Thursday, 2019-02-21

*** jamesmcarthur has quit IRC		00:01
*** itlinux has joined #openstack-keystone		00:05
*** itlinux has quit IRC		00:06
*** erus has quit IRC		00:06
*** erus has joined #openstack-keystone		00:06
*** markvoelker has joined #openstack-keystone		00:19
*** erus has quit IRC		00:36
*** erus has joined #openstack-keystone		00:37
*** mvkr has quit IRC		00:40
*** mvkr has joined #openstack-keystone		00:42
*** marst has joined #openstack-keystone		00:50
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210	01:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: WIP: Additional work for testing assignment protection https://review.openstack.org/636825	01:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309	01:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for system members https://review.openstack.org/638310	01:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for system admin https://review.openstack.org/638311	01:08
*** whoami-rajat has joined #openstack-keystone		01:12
*** erus has quit IRC		01:44
*** erus has joined #openstack-keystone		01:45
*** gyee has quit IRC		02:06
*** jamesmcarthur has joined #openstack-keystone		02:10
lbragstad	pas-ha https://pasted.tech/pastes/ec9618b32aa49b7bbca9c4f32a014c83995d79da.raw	02:21
*** jamesmcarthur has quit IRC		02:37
*** Dinesh_Bhor has joined #openstack-keystone		02:41
*** jamesmcarthur has joined #openstack-keystone		02:42
*** marst has quit IRC		02:46
*** erus has quit IRC		02:46
*** erus has joined #openstack-keystone		02:47
*** dklyle has quit IRC		03:03
*** jamesmcarthur has quit IRC		03:08
lbragstad	pas-ha http://eavesdrop.openstack.org/irclogs/%23openstack-ansible/%23openstack-ansible.2019-02-21.log.html#t2019-02-21T02:03:38	03:13
*** dklyle has joined #openstack-keystone		03:17
*** vishakha has joined #openstack-keystone		03:18
*** markvoelker has quit IRC		03:20
*** jamesmcarthur has joined #openstack-keystone		03:32
*** spsurya has joined #openstack-keystone		03:34
*** imus has joined #openstack-keystone		03:48
*** imus has quit IRC		03:56
*** jamesmcarthur has quit IRC		04:00
*** jamesmcarthur has joined #openstack-keystone		04:01
*** jamesmcarthur has quit IRC		04:05
*** markvoelker has joined #openstack-keystone		04:21
lbragstad	pas-ha https://review.openstack.org/#/c/638327/	04:25
*** gagehugo has joined #openstack-keystone		04:29
*** markvoelker has quit IRC		04:55
*** erus has quit IRC		05:04
*** erus has joined #openstack-keystone		05:05
*** shyamb has joined #openstack-keystone		05:19
*** erus has quit IRC		05:41
*** erus has joined #openstack-keystone		05:42
*** erus has quit IRC		05:48
*** erus has joined #openstack-keystone		05:48
*** markvoelker has joined #openstack-keystone		05:52
*** lbragstad_ has joined #openstack-keystone		05:53
*** ChanServ sets mode: +o lbragstad_		05:53
*** lbragstad has quit IRC		05:55
*** lbragstad has joined #openstack-keystone		06:04
*** ChanServ sets mode: +o lbragstad		06:04
*** lbragstad_ has quit IRC		06:04
*** lbragstad_ has joined #openstack-keystone		06:09
*** ChanServ sets mode: +o lbragstad_		06:09
*** lbragstad has quit IRC		06:10
*** lbragstad has joined #openstack-keystone		06:16
*** ChanServ sets mode: +o lbragstad		06:16
*** lbragstad_ has quit IRC		06:18
*** markvoelker has quit IRC		06:25
*** spsurya has quit IRC		06:25
*** erus has quit IRC		06:26
*** erus has joined #openstack-keystone		06:26
*** shyamb has quit IRC		06:55
*** shyamb has joined #openstack-keystone		07:06
*** rcernin has quit IRC		07:13
*** spsurya has joined #openstack-keystone		07:17
*** pcaruana has joined #openstack-keystone		07:19
*** markvoelker has joined #openstack-keystone		07:22
*** shyamb has quit IRC		07:37
*** Dinesh_Bhor has quit IRC		07:49
*** markvoelker has quit IRC		07:55
*** jaosorior has quit IRC		08:08
*** awalende has joined #openstack-keystone		08:15
*** erus has quit IRC		08:23
*** tkajinam has quit IRC		08:23
*** erus has joined #openstack-keystone		08:23
*** lbragstad has quit IRC		08:25
*** josecastroleon has quit IRC		08:34
*** aloga has quit IRC		08:48
*** erus has quit IRC		08:48
*** aloga has joined #openstack-keystone		08:48
*** erus has joined #openstack-keystone		08:48
*** markvoelker has joined #openstack-keystone		08:52
*** shyamb has joined #openstack-keystone		08:58
openstackgerrit	Merged openstack/keystone master: Add tests for project users interacting with mappings https://review.openstack.org/619616	08:59
