Wednesday, 2016-11-16

[00:05] <openstackgerrit> Merged openstack/keystone: Fixes remaining nits in endpoint_policy tests  https://review.openstack.org/397928
[01:48] <openstackgerrit> Chuck Short proposed openstack/keystone: Add py35 support  https://review.openstack.org/398020
[09:10] <openstackgerrit> howard lee proposed openstack/keystoneauth: Use assertIs(Not)None to check for None  https://review.openstack.org/398209
[10:12] <openstackgerrit> zhangyanxian proposed openstack/python-keystoneclient: Fix typo in access.py  https://review.openstack.org/398244
[10:13] <openstackgerrit> zhangyanxian proposed openstack/python-keystoneclient: Fix typo in access.py  https://review.openstack.org/398244
[10:18] <odyssey4me> stevemar dolphm An RFE which I think would be very useful to operators to implement: https://bugs.launchpad.net/keystone/+bug/1642212
[10:18] <openstack> Launchpad bug 1642212 in OpenStack Identity (keystone) "RFE: keystone-manage db_sync --check" [Undecided,New]
[10:18] <odyssey4me> it'd be great if keystone could set the precedent that other projects follow
[11:17] <openstackgerrit> howard lee proposed openstack/keystoneauth: Add __ne__ built-in function  https://review.openstack.org/398294
[12:01] <stevemar> odyssey4me: thanks for the tip about oslo validator!
[12:13] <openstackgerrit> David Stanek proposed openstack/keystone: WIP - Add validation for totp credentials  https://review.openstack.org/283522
[12:20] <odyssey4me> stevemar :) that's the product of many discussions which started at the Tokyo summit - I'm looking forward to seeing it come to fruition
[12:21] <openstackgerrit> David Stanek proposed openstack/keystone-specs: Add spec for native SAML2  https://review.openstack.org/397860
[12:55] <samueldmq> morning keystone
[12:55] <samueldmq> dstanek: hi
[12:58] <dstanek> samueldmq: good morning
[12:58] <samueldmq> dstanek: hi, good morning
[12:58] <samueldmq> dstanek: just posted a few comments on your spec
[12:59] <samueldmq> dstanek: I had a question but left it there
[13:08] <dstanek> samueldmq: responding now
[13:11] <dstanek> kk:1
[13:12] <dstanek> samueldmq: done
[13:13] <samueldmq> dstanek: nice, replied again. I'd be okay with the link in the working items section
[13:14] <samueldmq> dstanek: I do not have a reason to not +2 after that
[13:14] <samueldmq> dstanek: spec looks pretty clear and simple
[13:24] <openstackgerrit> David Stanek proposed openstack/keystone-specs: Add spec for native SAML2  https://review.openstack.org/397860
[13:39] <stevemar> o/
[13:39] <samueldmq> stevemar: morning
[14:10] <samueldmq> dstanek: have you seen https://review.openstack.org/#/c/373983 ?
[14:10] <samueldmq> "OpenID Connect improved support"
[14:15] <samueldmq> dstanek: I've commented on it. I think it's very similar (same idea) to the work you're doing. I suggested he talk to you
[14:17] <dstanek> samueldmq: i haven't, but it looks interesting
[14:17] <samueldmq> dstanek: ++
[14:21] <lbragstad> morning
[14:21] <samueldmq> ayoung: please reply to https://review.openstack.org/#/c/396331/ and https://review.openstack.org/#/c/396634 whenever you get a chance
[14:21] <samueldmq> ayoung: the author's replied to your comments
[14:22] <samueldmq> ayoung: I wonder if we could enhance our OAUTH to support the new needs (that would be more than OAUTH though)
[14:22] <samueldmq> lbragstad: morning
[14:35] <stevemar> rodrigods: you were looking for the ksc functional test failure: http://logs.openstack.org/44/398244/2/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/a23535b/testr_results.html.gz
[14:35] <stevemar> happens again
[14:35] <rodrigods> stevemar, sigh
[14:35] <rodrigods> stevemar, will take a look
[14:36] <stevemar> rodrigods: :)
[14:36] <stevemar> rodrigods: you're the functional test guy now!
[14:36] <dstanek> "not it"
[14:37] <rodrigods> stevemar, i like it! not sure if i should be scared
[14:38] <stevemar> rodrigods: be very afraid
[14:49] <rodrigods> rderose, can you take a look at https://review.openstack.org/#/c/378624/ ? tempest ppl didn't review yet, maybe they will feel more confident after some reviews
[15:03] <rderose> rodrigods: sure, we'll look at today
[15:03] <rderose> *will
[15:03] <rderose> :)
[15:03] <rodrigods> rderose, thx
[15:09] <stevemar> lbragstad: oh policy meeting isn't on irc?
