*** jaosorior has quit IRC | 00:05 | |
*** hoonetorg has quit IRC | 00:09 | |
*** ayoung has joined #openstack-keystone | 00:10 | |
*** hoonetorg has joined #openstack-keystone | 00:22 | |
*** erus has joined #openstack-keystone | 00:42 | |
*** annp has joined #openstack-keystone | 01:14 | |
*** erus has quit IRC | 01:35 | |
*** erus has joined #openstack-keystone | 01:40 | |
*** Dinesh_Bhor has joined #openstack-keystone | 02:33 | |
lbragstad | gagehugo yep | 02:56 |
lbragstad | you're correct | 02:56 |
lbragstad | those policies previously required admin for all of them by default | 03:02 |
lbragstad | now they are broken up a bit | 03:03 |
lbragstad | so you don't have to give someone admin just to do readable things | 03:03 |
lbragstad | member = readable operations + update | 03:04 |
lbragstad | admin = readable and writable operations (just like before) | 03:04 |
openstackgerrit | Vishakha Agarwal proposed openstack/python-keystoneclient master: DNM: Test jobs running on bionic instead of xenial https://review.openstack.org/620445 | 03:23 |
*** pcaruana has joined #openstack-keystone | 05:09 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial https://review.openstack.org/611563 | 05:09 |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial https://review.openstack.org/611563 | 05:11 |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: DNM: Test jobs running on bionic instead of xenial https://review.openstack.org/611563 | 05:27 |
*** imacdonn has quit IRC | 05:30 | |
*** imacdonn has joined #openstack-keystone | 05:30 | |
*** imacdonn has quit IRC | 05:38 | |
*** imacdonn has joined #openstack-keystone | 05:38 | |
*** gyee has quit IRC | 06:20 | |
*** jaosorior has joined #openstack-keystone | 06:36 | |
*** rcernin has quit IRC | 06:57 | |
*** alexchadin has joined #openstack-keystone | 08:22 | |
*** amoralej|off is now known as amoralej | 08:22 | |
*** xek_ has joined #openstack-keystone | 08:22 | |
*** alexchadin has quit IRC | 09:41 | |
*** alexchadin has joined #openstack-keystone | 09:53 | |
*** tobias-urdin has quit IRC | 10:10 | |
*** tobias-urdin has joined #openstack-keystone | 10:15 | |
*** shrasool has joined #openstack-keystone | 10:32 | |
*** jistr is now known as jistr|mtg | 10:34 | |
*** shrasool has quit IRC | 10:38 | |
*** shrasool has joined #openstack-keystone | 10:38 | |
openstackgerrit | Jens Harbott (frickler) proposed openstack/python-keystoneclient master: Fix keystoneclient-devstack-functional job https://review.openstack.org/620553 | 10:40 |
openstackgerrit | Jens Harbott (frickler) proposed openstack/keystone master: DNM: Test patch to verify ksc job https://review.openstack.org/620554 | 10:41 |
frickler | lbragstad: cmurphy: fyi ^^ not sure yet whether it will do the right thing, but we'll see | 10:41 |
cmurphy | frickler: i'm confused that the original patch seemed to work | 10:42 |
cmurphy | i just got back from vacation so haven't dug into it yet | 10:42 |
frickler | cmurphy: the original patch works fine when running against python-keystoneclient, but not when running against keystone. the latter sadly was never tested before it got merged | 10:44 |
cmurphy | yeah :( | 10:45 |
frickler | cmurphy: see http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2018-11-27.log.html#t2018-11-27T18:07:35 for some discussion related to it | 10:45 |
cmurphy | frickler: oh thanks for that | 10:46 |
cmurphy | frickler: do the unit test jobs run this test-setup.sh script? | 10:50 |
cmurphy | i'm wondering if we could just rename or delete it from keystone | 10:51 |
cmurphy | looks like yes the unittests playbook uses it | 10:53 |
frickler | cmurphy: I didn't look into that yet, that might work too. but actually not running test-setup.sh at all when it isn't needed seems the cleaner solution. | 10:56 |
frickler | cmurphy: in addition you also do not want to run the tox-consumer version of the job against keystone, since a patch there may cause the devstack setup to fail. so devstack should run in the main phase and not in pre | 10:57 |
cmurphy | frickler: oh that makes sense | 10:58 |
cmurphy | frickler: but that should also cause the tempest jobs to fail | 10:58 |
frickler | cmurphy: it will, so the issue wouldn't go unnoticed. but it will trigger retries, as zuul will assume a non-permanent error when failing in the pre phase | 10:59 |
cmurphy | frickler: oh gotcha | 11:00 |
