48 <kmalloc> because we lean on passlib's $ident$metadata$hash form
19:49 <kmalloc> and that is just as likely to be mis-done when someone "tries" to do it outside of passlib
19:51 <knikolla> but it becomes part of the api and something that we must support.
19:52 *** xek has quit IRC
19:52 *** xek has joined #openstack-keystone
19:53 <gagehugo> how would keystone still be pci-dss compliant if we allow pre-hashed passwords?
19:54 *** aojea_ has quit IRC
19:56 <kmalloc> would need to be disabled in some cases
19:56 <kmalloc> but we also exempt pci-dss checking when admins set the password
19:59 <gagehugo> you would have to have something keep track of the hashing algorithm between app X and keystone as well I assume
20:00 <lbragstad> so - https://bugs.launchpad.net/keystone/+bug/1802136 would require plaintext passwords in sql?
20:00 <openstack> Launchpad bug 1802136 in OpenStack Identity (keystone) "RFE: Keystone SQL backend (and `user_create` API) should support prehashed passwords" [Undecided,New]
20:00 <lbragstad> i don't get the "stored in scripts" bit
20:01 <gagehugo> I assume they have a script to auto-gen their admins and don't want to put the plaintext passwords in them
20:01 <kmalloc> gagehugo: we only ever support passlib hashing algos
20:01 <gagehugo> and feel "safer" with the passwords hashed
20:01 <kmalloc> gagehugo: and for new passwords we support bcrypt or scrypt
20:01 <gagehugo> but the end result of those getting compromised is the same
20:01 <kmalloc> for older ones we support sha256 (pbkdf)
20:02 <gagehugo> if someone gets a hold of the script, you're going to change the passwords, hashed or not
20:02 <kmalloc> lbragstad: no. it would require someone to hash the password and submit it to the API
20:02 <kmalloc> as requested
20:02 <kmalloc> the RFE is to allow something-not-keystone to hash the password
20:03 <lbragstad> so - keystone would blindly trust that whatever is passed to it has been hashed? or we have to attempt to validate the hash is actually a hash?
20:03 <kmalloc> and submit "hashed_password" vs "password" to the user_Create api
20:03 *** shrasool has joined #openstack-keystone
20:03 <kmalloc> the way we would do it is: check that ident and metadata are sane
20:03 <gagehugo> lbragstad: that is kinda what I'm thinking, having to maintain that sounds terrible imo
20:03 <kmalloc> and then blindly trust the hash
20:03 <kmalloc> ident is easy to check
20:03 <kmalloc> we check it on every auth anyway
20:03 <kmalloc> metadata is harder...but doable
20:04 <kmalloc> hash we can't ever know if anything about the password conforms to our rules beyond that
20:04 <kmalloc> just that it is claimed to be a hash.
20:04 <lbragstad> right
20:04 <kmalloc> i don't like it
20:04 <kmalloc> but... i can see why this RFE exists.
20:04 <lbragstad> i need to think about it
20:04 *** aojea has joined #openstack-keystone
20:04 <gagehugo> I don't think it really buys any real security
20:04 <kmalloc> personally, i'd rather support an "external validate" of password and/or vault storage of passwords
20:05 <gagehugo> (vault) storage of passwords :p
20:05 <knikolla> rather than pushing the hashed password to keystone, i'd rather keystone delegate the password to an external system
20:05 <kmalloc> vault->hashicorp vault
20:05 <lbragstad> my knee-jerk reaction is to be really skeptical of accepting *anything* of that kind of importance without knowing keystone executed the code to perform the hash
20:05 *** raildo has joined #openstack-keystone
20:05 <kmalloc> lbragstad: my reaction is "we did support this for ldap because $reasons$"
20:05 <kmalloc> and i get what people want
20:06 <kmalloc> i don't think it buys much of anything.
20:06 <kmalloc> but folks don't want CMS to have to house plaintext passwords
20:07 <kmalloc> that said, i think you just attack the other side then
20:07 <knikolla> could they deploy an ldap for admin users and manage them there?
20:07 <kmalloc> the consuming script/user is as much a target as keystone as a service for CMS to configure is.
20:07 <lbragstad> they could
20:08 <knikolla> also ansible and other CMS-es have plugins into vault, etc.
20:08 <knikolla> you don't really need to store the plaintext on CMS.
20:08 <kmalloc> yah
20:08 <kmalloc> ok sounds to me like "not in line with the project direction"
20:08 <gagehugo> could use barbican refs if it's automated
20:09 <kmalloc> gagehugo: not really, but that is a separate concern
20:09 <gagehugo> it's not the best approach
20:09 <kmalloc> because passwords are needed to get data from barbican
20:09 <gagehugo> yeah
20:09 <kmalloc> barbican can't ever be in the auth path
20:09 <kmalloc> barbican can hold secrets for non-auth stuff.
