*** rcernin has quit IRC | 00:02 | |
openstackgerrit | Gage Hugo proposed openstack/keystone master: WIP - Make fernet config and utils generic https://review.openstack.org/523200 | 00:02 |
*** rcernin has joined #openstack-keystone | 00:02 | |
*** rcernin has quit IRC | 00:07 | |
*** rcernin has joined #openstack-keystone | 00:07 | |
*** thorst has joined #openstack-keystone | 00:11 | |
*** david-lyle has quit IRC | 00:15 | |
*** thorst has quit IRC | 00:15 | |
*** aselius has quit IRC | 00:16 | |
*** jmlowe has quit IRC | 00:23 | |
*** david-lyle has joined #openstack-keystone | 00:29 | |
*** david-lyle has quit IRC | 00:34 | |
*** thorst has joined #openstack-keystone | 00:57 | |
*** thorst has quit IRC | 01:02 | |
*** sticker has joined #openstack-keystone | 01:25 | |
*** thorst has joined #openstack-keystone | 01:30 | |
*** thorst has quit IRC | 01:35 | |
*** zhurong has joined #openstack-keystone | 01:35 | |
*** panbalag has joined #openstack-keystone | 01:51 | |
*** panbalag has left #openstack-keystone | 01:53 | |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name https://review.openstack.org/522461 | 01:54 |
*** thorst has joined #openstack-keystone | 02:01 | |
*** thorst has quit IRC | 02:07 | |
*** gmann_afk is now known as gmann | 02:07 | |
*** AlexeyAbashkin has joined #openstack-keystone | 02:12 | |
*** rcernin_ has joined #openstack-keystone | 02:14 | |
*** EmilienM_ has joined #openstack-keystone | 02:15 | |
*** thorst has joined #openstack-keystone | 02:15 | |
*** thorst has quit IRC | 02:16 | |
*** slunkad_ has joined #openstack-keystone | 02:16 | |
*** AlexeyAbashkin has quit IRC | 02:16 | |
*** bigjools_ has joined #openstack-keystone | 02:17 | |
*** Anticime1 has joined #openstack-keystone | 02:18 | |
*** gagehugo_ has joined #openstack-keystone | 02:19 | |
*** annp has joined #openstack-keystone | 02:20 | |
*** rcernin has quit IRC | 02:21 | |
*** magicboiz has quit IRC | 02:21 | |
*** magicboiz has joined #openstack-keystone | 02:21 | |
*** Dinesh__Bhor has joined #openstack-keystone | 02:21 | |
*** mattoliverau_ has joined #openstack-keystone | 02:21 | |
*** zhurong has quit IRC | 02:22 | |
*** jrist has quit IRC | 02:22 | |
*** markvoelker has quit IRC | 02:22 | |
*** gagehugo has quit IRC | 02:22 | |
*** EmilienM has quit IRC | 02:22 | |
*** Dinesh_Bhor has quit IRC | 02:22 | |
*** mattoliverau has quit IRC | 02:22 | |
*** Anticimex has quit IRC | 02:22 | |
*** bigjools has quit IRC | 02:22 | |
*** zigo has quit IRC | 02:22 | |
*** slunkad has quit IRC | 02:22 | |
*** EmilienM_ is now known as EmilienM | 02:22 | |
*** EmilienM has quit IRC | 02:22 | |
*** EmilienM has joined #openstack-keystone | 02:22 | |
*** mattoliverau_ is now known as mattoliverau | 02:23 | |
*** jrist has joined #openstack-keystone | 02:23 | |
*** gagehugo_ has quit IRC | 02:23 | |
*** gagehugo has joined #openstack-keystone | 02:26 | |
*** zigo has joined #openstack-keystone | 02:27 | |
*** markvoelker has joined #openstack-keystone | 02:27 | |
*** zigo is now known as Guest13268 | 02:29 | |
*** nicolasbock has quit IRC | 02:30 | |
*** dave-mccowan has joined #openstack-keystone | 02:30 | |
*** jmlowe has joined #openstack-keystone | 02:42 | |
*** thorst has joined #openstack-keystone | 02:44 | |
*** thorst has quit IRC | 02:44 | |
*** daidv has joined #openstack-keystone | 02:45 | |
*** daidv_ has joined #openstack-keystone | 02:45 | |
*** dave-mccowan has quit IRC | 02:51 | |
*** itlinux has joined #openstack-keystone | 02:53 | |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Refresh the Controller list https://review.openstack.org/524449 | 02:58 |
*** ricolin_ has joined #openstack-keystone | 03:04 | |
*** masber has joined #openstack-keystone | 03:14 | |
*** thorst has joined #openstack-keystone | 03:25 | |
*** thorst has quit IRC | 03:29 | |
*** rcernin has joined #openstack-keystone | 03:50 | |
*** rcernin_ has quit IRC | 03:51 | |
*** namnh has joined #openstack-keystone | 03:52 | |
*** links has joined #openstack-keystone | 03:55 | |
*** thorst has joined #openstack-keystone | 04:04 | |
*** thorst has quit IRC | 04:08 | |
*** threestrands_ has joined #openstack-keystone | 04:24 | |
*** threestrands_ has quit IRC | 04:24 | |
*** threestrands_ has joined #openstack-keystone | 04:24 | |
*** threestrands has quit IRC | 04:26 | |
*** daidv has quit IRC | 04:29 | |
*** itlinux has quit IRC | 04:40 | |
*** thorst has joined #openstack-keystone | 04:44 | |
*** thorst has quit IRC | 04:49 | |
*** rcernin_ has joined #openstack-keystone | 05:09 | |
*** rcernin has quit IRC | 05:09 | |
*** david-lyle has joined #openstack-keystone | 05:13 | |
*** itlinux has joined #openstack-keystone | 05:17 | |
*** thorst has joined #openstack-keystone | 05:20 | |
*** thorst has quit IRC | 05:25 | |
*** sticker has quit IRC | 05:36 | |
*** thorst has joined #openstack-keystone | 05:54 | |
*** thorst has quit IRC | 06:00 | |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Refresh the Controller list https://review.openstack.org/524449 | 06:08 |
*** pcaruana has joined #openstack-keystone | 06:10 | |
*** itlinux has quit IRC | 06:22 | |
*** threestrands_ has quit IRC | 06:24 | |
*** thorst has joined #openstack-keystone | 06:29 | |
*** david-lyle has quit IRC | 06:30 | |
*** thorst has quit IRC | 06:38 | |
*** wxy_ is now known as wxy | 06:51 | |
*** thorst has joined #openstack-keystone | 07:09 | |
*** thorst has quit IRC | 07:13 | |
*** rcernin_ has quit IRC | 07:29 | |
*** thorst has joined #openstack-keystone | 07:47 | |
*** thorst has quit IRC | 07:52 | |
*** AlexeyAbashkin has joined #openstack-keystone | 08:15 | |
*** thorst has joined #openstack-keystone | 08:25 | |
*** thorst has quit IRC | 08:29 | |
openstackgerrit | Andreas Jaeger proposed openstack/oslo.policy master: Avoid tox_install.sh for constraints support https://review.openstack.org/524515 | 08:48 |
*** magicboiz has quit IRC | 08:51 | |
*** magicboiz has joined #openstack-keystone | 08:52 | |
*** gmann is now known as gmann_afk | 08:54 | |
*** thorst has joined #openstack-keystone | 08:57 | |
*** thorst has quit IRC | 09:01 | |
*** Dinesh__Bhor has quit IRC | 09:18 | |
*** Dinesh__Bhor has joined #openstack-keystone | 09:19 | |
*** thorst has joined #openstack-keystone | 09:29 | |
*** thorst has quit IRC | 09:34 | |
*** markvoelker has quit IRC | 09:55 | |
*** jaosorior has quit IRC | 09:55 | |
*** daidv_ has quit IRC | 10:06 | |
*** thorst has joined #openstack-keystone | 10:07 | |
*** thorst has quit IRC | 10:11 | |
*** namnh has quit IRC | 10:20 | |
*** openstackgerrit has quit IRC | 10:33 | |
*** thorst has joined #openstack-keystone | 10:44 | |
*** thorst has quit IRC | 10:48 | |
*** markvoelker has joined #openstack-keystone | 10:55 | |
*** Mani__ has joined #openstack-keystone | 11:09 | |
Mani__ | Hello Everyone | 11:10 |
Mani__ | I need your valuable suggestions on integration of Active Directory with Openstack | 11:11 |
Mani__ | we are using keystone V2; how can I integrate AD with openstack? | 11:11 |
Mani__ | Can any one help me? | 11:11 |
*** thorst has joined #openstack-keystone | 11:17 | |
*** thorst has quit IRC | 11:22 | |
*** Dinesh__Bhor has quit IRC | 11:30 | |
*** nicolasbock has joined #openstack-keystone | 11:43 | |
*** raildo has joined #openstack-keystone | 11:53 | |
*** thorst has joined #openstack-keystone | 11:57 | |
*** thorst has quit IRC | 12:01 | |
*** magicboiz has quit IRC | 12:04 | |
cmurphy | Mani__: we have documentation on it here https://docs.openstack.org/keystone/latest/admin/identity-integrate-with-ldap.html | 12:10 |
*** thorst has joined #openstack-keystone | 12:11 | |
*** magicboiz has joined #openstack-keystone | 12:11 | |
*** magicboiz has quit IRC | 12:15 | |
*** magicboiz has joined #openstack-keystone | 12:16 | |
*** ricolin_ has quit IRC | 12:23 | |
*** Jack_Iv has joined #openstack-keystone | 12:27 | |
Mani__ | cmurphy: In the document they are using the domain concept. Do we have any process without domains, I mean by using keystone v2? | 13:06 |
*** magicboiz has quit IRC | 13:07 | |
cmurphy | Mani__: that document accounts for both a fully ldap-backed setup or a domain-independent setup, for example the section "To integrate one Identity back end with LDAP" covers what you want | 13:12 |
cmurphy | Mani__: however there is absolutely no reason you should need to use only keystone v2, v3 has been available for many many releases and v2 is taken out in queens | 13:13 |
*** links has quit IRC | 13:17 | |
*** efried is now known as fried_rice | 13:22 | |
*** markvoelker has quit IRC | 13:25 | |
*** markvoelker has joined #openstack-keystone | 13:25 | |
*** jdennis has quit IRC | 13:26 | |
Mani__ | cmurphy: We are buying the cloud from a cloud provider, they are not giving the support for v3 so we have to use v2 only :( | 13:27 |
*** jdennis has joined #openstack-keystone | 13:28 | |
Mani__ | cmurphy: "To integrate one Identity back end with LDAP" if we are using this one, we don't have sql backend right? Actually our requirement is we need AD and sql backend as well | 13:28 |
cmurphy | Mani__: it is not possible to not use domains and use both sql and ldap | 13:29 |
cmurphy | not with anything we have in keystone, you could write a custom identity driver to combine them | 13:30 |
cmurphy | Mani__: if you are buying this from a cloud provider i'm surprised you are setting this up yourself, ldap integration can only be done by modifying the server side config so i would expect the cloud vendor to take care of it for you | 13:31 |
