Tuesday, 2018-12-04

[00:03] <lbragstad> interesting...
[00:04] <lbragstad> i think only a trust id would be required
[01:07] *** lbragstad has quit IRC
[01:37] *** takamatsu has quit IRC
[01:40] *** Dinesh_Bhor has joined #openstack-keystone
[01:47] <openstackgerrit> zhongshengping proposed openstack/oslo.limit master: Change openstack-dev to openstack-discuss  https://review.openstack.org/621795
[01:47] <openstackgerrit> zhongshengping proposed openstack/oslo.policy master: Change openstack-dev to openstack-discuss  https://review.openstack.org/621812
[01:56] *** Dinesh_Bhor has quit IRC
[02:00] <openstackgerrit> zhongshengping proposed openstack/keystone master: Change openstack-dev to openstack-discuss  https://review.openstack.org/621824
[02:14] *** gyee has quit IRC
[02:23] *** itlinux has joined #openstack-keystone
[02:33] *** itlinux has quit IRC
[02:34] *** itlinux has joined #openstack-keystone
[02:36] *** Dinesh_Bhor has joined #openstack-keystone
[02:36] *** itlinux has quit IRC
[02:48] <eandersson> btw pretty sure we were hitting this https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L535
[02:48] <eandersson> I do feel like this should be logged as a warning or something, because difficult to know as an admin if this is a widespread issue
[02:48] <eandersson> and no obvious way to fix it besides rotating out all the trusts
[02:52] *** imacdonn has quit IRC
[02:52] *** imacdonn has joined #openstack-keystone
[02:59] <openstackgerrit> Brin Zhang proposed openstack/keystone-specs master: Change openstack-dev to openstack-discuss  https://review.openstack.org/621893
[03:22] *** jmlowe has joined #openstack-keystone
[03:23] *** dklyle has joined #openstack-keystone
[03:25] *** david-lyle has quit IRC
[03:53] *** dave-mccowan has quit IRC
[04:14] *** itlinux has joined #openstack-keystone
[04:15] *** Nel1x has quit IRC
[05:50] *** Dinesh_Bhor has quit IRC
[05:54] *** Dinesh_Bhor has joined #openstack-keystone
[06:50] *** aojea has joined #openstack-keystone
[06:53] *** takamatsu has joined #openstack-keystone
[07:04] *** aojea has quit IRC
[07:10] *** pcaruana has joined #openstack-keystone
[07:38] *** rcernin has quit IRC
[07:55] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Fix URL resulting 404 for v2 API  https://review.openstack.org/622078
[08:05] *** jdennis has quit IRC
[08:07] *** awalende has joined #openstack-keystone
[08:15] *** takamatsu has quit IRC
[08:31] *** trident has quit IRC
[08:32] *** trident has joined #openstack-keystone
[08:38] *** erus has quit IRC
[08:39] *** amoralej|off is now known as amoralej
[08:40] *** erus has joined #openstack-keystone
[08:45] *** hoonetorg has quit IRC
[08:46] *** takamatsu has joined #openstack-keystone
[08:58] *** hoonetorg has joined #openstack-keystone
[09:14] *** takamatsu has quit IRC
[09:16] *** takamatsu has joined #openstack-keystone
[09:24] *** lbragstad has joined #openstack-keystone
[09:24] *** ChanServ sets mode: +o lbragstad
[09:49] *** takamatsu has quit IRC
[09:50] *** takamatsu has joined #openstack-keystone
[10:13] *** takamatsu has quit IRC
[10:50] *** takamatsu has joined #openstack-keystone
[10:52] *** Dinesh_Bhor has quit IRC
[10:53] *** Dinesh_Bhor has joined #openstack-keystone
[11:00] *** Dinesh_Bhor has quit IRC
[11:04] *** takamatsu has quit IRC
[11:05] *** takamatsu has joined #openstack-keystone
[12:11] *** dave-mccowan has joined #openstack-keystone
[12:21] *** lbragstad has quit IRC
[12:22] <openstackgerrit> melissaml proposed openstack/pycadf master: Change openstack-dev to openstack-discuss  https://review.openstack.org/622286
[12:23] *** lbragstad has joined #openstack-keystone
[12:23] *** ChanServ sets mode: +o lbragstad
[12:23] *** lbragstad has quit IRC
[12:24] *** lbragstad has joined #openstack-keystone
[12:24] *** ChanServ sets mode: +o lbragstad
[12:26] *** lbragsta_ has joined #openstack-keystone
[12:26] *** ChanServ sets mode: +o lbragsta_
[12:29] *** shrasool has joined #openstack-keystone
[12:31] *** lbragsta_ has quit IRC
[12:31] *** lbragstad has quit IRC
[12:38] *** lbragstad has joined #openstack-keystone
[12:38] *** ChanServ sets mode: +o lbragstad
[12:42] *** amoralej is now known as amoralej|lunch
[12:47] *** shrasool has quit IRC
[12:52] *** shrasool has joined #openstack-keystone
[13:07] <knikolla> o/
[13:08] <lbragstad> good UGT
[13:15] <cmurphy> \o
[13:22] <knikolla> we do store group ids in the token, right?
