Tuesday, 2019-12-03

« Monday, 2019-12-02 Index Wednesday, 2019-12-04 »
*** jistr has quit IRC00:07
*** jistr has joined #openstack-keystone00:08
*** ivve has quit IRC00:16
*** gyee has quit IRC01:48
*** awalende has joined #openstack-keystone02:00
*** awalende has quit IRC02:04
adriantNot sure who the best person to ask is, but I'm not 100% sure my use of Keystonemiddleware is correct.04:15
adriantI always seem to get the following log entries: http://paste.openstack.org/show/787015/04:15
adriantI looked at the code a while back and it looked like the middle ware complained about those values... but cheerfully passed them along to Keystoneauth or whatever underneath to connect to keystone itself, but the fact that it complains like that about values which 'are' used always felt weird to me.04:16
adriantAs if I was doing something wrong, or like I should turn some warning off. Despite them, the service works.04:17
adriantthis is where I wrap my Django app with the keystone middleware: https://github.com/openstack/adjutant/blob/master/adjutant/wsgi.py04:17
adriantThe other question I have, how do I pass a verify=False config to this? So that when the middleware connects to keystone it doesn't bother verifying the cert.04:18
adriantI tried adding 'verify': False to it, but it didn't seem to work04:18
*** tkajinam has quit IRC05:02
*** tkajinam has joined #openstack-keystone05:33
*** tkajinam_ has joined #openstack-keystone07:18
*** tkajinam_ has quit IRC07:19
*** tkajinam_ has joined #openstack-keystone07:20
*** tkajinam has quit IRC07:21
*** Blinkiz9 has joined #openstack-keystone07:50
*** trident has quit IRC07:51
*** johanssone has quit IRC07:51
*** Blinkiz has quit IRC07:51
*** Blinkiz9 has quit IRC07:51
*** trident has joined #openstack-keystone07:51
*** Blinkiz has joined #openstack-keystone07:52
*** johanssone has joined #openstack-keystone07:52
*** Blinkiz has quit IRC07:53
*** Blinkiz has joined #openstack-keystone07:53
openstackgerritMerged openstack/keystonemiddleware master: Remove v2.0 functionality  https://review.opendev.org/66970607:54
openstackgerritMerged openstack/keystonemiddleware master: Change ec2 URLs to v3  https://review.opendev.org/67838607:54
*** awalende has joined #openstack-keystone08:14
*** tesseract has joined #openstack-keystone08:16
*** amoralej|off is now known as amoralej08:46
*** ivve has joined #openstack-keystone08:51
*** tkajinam_ has quit IRC09:20
*** gshippey has joined #openstack-keystone09:25
*** dasp has quit IRC09:42
*** dasp has joined #openstack-keystone09:43
*** rcernin has quit IRC10:06
*** pcaruana has joined #openstack-keystone10:08
*** dmellado has quit IRC10:33
*** dmellado has joined #openstack-keystone10:35
*** vishalmanchanda has joined #openstack-keystone11:34
*** awalende_ has joined #openstack-keystone11:37
*** trident has quit IRC11:40
*** awalende has quit IRC11:41
*** trident has joined #openstack-keystone11:43
*** raildo has joined #openstack-keystone11:56
*** amoralej is now known as amoralej|lunch12:30
*** dasp has quit IRC13:12
*** dasp has joined #openstack-keystone13:12
*** amoralej|lunch is now known as amoralej13:57
*** dave-mccowan has joined #openstack-keystone14:02
*** trident has quit IRC14:24
*** trident has joined #openstack-keystone14:25
*** jhesketh has quit IRC14:27
*** jhesketh has joined #openstack-keystone14:28
*** pcaruana has quit IRC14:33
*** dave-mccowan has quit IRC14:42
*** pcaruana has joined #openstack-keystone15:04
*** awalende_ has quit IRC15:25
*** awalende has joined #openstack-keystone15:26
*** awalende has quit IRC15:30
knikollao/15:34
cmurphyteam meeting in about 25 minutes15:35
*** tesseract has quit IRC15:37
*** tesseract has joined #openstack-keystone15:48
*** jmlowe has quit IRC15:52
*** aloga has joined #openstack-keystone15:55
cmurphyteam meeting now in #openstack-meeting-alt16:02
cmurphyaloga: hi, do you want to discuss your agenda item with us in #openstack-meeting-alt?16:07
*** jmlowe has joined #openstack-keystone16:09
*** cmart has joined #openstack-keystone16:11
*** ivve has quit IRC16:15
*** cmart has quit IRC16:17
alogacmurphy: sure16:17
*** ade_lee_ has joined #openstack-keystone16:19
*** gyee has joined #openstack-keystone16:19
*** dave-mccowan has joined #openstack-keystone16:19
*** tesseract has quit IRC17:03
lbragstadcmurphy are we planning on starting office hours right now?17:04
