Thursday, 2020-07-16

*** jamesmcarthur has joined #openstack-keystone  00:05
*** rcernin has quit IRC  00:06
*** jamesmcarthur has quit IRC  00:10
*** jamesmcarthur has joined #openstack-keystone  00:12
*** rcernin has joined #openstack-keystone  00:13
*** jamesmcarthur has quit IRC  00:16
*** jamesmcarthur has joined #openstack-keystone  00:18
*** jamesmcarthur has quit IRC  00:21
*** jamesmcarthur has joined #openstack-keystone  00:21
*** tkajinam has quit IRC  01:55
*** tkajinam has joined #openstack-keystone  01:55
<openstackgerrit> Merged openstack/keystone master: Cap jsonschema 3.2.0 as the minimal version  https://review.opendev.org/730952  02:08
*** jamesmcarthur has quit IRC  02:11
*** jamesmcarthur has joined #openstack-keystone  02:11
*** jamesmcarthur has quit IRC  02:16
*** jamesmcarthur has joined #openstack-keystone  03:29
*** dave-mccowan has quit IRC  03:30
*** jamesmcarthur has quit IRC  03:32
*** jamesmcarthur has joined #openstack-keystone  03:32
*** jamesmcarthur has quit IRC  04:08
*** jamesmcarthur has joined #openstack-keystone  04:08
*** jamesmcarthur has quit IRC  04:09
*** jamesmcarthur_ has joined #openstack-keystone  04:09
*** jamesmcarthur_ has quit IRC  04:11
*** gyee has quit IRC  04:15
*** diurnalist has quit IRC  04:16
*** abdysn has joined #openstack-keystone  04:56
*** diurnalist has joined #openstack-keystone  06:13
*** diurnalist has quit IRC  06:18
*** shyamb has joined #openstack-keystone  07:05
*** shyam89 has joined #openstack-keystone  07:18
*** shyamb has quit IRC  07:21
*** bengates has joined #openstack-keystone  07:22
*** bengates has quit IRC  07:22
*** bengates has joined #openstack-keystone  07:22
*** shyam89 has quit IRC  07:28
*** bengates_ has joined #openstack-keystone  07:39
*** bengates has quit IRC  07:43
*** rcernin has quit IRC  07:48
*** shyamb has joined #openstack-keystone  07:59
*** shyam89 has joined #openstack-keystone  08:13
*** bnemec has quit IRC  08:14
*** rcernin has joined #openstack-keystone  08:14
*** shyamb has quit IRC  08:16
*** bnemec has joined #openstack-keystone  08:17
*** stingrayza has joined #openstack-keystone  08:23
*** also_stingrayza has quit IRC  08:24
*** shyam89 has quit IRC  08:30
*** xek has joined #openstack-keystone  08:38
*** shyamb has joined #openstack-keystone  08:47
*** bengates_ has quit IRC  08:56
*** bengates has joined #openstack-keystone  08:57
*** xek has quit IRC  09:01
*** rcernin has quit IRC  09:07
*** shyamb has quit IRC  09:22
*** bengates has quit IRC  09:35
*** bengates has joined #openstack-keystone  09:36
*** shyamb has joined #openstack-keystone  09:45
*** dmellado has quit IRC  09:59
*** xek has joined #openstack-keystone  10:06
*** dmellado has joined #openstack-keystone  10:07
*** rcernin has joined #openstack-keystone  10:15
*** rcernin has quit IRC  10:30
*** shyamb has quit IRC  10:36
*** shyamb has joined #openstack-keystone  10:55
*** xek has quit IRC  11:47
*** raildo has joined #openstack-keystone  11:59
*** takamatsu has joined #openstack-keystone  12:11
*** shyamb has quit IRC  12:13
*** rcernin has joined #openstack-keystone  12:21
*** xek has joined #openstack-keystone  12:53
*** xek_ has joined #openstack-keystone  12:55
*** xek has quit IRC  12:58
*** lbragstad has quit IRC  12:58
*** lbragstad has joined #openstack-keystone  13:01
*** spatel has joined #openstack-keystone  13:05
*** dave-mccowan has joined #openstack-keystone  13:24
*** rcernin has quit IRC  13:31
<sri_> Hi team, quick question, is it possible to create an isolated domain admin user in the Ussuri release?  13:39
<knikolla> sri_: by isolated domain admin you mean someone that has admin permissions on that domain only?  13:45
<sri_> knikolla: Yes, domain administrators aren't allowed to access system-specific resources or resources outside their domain.  13:47
