Friday, 2017-11-17

openstackgerritayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations
openstackgerritayoung proposed openstack/keystone master: Add is_admin_project check to policy for token validations
*** itlinux has quit IRC00:07
*** gyee_ has quit IRC00:13
openstackgerritMerged openstack/oslo.policy master: Remove setting of version/release from releasenotes
*** sticker has joined #openstack-keystone00:25
*** daidv has quit IRC00:30
*** daidv has joined #openstack-keystone00:31
*** markvoelker has quit IRC00:31
*** zhurong has joined #openstack-keystone00:34
*** markvoelker has joined #openstack-keystone00:43
*** gmann_afk is now known as gmann00:50
*** panbalag has joined #openstack-keystone01:14
*** daniepar has quit IRC01:19
*** zhurong has quit IRC01:34
*** annp has joined #openstack-keystone02:30
*** namnh has joined #openstack-keystone02:45
*** itlinux has joined #openstack-keystone02:53
*** links has joined #openstack-keystone03:03
*** aselius has quit IRC03:04
*** _ix has joined #openstack-keystone03:27
*** jrist has quit IRC03:29
*** itlinux has quit IRC03:36
*** itlinux has joined #openstack-keystone03:45
*** jrist has joined #openstack-keystone03:53
*** dave-mccowan has quit IRC04:19
*** itlinux has quit IRC04:24
*** itlinux has joined #openstack-keystone04:33
*** itlinux has quit IRC04:33
*** daidv has quit IRC04:42
openstackgerritDeepak Mourya proposed openstack/keystoneauth master: Remove setting of version/release from releasenotes
*** daidv has joined #openstack-keystone04:42
*** sticker has quit IRC04:46
*** aojea has joined #openstack-keystone04:46
*** itlinux has joined #openstack-keystone04:49
*** aojea has quit IRC04:52
openstackgerritDeepak Mourya proposed openstack/keystone master: Remove setting of version/release from releasenotes
*** jaosorior has joined #openstack-keystone05:12
*** itlinux has quit IRC05:35
*** itlinux has joined #openstack-keystone05:38
*** _ix has quit IRC05:48
*** itlinux has quit IRC05:51
*** aojea has joined #openstack-keystone05:53
*** aojea has quit IRC05:58
*** wes_dillingham has quit IRC06:04
*** zhurong has joined #openstack-keystone06:41
*** belmoreira has joined #openstack-keystone06:43
*** aojea has joined #openstack-keystone06:54
*** aojea has quit IRC06:58
*** markvoelker has quit IRC06:59
*** pcaruana has joined #openstack-keystone07:04
*** rcernin has quit IRC07:18
*** namnh has quit IRC07:27
*** zhurong has quit IRC07:43
*** kmalloc has quit IRC07:54
*** aojea has joined #openstack-keystone07:54
*** markvoelker has joined #openstack-keystone08:00
*** aojea has quit IRC08:00
*** AlexeyAbashkin has joined #openstack-keystone08:01
*** jmlowe has quit IRC08:27
*** belmoreira has quit IRC08:47
*** aojea has joined #openstack-keystone08:56
*** aojea has quit IRC09:01
openstackgerritAndreas Jaeger proposed openstack/keystonemiddleware master: Remove setting of version/release from releasenotes
*** aojea has joined #openstack-keystone09:57
*** aojea has quit IRC10:01
*** sapd__ has quit IRC10:09
*** sapd__ has joined #openstack-keystone10:14
*** magicboiz has quit IRC10:16
*** daidv has quit IRC10:26
*** gmann is now known as gmann_afk10:37
*** annp has quit IRC10:37
*** magicboiz has joined #openstack-keystone10:48
*** magicboiz has quit IRC10:52
*** aojea has joined #openstack-keystone10:58
*** magicboiz has joined #openstack-keystone10:59
*** aojea has quit IRC11:02
*** aojea has joined #openstack-keystone11:59
*** aojea has quit IRC12:03
*** raildo has joined #openstack-keystone12:05
*** panbalag has quit IRC12:23
*** clayton has quit IRC12:44
*** efried is now known as fried_rice12:55
*** aojea has joined #openstack-keystone12:59
*** magicboiz has quit IRC13:04
*** aojea has quit IRC13:04
*** edmondsw has joined #openstack-keystone13:17
*** links has quit IRC13:19
*** wes_dillingham has joined #openstack-keystone13:23
*** clayton has joined #openstack-keystone13:29
*** swain has joined #openstack-keystone13:31
*** markvoelker has quit IRC13:34
*** markvoelker has joined #openstack-keystone13:34
*** sbezverk has quit IRC13:35
*** sbezverk has joined #openstack-keystone13:36
*** clayton has quit IRC13:38
*** clayton has joined #openstack-keystone13:39
*** panbalag has joined #openstack-keystone13:44
*** dklyle has quit IRC13:48
*** aojea has joined #openstack-keystone14:00
*** aojea has quit IRC14:05
*** dave-mcc_ has joined #openstack-keystone14:24
*** panbalag has left #openstack-keystone14:29
*** aojea has joined #openstack-keystone15:01
*** spilla has joined #openstack-keystone15:02
*** aojea has quit IRC15:05
*** rmascena has joined #openstack-keystone15:16
*** raildo has quit IRC15:19
*** jaosorior has quit IRC15:19
*** david-lyle has joined #openstack-keystone15:24
*** itlinux has joined #openstack-keystone15:31
*** swain has quit IRC15:41
*** itlinux has quit IRC15:42
*** itlinux has joined #openstack-keystone15:44
*** panbalag has joined #openstack-keystone15:47
*** ayoung has quit IRC15:48
*** ayoung has joined #openstack-keystone15:49
*** phalmos has joined #openstack-keystone15:59
*** aojea has joined #openstack-keystone16:02
*** david-lyle has quit IRC16:02
*** david-lyle has joined #openstack-keystone16:03
*** phalmos has quit IRC16:04
*** AlexeyAbashkin has quit IRC16:05
*** aojea has quit IRC16:06
*** gyee_ has joined #openstack-keystone16:09
*** panbalag has quit IRC16:18
*** panbalag has joined #openstack-keystone16:20
*** f13o has joined #openstack-keystone16:28
*** _ix has joined #openstack-keystone16:34
*** catmando has joined #openstack-keystone16:36
*** jistr has quit IRC16:39
*** panbalag has left #openstack-keystone16:41
openstackgerritGage Hugo proposed openstack/keystone master: Have project get domain_id from parent
*** jistr has joined #openstack-keystone16:43
*** f13o has quit IRC17:01
*** aojea has joined #openstack-keystone17:03
*** fried_rice is now known as fried_rolls17:06
*** aojea has quit IRC17:07
*** _ix has quit IRC17:21
*** catmando has quit IRC17:49
*** aselius has joined #openstack-keystone17:58
*** aojea has joined #openstack-keystone18:03
*** aojea has quit IRC18:07
*** _ix has joined #openstack-keystone18:29
*** aojea has joined #openstack-keystone18:51
*** aojea has quit IRC18:51
*** aojea has joined #openstack-keystone18:51
*** magicboiz has joined #openstack-keystone18:56
*** aojea has quit IRC19:02
*** _ix has quit IRC19:12
*** fried_rolls is now known as fried_rice19:17
*** itlinux has quit IRC19:31
*** itlinux has joined #openstack-keystone19:33
*** magicboiz has quit IRC19:35
*** itlinux has quit IRC19:50
*** itlinux has joined #openstack-keystone19:54
*** _ix has joined #openstack-keystone20:09
*** rmascena has quit IRC20:11
*** magicboiz has joined #openstack-keystone20:23
ayoungrodrigods, cmurphy Trying to figure out why this test is now failing:"
ayoung  is new to me, but cool20:33
ayoungtempest.api.identity.admin.v3.test_domains_negative.DomainsNegativeTestJSON.test_domain_create_duplicate[id-e6f9e4a2-4f36-4be8-bdbc-4e199ae29427,negative]  fails due to     b"Details: {'title': 'Forbidden', 'message': 'You are not authorized to perform the requested action: identity:create_domain.', 'code': 403}"20:34
ayounghrybacki, I'll ask you, too20:37
ayoungDid something change in how we are doing policy, such that my changes for is_admin_project are no longer inert by default?20:38
ayoungI don't see anything in Tempest that would have cause the change, so I'm guessing it is an assumption in Keystone that is no longer valid20:38
ayoungedmondsw, ?20:38
rodrigodshmm that's odd20:39
rodrigodscan you paste the review that is failing?20:39
ayoungrodrigods, ^^20:39
rodrigodswow, Dec 201520:40
ayoungrodrigods, it looks like the default is_admin_project=True  is not being kept20:41
ayoungrodrigods, yep20:41
ayoungrodrigods, so, here's the thing.  If that change affected default behavior, then the unit tests should fail.  They pass20:42
