Monday, 2019-04-15

01:17 <openstackgerrit> Ghanshyam Mann proposed openstack/oslo.policy master: Dropping the py35 testing  https://review.openstack.org/652453
04:38 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Fix federated unscoped federated token formatter  https://review.openstack.org/652520
06:17 <openstackgerrit> Vishakha Agarwal proposed openstack/keystone-specs master: NIT : Fix broken link  https://review.openstack.org/652569
06:55 <openstackgerrit> zhufl proposed openstack/keystone master: Add missing ws separator between words  https://review.openstack.org/652576
10:19 <pas-ha> hi all, I have a question on this option - `[security_compliance]disable_user_account_days_inactive`. When a user is 'disabled' - what is affected? Is the user still able to authorize? Can this setting be overridden by some user option (like ignore_password_expiry)?
10:20 <openstackgerrit> Merged openstack/keystone master: Add missing ws separator between words  https://review.openstack.org/652576
10:21 <pas-ha> In fact there are more options in this section that, when set, may currently affect other projects - mostly those that create temporary users on the fly (Heat is the main example that comes to mind right now).
11:01 <frickler> kmalloc: cmurphy: thanks for digging through that middleware issue. now I'm wondering whether, when we plan to actually merge that, we would want/need to be able to make a choice between internal/public and maybe admin for backwards compatibility. and also whether that would be one option used in both locations or possibly two different options
11:02 <frickler> mordred: ^^ too
12:00 <openstackgerrit> Jens Harbott (frickler) proposed openstack/keystonemiddleware master: Add a new option to choose the Identity endpoint  https://review.openstack.org/651790
12:02 <frickler> kmalloc: cmurphy: mordred: ^^ something like this maybe, though I'm not sure yet whether it might be better to be conservative and keep "admin" as the default. moving to "public" might require a major version bump?
12:16 <kmalloc> Across a release barrier it should be fine to change the default. It probably requires an option (might be doable today with some code changes, didn't look at your proposal yet, it is way pre-coffee for me...)
13:29 <ganso> hi keystone folks! I have a question about domains and users and was wondering if anyone could help me. Before v3, the admin was an all-powerful user across all projects (there were no domains back then). Then, when domains were added, we could have domain admins that are not cloud admins (thus, not all-powerful). Having just upgraded from v2 to v3 I am having 2 problems:
13:32 <ganso> 1) my admin user, member of admin_domain, admin project can list users, create users, add roles, etc. I created a demo_domain, demo_project, demo_admin and demo_user. I added the admin role to the demo_admin, but still, my demo_admin cannot list users. Isn't it expected that a domain admin could list and create new users?
13:34 <ganso> 2) I am trying to emulate the old behavior, having the all-powerful admin see all resources of every project in every domain. I assigned the admin role for my admin (all-powerful) user of the demo_domain, demo_project, and also a member role of the demo_project, but still my admin cannot list volumes. In fact, I cannot even authenticate. Is this still possible? Am I missing something?
13:58 <openstackgerrit> Jens Harbott (frickler) proposed openstack/keystonemiddleware master: Add a new option to choose the Identity endpoint  https://review.openstack.org/651790
14:03 <cmurphy> pas-ha: it sets the 'disabled' attribute on the user, so users can't authenticate (and therefore can't authorize)
14:03 <cmurphy> frickler: kmalloc i think it may be worth a deprecation cycle?
14:04 <cmurphy> ganso: have you changed your keystone policy files at all?
14:04 <ganso> cmurphy: no
14:11 <cmurphy> ganso: what version of openstack are you using?
14:12 <ganso> cmurphy: queens
14:12 <ganso> cmurphy: I just upgraded to queens, lost v2, and hence I have noticed the behavior above
14:13 <cmurphy> ganso: how are you authenticating? and what message does it give you when it fails to authenticate?
