Thursday, 2019-01-10

« Wednesday, 2019-01-09 Index Friday, 2019-01-11 »
prometheanfiretonyb: ya00:17
*** itlinux has joined #openstack-keystone00:17
prometheanfiretonyb: https://github.com/openstack/ldappool/commit/459000d7aa3fa1ace05c800ff1273b99fbd8babe in https://github.com/openstack/ldappool/compare/2.2.0...2.3.100:17
prometheanfiretonyb: deps got updated, python-ldap>=3.0.0 which is not in queens upper-constraints00:18
lbragstadtonyb yep!00:22
tonybprometheanfire: Interesting so we can't use that release on queens and possibly need to revert that change?00:22
tonybthe github UI is confusing for that kind of thing00:23
prometheanfiretonyb: no, just can't bump the version in queens because the deps of ldap-pool changed00:25
prometheanfire15:12 <  prometheanfire > dep was updated python-ldap>=3.0.0, not sure if that'll conflict with other stuff in queens00:26
tonybprometheanfire: Okay that sounds wrong00:26
prometheanfirenamely that python-ldap doesn't exist in queens00:26
tonybOkay now I;m really confused00:26
prometheanfireya, looking at pike it's not there too...00:27
prometheanfirehttps://github.com/openstack/ldappool/commit/f1d30bce9b48cd01f8421afe72a220662ce5f8ed00:28
prometheanfirethat was part of 2.3.0, and the fix they want to consume is in 2.3.100:29
prometheanfireI'm still not sure how we don't have it00:30
prometheanfirepython-ldap is in master at least00:30
tonybprometheanfire: but that chnage is part of 2.3.X which is for rocky not queens why are we talking about queens?00:31
tonybqueens should be comsuming ldappool 2.2.X releases, rocky 2.3.X and stein 2.4.X00:32
prometheanfireldappool in queens is 2.200:32
prometheanfirethey want to updated it to at least the rocky version00:32
tonybOh00:32
prometheanfirebecause it contains https://github.com/openstack/ldappool/commit/459000d7aa3fa1ace05c800ff1273b99fbd8babe00:32
tonybthey can't00:32
prometheanfireyep00:32
tonybthey need to backport that to 2.2 without needed python-ldap00:33
prometheanfireyep00:33
prometheanfirenwilburn is gone from here though00:33
tonybOkay.00:34
tonybprometheanfire: I was confused becauise I said00:34
tonyb"so we can't use that release on queens" and you said "no" which I thought menat you were okay with using that release on queens00:35
prometheanfireoh, 'no, we can't use it on queens'00:35
tonybprometheanfire: Okay00:35
prometheanfireyay:D00:35
tonybSeems to me if pyldap exposes INVALID_CREDENTIALS then it's a simple backport + release00:37
tonyband then bump to 2.2.1 on queens00:37
prometheanfireanyway, off to kill a dragon or lich or something00:38
*** gmann_pto is now known as gmann01:07
*** markvoelker has joined #openstack-keystone01:40
*** markvoelker has quit IRC01:45
*** gyee has quit IRC01:50
*** erus_ has joined #openstack-keystone02:10
*** Dinesh_Bhor has joined #openstack-keystone02:28
*** whoami-rajat has joined #openstack-keystone02:31
openstackgerritAdrian Turjak proposed openstack/keystone master: Add documentation for Auth Receipts and MFA  https://review.openstack.org/58053502:34
*** markvoelker has joined #openstack-keystone02:51
*** raildo has quit IRC02:51
*** mhen has quit IRC02:57
*** mhen has joined #openstack-keystone02:58
*** jdennis has quit IRC03:29
*** jdennis has joined #openstack-keystone03:34
*** markvoelker has quit IRC03:53
*** Dinesh_Bhor has quit IRC04:07
*** eandersson has joined #openstack-keystone04:29
*** annp_ has joined #openstack-keystone04:42
eanderssonAnyone know an obvious reason why we would get a ton of "user is not a trustee" errors after upgrading to Rocky?04:51
