Thursday, 2019-06-06

00:07 *** markvoelker has quit IRC
00:07 *** markvoelker has joined #openstack-keystone
00:12 *** markvoelker has quit IRC
00:43 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add user_id, external_id to access rules table  https://review.opendev.org/663440
00:43 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add manager support for app cred access rules  https://review.opendev.org/663462
00:45 *** rcernin has joined #openstack-keystone
00:45 *** rcernin has quit IRC
00:45 *** rcernin has joined #openstack-keystone
00:58 *** lbragstad has quit IRC
01:01 *** spsurya has joined #openstack-keystone
01:21 *** rcernin has quit IRC
01:21 *** rcernin has joined #openstack-keystone
01:25 *** itlinux has joined #openstack-keystone
01:30 *** ayoung has quit IRC
01:32 *** dave-mccowan has joined #openstack-keystone
02:07 *** whoami-rajat has joined #openstack-keystone
02:08 *** markvoelker has joined #openstack-keystone
02:41 *** jamesmcarthur has joined #openstack-keystone
02:42 *** markvoelker has quit IRC
03:08 *** jamesmcarthur has quit IRC
03:29 *** shyamb has joined #openstack-keystone
03:50 *** dave-mccowan has quit IRC
04:29 *** shyamb has quit IRC
04:46 *** schaney__ has quit IRC
04:47 *** shyamb has joined #openstack-keystone
04:50 *** pcaruana has joined #openstack-keystone
05:00 *** tkajinam has quit IRC
05:25 *** shyamb has quit IRC
05:28 *** shyamb has joined #openstack-keystone
05:55 *** shyamb has quit IRC
05:57 *** shyamb has joined #openstack-keystone
05:58 *** markvoelker has joined #openstack-keystone
06:00 *** tkajinam has joined #openstack-keystone
06:02 *** markvoelker has quit IRC
06:16 *** xek has joined #openstack-keystone
06:38 *** dklyle has quit IRC
06:38 *** dklyle has joined #openstack-keystone
06:46 *** shyamb has quit IRC
07:00 *** shyamb has joined #openstack-keystone
07:04 *** gyee has quit IRC
07:12 *** tesseract has joined #openstack-keystone
07:14 *** rcernin has quit IRC
07:47 *** shyamb has quit IRC
07:58 *** markvoelker has joined #openstack-keystone
08:32 *** markvoelker has quit IRC
08:32 *** shyamb has joined #openstack-keystone
09:01 *** tkajinam has quit IRC
09:28 *** jistr is now known as jistr|lnl
09:29 *** markvoelker has joined #openstack-keystone
09:34 *** shyamb has quit IRC
09:48 *** shyamb has joined #openstack-keystone
09:58 *** shyamb has quit IRC
10:03 *** markvoelker has quit IRC
10:28 *** shyamb has joined #openstack-keystone
10:28 *** vishalmanchanda has joined #openstack-keystone
10:59 *** markvoelker has joined #openstack-keystone
11:01 *** takamatsu has quit IRC
11:02 *** takamatsu has joined #openstack-keystone
11:18 *** jistr|lnl is now known as jistr
11:32 *** markvoelker has quit IRC
11:36 *** raildo has joined #openstack-keystone
11:40 *** shyamb has quit IRC
11:41 *** shyamb has joined #openstack-keystone
12:16 *** lbragstad has joined #openstack-keystone
12:21 *** trident has quit IRC
12:26 *** trident has joined #openstack-keystone
12:29 *** markvoelker has joined #openstack-keystone
12:29 *** dave-mccowan has joined #openstack-keystone
12:32 *** Emine has joined #openstack-keystone
12:52 *** pcaruana has quit IRC
13:03 *** markvoelker has quit IRC
13:06 *** shyamb has quit IRC
13:11 *** bnemec has joined #openstack-keystone
13:16 *** shyamb has joined #openstack-keystone
13:28 *** vishalmanchanda has quit IRC
13:29 *** mloza has joined #openstack-keystone
13:47 *** whoami-rajat has quit IRC
13:47 *** jaosorior has joined #openstack-keystone
13:49 <knikolla> o/
13:51 *** jaosorior has quit IRC
13:55 <lbragstad> o/
13:57 *** whoami-rajat has joined #openstack-keystone
13:59 *** markvoelker has joined #openstack-keystone
14:05 *** jamesmcarthur has joined #openstack-keystone
14:13 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Report correct domain in federated user token  https://review.opendev.org/653068
