Thursday, 2018-11-29

*** erus has quit IRC00:44
*** erus has joined #openstack-keystone00:45
*** jistr has quit IRC01:00
*** jistr has joined #openstack-keystone01:01
*** erus has quit IRC01:05
*** erus has joined #openstack-keystone01:05
*** markvoelker has joined #openstack-keystone01:23
*** markvoelker has quit IRC01:28
*** dklyle has joined #openstack-keystone01:32
*** blake has quit IRC01:33
*** blake has joined #openstack-keystone01:46
*** trident has quit IRC01:50
*** blake has quit IRC01:51
vishakhalbragstad, cmurphy : The query is regarding K2K usage in production. Do the remote users always log in through horizon, or do they use the CLI for issuing tokens? I was just looking for some live examples of K2K running in production. Thank you.01:54
*** gyee has quit IRC01:54
*** trident has joined #openstack-keystone01:55
*** blake has joined #openstack-keystone01:57
*** blake has quit IRC02:02
*** Dinesh_Bhor has joined #openstack-keystone02:11
*** Dinesh_Bhor has quit IRC02:12
*** Dinesh_Bhor has joined #openstack-keystone02:15
*** markvoelker has joined #openstack-keystone02:30
lbragstadkonetzed i'd probably start here https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L42402:47
lbragstadthe TokenModel object is meant to represent a keystone token in a pythonic way02:48
lbragstadso calling token.roles() on an application credential token should give you the roles that application credential has via the user's direct and indirect role assignment via group membership02:49
lbragstadwe're hitting this bit - https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L433-L43402:49
lbragstadwe could elaborate on this method - https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L409-L41902:50
lbragstador we could extend the logic that creates application credentials to populate group memberships unless explicitly restricted to a set of roles.02:50
*** rcernin has quit IRC02:58
konetzedlbragstad: thank you! I am just about to give up for the night but your second link is exactly where I was hacking. I did borrow some code from https://github.com/openstack/keystone/blob/master/keystone/models/token_model.py#L396-L405 which works, but it seems to grant the same roles as the user has, not any subset the app cred might have. Probably not the best solution but it was what I hacked out tonight :D03:23
konetzedthanks for all your help!03:23
*** openstackgerrit has joined #openstack-keystone03:36
openstackgerritGage Hugo proposed openstack/keystone master: Clarify docstrings for domain flask refactor  https://review.openstack.org/62040903:36
*** rcernin has joined #openstack-keystone03:38
*** dklyle has quit IRC03:58
*** dave-mccowan has quit IRC04:34
*** dave-mccowan has joined #openstack-keystone04:35
*** dave-mccowan has quit IRC04:49
vishakhalbragstad gmann frickler I have updated etherpad regarding the successful run of jobs of keystone repos on bionic. https://etherpad.openstack.org/p/devstack-bionic05:26
*** imacdonn has quit IRC05:38
*** imacdonn has joined #openstack-keystone05:39
*** jackivanov has joined #openstack-keystone05:49
gmannvishakha: frickler thanks. Maybe you can remove the DNM from this and merge it so the federation job keeps running on xenial, and later you can check with lbragstad about how to fix that by installing from source etc - https://review.openstack.org/#/c/611563/05:55
*** blake has joined #openstack-keystone05:58
*** blake has quit IRC06:02
*** ondrejme has quit IRC06:40
*** nehaalhat__ has joined #openstack-keystone07:13
*** shrasool has quit IRC07:18
*** rcernin has quit IRC07:35
cmurphyvishakha: you can use the cli with k2k, example here https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#testing-it-all-out07:37
cmurphykonetzed: that's been on my list to look at for a while, if you get something working ping me and i'll review asap :D07:40
*** amoralej|off is now known as amoralej08:31
*** takamatsu has quit IRC08:31
*** dims has quit IRC08:32
*** dims has joined #openstack-keystone08:33
openstackgerritwangxiyuan proposed openstack/python-keystoneclient master: Add release notes for return-request-id-to-caller  https://review.openstack.org/27664408:43
*** pcaruana has joined #openstack-keystone08:48
*** markvoelker has quit IRC08:50
openstackgerritMerged openstack/keystone master: Move test utility to common location  https://review.openstack.org/62015509:00
