Monday, 2019-03-18

*** shyamb has quit IRC		00:28
*** dave-mccowan has joined #openstack-keystone		00:28
*** dave-mccowan has quit IRC		00:31
*** jamesmcarthur has joined #openstack-keystone		00:58
*** itlinux has joined #openstack-keystone		00:59
*** erus has quit IRC		01:28
*** lbragstad has joined #openstack-keystone		01:40
*** ChanServ sets mode: +o lbragstad		01:40
*** jamesmcarthur has quit IRC		01:45
*** jamesmcarthur has joined #openstack-keystone		01:55
*** jamesmcarthur has quit IRC		02:06
*** jamesmcarthur_ has joined #openstack-keystone		02:06
*** lbragstad has quit IRC		02:17
*** irclogbot_1 has quit IRC		02:23
adriant	oh, also cmurphy: I guess we can look at: "default_project_id" on the user model as a precedent :P	02:25
*** edmondsw has quit IRC		02:26
*** jamesmcarthur_ has quit IRC		02:59
*** shyamb has joined #openstack-keystone		03:05
*** shyam89 has joined #openstack-keystone		03:11
*** shyam89 has quit IRC		03:14
*** shyamb has quit IRC		03:14
openstackgerrit	Merged openstack/keystone master: Small refactor for create nonlocal user https://review.openstack.org/643457	03:21
*** whoami-rajat has joined #openstack-keystone		03:46
*** itlinux has quit IRC		04:15
*** rodrigods has quit IRC		05:01
*** rcernin has quit IRC		05:43
*** jaosorior has joined #openstack-keystone		05:45
*** rcernin has joined #openstack-keystone		05:59
*** phasespace has quit IRC		06:54
*** jaosorior has quit IRC		06:58
*** tkajinam_ has joined #openstack-keystone		07:11
*** jaosorior has joined #openstack-keystone		07:11
*** tkajinam has quit IRC		07:13
*** pcaruana has joined #openstack-keystone		07:19
*** jaosorior has quit IRC		07:35
*** jaosorior has joined #openstack-keystone		07:44
*** jaosorior has quit IRC		07:44
*** xek has joined #openstack-keystone		07:45
*** rexor has quit IRC		07:58
*** awalende has joined #openstack-keystone		08:02
*** phasespace has joined #openstack-keystone		08:11
*** tkajinam_ has quit IRC		08:24
cmurphy	adriant: i don't think default_project_id should be taken as a precedent for anything, that's an artifact of keystone v2 and not meant to be used for presentation (i guess you know that)	08:49
cmurphy	adriant: maybe horizon should grow its own database for things like this? i mean nova for instance doesn't try to store user ssh keys in keystone's database, it uses its own	08:50
cmurphy	what if horizon had an optional crud component for storing user options, and a setting in local settings to point to that mini database or some other user info source like adjutant?	08:50
openstackgerrit	Frode Nordahl proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes https://review.openstack.org/643670	08:51
openstackgerrit	zhufl proposed openstack/keystone master: Use ForbiddenAction for invalid action instead of Forbidden https://review.openstack.org/643890	09:15
*** shyamb has joined #openstack-keystone		09:41
*** shyamb has quit IRC		10:04
*** shyamb has joined #openstack-keystone		10:14
*** shyamb has quit IRC		10:30
*** shyamb has joined #openstack-keystone		10:30
*** shyamb has quit IRC		11:31
*** rcernin has quit IRC		11:46
*** edmondsw has joined #openstack-keystone		11:50
*** jaosorior has joined #openstack-keystone		11:51
*** raildo has joined #openstack-keystone		11:52
*** shyamb has joined #openstack-keystone		11:56
*** erus has joined #openstack-keystone		12:14
openstackgerrit	Corey Bryant proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes https://review.openstack.org/643670	12:20
openstackgerrit	erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305	12:21