*** jrist has quit IRC04:54
*** Dinesh_Bhor has joined #openstack-keystone04:55
*** markvoelker has joined #openstack-keystone04:59
*** vishakha has joined #openstack-keystone05:01
*** jrist has joined #openstack-keystone05:07
*** xek_ has joined #openstack-keystone05:11
*** xek has quit IRC05:12
*** lbragstad has quit IRC05:12
*** erus_ has quit IRC05:16
*** itlinux has quit IRC05:18
*** shyamb has joined #openstack-keystone05:42
*** markvoelker has quit IRC06:03
*** markvoelker has joined #openstack-keystone06:05
*** dave-mccowan has quit IRC06:41
*** Dinesh_Bhor has quit IRC06:41
*** prometheanfire has left #openstack-keystone06:43
*** Dinesh_Bhor has joined #openstack-keystone06:44
*** rcernin has quit IRC06:44
*** rcernin has joined #openstack-keystone06:44
*** Dinesh_Bhor has quit IRC06:58
*** rcernin has quit IRC07:03
*** shyamb has quit IRC07:09
*** pcaruana has joined #openstack-keystone07:51
*** shyamb has joined #openstack-keystone08:45
*** nsmeds has quit IRC08:51
*** markvoelker has quit IRC08:52
*** shyam89 has joined #openstack-keystone08:54
*** shyamb has quit IRC08:57
*** shyam89 has quit IRC09:05
*** shyam89 has joined #openstack-keystone09:05
openstackgerritwangxiyuan proposed openstack/keystone master: Fix app_cred schema spell nit  https://review.openstack.org/62980009:17
*** shyam89 has quit IRC09:29
*** shyamb has joined #openstack-keystone09:38
*** markvoelker has joined #openstack-keystone09:49
*** markvoelker has quit IRC09:51
*** jaosorior has quit IRC10:00
*** itlinux has joined #openstack-keystone10:01
*** shyamb has quit IRC10:02
*** itlinux has quit IRC10:05
*** shyamb has joined #openstack-keystone10:06
*** yan0s has joined #openstack-keystone10:45
yan0sHi all10:46
yan0sI have a question on keystone  federation10:46
yan0sshould mappings be modified dynamically?10:47
yan0sfor example if I want to extend a whitelist10:47
yan0sor should they be defined once and never change?10:48
cmurphyyan0s: you can change them after you define them10:51
*** jaosorior has joined #openstack-keystone11:01
*** openstackgerrit has quit IRC11:05
yan0sand this ok as a practice too?11:06
*** shyamb has quit IRC11:29
cmurphyyan0s: yes I would say so, same as regular users need new role assignments or new groups. you can use keystone-manage mapping_engine to test the new rules before you apply them for a tiny bit of extra safety11:30
*** shyamb has joined #openstack-keystone11:42
*** shyamb has quit IRC11:44
*** shyamb has joined #openstack-keystone11:44
*** itlinux has joined #openstack-keystone12:01
*** itlinux has quit IRC12:06
*** shyamb has quit IRC12:12
*** shyamb has joined #openstack-keystone12:12
*** raildo has joined #openstack-keystone12:29
*** shyamb has quit IRC12:57
*** nwilburn has joined #openstack-keystone12:59
*** raildo has quit IRC13:13
*** dave-mccowan has joined #openstack-keystone13:18
*** raildo has joined #openstack-keystone13:24
*** vishakha has quit IRC13:39
*** dave-mccowan has quit IRC13:48
*** GregWaines has joined #openstack-keystone13:49
*** lbragstad has joined #openstack-keystone13:56
*** ChanServ sets mode: +o lbragstad13:56
*** lbragstad has quit IRC13:56
*** lbragstad has joined #openstack-keystone13:58
*** ChanServ sets mode: +o lbragstad13:58
lbragstado/14:02
cmurphy\o14:02
*** jmlowe has quit IRC14:16
*** mvkr has quit IRC14:29
*** jmlowe has joined #openstack-keystone14:33
*** vishakha has joined #openstack-keystone14:44
*** erus_ has joined #openstack-keystone14:49
*** jmlowe has quit IRC14:58
*** jmlowe has joined #openstack-keystone14:59
*** itlinux has joined #openstack-keystone15:01
*** itlinux has quit IRC15:06
*** mvkr has joined #openstack-keystone15:15
*** prometheanfire has joined #openstack-keystone15:39
prometheanfireI'm not sure when it happened, but was requests-oauthlib a dep that was removed?15:41
lbragstadwe had an interesting case there15:42
lbragstadwe had issues with linting15:42
lbragstadhttps://github.com/oauthlib/oauthlib/issues/55815:43
prometheanfirelbragstad: specifically talking about requests-oauthlib, I guess it's a dep of a dep since it's in upper-constraints and not in gr15:44
prometheanfirehttps://github.com/requests/requests-oauthlib/issues/35615:44
prometheanfirethat said, oauthlib-3.0.0 is released (but held back due to co-installability)15:45
* prometheanfire needs to make a new etherpad for all the caps deps are putting in place...15:45
lbragstadahh - nevermind15:47
prometheanfireI could hold requests-oauthlib back instead (and will)15:47
*** GregWaines has quit IRC15:53
*** openstackgerrit has joined #openstack-keystone16:13
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement scope_type checking for role_assignments  https://review.openstack.org/60921016:13
