Monday, 2017-02-20

*** IRCFrEAK has joined #openstack-keystone00:53
*** IRCFrEAK has left #openstack-keystone00:53
*** hoangcx has joined #openstack-keystone00:53
*** edmondsw has quit IRC00:54
*** martinlopes has quit IRC00:54
*** martinlopes has joined #openstack-keystone00:56
*** markvoelker_ has quit IRC01:05
*** chlong has joined #openstack-keystone01:06
*** liujiong has joined #openstack-keystone01:16
*** ngupta has quit IRC01:22
*** rdo has quit IRC01:22
*** rdo has joined #openstack-keystone01:30
*** bjolo_ has quit IRC01:51
*** guoshan has joined #openstack-keystone01:54
*** martinlopes has quit IRC02:06
*** thorst has joined #openstack-keystone02:11
*** thorst has quit IRC02:11
*** hoangcx has quit IRC02:16
*** ngupta has joined #openstack-keystone02:22
*** hoangcx has joined #openstack-keystone02:22
*** hoangcx_ has joined #openstack-keystone02:25
*** ngupta has quit IRC02:26
*** hoangcx has quit IRC02:28
*** tovin07 has joined #openstack-keystone02:35
*** tovin07 has left #openstack-keystone02:38
*** tovin07 has joined #openstack-keystone02:43
<openstackgerrit> Shan Guo proposed openstack/keystone master: Fix typo in config doc  https://review.openstack.org/435830  02:43
*** edmondsw has joined #openstack-keystone02:54
*** edmondsw has quit IRC02:59
*** obedmr has quit IRC03:19
*** obedmr has joined #openstack-keystone03:20
*** edmondsw has joined #openstack-keystone03:30
*** edmondsw has quit IRC03:35
*** madgoat has joined #openstack-keystone03:59
*** madgoat has left #openstack-keystone03:59
*** guoshan has quit IRC04:15
*** nicolasbock has quit IRC04:27
*** dave-mccowan has quit IRC04:29
*** martinlopes has joined #openstack-keystone04:39
*** nkinder has joined #openstack-keystone04:56
*** adriant has quit IRC04:58
*** guoshan has joined #openstack-keystone05:02
*** nkinder has quit IRC05:09
*** ngupta has joined #openstack-keystone05:40
*** guoshan has quit IRC05:45
*** jaosorior has joined #openstack-keystone05:49
*** guoshan has joined #openstack-keystone05:58
*** thorst has joined #openstack-keystone06:11
*** thorst has quit IRC06:15
<openstackgerrit> Merged openstack/keystonemiddleware master: Remove unused logging import  https://review.openstack.org/435203  06:19
<openstackgerrit> Merged openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/431959  06:19
<openstackgerrit> Merged openstack/keystone master: Updated from global requirements  https://review.openstack.org/431886  06:22
<openstackgerrit> Merged openstack/keystoneauth master: Fix ClientException message property not set properly  https://review.openstack.org/285757  06:23
<openstackgerrit> Merged openstack/keystoneauth master: Updated from global requirements  https://review.openstack.org/431958  06:47
<openstackgerrit> Merged openstack/keystoneauth master: Fixed multiple target Auth warning in docstring  https://review.openstack.org/431184  06:48
*** martinlopes has quit IRC07:13
*** tesseract has joined #openstack-keystone07:17
<openstackgerrit> Merged openstack/keystone master: Fix typo in config doc  https://review.openstack.org/435830  07:28
*** edmondsw has joined #openstack-keystone07:32
*** edmondsw has quit IRC07:36
<openstackgerrit> Richard Avelar proposed openstack/python-keystoneclient master: do not merge: test ksc gate  https://review.openstack.org/435492  07:47
*** pcaruana has joined #openstack-keystone08:28
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-keystone09:01
*** xek_ is now known as xek09:07
*** arunkant has quit IRC09:16
*** thorst has joined #openstack-keystone09:19
*** masber has joined #openstack-keystone09:21
*** arunkant has joined #openstack-keystone09:22
*** h5t4 has joined #openstack-keystone09:30
*** iljal has joined #openstack-keystone09:31
*** thorst has quit IRC09:56
*** tovin07 has quit IRC10:10
*** guoshan has quit IRC10:14
*** hoangcx_ has quit IRC10:25
*** liujiong has quit IRC10:30
*** thorst has joined #openstack-keystone10:32
*** mvk has quit IRC10:34
*** hoonetorg has quit IRC10:37
*** hoonetorg has joined #openstack-keystone10:59
<openstackgerrit> Merged openstack/keystone master: Rename protocol cascade delete migration file  https://review.openstack.org/433644  11:05