lbragstador are we going to wait for the folks from at&t?17:06
cmurphylbragstad: i was waiting to hear from gagehugo, i'm not sure what the agenda is but i thought it was mostly to get info from the at&t people?17:07
lbragstadok - that sounds good17:07
lbragstadi'm going to grab lunch really quick - back in 5 minutes17:07
cmurphyok17:07
* lbragstad back17:13
cmurphylightning lunch speed17:14
lbragstadit's a super power17:14
lbragstadnobigdeal17:14
cmurphylol17:15
bnemecIt's easy to do a liquid lunch in five minutes. ;-)17:16
bnemecNot that I would know...17:16
lbragstadssshh!17:17
lbragstadgiving away my secrets17:18
gagehugolbragstad: think he might join here in a bit17:19
lbragstadsweet17:21
*** rick_bartra has joined #openstack-keystone17:27
gagehugorick_bartra: o/17:27
rick_bartragagehugo hello17:28
cmurphyo/17:28
lbragstado/17:28
lbragstadade_lee_ o/17:28
ade_lee_lbragstad, ack17:29
gagehugothanks for hopping in on short notice17:29
rick_bartragagehugo np17:29
*** lamt has joined #openstack-keystone17:31
gagehugorick_bartra: I believe lbragstad and ade_lee_ had some questions on patrole17:31
rick_bartragagehugo sure I can try my best to answer17:32
lbragstadwell, it sounds like a lot of it came up during the summit17:32
lbragstadi know cmurphy ade_lee_ and a few others were there17:33
cmurphywe didn't talk that much about patrole tbh17:33
lbragstadbut - we have a significant effort to redo policy across openstack - and keystone completed the majority of the effort last cycle17:33
lbragstadwe're testing the functionality we introduced with "protection" tests, but they're currently specific to keystone17:34
lbragstadin the discussions we've had with other projects, like barbican, we've been asked if patrole could ease some of the testing effort required to make these changes17:34
ade_lee_I'm interested as to why keystone chose to write policy specific unit tests as opposed to using something like patrole to generate the tests17:34
redrobot👀17:35
ade_lee_and whether you guys have done any of this keystone testing using patrole17:35
lbragstadnot to my knowledge17:35
gagehugoade_lee_ iirc we looked previously at patrole in one of the denver ptgs, but that was a while ago17:36
lbragstadat the time, i had two concerns17:36
rick_bartraas far as I know, none of the Patrole tests have been updated and no new tests have been added to Patrole to test the changes made in Keystone17:36
gagehugoI don't think we ever got too far past a conceptual idea17:36
lbragstadrick_bartra i have a question about gating on patrole17:37
ade_lee_gagehugo, I got the impression from lbragstad that you guys had started using patrole a lot more internally to test policy?17:37
lbragstadade_lee_ keystone? or AT&T?17:37
ade_lee_at&t17:37
gagehugoyeah17:37
ade_lee_so I'm trying to understand whether its worth using it to test -- for instance -- barbican policy17:38
rick_bartraWe do use it internally because we make a lot of policy overrides and use Patrole to verify that our changes are in line with our requirements17:38
lbragstadrick_bartra so you supply patrole with a copy of the policy files that are deployed, right?17:39
gagehugolbragstad: yeah17:40
rick_bartralbragstad our internal testing approach follow this: https://docs.openstack.org/patrole/latest/framework/requirements_authority.html17:40
ade_lee_and if so, presumably we could generate the default policy files and pass those to patrole in the gate?17:41
rick_bartraso we actually don't provide the policy file, we provide a "golden" requirements yaml file and test against that17:41
rick_bartrathere are two ways of testing in patrole, one way is you provide the policy file, and the other is you test against a requirements file17:41
rick_bartrain the Patrole gate we test with the policy file or policy in code17:42
rick_bartrait is just internally that we test against the requirements file17:42
*** jhesketh has quit IRC17:42
lbragstadrick_bartra so - if we want to incorporate this into the gate for barbican or keystone, how would we protect against bad policy changes?17:43
lbragstad(e.g., i propose a patch the unprotects the identity:list_users policy by setting it to ""_17:43
lbragstads/_/)17:43
*** jhesketh has joined #openstack-keystone17:44
ade_lee_interesting -- it seems like the requirements file is yet another way of expressing policy?17:44
