Friday, 2019-02-22

<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update introduction of external services doc https://review.openstack.org/638560 [00:53]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: Add service developer documentation for scopes https://review.openstack.org/638563 [01:12]
<lbragstad> melwitt i took a stab at outlining what additional documentation we would need to make understanding authorization scopes easier [01:12]
<lbragstad> they kinda fall into two categories - with each bullet point being a section that needs to be filled out [01:13]
<lbragstad> if you get a chance - i'd be curious to know if you think there are other areas that could be added [01:13]
<melwitt> lbragstad: sure, I'll take a look [01:40]
<lbragstad> thanks [01:43]
<openstackgerrit> Merged openstack/keystone master: Implement JWS token provider https://review.openstack.org/614549 [03:53]
<openstackgerrit> Merged openstack/keystone master: Add JWS token provider documentation https://review.openstack.org/633831 [03:53]
<openstackgerrit> Merged openstack/keystone master: Update idp policies for system admin https://review.openstack.org/619373 [03:53]
<openstackgerrit> Merged openstack/keystone master: Add tests for domain users interacting with idps https://review.openstack.org/619374 [03:53]
<openstackgerrit> Merged openstack/keystone master: Add tests for project users interacting with idps https://review.openstack.org/619375 [03:53]
<openstackgerrit> Merged openstack/keystone master: Address follow-up comments in contributor guide for specs https://review.openstack.org/637567 [03:53]
<openstackgerrit> Merged openstack/keystone master: Update service policies for system reader https://review.openstack.org/619277 [04:26]
<openstackgerrit> Merged openstack/keystone master: Add service tests for system member role https://review.openstack.org/619278 [04:26]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210 [04:27]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: WIP: Additional work for testing assignment protection https://review.openstack.org/636825 [04:27]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309 [04:27]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210 [04:39]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: WIP: Additional work for testing assignment protection https://review.openstack.org/636825 [04:45]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Additional work for testing assignment protection https://review.openstack.org/636825 [04:49]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309 [04:54]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309 [05:00]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add role assignment test coverage for system members https://review.openstack.org/638310 [05:00]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add role assignment test coverage for system admin https://review.openstack.org/638311 [05:01]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] implement domain reader for role_assignments https://review.openstack.org/638587 [06:11]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] implement domain reader for role_assignments https://review.openstack.org/638587 [06:50]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Add role assignment test coverage for domain members https://review.openstack.org/638593 [07:03]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Add role assignment test coverage for domain admins https://review.openstack.org/638597 [07:16]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] implement domain reader for role_assignments https://review.openstack.org/638587 [07:17]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Add role assignment test coverage for domain members https://review.openstack.org/638593 [07:17]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Add role assignment test coverage for domain admins https://review.openstack.org/638597 [07:17]
<errr> cmurphy: I've had no luck getting that federation issue I mentioned yesterday about horizon not loading working. Do you have any other ideas what could be wrong, or things I could check? [12:10]
<cmurphy> errr: if you have debug logging turned on for both horizon and keystone and there is nothing there, I guess next thing I would do is check the network console in the developer tools on your browser and see if it's doing anything strange [12:15]
<cmurphy> errr: i would also check whether it works with the CLI if you haven't already done that [12:15]
<errr> it does work via cli [12:15]
<errr> cmurphy: keystone will give me a token for the saml user [12:16]
<errr> it's just horizon won't load.. it stops at that "Please wait..." [12:16]