*** takamatsu has joined #openstack-keystone09:13
*** sapd1 has quit IRC09:36
*** sapd1 has joined #openstack-keystone09:36
*** shrasool has joined #openstack-keystone09:44
*** markvoelker has joined #openstack-keystone09:51
*** blake has joined #openstack-keystone09:58
openstackgerritMerged openstack/oslo.policy master: Enhance test to prevent JSON parsing regression  https://review.openstack.org/62017309:59
*** blake has quit IRC10:03
*** shrasool has quit IRC10:24
*** markvoelker has quit IRC10:24
*** nehaalhat__ has quit IRC10:27
*** sayalilunkad has quit IRC10:33
*** mbuil has quit IRC10:33
*** Dinesh_Bhor has quit IRC10:44
*** sayalilunkad has joined #openstack-keystone11:12
*** markvoelker has joined #openstack-keystone11:21
*** takamatsu has quit IRC11:25
*** takamatsu has joined #openstack-keystone11:31
*** aloga has quit IRC11:33
*** aloga has joined #openstack-keystone11:33
*** nehaalhat has joined #openstack-keystone11:34
*** raildo has joined #openstack-keystone11:45
*** rafaelweingartne has joined #openstack-keystone11:48
rafaelweingartneIs somebody here using OpenStack federation with multiple IdPs?11:48
*** markvoelker has quit IRC11:55
*** erus has quit IRC11:57
*** erus has joined #openstack-keystone11:57
*** amoralej is now known as amoralej|lunch11:58
*** takamatsu has quit IRC12:06
*** xek_ has joined #openstack-keystone12:12
*** dave-mccowan has joined #openstack-keystone12:15
*** xek_ has quit IRC12:21
*** erus has quit IRC12:22
*** erus has joined #openstack-keystone12:28
*** Nel1x has joined #openstack-keystone12:38
rafaelweingartneIs somebody here using OpenStack federation (using OIDC protocol) with multiple IdPs?12:40
openstackgerritJens Harbott (frickler) proposed openstack/keystone master: Keep federation jobs running on Xenial  https://review.openstack.org/61156312:40
fricklerlbragstad: cmurphy: amended as gmann suggested, so this should be able to be merged now with no impact, allowing QA to migrate to bionic without impacting keystone12:41
cmurphyfrickler: zuul doesn't seem to like that12:47
fricklercmurphy: ah, yes, I'm introducing the new nodeset in devstack together with the bionic patch. need to split that probably12:48
*** markvoelker has joined #openstack-keystone12:52
openstackgerritJens Harbott (frickler) proposed openstack/keystone master: Keep federation jobs running on Xenial  https://review.openstack.org/61156313:00
rafaelweingartneIs somebody here using OpenStack federation (using OIDC protocol) with multiple IdPs?13:19
*** markvoelker has quit IRC13:24
*** shrasool has joined #openstack-keystone13:34
*** blake has joined #openstack-keystone13:35
*** shrasool has quit IRC13:38
*** blake has quit IRC13:40
cmurphyrafaelweingartne: sorry I haven't, do you have a specific question about it? are you just wondering how to set it up?13:41
rafaelweingartneI have a specific question regarding the WAYF process13:42
rafaelweingartnemore specifically about the design implemented13:42
rafaelweingartneI deployed it, and it is indeed working, but the WAYF process is a little odd13:42
*** awalende has joined #openstack-keystone13:42
cmurphyyou might ask the mod_auth_openidc maintainers or forums/ml/issue tracker about it13:42
rafaelweingartnethe user selects the IdP to authenticate in Horizon (I have more than one), then horizon redirects the user to keystone to execute the authentication13:42
rafaelweingartnethen, in Keystone the authentication is handled by the modOIDC of apache, and this module has its own WAYF process13:43
rafaelweingartnethis means the user is telling the system twice where he/she wants to authenticate13:43
rafaelweingartneI do not know if I missed something, but I have not found anything related to this in the docs13:43
*** amoralej|lunch is now known as amoralej13:43
rafaelweingartneso I was wondering if the problem is my setup or if it is like that by design, and people are not using multiple IdPs, or are handling this issue in some other manner13:44
cmurphyi don't really know how WAYF works, but if the apache module is handling the discovery of other idps then you could just not add them all to horizon and just configure it with one13:45
awalendeHi there, if I have a valid OIDC access token, can I transform it into a Keystone token via the REST API? If yes, how?13:45
