Thursday, 2018-06-28

*** liuzz has quit IRC		00:00
*** alex_xu has joined #openstack-keystone		00:04
*** felipemonteiro_ has joined #openstack-keystone		00:12
*** itlinux has joined #openstack-keystone		00:23
*** felipemonteiro_ has quit IRC		00:26
*** gyee has quit IRC		00:39
*** Dinesh_Bhor has joined #openstack-keystone		01:01
*** spotz has quit IRC		01:04
*** itlinux has quit IRC		01:08
*** itlinux has joined #openstack-keystone		01:12
*** edmondsw has joined #openstack-keystone		01:16
*** edmondsw has quit IRC		01:20
*** spotz has joined #openstack-keystone		01:20
*** raildo has quit IRC		01:22
*** gongysh has joined #openstack-keystone		01:35
*** liuzz has joined #openstack-keystone		01:37
*** liuzz_ has joined #openstack-keystone		01:40
*** liuzz has quit IRC		01:40
*** AlexeyAbashkin has joined #openstack-keystone		02:10
*** links has joined #openstack-keystone		02:30
*** links has quit IRC		02:30
*** AlexeyAbashkin has quit IRC		02:39
*** edmondsw has joined #openstack-keystone		03:03
*** tonytan4ever has quit IRC		03:07
*** edmondsw has quit IRC		03:08
*** tonytan4ever has joined #openstack-keystone		03:46
*** tonytan4ever has quit IRC		03:50
*** sonuk has joined #openstack-keystone		04:07
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Added check to avoid keyerror "user['name']" https://review.openstack.org/576433	04:22
*** tonytan4ever has joined #openstack-keystone		04:24
*** AlexeyAbashkin has joined #openstack-keystone		04:32
*** edmondsw has joined #openstack-keystone		04:52
openstackgerrit	wu.chunyang proposed openstack/python-keystoneclient master: Add release note link in README https://review.openstack.org/578652	04:56
*** edmondsw has quit IRC		04:57
*** gongysh has quit IRC		05:06
*** AlexeyAbashkin has quit IRC		05:25
*** gongysh has joined #openstack-keystone		05:31
*** openstackgerrit has quit IRC		05:34
*** openstackstatus has quit IRC		05:51
*** openstackstatus has joined #openstack-keystone		05:52
*** ChanServ sets mode: +v openstackstatus		05:52
*** vishakha has quit IRC		05:56
*** parthiban has joined #openstack-keystone		05:59
*** vishakha has joined #openstack-keystone		06:08
parthiban	Hello all, Can someone help me out on key revocation system to quickly deactivate potentially compromised keys in OpenStack - https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation	06:19
*** liuzz_ has quit IRC		06:19
*** liuzz has joined #openstack-keystone		06:19
*** AlexeyAbashkin has joined #openstack-keystone		06:29
*** edmondsw has joined #openstack-keystone		06:40
*** AlexeyAbashkin has quit IRC		06:41
*** nicolasbock has joined #openstack-keystone		06:43
*** edmondsw has quit IRC		06:46
*** martinus__ has joined #openstack-keystone		06:55
parthiban	Hello all, Can someone help me out on key revocation system to quickly deactivate potentially compromised keys in OpenStack - https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation	07:02
*** peereb has joined #openstack-keystone		07:09
*** pcaruana has joined #openstack-keystone		07:10
*** tesseract has joined #openstack-keystone		07:11
*** amoralej\|off is now known as amoralej		07:26
*** liuzz_ has joined #openstack-keystone		07:37
*** liuzz has quit IRC		07:39
*** ispp has joined #openstack-keystone		07:54
*** openstackgerrit has joined #openstack-keystone		07:55
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers https://review.openstack.org/577807	07:55
*** tosky has joined #openstack-keystone		07:58
*** threestrands has joined #openstack-keystone		08:06
*** d0ugal has joined #openstack-keystone		08:08
*** threestrands has quit IRC		08:13
*** tonytan4ever_brb has joined #openstack-keystone		08:15
*** tonytan4ever has quit IRC		08:19
*** tonytan4ever_brb has quit IRC		08:20
*** tonytan4ever has joined #openstack-keystone		08:20
*** dansmith has quit IRC		08:20
*** dansmith has joined #openstack-keystone		08:21
*** dansmith is now known as Guest88823		08:21
*** edmondsw has joined #openstack-keystone		08:29
*** edmondsw has quit IRC		08:34
*** d0ugal has quit IRC		09:16
*** d0ugal has joined #openstack-keystone		09:16
*** pcichy has joined #openstack-keystone		09:30
*** Dinesh_Bhor has quit IRC		09:34
*** evrardjp has quit IRC		09:35
*** pcichy has quit IRC		09:35
*** pcichy has joined #openstack-keystone		09:35
openstackgerrit	wu.chunyang proposed openstack/python-keystoneclient master: Add release note link in README https://review.openstack.org/578652	09:38