*** chason has quit IRC | 11:31 | |
*** chason has joined #openstack-keystone | 11:36 | |
*** Dinesh_Bhor has quit IRC | 11:42 | |
*** dave-mccowan has joined #openstack-keystone | 11:45 | |
*** raildo has joined #openstack-keystone | 11:48 | |
*** erus has quit IRC | 11:53 | |
*** erus has joined #openstack-keystone | 11:53 | |
*** erus has quit IRC | 12:34 | |
*** erus has joined #openstack-keystone | 12:36 | |
*** takamatsu has quit IRC | 12:37 | |
*** takamatsu has joined #openstack-keystone | 12:43 | |
*** amoralej is now known as amoralej|lunch | 13:12 | |
*** jistr|mtg is now known as jistr | 13:21 | |
*** takamatsu has quit IRC | 13:29 | |
*** takamatsu has joined #openstack-keystone | 13:30 | |
*** Dinesh_Bhor has joined #openstack-keystone | 13:43 | |
*** takamatsu has quit IRC | 13:44 | |
*** takamatsu has joined #openstack-keystone | 13:48 | |
*** amoralej|lunch is now known as amoralej | 14:05 | |
*** Dinesh_Bhor has quit IRC | 14:10 | |
lbragstad | interesting, thanks frickler | 14:16 |
frickler | cmurphy: lbragstad: as I feared this is running keystone functional tests now instead of ksc ones. maybe one of you can pick this up http://logs.openstack.org/54/620554/1/check/keystoneclient-devstack-functional/b2350d5/testr_results.html.gz | 14:16 |
frickler | lbragstad: regarding bionic, coreycb suggested switching to libapache2-mod-auth-mellon, see https://bugs.launchpad.net/keystone/+bug/1802901 . I don't know the details of what is needed for federation testing, would switching to that be an option? | 14:18 |
openstack | Launchpad bug 1802901 in OpenStack Identity (keystone) "Federation functional job failing on Bionic" [Undecided,New] | 14:18 |
cmurphy | frickler: i can try to take a look at the ksc tests | 14:19 |
cmurphy | frickler: lbragstad we could switch to testing with mellon instead of shibboleth but it is disturbing that shibboleth is fundamentally broken in the package, our users rely heavily on it | 14:20 |
lbragstad | ++ | 14:21 |
lbragstad | looks like this broke those tests https://review.openstack.org/#/c/498091/ | 14:21 |
lbragstad | i accidentally copy/pasta'd an exception without the translation bit | 14:22 |
lbragstad | but nothing in our tests actually caught it | 14:22 |
lbragstad | (or tried asking for a token using multiple scopes, apparently) | 14:22 |
cmurphy | lbragstad: i'm confused, what's broken? | 14:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add missing translation import to common.auth.py https://review.openstack.org/620610 | 14:25 |
lbragstad | cmurphy i was just looking at the errors here - http://logs.openstack.org/54/620554/1/check/keystoneclient-devstack-functional/b2350d5/testr_results.html.gz | 14:25 |
frickler | cmurphy: btw, does keystoneclient-devstack-functional really need a full devstack deployment with all projects? or would just keystone be enough? | 14:26 |
frickler | lbragstad: no, the issue is that this job should run ksc func tests, not keystone | 14:26 |
cmurphy | frickler: i'm pretty sure just keystone would be enough | 14:26 |
lbragstad | oh - hmm | 14:27 |
lbragstad | we accidentally uncovered a bug in common.auth.py then | 14:27 |
frickler | nice, even broken tests are good tests ;) | 14:28 |
cmurphy | i think we haven't been running those functional tests for a while | 14:28 |
lbragstad | i think you're right cmurphy | 14:28 |
lbragstad | i wonder if they broke for the flask bits | 14:29 |
cmurphy | "name '_' is not defined" is not really flask specific, that's just a problem with the test code itself | 14:30 |
lbragstad | true, the other errors about status codes are interesting though | 14:31 |
lbragstad | the translation error was my fault ;) | 14:31 |
frickler | cmurphy: o.k., I think I'll do a standalone job definition in https://review.openstack.org/620553 then | 14:35 |
cmurphy | frickler: what's the right way to run keystoneclient's tests on a keystone job? it seems like the tox role is just not smart enough to run tox on not-this-repo | 14:40 |
cmurphy | so we'll still have an issue whether we use -consumer or not | 14:40 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system reader https://review.openstack.org/619329 | 14:44 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system member https://review.openstack.org/619330 | 14:44 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system admin https://review.openstack.org/619331 | 14:44 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints https://review.openstack.org/619332 | 14:44 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints https://review.openstack.org/619281 | 14:44 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json https://review.openstack.org/619333 | 14:44 |
cmurphy | frickler: seems like maybe we need separate jobs, one in keystoneclient and one in keystone that defines a chdir: {{ keystoneclient src dir }} | 14:45 |
