*** phuongnh has joined #openstack-keystone | 00:48 | |
*** phuongnh has quit IRC | 01:32 | |
*** Dinesh_Bhor has joined #openstack-keystone | 01:51 | |
openstackgerrit | wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool https://review.openstack.org/613906 | 01:51 |
openstackgerrit | wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool https://review.openstack.org/613906 | 01:57 |
*** Dinesh_Bhor has quit IRC | 02:03 | |
*** sapd1_ has quit IRC | 02:20 | |
*** Dinesh_Bhor has joined #openstack-keystone | 02:30 | |
openstackgerrit | Merged openstack/oslo.policy master: Unit test for CLI https://review.openstack.org/614356 | 03:18 |
*** prometheanfire has left #openstack-keystone | 03:19 | |
*** sapd1 has joined #openstack-keystone | 03:24 | |
*** erus has quit IRC | 03:41 | |
*** david-lyle has joined #openstack-keystone | 04:08 | |
*** itlinux has quit IRC | 04:09 | |
*** dklyle has quit IRC | 04:09 | |
*** erus has joined #openstack-keystone | 04:20 | |
openstackgerrit | Arica Chakraborty proposed openstack/keystone master: changed the port numbers https://review.openstack.org/614966 | 04:23 |
*** jpm__ has quit IRC | 04:53 | |
*** nels has quit IRC | 05:37 | |
*** nelsnelson has joined #openstack-keystone | 05:40 | |
*** threestrands has quit IRC | 05:40 | |
*** Ebukha has joined #openstack-keystone | 05:45 | |
*** Ebukha has quit IRC | 06:09 | |
*** Dinesh_Bhor has quit IRC | 06:15 | |
openstackgerrit | Arica Chakraborty proposed openstack/keystone master: Changed the port numbers. No more seperate ports. https://review.openstack.org/615044 | 06:58 |
*** pcaruana has joined #openstack-keystone | 07:20 | |
*** Dinesh_Bhor has joined #openstack-keystone | 07:21 | |
openstackgerrit | wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool https://review.openstack.org/613906 | 08:22 |
*** Dinesh_Bhor has quit IRC | 08:53 | |
*** xek__ has joined #openstack-keystone | 09:08 | |
*** wangy has joined #openstack-keystone | 09:21 | |
wxy-xiyuan | ping vishakha | 09:30 |
wxy-xiyuan | for https://review.openstack.org/#/c/588211/, any process? | 09:30 |
*** Dinesh_Bhor has joined #openstack-keystone | 09:31 | |
wxy-xiyuan | vishakha: added my thought in the patch. | 09:35 |
wxy-xiyuan | cc cmurphy lbragstad | 09:35 |
wxy-xiyuan | BTW, I'd like to get your thoughts about https://bugs.launchpad.net/keystone/+bug/1801309 | 09:36 |
openstack | Launchpad bug 1801309 in OpenStack Identity (keystone) "Support configurable saml assertion property" [Undecided,New] - Assigned to wangxiyuan (wangxiyuan) | 09:36 |
wxy-xiyuan | kmalloc: ^ | 09:36 |
*** wangy has quit IRC | 09:38 | |
cmurphy | wxy-xiyuan: i don't think we should support exposing the user's extra column, and there aren't any other user attributes that we can expose besides group | 09:40 |
cmurphy | role description is not a property of a user | 09:40 |
wxy-xiyuan | cmurphy: the example may be unsuitable. I just want to point out a case where the SP may need more info. | 09:44 |
wxy-xiyuan | not sure if the community accepts this kind of usage or not. | 09:46 |
openstackgerrit | Arica Chakraborty proposed openstack/keystone master: Changed the port numbers https://review.openstack.org/615044 | 09:58 |
*** Dinesh_Bhor has quit IRC | 10:41 | |
*** wy has joined #openstack-keystone | 10:43 | |
wy | 1 | 10:43 |
*** dave-mccowan has joined #openstack-keystone | 11:30 | |
*** raildo has joined #openstack-keystone | 11:45 | |
*** erus has quit IRC | 11:51 | |
openstackgerrit | Merged openstack/keystone master: changed port in argument '--bootstrap-admin-url' https://review.openstack.org/614620 | 11:58 |