cmurphyi have in my notes that i couldn't get the custom requirements file to work properly with implied roles17:46
rick_bartralbragstad I think that would require the requirement testing approach, so someone would need to define what is "good" policy. Then if someone changes an action to use a "bad" policy, then Patrole would fail the test for that policy action with either an underpermission (the role should have access but it doesn't) or an overpermission (the role has17:46
rick_bartraaccess but it shouldn't)17:46
lbragstadok - so this would require each service, or a pop-up team, to go through define what they should be for each role and API?17:47
gmannlbragstad: rick_bartra it will avoid you rename or change default  + over protection but not unprotection case (as long as jobs are tested with all possible defaults. currently patrole tests one role per job.   )17:47
rick_bartralbragstad yeah that would be required17:47
* lbragstad nods17:48
gmannfor example. if policy is changed as lbragstad mentioned then tests using any role will still pass as oslo will return the permission ok and so does API.17:48
lbragstad^ that's what i was worried about previously17:48
lbragstadbut it sounds like the "golden" requirements file is supposed to mitigate that?17:49
rick_bartragmann that is correct, but if you choose to test against a requirements file then it would perform the desired check17:49
rick_bartralbragstad that is correct17:49
lbragstadthe main problem that the requirements file sounds (based on how i understand it) is it seeds the projects with a known good behavior17:49
rick_bartrainternally we have a yaml file that defines which roles should have access to which policy actions and we test against that17:50
lbragstadinstead of generating the assertions from the defaults in code17:50
bnemecNo matter what tooling you use you would need to come up with the definition of the expected behavior.17:50
lbragstad(which would leave the defaults in code unprotected?)17:50
bnemecIn keystone that was done in the unit tests.17:50
bnemecIt sounds like in patrole that would be the requirements file.17:50
rick_bartrabnemec that is corret17:50
bnemecBut it sounds like there are some limitations to the requirements file.17:50
gmanni did not get the requirement file things ?17:50
lbragstadgmann https://docs.openstack.org/patrole/latest/framework/requirements_authority.html17:51
bnemecSpecifically cmurphy's comment above and the note at the bottom of https://docs.openstack.org/patrole/latest/framework/requirements_authority.html#custom-requirements-file17:51
bnemec(also that oslo.policy doc link is broken :-( )17:51
gmannohk, i thought requirement.txt17:52
lbragstadrick_bartra i have another question - does at&t validate requirements for domain users?17:52
lbragstador do you have deployments that need domains users of some kind?17:52
rick_bartrawe don't at the moment17:52
gagehugowe will though17:52
lbragstadok - i was curious if the requirement approach was granular enough to support "this user can list projects, but only projects within their domain"17:53
lbragstadin keystone we have a lot of tests like this - https://opendev.org/openstack/keystone/src/branch/master/keystone/tests/protection/v3/test_projects.py#L162-L17017:54
gmanni do not think we have any job on gate testing that ? rick_bartra you remember17:54
rick_bartragmann i don't think we do either17:55
gmannyeah that's should cover most of the cases. i am writing nova policy tests similar to that approach but with mock the operation .17:55
cmurphylbragstad: i don't think patrole supports that, iiuc all it can do is check the return code17:56
lbragstadrick_bartra do you know if there is a plan to support that at some point in the future? ^17:56
rick_bartralbragstad I don't think the requirements approach can handle that. Internally we did RBAC in such a way that we have role that are designed to have either global or tenant level access17:56
gmannI think such asserts are valid to do in current tests also. for example extend the tests to verify the response for such policy.17:57
lbragstadok - regardless of the level, do you think patrole will incorporate a "filtering" check of some kind?17:57
rick_bartralbragstad for the past year or so at&t hasn't been putting too much engineering effort into patrole, so I can't say if it will be done or not17:58
* lbragstad nods17:58