14:16 <ganso> cmurphy: I am creating a pastebin, just a sec
14:18 <ganso> cmurphy: http://paste.openstack.org/show/749312/
14:18 <openstackgerrit> Jens Harbott (frickler) proposed openstack/keystonemiddleware master: DNM: Test with admin-less devstack  https://review.openstack.org/652037
14:23 <lbragstad> ganso it looks like you're overriding the policies listed in policy.v3cloudsample.json (and not the default policies) for identity:list_users
14:24 <lbragstad> https://opendev.org/openstack/keystone/src/branch/stable/queens/etc/policy.v3cloudsample.json#L67
14:25 <kmalloc> Sure, deprecation cycle makes sense.
14:27 <ganso> lbragstad: hmm it is possible the charm did that... I will try to overwrite it with the value from the sample and see what happens. thanks!
14:27 <lbragstad> ganso with queens - you can just comment out that line too and the default in code will take over
14:27 <frickler> cmurphy: kmalloc: how would you deprecate an implicit default? what I can see is: add the option and stick to the original default, change the default next cycle. but I wouldn't call that deprecation
14:28 <ganso> lbragstad: hold on a sec, the line I see different is "cloud_admin", not list_users.
14:29 <frickler> though that would imply we still need added configuration in order to be able to drop the admin endpoint this cycle. may be worth the effort for stability reasons, though.
14:29 <ganso> lbragstad: is that correct?
14:29 <cmurphy> frickler: we'd have to add an explicit log warning for when the setting isn't overridden (plus release note)
14:29 <cmurphy> oslo.config can't really handle it on its own
14:32 <frickler> cmurphy: ah, I see. but that would imply that (a guessed 90%) of all deployments that would just be fine with the changed default instead need to add the config option, just to drop it again next cycle
14:33 <cmurphy> frickler: oh, for some reason i was thinking there was already a config option that controls this
14:33 <frickler> cmurphy: no, it was a static, hardcoded default
14:34 <cmurphy> right, i remember now
14:34 <frickler> cmurphy: I added it as a config option in the latest PS
14:34 <frickler> though it still fails the lower-constraints job for some reason :( http://logs.openstack.org/90/651790/6/check/openstack-tox-lower-constraints/6e8204d/testr_results.html.gz
14:38 <ganso> lbragstad: ok I replaced the cloud_admin line, which was different, and I still have the same error while listing users
14:38 <ganso> lbragstad: as demo_admin
14:41 <lbragstad> so - are you overriding identity:list_users?
14:43 <lbragstad> or are you using the default of rule:admin_required?
14:51 <cmurphy> kmalloc: lbragstad in light of the impending pike final release we need some reviews https://review.openstack.org/#/q/is:open+NOT+label:workflow%253D-1+branch:%22%255Estable/.*%2524%22+(project:openstack/keystone+OR+project:openstack/keystonemiddleware)
14:56 <kmalloc> Done
14:57 <cmurphy> thanks guys
14:57 <lbragstad> mhmm
15:08 <ganso> lbragstad: my env shows: "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
15:08 <ganso> lbragstad: and the sample policy file you linked shows "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
15:08 <ganso> so it is the same
15:08 <ganso> lbragstad: the only difference is in the cloud_admin definition, my env shows: "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:d5ec723ddc5b40c89bfc4fce65ebea5a or project_id:768a425c965644f5a5884f19ef9ba302)",
15:09 <ganso> lbragstad: and the default is "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
15:09 <ganso> lbragstad: so I changed to the default, but it still did not change the outcome
15:10 <lbragstad> ok - so
15:10 <lbragstad> that's probably happening because demo_project isn't your is_admin_project
15:10 <lbragstad> i'm not sure how familiar you are with the "admin_project" concept in keystone?
15:13 <lbragstad> it looks like you're policy is still requiring the users to be a "cloud_admin"
15:13 <lbragstad> your*
15:13 <ganso> lbragstad: what about rule:admin_and_matching_domain_id ?
