Monday, 2019-03-18

*** shyamb has quit IRC00:28
*** dave-mccowan has joined #openstack-keystone00:28
*** dave-mccowan has quit IRC00:31
*** jamesmcarthur has joined #openstack-keystone00:58
*** itlinux has joined #openstack-keystone00:59
*** erus has quit IRC01:28
*** lbragstad has joined #openstack-keystone01:40
*** ChanServ sets mode: +o lbragstad01:40
*** jamesmcarthur has quit IRC01:45
*** jamesmcarthur has joined #openstack-keystone01:55
*** jamesmcarthur has quit IRC02:06
*** jamesmcarthur_ has joined #openstack-keystone02:06
*** lbragstad has quit IRC02:17
*** irclogbot_1 has quit IRC02:23
adriantoh, also cmurphy: I guess we can look at: "default_project_id" on the user model as a precedent :P02:25
*** edmondsw has quit IRC02:26
*** jamesmcarthur_ has quit IRC02:59
*** shyamb has joined #openstack-keystone03:05
*** shyam89 has joined #openstack-keystone03:11
*** shyam89 has quit IRC03:14
*** shyamb has quit IRC03:14
openstackgerritMerged openstack/keystone master: Small refactor for create nonlocal user
*** whoami-rajat has joined #openstack-keystone03:46
*** itlinux has quit IRC04:15
*** rodrigods has quit IRC05:01
*** rcernin has quit IRC05:43
*** jaosorior has joined #openstack-keystone05:45
*** rcernin has joined #openstack-keystone05:59
*** phasespace has quit IRC06:54
*** jaosorior has quit IRC06:58
*** tkajinam_ has joined #openstack-keystone07:11
*** jaosorior has joined #openstack-keystone07:11
*** tkajinam has quit IRC07:13
*** pcaruana has joined #openstack-keystone07:19
*** jaosorior has quit IRC07:35
*** jaosorior has joined #openstack-keystone07:44
*** jaosorior has quit IRC07:44
*** xek has joined #openstack-keystone07:45
*** rexor has quit IRC07:58
*** awalende has joined #openstack-keystone08:02
*** phasespace has joined #openstack-keystone08:11
*** tkajinam_ has quit IRC08:24
cmurphyadriant: i don't think default_project_id should be taken as a precedent for anything, that's an artifact of keystone v2 and not meant to be used for presentation (i guess you know that)08:49
cmurphyadriant: maybe horizon should grow its own database for things like this? i mean nova for instance doesn't try to store user ssh keys in keystone's database, it uses its own08:50
cmurphywhat if horizon had an optional crud component for storing user options, and a setting in local settings to point to that mini database or some other user info source like adjutant?08:50
openstackgerritFrode Nordahl proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes
openstackgerritzhufl proposed openstack/keystone master: Use ForbiddenAction for invalid action instead of Forbidden
*** shyamb has joined #openstack-keystone09:41
*** shyamb has quit IRC10:04
*** shyamb has joined #openstack-keystone10:14
*** shyamb has quit IRC10:30
*** shyamb has joined #openstack-keystone10:30
*** shyamb has quit IRC11:31
*** rcernin has quit IRC11:46
*** edmondsw has joined #openstack-keystone11:50
*** jaosorior has joined #openstack-keystone11:51
*** raildo has joined #openstack-keystone11:52
*** shyamb has joined #openstack-keystone11:56
*** erus has joined #openstack-keystone12:14
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes
openstackgerriterus proposed openstack/keystone master: Add new attribute to the federation protocol API
*** markvoelker has quit IRC12:22
*** whoami-rajat has quit IRC12:35
*** yan0s has joined #openstack-keystone12:43
*** shyamb has quit IRC12:48
*** pcaruana|afk| has joined #openstack-keystone12:54
*** pcaruana has quit IRC12:56
*** erus has quit IRC12:56
*** erus has joined #openstack-keystone12:56
*** whoami-rajat has joined #openstack-keystone13:08
*** erus has quit IRC13:08
*** erus has joined #openstack-keystone13:09
*** mchlumsky has joined #openstack-keystone13:14
*** lbragstad has joined #openstack-keystone13:18
*** ChanServ sets mode: +o lbragstad13:18
*** needssleep is now known as TheJulia13:18
openstackgerritColleen Murphy proposed openstack/keystone master: [WIP] Add domain scope support for group policies
cmurphylbragstad: ^13:23
cmurphythose are...a lot of work13:23
lbragstadit makes me wish i had a better approach or solution to the *entire* situation13:24
lbragstadit's very developer expensive :(13:24
cmurphypart of it is just wrapping your brain around what should be system vs domain vs project scope and there's no way around that except to think about it13:25
