Wednesday, 2019-07-10

<ayoung> external predated federation. I don't think we ever deprecated it. We should [00:01]
<gyee> ayoung, amen, brother! [00:02]
<gyee> cmurphy, lbragstad, kmalloc, https://bugs.launchpad.net/keystone/+bug/1813336 so we can directly get a scoped federated token now? [00:16]
<openstack> Launchpad bug 1813336 in OpenStack Identity (keystone) "Requesting a scoped token when using x509 authentication is redundant" [Medium,Triaged] [00:16]
<gyee> I thought with federation, we always start with an unscoped token, then use that to exchange for a scoped token [00:16]
<cmurphy> gyee: that example is with external not federation [00:19]
<cmurphy> it's going through the regular /v3/auth/tokens endpoint which should allow a scope [00:20]
<cmurphy> federated auth always goes through an idp-specific or protocol-specific endpoint [00:20]
<gyee> cmurphy, then I don't understand that bug [00:22]
<gyee> are we mixing up password auth with x.509 certificate auth? [00:22]
<cmurphy> gyee: i think it has to do with this part of the tokenless docs https://docs.openstack.org/keystone/latest/admin/configure_tokenless_x509.html#test-it-out-with-curl [00:36]
<cmurphy> it's a confusing example because it's validating a token [00:36]
<cmurphy> but with external auth you would expect not to need the X-Project-Id header at all and regular scoped auth would work [00:36]
<cmurphy> but for some reason it's requiring the header [00:37]
<gyee> cmurphy, yes, understood, I've taken that part out [00:37]
<gyee> tokenless auth is designed for middleware to keystone interaction to validate user tokens [00:39]
<openstackgerrit> guang-yee proposed openstack/keystone master: discourage using X.509 with external auth https://review.opendev.org/669959 [01:21]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: [WIP] Generate PDF documentation https://review.opendev.org/669982 [05:45]
<openstackgerrit> Jose Castro Leon proposed openstack/keystone master: Allow to filter endpoint groups by name https://review.opendev.org/658359 [13:51]
<lbragstad> cmurphy bnemec https://review.opendev.org/#/c/669914/ is passing now [14:07]
<openstackgerrit> Lance Bragstad proposed openstack/oslo.limit master: Add devstack job to .zuul.conf https://review.opendev.org/670079 [14:44]
<lbragstad> cmurphy i might need a sanity check on some of the .zuul.conf stuff [14:45]
<lbragstad> i have an idea for another approach, too [14:45]
<cmurphy> lbragstad: zuul already commented [14:46]
<cmurphy> lbragstad: is this job supposed to do anything other than just run devstack? [14:47]
<lbragstad> yeah - so i'm wondering if we need this? [14:47]
<cmurphy> you don't need to define a new project that inherits from devstack if it doesn't do anything beyond what the parent job does [14:47]
<lbragstad> right [14:47]
<cmurphy> so you would just need to add a new bullet point to check: and gate: in the jobs section [14:48]
<cmurphy> jobs section of project: [14:48]
<lbragstad> i was going to follow that up with another patch that filled in the blanks and added the limits specific functional setup [14:48]
<cmurphy> ah [14:48]
<cmurphy> well i would just keep it in the same patch [14:48]
<lbragstad> but... now i'm thinking [14:48]
<cmurphy> on its own this patch doesn't do anything [14:48]
<lbragstad> right [14:49]
<lbragstad> what if we just add oslo.limit functional tests to tempest? [14:49]
<lbragstad> and use devstack-tempest in oslo.limits's .zuul.conf? [14:49]
<cmurphy> tempest is just for API testing [14:49]
<cmurphy> it has its own REST client for that [14:50]
<cmurphy> i think more likely you'd want to look at what openstacksdk is doing for functional tests and copy that [14:50]
<lbragstad> ah [14:50]
<lbragstad> https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/tests/functional [14:51]
<lbragstad> so - https://opendev.org/openstack/openstacksdk/src/branch/master/.zuul.yaml#L100-L118 looks like an example functional definition [14:53]
<cmurphy> ++ [14:54]
<bnemec> ^What she said [14:55]
<lbragstad> we could do something similar to https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/tests/functional/base.py#L46 [14:57]
<lbragstad> i guess at that point we don't really need anything outside of keystone (from devstack) [14:57]
<lbragstad> whenever nova adds support for consuming unified limits, should those tests live in nova's functional tests then? [14:58]
<lbragstad> cc johnthetubaguy ^ [14:58]
<johnthetubaguy> in my head I was leaving it to unit tests + tempest ones, but that does miss the idea of us hammering the edge cases [15:01]
<cmurphy> nova should probably have tempest tests for whatever quota API it exposes to users [15:01]
<cmurphy> and yeah maybe some functional tests for the edge cases [15:01]
<johnthetubaguy> cmurphy: +1 [15:02]
<johnthetubaguy> in my head it's like limit someone to two instances, boot three and make sure only two work, etc [15:03]
<lbragstad> ++ [15:07]
<lbragstad> since oslo.limit isn't really the thing implementing half of that code (the stuff in nova), i'm wondering if/where that should live? [15:08]
