Tuesday, 2019-03-26

*** mailingsam_ has quit IRC		00:05
*** gyee has quit IRC		00:13
*** lbragstad has quit IRC		00:18
*** jamesmcarthur has joined #openstack-keystone		00:53
*** dustinc\|away has quit IRC		00:56
*** awalende has joined #openstack-keystone		01:04
*** awalende has quit IRC		01:08
openstackgerrit	Merged openstack/keystone master: Update system grant policies for system admin https://review.openstack.org/645022	01:28
openstackgerrit	Merged openstack/keystone master: Test domain users against system assignment API https://review.openstack.org/645023	01:28
openstackgerrit	Merged openstack/keystone master: Test project users against system assignment API https://review.openstack.org/645024	01:28
*** jamesmcarthur has quit IRC		01:30
openstackgerrit	Merged openstack/keystone master: Update system group assignment policies for reader and member https://review.openstack.org/645309	01:31
openstackgerrit	Merged openstack/keystone master: Update group system grant policies for admins https://review.openstack.org/645310	01:31
openstackgerrit	Merged openstack/keystone master: Test domain and project users against group system assignment API https://review.openstack.org/645311	01:31
openstackgerrit	Merged openstack/keystone master: Remove system assignment policies from policy.v3cloudsample.json https://review.openstack.org/645312	01:31
*** jamesmcarthur has joined #openstack-keystone		01:38
*** whoami-rajat has joined #openstack-keystone		01:57
*** jamesmcarthur has quit IRC		02:13
*** lbragstad has joined #openstack-keystone		02:29
*** ChanServ sets mode: +o lbragstad		02:29
*** erus has quit IRC		02:29
*** erus has joined #openstack-keystone		02:30
*** jamesmcarthur has joined #openstack-keystone		02:48
*** jamesmcarthur has quit IRC		02:51
*** jamesmcarthur has joined #openstack-keystone		02:52
*** shyamb has joined #openstack-keystone		03:00
*** shyamb has quit IRC		03:06
*** jamesmcarthur has quit IRC		03:14
*** jamesmcarthur has joined #openstack-keystone		03:44
*** jamesmcarthur has quit IRC		03:48
*** lbragstad has quit IRC		04:34
*** tkajinam_ has joined #openstack-keystone		05:06
*** tkajinam has quit IRC		05:08
*** shyamb has joined #openstack-keystone		05:09
*** markvoelker has joined #openstack-keystone		05:17
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Add support for previous TOTP windows https://review.openstack.org/647655	05:26
*** shyamb has quit IRC		05:27
adriant	cmurphy, kmalloc: ^ i'm working on some internal TOTP features and will as I do them push them upstream	05:34
adriant	mostly so they are there for Train, and because I like to keep my internal work in sync with or base on any upstream work	05:35
adriant	and I should probably make some RFE bugs for those?	05:36
adriant	First is adding previous window support to TOTP (for at least one previous window) since that keeps tripping people up when the totp code just ticks over. 1 previous window is safe and better UX.	05:37
*** erus has quit IRC		05:37
adriant	Then TOTP backup codes.	05:37
adriant	Not sure if i want to do backup codes upstream as a separate auth plugin, or build the logic into the existing auth plugin.	05:37
*** erus has joined #openstack-keystone		05:37
adriant	essentially the logic would be: "if user has creds type totp-backup, see if any match given passcode, if match, mark auth method as valid, and delete matching totp-backup credential"	05:39
*** vishakha has joined #openstack-keystone		05:40
adriant	not sure if the delete part should be after the whole auth process is done, and if we want it to only delete on successful auth.	05:40
adriant	I think on successful auth is unsafe because with a totp-backup code you can otherwise brute force passwords.	05:40
*** shyamb has joined #openstack-keystone		05:41
adriant	If a match is found, successful auth or not, that backup-code is gone.	05:41
*** ileixe has joined #openstack-keystone		06:06
*** shyamb has quit IRC		06:41
openstackgerrit	Merged openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718	06:42