*** dklyle has quit IRC | 14:47 | |
openstackgerrit | Jens Harbott (frickler) proposed openstack/python-keystoneclient master: Fix keystoneclient-devstack-functional job https://review.openstack.org/620553 | 14:47 |
frickler | cmurphy: ^^ I hope that should cover both cases | 14:47 |
cmurphy | frickler: oh excellent | 14:48 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update mapping policies for system reader https://review.openstack.org/619612 | 14:49 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update mapping policies for system member https://review.openstack.org/619613 | 14:49 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update mapping policies for system admin https://review.openstack.org/619614 | 14:49 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with mappings https://review.openstack.org/619615 | 14:49 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with mappings https://review.openstack.org/619616 | 14:49 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove mapping policies from policy.v3cloudsample.json https://review.openstack.org/619617 | 14:49 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Move test utility to common location https://review.openstack.org/620155 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service provider policies for system reader https://review.openstack.org/620156 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service provider policies for system member https://review.openstack.org/620157 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service provider policies for system admin https://review.openstack.org/620158 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with sps https://review.openstack.org/620159 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with sps https://review.openstack.org/620160 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove service provider policies from v3cloudsample.json https://review.openstack.org/620161 | 14:55 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service policies for system reader https://review.openstack.org/619277 | 15:05 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service policies for system member https://review.openstack.org/619278 | 15:05 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service policies for system admin https://review.openstack.org/619279 | 15:05 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with services https://review.openstack.org/619280 | 15:05 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove service policies from policy.v3cloudsample.json https://review.openstack.org/619282 | 15:05 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with services https://review.openstack.org/620623 | 15:05 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update idp policies for system reader https://review.openstack.org/619371 | 15:10 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update idp policies for system member https://review.openstack.org/619372 | 15:10 |
ayoung | lbragstad, you slacker | 15:10 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update idp policies for system admin https://review.openstack.org/619373 | 15:10 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with idps https://review.openstack.org/619374 | 15:10 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with idps https://review.openstack.org/619375 | 15:10 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove idp policies from policy.v3cloudsample.json https://review.openstack.org/619376 | 15:10 |
lbragstad | wanna do some reviews ayoung? | 15:11 |
knikolla | o/ | 15:11 |
lbragstad | mornin' knikolla | 15:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add region protection tests for system readers https://review.openstack.org/619085 | 15:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update region policies to include system member https://review.openstack.org/619086 | 15:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update region policies to use system admin https://review.openstack.org/619241 | 15:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with regions https://review.openstack.org/619242 | 15:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with regions https://review.openstack.org/619243 | 15:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove region policies from policy.v3cloudsample.json https://review.openstack.org/619244 | 15:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system reader role in domains API https://review.openstack.org/605485 | 15:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system member role in domains API https://review.openstack.org/605849 | 15:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system admin role in domains API https://review.openstack.org/605850 | 15:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API https://review.openstack.org/605851 | 15:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains https://review.openstack.org/605871 | 15:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json https://review.openstack.org/605876 | 15:23 |
