Wednesday, 2019-02-06

« Tuesday, 2019-02-05 Index Thursday, 2019-02-07 »
*** gagehugo has joined #openstack-keystone00:01
*** whoami-rajat has quit IRC00:08
*** Emine has quit IRC00:23
*** lbragsta_ has joined #openstack-keystone00:50
*** ChanServ sets mode: +o lbragsta_00:50
*** lbragsta_ is now known as lbragstad__00:52
*** erus has quit IRC01:17
*** erus has joined #openstack-keystone01:18
*** dims has quit IRC01:40
*** dims has joined #openstack-keystone02:11
*** Dinesh_Bhor has joined #openstack-keystone02:15
*** dims has quit IRC02:25
*** dims has joined #openstack-keystone02:33
*** lbragstad__ has quit IRC02:52
*** gyee has quit IRC03:00
*** vishakha has joined #openstack-keystone03:23
*** erus has quit IRC03:23
*** erus has joined #openstack-keystone03:25
openstackgerritVishakha Agarwal proposed openstack/keystone master: Correcting tests with project_id  https://review.openstack.org/63439403:26
*** itlinux has joined #openstack-keystone03:42
*** itlinux has quit IRC04:41
*** itlinux has joined #openstack-keystone04:53
*** shyamb has joined #openstack-keystone05:24
*** shyamb has quit IRC05:29
*** shyamb has joined #openstack-keystone05:31
*** tkajinam_ has joined #openstack-keystone05:41
*** tkajinam has quit IRC05:43
*** tkajinam_ is now known as tkajinam06:34
*** markvoelker has joined #openstack-keystone06:38
*** markvoelker has quit IRC06:43
openstackgerritArtem Vasilyev proposed openstack/keystone master: Added request_id and global_request_id to basic notifications  https://review.openstack.org/63466306:51
*** whoami-rajat has joined #openstack-keystone06:53
*** shyamb has quit IRC06:54
*** tkajinam_ has joined #openstack-keystone07:03
openstackgerritArtem Vasilyev proposed openstack/keystone master: Seperated CADF notifications tests for request_id  https://review.openstack.org/63510107:04
*** shyamb has joined #openstack-keystone07:04
*** tkajinam has quit IRC07:05
*** jmccrory has quit IRC07:06
*** jmccrory has joined #openstack-keystone07:06
*** pcaruana has joined #openstack-keystone07:29
*** markvoelker has joined #openstack-keystone07:39
*** Emine has joined #openstack-keystone07:49
*** awalende has joined #openstack-keystone08:11
*** Emine has quit IRC08:12
*** markvoelker has quit IRC08:12
*** shyamb has quit IRC08:14
*** tkajinam_ has quit IRC08:15
*** yan0s has joined #openstack-keystone08:27
*** erus has quit IRC08:49
*** erus has joined #openstack-keystone08:50
*** erus has quit IRC08:58
*** erus has joined #openstack-keystone09:03
*** xek has joined #openstack-keystone09:09
*** erus has quit IRC09:09
*** markvoelker has joined #openstack-keystone09:09
*** shyamb has joined #openstack-keystone09:18
*** mgheorghe has joined #openstack-keystone09:26
*** markvoelker has quit IRC09:43
*** erus has joined #openstack-keystone09:47
mgheorghehi everyone. I have a question about keystone v3 policy. I have a queens deployement in HA that is using keystonev3 API. I need to give some users the ability to create users and projects within their domain. The problem is that if I give them 'admin' role on thier respective domain, that user can also list/edit/delete neutron networks and glance images cloudwise (i belive this happens because neutron/glance policies are not domain aware and09:52
mgheorghejust follow the 'role:admin' rule, whether it is a domain or project admin). To overcome this a created a new role 'domain-admin', and modified keystone policy.json to include this role. What i did was add "admin_required": "role:admin or role:domain-admin". But there seems to be a problem with this approach in the CLI and horizon. The CLI only works for the domain-admin user to list users/projects/etc. only by specifying the domain ID09:52
mgheorghe(domain name does not work) using '--domain' flag like : 'openstack user list --domain my_domain_id'. Otherwise, the user gets a 'You are not authorized to perform the requested action: identity:list_users'. This happens because, without the '--domain' flag, the rule "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s" never applies. The expected behaviour would be that if no domain flag is provided, the domain09:52
