Tuesday, 2017-04-04

[00:07] *** agrebennikov has quit IRC
[00:25] *** catintheroof has joined #openstack-keystone
[00:31] *** thorst has quit IRC
[00:31] *** thorst has joined #openstack-keystone
[00:35] *** thorst has quit IRC
[00:41] *** adrian_otto has joined #openstack-keystone
[00:42] *** bjornar_ has quit IRC
[01:00] *** stingaci has quit IRC
[01:00] *** stingaci has joined #openstack-keystone
[01:02] *** catintheroof has quit IRC
[01:04] *** adrian_otto has quit IRC
[01:07] *** thorst has joined #openstack-keystone
[01:15] *** thorst has quit IRC
[01:17] *** dave-mccowan has quit IRC
[01:51] *** knangia has quit IRC
[01:54] *** niteshnarayanlal has joined #openstack-keystone
[02:06] *** harlowja has quit IRC
[02:09] *** adrian_otto has joined #openstack-keystone
[02:10] *** ravelar has quit IRC
[02:15] *** thorst has joined #openstack-keystone
[02:21] *** aojea has joined #openstack-keystone
[02:23] *** adrian_otto has quit IRC
[02:25] *** aojea has quit IRC
[02:25] *** adrian_otto has joined #openstack-keystone
[02:26] *** blake has joined #openstack-keystone
[02:28] <blake> Does anyone have an example of how to properly utilize the _saml2.v3.ADFSPassword driver?
[02:34] *** swatson has quit IRC
[02:35] *** thorst has quit IRC
[02:46] *** Shunli has joined #openstack-keystone
[02:47] *** adrian_otto has quit IRC
[02:50] *** harlowja has joined #openstack-keystone
[02:55] *** nicolasbock has quit IRC
[03:01] *** blake has quit IRC
[03:03] *** wuyanjun has joined #openstack-keystone
[03:06] *** Elaine_wu has quit IRC
[03:08] *** links has joined #openstack-keystone
[03:20] *** Shunli has quit IRC
[03:39] *** niteshnarayanlal has quit IRC
[03:56] *** harlowja has quit IRC
[03:56] *** adrian_otto has joined #openstack-keystone
[04:07] *** harlowja has joined #openstack-keystone
[04:17] *** niteshnarayanlal has joined #openstack-keystone
[04:23] *** blake has joined #openstack-keystone
[04:32] *** thorst has joined #openstack-keystone
[04:33] *** harlowja has quit IRC
[04:37] *** thorst has quit IRC
[04:37] <openstackgerrit> Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/452585
[04:41] *** rderose_ has joined #openstack-keystone
[04:43] *** rderose has quit IRC
[04:45] *** rcernin has joined #openstack-keystone
[04:51] *** blake_ has joined #openstack-keystone
[04:52] *** blake has quit IRC
[04:55] <openstackgerrit> Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/452585
[05:00] *** adrian_otto has quit IRC
[05:03] *** stingaci has quit IRC
[05:09] *** Aurelgad1o has joined #openstack-keystone
[05:09] *** John341 has joined #openstack-keystone
[05:09] *** rcernin has quit IRC
[05:10] *** szaher_ has joined #openstack-keystone
[05:11] *** rcernin has joined #openstack-keystone
[05:11] *** harlowja has joined #openstack-keystone
[05:12] *** rodrigod` has joined #openstack-keystone
[05:13] *** evrardjp_ has joined #openstack-keystone
[05:13] *** NikitaKonovalov2 has joined #openstack-keystone
[05:14] *** szaher has quit IRC
[05:14] *** Dinesh_Bhor has quit IRC
[05:14] *** Guest74869 has quit IRC
[05:14] *** Aurelgadjo has quit IRC
[05:14] *** Krenair has quit IRC
[05:14] *** akrzos has quit IRC
[05:14] *** NikitaKonovalov has quit IRC
[05:14] *** rodrigods has quit IRC
[05:14] *** John341_ has quit IRC
[05:14] *** evrardjp has quit IRC
[05:14] *** NikitaKonovalov2 is now known as NikitaKonovalov
[05:15] *** sigmavirus has joined #openstack-keystone
[05:15] *** jamielennox is now known as jamielennox|away
[05:15] *** akrzos has joined #openstack-keystone
[05:15] *** sigmavirus is now known as Guest94155
[05:16] *** rderose_ has quit IRC
[05:17] *** Krenair has joined #openstack-keystone
[05:21] *** Dinesh_Bhor has joined #openstack-keystone
[05:33] *** thorst has joined #openstack-keystone
[05:34] *** aojea has joined #openstack-keystone
[05:37] *** jamielennox|away is now known as jamielennox
[05:38] *** thorst has quit IRC
[05:41] *** madgoat has joined #openstack-keystone
[05:41] *** aojea has quit IRC
[05:41] *** madgoat has left #openstack-keystone
[05:43] *** richm has quit IRC
[05:49] *** mtreinish has quit IRC
[05:50] *** mtreinish has joined #openstack-keystone
[05:52] *** mtreinish has quit IRC
[05:56] *** mtreinish has joined #openstack-keystone
[06:01] *** jaosorior_away is now known as jaosorior
[06:02] *** harlowja has quit IRC
[06:04] *** knangia has joined #openstack-keystone
[06:17] *** niteshnarayanlal has quit IRC
[06:19] *** voelzmo has joined #openstack-keystone
[06:19] *** blake_ has quit IRC
[06:24] *** voelzmo has quit IRC
[06:26] *** tesseract has joined #openstack-keystone
[06:27] *** voelzmo has joined #openstack-keystone
[06:34] *** thorst has joined #openstack-keystone
[06:38] *** thorst has quit IRC
[06:46] *** krypto has joined #openstack-keystone
[06:50] <krypto> hi is there a way to automatically add a particular user with role "admin" to all new projects.
