Monday, 2019-03-04

[00:00] *** jamesmcarthur has quit IRC
[00:00] *** jamesmcarthur has joined #openstack-keystone
[00:02] *** jamesmcarthur has quit IRC
[00:20] *** vishwanathj has joined #openstack-keystone
[00:32] *** jamesmcarthur has joined #openstack-keystone
[00:37] *** jmlowe has joined #openstack-keystone
[00:47] *** ileixe has joined #openstack-keystone
[01:01] *** jamesmcarthur has quit IRC
[01:02] *** markvoelker has joined #openstack-keystone
[01:07] *** markvoelker has quit IRC
[02:03] *** markvoelker has joined #openstack-keystone
[02:06] *** erus has quit IRC
[02:06] *** markvoelker has quit IRC
[02:07] *** erus has joined #openstack-keystone
[02:31] *** Dinesh_Bhor has joined #openstack-keystone
[02:31] *** erus has quit IRC
[02:31] *** Dinesh_Bhor has quit IRC
[02:32] *** erus has joined #openstack-keystone
[02:35] *** vishwanathj has quit IRC
[02:36] *** chason has quit IRC
[02:38] *** chason has joined #openstack-keystone
[02:41] *** Dinesh_Bhor has joined #openstack-keystone
[02:55] *** vishwanathj has joined #openstack-keystone
[03:01] *** jamesmcarthur has joined #openstack-keystone
[03:05] *** jamesmcarthur has quit IRC
[03:08] *** erus has quit IRC
[03:09] *** erus has joined #openstack-keystone
[03:27] *** jamesmcarthur has joined #openstack-keystone
[03:41] *** jamesmcarthur has quit IRC
[03:52] *** vishwanathj has quit IRC
[04:29] *** jmlowe has quit IRC
[04:44] *** lbragstad has quit IRC
[04:54] *** lbragstad has joined #openstack-keystone
[04:54] *** ChanServ sets mode: +o lbragstad
[06:36] *** tkajinam_ has joined #openstack-keystone
[06:38] *** tkajinam has quit IRC
[06:48] *** markvoelker has joined #openstack-keystone
[07:06] *** imus has joined #openstack-keystone
[07:21] *** markvoelker has quit IRC
[08:18] *** markvoelker has joined #openstack-keystone
[08:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add manager support for app cred access rules  https://review.openstack.org/628193
[08:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add API changes for app cred access rules  https://review.openstack.org/628168
[08:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add access rules to token validation  https://review.openstack.org/631993
[08:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: WIP: Add role check to access rules  https://review.openstack.org/640034
[08:25] *** pcaruana has joined #openstack-keystone
[08:27] <openstackgerrit> Islam Musleh proposed openstack/keystone master: Converting the API tests to use flask's test_client  https://review.openstack.org/640692
[08:40] <openstackgerrit> Merged openstack/oslo.limit master: Add py36 and py37 tox envs  https://review.openstack.org/639063
[08:46] *** lbragstad has quit IRC
[08:48] *** tkajinam_ has quit IRC
[08:50] *** markvoelker has quit IRC
[08:53] <openstackgerrit> Merged openstack/oslo.policy master: Add py36 and py37 tox envs  https://review.openstack.org/639060
[08:53] *** awalende has joined #openstack-keystone
[09:00] *** shyamb has joined #openstack-keystone
[09:41] *** jaosorior has joined #openstack-keystone
[09:42] *** jistr is now known as jistr|sick
[09:47] *** markvoelker has joined #openstack-keystone
[09:48] *** imus has quit IRC
[10:16] *** erus has quit IRC
[10:17] *** erus has joined #openstack-keystone
[10:21] *** markvoelker has quit IRC
[10:41] *** erus has quit IRC
[10:42] *** erus has joined #openstack-keystone
[10:43] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Switch federation check jobs to opensuse  https://review.openstack.org/640724
