*** jamesmcarthur has quit IRC | 00:01 | |
*** itlinux has joined #openstack-keystone | 00:05 | |
*** itlinux has quit IRC | 00:06 | |
*** erus has quit IRC | 00:06 | |
*** erus has joined #openstack-keystone | 00:06 | |
*** markvoelker has joined #openstack-keystone | 00:19 | |
*** erus has quit IRC | 00:36 | |
*** erus has joined #openstack-keystone | 00:37 | |
*** mvkr has quit IRC | 00:40 | |
*** mvkr has joined #openstack-keystone | 00:42 | |
*** marst has joined #openstack-keystone | 00:50 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210 | 01:08 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: WIP: Additional work for testing assignment protection https://review.openstack.org/636825 | 01:08 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Reorganize role assignment tests for system users https://review.openstack.org/638309 | 01:08 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for system members https://review.openstack.org/638310 | 01:08 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add role assignment test coverage for system admin https://review.openstack.org/638311 | 01:08 |
*** whoami-rajat has joined #openstack-keystone | 01:12 | |
*** erus has quit IRC | 01:44 | |
*** erus has joined #openstack-keystone | 01:45 | |
*** gyee has quit IRC | 02:06 | |
*** jamesmcarthur has joined #openstack-keystone | 02:10 | |
lbragstad | pas-ha https://pasted.tech/pastes/ec9618b32aa49b7bbca9c4f32a014c83995d79da.raw | 02:21 |
*** jamesmcarthur has quit IRC | 02:37 | |
*** Dinesh_Bhor has joined #openstack-keystone | 02:41 | |
*** jamesmcarthur has joined #openstack-keystone | 02:42 | |
*** marst has quit IRC | 02:46 | |
*** erus has quit IRC | 02:46 | |
*** erus has joined #openstack-keystone | 02:47 | |
*** dklyle has quit IRC | 03:03 | |
*** jamesmcarthur has quit IRC | 03:08 | |
lbragstad | pas-ha http://eavesdrop.openstack.org/irclogs/%23openstack-ansible/%23openstack-ansible.2019-02-21.log.html#t2019-02-21T02:03:38 | 03:13 |
*** dklyle has joined #openstack-keystone | 03:17 | |
*** vishakha has joined #openstack-keystone | 03:18 | |
*** markvoelker has quit IRC | 03:20 | |
*** jamesmcarthur has joined #openstack-keystone | 03:32 | |
*** spsurya has joined #openstack-keystone | 03:34 | |
*** imus has joined #openstack-keystone | 03:48 | |
*** imus has quit IRC | 03:56 | |
*** jamesmcarthur has quit IRC | 04:00 | |
*** jamesmcarthur has joined #openstack-keystone | 04:01 | |
*** jamesmcarthur has quit IRC | 04:05 | |
*** markvoelker has joined #openstack-keystone | 04:21 | |
lbragstad | pas-ha https://review.openstack.org/#/c/638327/ | 04:25 |
*** gagehugo has joined #openstack-keystone | 04:29 | |
*** markvoelker has quit IRC | 04:55 | |
*** erus has quit IRC | 05:04 | |
*** erus has joined #openstack-keystone | 05:05 | |
*** shyamb has joined #openstack-keystone | 05:19 | |
*** erus has quit IRC | 05:41 | |
*** erus has joined #openstack-keystone | 05:42 | |
*** erus has quit IRC | 05:48 | |
*** erus has joined #openstack-keystone | 05:48 | |
*** markvoelker has joined #openstack-keystone | 05:52 | |
*** lbragstad_ has joined #openstack-keystone | 05:53 | |
*** ChanServ sets mode: +o lbragstad_ | 05:53 | |
*** lbragstad has quit IRC | 05:55 | |
*** lbragstad has joined #openstack-keystone | 06:04 | |
*** ChanServ sets mode: +o lbragstad | 06:04 | |
*** lbragstad_ has quit IRC | 06:04 | |
*** lbragstad_ has joined #openstack-keystone | 06:09 | |
*** ChanServ sets mode: +o lbragstad_ | 06:09 | |
*** lbragstad has quit IRC | 06:10 | |
*** lbragstad has joined #openstack-keystone | 06:16 | |
*** ChanServ sets mode: +o lbragstad | 06:16 | |
*** lbragstad_ has quit IRC | 06:18 | |
*** markvoelker has quit IRC | 06:25 | |
*** spsurya has quit IRC | 06:25 | |
*** erus has quit IRC | 06:26 | |
*** erus has joined #openstack-keystone | 06:26 | |
*** shyamb has quit IRC | 06:55 | |
*** shyamb has joined #openstack-keystone | 07:06 | |
*** rcernin has quit IRC | 07:13 | |
*** spsurya has joined #openstack-keystone | 07:17 | |
*** pcaruana has joined #openstack-keystone | 07:19 | |
*** markvoelker has joined #openstack-keystone | 07:22 | |
*** shyamb has quit IRC | 07:37 | |
*** Dinesh_Bhor has quit IRC | 07:49 | |
*** markvoelker has quit IRC | 07:55 | |
*** jaosorior has quit IRC | 08:08 | |
*** awalende has joined #openstack-keystone | 08:15 | |
*** erus has quit IRC | 08:23 | |
*** tkajinam has quit IRC | 08:23 | |
*** erus has joined #openstack-keystone | 08:23 | |
*** lbragstad has quit IRC | 08:25 | |
*** josecastroleon has quit IRC | 08:34 | |
*** aloga has quit IRC | 08:48 | |
*** erus has quit IRC | 08:48 | |
*** aloga has joined #openstack-keystone | 08:48 | |
*** erus has joined #openstack-keystone | 08:48 | |
*** markvoelker has joined #openstack-keystone | 08:52 | |
*** shyamb has joined #openstack-keystone | 08:58 | |
openstackgerrit | Merged openstack/keystone master: Add tests for project users interacting with mappings https://review.openstack.org/619616 | 08:59 |