*** thorst has quit IRC11:13
*** mvk has joined #openstack-keystone11:22
*** thorst has joined #openstack-keystone11:29
*** martinus- has quit IRC11:30
*** martinus__ has joined #openstack-keystone11:30
*** edmondsw has joined #openstack-keystone11:33
*** thorst has quit IRC11:33
*** edmondsw has quit IRC11:37
*** iljal has quit IRC11:44
*** iljal has joined #openstack-keystone11:49
*** iljal_ has joined #openstack-keystone11:49
*** iljal has quit IRC11:53
*** nicolasbock has joined #openstack-keystone11:56
*** edmondsw has joined #openstack-keystone12:02
*** iljal_ has quit IRC12:11
*** catintheroof has joined #openstack-keystone12:39
*** catinthe_ has joined #openstack-keystone12:41
*** catintheroof has quit IRC12:45
*** nishaYadav_ has joined #openstack-keystone13:07
*** markvoelker has joined #openstack-keystone13:09
*** markvoelker_ has joined #openstack-keystone13:11
*** markvoelker has quit IRC13:14
*** dave-mccowan has joined #openstack-keystone13:15
*** chlong has quit IRC13:16
*** markvoelker has joined #openstack-keystone13:19
*** markvoelker_ has quit IRC13:21
*** markvoelker_ has joined #openstack-keystone13:21
*** markvoelker has quit IRC13:24
*** darrenc_ has joined #openstack-keystone13:34
*** markvoelker has joined #openstack-keystone13:34
*** darrenc has quit IRC13:35
*** jhesketh has quit IRC13:35
*** markvoelker_ has quit IRC13:35
*** raildo has joined #openstack-keystone13:35
*** lucasxu has joined #openstack-keystone13:35
*** iljal has joined #openstack-keystone13:35
*** v1k0d3n has joined #openstack-keystone13:35
*** jhesketh has joined #openstack-keystone13:37
*** lucasxu has quit IRC13:39
*** lucasxu has joined #openstack-keystone13:40
*** spilla has joined #openstack-keystone13:45
*** lucasxu has quit IRC13:46
*** dikonoor has joined #openstack-keystone13:57
*** jamielennox|away is now known as jamielennox14:06
<dikonoor> lbragstad: hi..  14:07
<lbragstad> dikonoor  14:07
<lbragstad> hello  14:07
<dikonoor> lbragstad: Good Morning :) this is about https://bugs.launchpad.net/keystone/+bug/1662514, which is causing a bit of pain in the brain as group revocations are causing havoc.  14:08
<openstack> Launchpad bug 1662514 in OpenStack Identity (keystone) "Revoking a non-existing role revokes token for users of same role" [Undecided,New]  14:08
*** akrzos is now known as akrzos-ptg  14:08
<dikonoor> lbragstad: You and dstanek and morgan had a discussion with praskre on this last week.  14:09
<dikonoor> lbragstad: the basic problems as listed are a) revocation events getting generated if you try to remove a non-existent role assignment  14:10
<dikonoor> lbragstad: b) the other main problem being the revocation event generated for group revocation generates an event with only project/domain id and role  14:11
<lbragstad> dikonoor yeah - that sounds accurate  14:11
<dikonoor> which basically means that after that all tokens with that project/domain and role get revoked  14:11
<dikonoor> irrespective of which group they have assignment to  14:12
*** edmondsw has quit IRC  14:12
<dikonoor> So if I have two groups - group A and B, both with admin role assignment to the same project, and if I revoke the role grant from any of them.. all users within both these groups + users with direct role assignment against this project/domain with the same role - all get revoked  14:13
<dikonoor> mass revocation happens..  14:14
<dikonoor> One of the solutions that praskre suggested the other day was to add a new column to the revocation_event table. The new column will be named group_id  14:14
*** edmondsw has joined #openstack-keystone  14:16
*** thiagolib has joined #openstack-keystone  14:16
<dikonoor> lbragstad: so that the group_id also gets added into the revocation events table when a group grant is removed  14:16
*** edmondsw_ has joined #openstack-keystone  14:17
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth master: Add loading mock fixtures  https://review.openstack.org/436012  14:17
<dikonoor> lbragstad: When the token check happens against the revocation events, we then check if the user belongs to this group.  14:19
*** edmondsw_ has quit IRC  14:19
*** edmondsw_ has joined #openstack-keystone  14:19
*** nishaYadav_ has quit IRC  14:19
<dikonoor> lbragstad: dstanek: morgan: Do you see any challenges with this approach?  14:19
<lbragstad> I'd try solving the first problem  14:21
*** edmondsw has quit IRC  14:21
<lbragstad> which should be a matter of validating the role before creating the revocation event  14:21
<lbragstad> and start with that  14:21
