odyssey4me_ | morning everyone, I've raised a bug about some ambiguity related to cache settings that I'd like to get straightened out and would appreciate some eyes: https://bugs.launchpad.net/keystone/+bug/1690756 | 08:36 |
openstack | Launchpad bug 1690756 in oslo.cache "cache 'backend' argument description is ambiguous" [Undecided,New] | 08:36 |
openstackgerrit | zhengliuyang proposed openstack/keystone master: Update explains about credentials https://review.openstack.org/463970 | 08:47 |
openstackgerrit | Hemanth Nakkina proposed openstack/keystone master: Change url scheme passed to oauth signature verifier https://review.openstack.org/464577 | 09:03 |
openstackgerrit | rocky proposed openstack/keystonemiddleware master: Remove log translations in keystonemiddle https://review.openstack.org/464543 | 09:23 |
breton | i have a token. How do i make all requests with it using keystoneauth sessions? | 12:07 |
breton | i cannot fetch another one with it because it is trust-scoped, so i cannot use "token" plugin | 12:09 |
jamielennox | breton: so you can use TokenEndpoint - but as implied you need to know the endpoints | 12:12 |
jamielennox | i mean there's no catalog so you have to specify what to actually communicate to | 12:12 |
breton | jamielennox: what i am trying to solve is https://bugs.launchpad.net/mistral/+bug/1690787 . In Mistral novaclient is created here: https://github.com/openstack/mistral/blob/e6a1ac2b5371d1887122571b209d4154218b9c05/mistral/actions/openstack/actions.py#L63 | 12:14 |
openstack | Launchpad bug 1690787 in Mistral "cron trigger uses trust-scoped token to create another token" [High,New] | 12:14 |
breton | jamielennox: i guess they are passing a token id and auth_url | 12:17 |
breton | jamielennox: can we tell keystoneauth to just fetch token body, without re-auth? | 12:18 |
breton | why doesn't keystone allow to use a trust-scoped token for getting another token? | 12:21 |
jamielennox | breton: i think there is actually a way to do that now - but it never got implemented | 12:27 |
jamielennox | breton: there's a way you can fetch at least the catalog of an existing token | 12:28 |
jamielennox | but it wasn't around when we started | 12:28 |
jamielennox | breton: i'm guessing you can't rescope to something else, i'm not sure exactly | 12:28 |
jamielennox | but you don't want to allow a delegated token to be reused for a different purpose | 12:29 |
jamielennox | any reason you have a token_id, it's a painful way to do things as it can expire any time | 12:29 |
breton | jamielennox: https://review.openstack.org/gitweb?p=openstack/keystone.git;a=blob;f=keystone/auth/plugins/token.py;h=8c8be5233804bae745723c2aff9d619fd1638b50;hb=HEAD#l68 | 12:30 |
breton | 68 # Do not allow tokens used for delegation to | 12:30 |
breton | 69 # create another token, or perform any changes of | 12:30 |
breton | 70 # state in Keystone. To do so is to invite elevation of | 12:30 |
breton | 71 # privilege attacks | 12:30 |
jamielennox | yea, makes sense | 12:31 |
breton | i tried to track this in git history, and it goes back to 2013 :) i still couldn't find the commit that introduced this message | 12:31 |
jamielennox | realistically we should never have allowed tokens to be rescoped from project to project - but that was super hard to remove | 12:31 |
jamielennox | there was a config flag to prevent token rescoping in keystone - it broke a lot of things | 12:31 |
breton | so i guess what mistral should do it switch to sessions and plugins | 12:32 |
breton | *do is | 12:32 |
jamielennox | breton: yes! | 12:33 |
jamielennox | gah, if you're trying to work around that then absolutely switch | 12:33 |
breton | jamielennox: that's hard. They have 21 clients and each needs to be switched. | 12:52 |