cmurphygmann: at that point i wonder what patrole is really providing above and beyond what tempest does? you still have to write tests and assert state17:58
lbragstadade_lee_ redrobot do y'all have any questions? i feel like i'm being a time hog17:59
gmannyeah. tests need to modify or written to cover those asserts17:59
ade_lee_lbragstad, just listening right now -- for barbican though, I think this might be very useful17:59
gmannhow many such cases of policies are there in keystone? i mean filter one ?18:00
lbragstadgmann there are quite a few, we make sure users can't view things outside of their tenancy18:00
lbragstad(projects, users, groups, role assignments to name a few)18:00
gmanni see, you have user, groups level etc also18:01
ade_lee_we can easily create a requyirements file for barbican and I think most policy checks can be covered there.  we may still need additional policy tests, but those would be for things we've added -- like per-resource acls18:01
cmurphywouldn't it mean adding tests to patrole and having the qa/patrole teams own those barbican tests?18:01
cmurphyor can patrole tests be split out into their own plugins?18:02
gmannthat is good point. those should be own by barbarian team.18:02
ade_lee_that would certainly be preferable ..18:02
lbragstadgmann yeah - we definitely want certain users to see 200s when they call specific APIs, but we absolutely want to test they aren't able to violate tenancy18:02
gmannwe have not finalized the patrole plugin approach yet but discussed about that in denver PTG.18:02
ade_lee_rick_bartra, is patrole doing plugins?18:03
gmannlbragstad: yeah in nova, we have list servers case in same way18:03
gmannade_lee_: not yet.18:03
bnemecTurning it around, are there a lot of tests where you _don't_ care about the list of things returned?18:03
gmannone approach is to write the patrole tests in tempest plugin using patole framework18:03
bnemecSo you wouldn't necessarily have to write new tests.18:03
rick_bartraade_lee_ internally we Heat RBAC tests that use patrole as a plugin and we also have done this with contrail as well18:04
gmannbecause creating plugin framework for patrole will be two level plugin for Tempest as patrole itself is Tempest plugin18:04
rick_bartraade_lee_ I believe last year, Patrole was accepting some neutron plugin tests into Patrole itself18:04
ade_lee_thats not neccesarily an  issue though -- barbican already has functional tests to test the extra things -- we'd just keep those in our functional tests.  and just do standard patrole + requirements file for most of the permissions18:05
gmannyou mean in barbican tempest plugin right ?18:06
ade_lee_they're in the barbican functional tests iirc18:06
*** renich has joined #openstack-keystone18:06
* lbragstad is taking notes18:06
lbragstadhttps://etherpad.openstack.org/p/policy-rbac-patrole-evaluation18:07
gmanndoing in barbican functional tests will be different approach i think not actually using the patrole (tempest) like tests where you can benefit the common framework and run capability18:08
gmanndifferent approach or duplicating approach. if you do in barbican tempest plugin then you have all service clients available to interact to  API.18:09
ade_lee_gmann, ack -- its just whats there now .. we can move to tempest later or see what we can do in patrole.  Most of the policy though I think could be tested in patrole.18:10
gmanni was thinking to have under /policy/ in this - https://github.com/openstack/barbican-tempest-plugin/tree/master/barbican_tempest_plugin/tests18:11
ade_lee_gmann, indirectly, I think we do actually test our acls in the barbican-tempest-plugin because we test octavia type setups ..18:11
ade_lee_well maybe not there ..18:12
ade_lee_(I mean currently having tests) -- putting policy tests under where you described is not a bad idea18:13
lbragstadade_lee_ then would you invoke them as patrole tests or as tempest plugin tests?18:14
gmannyeah, if you are writing patrole tests then it can be explicit separate from other tests so that you can test them via different roles and requirement file18:14
ade_lee_rick_bartra, so if I understand how patrole works - we point it to a requirements file and it will create a bunch of users etc. and generate a bunch of api tests -- and confirm that all works as expected?18:15
*** jmlowe has quit IRC18:15
ade_lee_or do we need to explicitly write tests?18:15
