*** zigo has quit IRC | 00:05 | |
*** mvkr has quit IRC | 00:27 | |
*** mvkr has joined #openstack-keystone | 00:38 | |
*** aning_ has joined #openstack-keystone | 01:01 | |
*** aning has quit IRC | 01:04 | |
*** aning has joined #openstack-keystone | 01:05 | |
*** aning_ has quit IRC | 01:07 | |
*** aning_ has joined #openstack-keystone | 01:08 | |
*** aning has quit IRC | 01:11 | |
*** aning has joined #openstack-keystone | 01:11 | |
*** aning_ has quit IRC | 01:13 | |
*** Dinesh_Bhor has joined #openstack-keystone | 01:41 | |
*** Dinesh_Bhor has quit IRC | 01:41 | |
*** felipemonteiro has joined #openstack-keystone | 02:01 | |
*** felipemonteiro has quit IRC | 02:02 | |
adriant | lbragstad, kmalloc, gagehugo: I'm reading through release notes again and came across the fact that we allow a user to change their password without first getting a token now if they know the original password. I don't think we have added any MFA support on top of that. | 02:13 |
adriant | Because right now you can lock someone out of their account if you know their password, but not their totp code. | 02:14 |
kmalloc | We always allowed password change without token. | 02:17 |
adriant | Oh, but with that change we also allowed it for expired ones? | 02:17 |
kmalloc | Correct | 02:18 |
adriant | kmalloc: should we consider adding MFA based protections on top of that? | 02:18 |
kmalloc | Unsure. | 02:18 |
kmalloc | Maybe. Let's get the auth receipts first. | 02:19 |
adriant | oh yeah | 02:19 |
kmalloc | We can enhance other APIs independently | 02:19 |
adriant | this would be follow up | 02:19 |
adriant | we're just finally doing a keystone upgrade and this is giving me a good reason to read through all the release notes as I go | 02:19 |
adriant | and thought I'd ask about this | 02:20 |
adriant | kmalloc: https://review.openstack.org/#/c/404022 but this change dropped the @controller.protected() decorator, i thought that (until that patch) meant it needed a token? | 02:24 |
adriant | so only in Ocata did we allow a no token method to change password? | 02:24 |
kmalloc | adriant: v2 vs. v3. | 02:25 |
kmalloc | It was always intended for no token. So maybe in ocata. | 02:26 |
adriant | Oh so v2 always let you do it without token, but only in Ocata did we make v3 let you? Maybe? | 02:27 |
kmalloc | Possibly | 02:27 |
kmalloc | Related to pci-dss. | 02:27 |
gagehugo | yeah pci-dss related | 02:28 |
kmalloc | But needing a token breaks the self-service password change functionality | 02:28 |
*** felipemonteiro has joined #openstack-keystone | 02:28 | |
*** dave-mccowan has quit IRC | 02:29 | |
adriant | but no sensible system with MFA support would let you change password if you don't meet all the other auth requirements, so we may need to consider a middle ground where you can supply an auth receipt and the old expired password | 02:30 |
adriant | or something potentially less silly :/ | 02:30 |
adriant | I assumed this was mostly in the context of expired passwords, because surely if your password isn't expired you can always get a token | 02:31 |
adriant | yeah, before that patch the API was protected, and then eventually we remembered to remove the policy: https://github.com/openstack/keystone/commit/77bf1ad0b8991abb6c7ebba608fde27a3fd01c09 | 02:37 |
*** sapd1_ has quit IRC | 02:37 | |
*** sapd1 has joined #openstack-keystone | 02:39 | |
*** felipemonteiro has quit IRC | 02:43 | |
*** imacdonn has quit IRC | 02:50 | |
*** imacdonn has joined #openstack-keystone | 02:50 | |
*** felipemonteiro has joined #openstack-keystone | 03:11 | |
*** felipemonteiro has quit IRC | 03:30 | |
*** Dinesh_Bhor has joined #openstack-keystone | 03:46 | |
*** Dinesh_Bhor has quit IRC | 03:48 | |
*** Dinesh_Bhor has joined #openstack-keystone | 03:49 | |
*** Dinesh_Bhor has quit IRC | 04:01 | |
*** rcernin has quit IRC | 04:24 | |
*** Dinesh_Bhor has joined #openstack-keystone | 04:34 | |
*** rcernin has joined #openstack-keystone | 04:37 | |
*** Dinesh_Bhor has quit IRC | 05:00 | |
*** Dinesh_Bhor has joined #openstack-keystone | 05:08 | |
*** shyamb has joined #openstack-keystone | 05:14 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Purge soft-deleted trusts https://review.openstack.org/604970 | 05:16 |
*** rcernin_ has joined #openstack-keystone | 05:17 | |
*** lbragstad has quit IRC | 05:18 | |
*** lbragstad has joined #openstack-keystone | 05:18 | |
*** ChanServ sets mode: +o lbragstad | 05:18 | |
*** rcernin has quit IRC | 05:19 | |
*** jaosorior has joined #openstack-keystone | 05:20 | |
*** shyamb has quit IRC | 05:26 | |
*** shyamb has joined #openstack-keystone | 05:31 | |
*** pcaruana has joined #openstack-keystone | 05:41 | |
*** belmoreira has joined #openstack-keystone | 05:59 | |
*** shyamb has quit IRC | 06:05 | |
*** shyamb has joined #openstack-keystone | 06:09 | |
*** shyamb has quit IRC | 06:12 | |
*** shyamb has joined #openstack-keystone | 06:13 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Purge soft-deleted trusts https://review.openstack.org/604970 | 06:34 |
*** shyamb has quit IRC | 06:50 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Adding test case for MappingEngineTester https://review.openstack.org/603539 | 06:54 |
openstackgerrit | Merged openstack/keystoneauth master: Cache root urls with and without trailing slashes https://review.openstack.org/604635 | 07:03 |
*** shyamb has joined #openstack-keystone | 07:04 | |
*** rcernin_ has quit IRC | 07:05 | |
*** Dinesh_Bhor has quit IRC | 07:07 | |
*** mattgo has joined #openstack-keystone | 07:28 | |
*** shyamb has quit IRC | 07:32 | |
*** Dinesh_Bhor has joined #openstack-keystone | 07:36 | |
*** shyamb has joined #openstack-keystone | 07:45 | |
*** shyamb has quit IRC | 07:56 | |
*** Dinesh_Bhor has quit IRC | 08:28 | |
*** Dinesh_Bhor has joined #openstack-keystone | 08:53 | |
*** shyamb has joined #openstack-keystone | 08:53 | |
*** Emine has joined #openstack-keystone | 09:18 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Convert legacy functional jobs to Zuul-v3-native https://review.openstack.org/602452 | 09:19 |
openstackgerrit | Vishakha Agarwal proposed openstack/python-keystoneclient master: create() call in v3.regions.py is wrong https://review.openstack.org/594921 | 09:27 |
*** vishakha has joined #openstack-keystone | 09:37 | |
*** shyamb has quit IRC | 09:38 | |
*** shyamb has joined #openstack-keystone | 10:29 | |
*** rcernin_ has joined #openstack-keystone | 10:43 | |
*** rcernin_ has quit IRC | 10:52 | |
*** Dinesh_Bhor has quit IRC | 10:56 | |
*** shyamb has quit IRC | 11:12 | |
*** pcaruana has quit IRC | 11:15 | |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Reformat Adapter docstring https://review.openstack.org/605042 | 11:24 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Add support for client-side rate limiting https://review.openstack.org/605043 | 11:24 |
mordred | cmurphy, kmalloc, adriant: ^^ I **clearly** need to add tests for that, but I believe that will let us remove the TaskManager from openstacksdk and nodepool and expose the fancy extra goodness we've been doing there to all of the consumers | 11:25 |
cmurphy | mordred: that sounds exciting | 11:29 |
mordred | cmurphy: yah - I'm pretty pleased so far - it only required writing one class that should be in the standard library | 11:30 |
mordred | but otherwise is shockingly straightforward- unless I'm *completely* missing a logic | 11:30 |
* cmurphy looks at it | 11:31 | |
cmurphy | oh, adding thread locking to a requests lib, totally straightforward | 11:32 |
mordred | yah. now - writing the unit tests for it, on the other hand... | 11:33 |
mordred | will probably take the rest of the week | 11:33 |
cmurphy | mordred: are you sure this belongs in ksa and not back in openstacksdk? | 11:34 |
mordred | cmurphy: I've got a patch for it for openstacksdk too ... so it can live either place - but I figured I'd float it over here to see what people think | 11:35 |
*** mattgo has quit IRC | 11:35 | |
mordred | cmurphy: https://review.openstack.org/#/c/604926 fwiw | 11:36 |
cmurphy | i have a little bit of hesitation about this feature creep | 11:37 |
cmurphy | interested in how kmalloc feels | 11:37 |
mordred | yah - and totally fair | 11:37 |
mordred | I'm good either way - kinda whatever folks think | 11:37 |
mordred | there isn't an explicit need for it to be down in ksa like there was for discovery stuff | 11:38 |
kmalloc | cmurphy: I am perfectly fine with this in KSA if it can be encapsulated nicely | 11:41 |
kmalloc | I need to look at the code and see how it fits, but it isn't outside of something I see as valuable. | 11:41 |
kmalloc | I also might look and say "yeah, this is sdk clearly" | 11:42 |
kmalloc | So, ... Let me look at the code today :) | 11:43 |
kmalloc | (will be not pre-5am insomnia code review though) | 11:43 |
cmurphy | kmalloc: i was wondering why you and mordred appeared at the same time | 11:44 |
kmalloc | Have been awake for 4 hours | 11:45 |
cmurphy | :O | 11:46 |
kmalloc | Lot on my mind and busy couple days this week | 11:46 |