*** jmlowe has quit IRC16:25
gagehugolbragstad: additionalproperties defaults to true16:26
*** jmlowe has joined #openstack-keystone16:32
*** itlinux has joined #openstack-keystone16:34
*** nsmeds has joined #openstack-keystone16:37
*** erus_ has quit IRC16:43
*** imacdonn has quit IRC16:51
aning_In keystonemiddleware/auth_token/__init__.py, when a request is processed, there is code to check "service token". What is "service token"?16:51
*** imacdonn has joined #openstack-keystone16:51
aning_I know what user token is, but a bit confused by the "service token"16:52
*** prometheanfire has left #openstack-keystone16:52
aning_And I haven't seen the service token checking code get executed in log.16:53
*** aning_ is now known as aning16:53
aningjamielennox: I saw your comments in keystonemiddleware/auth_token/__init__.py, any idea what's a service token?17:01
*** yan0s has quit IRC17:03
lbragstada service token is a token that is used by an openstack service17:21
lbragstador - a user that represents an openstack service (e.g., nova, cinder, neutron, glance, etc...)17:21
aninglbragstad: so this is the token presented by the service (nova for example) to keystone when it verify a client request?17:23
lbragstadwe have a bug to add more documentation around service tokens, and how to use them https://bugs.launchpad.net/keystone/+bug/177988917:23
openstackLaunchpad bug 1779889 in OpenStack Identity (keystone) "Lack of documentation for validating expired tokens with service users" [Medium,In progress] - Assigned to Irina Anyusheva (anyushevai)17:23
*** gyee has joined #openstack-keystone17:24
lbragstadaning right - for example, a service token for nova would be used for nova to get information over the API from another service17:24
lbragstadif nova needed an image from glance in order to boot an instance17:26
lbragstadit could grab that information from glance via the API, which it would need a token to do17:26
aninglbragstad: I'm not sure ... in this case, is nova's token becomes the user token to the other service? And would be passed as "X-Auth-Token"?17:26
lbragstadwhen that happens, we call the token that nova grabs to make that request a "service token"17:26
lbragstadi believe nova sends it's own token when making that request17:32
aninglbragstad: well, good enough for now ... will be back on this if I see issues. :)17:32
lbragstadyou have to modify keystonemiddleware configuration if you want to use service tokens though17:33
lbragstadjust as a heads up17:33
lbragstadand that's the part we need to document better17:33
aninglbragstad: oh, that's something new to me ...17:35
aningwaiting for the documentation to have this info in it ...17:37
aninglbragstad: reading from the bug, looks like token service is seldomly used ...17:38
lbragstadservice tokens are useful, especially for long-running operations17:38
aningright17:38
lbragstadfor example, if you're taking a backup17:38
lbragstador anything that takes longer than the token expiration window17:38
aningand during the operation, user's token expires ...17:39
lbragstadyeah - exaclty17:39
lbragstadservice tokens can validate expired users tokens to get around that issue17:39
aningthen?17:39
aningEh? the expired user token still valid?17:40
lbragstadnot directly17:40
lbragstadbut if an operation was started with it and it expires during that operation, we handle that case by checking to see if it is still valid17:40
lbragstadif so - the service operation can continue17:40
lbragstadhttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html17:41
aninglbragstad: ok, got it. The service token is from "X-Service-Token" header, and if it presends, the middleware will use it.17:44
lbragstadyeah17:45
lbragstadi believe so - i need to dig into the implementation a bit more so we can actually document it17:45
lbragstad(that document is specification)17:45
aningIn not configured, the "X-Service-Token" doesn't exist.17:46
aninglbragstad: all makes sense so far.17:46
aninglbragstad: thx17:46
lbragstadyep17:46
*** jrist is now known as jrist__18:16
*** jrist has joined #openstack-keystone18:17
*** jrist__ has quit IRC18:18
*** mvkr has quit IRC18:19
gyeelbragstad, can you please help me understand system scope? I am trying to sort out this patch https://review.openstack.org/#/c/629692/118:20
