Monday, 2017-11-27

*** masuberu has joined #openstack-keystone		00:28
*** masber has quit IRC		00:29
*** dave-mccowan has joined #openstack-keystone		00:41
*** dave-mccowan has quit IRC		01:09
*** dave-mccowan has joined #openstack-keystone		01:24
*** masuberu has quit IRC		01:43
*** gmann_afk is now known as gmann		02:37
*** threestrands_ has joined #openstack-keystone		02:49
*** threestrands_ has quit IRC		02:49
*** threestrands_ has joined #openstack-keystone		02:49
openstackgerrit	wangxiyuan proposed openstack/keystone master: Remove member role assignment https://review.openstack.org/523005	02:49
*** threestrands_ has quit IRC		02:50
*** threestrands has quit IRC		02:50
*** threestrands_ has joined #openstack-keystone		02:50
*** masber has joined #openstack-keystone		02:54
openstackgerrit	wangxiyuan proposed openstack/keystonemiddleware master: Remove kwargs_to_fetch_token https://review.openstack.org/513273	02:54
*** dave-mccowan has quit IRC		03:01
*** dave-mccowan has joined #openstack-keystone		03:07
*** masber has quit IRC		03:09
*** dave-mccowan has quit IRC		03:18
openstackgerrit	wangxiyuan proposed openstack/keystone-specs master: Limits API https://review.openstack.org/455709	03:23
*** masber has joined #openstack-keystone		03:29
*** daidv has joined #openstack-keystone		04:00
*** hoonetorg has quit IRC		04:11
*** Dinesh_Bhor has joined #openstack-keystone		04:21
*** links has joined #openstack-keystone		04:26
*** jaosorior has joined #openstack-keystone		05:19
*** sticker has quit IRC		05:33
*** dklyle has joined #openstack-keystone		05:47
*** david-lyle has quit IRC		05:48
*** d0ugal has quit IRC		06:35
*** annp has joined #openstack-keystone		06:39
openstackgerrit	wangxiyuan proposed openstack/keystone master: Expose a bug when create trust with roles https://review.openstack.org/522705	06:39
openstackgerrit	wangxiyuan proposed openstack/keystone master: Fix 500 error when create trust with invalid role key https://review.openstack.org/522706	06:39
*** spectr has joined #openstack-keystone		06:44
*** namnh has joined #openstack-keystone		06:47
*** rcernin has quit IRC		06:47
*** d0ugal has joined #openstack-keystone		06:48
*** rcernin has joined #openstack-keystone		06:49
*** spectr has quit IRC		06:55
openstackgerrit	wangxiyuan proposed openstack/keystone master: Remove member role assignment https://review.openstack.org/523005	07:00
*** rcernin has quit IRC		07:28
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add new tables for unified limits https://review.openstack.org/523041	07:30
*** AlexeyAbashkin has joined #openstack-keystone		07:57
*** aojea has joined #openstack-keystone		08:01
*** aojea has quit IRC		08:06
*** pcaruana has joined #openstack-keystone		08:11
*** magicboiz has joined #openstack-keystone		08:21
*** belmoreira has joined #openstack-keystone		08:22
*** magicboiz has quit IRC		08:28
*** magicboiz has joined #openstack-keystone		08:28
*** josecastroleon has joined #openstack-keystone		08:40
*** gmann is now known as gmann_afk		09:13
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add new tables for unified limits https://review.openstack.org/523041	09:30
*** spectr has joined #openstack-keystone		09:37
*** spectr has quit IRC		09:37
*** aloga has quit IRC		09:41
*** aloga has joined #openstack-keystone		09:41
*** magicboiz has quit IRC		09:55
*** annp has quit IRC		10:03
*** mvk has joined #openstack-keystone		10:05
*** magicboiz has joined #openstack-keystone		10:11
*** magicboiz has quit IRC		10:17
*** magicboiz has joined #openstack-keystone		10:17
*** spectr has joined #openstack-keystone		10:22
*** spectr has quit IRC		10:23
*** namnh has quit IRC		10:25
*** pcaruana has quit IRC		10:55
*** pcaruana has joined #openstack-keystone		10:59
*** ianw has quit IRC		11:03
*** ianw_ has joined #openstack-keystone		11:03
*** ianw_ is now known as ianw		11:04
openstackgerrit	wangxiyuan proposed openstack/keystone master: Expose a bug when create trust with roles https://review.openstack.org/522705	11:25
openstackgerrit	wangxiyuan proposed openstack/keystone master: Fix 500 error when create trust with invalid role key https://review.openstack.org/522706	11:25