rafaelweingartneyes that is what I thought, but I wanted a complete solution. So, I am wondering, should I fix this in Keystone or Horizon.13:46
rafaelweingartneThen, I can push this fix to the community13:46
cmurphyrafaelweingartne: what do you think needs to be fixed? just don't add all the idps in your local_settings.py13:46
rafaelweingartnethat is shallow13:46
rafaelweingartneHorizon can use "auth_request_params" from modOIDC13:46
rafaelweingartneto tell it what IDPs to use13:47
rafaelweingartneotherwise, I will need to customize the WAYF page in modOIDC13:47
rafaelweingartneHorizon page is nice already13:47
rafaelweingartneby using that parameter when building the authentication request URL to keystone, we can configure that parameter and tell modOIDC which IdP to use13:48
rafaelweingartnethen, the WAYF process is not executed in Keystone, and everything will work nicely as if we had only a single IdP13:48
knikollao/13:48
*** shrasool has joined #openstack-keystone13:50
rafaelweingartne\send13:51
rafaelweingartnecmurphy I guess this would need to be coordinated with people that work with Horizon and Keystone. Do you have an idea how to check if this problem indeed exists, or if I am doing some misconfiguration?13:53
cmurphyrafaelweingartne: as far as I know we don't already have a solution for that in either keystone or horizon13:54
rafaelweingartneso, you guys were aware of this problem already then?13:55
cmurphylike I said I don't really have experience with WAYF in openidc so I can't offer much advice but it sounds like a reasonable thing to implement in horizon13:55
cmurphymaybe knikolla has thoughts13:55
*** takamatsu has joined #openstack-keystone13:56
knikollareading back13:56
knikollarafaelweingartne: so you have multiple idps in horizon, and when the user is redirected to keystone, they have to reselect the idp in the discovery page?14:03
rafaelweingartneYes14:03
rafaelweingartnethat is it14:03
rafaelweingartneI do understand why that is happening, because the module OIDC has no idea that the whole process started in Horizon14:03
rafaelweingartneit is protecting a resource in "Keystone only"14:04
knikollahorizon needs a way to pass a "hint"14:04
knikollain oidc that is iss=14:04
rafaelweingartneyes14:04
rafaelweingartnethat is it14:04
knikollayou could do some apache redirect hackery14:04
rafaelweingartnethat sounds nasty in the long run to maintain it14:04
rafaelweingartneis that how you do it?14:05
knikollano, because i have one idp14:05
knikollawhich does brokering with multiple idps14:05
knikollabut that is something that horizon needs to add.14:06
knikollasupport for passing hints.14:06
knikollado you have sql users as well as federated users?14:07
rafaelweingartneno14:07
rafaelweingartneI mean, yes14:08
rafaelweingartnein theory we might use it in the future14:08
rafaelweingartnebut for now, the idea is to start with federated users14:08
rafaelweingartneThanks Knikolla, you clarified my doubt14:09
knikollabecause horizon doesn't really save any state on that initial page. all that matters is when a user gets posted back to https://horizon/auth/websso/14:09
rafaelweingartneso the problem exists, and I can then modify Horizon to create the URL for OIDC with a hint regarding the IdP14:09
knikollaso you could have the user be redirected to keystone directly and skip the first horizon step14:09
rafaelweingartneyes14:09
rafaelweingartnebut horizon has a nice screen already :)14:09
rafaelweingartneI would not like to implement and maintain another page to provide a nice WAYF page14:10
knikollai know. though because i don't have insight into horizon, workarounds are all i can suggest :)14:10
rafaelweingartneah no problem14:11
rafaelweingartneI can manage that14:11
knikollacool14:11
rafaelweingartneI only wanted to confirm that I was not missing something14:11
rafaelweingartneand that the problem indeed exists14:11
knikollacmurphy: i'm working on the renewable app creds spec and would like to get a second opinion if you have time14:12
cmurphyknikolla: sure14:13
*** tosky has joined #openstack-keystone14:14
knikollacmurphy: my first thought is to extend the current application credential model with the fields "expiring_roles", "roles_expire_at", and "roles_last_renewed_at"14:15
knikollathe other option would be to have a different type of app cred14:15
