Monday, 2018-04-16

<openstackgerrit> wangxiyuan proposed openstack/keystone master: Update IdP sql model https://review.openstack.org/559676 [02:35]
<cmurphy> lbragstad: I don't think we really need a forum session for app creds, I don't think there's much to discuss on the direction [04:41]
<lbragstad> cmurphy: ack - just wanted to double check [04:42]
<h3yduck> hey folks, We are trying to configure an environment where users log in via SAML2 and get their group names in 'niifEduPersonAttendedCourse' attribute, which is an array of course names in the SAML response. It works well when there are groups already for all course names. However we cannot create all groups, only some of them unfortunately. Therefore authentication fails if someone logs in with a course name assigned that has no corresponding [08:31]
<h3yduck> group in OpenStack yet. A working solution for us would be if Keystone would create the group if it didn't exist yet or if Keystone would map the authentication to already existing groups only, ignoring nonexistent ones. Here is our mapping: https://pastebin.com/0rumqE0t. Could you guys suggest a solution for this? [08:31]
<hugokuo> morning [08:52]
<hugokuo> is there a way to limit user to authenticate via v2 API of a specific? [08:53]
<hugokuo> specific project(tenant) [08:53]
<hugokuo> thx [08:53]
<openstackgerrit> Dai Hanada proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option https://review.openstack.org/554397 [09:58]
<openstackgerrit> Merged openstack/python-keystoneclient master: add lower-constraints job https://review.openstack.org/556142 [10:50]
<doxa> Good day! Can anyone help me with an OpenStack TOTP Horizon/Keystone plugin? [12:05]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Update IdP sql model https://review.openstack.org/559676 [12:26]
<lbragstad> hugokuo: I don't think there is with v2.0 [13:12]
<lbragstad> hugokuo: oh - actually i think i misunderstood your question [13:13]
<lbragstad> hugokuo: are you trying to limit a user to only being able to authenticate via v2.0? [13:14]
<kmalloc> doxa in what way do you need help? [14:13]
<kmalloc> doxa: we might be able to help, but let's start with a bit more context in what you need :) [14:13]
<gagehugo> o/ [14:50]
<lbragstad> o/ [15:00]
<hrybacki> o/ [15:02]
<ayoung> lbragstad, I rebased the CLI patch on top of one that runs pep8 clean [15:02]
<hrybacki> lbragstad: I think default-roles spec is looking solid [15:02]
<ayoung> https://review.openstack.org/#/c/560132/ [15:02]
<lbragstad> ayoung: oh - thanks [15:03]
<lbragstad> hrybacki: yeah - i think so too [15:03]
<lbragstad> i think ayoung just had a couple comments left [15:03]
<ayoung> looking.... [15:03]
<hrybacki> lbragstad: I think I got those addressed as well [15:04]
<ayoung> Deltas look good [15:04]
<hrybacki> woo [15:05]
<lbragstad> oh - i'm an iteration behind [15:05]
<lbragstad> i'll have a look [15:05]
<ayoung> I can only +1, but I've done that. [15:05]
<lbragstad> cool - thanks [15:06]
<lbragstad> i'm in the same boat [15:06]
<ayoung> lbragstad, how would I go about fixing the formatting on this page? [15:58]
<ayoung> https://specs.openstack.org/openstack/keystone-specs/specs/backlog/implied-roles.html [15:58]
<ayoung> is that really in backlog? [15:58]
<lbragstad> yeah - it probably needs to be cleaned up [15:59]
<ayoung> it's not [15:59]
<ayoung> there is nothing in backlog [15:59]
<ayoung> in git anyway [15:59]
<lbragstad> hmm [16:00]
<ayoung> it's in mitaka [16:00]
<lbragstad> looks like it is https://github.com/openstack/keystone-specs/tree/master/specs/keystone/backlog [16:00]
<ayoung> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/mitaka/implied-roles.html [16:00]
<ayoung> and it formats nicely there [16:00]
<lbragstad> hmm [16:00]
<lbragstad> that might be due to how we do docs now? [16:01]
<lbragstad> s/do/build/ [16:01]
<ayoung> ah, ok I'm submitting a review to drop it from backlog [16:01]
<lbragstad> ayoung: it's not in the backlog in master, though [16:01]
<lbragstad> at least i don't see it here - https://github.com/openstack/keystone-specs/tree/master/specs/keystone/backlog [16:02]
<ayoung> you are right [16:02]
<lbragstad> i bet we moved it out of backlog when we targeted it to mitaka [16:02]
<ayoung> right [16:03]
<ayoung> I just found the old one when doing a web search [16:03]
<lbragstad> ah [16:03]