Mani__ | we have an agreement that he can provide the support after one year :( | 13:32 |
cmurphy | ("ldap integration can only be done by modifying the server side config" actually that's not entirely true but you still need v3 to do it with the REST API) | 13:34 |
Mani__ | cmurphy: ohh .. Then we can't do it with v2, right? | 13:36 |
cmurphy | Mani__: no, with v2 you are stuck, you can only make it 100% ldap or 100% sql and you need to edit your keystone.conf to do it | 13:37 |
cmurphy | the new shiny things were only added in v3 | 13:37 |
Mani__ | ok Thanks cmurphy for the help | 13:38 |
Mani__ | Thank you so much | 13:38 |
cmurphy | no problem | 13:38 |
*** jaypipes is now known as leakypipes | 13:43 | |
-openstackstatus- NOTICE: gerrit has been restarted to get it back to its normal speed. | 13:51 | |
*** itlinux has joined #openstack-keystone | 13:53 | |
*** links has joined #openstack-keystone | 13:58 | |
*** nicolasbock has quit IRC | 13:59 | |
*** AlexeyAbashkin has quit IRC | 14:02 | |
*** MeltedLux has quit IRC | 14:03 | |
*** panbalag has joined #openstack-keystone | 14:05 | |
*** Mani__ has quit IRC | 14:12 | |
*** jmlowe has quit IRC | 14:16 | |
*** ildikov is now known as coffee_cat | 14:20 | |
*** dansmith is now known as superdan | 14:25 | |
sudodude | i am working on AD integration and it looks like I can at least list users in AD (that I've created in AD) but when I try to delete a user, or create a user, for instance, I get a HTTP 403 error. What could be wrong? | 14:26 |
*** links has quit IRC | 14:26 | |
lbragstad | couple pretty easy reviews here if anyone is interested https://review.openstack.org/#/q/topic:bug/1733754+(status:open+OR+status:merged) | 14:27 |
cmurphy | sudodude: we removed write access from the ldap backend, it is read-only now | 14:28 |
cmurphy | sudodude: so you have to add and delete users directly with AD | 14:28 |
sudodude | oh ok | 14:28 |
sudodude | so are my tenants and roles in AD as well or are these only in OS? | 14:29 |
cmurphy | sudodude: no those should only be in openstack | 14:29 |
sudodude | ok great | 14:29 |
cmurphy | but your groups would be in AD | 14:29 |
*** Jack_Iv has quit IRC | 14:30 | |
sudodude | so I should be able to assign an AD user a role and a project in OS and then just log in to horizon, right? | 14:30 |
cmurphy | sudodude: yep | 14:33 |
*** phalmos has joined #openstack-keystone | 14:33 | |
*** phalmos has quit IRC | 14:44 | |
*** openstackgerrit has joined #openstack-keystone | 14:52 | |
openstackgerrit | Merged openstack/oslo.policy master: Avoid tox_install.sh for constraints support https://review.openstack.org/524515 | 14:52 |
sudodude | looks like after assigning a project and role to an AD user, I am able to log in and see the project and whatnot. What I can't seem to get working is the groups. I create a group (grp-openstack) in the same container I use for the other openstack users in AD but when I try to list groups from the domain, list comes up empty | 14:55 |
*** d0ugal has quit IRC | 14:56 | |
cmurphy | sudodude: check the [ldap]/group_* conf options? https://docs.openstack.org/keystone/latest/configuration/config-options.html#ldap.group_tree_dn | 15:00 |
cmurphy | the keystone debug logs should show the queries it is making to ldap so you can check that those are right | 15:01 |
*** phalmos has joined #openstack-keystone | 15:04 | |
*** david-lyle has joined #openstack-keystone | 15:07 | |
lbragstad | cmurphy: i took a stab at airing out my concerns on https://review.openstack.org/#/c/455709/13 | 15:15 |
lbragstad | kmalloc: ^ | 15:15 |
cmurphy | lbragstad: cool | 15:17 |
lbragstad | i guess the way i think about it... if we make regions optional, we should probably change limits to have a uuid | 15:17 |
lbragstad | which changes the representation and how people interact with the API | 15:18 |
*** d0ugal has joined #openstack-keystone | 15:18 | |
lbragstad | but it will be flexible enough to allow people to limit services if those services don't have regions (lower barrier to entry) | 15:18 |
lbragstad | but it doesn't prevent anyone from putting all the things in regions and still using limits | 15:18 |
cmurphy | i'm +1 on making limits have ids | 15:19 |
cmurphy | everything else in keystone has ids | 15:19 |
cmurphy | even when it's silly like for domains | 15:19 |
lbragstad | yeah... | 15:19 |
lbragstad | i think we could possibly *not* have id iff we knew regions would *always* be present | 15:19 |
lbragstad | but, i don't think that is the case | 15:20 |
cmurphy | yeah | 15:20 |
lbragstad | s/don't think/know/ | 15:20 |