openstackgerrit | Merged openstack/keystone master: Remove mapping policies from policy.v3cloudsample.json https://review.openstack.org/619617 | 08:59 |
*** markvoelker has quit IRC | 09:25 | |
*** shyamb has quit IRC | 09:41 | |
*** shyamb has joined #openstack-keystone | 09:50 | |
*** awalende has quit IRC | 09:52 | |
*** awalende has joined #openstack-keystone | 09:52 | |
*** awalende has quit IRC | 09:57 | |
*** jaosorior has joined #openstack-keystone | 09:57 | |
*** awalende has joined #openstack-keystone | 09:59 | |
*** markvoelker has joined #openstack-keystone | 10:17 | |
*** spsurya has quit IRC | 10:22 | |
*** shyamb has quit IRC | 10:46 | |
*** jaosorior has quit IRC | 10:55 | |
*** erus has quit IRC | 10:56 | |
*** erus has joined #openstack-keystone | 10:57 | |
*** yan0s has joined #openstack-keystone | 11:02 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: WIP: Additional work for testing assignment protection https://review.openstack.org/636825 | 11:04 |
*** jaosorior has joined #openstack-keystone | 11:15 | |
*** shyamb has joined #openstack-keystone | 11:15 | |
openstackgerrit | Pavlo Shchelokovskyy proposed openstack/keystone master: Add hint for order of keys during distribution. https://review.openstack.org/638397 | 11:17 |
openstackgerrit | Pavlo Shchelokovskyy proposed openstack/keystone master: Mention allow_expired_window in fernet FAQ https://review.openstack.org/638398 | 11:17 |
vishakha | lbragstad: Added few more test cases in https://review.openstack.org/#/c/636825. | 11:25 |
vishakha | lbragstad: Do I need to update anything in https://review.openstack.org/#/c/609210? | 11:26 |
*** erus has quit IRC | 11:27 | |
*** erus has joined #openstack-keystone | 11:28 | |
*** awalende has quit IRC | 11:28 | |
*** awalende has joined #openstack-keystone | 11:30 | |
*** raildo has joined #openstack-keystone | 11:33 | |
*** FlorianFa has joined #openstack-keystone | 11:47 | |
*** FlorianFa has quit IRC | 11:51 | |
*** awalende has quit IRC | 11:52 | |
*** erus has quit IRC | 11:52 | |
openstackgerrit | erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305 | 11:52 |
*** awalende has joined #openstack-keystone | 11:52 | |
*** erus has joined #openstack-keystone | 11:52 | |
*** FlorianFa has joined #openstack-keystone | 11:54 | |
*** FlorianFa has quit IRC | 11:56 | |
*** FlorianFa has joined #openstack-keystone | 11:56 | |
*** awalende has quit IRC | 11:57 | |
*** shyamb has quit IRC | 12:41 | |
*** errr has joined #openstack-keystone | 12:47 | |
*** awalende has joined #openstack-keystone | 12:50 | |
errr | hello, I'm using queens and have federation setup using shibboleth. When I try to login my IDP is successfully giving me a valid session. But I don't seem to be getting redirected to horizon.. | 12:50 |
errr | I am instead stuck at a page that says "Please wait..." its like https://mysite.com:5000/v3/auth/OS-FEDERATION/websso/mapped?origin=https://mysite.com/auth/websso/ | 12:51 |
errr | does this mean I am missing the sso callback file in horizon? I'm not sure where to look to fix this problem.. | 12:52 |
cmurphy | errr: the "Please wait..." message comes from the callback file so you are not missing it, there should be some javascript embedded in it that POSTs the token to horizon which should trigger the login, so check the horizon logs to see if horizon didn't handle the request for some reason | 12:59 |
*** erus has quit IRC | 13:00 | |
*** erus has joined #openstack-keystone | 13:01 | |
errr | cmurphy: I see the POST happen, but no errors or anything show up after that.. it just shows the POST and that's it | 13:02 |
cmurphy | errr: not sure what it is then, seems like an issue on horizon's side :( you could try turning up the debug logging in horizon if you haven't already | 13:04 |
errr | cmurphy: I haven't, what is the directive I use to enable debug? | 13:05 |
cmurphy | errr: in local_settings.py there is a LOGGING variable with a python dict in it, i usually set LOGGING -> handlers -> console -> level to DEBUG but there are a whole lot of knobs in there | 13:09 |
errr | ah, well it looks like I do already have that all set to DEBUG | 13:09 |
*** markvoelker has quit IRC | 13:17 | |
*** markvoelker has joined #openstack-keystone | 13:18 | |
*** markvoelker has quit IRC | 13:22 | |
*** shyamb has joined #openstack-keystone | 13:35 | |
*** jamesmcarthur has joined #openstack-keystone | 13:43 | |
*** erus has quit IRC | 13:44 | |
*** shyamb has quit IRC | 13:44 | |
*** erus has joined #openstack-keystone | 13:45 | |
*** erus has quit IRC | 13:56 | |
*** erus has joined #openstack-keystone | 13:56 | |
*** lbragstad has joined #openstack-keystone | 13:57 | |
*** ChanServ sets mode: +o lbragstad | 13:57 | |
*** jamesmcarthur has quit IRC | 13:58 | |
*** jamesmcarthur has joined #openstack-keystone | 13:58 | |
*** erus has quit IRC | 14:03 | |
*** jamesmcarthur has quit IRC | 14:03 | |
*** aning has quit IRC | 14:04 | |
*** erus has joined #openstack-keystone | 14:04 | |
*** aning has joined #openstack-keystone | 14:08 | |
*** jaosorior has quit IRC | 14:08 | |
*** erus has quit IRC | 14:10 | |
*** erus has joined #openstack-keystone | 14:10 | |
*** markvoelker has joined #openstack-keystone | 14:18 | |
openstackgerrit | Merged openstack/keystone master: Deprecate cache_on_issue configuration option https://review.openstack.org/635690 | 14:24 |
