*** dklyle has joined #openstack-keystone | 00:16 | |
*** dklyle has quit IRC | 00:31 | |
*** whoami-rajat has joined #openstack-keystone | 00:49 | |
*** ileixe has joined #openstack-keystone | 00:54 | |
*** jistr has quit IRC | 01:00 | |
*** jistr has joined #openstack-keystone | 01:01 | |
*** Dinesh_Bhor has joined #openstack-keystone | 01:36 | |
*** markvoelker has joined #openstack-keystone | 01:39 | |
*** markvoelker has quit IRC | 02:12 | |
*** tkajinam_ has joined #openstack-keystone | 02:19 | |
*** tkajinam has quit IRC | 02:21 | |
*** ileixe has left #openstack-keystone | 02:54 | |
*** whoami-rajat has quit IRC | 03:09 | |
*** markvoelker has joined #openstack-keystone | 03:09 | |
*** markvoelker has quit IRC | 03:42 | |
*** Dinesh_Bhor has quit IRC | 04:15 | |
*** Dinesh_Bhor has joined #openstack-keystone | 04:16 | |
*** spsurya has joined #openstack-keystone | 04:28 | |
*** lifeless has quit IRC | 04:31 | |
*** markvoelker has joined #openstack-keystone | 04:39 | |
*** lifeless has joined #openstack-keystone | 04:51 | |
*** imacdonn has quit IRC | 04:59 | |
*** imacdonn has joined #openstack-keystone | 04:59 | |
*** tkajinam_ is now known as tkajinam | 05:03 | |
*** markvoelker has quit IRC | 05:11 | |
*** tkajinam has quit IRC | 05:31 | |
*** shyamb has joined #openstack-keystone | 05:34 | |
*** tkajinam has joined #openstack-keystone | 06:13 | |
*** vishakha has joined #openstack-keystone | 06:18 | |
*** imacdonn has quit IRC | 06:34 | |
*** shyamb has quit IRC | 06:43 | |
*** shyamb has joined #openstack-keystone | 06:50 | |
*** markvoelker has joined #openstack-keystone | 07:09 | |
*** shyamb has quit IRC | 07:21 | |
*** shyamb has joined #openstack-keystone | 07:27 | |
*** bnemec has quit IRC | 07:40 | |
*** markvoelker has quit IRC | 07:42 | |
*** awalende has joined #openstack-keystone | 08:00 | |
*** pcaruana has joined #openstack-keystone | 08:01 | |
*** shyamb has quit IRC | 08:14 | |
*** tkajinam has quit IRC | 08:15 | |
*** bnemec has joined #openstack-keystone | 08:35 | |
*** markvoelker has joined #openstack-keystone | 08:39 | |
*** shyamb has joined #openstack-keystone | 09:03 | |
*** jaosorior has joined #openstack-keystone | 09:10 | |
*** markvoelker has quit IRC | 09:12 | |
*** xek has joined #openstack-keystone | 09:15 | |
*** whoami-rajat has joined #openstack-keystone | 09:18 | |
*** markvoelker has joined #openstack-keystone | 10:10 | |
*** shyamb has quit IRC | 10:13 | |
*** shyamb has joined #openstack-keystone | 10:19 | |
*** shyamb has quit IRC | 10:32 | |
*** markvoelker has quit IRC | 10:43 | |
*** mvkr has joined #openstack-keystone | 11:11 | |
*** szaher has quit IRC | 11:26 | |
*** szaher has joined #openstack-keystone | 11:29 | |
*** shyamb has joined #openstack-keystone | 11:31 | |
*** Dinesh_Bhor has quit IRC | 11:32 | |
*** markvoelker has joined #openstack-keystone | 11:40 | |
*** bnemec has quit IRC | 11:40 | |
*** bnemec has joined #openstack-keystone | 11:42 | |
*** whoami-rajat has quit IRC | 11:45 | |
*** ileixe has joined #openstack-keystone | 12:02 | |
ileixe | Hi guys, I got a simple question about fernet tokens. I would appreciate it a lot if anyone can answer me. | 12:03 |
ileixe | The problem is the keystonemiddleware auth_token cache does not update the token until the expiration time is reached, even though the user added new endpoints. | 12:04 |
ileixe | Is this normal behavior? It seems that a UUID token would invalidate itself when the token endpoint is changed. | 12:05 |
