Tuesday, 2019-01-08

*** eRus is now known as erus		00:02
*** erus is now known as eRus		00:04
*** eRus is now known as erus		00:04
*** erus is now known as erus_		00:13
*** erus_ has quit IRC		00:29
*** erus_ has joined #openstack-keystone		00:42
*** ileixe has joined #openstack-keystone		00:43
*** erus_ has quit IRC		00:49
*** erus1 has joined #openstack-keystone		00:49
*** erus1 is now known as erus_		00:49
*** erus1 has joined #openstack-keystone		00:50
*** erus1 is now known as erus_		00:50
*** erus_ has quit IRC		01:06
*** itlinux has joined #openstack-keystone		01:08
*** erus has joined #openstack-keystone		01:14
*** ileixe has quit IRC		02:01
*** ileixe has joined #openstack-keystone		02:02
*** ileixe has quit IRC		02:04
*** ileixe has joined #openstack-keystone		02:04
*** ileixe has quit IRC		02:58
*** mhen has quit IRC		02:59
*** ileixe has joined #openstack-keystone		02:59
*** mhen has joined #openstack-keystone		03:02
*** whoami-rajat has joined #openstack-keystone		03:16
*** spsurya has joined #openstack-keystone		04:22
*** wxy-xiyuan has quit IRC		04:24
*** bzhao__ has quit IRC		04:26
*** dims has quit IRC		04:47
*** dims has joined #openstack-keystone		04:48
*** erus has quit IRC		04:54
*** erus has joined #openstack-keystone		04:56
*** dims has quit IRC		04:56
*** dims has joined #openstack-keystone		04:56
*** erus has quit IRC		05:02
*** erus has joined #openstack-keystone		05:08
*** spsurya has quit IRC		05:10
*** spsurya has joined #openstack-keystone		05:13
*** erus has quit IRC		05:14
*** erus has joined #openstack-keystone		05:23
*** erus has quit IRC		05:29
*** shyamb has joined #openstack-keystone		05:37
*** erus has joined #openstack-keystone		05:38
*** shyamb has quit IRC		05:43
*** erus has quit IRC		05:44
*** shyamb has joined #openstack-keystone		05:51
*** erus has joined #openstack-keystone		05:53
*** erus has quit IRC		06:00
*** erus has joined #openstack-keystone		06:08
*** erus has quit IRC		06:14
*** erus has joined #openstack-keystone		06:23
*** gyee has quit IRC		06:24
*** erus has quit IRC		06:29
*** erus has joined #openstack-keystone		06:38
*** erus has quit IRC		06:44
*** shyamb has quit IRC		06:50
*** erus has joined #openstack-keystone		06:53
*** bzhao__ has joined #openstack-keystone		06:58
*** rcernin has quit IRC		06:58
*** erus has quit IRC		06:59
*** shyamb has joined #openstack-keystone		07:03
*** shyamb has quit IRC		07:05
*** shyamb has joined #openstack-keystone		07:06
*** erus has joined #openstack-keystone		07:08
*** erus has quit IRC		07:14
*** erus has joined #openstack-keystone		07:23
*** shyamb has quit IRC		07:25
*** erus has quit IRC		07:30
*** wxy-xiyuan has joined #openstack-keystone		07:32
*** shyamb has joined #openstack-keystone		07:32
*** erus has joined #openstack-keystone		07:38
*** pcaruana has joined #openstack-keystone		07:42
*** erus has quit IRC		07:44
*** shyamb has quit IRC		07:46
*** sapd1_ has quit IRC		07:50
*** sapd1_ has joined #openstack-keystone		07:50
*** erus has joined #openstack-keystone		07:53
*** erus has quit IRC		07:59
*** erus has joined #openstack-keystone		08:08
*** erus has quit IRC		08:14
*** erus has joined #openstack-keystone		08:23
*** xek has joined #openstack-keystone		08:24
*** yan0s has joined #openstack-keystone		08:25
*** erus has quit IRC		08:30
*** erus has joined #openstack-keystone		08:38
yan0s	Hi all, I'm having some trouble setting up federated keystone with shibboleth	08:41
yan0s	in keystone.log I get the following:	08:41
yan0s	(keystone.federation.utils): 2019-01-08 08:37:59,144 DEBUG identity_values: []	08:42
yan0s	(keystone.federation.utils): 2019-01-08 08:37:59,144 WARNING Could not map any federated user properties to identity values. Check debug logs or the mapping used for additional details.	08:43
yan0s	and in horizon GUI:	08:43
yan0s	{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}	08:43
yan0s	for starters there should be a user in shibboleth and a corresponding user in OpenStack. Is that correct?	08:44