openstackgerrit	Merged openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json https://review.openstack.org/640943	06:42
openstackgerrit	Merged openstack/keystone master: Replace URL name to the correct one in Keystone Docs https://review.openstack.org/647606	06:42
*** shyamb has joined #openstack-keystone		06:54
*** tkajinam__ has joined #openstack-keystone		07:05
*** tkajinam_ has quit IRC		07:07
*** pcaruana has joined #openstack-keystone		07:10
*** shyamb has quit IRC		07:19
*** shyamb has joined #openstack-keystone		07:19
*** shyamb has quit IRC		07:38
*** awalende has joined #openstack-keystone		08:11
*** shyamb has joined #openstack-keystone		08:20
*** xek has joined #openstack-keystone		08:23
*** tkajinam__ has quit IRC		08:25
*** shyamb has quit IRC		08:27
*** shyamb has joined #openstack-keystone		08:27
*** rcernin has quit IRC		08:36
*** shyamb has quit IRC		09:14
*** shyamb has joined #openstack-keystone		09:17
*** shyamb has quit IRC		09:38
*** shyamb has joined #openstack-keystone		09:42
*** rcernin has joined #openstack-keystone		09:44
*** shyamb has quit IRC		10:21
*** rcernin has quit IRC		10:24
*** xek_ has joined #openstack-keystone		10:37
openstackgerrit	Merged openstack/keystone master: Implement system reader functionality for grants https://review.openstack.org/645889	10:38
*** xek has quit IRC		10:39
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	10:46
*** shyamb has joined #openstack-keystone		11:06
*** ileixe has quit IRC		11:20
*** mvkr has joined #openstack-keystone		11:22
*** shyamb has quit IRC		11:30
*** shyamb has joined #openstack-keystone		11:31
*** shyamb has quit IRC		12:09
*** shyamb has joined #openstack-keystone		12:21
*** markvoelker has quit IRC		12:31
*** shyamb has quit IRC		12:36
*** mchlumsky has joined #openstack-keystone		12:43
*** lbragstad has joined #openstack-keystone		12:46
*** ChanServ sets mode: +o lbragstad		12:46
*** jamesmcarthur has joined #openstack-keystone		12:46
*** jmlowe has quit IRC		12:52
cmurphy	morning lbragstad	12:53
lbragstad	hey cmurphy	12:53
lbragstad	thanks for proposing the backports for grants	12:54
cmurphy	no problem	12:54
cmurphy	do you think I should break up https://review.openstack.org/643937 into reader/member/admin patches? it felt a little more natural to write it together but i could see how it's a beast to review	12:54
lbragstad	i'm pretty familiar with the flow so i should be able to review it as one patch	12:56
cmurphy	mmk	12:56
lbragstad	i suppose we could revisit the approach, too	12:57
lbragstad	maybe 6 patches for each resources isn't needed anymore?	12:57
cmurphy	might be a tiny bit excessive	12:58
cmurphy	otoh your stackalytics stats are through the roof so that's something ;)	12:58
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Consolidate user protection tests https://review.openstack.org/623323	12:58
* lbragstad pads stats		12:58
lbragstad	the credential API was all one patch and it was about 1500+ lines	12:59
lbragstad	at the time i was like "there is no way i'm going to get people to review all these" :)	13:00
*** erus has quit IRC		13:00
cmurphy	this one is +762,-51 so still pretty big but it's all in the unit tests	13:00
lbragstad	yeah	13:00
lbragstad	fwiw - i did a count of master yesterday	13:00
*** awalende has quit IRC		13:01
lbragstad	we've added about 750 additional protection tests 0.0	13:01
*** erus has joined #openstack-keystone		13:01
*** awalende has joined #openstack-keystone		13:01
cmurphy	i think all this code is slowing down our pep8 tests, it's been feeling really sluggish for the last few weeks	13:01
lbragstad	it is..	13:01
lbragstad	if you run `tox -e py37 -- keystone.tests.unit.protection` you can time just the protection tests	13:02
lbragstad	750 tests took 256 seconds to run yesterday for me	13:02
lbragstad	but... something we might be able to revisit now that we're using all the flask utilities for these tests...	13:05
*** awalende has quit IRC		13:05
lbragstad	is proper test classes and using setupClass() effectively instead of duplicating all the steps for each test	13:05