[06:59] *** Aqsa has joined #openstack-keystone
[07:19] *** pcaruana has joined #openstack-keystone
[07:23] *** Aqsam has joined #openstack-keystone
[07:24] *** aojea has joined #openstack-keystone
[07:24] *** Aqsa has quit IRC
[07:27] *** aojea_ has joined #openstack-keystone
[07:30] *** aojea has quit IRC
[07:32] *** adriant has quit IRC
[07:34] *** thorst has joined #openstack-keystone
[07:37] *** rvba has quit IRC
[07:39] *** thorst has quit IRC
[07:42] *** rvba has joined #openstack-keystone
[07:43] *** rvba has quit IRC
[07:43] *** rvba has joined #openstack-keystone
[07:45] *** jamielennox is now known as jamielennox|away
[08:00] *** zzzeek has quit IRC
[08:00] *** zzzeek has joined #openstack-keystone
[08:28] *** toddnni has quit IRC
[08:31] *** knangia has quit IRC
[08:33] *** toddnni has joined #openstack-keystone
[08:35] *** thorst has joined #openstack-keystone
[08:48] <breton> out of the box no
[08:50] <breton> you can write a script to read messages from oslo_messaging and create the assignment when project creation happens
[08:55] *** thorst has quit IRC
[09:04] *** haplo37_ has quit IRC
[09:04] *** haplo37_ has joined #openstack-keystone
[09:05] *** slunkad has joined #openstack-keystone
[09:14] *** edmondsw has joined #openstack-keystone
[09:18] *** edmondsw has quit IRC
[09:19] *** szaher_ has quit IRC
[09:19] *** szaher has joined #openstack-keystone
[09:31] *** mvk has quit IRC
[09:37] *** bjornar_ has joined #openstack-keystone
[09:52] *** thorst has joined #openstack-keystone
[09:56] *** thorst has quit IRC
[09:57] *** evrardjp_ has quit IRC
[09:57] *** evrardjp has joined #openstack-keystone
[10:00] *** mvk has joined #openstack-keystone
[10:13] *** richm has joined #openstack-keystone
[10:33] *** nicolasbock has joined #openstack-keystone
[10:49] *** krypto has quit IRC
[11:03] *** jamielennox|away is now known as jamielennox
[11:15] *** ayoung_dadmode is now known as ayoung
[11:20] *** dave-mccowan has joined #openstack-keystone
[11:30] *** thorst has joined #openstack-keystone
[11:46] *** bjornar_ has quit IRC
[11:58] *** voelzmo has quit IRC
[12:01] *** rodrigod` is now known as rodrigods
[12:01] *** rodrigods has joined #openstack-keystone
[12:01] *** rodrigods has quit IRC
[12:01] *** voelzmo has joined #openstack-keystone
[12:02] *** rodrigods has joined #openstack-keystone
[12:03] *** rodrigods has quit IRC
[12:03] *** rodrigods has joined #openstack-keystone
[12:05] *** catintheroof has joined #openstack-keystone
[12:06] *** edmondsw has joined #openstack-keystone
[12:10] *** chlong has joined #openstack-keystone
[12:29] *** stingaci has joined #openstack-keystone
[12:33] *** stingaci has quit IRC
[12:41] *** voelzmo has quit IRC
[12:43] *** voelzmo has joined #openstack-keystone
[12:46] *** voelzmo has quit IRC
[12:49] *** voelzmo has joined #openstack-keystone
[12:54] *** spilla has joined #openstack-keystone
[12:54] *** ravelar has joined #openstack-keystone
[13:00] *** stradling has joined #openstack-keystone
[13:04] *** links has quit IRC
[13:07] *** belmoreira has joined #openstack-keystone
[13:32] *** dikonoor has joined #openstack-keystone
[13:34] *** rderose has joined #openstack-keystone
[13:36] *** jaosorior is now known as jaosorior_away
[14:00] <johnthetubaguy> lbragstad: I am going to need help understanding the problems with this one, when you have a spare moment: https://review.openstack.org/#/c/427872
[14:01] <lbragstad> johnthetubaguy reading it now
[14:02] <lbragstad> johnthetubaguy we had a long discussion yesterday - http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-04-03.log.html#t2017-04-03T19:17:55
[14:02] <rodrigods> lbragstad, samueldmq do we have a sequence to review these: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/policy-docs ?