*** MeltedLux has joined #openstack-keystone | 15:21 | |
lbragstad | i'll propose a follow on that incorporates what that looks like... wxy can steal bits from it if he wants | 15:22 |
*** d0ugal has quit IRC | 15:29 | |
*** ianw has quit IRC | 15:34 | |
mordred | fried_rice: if you get a sec, https://review.openstack.org/#/c/524647/ | 15:40 |
fried_rice | mordred ... | 15:40 |
fried_rice | mordred lgtm, +A | 15:41 |
mordred | fried_rice: woot! thanks | 15:41 |
*** thorst has quit IRC | 15:45 | |
*** d0ugal has joined #openstack-keystone | 15:46 | |
*** jmlowe has joined #openstack-keystone | 15:47 | |
*** david-lyle has quit IRC | 15:53 | |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Add osc-tox-unit-tips jobs https://review.openstack.org/524656 | 15:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone-specs master: Add IDs to limits https://review.openstack.org/524657 | 15:58 |
lbragstad | cmurphy: ^ worked through most of the registered limit examples and one of the project limit apis | 15:58 |
cmurphy | lbragstad: cool, will have a look this weekend | 15:59 |
lbragstad | awesome - thanks! | 15:59 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Add shade and python-openstacksdk tips jobs https://review.openstack.org/524659 | 16:00 |
mordred | lbragstad, cmurphy: ^^ those two patches add cross-testing between ksa and shade, sdk and osc - which should give us an *excellent* amount of functional coverage | 16:02 |
lbragstad | sweet | 16:02 |
*** thorst has joined #openstack-keystone | 16:15 | |
*** thorst has quit IRC | 16:20 | |
*** Neptu has quit IRC | 16:22 | |
*** david-lyle has joined #openstack-keystone | 16:22 | |
*** thorst has joined #openstack-keystone | 16:24 | |
*** thorst has quit IRC | 16:28 | |
ayoung | OK...I'm just going to paste here...don't feel the need to respond...I'm stuck debugging the oslo-context work. | 16:32 |
ayoung | Got most of the tests running, but the cloudsample one is tripping me up | 16:32 |
ayoung | it appears like a token that should not have is_admin_project set on it is getting that set | 16:32 |
ayoung | requests a token for domain_id=self.domainA['id']) | 16:34 |
ayoung | a domain scoped token should never get is_admin_project set...but maybe oslo-context doesn't know that? | 16:34 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Add osc, shade and sdk tips jobs https://review.openstack.org/524656 | 16:39 |
ayoung | print request.token_info | 16:40 |
ayoung | {'token': {'is_domain': False, 'methods': [u'password'], 'roles': [{'id': '62207a1de27d4a6b9510acc80d578bd7', 'name': 'admin'}], 'is_admin_project': True, 'project': {'domain': {'id': u'de39141c5960495ea6ad391d37b5c47b', 'name': u'ab4d174fdddb4058bb03df3df67a3800'}, 'id': 'ef4ffe61b1404c6bac3fc7d44e8faf78', 'name': 'efe0e47584e74f6d88c0ff6665069975'}, 'catalog': [], 'expires_at': '2017-12-01T17:39:33.000000Z', | 16:40 |
ayoung | 'audit_ids': [u'aKMwwqjwS02JnbDvcDD0VQ'], 'issued_at': '2017-12-01T16:39:33.000000Z', 'user': {'domain': {'id': u'de39141c5960495ea6ad391d37b5c47b', 'name': u'ab4d174fdddb4058bb03df3df67a3800'}, 'password_expires_at': None, 'name': u'5b13a197d5244fcb971101328f171e32', 'id': u'8526a9ec58cf4c42b6ff6406d9dcd9a2'}}} | 16:40 |
ayoung | that sure looks like it has is_admin_project set for a domain scoped token | 16:41 |
*** thorst has joined #openstack-keystone | 16:41 | |
*** Neptu has joined #openstack-keystone | 16:47 | |
*** thorst has quit IRC | 16:50 | |
sudodude | is it possible to have keystone query multiple user OUs? | 16:52 |
*** itlinux has quit IRC | 16:53 | |
ayoung | sudodude, if you can write the LDAP query, keystone can probably do it | 17:10 |
*** AlexeyAbashkin has joined #openstack-keystone | 17:13 | |
*** fried_rice is now known as fried_rolls | 17:14 | |
*** AlexeyAbashkin has quit IRC | 17:17 | |
*** itlinux has joined #openstack-keystone | 17:20 | |
*** thorst has joined #openstack-keystone | 17:21 | |
*** thorst has quit IRC | 17:26 | |
*** thorst has joined #openstack-keystone | 17:28 | |
*** thorst has quit IRC | 17:33 | |
*** thorst has joined #openstack-keystone | 17:34 | |
*** AlexeyAbashkin has joined #openstack-keystone | 17:37 | |
sudodude | ayoung: would you have an example of how this might be implemented? | 17:41 |
*** AlexeyAbashkin has quit IRC | 17:41 | |
ayoung | sudodude, nope. I'm just deducing from first principles. But I did write the LDAP support, so my opinion is suspect anyway. What are you trying to do? | 17:50 |
sudodude | well, I have multiple user groups I need to be able to query, in different OUs. I can't seem to be able to query the entire directory by not specifying user_tree_dn so, right now, I can only have it working by specifying a single user_tree_dn | 17:54 |
