Friday, 2018-06-22

00:02 *** felipemonteiro has joined #openstack-keystone
00:17 *** gyee has quit IRC
00:28 *** Dinesh_Bhor has joined #openstack-keystone
00:34 *** itlinux has quit IRC
00:42 <adriant> knikolla: No, Adjutant doesn't do federated invites, but I'm curious how you're doing that in ksproj. Keystone can't create a user in an external source, so I was going to add support for a pluggable user store which would talk to an external source for users/roles/groups, and handle the keystone parts in keystone.
00:45 <knikolla> adriant: I don't do anything to the external source. We are part of a federation of academic institutions, and allow login from any of their identity providers.
00:46 <knikolla> But when a user logs in, they won't have any projects. So invites just assign the logged in federated user to the invited project.
00:47 <adriant> hmmm, in theory then if a shadow user already exists in keystone, Adjutant can potentially 'invite' it and assign a role.
00:47 <knikolla> yep. when someone clicks on the invite link with the token, they log in, ksproj figures out which user they are based on the token they received from keystone and assigns them.
00:48 <knikolla> so the identity of the token is what defines who the invited user is, rather than their username/email.
00:50 <adriant> oh ok, so until they log in, they don't exist in keystone, but once they do, then ksproj can act
00:51 <adriant> so we'd potentially need a similar variant of the invite process in Adjutant that handles a case like that.
00:51 * adriant needs to play with federation
00:53 <knikolla> adriant: yep, ksproj -> keystone -> external idp -> keystone (create shadow user) -> ksproj with unscoped token and no roles -> ksproj assign role based on the invite link
00:55 <adriant> knikolla: yeah, I think we can probably do something very similar in Adjutant, and potentially have it dynamic based on what the domain is configured for.
00:55 <adriant> e.g. if sql backend, then invite/create user as per normal, if external source, require login and shadow user creation before invite
00:56 <adriant> the Task/action workflow can figure that out, set the token to require certain fields which the gui will interpret in Horizon, and handle that part differently.
00:57 <adriant> or just have two variants of the invite process which you can turn on.
00:57 <knikolla> adriant: i'd be for the latter. We're moving away entirely from SQL users, so we'd want to disable that.
00:58 <knikolla> and enable the federated invite only.
00:59 <adriant> Cool. Yeah, there would be a bunch of work to make it play nice, but I don't think it'd be that painful. And a lot of the code would be the same for both invite processes
00:59 <adriant> and yeah, the way Adjutant's APIs and such are configured you'd effectively have the same API as two different pluggable variants you can turn on.
01:02 <adriant> knikolla: there will hopefully be a lot of work later this year as I refactor a lot of the Adjutant internals, but if you're interested in helping me with features like that, I won't turn you away ;)
01:02 <knikolla> adriant: cool. I'd be happy to help if that avoids me having to maintain another tool.
01:02 <knikolla> but i'd have to finish this up in the coming month or so.