14:16 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Deprecate [federation] federated_domain_name  https://review.opendev.org/651614
14:18 *** shyamb has quit IRC
14:21 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Deprecate [federation] federated_domain_name  https://review.opendev.org/651614
14:33 *** markvoelker has quit IRC
14:37 *** jaosorior has joined #openstack-keystone
14:39 *** jaosorior has quit IRC
14:41 *** jaosorior has joined #openstack-keystone
14:42 *** xek_ has joined #openstack-keystone
14:43 *** xek has quit IRC
14:49 <cmurphy> o/
14:54 <gagehugo> o/
14:55 *** jaosorior has quit IRC
14:57 *** jaosorior has joined #openstack-keystone
15:16 *** gyee has joined #openstack-keystone
15:24 *** notq has joined #openstack-keystone
15:29 *** markvoelker has joined #openstack-keystone
15:32 *** aloga has quit IRC
15:34 *** aloga has joined #openstack-keystone
15:38 <notq> I think I placed this bug in the wrong place, https://bugs.launchpad.net/keystonemiddleware/+bug/1831791 - I think it's actually in keystone, I think it's missing the auditing for ec2 credentials. I don't look at keystone much, if someone has a second to look at it. I'm trying to dig through it and figure out where it should go.
15:39 <openstack> Launchpad bug 1831791 in keystonemiddleware "openstack ec2 credentials not audited" [Undecided,New]
15:43 <notq> contrib/ec2/controllers seems right.
15:43 <kmalloc> lbragstad: I can do that today
15:43 <notq> so then it's figuring out the correct syntax/details for each piece. ok
15:43 <kmalloc> Re the testing.
15:44 <lbragstad> kmalloc ok
15:44 <kmalloc> Not traveling, just chilling inside in NYC
15:44 <kmalloc> Erm... Upstate NY
15:44 <kmalloc> NYC is like 5 hrs South of me :P
15:48 <lbragstad> nice
15:48 <lbragstad> feel free to push changes to that patch i have
15:48 <lbragstad> i don't have anything locally that i'm currently working on
15:49 <lbragstad> for that patch anyway
15:50 *** jaosorior has quit IRC
16:02 *** markvoelker has quit IRC
16:03 *** tesseract has quit IRC
16:03 <kmalloc> yeah it's some work to be done.
16:03 <kmalloc> i think i can re-do the key repository
16:04 <kmalloc> ugh... looks like my laptop is trying to give up the ghost......
16:04 <kmalloc> battery is dying :(
16:04 <gagehugo> the x1?
16:04 <kmalloc> yeah
16:04 <kmalloc> it's the low end x1c6 though
16:04 <kmalloc> (corp. issued)
16:04 <gagehugo> :/
16:05 <kmalloc> i've found that the lower end machines don't do as well.
16:05 <kmalloc> also this is the latest firmware.
16:05 <notq> made the bug, wasn't sure if it was a security issue or not. It is for us, because it's untracked auditing tokens, but perhaps not in regards to keystone in general https://bugs.launchpad.net/keystonemiddleware/+bug/1831791
16:05 <openstack> Launchpad bug 1831791 in keystonemiddleware "openstack ec2 credentials not audited" [Undecided,New]
16:05 <kmalloc> notq: thanks
16:05 <kmalloc> notq: appreciate reporting it. it's on the edge if it's a security issue
16:05 <kmalloc> but it's not a CVE.
16:05 <kmalloc> or anything like that.
16:06 <gagehugo> yeah
16:06 <notq> makes sense. I'm going to keep trying to make sense of it for another hour to try and fix. I just don't work on keystone or python much so it's a bit of a challenge.
16:06 <kmalloc> i would probably just classify it as a case we could improve security (VMT classification D, https://security.openstack.org/vmt-process.html#incident-report-taxonomy)
16:07 <kmalloc> notq: well, we really appreciate the work you're putting in :)
16:07 <notq> so i'll update it as a security issue? like i said, it absolutely is for us.
16:07 *** whoami-rajat has quit IRC
16:07 <notq> but I don't know how much people rely on the auditing as a core security aspect.
