Tuesday, 2020-01-21

[04:23] <vishakha> abdysn I cannot find any [ssl] section in http://paste.openstack.org/show/788596/
[04:29] <vishakha> or I cannot find any ssl = true
[05:39] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Run keystone grenade jobs  https://review.opendev.org/703541
[09:24] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.opendev.org/588211
[10:32] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Updating tox -e all-plugin command  https://review.opendev.org/703578
[15:34] <gagehugo> o/
[15:43] <hrybacki> o/
[15:57] <hrybacki> lbragstad: do you know where we have role inheritance documented? I'm only seeing a passing reference to it here in a sample: https://docs.openstack.org/keystone/latest/admin/cli-manage-projects-users-and-roles.html
[15:58] <hrybacki> also, since you can specify both a role and a domain when creating a role, should it ever be possible that the project argument is actually a domain id?
[15:58] <lbragstad> i think we have documentation that briefly describes it here - https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[15:59] <lbragstad> otherwise - the api reference is here https://docs.openstack.org/api-ref/identity/v3/index.html#list-implied-inference-roles-for-role
[16:00] <lbragstad> hrybacki are you asking if it should be possible to create project-specific roles?
[16:01] <hrybacki> lbragstad: no I'm wondering if we have a bug in our sanity checks for new role creation (trying to determine if a RHBZ is legit and I should file a LP)
[16:02] <lbragstad> oh - reparenting a project?
[16:02] <hrybacki> lbragstad: nope, /me fetches
[16:02] <hrybacki> lbragstad: https://bugzilla.redhat.com/show_bug.cgi?id=1790593
[16:02] <openstack> bugzilla.redhat.com bug 1790593 in python-openstackclient ""openstack role add" command should not accept Domain ID in --project parameter" [Low,New] - Assigned to rhos-maint
[16:05] <lbragstad> well - technically projects are domains, but i can see how that's confusing
[16:06] <lbragstad> but since we also have --domain subcommands for openstack role add, i would say overloading --project isn't ideal
[16:07] <hrybacki> Yeah, it's confusing at best, given you can specify the domain as well
[16:07] <lbragstad> right
[16:08] <hrybacki> And naturally, wouldn't the domain default to the parent domain for a given project (rather than a parent-project?)
[16:08] <hrybacki> assuming it's a nested project
[16:08] <lbragstad> since we support domains as a first class citizen in that command with sub-arguments, i would say overloading --project is broken
[16:09] <lbragstad> IMO - a domain should always be a domain, and not a parent project
[16:09] * hrybacki nods
[16:09] <hrybacki> agreed
[16:09] <hrybacki> would there be a case where admins may want to have different roles underneath different nested projects? That's the only wrinkle I can think of
[16:10] <hrybacki> that adds a lot of complexity
[16:12] <cmurphy> just confirmed that it's possible to use --project with a domain id but then it breaks role assignment list --names
[16:12] <cmurphy> so +1 to fixing it
[16:14] <hrybacki> cmurphy++ thanks. I'll create a LP today
[16:14] <hrybacki> thoughts on prio/sev?
[16:14] <cmurphy> low/medium imo
[16:14] * hrybacki nods
[16:15] <lbragstad> yeah - there's a documented workaround
[16:15] <lbragstad> do we need a keystone fix and a python-openstackclient fix?
[16:18] <cmurphy> i'm worried if we change keystone it would be considered an api break
[16:18] <hrybacki> lbragstad: TBD -- also, we should think about how far back we want to fix this
[16:18] <hrybacki> hmm
[16:19] <lbragstad> cmurphy yeah - that's what i was thinking...
[16:19] <hrybacki> even if we are just correcting behavior to line up with what should have been the case?
[16:19] <cmurphy> i don't think it's severe enough to change keystone, it's technically correct behavior since a domain is a project
[16:19] <cmurphy> for all i know that was intended behavior
[16:19] * lbragstad has a feeling this happened when projects and domains were mungled back together
[16:20] <hrybacki> anyone have a tenor sax we can use to summon the cores of years gone by?
[16:21] <lbragstad> breaking --names in subsequent API calls isn't good
[16:22] <hrybacki> okay, so in a situation where we have a behavior (intended or not) that can break other expected behaviors (e.g. the roles list) how do we handle them?
[16:22] <lbragstad> i assume --names in keystone is expecting to only see projects
[16:22] <hrybacki> I get not wanting to break API
[16:23] <lbragstad> cmurphy do we consider fixing --names to properly handle domains a backwards incompatible fix?
