Friday, 2019-01-25

*** rcernin has quit IRC00:18
*** rcernin has joined #openstack-keystone00:19
kmallocadriant: the spec i linked is really just for the Resource options.00:19
kmallocadriant: the bug RFE should be where additional comments are made00:20
*** markvoelker has quit IRC00:20
*** aojea has quit IRC00:31
*** dklyle has quit IRC00:32
adriantkmalloc: that's what I was planning :)00:36
adriantah, it's a bug not a blueprint, missed that00:37
openstackgerritSergey Vilgelm proposed openstack/keystone master: Fix list projects for federated user
lbragstadadriant nice job on the mfa docs btw00:41
adriantlbragstad: thanks! And I saw your notes for followup00:42
*** dklyle has joined #openstack-keystone00:48
*** whoami-rajat has joined #openstack-keystone01:06
*** gyee has quit IRC01:10
*** dklyle has quit IRC01:10
*** awalende has joined #openstack-keystone01:15
*** awalende has quit IRC01:19
adrianthah, kmalloc, yes, your spec already included a point about per project auth rule requirements01:24
* adriant tips hat01:24
adriantI'll throw up a source_ip (or whatever name we decide on) auth-method spec, and I guess we should think about how we could do auto-promotion of auth methods.01:27
adriantbut really I need to find time to sit down and just make keystoneauth work with auth-receipts and multiple methods.01:28
*** aojea has joined #openstack-keystone01:41
*** aojea has quit IRC01:45
*** ileixe has joined #openstack-keystone01:51
*** lbragstad has quit IRC01:52
*** markvoelker has joined #openstack-keystone02:25
*** lbragstad has joined #openstack-keystone02:35
*** ChanServ sets mode: +o lbragstad02:35
*** Dinesh_Bhor has joined #openstack-keystone02:40
openstackgerritMerged openstack/pycadf master: Add release note for MD5 hash removal
*** markvoelker has quit IRC02:55
*** whoami-rajat has quit IRC03:15
*** dklyle has joined #openstack-keystone03:40
*** erus_ has joined #openstack-keystone03:44
*** whoami-rajat has joined #openstack-keystone03:45
*** itlinux has joined #openstack-keystone03:47
*** markvoelker has joined #openstack-keystone03:52
*** dklyle has quit IRC04:02
*** markvoelker has quit IRC04:25
*** ileixe has quit IRC04:26
*** shyamb has joined #openstack-keystone04:38
*** imacdonn has joined #openstack-keystone04:57
openstackgerritMerged openstack/keystone master: Add documentation for Auth Receipts and MFA
*** shyamb has quit IRC05:07
*** shyamb has joined #openstack-keystone05:07
*** ileixe has joined #openstack-keystone05:08
*** erus_ has quit IRC05:11
*** shyamb has quit IRC05:12
*** shyamb has joined #openstack-keystone05:13
*** markvoelker has joined #openstack-keystone05:22
*** shyamb has quit IRC05:32
*** shyamb has joined #openstack-keystone05:32
*** vishakha has joined #openstack-keystone05:40
*** spsurya has joined #openstack-keystone05:40
*** markvoelker has quit IRC05:54
*** shyamb has quit IRC05:55
*** shyamb has joined #openstack-keystone05:56
*** shyamb has quit IRC06:17
*** shyamb has joined #openstack-keystone06:21
*** shyamb has quit IRC06:34
*** shyamb has joined #openstack-keystone06:35
*** shyam89 has joined #openstack-keystone06:38
*** shyamb has quit IRC06:41
*** shyam89 has quit IRC06:42
*** shyamb has joined #openstack-keystone06:43
*** shyam89 has joined #openstack-keystone06:48
*** shyamb has quit IRC06:49
*** lbragstad has quit IRC07:45
*** shyam89 has quit IRC07:48
*** shyam89 has joined #openstack-keystone07:48
*** markvoelker has joined #openstack-keystone07:52
*** awalende has joined #openstack-keystone08:07
*** tkajinam has quit IRC08:15
*** shyam89 has quit IRC08:20
*** yan0s has joined #openstack-keystone08:23
*** markvoelker has quit IRC08:25
*** dklyle has joined #openstack-keystone08:50
*** shyamb has joined #openstack-keystone08:59
*** shyamb has quit IRC09:16
*** shyamb has joined #openstack-keystone09:16
*** shyamb has quit IRC09:20
*** shyamb has joined #openstack-keystone09:20
*** markvoelker has joined #openstack-keystone09:22
*** aojea has joined #openstack-keystone09:49
*** aojea has quit IRC09:54
*** markvoelker has quit IRC09:55
*** shyamb has quit IRC10:08
*** Dinesh_Bhor has quit IRC10:19
*** shyamb has joined #openstack-keystone10:21
*** shyamb has quit IRC10:28
*** shyamb has joined #openstack-keystone10:31
*** shyamb has quit IRC10:36
*** markvoelker has joined #openstack-keystone10:52
*** shyamb has joined #openstack-keystone10:55
*** jaosorior has quit IRC11:07
*** ileixe has quit IRC11:19
*** shyam89 has joined #openstack-keystone11:23
*** markvoelker has quit IRC11:25
*** shyamb has quit IRC11:26
*** shyam89 has quit IRC11:34
openstackgerritMerged openstack/keystone-specs master: Update inaccurate details in JWS specification