*** shyamb has joined #openstack-keystone | 11:48 | |
mordred | kmalloc: I haven't been up for 4 hours - but I have been up for 3 - because NO REASON | 11:57 |
kmalloc | Stupid no reason no sleep ;) | 11:58 |
* kmalloc shakes fist at no reason. | 11:58 | |
mordred | kmalloc: no reason is the worst isn't it? | 11:59 |
kmalloc | Totally. | 12:00 |
*** aojea has joined #openstack-keystone | 12:00 | |
kmalloc | Makes for less than fun following days | 12:00 |
kmalloc | Often... Sleepy, moderately unproductive | 12:00 |
*** mattgo has joined #openstack-keystone | 12:02 | |
*** raildo has joined #openstack-keystone | 12:12 | |
*** shyamb has quit IRC | 12:31 | |
*** lbragstad has quit IRC | 12:47 | |
*** aojea has quit IRC | 12:51 | |
*** lbragstad has joined #openstack-keystone | 12:59 | |
*** ChanServ sets mode: +o lbragstad | 12:59 | |
*** belmoreira has quit IRC | 13:05 | |
*** lbragstad has quit IRC | 13:09 | |
*** lbragstad has joined #openstack-keystone | 13:23 | |
*** ChanServ sets mode: +o lbragstad | 13:23 | |
*** lbragstad has quit IRC | 13:24 | |
*** lbragstad has joined #openstack-keystone | 13:24 | |
*** ChanServ sets mode: +o lbragstad | 13:24 | |
*** aojea has joined #openstack-keystone | 13:26 | |
*** lbragstad has quit IRC | 13:26 | |
*** lbragstad_ has joined #openstack-keystone | 13:26 | |
*** ChanServ sets mode: +o lbragstad_ | 13:26 | |
*** lbragstad_ has quit IRC | 13:26 | |
*** lbragstad has joined #openstack-keystone | 13:27 | |
*** ChanServ sets mode: +o lbragstad | 13:27 | |
*** belmoreira has joined #openstack-keystone | 13:29 | |
*** aojea has quit IRC | 13:30 | |
*** wxy| has joined #openstack-keystone | 13:45 | |
*** wxy| has quit IRC | 13:49 | |
cmurphy | hrybacki: mind sending me an invite re the stein board? i would be a bit late but i'd like to join if possible | 14:49 |
*** wxy-xiyuan has quit IRC | 14:50 | |
hrybacki | cmurphy: https://trello.com/invite/b/rj0ECz2c/59eee4dde6cda539a345e91554a92fdc/keystone-stein-roadmap <3 | 14:50 |
cmurphy | hrybacki: sorry i meant the bluejeans meeting | 14:53 |
hrybacki | cmurphy: oh, we couldn't get it to work -- lbragstad is running me through the last few days of PTG on a hangout | 14:54 |
hrybacki | https://hangouts.google.com/call/lE9L6UGJeNeqO3WqT4nLAAEE cmurphy | 14:54 |
cmurphy | ah i probably don't need to be there then | 14:56 |
hrybacki | you're welcome all the same cmurphy | 14:57 |
hrybacki | cmurphy: we're about to go over the stein board now if you wanna join | 15:00 |
cmurphy | hrybacki: okay i will in about 15 minutes, starting another meeting | 15:00 |
*** felipemonteiro has joined #openstack-keystone | 15:00 | |
*** david-lyle has quit IRC | 15:04 | |
*** dklyle has joined #openstack-keystone | 15:05 | |
*** felipemonteiro has quit IRC | 15:06 | |
*** mattgo has quit IRC | 15:07 | |
gagehugo | o/ | 15:08 |
*** devx has joined #openstack-keystone | 15:14 | |
hrybacki | cmurphy: we dropped btw | 15:24 |
cmurphy | hrybacki: ya i noticed :) | 15:24 |
kmalloc | lbragstad: prob going to miss the meeting today, Dr appointment | 15:31 |
kmalloc | A lot fewer appointments starting next week. | 15:31 |
kmalloc | Either Thursday or Friday I'll be offline for a large chunk of the day. | 15:32 |
*** dave-mccowan has joined #openstack-keystone | 15:38 | |
lbragstad | kmalloc, sounds good - thanks for the heads up | 15:39 |
kmalloc | hrybacki: as of right now can't make that meeting tomorrow. | 15:39 |
kmalloc | Might change today, but fwiw, Dr appointment is on the books until 10:30 Pacific (1.5 hours later than the meeting you set) | 15:40 |
hrybacki | kmalloc: ohhh, I misread that time | 15:46 |
hrybacki | kmalloc: hmm, so you and jaosorior are at odds when it comes to timezones | 15:47 |
kmalloc | hrybacki: I will know in about 40 min if the appointment is cancelled for tomorrow. | 15:47 |
hrybacki | kmalloc: thank you! | 15:48 |
kmalloc | Yeah, Pacific time sucks for coordinating with folks across the smaller pond. | 15:48 |
jaosorior | hrybacki: schedule it at a time where kmalloc can make it. I'm not required in that meeting until we actually start talking about deploying that. | 15:50 |
hrybacki | jaosorior: ack. Waiting to hear back on this appt. If it's still going on I'll move the meeting to later and update you | 15:51 |