01:05 <adriant> knikolla: no rush, Adjutant should be nicer to work with when I get done with the refactors I have planned anyway, and trying for feature parity with what you end up with in ksproj as the first step you do would be a sensible plan
02:00 *** blake has quit IRC
02:01 *** blake has joined #openstack-keystone
02:05 *** blake has quit IRC
02:09 *** felipemonteiro has quit IRC
02:19 *** felipemonteiro has joined #openstack-keystone
02:21 *** felipemonteiro has quit IRC
02:23 *** annp has joined #openstack-keystone
02:26 *** namnh has joined #openstack-keystone
02:30 *** dikonoor has joined #openstack-keystone
02:44 *** dikonoor has quit IRC
<openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP]Add auto increase primary key for unified limit
02:58 *** sonuk has joined #openstack-keystone
03:35 *** ykarel|away has joined #openstack-keystone
04:02 *** ykarel|away is now known as ykarel
04:22 *** itlinux has joined #openstack-keystone
04:25 *** sonuk_ has joined #openstack-keystone
04:29 *** sonuk has quit IRC
05:17 *** felipemonteiro has joined #openstack-keystone
05:23 *** itlinux has quit IRC
05:41 *** blake has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone master: Expose duplicate role names bug in trusts
05:43 *** blake has quit IRC
05:44 *** blake has joined #openstack-keystone
05:53 *** nicolasbock has joined #openstack-keystone
05:54 *** AlexeyAbashkin has joined #openstack-keystone
05:57 *** masber has joined #openstack-keystone
05:59 *** felipemonteiro has quit IRC
06:08 *** ispp has joined #openstack-keystone
06:13 *** AlexeyAbashkin has quit IRC
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Added check to avoid keyerror "user['name']"
06:28 *** samueldmq has quit IRC
06:28 *** samueldmq has joined #openstack-keystone
06:30 *** pcaruana has joined #openstack-keystone
06:34 *** ykarel_ has joined #openstack-keystone
06:36 *** ykarel has quit IRC
06:38 *** ykarel_ is now known as ykarel
06:43 *** martinus__ has joined #openstack-keystone
06:52 *** sonuk_ has quit IRC
07:08 *** rcernin has quit IRC
07:10 *** AlexeyAbashkin has joined #openstack-keystone
07:11 *** tesseract has joined #openstack-keystone
07:18 *** tosky has joined #openstack-keystone
07:21 *** blake has quit IRC
07:34 *** jistr|off is now known as jistr
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit
07:39 *** amoralej|off is now known as amoralej
08:03 *** d0ugal_ has quit IRC
08:04 *** d0ugal has joined #openstack-keystone
08:05 *** peereb has joined #openstack-keystone
08:05 *** rcernin has joined #openstack-keystone
08:09 *** namnh has quit IRC
08:13 *** ispp has quit IRC
08:23 *** ykarel is now known as ykarel|lunch
08:25 *** ispp has joined #openstack-keystone
<openstackgerrit> lvxianguo proposed openstack/python-keystoneclient master: fix misspelling of 'default'
08:29 *** AlexeyAbashkin has quit IRC
08:30 *** josecastroleon has quit IRC
08:41 *** rcernin has quit IRC
09:04 *** Dinesh__Bhor has joined #openstack-keystone
09:05 *** josecastroleon has joined #openstack-keystone
09:05 *** Dinesh_Bhor has quit IRC
09:07 *** ykarel|lunch is now known as ykarel
09:14 *** ykarel has quit IRC
09:36 *** AlexeyAbashkin has joined #openstack-keystone
09:48 *** Dinesh__Bhor has quit IRC
09:55 *** d0ugal has quit IRC
09:56 *** d0ugal has joined #openstack-keystone
10:14 *** s10 has joined #openstack-keystone
10:15 *** ispp has quit IRC
10:17 *** bigdogstl has joined #openstack-keystone
10:17 *** bigdogstl has quit IRC
10:21 *** ispp has joined #openstack-keystone
<openstackgerrit> yanpuqing proposed openstack/python-keystoneclient master: Delete keystoneclient.client.HTTPClient and request
10:23 *** s10 has quit IRC
<openstackgerrit> yanpuqing proposed openstack/python-keystoneclient master: Delete keystoneclient.client.HTTPClient and request
10:30 *** annp has quit IRC
11:16 *** sapd_ has quit IRC
11:17 *** ygl has joined #openstack-keystone
11:20 <ygl> hi all
11:20 <ygl> can someone guide me to a good link on how to configure keystone-to-keystone federation in openstack?
11:25 <cmurphy> ygl: did you see already?
11:26 <ygl> cmurphy: thanks a lot. I will check it
<cmurphy> ygl: i have a blog post too that might be helpful
11:30 <ygl> cmurphy: thanks
11:45 *** raildo has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone master: Fix duplicate role names in trusts bug
11:56 *** ygl has quit IRC
11:57 *** AlexeyAbashkin has quit IRC
11:59 *** ygl has joined #openstack-keystone
12:00 <ygl> cmurphy: can an LDAP be considered as an IdP?