*** zul has quit IRC | 12:06 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker https://review.openstack.org/613313 | 12:14 |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check https://review.openstack.org/614224 | 12:14 |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check https://review.openstack.org/614224 | 12:31 |
*** zul has joined #openstack-keystone | 12:36 | |
*** raildo has quit IRC | 12:53 | |
*** raildo has joined #openstack-keystone | 12:54 | |
*** jmlowe has quit IRC | 13:05 | |
*** jmlowe has joined #openstack-keystone | 13:08 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Add test case for overridding both old and deprecated policy names https://review.openstack.org/615183 | 13:22 |
openstackgerrit | Merged openstack/ldappool master: Handle retry logic for timeouts with multiple LDAP servers https://review.openstack.org/614586 | 13:26 |
*** mchlumsky has quit IRC | 13:36 | |
*** mchlumsky has joined #openstack-keystone | 13:37 | |
openstackgerrit | Merged openstack/keystone-specs master: fix wrong spelling of "configuration" https://review.openstack.org/613889 | 13:39 |
openstackgerrit | Colleen Murphy proposed openstack/ldappool master: Add release notes jobs https://review.openstack.org/615190 | 13:46 |
*** izake has joined #openstack-keystone | 13:47 | |
izake | Hi all | 13:47 |
izake | we are currently using openstack with LDAP backend on domains and users for authentication | 13:48 |
izake | we can create domains and project | 13:48 |
izake | and users can authenticate against the LDAP back-end server | 13:48 |
kmalloc | Please do not expose the extra column in new places wxy-xiyuan | 13:48 |
izake | but when we try to delete the domain by revoking the users from the domain and removing the LDAP domain configuration | 13:49 |
izake | we get a 500 internal server error | 13:49 |
izake | it seems like keystone is creating a local mapping of remote LDAP users in the user table | 13:49 |
izake | which causes the domain deletion to break as the local user is still linked on the keystone db | 13:50 |
izake | any advice on how keystone will not map remote users from LDAP to a domain in the user table | 13:50 |
cmurphy | izake: what version of keystone? we fixed that i believe | 13:54 |
*** nels has joined #openstack-keystone | 13:59 | |
izake | @cmurphy, is there a quick way to get version of keystone, we are running Pike in development and Queens in staging? | 13:59 |
izake | We are just the developers on the platform so not so familiar with the openstack side | 14:00 |
*** nelsnelson has quit IRC | 14:00 | |
izake | we are using V3 of openstack keystone | 14:01 |
izake | we are using V3 of openstack keystone API | 14:01 |
cmurphy | izake: not really an easy way to see the release, you can curl the /v3 endpoint and see what the minor version of the 3.X API is and that will give a hint about what version is on the server | 14:03 |
cmurphy | izake: I think you're hitting https://bugs.launchpad.net/keystone/+bug/1718747 which we fixed in ocata it looks like | 14:04 |
openstack | Launchpad bug 1718747 in OpenStack Identity (keystone) pike "Unable to delete domain with users in it" [High,Fix committed] - Assigned to Colleen Murphy (krinkle) | 14:04 |
openstackgerrit | Merged openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call https://review.openstack.org/614223 | 14:06 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Implement auth receipts spec https://review.openstack.org/611230 | 14:07 |
izake | @cmurphy "id": "v3.8" | 14:09 |
izake | yes, I have also found that bug report | 14:10 |
izake | but like you mentioned it has been implemented, but we are still experiencing this issue | 14:10 |
cmurphy | izake: can you file a new bug report? and can you attach the traceback from the logs or get your operator to attach the logs? | 14:11 |
*** dansmith is now known as SteelyDan | 14:13 | |
*** nels has quit IRC | 14:13 | |
izake | @cmurphy, yeah we can do | 14:14 |
izake | thanks | 14:15 |
*** nelsnelson has joined #openstack-keystone | 14:16 | |
openstackgerrit | Colleen Murphy proposed openstack/ldappool master: Add release notes jobs https://review.openstack.org/615190 | 14:19 |
*** nels has joined #openstack-keystone | 14:23 | |
*** nelsnelson has quit IRC | 14:23 | |
*** izake has quit IRC | 14:27 | |
*** nels has quit IRC | 14:29 | |
*** nelsnelson has joined #openstack-keystone | 14:30 | |
*** nelsnelson has quit IRC | 14:33 | |
*** nelsnelson has joined #openstack-keystone | 14:35 | |
*** nels has joined #openstack-keystone | 14:38 | |
*** nelsnelson has quit IRC | 14:39 | |
kmalloc | cmurphy: yay release notes! | 14:49 |