[13:23] <knikolla> https://github.com/openstack/keystone/blob/master/keystone/token/token_formatters.py#L148
[13:28] *** aojea_ has joined #openstack-keystone
[13:31] *** shrasool has quit IRC
[13:36] <lbragstad> knikolla for federated tokens, yes
[13:37] <knikolla> lbragstad: yup, thanks.
[13:37] <knikolla> i woke up early to make sure i finish polishing up the app creds spec before the meeting
[13:37] <knikolla> so i don't fully trust my bran yet
[13:37] <knikolla> haha
[13:38] <knikolla> brain*
[13:38] <lbragstad> nice
[13:45] *** jaosorior has joined #openstack-keystone
[13:47] *** aojea_ has quit IRC
[14:03] *** amoralej|lunch is now known as amoralej
[14:04] <openstackgerrit> Kristi Nikolla proposed openstack/keystone-specs master: Renewable Application Credentials  https://review.openstack.org/604201
[14:05] <knikolla> lbragstad: didn't see your feedback on a prior review, will incorporate it in a later patchset.
[14:06] <lbragstad> sounds good
[14:11] *** raildo_ has joined #openstack-keystone
[14:13] *** raildo_ has quit IRC
[14:13] *** raildo has joined #openstack-keystone
[14:15] *** aojea_ has joined #openstack-keystone
[14:15] *** irclogbot_1 has quit IRC
[14:18] *** trident has quit IRC
[14:21] *** trident has joined #openstack-keystone
[14:24] <larsks> Why does the 'password' table in the keystone database permit multiple password entries for a given user?
[14:28] <cmurphy> larsks: if you use [security_compliance]/unique_last_password_count for pci-dss compliance keystone needs to keep the last N passwords in the db, it doesn't mean users are allowed to use them
[14:28] <larsks> cmurphy: okay, I thought it might be some sort of history mechanism. Thanks.
[14:30] *** wxy| has joined #openstack-keystone
[14:33] *** aojea_ has quit IRC
[14:34] *** imus has joined #openstack-keystone
[14:34] <cmurphy> hi imus o/
[14:36] <imus> hi
[14:40] *** aojea_ has joined #openstack-keystone
[14:45] *** xek has quit IRC
[14:54] *** irclogbot_1 has joined #openstack-keystone
[14:54] *** jdennis has joined #openstack-keystone
[14:58] *** awalende has quit IRC
[15:18] *** itlinux has quit IRC
[15:26] *** jmlowe has quit IRC
[15:30] *** xek has joined #openstack-keystone
[15:45] *** imus has quit IRC
[15:46] *** imus has joined #openstack-keystone
[15:50] *** jmlowe has joined #openstack-keystone
[15:50] *** shrasool has joined #openstack-keystone
[15:54] <kmalloc> o/
[15:54] <kmalloc> lbragstad: i have the start of an arch diagram, but realistically due to more car insurance issues i haven't had it completed
[15:55] <kmalloc> lbragstad: it's about 1/3 of the way done (and it needs a lot of love)
[15:55] <kmalloc> the next bits are the DB / internal architecture
[15:56] <kmalloc> it also needs to be split into a couple use cases. it was late when i was doing it :P
[15:56] <kmalloc> i'll keep iterating but here we go
[15:57] *** jmlowe has quit IRC
[15:57] <erus> Hi o/
[15:57] <cmurphy> hi erus
[15:57] *** jmlowe has joined #openstack-keystone
[15:57] <kmalloc> lbragstad:
[15:57] <erus> Hello cmurphy how are you?
