Tuesday, 2019-09-24

« Monday, 2019-09-23 Index Wednesday, 2019-09-25 »
*** Ben78 has joined #openstack-keystone00:13
*** jamesmcarthur has joined #openstack-keystone01:11
*** jamesmcarthur has quit IRC01:14
*** jamesmcarthur has joined #openstack-keystone01:21
*** bzhao__ has quit IRC02:12
*** jamesmcarthur has quit IRC02:22
*** jamesmcarthur has joined #openstack-keystone02:23
*** Ben78 has quit IRC02:24
*** jamesmcarthur_ has joined #openstack-keystone02:27
*** jamesmcarthur_ has quit IRC02:27
*** jamesmcarthur has quit IRC02:28
*** markvoelker has joined #openstack-keystone02:41
*** bnemec has quit IRC05:09
*** Luzi has joined #openstack-keystone05:13
*** markvoelker has quit IRC05:14
*** bnemec has joined #openstack-keystone05:15
*** dancn has joined #openstack-keystone06:01
*** dancn has quit IRC06:22
*** dancn has joined #openstack-keystone06:27
*** pcaruana has joined #openstack-keystone06:56
*** awalende has joined #openstack-keystone07:04
*** shyam89 has joined #openstack-keystone07:07
*** tesseract has joined #openstack-keystone07:07
*** markvoelker has joined #openstack-keystone07:15
*** xek has joined #openstack-keystone07:16
*** Luzi has quit IRC07:18
*** markvoelker has quit IRC07:19
*** shyam89 has quit IRC07:45
*** shyam89 has joined #openstack-keystone07:45
*** shyam89 has quit IRC07:51
*** ivve has joined #openstack-keystone07:52
*** tkajinam has quit IRC08:14
*** shyam89 has joined #openstack-keystone08:41
*** freerunner has quit IRC08:43
*** frickler has quit IRC08:45
*** freerunner has joined #openstack-keystone08:45
*** frickler has joined #openstack-keystone08:46
*** rcernin has quit IRC09:04
openstackgerritVishakha Agarwal proposed openstack/keystoneauth master: Generate pdf documentation  https://review.opendev.org/68227209:16
openstackgerritVishakha Agarwal proposed openstack/keystonemiddleware master: Generate pdf documentation  https://review.opendev.org/68227109:22
*** shyam89 has quit IRC09:26
*** shyam89 has joined #openstack-keystone09:40
*** openstackstatus has quit IRC10:12
*** openstack has joined #openstack-keystone10:13
*** ChanServ sets mode: +o openstack10:13
*** shyam89 has quit IRC10:23
*** pcaruana has quit IRC10:24
*** shyam89 has joined #openstack-keystone10:33
*** dancn has quit IRC10:36
*** markvoelker has joined #openstack-keystone10:40
*** pcaruana has joined #openstack-keystone10:48
*** shyam89 has quit IRC10:48
*** shyam89 has joined #openstack-keystone11:27
*** jamesmcarthur has joined #openstack-keystone11:39
*** jamesmcarthur has quit IRC11:49
*** dancn has joined #openstack-keystone11:56
*** jamesmcarthur has joined #openstack-keystone12:02
*** jamesmcarthur_ has joined #openstack-keystone12:03
*** jamesmcarthur has quit IRC12:07
*** awalende_ has joined #openstack-keystone12:09
*** awalende has quit IRC12:09
*** jamesmcarthur_ has quit IRC12:20
*** shyam89 has quit IRC12:37
*** jaosorior has quit IRC12:59
*** raildo has joined #openstack-keystone13:04
*** Ben78 has joined #openstack-keystone13:16
*** starborn has joined #openstack-keystone13:25
*** Ben78 has quit IRC13:55
*** awalende_ has quit IRC14:43
*** starborn has quit IRC14:46
*** pcaruana has quit IRC15:01
*** ivve has quit IRC15:30
cmurphyteam meeting in 20 minutes in #openstack-meeting-alt15:40
*** gyee has joined #openstack-keystone15:44
cmurphymeeting now in #openstack-meeting-alt16:00
*** jaosorior has joined #openstack-keystone16:29
openstackgerritGage Hugo proposed openstack/keystone master: [WIP] Try to recreate 1843464  https://review.opendev.org/68439716:35
*** yoctozepto has quit IRC16:35
cmurphywoot thanks for the reviews y'all16:37
openstackgerritGage Hugo proposed openstack/keystone master: [WIP] Try to recreate 1843464  https://review.opendev.org/68439716:37
lbragstadcmurphy np - thanks for cleaning all that up16:38
*** yoctozepto has joined #openstack-keystone16:40
*** markvoelker has quit IRC16:40
*** tesseract has quit IRC16:46
*** jaosorior has quit IRC16:51
*** dancn has quit IRC16:57
*** markvoelker has joined #openstack-keystone16:59
*** efried has joined #openstack-keystone17:23
efriedo/ keystoners17:23
efriedWould you be able to confirm the behavior of the auth_section ksa opt for me, please?17:24
efriedafaict, it causes ksa to ignore the remainder of the auth opts from whatever group I'm in, and instead load them up from whatever group I named via auth_section17:24
*** jamesmcarthur has joined #openstack-keystone17:25
openstackgerritColleen Murphy proposed openstack/keystone master: Allow domain users to access the limit API  https://review.opendev.org/62102317:30
openstackgerritColleen Murphy proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.opendev.org/62102417:30