*** ileixe has quit IRC | 12:08 | |
*** ileixe has joined #openstack-keystone | 12:09 | |
*** markvoelker has quit IRC | 12:13 | |
*** pcaruana has quit IRC | 12:36 | |
*** pcaruana has joined #openstack-keystone | 12:37 | |
*** shyamb has quit IRC | 12:38 | |
*** shyamb has joined #openstack-keystone | 12:38 | |
*** whoami-rajat has joined #openstack-keystone | 13:26 | |
*** shyamb has quit IRC | 13:29 | |
*** shyamb has joined #openstack-keystone | 13:30 | |
*** pcaruana has quit IRC | 13:32 | |
*** shyamb has quit IRC | 13:47 | |
*** pcaruana has joined #openstack-keystone | 13:50 | |
*** ileixe has quit IRC | 13:53 | |
*** jmlowe has quit IRC | 14:03 | |
*** dave-mccowan has joined #openstack-keystone | 14:09 | |
*** erus has joined #openstack-keystone | 14:17 | |
*** lbragstad has joined #openstack-keystone | 14:20 | |
*** ChanServ sets mode: +o lbragstad | 14:20 | |
lbragstad | o/ | 14:31 |
*** awalende has quit IRC | 14:35 | |
*** awalende has joined #openstack-keystone | 14:36 | |
*** itlinux has quit IRC | 14:37 | |
*** awalende has quit IRC | 14:40 | |
*** mvkr has quit IRC | 14:44 | |
openstackgerrit | erus proposed openstack/keystone master: Add experimental job for CentOS https://review.openstack.org/633378 | 14:44 |
*** jmlowe has joined #openstack-keystone | 15:06 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Handle special cases with msgpack and python3 https://review.openstack.org/633288 | 15:10 |
*** mvkr has joined #openstack-keystone | 15:19 | |
knikolla | o/ | 15:23 |
erus | o/ | 15:24 |
erus | hi knikolla how are you? | 15:24 |
knikolla | hey erus, i'm good. what about you? | 15:24 |
erus | i'm really good, but dying :) it's very hot t.t | 15:25 |
knikolla | erus: it's the opposite here, haha. | 15:32 |
erus | haha i want snoow | 15:33 |
*** mchlumsky has joined #openstack-keystone | 15:33 | |
erus | knikolla today the thermal sensation is 40 degrees :( | 15:34 |
knikolla | wow. | 15:34 |
erus | i'm literally dying T.T | 15:34 |
knikolla | it's a nice -3C here. | 15:35 |
erus | i envy you(?) xD | 15:35 |
*** mchlumsky has quit IRC | 15:36 | |
knikolla | erus: there's good and bad days. thursday will be -11C. | 15:36 |
*** mchlumsky has joined #openstack-keystone | 15:37 | |
erus | knikolla woow, well tomorrow it will be 37 degrees but we'll see about the thermal sensation and the humidity :( | 15:38 |
*** mvkr has quit IRC | 15:39 | |
knikolla | erus: probably lbragstad has the worst in terms of weather, haha. | 15:48 |
lbragstad | ha - it's not too bad | 15:49 |
erus | haha | 15:49 |
erus | really? | 15:49 |
knikolla | gotta love that -36C on wednesday, am i right? | 15:49 |
erus | wooow | 15:49 |
erus | -36C?? | 15:49 |
erus | where are you lbragstad? | 15:50 |
lbragstad | North Dakota, USA | 15:50 |
lbragstad | aka... middle. of. no. where. | 15:50 |
knikolla | Mount Bragstad, lol | 15:50 |
lbragstad | :) | 15:50 |
erus | ohh right, a lot of snow i guess :) | 15:51 |
*** openstackgerrit has quit IRC | 15:51 | |
lbragstad | knikolla does BU use keycloak? | 15:52 |
knikolla | lbragstad: yes. as an idp proxy. | 15:53 |
*** mvkr has joined #openstack-keystone | 15:53 | |
lbragstad | does BU issue certificates to authenticate to it? | 15:54 |
knikolla | lbragstad: hmmm... let me reiterate the answer. BU uses Shibboleth-IdP. And service providers use SAML to talk to it. For its own services, BU does certificates and other things, but for external things it's strictly SAML and AFAIK doesn't issue certs. MOC uses Keycloak as an IdP proxy to our services. | 15:56 |
lbragstad | ah | 15:57 |
knikolla | lbragstad: i have no internal insight into BU IT. That's a separate department entirely. | 15:57 |
lbragstad | i was thinking about the x509 stuff we stumbled across last week and was wondering if it would tie into BU's federation story at all | 15:57 |