mgheorghethat the user belongs to should be used, except that it is not used. Is this a bug or the intended behaviour? Also, this only works when the rc file does not export OS_PROJECT_DOMAIN_NAME and OS_PROEJECT_NAME. Otherwise, we get a warning in keystone logs that the requested operation identity:list_users requires a system scope token (from what i can gather, a system scope token = domain scope token).09:52
mgheorgheAlso this applies to Horizon as well, where i cannot specify the '--domain' flag anymore. So here, the new role becomes useless. In fact, what i have observed is that horizon always sends 'is_admin_project:True', whether it is an admin project/domain or not. So any user that has the 'admin' role on any project in any domain, instantly becomes a 'cloud_admin' because it falls in the cloud_admin rule with 'role:admin' and 'is_admin_project:True09:52
mgheorghe' when using Horizon. This could be easily fixed by removing the 'is_admin_project:True' from keystone policy.09:52
*** takamatsu_ has joined #openstack-keystone09:57
*** takamatsu has quit IRC09:57
*** takamatsu_ has quit IRC10:00
*** takamatsu_ has joined #openstack-keystone10:03
*** Emine has joined #openstack-keystone10:14
*** mgheorghe has quit IRC10:17
*** Emine has quit IRC10:18
*** Emine has joined #openstack-keystone10:21
*** shyamb has quit IRC10:31
*** markvoelker has joined #openstack-keystone10:40
*** shyamb has joined #openstack-keystone10:46
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion  https://review.openstack.org/58821110:49
*** Emine has quit IRC10:58
*** shyamb has quit IRC11:02
*** mgheorghe has joined #openstack-keystone11:10
*** markvoelker has quit IRC11:13
*** shyamb has joined #openstack-keystone11:42
*** takamatsu_ has quit IRC11:48
*** takamatsu_ has joined #openstack-keystone11:52
*** Emine has joined #openstack-keystone12:06
*** raildo has joined #openstack-keystone12:09
*** markvoelker has joined #openstack-keystone12:09
*** shyamb has quit IRC12:23
*** Dinesh_Bhor has quit IRC12:24
*** takamatsu_ has quit IRC12:24
*** takamatsu has joined #openstack-keystone12:24
*** shyamb has joined #openstack-keystone12:25
*** shyamb has quit IRC12:31
*** markvoelker has quit IRC12:42
*** markvoelker has joined #openstack-keystone13:39
*** mvkr has quit IRC13:48
*** markvoelker has quit IRC14:13
*** mvkr has joined #openstack-keystone14:19
*** mvkr has quit IRC14:37
*** mvkr has joined #openstack-keystone14:37
*** mchlumsky has joined #openstack-keystone14:45
*** markvoelker has joined #openstack-keystone15:10
*** awalende has quit IRC15:23
*** awalende has joined #openstack-keystone15:24
*** awalende has quit IRC15:28
*** vishakha has quit IRC15:35
*** markvoelker has quit IRC15:43
kmalloco/ morning all15:54
gagehugoo/15:55
*** awalende has joined #openstack-keystone15:56
kmallocgagehugo: hows it goin?15:57
gagehugokmalloc: it's been alright15:58
gagehugohows the snow?15:58
*** raildo has quit IRC15:58
kmalloccrazy. it's pretty insanely cold for seattle and we have a ton of ice on the ground now (unheard of). plus more snow on the way.15:58
gagehugoit's been 60 here and rainy every day15:59
kmalloccurrently ~24F, ~60% humidity15:59
gagehugooh wow15:59
kmallocand clear skys.15:59
kmallocwas down as low as 21F around 3am at my house16:00
*** awalende has quit IRC16:00
gagehugoIt got -9F last week for a couple days16:00
kmalloc(Brie bought me one of those awesome home weather stations, so I get to see real numbers at my house)16:00
gagehugonot as bad as around Chicago though16:00
kmallocyeah chicago was brutal i hear16:00
gagehugonice16:00
kmallocour poor hummingbirds (yes we have winter humming birds) are not happy little critters atm.16:01
kmallocwe had to get another external/window mounted feeder so it wont freeze16:01
kmalloclandlord left a feeder out year-round so a couple don't migrate.16:01