<cmurphy> errr: did you try for a scoped or unscoped token? like with setting OS_PROJECT_NAME [12:17]
<errr> I did the OS_PROJECT_NAME=myproject [12:19]
<cmurphy> okay [12:19]
<cmurphy> the only thing i can think of is there is some issue with horizon connecting to keystone to turn the unscoped token it receives from that html form into a scoped token, but the only thing i can suggest for that is looking at the debug logs for both horizon and keystone :/ if it's some issue with the frontend javascript then you might see something in the browser console but i don't know of [12:26]
<cmurphy> anything specific that would cause a problem there [12:26]
<errr> ok thanks [12:37]
*** cmurphy is now known as cmorpheus [14:27]
<cmorpheus> lbragstad: morning o/ do you think you could take a stab at recapping the scope discussion you had with melwitt in https://etherpad.openstack.org/p/keystone-team-newsletter ? [14:28]
<lbragstad> cmorpheus sure - when would you need my recap? [14:29]
* lbragstad is in another meeting [14:29]
<cmorpheus> lbragstad: some time today, no rush [14:29]
<lbragstad> ok - i'll work on that once i'm done with this meeting [14:29]
<cmorpheus> thanks! [14:30]
<lbragstad> no problem - i've been itching to summarize that discussion anyway [14:31]
<openstackgerrit> Merged openstack/keystone master: Reuse common system role definitions for roles API https://review.openstack.org/626023 [15:00]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add shibboleth config to log output https://review.openstack.org/636966 [15:06]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: [DNM] Convert JSON: assertion strings https://review.openstack.org/638684 [15:12]
<erus> o/ [15:26]
*** lbragstad is now known as elbragstad [15:47]
<elbragstad> cmorpheus done? [16:05]
<elbragstad> lemme know if you'd like more or less context [16:05]
<cmorpheus> elbragstad: perfect, thanks! [16:08]
<elbragstad> mhm! [16:08]
<gagehugo> o/ [16:12]
<openstackgerrit> Monty Taylor proposed openstack/keystoneauth master: Remove shade jobs https://review.openstack.org/638704 [16:28]
<elbragstad> cmorpheus your queries for the newsletter [16:30]
<elbragstad> how are you counting the totals? [16:30]
<elbragstad> (e.g., we merged 38 changes this week) [16:30]
<cmorpheus> elbragstad: gerrit ssh api [16:31]
<elbragstad> aha [16:31]
<cmorpheus> elbragstad: https://gist.github.com/cmurphy/ee802fc0dc4bf57dffbea02265cc9e92 [16:31]
<elbragstad> nice [16:32]
<elbragstad> i thought you were generating them in the ui somehow [16:32]
<elbragstad> i wasn't able to get https://github.com/dolph/gerrit-review-counts reporting with those queries (but it apparently works with dashboards in gerrit) [16:33]
<rafaelweingartne> Hello keystone guys, I have a doubt that you might be able to help me with. [16:51]
<rafaelweingartne> Let's say I have a domain in OpenStack that has already been used, then, if I want to add an IdP to this domain [16:52]
<rafaelweingartne> I know that I can create a mapping with users "type=local" to map the IdP users to openstack ones [16:52]
<rafaelweingartne> however, this restricts me to use only local users. Therefore, new users that only exist in the IdP would not be able to access OpenStack via federated authentication, because they do not exist in OpenStack yet [16:53]
<rafaelweingartne> Is there a way to enable the use of local users type, and remote users (ephemeral ones) at the same time? [16:53]
<rafaelweingartne> I checked the documentation, but I could not find a similar use case. I am also trying to navigate the code, to see if that is possible, but I have not found anything as well [16:54]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update service policies for system admin https://review.openstack.org/619279 [16:57]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with services https://review.openstack.org/619280 [16:57]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with services https://review.openstack.org/620623 [16:57]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove service policies from policy.v3cloudsample.json https://review.openstack.org/619282 [16:57]
<elbragstad> rafaelweingartne is the concern about the domain being used or if you can use multiple mappings? [17:01]
<rafaelweingartne> if I can use multiple mapping [17:02]
<rafaelweingartne> I did not quite understand if it is possible to define a rule to decide when a mapping should be used [17:02]
<rafaelweingartne> for instance, giving an attribute that comes from the IdP, which indicates if the user is expected to exist already in OpenStack [17:03]
<rafaelweingartne> I am also open to suggestions :) [17:03]