*** spectr has joined #openstack-keystone		11:35
*** spectr has quit IRC		11:35
*** threestrands_ has quit IRC		11:42
*** kong has quit IRC		11:53
*** samueldmq has quit IRC		11:53
*** ying_zuo has quit IRC		11:53
*** kmalloc has quit IRC		11:54
*** hrybacki has quit IRC		11:54
*** ildikov has quit IRC		11:54
*** Chealion has quit IRC		11:54
*** magicboiz has quit IRC		11:54
*** samueldmq has joined #openstack-keystone		11:55
*** hrybacki has joined #openstack-keystone		11:55
*** kong has joined #openstack-keystone		11:55
*** Chealion has joined #openstack-keystone		11:56
*** ildikov has joined #openstack-keystone		11:56
*** cloudnull has quit IRC		11:56
*** kmalloc has joined #openstack-keystone		11:56
*** magicboiz has joined #openstack-keystone		11:57
*** cloudnull has joined #openstack-keystone		11:59
*** magicboiz has quit IRC		12:01
*** magicboiz has joined #openstack-keystone		12:02
*** raildo has joined #openstack-keystone		12:05
*** dave-mccowan has joined #openstack-keystone		12:08
*** dave-mcc_ has joined #openstack-keystone		12:09
*** dave-mccowan has quit IRC		12:12
*** fried_turkey is now known as efried		12:18
*** magicboiz has quit IRC		12:21
*** szaher has quit IRC		12:22
*** panbalag has joined #openstack-keystone		12:25
*** panbalag has left #openstack-keystone		12:25
*** szaher has joined #openstack-keystone		12:25
*** links has quit IRC		12:29
*** links has joined #openstack-keystone		12:43
*** jdennis has quit IRC		13:01
*** jdennis has joined #openstack-keystone		13:02
*** markvoelker has quit IRC		13:16
*** markvoelker has joined #openstack-keystone		13:16
*** magicboiz has joined #openstack-keystone		13:33
*** daidv has quit IRC		13:38
*** magicboiz has quit IRC		13:38
*** magicboiz has joined #openstack-keystone		13:39
openstackgerrit	wangxiyuan proposed openstack/keystone master: Fix 500 error when create trust with invalid role key https://review.openstack.org/522706	13:47
*** ying_zuo has joined #openstack-keystone		13:51
lbragstad	o/	14:20
cmurphy	\o	14:23
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Expose a bug when create trust with roles https://review.openstack.org/522705	14:25
*** josecastroleon1 has joined #openstack-keystone		14:30
*** josecastroleon has quit IRC		14:30
*** links has quit IRC		14:32
*** belmoreira has quit IRC		14:33
*** panbalag has joined #openstack-keystone		14:38
*** panbalag has left #openstack-keystone		14:38
*** rmascena has joined #openstack-keystone		14:45
*** raildo has quit IRC		14:48
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Fix 500 error when create trust with invalid role key https://review.openstack.org/522706	15:11
knikolla	o/	15:11
*** panbalag has joined #openstack-keystone		15:18
*** panbalag has left #openstack-keystone		15:19
*** rmascena has quit IRC		15:25
knikolla	lbragstad: we're offering the cloud computing course again this spring. any ideas/desire for proposing a keystone related project we can mentor?	15:25
lbragstad	knikolla: that's a good question - we have plenty of work to do	15:26
knikolla	lbragstad: jan-may, that would be early in the rocky cycle.	15:30
lbragstad	yeah	15:31
*** phalmos has joined #openstack-keystone		15:31
gagehugo	o/	15:50
knikolla	gagehugo: o/	15:56
*** josecastroleon1 has quit IRC		16:04
lbragstad	knikolla: we do any stuff on our roadmap that will push into rocky i'm sure	16:07
*** belmoreira has joined #openstack-keystone		16:09
*** alex_xu has quit IRC		16:11
*** magicboiz has quit IRC		16:14
*** magicboiz has joined #openstack-keystone		16:16
*** magicboiz has quit IRC		16:21
*** magicboiz has joined #openstack-keystone		16:21
*** alex_xu has joined #openstack-keystone		16:27
*** raildo has joined #openstack-keystone		16:32
*** belmoreira has quit IRC		16:35
*** AlexeyAbashkin has quit IRC		16:59
*** gyee_ has joined #openstack-keystone		17:00
*** pcaruana has quit IRC		17:09
*** jmlowe has quit IRC		17:16
openstackgerrit	Merged openstack/keystone master: Expose a bug when create trust with roles https://review.openstack.org/522705	17:30
