*** vishakha has quit IRC | 00:02 | |
*** xek_ has quit IRC | 00:32 | |
*** gyee has quit IRC | 00:33 | |
*** rcernin has quit IRC | 00:34 | |
*** rcernin has joined #openstack-keystone | 00:39 | |
*** markvoelker has joined #openstack-keystone | 02:13 | |
*** markvoelker has quit IRC | 02:18 | |
*** also_stingrayza has joined #openstack-keystone | 03:06 | |
*** stingrayza has quit IRC | 03:09 | |
*** markvoelker has joined #openstack-keystone | 03:48 | |
*** markvoelker has quit IRC | 03:53 | |
*** vishalmanchanda has joined #openstack-keystone | 04:01 | |
*** diurnalist has quit IRC | 04:23 | |
*** rcernin has quit IRC | 04:47 | |
*** rcernin has joined #openstack-keystone | 04:57 | |
*** rcernin has quit IRC | 05:12 | |
*** rcernin has joined #openstack-keystone | 05:20 | |
*** shyamb has joined #openstack-keystone | 05:29 | |
*** shyamb has quit IRC | 05:45 | |
*** markvoelker has joined #openstack-keystone | 05:49 | |
*** shyamb has joined #openstack-keystone | 05:53 | |
*** markvoelker has quit IRC | 05:54 | |
*** shyam89 has joined #openstack-keystone | 06:03 | |
sri_ | lbragstad: ack, | 06:05 |
*** shyamb has quit IRC | 06:06 | |
*** rcernin has quit IRC | 06:19 | |
*** rcernin has joined #openstack-keystone | 06:32 | |
*** rcernin has quit IRC | 06:46 | |
*** diurnalist has joined #openstack-keystone | 06:47 | |
*** diurnalist has quit IRC | 06:51 | |
*** rcernin has joined #openstack-keystone | 06:53 | |
*** rcernin has quit IRC | 07:06 | |
*** bengates has joined #openstack-keystone | 07:10 | |
*** shyam89 has quit IRC | 07:17 | |
*** rcernin has joined #openstack-keystone | 07:34 | |
*** rcernin has quit IRC | 07:42 | |
*** rcernin has joined #openstack-keystone | 07:46 | |
*** rcernin has quit IRC | 07:50 | |
*** diurnalist has joined #openstack-keystone | 07:58 | |
*** diurnalist has quit IRC | 08:03 | |
*** also_stingrayza is now known as stingrayza | 08:08 | |
*** carthaca has joined #openstack-keystone | 08:12 | |
*** shyamb has joined #openstack-keystone | 08:24 | |
*** shyam89 has joined #openstack-keystone | 08:36 | |
*** shyamb has quit IRC | 08:39 | |
*** spatel has joined #openstack-keystone | 08:49 | |
*** xek_ has joined #openstack-keystone | 08:51 | |
*** spatel has quit IRC | 08:53 | |
*** diurnalist has joined #openstack-keystone | 09:10 | |
*** diurnalist has quit IRC | 09:14 | |
*** shyamb has joined #openstack-keystone | 09:24 | |
*** shyam89 has quit IRC | 09:25 | |
*** rcernin has joined #openstack-keystone | 09:29 | |
*** shyam89 has joined #openstack-keystone | 09:41 | |
*** shyamb has quit IRC | 09:44 | |
*** rcernin has quit IRC | 09:48 | |
*** tkajinam has quit IRC | 09:52 | |
*** shyamb has joined #openstack-keystone | 09:56 | |
*** shyam89 has quit IRC | 10:00 | |
*** shyamb has quit IRC | 10:12 | |
*** shyamb has joined #openstack-keystone | 10:32 | |
*** shyamb has quit IRC | 10:47 | |
*** shyamb has joined #openstack-keystone | 11:20 | |
*** raildo has joined #openstack-keystone | 11:41 | |
*** diurnalist has joined #openstack-keystone | 11:45 | |
*** xek_ has quit IRC | 11:50 | |
*** diurnalist has quit IRC | 11:50 | |
*** vishakha has joined #openstack-keystone | 12:11 | |
*** shyamb has quit IRC | 12:13 | |
vishakha | knikolla cmurphy I wanted to have your opinions on the bug #link https://bugs.launchpad.net/keystone/+bug/1862802. Is it feasible to raise an exception when no domain_id is being passed while creating a user or any other entity? | 12:13 |
openstack | Launchpad bug 1862802 in OpenStack Identity (keystone) "Avoid the default domain usage when the Domain is not specified in the project creation" [Wishlist,Triaged] - Assigned to Vishakha Agarwal (vishakha.agarwal) | 12:13 |