cmurphyknikolla: why does it need expiring_roles? wouldn't the regular roles list and a second expiration field do the trick?14:19
cmurphyhaving a different type of app cred sounds like it could get confusing for users14:20
*** hoonetorg has quit IRC14:20
knikollacmurphy: there is a check that the user has that role in the project by querying the assignments.14:22
knikollacmurphy: for ephemeral roles it would only check the token.14:23
knikollaanother option would be to have a "renewable" bool, and have the current "expires_at" be the expiration time14:23
knikollawe do allow users to have app_creds that don't expire in the current implementation. with roles from the mapping, we want them to be short lived, and require periodic renewal.14:29
cmurphyi don't think we should reuse expires_at14:32
cmurphythat one should be controllable by the user, this new one should be forced i think14:33
*** hoonetorg has joined #openstack-keystone14:33
knikollahowever i don't think we want to enforce expiration for app creds that don't have mapped roles.14:34
cmurphyright14:34
knikollahence my dilemma.14:35
knikollai don't want to make this confusing.14:35
cmurphyi think adding new fields will work14:36
knikollaalright. i'll write the spec now and elaborate on the "alternatives" section14:41
* knikolla runs to pick up laundry14:41
*** awalende has quit IRC14:52
*** awalende has joined #openstack-keystone14:53
*** awalende has quit IRC14:53
*** awalende has joined #openstack-keystone14:53
*** xek has joined #openstack-keystone15:00
*** rafaelweingartne has quit IRC15:35
*** shrasool has quit IRC15:36
*** itlinux has quit IRC15:38
openstackgerritLance Bragstad proposed openstack/keystone master: Update service provider policies for system reader  https://review.openstack.org/62015615:43
openstackgerritLance Bragstad proposed openstack/keystone master: Update service provider policies for system member  https://review.openstack.org/62015715:43
openstackgerritLance Bragstad proposed openstack/keystone master: Update service provider  policies for system admin  https://review.openstack.org/62015815:43
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with sps  https://review.openstack.org/62015915:43
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with sps  https://review.openstack.org/62016015:43
openstackgerritLance Bragstad proposed openstack/keystone master: Remove service provider policies from v3cloudsample.json  https://review.openstack.org/62016115:43
*** awalende has quit IRC15:51
*** awalende has joined #openstack-keystone15:52
*** awalende has quit IRC15:56
*** dklyle has joined #openstack-keystone16:01
*** awalende has joined #openstack-keystone16:02
* lbragstad finds more coffee16:03
*** awalende_ has joined #openstack-keystone16:04
*** awalende_ has quit IRC16:05
*** awalende has quit IRC16:07
*** ayoung has joined #openstack-keystone16:09
*** erus has quit IRC16:17
*** erus has joined #openstack-keystone16:29
*** blake has joined #openstack-keystone16:30
*** blake has quit IRC16:30
*** fiddletwix has joined #openstack-keystone16:43
*** itlinux has joined #openstack-keystone16:54
*** ayoung has quit IRC16:56
nsmedsmorning/evening. difference between `limit` and `registered limit`? appears that registered limit is system default and limit is project specific overrides17:02
nsmedsjust wanting to confirm17:02
*** david-lyle has joined #openstack-keystone17:04
*** dklyle has quit IRC17:05
*** gyee has joined #openstack-keystone17:09
cmurphynsmeds: that's correct17:27
kmalloccmurphy, knikolla: hmm17:27
kmalloci really am unsure if we need *another* mechanism for communicating when an app cred expires17:27
kmallocadded fields for "ephemeral roles" and "refreshable" are things17:27
kmallocbut really we should lean on the technology / code we already have for pure expiration17:28
kmallocexpiry time is not changeable after an app cred is created (they are "immutable" outside of the refresh parts)17:28
cmurphykmalloc: what if a federated user wants to set a non-refreshable expiration on an app cred17:29
kmallocknikolla, cmurphy: also the question is, for ephemerally communicated roles, do we invalidate the cred (in whole) if the roles are gone or do we minimize the app cred roles to what has been removed.17:29
kmalloccmurphy: if it doesn't contain ephemeral roles, no problem.17:29