*** evrardjp has joined #openstack-keystone		09:41
*** rcernin has quit IRC		09:56
evrardjp	hello	10:02
*** edmondsw has joined #openstack-keystone		10:17
*** edmondsw has quit IRC		10:22
*** ispp has quit IRC		10:25
*** peereb has quit IRC		10:43
*** ispp has joined #openstack-keystone		10:49
*** gongysh has quit IRC		10:52
evrardjp	cmurphy: could you help me a little?	11:23
evrardjp	https://review.openstack.org/#/c/574414/7	11:23
evrardjp	that would be great to see this bad boy in :)	11:23
cmurphy	evrardjp: done	11:28
*** sapd_ has joined #openstack-keystone		11:33
*** sapd has quit IRC		11:33
*** gongysh has joined #openstack-keystone		11:36
evrardjp	cool thanks	11:37
*** pcichy has quit IRC		11:43
*** amoralej is now known as amoralej\|lunch		11:54
*** pcaruana has quit IRC		11:56
*** mvk has quit IRC		11:56
*** raildo has joined #openstack-keystone		12:00
*** edmondsw has joined #openstack-keystone		12:06
*** sheel has joined #openstack-keystone		12:06
*** edmondsw has quit IRC		12:11
parthiban	Hello all, Can someone help me out on key revocation system to quickly deactivate potentially compromised keys in OpenStack - https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation	12:14
jaosorior	lbragstad, hrybacki, cmurphy: Is anything using policy scoping at the moment?	12:17
jaosorior	I don't see anywhere in the codebase where the key 'system' for the credentials that are passed to the enforcer would be set. which is what oslo.policy actually checks.	12:18
jaosorior	instead, keystone middleware seems to pass a 'system_scope'	12:19
*** vrv_ has joined #openstack-keystone		12:26
*** neha_alhat has joined #openstack-keystone		12:27
*** mvk has joined #openstack-keystone		12:28
cmurphy	jaosorior: are you talking about things like this? http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_request.py#n67	12:28
cmurphy	parthiban: keystone isn't a key storage service, what are you actually looking to do?	12:29
neha_alhat	cmurphy, mordred, kmalloc: can you help me to understand why this job legacy-tempest-dsvm-neutron-src failing on patch: https://review.openstack.org/#/c/578008/	12:30
jaosorior	cmurphy: exactly	12:31
jaosorior	cmurphy: I don't see that actually being used for policy	12:31
cmurphy	neha_alhat: http://logs.openstack.org/08/578008/2/check/legacy-tempest-dsvm-neutron-src/0500c4c/logs/screen-g-api.txt.gz?level=ERROR	12:32
cmurphy	jaosorior: hmm i don't really know, lbragstad will	12:35
jaosorior	ok	12:35
jaosorior	well for reference, this is what oslo.context will actually output https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L320	12:36
jaosorior	and this is what oslo.policy will check https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L834	12:36
jaosorior	lbragstad: ^^	12:36
jaosorior	hrybacki: ^^	12:37
neha_alhat	cmurphy: Thanks, I will fix this	12:39
*** pcaruana has joined #openstack-keystone		12:44
*** rcernin has joined #openstack-keystone		12:52
*** edmondsw has joined #openstack-keystone		13:01
*** rcernin has quit IRC		13:08
*** amoralej\|lunch is now known as amoralej		13:14
*** mchlumsky has joined #openstack-keystone		13:16
*** mchlumsky has quit IRC		13:16
*** mchlumsky has joined #openstack-keystone		13:18
lbragstad	parthiban: the looks like the OpenStack security wiki, which keystone doesn't maintain directly. it might be worth checking with the openstack-security team directly	13:38
lbragstad	jaosorior: system scope should be working for things that specify it	13:40