<morgan> will need to think about it. headed to the airport ATM.  14:21
<morgan> can talk when I arrive.  14:22
*** nishaYadav has joined #openstack-keystone  14:22
<dikonoor> lbragstad: you mean validate if the group has that role before creating the event.. Agree.. that way no event is created  14:22
<nishaYadav> o/  14:22
<dikonoor> lbragstad: Now comes the second problem of mass revocation of any user/group within that domain/project with the same role..  14:23
<lbragstad> dikonoor and this is when you remove a role from a group, right?  14:24
<dikonoor> yes right >> openstack role remove --group abc --project abc admin for eg.  14:25
<dikonoor> lbragstad: the bug description shows the revocation event in the table for this >> https://bugs.launchpad.net/keystone/+bug/1662514  14:25
<openstack> Launchpad bug 1662514 in OpenStack Identity (keystone) "Revoking a non-existing role revokes token for users of same role" [Undecided,New]  14:25
*** lucasxu has joined #openstack-keystone  14:28
<dikonoor> lbragstad: we tried removing a role assignment with project scope  14:28
*** r1chardj0n3s has quit IRC  14:29
*** darrenc_ has quit IRC  14:29
*** darrenc has joined #openstack-keystone  14:29
*** r1chardj0n3s has joined #openstack-keystone  14:30
<lbragstad> dikonoor another possible option would be to determine the list of projects a user has access to at token validation time and return a 401 if the token context has a different set of groups than what they have at time of validation  14:32
<openstackgerrit> Nisha Yadav proposed openstack/keystone-specs master: Fix typos and grammatical errors  https://review.openstack.org/436026  14:33
<lbragstad> that still might be too broad for revoking other tokens too though  14:33
<nishaYadav> lbragstad, can you please look at the patch once, it's a trivial patch ^  14:34
<lbragstad> nishaYadav yeah - i can take a look  14:34
<dikonoor> lbragstad: the group_id column should take care of all cases except one.  14:35
*** tqtran has joined #openstack-keystone  14:35
<nishaYadav> lbragstad, thank you :)  14:35
<lbragstad> dikonoor and what case is that?  14:35
<dikonoor> well.. I don't know if this is how the behavior should be.. Let's say I have a user with a direct role assignment to a project with some role, say admin.. The user is part of a group.. I then add a group role assignment for this group with the same role, same project/domain  14:37
<dikonoor> So, now the user has 2 role assignments - one direct and the other inherited  14:38
*** John341 has joined #openstack-keystone  14:38
<dikonoor> Then we remove the group role assignment, which generates the revocation event (and let's say we now have a group id column and that has the group_id)  14:38
<dikonoor> The token corresponding to this user will be revoked  14:39
<John341> Hi all! Can anyone please clarify, when I issue a fernet token, do I use 'id' found in the body in subsequent requests as X-Auth-Token:, or do I use 'X-Subject-Token' from the header?  14:39
<dikonoor> even though the direct role assignment of the user is not  14:39
<John341> The documentation here claims that the 'id' should be provided in subsequent requests, https://developer.openstack.org/api-ref/identity/v3/?expanded=password-authentication-with-unscoped-authorization-detail,token-authentication-with-scoped-authorization-detail#authentication-and-token-management  14:40
<dikonoor> lbragstad: but if we do it the other way around.. the behavior is different.. for eg. if I revoke the user role grant, it generates a revocation event very specific to the user.. The check_token check for is_revoked of the token will fail only for that specific user  14:42
<lbragstad> dikonoor hmm  14:42
<lbragstad> right - i would expect the token to be valid in both cases  14:42
<dikonoor> lbragstad: In short.. group role revokes ensure that all users within that group are revoked (even if one or more users have direct role assignments)  14:43
<dikonoor> So effectively we have 3 problems.. Not sure if we need 3 LP bugs..  14:43
*** jperry has joined #openstack-keystone  14:43
<dikonoor> I got to step out now.. Will be back soon.. Problem 1 and problem 2 can be fixed.. I am not sure of how problem 3 can be tackled  14:44
<dikonoor> Also problem 2 - the group_id column is what I think would be the best option.. another option is to reuse the user_id column to populate group_id  14:44
