*** jdennis has quit IRC | 00:00 | |
*** erus has quit IRC | 00:02 | |
*** erus has joined #openstack-keystone | 00:05 | |
openstackgerrit | Merged openstack/keystoneauth master: Change openstack-dev to openstack-discuss https://review.openstack.org/622765 | 00:16 |
*** jdennis has joined #openstack-keystone | 00:17 | |
*** gyee has quit IRC | 00:17 | |
*** raildo has quit IRC | 00:17 | |
*** dnguyen has quit IRC | 00:33 | |
*** jaosorior has quit IRC | 00:37 | |
*** Belgar81 has joined #openstack-keystone | 00:54 | |
*** markvoelker has quit IRC | 01:33 | |
*** sapd1 has quit IRC | 01:40 | |
*** sapd1 has joined #openstack-keystone | 01:40 | |
*** david-lyle has joined #openstack-keystone | 01:48 | |
*** itlinux has joined #openstack-keystone | 01:49 | |
*** dklyle has quit IRC | 01:51 | |
openstackgerrit | ayoung proposed openstack/keystone master: Alternative Replace UUID with id_generator for Federated users https://review.openstack.org/623117 | 01:59 |
openstackgerrit | ayoung proposed openstack/keystone master: Alternative Replace UUID with id_generator for Federated users https://review.openstack.org/623117 | 02:01 |
*** Dinesh_Bhor has joined #openstack-keystone | 02:16 | |
*** erus has quit IRC | 02:44 | |
*** erus has joined #openstack-keystone | 02:46 | |
*** imacdonn has quit IRC | 02:53 | |
*** erus has quit IRC | 02:53 | |
*** imacdonn has joined #openstack-keystone | 02:53 | |
*** erus has joined #openstack-keystone | 02:56 | |
*** Dinesh_Bhor has quit IRC | 03:15 | |
*** erus has quit IRC | 03:22 | |
*** erus has joined #openstack-keystone | 03:23 | |
*** Dinesh_Bhor has joined #openstack-keystone | 03:23 | |
*** erus has quit IRC | 03:29 | |
*** erus has joined #openstack-keystone | 03:35 | |
*** erus has quit IRC | 03:42 | |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Ensure change is addressed for unified limit table https://review.openstack.org/621497 | 03:47 |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Add domain_id column for limit https://review.openstack.org/620202 | 03:47 |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager https://review.openstack.org/621468 | 03:47 |
openstackgerrit | wangxiyuan proposed openstack/keystone master: [WIP]Add domain level limit support - API https://review.openstack.org/622773 | 03:47 |
*** erus has joined #openstack-keystone | 03:50 | |
*** erus has quit IRC | 03:57 | |
*** erus has joined #openstack-keystone | 04:05 | |
openstackgerrit | Merged openstack/oslo.policy master: Prevent sensitive target data from being logged https://review.openstack.org/623081 | 04:10 |
*** erus has quit IRC | 04:12 | |
*** erus has joined #openstack-keystone | 04:20 | |
*** erus has quit IRC | 04:26 | |
*** erus has joined #openstack-keystone | 04:35 | |
*** erus has quit IRC | 04:42 | |
*** erus has joined #openstack-keystone | 04:53 | |
*** erus has quit IRC | 05:26 | |
*** erus has joined #openstack-keystone | 05:28 | |
*** erus has quit IRC | 05:35 | |
*** Dinesh_Bhor has quit IRC | 05:36 | |
*** Dinesh_Bhor has joined #openstack-keystone | 05:42 | |
*** erus has joined #openstack-keystone | 05:43 | |
*** Dinesh_Bhor has quit IRC | 05:57 | |
*** erus has quit IRC | 06:04 | |
*** erus has joined #openstack-keystone | 06:05 | |
*** erus has quit IRC | 06:12 | |
*** Dinesh_Bhor has joined #openstack-keystone | 06:12 | |
*** Dinesh_Bhor has quit IRC | 06:18 | |
*** erus has joined #openstack-keystone | 06:20 | |
*** Dinesh_Bhor has joined #openstack-keystone | 06:36 | |
*** markvoelker has joined #openstack-keystone | 07:00 | |
*** markvoelker has quit IRC | 07:05 | |
openstackgerrit | Merged openstack/keystone master: Add registered limit protection tests https://review.openstack.org/621014 | 07:41 |