[15:57] <kmalloc> first-pass https://usercontent.irccloud-cdn.com/file/6uy9UKfb/Keystone%20IDP%20(initial)%20Diagram.svg
[15:57] <cmurphy> I'm good, how are you erus ?
[15:58] <kmalloc> hrm not as intended meant to use the png
[15:58] <kmalloc> First pass https://usercontent.irccloud-cdn.com/file/Au4e3DXb/Keystone%20IDP%20(initial)%20Diagram.png
[15:58] <kmalloc> there we go
[15:58] <erus> I'm really fine cmurphy :)
[15:58] <lbragstad> good deal
[15:58] <kmalloc> ^ lbragstad
[15:59] <lbragstad> cc ildikov ^
[15:59] <kmalloc> and that is really rough showing what we're aiming for
[15:59] <lbragstad> i imagine once it gets smoothed out we can put it somewhere more official
[15:59] <kmalloc> and general data flow
[16:00] <kmalloc> yeah, and I plan to have a real DB architecture with the principal object soon as well as cover auto-provision information
[16:00] <kmalloc> but i wanted *something* to reference for today
[16:00] <ildikov> +1
[16:00] * ildikov likes diagrams :)
[16:01] <kmalloc> ildikov: this diagram is not meant to be official. it's so rough it just gives us some framing
[16:01] <kmalloc> ildikov: it will get better as I iterate on it
[16:01] <lbragstad> reminder - the keystone meeting is starting in #openstack-meeting-alt
[16:01] <kmalloc> yay draw.io being super easy to use.
[16:01] <ildikov> kmalloc: in my experience starting to draw it is the hardest
[16:02] <kmalloc> ildikov: i'm just happy i found a nice online tool that i can export to pdf/png etc and it saves as a super small .xml that i can re-upload
[16:02] <ildikov> It's easier when people can see it and add comments, etc
[16:02] *** shrasool has quit IRC
[16:02] *** wxy| has quit IRC
[16:03] <ildikov> I think I've heard about that one before, didn't use it too often though
[16:03] <kmalloc> ildikov: my expectation is that in the nearish future we'll have a target diagram for data flow, a db diagram, and a UI "site-map" diagram
[16:03] <ildikov> Sounds great!!
[16:03] *** wxy| has joined #openstack-keystone
[16:04] <ildikov> Will link those from the Edge wikis too
[16:04] <kmalloc> ildikov: perfect, yeah just don't use that one :P
[16:04] <kmalloc> yet*
[16:04] <kmalloc> (the current one)
[16:05] <ildikov> Nope, I'm a nice person and it's holiday season as well, I wouldn't do that to you :)
[16:05] <kmalloc> ildikov: <3! You *are* a nice person.
[16:05] <kmalloc> ;)
[16:12] *** xek has quit IRC
[16:12] *** pcaruana has quit IRC
[16:12] <ildikov> :)
[16:18] *** itlinux has joined #openstack-keystone
[16:19] *** shrasool has joined #openstack-keystone
[16:19] <nsmeds> I doubt anyone will ever be as foolish as me - but I thought I'd share another realization that has caused me a great deal of confusion (related to implementing v3cloudsample)
[16:20] <nsmeds> a lot of the rules compare token's domain_id to target
[16:20] <kmalloc> nsmeds: yes.
[16:20] <nsmeds> thus
[16:20] <nsmeds> THUS
[16:20] <kmalloc> quite a few actually.
[16:20] <nsmeds> i must provide the domain *ID* and not the domain name in the request XD
[16:20] <kmalloc> yup.
[16:20] <nsmeds> I had expected, since they have a one-to-one relationship
[16:20] <nsmeds> that providing a domain name would succeed
[16:21] * kmalloc can talk at end with absurd things we do with policy enforcement things.
[16:21] <nsmeds> nope.