knikolla | lbragstad: there is a separate service, called CILogon, which issues x509 certs for university logins called https://www.cilogon.org/home | 15:59 |
knikolla | it acts as an IdP proxy to NSF funded SPs | 15:59 |
lbragstad | huh | 16:00 |
lbragstad | interesting | 16:00 |
*** dklyle has joined #openstack-keystone | 16:06 | |
*** itlinux has joined #openstack-keystone | 16:06 | |
knikolla | erus: approved your two patches adding centos support to fed testing. great work! | 16:43 |
erus | oh thanks knikolla o/ | 16:43 |
erus | i'm with suse now :) | 16:44 |
knikolla | what do you mean? | 16:44 |
erus | i'm working with opensuse i mean for adding support for suse | 16:45 |
knikolla | cool! | 16:45 |
erus | will the script work with mellon? i mean is it planned? | 16:46 |
*** pcaruana has quit IRC | 16:47 | |
knikolla | definitely. | 16:48 |
erus | great :D | 16:48 |
*** openstackgerrit has joined #openstack-keystone | 16:49 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Drop ephemeral user_type support https://review.openstack.org/633553 | 16:49 |
*** erus has quit IRC | 16:52 | |
*** dims has quit IRC | 17:08 | |
*** gyee has joined #openstack-keystone | 17:09 | |
lbragstad | gagehugo do you have thoughts on this? https://bugs.launchpad.net/python-keystoneclient/+bug/1808305 | 17:23 |
openstack | Launchpad bug 1808305 in python-keystoneclient "discrepancy in response of "check_*" methods" [Undecided,New] | 17:23 |
lbragstad | i'm inclined to say the tags API might not be a good example for that bug | 17:23 |
*** whoami-rajat has quit IRC | 17:35 | |
*** bnemec has quit IRC | 17:39 | |
*** erus has joined #openstack-keystone | 17:41 | |
*** mvkr has quit IRC | 17:51 | |
*** mvkr has joined #openstack-keystone | 17:58 | |
*** whoami-rajat has joined #openstack-keystone | 18:02 | |
*** bnemec has joined #openstack-keystone | 18:03 | |
*** mvkr has quit IRC | 18:51 | |
*** ayoung has joined #openstack-keystone | 18:56 | |
ayoung | I need to find a way to get Hexchat to automatically connect with the FreeNode anti-spam check thing. | 18:56 |
knikolla | ayoung: best thing i did was $5/month for irc cloud. | 18:59 |
knikolla | ayoung: btw i was hanging out in arlington yesterday. | 18:59 |
ayoung | knikolla, I heard there was a troublemaker in town | 18:59 |
ayoung | knikolla, you back at work yet, or still on Gov't enforced Sabbatical | 19:00 |
*** dave-mccowan has quit IRC | 19:00 | |
knikolla | ayoung: I'm back at work now. It wasn't govt enforced at all. BU filed late. The govt did a great job approving it on time, saving me the trouble. | 19:01 |
ayoung | Excellent | 19:01 |
knikolla | Thankfully immigration is mostly self funded by application fees. | 19:01 |
ayoung | knikolla, got a MOC access question for you. Care if I ask it in here? | 19:01 |
knikolla | sure, go ahead. | 19:02 |
ayoung | Got a server with a public IP. Can't ssh in. My security group is "all open." Is there something wonky going on with public IPs, or did I just mess things up? | 19:03 |
* kmalloc wakes up sick and now tries to get goin. | 19:04 | |
knikolla | ayoung: not aware of anything wonky going on, though sometimes the neutron agent in specific compute nodes likes to play games. File a ticket here https://osticket.massopen.cloud with vm name and ip and we'll look into it. | 19:04 |
kmalloc | ayoung: uh. i found that i had to explicitly open all ports sometimes the default "all allowed" doesn't work | 19:04 |
ayoung | let me get back to a functional set of nodes...I tore them down last night...and messed up my playbook....1 sec | 19:05 |
kmalloc | knikolla: i don't like irccloud, but it works and it works well. | 19:05 |