*** aojea has joined #openstack-keystone | 07:52 | |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Add domain level limit support - API https://review.openstack.org/622773 | 07:53 |
openstackgerrit | wangxiyuan proposed openstack/keystone master: [WIP] Add domain level support for strict-two-level-model https://review.openstack.org/623153 | 07:53 |
*** rcernin has quit IRC | 07:56 | |
*** pcaruana has joined #openstack-keystone | 07:58 | |
*** pcaruana is now known as muttley | 07:58 | |
*** aojea has quit IRC | 08:00 | |
*** rcernin has joined #openstack-keystone | 08:03 | |
*** awalende has joined #openstack-keystone | 08:13 | |
*** rcernin has quit IRC | 08:33 | |
*** Dinesh_Bhor has quit IRC | 08:41 | |
*** Dinesh_Bhor has joined #openstack-keystone | 08:54 | |
*** markvoelker has joined #openstack-keystone | 09:01 | |
*** awalende has quit IRC | 09:01 | |
*** awalende has joined #openstack-keystone | 09:02 | |
*** awalende has quit IRC | 09:06 | |
*** awalende has joined #openstack-keystone | 09:08 | |
*** nehaalhat has quit IRC | 09:22 | |
*** markvoelker has quit IRC | 09:34 | |
*** markvoelker has joined #openstack-keystone | 10:31 | |
*** mvkr has joined #openstack-keystone | 10:36 | |
*** Dinesh_Bhor has quit IRC | 10:37 | |
*** Belgar81 has quit IRC | 10:54 | |
*** markvoelker has quit IRC | 11:05 | |
*** awalende has quit IRC | 11:15 | |
*** awalende has joined #openstack-keystone | 11:20 | |
*** awalende has quit IRC | 11:24 | |
*** awalende has joined #openstack-keystone | 11:53 | |
*** awalende has quit IRC | 11:58 | |
*** awalende has joined #openstack-keystone | 12:09 | |
*** shrasool has joined #openstack-keystone | 12:23 | |
*** awalende has quit IRC | 12:29 | |
*** awalende has joined #openstack-keystone | 12:50 | |
*** muttley has quit IRC | 13:08 | |
*** rcernin has joined #openstack-keystone | 13:17 | |
*** awalende has quit IRC | 13:18 | |
*** muttley has joined #openstack-keystone | 13:21 | |
*** muttley has quit IRC | 13:25 | |
*** muttley has joined #openstack-keystone | 13:26 | |
*** rcernin has quit IRC | 13:29 | |
*** muttley has quit IRC | 13:29 | |
*** jdennis has quit IRC | 13:33 | |
*** pcaruana has joined #openstack-keystone | 13:34 | |
*** awalende has joined #openstack-keystone | 13:38 | |
*** pcaruana has quit IRC | 13:39 | |
*** awalende has quit IRC | 13:40 | |
*** awalende has joined #openstack-keystone | 13:41 | |
*** pcaruana has joined #openstack-keystone | 13:43 | |
*** erus has quit IRC | 13:44 | |
*** pcaruana has quit IRC | 13:47 | |
*** erus has joined #openstack-keystone | 13:47 | |
*** awalende has quit IRC | 13:52 | |
*** dr_gogeta86 has joined #openstack-keystone | 13:55 | |
dr_gogeta86 | hi guys | 13:55 |
dr_gogeta86 | anyone here got some experience with mod_auth_keystone | 13:56 |
*** awalende has joined #openstack-keystone | 14:01 | |
*** jdennis has joined #openstack-keystone | 14:02 | |
*** shrasool has quit IRC | 14:06 | |
*** raildo has joined #openstack-keystone | 14:11 | |
*** jaosorior has joined #openstack-keystone | 14:23 | |
*** jdennis has quit IRC | 14:24 | |
*** shrasool has joined #openstack-keystone | 14:27 | |
*** mchlumsky has joined #openstack-keystone | 14:30 | |
*** mchlumsky has quit IRC | 14:33 | |
*** mchlumsky has joined #openstack-keystone | 14:34 | |
*** jdennis has joined #openstack-keystone | 14:42 | |
bnemec | lbragstad: Do we need to release oslo.policy again then? | 14:44 |
lbragstad | bnemec yep - i can do that | 14:44 |
lbragstad | 1.44.0 or 1.43.1? | 14:45 |
bnemec | lbragstad: It's just a bug fix so I'd say 1.43.1. | 14:47 |
lbragstad | ok | 14:47 |
bnemec | Unless something else merged in the meantime, but I don't think so. | 14:47 |