lbragstad | ok - done... i promise | 15:26 |
lbragstad | everything should be rebased and topic branches are updated | 15:26 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Add support for client-side rate limiting https://review.openstack.org/605043 | 16:05 |
mordred | kmalloc: ^^ updated per your review | 16:06 |
openstackgerrit | Monty Taylor proposed openstack/keystoneauth master: Add support for client-side rate limiting https://review.openstack.org/605043 | 16:07 |
kmalloc | Nice | 16:16 |
kmalloc | Thnx | 16:16 |
ayoung | lbragstad, I'd be happy to. But it will cost you...I have a few patches malingering. | 16:17 |
openstackgerrit | ayoung proposed openstack/keystone master: Replace UUID with id_generator for Federated users https://review.openstack.org/605169 | 16:18 |
*** erus has quit IRC | 16:18 | |
ayoung | lbragstad, let's get that in as is, and refactor as we move on. | 16:19 |
kmalloc | mordred: I will see if I can help build a functional test against a real service for ksa | 16:22 |
kmalloc | mordred: but looks good otherwise | 16:22 |
lbragstad | ack - i can review | 16:23 |
mordred | kmalloc: cool. I also added a depends-on link for the openstacksdk change that consumes it- but I think that's maybe too much to count for the functional? | 16:24 |
*** erus has joined #openstack-keystone | 16:24 | |
kmalloc | Yeah | 16:27 |
*** gyee has joined #openstack-keystone | 16:27 | |
kmalloc | It might be | 16:27 |
kmalloc | I'll 2x confirm tonight tomorrow and re-score it if it is ok with sdk | 16:27 |
kmalloc | :) | 16:27 |
kmalloc | I do want a direct functional test... Eventually | 16:27 |
gagehugo | lbragstad: ok cool | 16:30 |
*** shrasool has quit IRC | 16:52 | |
*** lbragstad has quit IRC | 17:02 | |
*** pcaruana has quit IRC | 17:03 | |
*** lbragstad has joined #openstack-keystone | 17:05 | |
*** ChanServ sets mode: +o lbragstad | 17:05 | |
*** erus has quit IRC | 17:11 | |
*** erus has joined #openstack-keystone | 17:12 | |
*** jackivanov has quit IRC | 17:28 | |
*** shrasool has joined #openstack-keystone | 18:29 | |
*** amoralej is now known as amoralej|off | 18:36 | |
*** dklyle has joined #openstack-keystone | 19:03 | |
*** lbragstad has quit IRC | 19:08 | |
*** lbragstad has joined #openstack-keystone | 19:12 | |
*** ChanServ sets mode: +o lbragstad | 19:12 | |
*** lbragstad has quit IRC | 19:12 | |
*** lbragstad has joined #openstack-keystone | 19:14 | |
*** ChanServ sets mode: +o lbragstad | 19:14 | |
*** lbragstad has quit IRC | 19:14 | |
*** lbragstad has joined #openstack-keystone | 19:16 | |
*** ChanServ sets mode: +o lbragstad | 19:16 | |
*** lbragstad has quit IRC | 19:16 | |
*** dklyle has quit IRC | 19:27 | |
*** shrasool has quit IRC | 20:04 | |
*** shrasool has joined #openstack-keystone | 20:07 | |
*** shrasool has quit IRC | 20:16 | |
*** konetzed has joined #openstack-keystone | 20:22 | |
konetzed | using openstack rocky on centos 7 and getting this when using ldap auth "Fernet token created with length of 268 characters, which exceeds 255 characters" | 20:23 |
konetzed | any one have ideas on how to fix it or solve the problem of tokens not working? Only seems to be an issue with application credentials | 20:24 |
*** lbragstad has joined #openstack-keystone | 20:30 | |
*** ChanServ sets mode: +o lbragstad | 20:30 | |
*** openstackgerrit has quit IRC | 20:36 | |
*** raildo has quit IRC | 20:54 | |
*** ayoung has quit IRC | 21:24 | |
nsmeds | hey guys, anyone familiar with https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json ? trying to understand difference between two similar policies | 21:25 |
*** mchlumsky has quit IRC | 21:25 | |
*** erus has quit IRC | 21:31 | |
lbragstad | nsmeds i can help | 21:32 |
nsmeds | the main issue I'm trying to understand is the `target` attribute. For example, difference between `admin_and_matching_target_project_domain_id` and `admin_and_matching_project_domain_id` | 21:34 |
lbragstad | the policy.v3cloudsample.json file was an attempt to provide more sophisticated policies to protect keystone's API | 21:34 |
lbragstad | nsmeds like this you mean? https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L7 | 21:34 |
