Thursday, 2018-12-06

00:00 *** jdennis has quit IRC
00:02 *** erus has quit IRC
00:05 *** erus has joined #openstack-keystone
00:16 <openstackgerrit> Merged openstack/keystoneauth master: Change openstack-dev to openstack-discuss  https://review.openstack.org/622765
00:17 *** jdennis has joined #openstack-keystone
00:17 *** gyee has quit IRC
00:17 *** raildo has quit IRC
00:33 *** dnguyen has quit IRC
00:37 *** jaosorior has quit IRC
00:54 *** Belgar81 has joined #openstack-keystone
01:33 *** markvoelker has quit IRC
01:40 *** sapd1 has quit IRC
01:40 *** sapd1 has joined #openstack-keystone
01:48 *** david-lyle has joined #openstack-keystone
01:49 *** itlinux has joined #openstack-keystone
01:51 *** dklyle has quit IRC
01:59 <openstackgerrit> ayoung proposed openstack/keystone master: Alternative Replace UUID with id_generator for Federated users  https://review.openstack.org/623117
02:01 <openstackgerrit> ayoung proposed openstack/keystone master: Alternative Replace UUID with id_generator for Federated users  https://review.openstack.org/623117
02:16 *** Dinesh_Bhor has joined #openstack-keystone
02:44 *** erus has quit IRC
02:46 *** erus has joined #openstack-keystone
02:53 *** imacdonn has quit IRC
02:53 *** erus has quit IRC
02:53 *** imacdonn has joined #openstack-keystone
02:56 *** erus has joined #openstack-keystone
03:15 *** Dinesh_Bhor has quit IRC
03:22 *** erus has quit IRC
03:23 *** erus has joined #openstack-keystone
03:23 *** Dinesh_Bhor has joined #openstack-keystone
03:29 *** erus has quit IRC
03:35 *** erus has joined #openstack-keystone
03:42 *** erus has quit IRC
03:47 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Ensure change is addressed for unified limit table  https://review.openstack.org/621497
03:47 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain_id column for limit  https://review.openstack.org/620202
03:47 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager  https://review.openstack.org/621468
03:47 <openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP]Add domain level limit support - API  https://review.openstack.org/622773
03:50 *** erus has joined #openstack-keystone
03:57 *** erus has quit IRC
04:05 *** erus has joined #openstack-keystone
04:10 <openstackgerrit> Merged openstack/oslo.policy master: Prevent sensitive target data from being logged  https://review.openstack.org/623081
04:12 *** erus has quit IRC
04:20 *** erus has joined #openstack-keystone
04:26 *** erus has quit IRC
04:35 *** erus has joined #openstack-keystone
04:42 *** erus has quit IRC
04:53 *** erus has joined #openstack-keystone
05:26 *** erus has quit IRC
05:28 *** erus has joined #openstack-keystone
05:35 *** erus has quit IRC
05:36 *** Dinesh_Bhor has quit IRC
05:42 *** Dinesh_Bhor has joined #openstack-keystone
05:43 *** erus has joined #openstack-keystone
05:57 *** Dinesh_Bhor has quit IRC
06:04 *** erus has quit IRC
06:05 *** erus has joined #openstack-keystone
06:12 *** erus has quit IRC
06:12 *** Dinesh_Bhor has joined #openstack-keystone
06:18 *** Dinesh_Bhor has quit IRC
06:20 *** erus has joined #openstack-keystone
06:36 *** Dinesh_Bhor has joined #openstack-keystone
07:00 *** markvoelker has joined #openstack-keystone
07:05 *** markvoelker has quit IRC
07:41 <openstackgerrit> Merged openstack/keystone master: Add registered limit protection tests  https://review.openstack.org/621014
07:52 *** aojea has joined #openstack-keystone
07:53 <openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - API  https://review.openstack.org/622773
07:53 <openstackgerrit> wangxiyuan proposed openstack/keystone master: [WIP] Add domain level support for strict-two-level-model  https://review.openstack.org/623153
07:56 *** rcernin has quit IRC
07:58 *** pcaruana has joined #openstack-keystone
07:58 *** pcaruana is now known as muttley
08:00 *** aojea has quit IRC
08:03 *** rcernin has joined #openstack-keystone
08:13 *** awalende has joined #openstack-keystone