<ayoung> this is not critical, as I know where the good one is, just took me til now to realize that [16:03]
<ayoung> looks like something needs to clean out the old files, probably left behind from old build/publishing [16:04]
<lbragstad> possibly [16:05]
* lbragstad runs to grab lunch [16:09]
<hugokuo> lbragstad re: "are you trying to limit a user to only being able to authenticate via v2.0?" The opposite, can a user or group of users in a tenant only auth via v3.0? [16:44]
<openstackgerrit> Merged openstack/oslo.policy master: set default python to python3 https://review.openstack.org/561324 [16:45]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 [16:50]
<kmalloc> hugokuo: not possible to block v2/v3 for specific groups of users short of disabling v2 [17:15]
<kmalloc> hugokuo: globally that is. [17:15]
<kmalloc> hugokuo: from a design perspective, v3 (non-default domain) users were not intended to auth via v2, but... there were bugs and we couldn't change the behavior. The solution was to move away from v2 (As we have) and v3 only [17:16]
<hugokuo> kmalloc: so Queens release would be the best option since the v2 was removed entirely since Q release [17:17]
<kmalloc> you can disable v2 before that, but everything in queens is sure to work without v2 [17:18]
<hugokuo> kk [17:18]
<hugokuo> got it [17:18]
<kmalloc> iirc, pike was well tested with v2 removed. [17:18]
<kmalloc> prior to Pike, you might run into weird bugs. [17:18]
<hugokuo> nice point. I'll give it a shot tmr. [17:18]
<hugokuo> I just learned something about the non-default domain user should not be able to auth via v2.0. [17:19]
<kmalloc> yeah. it's a known bug that, because people relied on it, we couldn't fix. so we just lived with v3 users (non-default domain) working via v2 [17:20]
<kmalloc> and kept pushing on v2 removal [17:20]
<openstackgerrit> Pavlo Shchelokovskyy proposed openstack/keystoneauth master: Use defusedxml for XML parsing in SAML https://review.openstack.org/536761 [17:27]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 [17:55]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 [18:44]
<hrybacki> lbragstad: if you delete a project, should related security groups also be deleted? Or is that an additional step required to be done manually (I think this is right) [19:07]
<lbragstad> hrybacki: yeah - since keystone doesn't manage security groups we wouldn't be able to handle that case within keystone [19:07]
<lbragstad> nova would have to consume a notification and clean those things up [19:08]
<hrybacki> lbragstad: ack, thank you for confirming :) [19:08]
<lbragstad> yep [19:08]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 [19:28]
<doxa> kmalloc: I am looking to add totp to openstack. OpenStack has this option since mitaka but not in horizon just keystone. [20:09]
<doxa> I need graphical interface [20:09]
<openstackgerrit> Merged openstack/keystone master: Use consistent role schema in token response validation https://review.openstack.org/407587 [20:28]
<lbragstad> hrybacki: +1 on the default roles spec [20:29]
<lbragstad> looks great [20:29]
<lbragstad> curious if anyone else here has thoughts on this - https://review.openstack.org/#/c/559676/4 and https://bugs.launchpad.net/keystone/+bug/1760843 [21:14]
<openstack> Launchpad bug 1760843 in OpenStack Identity (keystone) "Identity Provider domain is not unique" [Undecided,In progress] - Assigned to wangxiyuan (wangxiyuan) [21:14]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 [21:17]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove the sample .conf file https://review.openstack.org/521249 [21:53]
<kmalloc> doxa: i don't think horizon has that implemented yet. We're working on some changes for Rocky to make it possible. [22:00]
<hrybacki> awesome, thanks lbragstad :) [22:30]
<kmalloc> lbragstad: re-cherry-picked the master ENUM nullable change [22:32]
<lbragstad> kmalloc: awesome - thanks [22:40]
<openstackgerrit> Tin Lam proposed openstack/keystone master: [Do Not Merge] Adding debugging task https://review.openstack.org/561751 [23:26]
<adriant> kmalloc, lbragstad: Apologies re not any progress/news on auth receipts front. Busy with internal work, but new dev is joining us soon who can take over some of my current stuff while I dedicate 1-2 days a week to upstream work. [23:45]
<adriant> also doxa: feel free to bug me regarding TOTP! I've looked quite a bit into how to setup MFA stuff in keystone/horizon [23:46]