[16:21] <nsmeds> holy hell I am happy now
[16:21] <nsmeds> lol
[16:21] <nsmeds> life finally makes sense
[16:25] <nsmeds> tbh, that kind of makes it a PITA when working with CLI clients - domain names are fairly easy to remember - domain IDs require the extra step of looking up and copy/pasting for each request
[16:25] <nsmeds> oh well :shrug:
[16:27] <openstackgerrit> Merged openstack/ldappool master: Add release notes jobs  https://review.openstack.org/615190
[16:29] *** itlinux has quit IRC
[16:32] <kmalloc> nsmeds: we could probably add the domain name to the context...
[16:32] <kmalloc> and/or make the policy less sucky
[16:32] *** xek has joined #openstack-keystone
[16:36] *** itlinux has joined #openstack-keystone
[16:46] <lbragstad> yeah - that seems reasonable
[16:46] <openstackgerrit> Merged openstack/ldappool master: Replacing the HTTP protocal with HTTPS in index.rst.  https://review.openstack.org/617826
[16:47] <nsmeds> kmalloc: well, I get that the more things added to v3cloudsample the more difficult it becomes to read - and tbh I'd expect Keystone/oslo.policy to make that conversion in the background - but yeah, having domain name in policy would prevent someone else from having this same issue
[16:47] <nsmeds> <3
[16:47] *** gyee has joined #openstack-keystone
[16:57] <openstackgerrit> Merged openstack/keystone master: Don't emit a notification for the root domain  https://review.openstack.org/617846
[16:57] * knikolla lunch...
[17:00] <openstackgerrit> Nate Johnston proposed openstack/keystone master: Remove neutron-grenade job  https://review.openstack.org/622428
[17:00] <cmurphy> kmalloc: knikolla: not sure if you saw my email but erus was interested in doing a kick-off meeting for the internship, are you available to join that now?
[17:01] <cmurphy> if not it can just be me and erus
[17:01] *** wxy| has quit IRC
[17:02] *** shrasool has quit IRC
[17:03] *** shrasool has joined #openstack-keystone
[17:06] *** takamatsu has quit IRC
[17:08] <kmalloc> cmurphy: yeah
[17:08] <kmalloc> i can
[17:08] <cmurphy> erus: you still around?
[17:09] <erus> Yup o/
[17:09] <cmurphy> i confirmed the openstack asterisk server still works or we could use kmalloc's bluejeans meeting
[17:09] <kmalloc> lets use bluejeans
[17:09] <kmalloc> i don't have SIP setup
[17:09] <erus> Me neither
[17:09] <cmurphy> wfm
[17:10] <kmalloc> https://bluejeans.com/4897923615869325
[17:12] *** pcaruana has joined #openstack-keystone
[17:13] <cmurphy> erus: joining? ^
[17:14] <erus> o/
[17:14] <kmalloc> erus: and you can ignore the video part(s)/not enable it. we're just using it instead of asterisk or hangouts.
[17:14] <kmalloc> erus: https://bluejeans.com/4897923615869325
[17:15] <erus> Ok ok
[17:16] <erus> Sorry I'm downloading the app I have micro and camera disabled in my notebook
[17:16] *** xek has quit IRC
[17:17] <cmurphy> erus: we can do this another time if you want time to figure out your setup :)
[17:17] *** xek has joined #openstack-keystone
[17:17] <cmurphy> it should be doable in the browser though
[17:17] *** shrasool has quit IRC
[17:19] <kmalloc> knikolla: ^
[17:19] <kmalloc> knikolla: bluejeans
[17:23] *** aojea_ has quit IRC
[17:29] <kmalloc> cmurphy: the meeting didn't drop you, did it?
[17:29] <kmalloc> cmurphy: it shouldn't have
[17:29] <cmurphy> kmalloc: nope we're good
[17:29] <kmalloc> cool!
[17:32] *** shrasool has joined #openstack-keystone
[17:38] *** jmlowe has quit IRC
[17:44] <cmurphy> kmalloc: btw if you could check my email to imus and see if my plan of action makes sense or if you want to suggest a different approach
[17:45] <kmalloc> cmurphy: looking
[17:45] * cmurphy afk for a while
[17:45] <kmalloc> i think the plan looks good
[17:54] *** amoralej is now known as amoralej|off
[17:56] *** pcaruana has quit IRC
[17:57] <erus> Thanks kmalloc and cmurphy :)
[18:06] *** xek has quit IRC
[18:06] *** xek has joined #openstack-keystone
[18:11] <openstackgerrit> Merged openstack/oslo.policy master: Make upgrades more robust with policy overrides  https://review.openstack.org/614195
[18:13] * knikolla back from lunch
[18:13] <knikolla> sorry for missing the meeting.