<dikonoor> lbragstad: I have to step out.. I will login later..  14:46
<dikonoor> lbragstad: prashkre is thinking of putting out a patch with a new group_id column..  14:47
<lbragstad> dikonoor yeah - that'd be great!  14:47
<lbragstad> if anything it will help us flush out other proposals  14:47
<lbragstad> if we decide to go a different route  14:47
<lbragstad> dikonoor i'm going to update the bugs and split them up a bit, so we track the right problems to the right bugs  14:48
<lbragstad> John341 if you're using v3, when you authenticate for a token you'll have to pull the token out of the X-Subject-Token header  14:55
*** darrenc has quit IRC14:55
*** chlong has joined #openstack-keystone14:55
*** darrenc has joined #openstack-keystone14:56
*** nishaYadav has quit IRC14:56
*** thorst has joined #openstack-keystone15:02
*** thorst has quit IRC15:05
*** thorst has joined #openstack-keystone15:06
*** thorst_ has joined #openstack-keystone15:07
*** thorst has quit IRC15:10
*** lucasxu has quit IRC15:11
*** chris_hultin|AWA is now known as chris_hultin15:21
*** lucasxu has joined #openstack-keystone15:22
*** lucasxu has quit IRC15:24
*** chris_hultin is now known as chris_hultin|AWA15:35
<h5t4> Hi, I see the following problem. Project scoped, 'admin' named, role not recognized at all. And global 'admin' role allows domain_admin and project_admin to delete VMs from another domain/project - including VMs from the cloud_admin project. I am using keystone 'https://git.openstack.org/openstack/openstack-ansible-os_keyston' commit 'f4eabced3e96187bf5a3ffebaac4a14d15f30619' and  15:40
<h5t4> 'https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json' Is it a known issue?  15:40
<h5t4> sorry <Domain> scoped, 'admin' named  15:41
*** thorst_ has quit IRC  15:42
<openstackgerrit> Jamie Lennox proposed openstack/keystoneauth master: Add loading mock fixtures  https://review.openstack.org/436012  15:43
*** browne has joined #openstack-keystone  15:46
*** thorst has joined #openstack-keystone  15:49
<h5t4> For me it seems that there can be only one admin role per cloud. The _member_ role seems to work fine in a multi domain environment.  15:50
*** david-lyle has joined #openstack-keystone15:53
*** lucasxu has joined #openstack-keystone15:53
*** thorst has quit IRC15:54
*** lamt has joined #openstack-keystone15:54
*** thorst has joined #openstack-keystone15:57
*** iljal_ has joined #openstack-keystone15:58
*** iljal__ has joined #openstack-keystone15:59
*** lamt has quit IRC16:02
*** iljal has quit IRC16:02
*** iljal_ has quit IRC16:03
*** lamt has joined #openstack-keystone16:03
*** lamt has quit IRC16:08
*** david-lyle has quit IRC16:18
*** thiagolib has quit IRC16:21
*** iljal__ has quit IRC16:23
*** mvk has quit IRC16:27
*** iljal has joined #openstack-keystone16:33
<dikonoor> lbragstad: Thanks for updating the bug and splitting it into two parts.  16:35
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code  https://review.openstack.org/435609  16:36
<lbragstad> dikonoor no problem  16:36
*** lucasxu has quit IRC  16:37
<dikonoor> lbragstad: prashkre will send across changes with group_id shortly.  16:38
*** h5t4 has quit IRC  16:40
<lbragstad> dikonoor good deal!  16:43
*** browne has quit IRC16:48
<morgan> lbragstad: wait what was that about validation and 401s on group change?  16:51
<lbragstad> morgan when a role assignment is removed from a group, the revocation event that is persisted is too broad  16:52
<morgan> lbragstad: something sounds very wrong with that statement.  16:52
<morgan> the 401 one  16:52
<morgan> what is too broad about it specifically?  16:53
<lbragstad> morgan https://bugs.launchpad.net/keystone/+bug/1662514  16:53
<openstack> Launchpad bug 1662514 in OpenStack Identity (keystone) "Removing group role assignments results in overly broad revocation events" [Undecided,New]  16:53
<morgan> there is another fix  16:53
*** tqtran has quit IRC  16:53
<morgan> stop persisting uuid token data in the db, validate uuid tokens like fernet  16:54
*** pcaruana has quit IRC  16:54
<lbragstad> morgan we do  16:54
<morgan> then we can drop that type of rev event entirely  16:54
<morgan> then that type of event shouldn't be ever created.  16:54
<lbragstad> morgan that's not the problem - we don't store revocation events based on group  16:54