ayoung | breton, I'm responsible for that rule. | 12:53 |
ayoung | A trust scoped token is a fixed scope. | 12:53 |
ayoung | It can neither get a wider nor narrower scope | 12:54 |
ayoung | narrower actually should be allowed, but due to the mechanism it is not implemented | 12:54 |
ayoung | wider is, well, problematic for obvious reasons, as I hope you can see | 12:54 |
ayoung | so, the only thing a user could do is re-auth as themselves and re-execute the trust: | 12:54 |
breton | ayoung: well, in my case it tries to get exactly the same scope | 12:55 |
ayoung | breton, for what purpose? Just to get the service catalog? | 12:55 |
ayoung | cuz there is another rule that shows a token can't be used to get another token just to lengthen its lifespan | 12:55 |
breton | ayoung: due to a bug in client. | 12:55 |
breton | ayoung: keystoneauth's Token plugin uses a token to authenticate with the token | 12:56 |
ayoung | breton, I wonder if what we really need is a "fetch service catalog for token" in that case? jamielennox ? | 12:57 |
breton | ayoung: yes, that's what i'd like to see in keystoneauth auth plugins. And we'll also have to teach other clients to use that. | 12:58 |
jamielennox | yea, i would be ok with that | 13:00 |
jamielennox | it has definitely come up before | 13:00 |
jamielennox | just for 99% of cases the rescope works, and for everyone else i try and make them use sessions properly | 13:01 |
jamielennox | my main problem i don't have a solution for is after RPC | 13:01 |
jamielennox | i got buy in to fix that, but it just isn't on my priorities ATM | 13:01 |
jamielennox | anywhere else there's a plugin you can use from auth_token | 13:02 |
jamielennox | of just build your own plugin | 13:02 |
* jamielennox out | 13:06 | |
lbragstad | o/ | 13:28 |
openstackgerrit | Merged openstack/pycadf master: Updated from global requirements https://review.openstack.org/464459 | 14:10 |
openstackgerrit | Hemanth Nakkina proposed openstack/keystone master: Change url scheme passed to oauth signature verifier https://review.openstack.org/464577 | 14:42 |
knikolla | o/ | 15:01 |
MonkXmode | Hi there. Is anyone using keystone-LDAP I can pester for a few moments? | 15:19 |
MonkXmode | I have it set up, and connecting. However, I'm experiencing a few difficulties in getting the users authenticated to the project. | 15:20 |
MonkXmode | I'm trying to understand the mapping of LDAP users to projects. | 15:21 |
MonkXmode | Am I correct in assuming a relationship between the nonlocal_user entries and the project? | 15:21 |
breton | MonkXmode: well, LDAP user id is stored in nonlocal_user. But it's hidden from you. Assignments are for User - Role - Project. | 15:28 |
breton | (actually, afaik nonlocal_user is not even an LDAP entity, it's an id_mapping_api entity) | 15:29 |
MonkXmode | breton: Thanks. I came across this when keystone was complaining of duplicate entries. | 15:30 |
MonkXmode | How can I sort the "admin" account from being looked up in ldap? | 15:30 |
MonkXmode | As it stands, keystone says the admin account is not assigned to any projects. Given my expectations are that the admin is "authenticated" by LDAP and admin already exists in the authorization aspect... | 15:32 |
MonkXmode | Seems like a catch22 scenario; or i'm misunderstanding something fundamental. | 15:33 |
breton | MonkXmode: there is no such thing as "admin" | 15:38 |
breton | MonkXmode: a user can have role admin in a project | 15:38 |
breton | MonkXmode: and, if that role has permissions in policy.json, they will be able to perform that action | 15:39 |
breton | MonkXmode: today there is a bug in default policy.json; a user that has role admin on project X automatically has permissions for other projects. But that's a bug and doesn't work for other roles. | 15:40 |