[14:02] *** lamt has joined #openstack-keystone
[14:03] <lbragstad> rodrigods not necessarily
[14:03] <johnthetubaguy> lbragstad: it seems we have to let any service create their own roles, as I thought that was the whole idea, but I am curious what I am missing
[14:03] <rodrigods> lbragstad, ok, so i'll start with the oldest ones
[14:03] <lbragstad> rodrigods i leave the priority to antwash
[14:04] <rodrigods> antwash, ^ please let me know if there is a priority :)
[14:04] <lbragstad> rodrigods if he tells me a certain subset of those patches are good to go, then i review those first, and we iterate on them
[14:04] <lbragstad> instead of reviewing all of them and making him respin 20 patches every hour
[14:05] <lbragstad> johnthetubaguy I was under a similar assumption
[14:05] <lbragstad> johnthetubaguy where as a group, we would go through each role and determine what that means in each project
[14:05] <lbragstad> I would expect each project to go through this exercise in order to get better rbac support by default
[14:06] <rodrigods> lbragstad, ++ that's why i was asking :)
[14:08] <johnthetubaguy> lbragstad: I was thinking each service should eventually not allow any access to it by default, and we let the implied roles make that less hard work. But I am not 100% sure really.
[14:08] <lbragstad> johnthetubaguy yeah - that would be an interesting approach to vet out
[14:09] <johnthetubaguy> I think that's the way I am currently heading, probably the best thing is to take this to the operators at the forum
[14:10] <lbragstad> johnthetubaguy yeah - that would be a good idea regardless i think
[14:10] *** lamt has quit IRC
[14:10] <lbragstad> johnthetubaguy but i don't think this is something that is being done in a vacuum
[14:10] <lbragstad> I've proposed a spec to keystone that closely modeled this
[14:11] <johnthetubaguy> lbragstad: yeah, appreciate all the time you lovely folks have spent thinking through this with us, we are in a better spot now because of all that
[14:11] <lbragstad> johnthetubaguy thanks for all the guidance
[14:12] <johnthetubaguy> lbragstad: so the main bit is, I don't think it changes the scope work, which is probably enough to keep us busy this cycle anyways!
[14:12] <lbragstad> johnthetubaguy maybe we need a time slot in tomorrow's policy meeting
[14:13] <lbragstad> johnthetubaguy because the alternative is being proposed for pike - https://review.openstack.org/#/c/452198/
[14:13] <johnthetubaguy> lbragstad: something came up with adrian_otto the other day around magnum stuff, they were talking about an RBAC service because most projects don't do RBAC, so clearly there is something we are not getting right here. The middleware does sound interesting for brand new projects to adopt oslo.policy
[14:14] <lbragstad> johnthetubaguy interesting - i'd like to visit with him about that
[14:14] <johnthetubaguy> lbragstad: ah, so I can add my comments on the previous merged spec
[14:14] <lbragstad> johnthetubaguy your comments from the previously merged spec to the proposed one?
[14:15] <johnthetubaguy> oops, yeah, that's what I mean
[14:15] <lbragstad> johnthetubaguy ++
[14:16] <johnthetubaguy> will be tomorrow I think, focusing on the Nova spec review day today
[14:16] <lbragstad> johnthetubaguy sounds good
[14:17] <lbragstad> johnthetubaguy did you have that conversation with adrian in -containers?
[14:18] <johnthetubaguy> lbragstad: it was in vidyo I am afraid, it's more about the ideas around per VM users that get access to resources in barbican, and how you bootstrap getting them API tokens, dolphm may have better context on all that
[14:18] <lbragstad> johnthetubaguy ok - i can make a note to follow up
[14:18] <lbragstad> johnthetubaguy i'd love to get those discussions aired out before we start committing to solutions
[14:19] <johnthetubaguy> lbragstad: here we go: https://etherpad.openstack.org/p/WA9strlvxy
[14:20] <lbragstad> johnthetubaguy nice
[14:25] *** bjornar_ has joined #openstack-keystone
[14:26] <openstackgerrit> Samriddhi proposed openstack/keystoneauth master: Updated inconsistent value of scope parameter  https://review.openstack.org/452652
[14:26] <openstackgerrit> Samriddhi proposed openstack/keystone master: Updated scope parameter description in v3 API-ref  https://review.openstack.org/450038
[14:32] <antwash> rodrigods : hey there, I wouldn't say there's a priority, but I like getting the ones out the way that passed the gate and have the correct commit message. Here's a link of the ones ready for review :) https://etherpad.openstack.org/p/readypolicy
[14:35] <antwash> Once those get merged, I'll make changes to the other policy patches and update the etherpad with the next set -- I find placing them in the etherpad the best approach for reviewing.
[14:36] <openstackgerrit> Sean McCully proposed openstack/keystoneauth master: KeystoneAuth should default to system CAFile.  https://review.openstack.org/452585
[14:46] *** bjornar_ has quit IRC
[14:47] *** jlopezgu_ has joined #openstack-keystone
[14:48] *** erhudy has joined #openstack-keystone
[14:48] *** lamt has joined #openstack-keystone
[14:48] *** dikonoor has quit IRC
[14:54] <rodrigods> thanks antwash, will take a look at them today :)
[14:54] <antwash> rodrigods : great, thanks!