16:07 <gagehugo> notq: we do
16:08 <gagehugo> auditing is something we rely on quite a bit
16:08 <kmalloc> notq: you're welcome to, don't mark it private
16:08 <kmalloc> notq: like i said, it is at most a class-D
16:09 <kmalloc> notq: and if you can't get it fixed i'm sure we can help (though it may be a bit slow for us to generate the code)
16:09 <kmalloc> hey gagehugo, sending you a DM. need to ask you a couple questions
16:09 <gagehugo> uh oh
16:10 <notq> I see what the code looks like for other pieces, I see theoretically where it should go, but the fact it's contrib and a different structure makes it a bit more difficult than copy paste edit
16:12 <notq> and i pasted the wrong bug, it's here https://bugs.launchpad.net/keystone/+bug/1831918 - setting to close the previous one in the wrong area
16:12 <openstack> Launchpad bug 1831918 in OpenStack Identity (keystone) "ec2 credentials do not create audit notifications" [Undecided,New]
16:12 *** whoami-rajat has joined #openstack-keystone
16:27 <gagehugo> notq: marked the ksm one as invalid and left a link to the keystone one
16:27 <notq> gagehugo++
16:28 <kmalloc> notq: as a point the ec2 token management is super wonky compared to the rest of the keystone subsystems
16:28 <notq> still untangling this, it seems different pieces use different ways to the notifications. there's a simple way, used by most of them. But I'm trying to understand how credentials does it, since it works and ec2 doesn't, and I'm still searching.
16:28 <kmalloc> it has not received the love that much of the rest of keystone has, so i am not surprised it is missing something like this
16:29 <kmalloc> notq: it also isn't really the same as credentials. we just happen to store the ec2 bits in the credentials backend
16:29 <notq> good times... you can imagine my difficulty right now :)
16:29 <kmalloc> yup. i totally get it :)
16:45 *** xek_ has quit IRC
16:50 *** Emine has quit IRC
16:59 *** markvoelker has joined #openstack-keystone
17:27 <kmalloc> lbragstad, cmurphy: ok, I should have a couple patches up soon for the resource option changes. I think this is looking good.
17:27 <cmurphy> kmalloc: sweet
17:28 <kmalloc> lbragstad, cmurphy: I'm going to setup an enum-like block (frozenset) for the allowed resources to use the various options.
17:28 <kmalloc> so that we can reuse something like "immutable" across all resources we want.
17:28 <kmalloc> and not need a different definition for user vs group vs role
17:29 <kmalloc> obviously the API will still need the code to support the option, but this will help us DRY as much as possible
17:30 <kmalloc> and each resource will just define which thing it is for purposes of storing the data
17:30 * kmalloc has a better idea even than that, but will try it in code to make sure it's not "too clever"
17:32 *** markvoelker has quit IRC
17:33 *** jamesmcarthur has quit IRC
17:40 *** spsurya has quit IRC
18:14 <cmurphy> what was the retrospective tool we used at the last denver ptg?
18:15 <cmurphy> the keystone trello team is about to hit the limit on free boards since the new change to trello's ToS
18:15 <cmurphy> by last denver ptg i mean the last stapleton one
18:16 <cmurphy> hrybacki: ^
18:17 <cmurphy> actually probably easiest to just use etherpad
18:19 <kmalloc> just capture an image of the old trello boards and nuke them?
18:21 <cmurphy> that doesn't capture comments, checklists, attachments, relationships
18:22 <kmalloc> it might be worth capturing that metadata, it's not needed to keep the fully interactive forms. i'm seeing if trello has a nice "oh you're an open source project, we'll give you some freebies" thing before we move to another tool.
18:23 <kmalloc> cmurphy: another option is one of the FOSS ones. mnaser has been awesome and granted me some credit, i could stand up the board on vexxhost and then we can use that until we settle on another tool we like.
18:24 <kmalloc> like taiga or kanboard
18:25 <kmalloc> cmurphy: also taiga is free for public boards. (hosted) if we don't want our own.
18:26 <cmurphy> for this particular case i'm inclined to just use etherpad, for ongoing planning i'll investigate those other options
18:26 <kmalloc> wfm. i'm checking out taiga (https://tree.taiga.io/) now will report back my findings. but it seems nice at first glance
18:26 <cmurphy> awesome
18:26 <cmurphy> is it open source?