[15:09] <lbragstad> stevemar I didn't schedule it for IRC - but wanted to have face-to-face conversation
[15:09] <lbragstad> if folks want to have it on IRC - i'll find a time and propose it for next week
[15:10] <stevemar> lbragstad: do what you intended first, if it's working out then keep doing it
[15:10] <openstackgerrit> Rodrigo Duarte proposed openstack/python-keystoneclient: Refactor test_domain_configs  https://review.openstack.org/398407
[15:10] <stevemar> lbragstad: i will be unable to join cause at jury duty
[15:11] <lbragstad> stevemar :(
[15:11] <rodrigods> stevemar, ^ think it fixes the issue, couldn't run the tests because i'm having a fight with kvm here
[15:11] <rodrigods> let's see what jenkins says
[15:14] <stevemar> lbragstad: no worries
[15:14] <stevemar> lbragstad: let me know who attends and what happens
[15:15] <lbragstad> stevemar will do
[15:30] <knikolla> o/
[15:43] <openstackgerrit> Gage Hugo proposed openstack/keystone: Change "Change User Password" request example  https://review.openstack.org/398421
[15:53] <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
[15:55] <openstackgerrit> Rodrigo Duarte proposed openstack/python-keystoneclient: Refactor test_domain_configs  https://review.openstack.org/398407
[15:55] <openstackgerrit> Steve Martinelli proposed openstack/keystone: remove release note about LDAP write removal  https://review.openstack.org/398436
[15:56] <openstackgerrit> Ron De Rose proposed openstack/keystone-specs: Extend user API to support federated attributes  https://review.openstack.org/397410
[15:56] <stevemar> lbragstad: dstanek rderose rodrigods can i get this pushed through please: https://review.openstack.org/#/c/398436/ i want to tag ocata-1 today and that's the only piece holding it up
[15:57] <rodrigods> stevemar, +2ed
[15:58] <dstanek> stevemar: pushed
[16:00] <stevemar> ty ty
[16:01] <lbragstad> link to hangout for those interested in policy meeting - https://etherpad.openstack.org/p/keystone-policy-meeting
[16:01] <lbragstad> er...
[16:01] <lbragstad> https://hangouts.google.com/call/pd36j4qv5zfbldmhxeeatq6f7ae
[16:06] <dolphm> lbragstad: so, the call is full. i can't rejoin :)
[16:07] <lbragstad> https://hangouts.google.com/hangouts/_/pd36j4qv5zfbldmhxeeatq6f7ae
[16:07] <lbragstad> dolphm try again?
[16:07] <dolphm> lbragstad: no really... the limit is 10 people. it's full
[16:10] <gagehugo> boo
[16:10] <lbragstad> Woo!
[16:10] <dstanek> woot, policy takeover
[16:10] <lbragstad> impromptu IRC meeting!
[16:10] <thinrichs> Hi all
[16:10] <lbragstad> roll call!
[16:10] <dolphm> ha
[16:10] <gagehugo> o/
[16:10] <knikolla> o/
[16:11] <raildo> o/
[16:11] <lamt> o/
[16:11] <lbragstad> well - looks like google hangouts capped us at 10 people, so..
[16:11] <edmondsw> lbragstad, I haven't been able to get into that hangouts... will keep trying
[16:11] <htruta> o/
[16:11] <ktychkova> o/
[16:11] <artmr> o/
[16:11] <lbragstad> edmondsw no worries - we are going to scrap the hangouts
[16:11] <edmondsw> cool
[16:11] <lbragstad> because we got capped at 10 people
[16:11] <ruan_02> o/
[16:11] <edmondsw> o/
[16:11] <stevemar> we're doing it here eh :P
[16:11] <rderose> o/
[16:12] <dstanek> \o/
[16:12] <lbragstad> so - we'll do an IRC meeting and if we want to stick with that (or can't find a workaround for face-to-face) I'll propose an official meeting time
[16:12] <stevemar> room #openstack-meeting-cp is open -- but i'll allow this to happen
[16:12] <stevemar> i won't ban you all for spamming
[16:12] <dstanek> stevemar: you didn't want to work in here did you? :-P
[16:12] <stevemar> :)
[16:12] <lbragstad> stevemar you're welcome :P
[16:13] * stevemar zips his mouth and goes back to work
[16:13] <raildo> lbragstad, what about using hangouts air next time? you can have more than 10 people at the same link (at least to watch)
[16:13] <lbragstad> alright - so for the definitions - do those make sense or does anyone have questions on the ones in the list? (https://etherpad.openstack.org/p/keystone-policy-meeting)
[16:14] <lbragstad> raildo i was really hoping we'd be able to use it for discussion, i don't want to have folks not be able to speak up if they want to be a part of the discussion
[16:14] <stevemar> they seem fine
[16:14] <lbragstad> ok - cool
[16:14] <raildo> lbragstad, makes sense
[16:14] <dolphm> could use a voice only solution like mumble
[16:14] <lbragstad> dolphm ++
[16:15] <gagehugo> ventrilo
[16:15] <dstanek> dolphm: ++ almost everyone had video off anyway
[16:15] <edmondsw> only issue I have with the definitions is scope check... policy is one element of a scope check, but not the only one
[16:16] <edmondsw> s/policy/project/
[16:16] <edmondsw> not sure what my fingers were thinking there...