12:01 <ygl> cmurphy: if that is the case then, can we say a keystone with an LDAP backend is a federated keystone?
12:02 <cmurphy> ygl: only if you're using Active Directory ADFS which provides a SAML endpoint
12:02 <cmurphy> ygl: LDAP can be used as a regular identity backend for keystone but we wouldn't really call it federated
12:02 <cmurphy> it's more like a drop-in replacement for the sql database
12:07 *** amoralej is now known as amoralej|lunch
12:08 <ygl> cmurphy: so in the regular "AD as identity backend for keystone" case, is keystone involved to some extent in managing the authentication?
12:10 *** sapd has joined #openstack-keystone
12:11 *** AlexeyAbashkin has joined #openstack-keystone
12:12 <cmurphy> ygl: yes, keystone has to accept credentials and pass them on to AD to do the authentication
12:12 <ygl> cmurphy: ahh! in that sense it is not a true federation. got it now :) thanks a lot
12:13 <cmurphy> no problem :)
12:15 *** ygl has quit IRC
12:52 *** zhongjun__ has quit IRC
13:20 *** jistr is now known as jistr|mtg
13:22 *** amoralej|lunch is now known as amoralej
13:27 *** efried_pto is now known as fried_rice
13:27 *** felipemonteiro has joined #openstack-keystone
13:37 *** jistr|mtg is now known as jistr
13:43 *** jistr is now known as jistr|mtg
13:48 *** r-daneel has joined #openstack-keystone
13:48 *** r-daneel has quit IRC
13:52 *** r-daneel has joined #openstack-keystone
13:52 *** lbragstad is now known as elbragstad
13:57 *** ispp has quit IRC
13:59 *** ispp has joined #openstack-keystone
14:00 *** ispp has quit IRC
14:00 *** belmorei_ has joined #openstack-keystone
14:00 *** ispp has joined #openstack-keystone
14:01 *** ispp has quit IRC
14:01 *** ispp has joined #openstack-keystone
14:01 *** belmoreira has quit IRC
14:01 *** josecastroleon has quit IRC
14:02 *** josecastroleon has joined #openstack-keystone
14:02 *** brad[] has quit IRC
14:03 *** spilla has joined #openstack-keystone
14:09 *** jistr|mtg is now known as jistr
14:10 *** peereb has quit IRC
14:33 <hrybacki> lbragstad[m]: okay first draft is up but I need to double check things and make some 'cosmetic changes' that I implemented half way through the audit
14:34 <elbragstad> sounds good
14:34 <hrybacki> if there is anything obvious missing please let me know
14:34 <hrybacki> but we can use ^^ to map out (tentatively) all of our APIs to role/scope(s) and I'll start making changes to our policy accordingly
14:35 <elbragstad> cool - i should be able to take a look a little later today
14:36 <hrybacki> great -- I'll try to get all of my updates in this morning
14:40 *** felipemonteiro_ has joined #openstack-keystone
14:44 *** felipemonteiro has quit IRC
15:00 *** afazekas has quit IRC
15:00 *** afazekas has joined #openstack-keystone
15:00 *** felipemonteiro_ has quit IRC
15:01 *** felipemonteiro_ has joined #openstack-keystone
15:02 *** r-daneel has quit IRC
15:06 *** spilla has quit IRC
15:11 *** itlinux has joined #openstack-keystone
15:12 *** spilla has joined #openstack-keystone
15:30 *** jistr is now known as jistr|afk
15:32 *** jistr|afk is now known as jistr
15:32 *** belmorei_ has quit IRC
15:33 *** ispp has quit IRC
15:41 *** gyee has joined #openstack-keystone
15:50 <elbragstad> kmalloc: what should we do with bind?
15:50 *** jistr is now known as jistr|off
15:55 <kmalloc> elbragstad: ?
15:55 *** larsks has quit IRC
15:55 <kmalloc> Reading up.