kmallocephemerally communicated roles (IDP supplied) would require expiration17:30
cmurphykmalloc: invalidate the cred in whole, same as we do if one role is revoked17:30
kmalloccmurphy: ++ ok good on that.17:30
kmallocand expiration would be the fixed timeframe for refresh17:30
kmallocwe could go with an alternative with a create/refresh timestamp and a configuration (for the IDP) on how long the app cred is good for17:30
kmallocbut if you're going to do it as a strict expiration timestamp, use the column we have17:31
kmallocif that makes sense.17:31
* kmalloc is actually inclined to say we do it as creation/last-refreshed and the IDP...or somesuch supplies how long their app creds are good for17:31
cmurphyi don't think that makes sense, because i can imagine a user wants to create an app cred that expires at a certain time regardless of whether the user happens to log in to do other things17:31
kmallochm.17:31
kmalloci don't want to have two fixed expiration times... if that makes sense17:32
kmallocthe reason for the last-refreshed and a time communicated by the IDP means we can do a check17:32
kmallocIS_EXPIRED(expired_time), IS_EXPIRED(last-refreshed+IDP Window)17:33
kmallocin that order17:33
kmallocbut having a refresh_expires_at Timestamp seems contrary to the "this is a configurable value"17:33
kmallocbecause a misconfiguration could communicate a very very long refresh that is inappropriately exempted from refreshing for much longer than expected17:34
* kmalloc is catching up.17:35
cmurphykmalloc: what is "IDP Window"? who sets that? is that a property on the app cred?17:36
kmalloca property on the source of Identity for the role(s)17:37
kmallocfor the user17:37
kmalloce.g. if the user adds a role communicated from an IDP, the app cred references that IDP's refresh requirements17:37
kmallocso the appcred has: expires_at (set by user). and *if* a role is included from an IDP source (that is also non-concretely assigned), the app cred has, Refreshable_roles(roleX,...) and RefreshTime()17:38
cmurphykmalloc: okay yes that sounds good17:39
kmallocwhen we check expiration we check expires_at *and* refreshed_at (RefreshTime()) + the shortest IDP "refresh time requirement" of the roles communicated17:39
kmallocthat way IDPs are configured with a timewindow that affects all app creds that use its roles.17:39
kmallocand we don't end up with app creds that snuck in before/after the refresh-requirement was changed17:39
cmurphyif expires_at is always user set and there's a whole other thing to do the refresh expiration that works for me17:40
kmallocyes17:40
kmallocand i want it tied to the IDP17:40
kmallocnot just a timestamp value17:40
cmurphysure17:40
kmalloci just didn't want expires_at(static timestamp) and refresh_expires_at(static timestamp)17:40
kmalloci think we're on the same page then.17:41
cmurphyyep17:42
*** amoralej is now known as amoralej|off18:05
*** david-lyle has quit IRC18:15
knikollakmalloc: thanks, i do see the issues with static timestamps18:19
*** jistr has quit IRC18:19
*** jistr has joined #openstack-keystone18:19
knikollaso new fields renewed_at, renewable_roles18:19
knikollaand app_cred_renew_window should be on a per idp basis18:20
kmallocyeah18:20
knikollawhen user tries to renew but doesn't have one or more of the roles, invalidate entire app cred18:21
kmallocthe renewable_roles should reference the static assignments (preferred if it exists) and then renewable roles.18:21
kmallocerm18:21
kmallocwait18:21
kmallocno18:21
kmallocapp_cred roles should reference concrete roles first if assigned. then renewable/communicated roles18:22
kmallocand we reference the IDPs configuration for the renewable time window18:22
kmallocif multiple IDPs communicate the role we should ... select which IDP for the refresh window?18:23
kmallocthis should be a reference that checks the IDP config each time not some static value on the app_Cred.18:23
knikollathen that means we need a per idp list in the app cred18:24
knikollaper idp role list18:24
knikollaor we can restrict it one app cred per 1 idp18:25
kmallocthat is what i'm not sure about.18:32
kmallocwe could choose to select the IDP with the longest expiration window18:32
kmallocfor each role18:33
kmallocwhich at least makes it easier.18:33
