Thursday, 2019-01-31

*** imacdonn has quit IRC [00:00]
*** imacdonn has joined #openstack-keystone [00:01]
*** ileixe has joined #openstack-keystone [00:52]
*** gyee has quit IRC [01:33]
*** Dinesh_Bhor has joined #openstack-keystone [01:48]
*** whoami-rajat has joined #openstack-keystone [02:11]
*** dims has quit IRC [02:38]
*** dims has joined #openstack-keystone [02:55]
*** ileixe has quit IRC [04:38]
*** lbragstad has quit IRC [05:16]
*** ileixe has joined #openstack-keystone [05:18]
*** shyamb has joined #openstack-keystone [05:30]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.openstack.org/588211 [06:23]
*** shyamb has quit IRC [06:31]
*** zzzeek has quit IRC [06:33]
*** zzzeek has joined #openstack-keystone [06:37]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Replace 'tenant_id' with 'project_id'  https://review.openstack.org/631706 [07:04]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Replace 'tenant_id' with 'project_id'  https://review.openstack.org/631706 [07:07]
*** markvoelker has joined #openstack-keystone [07:26]
*** takamatsu has joined #openstack-keystone [07:46]
*** shyamb has joined #openstack-keystone [07:59]
*** markvoelker has quit IRC [07:59]
*** tkajinam has quit IRC [08:14]
*** shyam89 has joined #openstack-keystone [08:37]
*** shyamb has quit IRC [08:40]
*** shyam89 has quit IRC [08:42]
*** Dinesh_Bhor has quit IRC [08:44]
*** Dinesh_Bhor has joined #openstack-keystone [08:44]
*** awalende has joined #openstack-keystone [08:45]
*** shyamb has joined #openstack-keystone [08:46]
*** markvoelker has joined #openstack-keystone [08:56]
*** shyamb has quit IRC [09:05]
*** shyamb has joined #openstack-keystone [09:09]
*** markvoelker has quit IRC [09:29]
*** awalende has quit IRC [09:39]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.openstack.org/588211 [09:40]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.openstack.org/588211 [09:52]
*** shyamb has quit IRC [09:58]
*** xek_ has joined #openstack-keystone [09:59]
*** shyamb has joined #openstack-keystone [10:08]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Test case for bad type user in assertion  https://review.openstack.org/634193 [10:09]
*** shyamb has quit IRC [10:25]
*** shyamb has joined #openstack-keystone [10:25]
*** markvoelker has joined #openstack-keystone [10:26]
*** jistr is now known as jistr|chat [10:31]
*** shyamb has quit IRC [10:40]
*** shyamb has joined #openstack-keystone [10:43]
*** Dinesh_Bhor has quit IRC [10:54]
*** shyamb has quit IRC [10:55]
*** markvoelker has quit IRC [10:59]
*** jistr|chat is now known as jistr [11:05]
*** shyamb has joined #openstack-keystone [11:08]
*** yan0s has joined #openstack-keystone [11:16]
*** sapd1_ has quit IRC [11:18]
*** ileixe has quit IRC [11:20]
*** mchlumsky has quit IRC [11:33]
*** mchlumsky has joined #openstack-keystone [11:35]
*** shyamb has quit IRC [11:40]
*** awalende has joined #openstack-keystone [11:40]
*** shyamb has joined #openstack-keystone [11:41]
*** awalende has quit IRC [11:44]
*** markvoelker has joined #openstack-keystone [11:57]
*** shyamb has quit IRC [12:02]
*** shyamb has joined #openstack-keystone [12:03]
*** shyamb has quit IRC [12:14]
*** markvoelker has quit IRC [12:29]
*** shyamb has joined #openstack-keystone [12:34]
*** erus1 has quit IRC [13:01]
*** shyamb has quit IRC [13:16]
*** jistr is now known as jistr|call [13:25]
*** markvoelker has joined #openstack-keystone [13:26]
*** jistr|call is now known as jistr [13:31]
*** shyamb has joined #openstack-keystone [13:36]
*** xek_ has quit IRC [13:45]
*** xek_ has joined #openstack-keystone [13:45]
*** pcaruana has quit IRC [13:52]
*** takamatsu has quit IRC [13:54]
*** lbragstad has joined #openstack-keystone [13:57]
*** ChanServ sets mode: +o lbragstad [13:57]
*** markvoelker has quit IRC [13:58]
*** pcaruana has joined #openstack-keystone [14:02]
<brtknr> ubuntu@devstack-master:/opt/stack$ openstack trust create demo service-user --project demo --role member [14:03]