*** spatel has joined #openstack-keystone | 12:50 | |
*** spatel has quit IRC | 12:55 | |
*** diurnalist has joined #openstack-keystone | 12:57 | |
*** diurnalist has quit IRC | 13:01 | |
*** xek_ has joined #openstack-keystone | 14:01 | |
*** bengates has quit IRC | 14:02 | |
*** bengates has joined #openstack-keystone | 14:04 | |
*** diurnalist has joined #openstack-keystone | 14:08 | |
*** bengates has quit IRC | 14:08 | |
*** diurnalist has quit IRC | 14:13 | |
sri_ | vishakha: hi, quick question, when I enabled the "enforce_scope = True" flag, domain admin is not able to assign roles to users within the domain, is this the expected behavior? | 14:13 |
vishakha | sri_: Domain admins should be able to assign roles to user in the same domain. | 14:21 |
sri_ | vishakha: when i try to assign role I am getting "You are not authorized to find role with the name 'admin'." http://paste.openstack.org/show/796049/ | 14:25 |
sri_ | vishakha: it looks like i am missing something | 14:25 |
vishakha | sri_: Are you able to list roe assignments for domain $ openstack role assignment list --names --domain <domain-name> ? | 14:31 |
vishakha | role* | 14:32 |
sri_ | vishakha: I can list the roles from system account, not from domain admin account | 14:34 |
sri_ | https://www.irccloud.com/pastebin/8wYFfTbT/ | 14:34 |
vishakha | Domain admin doesn't have the power to list roles in the whole system but it should be able to list role assignments in the domain over which the user is admin. | 14:36 |
vishakha | sri_: ^^ | 14:36 |
*** diurnalist has joined #openstack-keystone | 14:37 | |
sri_ | vishakha: yes you're right, but I am not able to list the roles in the domain also, http://paste.openstack.org/show/796051/ | 14:39 |
*** xek_ has quit IRC | 14:41 | |
vishakha | sri_: After sourcing keystonerc_user1 could you share the env variables? | 14:43 |
sri_ | vishakha: http://paste.openstack.org/show/796052/ | 14:46 |
*** bengates has joined #openstack-keystone | 14:53 | |
*** bengates has quit IRC | 14:54 | |
*** bengates has joined #openstack-keystone | 14:54 | |
vishakha | sri_: I am not sure what is missing here. All is looking good to me | 15:09 |
*** bnemec is now known as beekneemech | 15:10 | |
vishakha | lbragstad ^^ need some help here | 15:10 |
lbragstad | sri_ how are you creating the grant? | 15:13 |
lbragstad | or the role assignment? | 15:13 |
*** bengates has quit IRC | 15:14 | |
sri_ | https://www.irccloud.com/pastebin/VaQld2Qf/ | 15:14 |
sri_ | lbragstad: something like this ^^ | 15:15 |
lbragstad | trying something quick, one sec | 15:15 |
*** bengates has joined #openstack-keystone | 15:15 | |
*** bengates_ has joined #openstack-keystone | 15:16 | |
*** bengates_ has quit IRC | 15:17 | |
*** bengates_ has joined #openstack-keystone | 15:17 | |
*** bengates has quit IRC | 15:19 | |
lbragstad | sri_ yeah - it works | 15:25 |
*** gyee has joined #openstack-keystone | 15:26 | |
lbragstad | i think the issue you're hitting is because python-openstackclient will attempt to list resources to figure out if you're giving it an ID or a name | 15:26 |
lbragstad | and domain admins aren't allowed to list all resources in a deployment (like roles) | 15:26 |
sri_ | lbragstad: I see, is there a workaround to fix that issue? | 15:28 |
lbragstad | sri_ if you make the request to keystone directly, it will work | 15:29 |
lbragstad | i'm working on a paste | 15:29 |
sri_ | lbragstad: Ok, thanks :) | 15:29 |
lbragstad | sri_ http://paste.openstack.org/show/796056/ | 15:35 |
lbragstad | sri_ here is what i used for clouds.yaml http://paste.openstack.org/show/796057/ | 15:36 |
lbragstad | this is the API i invoked manually - https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=assign-role-to-user-on-project-detail#assign-role-to-user-on-project | 15:38 |
sri_ | lbragstad: got it, we have talking keystone api, nice, do you want me to file a bug report? | 15:38 |
lbragstad | sri_ if you do - i would make it against python-openstackclient since there isn't really anything to do in keystone | 15:38 |
lbragstad | https://storyboard.openstack.org/#!/project/openstack/python-openstackclient | 15:39 |