*** erus has quit IRC		08:44
yan0s	and somehow mapping rules should match them	08:45
*** evrardjp_ has joined #openstack-keystone		08:48
*** evrardjp__ has joined #openstack-keystone		08:49
*** evrardjp has quit IRC		08:51
*** evrardjp_ has quit IRC		08:52
*** erus has joined #openstack-keystone		08:53
*** evrardjp__ has quit IRC		08:53
cmurphy	yan0s: there doesn't have to already be a corresponding user in openstack, it can create a special "shadow" user if there is no local user to map to	08:54
cmurphy	yan0s: have you already seen https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#mapping-rules ?	08:54
*** shyamb has joined #openstack-keystone		08:56
*** erus has quit IRC		09:00
yan0s	cmurphy: Thanks! This is my rule: https://pastebin.com/D0NjXq5Z	09:00
cmurphy	yan0s: is your IdP sending an attribute called "username"?	09:01
yan0s	I have tried with and without existing user in OpenStack and it fails	09:01
yan0s	yes	09:01
yan0s	also in /etc/shibboleth/attribute-map.xml I have added this line	09:02
yan0s	<Attribute name="username" id="username"/>	09:02
*** evrardjp has joined #openstack-keystone		09:03
cmurphy	yan0s: the debug logs should show the saml assertion values and several more lines about how it is rendering the mapping	09:03
yan0s	is that enough?	09:03
cmurphy	yan0s: if you're sure that the IdP is sending "username" then that should be fine	09:03
cmurphy	you might need to turn on insecure_debug to get more detailed logs about the assertion and the mapping	09:03
*** erus has joined #openstack-keystone		09:08
yan0s	here is the full logs for a failed login: https://pastebin.com/zHTN7HWi	09:10
yan0s	do you know how can I read the idp attributes sent in keystone?	09:11
*** erus has quit IRC		09:14
cmurphy	yan0s: it is not sending "username"	09:17
cmurphy	yan0s: you can look in /var/log/shibboleth/shibd_warn.log or shibd.log and look for messages about unmapped attributes on your SP	09:18
cmurphy	you can also check the IdP documentation, if you're using simplesamlphp then it looks like these are some attributes you can use https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_5	09:18
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Optimize fernet token and receipts in cli.py https://review.openstack.org/627364	09:19
*** erus has joined #openstack-keystone		09:23
*** erus has quit IRC		09:29
yan0s	thanks this is very helpful	09:33
yan0s	how do you know it is not sending "username"?	09:33
cmurphy	yan0s: because I don't see it in the "assertion data" log	09:34
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove duplicated TOC in configuration guide https://review.openstack.org/629115	09:37
*** erus has joined #openstack-keystone		09:38
*** ileixe has left #openstack-keystone		09:42
*** erus has quit IRC		09:44
*** erus has joined #openstack-keystone		09:53
*** erus has quit IRC		10:00
*** shyamb has quit IRC		10:00
*** shyamb has joined #openstack-keystone		10:05
*** erus has joined #openstack-keystone		10:08
*** shyamb has quit IRC		10:33
*** erus has quit IRC		11:23
*** erus has joined #openstack-keystone		11:23
*** erus has quit IRC		11:29
*** erus has joined #openstack-keystone		11:36
*** shyamb has joined #openstack-keystone		11:48
*** shyamb has quit IRC		12:30
*** shyamb has joined #openstack-keystone		12:42
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Update doc for token_setup and token_rotate https://review.openstack.org/629168	12:46
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Update doc for token_setup and token_rotate https://review.openstack.org/629168	12:47
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Update doc for token_setup and token_rotate https://review.openstack.org/629168	12:48
