Tuesday, 2019-02-05

« Monday, 2019-02-04 Index Wednesday, 2019-02-06 »
lbragstadbut that might be a good question for them (zaneb or ricolin)00:00
brtknrhmmm00:02
*** opetrenko__ has quit IRC00:25
*** N3l1x has joined #openstack-keystone00:32
*** Nel1x has quit IRC00:32
*** whoami-rajat has joined #openstack-keystone01:18
openstackgerritMerged openstack/keystone master: Update endpoint  policies for system admin  https://review.openstack.org/61933102:17
openstackgerritguang-yee proposed openstack/keystone master: Fixes incorrect params passing  https://review.openstack.org/63481602:23
*** Dinesh_Bhor has joined #openstack-keystone02:32
*** gyee has quit IRC02:35
*** awalende has joined #openstack-keystone02:44
openstackgerritguang-yee proposed openstack/keystone master: Fixes incorrect params  https://review.openstack.org/63481602:46
*** awalende has quit IRC02:49
*** Dinesh_Bhor has quit IRC02:58
*** Dinesh_Bhor has joined #openstack-keystone03:04
*** dave-mccowan has quit IRC03:44
*** Dinesh_Bhor has quit IRC03:54
*** lbragstad has quit IRC03:59
openstackgerritMerged openstack/keystone master: Replace 'tenant_id' with 'project_id'  https://review.openstack.org/63170604:04
*** Dinesh_Bhor has joined #openstack-keystone04:42
*** dims has quit IRC04:58
*** shyamb has joined #openstack-keystone05:06
*** N3l1x has quit IRC05:19
*** shyamb has quit IRC05:48
*** shyamb has joined #openstack-keystone06:01
*** shyamb has quit IRC06:10
*** shyamb has joined #openstack-keystone06:10
*** markvoelker has joined #openstack-keystone06:45
*** dims has joined #openstack-keystone06:48
*** dims has quit IRC06:52
*** dims has joined #openstack-keystone06:54
*** dims has quit IRC06:59
*** dims has joined #openstack-keystone07:02
*** markvoelker has quit IRC07:18
*** Emine has joined #openstack-keystone07:43
*** pcaruana has joined #openstack-keystone07:45
*** shyamb has quit IRC07:58
*** tkajinam has quit IRC08:06
*** awalende has joined #openstack-keystone08:08
*** markvoelker has joined #openstack-keystone08:15
*** shyamb has joined #openstack-keystone08:45
*** markvoelker has quit IRC08:49
*** xek__ has joined #openstack-keystone09:01
*** Dinesh_Bhor has quit IRC09:35
*** Dinesh_Bhor has joined #openstack-keystone09:36
*** markvoelker has joined #openstack-keystone09:46
*** markvoelker has quit IRC10:19
opetrenkoHi all. Is there any possibility to add ability to use one scoped token in several keystones with single idp?10:30
*** shyamb has quit IRC10:32
brtknrzaneb? ricolin?10:32
*** shyamb has joined #openstack-keystone10:43
*** aloga has quit IRC11:05
*** Dinesh_Bhor has quit IRC11:11
*** Dinesh_Bhor has joined #openstack-keystone11:13
*** markvoelker has joined #openstack-keystone11:15
*** erus1 has joined #openstack-keystone11:30
brtknrAnyone here can tell me why I am able to create a heat stack only as a trustor, not11:39
brtknras the trustee but then able to make changes and delete a stack even as a trustee as11:39
brtknrexpected?11:39
cmurphyopetrenko: no that is not possible and we're probably not going to add it, what's your use case for it?11:48
cmurphybrtknr: that sounds like it may be due to the policy configuration, you might ask the heat team in #openstack-heat11:48
*** markvoelker has quit IRC11:48
brtknrThanks for getting back cmurphy, I am also trying to get hold of somebody in #heat to answer the question but its pretty quiet in there today11:50
opetrenkocmurphy: We have deployment with severals regions, spread worldwide. The thing is, user can use horizon and then switch region. After this user is being logged out. It's not user-friendly.11:51
*** aloga has joined #openstack-keystone11:52
opetrenkocmurphy: another possible solution is to add horizon an ability to store both scoped and unscoped tokens, so when you change region, horizon can scope unscoped token in another region. This way, from keystone side consistent uuids for federated users should be added.12:02