[14:59] <rodrigods> antwash, take a look at my comment at https://review.openstack.org/#/c/449341/6, you can fix it in a follow up patch
[14:59] <rodrigods> lbragstad was faster
[15:00] <antwash> rodrigods : gotcha
[15:01] <lbragstad> antwash i pulled the workflow in case you want to respin
[15:04] *** lucasxu has joined #openstack-keystone
[15:04] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault  https://review.openstack.org/449341
[15:05] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move policy policies to DocumentedRuleDefault  https://review.openstack.org/449248
[15:05] <lbragstad> rodrigods can't a mapping consist of multiple rules?
[15:07] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault  https://review.openstack.org/449341
[15:09] *** knangia has joined #openstack-keystone
[15:18] *** andymccr has joined #openstack-keystone
[15:19] *** raj_sing- has joined #openstack-keystone
[15:21] <andymccr> morning all - follow up on the PTG discussion. I know odyssey4me discussed integration of OSA's upgrade tasks on keystone commits - what is needed from our side and what we can do to help.
[15:21] <lbragstad> andymccr o/
[15:22] <lbragstad> andymccr afaik https://review.openstack.org/#/c/432449/ was the last thing needed
[15:22] <lbragstad> which would allow keystone to propose a gate job that could checkout the keystone patch in review and place it somewhere on the deploy host, and osa would do the rest
[15:24] *** belmoreira has quit IRC
[15:27] *** agrebennikov has joined #openstack-keystone
[15:27] *** raj_sing- is now known as raj_singh
[15:28] <andymccr> lbragstad: ahh sweet! thanks i'll take a look and try progress that a bit
[15:29] <lbragstad> andymccr awesome - i thought i remember odyssey4me saying there was something he wanted to do to that yep
[15:29] <lbragstad> yet*
[15:29] <lbragstad> andymccr but i can't remember exactly what it was
[15:29] <lbragstad> andymccr but once that merges, we should be good to put together a new gate job
[15:38] <lbragstad> antwash updated https://etherpad.openstack.org/p/readypolicy with the latest status
[15:39] <antwash> lbragstad: looking now
[15:39] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Move and refactor test_revoke_by_audit_chain_id  https://review.openstack.org/453229
[15:40] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move policy association to DocumentedRuleDefault  https://review.openstack.org/449344
[15:42] <antwash> ping samueldmq
[15:44] *** lucasxu has quit IRC
[15:45] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move policy association to DocumentedRuleDefault  https://review.openstack.org/449344
[15:47] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/453235
[15:49] *** aojea_ has quit IRC
[15:50] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault  https://review.openstack.org/449253
[15:52] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault  https://review.openstack.org/449253
[15:54] *** jlvillal_pto is now known as jlvillal
[16:01] *** pcaruana has quit IRC
[16:03] *** voelzmo has quit IRC
[16:05] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault  https://review.openstack.org/449253
[16:07] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault  https://review.openstack.org/449341
[16:11] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move credential policies to DocumentedRuleDefault  https://review.openstack.org/449233
[16:12] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move access token to DocumentedRuleDefault  https://review.openstack.org/449265
[16:12] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move protocol to DocumentedRuleDefault  https://review.openstack.org/449345
[16:14] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move region policies to DocumentedRuleDefault  https://review.openstack.org/449213
[16:14] <openstackgerrit> Thomas Bechtold proposed openstack/keystonemiddleware master: Remove deprecated oslo.messaging aliases parameter  https://review.openstack.org/453245
[16:14] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move region policies to DocumentedRuleDefault  https://review.openstack.org/449213
[16:15] <antwash> lbragstad, rodrigods -- updated etherpad with new set for review when you have time https://etherpad.openstack.org/p/readypolicy
[16:15] <lbragstad> antwash working on them now
[16:15] <lbragstad> antwash thanks!
[16:15] <antwash> we keep it up, we'll have them all merged by Thursday
[16:16] <lbragstad> antwash that's a good goal
[16:16] <lbragstad> FYI - https://review.openstack.org/#/c/448826/ should be the last patch needed to implement policy-in-code
[16:17] <knikolla> does it mean no-one when the check_str is an empty string?
[16:17] <antwash> lbragstad: forgot about that one, it was buried in the policy-docs patchset lol
[16:17] <openstackgerrit> Thomas Bechtold proposed openstack/keystonemiddleware master: Remove deprecated oslo.messaging aliases parameter  https://review.openstack.org/453245
[16:18] <lbragstad> knikolla example?
[16:18] <knikolla> lbragstad: https://github.com/openstack/keystone/blob/master/keystone/common/policies/trust.py#L21-L32
[16:19] <lbragstad> knikolla it means that all that is needed is a valid token
[16:19] <lbragstad> knikolla the reason why the trust API has that is because the policy for it is essentially coded into the controller/manager
[16:19] <knikolla> lbragstad: gotcha
[16:20] <lbragstad> knikolla it's not really enforced using the protected method
[16:20] <lbragstad> knikolla a better example might be the get auth projects API, which has an empty check string
[16:21] *** Aqsam has quit IRC
[16:21] <lbragstad> it makes the protected method ensure the token being used is valid, then it uses that user context to build a list of role assignments
[16:21] <knikolla> lbragstad: thanks for the clear explanation.
