Wednesday, 2019-04-24

*** ganso has quit IRC 00:08
*** ganso has joined #openstack-keystone 00:08
*** jamesmcarthur has joined #openstack-keystone 00:52
*** jamesmcarthur has quit IRC 00:54
*** jamesmcarthur has joined #openstack-keystone 00:58
*** zbitter is now known as zaneb 01:00
*** hoonetorg has quit IRC 01:01
<eandersson> btw for predictable ids and keystone 01:01
<eandersson> How about just letting users choose the uuid when creating resources? 01:02
<eandersson> > openstack project create my_project --uuid <my-uuid> 01:03
*** markvoelker has joined #openstack-keystone 01:13
*** jamesmcarthur has quit IRC 01:14
*** hoonetorg has joined #openstack-keystone 01:15
*** whoami-rajat has joined #openstack-keystone 01:16
*** jamesmcarthur_ has joined #openstack-keystone 01:18
*** zaneb has quit IRC 01:25
*** mvkr has quit IRC 01:32
*** jamesmcarthur_ has quit IRC 01:34
<kmalloc> eandersson: there are a lot of reasons to not do that, most of them revolve around predictability and squatting on IDs that are convenient. 01:40
<kmalloc> eandersson: it is generally better if keystone can control the generation based upon data provided and something keystone controls 01:41
<kmalloc> eandersson: also, in a federated environment, you can create (with the right access) data that could provide an escalation/access to resources unintended. 01:42
<kmalloc> the inclusion of data owned by keystone at least limits the scope. 01:42
<kmalloc> if we allow for --uuid in your example we would need to SHA it with the domain_id. we could include a "user-supplied-seed" that is used in future replication/autoprovisioning in remote environments (and default to using the name if no seed is provided) 01:43
<kmalloc> in short, we can't do user supplied without potential issue(s) down the line. 01:44
<eandersson> Interesting 01:44
<openstackgerrit> Colleen Murphy proposed openstack/keystone-specs master: Add role implication note to basic-default-roles  https://review.opendev.org/575144 01:46
*** jamesmcarthur has joined #openstack-keystone 02:05
*** jamesmcarthur has quit IRC 02:12
*** gmann_afk is now known as gmann 02:16
*** jamesmcarthur has joined #openstack-keystone 02:18
*** mvkr has joined #openstack-keystone 02:21
*** vishakha has joined #openstack-keystone 02:27
*** ileixe has quit IRC 02:50
*** ileixe has joined #openstack-keystone 02:53
*** ileixe has quit IRC 02:53
<vishakha> o/ 02:58
*** lbragstad has quit IRC 03:08
*** ileixe has joined #openstack-keystone 03:22
*** whoami-rajat has quit IRC 03:35
*** erus has joined #openstack-keystone 03:43
<openstackgerrit> zhongshengping proposed openstack/keystone master: Replace git.openstack.org URLs with opendev.org URLs  https://review.opendev.org/654296 03:51
*** whoami-rajat has joined #openstack-keystone 04:06
*** jamesmcarthur has quit IRC 04:17
*** jamesmcarthur has joined #openstack-keystone 04:18
*** jamesmcarthur has quit IRC 04:23
*** ileixe has quit IRC 04:28
*** jamesmcarthur has joined #openstack-keystone 04:29
*** ileixe has joined #openstack-keystone 04:31
*** jamesmcarthur has quit IRC 04:45
*** jamesmcarthur has joined #openstack-keystone 04:45
*** jamesmcarthur has quit IRC 04:50
*** jamesmcarthur has joined #openstack-keystone 04:50
*** jamesmcarthur has quit IRC 04:54
*** erus has quit IRC 04:57
*** sapd1_ has quit IRC 05:03
*** jamesmcarthur has joined #openstack-keystone 05:06
*** ileixe has quit IRC 05:06
*** ileixe has joined #openstack-keystone 05:09
*** markvoelker has quit IRC 05:10
*** jamesmcarthur has quit IRC 05:11
*** sapd1 has joined #openstack-keystone 05:14
*** jamesmcarthur has joined #openstack-keystone 05:17
*** jamesmcarthur has quit IRC 05:22
*** shyamb has joined #openstack-keystone 05:23
*** jamesmcarthur has joined #openstack-keystone 05:25
*** sapd1 has quit IRC 05:29
*** jamesmcarthur has quit IRC 05:32
*** sapd1 has joined #openstack-keystone 05:37
*** mvkr has quit IRC 05:40
*** sapd1 has quit IRC 05:42
*** mvkr