Thursday, 2019-01-24

00:12 *** aloga has quit IRC
00:25 *** aloga has joined #openstack-keystone
00:42 *** dklyle has quit IRC
00:53 *** ileixe has joined #openstack-keystone
01:22 *** erus_ has quit IRC
01:25 <eandersson> lbragstad, do you know the state of s3/ec2 tokens with keystone/rocky?
01:26 <eandersson> We are unable to get it working in Rocky.
01:53 *** whoami-rajat has joined #openstack-keystone
02:03 <lbragstad> eandersson what kind of issues are you seeing?
02:03 <lbragstad> i'm not aware of anything, but iirc the testing isn't that great for those
02:04 <eandersson> Still pretty early in the investigation, but we basically had Keystone Mitaka with Swift Rocky and it worked fine.
02:04 <eandersson> After upgrading Keystone to Rocky, we can still create / list s3/ec2 credentials
02:04 <eandersson> but Swift fails to authenticate
02:05 <eandersson> Setting up a lab env now so we can get more logs
02:05 <lbragstad> hmm
02:05 <lbragstad> does swift have middleware that changed?
02:06 <eandersson> So that was my first instinct as they recently merged swift3
02:06 <lbragstad> we used to maintain s3 middleware in keystone for swift, but after some time i thought it was pulled under their repos
02:06 <eandersson> but confirmed the swift config is correct
02:06 <lbragstad> huh
02:06 <eandersson> and the only thing that changed was keystone
02:06 <lbragstad> but you're still able to get s3 tokens?
02:06 <lbragstad> using keystone/rocky?
02:06 <eandersson> Yea
02:07 <lbragstad> did the responses change at all (they shouldn't have)?
02:07 <lbragstad> between stable/mitaka and stable/rocky?
02:07 <eandersson> not that we can see, but far from an expert
02:07 <eandersson> I am trying to figure out how to use a s3/ec2 token manually against keystone
02:07 <eandersson> was looking for a tempest test or similar to use as a reference
02:08 <lbragstad> afaik there isn't any s3 tempest testing
02:08 <lbragstad> but i could be wrong
02:08 <eandersson> Yea wasn't able to find one :p
02:09 <lbragstad> i'm not all that familiar with the s3 middleware swift maintains, but it isn't doing anything crazy outside of validating the token against keystone, is it?
02:09 <eandersson> not that I am aware
02:09 <eandersson> https://github.com/openstack/swift/tree/master/swift/common/middleware/s3api
02:10 <lbragstad> dumb question: you're using v3, right?
02:11 <eandersson> Yea
02:11 <eandersson> We disabled v2 before the upgrade
02:11 <lbragstad> ok
02:11 <lbragstad> i was just looking at https://github.com/openstack/swift3/blob/master/swift3/s3_token_middleware.py
02:14 <lbragstad> is swift3 just used in front of swift or is the in-tree version used?
02:14 <eandersson> swift3 is legacy, in-tree version is used now
02:14 <lbragstad> ah
02:14 <lbragstad> are you seeing a 401?
02:15 <lbragstad> or something else?
02:15 <eandersson> 401
02:16 <lbragstad> interesting
02:18 <lbragstad> nothing is jumping out at me off the top of my head
02:18 <lbragstad> i'd be curious to know if you get more logs
02:18 <eandersson> We are gonna re-create it in the lab tomorrow
02:18 <eandersson> I can probably provide some logs from that
02:24 <lbragstad> sounds good
02:27 *** Dinesh_Bhor has joined #openstack-keystone
02:49 <eandersson> > Keystone reply error: status=404 reason=Not Found
02:49 <eandersson> > Received error, rejecting request with error: 401 Unauthorized
02:50 <eandersson> nvm lab specific
02:51 <openstackgerrit> Merged openstack/keystone master: Update endpoint policies for system reader  https://review.openstack.org/619329
02:51 <eandersson> > Keystone reply error: status=401 reason=Unauthorized
02:53 <eandersson> On the keystone side
02:53 <eandersson> > Authorization failed for None. Credential signature mismatch
02:55 <lbragstad> hmm
02:56 <eandersson> http://eavesdrop.openstack.org/irclogs/%23openstack-swift/%23openstack-swift.2018-11-09.log.html
02:56 <eandersson> sounds like the same issue
02:59 <lbragstad> yeah - it does
03:00 <lbragstad> otherwise - we did land a migration in newton to encrypt credentials at rest
03:00 <lbragstad> (using symmetric encryption)
03:01 <lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/data_migration_repo/versions/003_migrate_unencrypted_credentials.py?h=newton-eol
03:01 <lbragstad> that only caught my eye because you're coming from mitaka
03:02 <lbragstad> but - we wrote logic in that migration and the credential api for that migration to be pretty graceful
03:02 <eandersson> nvm we figured it out
03:03 <lbragstad> oh?
03:03 <eandersson> > authtoken s3api
03:03 <eandersson> apparently order in the swift config is important
03:03 <eandersson> was > s3api authtoken
03:03 <eandersson> makes no sense why it works against old keystone
03:03 <lbragstad> strange...
