*** markvoelker has joined #openstack-keystone | 00:24 | |
*** jamesmcarthur has joined #openstack-keystone | 00:29 | |
*** jamesmcarthur has quit IRC | 00:35 | |
openstackgerrit | guang-yee proposed openstack/keystoneauth master: Generate pdf documentation https://review.opendev.org/682272 | 00:52 |
*** gyee has quit IRC | 00:52 | |
*** markvoelker has quit IRC | 01:08 | |
*** tkajinam has quit IRC | 01:24 | |
*** tkajinam has joined #openstack-keystone | 01:24 | |
*** Ben78 has quit IRC | 02:00 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Allow domain users to access the limit API https://review.opendev.org/621023 | 02:25 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Add tests for project users interacting with limits https://review.opendev.org/621024 | 02:25 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json https://review.opendev.org/621025 | 02:25 |
*** markvoelker has joined #openstack-keystone | 02:35 | |
*** markvoelker has quit IRC | 02:40 | |
*** dave-mccowan has quit IRC | 02:53 | |
*** jaosorior has joined #openstack-keystone | 04:56 | |
*** shyam89 has joined #openstack-keystone | 05:47 | |
*** dancn has joined #openstack-keystone | 06:03 | |
*** pcaruana has joined #openstack-keystone | 06:42 | |
*** markvoelker has joined #openstack-keystone | 06:47 | |
*** dancn has quit IRC | 06:48 | |
*** markvoelker has quit IRC | 06:52 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Release note for domain scope limits API https://review.opendev.org/684531 | 06:54 |
*** shyam89 has quit IRC | 06:54 | |
*** tesseract has joined #openstack-keystone | 07:01 | |
*** shyam89 has joined #openstack-keystone | 07:07 | |
*** xek has joined #openstack-keystone | 07:14 | |
*** shyam89 has quit IRC | 07:27 | |
*** shyam89 has joined #openstack-keystone | 07:40 | |
*** shyam89 has quit IRC | 07:56 | |
*** ivve has joined #openstack-keystone | 08:01 | |
*** jaosorior has quit IRC | 08:32 | |
*** shyam89 has joined #openstack-keystone | 08:34 | |
*** dancn has joined #openstack-keystone | 08:38 | |
*** markvoelker has joined #openstack-keystone | 08:48 | |
*** tkajinam has quit IRC | 08:52 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystonemiddleware master: Generate pdf documentation https://review.opendev.org/682271 | 08:53 |
*** markvoelker has quit IRC | 08:53 | |
*** markvoelker has joined #openstack-keystone | 08:56 | |
*** markvoelker has quit IRC | 09:00 | |
*** shyam89 has quit IRC | 09:00 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystoneauth master: Generate pdf documentation https://review.opendev.org/682272 | 09:02 |
*** shyam89 has joined #openstack-keystone | 09:04 | |
*** jaosorior has joined #openstack-keystone | 09:10 | |
*** new_student1411 has joined #openstack-keystone | 09:41 | |
*** shyam89 has quit IRC | 09:56 | |
*** shyam89 has joined #openstack-keystone | 10:03 | |
*** flwang1 has joined #openstack-keystone | 10:05 | |
*** new_student1411 has quit IRC | 10:22 | |
*** pcaruana has quit IRC | 10:23 | |
*** rcernin has quit IRC | 10:23 | |
*** dancn has quit IRC | 10:34 | |
*** pcaruana has joined #openstack-keystone | 10:36 | |
*** markvoelker has joined #openstack-keystone | 10:57 | |
*** markvoelker has quit IRC | 11:01 | |
*** raildo has joined #openstack-keystone | 11:24 | |
*** xek_ has joined #openstack-keystone | 11:38 | |
*** xek has quit IRC | 11:39 | |
*** markvoelker has joined #openstack-keystone | 11:42 | |
*** shyam89 has quit IRC | 11:55 | |
*** xek_ has quit IRC | 12:06 | |
*** yoctozepto has quit IRC | 12:10 | |
*** dancn has joined #openstack-keystone | 12:13 | |
*** yoctozepto has joined #openstack-keystone | 12:15 | |
*** shyam89 has joined #openstack-keystone | 12:21 | |
*** dave-mccowan has joined #openstack-keystone | 12:22 | |
*** dave-mccowan has quit IRC | 12:26 | |
*** yoctozepto has quit IRC | 12:26 | |
*** yoctozepto has joined #openstack-keystone | 12:26 | |
*** dave-mccowan has joined #openstack-keystone | 12:28 | |
*** dave-mccowan has quit IRC | 12:42 | |
*** dave-mccowan has joined #openstack-keystone | 12:43 | |
*** shyam89 has quit IRC | 12:54 | |
*** Ben78 has joined #openstack-keystone | 12:57 | |
*** new_student1411 has joined #openstack-keystone | 12:59 | |
new_student1411 | Since `Account ACLs are not currently supported by Keystone auth`, is there an alternative so that I can give limited permissions at account level if I am using keystone auth? | 13:01 |
