Thursday, 2018-03-29

<wxy> lbragstad: cool. I was reading it the last few days as well. Seems we may have more things to discuss.  01:46
<lbragstad> yeah - that's exactly what I was thinking  01:46
<lbragstad> I found this, too  01:47
<lbragstad> which was interesting https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid  01:47
<wxy> the title is interesting. lol  01:49
<lbragstad> :)  01:49
<lbragstad> http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ is another interesting one  01:50
<lbragstad> both of those articles reference https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/  01:51
<lbragstad> which I included in the security section of the reproposed specification  01:51
<Dinesh_Bhor> lbragstad: Hi, if you have time could you please take a look at these two patches? Both already have one +2: https://review.openstack.org/#/c/329913/12 , https://review.openstack.org/#/c/267456/  02:01
<kmalloc> lbragstad: we mostly use stateful tokens (live check at each step) and appear to be more immune to the concerns in that article than implied for straight session management.  03:59
<kmalloc> That said, if we encrypt, not just sign (mirroring fernet), we are pretty darn safe, minus the normal bearer token issues. We are using JWT as a claim transport, not as an all-encompassing session manager -- and we don't rely on JS to pull the data in.  04:00
<kmalloc> The link in the spec is good to have  04:00
<kmalloc> I'll do more analysis when not on a phone and trying to read/irc at the same time.  04:01
<kmalloc> But the tl;dr of that article is "bearer tokens are bad, mmmkay, and have security concerns" esp. when coupled with using JS to load data from local storage.  04:03
<kmalloc> re: the vuln... I think we can be smarter than the libraries and just wrap the alg bit ourselves and throw out bad tokens.  04:06
<kmalloc> lbragstad: ^ not that we should have to... but I want keystone to explicitly only allow algs we say we support (aka, I would violate the standard and not allow None)  04:07
<wxy> kmalloc: ++ yeah. We can add deeper limits or functions in Keystone to enhance the libraries.  04:10
<kmalloc> wxy: :)  04:10
<openstackgerrit> Merged openstack/oslo.policy master: add lower-constraints job  https://review.openstack.org/556068  06:23
<openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP]Add hierarchical limit  https://review.openstack.org/557696  12:32
<sapd> hi everyone. Why does keystone on the Queens release listen on 5000 only instead of 5000 & 35357? thanks  12:46
<knikolla> sapd: because we removed keystone v2.0. In keystone v2.0, 5000 and 35357 served different functions, but in keystone v3 they are the same, so it is not necessary to have both anymore.  13:34
<lbragstad> kmalloc: wxy yeah, I added a section about that in the spec  13:43
<lbragstad> the question I'm thinking about now is, "do we care if we sign versus just encrypting?"  13:43
<lbragstad> sapd: the v2.0 API was removed in queens  13:46
<sapd> thanks knikolla and lbragstad, because I don't see any information in the docs or release notes, and the install guide is still using port 35357, which made me confused  13:47
<lbragstad> sapd: the v2.0 API was designed around the concept of two different applications, or endpoints, one for administrator functionality (port 35357) and one for end user functionality (port 5000)  13:47
<sapd> lbragstad: what about security if we use the same port for admin and normal users?  13:47
<lbragstad> we do list it in the release notes - https://docs.openstack.org/releasenotes/keystone/queens.html  13:48
<lbragstad> sapd: the v3 API processes all requests the same way  13:48
<lbragstad> and it handles admin and end user functionality in the application  13:48
<lbragstad> instead of using the deployment architecture to solve the problem  13:48
<sapd> lbragstad: I don't see any information about removing the v2.0 API in these release notes.  13:51
<lbragstad> sapd: https://docs.openstack.org/releasenotes/keystone/queens.html#other-notes  13:52
<lbragstad> https://blueprints.launchpad.net/keystone/+spec/removed-as-of-queens  13:52