08:33 *** rcernin has quit IRC
08:41 *** Dinesh_Bhor has quit IRC
08:54 *** Dinesh_Bhor has joined #openstack-keystone
09:01 *** markvoelker has joined #openstack-keystone
09:01 *** awalende has quit IRC
09:02 *** awalende has joined #openstack-keystone
09:06 *** awalende has quit IRC
09:08 *** awalende has joined #openstack-keystone
09:22 *** nehaalhat has quit IRC
09:34 *** markvoelker has quit IRC
10:31 *** markvoelker has joined #openstack-keystone
10:36 *** mvkr has joined #openstack-keystone
10:37 *** Dinesh_Bhor has quit IRC
10:54 *** Belgar81 has quit IRC
11:05 *** markvoelker has quit IRC
11:15 *** awalende has quit IRC
11:20 *** awalende has joined #openstack-keystone
11:24 *** awalende has quit IRC
11:53 *** awalende has joined #openstack-keystone
11:58 *** awalende has quit IRC
12:09 *** awalende has joined #openstack-keystone
12:23 *** shrasool has joined #openstack-keystone
12:29 *** awalende has quit IRC
12:50 *** awalende has joined #openstack-keystone
13:08 *** muttley has quit IRC
13:17 *** rcernin has joined #openstack-keystone
13:18 *** awalende has quit IRC
13:21 *** muttley has joined #openstack-keystone
13:25 *** muttley has quit IRC
13:26 *** muttley has joined #openstack-keystone
13:29 *** rcernin has quit IRC
13:29 *** muttley has quit IRC
13:33 *** jdennis has quit IRC
13:34 *** pcaruana has joined #openstack-keystone
13:38 *** awalende has joined #openstack-keystone
13:39 *** pcaruana has quit IRC
13:40 *** awalende has quit IRC
13:41 *** awalende has joined #openstack-keystone
13:43 *** pcaruana has joined #openstack-keystone
13:44 *** erus has quit IRC
13:47 *** pcaruana has quit IRC
13:47 *** erus has joined #openstack-keystone
13:52 *** awalende has quit IRC
13:55 *** dr_gogeta86 has joined #openstack-keystone
13:55 <dr_gogeta86> hi guys
13:56 <dr_gogeta86> anyone here got some experience with mod_auth_keystone
14:01 *** awalende has joined #openstack-keystone
14:02 *** jdennis has joined #openstack-keystone
14:06 *** shrasool has quit IRC
14:11 *** raildo has joined #openstack-keystone
14:23 *** jaosorior has joined #openstack-keystone
14:24 *** jdennis has quit IRC
14:27 *** shrasool has joined #openstack-keystone
14:30 *** mchlumsky has joined #openstack-keystone
14:33 *** mchlumsky has quit IRC
14:34 *** mchlumsky has joined #openstack-keystone
14:42 *** jdennis has joined #openstack-keystone
14:44 <bnemec> lbragstad: Do we need to release oslo.policy again then?
14:44 <lbragstad> bnemec yep - i can do that
14:45 <lbragstad> 1.44.0 or 1.43.1?
14:47 <bnemec> lbragstad: It's just a bug fix so I'd say 1.43.1.
14:47 <lbragstad> ok
14:47 <bnemec> Unless something else merged in the meantime, but I don't think so.
15:17 *** awalende has quit IRC
15:22 *** shrasool has quit IRC
15:34 *** jhesketh has quit IRC
15:35 *** jhesketh has joined #openstack-keystone
15:51 *** erus has quit IRC
15:52 *** erus has joined #openstack-keystone
16:05 *** ska has joined #openstack-keystone
16:05 <lbragstad> ska o/
16:05 <lbragstad> this one? http://paste.debian.net/hidden/f9fb8a48/
16:06 <ska> I'm working on some software that needs read-only access to various parts of OpenStack's API. This is for various domains. http://paste.debian.net/hidden/f9fb8a48/
16:07 <ska> It seems I only need to deal with Keystone, which is where my focus is now.
16:07 <lbragstad> ok
16:08 <lbragstad> in your paste, it looks like you're only giving blue user a role on blue project?
16:10 <lbragstad> that said... the blue users won't be able to list endpoints because they don't have the blue role on the blue domain
16:10 <lbragstad> at least I don't think, anyway
16:10 *** takamatsu has quit IRC
16:13 <ska> Is that not covered in my command: `openstack role add --project blue_project --user blue blue_role` ?
16:13 <lbragstad> good question
16:13 <ska> (btw: is there some way to highlight text?)
16:13 <lbragstad> so there, you're giving the blue user a role called blue_role on a project
16:14 <lbragstad> highlight test in paste?