cmurphy	++	13:06
lbragstad	the last time I tried to make that change with our tests we were still using all of our own utilities and sharing them through inheritance, which caused a whole bunch of issues	13:06
cmurphy	the token getting with flask can definitely be dried up	13:06
lbragstad	yeah - same with calling bootstrap	13:07
lbragstad	we call that on every test	13:07
lbragstad	but i don't think those tests actually modify the data from bootstrap	13:07
*** jistr is now known as jistr\|afk		13:16
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Run lower-constraints job on Xenial https://review.openstack.org/647604	13:26
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Run lower-constraints on Bionic and update python-keystoneclient https://review.openstack.org/647736	13:26
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Run lower-constraints job on Xenial https://review.openstack.org/647604	13:29
*** awalende has joined #openstack-keystone		13:30
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Run lower-constraints job on Xenial https://review.openstack.org/647604	13:31
*** awalende has quit IRC		13:34
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Run lower-constraints job on Xenial https://review.openstack.org/647604	13:35
*** jmlowe has joined #openstack-keystone		13:37
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Run lower-constraints on Bionic and update python-keystoneclient https://review.openstack.org/647736	13:38
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add release prelude about changing policies https://review.openstack.org/647737	13:41
cmurphy	lbragstad: ^	13:41
lbragstad	sweet	13:42
*** vishakha has quit IRC		13:45
lbragstad	i might be double booked on saturday during the PTG	13:55
cmurphy	yeah i figured	13:56
cmurphy	we're also scheduled to start later on thursday	13:56
cmurphy	should we ask if we can move our slot up so we get a full thursday and friday?	13:57
*** mvkr has quit IRC		13:59
lbragstad	cmurphy up to you - but don't bend over backwards on my account	14:05
lbragstad	i'm also not sure how full our days are going to be?	14:05
lbragstad	https://etherpad.openstack.org/p/DEN-keystone-forum-sessions looks like it's kind of set - so it could be grouped into a rough schedule?	14:06
cmurphy	i feel like everyone is going to want to leave early or listen in on the tc session on saturday so might as well see if we can move it up unless it conflicts with something else	14:07
lbragstad	++	14:07
cmurphy	agreed that we can start coming up with a schedule	14:08
cmurphy	i was going to do that...soonish...	14:08
* lbragstad waves hands		14:08
lbragstad	"this is not the droid you're looking for"	14:09
cmurphy	lol	14:09
*** jamesmcarthur has quit IRC		14:11
cmurphy	looks like the edge group is meeting thursday morning so not sure we want to overlap with that	14:11
lbragstad	looks like we have a bullet in our forum section dedicated to edge stuff	14:12
lbragstad	if we have things to talk about with them, maybe we can use the same time on thursday?	14:12
*** jamesmcarthur has joined #openstack-keystone		14:13
*** jamesmcarthur has quit IRC		14:14
cmurphy	sure	14:15
*** jistr\|afk is now known as jistr		14:15
lbragstad	do you want me to self-approve? https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/stein+topic:implement-default-roles since your +1 is on it?	14:16
cmurphy	maybe kmalloc can approve if he's around today	14:17
* lbragstad nods		14:17
kmalloc	I am	14:17
cmurphy	lbragstad: were there specific things we want to touch on with the edge group at the ptg? there's not a lot of details in the etherpad	14:18
lbragstad	https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/stein+topic:bug/1806762 needs stable reviews, too	14:18
lbragstad	well - i know they have questions about the federation testing stuff and the athenz approach, because that comes up weekly during the edge call	14:19
lbragstad	(which is happening right now)	14:19
cmurphy	yeah i'm on it	14:19
lbragstad	oh - you're hiding	14:20