openstackgerritColleen Murphy proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.opendev.org/62102517:30
*** jamesmcarthur has quit IRC17:31
cmurphyefried: that sounds correct based on my reading of https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/loading/conf.py#L66-L9417:33
efriedcmurphy: Okay, that's what I was reading as well. Thanks for the confirmation.17:34
*** jamesmcarthur has joined #openstack-keystone17:54
efriedcmurphy: so for example https://review.opendev.org/#/c/682565/10/devstack/lib/cyborg should mean that everything else is ignored and we configure auth based on the [keystone_authtoken] section in $CYBORG_CONF_FILE18:11
efriedwhich btw looks like this https://zuul.opendev.org/t/openstack/build/9965f8f829e84d69b050aa56f03d1286/log/controller/logs/etc/cyborg/cyborg_conf.txt.gz -- so it shouldn't work because [nova] (and for that matter [placement]) shouldn't be auth'able with username 'cyborg'18:13
efriedyet I have people telling me that at least the placement bit is actually working18:13
cmurphyefried: i'm pretty sure auth_section = keystone_authtoken is wrong although i see other people using it that way on http://codesearch.openstack.org/?q=auth_section&i=nope&files=&repos= if placement is working would it just be because it's using the admin credentials from [keystone_authtoken] which will work for everything?18:18
kmallocit is never recommended to just use keystoneauthtoken's information for anything but keystonemiddleware18:18
kmallocif someone is doing that, they're doing something very wrong18:19
openstackgerritguang-yee proposed openstack/keystoneauth master: Generate pdf documentation  https://review.opendev.org/68227218:21
openstackgerritMerged openstack/keystone master: DRY up credential policies  https://review.opendev.org/68248818:24
openstackgerritColleen Murphy proposed openstack/oslo.policy master: Modernize policy checker  https://review.opendev.org/68278318:26
efriedcmurphy, kmalloc: I agree it seems way wrong18:27
openstackgerritMerged openstack/keystone master: Add application_credential as a CADF type  https://review.opendev.org/66341018:27
efriedI actually just reproduced this locally.18:27
openstackgerritMerged openstack/keystone master: Fix relative links  https://review.opendev.org/67753418:33
openstackgerritMerged openstack/keystone master: Clean up UserGroups target enforcement callback  https://review.opendev.org/67777818:33
openstackgerritMerged openstack/keystone master: Use immutable roles in tests  https://review.opendev.org/68412818:33
openstackgerritMerged openstack/keystone master: Add notifications for deleting app creds by user  https://review.opendev.org/67778018:33
efriedSo I have a nice default devstack. I'm running this code18:38
efriedhttp://paste.openstack.org/show/779203/18:38
efriedagainst this conf18:38
efriedhttp://paste.openstack.org/show/779204/18:38
efriedAs you can see it's indeed ignoring the `bogus` stuff in the [placement] section18:38
efriedWhen I change the username from 'nova' to 'placement' it still works.18:41
efriedWhen I change the username to something bogus, I get 401 on POST /identity/v3/auth/tokens ("keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication.")18:41
efriedWhen I change the username to a different service, like 'neutron', I get 403 from placement itself ("Policy does not allow placement:resource_providers:list to be performed.")18:41
efriedThe latter two things are totally what I would expect18:41
efriedThe first thing is still a mystery. Why would placement accept nova creds?18:41
efriedI guess nova is, like, an admin user or something?18:41
efriedI don't even know how to figure that out.18:41
lbragstadprobably18:41
lbragstadcheck the roles in keystone18:42
lbragstad``openstack role assignments list --names18:42
lbragstad``18:42
*** jamesmcarthur has quit IRC18:42
efriedlbragstad: aha, this?18:43
efried| admin       | nova@Default      |                   | service@Default            |         |        | False     |18:43
*** jamesmcarthur has joined #openstack-keystone18:44
lbragstadefried yeah - https://pasted.tech/pastes/ffeac2cfbfcfe2a53210ab410c20f248484aee1d.raw18:45
lbragstadyou should see the placement and nova users there, and you can see what roles they have18:45
efriedokay, so in the cyborg case they must have cyborg set up as an admin user.18:46
efriedthanks lbragstad, this is starting to unwind for me.18:46
lbragstadyeah - you should see that in keystone's role assignment API18:46
lbragstadso - if a service needs to access a particular API in another service then that service user needs the `admin` role, unfortunately18:47