kmalloc | most of the time. | 19:05 |
kmalloc | ayoung: i'm excited. our new place is going to have fruit trees soon (planting them this weekend) | 19:06 |
*** jmlowe has quit IRC | 19:08 | |
*** dave-mccowan has joined #openstack-keystone | 19:09 | |
*** spsurya has quit IRC | 19:14 | |
*** dims has joined #openstack-keystone | 19:15 | |
ayoung | kmalloc, very nice. What are you planting? | 19:15 |
gyee | kmalloc, make sure you have both male and female trees for pollination :-) | 19:17 |
kmalloc | ayoung: ranier cherry, lapins cherry, and dwarf nectarine | 19:18 |
kmalloc | ayoung: for now. probably 1 or 2 more cherry trees once we have the rest of the yard/garden in order | 19:18 |
kmalloc | maybe an apple or pomegranate | 19:19 |
ayoung | gyee, I know you are joking, but there is a kernel of truth. Certain types of trees need to pollinate with slightly different other breeds to bear fruit | 19:19 |
gyee | that's how the people at the nursery described that to me once | 19:19 |
kmalloc | yeah ranier cherry and lapins cross pollinate well. nectarine is self-pollinating (for now) | 19:19 |
knikolla | interesting | 19:20 |
kmalloc | interestingly, seattle is an 8B zone just shy of being able to support citrus... which is a weird thought considering how far north we are | 19:22 |
*** dave-mccowan has quit IRC | 19:34 | |
*** imacdonn has joined #openstack-keystone | 19:35 | |
*** xek has quit IRC | 19:37 | |
*** xek has joined #openstack-keystone | 19:37 | |
lbragstad | kmalloc jaosorior isn't this similar to what you were working on https://bugs.launchpad.net/python-keystoneclient/+bug/1457702 ? | 19:41 |
openstack | Launchpad bug 1457702 in python-keystoneclient "The default endpoint interface type for Keystone v3 should be 'public'" [Low,Won't fix] | 19:41 |
kmalloc | lbragstad: i think different that is ksc specific in how it processes the catalog | 19:43 |
jaosorior | lbragstad: what? | 19:43 |
*** jmlowe has joined #openstack-keystone | 19:44 | |
hrybacki | kmalloc: for caching of fernet tokens -- do we need to have both `memcache_servers` /and/ `backend_argument` set to point at the memcache server? | 19:44 |
kmalloc | lbragstad: jaosorior is/was working on issues with hard-coded endpoints | 19:44 |
jaosorior | lbragstad: it is kinda similar | 19:44 |
kmalloc | hrybacki: no. it's two ways to configure the same thing | 19:44 |
jaosorior | I was planning to change the internal one I set to public | 19:44 |
jaosorior | but hadn't had time. | 19:44 |
kmalloc | memcache_servers takes priority | 19:44 |
kmalloc | hrybacki: backend_argument is... flawed in many ways. | 19:45 |
hrybacki | kmalloc: hmm. let me verify something weird on my end before continuing | 19:45 |
kmalloc | backend_argument is the "new way", but until recently didn't work at all | 19:46 |
kmalloc | especially with the memcache backend. | 19:46 |
hrybacki | kmalloc: so in queens I'm seeing that backend_command is taking priority (backend = dogpile.cache.memcached) | 19:48 |
hrybacki | I setup two instances of memcached running on 11211 and 11212 respectively to verify | 19:48 |
kmalloc | memcached_servers implies dogpile.cache.memcache iirc. | 19:49 |
kmalloc | let me check, I was almost certain we made memcache_servers take priority | 19:49 |
kmalloc | i might be wrong. | 19:50 |
hrybacki | kmalloc: can you point me at the section of code you look at? | 19:50 |
kmalloc | this is from memory, when i wrote the code for keystone and then ported to oslo.cache :P | 19:51 |
kmalloc | looking at the code now | 19:51 |
kmalloc | https://github.com/openstack/oslo.cache/blob/master/oslo_cache/core.py#L141 looks like memcache_servers is the fallback | 19:52 |