openstackgerrit	Merged openstack/keystone master: Remove mapping policies from policy.v3cloudsample.json https://review.openstack.org/619617	08:59
*** markvoelker has quit IRC		09:25
*** shyamb has quit IRC		09:41
*** shyamb has joined #openstack-keystone		09:50
*** awalende has quit IRC		09:52
*** awalende has joined #openstack-keystone		09:52
*** awalende has quit IRC		09:57
*** jaosorior has joined #openstack-keystone		09:57
*** awalende has joined #openstack-keystone		09:59
*** markvoelker has joined #openstack-keystone		10:17
*** spsurya has quit IRC		10:22
*** shyamb has quit IRC		10:46
*** jaosorior has quit IRC		10:55
*** erus has quit IRC		10:56
*** erus has joined #openstack-keystone		10:57
*** yan0s has joined #openstack-keystone		11:02
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: Additional work for testing assignment protection https://review.openstack.org/636825	11:04
*** jaosorior has joined #openstack-keystone		11:15
*** shyamb has joined #openstack-keystone		11:15
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: Add hint for order of keys during distribution. https://review.openstack.org/638397	11:17
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: Mention allow_expired_window in fernet FAQ https://review.openstack.org/638398	11:17
vishakha	lbragstad: Added few more test cases in https://review.openstack.org/#/c/636825.	11:25
vishakha	lbragstad: Do I need to update anything in https://review.openstack.org/#/c/609210?	11:26
*** erus has quit IRC		11:27
*** erus has joined #openstack-keystone		11:28
*** awalende has quit IRC		11:28
*** awalende has joined #openstack-keystone		11:30
*** raildo has joined #openstack-keystone		11:33
*** FlorianFa has joined #openstack-keystone		11:47
*** FlorianFa has quit IRC		11:51
*** awalende has quit IRC		11:52
*** erus has quit IRC		11:52
openstackgerrit	erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305	11:52
*** awalende has joined #openstack-keystone		11:52
*** erus has joined #openstack-keystone		11:52
*** FlorianFa has joined #openstack-keystone		11:54
*** FlorianFa has quit IRC		11:56
*** FlorianFa has joined #openstack-keystone		11:56
*** awalende has quit IRC		11:57
*** shyamb has quit IRC		12:41
*** errr has joined #openstack-keystone		12:47
*** awalende has joined #openstack-keystone		12:50
errr	hello, Im using queens and have federation setup using shibboleth. When I try to login my IDP is successfully giving me a valid session. But I dont seem to be getting redirected to horizon..	12:50
errr	I am instead stuck at a page that says "Please wait..." its like https://mysite.com:5000/v3/auth/OS-FEDERATION/websso/mapped?origin=https://mysite.com/auth/websso/	12:51
errr	does this mean I am missing the sso callback file in horizon? Im not sure where to look to fix this problem..	12:52
cmurphy	errr: the "Please wait..." message comes from the callback file so you are not missing it, there should be some javascript embedded in it that POSTs the token to horizon which should trigger the login, so check the horizon logs to see if horizon didn't handle the request for some reason	12:59
*** erus has quit IRC		13:00
*** erus has joined #openstack-keystone		13:01
errr	cmurphy: I see the POST happen, but no errors or anything show up after that.. it just shows the POST and thats it	13:02
cmurphy	errr: not sure what it is then, seems like an issue on horizon's side :( you could try turning up the debug logging in horizon if you haven't already	13:04
errr	cmurphy: I havent, what is the directive I use to enable debug?	13:05
cmurphy	errr: in local_settings.py there is a LOGGING variable with a python dict in it, i usually set LOGGING -> handlers -> console -> level to DEBUG but there are a whole lot of knobs in there	13:09
errr	ah, well it looks like I do already have that all set to DEBUG	13:09
*** markvoelker has quit IRC		13:17
*** markvoelker has joined #openstack-keystone		13:18
*** markvoelker has quit IRC		13:22
*** shyamb has joined #openstack-keystone		13:35
*** jamesmcarthur has joined #openstack-keystone		13:43
*** erus has quit IRC		13:44
*** shyamb has quit IRC		13:44
*** erus has joined #openstack-keystone		13:45
*** erus has quit IRC		13:56
*** erus has joined #openstack-keystone		13:56
*** lbragstad has joined #openstack-keystone		13:57
*** ChanServ sets mode: +o lbragstad		13:57
*** jamesmcarthur has quit IRC		13:58
*** jamesmcarthur has joined #openstack-keystone		13:58
*** erus has quit IRC		14:03
*** jamesmcarthur has quit IRC		14:03
*** aning has quit IRC		14:04
*** erus has joined #openstack-keystone		14:04
*** aning has joined #openstack-keystone		14:08
*** jaosorior has quit IRC		14:08
*** erus has quit IRC		14:10
*** erus has joined #openstack-keystone		14:10
*** markvoelker has joined #openstack-keystone		14:18
openstackgerrit	Merged openstack/keystone master: Deprecate cache_on_issue configuration option https://review.openstack.org/635690	14:24