*** awalende has quit IRC | 15:17 | |
*** shrasool has quit IRC | 15:22 | |
*** jhesketh has quit IRC | 15:34 | |
*** jhesketh has joined #openstack-keystone | 15:35 | |
*** erus has quit IRC | 15:51 | |
*** erus has joined #openstack-keystone | 15:52 | |
*** ska has joined #openstack-keystone | 16:05 | |
lbragstad | ska o/ | 16:05 |
lbragstad | this one? http://paste.debian.net/hidden/f9fb8a48/ | 16:05 |
ska | I'm working on some software that needs read-only access to various parts of Openstack's API. This is for various domains. http://paste.debian.net/hidden/f9fb8a48/ | 16:06 |
ska | It seems I only need to deal with Keystone, which is where my focus is now. | 16:07 |
lbragstad | ok | 16:07 |
lbragstad | in your paste, it looks like you're only giving blue user a role on blue project? | 16:08 |
lbragstad | that said... the blue users won't be able to list endpoints because they don't have the blue role on the blue domain | 16:10 |
lbragstad | at least I don't think, anyway | 16:10 |
*** takamatsu has quit IRC | 16:10 | |
ska | Is that not covered in my command: `openstack role add --project blue_project --user blue blue_role` ? | 16:13 |
lbragstad | good question | 16:13 |
ska | (btw: is there some way to highlight text?) | 16:13 |
lbragstad | so there, you're giving the blue user a role called blue_role on a project | 16:13 |
lbragstad | highlight test in paste? | 16:14 |
lbragstad | text* | 16:14 |
ska | yea. Maybe it's *client* dependent. | 16:15 |
lbragstad | for pasting content, i use https://pasted.tech/ | 16:16 |
lbragstad | which supports various syntax highlighting and has a command line client | 16:16 |
lbragstad | so ``cat /etc/keystone/policy.yaml | pasted`` returns a link to a raw paste | 16:17 |
lbragstad | (it's also hosted and maintained by cloudnull, so that's a plus) | 16:17 |
ska | It looks like I've also broken the admin account as well. | 16:22 |
lbragstad | how so? | 16:31 |
ska | I can't access anything when I source keystone_admin and try to do a: openstack network list (for example) | 16:33 |
ska | I think I need to add the admin_required into all the rules somehow. | 16:34 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Bump oslo.policy and oslo.context versions https://review.openstack.org/623248 | 16:35 |
ska | Similar to what is done in: https://docs.openstack.org/security-guide/identity/policies.html | 16:35 |
lbragstad | what's the policy for listing networks? | 16:36 |
lbragstad | "rule:blue_admin" ? | 16:36 |
*** erus has quit IRC | 16:37 | |
lbragstad | for that, you might be able to do "rule:blue_admin or rule:admin_required" | 16:38 |
*** erus has joined #openstack-keystone | 16:39 | |
*** shrasool has joined #openstack-keystone | 16:49 | |
ska | I didn't include one yet. Just the endpoints and services for now, mimicking that other URL. | 17:03 |
ska | My new iteration looks like: http://paste.debian.net/1054659/ . Now admin CAN list services. | 17:03 |
ska | But blue still cannot. | 17:03 |
openstackgerrit | Merged openstack/python-keystoneclient master: Add Python 3.6 classifier to setup.cfg https://review.openstack.org/621080 | 17:04 |
ska | Should my OS_USER_DOMAIN_NAME and OS_PROJECT_DOMAIN_NAME be the same? | 17:05 |
* lbragstad checks | 17:07 | |
lbragstad | your keystone_blue rc file is telling me you're still getting a project scoped token | 17:08 |
lbragstad | as far as i can tell, the blue_admin policy requires a domain-scoped token | 17:08 |
ska | lbragstad: Are you aware of any examples that provide a read-only access similar to what I am attempting? | 17:10 |
ska | That's probably all I need at this point. | 17:11 |
lbragstad | i'm not aware of any examples that do all of this in policy - but there are other people that do it | 17:11 |