*** belmoreira has quit IRC | 15:52 | |
*** wlmbasson has quit IRC | 15:52 | |
*** _d34dh0r53_ is now known as d34dh0r53 | 16:05 | |
*** pcaruana has joined #openstack-keystone | 16:07 | |
*** felipemonteiro has joined #openstack-keystone | 16:08 | |
*** shyamb has joined #openstack-keystone | 16:11 | |
*** Emine has quit IRC | 16:12 | |
*** dave-mccowan has quit IRC | 16:13 | |
*** shyamb has quit IRC | 16:25 | |
gagehugo | lbragstad should we look into suppressing the system scope warnings if it helps infra for the time being? | 16:28 |
lbragstad | gagehugo oh - is that causing issues specifically? | 16:29 |
gagehugo | looks like they're asking if we can clean up any deprecation warnings, or rather anything that is overly chatty | 16:30 |
lbragstad | sure - we can look for ways to suppress it | 16:30 |
lbragstad | might just need a line to one of the setup classes in keystone | 16:31 |
lbragstad | or are they specifically looking for suppressing it in oslo.policy? | 16:32 |
*** ayoung has joined #openstack-keystone | 16:33 | |
ayoung | lbragstad, kmalloc sorry I missed the meeting. I am going to try and make 2 changes to Keystone to support Edge: | 16:37 |
ayoung | 1. Optional Domain ID on create domain | 16:37 |
ayoung | 2. optional "use the same logic as LDAP for Federated Ids" | 16:38 |
lbragstad | what's the usecase for #1? | 16:38 |
ayoung | lbragstad, they go together | 16:39 |
ayoung | if I create the same domain in 2 keystones, and use the same ID, I can get matching userids | 16:39 |
*** dklyle has quit IRC | 16:40 | |
ayoung | it's the way the LDAP code works for shadow users, and this means we can keep both LDAP and Federated IDs consistent without having to do Database level synchronization | 16:40 |
ayoung | let me clarify | 16:40 |
ayoung | optional to allow the user to specify the domain ID when creating a domain | 16:41 |
ayoung | it was requested and denied under dolphm years ago, but at the project level | 16:41 |
ayoung | we can punt on projects for the first go round, but for identity sync, it is kind of important | 16:41 |
lbragstad | yeah... | 16:41 |
lbragstad | this came up recently... | 16:42 |
lbragstad | like in Sydney | 16:42 |
ayoung | It's come up a few times | 16:43 |
ayoung | I'd like to be able to run multiple Keystones within a single deployment, and not have to upgrade them in lock-step | 16:43 |
*** dklyle has joined #openstack-keystone | 16:44 | |
lbragstad | are you planning on using tokens between each region? | 16:45 |
ayoung | lbragstad, probably not | 16:45 |
ayoung | more likely K2K | 16:45 |
ayoung | or something like a hub spoke setup | 16:45 |
ayoung | Hub will only know about other keystones | 16:46 |
ayoung | And Federated Identity will match, so the user will have to get a new token when going from hub to spoke, so hub tokens are not valid anywhere but hub keystone | 16:47 |
lbragstad | hmmm | 16:47 |
ayoung | lbragstad, tokens between would bring up lots of issues. Fernet means "If I can validate, I can sign" | 16:50 |
ayoung | so spokes would need to call back to hub in order to validate. Might be OK, but means Hub has to be up | 16:50 |
cmurphy | what is the motivation for allowing setting id on create then? in the past reusing tokens was the use case and we pushed back hard on that | 16:52 |
cmurphy | why isn't basic k2k sufficient? we've been pushing either k2k or galera syncing as the right approach for edge | 16:53 |
ayoung | cmurphy, so galera will work for, say, 3 sites | 16:54 |
ayoung | I am looking at deployments with 20 | 16:54 |
ayoung | eventually Galera is going to get scaled out | 16:54 |
ayoung | but let's look at K2K | 16:55 |
ayoung | say I have 2 sites (BOS and SFO) and I create a project in BOS. I want to add an SFO user to it | 16:55 |
ayoung | that has to happen completely in the BOS Keystone | 16:56 |
ayoung | but what if I only have access to the SFO keystone? | 16:56 |
ayoung | So, I think K2K will work for some manual cases, but the user Ids then end up being distinct | 16:56 |
ayoung | which for Audit is tough: | 16:57 |
ayoung | I need to know user U from IdP I1 on Keystone K1 is User UU from IdP I1 on Keystone K2 | 16:57 |
ayoung | cmurphy, the big thing is the predictable IDs | 16:58 |
cmurphy | is auditing the only reason? | 16:59 |
ayoung | cmurphy, now, we could do predictable Ids with Domain Name instead of ID. Just we would have to change the LDAP code now, too, if we want to keep it consistent | 16:59 |
ayoung | cmurphy, without predictable Ids, you can't do anything in a keystone for a user until they log in the first time | 16:59 |
ayoung | no groups or role assignments are possible | 16:59 |
cmurphy | we have the mapping api for that | 17:00 |
ayoung | with a predictable ID, you can pre-populate a user (potentially) and their resources are there ahead of time | 17:00 |