gyeesystem scope is optional right?18:20
gyeeand how do we express that in the policy rules?18:20
gyeeI don't think we should hardcode that check18:21
lbragstadgyee system scope is an attempt at solving 96869618:51
gyeelbragstad, but we can optionally specify that in the rules, it's a global thing right?18:51
lbragstador the Bug That Shall Not Be Named18:52
gyeeI mean we can't specify it in the rules18:52
lbragstadwe can specify it in rules, yes18:52
gyeeif I understand the code correctly, its basically hardcoded in the code, which dictates which scope should be used18:52
lbragstadyes and no18:52
lbragstadunfortunately18:52
gyeecan you give me an example on how to do that in the rules?18:53
lbragstadsure18:53
lbragstadgive me one minute18:53
lbragstadok - so18:54
lbragstadmost of the policies we use in keystone rely on something like rule:admin_required, right?18:54
lbragstadwhich is really just a wrapper around making sure the user has a role called 'admin'18:54
lbragstadright?18:54
gyeeright18:55
lbragstadbut - that makes us susceptible to the admin issue we've fought for so long18:55
lbragstadwhere project administrators can do whatever, when that's not the behavior we want18:56
lbragstadso - system scope is another authorization target18:56
gyeeunderstood18:56
lbragstadand it's meant to protect system-level operations18:56
lbragstadlike protecting the /v3/services endpoint18:56
lbragstador /v3/endpoints18:57
lbragstador /v2/hypervisors18:57
gyeebut how do I express the scope in the rule? and I don't mean the rule registration code18:57
gyeein policy.json/yml18:57
lbragstadright - so18:57
lbragstadwhen we get a token we use it to populate an oslo.context RequestContext object18:57
lbragstadand we added support to oslo.context to understand system scope18:57
lbragstadmaking it a first-class attribute of context18:58
lbragstadin the policy check string, you can do something like `role:reader and system_scope:all`18:58
gyeethat part I get18:58
lbragstadwhich means, this policy can only be accessed by someone who has the reader role on the system18:58
gyeebingo! that's what I am looking for18:59
lbragstador `role:admin and system_scope:all` would be the same thing but for what we traditionally called cloud admins18:59
lbragstadthere is a large caveat though18:59
lbragstadand that is the scope check is still in the check string, which isn't what we want18:59
lbragstad(long term)18:59
gyeeso the allowed values are "all" or "project"19:00
lbragstadbut, putting that scope check in the check string of each policy protects us and operators if oslo_policy enforce_scope=False19:00
lbragstadno - right now the only value is "all"19:00
gyeewhat does this mean? https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L928-L93119:01
lbragstadeventually, when keystone defaults `keystone.conf [oslo_policy] enforce_scope = True` we can remove the system_scope:all bits from all the policy check strings because we define acceptable scope types in the actual rule definitions19:01
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/policies/service.py#L2119:02
*** vishakha has quit IRC19:02
lbragstadenforce_scope is an option in oslo_policy that tells the enforcer if it should make sure the policies defined in the rule objects needs to match19:02
lbragstad(e.g., ERROR: you attempted to call an API that requires a system-scoped token with a project-scoped token)19:02
gyeeunderstood19:03
lbragstadenforce_scope is going to be how operators upgrade to using system scope19:03
gyeewhat should we do with this patch then? https://review.openstack.org/#/c/629692/19:03
gyeeits basically allow project admin to access its own domain19:03
gyeeproject-scoped token to fetch its own domain19:03
gyeewithout it, some openstack CLI call will fail I think19:04
lbragstadthat might be fine - vishakha may have thought you made that against master19:05
lbragstadand not a stable branch?19:05
gyeemaster has this problem too19:05
gyeeright now project admin can't fetch its own domain19:05
lbragstadbut we landed a fix for that19:06
