Tuesday, 2019-04-23

* kmalloc yawns [15:58]
* hrybacki pokes kmalloc in the stomach (gently, but not too gently) [15:58]
*** gagehugo has joined #openstack-meeting-alt [15:58]
* kmalloc considers another cup of coffee. [16:00]
* hrybacki nods in affirmation at kmalloc [16:00]
cmurphy: #startmeeting keystone [16:00]
openstack: Meeting started Tue Apr 23 16:00:22 2019 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot. [16:00]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [16:00]
*** openstack changes topic to " (Meeting topic: keystone)" [16:00]
openstack: The meeting name has been set to 'keystone' [16:00]
lbragstad: o/ [16:00]
cmurphy: #link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda [16:00]
vishakha: o/ [16:00]
cmurphy: o/ [16:01]
wxy|: o/ [16:01]
cmurphy: okay let's get started [16:02]
cmurphy: #topic next meetings [16:02]
hrybacki: o/ [16:02]
*** openstack changes topic to "next meetings (Meeting topic: keystone)" [16:02]
gagehugo: o/ [16:02]
*** jrbalderrama has quit IRC [16:02]
cmurphy: next week most of us will be at the summit so we will have to cancel that meeting [16:02]
cmurphy: wait [16:02]
cmurphy: yes next week [16:03]
* cmurphy loses track of time [16:03]
cmurphy: the following week i'm going to take a couple of days off, I could ask for a volunteer to chair the meeting but i think most of us are going to be toast anyway and we may as well cancel [16:04]
cmurphy: thoughts? [16:04]
lbragstad: wfm [16:04]
lbragstad: i'll likely be working on summaries anyway [16:04]
*** gagehugo has quit IRC [16:06]
cmurphy: okay [16:06]
*** gagehugo has joined #openstack-meeting-alt [16:06]
cmurphy: #agreed next two meetings canceled, resume meetings Tuesday 14 May [16:06]
vishakha: ok [16:06]
gagehugo: wfm [16:07]
cmurphy: cool [16:07]
*** dave-mccowan has quit IRC [16:07]
cmurphy: #topic reviews [16:07]
*** openstack changes topic to "reviews (Meeting topic: keystone)" [16:07]
cmurphy: anyone want to highlight any reviews? [16:07]
cmurphy: I noticed jose was working on https://review.opendev.org/655166 and wanted to bring it up [16:09]
cmurphy: would that work? and would we need renewable app creds in that case? [16:10]
cmurphy: knikolla: kmalloc ? [16:10]
knikolla: o/ [16:11]
kmalloc: that should be allowed, as long as if the group role assignment changes the app cred is likewise invalidated [16:11]
kmalloc: there is no reason a group-conveyed role assignment should be restricted from use in an app cred [16:11]
*** jbadiapa has quit IRC [16:11]
kmalloc: doesn't need renewable. [16:11]
kmalloc: assuming concrete group role assignment [16:11]
lbragstad: it looks like they're generated at validation time [16:11]
knikolla: we can't really check on group membership changes if they happen in idp [16:12]
knikolla: and user only uses app cred to log in [16:12]
kmalloc: IDP/Federation allowed appcreds are not concrete assignments [16:12]
cmurphy: but groups are concrete and have concrete role assignments [16:13]
lbragstad: #link https://review.opendev.org/#/c/655166/1/keystone/models/token_model.py@412 [16:13]
kmalloc: group roles can't be divined from the IDP in any case, group membership can. either a role is conveyed to the user directly in federation or it's a role assignment on a group within keystone [16:13]
kmalloc: so, no reason group role assignments shouldn't be allowed in app creds. [16:14]
kmalloc: afaict [16:14]
*** ijw has joined #openstack-meeting-alt [16:14]
lbragstad: well - i thought the main driver of renewable app creds was because we wanted to "force" the auditing of those groups [16:15]
lbragstad: so that a federated user couldn't just create an application credential with access that gets out of sync from the idp in the future [16:15]
* lbragstad could be mis-remembering something though [16:16]
kmalloc: that is fair [16:16]
kmalloc: but this appears to be *any* group assignment [16:16]
cmurphy: ignoring auto-provisioned projects, when a federated user gets a scoped token the mapping gives them a membership in a group which gives them an effective role assignment [16:16]
cmurphy: if they lose membership to the group because their saml attributes changed then they don't have the effective role assignment any more [16:17]