03:03 <lbragstad> something with how the pipeline processes the request?
03:04 <eandersson> Yea probably
03:04 <lbragstad> interesting
03:07 <lbragstad> well - glad y'all were able to figure it out
03:07 *** dklyle has joined #openstack-keystone
03:11 *** Dinesh_Bhor has quit IRC
03:20 *** Dinesh_Bhor has joined #openstack-keystone
03:21 *** dklyle has quit IRC
03:23 *** awalende has joined #openstack-keystone
03:31 *** awalende has quit IRC
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Ensure change is addressed for unified limit table  https://review.openstack.org/621497
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain_id column for limit  https://review.openstack.org/620202
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager  https://review.openstack.org/621468
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - API  https://review.openstack.org/622773
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level support for strict-two-level-model  https://review.openstack.org/623153
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Update project depth check  https://review.openstack.org/623984
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Release note for domain level limit  https://review.openstack.org/624019
03:35 <openstackgerrit> wangxiyuan proposed openstack/keystone master: [api-ref] add domain level limit support  https://review.openstack.org/624562
03:40 <eandersson> lbragstad, https://bugs.launchpad.net/keystone/+bug/1566416
03:40 <openstack> Launchpad bug 1566416 in OpenStack Security Advisory "Keystone does not validate that s3tokens requests came from s3_token middleware" [Undecided,Incomplete]
03:40 <eandersson> That is where we found the solution btw
03:41 <eandersson> (the last comments)
03:47 <lbragstad> awesome
04:06 *** Dinesh_Bhor has quit IRC
04:07 *** Dinesh_Bhor has joined #openstack-keystone
04:20 *** dklyle has joined #openstack-keystone
04:33 *** ileixe has quit IRC
04:33 *** spsurya has joined #openstack-keystone
04:35 *** irclogbot_1 has quit IRC
04:41 *** Dinesh_Bhor has quit IRC
04:42 *** Dinesh_Bhor has joined #openstack-keystone
04:57 *** lbragstad has quit IRC
05:01 *** gyee has quit IRC
05:02 *** ileixe has joined #openstack-keystone
05:02 *** tkajinam has quit IRC
05:07 *** tkajinam has joined #openstack-keystone
05:18 *** tkajinam has quit IRC
05:18 *** tkajinam has joined #openstack-keystone
05:21 *** vishakha has joined #openstack-keystone
05:30 *** Dinesh_Bhor has quit IRC
05:31 *** Dinesh_Bhor has joined #openstack-keystone
05:36 *** shyamb has joined #openstack-keystone
05:54 *** imacdonn has joined #openstack-keystone
06:07 *** shyamb has quit IRC
06:11 *** shyamb has joined #openstack-keystone
06:16 *** markvoelker has joined #openstack-keystone
06:45 *** markvoelker has quit IRC
07:12 *** shyamb has quit IRC
07:13 *** shyamb has joined #openstack-keystone
07:42 *** markvoelker has joined #openstack-keystone
07:48 *** shyamb has quit IRC
07:49 *** shyamb has joined #openstack-keystone
07:59 *** shyamb has quit IRC
08:04 *** tkajinam_ has joined #openstack-keystone
08:06 *** tkajinam has quit IRC
08:09 *** awalende has joined #openstack-keystone
08:15 *** markvoelker has quit IRC
08:17 *** xek has joined #openstack-keystone
08:29 *** rcernin has quit IRC
08:31 *** tkajinam_ has quit IRC
08:52 *** shyamb has joined #openstack-keystone
09:29 *** Dinesh_Bhor has quit IRC
09:36 *** Dinesh_Bhor has joined #openstack-keystone
10:12 *** markvoelker has joined #openstack-keystone
10:15 *** shyamb has quit IRC
10:46 *** markvoelker has quit IRC
11:07 *** Dinesh_Bhor has quit IRC
11:43 *** markvoelker has joined #openstack-keystone
11:57 *** shyamb has joined #openstack-keystone
12:16 *** markvoelker has quit IRC
12:31 *** takamatsu has joined #openstack-keystone
12:40 *** pcaruana has quit IRC
12:44 *** shyamb has quit IRC
12:51 *** shyamb has joined #openstack-keystone
13:08 *** yan0s has joined #openstack-keystone
13:13 *** markvoelker has joined #openstack-keystone
13:20 *** pcaruana has joined #openstack-keystone
13:20 *** jrosser has quit IRC
13:23 *** shyamb has quit IRC
13:23 *** markvoelker has quit IRC
13:23 *** shyamb has joined #openstack-keystone
13:23 *** markvoelker has joined #openstack-keystone
13:24 *** jrosser has joined #openstack-keystone
13:36 *** shyamb has quit IRC
13:43 *** GregWaines has joined #openstack-keystone
13:43 *** shyamb has joined #openstack-keystone
13:46 *** shyamb has quit IRC
13:47 *** shyamb has joined #openstack-keystone
13:49 *** vishakha has quit IRC
14:04 *** ileixe has quit IRC
14:20 *** lbragstad has joined #openstack-keystone
14:20 *** ChanServ sets mode: +o lbragstad
14:20 <knikolla> o/
14:21 <knikolla> looks like my visa was approved, so i won't have any work interruptions.
