Tuesday, 2019-08-06

*** jamesmcarthur has quit IRC		00:09
*** jamesmcarthur has joined #openstack-keystone		00:16
*** gyee has quit IRC		00:19
kmalloc	cmurphy: i think you're going to have the same issue w/ filtering on that one	00:21
kmalloc	cmurphy: really, the best bet is a toggle to just disable it, batched is going to still be rough unless we can be sure we've already warned at some point and just avoid warning again.	00:22
*** jamesmcarthur has quit IRC		00:38
openstackgerrit	zhufl proposed openstack/keystone master: Fix missing print format and missing ws between words https://review.opendev.org/674521	00:41
*** markvoelker has joined #openstack-keystone		00:41
*** markvoelker has quit IRC		00:51
*** markvoelker has joined #openstack-keystone		01:17
*** spsurya has joined #openstack-keystone		01:17
*** altlogbot_3 has quit IRC		01:37
*** altlogbot_0 has joined #openstack-keystone		01:38
*** markvoelker has quit IRC		01:38
*** jamesmcarthur has joined #openstack-keystone		01:44
*** jamesmcarthur has quit IRC		01:49
*** jamesmcarthur has joined #openstack-keystone		02:18
*** markvoelker has joined #openstack-keystone		02:42
*** jamesmcarthur has quit IRC		02:53
*** jamesmcarthur has joined #openstack-keystone		02:54
*** jamesmcarthur has quit IRC		02:59
*** jamesmcarthur has joined #openstack-keystone		03:04
*** whoami-rajat has joined #openstack-keystone		03:07
*** markvoelker has quit IRC		03:15
*** jamesmcarthur has quit IRC		03:17
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Add support for previous TOTP windows https://review.opendev.org/647655	03:19
adriant	kmalloc: ^ as discussed, max is 10, default is 1, and it has tests now	03:22
adriant	not sure if I need to use the timefixture there, but I am using freezegun to make my passcodes in the past	03:22
*** jamesmcarthur has joined #openstack-keystone		03:40
cmurphy	kmalloc: not sure why there would be the same issue with filtering, isn't the inefficiency due to the number of warnings being emitted that need to be scanned and filtered? if there was just one warning for every 50 we have now wouldn't that be more efficient?	03:57
openstackgerrit	Chason Chan proposed openstack/keystone master: Specify keystone is OS user for fernet and credential setup https://review.opendev.org/674725	04:05
kmalloc	cmurphy: it is stilla ton of notifications	04:21
kmalloc	cmurphy: honestly i think we're still going to cause CI pressure in unfun ways.	04:22
kmalloc	annnnd IRCCloud is broken on my phone =/	04:33
*** jamesmcarthur has quit IRC		04:40
*** jhesketh has joined #openstack-keystone		04:54
*** jamesmcarthur has joined #openstack-keystone		05:09
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs master: Reparent Projects https://review.opendev.org/618144	05:10
*** jamesmcarthur has quit IRC		05:15
adriant	kmalloc, cmurphy: ^ cleaned up that spec to get the discussion going. I still stand by "No real security impact." and that this is very much a needed feature if we actually want people using sub-projects.	05:18
adriant	and that the supposed security impacts are just features of how project trees and assignments work.	05:18
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs master: Reparent Projects https://review.opendev.org/618144	05:25
*** markvoelker has joined #openstack-keystone		05:28
*** markvoelker has quit IRC		05:33
*** tkajinam has quit IRC		05:38
*** tkajinam has joined #openstack-keystone		05:38
kmalloc	adriant: I am still not happy with an API that does this. But whatever. I feel like it isn’t worth arguing against.	05:42
adriant	kmalloc: I understand why, but at the same time I think that it's not something we can live without if we want people to use project trees. Otherwise projects are immutable.	05:44