cmurphybut finding some way to dry up the unit testing would be cool13:25
cmurphybut anyways i think getting all the system-scope-tagged bugs done in before train is probably a little too ambitious13:26
lbragstadi guess it comes down to which couple we think are important13:27
lbragstadand targeting those13:27
lbragstadre DRY: we have a whole bunch of this everywhere13:28
lbragstadevery resource has a SystemAdminTests, SystemMemberTest, SystemReaderTests, DomainAdminTests, etc...13:29
lbragstadwe could just have a single test module for SystemAdminTests and import all test classes for it13:29
* lbragstad probably should have done that originally 13:29
lbragstadbut that would cut down on some of the copy/pastad code13:30
lbragstadfyi - we're still waiting on to merge for the project and user APIs13:37
*** mchlumsky has quit IRC13:37
*** mchlumsky has joined #openstack-keystone13:40
*** pcaruana|afk| has quit IRC13:48
*** pcaruana has joined #openstack-keystone14:33
openstackgerritOpenStack Release Bot proposed openstack/keystoneauth master: Update master for stable/stein
openstackgerritOpenStack Release Bot proposed openstack/keystonemiddleware master: Update master for stable/stein
*** shyamb has joined #openstack-keystone14:41
openstackgerritOpenStack Release Bot proposed openstack/oslo.policy master: Update master for stable/stein
openstackgerritOpenStack Release Bot proposed openstack/python-keystoneclient master: Update master for stable/stein
*** awalende has quit IRC14:59
*** awalende has joined #openstack-keystone15:00
*** jamesmcarthur has joined #openstack-keystone15:02
*** shyamb has quit IRC15:03
*** phasespace has quit IRC15:03
*** awalende has quit IRC15:04
efriedmordred: Just so you're not surprised: It occurred to me that it makes sense to factor out *all* the conf-loading logic, whatever that may be now or in the future, into this helper.15:24
efriedthat will change the complexion of the from_conf method in sdk nontrivially. But makes the most sense imo.15:26
mordredefried: kk. wfm15:28
openstackgerritEric Fried proposed openstack/keystoneauth master: Factor Adapter conf-processing logic into a helper
efriedmordred: ^15:42
efriedmordred: q: should we put a keystoneauth1.loading.shim_in_here?15:43
mordredefried: nah. I think it's fine for us to reach in - I mean, it's an interface, but it's not an interface most people should be touching15:45
efriedmordred: one update to make a docstring more precise, then Ima update the sdk patch to use it mkay?15:45
openstackgerritEric Fried proposed openstack/keystoneauth master: Factor Adapter conf-processing logic into a helper
mordredefried: looks great to me15:46
cmurphywe need and asap, open question on the latter about whether we should keep doing that15:58
*** yan0s has quit IRC16:21
*** shyamb has joined #openstack-keystone16:28
*** shyamb has quit IRC16:46
*** itlinux has joined #openstack-keystone16:58
*** jamesmcarthur has quit IRC17:38
*** jamesmcarthur has joined #openstack-keystone17:39
*** mvkr has quit IRC17:43
*** erus has quit IRC17:43
*** erus has joined #openstack-keystone17:43
*** itlinux has quit IRC17:50
*** itlinux has joined #openstack-keystone17:54
*** gyee has joined #openstack-keystone17:58
*** jmlowe has joined #openstack-keystone18:02
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes
*** itlinux has quit IRC18:10
*** dustinc is now known as dustinc|lunch18:13
*** itlinux has joined #openstack-keystone18:15
*** gmann is now known as gmann_afk18:34
*** itlinux has quit IRC18:34
*** bbobrov has joined #openstack-keystone18:36
*** itlinux has joined #openstack-keystone18:38
*** jamesmcarthur has quit IRC18:41
*** jamesmcarthur has joined #openstack-keystone18:56
*** gmann_afk is now known as gmann18:56
*** jamesmcarthur has quit IRC19:00
*** dave-mccowan has joined #openstack-keystone19:05
*** jmlowe has quit IRC19:13
*** itlinux has quit IRC19:15
*** jamesmcarthur has joined #openstack-keystone19:18
*** jamesmcarthur has quit IRC19:19
*** jamesmcarthur has joined #openstack-keystone19:23
*** dustinc|lunch is now known as dustinc19:23
*** itlinux has joined #openstack-keystone19:24
mnaserok i'm really stuck on this request and i really feel like its quite wrong its as complex as i think it is19:42