kmalloc | and backend_argument is the primary. | 19:52 |
hrybacki | I see. head spinny | 19:53 |
hrybacki | thanks kmalloc ! | 19:53 |
*** aojea has joined #openstack-keystone | 19:59 | |
kmalloc | hrybacki: having issues with cache? | 20:00 |
hrybacki | kmalloc: finally drafting that caching doc we spoke about months ago | 20:02 |
hrybacki | I shot you an email with the draft notes if you have a second (it's short) | 20:02 |
kmalloc | nice. | 20:05 |
kmalloc | will check | 20:05 |
kmalloc | @rh email or @gmail? | 20:05 |
hrybacki | kmalloc: RH -- I can forward it to your personal though | 20:06 |
kmalloc | no worries | 20:06 |
kmalloc | just making sure i'm looking at the right place | 20:06 |
hrybacki | ack, in general should I send things to one over the other? | 20:06 |
* kmalloc should go take some more cold meds first... it'll make grokking caching documentation easier | 20:06 | |
hrybacki | don't cache a cold kmalloc | 20:07 |
*** jmlowe has quit IRC | 20:09 | |
*** aojea has quit IRC | 20:12 | |
lbragstad | vishakha do you know where the patch was that fixed this for keystone? https://bugs.launchpad.net/keystone/+bug/1615076 | 20:12 |
openstack | Launchpad bug 1615076 in python-keystoneclient "Keystone server does not define "enabled" attribute for Region but mentions in v3 regions.py" [Undecided,Fix released] - Assigned to Vishakha Agarwal (vishakha.agarwal) | 20:12 |
lbragstad | fyi - here is a relatively trivial review that fixes a bug https://review.openstack.org/#/c/633288/ | 20:18 |
*** aojea has joined #openstack-keystone | 20:20 | |
*** aojea has quit IRC | 20:20 | |
*** aojea has joined #openstack-keystone | 20:20 | |
*** jmlowe has joined #openstack-keystone | 20:28 | |
hrybacki | kmalloc: did anything major change in (token) caching between Newton and Queens that you recall? | 20:30 |
lbragstad | I thought I remember the cache_on_issue functionality landing back then sometime | 20:31 |
kmalloc | yeah that sounds right | 20:33 |
kmalloc | otherwise i think it's no major changes | 20:33 |
kmalloc | cache_on_issue was a nice improvement | 20:33 |
*** whoami-rajat has quit IRC | 20:35 | |
hrybacki | thanks kmalloc lbragstad -- cache_on_issue bumps performance a hair I would assume? | 20:38 |
lbragstad | yeah - it just pre-caches tokens when they are created | 20:38 |
hrybacki | bless whoever made an intuitive name for that | 20:38 |
lbragstad | since the most common use case for them is people use them in other services immediately | 20:38 |
* hrybacki nods | 20:38 | |
lbragstad | are you still working on federation in tripleo? | 20:40 |
hrybacki | by proxy of the team yeah. Pushing many things forward atm :) | 20:44 |
lbragstad | nice | 20:44 |
*** jmlowe has quit IRC | 20:50 | |
ayoung | lbragstad, kmalloc so, this is what knikolla and I were going for with the per API RBAC https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/ | 21:12 |
ayoung | istio does it now, and it seems no one has complained about a Cambrian explosion of URLs | 21:12 |
kmalloc | lbragstad: so.. with https://review.openstack.org/#/c/605485/17/keystone/tests/unit/protection/v3/test_users.py we have a test somewhere that verifies a standard user cannot get another user? | 21:13 |
ayoung | we could do something comparable with the app creds once cmurphy gets the feature in | 21:13 |
kmalloc | lbragstad: i'm inclined to add a similar test just in the common check *here* so it's clearly tested in the same place. | 21:13 |
kmalloc | lbragstad: otherwise that patch looks good. | 21:14 |
kmalloc | lbragstad: pinging you before scoring. | 21:14 |
lbragstad | kmalloc https://review.openstack.org/#/c/623322/4/keystone/tests/unit/protection/v3/test_users.py | 21:14 |