*** abdysn has quit IRC  13:48
<sri_> Domain admin should only be allowed to create projects and users within the domain,  13:50
<sri_> knikolla: ^  13:50
<knikolla> sri_: it's... complicated. it is possible if you set the option enforce_scope to True.  13:59
<sri_> knikolla: this document describes what the domain admin role is supposed to do. https://docs.openstack.org/keystone/latest/admin/service-api-protection.html  14:01
<sri_> knikolla: But I don't understand how to do that. Can you please point me in the right direction, where do I start? Where do I set this "enforce_scope to True" in keystone.conf?  14:03
*** alistarle has joined #openstack-keystone  14:07
<knikolla> sri_: you can find a sample keystone.conf with comments for each option here https://docs.openstack.org/keystone/latest/configuration/samples/keystone-conf.html  14:10
<knikolla> there is an enforce_scope option in the [oslo_policy] section.  14:10
<sri_> knikolla: once I add the enforce_scope option, do I also need to write policy to the keystone policy.json file to create a domain admin account?  14:13
<knikolla> that shouldn't be necessary, since the policy defaults are specified in code.  14:14
<knikolla> lbragstad: did i get ^ right?  14:20
*** alistarle has quit IRC  14:33
<sri_> knikolla: when I added the option enforce_scope = True, I can't create projects or users  14:41
*** tkajinam has quit IRC  14:47
*** bengates has quit IRC  14:49
*** bengates has joined #openstack-keystone  14:50
<knikolla> sri_: That is because admin operations now require system level permissions and scoping. So before flipping the enforce_scope switch, add yourself as admin on system.  14:53
*** hoonetorg has quit IRC  14:55
*** irclogbot_3 has quit IRC  14:55
*** hoonetorg has joined #openstack-keystone  14:57
*** irclogbot_3 has joined #openstack-keystone  14:57
*** aning_ has quit IRC  15:00
*** diurnalist has joined #openstack-keystone  15:01
*** spatel has quit IRC  15:04
*** aning has joined #openstack-keystone  15:06
*** johnthetubaguy has quit IRC  15:16
*** johnthetubaguy has joined #openstack-keystone  15:20
*** gyee has joined #openstack-keystone  15:25
*** dave-mccowan has quit IRC  15:28
*** kmalloc has joined #openstack-keystone  15:35
<sri_> knikolla: I need to do some reading, I didn't get what I wanted, but at least I am on the right path, I really appreciate your help. Thank you :)  15:40
*** xek_ has quit IRC  15:47
*** bengates has quit IRC  16:08
*** johnthetubaguy has quit IRC  16:17
*** johnthetubaguy has joined #openstack-keystone  16:20
*** vishakha has joined #openstack-keystone  16:21
<sri_> knikolla: let me rephrase that ("I didn't get what I wanted") properly: *I am not able to make it work yet.  16:21
*** manuvakery has joined #openstack-keystone  17:59
*** carthaca has quit IRC  18:00
<openstackgerrit> Merged openstack/keystone master: Support regexes in whitelists/blacklists  https://review.opendev.org/730423  20:03
*** manuvakery has quit IRC  20:09
*** vesper11 has quit IRC  20:20
*** vesper11 has joined #openstack-keystone  20:21
*** xek_ has joined #openstack-keystone  20:57
<sri_> lbragstad: quick question, is policy.v3cloudsample.json deprecated?  21:00
*** raildo has quit IRC  21:00
<lbragstad> sri_ yes - it's technically obsolete in newer branches because we've improved the policy checks  21:01
<sri_> lbragstad: ack, I was trying to create a domain admin, where the domain admin can only manage projects and users within the domain; to achieve that do I have to create custom policies?  21:03
<lbragstad> sri_ it depends on the release you're using  21:06
<lbragstad> i think that's supported with stein - if you explicitly opt into using the new policies  21:07
<sri_> lbragstad: I am using the ussuri release  21:07
<lbragstad> ok - then you should be able to use the new policies  21:08