16:14 <lbragstad> text*
16:15 <ska> yea. Maybe it's *client* dependent.
16:16 <lbragstad> for pasting content, i use https://pasted.tech/
16:16 <lbragstad> which supports various syntax highlighting and has a command line client
16:17 <lbragstad> so ``cat /etc/keystone/policy.yaml | pasted`` returns a link to a raw paste
16:17 <lbragstad> (it's also hosted and maintained by cloudnull, so that's a plus)
16:22 <ska> It looks like I've also broken the admin account as well.
16:31 <lbragstad> how so?
16:33 <ska> I can't access anything when I source keystone_admin and try to do an `openstack network list` (for example)
16:34 <ska> I think I need to add the admin_required into all the rules somehow.
16:35 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Bump oslo.policy and oslo.context versions  https://review.openstack.org/623248
16:35 <ska> Similar to what is done in: https://docs.openstack.org/security-guide/identity/policies.html
16:36 <lbragstad> what's the policy for listing networks?
16:36 <lbragstad> "rule:blue_admin" ?
16:37 *** erus has quit IRC
16:38 <lbragstad> for that, you might be able to do "rule:blue_admin or rule:admin_required"
16:39 *** erus has joined #openstack-keystone
16:49 *** shrasool has joined #openstack-keystone
17:03 <ska> I didn't include one yet. Just the endpoints and services for now, mimicking that other URL.
17:03 <ska> My new iteration looks like: http://paste.debian.net/1054659/ . Now admin CAN list services.
17:03 <ska> But blue still cannot.
17:04 <openstackgerrit> Merged openstack/python-keystoneclient master: Add Python 3.6 classifier to setup.cfg  https://review.openstack.org/621080
17:05 <ska> Should my OS_USER_DOMAIN_NAME and OS_PROJECT_DOMAIN_NAME be the same?
17:07 * lbragstad checks
17:08 <lbragstad> your keystone_blue rc file is telling me you're still getting a project scoped token
17:08 <lbragstad> as far as i can tell, the blue_admin policy requires a domain-scoped token
17:10 <ska> lbragstad: Are you aware of any examples that provide a read-only access similar to what I am attempting?
17:11 <ska> That's probably all I need at this point.
17:11 <lbragstad> i'm not aware of any examples that do all of this in policy - but there are other people that do it
17:11 <lbragstad> (that's why we're trying to do this natively)
17:12 <lbragstad> you just want your blue user to be able to list everything, right?
17:12 <lbragstad> even system-specific resources?
17:14 <ska> Yes, and it can be a subset of all objects. It's a proof-of-concept where we say a read-only user with finite (list) permissions can access certain things.
17:15 <ska> I think I may have missed something in my domain/project/user creation.
17:15 <lbragstad> so - they should be able to read everything in the deployment?
17:15 <lbragstad> but they should only have writable access to what things?
17:20 <ska> No writable access is required.
17:20 <ska> This user is for monitoring only, no write/modify access.
17:22 <lbragstad> ah
17:24 <lbragstad> let me see if i can write up an example
17:34 *** shrasool has quit IRC
17:34 <ska> I used domain_name instead of domain_id in my policy file.
17:40 <lbragstad> ska here is what i did locally
17:40 <lbragstad> ska https://pasted.tech/pastes/d67d43b360d8d0476017f9728461364fd1a72b3c.raw
17:41 <lbragstad> ^ that's a copy of my policy file
17:41 <lbragstad> I kept all the default policies in place for writable operations and overrode get and list operations to have a "role:reader" string in the policy check
17:44 <ska> Is there a separate user for that reader role?
17:44 <lbragstad> here is a version without all the comments - https://pasted.tech/pastes/893fd8c419c4901eb3bce733f463d019ea84ae79.raw
17:44 <lbragstad> yep - pasting what i did to set that up
17:45 *** shrasool has joined #openstack-keystone
17:46 <lbragstad> ska https://pasted.tech/pastes/7f7b2664fa83c9e85fb0bd3e106416a0f4ea7bdb
17:46 <lbragstad> this is my clouds.yaml https://pasted.tech/pastes/b5faaf81672c01dea5837d5f0e76fab736246408.raw
17:46 *** dnguyen has joined #openstack-keystone
17:47 <lbragstad> so - my lbragstad user has the reader role and can do readable operations within keystone
17:49 <lbragstad> keep in mind, the policy i modified doesn't actually check what the user has a reader role on
17:49 *** jmlowe has quit IRC
17:49 <lbragstad> so - i'm able to list endpoints with a reader role on a project, which doesn't really make much sense
17:49 <lbragstad> but that's something that's being fixed with system scope
17:55 *** gyee has joined #openstack-keystone
18:09 *** shrasool has quit IRC
18:14 *** shrasool has joined #openstack-keystone
18:17 *** jmlowe has joined #openstack-keystone
18:29 *** dave-mccowan has joined #openstack-keystone
18:35 <ska> lbragstad: thanks for that. The only difference in my setup is that I'm attempting to set up a different domain.