lbragstad | it's later in the chain | 21:14 |
kmalloc | lbragstad: then +2 on that one | 21:14 |
lbragstad | all of those patches follow a basic pattern | 21:14 |
lbragstad | kmalloc check for testing holes though, let me know if you find any missing negative tests | 21:15 |
kmalloc | right. for now this is looking good | 21:15 |
lbragstad | most of those patches implement system reader -> system member -> system admin -> domain functionality -> project functionality | 21:15 |
lbragstad | which is why the tests initially start out as very system-specific | 21:16 |
kmalloc | ayoung: my brain can only context switch so far. | 21:16 |
kmalloc | ayoung: refresh me on the per-api RBAC thing | 21:16 |
kmalloc | ayoung: remember i had 34 days to expunge all state knowledge of in-flight things in keystone from active memory | 21:17 |
ayoung | kmalloc, implied roles. admin implies member implies GET /v3/users | 21:17 |
kmalloc | sure..... | 21:17 |
kmalloc | keep going. | 21:17 |
ayoung | enforce RBAC in keystonemiddleware? | 21:18 |
ayoung | split the role check from the scope check | 21:18 |
ayoung | istio is doing just that, but for Kubernetes | 21:18 |
kmalloc | isn't this what we discussed with the app-cred restrictions? | 21:18 |
kmalloc | with capabilities? | 21:18 |
ayoung | that is where they ended up landing | 21:18 |
kmalloc | yeah, i'm still not opposed to it... except the following concerns: | 21:19 |
ayoung | just showing that the mechanism is adopted out there | 21:19 |
kmalloc | 1) Nova doesn't communicate URLs to middleware. | 21:19 |
ayoung | and it is fast becoming the norm | 21:19 |
kmalloc | so it's caveat emptor for the end user configuring | 21:20 |
kmalloc | aka, we can't validate if it would actually work... so just need to document it | 21:20 |
ayoung | kmalloc, I'll let you convince yourself that is a non issue | 21:20 |
kmalloc | no need, just need clear documentation. it's long been my only requirement on that front | 21:20 |
ayoung | heh | 21:21 |
ayoung | on a conf call, and someone just unmuted and was playing rock | 21:21 |
ayoung | anyway, there are two competing products at Red Hat that are doing just this, but for the app layer | 21:21 |
kmalloc | 2) we have had the request for a way to limit the urls administratively -- so allowable templates | 21:21 |
ayoung | the JBoss one is 3scale, the K8S one is Istio | 21:21 |
kmalloc | but that's been it. | 21:21 |
*** erus has quit IRC | 21:21 | |
kmalloc | iirc i've been a supporter of the limit-on-url mechanism from the original discussion | 21:22 |
ayoung | The thing that they don't realize is that they need to have the scope check, too | 21:22 |
kmalloc | scope check is something we do well. | 21:22 |
ayoung | unless the apps are written with the scope in the URL...which leads me to wonder if that should be the norm | 21:22 |
*** erus has joined #openstack-keystone | 21:22 | |
ayoung | define "we" | 21:22 |
kmalloc | keystone/openstack. | 21:23 |
ayoung | keystone, yes, openstack, not so much | 21:23 |
ayoung | Nova has it now. | 21:23 |
ayoung | Glance...er um | 21:23 |
kmalloc | the core services do ok with it | 21:23 |
kmalloc | nova, neutron, glance, cinder. | 21:23 |
kmalloc | etc. | 21:23 |
ayoung | glance did not last I looked. | 21:23 |
ayoung | actually, none of them do | 21:24 |
ayoung | that is 968696 | 21:24 |
kmalloc | ok, there are two bits | 21:24 |
kmalloc | a fundamental scope check, and ignore RBAC policy is bad (we are fixing that) | 21:24 |
ayoung | well...nova does either or | 21:24 |
ayoung | glance does nothing | 21:24 |
ayoung | cinder... let me see... | 21:24 |