lbragstad | (that's why we're trying to do this natively) | 17:11 |
lbragstad | you just want your blue user to be able to list everything, right? | 17:12 |
lbragstad | even system-specific resources? | 17:12 |
ska | Yes, and it can be a subset of all objects. It's a proof-of-concept where we say a read-only user with finite (list) permissions can access certain things. | 17:14 |
ska | I think I may have missed something in my domain/project/user creation. | 17:15 |
lbragstad | so - they should be able to read everything in the deployment? | 17:15 |
lbragstad | but they should only have writable access to what things? | 17:15 |
ska | No writable access is required. | 17:20 |
ska | This user is for monitoring only, no write/modify access. | 17:20 |
lbragstad | ah | 17:22 |
lbragstad | let me see if i can write up an example | 17:24 |
*** shrasool has quit IRC | 17:34 | |
ska | I used domain_name instead of domain_id in my policy file. | 17:34 |
lbragstad | ska here is what i did locally | 17:40 |
lbragstad | ska https://pasted.tech/pastes/d67d43b360d8d0476017f9728461364fd1a72b3c.raw | 17:40 |
lbragstad | ^ that's a copy of my policy file | 17:41 |
lbragstad | I kept all the default policies in place for writable operations and overrode get and list operations to have a "role:reader" string in the policy check | 17:41 |
ska | Is there a separate user for that reader role? | 17:44 |
lbragstad | here is a version without all the comments - https://pasted.tech/pastes/893fd8c419c4901eb3bce733f463d019ea84ae79.raw | 17:44 |
lbragstad | yep - pasting what i did to set that up | 17:44 |
*** shrasool has joined #openstack-keystone | 17:45 | |
lbragstad | ska https://pasted.tech/pastes/7f7b2664fa83c9e85fb0bd3e106416a0f4ea7bdb | 17:46 |
lbragstad | this is my clouds.yaml https://pasted.tech/pastes/b5faaf81672c01dea5837d5f0e76fab736246408.raw | 17:46 |
*** dnguyen has joined #openstack-keystone | 17:46 | |
lbragstad | so - my lbragstad user has the reader role and can do readable operations within keystone | 17:47 |
lbragstad | keep in mind, the policy i modified doesn't actually check what the user has a reader role on | 17:49 |
*** jmlowe has quit IRC | 17:49 | |
lbragstad | so - i'm able to list endpoints with a reader role on a project, which doesn't really make much sense | 17:49 |
lbragstad | but that's something that's being fixed with system scope | 17:49 |
*** gyee has joined #openstack-keystone | 17:55 | |
*** shrasool has quit IRC | 18:09 | |
*** shrasool has joined #openstack-keystone | 18:14 | |
*** jmlowe has joined #openstack-keystone | 18:17 | |
*** dave-mccowan has joined #openstack-keystone | 18:29 | |
ska | lbragstad: thanks for that. The only difference in my setup is that I'm attempting to setup a different domain. | 18:35 |
lbragstad | correct | 18:36 |
lbragstad | so - your "reader" policy rule is just a little more specific than mine, in that it's checking to make sure a specific role is on a specific domain in order to be a blue admin | 18:37 |
lbragstad | whereas mine is just looking for a specific role | 18:37 |
lbragstad | so - your blue_admin rule is requiring domain-scoped tokens in order to access the APIs protected by that policy | 18:37 |
*** jmlowe has quit IRC | 18:37 | |
kmalloc | lbragstad: here, after dr appt | 18:51 |
kmalloc | reading backscroll to make sure i didn't miss anything important | 18:51 |
*** jmlowe has joined #openstack-keystone | 18:56 | |
gagehugo | o/ | 19:15 |
lbragstad | yo | 19:22 |
openstackgerrit | Ben Nemec proposed openstack/oslo.policy master: Fix sample config value when set_defaults is used https://review.openstack.org/623292 | 19:25 |
