Wednesday, 2018-11-21

ayoung	jamielennox, depends on what stage of the development cycle we clone.	00:23
ayoung	jamielennox, good to hear from you. Did you read the context? Horizon is doing something unsavory with the user_id and the client	00:24
ayoung	rafaelweingartne, for K2K?	00:24
jamielennox	i didn't really look, something about context?	00:24
rafaelweingartne	k2k?	00:30
rafaelweingartne	well, I would like to integrate OpenStack in a federation	00:30
rafaelweingartne	we already have IdPs, which are implemented with Keycloak	00:30
rafaelweingartne	Therefore, OpenStack would be an SP	00:30
rafaelweingartne	I need to know the endpoints that OpenStack uses to configure in Keycloak (as a client), and it is always easier to get that data from a metadata file that describer the provider (IdP or SP)	00:31
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion https://review.openstack.org/588211	01:00
*** vishakha has joined #openstack-keystone		01:05
cmurphy	rafaelweingartne: for keystone as a saml identity provider then the metadata endpoint is /v3/OS-FEDERATION/saml2/metadata, for keystone as a service provider it depends on the auth module you're using, for shibboleth it's /Shibboleth.sso/Metadata i think, for mellon it's something different	01:36
rafaelweingartne	Thanks	01:39
vishakha	cmurphy: Hey!	01:48
cmurphy	hi vishakha	01:52
vishakha	cmurphy: Again a question from federation	01:56
vishakha	cmurphy: I was trying with samltest.id. But after logging with my saml credentials in horizon, I am getting unauthorized user	01:57
vishakha	cmurphy: I have set up my keystone apache	01:57
*** rafaelweingartne has quit IRC		01:57
vishakha	cmurphy: Have setup my shibholeth2.xml, but only error I am getting is of authorization	01:58
cmurphy	vishakha: which part is giving you the unauthorized message, is it the samltest.id site, or the horizon dashboard, or is it from keystone? you should be able to tell based on the url in the browser bar	02:00
*** Dinesh_Bhor has joined #openstack-keystone		02:02
cmurphy	vishakha: i suspect it's coming from keystone, in which case you can set insecure_debug=true and it should tell you more	02:02
vishakha	cmurphy: I have set insecure_debug = True, But still the same error . No more information	02:05
cmurphy	vishakha: can you tell where it's coming from? is it keystone, shibboleth/apache, horizon, or is it on the samltest.id site itself?	02:10
vishakha	cmurphy: getting these logs from horizon_error	02:23
vishakha	https://www.irccloud.com/pastebin/p5480Vmw/	02:23
vishakha	cmurphy: No logs in keystone	02:23
cmurphy	vishakha: those tracebacks in horizon are normal actually	02:24
cmurphy	it's weird :(	02:24
vishakha	cmurphy: when logging , no logs are there in keystone.	02:25
cmurphy	vishakha: when you see the unauthorized message in the browser, does the url in the browser bar have a /identity path in it? or /dashboard? or is it coming from the samltest.id site itself?	02:25
vishakha	cmurphy: http://127.0.0.1/identity/v3/auth/OS-FEDERATION/websso/saml2?origin=http://localhost:5440/dashboard/auth/websso/	02:25
cmurphy	vishakha: okay, so it's coming from keystone	02:26
cmurphy	keystone or shib	02:26
vishakha	https://www.irccloud.com/pastebin/C5T4K5FN/	02:26
cmurphy	vishakha: is there any error in /var/log/shibboleth/shibd.log or shibd_warn.log?	02:26
cmurphy	or in the main apache error log	02:27
cmurphy	or sometimes those logs end up in the horizon logs so keep looking for other errors in the horizon logs	02:27
vishakha	cmurphy: Yes I looked in all the log files,No error like log	02:28
vishakha	cmurphy: let me share with you	02:28
openstackgerrit	wangxiyuan proposed openstack/keystone master: Update contributor doc https://review.openstack.org/617513	02:29
vishakha	cmurphy: In shibholeth, no logs for today	02:31
vishakha	cmurphy: I dont understand why there are so less logs	02:33
cmurphy	:/	02:37
vishakha	cmurphy, wxy-xiyuan : Also updated patch for adding openstack_groups in SAML. https://review.openstack.org/#/c/588211/. Pl review	02:39
cmurphy	vishakha: thanks for that, will take a look soon	02:39
vishakha	cmurphy: :)	02:41
*** Dinesh_Bhor has quit IRC		02:44
*** Dinesh_Bhor has joined #openstack-keystone		02:52
*** jmlowe has quit IRC		02:59
*** jmlowe has joined #openstack-keystone		03:00
*** itlinux has joined #openstack-keystone		04:33
openstackgerrit	Merged openstack/keystone master: Document user options https://review.openstack.org/618823	05:35