14:22 <lbragstad> nice!
14:26 <lbragstad> cmurphy so - i was finally able to confirm https://bugs.launchpad.net/keystone/+bug/1811605 - at least to some extent, but i noticed a couple of other things too
14:26 <openstack> Launchpad bug 1811605 in OpenStack Identity (keystone) "Tokenless authentication is broken" [High,Triaged]
14:28 <lbragstad> i started putting some of my thoughts for how we might improve the documentation in etherpad https://etherpad.openstack.org/p/keystone-tokenless-auth-documentation-overhaul
14:28 <lbragstad> which gyee might use in fixing https://bugs.launchpad.net/keystone/+bug/1813057
14:28 <openstack> Launchpad bug 1813057 in OpenStack Identity (keystone) "The tokenless authentication documentation is opaque" [Medium,Triaged]
14:29 <lbragstad> but - i'm not sure if i'm doing something wrong or if things are still broken, but i can't seem to use x509 certificates with an auto-provisioned mapping
14:29 <lbragstad> (oauth's ultimate autoprovisioning case)
14:34 <cmurphy> lbragstad: did it work for group membership mapping?
14:34 <cmurphy> I admit I don't think I actually tried autoprovisioning, just assumed it worked
14:35 <lbragstad> cmurphy not that i know of
14:35 <lbragstad> i tried a mapping with a group, but i only got back unscoped tokens
14:35 <cmurphy> hmm strange
14:36 <cmurphy> i don't think i have that environment still around or i would check it out
14:36 *** shyamb has quit IRC
14:37 <lbragstad> no worries
14:38 <lbragstad> i didn't open a bug for the auto-provisioning stuff, yet
14:38 <lbragstad> but i also wasn't able to get a scoped token authenticating with a certificate
14:38 <lbragstad> which i didn't open up a bug for either
14:38 <lbragstad> mostly out of my own ignorance around mappings
14:39 <cmurphy> I remember I tried to set it up with keystonemiddleware and it didn't work at all because the project scope headers weren't being passed properly
14:40 <cmurphy> I thought it worked with just curling keystone directly but it's more than possible I just assumed it worked and didn't check the scope
14:41 <lbragstad> yeah - i didn't get to the ksm part
14:41 <lbragstad> i suppose i can open placeholder bugs for now - and we can close them as invalid if they actually do work
14:42 <lbragstad> i assumed i was being dense though
15:00 *** takamatsu has quit IRC
15:13 *** awalende has quit IRC
15:13 *** awalende has joined #openstack-keystone
15:17 *** awalende has quit IRC
15:20 *** kukacz_ has quit IRC
15:31 *** kukacz has joined #openstack-keystone
15:35 *** pcaruana has quit IRC
15:41 *** dklyle has quit IRC
15:42 *** kukacz has quit IRC
15:46 *** kukacz has joined #openstack-keystone
15:48 <gagehugo> o/
15:51 <lbragstad> cmurphy https://bugs.launchpad.net/keystone/+bug/1813183 is what I did to try and recreate the auto-provisioning bug with certs
15:51 <openstack> Launchpad bug 1813183 in OpenStack Identity (keystone) "Tokenless authentication doesn't work with auto-provisioning" [Undecided,New]
15:51 <lbragstad> i alluded to the scoping issue as well in that report, but i could pull that into another bug report
15:53 <cmurphy> lbragstad: do you need to s/tokenless/x.509/ ?
15:54 <cmurphy> tokenless means not using X-Auth-Token to do something
15:54 *** yan0s has quit IRC
15:54 <cmurphy> you're actually trying to get a token which is not tokenless
15:54 <lbragstad> oh - you're right
15:55 *** pcaruana has joined #openstack-keystone
15:55 <lbragstad> fixed
15:56 <cmurphy> I'm having a slightly crazy week but I'll try to verify this weekend possibly
15:56 <lbragstad> no rush - i'm just trying to at least document the gaps
15:57 <cmurphy> good idea
15:57 *** jmlowe has joined #openstack-keystone
15:57 <lbragstad> if we can get everything in bug reports like the one you opened, i'd like to send a note to the -discuss and -edge mailing lists
15:58 <lbragstad> the whole x509 authentication + auto-provisioning thing pretty much does exactly what oath wants
15:58 <cmurphy> yep
15:58 *** kukacz has quit IRC
15:59 <lbragstad> gyee and i had an interesting discussion on what you could do to solve the bearer token problem with this approach, too
15:59 <cmurphy> tokenless does solve the bearer token problem, or it would if it was fully implemented
15:59 <cmurphy> i just don't think it solves the edge problem
15:59 * cmurphy -> meeting
16:00 *** kukacz has joined #openstack-keystone
16:00 <lbragstad> sounds good - i'm super curious about your opinion on the edge bits
16:00 <lbragstad> but - lemme know if/when you have time and i'll try and write things down
16:03 *** dave-mccowan has joined #openstack-keystone
16:04 *** dklyle has joined #openstack-keystone
16:06 *** gyee has joined #openstack-keystone
16:09 <lbragstad> bnemec kmalloc curious if either of you have thoughts on dhellmann's comments here - https://review.openstack.org/#/c/614817/1
16:09 <lbragstad> i believe it is indirectly holding up https://review.openstack.org/#/c/630354/
16:09 *** dave-mccowan has quit IRC
16:12 *** takamatsu has joined #openstack-keystone
16:14 *** gyee has quit IRC
16:15 <bnemec> http://codesearch.openstack.org/?q=pycadf.generate_uuid&i=nope&files=&repos=
16:15 <bnemec> Nothing for you, Dawg.