<sapd> yep. lbragstad: I didn't go to the blueprint link, so I didn't understand it. Thanks again  13:53
<lbragstad> yep  13:53
<lbragstad> we should get https://review.openstack.org/#/c/557060/ merged soon so that it's out of the way for other specs looking to land soon (api creds)  14:26
<gagehugo> lbragstad: done  14:33
<gagehugo> s/done/reviewed  14:34
<lbragstad> gagehugo: thank you  14:34
<openstackgerrit> Merged openstack/keystone-specs master: Log queens specifications with previous releases  https://review.openstack.org/557060  15:04
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Rocky  https://review.openstack.org/541903  16:09
<lbragstad> well - it looks like we're only going to be able to implement JWS if we do JWT  16:16
<lbragstad> the only library available that implements JWE is GPLv3 licensed  16:16
<gagehugo> hmm  16:17
<lbragstad> unless we go help one of those libraries implement JWE  16:20
<lbragstad> looks like both python-jose and pyjwt use pyca/cryptography for signing stuff  16:32
<gagehugo> yeah  16:40
<gagehugo> spec seems to look good, probably some discussion points though  16:40
<lbragstad> yeah... lots to discuss  16:43
<lbragstad> if I'm reading headless tokens correctly, the author is implying JWEs  16:49
<lbragstad> "A JWT consists of a protected payload together with a plaintext "header" section."  16:49
<lbragstad> well.. if protected == encrypted  16:50
<lbragstad> then JWE is implied  16:51
<lbragstad> otherwise, if protected == verified  16:51
<lbragstad> then JWS is a possibility  16:51
<lbragstad> but yeah - I suppose if we did do JWT and only used JWS, then headless would be a good option  16:53
<lbragstad> because that would leave generating the head up to keystone  16:53
<lbragstad> header*  16:53
<lbragstad> which means specifying the algorithm and everything  16:54
<lbragstad> as far as signing goes... I think regardless we're going to be using the same library  17:01
<lbragstad> (pyca/cryptography)  17:01
<lbragstad> jwt uses cryptography exclusively for signing operations  17:02
<lbragstad> python-jose gives you the option to use either  17:02
<lbragstad> pycrypto or cryptography  17:02
<lbragstad> but we've moved away from pycrypto (for python3 support iirc)  17:02
<lbragstad> and I believe the fernet implementation in pyca/cryptography uses the signing bits of the same library  17:03
<lbragstad> so - if there is ever a vulnerability in the signing implementation of cryptography, all our token formats would be susceptible  17:04
<lbragstad> paseto apparently uses a different signing approach  17:10
<lbragstad> https://github.com/stef/pysodium  17:11
* lbragstad breaks for lunch  17:25
<gagehugo> the saltiest python library  17:37
<knikolla> lbragstad: do we have a policy option for adding a role assignment for a project?  18:35
<knikolla> the `openstack role add --user <user> --project <project>` call  18:36
<lbragstad> knikolla: yeah - I believe that is classified as a grant policy  18:42
<lbragstad> knikolla: https://github.com/openstack/keystone/blob/master/keystone/common/policies/grant.py#L89-L101  18:43
<knikolla> lbragstad: thanks, forgot about the word grant  18:43
<knikolla> wanted to see if we have enough granularity to say "allow people who have the project_admin role on a project to assign roles to people on that project" but that doesn't seem to be possible.  18:44
<lbragstad> knikolla: right - we'd need to deprecate that create_grant policy and provide a substitute at the project, domain, and system levels  18:51
<gagehugo> lbragstad: time to update that change  19:57
<gagehugo> all hail stein  19:57
<lbragstad> bah oh - really?  19:58
<lbragstad> lol  19:59
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Log warning when using token_flush  https://review.openstack.org/556889  20:02
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Refactor list_users and related functions  https://review.openstack.org/553880  20:03
<gagehugo> lbragstad: missed one :)  20:15
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Log warning when using token_flush  https://review.openstack.org/556889  20:15
<lbragstad> gagehugo: ah, thanks!  20:16

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!