Wednesday, 2019-07-31

[01:35] *** jamesmcarthur has joined #openstack-keystone
[02:38] *** jamesmcarthur has quit IRC
[02:45] *** jamesmcarthur has joined #openstack-keystone
[02:57] *** rcernin has quit IRC
[03:11] *** joshualyle has quit IRC
[03:13] *** rcernin has joined #openstack-keystone
[03:15] *** wxy-xiyuan has joined #openstack-keystone
[03:22] *** jamesmcarthur has quit IRC
[03:23] *** jamesmcarthur has joined #openstack-keystone
[03:27] *** jamesmcarthur has quit IRC
[03:53] *** jamesmcarthur has joined #openstack-keystone
[04:00] *** jamesmcarthur has quit IRC
[04:03] <openstackgerrit> wangxiyuan proposed openstack/keystone master: Run 'tempest-ipv6-only' job in gate  https://review.opendev.org/671903
[04:19] *** whoami-rajat has joined #openstack-keystone
[04:30] *** jamesmcarthur has joined #openstack-keystone
[04:38] *** jamesmcarthur has quit IRC
[05:04] *** tkajinam has quit IRC
[05:05] *** tkajinam has joined #openstack-keystone
[05:13] *** vishalmanchanda has joined #openstack-keystone
[05:26] *** gyee has quit IRC
[05:31] *** jaosorior has quit IRC
[05:34] *** jamesmcarthur has joined #openstack-keystone
[05:39] *** jamesmcarthur has quit IRC
[05:44] *** threestrands has joined #openstack-keystone
[06:08] *** jamesmcarthur has joined #openstack-keystone
[06:15] *** jamesmcarthur has quit IRC
[06:23] *** jaosorior has joined #openstack-keystone
[06:34] *** yoctozepto has joined #openstack-keystone
[06:37] <yoctozepto> hello keystoners, I want to bring https://bugs.launchpad.net/kolla-ansible/+bug/1833756 to your attention, this is pinned to k-a now and we can fix it but it seems a little inappropriate to me to spam logs with every keystone action - deprecation warnings should probably fire once the policies are parsed and not every time they are interpreted? would love some insight from you, cheers :D
[06:37] <openstack> Launchpad bug 1833756 in kolla-ansible "Fresh Stein deployment - keystone logs flooded with each action" [Undecided,New]
[06:52] *** dancn has joined #openstack-keystone
[06:57] *** jamesmcarthur has joined #openstack-keystone
[07:02] *** rcernin has quit IRC
[07:03] *** jamesmcarthur has quit IRC
[07:09] *** xek has joined #openstack-keystone
[07:17] *** takamatsu has quit IRC
[07:27] *** tesseract has joined #openstack-keystone
[07:31] *** tssurya has joined #openstack-keystone
[07:35] *** pcaruana has quit IRC
[08:03] *** jaosorior has quit IRC
[08:13] *** pcaruana has joined #openstack-keystone
[08:19] *** tkajinam has quit IRC
[08:25] *** ondrejduchon has joined #openstack-keystone
[08:27] *** dancn has quit IRC
[08:32] *** takamatsu has joined #openstack-keystone
[08:48] *** takamatsu_ has joined #openstack-keystone
[08:48] *** threestrands has quit IRC
[08:49] *** takamatsu has quit IRC
[09:00] *** jaosorior has joined #openstack-keystone
[09:09] <ondrejduchon> Hello, I am trying to connect rabbitmq and keystonemiddleware with CADF audit notifications. I set up api-paste.ini (added the audit filter there) and then the pycadf config file (from github), for nova_api. Everything works fine when I change 'self._notifier.info(..' to 'self._notifier.audit(..' in file keystonemiddleware/audit/_notifier.py, line 40. With info I cannot see any notifications in rabbitmq.