gyeewe did?19:06
lbragstador we have one up for review19:06
gyeethis one? https://review.openstack.org/#/c/605876/19:06
lbragstadhttps://review.openstack.org/#/c/605851/19:06
lbragstadhttps://review.openstack.org/#/c/605871/819:07
gyeethat won't fix the issue19:07
lbragstadthe two before that - yeah19:07
lbragstadnot on stable/rocky, no19:07
gyeewhich two?19:09
gyeethis one? https://review.openstack.org/#/c/605871/819:09
gyeeahhh, sorry19:09
gyeethis is still wrong, 'token.project.domain.id:%(target.domain.id)s'19:10
gyeeshould be 'token.project.domain_id'19:10
gyeeI commented on the patch19:12
lbragstadweird - https://review.openstack.org/#/c/605871/8/keystone/tests/unit/protection/v3/test_domains.py@133 appears to pass19:13
lbragstadwith the current check string19:13
lbragstadusing token.project.domain.id19:13
gyeereally?!19:13
lbragstadif i'm looking at the code correctly - https://review.openstack.org/#/c/605871/8/keystone/tests/unit/protection/v3/test_domains.py@39219:14
lbragstaddomain setup - https://review.openstack.org/#/c/605871/8/keystone/tests/unit/protection/v3/test_domains.py@40519:14
gyeebut not testing GET /domain/<id>19:15
gyeemaybe incorporating these? https://review.openstack.org/#/c/629692/1/keystone/tests/unit/test_v3_protection.py19:16
gyeeso I can abandon my patch19:16
lbragstadisn't it? https://review.openstack.org/#/c/605871/8/keystone/tests/unit/protection/v3/test_domains.py@13519:16
lbragstad^ that test class is tested with project users19:17
lbragstadtest_user_can_get_a_domain is testing GET /v3/domains/{domain_id} with a project scoped token19:17
*** mvkr has joined #openstack-keystone19:21
*** tellesnobrega has joined #openstack-keystone19:24
gyeelbragstad, no that only test project reader19:24
gyeenot project admin19:24
gyeetest succeeded with this rule '(role:reader and system_scope:all)'19:25
gyeeif project admin implies project reader then the above rule is redundant19:26
tellesnobregalbragstad, quick question regarding policies, we have a experimental API with some policy definitions, can we simply change the policy since the api is not stable yet? or do you know of some ruling that we need to follow on that ?19:31
*** jeremyfreudberg has joined #openstack-keystone19:33
*** tosky has joined #openstack-keystone19:34
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: switch to using unicode text values  https://review.openstack.org/61119019:35
mnaserhow do folks feel about a patch to keystonemiddleware which includes a setting inside `keystone_authtoken` that determines the roles which are allowed to talk to that service?19:51
mnaserwhich greatly simplifies enforcing access to a specific service, without diving into wild policy files19:52
mnaserbecause there would a very large impact on the # of things changed if you want to globally allow a certain role to access a service19:53
gyeemnaser, how are you going to enforce *resource* access at middleware?20:01
gyeetarget.resource.id20:01
*** tellesnobrega has left #openstack-keystone20:02
*** tellesnobrega has joined #openstack-keystone20:03
lbragstadtellesnobrega we've done that in keystone before20:04
lbragstadwhere we have an experimental API and we've changed the policies without deprecating them, but we still include a release note saying what changed, why, and that it wasn't deprecated because it was protecting an experimental API20:05
mnasergyee: well, that's a bit of another problem that can solved further down but i feel is a much bigger/fundamental problem to be resolved20:05
lbragstadgyee project reader won't pass 'role:reader and system_scope:all20:06
lbragstad'role:reader and system_scope:all'20:06
gyeebut user has reader role20:06
lbragstadbut they don't have it on the system20:06
tellesnobregalbragstad, sounds good20:07
tellesnobregathanks20:07
lbragstadtellesnobrega no problem20:07
gyeelbragstad, is use project admin, I can't tell from the code20:08
gyeemnaser, not sure if I understand, you are proposing two level authorization, one at middleware and another at the service?20:09
mnasergyee: yes, the middleware level one would be far simpler to implement, the service level would be much more policy based as we have today20:09