[16:22] <lbragstad> knikolla anytime, i had to spend a bunch of time unwinding that once
[16:22] <knikolla> lbragstad: saved me some time hunting down controller logic.
[16:23] <lbragstad> knikolla yeah - there is all sorts of policy coded into https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L112
[16:24] <lbragstad> knikolla another example - https://github.com/openstack/keystone/blob/master/keystone/trust/controllers.py#L198
[16:24] <openstackgerrit> Merged openstack/keystone master: Move identity provider to DocumentedRuleDefault  https://review.openstack.org/449275
[16:27] <knikolla> lbragstad: right, that sounds more complicated than what the policy engine can support.
[16:32] *** stingaci has joined #openstack-keystone
[16:37] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Add setup to test classes and private method  https://review.openstack.org/453254
[16:38] *** lucasxu has joined #openstack-keystone
[16:44] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/453235
[16:45] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/453235
[16:47] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove unused code in test_revoke  https://review.openstack.org/453235
[17:00] *** stradling has quit IRC
[17:00] <openstackgerrit> Merged openstack/keystone master: Move auth to DocumentedRuleDefault  https://review.openstack.org/449336
[17:00] <openstackgerrit> Merged openstack/keystone master: Move service policies to DocumentedRuleDefault  https://review.openstack.org/449214
[17:01] *** stradling has joined #openstack-keystone
[17:04] *** Aqsam has joined #openstack-keystone
[17:04] *** tesseract has quit IRC
[17:07] <openstackgerrit> Merged openstack/keystone master: Move policy association to DocumentedRuleDefault  https://review.openstack.org/449344
[17:15] *** mvk has quit IRC
[17:16] *** ravelar1 has joined #openstack-keystone
[17:20] *** Aqsam has quit IRC
[17:25] *** Aqsa has joined #openstack-keystone
[17:30] *** voelzmo has joined #openstack-keystone
[17:33] *** lucasxu has quit IRC
[17:34] *** lucasxu has joined #openstack-keystone
[17:35] <lbragstad> oomichi ping
[17:36] *** voelzmo has quit IRC
[17:40] *** voelzmo has joined #openstack-keystone
[17:40] *** lucasxu has quit IRC
[17:41] *** lucasxu has joined #openstack-keystone
[17:41] *** ravelar1 has quit IRC
[17:48] *** d0ugal has quit IRC
[17:49] *** d0ugal has joined #openstack-keystone
[18:01] *** mvk has joined #openstack-keystone
[18:03] *** henrynash has joined #openstack-keystone
[18:07] <oomichi> lbragstad: hi
[18:08] <lbragstad> oomichi o/ we're looking to have a policy discussion in today's keystone meeting (happening now in #openstack-keystone)
[18:08] <lbragstad> oomichi i know you had some questions/comments regarding one of our proposals, and I wanted to make sure you knew we were having conversations about it
[18:08] <lbragstad> oomichi the agenda is here - https://etherpad.openstack.org/p/keystone-weekly-meeting
[18:09] <lbragstad> oomichi and we'd love to get your feedback in that discussion (RBAC from Middleware)
[18:09] <oomichi> lbragstad: ok, are there any reviews for that now?
[18:09] <oomichi> lbragstad: I'd like to put some comments if we have
[18:09] <lbragstad> oomichi https://review.openstack.org/#/c/452198/ is the spec proposing the work for pike
[18:10] <lbragstad> oomichi https://review.openstack.org/#/c/401808/ is the implementation
[18:10] <oomichi> lbragstad: is it ok to put comments on https://review.openstack.org/#/c/452198 ? That seems to just move
[18:11] <lbragstad> oomichi the original proposal was here - https://review.openstack.org/#/c/391624/
[18:11] <lbragstad> oomichi which i know you reviewed at least once
[18:11] <lbragstad> but it was merged to on-going
[18:11] *** mdavidson has joined #openstack-keystone
[18:12] <oomichi> lbragstad: hehe, I forgot TBH. Yeah, it seems easy to get attention if putting comments on https://review.openstack.org/#/c/452198
[18:12] <oomichi> lbragstad: I will do that now
[18:13] <lbragstad> oomichi awesome - thanks!
[18:13] <oomichi> lbragstad: np :)
[18:18] *** rderose has quit IRC
[18:20] *** rderose has joined #openstack-keystone
[18:20] *** stradling has quit IRC
[18:21] *** stradling has joined #openstack-keystone
[18:25] <dstanek> rodrigods: all he is saying is that we don't like FKs between subsystems or am i missing something?
