Friday, 2018-09-21

*** imacdonn has quit IRC 01:15
*** imacdonn has joined #openstack-keystone 01:16
<openstackgerrit> Tao Li proposed openstack/keystone master: Use uuidutils instead of uuid.uuid4()  https://review.openstack.org/603542 01:25
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Update log translation hacking check  https://review.openstack.org/604245 01:47
*** Dinesh_Bhor has joined #openstack-keystone 01:50
*** errr has quit IRC 02:12
*** Dinesh_Bhor has quit IRC 02:26
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Mapped Groups don't exist breaks WebSSO  https://review.openstack.org/597992 02:28
*** errr has joined #openstack-keystone 02:37
*** Dinesh_Bhor has joined #openstack-keystone 02:38
*** hoonetorg has quit IRC 02:48
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Mapped Groups don't exist breaks WebSSO  https://review.openstack.org/597992 02:52
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Mapped Groups don't exist breaks WebSSO  https://review.openstack.org/597992 02:54
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Mapped Groups don't exist breaks WebSSO  https://review.openstack.org/597992 02:57
*** hoonetorg has joined #openstack-keystone 03:02
*** rodrigods has quit IRC 03:02
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Update log translation hacking check  https://review.openstack.org/604245 03:03
*** jmccrory has quit IRC 03:32
*** jmccrory has joined #openstack-keystone 03:37
*** jamielennox has quit IRC 03:37
*** jamielennox has joined #openstack-keystone 03:38
*** rcernin has quit IRC 03:48
*** rcernin has joined #openstack-keystone 03:49
*** edmondsw has quit IRC 03:56
*** Dinesh_Bhor has quit IRC 03:58
*** jhesketh_ has joined #openstack-keystone 04:32
*** Dinesh_Bhor has joined #openstack-keystone 04:34
*** d34dh0r53 has quit IRC 04:34
*** d34dh0r53 has joined #openstack-keystone 04:34
*** jhesketh has quit IRC 04:36
<kmalloc> adriant: part of the default roles and documented rules in code, we can make changes so admin_or_owner can be changed. 05:08
<adriant> kmalloc: oh yeah, it's just going to take time, and require a shift in mindset 05:08
<kmalloc> yep. 05:10
<adriant> because until we do shift away from the idea of "any role on a project" being the standard, RBAC is pretty limited. Although with the way the policy in code is now will make it somewhat easier for operators to do such changes themselves 05:11
*** Dinesh_Bhor has quit IRC 05:12
<adriant> but yeah, it will take time. And in the meantime, we'll play with our own deployment's policy and see what works :) 05:13
*** Dinesh_Bhor has joined #openstack-keystone 05:16
*** jhesketh_ is now known as jhesketh 05:25
<openstackgerrit> Vishakha Agarwal proposed openstack/python-keystoneclient master: create() call in v3.regions.py is wrong  https://review.openstack.org/594921 05:33
*** shyamb has joined #openstack-keystone 05:51
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/oslo.policy master: POC: Add Open Policy Agent driver  https://review.openstack.org/604038 05:54
<openstackgerrit> Tao Li proposed openstack/keystone master: Use uuidutils instead of uuid.uuid4()  https://review.openstack.org/603542 05:58