[18:25] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update role policies for system reader  https://review.openstack.org/622524
[18:25] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add role tests for system member role  https://review.openstack.org/622525
[18:25] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update role policies for system admin  https://review.openstack.org/622526
[18:25] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with roles  https://review.openstack.org/622527
[18:25] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with roles  https://review.openstack.org/622528
[18:25] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove role policies from policy.v3cloudsample.json  https://review.openstack.org/622529
[18:26] *** shrasool has quit IRC
[18:26] <hrybacki> lbragstad: so, feedback from simo was to make the encryption algorithm configurable
[18:26] <lbragstad> ahh - so supporting more than one algorithm...
[18:26] <hrybacki> that was if something goes wrong, the operator can adjust w/o waiting on us to add functionality (CVE)
[18:26] <hrybacki> lbragstad: aye
[18:27] <lbragstad> what if they switch to fernet?
[18:27] *** shrasool has joined #openstack-keystone
[18:27] <lbragstad> it theoretically provides crypto-agility, but just using a different provider
[18:27] <hrybacki> that's an option -- unless they have a requirement for JWT (thinking like, two years down the road when someone has been using it and maybe built up tooling around it)
[18:27] <lbragstad> yeah
[18:29] <hrybacki> lbragstad: I can type us as much in the review if that's best for you
[18:29] <lbragstad> i could probably add a follow on patch to the spec that explicitly clarifies the crypto-agility concern
[18:30] * hrybacki nods
[18:30] <hrybacki> that would be reasonable
[18:32] *** jrist has quit IRC
[18:37] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Add a note about crypto-agility with JWT  https://review.openstack.org/622543
[18:37] <lbragstad> hrybacki done ^
[18:40] <hrybacki> I'll pass it along lbragstad -- thanks!
[18:40] <lbragstad> no problem - thank you
[18:43] <kmalloc> nice.
[18:44] <lbragstad> hrybacki i have a pile of default roles patches for you whenever you're interested ;)
[18:44] <lbragstad> just FYI
[18:49] *** erus has quit IRC
[18:50] <hrybacki> lbragstad: I've got some PTO starting the week after next ;) I'll start digging into them then
[18:50] <openstackgerrit> Merged openstack/keystone master: Change openstack-dev to openstack-discuss  https://review.openstack.org/621824
[18:50] *** jmlowe has joined #openstack-keystone
[18:51] <lbragstad> hrybacki naw - not that big of a deal
[18:51] <lbragstad> use your PTO for PTO things
[18:51] <lbragstad> default roles reviews are not PTO things
[18:51] <knikolla> lbragstad: good work on the JWT spec!
[18:51] <lbragstad> thanks :)
[18:52] *** erus has joined #openstack-keystone
[18:52] <hrybacki> lbragstad: it's tough to find work time to actually engineer these days (years) :|
[18:52] <kmalloc> lbragstad: oh FYI I'm going to be on PTO shortly until sometime mid january
[18:52] <lbragstad> kmalloc nice
[18:52] <lbragstad> hrybacki yeah - never enough hours in the day it seems
[18:53] <kmalloc> lbragstad: not sure when it starts, but def wont be back until like Jan 12
[18:53] <hrybacki> kmalloc: suck me up up into your office sometime so I can apprentice under you ;)
[18:53] <kmalloc> erm 14
[18:53] <kmalloc> hrybacki: for "taking PTO"? :P
[18:53] <hrybacki> kmalloc: no no, the other office
[18:53] <kmalloc> the only reason i actually burn the PTO is so i actually take time off
[18:54] <lbragstad> i imagine some folks will start trickling away for the holidays soon
[19:07] *** itlinux has quit IRC
[19:09] * lbragstad goes to find food
[19:10] *** itlinux has joined #openstack-keystone
[19:16] <gagehugo> I'll be around until xmas week
[19:20] <openstackgerrit> Vieri proposed openstack/ldappool master: Change openstack-dev to openstack-discuss  https://review.openstack.org/622571
[19:23] *** itlinux has quit IRC
[19:23] *** jmlowe has quit IRC
[19:26] <kmalloc> gagehugo: that is the original plan, but with having an extra 2 weeks (on top of what I'm already taking) to burn (and needing the down time)
[19:26] <kmalloc> gagehugo: i might start my holiday a bit earlier.