*** jamesmcarthur has joined #openstack-keystone | 14:29 | |
*** jaosorior has joined #openstack-keystone | 14:30 | |
*** erus has quit IRC | 14:30 | |
*** imacdonn has quit IRC | 14:31 | |
*** erus has joined #openstack-keystone | 14:31 | |
*** jamesmcarthur has quit IRC | 14:34 | |
gagehugo | o/ | 14:46 |
erus | \o | 14:46 |
lbragstad | o/ | 14:48 |
*** markvoelker has quit IRC | 14:53 | |
*** erus has quit IRC | 14:54 | |
*** erus has joined #openstack-keystone | 14:55 | |
*** mvkr has quit IRC | 15:00 | |
*** erus has quit IRC | 15:04 | |
*** erus has joined #openstack-keystone | 15:04 | |
*** jaosorior has quit IRC | 15:08 | |
*** jamesmcarthur has joined #openstack-keystone | 15:10 | |
*** awalende has quit IRC | 15:12 | |
*** awalende has joined #openstack-keystone | 15:13 | |
vishakha | o/ | 15:16 |
*** jamesmcarthur has quit IRC | 15:17 | |
*** awalende_ has joined #openstack-keystone | 15:17 | |
*** awalende_ has quit IRC | 15:17 | |
*** awalende has quit IRC | 15:17 | |
*** jistr is now known as jistr|afk | 15:22 | |
*** erus has quit IRC | 15:23 | |
*** mvkr has joined #openstack-keystone | 15:24 | |
*** erus has joined #openstack-keystone | 15:24 | |
vishakha | lbragstad: Added few more test cases in https://review.openstack.org/#/c/636825. | 15:29 |
vishakha | Do I need to update anything in https://review.openstack.org/#/c/609210? | 15:29 |
lbragstad | vishakha if you wanted to consolidate those patches with git rebase, you could | 15:30 |
lbragstad | so long as you feel comfortable with those changes | 15:31 |
*** jistr|afk is now known as jistr | 15:32 | |
vishakha | ok. Doing the same | 15:32 |
*** erus has quit IRC | 15:34 | |
*** erus has joined #openstack-keystone | 15:35 | |
zzzeek | kmalloc: I'm being told that dogpile.cache 0.7.x was uncapped in oslo.cache and the whole world is breaking now : https://bugs.launchpad.net/oslo.cache/+bug/1817032 | 15:39 |
openstack | Launchpad bug 1817032 in oslo.cache "Unit test fails during cache region testing" [Undecided,New] - Assigned to Herve Beraud (herveberaud) | 15:39 |
zzzeek | kmalloc: do you recall the discussion we were having about use of the decorator module, and someone was abusing it in some way we decided should be fixed downstream ? | 15:39 |
*** erus has quit IRC | 15:40 | |
*** dave-mccowan has joined #openstack-keystone | 15:41 | |
*** erus has joined #openstack-keystone | 15:41 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Additional work for testing assignment protection https://review.openstack.org/636825 | 15:43 |
lbragstad | vishakha from there - we should be able to keep stacking commits in that series | 15:45 |
lbragstad | it looks like we have everything for system users | 15:45 |
lbragstad | s/everything/tests/ | 15:45 |
*** dave-mccowan has quit IRC | 15:45 | |
lbragstad | so - we can try and take those tests and reuse some of them for domain users (admins, members, and readers) | 15:45 |
lbragstad | and then fill in the gaps that make sense | 15:46 |
*** jaosorior has joined #openstack-keystone | 15:46 | |
vishakha | Yeah for system users all patches are up. After rebasing I can update for domain users | 15:46 |
zzzeek | kmalloc: I found the thread, that was about openstacksdk. | 15:48 |
*** jamesmcarthur has joined #openstack-keystone | 15:48 | |
*** markvoelker has joined #openstack-keystone | 15:50 | |
*** jamesmcarthur has quit IRC | 15:53 | |
lbragstad | vishakha cool - that sounds good | 15:54 |
lbragstad | the series starting at https://review.openstack.org/#/c/619373/5 and https://review.openstack.org/#/c/619277/4 close a few bugs (and already have a +2) | 15:56 |
lbragstad | if anyone is looking for reviews | 15:57 |
*** jamesmcarthur has joined #openstack-keystone | 15:58 | |
*** jamesmcarthur has quit IRC | 15:58 | |
*** jamesmcarthur has joined #openstack-keystone | 15:58 | |
knikolla | o. | 15:59 |
knikolla | o/ | 15:59 |
kmalloc | zzzeek: cool . | 16:07 |
kmalloc | zzzeek: it was, as I recall, silly behavior someone was doing. | 16:08 |
kmalloc | And dogpile just started doing more correct things. | 16:08 |
kmalloc | I am a little pre-coffee ATM. | 16:09 |
kmalloc | So brain fuzzed | 16:09 |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Implement system reader for role_assignments https://review.openstack.org/609210 | 16:10 |
erus | hii knikolla and kmalloc o/ | 16:10 |
knikolla | hi erus! | 16:10 |
erus | how are you? | 16:10 |
