Tuesday, 2020-08-18

*** spatel has joined #openstack-keystone 00:50
adriant: nsmeds, one option is using Adjutant to handle some of those things through it without exposing the 'admin' role. At least for requesting new projects, and managing/inviting users to your projects without needing 'admin'. I have been hoping to add some support for managing projects/subprojects but I likely won't get to that until maybe next cycle. 01:13
*** gyee has quit IRC 01:49
nsmeds: okay, thanks @adriant I'll look into it 02:25
adriant: nsmeds, you can probably solve a lot of your case with policy.json, but there are a lot of fine grained edge cases that don't really work too well. Adjutant was built to be able to act as a service where you can build admin-like apis which wrap around admin functionality in keystone and expose it in a more user friendly less powerful way that is 02:28
adriant: more aligned with the business logic you might have in mind 02:28
nsmeds: oh - I've never even heard about this project, it looks really promising 02:28
adriant: I am the PTL and primary author of the service, so take my words with a grain of salt, as I'm biased :P 02:28
nsmeds: openstack-ansible even has a role for it, I'm in luck :) 02:29
nsmeds: okay - I'll stick around this channel and try not to pester you too much with questions ^^ 02:29
adriant: nsmeds, feel free to pop into #openstack-adjutant as well, and you can bug me there as well, but keystone peeps are definitely the ones to bug about keystone policy suggestions 02:30
adriant: oklhost is the one who wrote the ansible module, and he also hangs out in #openstack-adjutant :) 02:30
*** mordred has quit IRC 03:29
*** carthaca has quit IRC 03:31
*** mordred has joined #openstack-keystone 03:33
*** dave-mccowan has quit IRC 03:47
*** evrardjp has quit IRC 04:33
*** evrardjp has joined #openstack-keystone 04:33
*** vishalmanchanda has joined #openstack-keystone 04:47
*** spatel has quit IRC 05:08
*** abdysn has joined #openstack-keystone 05:11
openstackgerrit: Jorhson Deng proposed openstack/keystonemiddleware master: support sasl for memcached https://review.opendev.org/743703 05:44
openstackgerrit: Jorhson Deng proposed openstack/keystonemiddleware master: support sasl for memcached https://review.opendev.org/743703 05:45
*** carthaca has joined #openstack-keystone 06:18
*** bengates has joined #openstack-keystone 07:02
*** rcernin has quit IRC 07:02
*** rcernin has joined #openstack-keystone 07:03
*** bengates_ has joined #openstack-keystone 07:13
*** bengates has quit IRC 07:14
*** bengates has joined #openstack-keystone 07:15
*** bengates_ has quit IRC 07:19
*** bengates_ has joined #openstack-keystone 07:19
*** bengates has quit IRC 07:22
*** xek has joined #openstack-keystone 07:51
*** mordred has quit IRC 08:12
*** mordred has joined #openstack-keystone 08:18
*** rcernin has quit IRC 08:34
*** Luzi has joined #openstack-keystone 09:53
*** tkajinam has quit IRC 09:58
*** shyamb has joined #openstack-keystone 11:09
*** raildo has joined #openstack-keystone 11:48
*** dave-mccowan has joined #openstack-keystone 12:02
*** zzzeek has quit IRC 12:19
*** zzzeek has joined #openstack-keystone 12:23
*** shyam89 has joined #openstack-keystone 12:27
*** shyamb has quit IRC 12:30
*** shyam89 has quit IRC 12:42
*** Luzi has quit IRC 13:34
*** vishakha has joined #openstack-keystone 13:43
*** tkajinam has joined #openstack-keystone 13:50
*** abdysn has quit IRC 14:04
*** bengates_ has quit IRC 14:10
*** bengates has joined #openstack-keystone 14:11
nsmeds: Does anyone know why the `etc/policy.v3cloudsample.json` example file was removed after the Stein release? 14:36