lbragstad	with scope_typse	13:40
lbragstad	jaosorior: last i checked, at least in the keystone code, the creds dictionary gets populated based on the token	13:54
openstackgerrit	Stephen Finucane proposed openstack/keystone master: Replace support matrix ext with common library https://review.openstack.org/527808	13:55
*** Guest88823 is now known as dansmith		14:01
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove KeystoneToken object https://review.openstack.org/577567	14:01
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add new "How Can I Help?" contributor guide https://review.openstack.org/578814	14:09
*** lbragstad has quit IRC		14:10
*** ispp has quit IRC		14:14
kmalloc	jaosorior: the token is mostly what populates the creds dict. It is just the auth_context dict.	14:19
*** itlinux has quit IRC		14:26
*** lbragstad has joined #openstack-keystone		14:38
*** ChanServ sets mode: +o lbragstad		14:38
knikolla	larsks: https://review.openstack.org/#/c/529914	14:42
knikolla	this is in queens	14:43
larsks	knikolla: yes, I was already looking at that :)	14:43
knikolla	awesome	14:43
knikolla	larsks: i changed the bug to incomplete, after trying that out report back and i'll set it to invalid if everything works fine.	14:44
larsks	Will do. I'll try to patch that into our environment this afternoon.	14:44
jaosorior	kmalloc, lbragstad: Alright, I was just reading the code and didn't understand where that was happening. Where is that set?	14:46
lbragstad	so - when keystone processes a request	14:48
lbragstad	we override the call to keystone in keystonemiddleware, because that wouldn't make sense, right?	14:48
jaosorior	right	14:50
lbragstad	jaosorior: instead we just load the token provider api directly	14:50
lbragstad	and ask it to validate	14:50
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n47	14:50
jaosorior	ok, that makes sense	14:50
lbragstad	so - the contents of ^ get set in the context, yeah?	14:50
jaosorior	uhm	14:50
jaosorior	sure, I guess	14:50
lbragstad	s/, yeah?//	14:50
lbragstad	sorry	14:50
jaosorior	but you still have the context	14:50
jaosorior	which is what actually populates the creds (from what I could see from the code)	14:51
openstackgerrit	Matthew Thode proposed openstack/keystone master: pycrypto is not used by keystone https://review.openstack.org/578833	14:51
lbragstad	yeah - so it gets put into the require environment	14:51
lbragstad	request environment&	14:51
jaosorior	yes	14:52
lbragstad	we pull that token out of that environment later on, which ends up building the creds dictionary which is passed to oslo.policy	14:52
jaosorior	that's the bit I'm missing	14:52
lbragstad	(kmalloc and i were both just digging around in this code)	14:52
lbragstad	it's crazy confusing right now :( at least IMO	14:53
jaosorior	it sure is :D	14:53
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n134	14:53
lbragstad	^ that is suppose to get called if you wrap a methed with @controller.protected	14:53
jaosorior	sure	14:53
jaosorior	_build_policy_check_credentials basically is just a call to get AUTH_CONTEXT_ENV	14:54
lbragstad	which should call this https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n64	14:54
lbragstad	yep	14:54
jaosorior	but that one (as far as I can tell) gets populated with the context	14:54
jaosorior	not with the token	14:54
lbragstad	:)	14:55
kmalloc	The token is in the context, and the context is based upon the token.	14:55
jaosorior	kmalloc: right	14:55
kmalloc	And not the subject token.	14:55
lbragstad	jaosorior: it's this bit https://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n219	14:56
kmalloc	That is in the target dict (and limited values of it)	14:56
lbragstad	^ which really threw me off	14:56
lbragstad	keystone validate the token based on the ID	14:56
lbragstad	and technically gets back this token response, which is a dictionary	14:56
lbragstad	then it gets passed to the KeystoneTOken object...	14:56