*** jamesmcarthur has joined #openstack-keystone		14:29
*** jaosorior has joined #openstack-keystone		14:30
*** erus has quit IRC		14:30
*** imacdonn has quit IRC		14:31
*** erus has joined #openstack-keystone		14:31
*** jamesmcarthur has quit IRC		14:34
gagehugo	o/	14:46
erus	\o	14:46
lbragstad	o/	14:48
*** markvoelker has quit IRC		14:53
*** erus has quit IRC		14:54
*** erus has joined #openstack-keystone		14:55
*** mvkr has quit IRC		15:00
*** erus has quit IRC		15:04
*** erus has joined #openstack-keystone		15:04
*** jaosorior has quit IRC		15:08
*** jamesmcarthur has joined #openstack-keystone		15:10
*** awalende has quit IRC		15:12
*** awalende has joined #openstack-keystone		15:13
vishakha	o/	15:16
*** jamesmcarthur has quit IRC		15:17
*** awalende_ has joined #openstack-keystone		15:17
*** awalende_ has quit IRC		15:17
*** awalende has quit IRC		15:17
*** jistr is now known as jistr\|afk		15:22
*** erus has quit IRC		15:23
*** mvkr has joined #openstack-keystone		15:24
*** erus has joined #openstack-keystone		15:24
vishakha	lbragstad: Added few more test cases in https://review.openstack.org/#/c/636825.	15:29
vishakha	Do I need to update anything in https://review.openstack.org/#/c/609210?	15:29
lbragstad	vishakha if you wanted to consolidate those patches with git rebase, you could	15:30
lbragstad	so long as you feel comfortable with those changes	15:31
*** jistr\|afk is now known as jistr		15:32
vishakha	ok. Doin the same	15:32
*** erus has quit IRC		15:34
*** erus has joined #openstack-keystone		15:35
zzzeek	kmalloc: I'm being told that dogpile.cache 0.7.x was uncapped in oslo.cache and the whole world is breaking now : https://bugs.launchpad.net/oslo.cache/+bug/1817032	15:39
openstack	Launchpad bug 1817032 in oslo.cache "Unit test fails during cache region testing" [Undecided,New] - Assigned to Herve Beraud (herveberaud)	15:39
zzzeek	kmalloc: do you recall the dicsussion we wer having about use of the decorator module, and someone was abusing it in some way we decided should be fixed downstream ?	15:39
*** erus has quit IRC		15:40
*** dave-mccowan has joined #openstack-keystone		15:41
*** erus has joined #openstack-keystone		15:41
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Additional work for testing assignment protection https://review.openstack.org/636825	15:43
lbragstad	vishakha from there - we should be able to keep stacking commits in that series	15:45
lbragstad	it looks like we have everything for system users	15:45
lbragstad	s/everything/tests/	15:45
*** dave-mccowan has quit IRC		15:45
lbragstad	so - we can try and take those tests and reuse some of them for domain users (admins, members, and readers)	15:45
lbragstad	and then fill in the gaps that make sense	15:46
*** jaosorior has joined #openstack-keystone		15:46
vishakha	Yeah for system users all patches are up. After rebasing I can update for domain users	15:46
zzzeek	kmalloc: I found the thread, that was about openstacksdk.	15:48
*** jamesmcarthur has joined #openstack-keystone		15:48
*** markvoelker has joined #openstack-keystone		15:50
*** jamesmcarthur has quit IRC		15:53
lbragstad	vishakha cool - that sounds good	15:54
lbragstad	the series starting at https://review.openstack.org/#/c/619373/5 and https://review.openstack.org/#/c/619277/4 close a few bugs (and already have a +2)	15:56
lbragstad	if anyone is looking for reviews	15:57
*** jamesmcarthur has joined #openstack-keystone		15:58
*** jamesmcarthur has quit IRC		15:58
*** jamesmcarthur has joined #openstack-keystone		15:58
knikolla	o.	15:59
knikolla	o/	15:59
kmalloc	zzzeek: cool .	16:07
kmalloc	zzzeek: it was, as I recall, silly behavior someone was doing.	16:08
kmalloc	And dogpile just started doing more correct things.	16:08
kmalloc	I am a little pre-coffee ATM.	16:09
kmalloc	So brain fuzzed	16:09
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210	16:10
erus	hii knikolla and kmalloc o/	16:10
knikolla	hi erus!	16:10
erus	how are you?	16:10
knikolla	i'm good. took the day off today. i have too many vacation days accumulated which will go to waste if i didn't use them soon.	16:11
knikolla	how are you?	16:11
erus	hahaha ohh vacation great	16:12