*** markvoelker has quit IRC		12:22
*** whoami-rajat has quit IRC		12:35
*** yan0s has joined #openstack-keystone		12:43
*** shyamb has quit IRC		12:48
*** pcaruana\|afk\| has joined #openstack-keystone		12:54
*** pcaruana has quit IRC		12:56
*** erus has quit IRC		12:56
*** erus has joined #openstack-keystone		12:56
*** whoami-rajat has joined #openstack-keystone		13:08
*** erus has quit IRC		13:08
*** erus has joined #openstack-keystone		13:09
*** mchlumsky has joined #openstack-keystone		13:14
*** lbragstad has joined #openstack-keystone		13:18
*** ChanServ sets mode: +o lbragstad		13:18
*** needssleep is now known as TheJulia		13:18
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Add domain scope support for group policies https://review.openstack.org/643937	13:23
cmurphy	lbragstad: ^	13:23
cmurphy	those are...a lot of work	13:23
lbragstad	\o/	13:23
lbragstad	inoright?	13:24
lbragstad	it makes me wish i had a better approach or solution to the entire situation	13:24
lbragstad	it's very developer expensive :(	13:24
cmurphy	part of it is just wrapping your brain around what should be system vs domain vs project scope and there's no way around that except to think about it	13:25
cmurphy	but finding some way to dry up the unit testing would be cool	13:25
cmurphy	but anyways i think getting all the system-scope-tagged bugs done in https://launchpad.net/keystone/+milestone/stein-rc1 before train is probably a little too ambitious	13:26
lbragstad	yeah	13:27
lbragstad	i guess it comes down to which couple we think are important	13:27
lbragstad	and targeting those	13:27
cmurphy	yeah	13:27
lbragstad	re DRY: we have a whole bunch of this everywhere	13:28
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/protection/v3/test_users.py#n170	13:28
lbragstad	every resource has a SystemAdminTests, SystemMemberTest, SystemReaderTests, DomainAdminTests, etc...	13:29
lbragstad	we could just have a single test module for SystemAdminTests and import all test classes for it	13:29
* lbragstad probably should have done that originally		13:29
lbragstad	but that would cut down on some of the copy/pastad code	13:30
cmurphy	++	13:30
lbragstad	fyi - we're still waiting on https://review.openstack.org/#/c/624794/ to merge for the project and user APIs	13:37
*** mchlumsky has quit IRC		13:37
*** mchlumsky has joined #openstack-keystone		13:40
*** pcaruana\|afk\| has quit IRC		13:48
*** pcaruana has joined #openstack-keystone		14:33
openstackgerrit	OpenStack Release Bot proposed openstack/keystoneauth master: Update master for stable/stein https://review.openstack.org/643996	14:39
openstackgerrit	OpenStack Release Bot proposed openstack/keystonemiddleware master: Update master for stable/stein https://review.openstack.org/643999	14:40
*** shyamb has joined #openstack-keystone		14:41
openstackgerrit	OpenStack Release Bot proposed openstack/oslo.policy master: Update master for stable/stein https://review.openstack.org/644075	14:45
openstackgerrit	OpenStack Release Bot proposed openstack/python-keystoneclient master: Update master for stable/stein https://review.openstack.org/644158	14:52
*** awalende has quit IRC		14:59
*** awalende has joined #openstack-keystone		15:00
*** jamesmcarthur has joined #openstack-keystone		15:02
*** shyamb has quit IRC		15:03
*** phasespace has quit IRC		15:03
*** awalende has quit IRC		15:04
efried	mordred: Just so you're not surprised: It occurred to me that it makes sense to factor out all the conf-loading logic, whatever that may be now or in the future, into this helper.	15:24
efried	that will change the complexion of the from_conf method in sdk nontrivially. But makes the most sense imo.	15:26
mordred	efried: kk. wfm	15:28
knikolla	o/	15:40
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Factor Adapter conf-processing logic into a helper https://review.openstack.org/644251	15:42
efried	mordred: ^	15:42
efried	mordred: q: should we put a keystoneauth1.loading.shim_in_here?	15:43
mordred	efried: nah. I think it's fine for us to reach in - I mean, it's an interface, but it's not an interface most people should be touching	15:45
efried	ight	15:45
efried	mordred: one update to make a docstring more precise, then Ima update the sdk patch to use it mkay?	15:45