[16:24] <cmurphy> i don't think fixing --names is backwards incompatible, only changing the behavior of --project is technically backwards incompatible
[16:26] <lbragstad> ok - cool
[16:27] <lbragstad> i agree
[16:40] <cmurphy> team meeting in about 20 minutes in #openstack-meeting-alt
[16:43] <knikolla> o/
[17:01] <cmurphy> meeting now in #openstack-meeting-alt
[17:03] <cmurphy> lbragstad: hrybacki gyee ^
[18:04] <gyee> cmurphy, lbragstad, gagehugo, can you please take a look? https://review.opendev.org/#/c/702262/
[18:05] <gyee> I am trying to get the stable branches straightened out
[18:05] <cmurphy> yes
[18:05] <gyee> ty
[18:15] <kplant> i'm trying to federate keystone to an external idp via openidc and am getting the error "Missing entity ID from environment". any ideas what that might be?
[18:15] <kplant> i thought entityID was a saml2 thing
[18:16] <cmurphy> kplant: it's not, it's the unique identifier that you use with --remote-id when you create the idp resource in keystone
[18:17] <cmurphy> kplant: that error usually means you set up the <Location ...> paths wrong in your apache config and they're not catching the auth requests before sending them to keystone
[18:17] <cmurphy> could also mean you didn't set remote_id_parameter correctly in keystone.conf
[18:23] <kplant> wait - should it be remote_id_parameter and not remote_id_attribute?
[18:23] <cmurphy> kplant: er sorry remote_id_attribute
[18:23] <kplant> phew
[18:23] <kplant> :-)
[18:23] <cmurphy> i didn't look it up before i said it >.<
[18:24] <kplant> i was going to be happy/angry if that was my problem all along, heh
[18:25] <cmurphy> lol
[18:29] <kplant> so i tried copying my location paths from https://docs.openstack.org/keystone/train/admin/federation/configure_federation.html#federation-openidc
[18:29] <kplant> and i also enabled insecure_debug
[18:29] <kplant> i don't see anything helpful in the keystone* logs, anywhere else i could maybe look?
[18:33] <cmurphy> check the apache access logs to see where the request is really going and make sure it matches the path in <Location ...> for instance if you have keystone running on an /identity path then you'll need to change the example to start with /identity, or if you have different names for the idp or protocol then you should make sure they match in the path, or if you're running keystone on port :5000
[18:33] <cmurphy> make sure the <Location> directive is inside that vhost definition
[18:34] <kplant> yep within <VirtualHost *:5000>; will check the apache access logs though
[18:36] <kplant> Peer's Certificate issuer is not recognized.
[18:36] <ayoung> I thought we got rid of remote-id in the conf?
[18:36] <kplant> there we go
[18:38] <cmurphy> ayoung: we didn't get rid of it, we just made it an option to make it part of the protocol api and fall back to the config... and i guess we didn't document that o\
[19:01] <kplant> meh, the timestamp from that error is a while ago. that doesn't seem to be the issue
[19:01] <kplant> also added 'OIDCSSLValidateServer Off' just in case
[19:20] <hrybacki> lbragstad: cmurphy is it okay if I mark this as triaged and set the prio/sev? https://bugs.launchpad.net/keystone/+bug/1860478
[19:20] <openstack> Launchpad bug 1860478 in OpenStack Identity (keystone) "fetching role assignments should handle domain IDs in addition to project IDs " [Undecided,New]
[19:20] <cmurphy> hrybacki: go for it
[19:21] <hrybacki> cmurphy: I must lack some perms to do that
[19:22] <cmurphy> oh
[19:22] <lbragstad> i think you need to be a member of the keystone-drivers?
[19:23] <cmurphy> hrybacki: try now
[19:24] <hrybacki> cmurphy++ thanks!
[19:32] <hrybacki> lbragstad: weird: https://bugs.launchpad.net/python-openstackclient
[19:32] <hrybacki> but bugs do exist against python-openstackclient: https://bugs.launchpad.net/python-openstackclient/+bug/1795180
[19:32] <openstack> Launchpad bug 1795180 in python-openstackclient "openstack client router list does not filter by domain" [Undecided,New]
[19:32] <lbragstad> hrybacki they use storyboard
[19:32] <hrybacki> ohhh
[20:40] <hrybacki> lbragstad: cmurphy so interestingly, we don't allow 'domain names' in the same way that we do 'domain ids' to be passed through during role assignment
[20:41] <hrybacki> which makes me believe we may not have expected domains to have come through in the first place?
[20:41] <hrybacki> https://www.irccloud.com/pastebin/yPbybM93/
[20:41] <lbragstad> in osc or in keystone's api directly?
[20:41] <hrybacki> in osc
[20:44] <lbragstad> it's probably tripping because it thinks it's dealing with a project https://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/role.py#L92-L95
[20:46] <openstackgerrit> Merged openstack/keystone master: Add docs for app cred access rules  https://review.opendev.org/697375