openstackgerrit | Merged openstack/keystoneauth master: fix wrong spelling of "unnecessary" https://review.openstack.org/614178 | 15:01 |
*** xek has joined #openstack-keystone | 15:05 | |
*** xek__ has quit IRC | 15:06 | |
johnthetubaguy | lbragstad: I think jaypipes is working on things too, but finally got a chance to sort out some unified quota stuff nova side | 15:10 |
lbragstad | johnthetubaguy awesome! | 15:11 |
lbragstad | that's good news | 15:11 |
johnthetubaguy | https://review.openstack.org/#/c/615180 | 15:11 |
johnthetubaguy | so I added TODOs where I want to call oslo limit, and the counting function I want to pass into oslo_limit | 15:11 |
johnthetubaguy | finally got this stuff out of my head onto paper, to see if it's horrid or simple | 15:12 |
lbragstad | i was just looking at those | 15:12 |
lbragstad | wxy-xiyuan was waiting to get some things merged into openstack-sdk before we could continue merging https://review.openstack.org/#/q/project:openstack/oslo.limit+status:open | 15:13 |
lbragstad | and it looks like that happened, so we should be picking those up again soon | 15:13 |
lbragstad | we were waiting to get some feedback from someone on the nova side about https://review.openstack.org/#/c/600266/ | 15:13 |
johnthetubaguy | I was just looking at that, realized I don't have enough context to tell if it's what I want or not | 15:14 |
johnthetubaguy | need to do a bit more reading on what is there already, didn't see example usage in the published docs yet | 15:14 |
wxy-xiyuan | lbragstad: It has been done. I refreshed the oslo.limit patch already | 15:14 |
lbragstad | wxy-xiyuan awesome - i'll make a note to review those today then | 15:15 |
lbragstad | wxy-xiyuan thanks! | 15:15 |
lbragstad | johnthetubaguy I don't think we have docs for usage yet, only because the code for enforcement hasn't landed yet | 15:16 |
johnthetubaguy | yeah, that makes sense | 15:16 |
lbragstad | i'm sure you've already seen it - but https://docs.openstack.org/oslo.limit/latest/user/usage.html | 15:17 |
*** wy has quit IRC | 15:17 | |
wxy-xiyuan | kmalloc: cmurphy:about saml assertion, I'll add more content next week. thanks for response. | 15:17 |
lbragstad | the way we're doing things currently, is having Claims be an object that you pass to the enforcer | 15:18 |
openstackgerrit | Merged openstack/keystone master: Remove compatability shim https://review.openstack.org/614361 | 15:18 |
lbragstad | johnthetubaguy these were the examples we were working through at the PTG - https://gist.github.com/lbragstad/69d28dca8adfa689c00b272d6db8bde7#file-cleanup-in-service-py-L6 | 15:19 |
johnthetubaguy | ah, so I see the point of the patch now, a project claim represents multiple resources, got it | 15:19 |
johnthetubaguy | just been looking through enforcer | 15:20 |
lbragstad | it can, yes... | 15:20 |
lbragstad | the idea was services would build a "claim" and then pass that to the enforcer | 15:20 |
lbragstad | and the claim would contain information about what is being claimed, obviously... but it would associate to the unified limit information in keystone | 15:20 |
johnthetubaguy | FWIW, I just worked out the context manager thing is much less of a big deal than I first thought, and sorry about that... | 15:21 |
lbragstad | less of a big deal? | 15:22 |
johnthetubaguy | essentially, where we need that pattern in nova is for limits we don't expect to move into Keystone | 15:22 |
lbragstad | oh - things that have quota but don't actually protect a physical resource? | 15:22 |
lbragstad | like keypairs? | 15:22 |
johnthetubaguy | yes, although... | 15:23 |
johnthetubaguy | it's more like things where you can't sensibly tell anyone how much a project is using currently | 15:23 |
johnthetubaguy | ... like the number of metadata items a server has | 15:24 |
lbragstad | mmm | 15:24 |
johnthetubaguy | it's really a rate limit / db protection thing | 15:24 |