lbragstadgyee sorry - i'm not sure what you mean?20:10
*** jeremyfreudberg has left #openstack-keystone20:10
gyeelbragstad, https://review.openstack.org/#/c/605871/8/keystone/tests/unit/protection/v3/test_domains.py#L41620:12
gyeeI only see reader role on project20:13
gyeeis that the token used to fetch the domain?20:13
lbragstadyeah - so the setUp there is just creating a new user and giving them the 'reader' role on a project20:14
lbragstadthen it builds an authentication request, grabs a token, and creates a set of headers to use in tests (line 432)20:14
gyeebut is system_scoped enforcement enabled at that point?20:15
gyeeI thought system-scoped enforcement is disabled by default20:15
lbragstadat line 400 we are setting enforce_scope to True20:15
lbragstadin the same setUp class20:15
*** jeremyfreudberg has joined #openstack-keystone20:18
lbragstadwhich just checks to make sure the scope_types for the rule match the token scope in oslo.policy20:18
jeremyfreudberglbragstad: clarification on your answer to tellesnobrega, are you referring to deprecation of policy names or default policy check strings?20:19
lbragstadjeremyfreudberg for policies protecting experimental APIs?20:19
jeremyfreudberglbragstad, yeah, if we have service:foo:get_all protecting some experimental API endpoint, and we'd rather call it service:fooooooo:get_all, must there be a deprecation period?20:20
lbragstadjeremyfreudberg if the API is experimental, I think you have the flexibility to change those without a deprecation period - at least based on the definition of experimental that we've defined in OpenStack20:21
lbragstadlet me see if i can dig up the link20:22
lbragstadhttps://developer.openstack.org/api-guide/quick-start/ and https://wiki.openstack.org/wiki/VersionDiscovery20:23
lbragstadi think mordred pointed me to a link somewhere that had a more complete definition20:23
mordredone sec20:23
lbragstadof the meaning of "experimental" as we know it with APIs20:23
mordredhttp://specs.openstack.org/openstack/api-sig/guidelines/consuming-catalog.html#consuming-catalog20:25
mordredhttp://specs.openstack.org/openstack/api-sig/guidelines/microversion_specification.html20:25
mordredoh - experimental20:25
mordredso - experimental is a bit tricky20:25
mordredan experimental MAJOR api version will not be returned by keystoneauth version discovery unless it is explicitly request20:26
mordredrequested20:26
mordredhowever, there isn't such a thing for microversions - once it's out in a microversion, it's there - it could be removed in a future microversion, but since it's a microversion it would need to remain there until the end of time20:27
lbragstadjeremyfreudberg we also have a set of guidelines for naming policies - if you're going to be doing that https://docs.openstack.org/oslo.policy/latest/user/usage.html#naming-policies20:27
mordredfor specific portions of an API - I don't know that there is any particularly strong mechanism we have to have an experimental api20:28
jeremyfreudberglbragstad: yes, i saw the naming guide, that's part of my reasoning for wanting to rename these policies now (we previously were ignoring the guidelines about singular/plural nouns).20:29
lbragstadto be fair, those guidelines are relatively fresh, so there is a lot of work to do on that front20:30
lbragstadbut yeah - following those would be a huge plus20:30
gyeelbragstad, what does this mean? https://github.com/openstack/keystone/blob/master/keystone/common/policies/domain.py#L5820:30
lbragstadand if you're doing it for an experimental API, i don't think you'll need to deprecate them20:30
gyeedoes 'all' implies both system and project?20:31
lbragstadgyee nope - all just means the "entire deployment system"20:31
lbragstadgyee we designed the system scope stuff to be hierarchical20:31
lbragstadgyee because we thought it would be a good idea to try and incorporate the hierarchical attributes of the service catalog into the idea of system scope20:32
gyeewhere does the 'all' enforcement coming from? I don't see that code in oslo.policy20:32
jeremyfreudberglbragstad: thanks.20:32