knikolla | i'm good. took the day off today. i have too many vacation days accumulated which will go to waste if i didn't use them soon. | 16:11 |
knikolla | how are you? | 16:11 |
erus | hahaha ohh vacation great | 16:12 |
erus | i'm really hungry :D | 16:12 |
knikolla | more like drink coffee and play super mario odyssey day. :p | 16:12 |
erus | but i'm fine, in my last weeks :( haha | 16:13 |
zzzeek | kmalloc: yeah i found it, just shared w/ the oslo.cache person in case they have similar issues | 16:13 |
kmalloc | knikolla: good plan. | 16:13 |
kmalloc | zzzeek: ++ | 16:13 |
*** jamesmcarthur has quit IRC | 16:13 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Additional work for testing assignment protection https://review.openstack.org/636825 | 16:13 |
kmalloc | Oh gotta send you a message, sec. | 16:13 |
erus | ohh sounds really good, just play super mario odyssey once | 16:13 |
knikolla | my video game backlog is almost as bad as my code review backlog :) | 16:14 |
erus | hahaha | 16:15 |
erus | the last game i played was life is strange | 16:17 |
erus | i don't play since december :( | 16:17 |
knikolla | what platform do you play on? | 16:19 |
kmalloc | knikolla: I think the next game for me is mankind divided, its been on my.list for a couple years. Or Shadow of the Tomb raider | 16:19 |
knikolla | kmalloc: i think i got that for free on ps plus a while back. haven't booted it yet. | 16:21 |
erus | right now in my notebook knikolla | 16:21 |
erus | only pc for now | 16:21 |
*** markvoelker has quit IRC | 16:23 | |
lbragstad | https://playwarcraft3.com/en-us/ is coming out this year *and* was built/hosted/will be hosted using OpenStack | 16:24 |
lbragstad | so... | 16:25 |
* lbragstad thanks eandersson | 16:27 | |
*** jamesmcarthur has joined #openstack-keystone | 16:27 | |
knikolla | lbragstad: whoaaaa... hopefully they don't screw it up | 16:32 |
knikolla | i have lost complete faith in activision/blizzard. | 16:32 |
knikolla | and warcraft 3 is a childhood classic. | 16:32 |
erus | woow great lbragstad | 16:32 |
lbragstad | eandersson works for blizzard ;) | 16:32 |
erus | hahaha | 16:32 |
lbragstad | i was a huge fan of warcraft 2 and 3 | 16:33 |
knikolla | the blizzard side is fine, activision not so much, haha. | 16:33 |
* gagehugo is waiting for classic wow | 16:33 | |
lbragstad | diablo 3 was fun, too | 16:33 |
knikolla | i guess the only thing i'm really waiting is bayonetta 3. | 16:33 |
knikolla | i'm pretty much stocked up for this year. | 16:34 |
gagehugo | knikolla: do you play smash ultimate? | 16:34 |
knikolla | gagehugo: don't really have anyone in my circle who plays that, so i mostly skipped on the smash train. | 16:35 |
knikolla | every social opportunity was mostly FIFA/PES, haha. | 16:35 |
knikolla | if anyone wants to add me as a friend on PSN/Switch/Steam, do send me a message | 16:36 |
cmurphy | oh man did I accidentally /join #nerd | 16:37 |
lbragstad | welcome | 16:37 |
knikolla | there's a strong correlation | 16:38 |
cmurphy | lol warcraft2 was pretty good | 16:38 |
*** imacdonn has joined #openstack-keystone | 16:38 | |
lbragstad | "pretty good" she says ;) | 16:38 |
lbragstad | cmurphy how was BF2? | 16:39 |
erus | what is your steam user knikolla? haha xD | 16:40 |
cmurphy | lbragstad: not bad, i was slightly underwhelmed | 16:40 |
cmurphy | i liked the campaign but it was too short | 16:40 |
* lbragstad nods | 16:40 | |
*** rafaelweingartne has joined #openstack-keystone | 16:40 | |
lbragstad | that's the feedback i heard from others, too | 16:40 |
knikolla | erus: sent u a private message | 16:40 |
rafaelweingartne | Hello Guys, when using identity federation with keystone, can't I map my federated users to specific domains (that I already have), instead of mapping them to Default | 16:41 |
rafaelweingartne | and then OpenStack creates a domain to represents the IdP? | 16:41 |
knikolla | rafaelweingartne: when you create the identity provider, you specify which domain to use | 16:41 |
lbragstad | rafaelweingartne when you create an identity provider you can specify a domain in the request | 16:42 |
rafaelweingartne | hmm | 16:42 |
lbragstad | rafaelweingartne if a domain isn't supplied, keystone will automatically generate one for you | 16:42 |
rafaelweingartne | I did not know that | 16:42 |
rafaelweingartne | I thought that was done in the mapping | 16:42 |
rafaelweingartne | what is the domain in the mapping used for then? | 16:42 |
lbragstad | it depends on what you want your users to do when they access your service provider | 16:43 |
lbragstad | the domain for the identity provider is really just a name space for the users coming from that identity provider | 16:43 |
rafaelweingartne | yes, that is our idea, to bind the users from an identity provider to a domain | 16:43 |
rafaelweingartne | that is why we have defined the domain in the mapping | 16:43 |
lbragstad | but you're not limited to keeping all role assignments for a user within the domain they are namespaced to | 16:44 |