[09:11] <ondrejduchon> Thank you for any tips
[09:17] *** ondrejduchon has quit IRC
[09:21] *** ondrejduchon has joined #openstack-keystone
[09:28] *** ivve has joined #openstack-keystone
[09:30] *** takamatsu_ has quit IRC
[09:37] *** takamatsu has joined #openstack-keystone
[09:50] *** jaosorior has quit IRC
[10:08] *** takamatsu has quit IRC
[10:24] *** takamatsu has joined #openstack-keystone
[10:34] *** jaosorior has joined #openstack-keystone
[10:45] *** pcaruana has quit IRC
[11:14] *** kplant has joined #openstack-keystone
[11:38] *** raildo has joined #openstack-keystone
[11:40] *** ivve has quit IRC
[11:48] *** jaosorior has quit IRC
[12:04] *** dancn has joined #openstack-keystone
[12:10] *** takamatsu has quit IRC
[12:10] *** pcaruana has joined #openstack-keystone
[12:14] *** ondrejduchon has quit IRC
[12:14] *** ondrejduchon_ has joined #openstack-keystone
[12:31] *** takamatsu has joined #openstack-keystone
[12:33] *** mchlumsky has joined #openstack-keystone
[12:35] *** ivve has joined #openstack-keystone
[12:43] *** jaosorior has joined #openstack-keystone
[12:46] *** jamesmcarthur has joined #openstack-keystone
[12:52] *** dancn has quit IRC
[12:59] *** dancn has joined #openstack-keystone
[13:06] *** ivve has quit IRC
[13:20] *** tesseract has quit IRC
[13:24] *** tesseract has joined #openstack-keystone
[13:37] *** ivve has joined #openstack-keystone
[13:55] *** jamesmcarthur has quit IRC
[14:19] <cmurphy> yoctozepto: we have a bug for that filed here https://bugs.launchpad.net/keystone/+bug/1836568 i've just marked it as high priority
[14:19] <openstack> Launchpad bug 1836568 in OpenStack Identity (keystone) "Logs filled with unnecessary policy deprecation warnings" [High,Triaged]
[14:20] <cmurphy> ondrejduchon_: you may need to change the log levels for keystonemiddleware in your nova paste config
[14:21] <yoctozepto> cmurphy: thanks, tried searching bugs but did not find this one
[14:24] <yoctozepto> ah, because it had a typo in word 'logs' :D
[14:26] <cmurphy> haha yeah
[14:28] *** takamatsu has quit IRC
[14:32] *** trident has quit IRC
[14:36] *** trident has joined #openstack-keystone
[14:47] *** trident has quit IRC
[14:50] *** trident has joined #openstack-keystone
[15:00] *** trident has quit IRC
[15:03] *** trident has joined #openstack-keystone
[15:08] *** trident has quit IRC
[15:16] *** trident has joined #openstack-keystone
[15:18] *** jamesmcarthur has joined #openstack-keystone
[15:24] *** trident has quit IRC
[15:27] *** trident has joined #openstack-keystone
[15:28] *** ondrejduchon_ has quit IRC
[15:35] *** trident has quit IRC
[15:38] *** trident has joined #openstack-keystone
[15:44] *** jamesmcarthur has quit IRC
[15:46] *** tssurya has quit IRC
[15:52] *** gyee has joined #openstack-keystone
[15:54] *** dancn has quit IRC
[16:16] *** gyee has quit IRC
[16:16] *** trident has quit IRC
[16:17] *** gyee has joined #openstack-keystone
[16:20] *** xek has quit IRC
[16:21] *** trident has joined #openstack-keystone
[16:38] *** jamesmcarthur has joined #openstack-keystone
[16:45] <openstackgerrit> Merged openstack/keystone master: Fix python3 compatibility on LDAP search DN from id  https://review.opendev.org/672519
[16:47] *** takamatsu has joined #openstack-keystone
[16:48] *** trident has quit IRC
[16:51] *** trident has joined #openstack-keystone
[16:59] *** takamatsu has quit IRC
[17:00] *** jamesmcarthur has quit IRC
[18:05] *** tesseract has quit IRC
[18:19] *** altlogbot_2 has quit IRC
[18:20] *** altlogbot_0 has joined #openstack-keystone
[18:43] *** takamatsu has joined #openstack-keystone
[19:08] *** whoami-rajat has quit IRC
[19:47] *** takamatsu has quit IRC
[19:47] *** kplant has quit IRC
[20:06] *** mchlumsky has quit IRC
[20:44] *** trident has quit IRC
[20:46] *** trident has joined #openstack-keystone
[21:08] *** kplant has joined #openstack-keystone
[21:40] *** takamatsu has joined #openstack-keystone
[21:46] *** brtknr has quit IRC
[22:00] *** raildo has quit IRC
[22:05] *** rcernin has joined #openstack-keystone
[22:11] <openstackgerrit> Adrian Turjak proposed openstack/keystone master: Add support for previous TOTP windows  https://review.opendev.org/647655
[22:19] <cmurphy> raising priority of https://bugs.launchpad.net/keystone/+bug/1836568 to critical
[22:19] <openstack> Launchpad bug 1836568 in OpenStack Identity (keystone) "Logs filled with unnecessary policy deprecation warnings" [Critical,Triaged]
[22:47] <adriant> cmurphy: any interest in me finishing: https://review.opendev.org/#/c/647655 ?
[22:47] <adriant> I'm not sure if this needed a spec for what was ultimately a tiny quality of life patch
[22:47] <adriant> which needs tests...