[11:18] *** markvoelker has joined #openstack-keystone
[11:19] *** ileixe has quit IRC
[11:19] *** erus has quit IRC
[11:20] *** erus has joined #openstack-keystone
[11:30] *** shyamb has quit IRC
[11:30] *** shyamb has joined #openstack-keystone
[11:45] *** shyamb has quit IRC
[11:50] *** markvoelker has quit IRC
[11:50] *** erus has quit IRC
[11:51] *** erus has joined #openstack-keystone
[12:02] *** shyamb has joined #openstack-keystone
[12:22] *** dave-mccowan has joined #openstack-keystone
[12:34] *** erus has quit IRC
[12:34] *** HD|Laptop has joined #openstack-keystone
[12:34] <HD|Laptop> hello all
[12:34] <HD|Laptop> I am trying to get Octavia running, but keep hitting keystone problems
[12:34] <HD|Laptop> a simple openstack loadbalancer create --name lb1 --vip-network-id xxx yields "Authentication cannot be scoped to multiple targets. Pick one of: project, domain, trust or unscoped"
[12:34] <HD|Laptop> http://paste.debian.net/1071373/ => this is my config
[12:34] *** erus has joined #openstack-keystone
[12:35] *** shyamb has quit IRC
[12:40] <cmurphy> HD|Laptop: in [service_auth] you should remove domain_name = default, as that implies you want to scope to a domain when you probably want to scope to the project named 'service'
[12:40] <cmurphy> HD|Laptop: you should also change project_domain_name and user_domain_name to Default (capital D)
[12:48] *** markvoelker has joined #openstack-keystone
[12:48] <HD|Laptop> cmurphy: ah, okay. now it at least doesn't crash with keystone errors anymore, now it only fails to locate the amphora flavor in nova...
[12:48] <HD|Laptop> thanks :)
[12:49] *** edmondsw has joined #openstack-keystone
[12:49] <cmurphy> np
[12:56] *** awalende has quit IRC
[13:01] *** jistr|sick is now known as jistr|sick|mtg
[13:05] *** awalende has joined #openstack-keystone
[13:21] *** markvoelker has quit IRC
[13:24] *** jamesmcarthur has joined #openstack-keystone
[13:32] *** jamesmcarthur has quit IRC
[13:33] *** jamesmcarthur has joined #openstack-keystone
[13:38] *** jamesmcarthur has quit IRC
[13:42] <knikolla> o/
[13:42] *** erus has quit IRC
[13:43] <cmurphy> \o
[13:43] *** erus has joined #openstack-keystone
[13:49] *** lbragstad has joined #openstack-keystone
[13:49] *** ChanServ sets mode: +o lbragstad
[13:52] <lbragstad> o/
[14:03] *** jamesmcarthur has joined #openstack-keystone
[14:06] *** jamesmcarthur has quit IRC
[14:06] *** jamesmcarthur has joined #openstack-keystone
[14:18] *** jmlowe has joined #openstack-keystone
[14:18] *** markvoelker has joined #openstack-keystone
[14:24] *** jamesmcarthur has quit IRC
[14:31] *** pcaruana has quit IRC
[14:32] *** erus has quit IRC
[14:33] *** beekneemech is now known as bnemec
[14:33] *** erus has joined #openstack-keystone
[14:38] *** jamesmcarthur has joined #openstack-keystone
[14:50] *** markvoelker has quit IRC
[15:02] *** jistr|sick|mtg is now known as jistr|sick
[15:24] <lbragstad> just a heads up - https://review.openstack.org/#/c/622589/ is probably gonna be a pain with merge conflicts
[15:24] <lbragstad> with all the other policy patches in flight
[15:25] *** pcaruana has joined #openstack-keystone
[15:26] <cmurphy> should we wait to merge that one until all the others are in?
[15:34] <lbragstad> good question
[15:34] *** erus has quit IRC
[15:34] *** erus has joined #openstack-keystone
[15:35] <lbragstad> i could start rebasing patches like https://review.openstack.org/#/c/619282/
[15:35] <lbragstad> and wip 622589 until we get through those?