erus	i'm really hungry :D	16:12
knikolla	more like drink coffee and play super mario odyssey day. :p	16:12
erus	but i'm fine, in my last weeks :( haha	16:13
zzzeek	kmalloc: yeah i found it, just shared w/ the oslo.cache person in case they have similar issues	16:13
kmalloc	knikolla: good plan.	16:13
kmalloc	zzzeek: ++	16:13
*** jamesmcarthur has quit IRC		16:13
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Additional work for testing assignment protection https://review.openstack.org/636825	16:13
kmalloc	Oh gotta send you a message, sec.	16:13
erus	ohh sounds really good, just play super mario odyssey once	16:13
knikolla	my video game backlog is almost as bad as my code review backlog :)	16:14
erus	hahaha	16:15
erus	the last game i played was life is strange	16:17
erus	i don't play since december :(	16:17
knikolla	what platform do you play on?	16:19
kmalloc	knikolla: I think the next game for me is mankind divided, its been on my.list for a couple years. Or Shadow of the Tomb raider	16:19
knikolla	kmalloc: i think i got that for free on ps plus a while back. haven't booted it yet.	16:21
erus	right now in my notebook knikolla	16:21
erus	only pc for now	16:21
*** markvoelker has quit IRC		16:23
lbragstad	https://playwarcraft3.com/en-us/ is coming out this year and was built/hosted/will be hosted using OpenStack	16:24
lbragstad	so...	16:25
* lbragstad thanks eandersson		16:27
*** jamesmcarthur has joined #openstack-keystone		16:27
knikolla	lbragstad: whoaaaa... hopefully they don't screw it up	16:32
knikolla	i have lost complete faith in activision/blizzard.	16:32
knikolla	and warcraft 3 is a childhood classic.	16:32
erus	woow great lbragstad	16:32
lbragstad	eandersson works for blizzard ;)	16:32
erus	hahaha	16:32
lbragstad	i was a huge fan of warcraft 2 and 3	16:33
knikolla	the blizzard side is fine, activision not so much, haha.	16:33
* gagehugo is waiting for classic wow		16:33
lbragstad	diablo 3 was fun, too	16:33
knikolla	i guess the only thing i'm really waiting is bayonetta 3.	16:33
knikolla	i'm pretty much stocked up for this year.	16:34
gagehugo	knikolla: do you play smash ultimate?	16:34
knikolla	gagehugo: don't really have anyone in my circle who plays that, so i mostly skipped on the smash train.	16:35
knikolla	every social opportunity was mostly FIFA/PES, haha.	16:35
knikolla	if anyone wants to add me as a friend on PSN/Switch/Steam, do send me a message	16:36
cmurphy	oh man did I accidentally /join #nerd	16:37
lbragstad	welcome	16:37
knikolla	there's a strong correlation	16:38
cmurphy	lol warcraft2 was pretty good	16:38
*** imacdonn has joined #openstack-keystone		16:38
lbragstad	"pretty good" she says ;)	16:38
lbragstad	cmurphy how was BF2?	16:39
erus	what is your steam user knikolla? haha xD	16:40
cmurphy	lbragstad: not bad, i was slightly underwhelmed	16:40
cmurphy	i liked the campaign but it was too short	16:40
* lbragstad nods		16:40
*** rafaelweingartne has joined #openstack-keystone		16:40
lbragstad	that's the feedback i heard from others, too	16:40
knikolla	erus: sent u a private message	16:40
rafaelweingartne	Hello Guys, when using identity federation with keystone, can't I map my federated users to specific domains (that I already have), instead of mapping them to Default	16:41
rafaelweingartne	and then OpenStack creates a domain to represents the IdP?	16:41
knikolla	rafaelweingartne: when you create the identity provider, you specify which domain to use	16:41
lbragstad	rafaelweingartne when you create an identity provider you can specify a domain in the request	16:42
rafaelweingartne	hmm	16:42
lbragstad	rafaelweingartne if a domain isn't supplied, keystone will automatically generate one for you	16:42
rafaelweingartne	I did not know that	16:42
rafaelweingartne	I thought that was done in the mapping	16:42
rafaelweingartne	what is the domain in the mapping used for then?	16:42
lbragstad	it depends on what you want your users to do when they access your service provider	16:43
lbragstad	the domain for the identity provider is really just a name space for the users coming from that identity provider	16:43
rafaelweingartne	yes, that is our idea, to bind the users from an identity provider to a domain	16:43
rafaelweingartne	that is why we have defined the domain in the mapping	16:43
lbragstad	but you're not limited to keeping all role assignments for a user within the domain they are namespaced to	16:44
gagehugo	knikolla: I played a LOT of gamecube smash so I tend to keep picking it back up each release	16:44