lbragstad	which is a dict type object https://git.openstack.org/cgit/openstack/keystone/tree/keystone/models/token_model.py#n34	14:57
jaosorior	right, but I'm talking about creds, not the target dict	14:57
lbragstad	the creds contain that dictionary...	14:57
jaosorior	creds gets filled out from AUTH_CONTEXT.	14:57
lbragstad	which gets recursively parsed in oslo.policy	14:57
jaosorior	which gets filled out in that code... here https://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n223	14:57
jaosorior	which is the context's result of the to_policy_values function	14:58
*** alex_xu has quit IRC		14:58
lbragstad	and on https://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n233	14:58
lbragstad	we are amending the auth_context with a token variable, which is an instance of KeystoneToken	14:58
jaosorior	lbragstad: right, but that's just an update in case there are trust-related things to add	14:59
lbragstad	the token is always added though	14:59
jaosorior	sure	14:59
lbragstad	the trust values can be None	14:59
*** gongysh has quit IRC		15:00
jaosorior	alright, so we have the token there; sorry to be dense, but I still don't see where the system scope is added to the creds dictionary	15:00
jaosorior	there is a "system_scope" entry... which is not used at all in oslo.policy	15:00
jaosorior	oslo.policy itself expects a "system" entry in the creds dict, which is what I still don't know where it gets filled out	15:00
*** alex_xu has joined #openstack-keystone		15:00
lbragstad	so - you have auth_context['token'] right?	15:01
lbragstad	and it's an instance of KeystoneToken	15:01
jaosorior	I guess "D	15:01
jaosorior	:D	15:01
lbragstad	if you call auth_context['token']['system'] you get the system scope of the token, if it is system-scoped	15:01
jaosorior	OK	15:01
lbragstad	the KeystoneToken object uses reflection to model whatever dictionary is passed into it	15:02
lbragstad	and since it is of type dict, using oslo.policy token.get('system') on it works	15:02
lbragstad	=/	15:02
jaosorior	lbragstad: but it's not token.get('system')	15:02
jaosorior	it's creds.get('system')	15:02
jaosorior	we don't get the token from the creds (which is what would have worked)	15:03
jaosorior	sorry to be dense here, maybe I'm still not understanding something	15:03
lbragstad	https://github.com/openstack/oslo.policy/blob/master/oslo_policy/_checks.py#L302	15:03
lbragstad	because we hit this in oslo.policy ^	15:03
jaosorior	lbragstad: uhm... but, policy isn't converted into an oslo policy Check object, it's a dict directly https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L834	15:05
lbragstad	that code processes before we get to taht line https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L814	15:05
lbragstad	wait - nevermind	15:06
lbragstad	so - taking a step back	15:06
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n248	15:06
jaosorior	right	15:06
lbragstad	^ at that point we know auth_context['token'] is an instance of KeystoneToken	15:07
jaosorior	yes	15:07
lbragstad	and we see that we're setting it on the request environment of the request	15:07
jaosorior	yep	15:07
lbragstad	later on - we see that we're pulling out that auth_context in authorization.py	15:07
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n64	15:07
lbragstad	and that is populating the creds dictionary	15:08
jaosorior	yeah	15:08
lbragstad	so - creds == auth_context, right?	15:08
jaosorior	correct	15:08
* lbragstad is grabbing a trace		15:10
*** itlinux has joined #openstack-keystone		15:11
*** mvenesio has joined #openstack-keystone		15:14
lbragstad	jaosorior: you're right	15:19
lbragstad	we're missing a patch that I thought had merged	15:20
lbragstad	https://review.openstack.org/#/c/551336/1	15:20
lbragstad	it looks like https://review.openstack.org/#/c/551336/1/keystone/middleware/auth.py@170 would do it	15:20
jaosorior	ah!! now that makes sense! :D	15:20
lbragstad	who knew it'd be easier to put puzzles together with all the pieces	15:21