*** sayalilunkad has quit IRC		12:51
*** vishakha has joined #openstack-keystone		12:51
*** raildo has joined #openstack-keystone		12:51
*** sayalilunkad has joined #openstack-keystone		12:51
*** rcherrueau has joined #openstack-keystone		12:52
*** szaher has joined #openstack-keystone		13:08
*** yan0s has quit IRC		13:09
*** erus has quit IRC		13:13
*** erus has joined #openstack-keystone		13:13
*** yan0s has joined #openstack-keystone		13:24
*** erus_ has joined #openstack-keystone		13:30
*** zigo has joined #openstack-keystone		13:30
*** rcherrueau has quit IRC		13:40
*** trident has quit IRC		13:41
*** trident has joined #openstack-keystone		13:42
*** jhesketh has quit IRC		13:45
*** szaher has quit IRC		13:47
*** jhesketh has joined #openstack-keystone		13:47
*** szaher has joined #openstack-keystone		13:52
*** trident has quit IRC		14:03
*** trident has joined #openstack-keystone		14:03
erus_	hello	14:07
*** yan0s has quit IRC		14:09
*** yan0s has joined #openstack-keystone		14:10
lbragstad	o/	14:10
cmurphy	\o	14:10
erus_	how are you today?	14:14
erus_	:D	14:14
erus_	here is really hot today!	14:15
lbragstad	i'm well :)	14:16
erus_	great!	14:16
erus_	i'm a little frustrated xD i can't figure out what's wrong with my idp configuration. Right now i have this error	14:17
erus_	ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt assertion: Unable to resolve any key decryption keys.	14:18
erus_	that is from shibboleth logs	14:18
erus_	and in apache logs says	14:18
erus_	2019-01-08 11:14:23.047400 A valid authentication statement was not found in the incoming message.	14:19
erus_	I ran out of ideas xD	14:19
cmurphy	erus_: it seems like maybe you didn't configure the IdP's metadata correctly	14:20
cmurphy	erus_: what do you have for MetadataProvider in shibboleth2.xml?	14:20
erus_	<MetadataProvider type="XML" url="https://samltest.id/saml/idp" backingFile="samltest-metadata.xml"/>	14:21
cmurphy	erus_: did you restart the shibd daemon after you edited shibboleth2.xml?	14:22
erus_	yep	14:23
knikolla	o/	14:23
erus_	hello knikolla :)	14:23
knikolla	Hi everyone, hope you had great holidays :)	14:23
knikolla	hi erus	14:23
erus_	yay o/	14:23
erus_	how are you doing?	14:24
cmurphy	erus_: did you check the logs on samltest.id to see if anything strange was happening on that side?	14:24
knikolla	erus_: I'm good, thank you for asking :) what about you?	14:26
erus_	Looking up message encoder based on binding URI: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST	14:28
erus_	I'm fine, we are in summer and it's really hot :(	14:29
*** shyamb has quit IRC		14:29
erus_	and trying to have things working with samltest as idp :D	14:30
erus_	and have this one too cmurphy No SAMLBindingContext or binding URI available, error must be handled locally	14:30
cmurphy	maybe knikolla has an idea	14:31
knikolla	does this happen during authentication?	14:34
erus_	yep	14:35
erus_	when i try to authenticate it goes to the redirecction, i enter the credentials and then it says opensaml::FatalProfileException	14:36
erus_	redirection*	14:37
knikolla	This error is on the SP side or IdP side?	14:37
erus_	in shibboleth logs says: ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt assertion: Unable to resolve any key decryption keys.	14:37
*** abhi89 has joined #openstack-keystone		14:37
openstackgerrit	Merged openstack/oslo.policy master: Fix sample config value when set_defaults is used https://review.openstack.org/623292	14:39
erus_	i think is on the SP side	14:39
abhi89	Hi All.. I am having a fernet token with me & now I want to extract username & project out of this.. even session..any leads on which methods I can choose from keystone code? or any sample code already available.. need help!	14:40
lbragstad	abhi89 can you call the GET /v3/auth/tokens API with that token?	14:41
lbragstad	the response body should contain all that information	14:41
abhi89	lbragstad: thanks!	14:42
erus_	opensaml::FatalProfileException at (http://192.168.122.11/Shibboleth.sso/SAML2/POST)	14:44
erus_	A valid authentication statement was not found in the incoming message.	14:44
knikolla	erus_: did you register the SP metadata with samltest.id?	14:44