[15:40] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove service policies from policy.v3cloudsample.json  https://review.openstack.org/619282
[15:40] <cmurphy> wfm
[15:48] *** markvoelker has joined #openstack-keystone
[16:11] *** shyamb has joined #openstack-keystone
[16:12] *** erus has quit IRC
[16:12] *** erus has joined #openstack-keystone
[16:17] <gagehugo> o/
[16:21] *** markvoelker has quit IRC
[16:26] <erus> o.
[16:26] <erus> o/
[16:32] *** gyee has joined #openstack-keystone
[16:35] *** imacdonn_ has joined #openstack-keystone
[16:35] *** imacdonn_ is now known as imacdonn
[16:49] *** ayoung has joined #openstack-keystone
[16:59] *** shyamb has quit IRC
[17:17] <lbragstad> so - for the unified limit policy/protection testing
[17:17] <lbragstad> do we want domain users to be able to list all limits for the domain and projects within the domain they have authorization on?
[17:18] *** markvoelker has joined #openstack-keystone
[17:18] *** erus has quit IRC
[17:19] *** erus has joined #openstack-keystone
[17:19] <ayoung> no
[17:19] <ayoung> list all limits is one level up
[17:19] <lbragstad> currently - if GET /v3/limits is called with a domain-scoped token, the response is filtered by that domain (instead of including all project limits within that domain)
[17:19] <ayoung> knee jerk reaction there
[17:20] <ayoung> it's not the user's limit, it is the domain's, right?
[17:20] <ayoung> hmmm
[17:20] <lbragstad> yeah - project and domain limits
[17:20] <ayoung> does not map neatly to unix concepts, does it
[17:21] <ayoung> I retract...I think read only for a member would be appropriate, change for admins, no?
[17:21] <lbragstad> well - only system administrators can create, modify, or delete limits for projects or domains
[17:21] <ayoung> is this a question of how to filter, or what the user should access?
[17:21] *** awalende has quit IRC
[17:22] <lbragstad> but users with role assignments on a project or domain should be able to call GET /v3/limits and get a list of limits for things they have authorization on, no?
[17:22] *** awalende has joined #openstack-keystone
[17:23] <ayoung> yeah...I think so.  I guess that not knowing that would prevent you from being able to make decent decisions
[17:23] <ayoung> you could find out the same info by creating until you ran out of resources, then deleting.
[17:23] <ayoung> better to tell you up front
[17:23] <lbragstad> yeah - at the expense of u-x i would say
[17:24] <lbragstad> but for the case of domain users
[17:24] <lbragstad> if i call GET /v3/limits with a domain-scoped token
[17:24] <ayoung> Domains should have the same rules as projects, just for different resources
[17:24] <lbragstad> should the response contain all limits for the domain and all limits for projects of that domain?
[17:25] <ayoung> hmmm
[17:25] <lbragstad> or should it only contain limits for the domain relayed through token scope (sans projects of the domain)?
[17:25] *** rafaelweingartne has joined #openstack-keystone
[17:26] <ayoung> by default?  I mean, you should be able to get all those things with different params, right?
[17:26] <rafaelweingartne> Hello Keystone folks, do I need to enable something to use app credentials?
[17:26] <lbragstad> rafaelweingartne no - they should be available by default
[17:26] <rafaelweingartne> when I try to use them, I get: "Attempted to authenticate with an unsupported method. (HTTP 401)"
[17:26] *** awalende has quit IRC
[17:27] <ayoung> lbragstad, do they have to go in the token list of auth types?
[17:27] <lbragstad> oh - maybe?
[17:27] <lbragstad> lemme double check
[17:27] <ayoung> 1 sec
[17:28] <cmurphy> rafaelweingartne: add application_credential to [auth]/methods
[17:28] <lbragstad> looks like they are by default
[17:28] <lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/auth.py#n21
[17:28] <lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/constants.py#n20
[17:28] <ayoung> might not get that in an upgrade, tho
[17:28] <lbragstad> right
[17:28] <ayoung> or some deployment tool may strip it out
[17:28] <lbragstad> i'd double check to make sure ``keystone.conf [auth] methods`` contains application_credentials
[17:28] <ayoung> rafaelweingartne, how are you deploying?  Is this an upgrade?  And what Keystone release?