[16:16] <thinrichs> Defs look fine, though I'd probably put the Role check and Scope check under the Openstack part since there's no notion of a 'project' or 'rule' in pure RBAC or ABAC
[16:16] <lbragstad> thinrichs true - i thought of that just before the meeting
[16:17] <rderose> Where did the defs come from?
[16:17] <lbragstad> rderose google :)
[16:17] <stevemar> :)
[16:18] <lbragstad> I can't remember where i pulled that from
[16:18] <rderose> lbragstad: I've seen PAP, PDP, PEP... from an IBM talk, but not sure where this design originated
[16:18] <thinrichs> PAP/PDP/PEP/PIP are all standard XACML terms, though they may have originated elsewhere
[16:18] <rderose> ah ha, thx
[16:18] <ruan_04> PIP, PDP... come from the standard XACML
[16:18] <lbragstad> I can try and find the source I used
[16:19] <lbragstad> under the definitions I tried to highlight where those particular systems apply in the openstack world
[16:20] <edmondsw> PIP is not just keystone... the service endpoints also add things
[16:20] <lbragstad> PDP and PEP are handled by oslo.policy, keystone just supplies information to oslo.policy, and the policy administration part is essentially a PIP and PAP
[16:21] <lbragstad> edmondsw ++
[16:21] <ktychkova> RBAC defs: http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf
[16:21] <rderose> but we're starting from scratch; not necessarily following the xacml architecture, right?
[16:21] <dstanek> edmondsw: as in the policy-in-code discussions?
[16:21] <ruan_04> XACML doesn't conform to cloud
[16:21] <edmondsw> dstanek not exactly, no
[16:22] <dstanek> edmondsw: other things too?
[16:22] <edmondsw> e.g. context_is_admin
[16:22] <edmondsw> used to set isadmin:True
[16:22] <dstanek> ah
[16:22] <edmondsw> and information about the target resource
[16:22] <dstanek> rderose: it's a good base to understand and start from
[16:22] <lbragstad> the nova folks were working on codifying their policy into oslo.policy (making it backwards-compat by allowing policy.json files to override the default policy in oslo)
[16:23] <dstanek> not sure i'd want to try to invent something completely new here
[16:23] <edmondsw> lbragstad, they did that in newton
[16:23] <edmondsw> except it's not in oslo.policy, it's in nova/policies
[16:23] <rderose> dstanek: good point
[16:23] <lbragstad> edmondsw ah - so is nova/policies a hook into oslo.policy somehow?
[16:24] <edmondsw> lbragstad the first thing they do is load the policies defined in nova/policies, then they allow you to override from policy.json
[16:25] <stevemar> lbragstad: yes, the defaults are in code
[16:25] <edmondsw> I think there was some oslo.policy work to make that possible but I don't recall the details
[16:25] <lbragstad> oslo.policy loads nova/policies?
[16:25] <edmondsw> I think nova does, actually
[16:25] <edmondsw> let me find it
[16:25] <lbragstad> got it
[16:25] <lbragstad> that makes sense
[16:27] <edmondsw> https://github.com/openstack/nova/blob/master/nova/policy.py#L206
[16:27] <edmondsw> called from https://github.com/openstack/nova/blob/master/nova/policy.py#L74
[16:28] <lbragstad> edmondsw ah - interesting
[16:28] <lbragstad> ok - so given the existing system and the list of existing pain points, does anyone have anything else to add?
[16:29] <ruan_04> dynamic policy configuration and enforcement
[16:30] <lbragstad> ruan_04 so administration of the policy
[16:30] <lbragstad> right?
[16:30] <ruan_04> yes
[16:30] <thinrichs> Biggest pain points I've heard are around Administration and Fine-grained policies, both of which we have.  People don't want to touch the policies and they want more control over who can do what.
[16:30] <lbragstad> from an operator perspective (not that I'm an operator) but that seems to be the big one
[16:31] <ruan_04> yes, I confirm you from the operator perspective
[16:31] <lbragstad> thinrichs fine grained policies, meaning being able to define specific roles for specific things (not fine grained in the sense of resources, right?)
[16:32] <ruan_04> fine grain means control at the resources level but not at the API level
[16:32] <edmondsw> I can also confirm that
[16:33] <thinrichs> Okay maybe I should say "richness" then.  Example from summit: "never open port 25 on any server"
[16:33] <edmondsw> a lot (most?) of the problems we have with policy are things that need to be fixed in the individual service endpoints. like too many places that hardcode that you have to be admin, or something like that (I think this is what dstanek was referring to earlier)
[16:33] <lbragstad> we can't create policies for specific resources today, can we?
[16:33] <raildo> another point is the policy validation/customization (maybe included in the administration of the policy point) it's hard for operators to validate their changes in the default policies
[16:33] <edmondsw> lbragstad no
[16:33] <edmondsw> but you can refer to resource properties in policy.json
[16:34] <lbragstad> edmondsw right
[16:34] <thinrichs> edmondsw: what kind of properties?