adriant	Which we know isn't the case	05:44
kmalloc	I do not agree with the no security impact	05:44
adriant	I know :P	05:45
kmalloc	There is inherently concerns and anyone doing this must be aware of the potential new access or removed access if roles are inherited.	05:45
kmalloc	You will also need to deal with all app creds for the project when it happens	05:45
kmalloc	And revalidate access or revoke all of them.	05:46
kmalloc	And trusts	05:46
adriant	Don't app creds and trusts change based on the role assignments?	05:46
kmalloc	App creds might revalidate them but no they don’t auto change	05:46
kmalloc	Live-validate*	05:47
kmalloc	But, please be 100% sure	05:47
adriant	That's why I'm leaning towards option 2 the NEW api	05:48
adriant	with a GET that returns the full impact of the reparenting	05:48
kmalloc	Iirc we explicitly invalidate app creds when a role changes.	05:48
adriant	and a post to do it	05:48
kmalloc	Eh, probably a post to validate/check impact and a patch to relate to	05:48
kmalloc	Easier to send a body than an ugly get url ;)	05:49
kmalloc	Patch to reparent*	05:49
adriant	post to me implies a creation to me, so get with an optional param felt like a safer bet	05:49
adriant	unless we actually want to track the 're-parent action' and then confirm it	05:50
kmalloc	Eh. But patch is update of resource	05:50
* adriant isn't fussed too muct		05:50
kmalloc	I’d do reparent/project_id body {new-parent}	05:50
kmalloc	But really	05:51
kmalloc	This is bike shedding	05:51
adriant	much*	05:51
adriant	yeah	05:51
adriant	I just want a way to audit the change, and a way to do it	05:51
kmalloc	Propose it, I won’t block it. I’m done with fighting this battle. If it is needed and cores beside me sign off on it, so be it	05:51
adriant	and that satisfies that we have done all we can to limit a loss of a metaphorical toe	05:51
kmalloc	And then I’ll review the code as I would any other approved spec’s code.	05:52
adriant	I wish we didn't need this feature, but it's one that keeps coming up. :(	05:53
*** jamesmcarthur has joined #openstack-keystone		06:11
*** jamesmcarthur has quit IRC		06:16
*** joshualyle has joined #openstack-keystone		06:28
*** vishalmanchanda has joined #openstack-keystone		06:36
*** markvoelker has joined #openstack-keystone		06:36
*** jamesmcarthur has joined #openstack-keystone		06:46
*** jamesmcarthur has quit IRC		06:51
*** xek has joined #openstack-keystone		07:00
*** jamesmcarthur has joined #openstack-keystone		07:00
*** xek has quit IRC		07:03
*** jamesmcarthur has quit IRC		07:05
*** markvoelker has quit IRC		07:09
*** tesseract has joined #openstack-keystone		07:30
*** jaosorior has quit IRC		07:34
*** jamesmcarthur has joined #openstack-keystone		07:39
*** jamesmcarthur has quit IRC		07:43
*** rcernin has quit IRC		08:04
*** xek has joined #openstack-keystone		08:06
*** tkajinam has quit IRC		08:06
*** jamesmcarthur has joined #openstack-keystone		08:08
*** jamesmcarthur has quit IRC		08:12
*** jamesmcarthur has joined #openstack-keystone		08:14
*** jamesmcarthur has quit IRC		08:20
*** jaosorior has joined #openstack-keystone		08:35
*** jaosorior has quit IRC		08:37
*** jaosorior has joined #openstack-keystone		08:41
*** jamesmcarthur has joined #openstack-keystone		08:44
*** jamesmcarthur has quit IRC		09:18
*** shyamb has joined #openstack-keystone		09:22
*** dancn has joined #openstack-keystone		09:44
*** jamesmcarthur has joined #openstack-keystone		09:55
*** jamesmcarthur has quit IRC		09:59
*** shyamb has quit IRC		10:19
*** shyamb has joined #openstack-keystone		10:50
*** jamesmcarthur has joined #openstack-keystone		10:55
*** jamesmcarthur has quit IRC		11:00
*** jaosorior has quit IRC		11:02
*** shyamb has quit IRC		11:12
*** shyam89 has joined #openstack-keystone		11:12
*** shyamb has joined #openstack-keystone		11:17
*** shyam89 has quit IRC		11:17
*** ivve has joined #openstack-keystone		11:22
*** jaosorior has joined #openstack-keystone		11:31
*** jamesmcarthur has joined #openstack-keystone		11:31
*** jamesmcarthur has quit IRC		11:35
openstackgerrit	Radosław Piliszek proposed openstack/keystone master: Honor group_members_are_ids for user_enabled_emulation https://review.opendev.org/674782	11:35