[17:29] <rafaelweingartne> hmm
[17:29] <rafaelweingartne> [auth] methods = external,password,token,mapped,openid
[17:29] <rafaelweingartne> so that is the problem
[17:29] <lbragstad> yeah
[17:29] <rafaelweingartne> I am using kolla-ansible
[17:30] <rafaelweingartne> but I have added a feature to enable kolla-ansible to integrate Keystone with IdPs automatically, so we do not need to worry about all of the moving parts
[17:31] <rafaelweingartne> and when I did that, I have overridden the default "auth" section
[17:31] <rafaelweingartne> thanks for the help
[17:31] <lbragstad> no problem
[17:32] <rafaelweingartne> I now get, "Error authenticating with application credential: Application credentials cannot request a scope"
[17:32] <rafaelweingartne> what does that mean?
[17:32] <rafaelweingartne> I am issuing a simple "openstack user list"
[17:38] <lbragstad> i'm pretty sure that means the project associated to your application credential mismatches the project you're attempting to authenticate a token for
[17:38] <rafaelweingartne> hmm
[17:39] <rafaelweingartne> but I am actually using the openrc generated in Horizon
[17:39] <rafaelweingartne> let me check
[17:39] <lbragstad> we have some good documentation on this - https://docs.openstack.org/keystone/latest/user/application_credentials.html
[17:39] <lbragstad> that walks through the process, in case you haven't seen that yet
[17:40] <cmurphy> you shouldn't have a project set at all
[17:40] <cmurphy> the openrc file for app creds from horizon shouldn't include one
[17:41] *** erus has quit IRC
[17:41] *** erus has joined #openstack-keystone
[17:42] <rafaelweingartne> yes, it does not have a project there
[17:42] <rafaelweingartne> No, I have not read the docs. I was hoping for it to be as simple as downloading, loading the variables, and then executing the commands
[17:48] *** mvkr has quit IRC
[17:51] *** markvoelker has quit IRC
[17:51] <cmurphy> well it should pretty much work out of the box, that error can only mean you have a stray project_name or project_id in your environment
[17:55] <rafaelweingartne> you mean, a shell variable?
[17:57] <rafaelweingartne> shouldn't the project be in the app credential when it is created via horizon?
[17:57] <ayoung> yeah...unset OPENSTACK_PROJECT_ID and OPENSTACK_PROJECT_NAME in your shell env script
[17:58] <ayoung> project is included when the app cred is made
[18:01] <rafaelweingartne> I am listing all variables with "printenv | grep OS" and there is nothing else
[18:02] <rafaelweingartne> there is something odd here then, because the project is not in the app credentials
[18:02] <rafaelweingartne> it is showing as none
[18:03] <rafaelweingartne> and there is no "OPEN" variable (printenv | grep OPEN)
[18:08] <cmurphy> it's not OPENSTACK_PROJECT_ID/NAME it's OS_PROJECT_ID/OS_PROJECT_NAME
[18:09] <cmurphy> env | grep OS_ would show it
[18:09] <cmurphy> if it was there
[18:10] <rafaelweingartne> env and "printenv | grep OS" is the same
[18:10] <rafaelweingartne> so, it is not there
[18:10] <rafaelweingartne> the problem is something else I guess
[18:11] <rafaelweingartne> I just changed keystone to print the scope that is being requested
[18:24] *** whoami-rajat has quit IRC
[18:32] *** jamesmcarthur_ has joined #openstack-keystone
[18:35] *** jamesmcarthur has quit IRC
[18:41] *** jamesmcarthur_ has quit IRC
[18:48] <kmalloc> o/
[18:48] *** markvoelker has joined #openstack-keystone
[18:53] *** jamesmcarthur has joined #openstack-keystone
[18:56] *** pcaruana has quit IRC
[18:58] *** whoami-rajat has joined #openstack-keystone
[18:59] *** jamesmcarthur has quit IRC
[18:59] *** jamesmcarthur has joined #openstack-keystone
[19:04] *** jamesmcarthur has quit IRC
[19:13] <lbragstad> i think the oslo.policy matching checks just broke my brain
[19:16] <kmalloc> lbragstad: hahaha
[19:16] <kmalloc> lbragstad: that is somewhat brutal code.