knikolla: nsmeds: the policy defaults are now in code. you can generate a sample file using oslopolicy-policy-generator https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-policy-generator.html 14:48
nsmeds: ok, I'll read into that - thanks @knikolla 14:49
*** vishalmanchanda has quit IRC 15:06
*** gyee has joined #openstack-keystone 15:16
nsmeds: and just to confirm: is there really no example policy for setting up a domain-level admin? It feels like this would be a fairly normal use-case, and it surprises me that we'll need to craft a new role from scratch for doing so 15:23
nsmeds: or am I misunderstanding? 15:24
knikolla: nsmeds: the default policy, when enforce_scope is enabled is exactly that. 15:32
knikolla: however not all openstack services do support the different types of scope yet. 15:32
knikolla: hence it is disabled by default. 15:32
lbragstad: nsmeds if you're using train or later, keystone supports domain admin use cases when you set `keystone.conf [oslo_policy] enforce_scope = True` 15:37
lbragstad: we removed the policy.v3cloudsample.json file because the overrides it supplied were duplicates of the behavior we were using in code 15:37
nsmeds: Bless you both - that's exactly what I was hoping to hear 15:39
nsmeds: I'll look into that setting 15:39
lbragstad: nsmeds https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes is pretty dense and it's written for other developers (not operators specifically) 15:40
lbragstad: but it does describe the overall idea 15:40
lbragstad: and why it's important 15:40
nsmeds: ok - I'll take the time to read through it :) thank you! 15:41
nsmeds: we're using Train thankfully 15:42
lbragstad: ok - you might not be able to apply it to the entire deployment, but you can at least use it in keystone to get an idea of how things work 15:43
*** bengates has quit IRC 16:08
*** bengates has joined #openstack-keystone 16:08
*** bengates has quit IRC 16:14
knikolla: reminder for the meeting in ~18 minutes in #openstack-meeting-alt 16:42
openstackgerrit: Hervé Beraud proposed openstack/oslo.policy master: Add unit tests on cache handler https://review.opendev.org/671113 16:48
openstackgerrit: Hervé Beraud proposed openstack/oslo.policy master: Add unit tests on cache handler https://review.opendev.org/671113 17:08
openstackgerrit: Hervé Beraud proposed openstack/oslo.policy master: Correctly handle IO errors at policy file load https://review.opendev.org/670571 17:08
openstackgerrit: Hervé Beraud proposed openstack/oslo.policy master: Adding tests on cache handler https://review.opendev.org/671309 17:08
*** dustinc has joined #openstack-keystone 19:39
nsmeds: @lbragstad thanks for that previous link - as an operator, it definitely provides helpful insight into authorization scopes and the current state of OpenStack+IAM. It's well written. 19:40
lbragstad: nsmeds good deal - glad you found it useful 19:45
*** vishakha has quit IRC 19:52
*** raildo has quit IRC 21:14
*** rcernin has joined #openstack-keystone 21:18
*** xek has quit IRC 21:26
*** rcernin has quit IRC 21:35
*** rcernin has joined #openstack-keystone 21:52
*** rcernin has quit IRC 21:57
*** rcernin has joined #openstack-keystone 22:09
*** rcernin has quit IRC 22:09
*** rcernin has joined #openstack-keystone 22:33
*** lxkong has quit IRC 22:42
*** pas-ha has quit IRC 22:42
*** sri_ has quit IRC 22:42
*** dviroel has quit IRC 22:43
*** csatari has quit IRC 22:43
*** knikolla has quit IRC 22:43
*** sri_ has joined #openstack-keystone 22:51
*** dviroel has joined #openstack-keystone 22:55
*** lxkong has joined #openstack-keystone 22:55
*** csatari has joined #openstack-keystone 22:55
*** pas-ha has joined #openstack-keystone 22:55
*** knikolla has joined #openstack-keystone 22:56
*** ChanServ sets mode: +o knikolla 22:56