lbragstad | cmurphy do we have any examples of application credentials being used from clouds.yaml? | 13:09 |
*** jamesmcarthur has joined #openstack-keystone | 13:19 | |
*** dave-mccowan has quit IRC | 13:26 | |
*** jamesmcarthur has quit IRC | 13:27 | |
*** dancn has quit IRC | 13:31 | |
*** xek has joined #openstack-keystone | 13:34 | |
*** dancn has joined #openstack-keystone | 13:45 | |
*** dancn has quit IRC | 13:55 | |
*** xek has quit IRC | 14:05 | |
*** xek has joined #openstack-keystone | 14:07 | |
*** xek has quit IRC | 14:36 | |
openstackgerrit | Gage Hugo proposed openstack/keystone master: [WIP] Try to recreate 1843464 https://review.opendev.org/684397 | 14:40 |
Ben78 | In https://docs.openstack.org/keystone/stein/admin/tokens-overview.html#token-providers, it is written: "A deployment might consider using JWS tokens as opposed to fernet tokens if there are security concerns about sharing symmetric encryption keys across hosts". What do you mean by "hosts" here | 14:54 |
lbragstad | hosts in that case are keystone nodes | 14:58 |
lbragstad | for example, if you have 3 keystone servers behind ha proxy and they all need to validate each others tokens | 14:59 |
lbragstad | then they all need to have the same fernet key repository to validate tokens issued by other keystone nodes | 14:59 |
Ben78 | lbragstad: Thanks. But, the same scenario is correct when you use JWS. | 15:00 |
lbragstad | jws tokens are asymmetrically signed | 15:00 |
lbragstad | fernet tokens are encrypted using symmetric cryptography | 15:01 |
lbragstad | so - with jws you actually just share the public keys across all the keystone nodes | 15:03 |
lbragstad | each keystone node keeps its own private key | 15:03 |
Ben78 | I mean if you want to have several keystone hosts for issuing JWS tokens, you need to share the private key between all hosts. | 15:03 |
lbragstad | only the public key is needed to validate jws tokens | 15:04 |
lbragstad | the private key is used to sign tokens though - which only happens when they're created | 15:04 |
Ben78 | Oh. I thought every service validates JWS tokens itself. So, if I understand correctly, you mean even if we use JWS tokens, every service needs to communicate with a Keystone node to validate a token. | 15:06 |
lbragstad | yeah - even though that isn't a limitation of the implementation itself | 15:07 |
lbragstad | it's more a limitation of what's in the token | 15:07 |
Ben78 | And there is only one keystone node which issues JWS token. Other Keystone nodes only validate tokens. | 15:07 |
lbragstad | each service needs to know what roles the user has, and that information isn't in the token (fernet or jws) | 15:08 |
lbragstad | so online validation is needed for that information | 15:08 |
*** dancn has joined #openstack-keystone | 15:08 | |
Ben78 | And for the revocation problem | 15:08 |
lbragstad | yeah - that's a good point | 15:08 |
lbragstad | https://www.youtube.com/watch?v=zxsrkABzwOg kinda gets into some of that | 15:08 |
lbragstad | if you haven't seen it yet | 15:09 |
*** dancn has quit IRC | 15:12 | |
*** openstackgerrit has quit IRC | 15:21 | |
Ben78 | @lbragstad: Thanks for sharing the video. I watched it before and I did not like some of the reasoning why JWS is better than Fernet. At minute 8, the speaker says we are developers, not cryptographers and we do not want to maintain a cryptography library. | 15:22 |
Ben78 | JWS takes advantage of asymmetric cryptography which is more complicated than symmetric | 15:23 |
lbragstad | Ben78 oh - i think the point Adam wanted to make there is that we didn't want to maintain the cryptography code manually | 15:26 |
lbragstad | that's what keystone was doing with the pki implementation | 15:27 |
lbragstad | now we're using a pyca/cryptography library that abstracts the crypto details away from keystone's token logic | 15:27 |
lbragstad | that specific library is maintained by folks who have a much better understanding of cryptography | 15:28 |
Ben78 | and pyca/cryptography supports Fernet, too | 15:28 |
lbragstad | correct | 15:29 |