*** prashkre has joined #openstack-keystone | 17:58 | |
sudodude | sorry, by "user groups" i actually meant user OUs | 18:02 |
*** david-lyle has quit IRC | 18:02 | |
*** david-lyle has joined #openstack-keystone | 18:04 | |
kmalloc | sudodude: you might be able to do it with a filter, but a query from root | 18:13 |
kmalloc | so you query and filter down to the OUs you need | 18:14 |
*** gyee has joined #openstack-keystone | 18:18 | |
openstackgerrit | Tin Lam proposed openstack/python-keystoneclient master: Add project tags to keystoneclient https://review.openstack.org/481223 | 18:20 |
*** aselius has joined #openstack-keystone | 18:21 | |
lbragstad | lamt: is there a patch to support tags in osc? | 18:26 |
sudodude | kmalloc: sounds good, I'll give that a try | 18:36 |
*** panbalag has left #openstack-keystone | 18:39 | |
gagehugo | lbragstad https://review.openstack.org/#/c/481284/ | 18:47 |
gagehugo | need to revisit that | 18:47 |
lamt | lbragstad my irc has been flaky but yes, thats the patch set | 18:51 |
lbragstad | lamt: cool- i'll pull both into an env and test things out | 18:52 |
lbragstad | is anyone here familiar with OPA? http://www.openpolicyagent.org/docs/ | 18:58 |
*** david-lyle has quit IRC | 19:05 | |
ayoung | OK...back to my monologue. I think I figured out what is happening. It looks like the auth_ref used by keystonemiddleware has decided that the domain scoped token is_admin_project. | 19:10 |
*** david-lyle has joined #openstack-keystone | 19:21 | |
*** dklyle has joined #openstack-keystone | 19:36 | |
*** david-lyle has quit IRC | 19:37 | |
ayoung | and it looks like it is all the way down in keystoneauth1 plugin | 19:37 |
*** leakypipes has quit IRC | 19:44 | |
*** dklyle has quit IRC | 19:57 | |
*** AlexeyAbashkin has joined #openstack-keystone | 20:11 | |
lbragstad | lamt: qq on the project tags client stuff | 20:14 |
lbragstad | if i do --tag blue --tag green on a project, that project will be tagged with those tags | 20:14 |
lbragstad | but if i do `openstack project set --tag azul --tag red development` the project will have all four tags (blue, azul, green, red) | 20:15 |
lbragstad | is that supposed to do a whole rewrite? | 20:15 |
*** AlexeyAbashkin has quit IRC | 20:15 | |
*** MeltedLux has quit IRC | 20:16 | |
ayoung | lbragstad, so keystoneauth1 plugin assumes that if a token response has nothing on it, it should set is_admin_project to true. Which, for most cases is correct, but not for domain scoped tokens | 20:17 |
ayoung | and I'm tempted to fix this back in the keystone layer | 20:17 |
lbragstad | why not fix it in keystoneauth? | 20:17 |
ayoung | by explicitly putting is_admin_project on all tokens, | 20:17 |
ayoung | because the rest of the world | 20:17 |
lbragstad | .... that doesn't seem like it should be the fix | 20:17 |
ayoung | what if someone is using a language not python | 20:17 |
ayoung | like, we use CloudForms, which is a rails app, for 90% of our openstack work | 20:18 |
ayoung | and...why not go to the source | 20:18 |
ayoung | I think I backed off this when talking with jamielennox , but there is no reason it can't be done in both places | 20:18 |
ayoung | Keystone should not have to depend on ksa, and vice versa, to do the right thing | 20:19 |
*** thorst has quit IRC | 20:19 | |
lbragstad | gagehugo: one comment so far on https://review.openstack.org/#/c/481284/10 | 20:21 |
ayoung | lbragstad, I | 20:23 |
ayoung | lbragstad, I'm scared of our tags implementation | 20:23 |
ayoung | I think we are going to mess it up big time | 20:23 |
ayoung | tags are not a resource of a project, they are something you use to classify a project, and as such, need their own rbac, | 20:23 |
*** MeltedLux has joined #openstack-keystone | 20:24 | |
*** fried_rolls is now known as fried_rice | 20:24 | |
ayoung | I realize that people also want them to help manage their own projects, and hopefully that is all they are used for | 20:24 |
ayoung | we need to communicate that, forcefully | 20:24 |
ayoung | do not use tags to manage the capabilities of a project | 20:25 |
*** pcaruana has quit IRC | 20:25 | |
*** itlinux has quit IRC | 20:25 | |
*** itlinux has joined #openstack-keystone | 20:26 | |
lbragstad | ayoung: i'm not sure i'm following | 20:26 |
ayoung | lbragstad, say you have a tag that indicates a project is somehow privileged | 20:27 |
ayoung | like, VMs in a project tagged "powerful" can get access to resources that other projects can't | 20:27 |
ayoung | you need to control who can tag a project as "powerful" | 20:28 |
ayoung | but if all I need in order to tag a project is admin on that project, I can tag it with anything, including "powerful" | 20:28 |
ayoung | the ability to tag a project for security reasons needs to be outside the control of that project itself, right? | 20:28 |
