Tuesday, 2018-12-18

00:02 *** itlinux has quit IRC
00:04 *** Emine has quit IRC
00:10 *** dave-mccowan has joined #openstack-keystone
00:18 *** dave-mccowan has quit IRC
00:34 *** Emine has joined #openstack-keystone
00:53 *** dmellado has joined #openstack-keystone
01:18 *** gyee has quit IRC
01:48 *** Dinesh_Bhor has joined #openstack-keystone
01:54 *** erus has quit IRC
01:55 *** Dinesh_Bhor has quit IRC
02:00 *** Emine has quit IRC
02:22 *** mhen has quit IRC
02:25 *** mhen has joined #openstack-keystone
02:44 *** erus has joined #openstack-keystone
02:57 *** Dinesh_Bhor has joined #openstack-keystone
03:10 *** Dinesh_Bhor has quit IRC
03:18 *** Dinesh_Bhor has joined #openstack-keystone
03:25 *** rcernin has quit IRC
03:27 *** rcernin has joined #openstack-keystone
03:28 *** rcernin has quit IRC
03:28 *** rcernin has joined #openstack-keystone
03:43 *** Dinesh_Bhor has quit IRC
04:10 *** Dinesh_Bhor has joined #openstack-keystone
05:14 *** kmalloc has quit IRC
05:45 *** itlinux has joined #openstack-keystone
06:23 *** gagehugo has quit IRC
06:35 *** mgagne_ has quit IRC
06:39 *** mgagne has joined #openstack-keystone
07:01 *** Dinesh_Bhor has quit IRC
07:03 *** Dinesh_Bhor has joined #openstack-keystone
07:29 *** imacdonn has quit IRC
07:29 *** imacdonn has joined #openstack-keystone
08:20 *** gagehugo has joined #openstack-keystone
08:21 *** Dinesh_Bhor has quit IRC
08:27 *** Dinesh_Bhor has joined #openstack-keystone
08:38 *** amoralej|off is now known as amoralej
09:05 *** Dinesh_Bhor has quit IRC
09:18 *** rcernin has quit IRC
09:25 *** Dinesh_Bhor has joined #openstack-keystone
09:42 *** xek has joined #openstack-keystone
10:02 *** Dinesh_Bhor has quit IRC
10:11 *** erus has quit IRC
10:17 *** gary_perkins has joined #openstack-keystone
10:32 *** yan0s has joined #openstack-keystone
10:34 *** Dinesh_Bhor has joined #openstack-keystone
10:36 *** Dinesh_Bhor has quit IRC
11:37 *** jmlowe has quit IRC
11:41 *** jmlowe has joined #openstack-keystone
11:46 *** ileixe has joined #openstack-keystone
11:49 <ileixe> hi folks
12:01 *** raildo has joined #openstack-keystone
13:12 *** jrist has quit IRC
13:17 *** imus has joined #openstack-keystone
13:30 *** jrist has joined #openstack-keystone
13:35 *** yan0s has quit IRC
13:50 *** yan0s has joined #openstack-keystone
13:50 *** amoralej is now known as amoralej|lunch
13:55 *** ileixe_ has joined #openstack-keystone
13:56 *** ayoung has quit IRC
14:17 *** ileixe_ has quit IRC
14:18 *** yan0s has quit IRC
14:22 <lbragstad> o/
14:22 <cmurphy> \o
14:36 *** yan0s has joined #openstack-keystone
14:43 *** amoralej|lunch is now known as amoralej
14:58 *** ileixe_ has joined #openstack-keystone
15:00 *** itlinux has quit IRC
15:07 *** wxy| has joined #openstack-keystone
15:22 *** mchlumsky has joined #openstack-keystone
15:24 <lbragstad> pretty easy review if anyone wants to take a look https://review.openstack.org/#/c/624972/
15:25 <cmurphy> ugh damn
15:30 * lbragstad is a troll
15:30 <lbragstad> i figured you'd be the one to bite, too
15:31 <cmurphy> it's that point in the afternoon where i can only handle easy tasks
15:32 <lbragstad> yeah... i hear ya
15:32 <lbragstad> i hit that yesterday
15:32 <lbragstad> afternoon
15:34 *** mchlumsky has quit IRC
15:47 *** mchlumsky has joined #openstack-keystone
15:54 *** ileixe has quit IRC
15:54 *** ileixe_ is now known as ileixe
15:59 *** yan0s has quit IRC
16:04 *** itlinux has joined #openstack-keystone
16:08 *** itlinux_ has joined #openstack-keystone
16:12 *** itlinux has quit IRC
16:13 *** dave-mccowan has joined #openstack-keystone
16:18 *** dave-mccowan has quit IRC
16:26 *** spa-87 has joined #openstack-keystone
16:26 *** dave-mccowan has joined #openstack-keystone
16:34 *** jonher has quit IRC
16:35 *** jonher has joined #openstack-keystone
16:36 *** jonher has quit IRC
16:37 *** jonher has joined #openstack-keystone
16:40 *** jonher_ has joined #openstack-keystone
16:43 *** jonher has quit IRC
16:43 *** jonher_ is now known as jonher
17:01 <ileixe> @lbragstad hello
17:01 <gagehugo> ileixe: restrict resources per project right?