breton | MonkXmode: so, in order to get a user with access to many things, the user needs to have role "admin" on a project that has is_admin_project=True | 15:41 |
MonkXmode | breton: I initially set up the "admin" user with admin role for the "default" domain. Now that user (admin) is within LDAP to be looked up, it's not able to see any projects. So, in order to allow the LDAP "admin" user admin permissions.. | 15:44 |
MonkXmode | I thought it was a catch22 scenario. So I assumed I can either set an ignore for that user (so will look up locally only) or somehow update the permissions for the LDAP admin user. | 15:45 |
breton | what is catch22 scenario? :) | 15:46 |
breton | MonkXmode: you have 2 options: | 15:46 |
MonkXmode | breton: To give user: Admin the correct permissions, I need to be an admin. And I can't do that without having an admin account via LDAP :-) | 15:46 |
breton | 1. Set up 2 domains. One domain for LDAP and one for local users (service users and cloud admin). https://docs.openstack.org/admin-guide/identity-domain-specific-config.html . This is the preferred option. | 15:47 |
breton | 2. Bootstrap things again. Use "keystone-manage bootstrap" and pass admin's username. From the code i see that if user admin is already there, it will attempt to create it again and will just use it. | 15:51 |
breton | actually there is even option 3. User admin token. Look for "admin_token" it in your keystone.conf. Please don't forget to turn it off. | 15:52 |
breton | *Use admin token | 15:52 |
MonkXmode | wow. Thanks for taking the time to explain. Given there's a preferred option (I assume it's best practice rather than easier or whatever?) I should really go down that route. | 15:54 |
openstackgerrit | Hemanth Nakkina proposed openstack/keystone master: Change url scheme passed to oauth signature verifier https://review.openstack.org/464577 | 15:56 |
openstackgerrit | Felipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating https://review.openstack.org/464678 | 16:07 |
MonkXmode | breton: Seems to do the trick. Now I need to create a new domain. Should be simple, right? :-) | 16:19 |
breton | MonkXmode: bootstrap will probably do that | 16:22 |
breton | MonkXmode: yes, the first option is the best practice | 16:22 |
MonkXmode | breton: Thanks for confirming. | 16:23 |
MonkXmode | breton: If I do a bootstrap for keystone, will it blitz and start afresh? | 16:23 |
MonkXmode | in other words, will I lose anything, and how will bootstrap set up a new domain? :-/ :-) | 16:24 |
MonkXmode | Feel free to tell me to rtfm btw :-) | 16:24 |
MonkXmode | ooh, Is it as simple as appending the project name to the bootstrap? | 16:26 |
MonkXmode | ... --bootstrap-project-name foo ... | 16:27 |
lbragstad | dstanek: it looks like mordred is going to be taking over the api key spec | 16:29 |
breton | MonkXmode: oh, i misunderstood things. I guess you will have to switch back to SQL where you already have a user with role admin and create a domain from there | 16:32 |
MonkXmode | Yep. I'm at that point now. | 16:33 |
MonkXmode | I may get dragged away shortly for a couple hours. So if you aren't here when I return and (hopefully) get it working, i'd like to offer my thanks. | 16:34 |
breton | you're welcome | 16:34 |
mordred | lbragstad: yah - I'll do another rev on it probably tomorrow to try to incorporate stuff from the Forum | 16:44 |
dstanek | lbragstad: nice | 16:46 |
lbragstad | mordred: awesome | 16:56 |
lbragstad | rderose: o/ | 16:58 |
lbragstad | rderose: just fyi - but after some conversations at the forum, mordred is going to try and pick up the spec work for api keys | 16:58 |
rderose | lbragstad: that's cool, especially since my approach is not really api keys anymore | 16:59 |