[18:26] <rodrigods> dstanek, yes, there are no arguments there
[18:26] <rodrigods> just a "strong" opinion
[18:26] <rodrigods> the conversation happened in IRC
[18:26] <rodrigods> dstanek, guess he will respond to the ML thread, anyway
[18:26] <dstanek> rodrigods: our subsystems are highly coupled at the data layer...we just refuse to admit to it
[18:30] *** Aqsa has quit IRC
[18:32] <dstanek> notmorgan: rodrigods: yep, writing something up after the meeting
[18:33] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault  https://review.openstack.org/449253
[18:33] <dstanek> it doesn't make sense to me not to use the DB to do the work that it's good at doing
[18:34] <rodrigods> dstanek, true, but only if we are using the DB correctly
[18:34] <rodrigods> don't you find the relationship between fed_users and idp/protocol strange?
[18:34] <rodrigods> not the relationship itself, the way it was done
[18:34] <openstackgerrit> Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault  https://review.openstack.org/449341
[18:34] *** rarora has quit IRC
[18:35] <dstanek> rodrigods: what is strange about it
[18:35] *** voelzmo has quit IRC
[18:35] <rodrigods> dstanek, one FK idp_id to idp.ID
[18:35] <dstanek> rodrigods: we currently have relationships between identity<->assignment and many others
[18:35] <dstanek> rodrigods: what's wrong with that?
[18:35] <rodrigods> another one from idp_id to protocol.idp_id and protocol_id to protocol.ID
[18:36] <dstanek> that could have been made simpler
[18:36] <rodrigods> dstanek, exactly
[18:36] <rodrigods> but... that's the issue i have with it
[18:36] <rodrigods> not talking about dependencies between subsystems
[18:37] <dstanek> rodrigods: so your issue is that we shouldn't use the DB because we could do it wrong?
[18:37] <rodrigods> dstanek, not at all, i'm just talking about the "use the DB since it is good at doing that" argument
[18:37] <dstanek> rodrigods: who had that argument
[18:37] <dstanek> rodrigods: the argument is use the DB for what *it* is good at
[18:37] <antwash> rodrigods : i'm confused about the -1, the commit message says the same thing though https://review.openstack.org/#/c/449233/
[18:38] <openstackgerrit> Sean Dague proposed openstack/keystone-specs master: Unified limits specification  https://review.openstack.org/440815
[18:39] <rodrigods> antwash, it is not a strong -1, just paid attention to how that is written now
[18:40] <rodrigods> dstanek, "the argument is use the DB for what *it* is good at" and what i'm saying is: for the DB to do things correctly, we need to use it correctly
[18:40] <dstanek> rodrigods: exactly! and we are not
[18:40] <dstanek> rodrigods: are you arguing for or against FKs in between subsystems?
[18:42] <rodrigods> dstanek, heh i don't have a strong opinion either way
[18:42] <rodrigods> just liked to argue about the way the fed_table relationships have been designed :P
[18:43] <dstanek> rodrigods: we can certainly change those if we can make it better....but removing would just make it worse
[18:44] <rodrigods> dstanek, totally agree
[18:44] <rodrigods> dstanek, not with the "just make it worse" part
[18:45] *** rarora has joined #openstack-keystone
[18:45] <rodrigods> this is something i need to read and think about different opinions on so I can finally have mine :P
[18:56] <dstanek> rodrigods: i'll start writing this up shortly after our meeting
*** rderose has quit IRC19:00
ayounglbragstad, dstanek samueldmq lets talk about the constraints.19:01
* knikolla lurks19:01
ayoung1.  a baseline policy needs to be enforced everywhere in the system19:01
ayoungif that is not the case, than there is no way to add new roles that have limitations19:01
samueldmqayoung: I need 5 min to get coffe. Brb19:01
ayoungif you create a new role, today, it is essentially the same as the Member role.19:02
dstaneka new role would have access to nothing, right?19:02
ayoungdstanek, a new role would have access to everything19:03
ayoungsmall exceptions in Keystone19:03
ayoungand it owuld not be able to do `admin` limited operations19:03
ayoungSo a new role would essentially be equivalent to Member19:04
dstanekayoung: why would that be? do you have an example?19:04
*** rmascena__ has joined #openstack-keystone19:04
ayoungdstanek, because the way policy is enforced today, it only checks the scope, not the role, in the vast majority of rules19:04
ayoungand, if you were to go in and add a role check in a specific rule, you would not do much good19:05
ayoungas that role check would not be executed on any other rule in the system19:05
ayoungand it would not be executed in other remote services19:05
*** rmascena__ is now known as raildo19:06
ayoungdstanek, see why I want it in middleware?19:06
*** rmascena has quit IRC19:06
dstanekayoung: no, i see this in a much simplier light....maybe i don't know the problem that you are solving19:07
dstanekto me a baseline policy is a solution for some problem and not necessarily a constraint19:07
ayoungdstanek, people have been asking for a "read only" role19:07
*** lucasxu has quit IRC19:07
*** rderose has joined #openstack-keystone19:07
ayoungHow would you implement that?19:07