17:01 <lbragstad> o/
17:02 <ileixe> yes exactly
17:02 <ileixe> we can only restrict per a single project and we need a grouping scheme
17:03 *** wxy| has quit IRC
17:05 <lbragstad> so - you want to tag a project with something and that only allows certain users to call that api in neutron?
17:05 <ileixe> yes. a user in a project with a tag can only access the resource matching the tag
17:06 <ileixe> users in the dev project only access dev_network for example
17:06 <lbragstad> are networks in neutron not project-specific?
17:06 <ileixe> yes, provider network
17:06 <ileixe> we have a giant provider network
17:07 <ileixe> all users can access the network since it has the shared tag
17:07 <ileixe> I'm not sure it's a general architecture, but we are currently operating like that.
17:08 <lbragstad> ok - so you have a provider network that maps to some physical network space, which is shared across all projects...
17:08 <ileixe> yes exactly
17:08 <gagehugo> ah
17:09 <lbragstad> retracing steps here, but you have two of them, then?
17:10 <lbragstad> you have one for prod and one for dev
17:10 <ileixe> yes
17:10 <lbragstad> but you don't have prod or dev projects, instead you may have project foo which is tagged as 'dev' and project bar which is tagged as 'prod'
17:11 <ileixe> we have many projects
17:11 <ileixe> projects are not restricted to 'dev', 'prod'
17:11 <ileixe> conceptually they belong to 'dev', 'prod' though..
17:11 <lbragstad> ok - but it sounds like you're using tags to control access to which provider network needs to be used for a given project?
17:12 <ileixe> yes
17:12 <gagehugo> so a dev & prod domain?
17:12 <ileixe> From my understanding
17:12 <ileixe> domain scope has separate users right?
17:12 <lbragstad> yeah - i guess that would require neutron to treat provider networks as domain-specific resources
17:13 <ileixe> but I think we want global scope for users.
17:13 <ileixe> a user can access dev resources, prod resources
17:13 <ileixe> the project is a container for ACL
17:14 <lbragstad> if you have production instances, those have to live in a 'prod' project though?
17:14 <lbragstad> or production volumes
17:15 <ileixe> yes
17:15 <lbragstad> so production resources are still scoped to a project
17:16 <ileixe> Um.. but in fact currently one project can access prod/dev at the same time
17:16 <ileixe> the admin project for example..
17:17 <ileixe> so my point is a project can be tagged 'dev' or 'prod' or ['dev', 'prod']
17:17 <lbragstad> you mean someone with a token scoped to the admin project can access prod and dev resources?
17:18 <ileixe> conceptually admin
17:18 <lbragstad> that kinda sounds like system scope
17:18 <lbragstad> not totally, but a little
17:19 <ileixe> yes I will investigate that more
17:19 <ileixe> i will
17:19 <lbragstad> traditionally, keystone doesn't really allow you to view resources from multiple projects at once
17:19 <ileixe> yes, our architecture seems to be a little weird..