ayoungBut Tempest fails, which means that, in a running system, the logic is no longer valid20:42
*** itlinux has quit IRC20:43
*** magicboiz has quit IRC20:51
*** jmlowe has joined #openstack-keystone20:55
edmondswgagehugo I think I remember you breaking is_admin_project briefly, but I thought we quickly reverted that, didn't we?21:00
gagehugoedmondsw heh21:00
gagehugoyes we did21:00
edmondswany other ideas on the above?21:00
*** jmlowe has quit IRC21:01
*** ianw has quit IRC21:02
*** wes_dillingham has quit IRC21:03
gagehugois tempest using a domain scoped token?21:03
gagehugoI have no idea how those tests are done under the hood, I'd have to look21:04
*** ianw has joined #openstack-keystone21:09
edmondswayoung keystoneauth still assumes is_admin_project=True if the token data doesn't include is_admin_project
edmondswI always thought that was the wrong place to put it... I'd prefer so that it's the same if something isn't using keystoneauth21:17
edmondswwould also help avoid what may be happening here... something started setting is_admin_project other than keystoneauth?21:17
*** AlexeyAbashkin has joined #openstack-keystone21:19
*** AlexeyAbashkin has quit IRC21:24
edmondswoh, ayoung, I think you have to say token.is_admin_project:True, not just is_admin_project:True21:38
ayoungedmondsw, I actually wrote exactly that, but jamielennox wrote the keystoneauth approach, and I let him win21:41
ayoungedmondsw, so I need to change my review?21:41
ayoungedmondsw, cool, let me change that.  Thanks21:42
ayoungedmondsw, this because Keystone is enforcing on token and not on the keystoneauth?21:43
ayoungI recall that beiung the case originally21:43
ayoungedmondsw, for example, there is another rule:21:44
ayoungRULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'21:44
ayoungand that is not  I think that token is not part of the context (not sure why that is) and thus can't be used for enforcing policy anymore.21:45
edmondswayoung the format of the target info that's passed to oslo.policy is totally different depending on the API implementation21:46
edmondswit's a mess21:46
edmondswone of the things lbragstad and I have been talking about needing to fix21:47
ayoungedmondsw, right.  But I am fairly certain that I had it the way you specified in an earlier version of the patch, and then jamielennox changed the policy enforcement in keystone to use auth.  I think something else is wrong here21:47
ayounglet me look.21:47
edmondswayoung I know in pike and previous you had to do token.is_admin_project because that's what I've done in my policy files21:48
ayoungedmondsw, I wrote some of this, and jamielennox affected changes , too:
ayoungOK  so the whole common path starts with authorization.check_protection21:50
ayoungthat calls check_policy21:51
ayoung creds = _build_policy_check_credentials21:51
ayoungreturn context['environment'].get(AUTH_CONTEXT_ENV, {})21:52
ayoungso I suspect that my token_to_auth_context  function is dead code.  Should try to remove it and see what happens.21:52
ayoungnope it is called in keystone/middleware/
ayoung  is where is_admin_project is set21:53
ayoungand...I was pretty sure that would work21:54
ayoungI guess jamielennox never got the Keystone server to use keystoneauth context for policy.  SHoemakers kids and all that21:54
edmondswI think that RULE_TRUST_OWNER is using trust.trustor_user_id instead of token.trustor_user_id because the former comes from the request body and the latter comes from the token used to make the request21:54
edmondsw(since you mentioned that above)21:55
ayoungOh, that may well be true21:55
edmondswpretty sure it is21:55
edmondswwill be much simpler when we hardcode things that nobody should ever be changing21:56
ayoungedmondsw, so if we do token.* in a policy rule, does that come from the environment instead?21:56
ayounglike this one?21:56