mnaserqueens deployment.. user needs a role which can do 2 specific things only against the compute service and nothing else19:42
mnaserdoes that mean we have to go and change the policies of ALL services to $some_default_involving_member_role and then overriding those specific ones to allow that extra role?19:42
mnaserisn't that.. how do you say, uh, insanely unreasonable?19:42
*** itlinux has quit IRC19:53
lbragstadmnaser yeah - pretty much19:53
lbragstadso that role should only do 2 things and nothing else/19:54
lbragstador should they still be allowed to do other member-ish type things?19:54
mnaserlbragstad: that's the goal, i.e. "a role for this user that can read server name and ip only"19:54
mnasermaybe more of a "reader" role i guess19:54
lbragstad++ sounds like a reader role capability19:54
lbragstadbut someone with a reader role on a project shouldn't be able to do much anyway19:55
mnaserand we're far away from that eh :<19:55
*** whoami-rajat has quit IRC19:55
lbragstadso - you could create a server-name-and-ip-reader role19:55
lbragstadand have reader imply that role19:56
lbragstadthen just update the nova policies for that new role19:56
mnaserlbragstad: but i guess then we need to put in the work into nova policies19:57
*** itlinux has joined #openstack-keystone19:57
mnaserwhich is probably too late in the cycle now i guess19:57
lbragstadyeah - probably19:57
lbragstadfwiw - i'm reworking one of the nova docs to elaborate on all of this19:57
lbragstad is a general description of the process19:58
*** erus has quit IRC19:58
lbragstadsame with
*** erus has joined #openstack-keystone19:59
*** jamesmcarthur has quit IRC20:00
mnaserlbragstad: when was reader role created if you dont mind me asking?20:04
mnaserlbragstad: ok, i will need to push patches to the projects to get proper policy coverage.  i will then use the built policy.json to use in a queens env20:06
mnaserim going to make a multi-project bug to track it too20:07
*** jamesmcarthur has joined #openstack-keystone20:09
*** jamesmcarthur has quit IRC20:10
*** jamesmcarthur has joined #openstack-keystone20:10
*** irclogbot_1 has joined #openstack-keystone20:12
*** dklyle has quit IRC20:14
mnaserlbragstad: admin_or_owner becomes redundant at this point because role:admin implies role:member and role:reader anyways, correct?20:16
*** dklyle has joined #openstack-keystone20:18
lbragstadwell - imo owner means owner of a resource20:18
mnaserin nova world, owner is also someone who's part of that project i guess, but yeah that makes sense20:18
*** jmlowe has joined #openstack-keystone20:20
mnaseri'm pretty much trying to figure out what rules we need in place so i can go back and go over the policies20:20
mnaseri think i could add `RULE_ADMIN_OR_OWNER_AND_READER = 'rule:admin_or_owner and role:reader'`20:21
*** irclogbot_1 has quit IRC20:25
lbragstadi think it depends on what you define an owner as20:27
*** irclogbot_1 has joined #openstack-keystone20:27
mnaserin nova world, that's a user who's project == their project20:27
lbragstadok - we can use that as an example20:27
lbragstadif you want to have someone be able to list servers20:29
lbragstadyou could do "role:reader and project_id:%(server.project_id)s"20:29
lbragstad^ that would effectively be a PROJECT_READER policy check string20:30
mnaseri think fundamentally having project:$(project_id)s in the nova policy messes things up because that user obviously would already have access for the rest because they share the project_id20:30
mnaserso ADMIN_OR_OWNER would need to be revised somehow20:30
lbragstadso you want it to be more granular than project id?20:31
mnaserno, but if i add a user to a project_id with role:reader -- nothing checks for role:member in the default policy20:31
lbragstadmember implies reader20:31
lbragstadand admin implies member20:31
mnaserright, but in nova, nothing checks for member specifically20:31
mnaserthe most common check for non-admin API is.. `is_admin:True or project_id:%(project_id)s`20:32
mnaserso either you're an admin .. or you live in the same project20:32
mnaserso even if i give role 'bananaman' to an account, they'll still match admin_or_owner20:32
lbragstadyeah - i see what you mean20:33
lbragstadthat's something that i think projects need to move towards20:33