<rafaelweingartne> if you see some other way to use local and ephemeral users at the same time [17:03]
<rafaelweingartne> and both of them authenticating via the IdP [17:03]
<elbragstad> your mapping can contain multiple rules [17:07]
<elbragstad> https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#how-mappings-are-processed [17:07]
<elbragstad> it doesn't look like we have an example in documentation using multiple rules [17:07]
<elbragstad> but when a mapping is processed, the engine starts with the first mapping and iterates through them and stops when it finds a match [17:08]
<rafaelweingartne> do is considered a match? [17:09]
<rafaelweingartne> what is considered a match? * [17:09]
<rafaelweingartne> I tried something like this: http://paste.openstack.org/show/745753/ [17:11]
<rafaelweingartne> so, my first rule has a matching element [17:11]
<rafaelweingartne> and the second one does not, so I would assume it would be used as the default [17:11]
<rafaelweingartne> is that what you mean? [17:12]
<elbragstad> with that mapping [17:19]
<elbragstad> does it only work for local users? [17:20]
<elbragstad> and not ephemeral users? [17:20]
<rafaelweingartne> it works with both [17:22]
<rafaelweingartne> but from the documentation I was unsure about those matching rules [17:22]
<rafaelweingartne> at first I thought they were used to restrict the value of "fields/PIIs/attributes" that are coming from IdP [17:22]
<rafaelweingartne> but then, when I tried, it seemed that they are actually used to define if a mapping rule should be applied or not [17:23]
<rafaelweingartne> I was trying to check the code, but I got lost there ... :P [17:23]
<elbragstad> yeah - those rules are for "mapping" values from the thing that proves the identity of the user to something openstack understands (like a name of a local user) [17:25]
<elbragstad> e.g., mapping attributes from a SAML assertion into something openstack understands [17:25]
<elbragstad> but mappings can consist of multiple rules [17:26]
<elbragstad> it's a list of dictionaries, where each dictionary contains a local and remote key/value pair, where the value is another dictionary [17:26]
<elbragstad> i believe the mapping engine iterates each rule in the mapping until it finds one that works [17:27]
<rafaelweingartne> but for instance, in my case there [17:27]
<rafaelweingartne> only one attribute has a rule [17:27]
<rafaelweingartne> so if that rule, for that specific attribute is not met, the mapping rule is discarded [17:28]
<rafaelweingartne> and the system, will iterate to the next one [17:28]
<rafaelweingartne> is that it? [17:28]
<rafaelweingartne> in that case, it is silly because I only have two attributes there, but I could be dealing with many more provided by an IdP [17:28]
<elbragstad> do you mean line 25 here - http://paste.openstack.org/show/745753/ [17:28]
<rafaelweingartne> yes [17:29]
<elbragstad> i need to double check the code - but if the assertion you pass in doesn't match the first rule in the list, it should try the second [17:30]
<rafaelweingartne> hmm [17:30]
<elbragstad> neither rules are working, correct? [17:31]
<rafaelweingartne> but the matching rule there, is it just for the attribute where it is being applied, or is it for the whole rule? [17:31]
<rafaelweingartne> well, that is what I am trying to understand [17:31]
<rafaelweingartne> it is indeed working [17:31]
<rafaelweingartne> but I would like to clarify the implemented behavior, and the designed one [17:31]
<rafaelweingartne> reading the docs, I got the impression that it should not work... [17:31]
<rafaelweingartne> but, I might be misinterpreting it [17:32]
<elbragstad> oh - because you have two attributes defined in remote (lines 21 - 29) [17:33]
<rafaelweingartne> yes [17:34]
<cmorpheus> anyone want to +3 https://review.openstack.org/638704 so we can unbreak ksa? [18:27]
<kmalloc> done [18:36]
<cmorpheus> ty [18:36]
<openstackgerrit> Morgan Fainberg proposed openstack/oslo.limit master: Add python3.7 job on Stein+ https://review.openstack.org/610641 [19:53]
<openstackgerrit> Merged openstack/keystoneauth master: Remove shade jobs https://review.openstack.org/638704 [20:30]
<elbragstad> trivial review if anyone is looking for one: https://review.openstack.org/#/c/638560/ [21:02]
<erus> where is the lord of coffee kmalloc? :P [22:08]
<kmalloc> Hah [22:10]
<kmalloc> elbragstad: done. [22:26]
<erus> haha how are you kmalloc? :D [22:30]
<kmalloc> Tired. :p [22:31]
<kmalloc> I need more coffee. Hehe. [22:31]
<erus> i'm tired too [22:46]
<erus> haha i buy today an artisanal intense coffee, it's a blend [22:46]
<erus> bought* [22:46]
<erus> we'll see [22:47]
<elbragstad> kmalloc ty [23:05]