openstackgerrit	Merged openstack/keystone master: Add missing ws seperator between words https://review.openstack.org/618689	05:35
openstackgerrit	Merged openstack/keystone master: changed port in tools/sample_data.sh https://review.openstack.org/618196	06:01
*** annp has joined #openstack-keystone		06:17
*** artem_vasilyev has joined #openstack-keystone		06:49
openstackgerrit	Shuayb Popoola proposed openstack/keystone master: Fix --bootstrap-password's default password error https://review.openstack.org/619101	07:01
*** rcernin has quit IRC		07:26
*** sapd1__ has quit IRC		08:54
*** sapd1 has joined #openstack-keystone		08:55
*** jaosorior has quit IRC		09:26
*** pcaruana has joined #openstack-keystone		09:48
*** jaosorior has joined #openstack-keystone		10:03
*** breton has quit IRC		10:08
*** Emine has joined #openstack-keystone		10:10
*** Emine has quit IRC		10:31
*** shrasool has joined #openstack-keystone		10:34
openstackgerrit	Shuayb Popoola proposed openstack/keystone master: Fix --bootstrap-password's default password error https://review.openstack.org/619101	10:44
*** Emine has joined #openstack-keystone		10:54
*** mvkr has quit IRC		11:03
*** Dinesh_Bhor has quit IRC		11:37
*** xek has quit IRC		11:39
*** mvkr has joined #openstack-keystone		11:43
*** mugsie has joined #openstack-keystone		11:49
*** raildo has joined #openstack-keystone		11:59
*** erus has quit IRC		12:01
*** xek has joined #openstack-keystone		12:04
*** pvradu has joined #openstack-keystone		12:31
*** pvradu has quit IRC		12:32
*** pvradu has joined #openstack-keystone		12:33
lbragstad	kmalloc yeah - i was more or less curious if we should have bugs open for that	12:36
lbragstad	but i think that answers my question and that we should	12:36
lbragstad	originally - i was just opening bugs for keystone subsystems that didn't take into account system-scope, but there are parts that do but don't use the new default roles	12:37
mbuil	vishakha: did you manage to switch to the SP in horizon successfully?	12:38
lbragstad	vishakha i responded to your comments here - let me know if you have further questions https://review.openstack.org/#/c/605851/4	12:39
*** amoralej is now known as amoralej\|lunch		13:13
*** artem_vasilyev has quit IRC		13:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add region protection tests for system readers https://review.openstack.org/619085	13:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update region policies to include system member https://review.openstack.org/619086	13:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update region policies to use system admin https://review.openstack.org/619241	13:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with regions https://review.openstack.org/619242	13:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with regions https://review.openstack.org/619243	13:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove region policies from policy.v3cloudsample.json https://review.openstack.org/619244	13:43
*** erus has joined #openstack-keystone		13:49
*** BlackDex has quit IRC		14:02
*** pvradu_ has joined #openstack-keystone		14:03
*** BlackDex has joined #openstack-keystone		14:04
*** pvradu has quit IRC		14:07
*** pvradu_ has quit IRC		14:07
*** pvradu has joined #openstack-keystone		14:08
*** amoralej\|lunch is now known as amoralej		14:13
*** jaosorior has quit IRC		14:25
openstackgerrit	John Dennis proposed openstack/oslo.policy master: Fully log RBAC enforcement data https://review.openstack.org/619260	14:31
openstackgerrit	Jens Harbott (frickler) proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial https://review.openstack.org/611563	14:41
lbragstad	jdennis nice - thanks the for the patch	14:44
lbragstad	for the*	14:44
lbragstad	i'm clearly under-caffeinated	14:45
jdennis	lbragstad: you're welcome	14:53
*** shrasool has quit IRC		15:13
*** Emine has quit IRC		15:17
*** Emine has joined #openstack-keystone		15:18
*** jaosorior has joined #openstack-keystone		15:24
kmalloc	jdennis: woot!	15:25
kmalloc	lbragstad: yep	15:25
lbragstad	did gerrit just die?	15:32
lbragstad	oh - nevermind	15:32
lbragstad	it's back	15:32
kmalloc	lbragstad: hehe	15:37
*** erus has quit IRC		15:38
kmalloc	jdennis: the patch looks good. the mask_password / mask_dict_password should solve dhellman's concerns	15:47