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Factor Adapter conf-processing logic into a helper https://review.openstack.org/644251	15:45
mordred	efried: looks great to me	15:46
cmurphy	we need https://review.openstack.org/641128 and https://review.openstack.org/642026 asap, open question on the latter about whether we should keep doing that	15:58
lbragstad	damn	15:59
cmurphy	lol	15:59
*** yan0s has quit IRC		16:21
*** shyamb has joined #openstack-keystone		16:28
*** shyamb has quit IRC		16:46
*** itlinux has joined #openstack-keystone		16:58
*** jamesmcarthur has quit IRC		17:38
*** jamesmcarthur has joined #openstack-keystone		17:39
*** mvkr has quit IRC		17:43
*** erus has quit IRC		17:43
*** erus has joined #openstack-keystone		17:43
*** itlinux has quit IRC		17:50
*** itlinux has joined #openstack-keystone		17:54
*** gyee has joined #openstack-keystone		17:58
*** jmlowe has joined #openstack-keystone		18:02
openstackgerrit	Corey Bryant proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes https://review.openstack.org/643670	18:08
*** itlinux has quit IRC		18:10
*** dustinc is now known as dustinc\|lunch		18:13
*** itlinux has joined #openstack-keystone		18:15
*** gmann is now known as gmann_afk		18:34
*** itlinux has quit IRC		18:34
*** bbobrov has joined #openstack-keystone		18:36
*** itlinux has joined #openstack-keystone		18:38
*** jamesmcarthur has quit IRC		18:41
*** jamesmcarthur has joined #openstack-keystone		18:56
*** gmann_afk is now known as gmann		18:56
*** jamesmcarthur has quit IRC		19:00
*** dave-mccowan has joined #openstack-keystone		19:05
*** jmlowe has quit IRC		19:13
*** itlinux has quit IRC		19:15
*** jamesmcarthur has joined #openstack-keystone		19:18
*** jamesmcarthur has quit IRC		19:19
*** jamesmcarthur has joined #openstack-keystone		19:23
*** dustinc\|lunch is now known as dustinc		19:23
*** itlinux has joined #openstack-keystone		19:24
mnaser	ok i'm really stuck on this request and i really feel like its quite wrong its as complex as i think it is	19:42
mnaser	queens deployment.. user needs a role which can do 2 specific things only against the compute service and nothing else	19:42
mnaser	does that mean we have to go and change the policies of ALL services to $some_default_involving_member_role and then overriding those specific ones to allow that extra role?	19:42
mnaser	isn't that.. how do you say, uh, insanely unreasonable?	19:42
*** itlinux has quit IRC		19:53
lbragstad	mnaser yeah - pretty much	19:53
lbragstad	so that role should only do 2 things and nothing else/	19:54
lbragstad	or should they still be allowed to do other member-ish type things?	19:54
mnaser	lbragstad: that's the goal, i.e. "a role for this user that can read server name and ip only"	19:54
mnaser	maybe more of a "reader" role i guess	19:54
lbragstad	++ sounds like a reader role capability	19:54
lbragstad	but someone with a reader role on a project shouldn't be able to do much anyway	19:55
mnaser	and we're far away from that eh :<	19:55
*** whoami-rajat has quit IRC		19:55
lbragstad	so - you could create a server-name-and-ip-reader role	19:55
lbragstad	and have reader imply that role	19:56
lbragstad	then just update the nova policies for that new role	19:56
mnaser	lbragstad: but i guess then we need to put in the work into nova policies	19:57
*** itlinux has joined #openstack-keystone		19:57
mnaser	which is probably too late in the cycle now i guess	19:57
lbragstad	yeah - probably	19:57
lbragstad	fwiw - i'm reworking one of the nova docs to elaborate on all of this	19:57
lbragstad	https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes is a general description of the process	19:58
*** erus has quit IRC		19:58
lbragstad	same with https://docs.openstack.org/keystone/latest/contributor/services.html#why-are-authorization-scopes-important	19:58