kmallocbut we probably need to communicate to the user which IDP communicated the role(s) anyway18:33
kmallocso they can be sure to refresh it18:34
kmallocso yeah we need a list-per-idp18:34
kmallocwe have to track this information anyway.18:34
knikollamakes sense18:41
knikollai'll jot this down in the spec and maybe we can have a discussion with the rest of the team during next week's meeting.18:41
*** dklyle has joined #openstack-keystone18:45
*** ayoung has joined #openstack-keystone18:46
kmalloc++18:48
*** fiddletwix has quit IRC18:58
*** dklyle has quit IRC19:07
*** xek has quit IRC19:23
*** shrasool has joined #openstack-keystone19:26
*** markvoelker has joined #openstack-keystone19:36
*** markvoelker has quit IRC19:40
*** shrasool has quit IRC19:48
*** shrasool has joined #openstack-keystone19:49
*** shrasool has quit IRC19:51
*** itlinux has quit IRC19:56
*** markvoelker has joined #openstack-keystone20:00
*** fiddletwix has joined #openstack-keystone20:04
nsmedscurious about `is_admin_project:True`20:09
nsmedswhat can I query to find out if a project has this label?20:09
nsmedsI've attempted applying the v3cloudpolicy to Keystone but a user outside of the cloud_admin domain was able to create users in domains besides their own20:10
lbragstadis_admin_project was an attempt to try and isolate system-specific operations behind a project20:11
lbragstadfor example, if users had a role assignment on the "admin" project, they would be given elevated privileges to do things (even if they fell outside of project scope)20:11
lbragstadis_admin_project:True and system-scope are meant to solve the same problem20:12
nsmedsok. But how can I tell what project is the "admin" project?20:15
nsmedsusing python client, `openstack project show <project>` doesn't reveal anything20:15
*** awalende has joined #openstack-keystone20:17
*** awalende_ has joined #openstack-keystone20:18
*** shrasool has joined #openstack-keystone20:18
*** shrasool has quit IRC20:19
nsmedshttps://gist.github.com/nikosmeds/b643120db46736164cf67ebcb33bc1cf has some info - I'm able to create a user when I believe policy should restrict it20:20
*** awalende has quit IRC20:22
lbragstadnsmeds the admin_project is a configuration option20:23
lbragstadit's not consistent across deployments20:23
lbragstadhttps://docs.openstack.org/keystone/latest/configuration/config-options.html#resource.admin_project_name20:24
nsmedsjust grepped `keystone.conf` and don't have it configured20:26
nsmedsso, based on my rules in the above gist, unsure why I was able to create a user20:26
nsmedshmm20:27
*** awalende has joined #openstack-keystone20:30
*** awalend__ has joined #openstack-keystone20:30
*** awalende_ has quit IRC20:31
lbragstadnsmeds when you authenticate for a token, do you see the admin_project property set?20:33
*** awalende has quit IRC20:34
lbragstadlike, in the token response body?20:35
nsmedsso I just have `OS_` environment values set, and using python client to run `openstack ...` commands20:36
nsmedslet me see if I can find that20:36
lbragstadif you do something like ``openstack token issue --debug`` you'll see the actual response body because osc will log it for you20:36
lbragstadfor example - https://pasted.tech/pastes/a678e488f58bb3a2f98fde9796ee06f1372ed877.raw20:37
nsmedsamazing, thanks20:38
nsmedsopenstack token issue --help doesn't suggest --debug, but it works =)20:38
openstackgerritMerged openstack/python-keystoneclient master: Add return-request-id-to-caller function(v3/contrib)  https://review.openstack.org/26800320:40
openstackgerritMerged openstack/python-keystoneclient master: Add release notes for return-request-id-to-caller  https://review.openstack.org/27664420:40
nsmedsthis looks questionable (part of the response)20:41
nsmedshttps://gist.github.com/nikosmeds/e016954d80f0fe64f33e573dd0c0928220:41
nsmedsthe `project_domain_id` is set to `default`20:41
*** erus has quit IRC20:42
nsmedsnothing related to admin_project however20:42
lbragstadok - nevermind20:43
lbragstadthat might only be present if you have an admin project configured20:44
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/common/render_token.py#L94-L10120:44
nsmedsupdated https://gist.github.com/nikosmeds/e016954d80f0fe64f33e573dd0c09282 - token seems correctly scoped for the test domain/project20:47
nsmeds:shrug: I'll keep playing around and try to make sense of this world20:48