gagehugo | knikolla: I played a LOT of gamecube smash so I tend to keep picking it back up each release | 16:44 |
rafaelweingartne | what do you mean by that? | 16:44 |
rafaelweingartne | I am actually assigning the permissions/roles to a group | 16:45 |
rafaelweingartne | and then I assign users to that group | 16:45 |
lbragstad | rafaelweingartne for example, if you have a user in the Default domain, they can have direct or indirect role assignments on other domains in the deployment | 16:45 |
rafaelweingartne | ok | 16:47 |
*** dave-mccowan has joined #openstack-keystone | 16:47 | |
rafaelweingartne | you mean, users from default domain (root) can have assignment (permissions) to other domain, is that it? | 16:47 |
lbragstad | correct | 16:48 |
*** gyee has joined #openstack-keystone | 16:48 | |
rafaelweingartne | ok, and the other way around is not possible | 16:48 |
lbragstad | both ways are possible | 16:48 |
rafaelweingartne | ah | 16:48 |
rafaelweingartne | but talking about the attribute mapping, if I define a domain that already exist there | 16:49 |
lbragstad | i'm just saying we don't have anything in keystone that restricts assignments across domains depending on the user's domain (associated to their user reference) | 16:49 |
rafaelweingartne | why is openstack always creating a domain for the IdP? | 16:49 |
knikolla | rafaelweingartne: the domain is created upon creating an idp | 16:49 |
knikolla | even before you create a mapping | 16:49 |
lbragstad | correct ^ | 16:49 |
lbragstad | so - one thing you might do instead | 16:49 |
knikolla | you can have multiple idps with one domain though | 16:49 |
lbragstad | is to create an identity provider and specify the domain you want user to map into | 16:50 |
knikolla | by using an existing one | 16:50 |
lbragstad | then - create a mapping using that same domain | 16:50 |
knikolla | there's a `--domain <domain>` property when creating an idp. | 16:50 |
rafaelweingartne | ah | 16:50 |
rafaelweingartne | ok | 16:50 |
rafaelweingartne | now I get it | 16:50 |
rafaelweingartne | I need to define a domain for the IdP | 16:50 |
lbragstad | users coming in through federation will be namespaced to the same domain that is used in the mapping | 16:50 |
rafaelweingartne | otherwise, OpenStack always creates one | 16:50 |
lbragstad | correct - we leave that up to you | 16:51 |
rafaelweingartne | got it | 16:51 |
rafaelweingartne | I have another question now | 16:51 |
lbragstad | keystone just needs to have a domain for the users coming in, so that we namespace them properly | 16:51 |
knikolla | you shouldn't use the domain property for users in mappings. for groups and projects it's fine. | 16:51 |
rafaelweingartne | hmm | 16:52 |
rafaelweingartne | I was trying to use it, because that is what is shown in the documentation | 16:52 |
rafaelweingartne | so, we are not supposed to use it? | 16:52 |
lbragstad | rafaelweingartne what docs were you using? | 16:52 |
rafaelweingartne | https://docs.openstack.org/keystone/rocky/advanced-topics/federation/federated_identity.html | 16:53 |
lbragstad | gotcha - nearly that entire document has been revised and updated | 16:53 |
lbragstad | https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html | 16:54 |
lbragstad | ^ that is the newer version | 16:54 |
rafaelweingartne | ah | 16:54 |
rafaelweingartne | that is better | 16:54 |
rafaelweingartne | so, now I have other question, if I map the e-mail attribute from the IdP to the username in OpenStack, and if there is already a user with that username in the same domain | 16:55 |
knikolla | rafaelweingartne: when you set the user type to local. you can map to an actual existing user in the keystone db. that is when you use domain. | 16:55 |
rafaelweingartne | got you | 16:55 |
rafaelweingartne | So, it was not working here, because I did not register a domain when registering an IdP | 16:55 |
lbragstad | it could be due to the fact the domains were mismatched? cmurphy or knikolla could correct me though | 16:56 |
*** erus has quit IRC | 16:56 | |
*** erus has joined #openstack-keystone | 16:57 | |
knikolla | rafaelweingartne: if type is set to local. the user will get that user. but every user not matching will get denied. | 16:58 |
knikolla | rafaelweingartne: if type is set to not local. a new user will be created with the same email / username. | 16:58 |
knikolla | i know, that is confusing. | 16:58 |
knikolla | the uniqueness constraint on federated users is on the entity id coming from the idp. | 16:59 |
rafaelweingartne | by type, you mean the "local" property of the mapping attribute, right? | 16:59 |
openstackgerrit | erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305 | 16:59 |
knikolla | rafaelweingartne: "type": "local" in "local": "user": {} | 17:01 |
knikolla | read the mapping compinations documentation cause it describes that. | 17:01 |
