openstackgerrit | Merged openstack/keystone master: Fix formatting of ImportError https://review.openstack.org/549870 | 03:02 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/550711 | 06:31 |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Do not return all the limits for GET/PUT request. https://review.openstack.org/550736 | 07:48 |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Do not return all the limits for GET/PUT request. https://review.openstack.org/550736 | 12:20 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Remove tox_install.sh and align with constraints consumption https://review.openstack.org/550837 | 13:46 |
knikolla | o/ | 13:49 |
cmurphy | o/ | 13:50 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Remove tox_install.sh and align with constraints consumption https://review.openstack.org/550837 | 14:01 |
openstackgerrit | Russell Tweed proposed openstack/keystone master: Use different labels for user and project names https://review.openstack.org/550884 | 16:21 |
openstackgerrit | Russell Tweed proposed openstack/keystone master: Use different labels for user and project names https://review.openstack.org/550884 | 17:22 |
openstackgerrit | Nicolas Helgeson proposed openstack/python-keystoneclient master: Extends tags comparator support to KSC https://review.openstack.org/525792 | 18:56 |
openstackgerrit | Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/550711 | 19:14 |
jdennis | I'm wondering about some naming conventions in the code. What does the _ref suffix on a function/method name indicate? I was guessing "reference", but even if it's reference I'm not sure what that's trying to indicate. Are these naming conventions documented somewhere? | 20:11 |
lbragstad | jdennis: that's a good question - and they aren't documented :( | 20:13 |
lbragstad | it's essentially just saying the thing named *_ref is supposed to be a dictionary and is shorthand for "reference" | 20:13 |
jdennis | lbragstad: ok, good to know. I don't really get the association between dict and reference, I'm used to references in other languages but I'll take it for what it is. Any other naming conventions you think might be useful to know? | 20:16 |
lbragstad | jdennis: yeah - a lot of that pre-dates me... so i'm probably short on some historical context as well... | 20:17 |
lbragstad | _ref is probably the big one now that you mention it, but i'm sure there are others lurking around | 20:18 |
rodrigods | i even started to use _ref in other projects due that | 20:31 |
lbragstad | i'd love to see _ref go away in favor of just using `user = some_call()` | 20:33 |
lbragstad | instead of `user_ref = some_call()` | 20:33 |
lbragstad | and user should be some sort of python object that you can pass around | 20:34 |
jdennis | lbragstad: well if you mean we should be using Python classes instead of unstructured anonymous dicts I'm all for that. It can be really hard to figure out what data is being passed around for what purpose when the data is just a dict, dict's do carry any structural information | 20:37 |
jdennis | s/do carry/do not carry/ | 20:37 |
lbragstad | jdennis: right | 20:38 |
lbragstad | the token provider is really complicated due to that | 20:38 |
lbragstad | hooks get invoked based on the presence and values of keys in a dictionary | 20:38 |
jdennis | lbragstad: tell me about it! I get so lost in that code | 20:39 |
lbragstad | which in turn modifies the response | 20:39 |
lbragstad | so - the driver code is dictating what a response should look like (?!) | 20:39 |
lbragstad | super confusing :) | 20:39 |
lbragstad | i want to try and rip all that out this release - https://review.openstack.org/#/c/545450/ | 20:40 |
jdennis | lbragstad: another question if you don't mind, I see in keystoneauth1 that some methods (e.g. kerberos, oauth) send an empty auth_info dict. Is the assumption that those auth methods are "in front of keystone" (e.g. in Apache) and hence if the token request gets to Keystone auth has already occurred and hence no need for auth data? | 20:43 |
lbragstad | jdennis: that *might* be the case but I'd probably need to confirm with either knikolla, cmurphy, or jamielennox but that would seem sane | 20:44 |