[16:34] <lbragstad> thinrichs https://github.com/openstack/keystone/blob/3f92a97b5a16b0877cba815d8dff966da18792a4/etc/policy.v3cloudsample.json#L37
[16:35] <lbragstad> like ^ there we are looking at the target's project domain id in the policy check
[16:35] <ruan_04> in policy administration, also centralized management instead of each policy.json file
[16:35] <edmondsw> thinrichs e.g. user_id https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L68
[16:35] <ayoung> samueldmq, in the words of the late Leonard Cohen: "i've been here before
[16:35] <ayoung> i've seen this room and i've walked this floor
[16:35] <ayoung> i used to live (work on this) alone before i knew you"
[16:36] <thinrichs> So properties of (a) request that comes in (e.g. user id)
[16:36] <edmondsw> ayoung, and you couldn't solve it alone, so we'd better work on it together :)
[16:36] <edmondsw> thinrichs, also properties of the target resource
[16:37] <edmondsw> e.g. target.role.domain_id https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L111
[16:37] <thinrichs> edmondsw: that's the one I'm puzzling over.  If it were Nova, could we write policy about the number of CPUs on the VM?
[16:37] <edmondsw> depends on what the service_endpoint loads (back to my earlier point)
[16:37] <lbragstad> so that allows you the ability to apply attributes of a resource to the policy check
[16:37] <edmondsw> yes
[16:38] <thinrichs> So each service pushes resource properties into oslo.policy for whichever properties it thinks are important for writing policy over.  Yes?
[16:39] <edmondsw> yes
[16:39] <thinrichs> Got it.  Thanks.
[16:39] <lbragstad> alright - what do we like about the existing system, if anything?
[16:40] <lbragstad> s/if anything/in addition to what's already in the list/
[16:40] <edmondsw> it's the target in https://github.com/openstack/nova/blob/master/nova/policy.py#L126
[16:41] <thinrichs> Handles the HA problem since services don't need to ping keystone to get a policy decision.  (Does each service need to hit keystone to do token validation?)
[16:42] <edmondsw> lbragstad I like that nova has moved default policy into code... I'd like to see more services do that
[16:42] <lbragstad> thinrichs yeah
[16:42] <edmondsw> greatly simplifies the policy.json files
[16:42] <thinrichs> HA/performance—can run multiple policy checks for a single request without repeatedly hitting keystone
[16:42] <lbragstad> edmondsw so - the policy files essentially become a list of policies you want to override
[16:42] <edmondsw> exactly
[16:43] <ruan_04> is it possible to centralize all policy.json files?
[16:43] <lbragstad> with the existing format in policy - is there a way to make it apply to a specific resource?
[16:43] <edmondsw> ruan_04 several have suggested that, but it gets really tricky really fast
[16:44] <ktychkova> It is possible to not use policy.json files :)
[16:44] <ktychkova> For example, to use LDAP as storage for policies or Apache Fortress
[16:44] <edmondsw> lbragstad what exactly do you mean... maybe give a use case?
[16:44] <thinrichs> ruan_04: I'd think you'd want (a) distributed enforcement with something like policy.json like we have now and (b) centralized administration.
[16:44] <lbragstad> edmondsw i want to apply a policy to a specific instance instead of all instances
[16:45] <thinrichs> lbragstad: based on the discussion earlier, can't the service push in object properties that include say the ID of each resource and then write policy over that?
[16:45] <edmondsw> if you got nova to add the instance's UUID to the target object it passes to authorize, then you could reference that UUID in your policy.json
[16:46] <thinrichs> lbragstad: though I'd think you'd almost immediately want to build groups of resources and write policy over those groups.
[16:46] <edmondsw> not exactly pretty, though
[16:46] <lbragstad> thinrichs yeah - what i'm trying to figure out is if the lack of fine-grained policies is a limitation of the current syntax or a lack of policy administration
[16:46] <dstanek> thinrichs: i'd also think that as the owner of some resource i'd want to give a user permission to that resource (and i have to access to policy.json)
[16:47] <ruan_04> I like Adam's idea, externalize all policies and properties of users and objects into a new service
[16:47] <thinrichs> I wouldn't think anyone would actually write a policy that enumerates UUIDs that are allowed
[16:47] <lbragstad> FYI - we're at the ten minute mark
[16:47] <thinrichs> They'd use metadata like "people can only create VMs using blessed-images from glance" where the "blessed" tag is a group that people add to images somewhere else
[16:48] <edmondsw> the id of the resource probably isn't the best choice typically, but there could be other attributes on the resource that make more sense
[16:48] <lbragstad> two things quick 1.) do we think the list of pain points is complete? 2.) do we like the direction of the items in our ideal policy system?
[16:48] <edmondsw> I'm sure the list of pain points isn't complete... there are so many I can't keep them all in my head at one time :)
[16:49] <dstanek> thinrichs: i don't think a cloud admin would write a policy like that, but as a resource owner i would
[16:49] <thinrichs> It might be useful to have a concrete, fine-grained policy to discuss and analyze tradeoffs.
[16:49] <thinrichs> dstanek: not sure who would write the policies at this point.
[16:49] <dstanek> i can't remember what ayoung called it, but it's basically layering policy
[16:50] <lbragstad> anyone here an expert on Apache Fortress?
