Saturday, 2018-04-14

*** d0ugal has quit IRC00:05
*** d0ugal has joined #openstack-keystone00:06
*** hoonetorg has quit IRC00:08
*** hoonetorg has joined #openstack-keystone00:13
*** lbragstad has quit IRC00:30
*** harlowja has quit IRC00:41
*** germs has joined #openstack-keystone00:51
*** gyee has quit IRC00:55
*** panbalag has joined #openstack-keystone00:56
*** germs has quit IRC00:57
ayoungkmalloc,  so  desire was to have lock-password on a user-by-user basis01:24
ayoungare we going to modify the policy enforcement as well?01:25
kmallocNo, the policy is open for self service password changes01:25
kmallocIt has to be01:25
*** harlowja has joined #openstack-keystone01:25
kmallocThis doesn't impact admin password setting via patch01:25
kmallocOnly self service password changes.01:25
kmallocAnd yes, it is meant to disallow specific users from changing their own password.01:26
ayoungwhy does the policy have to be open?  Why can we not default to _member_ on a domain scoped token, as well?01:27
ayoungright. I get it now01:27
ayoungself service should be performed with an unscoped token01:28
kmallocPci-dss, password might be locked or require change. No token can be gained.01:28
ayoungso, more than just policy01:28
ayounghmmm  should policy be able to enforce stuff like this?01:28
kmallocSelf service password changes has a lot of extra logic and has to work sans token.01:29
ayoungI mean, it is far outside the set of stuff we enforce on today01:29
ayoungsure...but what is that logic like?01:29
kmallocPolicy might expand, but with @protected it was a nightmare to do with normal enforcement.01:29
ayoungwe still have a user object, just no scoped token01:29
ayoungwell, @controller.protected is no longer required01:30
ayoungwe  can use the functions now, they are just not the norm01:30
ayoungI need to figure out the next step, though.  the code is still too complex01:30
*** dangtrinhnt has joined #openstack-keystone01:31
kmallocRight. But enforcement on this one is weird. Most self service password changes are handled outside of standard rbac for these reasons, and you have flags that change behavior like lock-password, and min passowrd age, etc. You have to do authn at the same time as password change in our case.01:31
ayoungwell, not at the same time, just prior to return from the REST call, but I get you01:32
ayoungand we don't support basic-auth01:32
kmallocTyping on a phone so.  Little shorter responses.01:32
ayoungwe really should01:32
ayoungbasic auth, get an unscoped token.01:33
kmallocExactly. But we couldn't change that API contract anyway, it would need to be a new API with basic auth.01:33
ayoungput that in a session cookie01:33
kmallocBut we could totally do that.01:33
ayoungsubmit again for a scoped token01:33
kmallocThis is solving a direct bug/change from v2, where policy did work. But v3 is very different.01:34
ayoungits good stuff, just I missed a lot of the context and was surprised by the review01:34
kmallocSince we have user-level flags, I added it that way...also found a bug in our json schema01:34
kmallocYah, that's why I jumped to explain ;). I knew you were missing g some context.01:34
ayoungappreciated, and didn't realize it was compliance stuff, but makes sense01:35
ayoungon prep info,01:35
ayoungthe issue is that we end up with code like this:01:35
ayoungprep_info = {01:35
ayoung            'f_name': 'create_project',01:35
ayoung            'input_attr': {01:35
ayoung                'project': ref01:35
ayoung            }01:35
ayoung        }01:35
ayoung        authorization.check_protection(self, request, prep_info)01:35
ayoungthat is from
kmalloc(I have 7m before I need to run, FYI)01:35
kmallocUgh, that is kinda ugly.01:36
kmallocI get why you need it that way though.01:36
ayoungso even if I get rid of prep info, I can01:36
ayoungbut I next end up with01:36
kmallocStill better than @protected. ;)01:36
ayoungauthorization.check_protection(self, request, 'function_name',  prep_info={  'input_attr': {'project': ref})01:36
ayoungbecause that is what is used to enforce policy01:37
ayoungso I probably should go one further and build that, with01:37
kmallocCan we use a @partial to make it better?01:37
kmallocNot @partial, functools.partial01:37
ayoungauthorization.check_protection(self, request, 'function_name',  'input_attr' = project, ref=ref)01:37
ayoungI think I just need to make a few variations on the functions to make them unsurprising01:38
kmallocSounds good.01:38
ayoungso instead of check_protected I need something like01:38