*** jamesmcarthur has joined #openstack-keystone		11:35
* yoctozepto is to be contacted about ^		11:41
yoctozepto	happy to learn writing unit tests in here	11:42
*** markvoelker has joined #openstack-keystone		12:04
*** markvoelker has quit IRC		12:06
*** markvoelker has joined #openstack-keystone		12:06
*** shyamb has quit IRC		12:10
*** shyamb has joined #openstack-keystone		12:11
*** jamesmcarthur has quit IRC		12:20
*** mvkr has quit IRC		12:21
*** shyamb has quit IRC		12:27
*** mvkr has joined #openstack-keystone		13:11
*** jamesmcarthur has joined #openstack-keystone		13:17
*** kplant has joined #openstack-keystone		13:47
knikolla	o/	13:50
cmurphy	o/	13:52
gagehugo	o/	14:09
*** altlogbot_0 has quit IRC		14:12
*** altlogbot_0 has joined #openstack-keystone		14:14
*** joshualyle has quit IRC		14:20
*** Ben78 has joined #openstack-keystone		15:19
*** hoonetorg has quit IRC		15:24
*** hoonetorg has joined #openstack-keystone		15:25
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Add federated support for get user https://review.opendev.org/448730	15:27
*** gyee has joined #openstack-keystone		15:29
cmurphy	team meeting in 20 minutes in #openstack-meeting-alt	15:40
openstackgerrit	Merged openstack/oslo.policy master: Add attribute to suppress deprecation warnings https://review.opendev.org/673932	15:40
bnemec	I assume you would like ^ released ASAP.	15:42
cmurphy	bnemec: that would be wonderful	15:43
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Add federated support for get user https://review.opendev.org/448730	15:43
knikolla	oops, wrong rebase.	15:46
*** ivve has quit IRC		15:46
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Add federated support for get user https://review.opendev.org/448730	15:50
*** xek has quit IRC		15:54
*** dancn has quit IRC		15:57
cmurphy	any last minute topics to add to the agenda?	15:59
cmurphy	meeting now in #openstack-meeting-alt	16:03
*** mvkr has quit IRC		16:20
*** jamesmcarthur has quit IRC		16:31
*** markvoelker has quit IRC		16:32
*** markvoelker has joined #openstack-keystone		16:44
*** Ben78 has quit IRC		16:46
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Allows to use application credentials through group membership https://review.opendev.org/655166	16:54
*** spsurya has quit IRC		17:52
openstackgerrit	Merged openstack/keystone master: Fix websso auth loop https://review.opendev.org/674122	18:22
*** tesseract has quit IRC		18:52
*** xek has joined #openstack-keystone		18:57
*** jamesmcarthur has joined #openstack-keystone		18:57
*** jamesmcarthur has quit IRC		19:08
*** ivve has joined #openstack-keystone		19:32
*** mloza has joined #openstack-keystone		19:41
*** mloza is now known as atmark		19:41
kplant	should i be concerned that shibboleth is generating metadata with redirect URIs that are not correct? for instance: http://sp.keystone.example.org:5000/Shibboleth.sso/SAML2/POST	19:43
*** jamesmcarthur has joined #openstack-keystone		19:44
cmurphy	kplant: how are you querying the metadata?	19:47
kplant	curl -s http://sp.keystone.example.org:5000/Shibboleth.sso/Metadata	19:50
cmurphy	the url in the metadata is based on how you queried it	19:52
cmurphy	if shibboleth is accessible from port 5000 and you used port 5000 to query the metadata then that's how it will show up	19:53