lbragstad	if i knew that was you'd i wouldn't have answered the keystone question ;)	14:20
*** erus has quit IRC		14:20
cmurphy	well she called you :P	14:21
lbragstad	s/you'd/you/	14:21
*** redrobot has joined #openstack-keystone		14:21
*** erus has joined #openstack-keystone		14:21
cmurphy	the qa team's slot starts thursday morning so may be can invade them during that time	14:22
kmalloc	+2/+A and +2 where it made sense (no other +2)	14:22
cmurphy	thanks kmalloc	14:23
lbragstad	oh - good call	14:23
*** xek_ has quit IRC		14:24
*** xek_ has joined #openstack-keystone		14:24
erus	o/	14:24
cmurphy	\o	14:24
lbragstad	https://review.openstack.org/#/c/647553/ and https://review.openstack.org/#/c/647552/ could use some stable eyes	14:25
*** mvkr has joined #openstack-keystone		14:26
lbragstad	kmalloc ^	14:27
gagehugo	o/	14:32
*** vishakha has joined #openstack-keystone		14:35
*** jamesmcarthur has joined #openstack-keystone		14:36
*** erus has quit IRC		14:36
*** erus has joined #openstack-keystone		14:37
knikolla	o/	14:48
*** xek_ has quit IRC		14:53
*** jmlowe has quit IRC		15:02
*** jmlowe has joined #openstack-keystone		15:07
redrobot	Hello keystone friends!	15:08
*** jmlowe has quit IRC		15:09
redrobot	I'm trying to debug a failing barbican gate. It seems to be failing when trying to find keystone-manage	15:09
redrobot	http://logs.openstack.org/57/645857/1/check/barbican-dogtag-devstack-functional-fedora-latest/6670b03/logs/devstacklog.txt.gz#_2019-03-22_20_03_07_092	15:09
redrobot	Has there been recent changes to the way Keystone is installed in DevStack?	15:09
openstackgerrit	Merged openstack/keystone master: Make system admin policies consistent for grants https://review.openstack.org/645890	15:12
*** shyamb has joined #openstack-keystone		15:17
lbragstad	redrobot o/	15:22
lbragstad	not that i am aware of	15:22
redrobot	ohai lbragstad!	15:23
redrobot	dang... I was hoping y'all would have some awesome insight. :-P	15:23
*** jmlowe has joined #openstack-keystone		15:25
lbragstad	i wonder if that job is doing anything different with keystone?	15:26
lbragstad	i haven't seen that error before	15:26
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add domain scope support for group policies https://review.openstack.org/643937	15:32
openstackgerrit	Merged openstack/keystone master: Replace openstack.org git:// URLs with https:// https://review.openstack.org/646432	15:35
openstackgerrit	Merged openstack/keystone master: Remove external-dev and consolidate to contributor https://review.openstack.org/645640	15:35
*** shyam89 has joined #openstack-keystone		15:59
cmurphy	keystone meeting now in #openstack-meeting-alt	16:01
*** shyamb has quit IRC		16:03
*** jmlowe has quit IRC		16:21
*** gyee has joined #openstack-keystone		16:25
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	16:26
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Make domain admin policies consistent for grants https://review.openstack.org/647801	16:26
*** shyam89 has quit IRC		16:34
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	16:38
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add keystone's technical vision reflection https://review.openstack.org/641374	16:39
*** erus has quit IRC		16:46
*** erus has joined #openstack-keystone		16:47
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	16:51
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	16:55
lbragstad	cmurphy kmalloc picked up the last two in the grant chain and proposed them to stable/stein https://etherpad.openstack.org/p/keystone-stein-rc2-tracking	17:02
lbragstad	lines 72 and 73	17:02
cmurphy	oh good	17:02
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	17:05
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	17:09
cmurphy	lbragstad: weird, i thought i already fixed the tests on https://review.openstack.org/647586 but maybe i forgot to git review	17:25
*** jamesmcarthur has quit IRC		17:25
lbragstad	i started tinkering with it locally, but your test coverage is exhaustive	17:41
lbragstad	afaict, they're failing because the group policies aren't being overridden	17:42