*** shyamb has quit IRC 06:01
*** shyamb has joined #openstack-keystone 06:02
*** shyamb has quit IRC 06:13
*** shyamb has joined #openstack-keystone 06:14
*** shyamb has quit IRC 06:21
*** shyamb has joined #openstack-keystone 06:22
*** shyamb has quit IRC 06:38
*** belmoreira has joined #openstack-keystone 06:42
*** shyamb has joined #openstack-keystone 06:58
*** rcernin has quit IRC 07:02
*** shyamb has quit IRC 07:13
*** shyamb has joined #openstack-keystone 07:13
*** shyamb has quit IRC 07:20
*** shyamb has joined #openstack-keystone 07:20
*** mattgo has joined #openstack-keystone 07:23
*** shyamb has quit IRC 07:39
*** dims has quit IRC 08:11
*** dims has joined #openstack-keystone 08:12
*** shyamb has joined #openstack-keystone 08:13
*** belmoreira has quit IRC 08:37
*** Dinesh_Bhor has quit IRC 08:37
*** shyamb has quit IRC 08:41
*** Emine has joined #openstack-keystone 08:45
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Adding test case for MappingEngineTester  https://review.openstack.org/603539 08:45
*** belmoreira has joined #openstack-keystone 08:46
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Adding test case for MappingEngineTester  https://review.openstack.org/603539 08:55
*** Dinesh_Bhor has joined #openstack-keystone 08:55
*** sapd1 has quit IRC 09:00
*** sapd1_ has joined #openstack-keystone 09:01
*** shyamb has joined #openstack-keystone 09:08
*** hoonetorg has quit IRC 09:08
*** Emine has quit IRC 09:09
*** jaosorior is now known as jaosorior_lunch 09:09
*** Dinesh_Bhor has quit IRC 09:16
*** Emine has joined #openstack-keystone 09:21
*** hoonetorg has joined #openstack-keystone 09:25
*** shyamb has quit IRC 09:40
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Adresses LDAP case-sensitive issue  https://review.openstack.org/603345 09:55
*** Dinesh_Bhor has joined #openstack-keystone 09:56
*** shyamb has joined #openstack-keystone 10:03
*** Dinesh_Bhor has quit IRC 10:20
*** shyamb has quit IRC 10:32
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Adresses LDAP case-sensitive issue  https://review.openstack.org/603345 10:32
*** shyamb has joined #openstack-keystone 10:33
*** shyamb has quit IRC 10:42
*** Emine has quit IRC 10:44
*** shyamb has joined #openstack-keystone 11:22
*** jaosorior_lunch is now known as jaosorior 12:11
*** raildo has joined #openstack-keystone 12:16
*** shyamb has quit IRC 12:29
<cmurphy> any ptg recaps I should include in the update email? kmalloc knikolla gagehugo hrybacki 12:39
<knikolla> cmurphy: nothing from me. You and Lance do an amazing job every time :) 12:53
<lbragstad> o/ 13:02
*** trevormc has joined #openstack-keystone 13:07
<lbragstad> awesome summary cmurphy 13:20
<lbragstad> i just noticed you published it 13:20
*** jistr is now known as jistr|call 13:31
*** belmoreira has quit IRC 13:33
<openstackgerrit> ayoung proposed openstack/keystone master: Comment out un-runnable tests  https://review.openstack.org/603459 13:35
*** felipemonteiro has joined #openstack-keystone 13:43
<johnthetubaguy> lbragstad: this is the unified limits spec in Nova I promised: https://review.openstack.org/#/c/602201 Not finished, but has a lot of detail in there now (probably too much) 13:44
<lbragstad> johnthetubaguy awesome - thanks! 13:49
*** dansmith is now known as SteelyDan 13:50
*** felipemonteiro has quit IRC 13:56
*** openstackgerrit has quit IRC 14:07
*** mchlumsky has quit IRC 14:09
*** mchlumsky has joined #openstack-keystone 14:18
*** lbragstad is now known as elbragstad 14:24
<kmalloc> hrybacki: o/ 14:33
<raildo> kmalloc, Harry is offline-ish today, helping a friend get into their house after Hurricane Florence on the NC coast 14:35
<raildo> but he is responding to emails :) 14:35
<kmalloc> raildo: yeah, not surprised 14:35
<raildo> knikolla, gagehugo hey guys, do you have some time to review this patch? https://review.openstack.org/#/c/597992/ John and I already took a look at it, and we think that it's in good shape right now 14:37
*** mchlumsky has quit IRC 14:40
*** mchlumsky has joined #openstack-keystone 14:41
<cmurphy> kmalloc: do you think you could write up a proposal for outreachy on the flask test_client and subsystem reorg ideas? i can volunteer to mentor if you don't want to 14:41