*** erus_ has quit IRC		14:49
*** wxy\| has joined #openstack-keystone		14:54
erus	Did you mean if i uploaded it?	14:59
cmurphy	yes	15:00
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion https://review.openstack.org/588211	15:05
*** itlinux has quit IRC		15:21
*** markvoelker has joined #openstack-keystone		15:23
*** markvoelker has quit IRC		15:26
*** markvoelker has joined #openstack-keystone		15:27
*** markvoelker has quit IRC		15:27
erus	Yes i uploaded it	15:34
knikolla	erus: can I have a look at it?	15:34
erus	Yay give me a minute I'm in the subway :)	15:35
openstackgerrit	Merged openstack/keystone master: Consolidate WebSSO guide into SP instructions https://review.openstack.org/627976	15:41
*** szaher has quit IRC		16:08
*** szaher has joined #openstack-keystone		16:09
*** pcaruana has quit IRC		16:20
*** itlinux has joined #openstack-keystone		16:20
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Optimize fernet token and receipts in cli.py https://review.openstack.org/627364	16:22
*** gyee has joined #openstack-keystone		16:38
*** imacdonn has quit IRC		16:50
*** imacdonn has joined #openstack-keystone		16:51
*** wxy\| has quit IRC		17:00
*** yan0s has quit IRC		17:20
*** erus_ has joined #openstack-keystone		17:24
gyee	lbragstad, cmurphy, https://bugs.launchpad.net/keystone/+bug/1810983. Looks like we'll need to make the fix directly to stable/rocky and backport to stable/queens.	17:35
openstack	Launchpad bug 1810983 in OpenStack Identity (keystone) "domain admin unable to fetch domain" [Undecided,New]	17:35
lbragstad	gyee https://launchpad.net/bugs/1794864	17:39
openstack	Launchpad bug 1794864 in OpenStack Identity (keystone) "Calling GET /v3/domains/{domain_id} with a project-scoped or domain-scoped token fails" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad)	17:39
lbragstad	looks similar to that	17:39
lbragstad	https://review.openstack.org/#/c/605851/8 and https://review.openstack.org/#/c/605871/8	17:40
gyee	oh	17:41
gyee	lbragstad, that won't fix it in stable/rocky	17:42
gyee	problem is in stable/rocky token was never in the auth_context	17:42
gyee	we add it back in there in this patch https://review.openstack.org/#/c/605539/24/keystone/common/context.py	17:42
lbragstad	i don't think we'll be able to pass context objects on stable branches since oslo.policy won't know how to understand them	17:44
gyee	used to work in stable/pike	17:45
lbragstad	passing a RequestContext object to enforce()?	17:45
gyee	https://github.com/openstack/keystone/blob/stable/pike/keystone/common/authorization.py#L68	17:46
gyee	we pass the TokenModel	17:46
lbragstad	ah... yeah	17:47
lbragstad	that's a subclass of dict	17:47
gyee	so we can use things like token.project.id or token.project.domain.id	17:47
gyee	we switched over to oslo_context around stable/queens time frame and the TokenModel was left out of the auth_context	17:48
*** erus has quit IRC		17:49
lbragstad	we do put a the token in the context still https://review.openstack.org/#/c/605539/24/keystone/server/flask/request_processing/middleware/auth_context.py	17:50
lbragstad	https://review.openstack.org/#/c/605539/24/keystone/common/context.py@65	17:50
gyee	yes, in master branch only	17:51
gyee	we need it in stable/rocky and stable/queens also	17:51
gyee	master branch is OK, stable/rocky and queens are broken	17:52
*** erus has joined #openstack-keystone		17:52
lbragstad	so - sometime in queens we stopped passing the tokenmodel?	17:53
gyee	yes	17:53
lbragstad	https://review.openstack.org/#/c/577567/	17:53
lbragstad	that was only six weeks ago though	17:54
gyee	in stable/pike, we pass the tokenmodel here https://github.com/openstack/keystone/blob/stable/pike/keystone/common/authorization.py#L68	17:54
lbragstad	so that can't be it	17:54
gyee	but in stable/queens, we removed that code in favor on oslo_context.to_policy_values()	17:54
lbragstad	ah	17:54
lbragstad	can we rewrite those policies to use the to_policy_values() instead?	17:54