*** jmlowe has joined #openstack-keystone18:15
lbragstadafaict you still need to write tests18:16
rick_bartraade_lee_ you need to write the tests, create the roles, and define which roles are being tested in the tempest.conf18:16
lbragstadthese are patrole's existing tests18:16
lbragstadhttps://github.com/openstack/patrole/tree/master/patrole_tempest_plugin/tests/api18:16
cmurphyi think it uses tempests' default users18:16
ade_lee_ah .. then what is patrole providing then?18:16
cmurphyade_lee_: this is what i've been wondering :)18:17
rick_bartrathe framework for RBAC testing18:17
cmurphythere's also this issue with non-dynamic credentials https://storyboard.openstack.org/#!/story/171441318:17
gmannyeah non-dynamic cred case needs to be fixed.18:18
lbragstadbnemec getting back to your question - i feel like filtering is going to become more and more important18:19
lbragstadbnemec imo - that's the pattern i noticed when we introduced support for system, domain, and project scope with admin, member, and reader18:20
gmannade_lee_: basically, patrole switch the testing cred role as per configured role or requirement file and run the tests and assert accordingly. so you need to write the tests which call the API + do extra response verification. current tests are just call API.18:20
lbragstadbecause it makes behaviors less binary18:20
bnemecYeah, so maybe we need to focus on making it as easy as possible to write those tests.18:20
lbragstadcmurphy had a leg up on that i believe18:21
*** vishalmanchanda has quit IRC18:21
*** vishalmanchanda has joined #openstack-keystone18:21
cmurphyhttps://review.opendev.org/686073 https://review.opendev.org/68630618:22
*** jmlowe has quit IRC18:24
bnemecSo we're pretty much back to what cmurphy said in the first place. Patrole isn't a great fit for these tests and they probably need to be either Tempest or unit tests, depending on the project.18:26
*** awalende has joined #openstack-keystone18:27
gmannPatrole cover basic RBAC testing as of now but require 1. current tests perform the full operation so not suitable where API operations are heavy like nova create/evacuate server. 2. need to write tests for any new projects which can be done in tempest plugin 3. write or modify tests to cover filter cases 4. adopt system scope via tempest18:27
gmannif i am correct, 3rd and 4th are the only items required for keystone right?18:28
gmannbarbican need 2nd too. (hope API operation are not so heavy)18:28
lbragstadgiven our currently level of testing, yes.. i would think so18:29
lbragstadbut i'm curious to hear what others have to say18:29
gmannin nova, main obstacle to not gate patrole is 1st item18:30
ade_lee_gotta head out, guys - but its been very informative --I need to chew over what was said here18:30
ade_lee_thanks for the info18:31
*** awalende has quit IRC18:31
lbragstad++18:35
lbragstadthank you for the time rick_bartra18:35
cmurphy++ thank you18:35
lbragstadand answering our endless barrage of questions18:36
gagehugorick_bartra: ++ thanks!18:36
*** raildo has quit IRC18:37
*** raildo has joined #openstack-keystone18:38
*** jmlowe has joined #openstack-keystone18:39
rick_bartrano problem :)18:43
*** rick_bartra has quit IRC18:43
*** ayoung has quit IRC18:52
*** gmann is now known as gmann_afk19:00
*** amoralej is now known as amoralej|off19:20
*** awalende has joined #openstack-keystone19:20
*** awalende has quit IRC19:24
*** ivve has joined #openstack-keystone19:28
*** gmann_afk is now known as gmann20:25
*** vesper11 has quit IRC20:49
*** vesper11 has joined #openstack-keystone20:51
*** raildo has quit IRC21:16
*** awalende has joined #openstack-keystone22:00
*** awalende has quit IRC22:04
*** pcaruana has quit IRC22:06
*** cmart has joined #openstack-keystone22:40
*** cmart has quit IRC22:41
*** ade_lee__ has joined #openstack-keystone22:43
*** ade_lee_ has quit IRC22:46
*** ade_lee has joined #openstack-keystone22:50
*** cmart has joined #openstack-keystone22:50
*** ade_lee__ has quit IRC22:54
*** ade_lee has quit IRC22:56
*** tkajinam has joined #openstack-keystone22:56
*** rcernin has joined #openstack-keystone22:57
*** cmart has quit IRC23:02
*** ade_lee has joined #openstack-keystone23:18
*** stokvis has quit IRC23:29
*** stokvis has joined #openstack-keystone23:29
*** ivve has quit IRC23:47
« Monday, 2019-12-02 Index Wednesday, 2019-12-04 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!