mnaseri think we would need to revise admin_or_owner rule to become: is_admin:True or (project_id:%(project_id)s and role:member)20:33
lbragstadI would refactor out the admin bits20:33
lbragstadbut yea20:33
mnaseryeah is_admin:True is some context level check which can be replaced by role:admin20:33
lbragstadwith system, domain, and project scope, admin can mean many different htings20:34
lbragstadyou can be a system-admin, domain-admin, or project-admin20:34
lbragstadin fact, you can do that with every default role (admin, member, reader) across all scopes (system, domain, project)20:34
mnaserso really admin_or_owner replacement should be a project scoped member, right?20:35
lbragstadyes - i think so20:35
lbragstadat least the owner part20:35
lbragstadthe admin part should be system_admin20:35
lbragstadso admin_or_owner == SYSTEM_ADMIN_OR_PROJECT_MEMBER20:35
lbragstadif the API is writable20:36
lbragstadotherwise you could o20:36
mnaserok, is there any docs on writing scoped policy rules?20:36
lbragstadthe actual check string would be "(role:admin and system_scope:all) or (role:reader and project_id:%(target.server.project_id)s"20:37
lbragstadwe have some here -
lbragstadbut that is specific to scope20:37
mnaserok well maybe we need to refactor the policies to include a scope_type before20:38
lbragstadscope_type is an attribute that is available on RuleDefault objects20:38
ildikovknikolla: ping20:38
*** dave-mccowan has quit IRC20:39
mnasero yikes the policy is not using named args but ordered ones in nova20:39
lbragstadi noticed that, too20:40
lbragstadthat would be a good low-hanging-fruit for a new contributor to fix20:40
mnaserok ill try to talk to the nova team about this20:41
mnaserthanks for all the input lbragstad20:41
lbragstadi've been having an off and on discussion with nova (mriedem and melwitt) about policy for the last year or so20:41
lbragstadwe're making progress20:41
lbragstadbut the concepts are a bit confusing yet20:41
mnaserit is20:42
lbragstadwhich is why we've been dumping time into the docs to help describe how people can actually fix all this20:42
lbragstadwe also have forum and ptg sessions20:42
mnaseronce it makes sense, it seems to add up20:42
lbragstadso - if we wanna do another hoorah, i'm all for it20:42
lbragstadall the plumbing is in place20:42
melwittlbragstad: what would be good low-hanging-fruit? changing from ordered args to named args?20:42
lbragstadyeah - for the RuleDefault and DocumentedRuleDefault objects in nova20:43
lbragstadmnaser more context in case you haven't parsed it yet -
mnaserthat's a really good tl;dr20:44
lbragstadtl;dr all the plumbing is in place in keystone, oslo.context, oslo.policy, ksm, ksa, clients, etc... for all projects and services to start moving towards a consistent set of RBAC roles20:45
*** dave-mccowan has joined #openstack-keystone20:45
lbragstadi guess the email just includes more words and links20:45
lbragstadmelwitt the RuleDefault object only has a couple of ordered args, everything is named20:47
* lbragstad goes to get a cup of coffee quick20:47
melwittlbragstad: ack, thanks20:47
*** pcaruana has quit IRC20:54
*** mchlumsky has quit IRC20:55
lbragstadmelwitt np20:57
*** itlinux has quit IRC21:01
*** itlinux has joined #openstack-keystone21:13
*** erus has quit IRC21:13
*** itlinux has quit IRC21:17
*** xek has quit IRC21:17
openstackgerritColleen Murphy proposed openstack/keystone master: [DNM] Fix WebSSO for new remote_id retrieval
*** itlinux has joined #openstack-keystone21:25
*** irclogbot_1 has quit IRC21:26
*** irclogbot_1 has joined #openstack-keystone21:28
cmurphylbragstad: can you review ?21:33
lbragstadcmurphy done21:35
lbragstadlooks great21:35
*** itlinux has quit IRC21:43
*** itlinux has joined #openstack-keystone21:45
*** mvkr has joined #openstack-keystone21:47
*** raildo has quit IRC21:48
*** itlinux has quit IRC21:51
*** erus has joined #openstack-keystone22:02
*** itlinux has joined #openstack-keystone22:09
*** itlinux has quit IRC22:20
*** tkajinam has joined #openstack-keystone22:54
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes
*** rcernin has joined #openstack-keystone23:04
*** erus has quit IRC23:21
*** jamesmcarthur has quit IRC23:51

Generated by 2.15.3 by Marius Gedminas - find it at!