ayoung | true | 17:00 |
lbragstad | #startmeeting keystone-office-hours | 17:01 |
openstack | lbragstad: Error: Can't start another meeting, one is in progress. Use #endmeeting first. | 17:01 |
ayoung | Heh | 17:01 |
* lbragstad sigh | 17:02 | |
lbragstad | #endmeeting | 17:02 |
*** openstack changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )" | 17:02 | |
*** ChanServ changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )" | 17:02 | |
openstack | Meeting ended Tue Sep 25 17:02:26 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 17:02 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-09-18-17.20.html | 17:02 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-09-18-17.20.txt | 17:02 |
openstack | Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-09-18-17.20.log.html | 17:02 |
cmurphy | if the disk space on eavesdrop.o.o fills up i blame lbragstad | 17:02 |
lbragstad | is that a challenge? | 17:02 |
cmurphy | lol | 17:03 |
* lbragstad accepts | 17:03 | |
lbragstad | #startmeeting keystone-office-hours | 17:03 |
openstack | Meeting started Tue Sep 25 17:03:16 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 17:03 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 17:03 |
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" | 17:03 | |
*** ChanServ changes topic to "Stein release schedule: https://releases.openstack.org/stein/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/rj0ECz2c/keystone-stein-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )" | 17:03 | |
openstack | The meeting name has been set to 'keystone_office_hours' | 17:03 |
lbragstad | in reality though... i'm not sure meetbot is the best idea for office hours... | 17:03 |
ayoung | cmurphy, we can map to a local account, I remember. What is the "force create a user" option? | 17:03 |
cmurphy | ayoung: we can map to a local or ephemeral user | 17:04 |
cmurphy | ayoung: explain what is "force create a user" ? | 17:04 |
ayoung | cmurphy, I think that is what happened to Anakin in episode 1 | 17:04 |
cmurphy | lol | 17:05 |
* ayoung ducks | 17:05 | |
ayoung | OK, so say I am trying to keep 19 different openstack deployments in sync | 17:05 |
ayoung | I am using a handful of LDAP sources | 17:06 |
ayoung | the user IDs from each one will be different | 17:06 |
ayoung | If I can say "the LDAP domain_id is AABBCC123" then they will all have the same userid as well | 17:07 |
ayoung | that is the absolute simplest case I can think of. | 17:07 |
ayoung | I'd like to be able to match that logic in Federation, so I can get away from Simple Bind | 17:08 |
ayoung | but not treat users as Ephemeral | 17:08 |
ayoung | and not have to modify the mapping files for any user-to-group assignments | 17:08 |
ayoung | I'd like to be able to say "The BOS Keystone can control the RedSox domain and the SFO Keystone can control the Giants domain" | 17:09 |
ayoung | and so forth. Galera does not really let you do that. as all writes have to be synced everywhere | 17:10 |
ayoung | before a commit is OKed | 17:10 |
cmurphy | i'm not pushing galera i just know zzzeek we working on it | 17:10 |
cmurphy | was* | 17:10 |
ayoung | Galera is necessary, and will support a good number of use cases | 17:11 |
ayoung | but not all | 17:11 |
cmurphy | is this just a question of usability? mapping rules are complicated and annoying but as far as i can tell they accomplish what you're trying to do | 17:11 |
ayoung | If you break the mapping, you break Keystone | 17:12 |
ayoung | modifying the mapping rules for an Idp is going to be a no-no | 17:12 |
ayoung | it would be like recompiling your kernel just to launch a new executable | 17:12 |
ayoung | You don't have object level granularity, which denies RBAC access to manage it | 17:14 |
cmurphy | I don't think it's fair to compare it to recompiling your kernel, it's more comparable to say modifying the mapping rules is like modifying your policy files, it's a pita and you could get it wrong but it's doable and sometimes necessary | 17:18 |
kmalloc | hrybacki: appt is tomorrow, I expect to be free by 10am Pacific ( 1pm est) | 17:19 |
kmalloc | hrybacki: that again might change later today (appt might be cancelled), but it is unlikely. | 17:20 |
kmalloc | lbragstad: meetbot is useless for office hours, we already log the channel | 17:20 |
hrybacki | kmalloc: okay, I'll move the meeting to that time (assuming I don't see others w/ conflicts) | 17:21 |
lbragstad | yeah.. i agree | 17:21 |