*** shyamb has joined #openstack-keystone11:47
*** erus_ has joined #openstack-keystone11:50
*** vishakha has quit IRC12:00
*** shyamb has quit IRC12:16
*** erus_ has quit IRC12:19
*** erus_ has joined #openstack-keystone12:20
*** erus_ has quit IRC12:39
*** erus_ has joined #openstack-keystone12:45
*** whoami-rajat has quit IRC12:55
*** awalende has quit IRC13:26
*** awalende has joined #openstack-keystone13:27
*** rcernin has quit IRC13:30
*** awalende has quit IRC13:31
*** imus has joined #openstack-keystone13:37
*** aojea has joined #openstack-keystone14:20
*** whoami-rajat has joined #openstack-keystone14:46
*** dave-mccowan has joined #openstack-keystone14:46
*** lbragstad has joined #openstack-keystone14:49
*** ChanServ sets mode: +o lbragstad14:49
*** dave-mccowan has quit IRC14:51
openstackgerritMerged openstack/keystone-tempest-plugin master: Update hacking version to latest
*** spsurya has quit IRC15:07
*** ayoung has quit IRC15:19
*** dklyle has quit IRC15:22
kmallocadriant: auto-promote (as you call it) should just be a keystone server side "always run" auth method.15:28
*** spsurya has joined #openstack-keystone15:30
lbragstadso - i was finally able to get a scoped token using an x509 certificate15:32
cmurphyoh good15:32
lbragstadi was getting things really confused15:32
lbragstadbut - think it might be broken, too?15:34
*** erus_ has quit IRC15:34
*** erus_ has joined #openstack-keystone15:34
*** jmlowe has joined #openstack-keystone15:34
cmurphynot possible15:35
lbragstadcheck this out
lbragstadi put scope in the request15:37
lbragstadbut i also had to define it in the header15:37
lbragstadand both have to match15:37
lbragstadif you don't define it in the header, it apparently short-circuits the request with a 400 validation error15:38
lbragstadbut if you don't define it in the request body, it doesn't actually pick it up, essentially ignoring the scope15:38
lbragstadbecause the AutoInfo object we use only looks for it in the request body (it knows nothing of headers)15:39
lbragstadi assume that is broken behavior15:40
lbragstadit's like the approach for tokenless authentication was smashed with the external authentication path...15:41
lbragstadthat said, i'm not sure if anyone is actually able to use this with having a firm understanding of the code... that's the only way i could piece this together, even with a fair amount of guess work15:42
lbragstadwithout having a firm understanding*15:43
*** bnemec has quit IRC15:43
*** lbragstad is now known as elbragstad15:43
cmurphyoh interesting15:49
cmurphyi could believe that we forgot about this feature and introduced some weirdness in the scoping logic15:50
elbragstadwe apparently had an x509 authentication plugin at one point (for tokenless auth), but that was renamed to external?15:50
elbragstadso i'm wondering if something went side ways in that refactor15:50
cmurphyno x509 maps to mapped just like all the other federation protocols15:51
*** cmurphy is now known as cmorpheus15:51
elbragstadyep - nevermind...15:51
elbragstadyou're right15:51
elbragstadi glazed over everything but the name on slide 8
*** imus has quit IRC15:55
elbragstadi don't have x509 in my configured authentication methods15:55
elbragstadjust token, password, and external15:55
elbragstadso i'm still a little confused as to how the mapping is getting invoked15:56
cmorpheuselbragstad: oh! i think you have a local user already created?15:57
cmorpheusat least i think I did when I was doing this15:57
elbragstadyep - i do15:57
cmorpheusbecause the example mapping had "local" in it15:58
cmorpheusdoes that user already have persistent role assignments?15:58
elbragstadthey do15:58
elbragstadso - that explains why there is mapping logging in there?15:59
cmorpheushmm well not really15:59
* cmorpheus unsure16:00
elbragstadall that mapping stuff is logged before it even really hits the authentication controller16:02
elbragstadi bet middleware is doing something16:02
*** dklyle has joined #openstack-keystone16:03
*** elbragstad has quit IRC16:06
*** lbragstad has joined #openstack-keystone16:07
*** ChanServ sets mode: +o lbragstad16:07
*** lbragstad is now known as elbragstad16:07
elbragstadwhich means we hit this method -
elbragstadand boom ->