lbragstadgyee for example, i'm a system administrator and i wanted to give you the `admin` role on the `compute` service - you would only be authorized to do admin actions within nova and not the other services20:32
gyeehttps://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L928-L94320:32
lbragstadjeremyfreudberg no problem - hopefully that helps20:33
lbragstadgyee https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L92820:33
*** jeremyfreudberg has left #openstack-keystone20:33
gyeeright, but later on its checking against the scope_types20:34
lbragstadright20:34
gyeewhich is registered as ['system', 'project']20:34
gyeehttps://github.com/openstack/keystone/blob/master/keystone/common/policies/domain.py#L5820:34
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/policies/project.py#L7420:35
lbragstadyep20:35
gyeethis is get_domain call20:35
gyeeso that rule would yield access granted20:36
lbragstadnot necessarily20:36
lbragstadhttps://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L93920:36
lbragstadenforce_scope just ensures the API is called a token of the proper type20:36
lbragstadfor example20:36
lbragstadif the identity:create_service policy is protected by `role:admin and system_scope:all` I can pass the enforce_scope check if I call the API with a system reader token20:37
lbragstadbut I'll still fail the policy check since I don't have the admin role20:37
gyeeman my head is spinning, but the get_domain API is registered with scope_types ['system', 'project']20:38
*** tellesnobrega has left #openstack-keystone20:38
gyeewith means both 'system' and 'project' scope are allow20:38
gyeeallowed20:38
lbragstadcorrect20:39
lbragstadremember - https://review.openstack.org/#/c/605851/8 and https://review.openstack.org/#/c/605871/8 haven't landed yet20:39
lbragstadso - https://github.com/openstack/keystone/blob/master/keystone/common/policies/domain.py#L51 is essentially the policy check string for system-scoped tokens20:39
lbragstadand https://github.com/openstack/keystone/blob/master/keystone/common/policies/domain.py#L52 is for everythign else20:39
lbragstadand because it expects a project in that policy's check string, it's essentially hardcoded to only work for project-scoped token20:40
gyeelets backup a bit20:41
lbragstadgyee do you want to use higher bandwidth communication?20:42
gyeeyou have a mumble server?20:43
lbragstadnope - but i can start a google hangout or something20:43
*** tosky has left #openstack-keystone20:43
*** jmlowe has quit IRC20:44
* lbragstad misses mumble 20:45
gyeelbragstad, k20:45
lbragstadhttps://hangouts.google.com/call/LG1QK_jVxJLfQaEBY3L7AEEE20:45
lbragstadit's open - so if anyone else wants to join in and listen/learn about scope checking, you're more than welcome20:46
lbragstadgyee grabbing a different mic20:47
lbragstadbrb20:47
*** openstackgerrit has quit IRC20:50
*** whoami-rajat has quit IRC21:01
*** jmlowe has joined #openstack-keystone21:07
*** aojea has joined #openstack-keystone21:20
gyeelbragstad, thanks again for untangling the stuff in my head! Definitely owe you beer there.21:20
lbragstadgyee happy to help :)21:20
mnaserok this might sound silly21:34
mnaseris there any policy around having a role to issue a token21:34
lbragstadno - there isn't21:34
mnaserif i create an appcred with role 'object-store', it creates it but fails to get a token21:34
lbragstadif you don't have a role assignment, you can ask for an unscoped token21:34
mnaserif i create one with role object-store + member, it can successfully get a token21:35
mnasererr, or in my case, _member_21:35
mnaserbecause its a v2-era cloud21:35
lbragstadoh - are you using app creds?21:35
mnaseryeah21:35
lbragstadin that case, i think application credentials expect a project21:35
lbragstadwhich means it makes sense that you have some authorization on the project you supply21:36
mnaserso user with _member_ and object-storage roles, tries to create appcred with object-storage only, it works but fails to authenticate21:36
mnaserif they create one without any limits (i.e. all), it works21:36
mnaserif they create one with object-storage AND _member_, it also works21:36