<brtknr> You are not authorized to perform the requested action: identity:create_trust. (HTTP 403) (Request-ID: req-6d767713-0ae2-46ac-9c8d-ddedb5148cbf) [14:03]
<brtknr> ubuntu@devstack-master:/opt/stack$ openstack trust create demo service-user --project demo --role member [14:03]
<brtknr> You are not authorized to perform the requested action: identity:create_trust. (HTTP 403) (Request-ID: req-6d767713-0ae2-46ac-9c8d-ddedb5148cbf) [14:03]
<brtknr> Is anyone able to help me debug why I can't create trust as non-admin user [14:03]
*** shyamb has quit IRC [14:17]
*** dave-mccowan has joined #openstack-keystone [14:18]
*** dave-mccowan has quit IRC [14:41]
<yan0s> "identity:create_trust": "user_id:%(trust.trustor_user_id)s", [14:45]
<yan0s> brtknr: this is the default policy for creating trust in keystone policy.json [14:46]
<yan0s> brtknr: not sure how to translate it [14:47]
<yan0s> brtknr: but setting it to : "identity:create_trust": "", [14:48]
<yan0s> brtknr: should allow everyone to create trusts regardless of their role [14:48]
<brtknr> yan0s: is there any downside to allowing this? [14:49]
<yan0s> also you may need to restart apache2 service to apply the rule [14:49]
<yan0s> not sure about downsides.. [14:50]
<brtknr> yan0s: what does "user_id:%(trust.trustor_user_id)s" even mean? [14:52]
<brtknr> who is currently allowed to create trust? [14:52]
<brtknr> i mean, who is it currently allowing to create trust? [14:52]
<cmurphy> don't disable the create_trust policy, that would allow anyone to create trusts for anyone [14:53]
<cmurphy> the default policy is supposed to only allow a user to create a trust for themselves [14:53]
<cmurphy> but the client has a strange issue with names because looking up a user by name requires admin privileges [14:53]
<yan0s> brtknr: I don't know what this means, if someone can explain this I would be very interested to know too [14:54]
<cmurphy> so it returns a confusing forbidden error [14:54]
<cmurphy> the way around it is to use user IDs and not names [14:54]
<yan0s> cmurphy: can you explain the "user_id" and "%(trust.trustor_user_id)s" parts of the filter? [14:55]
<yan0s> cmurphy: I really need to be able to know what filters I can use in the policy files [14:56]
*** markvoelker has joined #openstack-keystone [14:56]
<cmurphy> yan0s: it looks at the token payload for user_id and matches the value to the trustor_user_id value in the trust body [14:57]
<yan0s> cmurphy: what is the trust body? [14:58]
<brtknr> cmurphy: great! that finally worked, using id instead of username [14:58]
<cmurphy> yan0s: the json you use to create the trust [14:58]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Replace 'tenant_id' with 'project_id'  https://review.openstack.org/631706 [14:58]
<cmurphy> brtknr: great [14:58]
<brtknr> so the trustor gives control of their account to the trustee correct? [14:59]
<brtknr> what is impersonation? [14:59]
<cmurphy> no not of their account, just their role on the project [14:59]
*** mvkr has quit IRC [15:00]
<yan0s> cmurphy: so all the variables I can use in a filter exist in the token payload? [15:00]
<brtknr> cmurphy: oops that's what i meant [15:00]
<brtknr> cmurphy: what is the difference between having impersonation on and off, it's not very well documented afaics [15:01]
<cmurphy> impersonation i think means that it will use the trustor's name/id for things so for auditing it looks like they themselves were acting, nonimpersonation means the other user has permission to do things but they're still using their own name [15:01]
<cmurphy> i think, i'm a little fuzzy on that part [15:01]
<brtknr>  --impersonate         Tokens generated from the trust will represent [15:01]
<brtknr>                         <trustor> (defaults to False) [15:01]
<brtknr> as opposed to representing someone else? [15:02]
<cmurphy> yan0s: i think so yes [15:02]
<cmurphy> brtknr: yes as opposed to representing the trustee [15:02]