has joined #openstack-keystone 05:53
*** shyamb has quit IRC 05:56
*** sapd1 has joined #openstack-keystone 05:59
*** ileixe has quit IRC 06:01
*** shyamb has joined #openstack-keystone 06:01
*** shyamb has quit IRC 06:03
*** jamesmcarthur has joined #openstack-keystone 06:11
*** ileixe has joined #openstack-keystone 06:12
*** jamesmcarthur has quit IRC 06:15
*** sapd1 has quit IRC 06:21
*** d34dh0r53 has quit IRC 06:22
*** cloudnull has quit IRC 06:22
*** eglute has quit IRC 06:23
*** pcaruana has joined #openstack-keystone 06:24
*** sapd1 has joined #openstack-keystone 06:27
*** ileixe has quit IRC 06:58
*** ileixe has joined #openstack-keystone 07:00
*** rcernin has quit IRC 07:05
*** markvoelker has joined #openstack-keystone 07:12
*** sapd1 has quit IRC 07:13
*** sapd1 has joined #openstack-keystone 07:14
*** phasespace has joined #openstack-keystone 07:28
<openstackgerrit> caoyuan proposed openstack/keystone-tempest-plugin master: Replace git.openstack.org URLs with opendev.org URLs  https://review.opendev.org/655018 07:36
*** yan0s has joined #openstack-keystone 07:59
<yan0s> Hi, I am witnessing a weird behavior with application credentials 09:24
<yan0s> I create an app cred with admin user with scope on project A 09:25
<yan0s> the app cred gets project-id of project A 09:25
<yan0s> I login via cli with this app cred and I am logged in the ADMIN project... 09:26
*** d34dh0r53 has joined #openstack-keystone 09:45
*** cloudnull has joined #openstack-keystone 09:47
*** eglute has joined #openstack-keystone 09:47
<yan0s> false alarm 09:49
<yan0s> I still get a weird behavior though 09:50
<yan0s> I can list all projects owned by the user that created the app cred 09:50
*** tkajinam has quit IRC 09:52
*** awestin1 has quit IRC 09:54
*** pas-ha has quit IRC 09:54
*** gmann has quit IRC 09:54
*** pas-ha has joined #openstack-keystone 09:54
*** awestin1_ has joined #openstack-keystone 09:54
*** rm_work has quit IRC 09:55
*** gmann has joined #openstack-keystone 09:56
*** rm_work has joined #openstack-keystone 10:06
*** raildo has joined #openstack-keystone 10:21
*** gmann has quit IRC 10:44
*** raildo has quit IRC 10:58
*** raildo has joined #openstack-keystone 11:00
<openstackgerrit> jacky06 proposed openstack/python-keystoneclient master: Replace git.openstack.org URLs with opendev.org URLs  https://review.opendev.org/654764 11:17
*** cloudnull has quit IRC 11:36
*** cloudnull has joined #openstack-keystone 11:37
*** Emine has joined #openstack-keystone 11:44
*** markvoelker has quit IRC 12:08
*** markvoelker has joined #openstack-keystone 12:08
*** jamesmcarthur has joined #openstack-keystone 12:10
*** jamesmcarthur has quit IRC 12:15
*** jamesmcarthur has joined #openstack-keystone 12:16
*** jamesmcarthur has quit IRC 12:32
*** zaneb has joined #openstack-keystone 12:36
*** jamesmcarthur has joined #openstack-keystone 12:44
*** lbragstad has joined #openstack-keystone 12:44
*** ChanServ sets mode: +o lbragstad 12:44
<yan0s> How can a user be considered as "admin" role in the Keystone policy context? 12:49
<yan0s> I mean I want a user (other than THE admin user) to be able to create a project 12:50
<yan0s> but roles can only be given to a user per project 12:50
*** zaneb has quit IRC 12:52
*** irclogbot_3 has quit IRC 12:55
*** irclogbot_0 has joined #openstack-keystone 12:55
*** jistr is now known as jistr|afk 12:56
*** altlogbot_2 has quit IRC 12:57
*** altlogbot_0 has joined #openstack-keystone 12:58
<lbragstad> cmurphy nice work on the restaurant choice - i'm cruising the menu and it looks awesome 13:40
<knikolla> o/ 13:43
<knikolla> yup, really nice place! 13:45
*** gmann has joined #openstack-keystone 13:52
<cmurphy> :) 13:54
<cmurphy> yan0s: by default only admins can create projects, you would have to change the create_project policy in /etc/keystone/policy.yaml to allow other users to do that 13:56
<yan0s> cmurphy: you mean user of role "admin" in a domain? 13:58