16:15 <bnemec> Seems odd. _Something_ should be calling that, right?
16:20 <kmalloc> bnemec: not in pycadf
16:20 <kmalloc> Or well nothing yet*
16:21 <lbragstad> ok
16:21 <kmalloc> lbragstad: I don't think audit_ns needs to exit the API anywhere
16:21 <bnemec> kmalloc: So changing the hash method shouldn't affect anyone?
16:21 <lbragstad> i don't think doug wants to release that without at least a release note
16:21 <kmalloc> We should protect that anyway.
16:22 <lbragstad> or that's at least how i interpreted his comment
16:22 <kmalloc> bnemec: it might, but we should really be ok overall.
16:22 <kmalloc> A clear release note indicating the change should be sufficient for non-openstack consumers (not many if any)
16:23 <lbragstad> right
16:23 <kmalloc> It won't impact us.
16:23 <bnemec> The only problem would be if people are expecting to call that and get the same value back every time.
16:24 *** kukacz has quit IRC
16:25 *** gyee has joined #openstack-keystone
16:26 *** kukacz has joined #openstack-keystone
16:26 <lbragstad> gyee o/
16:27 <lbragstad> so - i updated https://bugs.launchpad.net/keystone/+bug/1811605 and opened https://bugs.launchpad.net/keystone/+bug/1813183 per what we talked about yesterdat
16:27 <openstack> Launchpad bug 1811605 in OpenStack Identity (keystone) "Tokenless authentication is broken" [High,Triaged]
16:27 <openstack> Launchpad bug 1813183 in OpenStack Identity (keystone) "x509 authentication doesn't work with auto-provisioning" [Undecided,New]
16:27 <lbragstad> yesterday*
16:33 *** ayoung has joined #openstack-keystone
16:34 <gyee> lbragstad, hey
16:35 <gyee> I'll work on them. I was working on a ec2-api-metadata service bug yesterday. Took me all day to figure out what was going on. Didn't have time to work on Keystone stuff.
16:35 <lbragstad> no worries - i'm not trying to rush you :)
16:36 <lbragstad> i think the most important thing is at least filing the bugs and correcting the documentation
16:36 <lbragstad> then we can at least focus on fixing them for Stein (maybe after stein-3)
16:37 <gyee> sounds good
16:38 <bnemec> lbragstad: kmalloc: So what's our conclusion for https://review.openstack.org/#/c/614817 ? Add a reno and release?
16:38 <lbragstad> bnemec i think that's a good idea
16:40 <kmalloc> Yep
16:43 <bnemec> Okay, I'll write something up quick.
16:45 <lbragstad> thank you sir
16:45 <lbragstad> i can review it
16:48 *** pcaruana has quit IRC
16:49 <bnemec> Oh wow, I fail at using codesearch.
16:49 <bnemec> http://codesearch.openstack.org/?q=identifier.generate_uuid&i=nope&files=&repos=
16:49 <bnemec> It helps if you search for the right module name.
16:54 *** takamatsu has quit IRC
16:59 <openstackgerrit> Ben Nemec proposed openstack/pycadf master: Add release note for MD5 hash removal  https://review.openstack.org/633037
17:00 <bnemec> lbragstad: kmalloc: ^
17:01 * bnemec finally realized that the results from that function call are supposed to be random
17:17 <kmalloc> yes
17:20 <ayoung> lbragstad, I'm looking at your JWS code.  It looks pretty OK.  Question:  can I dump the contents of a token?
17:24 <lbragstad> ayoung if i understand you correctly, yeah
17:24 <ayoung> What are the steps?