[16:50] <ayoung> edmondsw, I have some fodder for today's policy meeting
[16:50] <ktychkova> o/
[16:51] <ayoung> is that happening now?
[16:51] <lbragstad> ktychkova does AF allow fine-grained policy control as we've talked about it here?
[16:51] <edmondsw> ayoung this is that meeting
[16:51] <lbragstad> ayoung yes
[16:51] <edmondsw> about to end
[16:51] <ayoung> AAAAH!
[16:51] <ayoung> Mother puss bucket....
[16:51] * lbragstad hands ayoung a schedule
[16:51] <edmondsw> ayoung I was wondering why you were so quiet...
[16:51] <ayoung> OK...so I was off by an hour
[16:51] <ayoung> OK...very fast...
[16:52] <ktychkova> About Apache Fortress, please read: http://xuctarine.blogspot.ru/2016/08/apache-fortress-easiest-way-to-get-full.html
[16:52] <ayoung> I have to make a decision on the RBAC spec
[16:52] <ayoung> 1.  policy check as part of the token validation is 1
[16:52] <ayoung> in 1
[16:52] <ayoung> 2.  second API call to do the RBAC check
[16:52] <ayoung> 3.  pull the data into middleware and do the RBAC check in there
[16:53] <ayoung> Spec is written for 1.  But based on feedback, I am leaning toward 3
[16:53] <edmondsw> ayoung, I would probably also lean toward 3 with those options
[16:53] <ayoung> edmondsw, yeah, it leaves caching intact
[16:53] <thinrichs> Are RBAC checks only ever done 1 time per request, or could they happen more than once?  If more than once, middleware seems like the clear win.
[16:53] <ayoung> thinrichs, it depends on the usage pattern
[16:54] <ayoung> for CLI, each token is used roughly once per service, so caching buys little
[16:54] <ayoung> and doing it all in Keystone is preferable
[16:54] <ayoung> but for Horizon, tokens are reused, and thus caching is heavily used
[16:54] <edmondsw> thinrichs ayoung it also depends on the API request... some have a check to see if you can call the API, and then run additional checks based on what your request body had in it or didn't have in it, or based on your query params
[16:55] <ayoung> so I was in process of re-writing the spec to call that out.  I think I will actually cover all three in the spec, but rank order them in implementation
[16:55] <ayoung> 1. external check.  2. separate API check  3.  check RBAC with token validation
[16:55] <edmondsw> e.g., yes you can create a port, but no you can't create THAT kind of port
[16:56] <ayoung> right.  this is not a catch all, but I suspect that the kind of external PDP you get with Fortress or the dynamic policy approach from last summer is not going to work for 98% of deployments out there
[16:56] <ayoung> it is really only going to work for teams that have a full time dedicated policy/security group
[16:57] <ayoung> I'm trying to lower the bar to make it easier to clear, not raise it
[16:57] <edmondsw> bump that 98% higher :)
[16:57] <ayoung> so, let us not forget that we are dumb, and yet the rest of the world considers *us* the experts
[16:57] <ayoung> I know I am dumb on this stuff.
[16:57] <edmondsw> 3 minutes
[16:58] <lbragstad> alright - so action items
[16:58] <lbragstad> i'm going to create an official irc meeting for this instead of google hangouts
[16:58] <ayoung> ++
[16:59] <ayoung> I'm going to post an updated RBAC spec with the external and separate API call options
[16:59] <lbragstad> action item for the rest of the group to continue thinking about pain points so that by next week we have a solid list of things we don't want the new approach to do
[16:59] <lbragstad> action item for ayoung to follow up on his specs
[16:59] <ayoung> I'll also finish up the API proof of concept for generation and management of the URL patterns
[17:00] <ayoung> Anyone interested in seeing them, they are here:
[17:00] <lbragstad> ayoung this is the one you're talking about - https://review.openstack.org/#/c/391624/ ?
[17:00] <lbragstad> right?
[17:00] <ayoung> https://github.com/admiyo/keystone/tree/url_patterns
[17:00] <ayoung> lbragstad, yes
[17:01] <lbragstad> cool - are there *any* other policy related specs we need to be reviewing that haven't been mentioned here?
