Wednesday, 2019-06-26

00:23 *** lbragstad has quit IRC
01:32 *** ayoung has joined #openstack-keystone
02:02 *** openstackgerrit has joined #openstack-keystone
02:02 <openstackgerrit> zhenmei proposed openstack/keystone master: Fix create nonlocal user issue  https://review.opendev.org/661183
02:05 *** Dinesh_Bhor has joined #openstack-keystone
02:48 *** ayoung has quit IRC
03:04 *** whoami-rajat has joined #openstack-keystone
03:33 *** Dinesh_Bhor has quit IRC
03:35 *** liushuo has joined #openstack-keystone
04:08 *** liushuo has quit IRC
04:08 *** liushuo has joined #openstack-keystone
04:09 *** joshualyle has joined #openstack-keystone
04:18 *** viks___ has joined #openstack-keystone
04:19 *** jhesketh has quit IRC
04:19 *** jhesketh has joined #openstack-keystone
04:23 *** dave-mccowan has quit IRC
04:45 *** liushuo_ has joined #openstack-keystone
04:48 *** liushuo has quit IRC
05:05 *** eivis has joined #openstack-keystone
06:04 *** vishakha has joined #openstack-keystone
06:26 *** pcaruana has joined #openstack-keystone
07:06 *** rcernin has quit IRC
07:09 <eivis> Probably most of you are still asleep, but you might answer when you wake up
07:11 <eivis> as kmalloc said i can filter branches with user_filter, but as im doing it i get an error which says "UnicodeDecodeError: 'ascii' codec can't decode byte 0xc5 in position 24: ordinal not in range(128)"
07:16 *** tesseract has joined #openstack-keystone
07:16 <eivis> does it mean that python can handle non-latin letters in user_tree_dn but it fails on user_filter?
07:16 <eivis> user_tree_dn= OU=Informacinių technologijų ir sistemų centras,OU=one,DC=example,DC=com
07:52 *** liushuo_ has quit IRC
07:52 *** liushuo_ has joined #openstack-keystone
08:11 *** liushuobj__ has joined #openstack-keystone
08:14 *** liushuo_ has quit IRC
08:16 *** tkajinam has quit IRC
08:18 <kmalloc> eivis: it is possible the ldap driver cannot handle unicode letters in the user_tree_dn. i'd need to see the whole traceback to know if it's an issue in python-ldap or in keystone (or some other lib we lean on)
08:29 *** liushuo_ has joined #openstack-keystone
08:32 *** liushuobj__ has quit IRC
08:38 *** tesseract has quit IRC
08:40 *** tesseract has joined #openstack-keystone
08:42 *** imacdonn has quit IRC
08:43 *** imacdonn has joined #openstack-keystone
08:44 *** liushuobj__ has joined #openstack-keystone
08:46 *** rcernin has joined #openstack-keystone
08:47 *** liushuo has joined #openstack-keystone
08:48 *** liushuo_ has quit IRC
08:49 *** liushuobj__ has quit IRC
08:55 *** liushuo_ has joined #openstack-keystone
08:58 *** liushuo has quit IRC
09:07 *** rcernin has quit IRC
09:11 *** eivis has quit IRC
09:22 *** jaosorior has quit IRC
09:24 *** jaosorior has joined #openstack-keystone
09:26 *** eivis has joined #openstack-keystone
09:29 <eivis> well I think with user_tree_dn everything is fine, cuz when i comment out user_filter I am getting a response with users. (Openstack queens)
09:29 <eivis> https://pastebin.com/baKcDece there is the traceback
09:55 *** xek has joined #openstack-keystone
10:36 <openstackgerrit> Vishakha Agarwal proposed openstack/python-keystoneclient master: Follow bandit B105: hardcoded_password_string  https://review.opendev.org/667304
10:38 <openstackgerrit> Vishakha Agarwal proposed openstack/python-keystoneclient master: Blacklist bandit 1.6.0 & cap sphinx for 2.7  https://review.opendev.org/660609
10:56 <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Remove [signing] config  https://review.opendev.org/659434
11:36 *** liushuobj__ has joined #openstack-keystone
11:40 *** liushuo_ has quit IRC
11:43 *** raildo has joined #openstack-keystone
11:54 *** liushuo_ has joined #openstack-keystone
11:55 *** liushuo_ has quit IRC
11:57 *** liushuobj__ has quit IRC
12:17 *** lbragstad has joined #openstack-keystone
12:52 *** dave-mccowan has joined #openstack-keystone
12:58 <openstackgerrit> Raildo Mascena proposed openstack/keystone master: Fixing dn_to_id function for cases where id is not in the DN  https://review.opendev.org/649177