<morgan> Sec. let me switch to laptop.  16:54
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 2)  https://review.openstack.org/435751  16:54
*** tqtran has joined #openstack-keystone  16:54
<lbragstad> morgan the problem is that we store revocation events with a role id and project id, which applies to direct role assignments and group role assignments  16:55
*** thorst has quit IRC  16:55
<morgan> lbragstad: ok  16:57
<morgan> lbragstad: so if we validate *all* tokens like fernet, where we re-populate roles every time on validation  16:57
<lbragstad> so if i have a project 'engineering' and a group called 'engineers' and they have the 'engineer' role, but Bob *also* has the 'engineer' role, then if I remove the 'engineer' role from the 'engineers' group, Bob's tokens scoped to 'engineering' are also revoked  16:57
<morgan> lbragstad: we should NEVER need to revoke on a role being removed from a group  16:57
<morgan> unless there is no longer a role at all on the project  16:58
<morgan> and even then... a null list of roles should net us the same effect.  16:58
<lbragstad> roles can be calculated at validation time, and I completely agree with that approach  16:58
<morgan> in short, if we always validate in the same manner and repopulate the token data on validation, we can drop revocation events almost entirely.  16:58
<morgan> the exceptions are: user password change  16:58
<morgan> group removal  16:59
<morgan> and like 1-2 others  16:59
<morgan> but basically, don't try and fix revocation events, fix token validation  16:59
<morgan> it is a much narrower case and we can reduce reliance on revocations further  16:59
<morgan> therefore making keystone generally more performant in more cases. revocation events are a real issue with performance at this point  16:59
<morgan> sorry, had to switch to the laptop to type that out. doing it on the phone was getting frustrating  17:00
<morgan> :P  17:00
<morgan> let's not lean more on revocations, which we know are painful  17:01
*** lucasxu has joined #openstack-keystone  17:04
*** thorst has joined #openstack-keystone  17:05
<lbragstad> morgan right - i don't disagree with you there  17:05
<lbragstad> morgan but i think we already calculate group assignments on the fly at validation time  17:05
<morgan> so then... just stop issuing those rev. events  17:06
<morgan> see what breaks  17:06
<lbragstad> when we ask the assignment api for a list of role assignments based on the user and the project  17:06
<morgan> uuid tokens iirc never were updated to validate like fernet tokens  17:06
*** v1k0d3n has quit IRC  17:06
<morgan> we still have two WILDLY different paths of validation  17:06
<lbragstad> morgan yes there were  17:06
<lbragstad> morgan not any more  17:06
<lbragstad> morgan i fixed all that last release  17:06
<morgan> good, we should stop storing as much data as we do in the DB for uuid, and store the same data as the fernet payload then  17:07
<morgan> :P  17:07
<morgan> i am surprised fwiw, i was shot down really hard when i suggested making uuid tokens validate that way  17:07
<lbragstad> yeah - that would be the next steo  17:07
<lbragstad> step*  17:07
<morgan> everyone told me they hated the idea and it would make uuid tokens suck.  17:07
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 2)  https://review.openstack.org/435751  17:08
<lbragstad> morgan https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:master+topic:cleanup-token-provider  17:08
<morgan> nice  17:08
*** markvoelker has quit IRC  17:08
*** charz has quit IRC  17:09
*** d0ugal has quit IRC  17:09
*** iljal has quit IRC  17:09
*** zzzeek has quit IRC  17:09
*** jefrite_ has quit IRC  17:09
*** chrome0_ has quit IRC  17:09
*** tqtran has quit IRC  17:09
<morgan> just store the fernet payload then merge all that code into something less all over the place  17:09
*** charz_ has joined #openstack-keystone  17:09
<morgan> then #win  17:09
*** zzzeek has joined #openstack-keystone  17:09
*** jamielennox is now known as jamielennox|away  17:09
*** chrome0 has joined #openstack-keystone  17:09
*** jefrite has joined #openstack-keystone  17:09
*** h5t4 has joined #openstack-keystone  17:09
*** thorst has quit IRC  17:09
*** d0ugal has joined #openstack-keystone  17:10
<morgan> ok logging back off to find my plane.  17:12