*** shrasool has quit IRC | 19:55 | |
*** aojea has joined #openstack-keystone | 20:02 | |
*** aojea has quit IRC | 20:07 | |
*** rcernin has joined #openstack-keystone | 20:12 | |
*** david-lyle is now known as dklyle | 20:24 | |
*** dnguyen has quit IRC | 20:59 | |
*** dnguyen has joined #openstack-keystone | 21:01 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system reader role for users https://review.openstack.org/605485 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system member role user test coverage https://review.openstack.org/623317 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system admin role in users API https://review.openstack.org/623318 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for user API https://review.openstack.org/623319 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement domain member functionality for user API https://review.openstack.org/623320 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement domain admin functionality for user API https://review.openstack.org/623321 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the user API https://review.openstack.org/623322 | 21:16 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove user policies from policy.v3cloudsample.json https://review.openstack.org/623323 | 21:16 |
lbragstad | i broke that out of one big patch, so hopefully it's easier to review | 21:16 |
lbragstad | it also needs to consume newer versions of oslo.policy and oslo.context | 21:16 |
*** jmlowe has quit IRC | 21:16 | |
*** jaosorior has quit IRC | 21:23 | |
openstackgerrit | Ben Nemec proposed openstack/oslo.policy master: Fix sample config value when set_defaults is used https://review.openstack.org/623292 | 21:24 |
kmalloc | lbragstad: nice | 21:35 |
lbragstad | yeah - a lot of them are broken up and should be good to review | 21:37 |
lbragstad | there will be conflicts, but i can resolve them | 21:37 |
lbragstad | as necessary | 21:37 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system member role domain test coverage https://review.openstack.org/605849 | 21:42 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system admin role in domains API https://review.openstack.org/605850 | 21:42 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API https://review.openstack.org/605851 | 21:42 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains https://review.openstack.org/605871 | 21:42 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json https://review.openstack.org/605876 | 21:42 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system reader role in domains API https://review.openstack.org/623334 | 21:42 |
*** raildo has quit IRC | 21:53 | |
*** dnguyen has quit IRC | 21:54 | |
*** jmlowe has joined #openstack-keystone | 21:55 | |
*** dnguyen has joined #openstack-keystone | 21:58 | |
*** dnguyen has quit IRC | 22:00 | |
*** dnguyen has joined #openstack-keystone | 22:01 | |
*** dnguyen has quit IRC | 22:02 | |
*** dnguyen has joined #openstack-keystone | 22:07 | |
*** dnguyen has quit IRC | 22:08 | |
*** shrasool has joined #openstack-keystone | 22:39 | |
*** jdennis has quit IRC | 22:49 | |
*** shrasool has quit IRC | 23:04 | |
*** lbragstad has quit IRC | 23:08 | |
*** lbragstad has joined #openstack-keystone | 23:09 | |
*** ChanServ sets mode: +o lbragstad | 23:09 | |
*** erus has quit IRC | 23:26 | |
*** erus has joined #openstack-keystone | 23:34 | |
*** shrasool has joined #openstack-keystone | 23:41 | |
openstackgerrit | Merged openstack/keystone master: Remove deprecated secure_proxy_ssl_header config https://review.openstack.org/499798 | 23:44 |
openstackgerrit | Merged openstack/keystone master: Add registered limit tests for system member role https://review.openstack.org/621015 | 23:44 |
*** jdennis has joined #openstack-keystone | 23:56 |