*** lucasxu has joined #openstack-keystone19:08
dstanekayoung: in today's world i would have each service update their policy...the challenge is having an agreement on roles or a way to configure them19:10
ayoungdstanek, right, so lets not do that19:10
lbragstadayoung why not?19:11
ayounginstead, move the RBAC checkout of policy and provide a reasonable default that the operators can customize without breaking policy19:11
ayounglbragstad, have you ever tried to get a change into every single other project in openstack?19:11
ayoungI have, and jamielennox has and it was not a pleasant experience19:11
ayoungand, it didn't work19:11
lbragstadayoung yes - that's something we're currently doing with nova and cinder19:11
ayoungcurrently19:12
ayounglbragstad, but not somethine we've done19:12
ayoungwe have been unsuccessful in fixing security holes19:12
lbragstadayoung the difference between then and now is that we're making progress19:12
lbragstadand we're having those discussions *between* projects19:12
dstanekright, i don't want to do something just because our inter-project communication isn't great. i want to make sure it's the right thing19:13
ayoungdstanek, it is, quite simply, what Keystone really exists to do19:14
ayoungFederation has shown we are really not supposed to own the user database19:14
ayoungkeysteon is a layer for delegation19:14
ayoungI'm tired.19:14
lbragstadayoung are there customers or operators that specifically asking for this approach?19:15
ayoungI am having a hard time gearing up to type all this in again, as I just went through it yesterday with lbragstad19:15
ayounglbragstad, there are customers and operators asking for what this approach gives, that we have not been able to deliver on, for years19:16
ayounglonger than you have worked on keystone19:16
ayounglet me find the first bug on it...19:16
lbragstadayoung completely agree19:16
lbragstadayoung have they signed off on the management of the rbac in middleware approach?19:16
dstanekayoung: so goal 1 is the ability to add a read-only role - what other goals are there?19:17
*** voelzmo has joined #openstack-keystone19:17
ayoungdstanek, the ability to tell a user what roles they need in order to perform an operation19:17
dstaneki don't want to talk about the specific spec right now. i want to understand just the problems19:17
ayoungdavid-lyle, asked me for that BEFORE he was Horizon PTL19:17
ayoungThere is no way to map from policy to operation today19:17
dstanekayoung: it's technically possible right?19:18
lbragstadayoung so I assume that was before any capability APIs were being proposed to the various projects19:18
*** lwanderley has joined #openstack-keystone19:18
dstaneklbragstad: i forgot that those discussions have been happening19:18
ayoungplease read the preamble to the spec https://review.openstack.org/#/c/452198/2/specs/keystone/pike/role-check-from-middleware.rst19:19
*** voelzmo has quit IRC19:19
lbragstadayoung you mean? http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/role-check-from-middleware.html#problem-description19:19
*** ravelar has quit IRC19:19
ayoung: lbragstad, yeo  19:19
ayoung: yep  19:20
lbragstad: is david-lyle's use case so that horizon can display the proper UI things for a user?  19:22
lbragstad: based on what they can do?  19:22
lbragstad: because if so - i don't see how the rbac in middleware approach helps that, because keystone is going to have to store some operation -> url pattern -> role information  19:23
ayoung: lbragstad, yes it will.  if you have a user's token, you can query that information  19:24
lbragstad: so even if a user is allowed to do a live migration because they have the admin role, it doesn't make any sense to advertise that if nova is configured to use a virt driver that doesn't support live migrate  19:24
ayoung: lbragstad, but that is a different use case  19:24
*** aojea has joined #openstack-keystone19:24
lbragstad: how is that different?  19:24
ayoung: that is not an authorization decision  19:24
*** harlowja has joined #openstack-keystone19:24
ayoung: it's as different as having the keys to the car and knowing how to drive stick  19:25
lbragstad: right, but does it change the fact that advertising live migration to a user when they can't do it is wrong?  19:25
lbragstad: i don't think it does  19:25
lbragstad: there are a ton of things in nova, neutron, and cinder that would be susceptible to that case  19:26
openstackgerrit: Merged openstack/keystone master: Move policy policies to DocumentedRuleDefault  https://review.openstack.org/449248  19:27
*** voelzmo has joined #openstack-keystone19:27
*** ravelar has joined #openstack-keystone19:27
dstanek: ayoung: is that what a user would want, an authz decision? or just an absolute yes/no about the capability?  19:28
dstanek: and what if policy and rbac are at odds  19:28
lbragstad: based on the discussions i was having with robcresswell and david-lyle at the PTG, the yes/no on the capability is what they wanted  19:28
lbragstad: because they could use the capability endpoint of the service to figure out which options to gray out/enable in the different horizon panels  19:29
dstanek: lbragstad: you'd have to check rbac, then policy, and then the service's capability to answer that question (not necessarily in that order)  19:30