<lbragstad> morgan o/  17:12
<lbragstad> morgan have a safe flight  17:12
*** browne has joined #openstack-keystone17:14
*** browne has quit IRC17:14
*** edmondsw_ has quit IRC17:15
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 3)  https://review.openstack.org/435754  17:15
*** mvk has joined #openstack-keystone17:17
*** edmondsw has joined #openstack-keystone17:18
*** edmondsw has quit IRC17:20
*** edmondsw has joined #openstack-keystone17:20
*** browne has joined #openstack-keystone17:25
*** edmondsw has quit IRC17:25
<dikonoor> lbragstad: Hi.. On your latest comments - "Another possible solution to this problem would be to stop persisting  17:29
<dikonoor> revocation events when removing group assignments. As of a release or  17:29
<dikonoor> two ago, we refactored all the token provider logic to validate tokens  17:29
<dikonoor> the same way [0]. This means that we rebuild the assignments at  17:29
<dikonoor> validation time, which might mean we no longer need to persist a  17:29
<dikonoor> revocation event here."..  17:29
<lbragstad> dikonoor yep  17:30
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code  https://review.openstack.org/435609  17:30
<dikonoor> lbragstad: you mean that every time we check if the role assignment for that token is present in the assignments table..  17:31
<dikonoor> lbragstad: which wouldn't work for the cases where that specific token has been revoked, in which case it still has to be checked against the revocation table  17:32
<lbragstad> dikonoor we revoke individual tokens by audit id  17:32
<lbragstad> dikonoor not user-project-role relationships  17:32
<dikonoor> lbragstad - yeah right.. so when a token comes up for the is_revoked check, there still needs to be a check against the revocation table to see if that specific token was revoked by its audit_id  17:33
<lbragstad> dikonoor yes  17:34
<lbragstad> either way we have to check for revocations because there are some things we will only be able to accomplish by using revocation events  17:34
*** jaosorior has quit IRC  17:35
<lbragstad> for example, fernet tokens aren't persisted, so we revoke them by audit_id since it's something we can guarantee to be in the token  17:35
<lbragstad> versus revoking uuid tokens, in the past we used to just remove them from the database  17:35
<lbragstad> dikonoor the point that morgan was making is that we should try to rebuild all authorization context at validation time instead of relying on revocation events  17:36
<dikonoor> lbragstad: let me read morgan's comments  17:37
<lbragstad> because technically - if we rebuild the authorization context at validation time, that should tell us exactly what we have access to because we are checking the assignments in real time  17:37
<lbragstad> we shouldn't have to rely on a revocation event to tell us about group assignments  17:37
<lbragstad> for example - when we build a list of assignments when we validate a token, group assignments should be included in that list  17:38
*** tesseract has quit IRC  17:40
<lbragstad> say a user has a group assignment on the 'accounting' project, if we remove that group assignment and that user validates a token scoped to that project, we should be able to determine at validation time that the user doesn't have any role assignment on the 'accounting' project so we should return a 401  17:40
<lbragstad> so - because we're building the list of assignments for a user at token validation time, we're handling revocation automatically due to the design  17:41
<lbragstad> (revocation events were originally developed as a way to revoke cached tokens)  17:42
*** lucasxu has quit IRC  17:45
*** edmondsw has joined #openstack-keystone  17:46
*** thorst has joined #openstack-keystone  17:49
<dikonoor> lbragstad: I agree.. this approach sounds better than the group_id approach  17:50
<lbragstad> dikonoor so - the alternate approach might be to just start removing https://github.com/openstack/keystone/blob/4ef175926db6785f3c48d3b2c8ff43a3466d3344/keystone/assignment/core.py#L371 and seeing what breaks  17:50
<lbragstad> in the tests  17:51
*** edmondsw has quit IRC  17:51
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 4)  https://review.openstack.org/435755  17:52
*** thorst has quit IRC  17:53
<dikonoor> ok.. lbragstad: I hope the project and domain revoke api calls can be cleaned up from there and replaced with something to pull the current role assignments and then check against that  17:53