elbragstadi think that path gets called when doing both tokenless authentication and authenticating for tokens with an x509 certificate because they share similar configuration for trusted issuers16:14
*** yan0s has quit IRC16:17
elbragstadthat also explains why using an auto-provisioned mapping doesn't work for x509 protocols16:20
*** shyamb has joined #openstack-keystone16:20
elbragstadthe mapping implementation for tokenless auth isn't using the mapped plugin16:21
elbragstadinstead - it does its own thing by getting the mapped properties from the federation api directly16:21
elbragstadi had no idea this existed... or worked this way, which kinda sucks because i'm sure i made the delta between the two worse when i did the autoprovisioning enhancements to the mapping API16:23
openstackgerritMerged openstack/keystone master: Update service provider  policies for system admin
openstackgerritMerged openstack/keystone master: Add tests for domain users interacting with sps
openstackgerritMerged openstack/keystone master: Add tests for project users interacting with sps
openstackgerritLance Bragstad proposed openstack/keystone master: Remove service provider policies from v3cloudsample.json
cmorpheuselbragstad: just means we need better test coverage for it16:44
cmorpheustribal knowledge passed down by word of unit test16:44
elbragstadyeah - exactly16:51
elbragstadi'm really surprised this broke and nothing failed...16:51
elbragstadthis is also one of the first times i've taken this hard of a look at the feature16:54
elbragstadbut some of the approaches in the x509 external auth code path might not be necessary anymore16:55
elbragstadfor example, we set the REMOTE_DOMAIN using an apache configuration value16:55
elbragstadbut we also auto-create domains for identity providers16:55
elbragstad(which you need to do when you setup x509 authentication)16:55
elbragstadi think if we want to be consistent with other federated approaches, we might consider using the domain for the x509 protocol/idp16:56
*** erus_ has quit IRC16:56
elbragstadinstead of having operators define it in apache16:56
*** erus_ has joined #openstack-keystone16:57
*** dklyle has quit IRC17:00
cmorpheusREMOTE_DOMAIN really confused me, i could barely find any reference to it online17:07
*** dklyle has joined #openstack-keystone17:07
*** shyamb has quit IRC17:07
*** gyee has joined #openstack-keystone17:11
*** aojea has quit IRC17:14
*** dklyle has quit IRC17:19
elbragstadgyee's here17:19
elbragstadi have so many questions17:19
gyeeelbragstad, yes sir17:23
elbragstadwe're working through
elbragstadturns out - the x509/tokenless authentication path doesn't use the Mapped plugin for mapping stuff (which is why we can't use auto-provisioning)17:29
gyeeelbragstad, right, for the second case, it doesn't use mapping17:29
gyeethe first case is federation, which should be using mapping17:30
elbragstadfirst case == x509?17:30
elbragstadsecond case == tokenless authentication?17:30
gyeewe are talking about the second case right?17:31
elbragstadwell - i was trying to do the first case17:32
elbragstadwhere i have an auto-provisioned mapping17:33
elbragstadand i'm using an x509 certificate to authenticate17:33
elbragstadthe mapping gets processed, but it doesn't actually provision anything17:34
elbragstadbecause the tokenless helper has it's own mapping logic17:35
elbragstadversus the mapped plugin17:35
elbragstadwhich is where that feature lives17:35
elbragstadyeah - exactly17:37
gyeetime to refactor to code I guess17:37
elbragstadi'll be honest, i haven't looked at this long enough to know where to start with the refactor, but i'll help out if i can17:38
elbragstador if we come up with a plan for how we want this to look when everything is said and done17:39
elbragstadideally - it would be nice to have x509 federated authentication exercise the same code path as SAML or OIDC17:39
elbragstadbut it seems to get mixed up with tokenless auth17:39
gyeeelbragstad, I need to refresh my memories on some of these things17:40
gyeeI completely agreed, we need to have the same code path17:40
elbragstadi do think it'll be sweet to get this working again though17:41
gyeeI thought the first case was using the saml code path17:41
elbragstadfor x509 federation (not tokenless authentication) i should be able to specify scope in the request body though, right?17:42
elbragstadx509 federation doesn't require X-Project-Id or scope to be in headers, should it? that's only for x509 tokenless authentication17:42