*** efried is now known as efried_rollin		17:38
*** harlowja has joined #openstack-keystone		17:47
*** belmoreira has joined #openstack-keystone		18:04
*** markvoelker has quit IRC		18:10
*** spilla has joined #openstack-keystone		18:31
*** AlexeyAbashkin has joined #openstack-keystone		18:52
*** belmoreira has quit IRC		18:52
*** belmoreira has joined #openstack-keystone		18:53
*** AlexeyAbashkin has quit IRC		18:56
*** jmlowe has joined #openstack-keystone		18:59
*** linkmark has joined #openstack-keystone		19:04
cmurphy	lbragstad: mordred kmalloc could you take another look at https://review.openstack.org/#/c/512505 ?	19:12
lbragstad	cmurphy: yep - i have that slated for my things to do this afternoon	19:13
cmurphy	ty	19:13
*** pcaruana has joined #openstack-keystone		19:16
*** AlexeyAbashkin has joined #openstack-keystone		19:17
*** AlexeyAbashkin has quit IRC		19:22
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Add scope_types to RuleDefault objects https://review.openstack.org/510222	19:23
openstackgerrit	Gage Hugo proposed openstack/keystone master: WIP - Add JSON Web Token functionality https://review.openstack.org/523200	19:29
lbragstad	lol - nice	19:32
lbragstad	gagehugo: i was just about to send a follow-up email regarding JWT from the summit :)	19:32
gagehugo	lbragstad I threw that together at the SF airport :)	19:33
gagehugo	didn't have much time to work on it since, but now that the holiday is over should be more available	19:35
kmalloc	cmurphy: it looks pretty good	19:48
kmalloc	i'll do another longer pass in a bit	19:48
kmalloc	and score it	19:48
cmurphy	thanks kmalloc	19:52
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Remove role check from middleware from specs https://review.openstack.org/523210	20:02
*** dave-mcc_ is now known as dave-mccowan		20:04
*** AlexeyAbashkin has joined #openstack-keystone		20:17
lbragstad	is anyone here interested in the totp auth stuff?	20:20
lbragstad	https://review.openstack.org/#/q/topic:totp-auth+(status:open+OR+status:merged)	20:20
lbragstad	a couple of those patches are coming up on a year without an update	20:21
*** AlexeyAbashkin has quit IRC		20:21
lbragstad	and i figured i'd ask if anyone wants to take them over before abandoning them	20:21
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Validate disabled domains and projects online https://review.openstack.org/253273	20:26
cmurphy	missing context on what the end goal was there	20:26
cmurphy	i remember adriant had worked on totp stuff at some point	20:28
lbragstad	yeah - i think that was to make it so end users could update their totp secrets, versus having an admin do it	20:30
lbragstad	^ that was one of the problems i remember with it, not sure if that is what dstanek was working on though	20:30
gagehugo	yeah I have no idea what those were going for	20:31
*** jmlowe has quit IRC		20:31
lbragstad	it could have been just general cleanup, too	20:31
*** threestrands_ has joined #openstack-keystone		20:32
*** threestrands_ has quit IRC		20:32
*** threestrands_ has joined #openstack-keystone		20:32
*** threestrands_ has quit IRC		20:33
*** threestrands_ has joined #openstack-keystone		20:34
*** threestrands has joined #openstack-keystone		20:34
*** threestrands has quit IRC		20:34
*** threestrands has joined #openstack-keystone		20:34
kmalloc	in theory anyone can update their totp secrets via the credentials api -- IIRC	20:36
*** efried_rollin is now known as efried		20:38
*** threestrands_ has quit IRC		20:44
lbragstad	updated unified limits spec is up https://review.openstack.org/#/c/455709/	20:49
*** spilla has quit IRC		20:56
adriant	lbragstad, cmurphy: good timing! Just got to my computer	21:10
adriant	yeah, I've been sort of doing some totp stuff, but we're mostly doing it right now with a auth plugin for keystone to enforce password + totp	21:11
adriant	and I'm doing user setup of totp (or will soon) via workflow in our admin tasks service (adjutant)	21:12
adriant	My plan is to submit a spec to keystone for some things I'm missing for real MFA in keystone in the next few days.	21:13
adriant	Even if the spec isn't approved for Queens I'll probably start playing with some prototyping for it.	21:13
adriant	kmalloc: given the current default policy, you can list your own, but not create.	21:17
adriant	that said for totp creds... it's not as easy as just create. You need to realistically confirm you can generate a passcode for it otherwise you will give keystone something unsafe, or something that stops you from being able to auth.	21:18