18:27 <kmalloc> yup
18:27 <cmurphy> woot
18:27 <kmalloc> also... you can import directly from trello
18:27 <cmurphy> A+
18:27 <cmurphy> nice
18:27 <kmalloc> exactly
18:27 <cmurphy> they anticipated us having this exact scenario
18:27 <kmalloc> just doing a test importing the keystone queens retro to see how it works.
18:28 *** mvkr has quit IRC
18:28 <kmalloc> annnnd it can do auto-invite of users of the trello board
18:28 <kmalloc> which is badass.
18:29 *** markvoelker has joined #openstack-keystone
18:30 <kmalloc> only downside is taiga is AGPL... but since it's stand-alone, (django+python+angular) who cares
18:31 <kmalloc> looks really good, seeing if there are limits on the public board side, if not, woo, even better
18:34 <hrybacki> cmurphy: that tool is no longer in existence unfortunately :(
18:34 <kmalloc> cmurphy: looks like taiga has no limits on boards if they are public (hosted). and we can totally run our own if we want
18:37 <kmalloc> so the biggest downside it looks like for the hosted taiga is webSSO is only github or gitlab
18:37 <kmalloc> (i know... worst downside ever)
18:37 <kmalloc> and it mostly looks like it works just like trello.
18:37 <kmalloc> and has some nice additional bits that won't matter for us
18:38 <kmalloc> we could probably use it for this retro and even convert train workboard over to it
18:39 <kmalloc> if you'd like etherpad though, we can explore this after this retro
18:42 <cmurphy> websso over github is a slight downer :/
18:42 <cmurphy> i think etherpad will work fine for now, we don't really need a lot of advanced functionality imo
18:44 <kmalloc> you can use a discreet password
18:44 <kmalloc> just the only WebSSO options are github and gitlab
18:44 <kmalloc> s/discreet password/local account
18:45 <cmurphy> oh got it
18:45 <cmurphy> that's fine then
18:46 <kmalloc> :) yeah
18:46 <kmalloc> i just like my google SSO because i haven't bothered to get something better that works as well for everything
18:49 <notq> going to give up for today, will try some more tomorrow. maybe trying to just add the notifications and send audit in the ec2 controller and see if it works. Trying to untangle it isn't working for me, so I can just try it and see if anything works there. Need to setup a dev environment as well. I thought this would end up easier ;)
18:52 <kmalloc> notq: what version of openstack are you running? I ask because a number of things changed (flask framework) in more recent releases
18:52 <kmalloc> notq: it might be easier under flask to get those notifications. I can commit to taking a closer look once I'm back home.
18:53 <kmalloc> notq: just to help give you some direction.
18:53 <notq> rocky is the current one I'm working against.
18:54 <notq> our custom sapcc build, but it looks mostly the same afaik
18:56 * kmalloc nods
18:56 <kmalloc> yeah rocky is all flask, so that makes me less worried about old code vs new
18:56 <kmalloc> or.. wait..
18:56 *** jamesmcarthur has joined #openstack-keystone
18:56 <kmalloc> maybe stein was all flask. and rocky was 1st parts.
18:56 * kmalloc checks
18:57 <notq> to be fair, I just don't work inside keystone, or with openstack much. I work on a golang service for querying and handling audit events, so I only have a real light touch against the openstack code.
18:57 <kmalloc> ah no, stein was where we ported to flask for the rest of the tuff
18:57 <kmalloc> stuff*
18:58 <kmalloc> this might be a hard thing for upstream to backport to rocky.
18:58 <notq> I did notice it looks like some stein prep was done in parts, but not done for ec2 yet. Seemed odd, but more tangles I didn't need to focus on
18:58 <kmalloc> because we'd need to do the change (possibly) in a totally different way for master and stein.
18:58 <kmalloc> like i said, i'll be able to help give some more direction next week
18:58 <notq> we aggressively upgrade, so perhaps stein would be a reasonable solution
18:59 <kmalloc> stein with some code change to ensure we have the notifications going out*
18:59 <kmalloc> :)
18:59 <notq> Sure. I'll be around, and I appreciate it. I will still likely spend some more time on it just to see, it's a real hole to not have it for us, but the time it may take for me to sort it out may not justify the benefit :)
18:59 <kmalloc> but that would be an easier backport from master
19:00 <notq> will also drag in our actual keystone guy, but ec2 cred seems like its own beast.