lbragstad | for the most part i think the pattern is established | 17:21 |
lbragstad | i'm not sure how often people reference the meetbot logs though | 17:21 |
* cmurphy runs away for a few minutes | 17:28 | |
*** felipemonteiro has quit IRC | 17:28 | |
lbragstad | FYI - http://lists.openstack.org/pipermail/openstack-dev/2018-September/135016.html | 17:41 |
lbragstad | does anyone else have suggestions for https://etherpad.openstack.org/p/BER-keystone-forum-sessions ? | 17:43 |
kmalloc | hrybacki: need to push back the flask thing until later today | 17:51 |
kmalloc | Like... 1.5 hrs | 17:51 |
kmalloc | If that is ok, just finished appointment and need food. | 17:51 |
kmalloc | hrybacki: sorry. | 18:00 |
hrybacki | kmalloc: no worries | 18:01 |
*** aojea has joined #openstack-keystone | 18:13 | |
ayoung | I wish we could hide deprecation warnings in the unit tests | 18:39 |
openstackgerrit | Merged openstack/keystoneauth master: Reformat Adapter docstring https://review.openstack.org/605042 | 18:41 |
ayoung | lbragstad, any reason to maintain a strict 255 limit for Fernet tokens? | 18:51 |
*** dmellado has quit IRC | 18:53 | |
*** raildo_ has joined #openstack-keystone | 18:53 | |
jdennis | knikolla, cmurphy: I found the problem with your SAML ECP message (can't find signature) and sent knikolla an email with the explanation. | 18:53 |
*** raildo has quit IRC | 18:55 | |
cmurphy | jdennis: \o/ | 18:55 |
ayoung | jdennis, Did you ever tell me if/how it is possible to do SAML with HAProxy? | 18:55 |
openstackgerrit | ayoung proposed openstack/keystone master: Replace UUID with sha256 generator for Federated users https://review.openstack.org/605169 | 18:56 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Convert legacy functional jobs to Zuul-v3-native https://review.openstack.org/602452 | 18:59 |
ayoung | kmalloc, hrybacki ^^ is using the LDAP approach to generate IDs for Federated Identity. The LDAP code is wicked convoluted, due to the whole "Mapping Backend" legacy stuff...This one hard codes the ID generator (which is another provider API) but really it should be injected | 19:01 |
jdennis | ayoung: it's in the federation doc I wrote: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/federate_with_identity_service/ | 19:01 |
cmurphy | jdennis: knikolla can you give me a tldr or forward me the details (colleen@gazlene.net) ? i've been meaning to come back to that for a while | 19:01 |
ayoung | jdennis, thanks. I was actually looking at that earlier today, and was wondering if that was the issue you had raised. Cool | 19:01 |
jdennis | cmurphy: I just forwarded the email I sent to knikolla to you | 19:02 |
cmurphy | jdennis: thanks | 19:02 |
jdennis | ayoung: not sure what issue you're referring to ... | 19:02 |
ayoung | jdennis, this, specifically https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/federate_with_identity_service/introduction#haproxy_overview | 19:03 |
ayoung | jdennis, I know that you were working on a fix of mod_auth_mellon to address it, and was not sure if that was something in the future. | 19:03 |
ayoung | I think you said that the mellon fix was an improvement over just assuming that you were hitting the same HA proxy instance. I need to present on this in a couple weeks, and had hoped to get that clarified before I lie to people on stage | 19:04 |
jdennis | ayoung: oh, you mean supporting shared session caches? | 19:04 |
kmalloc | ayoung: the backend is complex/indirect, the behavior is all i'd like to see. | 19:04 |
kmalloc | ayoung: take a known value and a supplied (from assertion) value and generate from that | 19:04 |
kmalloc | i don't care if we use the current code or something new/retro fit to make the current system suck less. | 19:05 |
ayoung | kmalloc, that is basically what I did in that commit: | 19:05 |
kmalloc | ++ | 19:05 |
ayoung | just I don't have a clean way to swap sha256 for shawhatevercomesnext | 19:05 |
jdennis | ayoung: if so, that code is 95% done, I'm in the process of testing it, then it will be sent upstream for review, so don't count on it soon (whatever soon means) | 19:05 |
kmalloc | ayoung: look at how the pbkdf (bcrypt, scrypt) works, encode it like that | 19:05 |
ayoung | jdennis, thank you. That confirms what I was suspecting | 19:06 |
ayoung | kmalloc, look at the review. it is tiny | 19:06 |
ayoung | https://review.openstack.org/605169 | 19:06 |
kmalloc | right. follow up -> allow for shaxxxx -> newfangledhashingthing | 19:06 |
kmalloc | hmm | 19:07 |