cmurphyopetrenko: the word region is a little overloaded, a single keystone can have multiple regions and the same token should work on all of them. are you using keystone-to-keystone and switching keystone service providers?12:04
opetrenkocmurphy: I have this test setup: 2 keystones both look into one shibboleth as IdP that uses openldap.12:06
cmurphyopetrenko: oh got it, so you mean that the user has to log out explicitly so they can choose another IdP in the login screen12:07
opetrenkoNo. We have one IdP, where both keystones looks into12:08
opetrenkokeystones are bootstraped as two different regions.12:08
opetrenkobut this is test setup.12:08
opetrenkoThe use case of this, is when you use horizon with multiple keystones configured to use one IdP.12:09
opetrenkoWhen user tries to change the region, he's being force logged out from horizon, since it can't use the same scoped token for different keystone, despite both keystones are configured to use the same shibboleth(IdP).12:12
*** erus1 has quit IRC12:12
opetrenkocmurphy: that's it12:12
*** erus1 has joined #openstack-keystone12:12
cmurphyI see. You can't use an unscoped token from one keystone on another keystone so I don't think that would solve the issue.12:13
opetrenkoIf we can add some consistency in user uuids, we would be able to use the same unscoped token12:14
opetrenkoimagine, we have shared fernet repo, so both keystones use the same fernet keys; both looks into the same idp.12:15
opetrenkoThe problem is, when you want to scope in one keystone unscoped token that you got in another one, keystone will response with "cant find user with `#####` id"12:16
opetrenkoif we can set up the same federated users in both keystones, the token will have all needed information to identify who is this user, and later scope this token to some project.12:20
cmurphyopetrenko: yeah I think that would work12:20
opetrenkocmurphy:So consistent uuids and reworks from horizon side is preferred to use one scoped token in several keystones?12:22
*** raildo has joined #openstack-keystone12:22
cmurphyopetrenko: the thing is you could already achieve this now if you configure your keystones as a keystone-to-keystone configuration, while still also having the external IdP, then you wouldn't have to use the same token on multiple keystones12:25
cmurphyI think with predictable uuids we will be able to use the same token but i'm not sure we want to encourage that12:25
opetrenkoAs I can see, Adam Young have 2 patches for consistent uuids12:26
cmurphyhe will probably be around later today so we can discuss it more with him12:26
opetrenkohttps://review.openstack.org/#/c/623117/ and https://review.openstack.org/#/c/605169/12:26
opetrenkoYeah, I would like to discuss possibilities to add this in keystone12:27
*** markvoelker has joined #openstack-keystone12:46
*** shyamb has quit IRC13:03
*** lbragstad has joined #openstack-keystone13:05
*** ChanServ sets mode: +o lbragstad13:05
*** jmlowe has quit IRC13:17
*** markvoelker has quit IRC13:19
*** Dinesh_Bhor has quit IRC13:30
*** jmlowe has joined #openstack-keystone13:35
*** mvkr has quit IRC13:52
*** dave-mccowan has joined #openstack-keystone14:09
*** dave-mccowan has quit IRC14:13
*** markvoelker has joined #openstack-keystone14:16
*** mvkr has joined #openstack-keystone14:20
brtknrRevisiting this patch https://review.openstack.org/#/c/126897/31/keystone/tests/test_v3_auth.py, does allow_redelegation flag have a CLI toggle?14:32
*** markvoelker has quit IRC14:49
*** awalende has quit IRC14:54
*** erus1 has quit IRC14:54
*** awalende has joined #openstack-keystone14:55
*** erus1 has joined #openstack-keystone14:55
*** Nel1x has joined #openstack-keystone14:59
*** awalende has quit IRC14:59
*** lbragstad has quit IRC15:35
*** lbragstad has joined #openstack-keystone15:35
*** ChanServ sets mode: +o lbragstad15:35
brtknrcmurphy: have you much experience with devstack?15:39