lbragstad	sidenote: those tests are hard to grok	17:42
aning_	lbragstad: what's the feature related to system assignment? where can I find document about it?	17:47
*** mvkr has quit IRC		17:50
lbragstad	aning_ http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html	17:50
lbragstad	http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html	17:51
lbragstad	http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html	17:51
lbragstad	and finally	17:51
lbragstad	http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html	17:51
*** jmlowe has joined #openstack-keystone		17:51
aning_	lbragstad: Thx. I guess these 3 specs are all related to system assignment, right?	17:52
lbragstad	the first one is pretty much the implementation spec	17:52
lbragstad	the next two are overall documents that describe the issues on a higher level	17:52
aning_	lbragstad: Great, thx again.	17:53
lbragstad	the last is another specification that we did after the system-scope work was in place that makes all that work more useful	17:53
lbragstad	also - this is written for developers as the audience	17:53
*** mvkr has joined #openstack-keystone		17:53
lbragstad	but it also describes a lot of detail around the problem and how system-scope fixes it	17:53
lbragstad	https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes	17:53
lbragstad	https://docs.openstack.org/keystone/latest/contributor/services.html#why-are-authorization-scopes-important	17:53
lbragstad	and finally https://docs.openstack.org/keystone/latest/contributor/services.html#how-do-i-incorporate-authorization-scopes-into-a-service	17:54
lbragstad	aning_ let us know if you have specific questions we can help you with	17:54
aning_	Wow, it is big	17:54
lbragstad	yeah... it's a complicated problem :(	17:54
aning_	lbragstad: sure.	17:54
aning_	lbragstad: need time to digest.	17:55
lbragstad	++	17:55
*** jamesmcarthur has joined #openstack-keystone		17:56
*** stevebot has joined #openstack-keystone		17:59
lbragstad	omg - a stevebot	18:00
stevebot	@lbragstad what year is this?!	18:01
lbragstad	i'm surprised your nick still works ;)	18:01
stevebot	no meeting?	18:01
lbragstad	meeting was two hours ago	18:02
stevebot	fuuuuu	18:02
gagehugo	lol	18:02
lbragstad	:)	18:02
lbragstad	wah wah...	18:02
stevebot	i wanted to congratulate @cmurphy :)	18:02
stevebot	i've clearly gotten too used to slack	18:02
lbragstad	s/congratulate/offer condolences/	18:03
lbragstad	re: slack i was bummed to hear the the irc gateway is no longer supported	18:04
*** dolphm has joined #openstack-keystone		18:07
dolphm	sorry i'm late	18:08
lbragstad	o..... m...... g.......	18:08
* lbragstad marks the calendar		18:08
dolphm	just wanted to drop in and say congrats to @cmurphy!	18:09
kmalloc	whoa	18:09
kmalloc	hi dolphm !	18:09
dolphm	kmalloc: o/	18:09
dolphm	does keystone still support 401's?	18:10
lbragstad	mostly just 503s	18:12
stevebot	the openstack channels for irc certainly gave me a 401 :P	18:12
lbragstad	followed promptly by a 302	18:13
kmalloc	dolphm: unuathorized, should be fine.	18:17
kmalloc	and supported	18:17
kmalloc	oh hah	18:18
kmalloc	wait dolphm AND stevebot, i mean we just need joe heck and termie.	18:18
kmalloc	and it'll be like old times.	18:18
dolphm	there, i did a code review	18:21
kmalloc	are you going to submit code change and get ATC again too?	18:22
dolphm	how many more code reviews until i get a prize?	18:22
* kmalloc hands dolphm a prize		18:22
dolphm	kmalloc: i mean, i guess i could. gotta keep voting in elections!	18:22
kmalloc	:)	18:22
* kmalloc hands dolphm a +2 for said code change (provisionally applied) even though it doesn't exist yet		18:23
*** jmlowe has quit IRC		18:23
stevebot	dolphm https://review.openstack.org/#/c/641374/ for an easy review	18:26
dolphm	that one sounds too important	18:27
stevebot	where are the job results for https://review.openstack.org/#/c/641374/3 ?	18:27
lbragstad	on your machine stevebot - just need to run them ;)	18:28
stevebot	:O	18:29
stevebot	tox -e docs?	18:29