cmurphy	so it's not incorrect if that's how you want your browser to access it	19:53
kplant	oh yeah, i did notice that. i meant more specifically the path, where it's actually redirecting is: http://sp.keystone.example.org:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/saml2/websso?origin=http://sp.keystone.example.org/auth/websso/	19:54
kplant	and the idp isn't happy with the redirect uri not matching what's in the metadata	19:54
*** jamesmcarthur has quit IRC		19:54
kplant	actually if i manually add 'http://sp.keystone.example.org:5000/Shibboleth.sso/SLO/Redirect' as a valid redirect URI that seems to clear it up	19:57
cmurphy	those urls have totally different purposes	19:57
cmurphy	Shibboleth.sso/SAML2/POST is for the idp to submit the saml response, /v3/auth/OS-FEDERATION/blabla is the auth endpoint in keystone	19:57
kplant	yeah i was incorrect in where i thought it was redirecting	19:58
kplant	i added '*' as a valid redirect uri and i traced too far	19:58
kplant	looks like it was redirecting to 'http://sp.keystone.example.org:5000/Shibboleth.sso/SLO/Redirect'	19:58
kplant	or not, i'm getting invalid redirect uri again	20:00
kplant	i tried doing a samltrace to find where it's trying to redirect, any idea where i could find that out?	20:01
cmurphy	samltrace is where i would have started, not sure off the top of my head what would be using the HTTP-Redirect url	20:03
kplant	mind if i paste what i changed in the configs to try to get this working?	20:05
cmurphy	sure	20:05
kplant	http://paste.openstack.org/show/755584/	20:05
cmurphy	kplant: you probably want <Location /Shibboleth.sso> to be outside the *:5000 vhost and accessible just from port 80	20:07
cmurphy	it's possible that might be related to the weird redirects	20:08
kplant	if i did that i'd have to put it in the horizon container	20:08
kplant	horizon listens on :80 on this guy	20:08
cmurphy	it will still work with horizon, horizon doesn't pay attention to /Shibboleth.sso	20:08
kplant	i can definitely try that, just to add some more data... if i add '*' as a valid uri then the redirect does work	20:10
kplant	but then i'm met with: a 401 http://paste.openstack.org/show/755584/	20:10
kplant	err, wrong paste	20:10
kplant	"the request you have made requires authentication."	20:10
cmurphy	where are you putting '*' ?	20:10
kplant	just so it allows any uri and completes the redirect	20:11
kplant	if i do that it makes its way back to keystone	20:11
cmurphy	i mean where in the config	20:12
kplant	oh, sorry	20:12
kplant	i read "where" as "why"	20:12
kplant	in the IdP (keycloak)	20:12
kplant	there's a list of "Valid Redirect URIs"	20:12
*** jamesmcarthur has joined #openstack-keystone		20:14
cmurphy	in keycloak?	20:15
kplant	yes	20:15
*** jamesmcarthur has quit IRC		20:15
cmurphy	okay i'm not familiar with keycloak	20:15
cmurphy	but what you can do is turn on insecure_debug=true in keystone.conf	20:16
cmurphy	and then that will tell you exactly why you're getting a 401	20:16
kplant	is thaty under [DEFAULT] ?	20:16
cmurphy	which is probably that the url is going to is wrong	20:16
cmurphy	yes	20:16
kplant	awesome	20:16
kplant	i'll do that	20:16
kplant	"Could not map user while setting ephemeral user identity. Either mapping rules must specify user id/name or REMOTE_USER environment variable must be set. (Disable insecure_debug mode to suppress these details.)" <-- that's a much better error message	20:17
kplant	thank you!	20:17
cmurphy	:)	20:17
*** jamesmcarthur has joined #openstack-keystone		20:17
*** jamesmcarthur has quit IRC		20:19
*** jamesmcarthur has joined #openstack-keystone		20:25
*** dancn has joined #openstack-keystone		20:28
kplant	figured out the redirect uri issue, it was redirecting to the ip instead of the fqdn. hah	20:46
kplant	should have thought of that	20:46