lbragstadare you sure you're specifying the policy file through config?20:50
lbragstadhttps://docs.openstack.org/keystone/latest/configuration/config-options.html#oslo_policy.policy_file20:50
*** raildo has quit IRC20:50
*** raildo has joined #openstack-keystone20:51
*** raildo has quit IRC20:51
nsmedsnope (just using default). Deploy with openstack-ansible, which handles most of this for us. But my changes (via OSA) to the policy file have been applying, as I broke something else earlier20:51
nsmedsjust grepped keystone.conf, no overwriting `policy_file`, but overwrites are going to `policy.json` in same dir20:52
lbragstadok - so you should be picking up those changes in policy.json20:54
nsmedscorrect - all the v3cloud policy changes appear in policy.json20:55
nsmedsby default it's an empty file20:55
nsmedshttps://gist.github.com/nikosmeds/d53e014365e444b62fcf08486b8f58a6 (just spamming the  channel with gists)20:56
nsmedssomehow related to running Queens? (though everything I've read suggests this should work on queens)21:00
*** erus has joined #openstack-keystone21:06
*** dklyle has joined #openstack-keystone21:10
nsmedsI'm wondering if openstack-ansible is somehow related. Ran into interesting error when trying to make small change https://gist.github.com/nikosmeds/6bc29b00c05222f94fa62a3adfffff5a . I'll bring this issue over to them21:20
lbragstadnsmeds that last error looks unrelated to policy?21:26
nsmedslbragstad: agreed - but it only occurs when I try to make that 1 line change21:27
openstackgerritLance Bragstad proposed openstack/keystone master: Add registered limit protection tests  https://review.openstack.org/62101421:34
openstackgerritLance Bragstad proposed openstack/keystone master: Update registered limit policies for system member  https://review.openstack.org/62101521:34
openstackgerritLance Bragstad proposed openstack/keystone master: Update registered limit policies for system admin  https://review.openstack.org/62101621:34
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with registered limits  https://review.openstack.org/62101721:34
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with registered limits  https://review.openstack.org/62101821:34
openstackgerritLance Bragstad proposed openstack/keystone master: Remove registered limit policies from policy.v3cloudsample.json  https://review.openstack.org/62101921:34
openstackgerritLance Bragstad proposed openstack/keystone master: Add limit protection tests  https://review.openstack.org/62102021:34
openstackgerritLance Bragstad proposed openstack/keystone master: Update limit policies for system member  https://review.openstack.org/62102121:34
openstackgerritLance Bragstad proposed openstack/keystone master: Update limit policies for system admin  https://review.openstack.org/62102221:34
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with limits  https://review.openstack.org/62102321:34
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.openstack.org/62102421:34
openstackgerritLance Bragstad proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.openstack.org/62102521:34
*** markvoelker has quit IRC21:38
*** markvoelker has joined #openstack-keystone21:38
*** dklyle has quit IRC21:39
*** markvoelker has quit IRC21:43
*** rcernin has joined #openstack-keystone21:57
*** markvoelker has joined #openstack-keystone22:01
*** awalend__ has quit IRC22:05
*** xek has joined #openstack-keystone22:11
*** erus has quit IRC22:14
*** dklyle has joined #openstack-keystone22:19
*** dklyle has quit IRC22:24
*** dklyle has joined #openstack-keystone22:32
*** dklyle has quit IRC22:44
*** xek has quit IRC22:44
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides  https://review.openstack.org/61419522:45
nsmedslbragstad: found the underlying Ansible role and disabled `no_log`, https://gist.github.com/nikosmeds/6bc29b00c05222f94fa62a3adfffff5a has been updated with the error22:57
nsmedslooks like something depends on the admin_project being configured22:57
lbragstadaha - interesting23:11
jdennislbragstad: is there a way to view the log file you pointed me to with line breaks? it's hard to read with everything squashed together23:45
jdennislbragstad: never mind, getting rid of the query params in the url seemed to work23:47

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!