15:56 *** josecastroleon has quit IRC
15:56 *** r-daneel has joined #openstack-keystone
15:59 <kmalloc> elbragstad: not seeing reference to bind?
16:02 *** tesseract has quit IRC
16:03 *** ispp has joined #openstack-keystone
16:04 *** pcaruana has quit IRC
16:06 *** nicolasbock has quit IRC
16:08 <elbragstad> the fernet token provider doesn't support bind
16:08 <elbragstad> and it's the only token provider
16:10 <elbragstad> i'm checking to see what impact that has on x509
16:10 <kmalloc> bind is, iirc, mostly for krb5 stuff.
16:11 <kmalloc> it sounds like we need to just drop all the bind functionality
16:11 <kmalloc> since we have nothing but fernet
16:11 <kmalloc> non-api impacting.
16:11 <kmalloc> let's just drop token-bind code
16:12 <kmalloc> i can roll a patch shortly
16:12 <kmalloc> if you want
16:12 *** spilla has quit IRC
16:13 <elbragstad> so - removing bind won't impact ^
16:13 <elbragstad> configuring service accounts to authenticate via x509?
16:13 *** spilla has joined #openstack-keystone
16:13 <kmalloc> should have zero effect
16:13 <kmalloc> bind was "did the token auth with form X and maintained it"
16:14 <elbragstad> so we supported x509 via token bind and another patch for authentication via x509 that was unrelated
16:14 <kmalloc> right, bind was added enforcement to the token on top of auth
16:14 <elbragstad> so we can drop bind code?
16:15 <kmalloc> writing a patch to do so right now
16:15 <kmalloc> unless you want to do it
16:15 <kmalloc> we should totally be able to drop the bind code
16:15 <elbragstad> i'm in the middle of ripping everything apart
16:15 <elbragstad> i should be able to work it into my patch
16:15 <elbragstad> and pull it out later
16:15 <kmalloc> [the fact that we use fernet only now means we can't even test the bind code]
16:15 <kmalloc> and with most everyone moving to fernet, clearly no one is using it
16:16 <elbragstad> that would include removing then
16:17 <elbragstad> how do we want to track that removal? bug or removed blueprint?
16:17 <elbragstad> technically it was never deprecated directly
16:17 <elbragstad> it was deprecated indirectly via UUID token deprecation/removal
16:18 <kmalloc> the code is unused [it's a unit test, totally synthetic]
16:18 <kmalloc> the uuid deprecation explicitly called bind out.
16:18 <kmalloc> it fakes the token and checks against the faked-token
16:19 <elbragstad> ok - i'm going to lump the removal into the abomination of a patch i have going, then propose it
16:20 <elbragstad> against master as its own isolated patch
16:31 *** fried_rice is now known as fried_rolls
16:35 <kmalloc> elbragstad: annnnd now the slow part, writing these tests:
16:35 <elbragstad> that's usually the most refreshing part
16:36 <kmalloc> it's a lot of tests and a lot of mechanical work to set them up
16:36 <kmalloc> because enforce is such a black box
16:38 *** ispp has quit IRC
16:51 *** felipemonteiro__ has joined #openstack-keystone
16:55 *** felipemonteiro_ has quit IRC
17:21 *** jmlowe has quit IRC
17:33 *** amoralej is now known as amoralej|off
17:58 *** felipemonteiro__ has quit IRC
17:59 *** felipemonteiro__ has joined #openstack-keystone
18:02 *** r-daneel has quit IRC
18:13 *** jmlowe has joined #openstack-keystone
18:23 *** itlinux has quit IRC
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add functional testing gate
18:41 <tadams12083> Does anyone know why my ocata openstack install will import ldap users and groups but the groups don't have the member information? From the little I can find online my keystone ldap group config looks correct and it is showing up in keystone.