rderose | lbragstad: it's more application passwords | 16:59 |
rderose | or application credentials | 16:59 |
rderose | lbragstad: anyway... | 17:00 |
lbragstad | rderose: yeah - we might need some more discussion on it | 17:01 |
lbragstad | rderose: but it sounded like either would solve the issue we were talking about at the forum | 17:01 |
rderose | lbragstad: yeah, true | 17:01 |
lbragstad | which was to enable application developers writing things on top of openstack | 17:01 |
rderose | lbragstad: just feel like application passwords gets us there a lot faster | 17:02 |
rderose | lbragstad: I see | 17:02 |
lbragstad | rderose: true - that's totally something to consider | 17:02 |
bkudryavtsev | Hello! Is this bug still an issue? https://bugs.launchpad.net/keystone/+bug/1671196 | 17:06 |
openstack | Launchpad bug 1671196 in OpenStack Identity (keystone) "user list for LDAP group does not contain all members" [Medium,Triaged] | 17:06 |
odyssey4me | I've raised a bug about some ambiguity related to cache settings that I'd like to get straightened out and would appreciate some eyes: https://bugs.launchpad.net/keystone/+bug/1690756 | 17:08 |
openstack | Launchpad bug 1690756 in oslo.cache "cache 'backend' argument description is ambiguous" [Undecided,New] | 17:08 |
breton | bkudryavtsev: probably yes | 17:11 |
lbragstad | odyssey4me: nice - i can take a look | 17:11 |
lbragstad | odyssey4me: i was just digging around in some of that code last week at the summit | 17:12 |
lbragstad | odyssey4me: fwiw - i think morgan wrote some of that | 17:12 |
bkudryavtsev | I would like to work on bug 1671196. Any tips, suggestions? | 17:16 |
openstack | bug 1671196 in OpenStack Identity (keystone) "user list for LDAP group does not contain all members" [Medium,Triaged] https://launchpad.net/bugs/1671196 | 17:16 |
samueldmq | hi keystoners! | 17:57 |
samueldmq | o/ | 17:57 |
lbragstad | samueldmq: o/ | 18:01 |
knikolla | looks like the ksm gate is broken | 18:07 |
knikolla | i do not understand what that specific failing unit test is meant to do | 18:16 |
knikolla | http://logs.openstack.org/27/455927/4/check/gate-keystonemiddleware-python27-ubuntu-xenial/c13409a/testr_results.html.gz | 18:16 |
samueldmq | lbragstad: o/ | 18:16 |
samueldmq | knikolla: looking | 18:16 |
knikolla | samueldmq: o/ | 18:18 |
samueldmq | knikolla: need to dig a bit on that, but perhaps the behavior might be changed in oslo_messaging ? | 18:18 |
samueldmq | knikolla: would need to look more carefully, but I am finishing off something else right now :( | 18:19 |
samueldmq | knikolla: a good step would be to try to reproduce it locally | 18:19 |
knikolla | samueldmq: i'll give it a try locally in a few minutes. | 18:21 |
samueldmq | knikolla: sweet, let me know how it goes | 18:21 |
knikolla | samueldmq: same test failed locally. | 18:24 |
nishaYadav | o/ | 18:25 |
samueldmq | knikolla: that's great (that we can reproduce) | 18:25 |
samueldmq | knikolla: should be able to analyze what's going on to try to figure out what changed | 18:26 |
samueldmq | I mean, if you have time and are willing to solve this | 18:26 |
samueldmq | nishaYadav: hi, welcome back from the summit | 18:26 |
knikolla | samueldmq: i can spare some time. will go through the merged patches in oslo.messaging see if anything might be related. | 18:26 |
lbragstad | knikolla: samueldmq that looks kind of familiar - we had a bunch of things going in from oslo.config recently | 18:26 |
samueldmq | lbragstad: ++ | 18:27 |
samueldmq | knikolla: nice | 18:27 |
samueldmq | lbragstad: knikolla yeah my guess would be that it relates to config values being enforced somewhere | 18:27 |
samueldmq | that was the things that changed in Oslo config lately iirc | 18:27 |