brtknri'd like to know how I can edit keystone.conf file15:39
cmurphybrtknr: it's in /etc/keystone/keystone.conf, you can edit that and then `systemctl restart devstack@keystone`15:40
brtknrive just run `tox -e genconfig` which claims to have generated /opt/stack/keystone/etc/keystone.conf15:40
cmurphydevstack puts its own config file in /etc/keystone/keystone.conf, tox -egenconfig just creates a sample file15:41
*** vishakha has joined #openstack-keystone15:45
*** markvoelker has joined #openstack-keystone15:46
brtknrcool, that explains why putting keystone.conf inside /opt/stack/keystone/etc/keystone.conf was causing errors15:47
brtknrhow do i check what is the currently loaded configuration?15:47
*** Emine has quit IRC15:47
brtknri am inspecting keystone.conf.CONF.items() but that does not show the boolean value that I modified15:56
cmurphybrtknr: if you have debug enabled then it shows up in the logs15:56
brtknrcmurphy: ah yes, in the debug logs, it allow_redelegation does appear to be enabled.15:58
*** gyee has joined #openstack-keystone16:02
brtknrcmurphy: however, its not having the effect I was expecting, heat stacks still refuse to be created as a redelegated user16:14
openstackgerritMorgan Fainberg proposed openstack/keystone master: Converting the application tests to use flask's test_client  https://review.openstack.org/63125516:15
openstackgerritMorgan Fainberg proposed openstack/keystone master: Converting the application tests to use flask's test_client  https://review.openstack.org/63125516:16
*** Emine has joined #openstack-keystone16:19
*** erus1 has quit IRC16:19
*** markvoelker has quit IRC16:19
*** erus1 has joined #openstack-keystone16:19
brtknrI dont understand why the point of allow_redelegation is if I cant use it to create heat stack...16:31
*** erus1 has quit IRC16:31
*** erus1 has joined #openstack-keystone16:32
*** openstackgerrit has quit IRC16:35
lbragstadcmurphy vishakha sorry - i didn't mean to cut you off there16:41
cmurphyno worries16:41
vishakhayeah no worries16:41
cmurphykmalloc: lbragstad: opetrenko brought something up a few hours ago in scrollback, where once user IDs are predictable then tokens could be used on different keystones, is that something we want?16:42
kmallocthat is a fine thing16:43
kmallocas long as the keys are shared.16:43
kmalloc(fernet/jse)16:43
cmurphyI recall we were pushing back on that for a while16:43
*** jmlowe has quit IRC16:44
kmallocright. but with the move towards the edge bits, looking at the oath model, it works to our favor16:44
kmallocoath effectively uses a token to generate user data in the distributed keystone with a predictable id16:44
kmallocwe've changed tack on this as the needs have changed. we're still requiring a keystone-provided bit to generate the id16:44
kmallocso it's not strictly "give me an id" and using that, the major concern was that without a keystone-provided data set for the hash, someone could squat on the id or worse setup a malicious user via another idp16:45
*** erus1 has quit IRC16:45
kmallocwith the keystone-supplied data, that is less of a concern, as all ids from given sources should be unique when hashed (if not, it's a misconfiguration)16:46
cmurphythat was one concern but the other was that allowing the token to be used on more than one keystone increases the attack surface16:46
kmallocit does.16:46
*** erus1 has joined #openstack-keystone16:46
kmallocbut that is now a configuration choice.16:46
kmallocif keys are not shared (and legitimately should not be shared if the token is not meant to be consumed by the remote keystone)16:46
kmallocit's the same as today16:46
lbragstadiirc - the attack surface was the main reason for not pursuing that approach16:47