knikolla | jdennis: i think so. the API for getting a token is protected from an apache mod, so if you get there you're golden. | 20:46 |
knikolla | the auth info is in the environment variables that apache passes to you. | 20:46 |
knikolla | so /identity_providers/myidp/protocols/myprotocol/auth would be the protected endpoint for myidp and protocol myprotocol. | 20:47 |
knikolla | whatever mapping is configured for myidp-myprotocol will be triggered to convert the env variables to a user. | 20:48 |
jdennis | knikolla: but you're talking about federation, as far as I can figure out the keystoneauth1 code uses the /v3/auth/token endpoint for most of its methods | 20:49 |
knikolla | jdennis: right. but i think kerberos/etc are treated as "external" method of authentication. | 20:51 |
knikolla | and in that case it will look at the REMOTE_USER env variable | 20:51 |
knikolla | or whatever is configured in keystone.conf | 20:52 |
knikolla | take that with a grain of salt as this is from me reading something in the docs rather than playing around with that kind of authentication. | 20:53 |
jdennis | knikolla: ok sure. Can you define the difference between "external" and "federation" | 20:53 |
knikolla | https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/external.py#L35-L38 | 20:54 |
knikolla | jdennis: external assumes that there will be a local user, and matches remote_user to a local user. | 20:54 |
knikolla | federation creates a shadow user with the attributes passed on from the idp. | 20:54 |
jdennis | knikolla: thanks | 20:56 |
knikolla | jdennis: sure, np. that is my understanding of how things work, but never really played around with it. ayoung might have more firsthand knowledge. | 20:59 |
ayoung | Reading up | 20:59 |
ayoung | jdennis, the ref thing goes back to termie. No idea what he was thinking | 21:00 |
ayoung | kmalloc, and jamielennox are your best sources of info on the whys of keystoneauth1 | 21:01 |
jdennis | knikolla, lbragstad: while I've got your attention :-) I've been trying to figure out if there is ever a case where access will continue to be allowed after a token is revoked, (provided client token caching is disabled), is that true? What about service tokens that are allowed past their expiration? | 21:01 |
ayoung | jdennis, ok that last one I can answer | 21:01 |
ayoung | token revocation and token expiry are intended to be treated differently | 21:02 |
ayoung | however...Hmmm | 21:02 |
lbragstad | jdennis: it's possible for a service user to validate an expired user token | 21:02 |
ayoung | I am not certain if we decided that, with service tokens, that we were going to accept revoked. I think not. | 21:02 |
lbragstad | but other than that, it should be treated as an invalid token | 21:02 |
ayoung | an expired token, on the other hand, yes, that can be used in conjunction with a service token for long lived work flows | 21:03 |
lbragstad | ^ | 21:03 |
ayoung | so a snapshot that takes an hour to upload, and then does some other operation should succeed even if the original token timed out | 21:03 |
ayoung | where as if it were revoked, it should fail. | 21:03 |
ayoung | I'd have to look at the code to see if that is what we actually enforce, but I think that is the case | 21:03 |
lbragstad | but once a token is revoked against keystone - it will be compared to a tokens upon request and if keystone receives a token matching the one that was revoked, we return a 401 | 21:04 |
ayoung | jdennis, external was the term used before federation | 21:04 |
lbragstad | s/a/all/ | 21:04 |
ayoung | that has my fingerprints on it, and was a way of saying "authenticated by HTTPD" but the user data was directly accessible, so think Kerberos and LDAP | 21:04 |
ayoung | or X509 and LDAP, or even, potentially basic auth. But that last was never done. | 21:05 |
ayoung | Federation kindof took over there, and we decided that all external stuff could be done with Federation. | 21:05 |
jdennis | lbragstad, ayoung: so to put this in context, I'm trying to write a security document that discusses PCI-DSS compliance, I've looked at all the Keystone docs on this topic and there are still unanswered questions, what I'm stuck on now is Requirement 8.1.3, "Immediately revoke access for any terminated users", it's not entirely clear to me this is enforced | 21:07 |