gyee	yes, that's one solution	17:55
gyee	so instead of 'token.project.domain.id:%(target.domain.id)s', we could do this 'domain_id:%(target.domain.id)s'	17:56
lbragstad	i think i'd rather do that instead of using the v3 token contract in the syntax of policy check strings	17:56
lbragstad	right - i think so	17:56
gyee	but if there are any customer policies out there, people will continue to scream :-)	17:56
gyee	I would've imagined there are custom policies out there	17:57
lbragstad	probably	17:57
gyee	so this is essentially a backward compatibility issue	17:57
gyee	remember, openstack upgrades are rather slow. Not everybody is running off master branch in production :-)	17:58
lbragstad	right - but we also worked on deprecation tooling for this kind of thing, too	17:58
gyee	in the particular, I think its worth preserving backward compatibility since we've formally deprecated that syntax	17:59
gyee	I mean in this particular case	17:59
gyee	man I can't type and think at the same time :-)	17:59
openstackgerrit	Merged openstack/keystone master: Remove duplicated TOC in configuration guide https://review.openstack.org/629115	18:02
lbragstad	so you think the backported fix needs to incorporate token.project.domain.id back?	18:03
lbragstad	or token.domain.id	18:03
gyee	yes	18:04
lbragstad	ok - i was going to propose marking https://bugs.launchpad.net/keystone/+bug/1810983 as a duplicate of https://bugs.launchpad.net/keystone/+bug/1794864 but if that's the solution we're going for i'd rather keep them separate	18:04
openstack	Launchpad bug 1810983 in OpenStack Identity (keystone) "domain admin unable to fetch domain" [Undecided,New]	18:04
openstack	Launchpad bug 1794864 in OpenStack Identity (keystone) "Calling GET /v3/domains/{domain_id} with a project-scoped or domain-scoped token fails" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad)	18:04
gyee	I think we just need to backport this one https://review.openstack.org/#/c/605539/24/keystone/common/context.py	18:04
lbragstad	just that file though... not everything else	18:05
lbragstad	since the oslo.policy versions of the stable branches won't understand context objects	18:05
lbragstad	gyee updated - https://bugs.launchpad.net/keystone/+bug/1810983	18:09
openstack	Launchpad bug 1810983 in OpenStack Identity (keystone) rocky "domain admin unable to fetch domain" [Medium,Triaged]	18:09
*** whoami-rajat has quit IRC		18:12
*** erus_ has quit IRC		18:16
*** erus_ has joined #openstack-keystone		18:17
*** erus_ has quit IRC		18:18
*** erus_ has joined #openstack-keystone		18:19
*** erus_ has quit IRC		18:20
gyee	lbragstad, sounds good, just that file should work	18:21
*** erus_ has joined #openstack-keystone		18:21
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Allow domain users to access the registered limits API https://review.openstack.org/621017	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with registered limits https://review.openstack.org/621018	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove registered limit policies from policy.v3cloudsample.json https://review.openstack.org/621019	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add limit protection tests https://review.openstack.org/621020	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add limit tests for system member role https://review.openstack.org/621021	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update limit policies for system admin https://review.openstack.org/621022	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with limits https://review.openstack.org/621023	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with limits https://review.openstack.org/621024	18:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json https://review.openstack.org/621025	18:24