17:20 *** spa-87 has quit IRC
17:20 <lbragstad> but - currently, tokens to the admin project can theoretically do that kind of thing (e.g., GET /v2/servers?all_tenants=True)
17:20 <ileixe> yes
17:21 <lbragstad> and i'm sure you're aware, tokens scoped to the admin project also allow you to manage things like hypervisors, services, endpoints, etc...
17:21 <lbragstad> system scope is an attempt to solve the second case
17:22 <lbragstad> where resources that are specific to the infrastructure of the deployment have a construct that protects them in the same way instances are accessible with project-scoped tokens
17:23 <ileixe> sounds good
17:23 <ileixe> Can I use the system scope for our 'dev' 'prod' concept?
17:23 <lbragstad> for some things, maybe
17:23 <ileixe> Actually we mapped the 'dev'/'prod' things to nova aggregates also
17:24 <ileixe> I will be very happy to use a general building block for the purpose
17:24 <lbragstad> do you expose resources tagged with ['dev', 'prod'] to end users/customers?
17:24 <ileixe> yes
17:25 <ileixe> it's mapped to a nova availability zone
17:25 <ileixe> so the end user can choose
17:25 <ileixe> (when they are in a project with both tags)
17:25 <lbragstad> are they allowed to make writeable changes to those resources?
17:25 <ileixe> no
17:25 <lbragstad> ok
17:25 <ileixe> change is not allowed
17:25 <ileixe> it's for admin
17:26 <lbragstad> so you reserve that information for people managing the deployment - got it
17:26 <ileixe> yep
17:26 <lbragstad> s/information/functionality/
17:26 <lbragstad> i'm not sure if you've stumbled across this information yet
17:26 <lbragstad> but we do have some documentation that details the concepts a little better than what i described
17:26 <lbragstad> https://docs.openstack.org/keystone/latest/admin/tokens.html
17:27 <lbragstad> http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html (specification)
17:27 <lbragstad> http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-security-roadmap.html (conceptual overview of how all this should work together)
17:27 <ileixe> Thanks I will go through the specs
17:27 <lbragstad> http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals.html (more conceptual overview)
17:28 <lbragstad> sounds good - come back and ask questions if you have any
17:28 <ileixe> Thanks, it's a very precise time for me
17:28 <ileixe> And can I ask you one more question..?
17:28 <ileixe> it's not about the issue we talked about though
17:29 <lbragstad> sure
17:29 <ileixe> It's about configurable jsonschema
17:29 <ileixe> I found you were the author of https://bugs.launchpad.net/keystone/+bug/1599546
17:29 <openstack> Launchpad bug 1599546 in OpenStack Identity (keystone) "Make validation patterns configurable" [Low,Opinion]
17:30 <ileixe> and it's exactly what we want
17:30 <ileixe> Was it abandoned at all?
17:30 <lbragstad> do you want configurable jsonschema for all of keystone's API?
17:30 <ileixe> What we want for now is
17:30 <ileixe> project
17:30 <ileixe> name
17:31 <lbragstad> mmm
17:31 <ileixe> but we also have
17:31 <ileixe> many general cases
17:31 <ileixe> for other projects of course
17:31 <ileixe> e.g. instance name for nova
17:31 <lbragstad> so.. iirc that bug was specific to a couple special cases
17:32 <lbragstad> for example, we let operators configure password strength using a regex
17:32 <ileixe> um..
17:32 <ileixe> but I think it's general enough for operators
17:32 <ileixe> they ask me a lot
17:32 <ileixe> to restrict the name of instance, name of project, all the other things..
17:33 <lbragstad> the effort wasn't abandoned
17:33 <ileixe> imho, at least it's worth giving the config..
17:33 <ileixe> then can i pursue it?
17:34 <ileixe> I really want the feature.
17:34 <lbragstad> kmalloc (he's on vacation currently) might have ideas on how to achieve this with user options, too
17:35 <lbragstad> https://bugs.launchpad.net/keystone/+bug/1599546/comments/5
17:35 <openstack> Launchpad bug 1599546 in OpenStack Identity (keystone) "Make validation patterns configurable" [Low,Opinion]
17:35 <ileixe> Okay then I will ask him later.