*** jamesmcarthur has quit IRC 14:00
<gagehugo> o/ 14:00
*** jamesmcarthur has joined #openstack-keystone 14:00
<cmurphy> yan0s: it's a little complicated because we're in a transition period, right now by default you can have role "admin" on any scope - project, domain, or system - and have all admin privileges including the ability to create projects. in the future the default will be locked down so that you specifically have to have the admin role on the system scope to create any project or on a domain to create 14:02
<cmurphy> projects within that domain 14:02
*** phasespace has quit IRC 14:26
*** itlinux has quit IRC 14:35
<yan0s> cmurphy: I think this is the condition in the policy that is failing: domain_id:%(domain_id)s" 14:35
<yan0s> cmurphy: What is actually compared here? 14:35
<yan0s> "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s" 14:36
<cmurphy> yan0s: are you using the policy.v3cloudsample.json policy file? 14:37
<cmurphy> the domain_id check is looking for the domain the token is scoped to 14:38
<yan0s> yes 14:38
<yan0s> so the comparison is between the domain_id the token is scoped to and what? 14:39
<yan0s> the user domain id? 14:39
<lbragstad> the domain_id in the request if there is one 14:40
<lbragstad> for example GET /v3/domains/{domain_id} 14:40
<lbragstad> the domain_id from the path is compared to the domain_id in the token, if the token is domain-scoped 14:40
*** erus has joined #openstack-keystone 14:41
*** yan0s has quit IRC 14:46
*** jamesmcarthur has quit IRC 14:48
*** pcaruana has quit IRC 15:06
*** imdigitaljim has joined #openstack-keystone 15:07
*** jamesmcarthur has joined #openstack-keystone 15:07
*** efried has joined #openstack-keystone 15:08
<efried> cmurphy: Can I get a PTL ack on https://review.opendev.org/#/c/653888/ please? 15:09
<cmurphy> efried: sure, i didn't think the proposal bot needed ptl affirmation though? 15:13
<efried> cmurphy: turns out you're right, I wasn't sure, thanks for the look. 15:14
<cmurphy> np 15:15
*** itlinux has joined #openstack-keystone 15:28
*** raildo_ has joined #openstack-keystone 15:35
*** raildo has quit IRC 15:35
*** itlinux has quit IRC 15:41
*** pcaruana has joined #openstack-keystone 15:46
<kmalloc> o/ 15:51
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Add yaml-loaded filesystem catalog backend  https://review.opendev.org/483514 15:54
*** itlinux has joined #openstack-keystone 15:56
<bnemec> https://image.slidesharecdn.com/presentation-160623224549/95/kubernetes-101-31-638.jpg?cb=1466722045 15:58
*** efried is now known as efried_rollin 16:04
*** altlogbot_0 has quit IRC 16:09
*** altlogbot_1 has joined #openstack-keystone 16:12
*** ybunker has joined #openstack-keystone 16:31
*** itlinux has quit IRC 16:33
<kmalloc> bnemec: yeah, a number of folks still use the templated catalog. the current templated catalog is a trainwreck, yaml at least lets us make it comparable to the DB catalog. 16:37
<kmalloc> in functionality (minus the API create/update/delete) 16:37
*** itlinux has joined #openstack-keystone 16:37
<bnemec> kmalloc: I mostly just have a weakness for that meme. :-) 16:39
<bnemec> In my defense, I've spent a _lot_ of time staring at Heat/Ansible/Mistral/etc. YAML over the years. 16:39
<cmurphy> i'm so sorry for you 16:40
<kmalloc> ^^ what cmurphy said. 16:42
<bnemec> Appropriate: https://cdn3.whatculture.com/images/2015/05/1XvDIu6y.gif 16:43
*** altlogbot_1 has quit IRC 16:43
<bnemec> Now I get to go stare at Powerpoint slides for a few hours. 16:43
* bnemec wonders what he did to deserve this 16:43
*** gyee has joined #openstack-keystone 16:44
*** altlogbot_0 has joined #openstack-keystone 16:44
*** itlinux has quit IRC 16:44
*** itlinux has joined #openstack-keystone 16:50
*** altlogbot_0 has quit IRC 16:53
*** altlogbot_1 has joined #openstack-keystone 16:54
*** itlinux has quit IRC 16:56
<kmalloc> bnemec: you work in tech, apparently this is a requirement :P 17:05