17:25 <lbragstad> ayoung install the code locally, generate some keys (keystone-manage jwt_setup)
17:25 <lbragstad> and grab a token
17:25 <ayoung> all done
17:25 <ayoung> I have a running Keystone with JWT token provider
17:25 <lbragstad> https://jwt.io/
17:25 <lbragstad> put your token in there
17:25 <lbragstad> and select the ES256 algorithm to verify it
17:25 <lbragstad> it should give you an "unverified" payload
17:26 <lbragstad> if you cat your our public key in /etc/keystone/jws-keys/ and put that in the public key input form, it'll validate the token signature against it
17:26 <lbragstad> if you cat out your public key*
17:27 <ayoung> signature verified
17:27 <lbragstad> sweet
17:27 <ayoung> lbragstad, so this is the data
17:27 <lbragstad> correct - the payload
17:27 <ayoung> {
17:27 <ayoung>   "sub": "69e0bf160b464b52a668ead15a0a7b7e",
17:27 <ayoung>   "iat": 1548350418,
17:27 <ayoung>   "exp": 1548354018,
17:27 <ayoung>   "openstack_methods": [
17:27 <ayoung>     "password"
17:27 <ayoung>   ],
17:27 <ayoung>   "openstack_audit_ids": [
17:27 <ayoung>     "A9amiF_FQkSBCsXe3mrXzg"
17:27 <ayoung>   ],
17:27 <ayoung>   "openstack_project_id": "697b4a4675a04b42b563207e9cafefeb"
17:27 <ayoung> }
17:27 <ayoung> no roles?
17:27 <lbragstad> the roles are generated online when we validate the token
17:28 <lbragstad> since it's an unbound resource
17:28 <lbragstad> we take the same stance as with fernet tokens
17:28 <ayoung> But we are so close to not having to do online validation
17:28 <lbragstad> (sub is the user id, per the specification)
17:28 <ayoung> and for edge that would be a very big deal
17:28 <ayoung> can we add roles in optionally?
17:29 <lbragstad> i think we'd need to do that as a separate spec
17:29 <ayoung> even if it is just ID, we can look up and cache them
17:29 <lbragstad> since it's a pretty big change from what we do today
17:30 <ayoung> methods is technically an array.  I wonder if we could somehow collapse that
17:30 <lbragstad> we can
17:31 <ayoung> I think we are stuck with audit IDs as an array, but that is OK
17:31 <lbragstad> i didn't since there are other things we don't really compress already in the payload
17:31 <lbragstad> the fernet provider reduces a list of unique methods to an integer and reinflates it
17:31 <lbragstad> on validation
17:31 <ayoung> So, is the issue with roles that they are a list, and we want to bound the tokens?
17:32 <lbragstad> well - we just don't want to have token sizes explode if someone has 100 roles
17:32 <lbragstad> (which is a thing, from what i've seen in the wild)
17:32 <ayoung> ok...so, what about role sets?  A unique ID for a set of roles, based on a hash so they are predictable?
17:33 <lbragstad> how are you going to figure that out on the other side?
17:33 <lbragstad> you'd have to still call keystone
17:33 <ayoung> only for the first one
17:33 <ayoung> call and cache
17:33 <lbragstad> so you still have to call keystone, right?
17:34 *** imacdonn has quit IRC
17:34 <ayoung> You need to anyway.
17:34 <ayoung> Hmmm, the data in the token is not enough to expand the headers
17:34 <ayoung> we need project name and user name etc
17:34 <lbragstad> right
17:35 <lbragstad> most of that is for policy, too
17:35 <ayoung> OK...this would be a separate token then
17:35 <ayoung> I'll ponder...good work thus far
17:36 *** aojea has joined #openstack-keystone
17:36 <lbragstad> thanks
17:36 * lbragstad steps into a meeting
17:40 *** dklyle has quit IRC
17:43 *** whoami-rajat has quit IRC
17:43 *** dims has quit IRC
17:48 *** dims has joined #openstack-keystone
17:50 *** dklyle has joined #openstack-keystone
17:50 <ayoung> lbragstad, I think I am going to propose we add an additional token format...  Something like JWSExpanded.  It won't have the service catalog, but it will have the token's auth data in full.  The goal is to support edge use cases.  It's going to get us back into all of the PKI token issues.  We can take it slowly, and do it right this time.
17:51 <ayoung> No revocations, smarter key exchange, all that.
17:53 *** erus_ has joined #openstack-keystone
17:54 *** dims has quit IRC
17:55 *** dims has joined #openstack-keystone
18:13 <kmalloc> ayoung: sorry got roped into some house stuff before i could respond to that email earlier
18:13 <kmalloc> trying to get back into the groove of code/state of the world. you know how a long break makes you lose context :)
18:14 <ayoung> Yes I do
18:15 *** takamatsu has joined #openstack-keystone
18:15 <kmalloc> ayoung: audit ids are always an array, but a max length of 2
18:15 <kmalloc> fyi. it's not unbounded
18:15 <ayoung> yeah, that is fine
18:15 <kmalloc> and i agree with lbragstad we should consider embedding role information as a followup
18:15 <lbragstad> ayoung that worries me, but i need to work through the revocation cases and the like
18:15 <ayoung> kmalloc, I was trying to get the online tool to show me the size of a JWS with some other data
18:16 <ayoung> yeah...I think a separate token format?
18:16 <kmalloc> ah ++ yeah
18:16 <kmalloc> ayoung: yes a different formatter.