17:36 <ileixe> Many thanks lbragstad!
17:36 <lbragstad> ileixe no problem - thanks for swinging by
17:36 <ileixe> See you later :)
17:36 <lbragstad> o/
17:39 <lbragstad> zzzeek o/
17:39 <zzzeek> lbragstad: hey
17:39 <lbragstad> curious if you'd be able to take a peek at a sql-specific question we have on https://review.openstack.org/#/c/623928/3
17:40 <lbragstad> er... https://review.openstack.org/#/c/623928/2
17:40 <zzzeek> lbragstad: ok
17:43 <zzzeek> lbragstad: i think i answered what was asked
17:43 <zzzeek> you wanted to know if the ORDER BY would have negative perf impact
17:43 <zzzeek> i assume
17:43 * lbragstad checks
17:43 <lbragstad> so order_by sounds like a valid solution, pending we can recreate the issue
17:44 <zzzeek> lbragstad: if you are doing any kind of LIMIT on this query then ORDER BY is mandatory
17:49 <lbragstad> and if ``keystone.conf [identity] list_limit = 0`` then order_by is still negligible?
17:49 *** jmlowe has quit IRC
17:50 <lbragstad> that case apparently isn't affected according to https://bugs.launchpad.net/keystone/+bug/1807805
17:50 <openstack> Launchpad bug 1807805 in OpenStack Identity (keystone) "User list returns "none" for some user names" [Undecided,In progress] - Assigned to Zhongcheng Lao (zlao)
17:53 *** imus has quit IRC
17:54 *** ileixe has quit IRC
18:00 * bnemec suspects Lance will never ping him in a keystone meeting again
18:00 * bnemec hums Wrecking Ball :-)
18:02 <nsmeds> strange error started occurring https://gist.github.com/nikosmeds/93859f274a7332bd3f4a076981140eee
18:02 <nsmeds> the same command without `--names` is successful
18:03 <nsmeds> and not seeing anything related in keystone logs
18:05 <nsmeds> recall updating `openstacksdk` last week, possibly introduced the issue
18:06 *** jmlowe has joined #openstack-keystone
18:12 <lbragstad> bnemec lol - not at all
18:12 <lbragstad> bnemec i'm going to step away for lunch quick, but if you want to keep going through the upgrade path re: policy let me know
18:14 <bnemec> lbragstad: Yeah, I haven't come up with anything great. Just the possibility of running the check twice, once with the or and once without.
18:14 <bnemec> Which I don't love.
18:15 <bnemec> It's complicated and potentially a significant amount of extra load.
18:15 <lbragstad> yeah
18:16 <lbragstad> we also had https://review.openstack.org/#/c/614195/ which uncovered some other use cases
18:16 * lbragstad biab
18:21 *** itlinux_ has quit IRC
18:21 *** jmlowe has quit IRC
18:21 *** itlinux has joined #openstack-keystone
18:22 *** jmlowe has joined #openstack-keystone
18:36 *** jmlowe has quit IRC
18:43 *** jmlowe has joined #openstack-keystone
18:48 *** gyee has joined #openstack-keystone
18:53 *** jmlowe has quit IRC
19:21 *** jmlowe has joined #openstack-keystone
19:53 *** jmlowe has quit IRC
19:57 *** amoralej is now known as amoralej|off
20:01 *** jdennis has quit IRC
20:11 *** jmlowe has joined #openstack-keystone
20:56 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add scope checks to common system role definitions  https://review.openstack.org/626007
20:57 <lbragstad> cmurphy don't feel you need to review it now - but I can start rebasing things on ^ (re: upgrade path from today's meeting)
20:57 <cmurphy> lbragstad: mmk will look tomorrow
20:58 <lbragstad> thanks
21:04 <openstackgerrit> Merged openstack/keystone master: Reorganize admin guide  https://review.openstack.org/624972
21:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system reader  https://review.openstack.org/619329
21:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add endpoint tests for system member role  https://review.openstack.org/619330
21:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system admin  https://review.openstack.org/619331
21:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints  https://review.openstack.org/619332
21:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints  https://review.openstack.org/619281
21:18 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json  https://review.openstack.org/619333
21:22 *** rcernin has joined #openstack-keystone
21:36 *** raildo has quit IRC
21:37 *** rcernin has quit IRC
21:50 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add scope checks to common system role definitions  https://review.openstack.org/626007
21:50 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update role policies for system admin  https://review.openstack.org/622526
21:50 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with roles  https://review.openstack.org/622527
21:50 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with roles  https://review.openstack.org/622528
21:50 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove role policies from policy.v3cloudsample.json  https://review.openstack.org/622529
21:50 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Reuse common system role definitions for roles API  https://review.openstack.org/626023
21:52 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system reader  https://review.openstack.org/619329
21:52 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add endpoint tests for system member role  https://review.openstack.org/619330
