Tuesday, 2019-07-23

*** jamesmcarthur has joined #openstack-keystone [00:05]
*** gyee has quit IRC [00:07]
*** tkajinam has quit IRC [00:10]
*** jamesmcarthur has quit IRC [00:15]
*** dancn has quit IRC [00:16]
*** ayoung has quit IRC [01:11]
*** imacdonn has quit IRC [01:18]
*** imacdonn has joined #openstack-keystone [01:18]
*** jamesmcarthur has joined #openstack-keystone [01:24]
*** jamesmcarthur_ has joined #openstack-keystone [01:32]
*** jamesmcarthur has quit IRC [01:34]
*** whoami-rajat has joined #openstack-keystone [01:43]
*** jamesmcarthur_ has quit IRC [02:35]
*** ayoung has joined #openstack-keystone [03:14]
*** rcernin has quit IRC [04:13]
*** rcernin has joined #openstack-keystone [04:14]
*** rcernin has quit IRC [04:20]
*** etp has joined #openstack-keystone [04:25]
*** etp has quit IRC [04:26]
*** etp has joined #openstack-keystone [04:27]
*** pcaruana has joined #openstack-keystone [04:43]
*** vishwanathj has quit IRC [04:51]
*** vishwanathj has joined #openstack-keystone [04:52]
openstackgerrit: Andreas Jaeger proposed openstack/keystone master: Update api-ref location  https://review.opendev.org/672096 [04:56]
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Remove [signing] config  https://review.opendev.org/659434 [05:17]
*** jamesmcarthur has joined #openstack-keystone [05:55]
*** vishwanathj has quit IRC [05:55]
*** jamesmcarthur has quit IRC [05:56]
*** vishwanathj has joined #openstack-keystone [05:56]
*** jamesmcarthur has joined #openstack-keystone [06:09]
*** jhesketh has quit IRC [06:11]
*** jhesketh has joined #openstack-keystone [06:11]
*** jamesmcarthur has quit IRC [06:13]
*** jamesmcarthur has joined #openstack-keystone [06:16]
*** jamesmcarthur_ has joined #openstack-keystone [06:28]
*** jamesmca_ has joined #openstack-keystone [06:31]
*** etp has quit IRC [06:31]
*** etp_ has joined #openstack-keystone [06:31]
*** jamesmcarthur has quit IRC [06:32]
*** etp_ has quit IRC [06:35]
*** jamesmcarthur_ has quit IRC [06:35]
*** etp has joined #openstack-keystone [06:35]
*** etp has quit IRC [06:36]
*** etp_ has joined #openstack-keystone [06:36]
*** jamesmca_ has quit IRC [06:38]
*** etp_ has quit IRC [06:40]
*** jamesmcarthur has joined #openstack-keystone [06:43]
*** etp has joined #openstack-keystone [06:45]
*** jamesmcarthur has quit IRC [06:51]
*** jamesmcarthur has joined #openstack-keystone [06:53]
*** tesseract has joined #openstack-keystone [07:09]
*** irclogbot_1 has quit IRC [07:20]
*** jdennis has quit IRC [07:20]
*** openstackstatus has quit IRC [07:20]
*** jdennis has joined #openstack-keystone [07:21]
*** irclogbot_1 has joined #openstack-keystone [07:21]
*** dansmith has quit IRC [07:23]
*** cwright has quit IRC [07:23]
*** dansmith has joined #openstack-keystone [07:24]
*** Anticimex has quit IRC [07:24]
*** jamesmcarthur has quit IRC [07:24]
*** cwright has joined #openstack-keystone [07:24]
*** Anticimex has joined #openstack-keystone [07:29]
*** ivve has joined #openstack-keystone [08:22]
*** ileixe has quit IRC [08:49]
*** jojoda has quit IRC [09:45]
*** jaosorior has joined #openstack-keystone [09:52]
*** rdopiera has joined #openstack-keystone [11:14]
rdopiera: hello there, I'm working on adding the ability to change expired password to horizon, and I have some problems calling the change_password API with keystoneclient without authenticating [11:15]
rdopiera: the docs say that this API doesn't require authentication, but I still get keystoneauth1.exceptions.auth.AuthorizationFailure from keystone client when I try to call it [11:15]
rdopiera: with "No valid authentication is available" [11:16]
rdopiera: does anybody know how to call that API without auth properly? [11:16]
*** raildo has joined #openstack-keystone [11:35]
*** markvoelker has quit IRC [11:58]
*** kplant has joined #openstack-keystone [12:06]
*** etp has quit IRC [12:11]
*** markvoelker has joined #openstack-keystone [12:16]
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Remove [signing] config  https://review.opendev.org/659434 [12:45]
*** jamesmcarthur has joined #openstack-keystone [13:08]
cmurphy: o/ [13:11]
*** jamesmcarthur has quit IRC [13:18]
*** openstackstatus has joined #openstack-keystone [13:21]
*** ChanServ sets mode: +v openstackstatus [13:21]
*** jamesmcarthur has joined #openstack-keystone [13:39]
cmurphy: starting the second midcycle session in a few minutes in https://global.gotomeeting.com/join/672157765 [13:52]
*** jamesmcarthur has quit IRC [13:58]
*** lbragstad has joined #openstack-keystone [14:00]
kmalloc: Few [14:01]
kmalloc: Minutes late. But will be there. [14:01]
lbragstad: https://bugs.launchpad.net/keystone/+bugs?field.tag=policy [14:07]
