*** spotz has joined #openstack-keystone | 00:25 | |
*** markvoelker has joined #openstack-keystone | 01:25 | |
*** markvoelker has quit IRC | 01:29 | |
*** __ministry has joined #openstack-keystone | 02:06 | |
*** __ministry has quit IRC | 02:16 | |
*** __ministry has joined #openstack-keystone | 02:31 | |
*** cp- has quit IRC | 02:56 | |
*** rcernin_ has joined #openstack-keystone | 02:58 | |
*** rcernin has quit IRC | 02:59 | |
*** cp- has joined #openstack-keystone | 03:02 | |
*** rcernin_ has quit IRC | 03:16 | |
*** markvoelker has joined #openstack-keystone | 03:26 | |
*** markvoelker has quit IRC | 03:30 | |
*** rcernin_ has joined #openstack-keystone | 03:32 | |
*** rcernin_ has quit IRC | 03:45 | |
*** rcernin has joined #openstack-keystone | 03:45 | |
*** markvoelker has joined #openstack-keystone | 04:14 | |
*** markvoelker has quit IRC | 04:19 | |
*** vishalmanchanda has joined #openstack-keystone | 04:29 | |
*** evrardjp has quit IRC | 04:33 | |
*** evrardjp has joined #openstack-keystone | 04:33 | |
*** abdysn has joined #openstack-keystone | 05:00 | |
*** rcernin has quit IRC | 05:32 | |
*** rcernin has joined #openstack-keystone | 05:40 | |
*** jbalciunas has joined #openstack-keystone | 06:11 | |
*** markvoelker has joined #openstack-keystone | 06:15 | |
*** markvoelker has quit IRC | 06:20 | |
*** markvoelker has joined #openstack-keystone | 06:54 | |
*** markvoelker has quit IRC | 06:59 | |
*** bengates has joined #openstack-keystone | 07:20 | |
*** stingrayza has joined #openstack-keystone | 07:23 | |
*** also_stingrayza has quit IRC | 07:25 | |
*** xek_ has joined #openstack-keystone | 07:30 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Remove an assignment from domain and project https://review.opendev.org/737225 | 07:34 |
*** bengates_ has joined #openstack-keystone | 07:44 | |
*** bengates has quit IRC | 07:46 | |
*** rcernin_ has joined #openstack-keystone | 07:47 | |
*** rcernin has quit IRC | 07:47 | |
*** rcernin_ has quit IRC | 07:54 | |
*** markvoelker has joined #openstack-keystone | 08:24 | |
*** markvoelker has quit IRC | 08:29 | |
*** manuvakery has joined #openstack-keystone | 08:30 | |
*** rajivmucheli has joined #openstack-keystone | 08:52 | |
*** rajivmucheli has quit IRC | 09:13 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Remove an assignment from domain and project https://review.opendev.org/737225 | 09:14 |
*** tkajinam has quit IRC | 09:21 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Add "explicit_domain_id" to api-ref https://review.opendev.org/737248 | 09:52 |
openstackgerrit | Merged openstack/keystone master: ldap: fix config option docs for *_tree_dn https://review.opendev.org/734893 | 10:06 |
*** markvoelker has joined #openstack-keystone | 10:25 | |
*** markvoelker has quit IRC | 10:30 | |
*** manuvakery has quit IRC | 10:40 | |
*** xek has joined #openstack-keystone | 11:01 | |
*** xek_ has quit IRC | 11:01 | |
*** raildo has joined #openstack-keystone | 11:48 | |
*** markvoelker has joined #openstack-keystone | 12:26 | |
*** markvoelker has quit IRC | 12:31 | |
*** markvoelker has joined #openstack-keystone | 12:34 | |
*** markvoelker has quit IRC | 12:39 | |
*** lbragstad has joined #openstack-keystone | 13:12 | |
Anticimex | i have a customer on pike (soc 9) with SAML2 federation (ADFS) as well as kerberos federation. I haven't still wrapped my head exactly around how this works out, but the customer ask is: we want same authZ regardless if you click in through Horizon or kerberos from cli. | 13:50 |
Anticimex | i'm thinking the answer is to define mappings for the SAML2 (which I know where to find) and something equivalent for the kerberos auth, but that's not nearly as well documented | 13:50 |
Anticimex | how do you apply role memberships for identities logging in with kerberos? | 13:51 |