13:05 *** xek_ has joined #openstack-keystone
13:07 *** xek has quit IRC
13:27 *** raildo has quit IRC
13:38 *** vishakha has quit IRC
13:39 *** raildo has joined #openstack-keystone
13:44 *** raildo has quit IRC
13:46 *** raildo has joined #openstack-keystone
13:47 *** mloza has quit IRC
13:52 *** raildo has quit IRC
13:56 *** mloza has joined #openstack-keystone
14:05 *** jistr is now known as jistr|call
14:11 *** jdennis has quit IRC
14:12 *** ayoung has joined #openstack-keystone
14:22 *** jistr|call is now known as jistr
14:23 *** raildo has joined #openstack-keystone
14:40 *** mloza has quit IRC
14:45 *** jdennis has joined #openstack-keystone
14:49 <lbragstad> cmurphy i'm reading https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials (linked from https://review.opendev.org/#/c/661790/1)
14:50 <lbragstad> i'm a bit fuzzy on that topic
14:50 <lbragstad> is the api traceability reason related to capability APIs? or was that something else?
14:52 <lbragstad> oh - or that it's hard to use access rule configs because it's hard for operators to know what the dependency between API calls is?
15:03 *** xek__ has joined #openstack-keystone
15:05 <cmurphy> lbragstad: the problem is we don't have a complete map of all APIs in openstack, the best we have is what is published in the api-ref, and moreover this could theoretically be used on !openstack, which means it would have to be left up to the operator to curate thousands of API paths/methods for their deployment
15:05 *** xek_ has quit IRC
15:06 <lbragstad> aha
15:06 <lbragstad> and for https://review.opendev.org/#/c/663440/7//COMMIT_MSG
15:06 <lbragstad> before we weren't planning on exposing access rules as their own resource, right?
15:06 <cmurphy> right
15:07 <lbragstad> ok - and the apparent benefit there is that it makes it easier for users to re-use things?
15:07 <cmurphy> they're still not "exposed", they're just managed as their own resource internally
15:07 <lbragstad> oh - but we plan to expose them as their own resource eventually through the api?
15:07 <openstackgerrit> Benoît Knecht proposed openstack/keystone master: backends/ldap: Fix auth for UTF-8 user names  https://review.opendev.org/667645
15:07 <cmurphy> wait no they are exposed
15:08 <cmurphy> sorry
15:08 * cmurphy looks at the code
15:08 <cmurphy> i need better commit messages >.>
15:09 <lbragstad> so - access rules are going to be their own thing that users can create and query?
15:10 <lbragstad> but creation of access rules must be done using application credentials?
15:13 <cmurphy> with this code you can only create access rules through an app cred, i also haven't exposed a way to directly query one's own access rules independently of an app cred - but maybe we should
15:13 <cmurphy> https://review.opendev.org/#/c/628168/25/keystone/api/users.py@614 is the general idea of what it is now
15:14 <lbragstad> ok - that makes sense
15:14 <lbragstad> i wasn't seeing the API to query it directly
15:15 <lbragstad> s/it/access rules/
15:15 <cmurphy> right, i guess it probably makes sense to add that
15:15 <lbragstad> so - is the main thing right now that access rules are completely separate from application credentials internally?
15:15 <lbragstad> to users, they're still compounded together?
15:16 <cmurphy> yes, and i don't think there is necessarily a need to be able to create access rules themselves independently from app creds
15:16 * lbragstad nods
15:16 <cmurphy> just perhaps to query them
15:17 <lbragstad> ok - that makes sense
15:17 <lbragstad> i think i agree
15:17 <cmurphy> cool
15:17 <lbragstad> the reverts look good - i just kicked a bunch of those through
15:17 <cmurphy> sweet
15:18 <lbragstad> is the stuff we just talked about for access rules + application credentials documented somewhere?
15:18 <lbragstad> if so, i clearly glazed over it
15:18 <cmurphy> https://review.opendev.org/661784
15:18 <lbragstad> oh - sure...