*** Zer0Byte__ has joined #openstack-keystone17:01
lbragstadalrighty - that about sums things up then.17:02
thinrichslbragstad: no specific specs, but Congress has been talking about integrating with policy.json for a while17:02
lbragstadthinrichs i did some digging in congress this morning17:02
ayoungOn the apache fortress...someone did a proof of concept using it.  Do we have a link?17:02
ayoungah that was http://xuctarine.blogspot.ru/2016/08/apache-fortress-easiest-way-to-get-full.html17:02
ayoungcool17:02
lbragstadI'm going to document Congress and AF as action items for the group to get familiar with before next weeks meeting17:03
thinrichslbragstad: sounds good to me17:03
lbragstadktychkova is familiar with it so it would be nice to have an indepth discussion on it17:03
ayoungOne additional point for next week:  lets us start to think about providing services to the cloud instead of just managing it17:04
lbragstadsound good? anyone have anything else?17:04
ayoungalthough...that might be a full on Keystone discussion....17:04
ayoungas it touches on identity first.17:04
ayoungAre people looking for this form of Policy for the applications running in the cloud?17:04
lbragstadi'll end the meeting here but I'm going to hang around if anyone else wants to continue talking policy17:05
lbragstadthanks for coming! see you all next week17:05
* stevemar kicks everyone out  17:06
<ayoung> stevemar, you might be physically larger than me, but you might want to rethink trying to show me the door....  17:10
*** diazjf has joined #openstack-keystone  17:10
<openstackgerrit> Kristi Nikolla proposed openstack/keystone-specs: Devstack Plugin  https://review.openstack.org/395841  17:11
<stevemar> o_O  17:11
<stevemar> ayoung: you missed my joke earlier in the meeting  17:12
<stevemar> about lbragstad using the keystone room to run a meeting  17:12
<ayoung> stevemar, I still don't see why we don't just use this room every week  17:13
<ayoung> Each group with a dedicated room makes more sense to use that than to limit the meetings based on official meeting rooms  17:14
*** diazjf has quit IRC  17:14
<stevemar> the meeting rooms have the meet bot, and we could be helping someone with an issue in -keystone  17:14
<ayoung> I mean, we have not exactly deconflicted meeting times with 5 rooms...  17:14
<stevemar> i'm not super against it, i was mostly teasing lbragstad cause it was him  17:14
<ayoung> I know.  And I was teasing you because I'm me.  17:15
<stevemar> i fell for it :(  17:15
<ayoung> I know the rest of Keystone core would pay money to watch, say, a nerf-sword duel between us  17:15
<dstanek> ayoung: ++  17:15
<ayoung> http://www.timberdoodle.com/v/vspfiles/photos/483-030-4.jpg  17:15
<stevemar> hehe  17:15
<ayoung> I'd quote the Princess Bride and you'd quote Strange Brew  17:16
<dstanek> not exactly bloodsport  17:16
<ayoung> dstanek, I don't want to hurt him.  And I don't want to hurt me.  17:16
<ayoung> I'm like, old and stuff  17:16
<dstanek> you and me both  17:17
<stevemar> i feel old, does that count?  17:17
<dstanek> no  17:18
<stevemar> though with the rest of the keystone contributors i'm probably in the older range now  17:18
<stevemar> when compared*  17:18
<dstanek> stevemar: how old are you?  17:18
<stevemar> 31 going on 40  17:18
<dstanek> lol, give it a few more years  17:19
<stevemar> at least my body is telling me that  17:19
<dstanek> i'll be 40 much sooner than i'd like  17:19
*** diazjf has joined #openstack-keystone  17:24
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769  17:25
*** raildo has quit IRC  17:26
*** thinrichs has quit IRC  17:28
<dstanek> do we have any docs for using the cli with federation?  17:30
*** guoshan has joined #openstack-keystone  17:31
*** raildo has joined #openstack-keystone  17:34
<rodrigods> dstanek, good question  17:34
<dstanek> rodrigods: is it even possible?  17:35
<rodrigods> dstanek, i think it is - hmm remembered  17:35
<rodrigods> dstanek, http://rodrigods.com/what-about-ecp/  17:35
*** jistr|biab is now known as jistr  17:36
*** guoshan has quit IRC  17:36
<rodrigods> dstanek, we pass the plugin as --os-auth-type, jamielennox|away has a blog post on how to find out the plugin names  17:36
<lbragstad> lamt is your name Tin?  17:43
<lamt> yes  17:44
<lbragstad> lamt just trying to match up IRC nicks with names from the etherpad  17:44
<lbragstad> lamt thank you  17:44
<lamt> lbragstad: np  17:44
*** david-lyle has quit IRC  17:48
*** david-lyle has joined #openstack-keystone  17:48
<openstackgerrit> Gage Hugo proposed openstack/keystone: WIP - Add reason to notifications for PCI-DSS  https://review.openstack.org/396752  17:51
*** chris_hultin is now known as chris_hultin|AWA  17:51
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Federated authentication via ECP functional tests  https://review.openstack.org/324769  17:51
<rodrigods> stevemar, https://review.openstack.org/#/c/398407/3 think it fixes the issues  17:54