rafaelweingartne	what do you mean by that?	16:44
rafaelweingartne	I am actually assigining the permissions/roles to a group	16:45
rafaelweingartne	and then I assign users to that group	16:45
lbragstad	rafaelweingartne for example, if you have a user in the Default domain, they can have direct or indirect role assignments on other domains in the deployment	16:45
rafaelweingartne	ok	16:47
*** dave-mccowan has joined #openstack-keystone		16:47
rafaelweingartne	you mean, users from default domain (root) can have assignemtn (permissions) to other domain, is that it?	16:47
lbragstad	correct	16:48
*** gyee has joined #openstack-keystone		16:48
rafaelweingartne	ok, and the other way around is not possible	16:48
lbragstad	both ways are possible	16:48
rafaelweingartne	ah	16:48
rafaelweingartne	but talking about the attribute mapping, if I define a domain that already exist there	16:49
lbragstad	i'm just saying we don't have anything in keystone that restricts assignments across domains depending on the user's domain (associated to their user reference)	16:49
rafaelweingartne	why is openstack always creating a domain for the IdP?	16:49
knikolla	rafaelweingartne: the domain is created upon creating an idp	16:49
knikolla	even before you create a mapping	16:49
lbragstad	correct ^	16:49
lbragstad	so - one thing you might do instead	16:49
knikolla	you can have multiple idps with one domain though	16:49
lbragstad	is to create an identity provider and specify the domain you want user to map into	16:50
knikolla	by using an existing one	16:50
lbragstad	then - create a mapping using that same domain	16:50
knikolla	there's a `--domain <domain>` property when creating an idp.	16:50
rafaelweingartne	ah	16:50
rafaelweingartne	ok	16:50
rafaelweingartne	now I get it	16:50
rafaelweingartne	I need to define a domain for the IdP	16:50
lbragstad	users coming in through federation will be namespaced to the same domain that is used in the mapping	16:50
rafaelweingartne	othewise, Openstack aways creates one	16:50
lbragstad	correct - we leave that up to you	16:51
rafaelweingartne	got it	16:51
rafaelweingartne	I have another question now	16:51
lbragstad	keystone just needs to have a domain for the users coming in, so that we namespace them properly	16:51
knikolla	you shouldn't use the domain property for users in mappings. for groups and projects it's fine.	16:51
rafaelweingartne	hmm	16:52
rafaelweingartne	I was trying to use it, because that is what is shown in the documentation	16:52
rafaelweingartne	so, we are not supposed to use it?	16:52
lbragstad	rafaelweingartne what docs were you using?	16:52
rafaelweingartne	https://docs.openstack.org/keystone/rocky/advanced-topics/federation/federated_identity.html	16:53
lbragstad	gotcha - nearly that entire document has been revised and updated	16:53
lbragstad	https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html	16:54
lbragstad	^ that is the newer version	16:54
rafaelweingartne	ah	16:54
rafaelweingartne	that is better	16:54
rafaelweingartne	so, now I have other question, if I map the e-mail attribute from the IdP to the username in OpenStack, and if there is already a user with that username in the same domain	16:55
knikolla	rafaelweingartne: when you set the user type to local. you can map to an actual existing user in the keystone db. that is when you use domain.	16:55
rafaelweingartne	got you	16:55
rafaelweingartne	So, it was not working here, because I did not register a domain when registering an IdP	16:55
lbragstad	it could be due to the fact the domains were mismatched? cmurphy or knikolla could correct me though	16:56
*** erus has quit IRC		16:56
*** erus has joined #openstack-keystone		16:57
knikolla	rafaelweingartne: it type is set to local. the user will get that user. but every user not matching will get denied.	16:58
knikolla	rafaelweingartne: if type is set to not local. a new user will be created with the same email / username.	16:58
knikolla	i know, that is confusing.	16:58
knikolla	the uniqueness contraint on federated users is on the entity id coming from the idp.	16:59
rafaelweingartne	by type, you mean the "local" property of the mapping attribute, right?	16:59
openstackgerrit	erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305	16:59
knikolla	rafaelweingartne: "type": "local" in "local": "user": {}	17:01
knikolla	read the mapping compinations documentation cause it describes that.	17:01
knikolla	combinations*	17:01
knikolla	https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#mappings-examples	17:01