<cmurphy> s/a proposal/proposals 14:41
<kmalloc> Sure. But it won't be until 1st week of October probably. 14:42
<cmurphy> okay, the deadline is oct 9 14:42
*** nick_kar has quit IRC 14:43
<kmalloc> Yeah I can have it by then 14:50
<cmurphy> o7 14:50
<kmalloc> It prob will be oct 3 or 4 14:50
<kmalloc> But def. doable by the 9th 14:50
<kmalloc> Since I want to take my birthday off work :P 14:51
<cmurphy> :D 14:51
<gagehugo> o/ 14:53
<knikolla> raildo: o/, reviewed and left a question 15:09
*** jistr|call is now known as jistr 15:11
*** bnemec is now known as beekneemech 15:21
<raildo> knikolla, thank you sir! 15:21
*** openstackgerrit has joined #openstack-keystone 15:52
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Stein  https://review.openstack.org/541903 15:52
*** felipemonteiro has joined #openstack-keystone 16:25
*** felipemonteiro has quit IRC 16:30
*** felipemonteiro has joined #openstack-keystone 16:30
*** mattgo has quit IRC 16:41
*** gyee has joined #openstack-keystone 17:01
*** nicolasbock_ has joined #openstack-keystone 17:03
*** sonuk has quit IRC 17:05
*** spsurya has quit IRC 17:05
*** etp has quit IRC 17:41
*** etp has joined #openstack-keystone 17:44
*** etp has quit IRC 17:55
*** etp has joined #openstack-keystone 17:56
*** nicolasbock_ has quit IRC 18:12
*** felipemonteiro has quit IRC 18:24
<trevormc> hi all, I have a policy question :) I'm trying to hit the TARGET_DOMAIN portion of the get_domain policy so that I can move this test in tempest https://review.openstack.org/#/c/525244/, but it appears it is not possible http://paste.openstack.org/show/730556/ can someone describe what kind of setup I need to show the default domain with a non-admin user? 18:37
<trevormc> here is the policy for reference https://github.com/openstack/keystone/blob/582cab391a10714a4ec8bab1a6cce9b49867f8d4/keystone/common/policies/domain.py#L20 18:38
<elbragstad> this one specifically? https://github.com/openstack/keystone/blob/582cab391a10714a4ec8bab1a6cce9b49867f8d4/keystone/common/policies/base.py#L21-L23 18:42
<trevormc> Yes! 18:42
<elbragstad> it doesn't look like the target attr information is getting passed into policy check function 18:45
*** trevormc_ has joined #openstack-keystone 18:47
<trevormc_> sorry i got disconnected :( 18:47
<elbragstad> actually - gagehugo just modified a bunch of code in the area 18:47
<elbragstad> https://github.com/openstack/keystone/commit/296f20f0a7e26784b6414ddbe12e0218087a9f51 18:47
<elbragstad> are you using master? 18:47
*** felipemonteiro has joined #openstack-keystone 18:48
<trevormc_> yes i have the changes as of Monday this week. 18:48
<trevormc_> commit: c96c7fd03b7afab033bcb31465390f46e56089c5 18:48
*** felipemonteiro has quit IRC 18:49
<elbragstad> cool - https://git.openstack.org/cgit/openstack/keystone/commit/keystone?id=c96c7fd03b7afab033bcb31465390f46e56089c5 18:49
*** trevormc has quit IRC 18:49
*** felipemonteiro has joined #openstack-keystone 18:49
<elbragstad> so you're actually hitting this https://github.com/openstack/keystone/blob/ba459352d8d2b54807a591312bc0b65aa1498b86/keystone/api/domains.py#L78 18:50
<elbragstad> that call is what's protecting the get_domain API 18:51
<elbragstad> with policy 18:51
<elbragstad> and it doesn't look like it's passing in any sort of target informatino 18:51
<elbragstad> information* 18:51
<elbragstad> which is an option argument to that method - https://github.com/openstack/keystone/blob/master/keystone/common/rbac_enforcer/enforcer.py#L246-L248 18:52