knikolla | combinations* | 17:01 |
knikolla | https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html#mappings-examples | 17:01 |
rafaelweingartne | sure got it | 17:02 |
rafaelweingartne | In the other documentation I do not recall to have seen this "type: local" | 17:02 |
rafaelweingartne | now I see how it works, but it creates a problem | 17:02 |
rafaelweingartne | so, if I have already a few users in the domain | 17:02 |
rafaelweingartne | the new users in the IdP would not be created | 17:02 |
rafaelweingartne | can I have more than one attribute mapping for the same IdP? | 17:03 |
knikolla | in the general mapping setup that i recommend (not using type: local) they would. | 17:03 |
knikolla | a new user will be created for every unique (entity id, protocol, idp). | 17:04 |
rafaelweingartne | what do you consider the entity id? the "sub" attribute in OIDC? | 17:06 |
*** erus has quit IRC | 17:06 | |
*** erus has joined #openstack-keystone | 17:06 | |
*** pcaruana has quit IRC | 17:07 | |
knikolla | rafaelweingartne: yes. | 17:08 |
knikolla | i don't exactly remember the specifics at this moment. | 17:09 |
knikolla | haven't played around in some time. | 17:09 |
rafaelweingartne | ok, no problem | 17:09 |
rafaelweingartne | but I get the picture | 17:10 |
knikolla | it might be that it uses whatever you have mapped to the username attribute, as i don't quite recall a configuration setting for specifying which attribute that is. | 17:11 |
rafaelweingartne | ok, thanks | 17:11 |
rafaelweingartne | it helped a lot | 17:12 |
knikolla | rafaelweingartne: https://github.com/openstack/keystone/blob/ace45841943ed6b698b8a5aea35a80c119c3cae3/keystone/identity/backends/sql_model.py#L342 | 17:17 |
knikolla | as per sql model above, a federated user is unique on (unique_id, idp, protocol) | 17:18 |
knikolla | so you can have multiple users with same email from different idps in same domain | 17:18 |
knikolla | alright, enough info. i don't want to confuse you further. | 17:19 |
*** erus has quit IRC | 17:19 | |
rafaelweingartne | aha, no worries | 17:19 |
rafaelweingartne | now these tables are starting to make more sense | 17:19 |
*** markvoelker has joined #openstack-keystone | 17:20 | |
knikolla | we like to keep the barrier to entry high. job security and stuff, haha. | 17:21 |
*** yan0s has quit IRC | 17:23 | |
*** jamesmcarthur_ has joined #openstack-keystone | 17:24 | |
*** jamesmcarthur has quit IRC | 17:27 | |
rafaelweingartne | ahaha | 17:27 |
rafaelweingartne | actually, I find it easier here, as you guys use the same terms as I am used to such as metadata, IdP, SP, and so on | 17:28 |
rafaelweingartne | so, for someone with an academic background, it gets easier | 17:28 |
rafaelweingartne | just the documentation pages that I was reading, which were not very accurate, but with these new docs, I guess I will not have problems | 17:29 |
*** erus has joined #openstack-keystone | 17:29 | |
rafaelweingartne | thanks for the help ;) | 17:29 |
knikolla | no problem :) | 17:29 |
knikolla | ping me if u have any more questions, i'm generally around. | 17:29 |
rafaelweingartne | sure will | 17:31 |
rafaelweingartne | I just need to learn how to ping people on IRC :P | 17:31 |
rafaelweingartne | I am used to using @, but it does not work here | 17:31 |
*** zzzeek has quit IRC | 17:44 | |
*** zzzeek has joined #openstack-keystone | 17:49 | |
*** markvoelker has quit IRC | 17:53 | |
*** rafaelweingartne has quit IRC | 18:05 | |
*** mvkr has quit IRC | 18:12 | |
gagehugo | lbragstad: one comment on https://review.openstack.org/#/c/614549/ | 18:37 |
lbragstad | gagehugo sure - debug logging ok? | 18:40 |
lbragstad | but - remember that is going to get noisy | 18:40 |
lbragstad | if you have many public keys on every token validation | 18:41 |
gagehugo | hmm | 18:41 |
*** erus has quit IRC | 18:44 | |
gagehugo | I was just thinking if I was trying to debug why auth was failing, it would be nice to see if keystone is unhappy with the pub keys | 18:45 |
gagehugo | but yeah, I can see that getting quite chatty if there's old keys | 18:45 |
lbragstad | or just many keys | 18:45 |
lbragstad | if you have 40 APIs servers for example | 18:45 |
lbragstad | also - since key rotation for JWT is quite different from fernet | 18:50 |
lbragstad | we don't bother attempting to prune keys | 18:50 |
gagehugo | yeah | 18:50 |
*** markvoelker has joined #openstack-keystone | 18:50 | |
lbragstad | so - a server could have 40 valid keys and 100 invalid keys that are no longer used | 18:50 |
gagehugo | maybe decodeerror could be a separate except and then log that, otherwise yeah there would be 100 log messages | 18:51 |
gagehugo | for each invalid/expired | 18:51 |
*** vishakha has quit IRC | 18:52 | |
gagehugo | lets leave it for now and see about it with a follow up change | 18:52 |
lbragstad | sounds good | 18:52 |
gagehugo | it's fine for now tbh, I was just curious | 18:53 |