*** jmlowe has joined #openstack-keystone		18:29
lbragstad	yup	18:29
cmurphy	stevebot: dolphm omg <3	18:30
dolphm	\o/ congrats!	18:35
cmurphy	congrats to lbragstad for successfully conning me	18:35
lbragstad	i learnt from the best	18:36
cmurphy	lol	18:36
dolphm	i promise it won't hurt too bad after awhile	18:38
openstackgerrit	Dolph Mathews proposed openstack/keystone master: Update broken links to dogpile.cache docs https://review.openstack.org/647866	18:39
*** jmlowe has quit IRC		18:39
dolphm	BOOM	18:40
dolphm	ATC here i come	18:40
stevebot	openstack denver watch out	18:40
stevebot	+1	18:41
stevebot	damn, approved and gating already	18:42
stevebot	here i am stuck in a meeting	18:42
lbragstad	lemme guess, you and dolphm are in the same meeting?	18:43
stevebot	no, he skipped it	18:43
lbragstad	lol smart	18:43
lbragstad	lemme guess, you couldn't skip it?	18:43
stevebot	probably could have but glad i didn't, someone asked me for something	18:43
aning_	lbragstad: A quick question pop up in my mind, if admin@Default has a admin role in System, does admin implicitely have admin role (or other) in all projects and domains target?	18:43
*** jmlowe has joined #openstack-keystone		18:44
lbragstad	aning_ no - it only gets a role assignment on the system and a project created by `keystone-manage bootstrap`	18:44
lbragstad	s/it/admin@Default/	18:46
dolphm	why is Default capitalized?	18:47
* dolphm asking the hard questions		18:47
* lbragstad deflects to cmurphy		18:48
cmurphy	decisions somebody made before my time	18:48
lbragstad	#flawless	18:48
cmurphy	B)	18:49
aning_	lbragstad: the project created by 'keystone-manage bootstrap', you the "admin" project?	18:49
lbragstad	aning_ yep	18:49
stevebot	is "Default" the name and "default" the id?	18:49
aning_	stevebot: ++	18:49
kmalloc	stevebot: that sounds right	18:50
stevebot	i should leave before i start doing reviews haha	18:50
kmalloc	the real secret... trying to rope stevebot back into openstack :P	18:51
aning_	lbragstad: then how different is it from admin@Default has admin role in admin project? I know 'System' seems to be another layer of scope, but don't get it yet ...	18:53
*** jmlowe has quit IRC		18:54
lbragstad	aning_ system-scope was developed to move us away from having to use project-scoped tokens for everything	18:55
aning_	lbragstad: k, need continue digging	18:57
lbragstad	since openstack has APIs that operate on resources inside and outside of project-scope, we didn't really have a clean way of protecting APIs that fell outside of project-scope	18:57
aning_	lbragstad: that makes sense	18:58
lbragstad	system-scope (and domain-scope) should help us move towards better support for hard-tenancy	18:59
*** erus has quit IRC		18:59
*** erus has joined #openstack-keystone		19:00
aning_	lbragstad: by giving admin a role in system so that admin can access these resources outside of project-scope, like managing the deployed system	19:01
lbragstad	right	19:01
*** jmlowe has joined #openstack-keystone		19:01
lbragstad	for example: having admin on project Foo shouldn't let uses modify entries in the service catalog	19:02
lbragstad	users*	19:02
aning_	lbragstad: since service catalog is a system wide resource?	19:03
lbragstad	yeah	19:03
*** awalende has joined #openstack-keystone		19:03
aning_	lbragstad: BTW what's hard_tenancy?	19:03
lbragstad	or another example: having admin on project Foo shouldn't let users query hypervisor information from nova that instances from multiple projects could be running on	19:03
lbragstad	hard tenancy assumes users are malicious and untrustworthy (in a way)	19:05
aning_	Yeah, make sense since hypervisor is really a system resource.	19:05
lbragstad	e.g., you have to assume a user will do something if they have the ability to do so	19:06
*** erus has quit IRC		19:06
*** erus has joined #openstack-keystone		19:07
dolphm	sounds like that supersedes this then https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens	19:07
*** awalende has quit IRC		19:07
lbragstad	yeah - it would be really cool to get it to that point	19:07