*** erus_ has quit IRC		18:28
*** erus_ has joined #openstack-keystone		18:29
*** erus_ has quit IRC		18:30
*** erus_ has joined #openstack-keystone		18:33
*** erus_ has quit IRC		18:34
*** erus_ has joined #openstack-keystone		18:36
*** erus_ has quit IRC		18:38
*** erus_ has joined #openstack-keystone		18:39
*** erus_ has quit IRC		18:41
*** erus_ has joined #openstack-keystone		18:42
*** lbragsta_ has joined #openstack-keystone		18:52
*** ChanServ sets mode: +o lbragsta_		18:52
*** lbragstad has quit IRC		18:52
*** lbragsta_ is now known as lbragstad		18:55
*** erus_ has quit IRC		19:00
*** erus_ has joined #openstack-keystone		19:01
*** erus_ has quit IRC		19:03
*** erus_ has joined #openstack-keystone		19:06
*** erus_ has quit IRC		19:10
*** erus_ has joined #openstack-keystone		19:11
*** erus_ has quit IRC		19:13
*** erus_ has joined #openstack-keystone		19:13
*** erus_ has joined #openstack-keystone		19:15
*** vishakha has quit IRC		19:16
*** erus_ has quit IRC		19:16
*** erus_ has joined #openstack-keystone		19:18
lbragstad	wxy-xiyuan http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001518.html our action item from last week	19:21
*** erus_ has quit IRC		19:21
*** erus_ has joined #openstack-keystone		19:22
*** erus_ has quit IRC		19:23
*** erus_ has joined #openstack-keystone		19:27
*** erus_ has quit IRC		19:28
lbragstad	cmurphy i assume your +2 here means you're good with the wording of https://review.openstack.org/#/c/624217/4/releasenotes/notes/bug-1805403-c003627a64768716.yaml	19:28
lbragstad	if that's the case, i'll start respinning the other patches to match that wording	19:28
*** erus_ has joined #openstack-keystone		19:29
cmurphy	lbragstad: yeah I think it's fine, I'm not sure how to make it less of a wall of text while still making sure people get all the information they need	19:29
*** erus_ has quit IRC		19:29
lbragstad	right - i had the same problem	19:29
lbragstad	clearly	19:30
*** erus_ has joined #openstack-keystone		19:30
*** erus_ has quit IRC		19:31
*** erus_ has joined #openstack-keystone		19:31
*** erus_ has quit IRC		19:33
*** erus_ has joined #openstack-keystone		19:36
*** erus_ has quit IRC		19:37
*** erus_ has joined #openstack-keystone		19:38
*** erus_ has quit IRC		19:45
*** erus_ has joined #openstack-keystone		19:46
*** erus_ has quit IRC		19:49
*** erus_ has joined #openstack-keystone		19:49
*** erus_ has quit IRC		19:50
*** erus_ has joined #openstack-keystone		19:51
*** erus_ has quit IRC		19:52
mnaser	lbragstad: did you end up taking a decision wrt role names in openstack?	19:53
mnaser	i'm looking at creating a role of a user that can access swift.. and i'd like it to be reusable	19:53
mnaser	aka we don't have to tell everyone to change all their stuff to continue to work :)	19:53
lbragstad	we did	19:53
*** erus_ has joined #openstack-keystone		19:53
lbragstad	keystone-manage bootstrap creates three roles for you out of the box	19:53
lbragstad	admin, member, and reader	19:53
mnaser	lbragstad: right, but what about service-specific roles, like say i want an account that have swift access only for example	19:54
mnaser	so a user can create an application credential for example which has that role included	19:54
lbragstad	oh - gotcha	19:57
lbragstad	so you mean being able to grant someone a role on the swift service?	19:57
*** erus_ has quit IRC		19:57
*** erus_ has joined #openstack-keystone		19:58
mnaser	yes, lbragstad	19:58
cmurphy	we don't have that yet	19:58
*** erus_ has quit IRC		19:59
lbragstad	yeah - so being able to do that doesn't exist yet, but with the work cmurphy is doing, you should be able to make app creds specific to swift APIs	19:59
mnaser	so skillz_dat_swiftz as a role for now to a user is really the best way to go about it?	19:59
*** erus_ has joined #openstack-keystone		19:59
lbragstad	yeah - that would work	20:00
lbragstad	if your solution isn't user specific, you could leverage the application credential whitelist stuff	20:00
lbragstad	http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/capabilities-app-creds.html	20:00
cmurphy	well that would be use specific	20:01