<dikonoor> or is there a better place to do that validation?  17:53
<lbragstad> dikonoor technically - it should be done when we validate a token  17:54
<dikonoor> lbragstad: oh.. right.. check_token calls is_revoked and putting it somewhere in that should help.. and in the above flow, if we clean up adding revocation events for group and user role removal, that should be good  17:56
<dikonoor> https://github.com/openstack/keystone/blob/master/keystone/revoke/core.py#L193  17:57
*** thorst has joined #openstack-keystone  17:58
*** jamielennox|away is now known as jamielennox  17:58
*** browne has quit IRC  17:58
<dikonoor> https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L144-L150  17:59
<lbragstad> dikonoor actually - you shouldn't really need to do that anywhere  17:59
<dikonoor> lbragstad: oh.. you mean to say it should already be in place  17:59
<lbragstad> dikonoor yeah - i think so  18:00
<lbragstad> dikonoor this method gets called when we validate a token https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L250  18:00
<lbragstad> dikonoor https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L327-L340 is the result if the user has no assignments on the project or domain they are claiming to have assignments on in the token scope  18:01
<lbragstad> so - ^ that is what does the role validation at token validation time  18:02
<lbragstad> does that make sense?  18:02
*** edmondsw has joined #openstack-keystone  18:02
*** thorst has quit IRC  18:02
<lbragstad> dikonoor i'm going to step away for lunch quick - but I'll be back shortly  18:03
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 5)  https://review.openstack.org/435757  18:03
*** tqtran has joined #openstack-keystone  18:03
<dikonoor> lbragstad: ok sure.. I may log out and go hit the sack.. I am working from India.  18:04
*** edmondsw has quit IRC  18:06
<dikonoor> lbragstad: So, the LOC you pointed to already has the check for role assignments and throws a 401. So, the only changes needed would be a) no revocation events for role removals for both users and groups  18:08
<dikonoor> b) the is_revoked flow should be modified if needed to check for only revoked tokens  18:09
<dikonoor> lbragstad: Do you agree?  18:09
*** jose-phillips has joined #openstack-keystone18:10
*** chlong has quit IRC18:11
*** edmondsw has joined #openstack-keystone18:13
*** edmondsw has quit IRC18:13
*** edmondsw has joined #openstack-keystone18:13
<dikonoor> lbragstad: if any other solution comes up, please update the LP bug and I will take a look.  18:13
*** markvoelker has joined #openstack-keystone18:23
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code  https://review.openstack.org/435609  18:23
*** browne has joined #openstack-keystone18:25
*** thorst has joined #openstack-keystone18:26
*** thorst has quit IRC18:26
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 2)  https://review.openstack.org/435751  18:26
*** chlong has joined #openstack-keystone18:26
*** thorst has joined #openstack-keystone18:27
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code (part 3)  https://review.openstack.org/435754  18:33
*** lucasxu has joined #openstack-keystone18:35
*** dikonoor has quit IRC18:36
*** david-lyle has joined #openstack-keystone18:47
<openstackgerrit> Nisha Yadav proposed openstack/keystone-specs master: Fix typos and grammatical errors  https://review.openstack.org/436026  18:49
*** v1k0d3n has joined #openstack-keystone18:51
*** brad[]` is now known as brad[]18:56
*** tqtran has quit IRC18:59
*** tqtran has joined #openstack-keystone19:00
*** lucasxu has quit IRC19:09
*** david-lyle has quit IRC19:15
*** jerrygb has joined #openstack-keystone19:15
*** lucasxu has joined #openstack-keystone19:23
*** david-lyle has joined #openstack-keystone19:27
*** lucasxu has quit IRC19:38
*** lamt has joined #openstack-keystone19:48
*** jerrygb has quit IRC19:49
*** david-lyle_ has joined #openstack-keystone19:49
*** david-lyle has quit IRC19:50
*** david-lyle_ has quit IRC19:59
*** lucasxu has joined #openstack-keystone20:01
*** jerrygb has joined #openstack-keystone20:11
*** lamt has quit IRC20:15
*** jerrygb has quit IRC20:15
*** edmondsw has quit IRC20:20
*** lamt has joined #openstack-keystone20:20