18:44 *** AlexeyAbashkin has quit IRC
18:55 *** ckonstanski has joined #openstack-keystone
18:56 *** fried_rolls is now known as efried_pto
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Introduce new TokenModel object
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: Simplify the issue token code path
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Cleanup keystone.token.providers.common
18:59 * elbragstad hits the "Save Game" button
19:05 <elbragstad> kmalloc: it'll need more polish.. but it works
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add functional testing gate
19:13 *** fiddletwix has joined #openstack-keystone
19:27 *** DevX has quit IRC
19:28 *** devx has joined #openstack-keystone
19:31 *** cmurphy is now known as cmurphy_vacation
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove token bind capabilities
19:32 <elbragstad> kmalloc: ^
19:33 <gagehugo> +6 -423, nice
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove token bind capabilities
19:36 <kmalloc> elbragstad: thnx
19:36 <kmalloc> elbragstad: i should have tests for @protected replacement
19:36 <kmalloc> then i can finally start moving apis.
19:36 <elbragstad> that's exciting
19:36 <kmalloc> this one has been painful.
19:37 <elbragstad> i swear... "Rocky - the release of painful refactors"
19:37 *** fiddletwix has quit IRC
19:37 <kmalloc> we can talk about the massive code shuffle: ->keystone.subsystem
19:37 <kmalloc> for the stuff that isn't .api
19:38 *** fiddletwix has joined #openstack-keystone
19:47 *** DHE has left #openstack-keystone
19:49 <kmalloc> elbragstad: want to see something awesome
19:50 * elbragstad pushes his glasses up
19:51 <kmalloc> now i just need to go figure out why we're hard locked on sub 1.0 flask in openstack
19:51 <kmalloc> because THAT right there is badass.
19:52 <elbragstad> huh - nice
19:52 <elbragstad> i bet that'd help with the plugin stuff we have
20:07 <kmalloc> turns out flask has been < 1.0 for ~3 years in our g-r
20:07 <kmalloc> so, before u-c/l-c work
20:07 <elbragstad> huh - nice
20:07 <kmalloc> elbragstad: hopefully we can get that landed and i can lean on the new testing bits, just so nice to be able to context manager for a client
20:07 <kmalloc> rather than the wonky stuff we currently do
20:08 <kmalloc> with as c: do X
20:08 <kmalloc> gee whiz, that would make our test cases a LOT simpler
20:08 <kmalloc> no more ".admin_request" things.
20:08 *** itlinux has joined #openstack-keystone
20:09 <kmalloc> [well maybe, depending on if .client goes through the whole middleware stack]
20:24 *** jmlowe has quit IRC
20:41 *** spilla has quit IRC
20:52 *** raildo has quit IRC
21:02 *** AlexeyAbashkin has joined #openstack-keystone
21:11 *** AlexeyAbashkin has quit IRC
<openstackgerrit> Gage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate
21:31 *** ayoung has quit IRC
21:37 *** felipemonteiro__ has quit IRC
21:44 *** ayoung has joined #openstack-keystone
21:45 *** martinus__ has quit IRC
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: Remove KeystoneToken object
22:04 <elbragstad> kmalloc: ok - that one is really messed up ^
22:04 <elbragstad> i think i have a bunch more unwinding to do :(
22:06 <elbragstad> somehow oslo.policy is failing because we changed from using KeystoneToken to TokenModel
22:06 <elbragstad> which is an internal-only object
22:06 <elbragstad> but it gets set on the request context in keystonemiddleware, which we override
22:07 <kmalloc> elbragstad: @protected is weird.
22:08 <kmalloc> show me a traceback, i bet i can show you why it's failing
22:08 <kmalloc> [if you have one that isn't just a 401]
22:08 <kmalloc> though my guess is that you're not extracting a sane bit of info about the subject-token.
22:08 <kmalloc> and booom splody
22:09 *** edmondsw has joined #openstack-keystone
22:09 <elbragstad> line 195 of that trace
22:09 <elbragstad> the credentials dictionary contains a 'token' key
22:10 <elbragstad> which is an instance of KeystoneToken, which inherits from dict
22:10 <kmalloc> don't look *there*
22:10 <kmalloc> the policy_dict has a non-type that is unexpected
<elbragstad> i didn't think i added anything that would put that in the credentials dict via middleware?