*** wy has joined #openstack-keystone | 15:24 | |
lbragstad | right - yeah that's ringing a bell | 15:24 |
wy | Hi all | 15:24 |
johnthetubaguy | we have two types of those it turns out, but that's not really interesting here | 15:24 |
wy | I am configuring keystone for federation in pike according to this web page (https://docs.openstack.org/keystone/pike/advanced-topics/federation/configure_federation.html) | 15:24 |
openstackgerrit | Colleen Murphy proposed openstack/ldappool master: Add release notes jobs https://review.openstack.org/615190 | 15:25 |
*** dave-mccowan has quit IRC | 15:25 | |
wy | I met a problem | 15:25 |
wy | I used Shibboleth and made a k2k federation. | 15:25 |
wy | I followed the last step https://docs.openstack.org/keystone/pike/advanced-topics/federation/configure_federation.html#testing-it-all-out | 15:25 |
lbragstad | johnthetubaguy and those are going to stay configuration options in nova, right? | 15:25 |
wy | Then I got the token. But when I used the token to obtain a new token, the response returned 401. | 15:25 |
wy | What's the problem? Please help me | 15:25 |
*** dave-mccowan has joined #openstack-keystone | 15:26 | |
*** gyee has joined #openstack-keystone | 15:26 | |
wy | Can someone help me, thanks | 15:27 |
johnthetubaguy | lbragstad: yes, +1 | 15:28 |
johnthetubaguy | lbragstad: added a comment here to try link all the patches together: https://review.openstack.org/#/c/596520/19/oslo_limit/limit.py | 15:28 |
wy | Oh, sorry, it's not 401. It was 404 (Could not find token) | 15:29 |
openstackgerrit | Merged openstack/keystone master: Fix spelling 'unnecessary' https://review.openstack.org/613913 | 15:29 |
lbragstad | johnthetubaguy count_dynamic_limits has a limits param, are those the same as claims? | 15:31 |
johnthetubaguy | lbragstad: should really say resource_name | 15:38 |
johnthetubaguy | or rather resource_names | 15:38 |
lbragstad | ok | 15:38 |
*** wy has quit IRC | 15:42 | |
lbragstad | johnthetubaguy i'm going to review the oslo.limit patches and refresh myself on those, then I'll see if i can figure out how they map to the patch you have for nova | 15:43 |
johnthetubaguy | lbragstad: thanks | 15:44 |
lbragstad | thanks for the ping :) | 15:44 |
*** xek_ has joined #openstack-keystone | 15:48 | |
*** xek has quit IRC | 15:51 | |
*** jaosorior has quit IRC | 15:58 | |
*** wnagy has joined #openstack-keystone | 15:59 | |
*** bnemec is now known as beekneemech | 16:00 | |
*** wnagy has quit IRC | 16:09 | |
*** imacdonn has quit IRC | 16:15 | |
*** imacdonn has joined #openstack-keystone | 16:15 | |
johnthetubaguy | lbragstad: I think this would link the two parts together, but I am not sure: https://github.com/JohnGarbutt/oslo.limit/blob/limit-callback/oslo_limit/limit.py | 16:16 |
lbragstad | this? https://github.com/JohnGarbutt/oslo.limit/commit/1c0e0f89db52087f6be375b97144ccd5dbf28d4a | 16:16 |
johnthetubaguy | lbragstad: the previous commit is more important I think | 16:17 |
*** pcaruana has quit IRC | 16:17 | |
lbragstad | https://github.com/JohnGarbutt/oslo.limit/commit/81dc3b7dfd8e91bae17d30e5e7e1e2f8c5b92ae1#diff-0766eeec835e4f691c335a86b858b788 | 16:17 |
lbragstad | ? | 16:17 |
johnthetubaguy | that's the bit | 16:17 |
lbragstad | cool - maybe we can work that into wxy-xiyuan's patch? | 16:18 |
johnthetubaguy | sure thing | 16:18 |
kmalloc | lbragstad: the more i think about it the more i want to rip KSM out of keystone server again | 16:18 |
kmalloc | i am not in love with the auth extraction bits | 16:18 |
kmalloc | it really feels like we went through a ton of hoops to wedge it in because keystone has a faster path to the data | 16:19 |
kmalloc | and it does feel very wedged in | 16:19 |
openstackgerrit | Morgan Fainberg proposed openstack/keystonemiddleware master: Fix revocation list/PKI[z] removal nits. https://review.openstack.org/615232 | 16:30 |
kmalloc | lbragstad: ^ the previous review was just broken | 16:31 |
kmalloc | this is fixed | 16:31 |
kmalloc | and i don't know why, something i did wrong i'm sure. | 16:31 |