edmondswcomes from the token that was use to make the request21:56
ayoungwell, I can always try it and see what happens21:56
ayoung-RULE_ADMIN_PROJECT_REQUIRED = '(rule:admin_required and is_admin_project:True)'21:57
ayoung+RULE_ADMIN_PROJECT_REQUIRED = '(rule:admin_required and token.is_admin_project:True)'21:57
ayoungedmondsw, that is what you are saying, right?21:57
edmondswayoung yes21:57
openstackgerritayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations
ayoungFire in the hole!21:57
* edmondsw ducks21:57
ayoungedmondsw, so...the general approach is to get this one in, and the comparable one for nova.  In parallel, get Global roles written and working, and then get those into the authcontext, then modify these rules to use global role and or is_admin_propject, then deprecate.  Right?21:59
edmondswayoung s/Global roles/system scope/ but otherwise... sounds about right22:01
ayoungedmondsw,   that was version 1.  So, yeah, what you said.22:01
ayoungRight,  system scoped...22:01
ayoungpatch set 4 is where I droppped the token.  and I assume that was based IRC offline convos with jamielennox22:02
edmondswhe can't always be right :)22:03
*** spilla has quit IRC22:05
ayoungedmondsw, is  looking right to you?22:05
ayoungTHat is the nova one22:05
edmondswthe nova change is... complicated. I'll have to look at it later22:08
edmondswif you think you've addressed my comment from Dec 15...22:08
edmondswI've learned to assume that a new ayoung change set probably didn't address my comments from the previous change sets :)22:10
ayoungedmondsw, addressed, yes.  Accepted....22:10
edmondswif you at least commented back...22:10
ayoungneeds a release note. Also, need to look at where things check is_admin:True (a result of context_is_admin, which this leaves only looking for role:admin) and see if any of them also need to be checking for is_admin_project:True to block cross-project access.22:11
ayounglets see...22:11
ayoungit has a release note22:11
edmondswyep, that's the easy one22:11
ayoungso the APIs I tagged were only the ones that needed to be global22:12
ayoungit was certainly not every admin API22:12
ayoungI changed those to use the new rule GLOBAL_ADMIN22:13
ayoungother ones I left as22:13
ayoung        'rule:global_admin or (is_admin:True and project_id:%(project_id)s)',22:13
ayoungI think that addressed what you were saying, but would not mind a second set of eyes on the individual apis to see if they are the right set.  If I missed something, it would mean that a global opertation ended up being project scoped, too, and I don't think that breaks anything22:15
edmondswI think what I was getting at (a year ago, so fuzzy), is that sometimes nova may get a request from a user and then, realizing that user was an admin, use its own service token instead as X-Auth-Token on an API call to another service, which would be a problem with what we're trying to fix here22:15
edmondswnova has so many policy problems that it's so hard to keep things straight in your head22:16
edmondswanyway, I've gotta run22:16
ayoungedmondsw, thanks.22:17
edmondswayoung yw and have a good weekend22:17
*** edmondsw has quit IRC22:19
*** edmondsw has joined #openstack-keystone22:19
*** edmondsw_ has joined #openstack-keystone22:23
*** wes_dillingham has joined #openstack-keystone22:23
*** edmondsw has quit IRC22:24
*** edmondsw_ has quit IRC22:27
*** hoonetorg has quit IRC22:28
*** dave-mcc_ has quit IRC22:30
*** wes_dillingham has quit IRC22:32
*** spilla has joined #openstack-keystone22:33
*** _ix has quit IRC22:36
*** _ix has joined #openstack-keystone22:50
*** wes_dillingham has joined #openstack-keystone23:01
openstackgerritayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations
*** ayoung has quit IRC23:24
*** edmondsw has joined #openstack-keystone23:44
*** edmondsw has quit IRC23:48
*** pcaruana has quit IRC23:54
*** wes_dillingham has quit IRC23:56

Generated by 2.15.3 by Marius Gedminas - find it at!