18:16 <lbragstad> fwiw - i was pleasantly surprised that the formatter in JWS was way simpler to implement than with fernet because we don't have to serialize anything
18:16 <lbragstad> (at the expense of longer tokens, though)
18:17 <ayoung> however, we could use the same format and, if a system wanted to do inline validation, could either reject tokens with insufficient set of fields, or could query all the data that it needs:
18:17 <kmalloc> yeah, but we accepted that.
18:17 <ayoung> length is not too bad:
18:17 <kmalloc> ayoung: the fundamental bits are the same in the format with JWS expanded
18:17 <lbragstad> is bad == 8k? ;)
18:17 <ayoung> | id         | eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiI2OWUwYmYxNjBiNDY0YjUyYTY2OGVhZDE1YTBhN2I3ZSIsImlhdCI6MTU0ODM1MDQxOCwiZXhwIjoxNTQ4MzU0MDE4LCJvcGVuc3RhY2tfbWV0aG9kcyI6WyJwYXNzd29yZCJdLCJvcGVuc3RhY2tfYXVkaXRfaWRzIjpbIkE5YW1pRl9GUWtTQkNzWGUzbXJYemciXSwib3BlbnN0YWNrX3Byb2plY3RfaWQiOiI2OTdiNGE0Njc1YTA0YjQyYjU2MzIwN2U5Y2FmZWZlYiJ9.933v7cwqbfFzyR7iV4umBpoK-PjPpEiO-H_qcZYJzS8TEhFilhBb0ooM-_dq-tb9xlZK0dOYvFLvvTv9fCJCLA |
18:17 <kmalloc> but it should be configured separately (at least for now) as a formatter in keystone
18:18 <kmalloc> lbragstad: 4k is bad, 8k is break the internet bad
18:18 <kmalloc> lbragstad: really we should be aiming for sub 1k if possible in most cases.
18:18 <lbragstad> so 4k is bad and 8k is *real* bad?
18:18 <kmalloc> yeah
18:18 <kmalloc> 4k is the place some web servers tip over in headers
18:18 <lbragstad> i'd like to keep it sub 500
18:18 <kmalloc> 8k is the hard-coded cap for others (can't be configured above)
18:19 <lbragstad> for copy/paste reasons
18:19 <kmalloc> i'm ok with pushing to 1k or less, but the goal should be to stay as close to sub 500 as possible
18:19 <kmalloc> but we know that some cases the format will be longer (e.g. expanded roles)
18:19 <ayoung> 413
18:19 <kmalloc> and some other variations
18:19 <lbragstad> fernet falls into a sweet spot with uuid copy/pasteability
18:19 <ayoung> openstack token issue -f json | jq -r '.id' | wc -c
18:19 <kmalloc> really JWS is a good format
18:20 <kmalloc> as long as we are careful how deep into the JWT/JWE/JWS/JOSE rabbithole of a spec we support
18:20 <ayoung> can I expand that with command line tools?
18:20 *** whoami-rajat has joined #openstack-keystone
18:20 <kmalloc> ayoung: a token get should expand the details
18:20 <kmalloc> (validate)
18:20 <kmalloc> and you *should* be able to self-validate your token
18:21 <ayoung> I mean the payload itself
18:21 <kmalloc> with JWS you can, i am unsure the exact invocation (not openstack cli)
18:21 <kmalloc> if we go to JWE at any point, no, you can't expand it.
18:21 <kmalloc> it's opaque like fernet
18:22 <lbragstad> right
18:22 <kmalloc> also, we should not encourage folks to expand directly unless we have an explicit contracted format (not the default JWS)
18:22 <kmalloc> i want to start with "treat this like fernet"
18:22 <kmalloc> and expand from there
18:22 <kmalloc> there might be reasons we want to adjust the payload format.
18:23 <ayoung> https://tools.ietf.org/html/rfc7515#page-7
18:23 <kmalloc> e.g. maybe we don't want audit_ids to be an array.
18:23 <ayoung> We doing the compact serialization?
18:23 <kmalloc> so start is "this is a drop-in fernet compat, just different wire-format"
18:23 <kmalloc> then we start adjusting things as we need (and expand / define the wire format/payload we want)
18:23 <ayoung> kmalloc, I'm with you on "start like fernet."  I'm thinking about edge cases, tho, where Keystone is not accessible for periods of time
18:24 <kmalloc> right
18:24 <kmalloc> i absolutely want to get there
18:24 <kmalloc> however, please note that we want to push towards at least a regional keystone (nothing-directly-shared)
18:24 <kmalloc> the oath model, we can lean on further network segmentation/partition
18:25 <kmalloc> but tokens still have a limited expiry.
18:25 <ayoung> Yep
18:25 <kmalloc> the regional keystone will have app cred capabilities, and that will be the extension beyond the wire-ttl of the token itself.
18:25 <kmalloc> i think we're on the same page
18:25 <ayoung> We should do a presentation on this.
18:25 <ayoung> :)
18:26 <kmalloc> you have ... a day ? to submit a CFP for denver:P
18:26 <ayoung> kmalloc, I think we did one last summit....
18:26 <kmalloc> an hour.
18:26 <ayoung> lbragstad, you presenting on JWT?
