*** erus has joined #openstack-keystone | 01:02 | |
*** dave-mccowan has quit IRC | 01:23 | |
*** markvoelker has quit IRC | 01:26 | |
*** markvoelker has joined #openstack-keystone | 01:26 | |
*** markvoelker has quit IRC | 01:31 | |
*** mhen has quit IRC | 02:06 | |
*** mhen has joined #openstack-keystone | 02:12 | |
*** markvoelker has joined #openstack-keystone | 02:27 | |
*** dave-mccowan has joined #openstack-keystone | 02:50 | |
*** markvoelker has quit IRC | 02:50 | |
*** markvoelker has joined #openstack-keystone | 02:50 | |
*** jrist has quit IRC | 03:07 | |
*** cfriesen has quit IRC | 03:30 | |
*** dave-mccowan has quit IRC | 04:56 | |
*** whoami-rajat has joined #openstack-keystone | 05:05 | |
*** erus has quit IRC | 05:06 | |
*** erus has joined #openstack-keystone | 05:07 | |
*** markvoelker has quit IRC | 05:17 | |
*** markvoelker has joined #openstack-keystone | 05:49 | |
*** shyamb has joined #openstack-keystone | 05:51 | |
*** shyamb has quit IRC | 05:58 | |
*** shyamb has joined #openstack-keystone | 06:16 | |
*** markvoelker has quit IRC | 06:22 | |
*** markvoelker has joined #openstack-keystone | 06:23 | |
*** markvoelker has quit IRC | 06:27 | |
*** shyamb has quit IRC | 07:06 | |
*** rcernin has quit IRC | 07:09 | |
*** shyamb has joined #openstack-keystone | 07:22 | |
*** shyamb has quit IRC | 08:12 | |
*** markvoelker has joined #openstack-keystone | 08:23 | |
*** shyamb has joined #openstack-keystone | 08:51 | |
*** xek has joined #openstack-keystone | 08:51 | |
*** whoami-rajat has quit IRC | 09:13 | |
*** whoami-rajat has joined #openstack-keystone | 09:25 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Remove duplicate RBAC logging from enforcer https://review.openstack.org/624799 | 09:40 |
*** shyamb has quit IRC | 09:41 | |
*** shyamb has joined #openstack-keystone | 09:41 | |
openstackgerrit | wangxiyuan proposed openstack/keystone master: Invalidate shadow_federated_user cache when deleting protocol https://review.openstack.org/628132 | 09:42 |
openstackgerrit | wangxiyuan proposed openstack/keystone-tempest-plugin master: Clean up the auto generated domain https://review.openstack.org/579063 | 09:43 |
*** shyamb has quit IRC | 09:50 | |
*** sayalilunkad has joined #openstack-keystone | 10:04 | |
*** shyamb has joined #openstack-keystone | 10:49 | |
*** erus has quit IRC | 11:07 | |
*** erus has joined #openstack-keystone | 11:09 | |
openstackgerrit | weizj proposed openstack/python-keystoneclient master: Update hacking version https://review.openstack.org/627713 | 11:12 |
*** shyamb has quit IRC | 11:16 | |
*** erus has quit IRC | 11:16 | |
*** erus has joined #openstack-keystone | 11:21 | |
*** erus has quit IRC | 11:28 | |
*** erus has joined #openstack-keystone | 11:36 | |
*** shyamb has joined #openstack-keystone | 11:40 | |
*** erus has quit IRC | 11:43 | |
*** whoami-rajat has quit IRC | 11:43 | |
*** erus has joined #openstack-keystone | 11:50 | |
*** erus has quit IRC | 11:56 | |
*** erus has joined #openstack-keystone | 12:07 | |
*** raildo has joined #openstack-keystone | 12:13 | |
openstackgerrit | Moisés Guimarães proposed openstack/oslo.policy master: Fixes file access using with statements. https://review.openstack.org/628165 | 12:29 |
openstackgerrit | Moisés Guimarães proposed openstack/oslo.policy master: Fixes file access using with statements. https://review.openstack.org/628165 | 12:30 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: [WIP] Add API changes for app cred capabilities https://review.openstack.org/628168 | 12:39 |
openstackgerrit | Moisés Guimarães proposed openstack/oslo.policy master: Add ability for policy-checker to read configuration https://review.openstack.org/616659 | 12:42 |
*** szaher has joined #openstack-keystone | 12:50 | |
*** shyamb has quit IRC | 13:04 | |
*** dave-mccowan has joined #openstack-keystone | 13:18 | |
*** markvoelker has quit IRC | 13:18 | |
*** markvoelker has joined #openstack-keystone | 13:20 | |
*** whoami-rajat has joined #openstack-keystone | 13:30 | |
*** lbragstad has joined #openstack-keystone | 13:58 | |
*** ChanServ sets mode: +o lbragstad | 13:58 | |
lbragstad | o/ | 13:58 |
cmurphy | \o | 13:58 |
*** GregWaines has joined #openstack-keystone | 13:58 | |
cmurphy | for anyone back from vacation, i have a doc fix series that i'd like to get in since i think it will help erus a lot https://review.openstack.org/#/q/topic:bug/1793374 | 14:01 |
cmurphy | erus: if you want to review that ^ too to see if it makes any sense that would be great too :) | 14:01 |
lbragstad | sounds good - i'll take a look today | 14:02 |