rafaelweingartne	sure got it	17:02
rafaelweingartne	In the other documentation I do not recall to have seen this "type: local"	17:02
rafaelweingartne	now I see how it works, but it creates a problem	17:02
rafaelweingartne	so, if I have already a few users in the domain	17:02
rafaelweingartne	the new users in the IdP would not be created	17:02
rafaelweingartne	can I have more than one attribute mapping for the same IdP?	17:03
knikolla	in the general mapping setup that i recommend (not using type: local) they would,.	17:03
knikolla	a new user will be created for every unique (entity id, protocol, idp).	17:04
rafaelweingartne	what do you consider the entity id? the "sub" attribute in OIDC?	17:06
*** erus has quit IRC		17:06
*** erus has joined #openstack-keystone		17:06
*** pcaruana has quit IRC		17:07
knikolla	rafaelweingartne: yes.	17:08
knikolla	i don't exactly remember the specifics at this moment.	17:09
knikolla	haven't played around in some time.	17:09
rafaelweingartne	ok, no problem	17:09
rafaelweingartne	but I get the picture	17:10
knikolla	it might be that it uses whatever you have mapped to the username attribute, as i don't quite recall a configuration setting for specifiying which attribute that is.	17:11
rafaelweingartne	ok, thanks	17:11
rafaelweingartne	it helped a lot	17:12
knikolla	rafaelweingartne: https://github.com/openstack/keystone/blob/ace45841943ed6b698b8a5aea35a80c119c3cae3/keystone/identity/backends/sql_model.py#L342	17:17
knikolla	as per sql model above, a federated user is unique on (unique_id, idp, protocol)	17:18
knikolla	so you can have multiple users with same email from different idps in same domain	17:18
knikolla	alright, enough info. i don't want to confuse you further.	17:19
*** erus has quit IRC		17:19
rafaelweingartne	aha, no worries	17:19
rafaelweingartne	now these tables are starting to make more sense	17:19
*** markvoelker has joined #openstack-keystone		17:20
knikolla	we like to keep the barrier to entry high. job security and stuff, haha.	17:21
*** yan0s has quit IRC		17:23
*** jamesmcarthur_ has joined #openstack-keystone		17:24
*** jamesmcarthur has quit IRC		17:27
rafaelweingartne	ahaha	17:27
rafaelweingartne	actually, I find it easier here, as you guys use the same terms as I am used to such as metadata, IdP, SP, and so on	17:28
rafaelweingartne	so, for someone with an academic background, it gets easier	17:28
rafaelweingartne	just the documentaation pages that I was reading, which were not very accurate, but with these new docs, I guess I will not have problems	17:29
*** erus has joined #openstack-keystone		17:29
rafaelweingartne	thanks for the help ;)	17:29
knikolla	no problem :)	17:29
knikolla	ping me if u have any more questions, i'm generally around.	17:29
rafaelweingartne	sure will	17:31
rafaelweingartne	I just need to learn how to ping people on IRC :P	17:31
rafaelweingartne	I am used to using @, but it does not work here	17:31
*** zzzeek has quit IRC		17:44
*** zzzeek has joined #openstack-keystone		17:49
*** markvoelker has quit IRC		17:53
*** rafaelweingartne has quit IRC		18:05
*** mvkr has quit IRC		18:12
gagehugo	lbragstad: one comment on https://review.openstack.org/#/c/614549/	18:37
lbragstad	gagehugo sure - debug logging ok?	18:40
lbragstad	but - remember that is going to get noisy	18:40
lbragstad	if you have many public keys on every token validation	18:41
gagehugo	hmm	18:41
*** erus has quit IRC		18:44
gagehugo	I was just thinking if I was trying to debug why auth was failing, it would be nice to see if keystone is unhappy with the pub keys	18:45
gagehugo	but yeah, I can see that getting quite chatty if there's old keys	18:45
lbragstad	or just many keys	18:45
lbragstad	if you have 40 APIs servers for example	18:45
lbragstad	also - since key rotation for JWT is quite different from fernet	18:50
lbragstad	we don't bother attempting to prune keys	18:50
gagehugo	yeah	18:50
*** markvoelker has joined #openstack-keystone		18:50
lbragstad	so - a server could have 40 valid keys and 100 invalid keys that are no longer used	18:50
gagehugo	maybe decodeerror could be a separate except and then log that, otherwise yeah there would be 100 log messages	18:51
gagehugo	for each invalid/expired	18:51
*** vishakha has quit IRC		18:52
gagehugo	lets leave it for now and see about it with a follow up change	18:52
lbragstad	sounds good	18:52
gagehugo	it's fine for now tbh, I was just curious	18:53
lbragstad	something to think about	18:53
gagehugo	lbragstad: done, lgtm	18:58