ayoung | lbragstad, lets say you have 3 tiers of cells inside a Nova cluster: gold, silver, bronze | 20:30 |
ayoung | gold is for users that pay more, bronze is freemium | 20:30 |
ayoung | and VM placement is done based on the tags on the project | 20:31 |
ayoung | The ability to tag a project as "gold" is the ability to elevate the level of service for that project. | 20:31 |
lbragstad | right - so you don't want to let members of that project do that, yeah? | 20:32 |
ayoung | right | 20:32 |
ayoung | its more than that | 20:32 |
ayoung | you need ownership of the tag | 20:32 |
ayoung | say there is another tag, which is for "encrypted drives" that are a security hardening thing for cinder | 20:33 |
ayoung | but its managed by a different group. if I can tag a project for encrypteddrives, that does not mean I should be able to tag the project for "gold" | 20:33 |
lbragstad | so - initially | 20:34 |
ayoung | In cloudforms, tags are grouped into categories. I think that there needs to be a category for user tags that the project members can modify, and others that they cannot, for QOS type stuff | 20:34 |
lbragstad | the ability to tag projects should be reserved by the deployment administrators | 20:34 |
lbragstad | or limited to the deployment administrators | 20:35 |
lbragstad | and not the actual owners of the project | 20:35 |
lbragstad | or members of the project | 20:35 |
ayoung | will tagging a project be done with a domain scoped token, then? | 20:35 |
ayoung | or at least not a token scoped to the project to be tagged? | 20:35 |
ayoung | lbragstad, what if... | 20:36 |
ayoung | we grouped tags into categories. A given category would be associated with a role, and could be reserved for is_admin_project, or Service Roles in the future? | 20:37 |
ayoung | tag assignment, that is | 20:37 |
lbragstad | that's be predefining what people are going to use tags for | 20:37 |
lbragstad | that'd* | 20:37 |
ayoung | not really. So long as the mechanism is flexible, we just make it possible to manage it | 20:38 |
lbragstad | if tag.name == "gold" and role.name != "super-admin"; raise exception | 20:38 |
gagehugo | lbragstad ack | 20:38 |
ayoung | it might mean a little more complexity on the object model | 20:38 |
ayoung | more like: if tag.category.role not in user.roles raise | 20:39 |
ayoung | categories also get a scope. We can, for the first implementation, only support project scoping | 20:39 |
ayoung | I think that is what is most in demand | 20:39 |
ayoung | so a project scoped category requires a project scoped role in order to assign | 20:40 |
ayoung | a domain scoped category needs a domain scoped role in order to assign | 20:40 |
ayoung | and we can have Service scoped categories in the future, too. | 20:40 |
openstackgerrit | Nicolas Helgeson proposed openstack/keystonemiddleware master: Use oslo_cache in auth_token middleware https://review.openstack.org/268664 | 20:41 |
ayoung | Think it through. For not much effort, we might save ourselves a lot of headache in the future. | 20:41 |
ayoung | gagehugo, would that approach derail you? | 20:41 |
lbragstad | yeah... | 20:41 |
lbragstad | so - what if you used resource options on projects to denote the category of things project members can't do? | 20:41 |
lbragstad | setting resource options would be a system-level administrator API call | 20:42 |
gagehugo | ayoung for categorizing tiers of projects? | 20:42 |
ayoung | I think that is effectively saying that we name the tags something else. | 20:42 |
ayoung | gagehugo, yeah. For controlling access to who can assign tags to what things. | 20:43 |
lbragstad | the operator could set the categories on the project to be 'gold', 'silver', 'bronze' | 20:43 |
lbragstad | and then have logic that makes it so that only system-level admins can modify those tags | 20:43 |
lbragstad | or modify the tags in that "category" | 20:44 |
ayoung | lbragstad, right. and even a provisioning engine can set the level by default for a new project | 20:44 |
lbragstad | then, if i'm the project admin, my project-scoped token will fail that check | 20:44 |
ayoung | 'whenever I create a new project, in the "QOS" category, assign the "bronze" tag' | 20:44 |
lbragstad | if i try to bump my membership from "bronze" to "gold" | 20:44 |
lbragstad | but - i can still tag my project "blue" and "green" because they aren't in the category | 20:45 |
ayoung | Right. And we can even make is_admin_project/service scoped roles that are less than admin that can be used to modify the assignments so you don't have to give away a full "admin" to a user in order to do cross cutting concerns | 20:45 |