*** jamesmcarthur has quit IRC18:47
efriedlbragstad: uhm, I thought we could use the user's token to talk from service A to service B as long as that user has authority to do the needful against service B18:49
efriedlbragstad: pretty sure we're counting on it in nova for e.g. glance images.18:49
efriednova has some places it talks to service B as user (e.g. glance), some as admin (e.g. ironic, placement), and some as both (neutron).18:50
lbragstadso the second case is where it's using the creds from nova.conf, yeah?18:50
efriedthat's kind of orthogonal atm anyway; I was just trying to figure out how https://review.opendev.org/#/c/682565/10/devstack/lib/cyborg@202 could have possibly been working ever.18:51
lbragstadif nova needs something from another service to make an informed decision, then it needs to call that API with its own token18:51
efriedyes, the second (admin) case it's using admin creds from nova.conf18:51
lbragstadso - in that case the cyborg service is using the placement user to make requests?18:52
lbragstadbecause the keystone_authtoken section is setup with the placement user's credentials18:52
lbragstadright?18:52
efriedlbragstad: well, it *thought* it was using the placement user to make placement requests. But it was actually using the cyborg user, because that's what was set up in [keystone_authtoken] and that line I linked above makes ksa ignore everything else and just use [keystone_authtoken]18:53
efriedso the only thing I still need to confirm is that the cyborg user has the admin role. Which I imagine it probably does.18:53
efriedbecause this is devstack, and I reckon they copied their setup from nova18:54
lbragstadopenstack role assignment list --names --user cyborg18:54
lbragstadyeah - ^ that'll filter cyborg's assignments18:54
* lbragstad thinks the current setup with services users leaves a lot to be desired18:55
efriedYup, asked Sundar to look for that, still waiting (dude has like a full time job or something)18:55
lbragstadpsh - work...18:55
efriedlbragstad: Well, at least by default devstack doesn't give me any auth_sectionZ in my nova.conf, which is good.18:56
lbragstadit would be nice to completely transition service configs away from their own separate users...18:57
efriedlbragstad: Cool, you've got two days, go.19:00
lbragstadheh - next release maybe19:01
efried:P but srsly, this might be where we're going to end up with sdk if we're lucky.19:01
efried"away from their own separate users" ==> clouds.yaml anyone?19:01
lbragstadhow do you mean?19:01
efriedmaybe I'm thinking of the wrong thing.19:01
lbragstadso - right now, all services have their own users, right?19:02
lbragstadyou need to set it all up when you install and whatnot19:02
lbragstad(create a `placement` user in keystone, give them a role assignment, put their creds in placement.conf, etc..)19:02
efriedoh, and it's necessary that they have separate users?19:02
lbragstadno - it's not necessary, just how it was implemented19:03
lbragstadit would be nice to have a single "service" user19:03
efried"it" what, devstack?19:03
lbragstadyeah - devstack, osa, deployment tools, the installation guide19:03
efriedI mean, is anything stopping you from just making a 'service' user and putting the same creds in all the confs?19:03
efriedokay, gotcha, so it's possible, it's just not how we've been trained19:04
lbragstadyou could.. but if that user is compromised, it'll be bad19:04
efriedwait, so what are you suggesting then?19:04
lbragstadalso - if some services only require minimal permissions and your "service" user has "admin" because placement and nova need it19:04
lbragstadnow all services are using really powerful tokens19:04
lbragstadand that has authorization those services might not ever need or use (enlarged attack surface if one of those tokens are compromised)19:05
lbragstadwhat i think would be cool19:05
lbragstadis if we have a single service user, and then just generate application credentials for each service to use19:05
lbragstadeach application credential can be scoped to specific roles, so you can limit the attack surface19:06
lbragstadbut you get simplified auditing - because you're not chasing around a bunch of service users (e.g., nova, cinder, glance, placements, cyborg, etc...)19:06
lbragstadand - here's the cool part19:06
lbragstadif your deployment needs to rotate passwords you can do that gracefully with application credentials without incurring an outage (since rotating cyborgs password is going to cause a 401 if you don't update cyborg.conf before it needs to do something)19:07
efriedI guess I'm not understanding the distinction between "service user" and "application credentials".19:10
efriedIs a "credential" like a username/password pair?19:11
lbragstadyeah - kinda... it's a set of credentials that are specific for applications19:11