lbragstad | something to think about | 18:53 |
gagehugo | lbragstad: done, lgtm | 18:58 |
lbragstad | thanks gagehugo | 18:58 |
*** mvkr has joined #openstack-keystone | 18:59 | |
kmalloc | lbragstad: you know, asyncio is super rad. | 19:13 |
kmalloc | if it fits a usecase* | 19:13 |
* kmalloc has been looking at it. | 19:13 | |
*** markvoelker has quit IRC | 19:23 | |
*** s10 has joined #openstack-keystone | 19:36 | |
s10 | Hello. I have a question about LDAP integration. Is there any way to use LDAP identity driver _and_ sql backend for users in specific domain? | 19:48 |
*** jamesmcarthur_ has quit IRC | 19:56 | |
*** jamesmcarthur has joined #openstack-keystone | 19:57 | |
*** jamesmcarthur has quit IRC | 20:01 | |
*** whoami-rajat has quit IRC | 20:02 | |
*** jamesmcarthur has joined #openstack-keystone | 20:18 | |
*** markvoelker has joined #openstack-keystone | 20:21 | |
*** awalende has joined #openstack-keystone | 20:31 | |
*** awalende has quit IRC | 20:36 | |
*** jdennis has quit IRC | 20:38 | |
*** jamesmcarthur has quit IRC | 20:40 | |
*** jamesmcarthur has joined #openstack-keystone | 20:40 | |
*** jdennis has joined #openstack-keystone | 20:41 | |
*** jamesmcarthur has quit IRC | 20:45 | |
gagehugo | cmurphy: do we want to hold off on those ksa changes? | 20:48 |
*** jamesmcarthur has joined #openstack-keystone | 20:53 | |
*** markvoelker has quit IRC | 20:55 | |
cmurphy | gagehugo: I think https://review.openstack.org/636074 is fine to go in now, it's the one on top of that that I'm not sure about | 20:56 |
cmurphy | working on an email now | 20:56 |
gagehugo | okedoke | 20:57 |
ayoung | I think we lied in our policy 101 talk. What does "" mean in a policy file? | 21:04 |
ayoung | I thought it was "always true" same as @ but now I can't see where that parses | 21:05 |
ayoung | its default, right? | 21:06 |
ayoung | # Empty rule defaults to True | 21:08 |
ayoung | if not rule: | 21:08 |
ayoung | return _checks.TrueCheck() | 21:08 |
ayoung | I think Ozz got that confused | 21:08 |
gagehugo | The rule is an empty string meaning “always”. | 21:10 |
gagehugo | https://docs.openstack.org/oslo.policy/queens/admin/policy-json-file.html#examples | 21:10 |
*** rcernin has joined #openstack-keystone | 21:11 | |
ayoung | gagehugo, I know that is what we document, but I can't figure out how that happens | 21:12 |
gagehugo | ayoung: ah ok | 21:12 |
ayoung | it must be a combination of skipping the token and an empty rule defaults to true | 21:13 |
lbragstad | we should use gerrit for team presentation talk submissions ;) | 21:13 |
cmurphy | lbragstad ayoung kmalloc gagehugo knikolla http://lists.openstack.org/pipermail/openstack-discuss/2019-February/003031.html | 21:13 |
ayoung | got a customer seeing different behavior between CLI and Horizon, and I'm not sure what the rule is supposed to evaluate to | 21:13 |
ayoung | cmurphy, you rock | 21:15 |
lbragstad | holy email, batman | 21:15 |
kmalloc | cmurphy: whoa. | 21:15 |
kmalloc | cmurphy: that is going to take me a bit to parse | 21:16 |
cmurphy | yeah sorry | 21:16 |
ayoung | cmurphy, keying on service type means we can't have different policy per endpoint | 21:16 |
ayoung | cmurphy, I think you are on the right approach. Might suggest * be replaced with something that is not a greedy token as it is supposed to be stopped by a / | 21:18 |
ayoung | so /{1}/bla/{2} vs /*/bla/*/ But I am ok if you think you can make that work | 21:18 |
ayoung | I do think, though, that we are better off keeping with the keys that the services use for the Paths | 21:18 |
cmurphy | ayoung: you want different policy per endpoint? i never thought of that | 21:19 |
ayoung | so even if we don't match values from the token, please allow the old syntax. | 21:19 |
ayoung | cmurphy, it was one of the requests, yes | 21:19 |
cmurphy | ayoung: * here is not greedy, it doesn't include / | 21:19 |
cmurphy | ** includes / | 21:19 |
cmurphy | ayoung: in the spec? | 21:19 |
ayoung | ok...so no problem with that | 21:19 |
ayoung | I originally wanted to be able to seed the rules from the APIs policy | 21:19 |
ayoung | we'd have to convert from what nova produces to the * format | 21:20 |
ayoung | is there a way we can keep the format, and ignore the keys? | 21:20 |
cmurphy | ayoung: if it wasn't in the spec then I probably didn't remember and/or didn't read your mind | 21:20 |
ayoung | they will also be better documentation of intent, even if we don't use it | 21:20 |
ayoung | it was part of the discussion way back when, but it might not have made its way into the app creds spec. It was in the rbac-enforce-in-middleware spec | 21:21 |
cmurphy | we could probably keep the format and ignore the keys, it's just a different regex | 21:21 |
ayoung | that is not a deal killer: we could potentially have service nicknames | 21:21 |
cmurphy | * and ** were nice because they are shell standards | 21:21 |