*** whoami-rajat has quit IRC		20:56
*** kplant has quit IRC		21:02
*** xek has quit IRC		21:11
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Add support for previous TOTP windows https://review.opendev.org/647655	21:21
adriant	cmurphy: ty for explicit deadline!	21:26
cmurphy	adriant: yw ;)	21:26
adriant	I'm reading through the Keystoneauth code and figuring out how to do what I need to do...	21:26
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Fix list_mappings deprecation warning message https://review.opendev.org/674934	21:27
adriant	the problem is I need to make a 'multi-method' auth module, but that may either mean implementing a sub-module for each method, or... rewriting the existing modules to be able to be used together	21:27
adriant	since I think the existing code is focused heavily on 1 module 1 auth method per request	21:28
adriant	that's to allow MFA in one hit. So maybe that's for another time	21:28
adriant	maybe for now I just make the auth modules all be able to take an auth receipt	21:29
cmurphy	i would use kmalloc or mordred as a rubberduck for that one	21:29
adriant	I'll dig through the code and see what my options are	21:29
adriant	and ping kmalloc and mordred once I have some ideas :)	21:30
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Clean up irrelevant comment https://review.opendev.org/674935	21:32
*** markvoelker has quit IRC		21:38
*** jamesmcarthur has quit IRC		21:39
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Make policy deprecation reasons less verbose https://review.opendev.org/674940	21:49
*** raildo has quit IRC		21:57
*** dancn has quit IRC		22:18
*** jamesmcarthur has joined #openstack-keystone		22:20
kmalloc	adriant: i am fine with supporting multi-module where it crafts the json post like we would expect	22:37
kmalloc	adriant: the one-module one auth is mostly historical "no one needed this before"	22:37
adriant	kmalloc: mostly it's a question of how much I can get away with changing while still maintaining backward compatibility	22:49
*** tkajinam has joined #openstack-keystone		22:51
adriant	kmalloc: Ideally what I'd like to see is that the existing modules work as expected, but their internals change to be built off a new module class that can be given to a multi-method module	22:52
adriant	MultiMethodAuth(methods=[PasswordAuth(...), TOTPAuth(...)])	22:53
adriant	^ something like that	22:53
adriant	but... I'll wait till I've read through the full code path, and all the variants and made some notes before I actually propose something	22:54
adriant	What I expect the work to be is	22:55
adriant	1. add a new exception type for AuthReceipts	22:55
adriant	2. add a means to ANY existing single auth method to supply with it an auth receipt (likely in some base class)	22:55
adriant	3. add multimethod support so we can auth in one go	22:55
kmalloc	i think you should just modify the interface so that it works as does today, but also accepts a list/tuple/iterable of methods and builds the JSON as expected to auth	23:10
kmalloc	the exception handling for authreceipts is 100% new code and behavior you'd expect to grow as it's a new exception type	23:11
kmalloc	in the case of an authreceipt, new base-class (ABCMeta?) param for instantiating the auth method plugin that contains optional auth receipt	23:12
kmalloc	or a new method that adds in the auth receipt data to the baseclass plugin	23:12
kmalloc	i think that covers our "don't break anyone" and adds the new functionality	23:13
kmalloc	we can emit a warning (eventually) that a list-form of methods is always preferred	23:13
*** markvoelker has joined #openstack-keystone		23:13
kmalloc	even if we never remove the ability to pass a single auth plugin	23:13