kmalloci would still recommend never configuring it that way and force local tokens to a given keystone16:47
kmallochowever, predictable IDs are more useful than "prevent someone from doing something somewhat silly"16:47
kmallocespecially leaning towards and into the edge use-cases.16:47
cmurphykmalloc: that opetrenko wants to do is enhance horizon so that it can use the same token on multiple keystones16:48
cmurphyi suggested k2k is a better approach16:48
kmalloci would really push for k2k16:48
lbragstaddoesn't opetrenko want to have all users in a single idp, though?16:48
kmallocso, if an IDP is truely shared, and single source with multiple discrete keystones i could see the benefit16:49
cmurphyI am pretty sure you could do both - external idp + k2k16:49
kmallocreally i would probably not even do k2k16:49
kmalloci would do a re-auth to the local region16:49
opetrenkok2k has several problems16:49
cmurphyit's not a local region, it's another keystone16:50
kmallocit's about the same amount of work to automate / make happen16:50
kmalloccmurphy: the distributed keystone* ignore my region16:50
kmalloci know ayoung has requests in for this same usecase16:51
kmalloctokens issued from one keystone usable elsewhere because idp is mirrored16:51
kmallocopetrenko: note, you still must make sure domain id, and project ids, etc are replicated in the remote keystones16:51
kmalloceven if you wanted to do this.16:51
kmallocit's a major hurdle that really just is easier if you create one identity control plane that all the sites use.16:52
opetrenkokmalloc: I guess, domain_id is not encoded in unscoped token16:52
kmallocand in that case -- shared tokens across deployments make a lot of sense.16:52
lbragstadif you're using a domain-scoped token, it will be16:52
lbragstad(because it's the scope target of the token)16:53
kmalloclbragstad: right but for that token to work in a remote keystone, the domain information must be there16:53
kmallocin the keystone db16:53
kmallocit's easier to setup a replicated or centralized keystone16:53
opetrenkocentralized keystone is not a solution16:53
*** mvkr has quit IRC16:53
opetrenkoimagine we have 2 keystones in different parts of the world16:54
kmallocyou can replicate between those.16:54
opetrenkoreplicate db?16:54
kmalloca small set of keystones can totally be replicated globally on a wan16:54
kmallocyes.16:54
opetrenkoit's too expensive and sometime hard to sync db's16:54
kmallocusually performance can tolerate, due to low transaction rate on identity sources, ~9-10 sites with galera16:55
kmallocas in, i wouldn't feel awful recommending a sub 10 site replicated galera db for production if it meets the needs16:56
*** erus1 has quit IRC16:56
kmallocand in that case you share keys and all data is consistent.16:56
kmalloctokens work anywhere.16:56
kmallocdeployments become regions in keystone parlance.16:56
*** erus1 has joined #openstack-keystone16:56
kmallocnow, if you can't do that, you are better treating the keystones as nothing shared, even if the identity source is the same. don't share keys and force re-auth to each keystone.16:57
kmallocthat way you aren't running into issues where ids/full data sets are not consistent16:57
opetrenkothat creates bad UX with horizon16:57
kmallock2k helps smooth that over.16:58
opetrenkowhen all the time you have to relogin16:58
opetrenkok2k means one master keystone?16:58
kmallocno, k2k means keystones are idps for eachother16:58
opetrenkothat's not the best solution for prod16:58
kmallocit's bi-directional16:58
opetrenkook, but what if I want shibboleth as id[?16:59
opetrenkoidp*16:59
kmallock2k relies on shibboleth in most deployments16:59
kmallocit's that keystone can also be an idp for another keystone16:59
opetrenkothat will be like that?: keystone ->keystone -> idp?16:59