*** thinrichs has joined #openstack-keystone  17:56
*** mvk has quit IRC  17:58
*** diazjf has quit IRC  17:59
*** deep_1 has quit IRC  18:02
<stevemar> dstanek: probably not  18:06
*** jperry has quit IRC  18:10
<openstackgerrit> Merged openstack/keystone: remove release note about LDAP write removal  https://review.openstack.org/398436  18:11
*** catinthe_ has joined #openstack-keystone  18:13
*** tqtran has joined #openstack-keystone  18:13
*** ravelar has quit IRC  18:14
*** harlowja has joined #openstack-keystone  18:14
*** catintheroof has quit IRC  18:15
*** catintheroof has joined #openstack-keystone  18:15
*** chrisplo has joined #openstack-keystone  18:15
*** tqtran has quit IRC  18:18
<openstackgerrit> Matt Fischer proposed openstack/keystone: cache_on_issue default to true  https://review.openstack.org/383333  18:18
*** catinthe_ has quit IRC  18:18
*** jperry has joined #openstack-keystone  18:24
*** thebloggu has joined #openstack-keystone  18:25
*** Administrator_ has quit IRC  18:32
<rodrigods> bknudson, ping... re: usage of /identity instead of the port number in devstack  18:32
*** guoshan has joined #openstack-keystone  18:32
*** Administrator_ has joined #openstack-keystone  18:32
<lbragstad> dstanek the mapping in the last couple comments here doesn't look off to you, does it? https://bugs.launchpad.net/keystone/+bug/1557238  18:33
<openstack> Launchpad bug 1557238 in OpenStack Identity (keystone) "mapping yield no valid identity result in HTTP 500 error" [High,Fix released] - Assigned to Guang Yee (guang-yee)  18:33
*** guoshan has quit IRC  18:36
*** jpich has quit IRC  18:36
*** stlbigdog has quit IRC  18:45
<stevemar> lamt: let's see if we can figure out why that change is needed for notifications  18:47
<stevemar> otherwise the change looks good  18:47
* stevemar is afk for a bit  18:47
*** nk2527 has quit IRC  18:51
*** chlong has joined #openstack-keystone  18:53
<dstanek> lbragstad: nothing stands out as wrong, but i agree with gyee that a no match is probably a 500  18:53
<dstanek> we probably do always expect a match  18:54
<dstanek> i can test in my k2k in a little bit  18:54
<lbragstad> you mean a direct match from the assertion to the mapping  18:54
<dstanek> lbragstad: he is saying if nothing in the mapping matches that we just explode. i think that's probable, but i'll have to check  18:55
*** thebloggu has quit IRC  19:09
*** chris_hultin|AWA is now known as chris_hultin  19:10
*** amoralej is now known as amoralej|off  19:12
*** tqtran has joined #openstack-keystone  19:14
*** chris_hultin is now known as chris_hultin|AWA  19:16
*** chris_hultin|AWA is now known as chris_hultin  19:17
*** jamielennox|away is now known as jamielennox  19:26
*** guoshan has joined #openstack-keystone  19:26
*** guoshan has quit IRC  19:30
<lamt> stevemar: planning to look at it this afternoon  19:32
*** pcaruana has quit IRC  19:51
<morgan_> stevemar: expect some ksa changes being reworked here shortly  19:52
*** r1chardj0n3s_afk is now known as r1chardj0n3s  19:53
*** thinrichs has quit IRC  19:54
*** ravelar has joined #openstack-keystone  19:55
<stevemar> morgan_: rgr  19:59
<stevemar> lamt: awesomeo  19:59
<morgan_> stevemar: i just need to rebuild my dev environment correctly for it.  20:00
<morgan_> but it's not far odd  20:00
<morgan_> off*  20:00
<morgan_> have tests coming ready for task interface in ksa and will be going through the backlog of anything open  20:00
*** edtubill has joined #openstack-keystone  20:08
*** thinrichs has joined #openstack-keystone  20:10
<openstackgerrit> Merged openstack/python-keystoneclient: Refactor test_domain_configs  https://review.openstack.org/398407  20:11
<stevemar> morgan_: like that betamax failure lol  20:15
<stevemar> morgan_: i thought you were talking about that! :P  20:15
<morgan_> stevemar: that is also part of the fixes i'll be digging into  20:15
<morgan_> that one is weird. some interaction between us, betamax, and requests  20:15
*** guoshan has joined #openstack-keystone  20:20
*** diazjf has joined #openstack-keystone  20:21
*** diazjf has quit IRC  20:22
*** guoshan has quit IRC  20:25
*** artmr has quit IRC  20:32
<openstackgerrit> Ron De Rose proposed openstack/keystone: Lockout ignore user list  https://review.openstack.org/398571  20:33
<openstackgerrit> Ron De Rose proposed openstack/keystone: Lockout ignore user list  https://review.openstack.org/398571  20:38
*** raildo has quit IRC  20:50
*** nk2527 has joined #openstack-keystone  20:51
*** rcernin has joined #openstack-keystone  20:58
<openstackgerrit> ayoung proposed openstack/keystone-specs: Token Verify Role Check  https://review.openstack.org/391624  20:59
*** tqtran is now known as tqtran-afk  21:01
<edmondsw> jamielennox, just found that nova's instantiation of glanceclient is not going to use SessionClient because nova doesn't pass the session kwarg. I know you've worked on things like that in the past. Know if anyone's addressing that or what the holdup is?  21:04