<elbragstad> https://github.com/openstack/keystone/blob/master/keystone/common/rbac_enforcer/enforcer.py#L261-L267 18:52
<elbragstad> so.. that method will actually attempt to populate it - https://github.com/openstack/keystone/blob/master/keystone/common/rbac_enforcer/enforcer.py#L340-L341 18:53
<elbragstad> which means target_attr will be a dictionary or reference of the domain... 18:54
<trevormc_> ok so it appears we need to pass the target information so we can check the TARGET_DOMAIN of the token, right? 18:54
<elbragstad> either that or we need to rewrite the check here 18:54
<elbragstad> https://github.com/openstack/keystone/blob/ba459352d8d2b54807a591312bc0b65aa1498b86/keystone/common/policies/base.py#L23 18:54
<elbragstad> because the check string is written like it's assuming target data to be coming from the token and not the domains API 18:55
<elbragstad> if that makes sense? 18:55
<elbragstad> but yeah... that policy seems to be inconsistent with the logic in that API... 18:55
<elbragstad> cc kmalloc gagehugo  ^ 18:55
<elbragstad> i guess you could test that by rewriting the policy 18:56
<trevormc_> ok I can do that, i'm not following entirely but I think I have enough to get started. I can follow up with gagehugo if I have questions, we're in the same office :) 18:58
<elbragstad> nice :) 18:58
<elbragstad> flick a pencil at him for me 18:58
<trevormc_> lol ok. :P 18:59
*** dave-mccowan has quit IRC 19:03
* gagehugo ducks 19:03
<openstackgerrit> ayoung proposed openstack/keystone master: Comment out un-runnable tests  https://review.openstack.org/603459 19:06
*** felipemonteiro has quit IRC 19:14
*** dave-mccowan has joined #openstack-keystone 19:14
<knikolla> jdennis: does mod_auth_mellon require both the response and the assertion to be signed? 19:18
<jdennis> knikolla: could you define response? 19:22
<knikolla> jdennis: <samlp:Response> 19:23
<knikolla> which is separate from the <saml:Assertion> signature. 19:24
<jdennis> knikolla: response is relative to the party, please be more specific 19:24
<knikolla> jdennis: i'm trying to set up keystone as an IdP using ECP. When mellon receives the ECP message it complains that it doesn't have a signature 19:25
<knikolla> http://paste.openstack.org/show/jvbKqiFEjdIWY4YstemW/ 19:25
<jdennis> knikolla: thanks, that's better, let me check the code ... 19:27
<jdennis> knikolla: a quick check of the code implies it does require the assertion to be signed, it would be a huge security risk if assertions were not signed btw. 19:32
<knikolla> jdennis: yes, i understand that. the keystone generated assertion does have a signature, i am trying to find out why mellon says it can't find the signature. 19:34
<knikolla> assertion for reference http://paste.openstack.org/show/730566/ 19:34
<jdennis> knikolla: I'm reviewing the paste ... 19:38
<knikolla> thank you 19:38
<jdennis> knikolla: I'd have to page in some of my xml signature knowledge but if I'm not mistaken your signature does not point to anything in the message 19:45
<jdennis> knikolla: sorry, I misread the xml, forget that :-) 19:48
<gagehugo> elbragstad: should get_domain not be checking from the token? 19:53
<gagehugo> sorry been pulled in many directions today 19:53
*** felipemonteiro has joined #openstack-keystone 19:53
<jdennis> knikolla: hmm... I don't see an obvious problem. I assume you have the IdP's metadata loaded into mellon, yes/no? 19:54
<knikolla> jdennis: yes, the first line here says so http://paste.openstack.org/show/jvbKqiFEjdIWY4YstemW/ 19:55
<knikolla> metadata here http://paste.openstack.org/show/730567/ 19:55
<knikolla> apache config here http://paste.openstack.org/show/730568/ 19:56