cmurphy: because the mapping wouldn't apply any more [16:17]
cmurphy: right? [16:17]
lbragstad: and that's driven by the assertion, yeah? [16:17]
cmurphy: as i understand it [16:17]
kmalloc: right, but they could login with the app cred is the concern [16:17]
kmalloc: circumventing that effective bit. [16:17]
lbragstad: right [16:17]
lbragstad: so if i have membership to an admin group in an idp somewhere [16:17]
kmalloc: so, exempt federation from effective until we have renewable? [16:17]
kmalloc: but otherwise, this still feels like a gap in our functionality [16:18]
lbragstad: i can use my assertion to generate an application credential to that corresponding OpenStack group [16:18]
lbragstad: and nothing would force me to revisit that authorization, even if i'm removed from that group or company [16:18]
cmurphy: okay that's right, i'm remembering now [16:18]
lbragstad: iirc - renewability was our scapegoat [16:19]
lbragstad: in order to prevent that specific foot-gun scenario [16:20]
kmalloc: we could just do a "is_federated" and not do "effective" [16:21]
kmalloc: in that case. until we have renewable [16:22]
kmalloc: and we can do the same normal invalidation on group assignment change we do on direct assignment [16:22]
*** kopecmartin is now known as kopecmartin|off [16:23]
*** mrhillsman is now known as openlab [16:23]
*** openlab is now known as mrhillsman [16:23]
*** mrhillsman is now known as openlab [16:24]
*** openlab is now known as mrhillsman [16:25]
cmurphy: okay i'm in agreement, can someone comment on the patch? [16:25]
kmalloc: I'll comment. [16:25]
cmurphy: thanks [16:25]
cmurphy: i also wanted to mention https://review.opendev.org/649177 i haven't looked at the last revision but it seems like it fixes an important bug but needs some careful eyes on it [16:26]
cmurphy: #topic open discussion [16:27]
*** openstack changes topic to "open discussion (Meeting topic: keystone)" [16:27]
cmurphy: anything else anyone wants to bring up? [16:27]
lbragstad: my internal team is having a team dinner at some point next week, we just don't know when, where, or how. [16:28]
lbragstad: so - i'm not sure if that will conflict with the keystone team dinner at any point [16:28]
cmurphy: lbragstad: based on the poll i was going to go for wednesday [16:29]
lbragstad: sweet - if that's the consensus, i'll let my internal team know [16:29]
cmurphy: cool [16:29]
cmurphy: i'll be trying to organize that properly today [16:30]
kmalloc: commented. [16:30]
*** whoami-rajat has quit IRC [16:30]
lbragstad: thanks cmurphy [16:31]
cmurphy: here's another question for the group, do we need branches for ldappool? see thierry's question https://review.opendev.org/654455 [16:34]
*** baojg has joined #openstack-meeting-alt [16:34]
lbragstad: interesting [16:35]
kmalloc: we had them for convenience not for any other reason [16:36]
kmalloc: probably don't need the branching [16:36]
*** rcernin has quit IRC [16:36]
cmurphy: i'll ask pas-ha since he had asked about the branch, i think we may as well drop them [16:38]
hrybacki: from a vendor perspective, branches are nice \0/ [16:38]
*** baojg has quit IRC [16:39]
*** whoami-rajat has joined #openstack-meeting-alt [16:39]
cmurphy: hrybacki: from another vendor perspective we don't use the branches for that lib [16:39]
cmurphy: ¯\_(ツ)_/¯ [16:39]
hrybacki: I don't have a strong argument tbh -- hence the weak shruggie :) [16:40]
cmurphy: yeah doesn't seem like there's a strong rationale either way [16:42]
cmurphy: seems like the meeting is winding down so let's go ahead and close it and get a few minutes back [16:42]
cmurphy: see most of you next week! [16:43]
cmurphy: #endmeeting [16:43]
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" [16:43]
hrybacki: o/ thanks cmurphy ! [16:43]
openstack: Meeting ended Tue Apr 23 16:43:07 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [16:43]
openstack: Minutes:        http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-04-23-16.00.html [16:43]
openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-04-23-16.00.txt [16:43]
openstack: Log:            http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-04-23-16.00.log.html [16:43]