15:13 <lbragstad> ganso that's a workaround to allow domain administrators to list users within the domain they have authorization on
15:13 <ganso> my demo_admin has the admin role for the project, and admin role for the demo_domain
15:14 <ganso> lbragstad: yes, that is what I expected to work. But my demo_admin cannot list users on its domain
15:27 <lbragstad> ganso unfortunately, i don't think domain admin support is fully baked in keystone with policy overrides alone
15:27 <lbragstad> for example
15:28 <lbragstad> ganso we have a bug fix in stein that fixes all of that
15:28 <lbragstad> https://bugs.launchpad.net/keystone/+bug/1748027
15:28 <openstack> Launchpad bug 1748027 in OpenStack Identity (keystone) "The v3 users API should account for different scopes" [High,Fix released] - Assigned to Lance Bragstad (lbragstad)
15:28 <lbragstad> https://review.openstack.org/#/c/647550/
15:29 <lbragstad> but the fix wasn't completely isolated to policy overrides, we had to make some modifications to the actual API code that processes the requests to ensure we didn't leak users outside of the domain an administrator was scoped to
15:33 <erus> o/
15:40 <ganso> lbragstad: hmmm I see, so the problem that I am observing in queens is not a configuration problem on my end. It is a known bug and due to that domain admins that are not cloud admins cannot list users, correct?
15:42 <lbragstad> yeah - it's more of an RFE
15:43 <lbragstad> ganso but - domain admins can call GET /v3/users/{user_id} if that user is within their domain
15:44 <lbragstad> and that is supported by policy configuration
15:45 <lbragstad> https://opendev.org/openstack/keystone/src/branch/stable/queens/etc/policy.v3cloudsample.json#L64 makes sure the user in the request ({user_id}) has the same domain id as the domain in the token scope used to make the request
15:45 <lbragstad> that's harder to do with a call like identity:list_users GET /v3/users because there isn't anything to compare the domain id from the request to
15:46 <lbragstad> and that's where we had to make changes to the API to make sure we filter the request according to the domain if the request was made with a domain-scoped token
15:47 <ganso> lbragstad: oh I understand now, thank you!
15:48 <ganso> lbragstad: and regarding my issue #2, where I am trying to have an all-powerful admin see every resource
15:50 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Fix federated unscoped federated token formatter  https://review.openstack.org/652520
15:50 <lbragstad> ganso yeah - so that's another issue
15:50 <lbragstad> but - still something we're working on
15:50 <ganso> lbragstad: ok, thank you! thought that was misconfiguration on my end as well! =)
15:51 <lbragstad> ganso i should clarify, we're trying to pull support into keystone for a default `reader` role as a first-class citizen
15:51 <lbragstad> https://bugs.launchpad.net/keystone/+bugs?field.tag=default-roles - are the bugs we're using to track that work
15:51 <lbragstad> and most of that work started landing in Stein
15:52 <lbragstad> https://docs.openstack.org/releasenotes/keystone/stein.html goes into detail exactly which APIs in keystone now have a read-only role
16:43 <cmurphy> team dinner poll https://framadate.org/BHNNU9S3f9N3lasH
17:08 <ayoung> I hate that I don't get connected automagically anymore
17:26 <clarkb> if you set up sasl it should still work
17:26 <clarkb> most clients do regular client auth concurrently with joining channels, which is why the other thing doesn't work
17:26 <clarkb> but sasl auths on connection
18:31 <canori01> hello, so I set admin_project_name and admin_project_domain_name in keystone.conf and see that the values are being set. However, when I assign a user admin role in horizon, they are able to see everything. Is this expected behavior still?
19:26 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Support endpoint updates in bootstrap  https://review.openstack.org/441652
20:23 <lbragstad> canori01 it is a behavior we're working to address across projects
21:36 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Make fetching all foreign keys in a join  https://review.openstack.org/347972

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!