jaosorior	hah :D	15:21
lbragstad	i apologize...	15:21
lbragstad	i was convinced all that had been ironed out..	15:21
lbragstad	that makes sense because i needed to have that in order to start doing https://review.openstack.org/#/c/551337/3	15:22
*** mchlumsky has quit IRC		15:23
jaosorior	lbragstad: so yeah, NOW it makes sense to me :D	15:24
lbragstad	me too	15:24
jaosorior	thanks for taking the time to look at it	15:24
lbragstad	yeah, thanks for asking the hard questions	15:24
*** gyee has joined #openstack-keystone		15:24
lbragstad	now that we both know way more about keystone enforcement path than we'd like...	15:24
lbragstad	do you think that is the way we should be going about it?	15:25
jaosorior	lbragstad: I actually am not very keen on having a "system" key in creds	15:25
lbragstad	yeah - me either...	15:25
jaosorior	I think it would be nicer to always have a "token_scope" key	15:25
jaosorior	that defaults to "project"	15:26
jaosorior	and set "system" there, when it's a system scoped call	15:26
lbragstad	i would like for https://review.openstack.org/#/c/551336/1 to not be required...	15:26
jaosorior	I can surely work with what's there now, no biggie :D. But it would be nice to have something else	15:26
lbragstad	so - for example	15:26
lbragstad	keystonemiddleware sits in front of us, and other services right?	15:27
jaosorior	yes	15:27
lbragstad	it does the whole validate token thing	15:27
lbragstad	and populates the context	15:27
lbragstad	and sets all that in the request environment for us	15:27
jaosorior	IMO this should be logic that's in oslo.context. Since we do get the token there, we could parse it for the needed values, and output it appropriately	15:27
jaosorior	that way that change propagates for all the projects.	15:28
lbragstad	++	15:28
lbragstad	rigyht	15:28
lbragstad	i think creds is kind of opaque	15:28
jaosorior	it sure is	15:28
lbragstad	s/kind of//	15:28
lbragstad	instead, what if we just pass oslo_policy enforce an instance of the context object	15:28
jaosorior	another option is, if you want to work with what's there already, we could check for system_scope from creds in oslo.policy	15:29
lbragstad	sure - we could support both ways	15:29
lbragstad	if services are setting creds.system_scope we'll validate that way	15:29
lbragstad	otherwise we can accept an instance of oslo.context	15:29
jaosorior	lbragstad: currently services are passing the bare minimum they can to creds	15:29
lbragstad	right	15:29
lbragstad	oslo.context already understands system_scope https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L52	15:30
lbragstad	https://github.com/openstack/oslo.context/commit/1a40b3d43bac5244bcba6bdbc4802fb76430d8d3	15:30
jaosorior	yes	15:30
jaosorior	and it's getting populated appropriately (at least in keystone)	15:30
lbragstad	and as long as they are building the context using from_environ()	15:30
jaosorior	most services are doing that	15:30
jaosorior	not sure if all	15:30
lbragstad	we'll likely have a sane object to parse in oslo.policy	15:30
lbragstad	i know nova uses oslo.context heavily	15:30
lbragstad	and builds it from environ iirc	15:31
jaosorior	nova's doing that	15:31
jaosorior	neutron too	15:31
lbragstad	nice	15:31
*** sonuk_ has joined #openstack-keystone		15:31
lbragstad	but - if we convert them to using oslo.context for this type of stuff, then it should be more consistent for us to rely on in oslo.policy	15:31
jaosorior	lbragstad: that would be a nice goal	15:32
lbragstad	versus handling a bunch of different snowflakes that is the current creds dictionary	15:32
jaosorior	and it makes sense, since everybody's using oslo.context	15:32
lbragstad	right	15:32
lbragstad	so - what would we need to do to make this happen?	15:33
lbragstad	ksm already validates the token and sets headers	15:33
jaosorior	lbragstad: if you want me to do it... for me to get back from vacations :D (last day today before that)	15:33
jaosorior	else	15:33