lbragstad	thanks gagehugo	18:58
*** mvkr has joined #openstack-keystone		18:59
kmalloc	lbragstad: you know, asyncio is super rad.	19:13
kmalloc	if it fits a usecase*	19:13
* kmalloc has been looking at it.		19:13
*** markvoelker has quit IRC		19:23
*** s10 has joined #openstack-keystone		19:36
s10	Hello. I have a question about LDAP integration. Is there any way to use LDAP identity driver _and_ sql backend for users in specific domain?	19:48
*** jamesmcarthur_ has quit IRC		19:56
*** jamesmcarthur has joined #openstack-keystone		19:57
*** jamesmcarthur has quit IRC		20:01
*** whoami-rajat has quit IRC		20:02
*** jamesmcarthur has joined #openstack-keystone		20:18
*** markvoelker has joined #openstack-keystone		20:21
*** awalende has joined #openstack-keystone		20:31
*** awalende has quit IRC		20:36
*** jdennis has quit IRC		20:38
*** jamesmcarthur has quit IRC		20:40
*** jamesmcarthur has joined #openstack-keystone		20:40
*** jdennis has joined #openstack-keystone		20:41
*** jamesmcarthur has quit IRC		20:45
gagehugo	cmurphy: do we want to hold off on those ksa changes?	20:48
*** jamesmcarthur has joined #openstack-keystone		20:53
*** markvoelker has quit IRC		20:55
cmurphy	gagehugo: I think https://review.openstack.org/636074 is fine to go in now, it's the one on top of that that I'm not sure about	20:56
cmurphy	working on an email now	20:56
gagehugo	okedoke	20:57
ayoung	I think we lied in our policy 101 talk. What does "" mean in a policy file?	21:04
ayoung	I thought it was "always true" same as @ but now I can't see where that parses	21:05
ayoung	its default, right?	21:06
ayoung	# Empty rule defaults to True	21:08
ayoung	if not rule:	21:08
ayoung	return _checks.TrueCheck()	21:08
ayoung	I think Ozz got that confused	21:08
gagehugo	The rule is an empty string meaning “always”.	21:10
gagehugo	https://docs.openstack.org/oslo.policy/queens/admin/policy-json-file.html#examples	21:10
*** rcernin has joined #openstack-keystone		21:11
ayoung	gagehugo, I know that is what we document, but I can't figure out how that happens	21:12
gagehugo	ayoung: ah ok	21:12
ayoung	it must be a compination of skipping the token and an empty rule defaults to true	21:13
lbragstad	we should use gerrit for team presentation talk submissions ;)	21:13
cmurphy	lbragstad ayoung kmalloc gagehugo knikolla http://lists.openstack.org/pipermail/openstack-discuss/2019-February/003031.html	21:13
ayoung	got a customer seeins different behavior between CLI and Horizon, and I'm not sure what the rule is supposed to evaluate to	21:13
ayoung	cmurphy, you rock	21:15
lbragstad	holy email, batman	21:15
kmalloc	cmurphy: whoa.	21:15
kmalloc	cmurphy: that is going to take me a bit to parse	21:16
cmurphy	yeah sorry	21:16
ayoung	cmurphy, keying on service type means we can't have different policy per endpoint	21:16
ayoung	cmurphy, I think you are on the right approach. Might suggest * be replaced with something that is not a greedy token as it is supposed to be stopped by a /	21:18
ayoung	so /{1}/bla/{2} vs //bla// But I am ok if you tink you can make that work	21:18
ayoung	I do think, tho. that we are better off keeping with the keys that the services use for the Paths	21:18
cmurphy	ayoung: you want different policy per endpoint? i never thought of that	21:19
ayoung	so even if we don't match values from the token, please allow the old syntax.	21:19
ayoung	cmurphy, it was one of the requests, yes	21:19
cmurphy	ayoung: * here is not greedy, it doesn't include /	21:19
cmurphy	** includes /	21:19
cmurphy	ayoung: in the spec?	21:19
ayoung	ok...so no problem with that	21:19
ayoung	I origianlly wanted to be able to seed the rules from the APIs policy	21:19
ayoung	we'd have to convert from what nova produces to the * format	21:20
ayoung	is there a way we can keep the format, and ignore the keys?	21:20
cmurphy	ayoung: if it wasn't in the spec then I probably didn't remember and/or didn't read your mind	21:20
ayoung	they will also be better documentation of intent, even if we don't use it	21:20
ayoung	it was part of the discussion way back when, but it might not have made its way into the app creds spec. It was in the rbac-enforce-in -middleware spec	21:21
cmurphy	we could probably keep the format and ignore the keys, it's just a different regex	21:21
ayoung	that is not a deal killer: we could potentially have service nickanmes	21:21
cmurphy	* and ** were nice because they are shell standards	21:21
ayoung	so compute-gold is a nickname for compute, but only supports a higher class of service	21:22