*** erus_ has quit IRC17:42
gyeeelbragstad, when federation was first design, it wasn't allowing scoped token directly17:42
gyeemaybe I got mixed up with K2K17:43
*** erus_ has joined #openstack-keystone17:43
elbragstadwell - we used group membership17:43
elbragstadto map ephemeral users into groups in keystone for assignments17:44
gyeeyeah you're right17:44
elbragstadbut now we also have the shadow users stuff17:44
elbragstadit would be nice to get that working with x509 federation, too17:45
gyeeyes, that part I need to catch up on17:45
*** aojea has joined #openstack-keystone17:46
gyeeelbragstad, maybe getting it working with devstack plugin and tempest plugin would be awesomer too17:48
elbragstadyeah - it would be nice to use that for some functional testing17:48
gyeestretch goal, as they said in corporate lango :-)17:48
elbragstadi mean... the "identity provider" is a cert17:48
elbragstadwe don't actually have to setup an external identity provider system, we just need a self-signed CA17:49
gyeeright, generating a self-signed CA is pretty easy17:49
elbragstadif all the federated implementation use the same code path, this might be a relatively low bar way to test federateion17:50
gyeeoh yeah17:50
elbragstadwithout having to stand up keystone as an idp, or some other thing that acts as the idp17:50
elbragstad(even though we should)17:50
gyeethat's how we test K2K today right? single instance acting both as IdP and SP17:51
*** erus_ has quit IRC17:51
elbragstadi'm not sure17:51
*** erus_ has joined #openstack-keystone17:51
elbragstadbut - to be on the same page, a request for a scoped token using x509 federation _shouldn't_ include scope in the headers, right?17:54
elbragstadthat should only be for tokenless authentication17:54
gyeefederation should strictly going through mapping17:54
elbragstadok - just wonder what way i should start with
openstackLaunchpad bug 1813336 in OpenStack Identity (keystone) "Requesting a scoped token when using x509 authentication is redundant" [Medium,Triaged]17:54
gyeewow, I didn't realized we did that17:55
elbragstadyeah... me either17:56
elbragstadi was trying to just use the docs to get a scoped token17:56
elbragstadbut it wasn't really working so i started reading the code, which is when cmorpheus and i start picking through all of these things17:56
elbragstad(e.g., finding out the gap with auto-provisioning, scoping redundancy, domain generation redundancy with x509 federation)17:57
* elbragstad grabs lunch quick17:59
*** dklyle has joined #openstack-keystone18:00
*** aojea has quit IRC18:20
*** whoami-rajat has quit IRC18:34
*** sapd1_ has quit IRC18:47
*** sapd1_ has joined #openstack-keystone18:47
*** aojea has joined #openstack-keystone18:51
*** bnemec has joined #openstack-keystone19:02
*** bnemec is now known as beekneemech19:11
*** aojea has quit IRC19:24
*** erus_ has quit IRC19:24
*** erus_ has joined #openstack-keystone19:24
*** beekneemech has quit IRC19:42
*** dklyle has quit IRC19:51
*** aojea has joined #openstack-keystone19:57
*** dklyle has joined #openstack-keystone20:13
*** spsurya has quit IRC20:37
*** dklyle has quit IRC20:55
*** dklyle has joined #openstack-keystone20:59
*** dklyle has quit IRC21:13
*** ayoung has joined #openstack-keystone21:51
ayoungknikolla, you still on Furlough?21:51
knikollaayoung: no, H1 got surprisingly approved as of yesterday.21:52
*** awalende has joined #openstack-keystone21:58
openstackgerritLance Bragstad proposed openstack/keystone master: Expose py3 bug in how non-uuid domain IDs are handled
openstackgerritLance Bragstad proposed openstack/keystone master: Handle special cases with msgpack and python3
elbragstadweird little corner case with py3 + msgpack22:11
elbragstadapparently msgpack doesn't really care about types as much on python3?22:11
openstackgerritLance Bragstad proposed openstack/keystone master: Handle special cases with msgpack and python3
*** awalende has quit IRC22:31
*** awalende has joined #openstack-keystone22:31
*** awalende has quit IRC22:35
*** jmlowe has quit IRC22:41
*** bnemec has joined #openstack-keystone23:12
*** dklyle has joined #openstack-keystone23:13
*** dklyle has quit IRC23:20
*** xek has quit IRC23:30
openstackgerritLance Bragstad proposed openstack/keystone master: Handle special cases with msgpack and python3
*** bnemec has quit IRC23:43
*** bnemec has joined #openstack-keystone23:44
*** elbragstad has quit IRC23:54
*** bnemec has quit IRC23:59
*** bnemec has joined #openstack-keystone23:59

Generated by 2.15.3 by Marius Gedminas - find it at!