18:27 <kmalloc> ayoung: Jan 24 at 7:59 am UTC. if you want to present the JSE/JOSE/JWT edge case as a followup from last summit, we can do it.
18:27 <kmalloc> i'm happy to help again w/ that.
18:27 <kmalloc> and we can prob rope lbragstad into it too if we need a 3rd
18:27 <ayoung> I'm on it
18:28 <kmalloc> so you have ~1hr to submit the CFP :P
18:31 <lbragstad> lol
18:33 <kmalloc> lbragstad: starting the run through the JWT stuff.
18:38 <ayoung> https://www.openstack.org/summit/denver-2019/call-for-presentations/manage/23585/summary  lbragstad kmalloc
18:38 <ayoung> it's in
18:41 <kmalloc> cool
18:47 <erus_> o/
18:49 * lbragstad steps away
18:49 <lbragstad> shoveling snow, back in a bit
18:53 <kmalloc> lbragstad: not jealous of the shoveling bit. jealous of the snow bit
18:55 <bnemec> Shoot, I didn't realize lbragstad isn't core on pycadf.
18:55 <bnemec> Should've had him submit the release note then.
18:55 * bnemec thought pycadf was an Oslo/Keystone joint custody project
18:58 <kmalloc> bnemec: we should add him.
18:58 <kmalloc> pycadf really is like oslo.policy.
18:58 <kmalloc> it should be keystone + oslo. (or oslo + keystone, more appropriately)
18:59 <bnemec> kmalloc: Yeah, that's what I was thinking. Let me see if I can add keystone-core.
19:00 <kmalloc> i am sure i can.
19:00 <kmalloc> any core should be able to :P
19:01 <bnemec> Yeah, I added keystone-core and keystone-release to the pycadf-release group.
19:01 <bnemec> Which is where oslo-core was getting pulled in too.
19:01 <kmalloc> keystone-release isn't important afaik
19:01 <kmalloc> that is mostly a legacy group pre-dating the release repo
19:01 <bnemec> Neither is oslo-release, but it keeps my OCD happy to have them match. ;-)
19:01 <kmalloc> hahaha
19:01 <kmalloc> i'd go the other way
19:01 <kmalloc> add oslo-core explicitly and drop -release
19:02 <kmalloc> and i would have added it to pycadf-core vs ... release? *shrug*
19:02 <bnemec> Yeah, there's no one in oslo-release that isn't also in -core.
19:02 <kmalloc> it doesn't matter.
19:02 <kmalloc> really :)
19:03 <bnemec> Yeah, I just put it where oslo-core was.
19:03 <kmalloc> wfm.
19:06 <bnemec> I did remove the -release groups so nobody thinks they're still relevant.
19:07 * bnemec biab
19:07 <kmalloc> :)
19:07 <bnemec> Paypal is buying most of my lunch today because apparently they really want you to use Paypal at Subway. :-)
19:07 <kmalloc> hahahaa
19:08 <kmalloc> nice.
19:08 <bnemec> As long as they keep giving me $5 free I'm going to keep taking it.
19:09 *** takamatsu has quit IRC
19:12 *** jmlowe has quit IRC
19:37 *** dklyle has quit IRC
19:58 *** jdennis has quit IRC
20:12 *** jdennis has joined #openstack-keystone
20:15 *** dklyle has joined #openstack-keystone
20:43 *** xek has quit IRC
20:43 *** whoami-rajat has quit IRC
20:43 *** xek has joined #openstack-keystone
20:46 <lbragstad> gyee you were saying yesterday that using SSL sends the public key in the request?
20:46 <lbragstad> with the certificate?
20:50 <lbragstad> ah - nevermind, i answered my own question
20:58 *** erus_ has quit IRC
21:02 *** jmlowe has joined #openstack-keystone
21:02 *** rcernin has joined #openstack-keystone
21:14 *** awalende has joined #openstack-keystone
21:17 *** GregWaines has quit IRC
21:18 *** awalende has quit IRC
21:19 *** itlinux has joined #openstack-keystone
21:46 <gyee> lbragstad, yeah :-)
21:47 <gyee> if the handshake is successful, the peer should have each other's cert
21:59 <lbragstad> i should have googled before asking
22:11 *** rcernin has quit IRC
22:12 *** rcernin has joined #openstack-keystone
22:20 *** jmlowe has quit IRC
22:38 *** itlinux has quit IRC
22:40 *** erus_ has joined #openstack-keystone
22:41 *** jmlowe has joined #openstack-keystone
22:41 *** jmlowe has quit IRC
22:41 *** jmlowe has joined #openstack-keystone
22:48 *** erus_ has quit IRC
22:51 *** jmlowe has quit IRC
22:52 *** dklyle has quit IRC
22:52 *** jmlowe has joined #openstack-keystone
22:57 *** tkajinam has joined #openstack-keystone
23:04 *** spsurya has quit IRC
23:10 <tobias-urdin> just got amazed by the new MFA rules feature, read the whole pending docs that were in review, one question though; how is/will it be implemented in keystoneclient/openstackclient when using MFA rules?