lbragstad | by terminated - do you mean deleted? | 21:07 |
lbragstad | or disabled? | 21:07 |
ayoung | jdennis, ok, lets put LDAP aside for a moment | 21:07 |
ayoung | if the user is stored in the Keystone Database we can do that. If the user is stored in a Federated store, we cannot | 21:08 |
ayoung | LDAP....we kindof really can't either | 21:08 |
lbragstad | keep in mind pci-dss support was written with sql in the for front | 21:08 |
ayoung | For Federated/LDAP the best we can do is let tokens expire | 21:08 |
lbragstad | fore front* | 21:08 |
ayoung | Now, if we went with 5 minute tokens like I wanted to years ago.... | 21:09 |
jdennis | lbragstad: I believe you can use any combination of actions to achieve this, so I assume it would be delete the user and revoke any tokens he has | 21:09 |
ayoung | so that might be one way we could do it, but we would have to make sure that any nontrivial operation worked with service tokens | 21:09 |
lbragstad | jdennis: yeah - for sql a termination (being disabling the user or deleting the user) the tokens associated to that user will be considered revoked | 21:09 |
ayoung | if you deactivate a user, delete her, or change her password, all of her tokens are immediately revoked | 21:09 |
ayoung | she can perform no new operations | 21:10 |
ayoung | if you disable or delete, all trusts she set up are also deactivated | 21:10 |
* ayoung hopes that is true of app creds. Have to confirm with lbragstad and cmurphy | 21:10 |
lbragstad | it is | 21:10 |
lbragstad | app creds are purged if the user is disabled or deleted | 21:10 |
jdennis | but there are two caveats though, right? Client token caching must be disabled and it does not apply to service accounts | 21:11 |
lbragstad | jdennis: yeah - this is keeping online validation in mind, so hopefully mitigated by short lived caches | 21:11 |
lbragstad | but still a margin for error there if you are caching for any length of time | 21:12 |
lbragstad | (client side that is) | 21:12 |
ayoung | edmondsw looked in, saw this convo, and fled.... | 21:14 |
ayoung | jdennis, I guess it would be possible for a remote system that sends out notifications to disable a user, so it might be beyond a Keystone boundary to meet compliance | 21:21 |
edmondsw | oh, you don't want me in that convo... I would tell you that even revoking tokens doesn't take effect immediately because of caching | 21:22 |
edmondsw | I see jdennis came to the same conclusion | 21:24 |
edmondsw | (now that eavesdrop has caught up) | 21:26 |
lbragstad | yup | 21:28 |
edmondsw | the clients used to check a revocation list, but that got whacked :( | 21:31 |
edmondsw | casualty of the PKI removal... it wasn't PKI-specific, but some of the comments made it sound like it was, and... | 21:31 |
ayoung | edmondsw, heh | 22:09 |
ayoung | speak of the devil and he shall appear. We used to call termie "He who must not be named in IRC" | 22:09 |
edmondsw | ayoung :) | 22:09 |
ayoung | edmondsw, so I wonder what the PCI-DSS definition of Immediate is. Does 5 minutes lag count? | 22:10 |
edmondsw | ayoung if they have a definition :) | 22:11 |
ayoung | Heh | 22:11 |
edmondsw | argue that if you really had to make it truly immediate you can take the system offline for 5 min? ;) | 22:12 |
ayoung | Ha | 22:12 |
aning | Hi guys, here is my question I posted to openstack ... | 22:14 |
aning | question, starting from Ocata, the keystone "user" table seems to be obsolete and I can see all users are in local_user table, but "user" table is still there, why that? | 22:15 |
aning | The reason I'm asking is that, when upgrade from Newton to Ocata, in 014_contract_add_domain_id_to_user_table.py ,it adds ForeignKeyConstraints to local_user table, with reference to "user" table | 22:15 |
aning | How could this work? | 22:15 |
ayoung | aning, not obsolute | 22:16 |
ayoung | obsolete | 22:16 |
ayoung | its for recording Federated users | 22:16 |
cmurphy | it's a converged view of local users, federated users, and ldap users | 22:17 |