lbragstad | gcb was doing some work recently to get the type checking taken care of | 18:28 |
lbragstad | before switching the default in oslo.config to enforce type checking by default | 18:28 |
knikolla | lbragstad: https://review.openstack.org/#/c/328692/8 | 18:30 |
knikolla | seems like the switch happened | 18:30 |
nishaYadav | samueldmq Thanks. It was great meeting fellow contributors :) | 18:36 |
rmascena | gagehugo, ping, are you around? | 18:36 |
rmascena | gagehugo, about your summit talk :) | 18:36 |
nishaYadav | @lbragstad, hi | 18:36 |
gagehugo | rmascena what's up? | 18:40 |
samueldmq | raildo: now I recognize that IRC nickname! | 18:41 |
gagehugo | ah | 18:43 |
lbragstad | nishaYadav: o/ | 18:45 |
lbragstad | knikolla: yeah - that looks like the one | 18:46 |
knikolla | lbragstad: from the docstring and the code of oslo.config, None is not converted even if enforce_type is set to true. and the value we use is None. | 18:48 |
knikolla | lbragstad: https://github.com/openstack/oslo.config/blob/0b0200572d1c53041e7d795d3413be5b2f55e0cc/oslo_config/cfg.py#L2634-L2636 | 18:49 |
raildo | samueldmq, haha to make easier | 18:50 |
raildo | gagehugo, so, I saw your talk, and it was a (good) surprise for me :) I'm working on the Custodia project | 18:51 |
gagehugo | raildo awesome | 18:51 |
raildo | gagehugo, and one of my short goals would be to implement the oslo.config PoC (that you already did) so, I would love to review the code and help with anything that I can :) | 18:53 |
lbragstad | knikolla: it looks like its failing on an oslo_messaging configuration option | 18:54 |
raildo | if you need some more explanation about Custodia, or how we are using it for other services | 18:54 |
lamt | knikolla lbragstad : setting driver=None seems to throw out this weird message: "Could not load s, n, m, i, g, e, a" in that test. | 18:55 |
raildo | gagehugo, you did not submit it upstream yet, right? | 18:55 |
gagehugo | raildo not yet, I think the changes are on a github fork though | 18:56 |
knikolla | lamt: it's pretty weird. it's one of the permutations of those letters | 18:57 |
lamt | knikolla: should that really be set to 'noop' | 18:57 |
gagehugo | raildo the changes def need some work before it's upstreamable | 18:57 |
raildo | gagehugo, do you know if will be necessary to write an spec for this feature? | 18:58 |
lamt | that gets rid of the cryptic msg, but the test still fails | 18:58 |
raildo | gagehugo, sure, no problem :) | 18:58 |
gagehugo | raildo I would say yes since it adds new logic into oslo.config | 18:58 |
gagehugo | if you are wanting to fetch values from remote locations via secret keys | 18:58 |
knikolla | lamt: yes, the test still fails. | 18:59 |
lbragstad | weird | 18:59 |
raildo | gagehugo, yeap, that's what I expected... so if you need some help, or want someone else to put eyes on it, feel free to ping me :) | 18:59 |
knikolla | lamt: i got it to pass with setting it to 'messaging', but I think that defeats the purpose of the test. since there is actual configuration and the test tests for lacking configuration. | 19:00 |
gagehugo | raildo for sure! | 19:01 |
lamt | knikolla: it seems to be permuting over the oslo_messaging_notifications driver | 19:03 |
lamt | knikolla: if I do self.cfg.config(driver='log', group='oslo_messaging_notifications'), leaving audit_middleware_notifications to None | 19:04 |
lamt | knikolla I see Could not load o, g, l | 19:04 |
knikolla | lamt: i see. so messaging is s, n, m, i, g, e, a (or permutation) | 19:05 |
gagehugo | raildo I think one of the issues with the change is including something else between {oslo.config} and {secret store} that can talk between multiple {secret stores} vs just adding barbican logic in to oslo.config | 19:05 |
