Friday, 2019-01-18

openstackgerrit: Merged openstack/keystone-tempest-plugin master: Clean up the auto generated domain https://review.openstack.org/579063 [00:48]
openstackgerrit: Merged openstack/oslo.policy master: Fixes is_admin type from StrOpt to BoolOpt. https://review.openstack.org/628207 [01:32]
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210 [08:14]
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210 [09:49]
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Replace 'tenant_id' with 'project_id' https://review.openstack.org/631706 [10:00]
openstackgerrit: Mike Chen proposed openstack/keystone master: Fix wrong urls https://review.openstack.org/631779 [11:28]
ignaziocassano1: hello [12:27]
ignaziocassano1: can anyone help me with a trust-scoped token? [12:28]
ignaziocassano1: please! [12:28]
ignaziocassano1: You are not authorized to perform the requested action: Using trust-scoped token to create another token. Create a new trust-scoped token instead. (HTTP 403) [12:33]
ignaziocassano1: When a trust-scoped token is passed to cinder client to take a snapshot, I expect the client to use the token to authenticate and perform the operation, which cinder client does. However, cinder volume service invokes novaclient as part of the cinder nfs backend snapshot operation, and novaclient tries to re-authenticate. Since keystone does not allow re-authentication using trust-based tokens, the cinder snapshot operation fails. [12:35]
lbragstad: ignaziocassano1 i assume you don't have that issue if you try taking the snapshot with a project-scoped token? [14:04]
ignaziocassano1: Yes, I did not have problems with project-scoped [14:08]
ignaziocassano1: I am using trilio backup software. Trilio support said there are issues with trust-scoped tokens [14:10]
ignaziocassano1: They use trust-scoped tokens [14:12]
ignaziocassano1: So, I am asking whether this is unsupported and/or a bug in keystone, or whether they should modify their code [14:13]
ignaziocassano1: they got the error posted here http://paste.openstack.org/show/742944/ [14:15]
ignaziocassano1: lbragstad, can you read the above post? [14:16]
ignaziocassano1: the code returning the error is here: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/remotefs.py#L1476 [14:25]
lbragstad: ignaziocassano1 have you tried using application credentials? [14:30]
lbragstad: based on your email and scrollback here, it sounds like it would work for what you're trying to do [14:30]
lbragstad: ignaziocassano1 https://docs.openstack.org/keystone/latest/user/application_credentials.html [14:31]
ignaziocassano1: No, I have not. I could suggest it to developers. [14:34]
lbragstad: i'd suggest trying that, as opposed to trusts [14:34]
ignaziocassano1: But do you think trust-scoped is not supported? [14:35]
lbragstad: they're supported, it just might be the wrong application for it [14:35]
lbragstad: we developed application credentials as a way for developers to give authorization to software [14:35]
ignaziocassano1: OK. [14:35]
ignaziocassano1: I will suggest [14:35]
ignaziocassano1: thanks [14:35]
lbragstad: yep [14:35]
lbragstad: they were implemented in Queens [14:36]
ayoung: Is the trust token issue a filed bug? [14:56]
lbragstad: which issue ayoung ? [14:56]
ayoung: Trust scoped tokens were written under a state of paranoia that lifted when Dolph left the project. [14:56]
ayoung: Using a trust scoped token to get another token is rightly denied [14:57]
ayoung: why would Nova be trying to do that, and not just reuse the token instead? [14:57]
ayoung: I get that App Scoped creds don't have that limitation, but that is actually a security hole [14:57]
ayoung: and this is why I wanted to implement app creds via trusts, so we didn't have a proliferation of security and code issues. [14:58]
ayoung: we should have modified the trust code to support app creds instead of reimplementing [14:58]
ayoung: the only difference between a trust and an app cred should be that an app cred gets its own password. [14:59]
ignaziocassano1: Wrong application or keystone bug? [15:01]
lbragstad: ayoung what's the security hole in application credentials? [15:03]
lbragstad: i'm not sure i'm 100% following [15:03]
ayoung: lbragstad, using an app scoped token to get another token [15:03]
ayoung: either it provides 0 value or it is a security hole [15:03]
lbragstad: how so? [15:04]
ayoung: what does the second token have that the first token does not? Different roles? Different expiry? [15:04]
lbragstad: a different expiry would be the main thing [15:04]
ayoung: I'm sure it is not being paranoid and dropping roles (and I know it cannot) [15:04]
ayoung: there is a reason we did not allow that [15:04]
ayoung: Go ask Russell Bryant, because back before he was Nova PTL was when we had the discussion [15:05]
ayoung: when a token is used to get a new token, it should have an expiry no longer than the original token. I think that is still in effect [15:06]
ayoung: otherwise, any service out there could bypass the expiration by constantly getting a new token. [15:06]
ayoung: This is why I was pushing for a unified delegation model back when Alex M was on the project. To have one view of what it means, and a maximum set of potential features. Each of the mechanisms might shut off features, like App creds could say "we won't allow impersonation" [15:08]
lbragstad: ah - yeah.. nevermind expiration is carried forward [15:08]
ayoung: so then why token-to-token? My guess is it provides nothing [15:09]
ayoung: so, no security hole, but we could totally just ease up on that rule for trusts, too [15:10]
lbragstad: i'd be curious to know why the rescoping is happening, then [15:11]
lbragstad: https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n242 (expired at code) [15:11]
ayoung: when you request an app scoped token, it explicitly states the roles you get, right? No way to request a smaller set of roles? [15:11]
lbragstad: ayoung not yet [15:17]
lbragstad: ayoung actually - i lied [15:17]
lbragstad: you can request a smaller set [15:17]
lbragstad: https://docs.openstack.org/keystone/latest/user/application_credentials.html#managing-application-credentials [15:17]
openstackgerrit: Lance Bragstad proposed openstack/keystone-specs master: Update inaccurate details in JWS specification https://review.openstack.org/631887 [21:33]
openstackgerrit: Lance Bragstad proposed openstack/keystone-specs master: Update inaccurate details in JWS specification https://review.openstack.org/631887 [21:46]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Add configuration options for JWT provider https://review.openstack.org/628676 [22:35]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Add keystone-manage jws_setup functionality https://review.openstack.org/615315 [22:35]