adriant	because totp as a single auth method is useless by itself, it only really makes sense in context of MFA, and if you turn that on without confirming you can actually generate a passcode, then you're kind of screwed. That's why we are doing it as a workflow where you have to confirm a valid passcode before we turn it on for you in keystone.	21:20
*** aselius has joined #openstack-keystone		21:21
kmalloc	lbragstad: commented on limits	21:22
openstackgerrit	Gage Hugo proposed openstack/keystone master: Migrate legacy-tempest-dsvm-py35 job to zuulV3 https://review.openstack.org/523231	21:34
*** belmoreira has quit IRC		21:34
*** Tahvok has quit IRC		21:35
openstackgerrit	Gage Hugo proposed openstack/keystone master: Migrate legacy-tempest-dsvm-py35 job to zuulV3 https://review.openstack.org/523231	21:36
*** pcaruana has quit IRC		21:41
*** raildo has quit IRC		21:47
openstackgerrit	Merged openstack/keystone master: Fix 500 error when create trust with invalid role key https://review.openstack.org/522706	21:50
kmalloc	lbragstad: i'm going to abandon any patch that hasn't been touched in > 1 year with a comment.	21:53
kmalloc	lbragstad: FYI	21:53
kmalloc	lbragstad: looks like it was 1 patch in keystone.	21:53
lbragstad	kmalloc: yeah - i spent a bunch of time last week cleaning up the review queue	21:55
kmalloc	i think anything > 7 mo should be abandoned	21:55
kmalloc	but i'm just nuking 1yr + now	21:55
kmalloc	lbragstad: ok all patchsets a 12mo or more were abandoned	21:58
*** markvoelker has joined #openstack-keystone		22:09
*** aojea has joined #openstack-keystone		22:10
*** d0ugal has quit IRC		22:21
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add New in Pike note to using db_sync check https://review.openstack.org/523238	22:32
*** rcernin has joined #openstack-keystone		22:34
kmalloc	lbragstad: https://review.openstack.org/#/c/253273/44 needs correct exceptions raised, otherwise +2.	22:36
*** phalmos has quit IRC		22:42
kmalloc	cmurphy: reveiwed, no score. but responded to your and lbragstad's comments on identity-acting-app-creds	22:43
*** jmlowe has joined #openstack-keystone		22:43
lbragstad	kmalloc: quick question	22:47
lbragstad	kmalloc: is DomainNotFound accurate if the domain is disabled?	22:47
lbragstad	the domain technically exists, but it isn't enabled	22:49
lbragstad	ah - i think i see what you mean,	22:51
cmurphy	kmalloc: are you saying something like have POST /v3/users/{}/application_credentials and a special POST /v3/users/{}/identity_application_credentials ? re https://review.openstack.org/#/c/512505	22:52
lbragstad	so as long as it's still a 404 - we should be able to change from a TokenNotFound to DomainNotFOund	22:52
kmalloc	cmurphy: yes	22:59
kmalloc	lbragstad: yes, 404 still	22:59
kmalloc	cmurphy: that was my thinking on how we can address the issue.	23:00
*** sticker has joined #openstack-keystone		23:00
kmalloc	cmurphy: if we differentiate or disallow normal app-creds from working on identity... we pretty much need a new path so we can have policy that allows correct access to it	23:00
cmurphy	kmalloc: so what is the result of a POST /v3/users/{}/identity_app_cred? an object with a special flag?	23:00
kmalloc	cmurphy: the same exact cred, just with the "identity-actionable-whatever-we-call-it" flag	23:01
cmurphy	okay	23:01
kmalloc	s/exact/same object type/	23:01
kmalloc	cmurphy: if we go with the "shutup and let me do the insecure thing" for any user (not default), my comment is not relevant	23:01
kmalloc	it's just an alternative we could use to allow locking down app-creds for keystone to known classes of uses w/o specific IDs (et al) in config	23:02
cmurphy	kmalloc: aha, so what do you think about allowing users to do that?	23:02
kmalloc	i prefer normal users don't get that by default	23:02
kmalloc	i don't feel it is worthy of changing from a +2 once we address that specifically	23:02
kmalloc	in either way	23:02
cmurphy	well - normal users won't have roles that can really do anything on the identity api, so they wouldn't be able to grant their app creds anything special	23:03