21:52 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update endpoint policies for system admin  https://review.openstack.org/619331
21:52 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints  https://review.openstack.org/619332
21:52 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints  https://review.openstack.org/619281
21:52 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json  https://review.openstack.org/619333
21:52 *** jdennis has joined #openstack-keystone
22:04 *** rcernin has joined #openstack-keystone
22:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add region protection tests for system readers  https://review.openstack.org/619085
22:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add region tests for system member role  https://review.openstack.org/619086
22:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update region policies to use system admin  https://review.openstack.org/619241
22:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with regions  https://review.openstack.org/619242
22:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with regions  https://review.openstack.org/619243
22:04 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove region policies from policy.v3cloudsample.json  https://review.openstack.org/619244
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with registered limits  https://review.openstack.org/621017
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with registered limits  https://review.openstack.org/621018
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove registered limit policies from policy.v3cloudsample.json  https://review.openstack.org/621019
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add limit protection tests  https://review.openstack.org/621020
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add limit tests for system member role  https://review.openstack.org/621021
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update limit policies for system admin  https://review.openstack.org/621022
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with limits  https://review.openstack.org/621023
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.openstack.org/621024
22:28 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.openstack.org/621025
22:29 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Use common system role definitions for registered limits  https://review.openstack.org/626028
22:37 *** rcernin has quit IRC
22:41 *** rcernin has joined #openstack-keystone
22:43 *** rcernin has quit IRC
22:45 *** rcernin has joined #openstack-keystone
22:56 *** itlinux has quit IRC
23:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update protocol policies for system reader  https://review.openstack.org/625352
23:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add protocol tests for system member role  https://review.openstack.org/625353
23:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in protocol API  https://review.openstack.org/625354
23:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with protocols  https://review.openstack.org/625355
23:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with protocols  https://review.openstack.org/625356
23:10 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove protocol policies from v3cloudsample.json  https://review.openstack.org/625357
23:15 *** jdennis has quit IRC
23:20 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update mapping policies for system reader  https://review.openstack.org/619612
23:20 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add mapping tests for system member role  https://review.openstack.org/619613
23:20 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update mapping policies for system admin  https://review.openstack.org/619614
23:20 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with mappings  https://review.openstack.org/619615
23:20 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with mappings  https://review.openstack.org/619616
23:20 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove mapping policies from policy.v3cloudsample.json  https://review.openstack.org/619617
23:31 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update idp policies for system reader  https://review.openstack.org/619371
23:31 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add idp tests for system member role  https://review.openstack.org/619372
23:31 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update idp policies for system admin  https://review.openstack.org/619373
23:31 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with idps  https://review.openstack.org/619374
23:31 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with idps  https://review.openstack.org/619375
23:31 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove idp policies from policy.v3cloudsample.json  https://review.openstack.org/619376
23:37 <lbragstad> wxy-xiyuan because we're not deprecating the policies here - we're gonna see some failures i think https://review.openstack.org/#/c/626028/1
23:37 * lbragstad wanders off for a bit
23:56 *** dave-mccowan has quit IRC