lbragstadkinda like an API key19:11
lbragstadhttps://docs.openstack.org/keystone/latest/user/application_credentials.html19:12
lbragstadusers can create them19:12
efriedSo there would be a single "service user" named "service".... but you would get at it with different credentials, which would presumably be scoped per service.19:12
lbragstadyeah - pretty much19:12
efriedmeaning that at some level, you still have nova, cinder, glance, placement, cyborg. etc...19:12
efriedI would think it would be more, not less, confusing if those names weren't present *somewhere* in the credential thingy.19:12
lbragstadyeah - you could give your credentials names (openstack application credential create nova --role admin)19:14
efriedanyway, I'm way late to feed my face. Thanks for the help lbragstad, this was very informative and useful.19:15
lbragstadawesome - anytime efried19:16
*** jamesmcarthur has joined #openstack-keystone19:39
openstackgerritguang-yee proposed openstack/keystonemiddleware master: Generate pdf documentation  https://review.opendev.org/68227119:51
*** jamesmcarthur has quit IRC19:54
*** jamesmcarthur has joined #openstack-keystone19:55
*** mlavalle has joined #openstack-keystone20:07
mlavallelbragstad: hey... in the Rocky release, was Keystone ready to handle reader role with system scope? Assuming of course the policies are modified properly20:08
mlavalleI mean the Keystone API20:08
lbragstadyou mean to ask if keystone honors system-scope and the reader role in stable/rocky?20:09
*** Ben78 has joined #openstack-keystone20:09
mlavalleyes20:09
mlavalleif I make a call to the keystone API with a system scope, will it undertsand?20:09
lbragstadit might... but we had to fix a bunch of stuff to get system-scope to work by default https://bit.ly/2lqQavK20:10
lbragstadwe tracked everything as a bug report per API that needed fixed20:10
lbragstadfixes*20:10
lbragstadand those fixes started landing in stein20:10
mlavallebut that was done for what relase?20:10
lbragstadstein - keystone's stable/rocky branch included the changes necessary to ensure basic roles were availabe after install20:11
lbragstadafter that came the patches that fixed keystone to start relying on those roles20:12
mlavalleand that was stein20:12
lbragstadyes - we fixed a little more than half of keystone entire API to honor system-scope and default roles20:12
lbragstadthe rest was done in Train20:12
mlavalledo you hava a gerrit topic where I can see all the patches?20:13
lbragstadyeah - i should be able to find one that is close20:13
lbragstadhttps://review.opendev.org/#/q/status:merged+project:openstack/keystone+branch:master+topic:implement-default-roles contains some of them20:14
lbragstadgranted - those patches are specific to changing default policies and getting keystone APIs to understand system-scope20:15
openstackgerritguang-yee proposed openstack/keystoneauth master: Generate pdf documentation  https://review.opendev.org/68227220:25
*** jamesmcarthur has quit IRC21:06
*** xek has quit IRC21:11
*** markvoelker has quit IRC21:52
*** raildo has quit IRC21:53
*** jamesmcarthur has joined #openstack-keystone22:06
*** rcernin has joined #openstack-keystone22:07
mlavallelbragstad: this is the set of Keystone calls that I need to enable with system reader in a Rocky release. Is there an easily identifiable set of patches that would help me to do that?22:11
mlavallehttp://paste.openstack.org/show/779216/22:11
mlavalleobvously https://review.opendev.org/#/c/62600722:12
mlavalleif not, I will go doing git blame around the repo22:12
*** jamesmcarthur has quit IRC22:13
mlavalleso it seems identity:get_auth_catalog is wide open22:16
*** aloga has quit IRC22:27
*** aloga has joined #openstack-keystone22:34
openstackgerritColleen Murphy proposed openstack/keystone master: Allow domain users to access the limit API  https://review.opendev.org/62102322:36
openstackgerritColleen Murphy proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.opendev.org/62102422:36
openstackgerritColleen Murphy proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.opendev.org/62102522:36
*** tkajinam has joined #openstack-keystone22:51
mlavallelbragstad: it turns out that just adding the SYSTEM_READER rule to keystone/common/base.py, keystone/common/domain.py and keystone/common/policies/project.py I get the behavior I want \o/23:18
*** mlavalle has quit IRC23:33
*** jamesmcarthur has joined #openstack-keystone23:50
*** markvoelker has joined #openstack-keystone23:54
*** jamesmcarthur has quit IRC23:55
*** markvoelker has quit IRC23:58
« Monday, 2019-09-23 Index Wednesday, 2019-09-25 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!