15:18 <cmurphy> :)
15:19 <lbragstad> i even said i was going to look at that
15:22 *** whoami-rajat has quit IRC
15:32 <kmalloc> o/
15:38 *** whoami-rajat has joined #openstack-keystone
15:58 <openstackgerrit> Corey Bryant proposed openstack/keystone master: Enable LDAP _dn_to_id() for non-default ID attrs  https://review.opendev.org/666575
16:01 <openstackgerrit> Corey Bryant proposed openstack/keystone master: Enable LDAP _dn_to_id() for non-default ID attrs  https://review.opendev.org/666575
16:10 <openstackgerrit> Corey Bryant proposed openstack/keystone master: Enable LDAP _dn_to_id() for non-default ID attrs  https://review.opendev.org/666575
16:33 <openstackgerrit> Corey Bryant proposed openstack/keystone master: Enable LDAP _dn_to_id() for non-default ID attrs  https://review.opendev.org/666575
16:34 <jrosser> this describes www_authenticate_uri as being a 'public' endpoint https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L42
16:35 *** tesseract has quit IRC
16:35 <jrosser> but almost universally in a non-trivial deployment that has a concept of 'public' and 'internal' endpoints, it is necessary to set www_authenticate_uri to the 'internal' keystone endpoint
16:36 * jrosser confused
16:46 <kmalloc> jrosser: www_authenticate_uri should be a response sent to the end user if they try and hit the endpoint with an invalid token or without a token at all. www_authenticate_uri is not intended for the service user
16:47 <kmalloc> jrosser: this populates the WWW-Authenticate header on a 401.
16:48 <kmalloc> jrosser: https://github.com/openstack/keystonemiddleware/blob/3e62d25dacb4282609d897f8a9cf08c3603b12d7/doc/source/middlewarearchitecture.rst#exchanging-user-information
16:48 <jrosser> but does that differentiate a "client" that is inside or outside the control plane of the cloud?
16:48 <kmalloc> jrosser: it can't.
16:48 <jrosser> sorry if these are silly questions but in openstack-ansible we universally set that to the internal api endpoint
16:49 <jrosser> and things just don't work if we do otherwise
16:49 <kmalloc> the recommendation i can make is for public (end user) communication to an endpoint, have a version of the service with middleware configured to point at the public endpoint
16:49 <kmalloc> for internal, have a separate process that points internal
16:49 <jrosser> i.e. run two sets of keystone with different configs
16:49 <kmalloc> no.
16:49 <kmalloc> two nova processes
16:50 <kmalloc> this is keystonemiddleware
16:50 <kmalloc> keystone catalog can contain internal and external interfaces for each endpoint
16:50 <jrosser> blimey - that config is in pretty much every service though, surely not two of everything?
16:51 <kmalloc> if you're relying on www-authenticate to know where to get a token, it needs to point to the place that is expected
16:51 <kmalloc> end users (external) may not be able to talk to an internal interface
16:52 <kmalloc> if you really have a differentiated environment, where some traffic is internal and some is external, you need to either a) live with mixed communication (not great), or b) run a separate process/middleware for each interface
16:55 <kmalloc> realistically, www-authenticate-uri should only be used in the case of a 401. it should be 100% ok to use the public keystone interface in all cases.
16:56 <kmalloc> even internal traffic should be able to auth on the public interface. it should only be used *if* a 401 occurs and the client doesn't already know where to get a token.
16:56 <jrosser> not if the internal networks don't route to the external ones
16:58 <kmalloc> if your network is that isolated and you have internal clients that do not know the auth_uri a priori and are leaning on www-authenticate, you will need a separately configured interface (nova, e.g.)
16:58 <kmalloc> it's a question of which clients you're breaking with a singularly configured endpoint with multiple interfaces.
17:01 <jrosser> so auth_uri should be bootstrapping the internal clients to know where the internal auth endpoint is?
17:01 <kmalloc> ideally.
17:01 <jrosser> and www-authenticate-uri should only be used for something that didn't have that bootstrap info, i.e. an external user
17:02 <kmalloc> and only if the user doesn't have a token or has an expired token
17:02 <kmalloc> 401 Unauthorized
17:02 <jrosser> ok, great, that's really helpful
17:02 <kmalloc> now, that may not actually be what is happening everywhere
17:02 * jrosser returns to the heat/magnum code and digs some more
17:02 <kmalloc> but that is the intent
17:20 <jrosser> kmalloc: I think I might be seeing a sort of second order thing, where service A wants to use service B internally, and service B redirects A to www-authenticate-uri which may not be accessible
17:20 <jrosser> And that might be horizon<>everything, or magnum>heat as examples
17:30 <kmalloc> yeah. and magnum/heat/horizon is a special(ish) case
17:33 <jrosser> kmalloc: is this documented anywhere, what keystone expects the contract between services to be for auth, and how these special cases should be handled?