*** lucasxu has quit IRC20:20
*** edmondsw has joined #openstack-keystone20:22
*** jamielennox is now known as jamielennox|away20:23
*** edmondsw_ has joined #openstack-keystone20:25
*** lamt has quit IRC20:27
*** edmondsw has quit IRC20:27
*** lucasxu has joined #openstack-keystone20:28
*** lucasxu has quit IRC20:29
*** lamt has joined #openstack-keystone20:31
*** lamt has quit IRC20:34
*** lamt has joined #openstack-keystone20:36
*** lucasxu has joined #openstack-keystone20:40
*** david-lyle has joined #openstack-keystone20:43
*** lucasxu has quit IRC20:46
*** david-lyle has quit IRC20:50
*** v1k0d3n has quit IRC20:51
*** dtroyer has quit IRC20:51
*** v1k0d3n has joined #openstack-keystone20:58
*** lamt has quit IRC20:58
*** thorst has quit IRC21:02
*** lamt has joined #openstack-keystone21:03
*** david-lyle has joined #openstack-keystone21:03
*** lucasxu has joined #openstack-keystone21:11
<bknudson> talking about service catalog at the PTG: https://etherpad.openstack.org/p/service-catalog-pike  21:12
* lbragstad follows along  21:13
*** lucasxu has quit IRC  21:14
<bknudson> jamielennox|away and I are here. and a lot of nova people for some reason  21:17
<lbragstad> bknudson has the session started?  21:17
<lbragstad> oh - that's right, you guys are on eastern  21:17
<gagehugo> yeah started about 45 mins ago  21:18
<lbragstad> ok - cool  21:18
<lbragstad> i was confused for a second wonder if it was about to start in 15  21:18
<lbragstad> wondering*  21:18
<EmilienM> samueldmq: https://review.openstack.org/#/c/436197/ FYI  21:18
<EmilienM> samueldmq: bootstrapping the work that we talked about face to face  21:19
<lbragstad> bknudson gagehugo am i seeing an action item for keystone to put version in the service?  21:20
*** lucasxu has joined #openstack-keystone  21:23
<bknudson> lbragstad: see https://review.openstack.org/#/c/436178/1  21:23
<bknudson> I was wondering why https://developer.openstack.org/api-ref/identity/ was messed up? it's not indenting subsections properly  21:24
*** lucasxu has quit IRC  21:24
<bknudson> seems like https://developer.openstack.org/api-ref/identity/ is what identity should be pointing at  21:25
<lbragstad> bknudson yeah - that's what sdague said in his note, too  21:25
<lbragstad> bknudson i assume they don't want to point to the v2 documentation?  21:26
*** edmondsw_ has quit IRC  21:26
<bknudson> I think they do want to point to the whole supported API  21:26
<rodrigods> lbragstad, liked the feedback!  21:27
<rodrigods> (user survey feedback)  21:27
<lbragstad> rodrigods ++  21:27
<gagehugo> bknudson yeah that's what it looks like  21:29
*** tqtran has quit IRC  21:32
*** edmondsw has joined #openstack-keystone  21:32
<lbragstad> gagehugo bknudson is STA a way to get users to use names instead of types? or are projects supposed to consume it somehow?  21:32
<bknudson> the plan is to use types and not names (maybe don't even have name in the catalog)  21:33
<lbragstad> bknudson ah - so STA is where that is defined,  21:33
<gagehugo> yeah  21:33
<gagehugo> https://github.com/openstack/service-types-authority  21:34
<lbragstad> so then we start changing clients and what-not to use type instead of name  21:34
<bknudson> I hope the clients are using type already!  21:34
<lbragstad> bknudson me too  21:34
*** edmondsw has quit IRC21:40
*** browne has quit IRC21:45
*** dtroyer has joined #openstack-keystone21:51
*** lamt has quit IRC21:51
*** david-lyle has quit IRC21:55
*** markvoelker has quit IRC22:01
*** v1k0d3n has quit IRC22:03
*** thorst has joined #openstack-keystone22:04
*** chlong has quit IRC22:04
<samueldmq> EmilienM: nice!  22:06
*** spilla has quit IRC22:08
*** thorst has quit IRC22:08
*** edmondsw has joined #openstack-keystone22:17
*** edmondsw has quit IRC22:18
*** edmondsw has joined #openstack-keystone22:19
*** edmondsw has quit IRC22:23
*** martinlopes has joined #openstack-keystone22:28
*** dave-mccowan has quit IRC22:32
*** jose-phillips has quit IRC22:38
*** martinlopes has quit IRC22:39
*** martinlopes has joined #openstack-keystone22:43
*** adriant has joined #openstack-keystone22:44
*** jose-phillips has joined #openstack-keystone22:45
*** chris_hultin|AWA is now known as chris_hultin22:51
*** jperry has quit IRC23:14
*** dave-mccowan has joined #openstack-keystone23:25

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!