kmalloc	alternative is a way to just "add" a secondary plugin, and authreceipt is setup as a plugin	23:13
kmalloc	so primary is used then .add_auth_method_pluigin(authReceipt(receipt_data=xXXXXXX))	23:14
kmalloc	and you can add N plugins this way, JSON is built as expected for auth	23:14
kmalloc	adriant: ^	23:14
adriant	yeah, that sounds right :)	23:15
kmalloc	the latter option i outlined would be the lowest barrier to entry as no downstream auth plugins should need modification	23:16
kmalloc	to accept even an optional new param	23:16
adriant	yeah add_auth_method_plugin could be a good option	23:17
kmalloc	adriant: i trust your choice on approach in this manner. don't break people using KSA, and make the interface easy to use.	23:17
adriant	that's the goal	23:17
kmalloc	i think i like .add_auth_method the best.	23:18
*** markvoelker has quit IRC		23:18
kmalloc	the more i think about it	23:18
kmalloc	we should bounce this off mordred too (tomorrow probably, i think he is some timezone that means he's mostly done for the day)	23:18
adriant	kmalloc: what about the loader layer? I remember reading through some of that code ages ago. Doesn't that help things like the CLI build auth method requirements?	23:19
kmalloc	we provide new mechanisms to add in the new auth data needed	23:20
kmalloc	if the CLI and other loader things do not grow to accept this, they will not work with MFA	23:20
kmalloc	and auth receipts	23:20
kmalloc	you'll need to fix those consumers where possible	23:20
adriant	and they do need to	23:20
adriant	yep, that's the plan	23:20
adriant	at least for the OSC	23:20
kmalloc	where not possible, the new exception is fine.	23:20
adriant	(i won't touch any of the standalone CLIs)	23:20
kmalloc	make sure SDK handles this before osc, imo	23:21
kmalloc	order: KSA functionality + testing, SDK consume it + testing, osc consume it + testing	23:21
adriant	then finally horizon	23:21
adriant	yep	23:21
kmalloc	yup	23:21
adriant	that's the total roadmap for this feature, with KSA being targeted for train, and then the rest afterwards	23:22
kmalloc	horizon can be done concurrent with OSC or before SDK tbh	23:22
kmalloc	but i'd prob still do SDK before OSC or horizon	23:22
adriant	the U cycle can be the cycle where OS now finally supports MFA in all places that matter :P	23:22
adriant	I'll probably do all three concurrently	23:23
adriant	the worry with the CLI is the need to keep doing auth every command, so some better way of saving the token into an envvar or something would be good	23:23
adriant	which is how I do it for us currently: https://github.com/catalyst-cloud/adjutant-mfa/blob/master/horizon-plugin/adjutant_mfa_ui/mfa/templates/mfa/openrc_v3_mfa.sh.template	23:24
adriant	^ I fetch a token, then clear the password and such from the envvars	23:25
adriant	and set the auth type to token	23:25
*** rcernin has joined #openstack-keystone		23:26
cmurphy	schedule is out https://www.openstack.org/summit/shanghai-2019/summit-schedule	23:29
*** jamesmcarthur has quit IRC		23:42
mordred	kmalloc, adriant: I will read and digest the scrollback in the morning	23:44
mordred	ah. MFA. yeah - ksa support	23:45
mordred	:)	23:45
mordred	but I'll read in the morning	23:45
adriant	mordred: Then SDK, then OSC, then Horizon, and In Adjutant I'll add to core APIs for managing a users own MFA rules, and a horizon panel for!	23:46
*** joshualyle has joined #openstack-keystone		23:47
*** jamesmcarthur has joined #openstack-keystone		23:47
*** joshualyle has quit IRC		23:51
*** joshualyle has joined #openstack-keystone		23:53
*** jamesmcarthur_ has joined #openstack-keystone		23:54
*** jamesmcarthur has quit IRC		23:54
*** joshualyle has quit IRC		23:55
*** joshualyle has joined #openstack-keystone		23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!