19:02 *** markvoelker has quit IRC
19:05 <kmalloc> ec2 cred is its own beast ;)
19:12 *** jamesmcarthur has quit IRC
19:13 <kmalloc> notq: are you looking to capture when keystone tokens are used to auth or when ec2 tokens are created (or both)?
19:14 *** jamesmcarthur has joined #openstack-keystone
19:18 <notq> just creation/deletion
19:21 <notq> i see how to make a notifications message similar to other services, but i couldn't sort out how normal credentials do it. I was trying to see if I could follow the trail to enable them for ec2 as well, or if it would make sense just attaching its own notifications. Then I was just shaving yaks. So I thought tomorrow, try just attaching its own notifications to it, and see if that just works.
19:23 *** bnemec has quit IRC
19:23 <kmalloc> ah
19:23 <kmalloc> that is a lot easier than i was looking at
19:24 <notq> yeah, i tried to tackle the complex ball of stuff. i've now given up, and will see if i can't just import notifications, and make a call to them. It's the weak, likely "incorrect" way out, but it is going to be faster if it works than understanding all of this
19:24 <kmalloc> i might have some quick guidance for you... if opendev will load (holy crap the internet at my in-laws is ... inconsistent)
19:25 *** d34dh0r53 has quit IRC
19:25 *** cloudnull has quit IRC
19:25 *** bnemec has joined #openstack-keystone
19:30 *** cloudnull has joined #openstack-keystone
19:31 *** bnemec has quit IRC
19:31 *** d34dh0r53 has joined #openstack-keystone
19:34 *** bnemec has joined #openstack-keystone
19:41 *** bnemec has quit IRC
19:42 *** bnemec has joined #openstack-keystone
19:53 *** imacdonn has quit IRC
19:54 *** imacdonn has joined #openstack-keystone
19:55 *** jamesmcarthur has quit IRC
19:56 *** jamesmcarthur has joined #openstack-keystone
19:59 *** markvoelker has joined #openstack-keystone
20:11 <kmalloc> notq: i'll follow up with you later. but def have some ideas that should be quick/easy
20:12 <notq> sweet malloc++
20:13 <notq> kmalloc: just heard we are working on the stein upgrade now
20:16 *** bnemec has quit IRC
20:17 *** bnemec has joined #openstack-keystone
20:24 *** jamesmcarthur has quit IRC
20:27 *** jamesmcarthur has joined #openstack-keystone
20:29 *** jamesmcarthur_ has joined #openstack-keystone
20:31 *** jamesmcarthur has quit IRC
20:32 *** markvoelker has quit IRC
20:58 *** raildo has quit IRC
21:03 *** jamesmcarthur_ has quit IRC
21:05 *** jamesmcarthur has joined #openstack-keystone
21:10 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Exclude constants from autodoc  https://review.opendev.org/663373
21:11 <cmurphy> i think that's gonna work ^
21:16 *** jamesmcarthur_ has joined #openstack-keystone
21:18 *** jamesmcarthur has quit IRC
21:27 *** whoami-rajat has quit IRC
21:29 *** markvoelker has joined #openstack-keystone
21:36 *** jamesmcarthur_ has quit IRC
21:37 *** jamesmcarthur has joined #openstack-keystone
21:46 *** jamesmcarthur has quit IRC
22:00 *** cloudnull has quit IRC
22:01 *** d34dh0r53 has quit IRC
22:03 *** markvoelker has quit IRC
22:23 *** rcernin has joined #openstack-keystone
22:23 *** rcernin has quit IRC
22:24 *** rcernin has joined #openstack-keystone
22:26 *** notq has quit IRC
22:26 *** rcernin has quit IRC
22:27 *** cloudnull has joined #openstack-keystone
22:28 *** rcernin has joined #openstack-keystone
22:28 *** d34dh0r53 has joined #openstack-keystone
22:53 *** tkajinam has joined #openstack-keystone
22:59 *** markvoelker has joined #openstack-keystone
23:13 *** jamesmcarthur has joined #openstack-keystone
23:16 *** jamesmcarthur has quit IRC
23:17 *** jamesmcarthur has joined #openstack-keystone
23:31 *** markvoelker has quit IRC
23:42 *** jamesmcarthur has quit IRC
23:45 *** jamesmcarthur has joined #openstack-keystone
23:55 *** rcernin has quit IRC
23:56 *** rcernin has joined #openstack-keystone
23:57 *** jamesmcarthur has quit IRC