<lbragstad> you might need to set https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults and https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope to True in your keystone.conf  21:09
<sri_> lbragstad: I was adding the enforce_scope = True option as knikolla suggested; with that option enabled even the admin user is not able to create users or domains  21:09
<lbragstad> sri_ are you using a system-scoped token?  21:10
<lbragstad> or are you using a project-scoped token?  21:10
<sri_> lbragstad: I am not sure, this is my rc file http://paste.openstack.org/show/796027/  21:11
<lbragstad> sri_ that's going to ask keystone for a project-scoped token, which isn't going to work if you want to opt into the new behavior  21:12
<lbragstad> you're going to need to set OS_SYSTEM_SCOPE=all instead of OS_PROJECT_NAME  21:13
<lbragstad> or you can use a clouds.yaml file  21:13
<sri_> I see, I believe horizon doesn't work with the new policies, right?  21:14
<sri_> lbragstad: ^  21:15
<lbragstad> sri_ correct, that work is still pending  21:16
<sri_> lbragstad: understood, you saved my day, Thank you 😃  21:18
<lbragstad> sri_ were you able to get it working?  21:18
<sri_> lbragstad: not yet, testing now!  21:19
*** markvoelker has joined #openstack-keystone  21:23
*** markvoelker has quit IRC  21:26
<sri_> lbragstad: with a system-scoped token I am able to create users, projects and domains  21:32
*** markvoelker has joined #openstack-keystone  21:33
<lbragstad> sri_ cool - good deal  21:34
*** markvoelker has quit IRC  21:38
<lbragstad> knikolla yes - i think you got that right (just following up on this)  21:41
<openstackgerrit> Colleen Murphy proposed openstack/keystone-tempest-plugin master: WIP/PoC: Add RBAC tests  https://review.opendev.org/686305  21:44
<sri_> lbragstad: sorry for the silly question, I've created a new domain and user with the admin role, http://paste.openstack.org/show/796030/ , the new domain admin user can't create any projects or users  21:48
<lbragstad> sri_ are they using a domain scoped token?  21:48
<sri_> oh, no  21:49
<sri_> lbragstad: I've added OS_DOMAIN_SCOPE=lab to the rc file, now I am getting The service catalog is empty.  21:52
<sri_> lbragstad: keystone logs: http://paste.openstack.org/show/796031/  22:06
<lbragstad> sri_ i think you need to use OS_DOMAIN_NAME  22:11
<lbragstad> and not OS_DOMAIN_SCOPE  22:11
<sri_> lbragstad: sorry, yes you're right  22:14
<sri_> lbragstad: everything is working as I expected 🎉  22:15
<sri_> lbragstad: let me say it again, you saved my day, Thank you 😃  22:15
<sri_> lbragstad: one small issue, I can create projects and users but am not able to assign any role to users within the domain, is this the expected behavior?  22:22
<sri_> lbragstad: do I have to add the roles to the user before enabling "enforce_scope = True"?  22:37
*** rcernin has joined #openstack-keystone  22:43
*** rcernin has quit IRC  22:47
*** rcernin has joined #openstack-keystone  22:54
<sri_> lbragstad: also when I run openstack network list in the new domain, it's showing the default domain's private network and router, I think it's not supposed to show other domains' resources, right?  22:58
*** tkajinam has joined #openstack-keystone  23:02
*** gyee has quit IRC  23:16
*** hoonetorg has quit IRC  23:16
*** irclogbot_3 has quit IRC  23:16
*** gyee has joined #openstack-keystone  23:22
*** hoonetorg has joined #openstack-keystone  23:22
*** irclogbot_3 has joined #openstack-keystone  23:22
<lbragstad> sri_ role assignments might not work unless you're using domain specific roles  23:46
<lbragstad> but i'd need to double check  23:46
<lbragstad> also neutron and other services are in the process of adopting all of this, so behavior is going to vary  23:46

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!