gagehugo | which we used custodia for in the PoC | 19:05 |
lbragstad | knikolla: lamt interesting | 19:05 |
lbragstad | knikolla: this is what you did? http://paste.openstack.org/show/609601/ | 19:05 |
knikolla | lbragstad: yes. test passed with that. | 19:06 |
lbragstad | knikolla: ok - same here | 19:06 |
knikolla | if i set the driver of oslo_messaging_notifications, I get "TypeError: argument of type 'NoneType' is not iterable" | 19:07 |
knikolla | not sure why it's trying to iterate over a string. | 19:08 |
knikolla | to None* | 19:08 |
knikolla | if i set the driver of oslo_messaging_notifications to None* | 19:08 |
raildo | gagehugo, yeah, that's a good point, I believe the right way to do this is having something in the middle, since there are a lot of clients with different secret stores instead of barbican, and we can just say: "hey, if you want to do this, stop using what you have and change now for barbican" | 19:08 |
gagehugo | raildo +1 | 19:09 |
lbragstad | knikolla: well - the oslo.messaging option defaults to an empty list | 19:09 |
lbragstad | https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/notify/notifier.py#L35 | 19:09 |
knikolla | lbragstad: that makes sense | 19:10 |
raildo | gagehugo, actually, that's why we have projects like Custodia, to work like a "middleware" for this kind of system. | 19:10 |
lamt | lbragstad knikolla This works: http://paste.openstack.org/show/609602/ | 19:11 |
lamt | for me, | 19:11 |
lbragstad | knikolla: lamt it looks like the audit_middleware_notifications is attempting to pass the value from oslo through - but it gets munged | 19:11 |
lamt | I think we have to pass in a list for oslo_messaging_notifications | 19:12 |
lbragstad | lamt: ah - sure | 19:12 |
lbragstad | that makes sense | 19:12 |
raildo | gagehugo, in addition, we don't need any keystone user/password for this operation, so we don't need a "password" to store "passwords", this is another reason that I prefer this approach. | 19:12 |
lbragstad | otherwise the string is treated like a list | 19:13 |
knikolla | lamt: you beat me by a few seconds. that worked for me too. | 19:13 |
lamt | lbragstad but I am not sure how other test seems to be okay - like the test before: test_conf_middleware_messaging_and_oslo_msg_as_log | 19:13 |
raildo | gagehugo, anyway, I'm really happy to see this coming up at this point :) | 19:13 |
knikolla | lamt: cause something weird is happening when no value is present. it will iterate over the previous option, treating a string as a list, therefore iterating over the letters. | 19:14 |
lbragstad | lamt: the behavior only appears to affect things when setting the audit_middleware_notification options to None | 19:14 |
lbragstad | knikolla: right | 19:14 |
lbragstad | it's something with how we're marshalling the data | 19:14 |
lamt | lbragstad knikolla: ah | 19:14 |
gagehugo | raildo yup! | 19:14 |
knikolla | and driver is a multistropt. so that's not entirely inaccurate. | 19:15 |
* lbragstad isn't a fan of multistring opts | 19:15 | |
knikolla | lamt: make the patch. i'll +1. | 19:16 |
lamt | sure - should I change all the other .cfg.config(driver= in other tests as well so they are consistently a list? | 19:17 |
lbragstad | lamt: i would | 19:17 |
lbragstad | lamt: knikolla do either of you know where that translation is happening? | 19:18 |
knikolla | lbragstad: which translation are you referring to? | 19:19 |
knikolla | lbragstad: i think oslo.messaging provides the driver option as is to stevedore. and stevedore iterates over it. | 19:19 |
lbragstad | hmm | 19:22 |
lbragstad | fwiw - maybe we should follow up with gcb when he's online | 19:22 |
lbragstad | i would consider this to be a unique case because we're defaulting to another groups configuration instead of a value (i.e. the default keyword) | 19:23 |