[19:29] *** jrist has joined #openstack-keystone
[19:36] <gagehugo> nice
[19:36] <gagehugo> I'd do that if I could :)
[19:36] * gagehugo unfortunately took too much vacation earlier this year
[19:52] <kmalloc> yeah i didn't :P
[19:53] <kmalloc> i should take vacation more spread out tbh
[19:53] *** itlinux has joined #openstack-keystone
[19:55] *** shrasool has quit IRC
[20:14] <lbragstad> psa: once https://review.openstack.org/#/c/611443/ gets a couple more reviews, pending feedback, I can propose a new oslo.policy release
[20:24] *** jmlowe has joined #openstack-keystone
[20:31] *** xek has quit IRC
[20:33] *** jmlowe has quit IRC
[20:39] *** jrist has quit IRC
[20:39] *** hoonetorg has quit IRC
[20:39] *** aojea has joined #openstack-keystone
[20:44] *** takamatsu has joined #openstack-keystone
[20:55] *** shrasool has joined #openstack-keystone
[20:57] *** hoonetorg has joined #openstack-keystone
[20:57] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: remove redundant policies from policy.v3cloudsample.json  https://review.openstack.org/622589
[21:08] <lbragstad> nice - thanks gagehugo
[21:12] *** jmlowe has joined #openstack-keystone
[21:31] *** jrist has joined #openstack-keystone
[21:38] *** cosss_ has joined #openstack-keystone
[21:38] *** shrasool has quit IRC
[21:39] <cosss_> Hi! Is there a way to obtain the keystone api version (e.g. 3.11) with the keystoneclient?
[21:41] *** jdennis has quit IRC
[21:43] *** aojea has quit IRC
[21:58] *** jdennis has joined #openstack-keystone
[22:00] *** jaosorior has quit IRC
[22:02] *** shrasool has joined #openstack-keystone
[22:02] *** raildo has quit IRC
[22:08] *** timothyb89 has joined #openstack-keystone
[22:17] *** aojea has joined #openstack-keystone
[22:27] *** blake has joined #openstack-keystone
[22:29] *** takamatsu has quit IRC
[22:32] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update role policies for system reader  https://review.openstack.org/622615
[22:32] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update system grant policies for system reader  https://review.openstack.org/622615
[22:33] *** dave-mccowan has quit IRC
[22:34] *** rcernin has joined #openstack-keystone
[22:37] <openstackgerrit> Merged openstack/oslo.policy master: Add domain scope support for scope types  https://review.openstack.org/611443
[22:39] <lbragstad> sweet!
[22:45] *** itlinux has quit IRC
[22:45] *** rcernin_ has joined #openstack-keystone
[22:45] *** rcernin has quit IRC
[22:46] *** shrasool has quit IRC
[22:46] *** jmlowe has quit IRC
[22:48] *** jmlowe has joined #openstack-keystone
[22:50] *** aojea has quit IRC
[22:52] <nsmeds> so - you guys have provided a great v3cloudpolicy example for Keystone. Am I correct in assuming nothing similar yet exists for Nova, Neutron, or Cinder?
[22:52] <nsmeds> was planning to use your example to create similar policy rules for the other services if so.
[23:02] <kmalloc> cosss_: it should be on the discovery page for keystone, but i am unsure if keystoneclient can do it
[23:02] <kmalloc> cosss_: keystoneauth should be able to tell you... i think
[23:03] <openstackgerrit> Merged openstack/oslo.policy master: Change openstack-dev to openstack-discuss  https://review.openstack.org/621812
[23:12] *** rcernin_ has quit IRC
[23:12] *** etp has quit IRC
[23:13] *** etp has joined #openstack-keystone
[23:13] *** rcernin has joined #openstack-keystone
[23:29] *** shrasool has joined #openstack-keystone
[23:30] *** shrasool has quit IRC
[23:42] *** aojea has joined #openstack-keystone