kmalloc | ayoung: i worry, will that break anything for "current" federated users? | 19:07 |
ayoung | kmalloc, nope | 19:07 |
kmalloc | cool. | 19:07 |
ayoung | kmalloc, the concern I have is that it will break fernet | 19:07 |
kmalloc | hmm. | 19:07 |
ayoung | as, I think, it makes IDs slightly longer | 19:07 |
kmalloc | fernet doesn't care about strict id length | 19:08 |
kmalloc | it cares about total token length | 19:08 |
ayoung | but...that means fernet would fall down on LDAP ids, too | 19:08 |
kmalloc | iirc. | 19:08 |
kmalloc | i'll need to dig to be sure. | 19:08 |
ayoung | I saw a few warnings that length was 289, longer than max of 255 | 19:08 |
kmalloc | yeah, then it might be a concern | 19:08 |
ayoung | is that for revocations? | 19:09 |
ayoung | if so, it is going to be a problem for LDAP as well, as those IDs are already sha256 | 19:09 |
errr | jdennis: on osp do you know if yall have plans to make it so you can set the needed bits in the haproxy config from one of the yaml puppet over ride files for the deploy-osp.sh file? | 19:12 |
errr | jdennis: also the apache overrides.. | 19:12 |
errr | jdennis: lots of manual steps to get federation working on that platform because of that :( | 19:13 |
jdennis | errr: yes that is a well known issue. We do have plans to integrate it into tripleo sometime soon but the exact schedule has not been set yet | 19:15 |
ayoung | kmalloc, what is interesting is that I saw that message before I changed the lengths in that test, but once I did, the length warning went away, too. | 19:15 |
errr | jdennis: ok, well it's good to know it's at least on the radar | 19:15 |
jdennis | errr: not to worry, customers are faced with the issue and customers get attention :-) | 19:16 |
errr | ;) | 19:16 |
ayoung | 'Fernet token created with length of 290 characters, which exceeds 255 characters' | 19:16 |
ayoung | errr, from people like me | 19:16 |
errr | ayoung: me too :) | 19:17 |
hrybacki | kmalloc: I'm gonna have to depart in about ~45 mins. Think you'll have a chance to gander at my projects review on gerrit today? I've finally got it to where I can start to fix the failing tests but could use a sanity check before diving too deep | 19:46 |
kmalloc | ok almost done | 19:46 |
hrybacki | for simplicity: https://review.openstack.org/#/c/603451/ | 19:46 |
kmalloc | sec. winding down a call | 19:46 |
hrybacki | kmalloc: ack -- me fetches a quick coffee | 19:46 |
kmalloc | ok done | 19:48 |
kmalloc | i'll go get coffee too | 19:48 |
kmalloc | then we can chat | 19:48 |
kmalloc | hrybacki: sorry for the delay, has been a long day | 19:48 |
hrybacki | kmalloc: no worries -- I live a life of sliding timelines :) | 19:51 |
kmalloc | back | 19:58 |
kmalloc | bluejeans? | 19:58 |
kmalloc | or irc? | 19:58 |
hrybacki | kmalloc: bluejeans is preferred (I'm visual) | 20:00 |
hrybacki | https://bluejeans.com/u/hrybacki/ | 20:00 |
*** dmellado has joined #openstack-keystone | 20:07 | |
*** mcape has joined #openstack-keystone | 20:23 | |
mcape | Hello all! | 20:28 |
mcape | I've run into trouble after queens->rocky keystone upgrade. | 20:28 |
mcape | My s3 authorization is broken, clients receive message '<Code>SignatureDoesNotMatch</Code>' | 20:28 |
mcape | In keystone logs, i see many 404 like "POST /v2.0/s3tokens HTTP/1.1. " | 20:28 |
mcape | I do not understand why swift proxy goes to the wrong address, any clues? Any help will be greatly appreciated. | 20:28 |
lbragstad | mcape i believe the entire /v2.0/ path was removed in rocky, some of it was removed in queens but the s3 stuff was pulled afterwards | 20:30 |
mcape | i just realized that probably this is wrong channel to ask support questions | 20:30 |
mcape | thanks for your answer, and have a great day! | 20:31 |
lbragstad | mcape yep! | 20:31 |
cmurphy | mcape: no this is the right channel to ask questions about keystone | 20:35 |
cmurphy | we don't bite | 20:35 |
*** pcaruana has quit IRC | 20:43 | |
kmalloc | mcape: please feel free to ask any questions about keystone, keystonemiddleware, keystoneauth, [and a myriad of other things we maintain] here... if it's the wrong channel we're good about helping you find the right one | 20:47 |
kmalloc | cmurphy: i wont tell Nori (teh shiba) this channel is teeth free. She'd be a sad pupper (but she'll share her cow sans head stuffie with you) | 20:48 |
lbragstad | ok - i have two proposals for the forum submitted | 20:59 |
lbragstad | one for generic operators and user feedback | 21:00 |
lbragstad | and another for a session dedicated to keystone as an identity provider proxy | 21:00 |