*** erus has joined #openstack-keystone		19:59
*** jamesmcarthur has quit IRC		20:00
mnaser	lbragstad: when was reader role created if you dont mind me asking?	20:04
lbragstad	rocky	20:04
lbragstad	http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html	20:04
mnaser	lbragstad: ok, i will need to push patches to the projects to get proper policy coverage. i will then use the built policy.json to use in a queens env	20:06
mnaser	im going to make a multi-project bug to track it too	20:07
*** jamesmcarthur has joined #openstack-keystone		20:09
*** jamesmcarthur has quit IRC		20:10
*** jamesmcarthur has joined #openstack-keystone		20:10
*** irclogbot_1 has joined #openstack-keystone		20:12
*** dklyle has quit IRC		20:14
mnaser	lbragstad: admin_or_owner becomes redundant at this point because role:admin implies role:member and role:reader anyways, correct?	20:16
*** dklyle has joined #openstack-keystone		20:18
lbragstad	well - imo owner means owner of a resource	20:18
mnaser	in nova world, owner is also someone who's part of that project i guess, but yeah that makes sense	20:18
*** jmlowe has joined #openstack-keystone		20:20
mnaser	https://github.com/openstack/nova/blob/master/nova/policies/base.py	20:20
mnaser	i'm pretty much trying to figure out what rules we need in place so i can go back and go over the policies	20:20
mnaser	i think i could add `RULE_ADMIN_OR_OWNER_AND_READER = 'rule:admin_or_owner and role:reader'`	20:21
*** irclogbot_1 has quit IRC		20:25
lbragstad	i think it depends on what you define an owner as	20:27
*** irclogbot_1 has joined #openstack-keystone		20:27
mnaser	in nova world, that's a user who's project == their project	20:27
lbragstad	ok - we can use that as an example	20:27
lbragstad	so	20:28
lbragstad	if you want to have someone be able to list servers	20:29
lbragstad	you could do "role:reader and project_id:%(server.project_id)s"	20:29
lbragstad	^ that would effectively be a PROJECT_READER policy check string	20:30
mnaser	i think fundamentally having project:$(project_id)s in the nova policy messes things up because that user obviously would already have access for the rest because they share the project_id	20:30
mnaser	so ADMIN_OR_OWNER would need to be revised somehow	20:30
lbragstad	so you want it to be more granular than project id?	20:31
mnaser	no, but if i add a user to a project_id with role:reader -- nothing checks for role:member in the default policy	20:31
lbragstad	member implies reader	20:31
lbragstad	and admin implies member	20:31
mnaser	right, but in nova, nothing checks for member specifically	20:31
mnaser	the most common check for non-admin API is.. `is_admin:True or project_id:%(project_id)s`	20:32
mnaser	so either you're an admin .. or you live in the same project	20:32
mnaser	so even if i give role 'bananaman' to an account, they'll still match admin_or_owner	20:32
lbragstad	sure	20:33
lbragstad	yeah - i see what you mean	20:33
lbragstad	that's something that i think projects need to move towards	20:33
mnaser	i think we would need to revise admin_or_owner rule to become: is_admin:True or (project_id:%(project_id)s and role:member)	20:33
lbragstad	I would refactor out the admin bits	20:33
lbragstad	but yea	20:33
mnaser	yeah is_admin:True is some context level check which can be replaced by role:admin	20:33
lbragstad	with system, domain, and project scope, admin can mean many different htings	20:34
lbragstad	you can be a system-admin, domain-admin, or project-admin	20:34
lbragstad	in fact, you can do that with every default role (admin, member, reader) across all scopes (system, domain, project)	20:34
mnaser	so really admin_or_owner replacement should be a project scoped member, right?	20:35
lbragstad	yes - i think so	20:35
lbragstad	at least the owner part	20:35
lbragstad	the admin part should be system_admin	20:35
mnaser	yep	20:35
lbragstad	so admin_or_owner == SYSTEM_ADMIN_OR_PROJECT_MEMBER	20:35