knikolla | lbragstad: yes. we should follow up. i still don't see any change which might be the root cause for this happening. | 19:24 |
lbragstad | knikolla: i think it's because oslo.config enforces type by default | 19:24 |
lbragstad | not | 19:24 |
lbragstad | now* | 19:24 |
knikolla | lbragstad: hmm… so maybe it would enforce a string to become a list of characters? | 19:25 |
knikolla | since the option is a multi string | 19:25 |
ayoung | gagehugo, isn't tin going to post his Custodia change for oslo-config? | 19:25 |
knikolla | sounds plausible | 19:25 |
lamt | ayoung working on that | 19:26 |
ayoung | lamt, Awesome. Very important work there. | 19:27 |
ayoung | lamt, I want to use that for a few things: getting the mysql and Rabbit passwords out of the config file, dealing with Keys for Fernet and Credentials. | 19:28 |
openstackgerrit | Tin Lam proposed openstack/keystonemiddleware master: Update driver config parameter from string to list https://review.openstack.org/464732 | 19:29 |
*** piliman974 has joined #openstack-keystone | 19:31 | |
lamt | ayoung that's what I want to do as well - I think there might be a spec in oslo.config but of a different scope. I'll check | 19:31 |
ayoung | lamt, please share what you have with raildo, as he is looking into custodia stuff elsewhere already, and he knows enough about Keystone to be dangerous...er...helpful | 19:33 |
lamt | ayoung will do | 19:34 |
*** raildo has quit IRC | 19:34 | |
*** rmascena has joined #openstack-keystone | 19:34 | |
*** nkinder has quit IRC | 19:35 | |
*** rmascena has quit IRC | 19:36 | |
*** rmascena has joined #openstack-keystone | 19:36 | |
rmascena | ayoung, lamt when we code, we are always dangerous hahaha | 19:38 |
*** rmascena is now known as raildo | 19:38 | |
raildo | lamt, would be great to take a look on this spec :) | 19:39 |
*** raildo has quit IRC | 19:42 | |
lamt | raildo gagehugo we may need a separate spec - I think the existing one is about generating config and populating it using some kind of config management backend (e.g. database). It is in one of the forums' etherpads. I need to look. | 19:42 |
lamt | But we can probably throw a WIP out there though | 19:42 |
lbragstad | lamt: thanks for the quick fix | 19:43 |
lamt | lbragstad: np - I can revert the line break later | 19:44 |
*** raildo has joined #openstack-keystone | 19:45 | |
raildo | I hate my internet connection, right now... | 19:45 |
*** tobberydberg has joined #openstack-keystone | 19:46 | |
lbragstad | lamt: no worries - i don't mind it | 19:48 |
*** belmoreira has joined #openstack-keystone | 20:07 | |
*** belmoreira has quit IRC | 20:08 | |
lbragstad | we should really have better help text for keystone-manage | 20:10 |
lbragstad | like - we should be able to do `keystone-manage help bootstrap` | 20:10 |
*** nkinder has joined #openstack-keystone | 20:12 | |
bkudryavtsev | I cannot reproduce bug 167119 on my system. Users with IDs in the format CN=LASTNAME\, FIRSTNAME are still displayed in the group. Can someone see if that is correct? | 20:13 |
openstack | bug 167119 in Inkscape "SVG import" [Undecided,Invalid] https://launchpad.net/bugs/167119 | 20:13 |
*** ducttap__ has joined #openstack-keystone | 20:13 | |
bkudryavtsev | Sorry, bug 1671196 | 20:13 |
openstack | bug 1671196 in OpenStack Identity (keystone) "user list for LDAP group does not contain all members" [Medium,Triaged] https://launchpad.net/bugs/1671196 | 20:13 |
*** ducttape_ has quit IRC | 20:14 | |
*** jose-phillips has quit IRC | 20:19 | |
*** raildo has quit IRC | 20:22 | |
*** ducttap__ has quit IRC | 20:23 | |
*** ducttape_ has joined #openstack-keystone | 20:23 | |
*** ducttap__ has joined #openstack-keystone | 20:24 | |
*** ducttape_ has quit IRC | 20:25 | |
*** nkinder has quit IRC | 20:27 | |
*** jose-phillips has joined #openstack-keystone | 20:33 | |
MonkXmode | breton: Are you still around? | 20:40 |