kmalloc	on the "logged data" bit the best we can.	15:48
*** devx has quit IRC		15:48
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update service policies for system reader https://review.openstack.org/619277	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update service policies for system member https://review.openstack.org/619278	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update service policies for system admin https://review.openstack.org/619279	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with services https://review.openstack.org/619280	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with services https://review.openstack.org/619281	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove service policies from policy.v3cloudsample.json https://review.openstack.org/619282	15:49
jdennis	kmalloc: I see I added comments essentially echoing your thoughts just after you posted	15:50
kmalloc	:)	15:52
kmalloc	jdennis: whelp, i think we're on the same page. that's easy :)	15:53
lbragstad	if anyone is looking to do some reviews	16:20
lbragstad	https://review.openstack.org/#/c/605539/ is the start of several linear series of reviews	16:20
lbragstad	to incorporate default roles into APIs, implement system scope, and start removing the policy.v3cloudsample.json file	16:20
lbragstad	https://review.openstack.org/#/c/603319/ also fixes a bug	16:22
kmalloc	lbragstad: <whine>but i just did reviews last week</whine> -- i'll add them to my list :)	16:26
lbragstad	cool - thanks	16:26
kmalloc	lbragstad: probably will have some comments/score for them before lunch	16:26
lbragstad	i should have the entire catalog api squared away by EOD	16:26
lbragstad	incorporating default roles, system-scope, and removing obsolete policies from policy.v3cloudsample.json	16:27
kmalloc	cool.	16:43
kmalloc	and like i said i should be able to generate an architecture diagram for next week so that should help for forward looking planning	16:44
*** shrasool has joined #openstack-keystone		16:48
*** pcaruana has quit IRC		16:50
*** xek_ has joined #openstack-keystone		16:54
*** xek has quit IRC		16:57
*** Emine has quit IRC		17:05
*** pvradu has quit IRC		17:08
*** erus has joined #openstack-keystone		17:13
*** xek_ is now known as xek		17:18
tobias-urdin	i've been talking about ip restricting users before, is this a super bad idea?	17:19
tobias-urdin	http://paste.openstack.org/show/735912/	17:19
*** prashkre has joined #openstack-keystone		17:21
prashkre	lbragstad: Hi. Have you got a chance to look at https://bugs.launchpad.net/keystone/+bug/1800077?	17:22
openstack	Launchpad bug 1800077 in OpenStack Identity (keystone) "LDAP Referrals were returned and ignored" [Undecided,New]	17:22
prashkre	lbragstad: If not, could you please take a look?	17:22
*** prashkre has quit IRC		17:30
*** shrasool has quit IRC		17:30
*** prashkre has joined #openstack-keystone		17:31
*** jaosorior has quit IRC		17:41
lbragstad	prashkre just wrapping something up now, and then i can take a look	17:50
lbragstad	tobias-urdin that use case came up again last week	17:50
lbragstad	specifically if it would be possible to restrict users access to projects based on IP addresses	17:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints https://review.openstack.org/619281	17:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system reader https://review.openstack.org/619329	17:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system member https://review.openstack.org/619330	17:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system admin https://review.openstack.org/619331	17:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints https://review.openstack.org/619332	17:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json https://review.openstack.org/619333	17:51
prashkre	lbragstad: sure. will be waiting for you update.	17:53
lbragstad	prashkre in that bug report	17:54
lbragstad	are you just expecting an update to the log message?	17:55
lbragstad	it looks like the code is only expecting to deal with a single referral and not multiple	17:55
lbragstad	prashkre is ^ the direction you're looking for	18:01
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Disambiguate between multiple referrals and config https://review.openstack.org/619336	18:01