ayoung | a domain scoped role is really powerful there | 20:46 |
ayoung | it means that I can assign those tags to projects in my domain, but not in others | 20:46 |
lbragstad | yeah... | 20:46 |
lbragstad | so - i think we're ok today | 20:47 |
gagehugo | hmm | 20:47 |
lbragstad | but as we fix rbac, we're going to need to coordinate that at the same time if we want to offer that level of protection | 20:47 |
lbragstad | (for people that are using project tags like that) | 20:47 |
lbragstad | which seems like a relatively advanced use case | 20:48 |
ayoung | Ok, lets assume, for the moment, that we implement the existing plan | 20:48 |
ayoung | now, next release, we introduce the concept of tag categories | 20:48 |
ayoung | and we default all existing tags into the "Default" category | 20:48 |
ayoung | that gives people a way to reshuffle them if they want the more specific RBAC. | 20:49 |
lbragstad | or you can keep the tags as normal tags and just offer that ability to group them into resource options via the API | 20:49 |
lbragstad | then it is completely opt in | 20:49 |
ayoung | is "resource option" a new thing that I am not aware of? | 20:49 |
lbragstad | yeah - morgan did it | 20:50 |
ayoung | link? I can read up on them. | 20:50 |
*** thorst has joined #openstack-keystone | 20:50 | |
lbragstad | example usage https://github.com/openstack/keystone/commit/1896d1ba0d24d3780ce8c7652fa4c4378a02255d | 20:51 |
lbragstad | i think you just need to provide a way to isolate some tags from other tags | 20:52 |
lbragstad | iff you're using tags that way | 20:52 |
lbragstad | otherwise it shouldn't matter | 20:52 |
lbragstad | resource options might be a way to set a projects category to a specific set | 20:53 |
lbragstad | then you can keep the enforcement logic relatively simple | 20:53 |
gagehugo | there's 2 resource options currently right? | 20:54 |
lbragstad | if tag in project.protected_tags and user.role not policy.role: raise Forbidden | 20:54 |
lbragstad | gagehugo: yeah - something like that | 20:54 |
lbragstad | gagehugo: but we should document project tags and say that future improvements might make those use cases easier and more secure | 20:54 |
gagehugo | ok | 20:55 |
lbragstad | (until then don't assume project tags are managed by their creating users) | 20:55 |
*** thorst has quit IRC | 20:55 | |
lbragstad | or don't expect to use them the way ayoung described | 20:55 |
lbragstad | because security | 20:55 |
lbragstad | if someone decides to do it, then we at least have it documented | 20:56 |
gagehugo | Is there project resource options or just users right now? | 20:56 |
ayoung | BTW, if we do categories for tags, nothing says that a category can only have one value | 20:56 |
gagehugo | I think it might be just users? | 20:56 |
lbragstad | ayoung: yeah - it could be a list | 20:56 |
ayoung | IE, in my example, a project could be tagged as QOS:Gold, QOS:Silver and QOS:Bronze | 20:56 |
ayoung | Also, tag names should only be unique within a category, but should be able to be reused outside a category | 20:57 |
lbragstad | ayoung: that's true of all tags | 20:57 |
lbragstad | and that's the way the current implementation works i believe | 20:57 |
ayoung | do we have categories today? | 20:57 |
lbragstad | no | 20:57 |
lbragstad | i think that should be a future specification to enhance the usability of tags specifically for that use case | 20:58 |
ayoung | right, so I think we are OK/future proof with what we have | 20:58 |
lbragstad | yes | 20:58 |
gagehugo | sure | 20:58 |
ayoung | I'll write up a skeleton spec for the categories of tags, including a migration plan. | 20:58 |
lbragstad | pending we have some documentation that says "hey, if you're using tags to control stuff like billing...." | 20:58 |
lbragstad | don't expect it to be secure, that's future work | 20:59 |
lbragstad | the initial implementation of tags doesn't account for all of those cases | 20:59 |
ayoung | this is real SELinux type stuff | 20:59 |
lbragstad | but it doesn't prevent us from doing that in the future | 20:59 |
*** rmascena has joined #openstack-keystone | 21:00 | |
ayoung | is "resource options" a keystone spec? kmalloc ? | 21:00 |
kmalloc | it was something at some point | 21:01 |
kmalloc | the framework is there | 21:01 |
kmalloc | but we need to expand it to other resources | 21:01 |
lbragstad | gagehugo: do we have that safety net documented somewhere? i thought we talked about that somewhere in the spec? | 21:01 |
ayoung | kmalloc, at some point, I need to walk you through cloudforms, if you have not used it | 21:01 |
gagehugo | lemme look | 21:01 |
kmalloc | right now, i think resource options are not anything but users | 21:02 |
lbragstad | kmalloc: correct | 21:02 |