kmalloc | glance does check ownership | 21:24 |
kmalloc | admin-ness not scoped is not an absence of a scope check | 21:25 |
kmalloc | we are actively fixing that. | 21:25 |
kmalloc | system-scope and default roles. | 21:25 |
ayoung | ah, cinder is generating policy now. excellent | 21:25 |
kmalloc | we do a good job at scope checking in most services. we do not do a good job of limiting admin-access-bleed-through | 21:25 |
kmalloc | and that is 968696 | 21:26 |
kmalloc | anyway. URL-matched restrictions is fine to add. | 21:26 |
ayoung | oooh, and cinder checks is_admin_project! | 21:26 |
ayoung | http://git.openstack.org/cgit/openstack/cinder/tree/cinder/policies/base.py#n26 | 21:26 |
ayoung | http://git.openstack.org/cgit/openstack/glance/tree/etc/policy.json glance still broken | 21:27 |
ayoung | no scope check | 21:27 |
lbragstad | don't url restrictions require us to map all service APIs to roles? | 21:27 |
kmalloc | glance is going to be more work for system scope. | 21:27 |
kmalloc | lbragstad: no | 21:27 |
ayoung | lbragstad, yeah, but there were catch alls | 21:27 |
kmalloc | we can support templates if it helps (based on the conversations) | 21:28 |
ayoung | the default was to say admin implies anything not otherwise specified | 21:28 |
kmalloc | ayoung: if you're conflating admin-project-scope-check with a pure scope check we're talking across each other | 21:28 |
kmalloc | and it doesn't seem to be in anyway relevant to the URL-based restriction code. | 21:29 |
kmalloc | and as i said, we are actively working on the admin-bleed-through issue(s) | 21:29 |
ayoung | kmalloc, actually, I was not, just that the world seems to finally catch up with the need to fix policy. I give lbragstad props for that | 21:29 |
kmalloc | glance is going to be one of the hardest to fix. | 21:29 |
ayoung | and you... | 21:29 |
kmalloc | :) | 21:29 |
kmalloc | cool. | 21:29 |
ayoung | yeah, glance needs help. Last I checked there was like 1 person actively working on it | 21:29 |
ayoung | maybe 3, but not much more | 21:30 |
kmalloc | i do apologize for a bit of the coarseness on irc today. on massive doses of cold meds :( | 21:30 |
lbragstad | adding routes to roles in keystone is going to add some more complexity imo | 21:30 |
kmalloc | lbragstad: well, we're adding it at the app-cred layer afaik for now. | 21:30 |
lbragstad | i think we should still push services to consume scope properly | 21:30 |
kmalloc | we can extend to the roles once we have a mechanism to support it at an opt-in point | 21:30 |
lbragstad | and remove hardcoded admin checks | 21:30 |
ayoung | lbragstad, absolutely | 21:30 |
kmalloc | these are totally something to parallel | 21:31 |
kmalloc | app-creds basically lead the features of basic roles (in my view) for long term enhancements | 21:31 |
lbragstad | my fear is that we will build a short circuit that doesn't require services to fix things "now" | 21:31 |
lbragstad | and by "now" I just mean incrementally move in the same direction as a group of services | 21:31 |
kmalloc | since it's always pure-opt in for adding a functionality to an app-cred...and app creds are immutable | 21:32 |
kmalloc | so no "opting in an active app-cred" | 21:32 |
lbragstad | i could see the short-circuit getting used in some deployments and not in others, which might be super confusing for operators | 21:32 |
kmalloc | we can also decide if an app-cred feature is worth pushing down to base roles. | 21:32 |
lbragstad | (we also don't really know how to short circuit in middleware without scope information from the service) | 21:33 |
kmalloc | so, i think the workflow is: 1) keep pushing on scope checks | 21:34 |