jaosorior	we would need to modify the Enforcer's enforce function (from oslo.policy) to check creds	15:34
lbragstad	yeah - i suppose we'd need to teach oslo.policy how to deal with oslo.context objects	15:34
jaosorior	if creds is an oslo.context object, we could call to_dict (or to_policy_values), and get creds to be that	15:34
*** mvenesio has quit IRC		15:35
jaosorior	that would assure that we need to make the least changes	15:35
lbragstad	yeah	15:35
kmalloc	lbragstad: well.. a.flattened oslo.context	15:35
*** sonuk has quit IRC		15:35
kmalloc	I would keep the policy engine to natives, even if it just does a to_dict if it sees a oslo.context obkext.	15:35
lbragstad	that makes sense	15:36
lbragstad	that's going to allow services to keep doing what they do today, which is fine	15:36
kmalloc	Yep.	15:36
lbragstad	but it gives the flexibility to pass in oslo.context objects instead	15:36
lbragstad	which is a nice carrot	15:36
kmalloc	And keeps the engine as dumb as possible.	15:36
jaosorior	yeah, so, a call to to_dict or to_policy_values, is the way to go. Shouldn't be too big of a change :D	15:37
lbragstad	because it allows services to use the interactions between ksm and oslo.context to populate scope	15:37
kmalloc	Also, creds in keystoen's case isn't just oslo_context.	15:37
kmalloc	Just fyi	15:37
*** fiddletwix has quit IRC		15:37
jaosorior	it isn't?	15:37
kmalloc	No, auth_context is different	15:37
lbragstad	it's a mess of stuff...	15:37
*** fiddletwix has joined #openstack-keystone		15:37
jaosorior	kmalloc: you're right	15:37
jaosorior	it's a convination of to_policy_values and trust-related things	15:38
jaosorior	the plot thickens :D	15:38
kmalloc	I just rewrote the enforcement in keystone to something better	15:38
lbragstad	http://paste.openstack.org/raw/724535/	15:38
kmalloc	So it wasn't @protected	15:38
jaosorior	oh yeah, I was looking at that patch	15:38
lbragstad	jaosorior: since you know all of this, your eyes on that patch would be awesome ;)	15:38
lbragstad	patch series	15:39
jaosorior	sure :D	15:39
jaosorior	I can check it out in three weeks	15:39
jaosorior	you really don't want me to review your code while I'm drunk in Mexico	15:39
kmalloc	It might be useful for you, it has better docs what each thing passed to enforcer is	15:39
lbragstad	jaosorior: don't we though?	15:39
kmalloc	Regardless if you review it.	15:39
*** ispp has joined #openstack-keystone		15:40
kmalloc	And has tests you can look at to see the data structures.	15:40
kmalloc	;)	15:40
kmalloc	Drunk code review, that is the new sport, right? ;)	15:40
kmalloc	Coming to the Olympic Games near you!	15:40
lbragstad	lol	15:40
lbragstad	so - walking through this again	15:41
lbragstad	but all services would need to do would be to build context objects using oslo.context's from_environ() method	15:41
jaosorior	yes	15:41
lbragstad	since that knows to look for different scopes set by ksm	15:41
lbragstad	and sets them appropriately on the context object	15:42
lbragstad	then the service just passes it to oslo.policy in enforce	15:42
lbragstad	and oslo.policy learns to deal with oslo.context objects	15:42
lbragstad	(which is a better interface than a random dictionary, IMO)	15:42
jaosorior	that sounds like a plan	15:43
lbragstad	sweet	15:43
lbragstad	since the real piece of work is in oslo.policy	15:43
lbragstad	should we just keep this isolated to an RFE there?	15:43
jaosorior	yeah	15:43
lbragstad	there isn't any keystone, ksm, or oslo.context work to do, is there?	15:43
lbragstad	at least not from what i can tell	15:44
jaosorior	there isn't (at this moment)	15:44
jaosorior	MAYBE for oslo.context	15:44
lbragstad	cool	15:44
jaosorior	if we want to pass more specific info	15:44
lbragstad	right - at which point, we'll add to oslo.context and release	15:44
lbragstad	then consume it in oslo.policy	15:44
jaosorior	right	15:44
*** mchlumsky has joined #openstack-keystone		15:44
jaosorior	talking about oslo.policy	15:44