lbragstad: dstanek, if we put the url patterns in keystone?  19:31
ayoung: dstanek, if policy and rbac are at odds, the operator messed things up  19:32
dstanek: ayoung: that happens when there are competing ways to do the same thing  19:32
ayoung: dstanek, it defaults to "no"  19:32
dstanek: ayoung: i'm going to spend some time tonight reviewing http://csrc.nist.gov/rbac/sandhu-ferraiolo-kuhn-00.pdf  19:32
ayoung: rbac check comes first.  19:32
ayoung: if that fails, you don't get to policy  19:32
ayoung: if policy fails, still no  19:33
ayoung: so I am not proposing that we report, or provide any more information on policy  19:33
ayoung: cuz, you might recall I spent a few cycles on that and we got a solid NO there  19:33
ayoung: dstanek, ++  19:34
ayoung: dstanek, a couple caveats when you read that  19:36
ayoung: what they call hierarchical, I called implied roles  19:36
ayoung: because we used hierarchical when talking about HMT  19:36
ayoung: but the nist definition of a role hierarchy is role A implies role B type stuff  19:37
ayoung: we don't really care about separation of duties  19:37
ayoung: and NIST rbac does not have the concept of Scope like we do  19:37
ayoung: which is really a big shortcoming, but it is due to the RBAC as implemented there assuming scope into the equation:  19:37
ayoung: instead of a role being "governor" it would be "governor_of_illinois"  19:38
ayoung: dstanek, make sense?  19:40
dstanek: i think so. i took down your notes for reference  19:42
ayoung: thanks  19:44
*** lwanderley has quit IRC19:46
*** voelzmo has quit IRC19:46
dstanek: ayoung: no, thank you :-)  19:49
ayoung: knikolla, I'm going to turn my attention back to the implied roles patch, as we are going to want that for the RBAC stuff  19:52
ayoung: https://review.openstack.org/#/c/290253/  19:52
knikolla: ayoung: anything you need from me?  19:55
knikolla: (besides reading back the entire conversation which i had to miss now because of meetings)  19:55
*** ediardo has quit IRC20:00
ayoung: knikolla, more, is there anything you need from me  20:00
ayoung: we need to get the keystone client part going, and you were going to work on that  20:01
*** ediardo has joined #openstack-keystone20:01
ayoung: knikolla, I can help out if you need me to, but I want to get the cli piece of implied roles back on track  20:01
knikolla: ayoung: i can get the client part done this week. looks trivial.  20:03
*** dave-mccowan has quit IRC20:03
knikolla: i have a wip patch with the outline. i just need to fill in the methods  20:03
ayoung: knikolla, excellent.  shout if you need help.  the implied roles patch should be a decent starting point reference  20:04
knikolla: ayoung: once we get to the ksm part i'll definitely ask for help. right now it's just basic CRUD.  20:05
ayoung: knikolla, cool  20:05
*** voelzmo has joined #openstack-keystone20:18
*** voelzmo has quit IRC20:23
*** stradling has quit IRC20:30
*** thorst has quit IRC20:35
*** rcernin has quit IRC20:55
*** thorst has joined #openstack-keystone21:07
*** aojea has quit IRC21:11
*** spilla has quit IRC21:12
*** henrynash has quit IRC21:14
*** aojea has joined #openstack-keystone21:15
*** aojea_ has joined #openstack-keystone21:16
*** dave-mccowan has joined #openstack-keystone21:16
*** henrynash has joined #openstack-keystone21:16
*** aojea has quit IRC21:16
*** henrynash has quit IRC21:26
*** ravelar1 has joined #openstack-keystone21:27
*** edmondsw has quit IRC21:31
*** ravelar1 has quit IRC21:32
*** edmondsw has joined #openstack-keystone21:33
*** david-lyle has quit IRC21:35
*** edmondsw has quit IRC21:38
*** david-lyle has joined #openstack-keystone21:43
*** rmascena has joined #openstack-keystone21:51
*** raildo has quit IRC21:53
*** aojea_ has quit IRC21:57
ayoung: knikolla, what if we tried to support a jq type match for the body of a post as an additional parameter?  21:58
ayoung: like, in addition to  21:58
ayoung: POST /url/server/<id>/action  we had an additional column which was body:  ".lock"  21:59
ayoung: and body was expected to be Null, only allowed to be non Null in POST/PUT/PATCH cases (I think) and is more specific than the cases where body is omitted  22:00
*** thorst has quit IRC22:01
openstackgerrit: ayoung proposed openstack/keystone-specs master: Commit to RBAC in middleware in Pike release  https://review.openstack.org/452198  22:17
openstackgerrit: Gage Hugo proposed openstack/keystone master: Replace usages of SHA1 with SHA256  https://review.openstack.org/453357  22:18
*** lucasxu has quit IRC22:27
*** hoonetorg has quit IRC22:43
*** hoonetorg has joined #openstack-keystone22:44
*** hoonetorg has quit IRC22:47
*** catintheroof has quit IRC22:57
*** hoonetorg has joined #openstack-keystone22:58
openstackgerrit: Gage Hugo proposed openstack/python-keystoneclient master: Replace usages of SHA1 with SHA256  https://review.openstack.org/453365  23:01
*** thorst has joined #openstack-keystone23:01
*** thorst has quit IRC23:06
*** lamt has quit IRC23:20
samueldmq: antwash: hi, you around yet?  23:48
*** masterjcool has quit IRC23:49
*** stingaci has quit IRC23:49
*** spilla has joined #openstack-keystone23:53
*** gsilvis has quit IRC23:55