ayoung	so, of all your changes, the only one I request you roll back is the format of the paths. THe rest is golden	21:23
cmurphy	ayoung: okay so the request is to switch eg /v2/servers/* to /v2/servers/{server_id} so it looks more like what's in the api-ref and existing policies correct?	21:24
ayoung	yes	21:24
cmurphy	okay wfm	21:24
ayoung	I like your name choices	21:24
cmurphy	we could support different policies for different endpoints by keying on endpoint url instead of service type	21:25
ayoung	right now, an endpoiung does not know its service or endpoint ids anyway. We had a deployers rebellion when we suggested editing the config files post setup to put the uuids into them generated from keystone. My last thought was that we put the value into , say nova.conf that tells it "you are a compute server" and let that field be overridden	21:26
ayoung	endpoints don't even know their URLs, so putting in a value a-priori is essential;	21:27
cmurphy	yes, this hinges on having something set in [keystone_authtoken] or set in code in nova that tells the service who it is	21:28
cmurphy	s/nova/the project	21:28
ayoung	right	21:28
ayoung	we can default those to the good names, but there is no reason they have to stick with them	21:29
cmurphy	right	21:29
ayoung	we couldalso do a naming scheme like policy	21:29
ayoung	nova by default, or nova:gold	21:29
ayoung	wehre :gold means grab the gold specific rules. That allos us to stick with the majority of the default policy, but layer on an additional check, too	21:30
ayoung	so, I don't think that has to be this round.	21:30
cmurphy	okay	21:30
ayoung	just keep it in mind as you go, and we can revisit once we have a working code base. Think how a customer would be able to divide up a cloud so that some region was for a special class of customers. And that might be better done via K2K	21:31
ayoung	on allow_chained....	21:31
kmalloc	hm.	21:33
ayoung	I might be OK with killing that	21:34
ayoung	If we don't make allowed_chained=True by default it might just break everywhere	21:34
ayoung	or people will just add it to every call anyway	21:34
ayoung	but	21:34
ayoung	what if it is OK to createan ephemeral server, but not to create stoarge for it?	21:34
cmurphy	ugh yeah we need to keep it for that	21:36
cmurphy	i think we'll need to change it to be part of the capability rule and not an attribute of the app cred itself, since different apis will have different needs for chaining service calls	21:38
*** erus has joined #openstack-keystone		21:42
lbragstad	allow_chained is really specific to if nova can reuse an cap cred token for something in another service, for example, right?	21:42
cmurphy	that's one case but it could also be for if heat or magnum want to make requests to other services	21:43
cmurphy	or if you want glance to store images in swift	21:44
lbragstad	ok	21:44
lbragstad	but it's specific to any service _behind_ the service the user made the request against?	21:44
cmurphy	right	21:44
* lbragstad nods		21:44
* cmurphy will try to think of better names for it		21:46
lbragstad	if it wasn't a boolean - it's almost easier to think of it as a depth	21:47
lbragstad	er - service_depth	21:47
lbragstad	but - that feels really complicated for users to have to deal with	21:49
lbragstad	idk if something like that would even be discoverable	21:49
cmurphy	yeah, i don't think the depth of the chaining is the issue, no matter how many services deep you are it's still some other service making a request on behalf of you	21:50
lbragstad	tricky	21:51
*** erus has quit IRC		21:51
*** erus has joined #openstack-keystone		21:51
*** markvoelker has joined #openstack-keystone		21:53
*** jamesmcarthur has quit IRC		21:57
*** erus has quit IRC		21:57
*** erus has joined #openstack-keystone		21:58
*** jamesmcarthur has joined #openstack-keystone		22:05
*** jamesmcarthur has quit IRC		22:07
*** markvoelker has quit IRC		22:25
*** dave-mccowan has quit IRC		22:40
*** dave-mccowan has joined #openstack-keystone		22:40
*** erus has quit IRC		22:40
*** erus has joined #openstack-keystone		22:41
*** dave-mccowan has quit IRC		22:46
*** tkajinam has joined #openstack-keystone		23:01
*** erus has quit IRC		23:11
*** erus has joined #openstack-keystone		23:11
*** markvoelker has joined #openstack-keystone		23:22
*** gyee has quit IRC		23:38
*** raildo has quit IRC		23:39
*** gyee has joined #openstack-keystone		23:52
*** markvoelker has quit IRC		23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!