Anticimex | I'm guessing that mapping an identity regardless of authentication method to the same group is the goal, but it does become a bit tricky.. (saw the older shadow-users/shadow-mapping blueprints as well) | 13:52 |
*** markvoelker has joined #openstack-keystone | 14:07 | |
*** markvoelker has quit IRC | 14:12 | |
*** abdysn has quit IRC | 14:21 | |
openstackgerrit | Merged openstack/keystoneauth master: Implement HTTP Basic client support in keystoneauth1 https://review.opendev.org/727562 | 14:34 |
knikolla | mnaser: that is correct. you can use the token itself to introspect the token. i guess that's the way it has always been and no one made it a priority. | 14:43 |
knikolla | Anticimex: I'm not that familiar with Kerberos, but I think you can set it up using federation too, instead of the dedicated driver. | 14:47 |
lbragstad | mnaser you mean service users? | 14:48 |
lbragstad | https://review.opendev.org/#/q/ad46262148e7b099e6c7239887e20ade5b8e6ac8 should be good for some reviews now | 14:52 |
lbragstad | cc mordred ^ | 14:52 |
mordred | lbragstad: I do not have stable core on ksa | 14:53 |
lbragstad | mordred ahh | 14:53 |
lbragstad | that surprises me | 14:53 |
mordred | lbragstad: it's only keystone-core on it, not keystoneauth-core | 14:54 |
lbragstad | mordred ack | 14:54 |
mordred | or - rather - keystone-stable-main | 14:54 |
mordred | or - rather - keystone-stable-maint | 14:54 |
mordred | so - you and cmurphy - plus the stable-maint team plus release-managers | 14:55 |
lbragstad | sorry for the rogue ping :) | 14:55 |
mordred | lbragstad: no worries! sorry I can't be more help :) | 14:55 |
*** beekneemech is now known as bnemec | 14:59 | |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Drop python 3.5 support https://review.opendev.org/737285 | 15:06 |
*** markvoelker has joined #openstack-keystone | 15:32 | |
*** markvoelker has quit IRC | 15:36 | |
*** manuvakery has joined #openstack-keystone | 15:42 | |
*** gyee has joined #openstack-keystone | 15:55 | |
openstackgerrit | Merged openstack/oslo.limit master: Add user guide about how to add a new service https://review.opendev.org/726930 | 16:04 |
cmurphy | lbragstad: https://review.opendev.org/#/admin/groups/538,members | 16:10 |
lbragstad | mm | 16:11 |
lbragstad | thanks cmurphy | 16:11 |
*** markvoelker has joined #openstack-keystone | 16:24 | |
*** markvoelker has quit IRC | 16:29 | |
*** bengates_ has quit IRC | 16:35 | |
openstackgerrit | Merged openstack/keystoneauth master: Update lower-constraints versions https://review.opendev.org/734803 | 16:43 |
*** markvoelker has joined #openstack-keystone | 16:44 | |
*** markvoelker has quit IRC | 16:48 | |
mnaser | knikolla, lbragstad: nah, i think knikolla was onto what i was saying. so rather than having a service user talk to keystone to validate the token, instead, the token provided in the header (X-Auth-Token) is used to talk to keystone and validate the token | 17:04 |
mnaser | knikolla: is there a straight forward way of doing this? maybe another auth_plugin for the middleware? | 17:04 |
mnaser | i'm happy to write it, it doesn't seem too.. wild | 17:04 |
*** xek has quit IRC | 17:16 | |
lbragstad | that might affect long running operations - https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/__init__.py#L374-L383 | 17:17 |
lbragstad | i think service tokens get process differently | 17:17 |
lbragstad | processed* | 17:17 |
lbragstad | maybe not? | 17:18 |
cmurphy | i thought service users existed before service tokens became special for long running operations, i'm struggling to rationalize why though | 17:19 |
lbragstad | i thought jamie introduced the service token validation/expiry case so that deployments could use short token TTLs for everyone but service users | 17:20 |
lbragstad | well - actually, service users would still have the same token expiration, but they'd be exempt from token invalidation that would cause long running operations to fail | 17:21 |