cmurphy | lbragstad: i also left a couple of questions on your default roles changes for service provider, if you answer those i'll go through the rest of the stack | 14:03 |
lbragstad | sweet | 14:03 |
*** jistr is now known as jistr|mtg | 14:04 | |
lbragstad | i'll put that on my list, too | 14:04 |
erus | Hi everyone, happy new year | 14:38 |
erus | cmurphy: I've already been checking it since you started to propose it :D thanks it has helped me o/ | 14:40 |
cmurphy | erus: great :D | 14:40 |
cmurphy | erus: feel free to leave comments and votes if you like | 14:40 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: [WIP] Add API changes for app cred capabilities https://review.openstack.org/628168 | 14:42 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: [WIP] Add manager support for app cred capabilities https://review.openstack.org/628193 | 14:42 |
erus | Ok ok :) btw I couldn't achieve the external authentication yet, not sure what I am missing, I'm going to review what I did step by step again | 14:42 |
cmurphy | erus: okay, let me know if you can't figure it out and we can walk through it | 14:47 |
erus | Yay thanks, I think it's with entity ID, not sure why, the error says entity ID missing, the error before that was a missing path to the metadata file | 14:48 |
cmurphy | erus: "missing entity ID" usually means it didn't hit the right path in your apache config, check that all the <Location ...> thingies are right | 14:50 |
*** lbragstad has quit IRC | 14:50 | |
erus | Ok I'll check that | 14:53 |
*** lbragstad has joined #openstack-keystone | 14:53 | |
*** ChanServ sets mode: +o lbragstad | 14:53 | |
*** jistr|mtg is now known as jistr | 14:55 | |
gagehugo | o/ | 14:55 |
*** cfriesen has joined #openstack-keystone | 15:14 | |
*** GregWaines has quit IRC | 15:30 | |
lbragstad | hey gagehugo | 15:33 |
openstackgerrit | Moisés Guimarães proposed openstack/oslo.policy master: Fixes is_admin type from StrOpt to BoolOpt. https://review.openstack.org/628207 | 15:39 |
*** whoami-rajat has quit IRC | 15:39 | |
gagehugo | lbragstad: o/ | 15:41 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Update service provider policies for system admin https://review.openstack.org/620158 | 15:46 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with sps https://review.openstack.org/620159 | 15:46 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with sps https://review.openstack.org/620160 | 15:46 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove service provider policies from v3cloudsample.json https://review.openstack.org/620161 | 15:46 |
*** xek_ has joined #openstack-keystone | 15:46 | |
*** xek has quit IRC | 15:48 | |
*** itlinux has joined #openstack-keystone | 16:40 | |
openstackgerrit | weizj proposed openstack/python-keystoneclient master: Update hacking version https://review.openstack.org/627713 | 16:46 |
*** erus has quit IRC | 16:50 | |
*** erus has joined #openstack-keystone | 16:51 | |
*** gyee has joined #openstack-keystone | 17:25 | |
*** imacdonn has quit IRC | 17:59 | |
*** imacdonn has joined #openstack-keystone | 17:59 | |
*** bnemec has quit IRC | 18:13 | |
*** whoami-rajat has joined #openstack-keystone | 18:25 | |
*** bnemec has joined #openstack-keystone | 18:26 | |
*** bnemec has quit IRC | 18:30 | |
*** bnemec has joined #openstack-keystone | 18:34 | |
*** bnemec has quit IRC | 18:39 | |
*** bnemec has joined #openstack-keystone | 18:52 | |
*** bnemec has quit IRC | 18:58 | |
gyee | lbragstad, we no longer permanently invalidate the project-scoped token when the project domain is disabled, and then subsequently re-enabled? | 19:10 |
gyee | I thought we always issue a new token when that happens, when did the design change? | 19:10 |
lbragstad | correct | 19:11 |
lbragstad | i want to say that happened around the fernet time frame | 19:11 |
gyee | oh | 19:11 |
lbragstad | iirc - uuid tokens needed a revocation event | 19:11 |
lbragstad | but with fernet, we validate all the information about the authentication context online | 19:11 |
lbragstad | at validation time | 19:11 |
gyee | in real time | 19:12 |
lbragstad | yep - exactly | 19:12 |
gyee | ok, good, thanks for the confirmation | 19:12 |
lbragstad | i also recall having discussions about whether or not that was a good thing to do | 19:12 |
lbragstad | but at the time, i don't think we could come up with a valid use case for keeping a token revoked after a domain was re-enabled (thus making the token valid again) | 19:13 |
gyee | I don't remember that far :-) | 19:13 |
lbragstad | but we saw the benefit of not needing yet another revocation event and non-persistence | 19:13 |
lbragstad | it kinda scares me that i do... | 19:14 |