lbragstad	er... ^	18:01
prashkre	lbragstad: I think your changes should be fine.	18:07
prashkre	looks good to me.	18:07
kmalloc	tobias-urdin: i thinkw e want to do this in the user-options functionality	18:07
kmalloc	based upon waht we talked abouty in berlin	18:07
lbragstad	or do we want to implement it in project options?	18:11
lbragstad	i guess it boils down to setting it on the project or the user...	18:11
lbragstad	gagehugo did https://review.openstack.org/#/c/616286/ make it to stable/rocky?	18:12
ayoung	$ openstack endpoint list	18:12
ayoung	You are not authorized to perform the requested action: identity:list_endpoints. (HTTP 403) (Request-ID: req-ba6d4ab2-aad5-40ec-bb30-730e9eb6332d)	18:12
ayoung	Gah	18:12
ayoung	"We'll give you all this info if you know where to look in the token data, but if you ask for it explicitly, we say 'NO' and slam the door."	18:13
ayoung	We are not very nice	18:13
lbragstad	gagehugo nevermind... i don't know how timestamps work	18:16
ayoung	lbragstad, the word of the day is Disambiguate. I did not even know that word existed. Thank you.	18:21
*** prashkre has quit IRC		18:31
tobias-urdin	lbragstad: kmalloc what i'm after is protecting all service and admin users which is a insane security risk since they have the admin role, i guess that one will have to do for now	18:32
cmurphy	tobias-urdin: lbragstad kmalloc i opened a placeholder bug for this https://bugs.launchpad.net/keystone/+bug/1804042	18:32
openstack	Launchpad bug 1804042 in OpenStack Identity (keystone) "RFE: Add ability to restrict auth by forwarded IP" [Undecided,New]	18:32
cmurphy	ayoung: it's openstack catalog show	18:33
tobias-urdin	cmurphy: thanks	18:35
cmurphy	tobias-urdin: if you want to write the spec there's still time ;)	18:37
lbragstad	ayoung :)	18:48
*** shrasool has joined #openstack-keystone		18:49
*** amoralej is now known as amoralej\|off		18:56
*** xek has quit IRC		19:00
kmalloc	cmurphy: NICE	19:05
kmalloc	lbragstad: i'd like to do it as project options and user options	19:05
kmalloc	both	19:05
kmalloc	tobias-urdin: ^	19:05
*** xek has joined #openstack-keystone		19:08
lbragstad	ack	19:12
ayoung	cmurphy, um, yeah, but quick, without looking, what do you put in there to show swift?	19:32
ayoung	the tools may be there, but they don't reflect how we've talked about this for years. endpoint list could do the same thing, or service list, and get the data from the token	19:33
ayoung	and if someone wants to do it using curl, as the API is supposed to be the first class citizen, it does not work	19:34
ayoung	and, by the way, the command is: openstack catalog show object-store	19:34
ayoung	which I was only able to figure out by parsing the token output	19:35
ayoung	I think that for catalog API calls, we should allow the member role to make those calls, but to implicitly add in the catalog filters for the token if they are not an admin. I'm not sure how to write that up.	19:36
*** dklyle has quit IRC		19:38
*** mvkr has quit IRC		19:40
*** nsmeds has joined #openstack-keystone		19:41
*** raildo has quit IRC		19:43
*** raildo has joined #openstack-keystone		19:43
*** dklyle has joined #openstack-keystone		19:46
*** shrasool has quit IRC		20:06
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Disambiguate between multiple referrals and config https://review.openstack.org/619336	20:17
jdennis	kmalloc: ping, https://github.com/openstack/oslo.policy/blob/f79650325f459e12bbac8f6967dcfabece1de7a4/oslo_policy/policy.py#L824	20:31
jdennis	kmalloc: but it's really oslo_context.context._DeprecatedPolicyValues	20:32
kmalloc	Yeah	20:32
jdennis	kmalloc: should the isintance test for both classes?	20:32
kmalloc	Hmm	20:32
kmalloc	Dunno	20:33
kmalloc	lbragstad: ^	20:33
kmalloc	I am not sure about that choice atm	20:33
kmalloc	I have to think on it. Lance might have more context to base an answer on immediately	20:33
jdennis	kmalloc: yeah, it's opaque to me atm as well	20:33
kmalloc	Exactly	20:33
*** raildo has quit IRC		20:35
*** mvkr has joined #openstack-keystone		20:35
jdennis	lbragstad: '_DeprecatedPolicyValues' object has no attribute 'to_policy_values'	20:39
lbragstad	_DeprecatedPolicyValues is kinda weird	20:43
lbragstad	i had to grok it for a while before i thought i understood it	20:43
jdennis	lbragstad: I think I have a solution, give me a moment to test it	20:44