ayoung | so compute-gold is a nickname for compute, but only supports a higher class of service | 21:22 |
ayoung | so, of all your changes, the only one I request you roll back is the format of the paths. The rest is golden | 21:23 |
cmurphy | ayoung: okay so the request is to switch eg /v2/servers/* to /v2/servers/{server_id} so it looks more like what's in the api-ref and existing policies correct? | 21:24 |
ayoung | yes | 21:24 |
cmurphy | okay wfm | 21:24 |
ayoung | I like your name choices | 21:24 |
cmurphy | we could support different policies for different endpoints by keying on endpoint url instead of service type | 21:25 |
ayoung | right now, an endpoint does not know its service or endpoint ids anyway. We had a deployers' rebellion when we suggested editing the config files post setup to put the uuids into them generated from keystone. My last thought was that we put the value into, say, nova.conf that tells it "you are a compute server" and let that field be overridden | 21:26 |
ayoung | endpoints don't even know their URLs, so putting in a value a-priori is essential. | 21:27 |
cmurphy | yes, this hinges on having something set in [keystone_authtoken] or set in code in nova that tells the service who it is | 21:28 |
cmurphy | s/nova/the project | 21:28 |
ayoung | right | 21:28 |
ayoung | we can default those to the good names, but there is no reason they have to stick with them | 21:29 |
cmurphy | right | 21:29 |
ayoung | we could also do a naming scheme like policy | 21:29 |
ayoung | nova by default, or nova:gold | 21:29 |
ayoung | where :gold means grab the gold specific rules. That allows us to stick with the majority of the default policy, but layer on an additional check, too | 21:30 |
ayoung | so, I don't think that has to be this round. | 21:30 |
cmurphy | okay | 21:30 |
ayoung | just keep it in mind as you go, and we can revisit once we have a working code base. Think how a customer would be able to divide up a cloud so that some region was for a special class of customers. And that might be better done via K2K | 21:31 |
ayoung | on allow_chained.... | 21:31 |
kmalloc | hm. | 21:33 |
ayoung | I might be OK with killing that | 21:34 |
ayoung | If we don't make allowed_chained=True by default it might just break everywhere | 21:34 |
ayoung | or people will just add it to every call anyway | 21:34 |
ayoung | but | 21:34 |
ayoung | what if it is OK to create an ephemeral server, but not to create storage for it? | 21:34 |
cmurphy | ugh yeah we need to keep it for that | 21:36 |
cmurphy | i think we'll need to change it to be part of the capability rule and not an attribute of the app cred itself, since different apis will have different needs for chaining service calls | 21:38 |
*** erus has joined #openstack-keystone | 21:42 | |
lbragstad | allow_chained is really specific to if nova can reuse a cap cred token for something in another service, for example, right? | 21:42 |
cmurphy | that's one case but it could also be for if heat or magnum want to make requests to other services | 21:43 |
cmurphy | or if you want glance to store images in swift | 21:44 |
lbragstad | ok | 21:44 |
lbragstad | but it's specific to any service _behind_ the service the user made the request against? | 21:44 |
cmurphy | right | 21:44 |
* lbragstad nods | 21:44 | |
* cmurphy will try to think of better names for it | 21:46 | |
lbragstad | if it wasn't a boolean - it's almost easier to think of it as a depth | 21:47 |
lbragstad | er - service_depth | 21:47 |
lbragstad | but - that feels really complicated for users to have to deal with | 21:49 |
lbragstad | idk if something like that would even be discoverable | 21:49 |
cmurphy | yeah, i don't think the depth of the chaining is the issue, no matter how many services deep you are it's still some other service making a request on behalf of you | 21:50 |
lbragstad | tricky | 21:51 |
*** erus has quit IRC | 21:51 | |
*** erus has joined #openstack-keystone | 21:51 | |
*** markvoelker has joined #openstack-keystone | 21:53 | |
*** jamesmcarthur has quit IRC | 21:57 | |
*** erus has quit IRC | 21:57 | |
*** erus has joined #openstack-keystone | 21:58 | |
*** jamesmcarthur has joined #openstack-keystone | 22:05 | |
*** jamesmcarthur has quit IRC | 22:07 | |
*** markvoelker has quit IRC | 22:25 | |
*** dave-mccowan has quit IRC | 22:40 | |
*** dave-mccowan has joined #openstack-keystone | 22:40 | |
*** erus has quit IRC | 22:40 | |
*** erus has joined #openstack-keystone | 22:41 | |
*** dave-mccowan has quit IRC | 22:46 | |
*** tkajinam has joined #openstack-keystone | 23:01 | |
*** erus has quit IRC | 23:11 | |
*** erus has joined #openstack-keystone | 23:11 | |
*** markvoelker has joined #openstack-keystone | 23:22 | |
*** gyee has quit IRC | 23:38 | |
*** raildo has quit IRC | 23:39 | |
*** gyee has joined #openstack-keystone | 23:52 | |
*** markvoelker has quit IRC | 23:55 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!