jaosorior	hrybacki mentioned it to you the other day, but I'm doing some work on getting oslo.policy to be pluggable	15:45
jaosorior	would really apprecite your reviews here https://review.openstack.org/#/q/topic:bp/pluggable-policy-drivers+status:open	15:45
jaosorior	seems to be working :D	15:45
lbragstad	ah - that's right	15:45
jaosorior	(that's how I started looking at all of this in the first place)	15:45
lbragstad	is oslo in spec freeze?	15:45
jaosorior	no idea	15:45
jaosorior	I submitted it for stein anyways	15:46
jaosorior	but if it can merge this release	15:46
jaosorior	it would be better :D	15:46
lbragstad	oh - nice	15:46
lbragstad	yeah - i can take a look at this	15:46
*** parthiban has quit IRC		15:46
lbragstad	i'll get an oslo.policy bug opened describing the RFE	15:46
jaosorior	So... as I mentioned, I'll be gone 3 weeks. So, if you, or hrybacki, or someone can take over that work while I'm gone (in case it needs some small changes) it would be awesome	15:47
lbragstad	thsi work https://review.openstack.org/#/q/topic:bp/pluggable-policy-drivers+(status:open+OR+status:merged) ?	15:47
jaosorior	lbragstad: just asked bnemec, feature freeze is next week	15:47
jaosorior	lbragstad: yeah	15:47
lbragstad	ack	15:48
jaosorior	thanks	15:48
lbragstad	thank you	15:48
*** sheel has quit IRC		15:55
*** amoralej is now known as amoralej\|off		16:02
lbragstad	jaosorior: kmalloc hrybacki https://bugs.launchpad.net/oslo.policy/+bug/1779172	16:10
openstack	Launchpad bug 1779172 in oslo.policy "RFE: policy enforcement should accept context objects" [Undecided,New]	16:10
*** d0ugal has quit IRC		16:17
jaosorior	lbragstad++	16:19
*** ispp has quit IRC		16:20
*** raopajay has quit IRC		16:26
*** tesseract has quit IRC		16:38
*** jmlowe has quit IRC		16:41
*** vrv_ has quit IRC		16:55
*** jmlowe has joined #openstack-keystone		16:56
*** jaosorior has quit IRC		17:10
*** raildo has quit IRC		17:12
cmurphy	kmalloc: re https://review.openstack.org/#/c/576660/ remind me why we added a new password_hash column instead of just doing an alter column to increase the varchar size?	17:26
kmalloc	No downtime upgrades.	17:27
cmurphy	an alter column causes downtime?	17:27
kmalloc	Alter locks tables	17:27
kmalloc	So it has to be in contract phase.	17:27
kmalloc	Well alter in some forms	17:27
kmalloc	Changing a column def does.	17:27
kmalloc	Adding a column does not.	17:28
kmalloc	Really, it was a lot of headache :(, I would have preferred a straight alter and increase the varchar.	17:29
cmurphy	yeah it seems like a ton of hassle :(	17:33
kmalloc	Well, the other reason. Was because old keystoen's couldn't read bcrypt/scrypr	17:34
kmalloc	So we had to have a way to write old password (sha256)	17:34
*** tonytan4ever_brb has joined #openstack-keystone		17:34
kmalloc	For rolling upgrades	17:34
cmurphy	oh i see	17:35
cmurphy	that makes a little more sense	17:35
kmalloc	I could have backported a patch to decode bcrypt/scrypt	17:35
*** mvk has quit IRC		17:35
cmurphy	that would have violated stable policy i think	17:35
kmalloc	But both things made it just eaiser to do a new column.	17:35
kmalloc	Not if it didn't involve a new lib	17:35
cmurphy	it would have been adding a new feature	17:36
kmalloc	I could have done it in pure Python and it wouldn't have allowed new password hashing for storage.	17:36
kmalloc	Just "if you see bcrypt, do x"	17:36
kmalloc	Not really a feature, just data processing.	17:36
*** tonytan4ever has quit IRC		17:37
kmalloc	Since old keystone's couldn't be told to store passwords in bcrypt. That said. We didn't fight that battle	17:37
kmalloc	We went this way.	17:37
kmalloc	And in Stien, I'll drop the old column :)	17:37
*** jmlowe has quit IRC		17:46
*** raildo has joined #openstack-keystone		18:05
*** jmlowe has joined #openstack-keystone		18:08
larsks	knikolla: that patch sort of solves the problem, but it appear to break the client here: https://github.com/openstack/osc-lib/blob/master/osc_lib/utils/__init__.py#L267	18:11