22:13 *** edmondsw has quit IRC
22:13 <kmalloc> no, but the credentials dict comes from auth context
22:15 <elbragstad> i'll dig into this a bit more... i need to go through everything anyway and reorganize bits of it, it's all a mess still
22:16 <kmalloc> i'm not sure if it will be easier to do after @protected is gone, but somehow i think it will be
22:16 <kmalloc> just because you have more knowledge of what the dict is going to end up looking like
22:17 <elbragstad> it's all pretty opaque
22:17 <kmalloc> though, just for your benefit you may want to add in a debug in the call to policy controller.enforce
22:17 <kmalloc> and print the creds/policy_dict/etc
22:18 <kmalloc> and see what changes between pre-patch/post-patch
22:18 <kmalloc> i can only comment on the amount of time it's taken me to write a comparable bit of code that isn't full of suck
22:19 <kmalloc> at least a week or two, and this time we have usable docstrings.
22:19 <kmalloc> it's still super opaque
22:19 <kmalloc> just less "fog" and more "black box"
22:20 <elbragstad> ^ before and after
22:20 * kmalloc waits for paste to load
22:20 <elbragstad> project_id is None...
22:21 <elbragstad> so, something must not be grabbing that from TokenModel property?
22:21 <kmalloc> that is my guess.
22:23 <kmalloc> it helps that i've been digging around in that code for the last week
22:23 <kmalloc> so, you need to look at what is setting things in the policy_dict.
22:23 <elbragstad> ack - good call
22:23 <kmalloc> i *think* domains are magical callback related things.
22:23 <elbragstad> thanks kmalloc
22:23 <kmalloc> so, it may not even be hitting @protected in the normal way
22:24 <elbragstad> that helps
22:24 * kmalloc is going to be sad when your fix lands before enforcer does and the rebase hell
22:24 <elbragstad> we'll see
22:24 <elbragstad> there is a lot of cleanup left
22:24 <elbragstad> i wanted to get to the oslo.limit stuff this week
22:24 <kmalloc> yeah. we're on colliding paths.
22:24 <kmalloc> just because flask touches everything.
22:25 <elbragstad> so does KeystoneToken apparently
22:25 <elbragstad> and refactoring the entire token provider api
22:25 <kmalloc> yeah, sorry i wrote a ton of KeystoneToken code
22:25 <kmalloc> my bad.
22:25 <elbragstad> meh - that's not the bad parts
22:25 <kmalloc> HAH i bet i know what is going on
22:26 <kmalloc> the policy_dict has an explicit flatten
22:26 <kmalloc> you're passing a non-dict item in
22:26 <elbragstad> yeah - it's in utils
22:26 <kmalloc> *OF_COURSE* oslo_policy is exploding
22:26 <elbragstad> i was *just* looking at that
22:26 <kmalloc> it's not using the token key, it just can't figure out wtf to do with it
22:27 <kmalloc> you need to make that flatten code do a token render into the policy dict
22:27 <elbragstad> which is why the creds dict looks odd
22:27 <kmalloc> and you should be fine
22:27 <kmalloc> look in common.authorization
22:27 <kmalloc> it might be set somewhere in there.
22:27 <elbragstad> line 76
22:28 <elbragstad> i'll go chase that in a day or two
22:28 <kmalloc> i have a serious appreciation for the insanity of the RBAC enforcement model we built
22:29 <kmalloc> if i could totally re-write it, i would
22:29 <kmalloc> but... i don't think i get that luxury
22:29 <kmalloc> mostly because of how "our published policy" works.
22:32 <elbragstad> thanks again for the help kmalloc
22:32 <elbragstad> i'm going afk for a bit
22:33 *** ayoung has quit IRC
23:41 *** tosky has quit IRC

Generated by 2.15.3 by Marius Gedminas - find it at!