lbragstad	jamielennox had a really cool idea during the Queens ptg	19:08
lbragstad	which was to reuse the hierarchical nature of the service catalog and expose services (in keystone) as grant targest	19:08
lbragstad	targets*	19:08
lbragstad	i could have `admin` on the compute service in the us-west region, but cmurphy could have `admin` on the entire deployment system	19:10
*** jmlowe has quit IRC		19:11
*** mvkr has quit IRC		19:15
aning_	lbragstad: so far region is not a scope yet	19:16
lbragstad	aning_ not for assignments, no	19:16
aning_	I can see region scope may have use cases though.	19:17
aning_	Region support is a whole big topic ...	19:18
lbragstad	++	19:19
lbragstad	while system-scope includes the entire deployment system today, we could break it into services in the future	19:19
stevebot	service assignments is something that folks have wanted for a while iirc	19:20
lbragstad	implementing another authorization scope is already a significant amount of work, so we thought it best to hold off on that part	19:20
stevebot	kinda worked around it with service accounts :\	19:20
kmalloc	yeah, system scope is much cleaner	19:21
*** erus has quit IRC		19:21
kmalloc	it's something we needed	19:21
lbragstad	i agree it would be nice to offer a way to minimize the attack surface an admin has	19:21
kmalloc	we can def. expand system scope	19:22
*** erus has joined #openstack-keystone		19:22
cmurphy	it was built with the idea that it might turn into the top level of a service or region scope	19:22
*** vishakha has quit IRC		19:25
*** jmlowe has joined #openstack-keystone		19:29
*** jmlowe has quit IRC		19:33
openstackgerrit	Merged openstack/keystonemiddleware master: Run lower-constraints job on Xenial https://review.openstack.org/647604	19:34
*** jamesmcarthur has quit IRC		19:45
lbragstad	gagehugo cmurphy kmalloc stable stein fix for ksm https://review.openstack.org/647907	20:05
openstackgerrit	Lance Bragstad proposed openstack/keystonemiddleware master: Revert "Run lower-constraints job on Xenial" https://review.openstack.org/647909	20:05
cmurphy	do we need to backport it to rocky too? or is rocky safe?	20:06
*** jmlowe has joined #openstack-keystone		20:06
cmurphy	if it's only a problem for stein then i think we can get away with doing the version bump there	20:07
lbragstad	i can't recreate it on stable/rocky locally?	20:09
lbragstad	but i'd trust whatever zuul tests on stable/rocky more than what i have setup locally	20:10
lbragstad	fwiw - the revert is rolled into https://review.openstack.org/#/c/647736/2	20:12
openstackgerrit	Merged openstack/keystone master: Added keystone identity provider installation to Devstack plugin https://review.openstack.org/484121	20:13
lbragstad	actually - the version bump is rolled into the revert*	20:13
openstackgerrit	Merged openstack/keystone master: Consolidate user protection tests https://review.openstack.org/623323	20:13
gagehugo	ack	20:20
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586	20:25
cmurphy	ha just found the tab where git review was waiting for me to type 'yes'	20:25
kmalloc	hehehe	20:25
*** dustinc has joined #openstack-keystone		20:27
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add domain scope support for group policies https://review.openstack.org/643937	20:28
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586	20:28
*** stevebot has quit IRC		20:37
*** lbragstad has quit IRC		21:01
*** pcaruana has quit IRC		21:33
*** whoami-rajat has quit IRC		21:37
*** mchlumsky has quit IRC		21:43
openstackgerrit	Merged openstack/keystonemiddleware master: Run lower-constraints on Bionic and update python-keystoneclient https://review.openstack.org/647736	22:09
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586	22:27
*** rcernin has joined #openstack-keystone		22:38
*** tkajinam has joined #openstack-keystone		22:57
openstackgerrit	Merged openstack/keystone master: Update broken links to dogpile.cache docs https://review.openstack.org/647866	22:58
*** gyee has quit IRC		23:53

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!