mcape | kmalloc: thank you for your willingness to help! i'm still stuck trying to fix my upgrade | 21:01 |
mcape | with help of @timburke i've managed to change the proxy's request to keystone to the correct one | 21:02 |
lbragstad | mcape so you're using v3 now instead of v2.0? | 21:02 |
mcape | yes i've added "auth_version = 3" to the [filter:s3token] section of proxy-server.conf | 21:03 |
cmurphy | kmalloc: :'D | 21:03 |
mcape | but now i receive error 500 | 21:04 |
mcape | <?xml version="1.0" encoding="UTF-8"?>#015#012<Error>#015#012 <Code>InvalidURI</Code>#015#012 <Message>Could not parse the specified URI</Message>#015#012</Error>#015#012: #012Traceback (most recent call last):#012 File "/usr/lib/python2.7/site-packages/swift3/middleware.py", line 80, in __call__#012 resp = self.handle_request(req)#012 File "/usr/lib/python2.7/site-packages/swift3/middleware.py", line 107, in handle_ | 21:04 |
mcape | it is not complete, sorry | 21:05 |
lbragstad | you might be able to throw it in paste.openstack.org | 21:05 |
mcape | http://paste.openstack.org/show/730906/ | 21:06 |
timburke | looks like a swift3 problem more than a keystone one -- we might want to move this to #openstack-swift (and get some proxy-server logs) | 21:08 |
timburke | but while we're here... do we see the requests making it all the way to keystone? what's the response code if/when it gets there? | 21:09 |
mcape | no, keystone is not receiving requests | 21:11 |
timburke | mcape: mind hopping over to swift's channel? i'll write up a bug for the first and most-obvious problem, then we'll get to figuring out the next step :-) | 21:14 |
mcape | okay, thanks! | 21:15 |
openstackgerrit | ayoung proposed openstack/keystone master: Allow an explicit_domain_id parameter when creating a domain https://review.openstack.org/605235 | 21:15 |
ayoung | hrybacki, kmalloc, there is the other one. I can file bugs or specs or whatever we want to do with them, or just release note it | 21:16 |
*** raildo_ has quit IRC | 21:17 | |
kmalloc | hm. | 21:18 |
kmalloc | release note should be fine, but a bug for tracking is nice. | 21:18 |
aning | cmurphy: I setup another devstack, this time it's stable/rocky. But when I type in user name and password (myself/myself), and click on Login, I got an error: | 21:20 |
aning | cmurphy: Error Message: No peer endpoint available to which to send SAML response | 21:20 |
aning | cmurphy: have you ever seen this? | 21:20 |
cmurphy | aning: check the testshib logs, it seems like there's a mismatching url between the metadata you gave to testshib and the endpoint the request is trying to return to | 21:25 |
aning | cmurphy: k | 21:27 |
aning | cmurphy: so that could mean I misconfigured my entityID in metadata ... | 21:28 |
aning | cmurphy: on my SP side, which would be the "peer endpoint" that the IdP sends the SAML2 response to? | 21:30 |
cmurphy | aning: probably not the entityID, that's just a unique string and not a real URL, but it could be the keystone endpoint in horizon's local_settings.py | 21:31 |
aning | cmurphy: that endpoint is serviced by the browser, or by shibboleth mod? | 21:32 |
aning | cmurphy: or Horizon? | 21:32 |
cmurphy | aning: it's horizon that generates the special auth url where the saml response gets sent, and that endpoint is the one you set up in the keystone vhost | 21:36 |
*** mcape has quit IRC | 21:38 | |
*** aojea has quit IRC | 21:58 | |
*** mvkr has quit IRC | 22:22 | |
*** mvkr has joined #openstack-keystone | 22:35 | |
jdennis | aning: entityIDs are URNs, not URIs; they are just a name. The endpoints are defined in the metadata with the triplet <service, binding, url> | 22:47 |
*** dklyle has quit IRC | 22:48 | |
*** felipemonteiro has joined #openstack-keystone | 23:03 | |
*** rcernin has joined #openstack-keystone | 23:07 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Add build_target argument to enforcer https://review.openstack.org/601881 | 23:30 |
*** aojea has joined #openstack-keystone | 23:31 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone master: Add build_target argument to enforcer https://review.openstack.org/601881 | 23:32 |
*** stewie925 has joined #openstack-keystone | 23:33 | |
*** aojea has quit IRC | 23:35 | |
*** felipemonteiro has quit IRC | 23:41 | |
stewie925 | hi keystonians | 23:46 |
*** aojea has joined #openstack-keystone | 23:54 | |
*** aojea has quit IRC | 23:59 | |
*** stewie925 has quit IRC | 23:59 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!