mordred | cmurphy, knikolla have a sec for https://review.opendev.org/#/c/737285/ ? | 17:44 |
cmurphy | mordred: so we decided 3.5 was more work than it's worth? | 17:45 |
mordred | cmurphy: sort of - also we have the ussuri release now which works with 3.5 and with a proper python-requires metadata on it | 17:48 |
mordred | so if we need to backport something to someone still on 3.5 - we can backport it to stable/ussuri | 17:49 |
mordred | and those people should be good to go at this point | 17:49 |
mordred | so since there is another solution to the "we have downstream consumers on 3.5" problem, it seems like diverging from the rest of openstack no longer has any real value, yeah? | 17:50 |
cmurphy | yeah agreed | 17:50 |
knikolla | mnaser, lbragstad, cmurphy: yes, true, service users are allowed to validate expired tokens for long running operations, whereas using the same token would give you a 404 once it is expired. | 17:52 |
*** manuvakery has quit IRC | 17:52 | |
mnaser | knikolla, lbragstad, cmurphy: yeah i think the case here was that user foo takes a snapshot that takes 3 hours to create, upload fails if token expiration time has lapsed because nova would upload using the user's token | 18:23 |
mnaser | i think that's a concern in the use case of the service in question doing asynchronous work. in my scenario, i just have a simple API that i want the user to talk to with auth tokens, i dont really mind/care about service users | 18:23 |
lbragstad | mnaser i think that might also cause issues if policy isn't set up correctly | 18:36 |
mordred | for a "normal" user token, keystoneauth should just re-auth as needed, no? the service issue was more that once the token has expired the service doesn't actually have the auth context from which to get a new token | 18:37 |
mordred | or - I might need more coffee | 18:37 |
mnaser | mordred: yeah, you're right. i think the issue here might be that keystonemiddleware with token-only auth (aka no service user) risks failing for services like nova, etc. | 18:48 |
mnaser | in my case it's just a fully standalone api i'm building | 18:49 |
mordred | yeah | 19:00 |
openstackgerrit | Merged openstack/keystoneauth master: Drop python 3.5 support https://review.opendev.org/737285 | 19:19 |
mordred | knikolla: https://review.opendev.org/#/c/737365/ | 19:32 |
mordred | mnaser: oh - fwiw - do you know about the get-connection-from-oslo-config stuff in sdk that we added for nova? | 19:33 |
mordred | mnaser: openstack.connection.from_config - along with the various keystoneauth register_conf_options methods | 19:35 |
mordred | mnaser: I'm not sure if you're having your service making calls to another service (I'm guessing based on context that you are not - but if you are - we should probably get you on the good juice from the beginning) | 19:36 |
knikolla | mordred: done :) | 20:12 |
*** vishalmanchanda has quit IRC | 20:16 | |
*** markvoelker has joined #openstack-keystone | 20:55 | |
*** markvoelker has quit IRC | 20:59 | |
*** spatel has joined #openstack-keystone | 21:13 | |
*** spatel has quit IRC | 21:36 | |
*** spatel has joined #openstack-keystone | 21:42 | |
*** spatel has quit IRC | 21:46 | |
*** spatel has joined #openstack-keystone | 21:52 | |
*** spatel has quit IRC | 22:10 | |
*** spatel has joined #openstack-keystone | 22:28 | |
*** spatel has quit IRC | 22:31 | |
*** rcernin_ has joined #openstack-keystone | 22:33 | |
*** rcernin_ has quit IRC | 22:47 | |
*** tkajinam has joined #openstack-keystone | 22:51 | |
*** markvoelker has joined #openstack-keystone | 22:56 | |
*** markvoelker has quit IRC | 23:00 | |
*** rcernin_ has joined #openstack-keystone | 23:02 | |
*** rcernin_ has quit IRC | 23:16 | |
*** rcernin has joined #openstack-keystone | 23:18 | |
*** raildo has quit IRC | 23:30 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!