lbragstad	if the API is writable	20:36
lbragstad	otherwise you could o	20:36
lbragstad	SYSTEM_ADMIN_OR_PROJECT_READER	20:36
mnaser	ok, is there any docs on writing scoped policy rules?	20:36
lbragstad	the actual check string would be "(role:admin and system_scope:all) or (role:reader and project_id:%(target.server.project_id)s"	20:37
lbragstad	we have some here - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope	20:37
lbragstad	but that is specific to scope	20:37
mnaser	ok well maybe we need to refactor the policies to include a scope_type before	20:38
lbragstad	scope_type is an attribute that is available on RuleDefault objects	20:38
ildikov	knikolla: ping	20:38
*** dave-mccowan has quit IRC		20:39
mnaser	o yikes the policy is not using named args but ordered ones in nova	20:39
lbragstad	yeah...	20:39
lbragstad	i noticed that, too	20:40
lbragstad	that would be a good low-hanging-fruit for a new contributor to fix	20:40
mnaser	ok ill try to talk to the nova team about this	20:41
mnaser	thanks for all the input lbragstad	20:41
lbragstad	i've been having an off and on discussion with nova (mriedem and melwitt) about policy for the last year or so	20:41
lbragstad	we're making progress	20:41
lbragstad	but the concepts are a bit confusing yet	20:41
mnaser	it is	20:42
lbragstad	which is why we've been dumping time into the docs to help describe how people can actually fix all this	20:42
lbragstad	we also have forum and ptg sessions	20:42
mnaser	once it makes sense, it seems to add up	20:42
lbragstad	so - if we wanna do another hoorah, i'm all for it	20:42
lbragstad	all the plumbing is in place	20:42
melwitt	lbragstad: what would be good low-hanging-fruit? changing from ordered args to named args?	20:42
lbragstad	yeah - for the RuleDefault and DocumentedRuleDefault objects in nova	20:43
lbragstad	mnaser more context in case you haven't parsed it yet - http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003788.html	20:43
mnaser	that's a really good tl;dr	20:44
lbragstad	tl;dr all the plumbing is in place in keystone, oslo.context, oslo.policy, ksm, ksa, clients, etc... for all projects and services to start moving towards a consistent set of RBAC roles	20:45
*** dave-mccowan has joined #openstack-keystone		20:45
lbragstad	i guess the email just includes more words and links	20:45
lbragstad	melwitt the RuleDefault object only has a couple of ordered args, everything is named	20:47
* lbragstad goes to get a cup of coffee quick		20:47
melwitt	lbragstad: ack, thanks	20:47
*** pcaruana has quit IRC		20:54
*** mchlumsky has quit IRC		20:55
lbragstad	melwitt np	20:57
*** itlinux has quit IRC		21:01
*** itlinux has joined #openstack-keystone		21:13
*** erus has quit IRC		21:13
*** itlinux has quit IRC		21:17
*** xek has quit IRC		21:17
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [DNM] Fix WebSSO for new remote_id retrieval https://review.openstack.org/644426	21:20
*** itlinux has joined #openstack-keystone		21:25
*** irclogbot_1 has quit IRC		21:26
*** irclogbot_1 has joined #openstack-keystone		21:28
cmurphy	lbragstad: can you review https://review.openstack.org/643029 ?	21:33
lbragstad	cmurphy done	21:35
lbragstad	looks great	21:35
cmurphy	sweet	21:36
*** itlinux has quit IRC		21:43
*** itlinux has joined #openstack-keystone		21:45
*** mvkr has joined #openstack-keystone		21:47
*** raildo has quit IRC		21:48
*** itlinux has quit IRC		21:51
*** erus has joined #openstack-keystone		22:02
*** itlinux has joined #openstack-keystone		22:09
*** itlinux has quit IRC		22:20
*** tkajinam has joined #openstack-keystone		22:54
openstackgerrit	Corey Bryant proposed openstack/keystone master: PY3: Ensure LDAP searches use unicode attributes https://review.openstack.org/643670	23:03
*** rcernin has joined #openstack-keystone		23:04
*** erus has quit IRC		23:21
*** jamesmcarthur has quit IRC		23:51

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!