*** erus has joined #openstack-keystone | 21:35 | |
nsmeds | your example is basically saying: user has `admin` role and is modifying resources in the domain which their token was authenticated for | 21:36 |
nsmeds | yes? | 21:36 |
lbragstad | yeah - so when the policy engine parses admin_or_owner | 21:36 |
lbragstad | it's going to make sure the user has the "admin" role (defined by rule:admin_required) | 21:37 |
*** lbragstad has quit IRC | 21:37 | |
*** lbragstad has joined #openstack-keystone | 21:37 | |
*** ChanServ sets mode: +o lbragstad | 21:37 | |
lbragstad | and it's going to make sure the token used to make the call is domain scoped | 21:38 |
nsmeds | compared to `"rule:admin_required and domain_id:%(user.domain_id)s` ? | 21:39 |
lbragstad | where do you see that one? | 21:39 |
nsmeds | the `admin_and_matching_user_domain_id` rule | 21:39 |
lbragstad | oh "rule:admin_required and domain_id:%(domain_id)s" | 21:40 |
nsmeds | there's a few very similar looking rules, and just trying to understand what the actual differences are (plan to create our own custom roles but first need to understand what options are available) | 21:41 |
nsmeds | struggling a bit XD | 21:41 |
lbragstad | yeah - so the syntax can be a bit confusing | 21:42 |
nsmeds | can I give you an example of something I'd like to do but unsure how to write actual policy rule for it? | 21:44 |
nsmeds | I'd like to create an `almost_admin` role, which has full access to everything except the `Default` domain. | 21:44 |
lbragstad | what are you trying to restrict with the Default domain? | 21:47 |
lbragstad | is there a particular set of operations you don't want them to do? | 21:47 |
lbragstad | sorry - my network is giving me a hard time.. the policy.v3cloudsample.json file was an attempt to solve https://bugs.launchpad.net/keystone/+bug/968696 | 21:49 |
openstack | Launchpad bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] - Assigned to Lance Bragstad (lbragstad) | 21:49 |
nsmeds | pretty much view/create anything in that domain - yet still allow them to create new domains and have full permissions within those domains | 21:49 |
nsmeds | I'm thinking that giving them their own domain and restricting them to full permissions within that 1 domain is easier to implement | 21:50 |
nsmeds | was exploring both options | 21:50 |
*** rcernin has joined #openstack-keystone | 21:50 | |
lbragstad | nsmeds are you familiar with the work we're doing around scopes? | 21:51 |
*** shrasool has joined #openstack-keystone | 21:51 | |
nsmeds | read something earlier, let me check my bookmarks | 21:51 |
nsmeds | believe it was about making permissions scoped to a domain/project ? | 21:53 |
lbragstad | as of the Queens release you can scope tokens to projects, domains, or the deployment system | 21:53 |
lbragstad | the idea is to use project-scoped tokens for project-specific resources (think instances or volumes) | 21:54 |
lbragstad | and domain-scoped tokens for domain-specific things (users and groups are a good example) | 21:55 |
lbragstad | and system-scoped tokens for resources that are specific to the deployment system itself (services and endpoints are good examples of system-specific resources) | 21:55 |
lbragstad | so - ultimately, giving someone 'admin' on a project is different from 'admin' on a domain, or 'admin' on the deployment system | 21:55 |
nsmeds | understood - and thats good, using queens | 21:56 |
lbragstad | which helps make roles a bit more reusable, as opposed to having to use a 'project-admin' role, 'domain-admin' role, and 'cloud-admin' role | 21:56 |
lbragstad | traditionally, a lot of places in openstack were hardcoded to just look for the role 'admin' | 21:57 |
lbragstad | which would allow elevated privilege to do things | 21:58 |
lbragstad | and that didn't prevent someone who was an 'admin' of a project from creating new services in the service catalog, or viewing hypervisor information from nova | 21:58 |
*** shrasool has quit IRC | 22:00 | |
lbragstad | we're moving towards better policies, like this https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/credential.py#n18 | 22:02 |
lbragstad | and testing each permutation of role + scope (system admin, system member, system reader, domain admin, domain member, etc...) thoroughly through functional testing | 22:03 |
lbragstad | https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/protection/v3/test_credentials.py | 22:03 |
*** rcernin has quit IRC | 22:03 | |
lbragstad | ^ which is something we didn't really do as well with the policy.v3cloudsample.json file | 22:03 |
nsmeds | ok. I think it's clear I just need to do more reading | 22:04 |