ayoung | but users stored in the sql backend get users too | 22:17 |
aning | Ok, it is reserved for federated user if I'm not using federated auth. | 22:18 |
lbragstad | ayoung: our context -> authorization stuff is confusing | 22:18 |
lbragstad | ayoung: if i want to pull things out of the token model to populate in the context object, do i do that in auth/middleware.py? | 22:19 |
cmurphy | aning: the federated_users table is just for federated users but the users table is for all users | 22:19 |
aning | In my deployment, the "user" table is empty | 22:19 |
aning | service users are in local_user table. | 22:20 |
aning | I should see all users with domain_id in the "user" table as well? | 22:21 |
* cmurphy goes to check devstack | 22:21 |
eandersson | lbragstad, could we re-evaluate this as a quick fix for templated v3 catalogs? https://review.openstack.org/#/c/482364/ | 22:21 |
eandersson | templated still hasn't been marked as deprecated afaik | 22:21 |
lbragstad | eandersson: you're right - you can go ahead and restore it | 22:22 |
lbragstad | we didn't find someone jumping at the bit to implement the yaml stuff yet | 22:22 |
lbragstad | so we should at least fix that in the mean time | 22:22 |
eandersson | Yep | 22:22 |
lbragstad | thanks for the reminder | 22:22 |
eandersson | Thanks | 22:22 |
openstackgerrit | Erik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog https://review.openstack.org/482364 | 22:23 |
cmurphy | aning: i have CONSTRAINT `local_user_user_id_fkey` FOREIGN KEY (`user_id`, `domain_id`) REFERENCES `user` (`id`, `domain_id`) ON DELETE CASCADE ON UPDATE CASCADE so i'm not sure how your user table could be empty | 22:27 |
cmurphy | hrybacki: hi can we please make https://trello.com/b/Vo6dRALh/keystone-queens-retrospective public? | 23:02 |
eandersson | lbragstad, are you okay with just adding two more regions to the existing tests? | 23:07 |
lbragstad | sure - i'm not sure how much refactoring you'll have to do to get that to work - but maybe a new multiregion test case that uses a multi-region templated catalog? | 23:07 |
lbragstad | i gotta step out for a bit - but i'll be on later (hoping to catch jamielennox if i'm lucky to talk about oslo.context) | 23:11 |
jamielennox | lbragstad: it's 10:15 i'm around | 23:12 |
cmurphy | lol | 23:13 |
jamielennox | lbragstad: i had read your retro and wanted to mention that i did a fair bit of work around requiring certain policy attributes | 23:13 |
lbragstad | ahh - i'm just trying to figure out how to add system scope to the context properties so that i can get it into the policy creds dictionary | 23:26 |
* lbragstad has to run to fire training | 23:27 |
lbragstad | i should be back in a couple hours though | 23:27 |
jdennis | fire drill? | 23:27 |
lbragstad | pretty much :) | 23:28 |
lbragstad | fire 1 & 2 training for the fire dept | 23:28 |
jdennis | you're hot stuff | 23:28 |
lbragstad | i think they'd be surprised at how many fire drills we deal with a day ;) | 23:28 |
lbragstad | jamielennox: i'll see if i can catch you in a few hours? | 23:30 |
jamielennox | i should be around, i'm out for the next say 2.5 hours, but after should be ok | 23:31 |
openstackgerrit | Erik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog https://review.openstack.org/482364 | 23:40 |
adriant | lbragstad: not sure if actually a bug.. but when doing role assignment list with include_names, and one of the assignments is a domain assignment, I'm getting a 400 | 23:43 |
adriant | "openstack role assignment list --role test" works, but "openstack role assignment list --role test --names" throws a 400 | 23:44 |
eandersson | lbragstad, it's a bit hacky, but does what it is supposed to at least :D let me know if you have any better suggestion | 23:44 |
adriant | lbragstad, and I'll add a blueprint for this, it would be nice for the project list API to have an include_domains filter, rather than having to do two API calls to get a full list of projects. | 23:45 |
adriant | lbragstad: yep, role assignment list with include_names when there is a domain level assignment is broken in my devstack (built from master 2 days ago) | 23:56 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!