larsks	The osc_lib code is calling resource.get('id') here, but it really wants resource.id. `get` appears to do something different.	18:11
larsks	knikolla: http://termbin.com/r77e	18:12
*** pcaruana has quit IRC		18:14
*** pooja-jadhav has joined #openstack-keystone		18:44
*** bhagyashri_s has joined #openstack-keystone		18:44
*** bhagyashris has quit IRC		18:47
*** pooja_jadhav has quit IRC		18:47
*** pooja_jadhav has joined #openstack-keystone		18:51
*** neha_alhat has quit IRC		18:52
*** bhagyashris_ has joined #openstack-keystone		18:52
*** pooja-jadhav has quit IRC		18:54
*** bhagyashri_s has quit IRC		18:54
*** tonytan4ever_brb has quit IRC		18:56
*** tonytan4ever has joined #openstack-keystone		18:56
*** mvenesio has joined #openstack-keystone		19:17
*** itlinux has quit IRC		19:29
*** itlinux has joined #openstack-keystone		19:31
knikolla	larsks: did u try with the latest openstackclient from pip?	20:17
larsks	knikolla: No, because we're running pike and I was hoping the backport would Just Work.	20:17
knikolla	larsks: openstackclient should work regardless of server version	20:17
larsks	That broke basically everything everywhere (because everything uses that library), so I'm probably not going to pursue it at this point.	20:18
knikolla	virtualenv?	20:18
knikolla	from your pc?	20:18
larsks	When I modified the existing file to use .id instead of .get('id'), it was able to look up a federated user by name.	20:18
larsks	Sure, I can test it from a virtualenv, but we're not going to be able to run the patch on the servers in any case because it would require updated osc_lib everywhere, which has support implications.	20:19
*** itlinux has quit IRC		20:28
*** tonytan4ever_brb has joined #openstack-keystone		20:37
*** d0ugal has joined #openstack-keystone		20:38
*** tonytan4ever has quit IRC		20:39
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Pass dictionary as creds in policy tests https://review.openstack.org/578994	20:40
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Teach Enforcer.enforce to deal with context objects https://review.openstack.org/578995	20:40
*** martinus__ has quit IRC		20:40
lbragstad	kmalloc: ^ per our discussion with jaosorior	20:40
*** itlinux has joined #openstack-keystone		20:42
*** raildo has quit IRC		20:44
*** mvk has joined #openstack-keystone		20:47
*** raildo has joined #openstack-keystone		20:50
*** d0ugal has quit IRC		20:57
openstackgerrit	Raildo Mascena proposed openstack/keystone master: Exposing ambiguity bug when querying role assignments https://review.openstack.org/570438	20:57
openstackgerrit	Raildo Mascena proposed openstack/keystone master: Exposing ambiguity bug when querying role assignments https://review.openstack.org/570438	21:10
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Teach Enforcer.enforce to deal with context objects https://review.openstack.org/578995	21:13
*** edmondsw has quit IRC		21:31
*** raildo has quit IRC		21:40
*** rcernin has joined #openstack-keystone		21:42
*** mchlumsky has quit IRC		21:42
*** mchlumsky has joined #openstack-keystone		21:43
*** mvenesio has quit IRC		21:45
*** itlinux has quit IRC		21:50
*** raildo has joined #openstack-keystone		21:55
*** mchlumsky has quit IRC		22:00
lbragstad	wxy: https://review.openstack.org/#/q/status:open+project:openstack/python-openstackclient+branch:master+topic:bp/unified-limits should be fixed up and passing now	22:12
*** nicolasbock has quit IRC		22:14
*** linkmark has quit IRC		22:38
*** tosky has quit IRC		22:53
*** tonytan4ever_brb has quit IRC		23:03
*** tonytan4ever has joined #openstack-keystone		23:03
*** threestrands has joined #openstack-keystone		23:05
*** threestrands has quit IRC		23:05
*** threestrands has joined #openstack-keystone		23:05
kmalloc	lbragstad: nice.	23:14
*** threestrands has quit IRC		23:38
*** masber has quit IRC		23:48
*** gagehugo has quit IRC		23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!