kmallocNeed to run, will look when I get home at the backlog/links you send:)01:38
ayoungcheck_function_protected or check_attribute_protected01:38
kmallocTime to pick up the new puppy!01:38
ayoungjust talking it through, I think I know what I need to do01:38
ayoungWHat are you getting?01:39
kmallocShiba Inu01:39
ayoungOh those are gorgeous01:39
kmallocYeah :)01:39
kmallocPictures will happen tonight/tomorrow.01:39
ayoungOK, I'm totes going to Vancouver by way of Shiba Inu01:40
kmallocI need to book my hotel.01:40
kmallocNo plane this time though! Woo!01:40
*** panbalag has left #openstack-keystone01:51
*** tyvhf has joined #openstack-keystone02:04
*** tyvhf has quit IRC02:04
*** pooja_jadhav has quit IRC02:40
*** harlowja has quit IRC02:49
*** edmondsw has quit IRC02:56
*** germs has joined #openstack-keystone02:58
*** germs has quit IRC02:58
*** germs has joined #openstack-keystone02:58
*** germs has quit IRC03:03
*** fried_rice has quit IRC03:27
*** fried_rice has joined #openstack-keystone03:27
openstackgerritayoung proposed openstack/keystone master: Shift to check_policy for resource creation
*** harlowja has joined #openstack-keystone04:09
*** nicolasbock has quit IRC04:13
*** germs has joined #openstack-keystone04:59
*** germs has quit IRC04:59
*** germs has joined #openstack-keystone04:59
*** harlowja has quit IRC05:01
*** germs has quit IRC05:03
*** dklyle has quit IRC06:04
*** dklyle has joined #openstack-keystone06:05
*** harlowja has joined #openstack-keystone06:13
*** harlowja has quit IRC06:28
*** gongysh has joined #openstack-keystone06:53
*** gongysh has quit IRC07:05
*** gongysh has joined #openstack-keystone07:17
*** gongysh has quit IRC07:26
*** fabian has joined #openstack-keystone07:49
*** fabian has quit IRC09:28
*** martinus__ has joined #openstack-keystone11:06
*** panbalag has joined #openstack-keystone12:02
*** panbalag has quit IRC12:05
*** fabian has joined #openstack-keystone12:32
*** panbalag has joined #openstack-keystone13:17
*** fabian has quit IRC13:35
*** panbalag has quit IRC13:38
*** pcichy has joined #openstack-keystone13:49
*** fabian has joined #openstack-keystone14:31
*** lbragstad has joined #openstack-keystone15:05
*** ChanServ sets mode: +o lbragstad15:05
lbragstadjgrassler: are you going to be at the summit in Vancouver?15:20
lbragstadadriant: same question to you^15:20
lbragstadcmurphy: what are your thoughts on having a forum session on app creds at the summit? i think we have most of the design figured out15:26
lbragstadso we could have one to justify socializing capability lists15:26
lbragstadbut i'm not sure if you were going to incorporate a bit of that into your talk?15:28
*** nicolasbock has joined #openstack-keystone15:40
*** lbragstad has quit IRC15:43
*** fried_rice is now known as efried16:05
*** fabian has quit IRC16:13
openstackgerritMorgan Fainberg proposed openstack/keystone master: Fix json schema nullable to add None to ENUM
*** aojea has joined #openstack-keystone16:41
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change
-openstackstatus- NOTICE: The Gerrit service at will be offline for a minute while it is restarted to pick up a configuration change allowing it to start commenting on stories in StoryBoard, and will return to service momentarily16:51
*** aojea has quit IRC16:54
*** panbalag has joined #openstack-keystone16:55
*** jdennis has quit IRC17:08
*** jdennis has joined #openstack-keystone17:11
*** panbalag has quit IRC17:17
*** r-daneel has quit IRC17:30
*** aojea has joined #openstack-keystone17:37
*** aojea has quit IRC17:41
*** jdennis has quit IRC17:50
*** jdennis has joined #openstack-keystone17:51
*** pcichy has quit IRC17:54
*** r-daneel has joined #openstack-keystone18:17
*** r-daneel_ has joined #openstack-keystone18:20
*** r-daneel has quit IRC18:21
*** r-daneel_ is now known as r-daneel18:22
*** r-daneel has quit IRC18:47
*** r-daneel has joined #openstack-keystone19:00
*** itlinux has joined #openstack-keystone19:40
*** itlinux has quit IRC19:50
*** nicolasbock has quit IRC19:52
*** r-daneel has quit IRC20:08
*** r-daneel has joined #openstack-keystone20:09
*** r-daneel has quit IRC20:14
*** itlinux has joined #openstack-keystone20:43
*** pcaruana has quit IRC20:56
*** martinus__ has quit IRC21:10
*** aojea has joined #openstack-keystone21:13
*** itlinux has quit IRC21:16
*** aojea has quit IRC21:18
*** aojea has joined #openstack-keystone21:53
*** aojea has quit IRC22:31
*** aojea has joined #openstack-keystone23:18
*** aojea has quit IRC23:24

Generated by 2.15.3 by Marius Gedminas - find it at!