gyee | but so as long as we specify that in the API contract, we should be good | 19:14 |
gyee | as the behavior is inconsistent | 19:14 |
*** bnemec has joined #openstack-keystone | 19:14 | |
gyee | API behavior should not be dictated by the backend configuration | 19:14 |
lbragstad | right | 19:21 |
lbragstad | but - no that we don't support a persistent token provider, it isn't ;) | 19:21 |
lbragstad | s/no/now/ | 19:22 |
*** irclogbot_1 has quit IRC | 19:24 | |
*** irclogbot_1 has joined #openstack-keystone | 19:27 | |
gyee | there's only one token provider now so we're good :-) | 19:42 |
aning_ | lbragstad: At Berlin summit, kmalloc (I don't see him logged in) talked about predictable user ID and project ID generation in "Pushing Keystone over the Edge" | 20:04 |
aning_ | lbragstad: is it planned already? Is there a blueprint for it? | 20:04 |
aning_ | lbragstad: I found this one "https://blueprints.launchpad.net/keystone/+spec/admin-to-create-project-with-id" | 20:05 |
aning_ | lbragstad: but it doesn't seem to be the same as what kmalloc talked about. | 20:05 |
lbragstad | aning_ no - i think that is a stale specification from previous discussions | 20:06 |
lbragstad | part of the work knikolla, kmalloc, and ayoung talked about is written up here - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/explicit-domains-ids.html | 20:07 |
aning_ | It seems to be only for domain ID, but not user IDs and project IDs. | 20:11 |
ayoung | aning_, you need it only for domain IDs so long as the external portion of the user id is consistent | 20:12 |
ayoung | we want the ids to be predictable, not to be human chosen editable | 20:13 |
*** raildo has quit IRC | 20:14 | |
aning_ | ayoung: Does predictable mean I can tell the ID of a user or project before making a call to the region? | 20:14 |
ayoung | aning_, yes | 20:15 |
ayoung | aning_, userid = sha256 (domainid, federated_user_name) | 20:15 |
ayoung | roughly that | 20:15 |
aning_ | ayoung: ha, that's what I thought. Maybe it's uuid5(domainid, federated_user_name)? | 20:16 |
ayoung | aning_, well, yes, ldap is that today, I think | 20:17 |
ayoung | we are talking about expanding it for projects, and to be able to update the hash algo | 20:17 |
aning_ | ayoung: would like to see both user and project covered. | 20:18 |
ayoung | me too | 20:18 |
aning_ | ayoung: Will project ID be in stein? | 20:30 |
*** whoami-rajat has quit IRC | 20:35 | |
ayoung | aning_, no idea. I am not coding full time anymore, so I can't make it happen | 20:39 |
*** xek_ has quit IRC | 21:07 | |
aning_ | ayoung: fair enough. Thanks. | 21:11 |
gyee | lbragstad, the response code for invalid token seems to have changed as well, used to be 401, but now it's 404. Was that change around fernet token timeframe? | 21:13 |
lbragstad | possibly | 21:14 |
lbragstad | how are you invalidating the token? | 21:14 |
gyee | just removing the role assignment | 21:16 |
gyee | used to be 401 | 21:16 |
aning_ | 404 is a user or project not found. | 21:17 |
aning_ | 401 is unauthorized. | 21:17 |
gyee | right, used to be 401 for invalid token | 21:18 |
aning_ | as far as I know, if you use a token but the user is gone, you got a 404. | 21:18 |
aning_ | if you send an expired token, you probably still get a 401 | 21:18 |
openstackgerrit | Merged openstack/python-keystoneclient master: Update hacking version https://review.openstack.org/627713 | 21:24 |
gyee | I remembered the design philosophy behind returning 401 for all invalid tokens was to not leak internal information. | 21:24 |
lbragstad | gyee https://review.openstack.org/#/c/277436/ | 21:43 |
lbragstad | looks like the opposite, but for the same reason | 21:48 |
gyee | ah damn | 21:49 |
gyee | lbragstad, 404 then | 21:49 |
gyee | thanks for digging up that one | 21:49 |
lbragstad | git blame pinned me again | 21:50 |
lbragstad | but, you were on that review, too :) | 21:51 |
gyee | /facepalm | 21:52 |
aning_ | gyee: Sorry I missed the way you invalidate the token. | 22:14 |
aning_ | I do see 404 when a user or project is removed. But that's not related to your case. | 22:14 |
*** itlinux has quit IRC | 22:24 | |
gyee | aning_: no worries | 22:33 |
*** rcernin has joined #openstack-keystone | 22:42 | |
openstackgerrit | Merged openstack/keystone master: Update service provider policies for system reader https://review.openstack.org/620156 | 23:09 |
openstackgerrit | Merged openstack/keystone master: Add service provider tests for system member role https://review.openstack.org/620157 | 23:09 |
openstackgerrit | Merged openstack/keystone master: Restructure federation guide https://review.openstack.org/627842 | 23:09 |