<knikolla> was playing around with a few settings (including MellonSignatureMethod) 19:57
<elbragstad> gagehugo maybe it should be? 19:57
<knikolla> removing or adding it doesn't change the log output 19:57
<jdennis> knikolla: if you send me the soap message (yes I know it's in the paste), and the IdP metadata as attachments in an email to jdennis@redhat.com I'll try to debug it, but probably not until Monday or Tuesday 19:58
<jdennis> knikolla: what version of mellon and lasso are you running? 19:58
<jdennis> knikolla: MellonSignatureMethod only changes how mellon signs messages, it's independent of validating signatures 20:00
<knikolla> mod_auth_mellon-0.13.1-3.el7_5.x86_64, lasso-2.5.1-2.el7.x86_64 20:01
<knikolla> i see 20:01
<knikolla> i'll send you an email, thanks a lot. 20:02
<jdennis> knikolla: ok great, those are current enough and I'm not aware of any signature bugs in them 20:02
<jdennis> knikolla: sometimes lasso reports one error when actually it was a different error that triggered the failure 20:03
<knikolla> that doesn't sound fun 20:04
<elbragstad> kmalloc you use ipdb, right? do you know if there is a way to make it work with stestr? 20:05
*** felipemonteiro has quit IRC 20:05
<openstackgerrit> Merged openstack/keystone master: Mapped Groups don't exist breaks WebSSO  https://review.openstack.org/597992 20:32
*** trevormc_ has quit IRC 20:32
<elbragstad> knikolla gagehugo vishakha ^ that should probably have a release note 20:37
<knikolla> elbragstad: good point 20:38
<mbeierl> knikolla: do you know if cmurphy's blog (http://www.gazlene.net/demystifying-keystone-federation.html) will work using keystone as the IdP instead of "http://idp.saml.demo"? 20:44
<knikolla> mbeierl: the last section talks about that 20:46
<mbeierl> for some reason, I cannot get the metadata from the Keystone IdP 20:48
<mbeierl> knikolla: I'll keep plugging at it, thanks 20:49
<gagehugo> knikolla I can write one real quick unless you are wanting to 20:52
<knikolla> gagehugo: go for it 20:52
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP/DNM Add domain target  https://review.openstack.org/604471 21:00
<gagehugo> trevormc_ ^ 21:01
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add releasenote for bug fix 1789450  https://review.openstack.org/604475 21:09
<gagehugo> knikolla ^ 21:09
<gagehugo> elbragstad ^ 21:09
<elbragstad> nice - thanks 21:09
*** raildo has quit IRC 21:15
*** mchlumsky has quit IRC 21:30
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add releasenote for bug fix 1789450  https://review.openstack.org/604475 21:34
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add releasenote for bug fix 1789450  https://review.openstack.org/604475 21:35
<gagehugo> spelling is hard 21:35
*** felipemonteiro has joined #openstack-keystone 21:35
<elbragstad> thanks gagehugo 21:45
*** felipemonteiro has quit IRC 21:45
*** felipemonteiro has joined #openstack-keystone 21:50
*** felipemonteiro has quit IRC 22:00
*** dave-mccowan has quit IRC 22:04
*** felipemo_ has joined #openstack-keystone 22:05
<kmalloc> elbragstad: I use pycharm 22:12
<kmalloc> elbragstad: and I don't use stestr, I run tests individually if I need to debug 22:12
<elbragstad> ack 22:12
<elbragstad> i figured out a workaround ;) 22:12
<kmalloc> Give me a sec on the other thing (on a phone) 22:13
<kmalloc> The policy string bit 22:13
<elbragstad> no worries - i'm about burnt out for the day ( i was trying to figure out tempest testing client stuff so that i can implement system scope) 22:14
*** felipemo_ has quit IRC 22:16
*** mbeierl has quit IRC 22:50
<kmalloc> Ouch 23:09
<kmalloc> That is some brain fry. For sure. 23:09
*** jrist has quit IRC 23:12