17:43 <kmalloc> jrosser: mostly covered in https://github.com/openstack/keystonemiddleware/blob/3e62d25dacb4282609d897f8a9cf08c3603b12d7/doc/source/middlewarearchitecture.rst#exchanging-user-information
17:45 <cmurphy> kmalloc: lbragstad stable patch to fix the stein gate https://review.opendev.org/667105
17:45 <openstackgerrit> Merged openstack/keystone master: Revert "Add API for /v3/access_rules_config"  https://review.opendev.org/661790
17:45 <openstackgerrit> Merged openstack/keystone master: Revert "Add manager support for app cred access rules"  https://review.opendev.org/661791
17:45 <openstackgerrit> Merged openstack/keystone master: Revert "Add a permissive mode for access rules config"  https://review.opendev.org/661792
17:50 <lbragstad> cmurphy done
17:52 *** jistr_ has joined #openstack-keystone
17:53 *** jistr has quit IRC
17:55 <cmurphy> ty
17:55 *** altlogbot_0 has quit IRC
17:57 *** altlogbot_2 has joined #openstack-keystone
17:57 *** altlogbot_2 has quit IRC
17:59 *** altlogbot_1 has joined #openstack-keystone
18:01 *** altlogbot_1 has quit IRC
18:02 *** altlogbot_0 has joined #openstack-keystone
19:09 *** dklyle has quit IRC
19:18 *** phughk has quit IRC
19:22 *** whoami-rajat has quit IRC
19:36 *** dklyle has joined #openstack-keystone
19:46 *** altlogbot_0 has quit IRC
19:47 *** altlogbot_0 has joined #openstack-keystone
20:01 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain reader support for grants  https://review.opendev.org/645968
20:15 *** altlogbot_0 has quit IRC
20:18 *** altlogbot_3 has joined #openstack-keystone
20:30 * kmalloc is back from dentist.
20:43 *** altlogbot_3 has quit IRC
20:44 *** altlogbot_2 has joined #openstack-keystone
20:53 *** eivis has quit IRC
20:58 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain admin support for grants  https://review.opendev.org/667730
20:58 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove obsolete grant policies from policy.v3cloudsample.json  https://review.opendev.org/667731
21:00 *** efried has left #openstack-keystone
21:00 *** altlogbot_2 has quit IRC
21:00 <lbragstad> those ^ will need some release notes
21:00 <lbragstad> otherwise - a set of eyes might be good, too
21:01 <lbragstad> i'm starting to glaze over policy stuff... be prepared to see some mistakes
21:04 *** altlogbot_2 has joined #openstack-keystone
21:05 *** pcaruana has quit IRC
21:30 *** raildo has quit IRC
21:33 *** mloza has joined #openstack-keystone
22:00 *** rcernin has joined #openstack-keystone
22:10 *** xek__ has quit IRC
22:19 *** rcernin has quit IRC
22:20 *** rcernin has joined #openstack-keystone
22:43 <openstackgerrit> Corey Bryant proposed openstack/keystone master: Add Python 3 Train unit tests  https://review.opendev.org/667746
22:44 <openstackgerrit> Corey Bryant proposed openstack/keystoneauth master: Add Python 3 Train unit tests  https://review.opendev.org/667747
22:44 <openstackgerrit> Corey Bryant proposed openstack/keystonemiddleware master: Add Python 3 Train unit tests  https://review.opendev.org/667748
23:05 *** tkajinam has joined #openstack-keystone
23:29 <openstackgerrit> Corey Bryant proposed openstack/keystone-specs master: Add Python 3 Train unit tests  https://review.opendev.org/667755
23:30 <openstackgerrit> Corey Bryant proposed openstack/ldappool master: Add Python 3 Train unit tests  https://review.opendev.org/667756
23:30 <openstackgerrit> Corey Bryant proposed openstack/pycadf master: Add Python 3 Train unit tests  https://review.opendev.org/667757
23:31 <openstackgerrit> Corey Bryant proposed openstack/python-keystoneclient master: Add Python 3 Train unit tests  https://review.opendev.org/667758

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!