kmalloc | properly | 21:34 |
kmalloc | and enhance app-creds to be what we discussed. | 21:34 |
kmalloc | decide if we want to expand features and checks work once services are doing things more correctly. | 21:35 |
*** erus has quit IRC | 21:41 | |
*** erus has joined #openstack-keystone | 21:43 | |
kmalloc | lbragstad: changes for some testing needed for the system_scope support, namely .cleanup_instance is needed | 21:45 |
kmalloc | can be a followup, and will upgrade to +2 as needed | 21:45 |
kmalloc | the domain one looks like it's a related failure to the change (in tempest) will need to be looked into. | 21:45 |
lbragstad | yeah.. tempest is using domain admin == system admin :( | 21:46 |
lbragstad | through a configuration option that defaults to true | 21:46 |
lbragstad | so it assumes anyone with a domain-scoped token with 'admin' can do anything in the deployment | 21:46 |
lbragstad | so that's where it's breaking | 21:46 |
lbragstad | https://review.openstack.org/#/c/624794/ | 21:47 |
lbragstad | i have a patch for it | 21:47 |
lbragstad | if i use depends on from the keystone patches, they pass | 21:47 |
*** erus has quit IRC | 21:49 | |
*** erus has joined #openstack-keystone | 21:54 | |
ayoung | knikolla, OK, I am back to having nodes enabled | 22:00 |
ayoung | for example: 87ff7a16-95f2-4349-af0d-30fc0a45fa43 | lapras.awx.fsi-moc | ACTIVE | awx-private-net_network=192.168.24.8, 128.31.24.191 | rhel-guest-image-7.5-1a | m1.medium | 22:01 |
ayoung | can't ping, can't ssh | 22:01 |
ayoung | traceroute ends with | 22:01 |
ayoung | 14 31-24-191.neu.massopencloud.org (128.31.24.191) 3026.273 ms !H 3024.599 ms !H 3026.138 ms !H | 22:01 |
*** aojea has quit IRC | 22:03 | |
ayoung | $ openstack security group show awx-rdu-all-open -f json | fpaste | 22:03 |
ayoung | Uploading (2.0KiB)... | 22:03 |
ayoung | https://paste.fedoraproject.org/paste/l1-RsypdzqDjVhAwMuM7KA | 22:03 |
ayoung | gah: sescaped json | 22:04 |
ayoung | escaped | 22:04 |
ayoung | hrm | 22:06 |
*** rcernin has joined #openstack-keystone | 22:13 | |
*** rcernin has quit IRC | 22:15 | |
*** rcernin has joined #openstack-keystone | 22:15 | |
*** aojea has joined #openstack-keystone | 22:20 | |
clarkb | ayoung: your icmp rule is a group rule so only works within the group | 22:23 |
clarkb | the tcp rule should allow for ssh from external though | 22:24 |
*** aojea has quit IRC | 22:24 | |
*** aojea has joined #openstack-keystone | 22:25 | |
clarkb | though that is ipv4 only, the ipv6 rules are group only, so if you are trying to hit it via ipv6 it would be sad too (doubt it based on the IPs above though) | 22:25 |
*** itlinux has quit IRC | 22:27 | |
lbragstad | alright - i just went through and updated milestones for old bug reports dating back to rocky | 22:27 |
lbragstad | if anyone sees anything that is Fix Released/Fix Committed and milestone isn't set, just let me know | 22:28 |
*** aojea has quit IRC | 22:29 | |
*** jmlowe has joined #openstack-keystone | 22:30 | |
lbragstad | looking at the summaries in launchpad | 22:31 |
lbragstad | there were 70 bugs fixed in pike, 38 in queens, 60 in rocky, and we've fixed 36 so far in stein | 22:32 |
*** eandersson has quit IRC | 22:45 | |
*** xek has quit IRC | 22:46 | |
*** eandersson has joined #openstack-keystone | 22:46 | |
*** tkajinam has joined #openstack-keystone | 23:09 | |
*** bnemec has quit IRC | 23:37 | |
*** erus1 has joined #openstack-keystone | 23:39 | |
*** ianw is now known as ianw_pto | 23:42 | |
*** mchlumsky has quit IRC | 23:46 | |
*** imacdonn has quit IRC | 23:55 | |
*** imacdonn has joined #openstack-keystone | 23:57 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!