Wednesday, 2019-09-25

00:24 *** markvoelker has joined #openstack-keystone
00:29 *** jamesmcarthur has joined #openstack-keystone
00:35 *** jamesmcarthur has quit IRC
00:52 <openstackgerrit> guang-yee proposed openstack/keystoneauth master: Generate pdf documentation  https://review.opendev.org/682272
00:52 *** gyee has quit IRC
01:08 *** markvoelker has quit IRC
01:24 *** tkajinam has quit IRC
01:24 *** tkajinam has joined #openstack-keystone
02:00 *** Ben78 has quit IRC
02:25 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Allow domain users to access the limit API  https://review.opendev.org/621023
02:25 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.opendev.org/621024
02:25 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.opendev.org/621025
02:35 *** markvoelker has joined #openstack-keystone
02:40 *** markvoelker has quit IRC
02:53 *** dave-mccowan has quit IRC
04:56 *** jaosorior has joined #openstack-keystone
05:47 *** shyam89 has joined #openstack-keystone
06:03 *** dancn has joined #openstack-keystone
06:42 *** pcaruana has joined #openstack-keystone
06:47 *** markvoelker has joined #openstack-keystone
06:48 *** dancn has quit IRC
06:52 *** markvoelker has quit IRC
06:54 <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Release note for domain scope limits API  https://review.opendev.org/684531
06:54 *** shyam89 has quit IRC
07:01 *** tesseract has joined #openstack-keystone
07:07 *** shyam89 has joined #openstack-keystone
07:14 *** xek has joined #openstack-keystone
07:27 *** shyam89 has quit IRC
07:40 *** shyam89 has joined #openstack-keystone
07:56 *** shyam89 has quit IRC
08:01 *** ivve has joined #openstack-keystone
08:32 *** jaosorior has quit IRC
08:34 *** shyam89 has joined #openstack-keystone
08:38 *** dancn has joined #openstack-keystone
08:48 *** markvoelker has joined #openstack-keystone
08:52 *** tkajinam has quit IRC
08:53 <openstackgerrit> Vishakha Agarwal proposed openstack/keystonemiddleware master: Generate pdf documentation  https://review.opendev.org/682271
08:53 *** markvoelker has quit IRC
08:56 *** markvoelker has joined #openstack-keystone
09:00 *** markvoelker has quit IRC
09:00 *** shyam89 has quit IRC
09:02 <openstackgerrit> Vishakha Agarwal proposed openstack/keystoneauth master: Generate pdf documentation  https://review.opendev.org/682272
09:04 *** shyam89 has joined #openstack-keystone
09:10 *** jaosorior has joined #openstack-keystone
09:41 *** new_student1411 has joined #openstack-keystone
09:56 *** shyam89 has quit IRC
10:03 *** shyam89 has joined #openstack-keystone
10:05 *** flwang1 has joined #openstack-keystone
10:22 *** new_student1411 has quit IRC
10:23 *** pcaruana has quit IRC
10:23 *** rcernin has quit IRC
10:34 *** dancn has quit IRC
10:36 *** pcaruana has joined #openstack-keystone
10:57 *** markvoelker has joined #openstack-keystone
11:01 *** markvoelker has quit IRC
11:24 *** raildo has joined #openstack-keystone
11:38 *** xek_ has joined #openstack-keystone
11:39 *** xek has quit IRC
11:42 *** markvoelker has joined #openstack-keystone
11:55 *** shyam89 has quit IRC
12:06 *** xek_ has quit IRC
12:10 *** yoctozepto has quit IRC
12:13 *** dancn has joined #openstack-keystone
12:15 *** yoctozepto has joined #openstack-keystone
12:21 *** shyam89 has joined #openstack-keystone
12:22 *** dave-mccowan has joined #openstack-keystone
12:26 *** dave-mccowan has quit IRC
12:26 *** yoctozepto has quit IRC
12:26 *** yoctozepto has joined #openstack-keystone
12:28 *** dave-mccowan has joined #openstack-keystone
12:42 *** dave-mccowan has quit IRC
12:43 *** dave-mccowan has joined #openstack-keystone
12:54 *** shyam89 has quit IRC
12:57 *** Ben78 has joined #openstack-keystone
12:59 *** new_student1411 has joined #openstack-keystone
13:01 <new_student1411> Since `Account ACLs are not currently supported by Keystone auth`, is there an alternative so that I can give limited permissions at account level if I am using keystone auth?