kmalloc	so, in short, i'd prefer normal user not acting on identity with the "shut up and let me do it" flag (again, not default). but i would still +2 it	23:03
*** jmlowe has quit IRC		23:03
kmalloc	"normal" being <whatever role can create an app-cred, given they have an identity actionable role>	23:03
kmalloc	i just want to be clear we are either allowing differentiation so identity is not actionable with "normal" app creds. or we're not	23:04
kmalloc	right now it feels like we're saying "uh, maybe...? something"	23:04
kmalloc	i'd be happy enough to accept it in either case. but if we do explicitly differentiate (aka, need a specific user/role to make an app-cred that can identity things), we need to think hard about how that works.	23:05
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Validate disabled domains and projects online https://review.openstack.org/253273	23:06
kmalloc	lbragstad: +2	23:07
lbragstad	fastest +2 ever!	23:07
kmalloc	lbragstad: i also +A'd the spec (rbac thing) removal	23:07
kmalloc	lbragstad: we can revert/add it back in if needed at anypoint	23:07
lbragstad	oh nice	23:07
lbragstad	right	23:07
cmurphy	kmalloc: so in this revision i narrowed down the blocklist from blocking the whole identity API to just blocking the app cred creation for the reason i gave above, a non-admin user won't be able to grant the ability to do those things anyway	23:07
cmurphy	kmalloc: before talking about how to implement it do you think that's a mistake? (differentiating all identity API from app cred creation)	23:08
* lbragstad dangles https://review.openstack.org/#/c/464763/ out for people to review		23:08
kmalloc	cmurphy: i simply want to say we can't differentiate an ADMIN vs say normal user on the same api path	23:08
*** panbalag has joined #openstack-keystone		23:09
kmalloc	cmurphy: so we can't block for everyone but, say, heat to create more app-creds	23:09
kmalloc	if we allow no one to create app-creds with app-creds.. it means heat and similar use cases are unhappy/need another path we can lock down to specific users	23:09
kmalloc	if we allow anyone to create an app-cred that can make app-creds, it's fine as is.	23:10
kmalloc	i simply want to ensure we're not trying to do magic based upon a ... role or user that allows for this special circumstance	23:10
kmalloc	cmurphy: if that helps narrow down what i want.	23:10
*** panbalag has left #openstack-keystone		23:10
kmalloc	i am also 100% ok with simply not allowing app-creds being made with app-creds (Similar to how trusts work)	23:11
kmalloc	but i know it will disappoint heat	23:11
*** gmann_afk is now known as gmann		23:11
cmurphy	kmalloc: what i'm wondering is if you care whether e.g. POST /v3/projects is lumped in with POST /v3/users/{}/app_creds on the allow/block list, however that gets implemented	23:12
openstackgerrit	Merged openstack/keystone-specs master: Remove role check from middleware from specs https://review.openstack.org/523210	23:12
kmalloc	oh no i don't care really.	23:12
cmurphy	okay	23:12
kmalloc	i don't feel strongly either direction	23:12
kmalloc	i care at the basic level of what we block/allow	23:12
kmalloc	also... if we're blocking app-creds... we should block trusts from being created via app-creds	23:12
kmalloc	fwiw	23:12
kmalloc	because in theory you could then create a trust, then create an app-cred to do whatever you want	23:13
kmalloc	(or vice-versa, no app-creds from trusts)	23:13
cmurphy	that's true...	23:13
lbragstad	yeah....	23:13
kmalloc	there are a lot of edge cases we have addressed in trusts =/	23:13
kmalloc	and we have to do all the same work for app-creds really.	23:14
kmalloc	the easiest solution is: anyone can create an appcred that makes an app-cred	23:14
openstackgerrit	Merged openstack/pycadf master: Updated from global requirements https://review.openstack.org/520502	23:18
*** dave-mccowan has quit IRC		23:24
kmalloc	cmurphy: Nice summary in the notes	23:25
kmalloc	cmurphy: thanks I was about to circle back and comment about the IRC convo! :P you beat me to it	23:25
cmurphy	\o/	23:26
*** linkmark has quit IRC		23:26
*** aojea has quit IRC		23:31
*** jmlowe has joined #openstack-keystone		23:35

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!