lbragstad: https://bugs.launchpad.net/keystone/+bugs?field.tag=default-roles [14:08]
lbragstad: https://bugs.launchpad.net/keystone/+bugs?field.tag=system-scope [14:08]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1805363 [14:09]
openstack: Launchpad bug 1805363 in OpenStack Identity (keystone) "Oauth1 Consumer API doesn't use default roles" [Medium,Triaged] [14:09]
lbragstad: https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-oauth1-api [14:12]
lbragstad: this is the intended flow? https://developer.openstack.org/api-ref/identity/v3-ext/index.html#delegated-authentication-flow [14:13]
lbragstad: https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/consumer.py [14:16]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1805366 [14:22]
openstack: Launchpad bug 1805366 in OpenStack Identity (keystone) "Domain config API doesn't use default roles" [Medium,Triaged] [14:22]
*** gyee has joined #openstack-keystone [14:23]
lbragstad: https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/domain_config.py#L74-L101 [14:28]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1750669 grant scope types bug [14:36]
openstack: Launchpad bug 1750669 in OpenStack Identity (keystone) "The v3 grant API should account for different scopes" [High,In progress] - Assigned to Lance Bragstad (lbragstad) [14:36]
cmurphy: lbragstad: you left us :'( [14:37]
*** lbragstad has quit IRC [14:40]
cmurphy: taking a break, returning 14:55 [14:42]
*** lbragstad has joined #openstack-keystone [14:43]
lbragstad: are people still on the call? [14:44]
cmurphy: lbragstad: still here but taking a break, kmalloc is dogwalking [14:44]
lbragstad: ah [14:44]
vishakha: lbragstad: we took 15 mins break [14:44]
lbragstad: sorry - my network dropped me [14:45]
lbragstad: are we starting at the top of the hour? [14:45]
cmurphy: lbragstad: 5 till [14:45]
lbragstad: ok [14:45]
lbragstad: thanks [14:45]
* cmurphy calls everybody back [14:55]
kmalloc: woof [15:00]
cmurphy: :'D [15:00]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1805371 [15:00]
openstack: Launchpad bug 1805371 in OpenStack Identity (keystone) "Implied role API doesn't support default roles" [Medium,Triaged] [15:00]
lbragstad: ayoung just fyi - we're going through your comments on https://bugs.launchpad.net/keystone/+bug/1805371 and curious if you could clarify something [15:13]
openstack: Launchpad bug 1805371 in OpenStack Identity (keystone) "Implied role API doesn't support default roles" [Medium,Triaged] [15:13]
*** trident has quit IRC [15:18]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1818725 [15:19]
openstack: Launchpad bug 1818725 in OpenStack Identity (keystone) "Application credential API doesn't use default roles" [Medium,In progress] - Assigned to Guang Yee (guang-yee) [15:19]
*** trident has joined #openstack-keystone [15:20]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1750615 [15:28]
openstack: Launchpad bug 1750615 in OpenStack Identity (keystone) "The v3 application credential API should account for different scopes" [High,In progress] - Assigned to Guang Yee (guang-yee) [15:28]
lbragstad: gyee https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/application_credential.py [15:29]
gyee: https://github.com/openstack/keystone/blob/master/keystone/api/users.py#L596-#L599 [15:33]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1818732 [15:39]
openstack: Launchpad bug 1818732 in OpenStack Identity (keystone) "EC2 credential API doesn't use default roles" [Low,Triaged] [15:39]
*** david-lyle is now known as dklyle [15:40]
*** trident has quit IRC [15:52]
*** jaosorior has quit IRC [15:53]
*** trident has joined #openstack-keystone [15:55]
*** Ben78 has joined #openstack-keystone [16:01]
Ben78: I have an idea to improve Fernet token. I am looking for a collaborator. [16:01]
*** tesseract has quit IRC [16:07]
kmalloc: Ben78: what idea are you thinking about, feel free to share it here and/or open an RFE bug at bugs.launchpad.net/keystone/+bugs [16:11]
kmalloc: Ben78: also we (the keystone team) are participating in a virtual midcycle meeting right now, some folks may not respond as quickly [16:12]
kmalloc: this will be over later today and everything should be back to more normal as of tomorrow. [16:13]
Ben78: The idea is part of my PhD thesis. So, I am not allowed to publicly share it, before submitting a paper. [16:15]
kmalloc: Ben78: can you give us an idea of what kind of changes you're looking at? without too many details. part of the open source process tends to push heavily for open communication about planning. I get that there are some limits when it comes to academia, but I'd need a little more than "i have an idea" to help give you some guidance :) [16:18]