nsmeds | if I can bug you about 1 more thing, can you explain https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L6 | 22:04 |
nsmeds | what's the difference between the two `user_id:` | 22:04 |
lbragstad | so - good question | 22:05 |
*** erus has quit IRC | 22:05 | |
lbragstad | the rule is comparing the user_id from the token used to make the request to the user being requested | 22:05 |
lbragstad | for example | 22:05 |
lbragstad | if my user ID is 746949fd15814ac5a4ebadb8aac97c3a | 22:06 |
lbragstad | and I get a token, it'll have my user reference in its response body | 22:07 |
lbragstad | when i call GET /v3/users/746949fd15814ac5a4ebadb8aac97c3a - keystone is going to compare the user ID from the token I supplied in the request header to the user id in the path | 22:07 |
lbragstad | if they match, I've effectively proved that I'm the "owner" of my user account | 22:07 |
lbragstad | if i try and use the same token to call GET /v3/users/de5cbfc473b647fcaef970eff8904521 | 22:08 |
lbragstad | it'll fail | 22:08 |
nsmeds | yep, this makes sense | 22:08 |
lbragstad | because let's assume I'm not an administrator | 22:08 |
lbragstad | and that condition doesn't evaluate to true, so i'm not the owner | 22:08 |
lbragstad | https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/credential.py#n20 is another example of ownership | 22:09 |
lbragstad | that allows any users to list credentials they've created in keystone | 22:09 |
lbragstad | user* | 22:09 |
lbragstad | but it gives system admins the ability to perform operations against any credentials for administrative purposes | 22:10 |
nsmeds | so `user_id:%(user_id)s` ensures that user_id in token matches user_id I'm trying to modify | 22:12 |
*** rcernin has joined #openstack-keystone | 22:12 | |
nsmeds | correct? | 22:13 |
lbragstad | that's this bit specifically - user_id:%(target.token.user_id)s | 22:13 |
lbragstad | user_id:%(user_id)s makes sure the user in the request matches what keystone populates in the request context | 22:13 |
lbragstad | it's kinda dense.. | 22:13 |
lbragstad | and not super intuitive | 22:13 |
nsmeds | the struggle is real | 22:14 |
nsmeds | I'll figure this all out - really appreciate your help | 22:14 |
lbragstad | not a problem | 22:14 |
lbragstad | so TL;DR | 22:14 |
lbragstad | keystone (and most openstack services) use oslo.policy for policy enforcement | 22:14 |
lbragstad | so just the thing that says either 'yes' or 'no' based on certain parameters | 22:15 |
lbragstad | but, it's up to the service to supply the enforcement data | 22:15 |
lbragstad | which could be information about an instance, volume, user, etc... | 22:16 |
lbragstad | this kind of information is referred to as the "target" | 22:16 |
lbragstad | the other important piece is the information about the user making the request | 22:17 |
nsmeds | this entire conversation is being copy/pasted into my notes <3 | 22:18 |
lbragstad | so, target == the thing you're trying to access, modify, create, or delete over the API, credentials == information about the user making the request | 22:19 |
*** xek_ has quit IRC | 22:19 | |
lbragstad | https://git.openstack.org/cgit/openstack/keystone/tree/keystone/api/credentials.py#n162 is a good example of how we use this | 22:19 |
lbragstad | the API for deleting credentials pulls the credential reference that the user wants to delete and populates it as the policy "target" | 22:20 |
lbragstad | https://git.openstack.org/cgit/openstack/keystone/tree/keystone/api/credentials.py#n38 | 22:20 |
lbragstad | which eventually gets to where keystone hands things off to oslo.policy | 22:22 |
lbragstad | https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/rbac_enforcer/enforcer.py#n82 | 22:22 |
lbragstad | the creds= argument there is actually passing an instance of oslo.context.RequestContext (which is just a python object that contains a bunch of information about the user who made the request) | 22:22 |
*** erus has joined #openstack-keystone | 22:22 | |
lbragstad | http://git.openstack.org/cgit/openstack/oslo.context/tree/oslo_context/context.py#n176 | 22:23 |
lbragstad | for example, the ID of the user, the scope associated to the token used to make the request, etc... | 22:23 |
lbragstad | oslo.policy evaluates that information in enforcement, which is where we get the user_id:%(user_id)s functionality exposed to us in policy files | 22:24 |
nsmeds | thanks lbragstad. gonna take some time and review everything you've shared here | 22:25 |
lbragstad | cool - i apologize it's so dense | 22:26 |
