*** mhen_ is now known as mhen | 01:33 | |
opendevreview | Merged openstack/oslo.limit master: Added ability to select identity interface https://review.opendev.org/c/openstack/oslo.limit/+/946128 | 10:57 |
cardoe | I was over scheduled on PTG so I wasn't able to join but I wanted to ask about the OAuth 2.0 bits. | 15:03 |
cardoe | We're really interested in using something like Keycloak for auth so that work looks great. | 15:04 |
cardoe | Ultimately looking at how to make configuring the CLI easy because it seems tough. | 15:04 |
gtema | cardoe, is tomorrow 13 UTC ok for you? We are done but still have 1h slot tomorrow | 15:04 |
cardoe | yes. I'll be there. my neutron topic is at 1400 UTC however. | 15:12 |
gtema | great. From Keystone pov we do not have any topics, so we can talk about your one for the whole hour. If that is still not enough we can talk outside of regular hours | 15:13 |
cardoe | The other thing I've been tinkering with is a keystonemiddleware. I'm running all my OpenStack services in Kubernetes. Each service's pods are running with their own Kubernetes ServiceAccount. What I was playing with was having Ironic, for example, read its ServiceAccount token and use that as the auth token when talking to, say, Neutron. Then Neutron uses my keystonemiddleware to validate it as having permissions. | 15:14 |
cardoe | But in all other cases I want auth to go the normal keystone route. | 15:15 |
gtema | you should have been in the Rust discussion today - I am POCing advanced auth flows and building a dedicated standalone service with token capabilities. It may help you in certain ways | 15:17 |
stanislav-z | <cardoe> "The other thing I've been..." <- I'm interested to learn more. I was playing with authentication in Keystone using Kubernetes SA tokens, using Keystone Federation configuration. There are certain things that are missing to run it at scale, but initial POC was quite nice in my case. | 15:20 |
stanislav-z | btw, are the PTG sessions recorded? would be happy to re-watch some, as I can't always join | 15:20 |
gtema | not really, but the one was recorded by Dave Wilde (d34dh0r53) . You can watch my webinar on ruty-auth things at https://www.youtube.com/watch?v=0Hx4Q22ZNFU It is not directly focusing federation auth, but rather keystone rustification and auth with yubikey | 15:22 |
gtema | but we also talked about service accounts in Keystone, which also relates to what you guys are saying | 15:22 |
gtema | s/ruty/rusty/ | 15:23 |
*** dansmith is now known as dansmith_pto | 16:52 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!