<kmalloc> ok. so today is maybe coffee shop, they didn't finish construction until well past 6pm last night [15:46]
* kmalloc grumps about this for the next 2-3 months. [15:47]
<cmurphy> can I plead for reviews on https://review.opendev.org/636786 - we need to release that in order to get the ball rolling on https://review.opendev.org/633369 which is then needed for the access rules stack in keystone [16:54]
<cmurphy> and in general reviews of ksc/ksa/ksm would be good so we can get a release out [16:55]
<lbragstad> damn [17:01]
<cmurphy> lol [17:01]
<openstackgerrit> Lance Bragstad proposed openstack/oslo.limit master: Add devstack job to .zuul.conf https://review.opendev.org/670079 [17:24]
<openstackgerrit> Merged openstack/oslo.policy master: Add Python 3 Train unit tests https://review.opendev.org/610122 [18:22]
<cmurphy> kmalloc: could you review this backport to unbreak stable/stein https://review.opendev.org/667105 [19:31]
<kmalloc> cmurphy: looking [19:31]
<kmalloc> done [19:32]
<cmurphy> ty [19:33]
<bnemec> Hey, if anyone gets a chance, could you take a quick look at https://review.opendev.org/#/c/662830 ? [19:42]
<bnemec> It looks reasonable to me, but I'm not a keystone auth expert so it would be nice if someone who is could sanity check what they're doing. [19:42]
<openstackgerrit> Merged openstack/python-keystoneclient master: Add support for app cred access rules header https://review.opendev.org/636786 [20:15]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add exercises for intern applicants https://review.opendev.org/669004 [20:42]
<openstackgerrit> Merged openstack/python-keystoneclient master: Update the constraints url https://review.opendev.org/668796 [21:10]
<cmurphy> kmalloc: knikolla reviewing https://review.opendev.org/669886 which is a duplicate of ps1 of https://review.opendev.org/655166 i think we need to revisit jose's original work, or i need another refresher on why it's not acceptable [21:26]
<cmurphy> group membership for federated users is still ephemeral and entirely depends on the mapping driver [21:26]
<kmalloc> Oh gah, making my brain work today [21:27]
<kmalloc> :P [21:27]
<cmurphy> but federated users first of all can't create application credentials at all because the application credential manager uses the list_role_assignments function which goes through the sql driver [21:27]
<cmurphy> and therefore doesn't pick up that group membership [21:27]
<cmurphy> (that's why we need renewable) [21:27]
<kmalloc> Sec, need to type not on mobile. [21:27]
<cmurphy> and so then even calling list_role_assignments in the token model wouldn't get those ephemeral group memberships [21:28]
<kmalloc> ok [21:28]
<cmurphy> kmalloc: no problem i just needed to get that out [21:28]
<kmalloc> right, so the reason for the fix was to allow for group permissions to create app creds. however, as i recall, fixing group permission of app-cred creation opened the door to federated users in general being able to, if they use a group-granted-permission [21:29]
<cmurphy> kmalloc: i have been playing with it and federated users with group-only permissions can't create app creds [21:30]
<kmalloc> right, today no one with group perms can [21:30]
<cmurphy> incorrect [21:30]
<cmurphy> regular users can create them [21:30]
<cmurphy> they just are unable to use them [21:30]
<kmalloc> hmm. [21:30]
<kmalloc> ah [21:30]
<kmalloc> that was the weird bit. [21:31]
<cmurphy> that's what people keep trying to fix [21:31]
<cmurphy> but even with that fix in the token model, that doesn't let federated users create them [21:31]
<cmurphy> because the group membership is ephemeral [21:31]
<kmalloc> part of CERN's iteration was federated user support as well [21:31]
<kmalloc> i think one of the patchsets or some code we looked at was to address that. [21:32]
<cmurphy> i'm sure they also want that but https://review.opendev.org/#/c/655166/1/keystone/models/token_model.py doesn't do that [21:32]
<kmalloc> and opened doors that couldn't be done until we have the expiration [21:32]
<kmalloc> hm. there was something else. [21:33]
<kmalloc> shrug [21:33]
<kmalloc> we can land it, i certainly can't remember now. i know there was some reason we couldn't do it, but maybe that was other code [21:34]
<kmalloc> as long as we are certain we aren't getting federated user app creds, we're good...until expiration [21:35]
<cmurphy> okay i'm gonna repropose ps1 of 655166 and we can continue the discussion there [21:35]
<kmalloc> sure. [21:35]
* kmalloc gets back to code shuffling [21:35]
<kmalloc> the code shuffle is real for trying to get these resource options centralized [21:35]
<kmalloc> =/ [21:35]
<kmalloc> the migrations were remarkably easy [21:36]
<kmalloc> it's ... the rest of the code that isn't [21:36]
<cmurphy> :) [21:36]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Allows to use application credentials through group membership https://review.opendev.org/655166 [21:47]
<cmurphy> ptg attendance show of hands http://lists.openstack.org/pipermail/openstack-discuss/2019-July/007639.html [22:16]
* kmalloc hides [22:27]