lbragstad	jdennis well - to answer your question, we recently made a change to oslo.policy so that we overload creds to be two different types	20:45
lbragstad	it can either be a Context object or a dictionary	20:45
lbragstad	as much as i'm not a fan of overloading stuff, we did it so that it was easier for services to just pass their context objects into the enforcer as opposed to constructing a dictionary from scratch	20:46
lbragstad	(example - https://review.openstack.org/#/c/605539/ )	20:47
nsmeds	Hey guys, question of the curious. I'm looking to create a custom role, and any of the users in this role can create new domains and then have full admin powers within the domains they create (create/edit/delete projects, neutron resources, nova resources, cinder resources).	20:48
jdennis	lbragstad: heres the problem, strutils.mask_dict_password() only will accept a dict object, we expect creds to be a dict but sometimes it's a MutableMapping (apparently) so my fix is in the test for MutableMapping to convert it to a dict,	20:48
nsmeds	In the middle of reading anything related I can get my hands on - but if anyone has suggestions to point me in the right direction they'd be much appreciated.	20:48
jdennis	lbragstad: but the real fix is that strutils.mask_dict_password() should accept a MutableMapping because a dict is a MutableMapping	20:49
lbragstad	jdennis correct https://github.com/openstack/oslo.policy/blob/f79650325f459e12bbac8f6967dcfabece1de7a4/oslo_policy/policy.py#L825 should return a dict though	20:49
lbragstad	oh - wait...	20:49
lbragstad	ah - yeah.. i see what you mean	20:50
jdennis	lbragstad: I changed the sense of the test here: https://github.com/openstack/oslo.policy/blob/f79650325f459e12bbac8f6967dcfabece1de7a4/oslo_policy/policy.py#L832	20:50
lbragstad	we can operate on it like a dict because its an instance of MutableMapping	20:50
jdennis	and did the conversion to dict inside that test	20:51
lbragstad	sure - that makes sense after reading the comment i apparently wrote, too	20:52
lbragstad	that seems like it will be safe, i don't think anything is expecting to use `creds` after enforcement	20:53
lbragstad	so converting it to another type is probably fine?	20:53
lbragstad	(i know oslo.policy doesn't had it back to the service after enforcement)	20:53
lbragstad	hand it*	20:53
jdennis	lbragstad: yeah, I think the early code is responsible for assuring by the time you begin to use creds it's a dict	20:54
lbragstad	nsmeds we're currently in the middle of that work and we are tracking status in bugs	20:54
lbragstad	jdennis ++ yeah i agree.. the work to overload creds with something more standardized came later	20:55
lbragstad	nsmeds for example - https://bugs.launchpad.net/keystone/+bug/1794376	20:55
openstack	Launchpad bug 1794376 in OpenStack Identity (keystone) "Domains API should account for system-scope and default roles" [High,In progress] - Assigned to Lance Bragstad (lbragstad)	20:55
lbragstad	nsmeds we're tracking the rest of the work with https://bugs.launchpad.net/keystone/+bugs?field.tag=policy	20:58
nsmeds	lbragstad: appreciate the reply. I'll go read through the open issues now to try and better understand current state of things	21:00
lbragstad	nsmeds sounds good - ping if you have more questions	21:00
*** shrasool has joined #openstack-keystone		21:04
lbragstad	nsmeds some of the patches to do what you're looking for are actually up for review here - https://review.openstack.org/#/c/605485/10	21:17
openstackgerrit	Merged openstack/keystone master: Region update extra support https://review.openstack.org/517726	21:20
*** erus has quit IRC		21:20
tobias-urdin	kmalloc: that would be preferable to have on both	21:26
*** xek has quit IRC		21:40
lbragstad	our federated identity provider api is a bit weird	21:56
lbragstad	we implement it with a PUT	21:56
lbragstad	and return a 201	21:56
nsmeds	lbragstad: so you're working on creating separate roles: admin, member, reader - scoped either at system or domain level	22:01
lbragstad	nsmeds yep	22:01
nsmeds	but this means (as far as I can tell) that to make new domains, you'd need to be system admin	22:02
*** shrasool has quit IRC		22:02
lbragstad	by default yes	22:02
nsmeds	ah fair - you're improving the defaults	22:03
lbragstad	nsmeds that's not to say you couldn't implement a new role	22:03