kmallocidp [SSO workflow]-> keystone [SSO workflow]-> keystone17:00
kmallocwhere the second case the first keysotne becomes the IDP and the second keystone is the SP17:00
kmallocyou really have 3 options today:17:00
kmalloc1) Share Nothing17:00
kmalloc(4 options)17:00
kmallocand in share-nothing you said UX sucks.17:00
kmalloc2) Autoprovisioning (limited support), use oath model or similar, (3rd party code)17:01
kmalloc3) K2K17:01
kmalloc-- ok maybe just those 3.17:01
opetrenkowell17:01
kmallocin the future it will get better.17:02
opetrenkole me ask about k2k since I do not understand this model17:02
kmallocwe are working on improving the #2 option17:02
kmallocsure, think of k2k as chained SSO17:02
kmallocand any keystone could be configured to be an IDP for another keystone.17:02
opetrenkowe have 2 keystones, where one is idp and another one is sp?17:02
opetrenkook got17:03
opetrenkoso they both can be configured as idps for each other?17:03
kmallocyes.17:03
opetrenkoand then I can configure them to use shibboleth as idp?17:03
kmallocIDs are, unfortunately different, but the k2k workflow helps to smooth the transition17:03
kmallocyes, you can use shibboleth as the original IDP on either side.17:04
opetrenkowell17:04
kmallocin the future we will work to make this easier where keystone can act as a IDP-broker/proxy.17:04
kmallocit will be much smoother.17:04
kmallocbut that is a ways down the line17:04
opetrenkoStill can't get how this works. If one keystone asks another(idp for first ks), and the second is configured to have first ks as idp, how can second keystone decide what to use as idp: shibboleth or first ks?17:06
kmallocin k2k it's always idp-initiated workflow17:07
kmallocrather than SP initiated17:07
opetrenkowhat do you mean?17:07
kmallocyou tell keystone1: I want to go to keystone2, keystone1 starts the process17:07
kmallocmost SSO forms you reach out to the SP and the SP redirects you to the IDP for auth17:08
kmallocIDP-initiated means you start from the IDP17:08
kmallocyou don't ask the second keystone what IDP to use, you explicitly supply the information because you started from the IDP side.17:08
opetrenkoso, I can setup two keystones with shibboleth with ldap, then go to first ks ask for unscoped token and then scope it in another keystone?17:09
kmalloclbragstad, cmurphy: ^ can you step in and help with some of this workflow, i need to go eat food -- going to fall over.17:10
kmallocopetrenko: i can try and help further if neither of them are available17:10
kmallocbut i need to eat first :)17:10
opetrenkosure17:10
opetrenkothx17:10
* cmurphy reads back17:11
lbragstadi'll be honest, i'm not as familiar with the federated flows as kmalloc and cmurphy are17:11
cmurphyoh i have a picture for this17:12
*** erus1 has quit IRC17:12
lbragstadthat documentation is already paying off17:12
cmurphyhttps://docs.openstack.org/keystone/latest/admin/federation/introduction.html#id317:12
*** erus1 has joined #openstack-keystone17:13
cmurphyso regular flow is you ask the keystone sp for a token, keystone forwards you to the idp to auth, you take your saml assertion back to keystone and then you get a token17:14
cmurphywith k2k you start at the idp, which is keystone, and get an assertion first17:14
cmurphyand then take that to your other keystone to get a token17:14
cmurphyso with this chained model you would start at say keystone A and treat it like an SP, get your assertion from your external IdP to get a token on keystone A, then turn the token on keystone A into an assertion and then take it to keystone B to get a token17:15
cmurphyand keystone A and keystone B could be configured as IdPs for each other so it wouldn't matter whether you started with A or B17:15
*** markvoelker has joined #openstack-keystone17:16
opetrenkook, does this somehow affects time/load?17:16