lbragstad | jws uses another library called PyJWT - which has a dependency on pyca/cryptography | 15:30 |
lbragstad | so - ultimately it boils down to pyca/cryptography | 15:30 |
*** pcaruana has quit IRC | 15:30 | |
*** gyee has joined #openstack-keystone | 15:35 | |
*** ivve has quit IRC | 15:45 | |
*** markvoelker has quit IRC | 15:45 | |
*** lbragstad_ has joined #openstack-keystone | 15:54 | |
*** lbragstad has quit IRC | 15:55 | |
*** lbragstad has joined #openstack-keystone | 15:57 | |
*** itlinux has joined #openstack-keystone | 15:57 | |
*** lbragstad_ has quit IRC | 15:58 | |
*** spatel has joined #openstack-keystone | 16:03 | |
*** spatel has quit IRC | 16:07 | |
cmurphy | lbragstad: i don't think we have a clouds.yaml example in the docs, i have one in some old slides if you're just looking to crib from it | 16:10 |
* lbragstad nods | 16:11 | |
lbragstad | thanks cmurphy | 16:11 |
cmurphy | lbragstad: can you sanity check my changes in https://review.opendev.org/621023 | 16:12 |
lbragstad | yep - i can do that | 16:13 |
*** efried is now known as efried_rollin | 16:14 | |
*** jmlowe has quit IRC | 16:24 | |
*** markvoelker has joined #openstack-keystone | 16:38 | |
*** markvoelker has quit IRC | 16:48 | |
*** xek has joined #openstack-keystone | 16:49 | |
*** jmlowe has joined #openstack-keystone | 16:50 | |
*** markvoelker has joined #openstack-keystone | 16:53 | |
*** ivve has joined #openstack-keystone | 16:53 | |
*** xek_ has joined #openstack-keystone | 16:56 | |
*** xek has quit IRC | 16:59 | |
lbragstad | cmurphy done - lemme know if you want me to kick https://review.opendev.org/#/c/621023/15 though | 17:18 |
lbragstad | through* | 17:18 |
cmurphy | lbragstad: i'm just concerned the check string is still wrong | 17:19 |
lbragstad | for domain useres? | 17:19 |
lbragstad | users? | 17:19 |
lbragstad | or just in general? | 17:19 |
cmurphy | with what you pointed out | 17:19 |
cmurphy | if a project user could access a domain limit that wouldn't be good | 17:20 |
lbragstad | https://review.opendev.org/#/c/621024/15/keystone/tests/protection/v3/test_limits.py@699 | 17:22 |
lbragstad | looks like we have it covered? | 17:22 |
lbragstad | i should have read those tests before reviewing the first patch | 17:22 |
cmurphy | oh then i guess it's fine | 17:24 |
cmurphy | yeah let's just go for it | 17:24 |
lbragstad | yeah - apparently that works? | 17:25 |
lbragstad | if we wanted to be ultra paranoid | 17:25 |
lbragstad | we could do (domain_id:%(target.limit.domain.id)s and not None:%(target.limit.domain_id)s) | 17:26 |
lbragstad | but... | 17:26 |
cmurphy | ¯\_(ツ)_/¯ | 17:27 |
lbragstad | yolo | 17:27 |
lbragstad | we have test coverage | 17:27 |
*** jmlowe has quit IRC | 17:35 | |
*** xek has joined #openstack-keystone | 17:40 | |
*** xek_ has quit IRC | 17:42 | |
*** xek_ has joined #openstack-keystone | 17:44 | |
*** xek has quit IRC | 17:46 | |
*** jmlowe has joined #openstack-keystone | 17:48 | |
*** tesseract has quit IRC | 18:08 | |
larsks | Is it possible to authenticate to keystone using the cli when using federated users (via openid)? | 18:27 |
larsks | I've seen a few docs referencing --auth-type but I'm not clear on the details. | 18:28 |
*** xek_ has quit IRC | 18:32 | |
*** gary_perkins has quit IRC | 18:57 | |
*** gary_perkins has joined #openstack-keystone | 18:57 | |
*** efried_rollin is now known as efried | 19:21 | |
*** Ben78 has quit IRC | 19:28 | |
*** new_student1411 has quit IRC | 20:37 | |
*** flwang1 has quit IRC | 20:53 | |
*** raildo has quit IRC | 21:04 | |
*** rcernin has joined #openstack-keystone | 22:15 | |
gyee | larsks, in theory, yes, according to https://osticket.massopen.cloud/kb/faq.php?id=16 | 22:56 |
gyee | but in practice, it all depends on the IdP | 22:56 |
gyee | google, for example, does not appear to support the 'password' grant type. See https://accounts.google.com/.well-known/openid-configuration | 22:57 |
gyee | from a security perspective, the use case for the password grant type seems very limited | 22:58 |
*** tkajinam has joined #openstack-keystone | 22:59 | |
*** dave-mccowan has joined #openstack-keystone | 23:27 | |
*** ivve has quit IRC | 23:28 | |
*** dave-mccowan has quit IRC | 23:33 | |
*** gyee has quit IRC | 23:44 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!