[22:49] <cmurphy> adriant: looks worthwhile, i don't think it needs a spec
[22:49] *** gagehugo has quit IRC
[22:49] <cmurphy> kmalloc: ^
[22:49] <adriant> cmurphy: cool, will add some tests to it and throw it up properly for review
[22:50] <adriant> I wrote it ages ago when doing the same code for our custom auth plugin, but never wrote tests for the upstream version
[22:50] <adriant> tests will be easy
[22:50] *** gagehugo has joined #openstack-keystone
[22:51] <kmalloc> adriant: it's expanding to allow for like... say one window back one window forward?
[22:51] <adriant> only one back
[22:51] <adriant> not sure we want forward?
[22:51] <kmalloc> adriant: i don't see a reason it needs to be configurable
[22:51] <kmalloc> just do it always one back as ok
[22:52] <adriant> kmalloc: a config no one has to ever touch mostly, with a default of 1
[22:52] <kmalloc> and just one back is fine.
[22:52] <kmalloc> nah, just make it hard set to one, we can add a config if needed
[22:52] <kmalloc> but i dislike extra configs if it is expected no one should be touching it
[22:52] <kmalloc> and it feels like a good QOL change at face value
[22:53] <adriant> kmalloc: I'd still add the config because when doing this internally I kept being told "2 windows back" and had to fight for just the 1
[22:53] <adriant> so I can assume most clouds would want to tweak it a little
[22:53] <kmalloc> make it 2 windows back then hard set ;)
[22:53] <kmalloc> really, i am more against extra configs for the sake of "someone may want to tweak it"
[22:54] <kmalloc> what is kind-of the industry standard (besides U2F)? go with that.
[22:55] <adriant> kmalloc: first google result for 'totp previous windows': https://security.stackexchange.com/questions/113208/how-big-window-is-secure-and-practical-with-totp
[22:55] <kmalloc> i won't -1 it with a config, just generally would much rather have less config in keystone.
[22:55] <adriant> guy is suggesting 5 minutes of windows back...
[22:56] <adriant> so I bet some idiot will want to tweak this
[22:56] <adriant> and potentially for a valid reason
[22:56] <kmalloc> and i want that idiot (or not so idiot) to come and make the case for why it's so important to tweak it
[22:56] <kmalloc> with that said, i won't hold this up if you really feel strongly the config is the only way
[22:57] <kmalloc> however... i want some controls if it is config, e.g. max window it can be set to
[22:57] *** tkajinam has joined #openstack-keystone
[22:57] <kmalloc> and that can be very arbitrary (pick a number), but i def. want some upper limit
[22:58] <adriant> I'd feel more comfortable with a config, but would settle on hardcoded. Mostly because I would probably start with 1 window back and likely tweak it further based on feedback
[22:58] <adriant> kmalloc: 5min upper limit?
[22:58] <kmalloc> sure.
[22:58] <kmalloc> pick a number, any number you like
[22:59] <kmalloc> make that the upper limit
[22:59] <adriant> 0-10
[22:59] <adriant> anyone who wants more than that can fight us
[22:59] <kmalloc> and set the default to the place you think (gut feeling) is most appropriate
[22:59] <adriant> I mean, peacefully argue
[22:59] <kmalloc> :)
[22:59] <kmalloc> we are tending to issue kevlar shoes with keystone these days, less foot-gunning.
[23:00] <kmalloc> which reminds me, i want to figure out if we can support u2f... i think we can't really because CLI.
[23:01] *** gagehugo has quit IRC
[23:02] <kmalloc> yeah https://developers.yubico.com/libfido2/ doesn't look too friendly atm.
[23:04] *** gagehugo has joined #openstack-keystone
[23:10] <adriant> kmalloc: i was actually going to bring up u2f eventually :P
[23:10] <adriant> but I think we need gui?
[23:11] <kmalloc> you can do it with a CLI.
[23:11] <kmalloc> it's just really not super friendly.
[23:12] <kmalloc> and fido2 vs u2f (same concept, but fido2 is the evolution/standard)
[23:12] <kmalloc> u2f was rolled into fido2
[23:13] <adriant> so could we do it as another auth plugin in Keystone?
[23:17] <kmalloc> maybe
[23:19] <kmalloc> it has to tie into the CLI and apparently in linux udev needs special rules for it
[23:21] <adriant> hmmm, I'm curious because we have people at catalyst using the keys, so I wonder if they had to add the rules, or they were there by default
[23:21] <adriant> or if the tools they use add them
[23:22] *** jamesmcarthur has joined #openstack-keystone
[23:36] *** vishwanathj has quit IRC
[23:59] *** takamatsu has quit IRC