kmalloc: if it's core to the Fernet protocol itself, it's different than how keystone utilizes it. [16:18]
kmalloc: for example [16:18]
kmalloc: cmurphy, lbragstad: cc ^ [16:20]
cmurphy: +1 we collaborate openly here, i'm happy to help in the open [16:22]
Ben78: Thanks guys. As you know, Fernet token can be used in any modular system. Our proposal can be utilized in any modular system. We chose OpenStack as a test-bed and we believe that it can solve the bearer token problems. I can share the detail via email. [16:28]
Ben78: We have briefly mentioned the idea in https://eprint.iacr.org/2018/602.pdf at page 79 (RAFT) [16:32]
*** trident has quit IRC [17:07]
*** trident has joined #openstack-keystone [17:10]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Deprecate identity:revocation_list policy for removal  https://review.opendev.org/672334 [17:22]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement domain reader support for grants  https://review.opendev.org/645968 [17:56]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement domain admin support for grants  https://review.opendev.org/667730 [17:56]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Remove obsolete grant policies from policy.v3cloudsample.json  https://review.opendev.org/667731 [17:56]
Ben78: The main idea is as follows: [18:23]
Ben78: - Keystone continues to issue Fernet tokens. [18:23]
Ben78: - Each party does not pass the received token to any other party except Keystone (for validation). [18:23]
Ben78: - Whenever a party needs a service from any OpenStack module, it issues a Recursive Augmented Fernet Token (RAFT). [18:23]
Ben78: - A RAFT token is a self-descriptive cryptographic token, which is valid if the Original Fernet token is valid. Only Keystone can extract the original Fernet token from a RAFT token. [18:23]
*** spilla has joined #openstack-keystone [18:28]
openstackgerrit: Merged openstack/keystone master: Fixing dn_to_id function for cases were id is not in the DN  https://review.opendev.org/649177 [18:52]
*** Ben78 has quit IRC [19:04]
kplant: is it possible to use openid for k2k instead of saml2 with mellon/shib? [19:05]
knikolla: kplant: are you referring to openid connect or plain openid? [19:19]
*** spilla has quit IRC [19:20]
cmurphy: kplant: knikolla either way keystone as an idp only supports saml [19:20]
knikolla: cmurphy: oh, i missed the k2k part of the question :) [19:21]
kplant: knikolla: openidc [19:21]
kplant: cmurphy: ty [19:21]
*** whoami-rajat has quit IRC [19:22]
kplant: bah. the only thing i could get kind of working was keystone(sp) -> keycloak with openidc... i've had absolutely zero luck with saml2 [19:26]
kplant: i see a lot of scripts and guides using 'mapped' instead of explicitly configuring saml2/openid as the auth type. is there a reason for that? [19:27]
cmurphy: kplant: it's a little jumbled because we created the 'mapped' plugin which works for all types of federated auth so we encouraged people to use that, but since the plugin is configured globally in keystone.conf it inhibits you from setting up more than one service provider per keystone so we kind of switched back [19:31]
kplant: aaah that makes sense [19:32]
cmurphy: if you use 'mapped' just make sure that all the protocol IDs are also named 'mapped' including in the apache paths, or same for 'saml2', just be consistent [19:32]
*** spilla has joined #openstack-keystone [19:42]
*** kplant has quit IRC [19:54]
*** lbragstad has quit IRC [20:01]
*** Ben78 has joined #openstack-keystone [20:50]
*** pcaruana has quit IRC [20:50]
*** spilla has quit IRC [20:56]
*** ayoung has quit IRC [21:31]
*** altlogbot_1 has quit IRC [21:33]
*** irclogbot_1 has quit IRC [21:33]
*** altlogbot_0 has joined #openstack-keystone [21:34]
*** irclogbot_2 has joined #openstack-keystone [21:34]
*** irclogbot_2 has quit IRC [21:59]
*** altlogbot_0 has quit IRC [22:01]
*** adriant has quit IRC [22:11]
*** altlogbot_1 has joined #openstack-keystone [22:22]
*** gyee has quit IRC [22:23]
*** altlogbot_1 has quit IRC [22:27]
*** raildo has quit IRC [22:35]
*** tkajinam has joined #openstack-keystone [22:51]
*** ayoung has joined #openstack-keystone [22:53]
*** gyee has joined #openstack-keystone [23:10]
*** altlogbot_0 has joined #openstack-keystone [23:14]
*** rcernin has joined #openstack-keystone [23:16]
*** altlogbot_0 has quit IRC [23:19]
*** altlogbot_0 has joined #openstack-keystone [23:28]
*** Ben78 has quit IRC [23:31]
*** irclogbot_3 has joined #openstack-keystone [23:32]
*** jamesmcarthur has joined #openstack-keystone [23:36]
*** spilla has joined #openstack-keystone [23:38]
*** jamesmcarthur has quit IRC [23:52]