<bnemec> At least they haven't made me a manager, so I only have to do this every six months. ;-) 17:07
* bnemec belatedly knocks on wood 17:08
*** itlinux has joined #openstack-keystone 17:10
*** jamesmcarthur_ has joined #openstack-keystone 17:13
*** jamesmcarthur has quit IRC 17:15
*** erus has quit IRC 17:15
*** erus has joined #openstack-keystone 17:16
*** markvoelker has quit IRC 17:21
*** markvoelker has joined #openstack-keystone 17:22
*** markvoelker has quit IRC 17:26
*** phasespace has joined #openstack-keystone 17:30
*** markvoelker has joined #openstack-keystone 17:37
*** jamesmcarthur_ has quit IRC 18:08
*** vishakha has quit IRC 18:13
*** jamesmcarthur has joined #openstack-keystone 18:19
*** itlinux has quit IRC 18:50
*** itlinux has joined #openstack-keystone 18:52
*** itlinux has quit IRC 18:54
*** openstackgerrit has quit IRC 18:57
*** itlinux has joined #openstack-keystone 18:58
*** itlinux has quit IRC 19:11
*** ybunker has quit IRC 19:17
*** erus has quit IRC 19:17
*** erus has joined #openstack-keystone 19:18
*** itlinux has joined #openstack-keystone 19:33
*** dave-mccowan has joined #openstack-keystone 19:56
*** efried_rollin is now known as efried 20:14
*** pcaruana has quit IRC 20:39
*** itlinux has quit IRC 21:16
*** itlinux has joined #openstack-keystone 21:22
*** itlinux has quit IRC 21:24
*** whoami-rajat has quit IRC 21:25
*** itlinux has joined #openstack-keystone 21:28
*** zaneb has joined #openstack-keystone 21:35
*** itlinux has quit IRC 21:41
*** itlinux has joined #openstack-keystone 21:49
<gmann> lbragstad: cmurphy I am keeping system scope testing on Friday 9.30-10.00 - https://ethercalc.openstack.org/Train-PTG-QA-Schedule 21:54
<gmann> let me know if it is fine otherwise we can change that slot. 21:55
<gmann> you want to discuss this in keystone room or QA ? QA has shared room with infra team, so keystone room might be good ? 21:56
<lbragstad> ummm 21:59
<lbragstad> i'm looking at https://etherpad.openstack.org/p/keystone-train-ptg 21:59
<lbragstad> it looks like system-scope and unified limits are still on the schedule for friday morning, but iirc i thought that was moved to friday afternoon 21:59
<lbragstad> per our discussion with efried 22:00
<lbragstad> if that's the case, then we probably have availability on friday morning in the keystone room, but i'll have cmurphy confirm to make sure i'm not missing something 22:00
<gmann> yeah that is at 15.15 - https://etherpad.openstack.org/p/nova-ptg-train 22:00
<efried> I've got Friday 1515-1615: Keystone XPROJ: https://etherpad.openstack.org/p/ptg-train-xproj-nova-keystone 22:01
<cmurphy> gmann: i thought we agreed to talk about tempest testing on Thursday morning 22:01
<cmurphy> then system scope with nova on friday afternoon 22:01
*** imacdonn has quit IRC 22:01
<gmann> cmurphy: ohk Thursday morning also ok, 10.40 ok for that ? 22:02
*** imacdonn has joined #openstack-keystone 22:02
<cmurphy> gmann: 10:40 should be okay for that, it will have to be in the QA room since keystone doesn't have a room till the afternoon 22:02
*** itlinux has quit IRC 22:03
<cmurphy> lbragstad: we agreed keystone/nova meet friday afternoon but i didn't move the original sessions for those items for internal keystone discussion, i could move them to right before or after nova team meeting if that makes more sense 22:04
<gmann> cmurphy: noted. update in schedule. thanks - https://ethercalc.openstack.org/Train-PTG-QA-Schedule 22:04
<gmann> for tempest testing. 22:04
<cmurphy> thanks gmann 22:05
*** raildo_ has quit IRC 22:08
*** itlinux has joined #openstack-keystone 22:09
*** zaneb has quit IRC 22:14
*** itlinux has quit IRC 22:15
*** itlinux has joined #openstack-keystone 22:25
*** tkajinam has joined #openstack-keystone 22:53
*** rcernin has joined #openstack-keystone 22:54
*** mvkr has quit IRC 23:12
*** mchlumsky has quit IRC 23:23
*** itlinux has quit IRC 23:33
*** itlinux has joined #openstack-keystone 23:37
*** itlinux has quit IRC 23:50