lbragstad | ack - will do | 16:31 |
lbragstad | thanks | 16:31 |
kmalloc | and the other keystone/ksm fixes should be ready to land | 16:31 |
johnthetubaguy | lbragstad: the more I wire up the interface, the less I like it, will let you know what comes together... | 16:39 |
johnthetubaguy | lbragstad: apologies, I should have done this months ago! | 16:39 |
lbragstad | no worries - we haven't released oslo.limit yet and it's not close to 1.0 yet, so we can be flexible | 16:40 |
lbragstad | if there are larger concerns with the keystone specific API for limits, we can be flexible there, too | 16:40 |
openstackgerrit | Shuayb Popoola proposed openstack/keystone master: use port 5000 and keystone-wsgi-public https://review.openstack.org/614734 | 16:42 |
johnthetubaguy | lbragstad: it's just oslo_limits at this point, it's only a tweak I think, just trying to type out my thoughts now | 16:43 |
kmalloc | adriant, cmurphy: +2/+A on auth receipts still lots of comments but nothing that needs to be done in that review | 16:45 |
kmalloc | all can be done as followup | 16:45 |
openstackgerrit | Nathan Kinder proposed openstack/ldappool master: Allow pool status to be printed as a table https://review.openstack.org/614842 | 16:51 |
*** zul has quit IRC | 16:53 | |
lbragstad | johnthetubaguy sounds good | 16:55 |
openstackgerrit | Arica Chakraborty proposed openstack/keystone master: Changed the port numbers https://review.openstack.org/614966 | 16:55 |
*** nkinder has joined #openstack-keystone | 17:28 | |
nkinder | kmalloc, cmurphy: would you like me to change the output for that ldappool __str__() patch? | 17:30 |
nkinder | I have a modified version that doesn't use PrettyTable (but would allow the caller to easily parse it for a nicely formatted output) | 17:30 |
nkinder | kmalloc, cmurphy: This is what the modified patch does - http://paste.openstack.org/show/734049/ | 17:35 |
kmalloc | nkinder: i don't mind prettytable really | 17:38 |
kmalloc | nkinder: it's just not my preference | 17:38 |
kmalloc | note the +2, i'm fine with it as is | 17:38 |
kmalloc | nkinder: i think the only case(s) where we'd be doing printing (where __str__ is useful) is where it's being debugged | 17:42 |
kmalloc | so pretty table makes sense in that regard. | 17:43 |
nkinder | kmalloc, What I have in mind is allowing a way to have keystone log the table on an interval for debugging | 17:53 |
nkinder | kmalloc, we run into scenarios where we are trying to troubleshoot issues for prod systems, and we can't access the environment or run a debugger session there | 17:53 |
nkinder | having a way to see the connection pool state over time would be really valuable | 17:54 |
nkinder | kmalloc, for example, I have heard reports of keystone claiming it can't connect to the LDAP server, yet ldapsearch on the same system works using the same settings that keystone uses | 17:55 |
nkinder | ^^^ that is with pooling enabled. Seeing the state of the connections in the pool would help figure out what is going on. | 17:56 |
*** itlinux has joined #openstack-keystone | 17:58 | |
*** itlinux has quit IRC | 18:06 | |
johnthetubaguy | lbragstad: so I think something like this could work: https://github.com/JohnGarbutt/oslo.limit/blob/0d6fa80ab5548af3ed5beda96ba381f0eddf8fdd/oslo_limit/limit.py#L107 | 18:06 |
johnthetubaguy | lbragstad: attempted to show how it could get wired up into nova: https://review.openstack.org/#/c/615180/4/nova/limit.py | 18:09 |
-openstackstatus- NOTICE: OpenStack infra's mirror nodes stopped accepting connections on ports 8080, 8081, and 8082. We will notify when this is fixed and jobs can be rechecked if they failed to communicate with a mirror on these ports. | 18:09 | |
lbragstad | johnthetubaguy oh - sure | 18:10 |
lbragstad | that's an option | 18:10 |
*** blake has joined #openstack-keystone | 18:10 | |
*** pcaruana has joined #openstack-keystone | 18:27 | |
openstackgerrit | Merged openstack/keystone master: Implement auth receipts spec https://review.openstack.org/611230 | 18:30 |