cmurphythere are a few round trips involved so it would take a bit of time to get your final token17:18
opetrenkook, do any db syncs needed?17:19
*** erus1 has quit IRC17:19
cmurphyno, the keystones would be completely independent from each other17:19
*** erus1 has joined #openstack-keystone17:19
opetrenkook, there will be no master as I understood?17:20
opetrenkonot master keystone*17:20
opetrenkono master keystone*17:20
cmurphyno there would be no need for one to be a master i don't think17:20
opetrenkook, thanks for help17:21
cmurphyno problem17:22
*** jmlowe has joined #openstack-keystone17:27
*** jmlowe has quit IRC17:36
*** markvoelker has quit IRC17:48
*** erus1 has quit IRC17:50
*** erus1 has joined #openstack-keystone17:50
*** jmlowe has joined #openstack-keystone17:57
*** dims has quit IRC18:06
*** openstackgerrit has joined #openstack-keystone18:09
openstackgerritMerged openstack/keystone master: Converting the API tests to use flask's test_client  https://review.openstack.org/63030118:09
*** dims has joined #openstack-keystone18:26
*** erus1 has quit IRC18:27
*** Nel1x has quit IRC18:29
*** erus has joined #openstack-keystone18:37
*** markvoelker has joined #openstack-keystone18:46
*** itlinux has joined #openstack-keystone18:49
lbragstadgyee i was able to verify https://bugs.launchpad.net/keystone/+bug/1814589 manually, but when i apply https://review.openstack.org/#/c/634816/ i get https://pasted.tech/pastes/990ff74d14542e7fbec84413854ebe7c42bbd4b7.raw18:49
openstackLaunchpad bug 1814589 in OpenStack Identity (keystone) "Tokenless auth: ephemeral user mapping is broken" [High,In progress] - Assigned to Guang Yee (guang-yee)18:49
lbragstadis that true for you, too?18:49
lbragstadthat's the same error as https://bugs.launchpad.net/keystone/+bug/181160518:51
openstackLaunchpad bug 1811605 in OpenStack Identity (keystone) "Tokenless authentication is broken" [High,Triaged]18:51
lbragstadso i assume we'll fix that separately18:51
gyeelbragstad, sorry, I haven't try master branch yet18:57
gyeestill waiting on the devstack fix18:57
gyeehttps://review.openstack.org/#/c/634833/18:57
gyeeI'll fix that part after I get devstack working again on master branch18:57
lbragstadoh - ncie18:58
lbragstadnice*18:58
gyeelbragstad, meanwhile I've pushed what I have to my github if you want to give it a spin18:58
gyeelbragstad, https://github.com/guangyee/keystone-devel18:59
gyeethat'll setup everything in one go18:59
lbragstadsweet19:00
gyeeI'll wire up the x.509 federation bit later today19:00
lbragstadreading through the plays now19:12
*** vishakha has quit IRC19:12
*** dims has quit IRC19:16
*** markvoelker has quit IRC19:19
*** dims has joined #openstack-keystone19:25
*** pcaruana has quit IRC19:27
*** mvkr has joined #openstack-keystone20:09
*** markvoelker has joined #openstack-keystone20:16
*** jmlowe has quit IRC20:29
*** markvoelker has quit IRC20:48
*** xek__ has quit IRC21:20
*** itlinux has quit IRC21:29
*** erus has quit IRC21:30
*** erus has joined #openstack-keystone21:34
*** raildo has quit IRC21:36
*** markvoelker has joined #openstack-keystone21:46
*** mchlumsky has quit IRC21:52
*** markvoelker has quit IRC22:20
*** tkajinam has joined #openstack-keystone22:55
*** erus has quit IRC22:58
*** erus has joined #openstack-keystone23:01
*** erus has quit IRC23:08
*** erus has joined #openstack-keystone23:13
*** markvoelker has joined #openstack-keystone23:16
*** erus has quit IRC23:45
*** erus has joined #openstack-keystone23:46
*** erus has quit IRC23:48
*** erus has joined #openstack-keystone23:48
*** imacdonn has quit IRC23:48
*** imacdonn has joined #openstack-keystone23:49
*** markvoelker has quit IRC23:50
*** erus has quit IRC23:52
*** erus has joined #openstack-keystone23:57
*** gagehugo has quit IRC23:59
« Monday, 2019-02-04 Index Wednesday, 2019-02-06 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!