MonkXmode | Or if anyone else can help me... I have an LDAP backend for a specific domain, and whilst I can assign an LDAP user's "id" to a project via openstack's cli - I would hope to be able to assign a role: "user" inherently | 20:44 |
MonkXmode | as it's part of the specified group. | 20:44 |
MonkXmode | Is this related to the masking values in the keystone's config? Cos I've read the explanation a few times and I'm out of coffee and it's not making too much sense :- ) | 20:45 |
MonkXmode | The question to follow is: How do I define a list of Admins in ldap for the project/domain with ldap attributes or a specified group. | 20:51 |
*** dave-mccowan has quit IRC | 20:52 | |
*** nishaYadav has quit IRC | 20:55 | |
breton | MonkXmode: assign role to group | 20:56 |
breton | MonkXmode: openstack role add --group <group> --project <project> admin | 20:57 |
*** spilla has quit IRC | 21:00 | |
*** tobberydberg has quit IRC | 21:00 | |
MonkXmode | breton: Wouldn't I still be in the same position of having to manually specify people into a group "users" or a group "admin" within that project though? | 21:01 |
MonkXmode | So, I want bob and alice to have admin privileges, and steve and martin to be user. How can I influence this directly via ldap schema/attributes rather than manually using the openstack cli? | 21:02 |
MonkXmode | (Perhaps my use case is superfluous - but I would assume this is common?) | 21:03 |
*** jose-phillips has quit IRC | 21:05 | |
*** aojea has quit IRC | 21:11 | |
*** edmondsw_ has quit IRC | 21:17 | |
*** edmondsw has joined #openstack-keystone | 21:18 | |
*** jose-phillips has joined #openstack-keystone | 21:18 | |
*** thorst_afk has quit IRC | 21:18 | |
*** thorst_afk has joined #openstack-keystone | 21:19 | |
*** edmondsw_ has joined #openstack-keystone | 21:20 | |
*** edmondsw has quit IRC | 21:22 | |
*** thorst_afk has quit IRC | 21:23 | |
*** edmondsw_ has quit IRC | 21:24 | |
*** nkinder has joined #openstack-keystone | 21:25 | |
*** gongysh has joined #openstack-keystone | 21:26 | |
*** gongysh has quit IRC | 21:27 | |
*** bkudryavtsev has quit IRC | 21:32 | |
MonkXmode | breton: I'll read more tomorrow :-) | 21:35 |
MonkXmode | Thanks for the help today. I will keep learning :-) | 21:35 |
*** MonkXmode has quit IRC | 21:39 | |
*** edmondsw has joined #openstack-keystone | 21:48 | |
*** edmondsw has quit IRC | 21:53 | |
*** adriant has joined #openstack-keystone | 21:57 | |
*** thorst_afk has joined #openstack-keystone | 22:03 | |
*** ducttap__ has quit IRC | 22:04 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles https://review.openstack.org/464763 | 22:05 |
*** ducttape_ has joined #openstack-keystone | 22:06 | |
*** thorst_afk has quit IRC | 22:08 | |
*** ducttape_ has quit IRC | 22:10 | |
*** lamt has quit IRC | 22:15 | |
*** ducttape_ has joined #openstack-keystone | 22:16 | |
*** lamt has joined #openstack-keystone | 22:17 | |
*** lamt has quit IRC | 22:17 | |
*** piliman974 has quit IRC | 22:30 | |
*** gongysh has joined #openstack-keystone | 22:39 | |
*** gongysh has quit IRC | 22:40 | |
*** morgan_ has joined #openstack-keystone | 22:41 | |
*** pratapagoutham has quit IRC | 22:57 | |
*** tobberydberg has joined #openstack-keystone | 23:01 | |
*** tobberydberg has quit IRC | 23:05 | |
*** rderose has quit IRC | 23:06 | |
*** ducttape_ has quit IRC | 23:34 | |
*** ducttape_ has joined #openstack-keystone | 23:38 | |
*** ducttape_ has quit IRC | 23:43 | |
*** harlowja has quit IRC | 23:46 | |
*** hoonetorg has quit IRC | 23:54 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!