20:09 <knikolla> but a password is needed anyway to access the api to store the hashed password.
20:09 <knikolla> they need a way to validate the api call
20:09 <kmalloc> yeah so...
20:10 * kmalloc goes with marking this as not accepted.
20:10 <kmalloc> and recommending using tools like vault integration with CMS etc.
20:10 <knikolla> ++
20:10 <kmalloc> since this doesn't meaningfully reduce the surface area of attack
20:12 <gagehugo> ++
20:13 <gagehugo> the token project extras sounds like they want to do custom policy?
20:15 <kmalloc> you can see my last update
20:16 <kmalloc> and marked the bug as invalid
20:16 <kmalloc> lbragstad, gagehugo, knikolla: anyone have issues with me marking https://bugs.launchpad.net/keystone/+bug/1807697 as invalid? i don't like the extras stuff and don't want to bloat more responses with it
20:16 <openstack> Launchpad bug 1807697 in OpenStack Identity (keystone) "[RFE] Token returns Project's extra properties" [Undecided,New]
20:16 *** mvkr has joined #openstack-keystone
20:17 <gagehugo> kmalloc: nope
20:17 <gagehugo> kmalloc: do we officially say anywhere that we do not support extras?
20:17 <kmalloc> i hope not
20:17 <gagehugo> support == implement new features
20:17 <kmalloc> i think we have stripped most of that crap from our docs
20:18 <kmalloc> or have said "Yo, don't do this"
20:18 <gagehugo> ok
20:18 <kmalloc> i'd rather have a "vendor data" key that deployers can put whatever they want in
20:18 <kmalloc> and that None explicitly clears
20:18 *** shrasool has quit IRC
20:18 <kmalloc> heck, we could use resource-options for that.
20:18 <kmalloc> just have a vendor-data r-o
20:18 <knikolla> extra agree with not using extras
20:26 *** jmlowe has quit IRC
20:30 *** ayoung has joined #openstack-keystone
20:32 *** jmlowe has joined #openstack-keystone
20:33 *** jmlowe has quit IRC
20:42 *** aojea has quit IRC
20:44 *** aojea has joined #openstack-keystone
20:58 *** jmlowe has joined #openstack-keystone
21:00 <gagehugo> kmalloc: did anything change with this: https://review.openstack.org/#/c/616304/
21:08 <kmalloc> gagehugo: nothing yet. going to propose/work with it to land in dogpile directly
21:10 <gagehugo> ok, I saw you had a PR merge
21:21 *** sapd1_ has quit IRC
21:24 *** sapd1_ has joined #openstack-keystone
21:28 *** aojea has quit IRC
21:28 *** aojea_ has joined #openstack-keystone
21:28 <kmalloc> gagehugo: ah. maybe it did merge
21:36 <kmalloc> i hadn't gotten around to it.
21:37 <kmalloc> lots going on
21:58 *** sapd1_ has quit IRC
22:03 *** sapd1_ has joined #openstack-keystone
22:05 *** imus has quit IRC
22:07 *** sapd1_ has quit IRC
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Bump oslo.policy and oslo.context versions  https://review.openstack.org/623248
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role for projects  https://review.openstack.org/624215
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member role project test coverage  https://review.openstack.org/624216
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in project API  https://review.openstack.org/624217
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for projects  https://review.openstack.org/624218
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain member functionality for projects  https://review.openstack.org/624219
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain admin functionality for projects  https://review.openstack.org/624220
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the project API  https://review.openstack.org/624221
22:23 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove project policies from policy.v3cloudsample.json  https://review.openstack.org/624222
22:33 *** aojea_ has quit IRC
22:36 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/623334
22:36 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member role domain test coverage  https://review.openstack.org/605849
22:36 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in domains API  https://review.openstack.org/605850
22:36 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API  https://review.openstack.org/605851
22:36 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains  https://review.openstack.org/605871
22:36 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json  https://review.openstack.org/605876
22:36 <lbragstad> gagehugo i had to clean up one release note ^
22:36 <lbragstad> cc rodrigods ^
22:43 *** itlinux has quit IRC
22:59 *** rcernin has joined #openstack-keystone
23:00 <gagehugo> kmalloc: gotcha, no rush, was just curious
23:00 <gagehugo> lbragstad: ack
23:19 *** dave-mccowan has quit IRC
23:46 *** raildo has quit IRC
23:49 *** itlinux has joined #openstack-keystone

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!