ayoung | I would actually be happy to do that for the whole Keystone team. It gives some really interesting perspective | 21:02 |
*** raildo has quit IRC | 21:02 | |
gagehugo | bah forgot to update the table example in that last update | 21:02 |
lbragstad | just so long as we have a big red sticker somewhere that informs users that RBAC on project tags isn't different from RBAC on projects | 21:03 |
ayoung | I kinda want the category thing in there up front. Annoyed at myself that I did not see it until now. More churn... | 21:04 |
gagehugo | lbragstad we mention it in the security impact | 21:06 |
lbragstad | awesome | 21:07 |
lbragstad | aha - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/project-tags.html#security-impact | 21:07 |
gagehugo | and the policy defaults to the same as project | 21:07 |
gagehugo | in-code | 21:07 |
*** ianw has joined #openstack-keystone | 21:09 | |
*** AlexeyAbashkin has joined #openstack-keystone | 21:11 | |
ayoung | OK...back to my monologue. I was able to work around the problem with a one line change. | 21:15 |
*** AlexeyAbashkin has quit IRC | 21:15 | |
ayoung | well, four lines if you include the 3 lines of comments | 21:15 |
ayoung | it would have been 5 but I already had this check if token.domain_scoped: | 21:16 |
ayoung | added in | 21:16 |
ayoung | kwargs['is_admin_project'] = False | 21:16 |
ayoung | and that gets passed to the creation of the oslo-context | 21:16 |
*** linkmark has joined #openstack-keystone | 21:18 | |
*** thorst has joined #openstack-keystone | 21:20 | |
*** rcernin has joined #openstack-keystone | 21:22 | |
*** thorst has quit IRC | 21:25 | |
*** thorst has joined #openstack-keystone | 21:31 | |
ayoung | Ran: 5440 tests in 411.0000 sec. | 21:35 |
ayoung | - Passed: 4640 | 21:35 |
ayoung | - Skipped: 800 | 21:35 |
ayoung | - Expected Fail: 0 | 21:35 |
ayoung | - Unexpected Success: 0 | 21:35 |
ayoung | - Failed: 0 | 21:35 |
ayoung | Sum of execute time for each test: 3195.3957 sec. | 21:35 |
ayoung | W00t! | 21:36 |
*** thorst has quit IRC | 21:36 | |
lbragstad | nice - 16:37 on a friday, too | 21:37 |
ayoung | lbragstad, problem is I can't run pep8 | 21:38 |
ayoung | keep getting an out of space error on the device...got 7+ GB too | 21:39 |
*** ayoung has quit IRC | 21:45 | |
*** rmascena has quit IRC | 21:47 | |
*** ayoung has joined #openstack-keystone | 21:47 | |
ayoung | kmalloc, lbragstad OK, why is PIP blowing out my /tmp dir when trying to run pep8 and how do I work around it? | 21:48 |
ayoung | tmpfs 7.7G 172K 7.7G 1% /tmp | 21:48 |
ayoung | now, but was at | 21:48 |
ayoung | tmpfs 7.7G 3.5G 4.3G 45% /tmp | 21:48 |
ayoung | before I wiped: | 21:48 |
ayoung | rm -rf /tmp/pip-oypalrr0-build/ | 21:48 |
ayoung | and that failed with | 21:49 |
ayoung | ERROR: pep8: could not install deps | 21:49 |
*** thorst has joined #openstack-keystone | 21:49 | |
ayoung | '/tmp/pip-oypalrr0-build/tox.ini', '[Errno 28] No space left on device')] | 21:49 |
*** ayoung has quit IRC | 21:52 | |
*** ayoung has joined #openstack-keystone | 21:56 | |
ayoung | just increased my tmp size to 20 GB, but I should not have to do that to run pep8 | 21:56 |
kmalloc | uhm | 21:57 |
kmalloc | *blink* | 21:57 |
*** prashkre has quit IRC | 22:01 | |
openstackgerrit | ayoung proposed openstack/keystone master: Use oslo-context https://review.openstack.org/523650 | 22:03 |
ayoung | hrybacki, take a look at that one, it should fill in some of the explanation for what we were talking about | 22:03 |
*** thorst has quit IRC | 22:03 | |
ayoung | after that one, I can hope to drop most of common/authorization.py | 22:04 |
*** thorst has joined #openstack-keystone | 22:40 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: WIP Add Application Credentials controller https://review.openstack.org/524423 | 22:42 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: WIP Add Application Credentials manager https://review.openstack.org/524747 | 22:42 |
*** thorst has quit IRC | 22:45 | |
*** itlinux has quit IRC | 22:59 | |
*** fried_rice is now known as efried | 22:59 | |
openstackgerrit | ayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations https://review.openstack.org/257636 | 23:03 |
openstackgerrit | ayoung proposed openstack/keystone master: Add is_admin_project check to policy for token validations https://review.openstack.org/520845 | 23:03 |
*** itlinux has joined #openstack-keystone | 23:08 | |
*** thorst has joined #openstack-keystone | 23:14 | |
*** thorst has quit IRC | 23:19 | |
*** hoonetorg has quit IRC | 23:19 | |
*** itlinux has quit IRC | 23:28 | |
*** thorst has joined #openstack-keystone | 23:45 | |
*** thorst has quit IRC | 23:50 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!