13:09 <lbragstad> cmurphy do we have any examples of application credentials being used from clouds.yaml?
13:19 *** jamesmcarthur has joined #openstack-keystone
13:26 *** dave-mccowan has quit IRC
13:27 *** jamesmcarthur has quit IRC
13:31 *** dancn has quit IRC
13:34 *** xek has joined #openstack-keystone
13:45 *** dancn has joined #openstack-keystone
13:55 *** dancn has quit IRC
14:05 *** xek has quit IRC
14:07 *** xek has joined #openstack-keystone
14:36 *** xek has quit IRC
14:40 <openstackgerrit> Gage Hugo proposed openstack/keystone master: [WIP] Try to recreate 1843464  https://review.opendev.org/684397
14:54 <Ben78> In https://docs.openstack.org/keystone/stein/admin/tokens-overview.html#token-providers, it is written: "A deployment might consider using JWS tokens as opposed to fernet tokens if there are security concerns about sharing symmetric encryption keys across hosts". What do you mean by "hosts" here?
14:58 <lbragstad> hosts in that case are keystone nodes
14:59 <lbragstad> for example, if you have 3 keystone servers behind ha proxy and they all need to validate each other's tokens
14:59 <lbragstad> then they all need to have the same fernet key repository to validate tokens issued by other keystone nodes
15:00 <Ben78> lbragstad: Thanks. But, the same scenario is correct when you use JWS.
15:00 <lbragstad> jws tokens are asymmetrically signed
15:01 <lbragstad> fernet tokens are encrypted using symmetric cryptography
15:03 <lbragstad> so - with jws you actually just share the public keys across all the keystone nodes
15:03 <lbragstad> each keystone node keeps its own private key
15:03 <Ben78> I mean if you want to have several keystone hosts for issuing JWS tokens, you need to share the private key between all hosts.
15:04 <lbragstad> only the public key is needed to validate jws tokens
15:04 <lbragstad> the private key is used to sign tokens though - which only happens when they're created
15:06 <Ben78> Oh. I thought every service validates JWS tokens itself. So, if I understand correctly, you mean even if we use JWS tokens, every service needs to communicate to a Keystone node to validate a token.
15:07 <lbragstad> yeah - even though that isn't a limitation of the implementation itself
15:07 <lbragstad> it's more a limitation of what's in the token
15:07 <Ben78> And there is only one keystone node which issues JWS tokens. Other Keystone nodes only validate tokens.
15:08 <lbragstad> each service needs to know what roles the user has, and that information isn't in the token (fernet or jws)
15:08 <lbragstad> so online validation is needed for that information
15:08 *** dancn has joined #openstack-keystone
15:08 <Ben78> And for the revocation problem
15:08 <lbragstad> yeah - that's a good point
15:08 <lbragstad> https://www.youtube.com/watch?v=zxsrkABzwOg kinda gets into some of that
15:09 <lbragstad> if you haven't seen it yet
15:12 *** dancn has quit IRC
15:21 *** openstackgerrit has quit IRC
15:22 <Ben78> @lbragstad: Thanks for sharing the video. I watched it before and I did not like some of the reasoning why JWS is better than Fernet. At minute 8, the speaker says we are developers, not cryptographers and we do not want to maintain a cryptography library.