lbragstad | ^ in case you need the link | 15:39 |
lbragstad | i'm checking to see if there is already a story open for this | 15:40 |
sri_ | lbragstad: sure, how do I find out which projects are currently working with the "enforce_scope = True" policies | 15:41 |
sri_ | lbragstad: testing one by one ? :) | 15:41 |
lbragstad | sri_ there is a popup team focused on implementing this across projects - https://governance.openstack.org/tc/reference/popup-teams.html#secure-default-policies | 15:41 |
lbragstad | they're probably the best folks to ask about progress across openstack | 15:42 |
lbragstad | to date, nova and keystone have implemented scope checks | 15:42 |
lbragstad | other projects are in different phases of adopting that work, though | 15:42 |
sri_ | lbragstad: understood, thank you :) | 15:43 |
sri_ | vishakha: thank you | 15:44 |
lbragstad | sri_ no problem - good luck | 15:45 |
lbragstad | https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team has more information | 15:46 |
sri_ | lbragstad: 👍 | 15:48 |
cmurphy | vishakha: note the part of the description "Since we can't change the current behavior of V3, because it will be api-breaking. We need to fix it in the Keystone microversion." and the tag "fix-requires-microversion" and the priority "wishlist" we're using the bug to document the behavior for now but we can't fix it unless we have a v4 API or microversions | 16:08 |
*** kklimonda has quit IRC | 16:20 | |
*** kklimonda has joined #openstack-keystone | 16:21 | |
*** bengates_ has quit IRC | 16:24 | |
*** markvoelker has joined #openstack-keystone | 16:59 | |
*** vishalmanchanda has quit IRC | 17:20 | |
*** TheJulia has quit IRC | 18:22 | |
*** TheJulia has joined #openstack-keystone | 18:23 | |
*** johnsom has quit IRC | 18:24 | |
*** johnsom has joined #openstack-keystone | 18:25 | |
*** kmalloc has quit IRC | 18:53 | |
*** kmalloc has joined #openstack-keystone | 18:53 | |
*** masayukig has quit IRC | 18:58 | |
*** masayukig has joined #openstack-keystone | 18:59 | |
*** jamespage has quit IRC | 19:24 | |
*** jamespage has joined #openstack-keystone | 19:25 | |
openstackgerrit | Ben Nemec proposed openstack/oslo.limit master: Move keystoneauth options to oslo_limit_keystoneauth https://review.opendev.org/733881 | 19:27 |
*** johnthetubaguy has quit IRC | 19:56 | |
*** johnthetubaguy has joined #openstack-keystone | 19:58 | |
*** hemna has quit IRC | 19:59 | |
*** hemna has joined #openstack-keystone | 19:59 | |
*** johnthetubaguy has quit IRC | 20:05 | |
*** johnthetubaguy has joined #openstack-keystone | 20:08 | |
*** johnthetubaguy has quit IRC | 20:14 | |
*** johnthetubaguy has joined #openstack-keystone | 20:17 | |
*** johnthetubaguy has quit IRC | 20:32 | |
*** sapd1_x has quit IRC | 20:32 | |
*** sapd1_x has joined #openstack-keystone | 20:33 | |
*** spatel has joined #openstack-keystone | 20:34 | |
*** markvoelker has quit IRC | 20:42 | |
*** vishakha has quit IRC | 20:48 | |
*** raildo has quit IRC | 21:11 | |
*** gyee has quit IRC | 21:40 | |
*** gyee has joined #openstack-keystone | 21:45 | |
*** also_stingrayza has joined #openstack-keystone | 21:49 | |
*** melwitt is now known as jgwentworth | 21:49 | |
*** stingrayza has quit IRC | 21:52 | |
*** lbragstad has quit IRC | 21:56 | |
*** lbragstad has joined #openstack-keystone | 21:56 | |
*** markvoelker has joined #openstack-keystone | 22:22 | |
*** markvoelker has quit IRC | 22:27 | |
*** markvoelker has joined #openstack-keystone | 22:47 | |
*** markvoelker has quit IRC | 22:52 | |
*** gyee has quit IRC | 23:01 | |
openstackgerrit | Jason Anderson proposed openstack/keystone master: Support for deprovisioning federated assignments https://review.opendev.org/741785 | 23:08 |
*** diurnalist has quit IRC | 23:16 | |
*** diurnalist has joined #openstack-keystone | 23:29 | |
*** diurnalist has quit IRC | 23:38 |