23:10 <tobias-urdin> if one for example uses password and totp auth with the auth receipts
23:11 *** dklyle has joined #openstack-keystone
23:11 <tobias-urdin> would like to investigate the possibility of horizon integration with MFA rules for requiring just password + totp
23:13 <adriant> tobias-urdin: that's a complicated one
23:13 <adriant> and mostly amounts to me finding time to do it, but is all planned
23:15 <adriant> first we need to make keystoneauth throw a new error that catches auth receipts, and supply a way to provide receipts with new auth methods. We also want to make a true multi-method way to auth with keystoneauth.
23:15 <adriant> then once that is there, openstackclient and most likely the keystoneauth loaders need a way to ask for the missing auth method data when a receipt error is thrown
23:16 <adriant> with Horizon, much the same, except views for each auth method option
23:17 <adriant> tobias-urdin: the auth rules feature has actually been in Keystone since Ocata.
23:18 <adriant> the missing bit was auth-receipts to make the likes of Horizon able to use it.
23:18 <adriant> yeah, ocata: https://docs.openstack.org/releasenotes/keystone/ocata.html
23:18 <kmalloc> adriant: o/
23:19 <adriant> kmalloc: hey!
23:19 <adriant> I'm alive! Mostly
23:19 *** dklyle has quit IRC
23:20 <tobias-urdin> adriant: thanks! that's really cool
23:21 <tobias-urdin> and work with resource options to get to this RFE that I'm very interested in https://bugs.launchpad.net/keystone/+bug/1804042
23:21 <openstack> Launchpad bug 1804042 in OpenStack Identity (keystone) "RFE: Add ability to restrict auth by forwarded IP" [Wishlist,Triaged]
23:21 *** erus_ has joined #openstack-keystone
23:21 <adriant> hah
23:21 <kmalloc> tobias-urdin: yeah def. want to get that stuff landed
23:21 <adriant> tobias-urdin: yes that's one of my other side projects
23:21 <tobias-urdin> i'm actually really happy right now, i'm going to bed with a smile on my face :)
23:22 <kmalloc> tobias-urdin: https://review.openstack.org/#/c/624162/ is the spec
23:22 <kmalloc> will be a train target
23:22 <kmalloc> but should enable by forwarded ip stuff
23:22 <adriant> although i'm not sure resource-options is the best way to do that one
23:22 <adriant> because I'd personally like to be able to do it with auth rules
23:22 <kmalloc> adriant: by forwarded ip? the request was to do it for an entire project or domain
23:22 <adriant> e.g.: [['password', 'ip'], ['password', 'totp']]
23:23 <kmalloc> in that case it would need to be in an RO.
23:23 <kmalloc> it might be the auth-rules RO
23:23 <kmalloc> but it would be needed not just on user.
23:23 <adriant> I mostly wanted it for service accounts, which can't totp
23:23 <adriant> that was my original design for it
23:24 <kmalloc> would be easy to add an IP auth plugin that just extracts the data from the request
23:24 <kmalloc> would still need to be passed as an auth-type explicitly.
23:24 <kmalloc> in the current state of keystone
23:24 <adriant> yeah, but that's easy
23:24 <kmalloc> but doable.
23:24 <adriant> or we make an auth plugin which can auto-promote itself if in auth-rules
23:24 <adriant> those were my two ideas on how to do it, but explicitly including it is easy enough
23:25 <adriant> and works with existing methods
23:26 * tobias-urdin goes to bed -- with a smile
23:27 <kmalloc> yeah, just make it so an authplugin is auto-processed
23:27 <adriant> tobias-urdin: see ya!
23:27 <adriant> kmalloc: yeah, and the IP can be stored in a 'credential' of type CIDR
23:27 <adriant> so you can do /24 s and such
23:27 <kmalloc> sure.
23:28 <kmalloc> but realistically that requires RO expansion, i don't want to add more to just user.
23:28 <kmalloc> especially when we already have requests for expanding the current ones.
23:28 <adriant> yep
23:28 *** erus_ has quit IRC
23:28 <adriant> My worry about something like this at the project level is that Horizon breaks the IP case
23:29 <adriant> that's why [['password', 'ip'], ['password', 'totp']] works
23:29 <adriant> because when you auth from Horizon it doesn't forward the IP I don't believe (it can't really).
23:30 <adriant> plus you can't trust a forwarded IP from horizon
23:30 <adriant> but... how about
23:30 *** erus_ has joined #openstack-keystone
23:31 <adriant> we make projects also have auth rules? a user can't scope to them unless their token matched a given set of rule options?
23:31 <adriant> the rules are still mostly on the user, but the project level scoping is built on top of that same layer
23:32 *** dave-mccowan has joined #openstack-keystone
23:32 <adriant> anyway, lunch. I'll add some notes to that blueprint later to capture my original thoughts on the idea.
23:36 *** jmlowe has quit IRC
23:46 *** erus_ has quit IRC
23:51 *** dklyle has joined #openstack-keystone
23:59 *** dave-mccowan has quit IRC