15:23 <Ben78> JWS takes advantage of asymmetric cryptography which is more complicated than symmetric
15:26 <lbragstad> Ben78 oh - i think the point Adam wanted to make there is that we didn't want to maintain the cryptography code manually
15:27 <lbragstad> that's what keystone was doing with the pki implementation
15:27 <lbragstad> now we're using a pyca/cryptography library that abstracts the crypto details away from keystone's token logic
15:28 <lbragstad> that specific library is maintained by folks who have a much better understanding of cryptography
15:28 <Ben78> and pyca/cryptography supports Fernet, too
15:29 <lbragstad> correct
15:30 <lbragstad> jws uses another library called PyJWT - which has a dependency on pyca/cryptography
15:30 <lbragstad> so - ultimately it boils down to pyca/cryptography
15:30 *** pcaruana has quit IRC
15:35 *** gyee has joined #openstack-keystone
15:45 *** ivve has quit IRC
15:45 *** markvoelker has quit IRC
15:54 *** lbragstad_ has joined #openstack-keystone
15:55 *** lbragstad has quit IRC
15:57 *** lbragstad has joined #openstack-keystone
15:57 *** itlinux has joined #openstack-keystone
15:58 *** lbragstad_ has quit IRC
16:03 *** spatel has joined #openstack-keystone
16:07 *** spatel has quit IRC
16:10 <cmurphy> lbragstad: i don't think we have a clouds.yaml example in the docs, i have one in some old slides if you're just looking to crib from it
16:11 * lbragstad nods
16:11 <lbragstad> thanks cmurphy
16:12 <cmurphy> lbragstad: can you sanity check my changes in https://review.opendev.org/621023
16:13 <lbragstad> yep - i can do that
16:14 *** efried is now known as efried_rollin
16:24 *** jmlowe has quit IRC
16:38 *** markvoelker has joined #openstack-keystone
16:48 *** markvoelker has quit IRC
16:49 *** xek has joined #openstack-keystone
16:50 *** jmlowe has joined #openstack-keystone
16:53 *** markvoelker has joined #openstack-keystone
16:53 *** ivve has joined #openstack-keystone
16:56 *** xek_ has joined #openstack-keystone
16:59 *** xek has quit IRC
17:18 <lbragstad> cmurphy done - lemme know if you want me to kick https://review.opendev.org/#/c/621023/15 though
17:18 <lbragstad> through*
17:19 <cmurphy> lbragstad: i'm just concerned the check string is still wrong
17:19 <lbragstad> for domain useres?
17:19 <lbragstad> users?
17:19 <lbragstad> or just in general?
17:19 <cmurphy> with what you pointed out
17:20 <cmurphy> if a project user could access a domain limit that wouldn't be good
17:22 <lbragstad> https://review.opendev.org/#/c/621024/15/keystone/tests/protection/v3/test_limits.py@699
17:22 <lbragstad> looks like we have it covered?
17:22 <lbragstad> i should have read those tests before reviewing the first patch
17:24 <cmurphy> oh then i guess it's fine
17:24 <cmurphy> yeah let's just go for it
17:25 <lbragstad> yeah - apparently that works?
17:25 <lbragstad> if we wanted to be ultra paranoid
17:26 <lbragstad> we could do (domain_id:%(target.limit.domain.id)s and not None:%(target.limit.domain_id)s)
17:26 <lbragstad> but...
17:27 <cmurphy> ¯\_(ツ)_/¯
17:27 <lbragstad> yolo
17:27 <lbragstad> we have test coverage
17:35 *** jmlowe has quit IRC
17:40 *** xek has joined #openstack-keystone
17:42 *** xek_ has quit IRC
17:44 *** xek_ has joined #openstack-keystone
17:46 *** xek has quit IRC
17:48 *** jmlowe has joined #openstack-keystone
18:08 *** tesseract has quit IRC
18:27 <larsks> Is it possible to authenticate to keystone using the cli when using federated users (via openid)?
18:28 <larsks> I've seen a few docs referencing --auth-type but I'm not clear on the details.
18:32 *** xek_ has quit IRC
18:57 *** gary_perkins has quit IRC
18:57 *** gary_perkins has joined #openstack-keystone
19:21 *** efried_rollin is now known as efried
19:28 *** Ben78 has quit IRC
20:37 *** new_student1411 has quit IRC
20:53 *** flwang1 has quit IRC
21:04 *** raildo has quit IRC
22:15 *** rcernin has joined #openstack-keystone
22:56 <gyee> larsks, in theory, yes, according to https://osticket.massopen.cloud/kb/faq.php?id=16
22:56 <gyee> but in practice, it all depends on the IdP
22:57 <gyee> google, for example, does not appear to support the 'password' grant type. See https://accounts.google.com/.well-known/openid-configuration
22:58 <gyee> from a security perspective, the use case for the password grant type seems very limited
22:59 *** tkajinam has joined #openstack-keystone
23:27 *** dave-mccowan has joined #openstack-keystone
23:28 *** ivve has quit IRC
23:33 *** dave-mccowan has quit IRC
23:44 *** gyee has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!