cmurphy	it would be up to the user creating the application credential to restrict it	20:01
*** erus_ has quit IRC		20:01
cmurphy	user* specific	20:01
*** gary_perkins has quit IRC		20:01
mnaser	oh yeah that's fine	20:02
mnaser	that's so neat	20:02
*** erus_ has joined #openstack-keystone		20:02
lbragstad	yeah - i guess it depends on how much you'd trust your users	20:02
lbragstad	because they'd need the role to scope things down	20:02
mnaser	so for now, it would be best to just add a 'swift' role	20:02
mnaser	and then when we have stein	20:02
mnaser	we can have them switch over to using that	20:02
mnaser	and then get rid of swift role	20:02
mordred	yeah. that facet of the appcreds is awesoe	20:03
*** erus_ has quit IRC		20:03
mordred	awesome	20:03
lbragstad	well - if your swift capabilities require the 'member' role	20:03
*** abhi89 has quit IRC		20:03
lbragstad	and you trust that to your users	20:03
lbragstad	but the 'member' role also allows them to do things you do'	20:03
mnaser	yeah that's what we're tryin to avoid	20:03
lbragstad	you don't necessarily want them to do*	20:03
lbragstad	then you'll need to be cautious	20:03
mnaser	we want to restrict to only swift	20:03
lbragstad	since users will need the 'member' role to access swift	20:04
mnaser	yeah	20:04
lbragstad	in order to create app cred whitelists	20:04
lbragstad	but if you use a 'swift' role and implies the 'member' role, and modify the policies accordingly, you should be good	20:04
mnaser	lbragstad: thats the plan, for now	20:04
*** erus_ has joined #openstack-keystone		20:05
lbragstad	ok - sweet	20:05
*** erus_ has quit IRC		20:05
mnaser	i'll be ready to break the new appcred work :)	20:06
lbragstad	eventually - it would be neat to be able to do ``openstack role add --user mnaser --service compute admin``	20:06
mnaser	oooh that would be so neat	20:06
lbragstad	or ``openstack role add --user bob --service swift reader``	20:06
*** gary_perkins has joined #openstack-keystone		20:06
*** erus_ has joined #openstack-keystone		20:06
mnaser	not enough minerals to get that	20:06
mnaser	:(	20:06
lbragstad	inoright?	20:06
*** erus_ has quit IRC		20:07
mnaser	man	20:07
lbragstad	e:you_must_construct_additional_pylons	20:07
mnaser	implied roles are so sweet	20:07
*** erus_ has joined #openstack-keystone		20:07
*** erus_ has quit IRC		20:08
lbragstad	in case you're not aware yet - the admin, member, and reader roles have an implied relationship	20:09
lbragstad	we had to do that by default	20:09
*** erus_ has joined #openstack-keystone		20:09
*** erus_ has quit IRC		20:10
mnaser	lbragstad: that's even cooler	20:10
*** erus_ has joined #openstack-keystone		20:11
*** erus_ has quit IRC		20:12
*** erus_ has joined #openstack-keystone		20:13
lbragstad	yep - grabbing lunch quick	20:13
*** jmlowe has quit IRC		20:30
*** jmlowe has joined #openstack-keystone		20:32
lbragstad	back	20:34
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update protocol policies for system reader https://review.openstack.org/625352	20:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add protocol tests for system member role https://review.openstack.org/625353	20:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system admin role in protocol API https://review.openstack.org/625354	20:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with protocols https://review.openstack.org/625355	20:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with protocols https://review.openstack.org/625356	20:41
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove protocol policies from v3cloudsample.json https://review.openstack.org/625357	20:41