*** shrasool has joined #openstack-keystone | 22:39 | |
*** shrasool has quit IRC | 22:56 | |
konetzed | using Rocky on centos with domains and a ldap backed domain. Any idea why i can use a username/pass w/o issue to access my projects but I cannot use application credentials? I see in the logs Keystone says the public id which is a long string has no access to the project | 22:57 |
konetzed | or is this all just related to the farnet token being larger than 255 chars warning? | 23:00 |
konetzed | fernet | 23:00 |
lbragstad | the fernet warning is just a warning, it should affect the API | 23:11 |
lbragstad | shouldn't* | 23:11 |
konetzed | ah ok, thanks i wasn't sure if that was leading me down the wrong path or not | 23:11 |
konetzed | Application Credentials work fine for users in the default domain | 23:12 |
lbragstad | we've been bitten by long token ids in the past, so we decided to issue warnings for tokens exceeding a relatively strict length requirement | 23:12 |
konetzed | lbragstad: any way to force keystone to make smaller tokens? I tried setting max_token_size=255 but that didn't seem to help | 23:13 |
konetzed | though you said it doesn't matter so i guess it's not the issue | 23:13 |
lbragstad | by default, keystone should issue tokens under 255 chars if you're using uuid4 formatted IDs | 23:13 |
lbragstad | if you're pulling ids from an external thing, like LDAP for example, your IDs might be longer | 23:14 |
konetzed | default domain, 2359a8a4643e4dc9a6179b1faba37f5c | glance | 23:14 |
konetzed | ldap domain: ef04e0bd96a83b083153e27169ff5cfa0f424acbc254069f1f154f9ffa15b994 | user | 23:15 |
lbragstad | aha - sure | 23:15 |
lbragstad | so that's going to generate a longer token | 23:15 |
lbragstad | which should be fine | 23:15 |
konetzed | it's funny i see keystone look up the right user from the application creds just like it does when i use username/pass but then it says the creds don't have access | 23:16 |
lbragstad | hmm | 23:16 |
lbragstad | you're trying to get a token using an application credential and do something with it, right? | 23:16 |
lbragstad | and that's failing? | 23:16 |
konetzed | at the moment just trying to use them with the cli to do 'openstack image list' | 23:17 |
lbragstad | ah | 23:17 |
lbragstad | so you have envs set or you're using clouds.yaml which has been configured with your application credential? | 23:17 |
konetzed | envs set from the openrc file | 23:18 |
lbragstad | https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3applicationcredential | 23:19 |
lbragstad | does the application credential have the same roles the user who made it has? | 23:19 |
konetzed | yes | 23:19 |
*** shrasool has joined #openstack-keystone | 23:24 | |
konetzed | lbragstad: figured it out | 23:43 |
konetzed | so i am using group mappings from ldap to my projects and the groups have the role applied | 23:44 |
konetzed | i just gave my ldap user role of user on the project and application creds work w/o issue | 23:44 |
konetzed | now i am just not sure why group rules aren't working right with application credentials | 23:46 |
lbragstad | oh | 23:49 |
lbragstad | yeah - application credentials work with direct role assignments between the actual user and the target | 23:49 |
lbragstad | i don't believe application credentials take group membership into account | 23:50 |
konetzed | :( | 23:50 |
lbragstad | but cmurphy can keep me honest there | 23:50 |
lbragstad | i think we actually have a bug open for that | 23:50 |
lbragstad | yeah - we do | 23:50 |
lbragstad | https://bugs.launchpad.net/keystone/+bug/1773967 | 23:50 |
openstack | Launchpad bug 1773967 in OpenStack Identity (keystone) "Application credentials can't be used with group-only role assignments" [High,Confirmed] - Assigned to Vishakha Agarwal (vishakha.agarwal) | 23:50 |
lbragstad | sounds like that's what you're looking for konetzed ^ | 23:51 |
konetzed | lbragstad: exactly what i am seeing | 23:51 |
lbragstad | cool | 23:51 |
konetzed | yep, except it sucks for me :P | 23:52 |
lbragstad | looks like vishakha is tackling it | 23:52 |
konetzed | I am not seeing any code anywhere, hoping i could patch in by hand for now. Am i missing something? | 23:52 |
lbragstad | according to ayoung, trusts have code that make them work with group assignments | 23:53 |
lbragstad | ideally, we can try and generalize that code and have app creds re-use it | 23:53 |
konetzed | lbragstad: any pointers on where to start looking? I am guessing /usr/lib/python2.7/site-packages/keystone/models/token_model.py:495 since thats the log line that says there is no access | 23:57 |
*** blake has joined #openstack-keystone | 23:58 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!