[19:17] <lbragstad> so - i have this code https://pasted.tech/pastes/3635c09add2eeab3400f0c75700c819c799027eb
[19:18] <lbragstad> and that policy check lets a domain user from domain A fetch limits out of a domain they have no authorization on
[19:18] <lbragstad> can you guess why?
[19:18] <kmalloc> sec.
[19:19] <kmalloc> because you are a null on project_id and the limit doesn't have a project id?
[19:19] <kmalloc> so none = none
[19:19] <lbragstad> fwiw - the test case is calling GET /v3/limits/(limit_id) with a domain scoped token
[19:19] <kmalloc> ?
[19:20] <lbragstad> https://pasted.tech/pastes/85a698668b89f76b0a7b07ab8ccb325deba427ac
[19:20] *** erus has quit IRC
[19:20] <lbragstad> yeah
[19:20] <kmalloc> hehe
[19:20] <kmalloc> maaaaybe have i worked in the policy checks :P
[19:20] <kmalloc> i mean..... it doesn't surprise me at all
[19:20] * lbragstad blames kmalloc
[19:20] <kmalloc> the OR needs to also check if domain is set
[19:20] *** erus has joined #openstack-keystone
[19:20] <kmalloc> which, we don't have a policy DSL check for
[19:21] <lbragstad> hmmm
[19:21] <kmalloc> we need the KEY_EXISTS() check
[19:21] *** markvoelker has quit IRC
[19:21] <kmalloc> so we can do  (project_id):%(....project_id) AND KEY_NOT_EXISTS(domain_id)
[19:21] <kmalloc> this is exactly one of the cases I was looking at for the expanded policy DSL checks.
[19:21] <lbragstad> oh - we do have a check for that i think?
[19:21] <kmalloc> no we don't
[19:22] <kmalloc> the way policy works: before the ':' is an explicit lookup in the dict, and the part after the ':' is a literal string
[19:22] *** jamesmcarthur has joined #openstack-keystone
[19:22] <lbragstad> right
[19:22] <kmalloc> but there is no way to say "check if key exists in target dict"
[19:23] * lbragstad is grasping at straws
[19:23] <kmalloc> because the pre-':' section is always a None or a value
[19:23] <kmalloc> and there is no way to represent 'None' because you are a literal string.
[19:23] <lbragstad> mmm
[19:23] <kmalloc> not the None singleton
[19:23] *** rafaelweingartne has quit IRC
[19:23] *** awalende has joined #openstack-keystone
[19:23] <kmalloc> so.. we need a way to say KEY_IN_TARGET_DICT but not care what the key is
[19:23] *** openstackgerrit has quit IRC
[19:24] <lbragstad> i wonder if we could pass something that isn't None?
[19:24] <kmalloc> not unless you explicitly populate the target dict
[19:24] <lbragstad> right
[19:24] <kmalloc> and it is very fragile
[19:24] <kmalloc> i'd rather fix oslo.policy
[19:24] <kmalloc> honestly
[19:24] <lbragstad> i should have found this a week or two ago
[19:24] * kmalloc has talked with you about this a few times this cycle
[19:25] <lbragstad> this - specifically?