nsmeds	my goal of having 1 role which allows new domains created, then admin control within domains that user created	22:03
nsmeds	yep, I'll be making something custom	22:03
nsmeds	gotcha	22:03
*** shrasool has joined #openstack-keystone		22:04
lbragstad	nsmeds mind explaining the use case a bit more?	22:04
lbragstad	i'm just curious is all	22:04
nsmeds	sure. There's a team in company developing a product on openstack, they basically need "admin" permissions but we want to avoid giving them access to modify existing domains/resources in those domains	22:08
nsmeds	and part of their product will require being able to create new domains and have full control within those domains	22:08
nsmeds	(word of warning: joined only a few months ago and still getting familiar with Openstaack, so this is my basic understanding)	22:08
*** rcernin has joined #openstack-keystone		22:09
lbragstad	aha	22:10
lbragstad	intersting	22:10
lbragstad	so the whole requirement for creating a new domain is kinda like signing up new users who interface with the product?	22:10
nsmeds	yep, new user signs up and gets a new openstack domain	22:11
nsmeds	we'll need to fine-tune the rbac stuff more as this develops, but for now giving the team a "admin-but-not-admin" role which we can add their users to would be super helpful	22:12
nsmeds	so that's what I'm working on now	22:12
lbragstad	gothca	22:14
lbragstad	will customers be able to create new domains outside of the one they get at sign up?	22:15
nsmeds	tbh, not sure	22:16
*** shrasool has quit IRC		22:17
lbragstad	cool	22:17
lbragstad	well - one thing we're also working that might help is application credentials	22:17
lbragstad	for example	22:18
lbragstad	you could give an instance of your product an application credential with the system admin role, but tighting it down to only be able to call the POST /v3/domains API if you wanted	22:18
lbragstad	so you end up minimizing damage done if the product is compromised (not saying it would), just coding defensively	22:19
lbragstad	that's something we're trying to get done for Stein http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/capabilities-app-creds.html	22:19
nsmeds	ok gotcha =) saved lots of links you've shared, much appreciated.	22:24
nsmeds	somewhat related: what a user creates a domain, they gain "owner" role for anything inside that domain yes?	22:25
nsmeds	i'd like to get some short-term solution working for them right now, which I understand means I'm editing the policy file - and picturing this https://pastebin.com/QtdzYBFS	22:28
nsmeds	does that make sense? and I edit the policies for any actions they require	22:29
*** Dinesh_Bhor has joined #openstack-keystone		22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement https://review.openstack.org/605539	22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update idp policies for system reader https://review.openstack.org/619371	22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update idp policies for system member https://review.openstack.org/619372	22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update idp policies for system admin https://review.openstack.org/619373	22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with idps https://review.openstack.org/619374	22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with idps https://review.openstack.org/619375	22:30
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove idp policies from policy.v3cloudsample.json https://review.openstack.org/619376	22:30
lbragstad	nsmeds yeah - that's kinda the girst	22:31
lbragstad	gist*	22:31
lbragstad	you'd have to create some special role	22:31
lbragstad	and then explicitly override any policies (in policy files) that the user would expect to use	22:31
nsmeds	yep - understood. thanks a bunch =)	22:34
lbragstad	no problem	22:34
*** imacdonn has quit IRC		22:42
*** imacdonn has joined #openstack-keystone		22:42
*** prashkre has joined #openstack-keystone		22:56
*** Dinesh_Bhor has quit IRC		23:20
openstackgerrit	John Dennis proposed openstack/oslo.policy master: Fully log RBAC enforcement data https://review.openstack.org/619260	23:22
*** rm_work has quit IRC		23:33
*** rm_work has joined #openstack-keystone		23:33
*** lbragstad is now known as lbragstad_turkey		23:46
jdennis	gobble gobble	23:51
*** lbragstad_turkey has quit IRC		23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!