*** zul has joined #openstack-keystone | 18:41 | |
-openstackstatus- NOTICE: The firewall situation with ports 8080, 8081, and 8082 on mirror nodes has been resolved. You can recheck jobs that have failed to communicate to the mirrors on those ports now. | 18:54 | |
*** chudler has joined #openstack-keystone | 19:07 | |
*** pcaruana has quit IRC | 19:08 | |
*** nels has quit IRC | 19:35 | |
*** jistr has quit IRC | 19:35 | |
*** jistr has joined #openstack-keystone | 19:37 | |
*** nelsnelson has joined #openstack-keystone | 19:37 | |
chudler | I just installed keystone (Rocky) for the first time and use ldap driver. I am able to authenticate, but I don't understand how Roles/Assignments. | 20:09 |
chudler | I bootstrapped with an admin user and sql driver. Can I reach admin status with my ldap user? I don't intend to use ldap driver for anything except users and groups. | 20:10 |
chudler | I have many questions that I cannot find answered in docs.. for instance, how is userPassword used? does it really not BIND? | 20:13 |
lbragstad | chudler you can assignment role to users regardless of them being in LDAP or SQL | 20:26 |
lbragstad | assign roles* | 20:27 |
*** blake has quit IRC | 20:27 | |
chudler | I think I will create a User domain first, to house these end-users. I am realizing that I don't want all of the identities in a corporate directory server.. | 20:28 |
lbragstad | you can back different domains to different LDAP servers | 20:29 |
lbragstad | by default the "default" domain is backed to SQL | 20:29 |
chudler | thanks. I will use sql for services and ldap for humans. I have too many conceptual gaps to bother this Good Channel with ;-) | 20:29 |
lbragstad | do you have specific questions about roles or assignments that we can help you with now? | 20:30 |
lbragstad | are you curious about them conceptually? or do you have more specific concerns? | 20:30 |
chudler | I use posix groups in ldap with memberuid. keystone uses user_id_attribute when querying, e.g., "(&(memberUid=1001)(objectClass=posixGroup)(gidNumber=*))", but that will never match because the value is the user's id. | 20:36 |
chudler | so, to make that work, I change user_id_attribute = uid, user_name_attribute = uidNumber(?), but now I am concerned about ldap uid that may match names that are used internally (services? "admin"?). | 20:38 |
chudler | just now I meant to say the value is the user's rdn (uid in our environment) | 20:39 |
lbragstad | you should be able to build specific queries depending on the user structure you have in ldap | 20:40 |
chudler | I think group_filter is what you refer to. I have not understood it from the docs yet | 20:43 |
*** imus_ has quit IRC | 20:43 | |
lbragstad | this https://docs.openstack.org/keystone/latest/configuration/config-options.html#ldap.group_filter ? | 20:48 |
chudler | "The LDAP search filter to use for groups." and it has no default. This is literally all that is offered there. | 20:48 |
chudler | in the meantime, I experimented with group_members_are_ids = false and it does use full DN. I believe now that is the limit of what is offered. It is not how that attribute is populated, historically | 20:50 |
lbragstad | there also isn't a default for https://docs.openstack.org/keystone/latest/configuration/config-options.html#ldap.user_filter | 20:52 |
chudler | sorry, we've just been discussing an old issue: https://bugs.launchpad.net/keystone/+bug/1489105 | 20:52 |
openstack | Launchpad bug 1526462 in OpenStack Identity (keystone) "duplicate for #1489105 Need support for OpenDirectory in LDAP driver" [Medium,Fix released] - Assigned to Andrey Grebennikov (agrebennikov) | 20:52 |
chudler | I didn't know | 20:52 |
*** imus has joined #openstack-keystone | 20:52 | |
lbragstad | but that's probably because it's highly dependent on how users and groups are setup in ldap | 20:52 |
chudler | supposing that I am successful in mapping uid to id and uid also to name, and I have a sql backed domain for service and admin users, shall I be concerned about id and name being identical but not in the same domain? Is it a security problem? | 20:58 |