mnaserok, let me try specifying a project21:37
lbragstadwhat's the object-store role used on?21:37
lbragstadis it assigned to anyone?21:37
mnaserlbragstad: right now, nothing, its just an implied role of member_21:37
mnaserhmm21:37
mnaseri think i see the problem now21:37
mnaserlol21:37
mnaserobject-store implies _member_, we give _member_ access to project21:38
mnasercreating one that scopes object-store only means the app cred doesnt have access to anything at all21:38
mnaserbecause there is no object-store role assignments21:38
mnaserthat's a little blow to my idea in that case, having 'member' with a bunch of implied roles per service, then allowing a user to create app creds to specific services21:40
lbragstadright21:42
lbragstadi *think* i understand what you mean?21:43
mnaseri think its time i bite the bullet and start working on some policy updates to allow a 'domain admin'21:44
mnaserthat way, a project 'manager' can create a user and give it a specific role to a project21:44
mnasers/project/domain/21:44
lbragstadyeah21:45
mnaserugh, but then they would be able to give 'admin' role to a user21:45
*** pcaruana has quit IRC21:46
mnasernot sure how i'd be able to stop that in policy rules21:46
lbragstadwell - we have patches in flight that help with that https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles21:46
mnaserlbragstad: ou those are sweet.  unfortunately, i think we're a bit far out from being able to use them.. even running up to date :p21:47
lbragstadsome have started merging - https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:master+topic:implement-default-roles21:48
lbragstadyeah...21:48
lbragstadit'll likely require a migration for operations, but we want to make it so that default roles work across system, domains, and projects in ways that people expect (without having to roll a bunch of custom policy to get it to work)21:49
mnaseri think the biggest blocker is the fact that identity:create_grant can't check if they're trying to create a grant for admin or not21:49
mnaseri.e. it would have probably been nice to check for identity:create_grant:$role_name first and fall off to identity:create_grant21:49
mnaserthat way i could have identity:create_grant:admin  as rule:admin_required21:50
lbragstadmnaser well - we'd likely try and encode some of those checks into keystone directly21:52
lbragstadso that a domain administrator can't grant someone in their domain admin on the system21:52
lbragstador something like that21:52
lbragstadright? because that would be abd21:53
lbragstadbad*21:53
mnaserlbragstad: right, the biggest issue now is services arent aware of system and project scope i guess21:58
mnaserso i'm just trying to work around it :(21:58
lbragstadyeah - and that's a big reason why we're trying to implement all of that in keystone now - so that other projects can eventually use what we've done as a template21:59
mnaserlbragstad: i just feel very stuck now.  i have a customer who just wants a user that can access swift only (and they're settling for not resources specific, just ~swift~) and not everything and that seems to be such a basic ask that i can't find a way to deliver22:00
lbragstadso - if you create an object-store role22:03
lbragstadyou'd have to write custom policies for swift to use that role22:03
lbragstadbut i suppose you'll also need to exercise that role's usage against other service to make sure you can't do anything there either22:05
lbragstadwhich sounds like something patrole wants to verify at some point22:05
*** erus_ has joined #openstack-keystone22:20
*** erus has joined #openstack-keystone22:25
*** rcernin has joined #openstack-keystone22:38
*** aojea has quit IRC22:54
*** itlinux has quit IRC22:55
*** etp has quit IRC22:57
*** etp has joined #openstack-keystone22:59
*** gyee has quit IRC23:11
*** etp has quit IRC23:14
*** etp has joined #openstack-keystone23:16
*** edmondsw has quit IRC23:23
*** erus_ has quit IRC23:34
*** edmondsw has joined #openstack-keystone23:39
*** erus has quit IRC23:53
*** blake has joined #openstack-keystone23:58
« Wednesday, 2019-01-09 Index Friday, 2019-01-11 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!