[19:25] <lbragstad> this is the first time i've hit this issue working with policy
[19:25] <kmalloc> not this specific case
[19:25] <kmalloc> but similar cases
[19:25] <kmalloc> i was talking about a very similar case when we talked policy DSL expansion
[19:25] <lbragstad> we won't get another oslo.policy release for stein
[19:26] <kmalloc> you could do the dirty hack and populate a "IS_PROJECT_SCOPE" in the target dict
[19:26] <kmalloc> and a "IS_DOMAIN_SCOPE" and "IS_SYSTEM_SCOPE"
[19:26] <kmalloc> as appropriate, and then check for that
[19:26] <kmalloc> in the rule
[19:27] <lbragstad> another option might be to break up the get_limit implementation
[19:27] <lbragstad> and enforce policies for get_domain_limit or get_project_limit
[19:27] <kmalloc> true
[19:27] <lbragstad> which might result in a less complicated check_str
[19:28] <kmalloc> *shrug*
[19:28] *** awalende has quit IRC
[19:28] <lbragstad> hmm
[19:28] <lbragstad> i'll continue to noodle on it
[19:29] <lbragstad> i thought i was going to lose my mind with how many times i thought i set domain_id:%(target.limit.domain_id)s wrong
[19:29] <kmalloc> nope.
[19:29] <kmalloc> sorry man.
[19:29] <kmalloc> :(
[19:29] <lbragstad> turns out None *is* equal to None
[19:31] <kmalloc> funny that :P
[19:32] * lbragstad takes lunch
[19:46] *** blake has joined #openstack-keystone
[20:03] <erus> hi kmalloc o/
[20:04] <kmalloc> erus: allo
[20:08] *** jmlowe has quit IRC
[20:18] *** markvoelker has joined #openstack-keystone
[20:19] *** jamesmcarthur has quit IRC
[20:19] *** jamesmcarthur has joined #openstack-keystone
[20:19] *** erus has quit IRC
[20:20] *** erus has joined #openstack-keystone
[20:27] <lbragstad> trivial review: https://review.openstack.org/#/c/619282/
[20:27] <cmurphy> every. time.
[20:28] <lbragstad> i'm a troll
[20:29] <lbragstad> i commend the enthusiasm though!
[20:29] <cmurphy> :)
[20:39] *** BlackDex has quit IRC
[20:46] *** jmlowe has joined #openstack-keystone
[20:48] *** BlackDex has joined #openstack-keystone
[20:51] *** markvoelker has quit IRC
[20:58] *** jamesmcarthur has quit IRC
[20:59] *** jamesmcarthur has joined #openstack-keystone
[20:59] *** jamesmcarthur has quit IRC
[20:59] *** jamesmcarthur has joined #openstack-keystone
[21:04] *** whoami-rajat has quit IRC
[21:06] *** jamesmcarthur has quit IRC
[21:29] *** mvkr has joined #openstack-keystone
[21:32] *** blake has quit IRC
[21:37] *** jamesmcarthur has joined #openstack-keystone
[21:49] *** markvoelker has joined #openstack-keystone
[21:54] *** zzzeek has quit IRC
[21:54] *** zzzeek has joined #openstack-keystone
[21:57] *** jamesmcarthur has quit IRC
[21:58] *** jamesmcarthur has joined #openstack-keystone
[22:09] *** dave-mccowan has quit IRC
[22:12] *** jamesmcarthur has quit IRC
[22:13] *** jamesmcarthur has joined #openstack-keystone
[22:18] *** eglute has joined #openstack-keystone
[22:21] *** markvoelker has quit IRC
[22:22] <lbragstad> stepping out for a bit - i'll be on later
[22:56] *** tkajinam has joined #openstack-keystone
[22:57] *** jamesmcarthur has quit IRC
[22:58] *** jamesmcarthur has joined #openstack-keystone
[23:00] *** jamesmcarthur has quit IRC
[23:00] *** erus has quit IRC
[23:01] *** erus has joined #openstack-keystone
[23:18] *** markvoelker has joined #openstack-keystone
[23:26] *** erus has quit IRC
[23:27] *** erus has joined #openstack-keystone
[23:39] *** dklyle has quit IRC
[23:50] *** openstackgerrit has joined #openstack-keystone
[23:50] <openstackgerrit> Merged openstack/keystone master: Remove service policies from policy.v3cloudsample.json  https://review.openstack.org/619282
[23:51] *** markvoelker has quit IRC
[23:56] <kmalloc> lbragstad, gagehugo, ayoung, knikolla: a change we should get landed, looks clean and ready: https://review.openstack.org/#/c/640724/

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!