*** spsurya has quit IRC		20:41
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Reuse common system role definitions for roles API https://review.openstack.org/626023	20:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update role policies for system admin https://review.openstack.org/622526	20:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with roles https://review.openstack.org/622527	20:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with roles https://review.openstack.org/622528	20:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove role policies from policy.v3cloudsample.json https://review.openstack.org/622529	20:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add region protection tests for system readers https://review.openstack.org/619085	20:55
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add region tests for system member role https://review.openstack.org/619086	20:55
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update region policies to use system admin https://review.openstack.org/619241	20:55
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with regions https://review.openstack.org/619242	20:55
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with regions https://review.openstack.org/619243	20:55
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove region policies from policy.v3cloudsample.json https://review.openstack.org/619244	20:55
*** xek has quit IRC		21:02
*** xek has joined #openstack-keystone		21:02
*** raildo has quit IRC		21:25
*** erus_ has quit IRC		21:29
*** erus has quit IRC		21:33
*** erus has joined #openstack-keystone		21:35
*** aojea_ has joined #openstack-keystone		21:42
*** aojea_ has quit IRC		21:43
*** aojea__ has joined #openstack-keystone		21:43
*** aojea__ has quit IRC		21:54
*** aojea_ has joined #openstack-keystone		21:56
*** erus has quit IRC		22:02
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update idp policies for system reader https://review.openstack.org/619371	22:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add idp tests for system member role https://review.openstack.org/619372	22:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update idp policies for system admin https://review.openstack.org/619373	22:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with idps https://review.openstack.org/619374	22:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with idps https://review.openstack.org/619375	22:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove idp policies from policy.v3cloudsample.json https://review.openstack.org/619376	22:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update mapping policies for system reader https://review.openstack.org/619612	22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add mapping tests for system member role https://review.openstack.org/619613	22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update mapping policies for system admin https://review.openstack.org/619614	22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with mappings https://review.openstack.org/619615	22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with mappings https://review.openstack.org/619616	22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove mapping policies from policy.v3cloudsample.json https://review.openstack.org/619617	22:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system reader https://review.openstack.org/619329	22:33
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add endpoint tests for system member role https://review.openstack.org/619330	22:33
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system admin https://review.openstack.org/619331	22:33
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints https://review.openstack.org/619332	22:33
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints https://review.openstack.org/619281	22:33
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json https://review.openstack.org/619333	22:33
*** erus_ has joined #openstack-keystone		22:41
*** itlinux has quit IRC		22:48
*** rcernin has joined #openstack-keystone		22:53
*** erus has joined #openstack-keystone		23:13
*** aojea_ has quit IRC		23:29

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!