gagehugoit doesn't normally get that cold there does it?16:02
kmallocnah, like a week a year below freezing (in aggregate) and 1-2 days of snow, with it washing away by the next day16:02
kmallocusually no colder than upper 30s16:02
gagehugoah, gotcha16:04
gagehugolol tomorrow high 55 low 1216:05
kmallocwe were going to plant some new fruit trees, but it is delayed until the ice melts.16:05
*** raildo has joined #openstack-keystone16:05
kmallocground is too hard for them to take root.16:05
gagehugoyeah, digging frozen ground isn't great16:06
kmallochopefully we will have warmer weather next week., this week is supposed to snow more.16:07
gagehugoI wouldn't mind more snow here, but I think it's all going to be rain16:08
*** raildo has quit IRC16:11
lbragstadhola16:14
gagehugolbragstad: o/16:15
*** raildo has joined #openstack-keystone16:18
*** xek has quit IRC16:26
*** xek has joined #openstack-keystone16:26
*** gyee has joined #openstack-keystone16:32
*** markvoelker has joined #openstack-keystone16:40
*** raildo has quit IRC16:46
*** raildo has joined #openstack-keystone16:53
knikollao/17:07
*** markvoelker has quit IRC17:13
*** mgheorghe has quit IRC17:16
*** pcaruana has quit IRC17:19
*** mvkr has quit IRC17:22
-openstackstatus- NOTICE: Any changes failed around 16:30 UTC today with a review comment from Zuul like "ERROR Unable to find playbook" can be safely rechecked; this was an unanticipated side effect of our work to move base job definitions between configuration repositories.17:27
*** mvkr has joined #openstack-keystone17:51
*** jmlowe has joined #openstack-keystone17:53
*** yan0s has quit IRC17:58
*** erus has quit IRC18:00
*** erus has joined #openstack-keystone18:01
*** xek_ has joined #openstack-keystone18:02
*** xek has quit IRC18:04
*** markvoelker has joined #openstack-keystone18:10
*** erus has quit IRC18:23
*** jmlowe has quit IRC18:35
*** erus has joined #openstack-keystone18:37
*** markvoelker has quit IRC18:43
*** jmlowe has joined #openstack-keystone18:50
*** markvoelker has joined #openstack-keystone19:40
*** Emine has quit IRC20:10
*** markvoelker has quit IRC20:12
*** jmlowe has quit IRC20:13
*** Ebukha has joined #openstack-keystone20:50
*** xek__ has joined #openstack-keystone20:50
*** xek_ has quit IRC20:52
*** raildo has quit IRC20:56
*** jmlowe has joined #openstack-keystone21:06
*** markvoelker has joined #openstack-keystone21:09
*** erus has quit IRC21:15
*** xek__ has quit IRC21:17
*** erus has joined #openstack-keystone21:18
*** markvoelker has quit IRC21:42
*** Ebukha has quit IRC21:49
*** erus has quit IRC21:53
*** erus has joined #openstack-keystone21:59
openstackgerritMerged openstack/keystone master: Implement system reader role for users  https://review.openstack.org/60548522:29
openstackgerritMerged openstack/keystone master: Implement system member role user test coverage  https://review.openstack.org/62331722:29
*** erus has quit IRC22:37
*** erus has joined #openstack-keystone22:39
*** markvoelker has joined #openstack-keystone22:40
*** erus has quit IRC22:46
*** erus1 has joined #openstack-keystone22:48
*** mchlumsky has quit IRC22:50
openstackgerritMerged openstack/keystone master: Implement system admin role in users API  https://review.openstack.org/62331822:50
*** erus has joined #openstack-keystone22:51
*** tkajinam has joined #openstack-keystone22:53
*** erus has quit IRC22:58
*** erus has joined #openstack-keystone23:06
*** erus has quit IRC23:13
*** markvoelker has quit IRC23:13
*** erus has joined #openstack-keystone23:21
*** awalende has joined #openstack-keystone23:25
*** erus has quit IRC23:27
*** awalende has quit IRC23:29
*** erus has joined #openstack-keystone23:36
*** erus has quit IRC23:43
*** itlinux has quit IRC23:48
*** imacdonn has quit IRC23:49
*** imacdonn has joined #openstack-keystone23:49
*** erus has joined #openstack-keystone23:51
*** erus has quit IRC23:55
« Tuesday, 2019-02-05 Index Thursday, 2019-02-07 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!