chudler | I have an LDAP user uid=nova that is a real human being. | 20:58 |
lbragstad | i don't think that should be an issue... keystone namespaces groups and users to domains | 21:00 |
lbragstad | so - nova within the "default" domain is different from nova in "users" domain. | 21:00 |
lbragstad | keystone does the same thing with projects, which are namespaced to their containing domains | 21:00 |
chudler | thanks. I am sure I read that somewhere but I am a newb with it | 21:02 |
lbragstad | no worries | 21:02 |
chudler | I am unsure if I will have api v2 clients and I am also unsure if others *always* specify the domain. In the case that they don't, I will put service accounts in the default domain and leave it named "default". | 21:08 |
lbragstad | well - the rocky release doesn't support the v2.0 API anymore | 21:08 |
lbragstad | that was actually removed in queens | 21:08 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add test fixture for JWT key repository https://review.openstack.org/614547 | 21:09 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement https://review.openstack.org/614548 | 21:09 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement JSON Web Token provider https://review.openstack.org/614549 | 21:09 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Refactor directory creation into a common place https://review.openstack.org/615314 | 21:09 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add keystone-manage jwt_setup functionality https://review.openstack.org/615315 | 21:09 |
chudler | nice to know. I have almost no knowledge of openstack and it's rude of me to be here, but I have read several books worth of material on it so far... | 21:09 |
lbragstad | not a problem | 21:10 |
*** raildo has quit IRC | 21:19 | |
chudler | it's working! amusing and excellent | 21:33 |
*** dave-mccowan has quit IRC | 21:35 | |
*** imus has quit IRC | 21:38 | |
*** imus has joined #openstack-keystone | 21:39 | |
openstackgerrit | Lance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides https://review.openstack.org/614195 | 21:46 |
*** erus has joined #openstack-keystone | 21:51 | |
erus | hello | 21:51 |
erus | I'm trying to install devstack but having troubles :P is anybody there? | 21:53 |
*** erus has quit IRC | 22:00 | |
lbragstad | kmalloc re: oslo.limit context manager bits, would be good to get your eyes on https://review.openstack.org/#/c/596520/19 whenever you're available | 22:03 |
kmalloc | looking | 22:19 |
kmalloc | lbragstad: commented | 22:25 |
openstackgerrit | Shuayb Popoola proposed openstack/keystone master: use port 5000 and keystone-wsgi-public https://review.openstack.org/614734 | 22:41 |
openstackgerrit | Shuayb Popoola proposed openstack/keystone master: use port 5000, keystone-wsgi-public and --http-socket. The change in port and wsgi application isdue to v2 API removal. Also, the uswgi needs a flag for its command line, hence, --http-socket https://review.openstack.org/614734 | 23:00 |
lbragstad | sweet - thanks | 23:01 |
openstackgerrit | Irina Anyusheva proposed openstack/keystone master: Closes-bug: #1779889 https://review.openstack.org/615354 | 23:04 |
openstack | bug 1779889 in OpenStack Identity (keystone) "Lack of documentation for validating expired tokens with service users" [Medium,In progress] https://launchpad.net/bugs/1779889 - Assigned to Irina Anyusheva (anyushevai) | 23:04 |
openstackgerrit | Shuayb Popoola proposed openstack/keystone master: use port 5000, keystone-wsgi-public and --http-socket.Change in port and wsgi app are due to v2 API removal. Also,uswgi needs a flag for its command line: --http-socket https://review.openstack.org/614734 | 23:06 |
*** markvoelker has quit IRC | 23:41 | |
*** markvoelker has joined #openstack-keystone | 23:41 | |
*** markvoelker has quit IRC | 23:46 | |
*** gyee has quit IRC | 23:48 | |
*** mchlumsky has quit IRC | 23:50 | |
*** mchlumsky has joined #openstack-keystone | 23:51 |