<edmondsw> https://github.com/openstack/nova/blob/master/nova/image/glance.py#L104  21:04
<jamielennox> edmondsw: there's no one i know working on it and there's no reason it shouldn't be changed  21:05
<jamielennox> like, cool, would love you to fix it :)  21:06
<edmondsw> yeah :)  21:06
*** nk2527 has quit IRC  21:09
*** mvk has joined #openstack-keystone  21:11
*** guoshan has joined #openstack-keystone  21:14
<edmondsw> jamielennox I also noticed that the way it instantiates cinderclient will sometimes use token-based auth: https://github.com/openstack/nova/blob/master/nova/context.py#L135  21:15
<edmondsw> can you explain the note at https://github.com/openstack/nova/blob/master/nova/context.py#L39 and why it's not loading auth from keystone_authtoken section of conf?  21:16
<jamielennox> edmondsw: oh, so that's because you have to handle the case where context is created in the API service vs the conductor or scheduler or whatever  21:16
<jamielennox> at that point you are passing all that information over the RPC bus and you just have to reconstruct and do the best you can  21:17
*** jdennis has quit IRC  21:18
*** guoshan has quit IRC  21:19
<stevemar> ayoung: o/  21:20
<ayoung> stevemar, \o  21:21
<stevemar> ayoung: what's the story with red hat and kerberos everywhere? would you be upset if the horizon team retired d-o-a-kerb?  21:21
<stevemar> ayoung: you can jump to #openstack-horizon where we are discussing this  21:22
<ayoung> stevemar, if can die  21:22
<ayoung> it  21:22
<ayoung> Kerberos will be handled via Federation  21:22
<stevemar> coolio  21:23
*** thinrichs has quit IRC  21:23
*** thinrichs has joined #openstack-keystone  21:23
*** thinrichs has quit IRC  21:26
*** thinrichs has joined #openstack-keystone  21:28
*** catinthe_ has joined #openstack-keystone  21:32
<openstackgerrit> Gage Hugo proposed openstack/keystone: WIP - Add reason to notifications for PCI-DSS  https://review.openstack.org/396752  21:33
*** catintheroof has quit IRC  21:36
*** thinrichs has quit IRC  21:37
*** catintheroof has joined #openstack-keystone  21:51
*** catinthe_ has quit IRC  21:51
*** ayoung has quit IRC  21:55
<openstackgerrit> Richard Avelar proposed openstack/keystone: Fix typo in doc  https://review.openstack.org/398599  21:58
<openstackgerrit> Merged openstack/keystone: Change "Change User Password" request example  https://review.openstack.org/398421  22:01
*** nkinder has quit IRC  22:01
*** henrynash has quit IRC  22:01
*** henrynash has joined #openstack-keystone  22:06
*** ChanServ sets mode: +v henrynash  22:06
*** guoshan has joined #openstack-keystone  22:08
*** adrian_otto has quit IRC  22:08
*** lifeless has quit IRC  22:11
*** lifeless has joined #openstack-keystone  22:12
*** guoshan has quit IRC  22:13
*** henrynash has quit IRC  22:21
<openstackgerrit> Tin Lam proposed openstack/keystone: Enable CADF notification format by default  https://review.openstack.org/397339  22:21
<openstackgerrit> Gage Hugo proposed openstack/keystone: WIP - Add reason to notifications for PCI-DSS  https://review.openstack.org/396752  22:28
*** adriant has joined #openstack-keystone  22:31
*** diazjf has joined #openstack-keystone  22:32
*** ravelar has quit IRC  22:35
*** adrian_otto has joined #openstack-keystone  22:35
*** ravelar has joined #openstack-keystone  22:36
*** jperry has quit IRC  22:42
*** thinrichs has joined #openstack-keystone  22:43
*** ayoung has joined #openstack-keystone  22:45
*** ChanServ sets mode: +v ayoung  22:45
*** edtubill has quit IRC  22:53
*** catintheroof has quit IRC  22:54
*** chlong has quit IRC  22:59
*** diazjf has quit IRC  23:01
*** guoshan has joined #openstack-keystone  23:02
*** spzala has quit IRC  23:03
*** henrynash has joined #openstack-keystone  23:04
*** ChanServ sets mode: +v henrynash  23:04
*** dave-mccowan has quit IRC  23:07
*** guoshan has quit IRC  23:07
*** henrynash has quit IRC  23:08
*** tqtran-afk is now known as tqtran  23:13
*** chlong has joined #openstack-keystone  23:17
*** edmondsw has quit IRC  23:17
*** asettle has quit IRC  23:23
*** thinrichs has quit IRC  23:26
*** chlong has quit IRC  23:27
*** chris_hultin is now known as chris_hultin|AWA  23:29
*** lamt has quit IRC  23:33
*** zhugaoxiao has joined #openstack-keystone  23:38
*** chrisplo has quit IRC  23:38
*** khamtamtun has joined #openstack-keystone  23:39
*** Administrator_ has quit IRC  23:40
*** khamtamtun has quit IRC  23:42
*** diazjf has joined #openstack-keystone  23:44
*** henrynash has joined #openstack-keystone  23:47
*** ChanServ sets mode: +v henrynash  23:47
*** david-lyle_ has joined #openstack-keystone  23:50
*** erhudy has quit IRC  23:51
*** david-lyle has quit IRC  23:51
*** rcernin has quit IRC  23:52
*** ravelar has quit IRC  23:53
<openstackgerrit> Gage Hugo proposed openstack/keystone: Add reason to notifications for PCI-DSS  https://review.openstack.org/396752  23:55
*** guoshan has joined #openstack-keystone  23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!