<yan0s> cmurphy: thanks! [15:02]
<brtknr> interesting, so its main implication is for auditing [15:03]
<brtknr> sounds like the desired behaviour is the default behaviour [15:03]
<brtknr> unless the trustee account is ephemeral [15:03]
<vishakha> cmurphy: hey, By any chance you have time we can discuss over https://review.openstack.org/#/c/588211/ [15:06]
<cmurphy> vishakha: i need to take a closer look at that, not sure what to suggest offhand [15:09]
<cmurphy> it's on my list for when I have time [15:10]
<vishakha> sure thanks [15:10]
<vishakha> Also please have a look over https://review.openstack.org/#/c/631706/ will not take much time [15:11]
*** mvkr has joined #openstack-keystone [15:13]
<gagehugo> o/ [15:26]
*** markvoelker has quit IRC [15:29]
<brtknr> vishakha: +1 [15:46]
*** jmlowe has quit IRC [15:49]
*** jmlowe has joined #openstack-keystone [16:04]
*** yan0s has quit IRC [16:07]
<brtknr> cmurphy: is there a way to delegate trust without specifying the --role arg? [16:26]
<brtknr> i want to delegate all roles [16:26]
*** markvoelker has joined #openstack-keystone [16:27]
<brtknr> but I don't know what roles I'm assigned to as a non-admin user [16:27]
<lbragstad> brtknr as a user, you can validate your token and see the role assignment you have associated to that token [16:31]
<brtknr> how? [16:31]
*** imacdonn has quit IRC [16:31]
<brtknr> lbragstad: openstack token issue? [16:32]
<lbragstad> brtknr yeah - that will issue you a token [16:37]
<lbragstad> if you use openstack token issue --debug, osc will print the actual response and request so you get the entire token body [16:37]
<lbragstad> which will contain the roles you have associated to that token [16:37]
*** imus has joined #openstack-keystone [16:41]
<kmalloc> o/ [16:46]
<kmalloc> mornin [16:46]
<brtknr> lbragstad: excellent! that worked like a treat!! [16:46]
<lbragstad> good deal [16:47]
<lbragstad> o/ kmalloc [16:47]
*** spsurya has quit IRC [16:54]
*** markvoelker has quit IRC [17:00]
*** takamatsu has joined #openstack-keystone [17:14]
*** gyee has joined #openstack-keystone [17:19]
*** dave-mccowan has joined #openstack-keystone [18:25]
*** mvkr has quit IRC [18:35]
*** markvoelker has joined #openstack-keystone [19:27]
*** pcaruana has quit IRC [19:30]
*** sapd1 has joined #openstack-keystone [19:42]
*** sapd1 has quit IRC [19:48]
<kmalloc> hm. [19:52]
*** markvoelker has quit IRC [20:00]
*** jmlowe has quit IRC [20:04]
*** awalende has joined #openstack-keystone [20:16]
*** awalende has quit IRC [20:20]
*** jmlowe has joined #openstack-keystone [20:24]
*** markvoelker has joined #openstack-keystone [20:57]
*** xek_ has quit IRC [21:19]
*** xek has joined #openstack-keystone [21:19]
*** markvoelker has quit IRC [21:30]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add configuration options for JWS provider  https://review.openstack.org/628676 [21:33]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add keystone-manage create_jws_keypair functionality  https://review.openstack.org/615315 [21:33]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add test fixture for the JWS key repository  https://review.openstack.org/614547 [21:33]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement  https://review.openstack.org/614548 [21:33]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement JWS token provider  https://review.openstack.org/614549 [21:33]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add JWS token provider documentation  https://review.openstack.org/633831 [21:33]
<openstackgerrit> Islam Musleh proposed openstack/keystone master: Converting the API tests to use flask's test_client  https://review.openstack.org/630301 [21:40]
*** mchlumsky has quit IRC [21:51]
*** markvoelker has joined #openstack-keystone [22:27]
*** erus1 has joined #openstack-keystone [22:38]
*** markvoelker has quit IRC [22:41]
*** tkajinam has joined #openstack-keystone [22:56]
*** whoami-rajat has quit IRC [23:00]