18:36 <lbragstad> correct
18:37 <lbragstad> so - your "reader" policy rule is just a little more specific than mine, in that it's checking to make sure a specific role is on a specific domain in order to be a blue admin
18:37 <lbragstad> whereas mine is just looking for a specific role
18:37 <lbragstad> so - your blue_admin rule is requiring domain-scoped tokens in order to access the APIs protected by that policy
18:37 *** jmlowe has quit IRC
18:51 <kmalloc> lbragstad: here, after dr appt
18:51 <kmalloc> reading backscroll to make sure i didn't miss anything important
18:56 *** jmlowe has joined #openstack-keystone
19:15 <gagehugo> o/
19:22 <lbragstad> yo
19:25 <openstackgerrit> Ben Nemec proposed openstack/oslo.policy master: Fix sample config value when set_defaults is used  https://review.openstack.org/623292
19:55 *** shrasool has quit IRC
20:02 *** aojea has joined #openstack-keystone
20:07 *** aojea has quit IRC
20:12 *** rcernin has joined #openstack-keystone
20:24 *** david-lyle is now known as dklyle
20:59 *** dnguyen has quit IRC
21:01 *** dnguyen has joined #openstack-keystone
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role for users  https://review.openstack.org/605485
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member role user test coverage  https://review.openstack.org/623317
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in users API  https://review.openstack.org/623318
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for user API  https://review.openstack.org/623319
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain member functionality for user API  https://review.openstack.org/623320
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain admin functionality for user API  https://review.openstack.org/623321
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the user API  https://review.openstack.org/623322
21:16 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove user policies from policy.v3cloudsample.json  https://review.openstack.org/623323
21:16 <lbragstad> i broke that out of one big patch, so hopefully it's easier to review
21:16 <lbragstad> it also needs to consume newer versions of oslo.policy and oslo.context
21:16 *** jmlowe has quit IRC
21:23 *** jaosorior has quit IRC
21:24 <openstackgerrit> Ben Nemec proposed openstack/oslo.policy master: Fix sample config value when set_defaults is used  https://review.openstack.org/623292
21:35 <kmalloc> lbragstad: nice
21:37 <lbragstad> yeah - a lot of them are broken up and should be good to review
21:37 <lbragstad> there will be conflicts, but i can resolve them
21:37 <lbragstad> as necessary
21:42 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member role domain test coverage  https://review.openstack.org/605849
21:42 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in domains API  https://review.openstack.org/605850
21:42 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API  https://review.openstack.org/605851
21:42 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains  https://review.openstack.org/605871
21:42 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json  https://review.openstack.org/605876
21:42 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/623334
21:53 *** raildo has quit IRC
21:54 *** dnguyen has quit IRC
21:55 *** jmlowe has joined #openstack-keystone
21:58 *** dnguyen has joined #openstack-keystone
22:00 *** dnguyen has quit IRC
22:01 *** dnguyen has joined #openstack-keystone
22:02 *** dnguyen has quit IRC
22:07 *** dnguyen has joined #openstack-keystone
22:08 *** dnguyen has quit IRC
22:39 *** shrasool has joined #openstack-keystone
22:49 *** jdennis has quit IRC
23:04 *** shrasool has quit IRC
23:08 *** lbragstad has quit IRC
23:09 *** lbragstad has joined #openstack-keystone
23:09 *** ChanServ sets mode: +o lbragstad
23:26 *** erus has quit IRC
23:34 *** erus has joined #openstack-keystone
23:41 *** shrasool has joined #openstack-keystone
23:44 <openstackgerrit> Merged openstack/keystone master: Remove deprecated secure_proxy_ssl_header config  https://review.openstack.org/499798
23:44 <openstackgerrit> Merged openstack/keystone master: Add registered limit tests for system member role  https://review.openstack.org/621015
23:56 *** jdennis has joined #openstack-keystone

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!