Wednesday, 2019-07-17

<openstackgerrit> guang-yee proposed openstack/keystone master: implement system scope for application credential https://review.opendev.org/670926 [00:48]
<openstackgerrit> Qiu Fossen proposed openstack/oslo.policy master: Add Python 3 Train unit tests https://review.opendev.org/669658 [01:29]
<openstackgerrit> Merged openstack/keystone master: Update unified limit documentation https://review.opendev.org/664933 [07:53]
<ileixe> Hi keystone! Could someone please explain the purpose of mapping in federations? [09:51]
<ileixe> To be specific, I wonder why only 'mapped' plugin for federation has the features creating projects automatically. [09:52]
<vishakha> Hi ileixe. Mapping file is created in the keystone acting as service provider to map the remote attributes received from the keystone acting as identity provider to give that user some authorization on sp [10:07]
<ileixe> Thanks for the answer, vishaka. I found the feature has auto-creation of project for whom external system (IdP?) manages [10:10]
<ileixe> How do you think of other (LDAP for example) identity plugin has similar logic? [10:10]
<ileixe> I think it's quite general usecase not only for federation [10:11]
<ileixe> Or am I misunderstanding something [10:11]
<ileixe> *vishakha sorry [10:11]
<vishakha> ileixe AFAIK mappings in keystone is for federation only. It does not auto-create a project. You can check more about mappings #link https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html [10:18]
<vishakha> I hope this helps [10:19]
<ileixe> Hm.. https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#auto-provisioning it says it does auto-create a project. [10:20]
<vishakha> ileixe Mappings is a json file created by the admin on SP. So if the mapping file contains the projects section and if that project does not exist, in that case the project will be created on keystone as service provider and the user existing in IDP will have roles over that project. Yes it will create the project only when projects section is mentioned in mapping file. [10:29]
<openstackgerrit> Hervé Beraud proposed openstack/oslo.policy master: Add unit tests on the sphinxext indent function https://review.opendev.org/671241 [10:51]
<kplant> so i've followed https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#keystone-as-an-identity-provider-idp and when i try to curl the idp endpoint i get: "<p>The requested URL /v3/OS-FEDERATION/saml2/idp was not found on this server.</p>" [12:58]
<kplant> any suggestions of where i should start for troubleshooting this? [12:58]
<knikolla> o/ [13:26]
<openstackgerrit> Hervé Beraud proposed openstack/oslo.policy master: Adding tests on cache handler https://review.opendev.org/671309 [14:30]
<openstackgerrit> Hervé Beraud proposed openstack/oslo.policy master: Manage cached file not found and adding tests on cache handler https://review.opendev.org/671309 [14:37]
<openstackgerrit> guang-yee proposed openstack/keystone master: update documentation for X.509 tokenless auth https://review.opendev.org/669790 [15:18]
<cmurphy> ileixe: did your question get answered? projects can be auto-created for federated users through mappings so that they can already have role assignments on projects without the admin having to create their role assignments directly [15:37]
<cmurphy> kplant: the example in that document with /v3/OS-FEDERATION/saml2/idp is part of the entity ID and not part of a real URL [15:40]
<openstackgerrit> Hervé Beraud proposed openstack/oslo.policy master: Manage cached file not found and adding tests on cache handler https://review.opendev.org/671309 [16:34]
<kplant> cmurphy: that makes sense, ty [17:05]
<kplant> cmurphy: so if i'm trying to point a keystone towards another keystone for idp what url should i use? [17:09]
<cmurphy> kplant: by "point towards another keystone" what do you mean, which part of the documentation are you trying to follow? [17:14]
<kplant> sure i'll give as much detail as i can, i'm trying to merge multiple clouds by way of k2k federation so... [17:15]
<kplant> i have two devstack environments for testing, i'm making keystone#1 an SP and using samltest.id for idp [17:15]
<kplant> keystone#2 i'm trying to configure as an IdP and then add keystone#2 to keystone#1 as an idp [17:16]
<kplant> does that make sense? [17:16]
<cmurphy> sure [17:16]
<kplant> i've chosen to use mellon for the auth module since that's already included in the kolla containers so i don't need to modify the containers (lazy bonus) [17:17]
<kplant> so i guess my current question is if [saml]/idp_entity_id is not a real url for keystone#2 idp... what is? [17:17]
<openstackgerrit> Merged openstack/keystone master: Add exercises for intern applicants https://review.opendev.org/669004 [17:19]
<cmurphy> keystone#2 isn't capable of acting as an idp the same way that samltest.id is, so actually the real URL doesn't matter, you actually need to point keystone#2 at keystone#1 [17:20]
<cmurphy> the weird auth flow is explained here https://docs.openstack.org/keystone/latest/admin/federation/introduction.html#id3 [17:21]
<openstackgerrit> Hervé Beraud proposed openstack/oslo.policy master: Remove useless strip code and add unit tests on the sphinxext indent function https://review.opendev.org/671241 [17:21]
<cmurphy> the url of the keystone sp that you need to give to the keystone idp is here https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#creating-a-service-provider-resource [17:21]
<kplant> so just adding keystone#1 as an sp to keystone#2 will suffice? [17:21]
<cmurphy> yes it should [17:22]
<kplant> alright, appreciate the answers for sure [17:23]
<cmurphy> oh you also need to add the idp's metadata to the sp [17:23]
<kplant> is there a url for that? or should i just grab the output from keystone-manage [17:24]
<openstackgerrit> guang-yee proposed openstack/keystone master: implement system scope for application credential https://review.opendev.org/670926 [17:25]
<cmurphy> it's under https://developer.openstack.org/api-ref/identity/v3-ext/#retrieve-metadata-properties or you can just scp the file that was created by keystone-manage [17:26]
<kplant> great, ty [17:26]
<cmurphy> yw [17:26]
<kplant> so my end goal here is to have all of the clouds using their local keystone for services but a user should be able to pop into the horizon instance in any region and switch to any other region [17:27]
<kplant> am i going down the right path with k2k federation? [17:27]
<cmurphy> yep that should work [17:28]
<cmurphy> you'll have to make every keystone both an sp and idp for every other keystone [17:28]
<kplant> would i be able to make all keystones SPs and use something like keycloak as an IdP? [17:28]
<ayoung> kplant, what is the source of user identity? [17:29]
<kplant> currently it's keystone, i would like to use freeipa down the line [17:29]
<cmurphy> kplant: you wouldn't be able to switch keystones from horizon if only keycloak is the idp [17:29]
<ayoung> kplant, One Keystone server? [17:30]
<kplant> today it's one keystone instance (3 in HA) [17:31]
<kplant> next quarter our second region will be online [17:31]
<ayoung> If you consolidate all of the users in a single place, then that becomes your Federated Identity Provider [17:31]
<ayoung> Keep all users in there, add second Keystone, K2K from first to second only [17:31]
<ayoung> Second Keystone not allowed to add users, just consume from the first [17:31]
<ayoung> If you extract to FreeIPA, the rules are the same [17:32]
<ayoung> Or with Keycloak [17:32]
<kplant> yeah ideally i'd like to be using keystone -saml-> keycloak -> freeipa [17:33]
<kplant> that way if the one keystone instance that's also the idp with all of the users dies, the other clouds aren't impacted [17:33]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.opendev.org/637305 [17:50]
