Monday, 2019-09-23

« Sunday, 2019-09-22 Index Tuesday, 2019-09-24 »
*** jamesmcarthur has joined #openstack-keystone01:13
*** wxy-xiyuan has joined #openstack-keystone02:09
*** dklyle has quit IRC02:33
*** dklyle has joined #openstack-keystone02:48
*** jamesmcarthur has quit IRC02:58
*** jamesmcarthur has joined #openstack-keystone03:01
*** jamesmcarthur has quit IRC03:01
*** jamesmcarthur has joined #openstack-keystone03:01
*** dklyle has quit IRC03:20
*** markvoelker has joined #openstack-keystone03:54
openstackgerritzhufl proposed openstack/keystone master: Add missing ws between words in log messages  https://review.opendev.org/68384303:56
*** markvoelker has quit IRC03:58
openstackgerritMerged openstack/keystone master: Make policy deprecation reasons less verbose  https://review.opendev.org/67494004:25
*** dave-mccowan has quit IRC04:48
*** jamesmcarthur has quit IRC04:52
*** jamesmcarthur has joined #openstack-keystone04:53
*** Luzi has joined #openstack-keystone05:00
*** jamesmcarthur has quit IRC05:09
*** jamesmcarthur has joined #openstack-keystone05:09
*** jamesmcarthur has quit IRC05:13
*** jaosorior has joined #openstack-keystone05:43
*** jamesmcarthur has joined #openstack-keystone05:44
*** jamesmcarthur has quit IRC05:51
*** dancn has joined #openstack-keystone06:03
*** jamesmcarthur has joined #openstack-keystone06:20
*** jamesmcarthur has quit IRC06:25
*** tesseract has joined #openstack-keystone07:00
*** rcernin has quit IRC07:04
*** ivve has joined #openstack-keystone07:10
*** jamesmcarthur has joined #openstack-keystone07:13
*** xek has joined #openstack-keystone07:17
*** jamesmcarthur has quit IRC07:19
*** dancn has quit IRC07:26
*** dancn has joined #openstack-keystone07:29
*** pcaruana has joined #openstack-keystone07:41
*** f0o has quit IRC07:54
*** f0o has joined #openstack-keystone08:05
*** jamesmcarthur has joined #openstack-keystone08:15
*** jamesmcarthur has quit IRC08:20
*** dancn has quit IRC08:32
*** dancn has joined #openstack-keystone08:38
*** rcernin has joined #openstack-keystone08:45
*** markvoelker has joined #openstack-keystone08:57
*** markvoelker has quit IRC09:02
*** jamesmcarthur has joined #openstack-keystone09:16
*** jamesmcarthur has quit IRC09:21
*** awalende has joined #openstack-keystone09:39
*** dancn has quit IRC09:57
*** jamesmcarthur has joined #openstack-keystone10:17
*** jamesmcarthur has quit IRC10:23
*** jaosorior has quit IRC10:58
openstackgerritMerged openstack/keystone master: Allow system/domain scope for assignment tree list  https://review.opendev.org/68276211:05
*** dave-mccowan has joined #openstack-keystone11:07
*** dancn has joined #openstack-keystone11:14
*** raildo has joined #openstack-keystone11:18
*** jamesmcarthur has joined #openstack-keystone11:19
*** dave-mccowan has quit IRC11:21
*** dave-mccowan has joined #openstack-keystone11:23
*** jamesmcarthur has quit IRC11:24
*** rcernin has quit IRC11:49
*** markvoelker has joined #openstack-keystone12:03
*** jamesmcarthur has joined #openstack-keystone12:20
*** jamesmcarthur has quit IRC12:25
lbragstad_o/12:28
*** rcernin has joined #openstack-keystone12:33
*** lbragstad_ is now known as lbragstad12:39
*** jamesmcarthur has joined #openstack-keystone12:45
*** mloza has joined #openstack-keystone13:02
*** jaosorior has joined #openstack-keystone13:11
*** Luzi has quit IRC13:14
*** beekneemech is now known as bnemec13:24
*** dklyle has joined #openstack-keystone13:44
*** jamesmcarthur has quit IRC13:44
*** rcernin has quit IRC13:45
*** dklyle has quit IRC13:50
*** redrobot has quit IRC13:53
*** Guest30550 has joined #openstack-keystone14:05
*** Guest30550 is now known as redrobot14:08
*** dklyle has joined #openstack-keystone14:31
ivvegreetings! is /etc/keystone/credential-keys/ used if fernet is used?14:37
ivvekeystone complains about key_repository not having proper permissions (it doesn't exist)14:38
ivveimproper*14:38
lbragstadcmorpheus kmalloc we might need to sync on https://review.opendev.org/#/c/621023/12//COMMIT_MSG@1514:38
lbragstadivve fernet is an encryption strategy used in keystone, but we use it for tokens and credentials14:39
ivveye but other methods can be used14:39
ivveand i guess my question is if fernet is utilizing the directory from the error message14:39
lbragstadwhat's the error message?14:40
ivvemostly because it appeared now for me in a stein upgrade and i've been using fernet for a great while now14:40
ivveEither [None] key_repository does not exist or Keystone does not have sufficient permission to access it: /etc/keystone/credential-keys/14:40
ivvei skimmed through the code and well its just a check14:40
ivveim using kolla so the keystone containers (keystone & keystone_fernet) doesn't create that directory if using fernet keys14:41
ivveor tokens..14:41
lbragstadthe /etc/keystone/credentials-keys directory is only used if you're using the /v3/credentials API14:41
lbragstadall fernet keys for token encryption should live in /etc/keystone/fernet-keys by default14:42
ivveexactly14:42
ivveso they are where they should be14:42
ivveso what is credential-keys used for? :)14:42
lbragstadcredential-keys are used to encrypt credential secrets at rest14:43
ivveaaaaah14:43
lbragstadhttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/newton/credential-encryption.html14:43
ivvei see14:43
lbragstadspecifically the /v3/credentials API14:43
ivveso im guessing kolla or kolla-ansible bug14:44
lbragstadunfortunately, the naming "credentials" is confusing with passwords and whatnot14:44
ivvesince they don't create the directory14:44
lbragstadthey technically don't need it - but yeah14:44
ivveyeah i guess thats what caught me14:44
ivvewell the check in the .py does spit an error if the dir doesn't exist and also with at least xx0 permissions14:44
ivveim guessiong even 600 is lowest possible14:45
ivveits just annoying and the loglevel is warning as you say, probably not needed14:46
ivvewell thanks for clearing that up lbragstad o714:47
lbragstadivve yep!14:48
*** jamesmcarthur has joined #openstack-keystone14:54
*** awalende has quit IRC14:58
*** pcaruana has quit IRC15:05
*** timburke_ is now known as timburke15:15
openstackgerritMerged openstack/oslo.policy master: Fix reference cycle caused by deprecated sample override  https://review.opendev.org/68215015:19
*** jamesmcarthur has quit IRC15:30
cmorpheuslbragstad: o/15:34
*** cmorpheus is now known as cmurphy15:34
lbragstadmornin' cmurphy15:34
gagehugoo/15:35
*** dklyle has quit IRC15:36
*** dklyle has joined #openstack-keystone15:36
cmurphylbragstad: do you have an example of the check string that that didn't work for limits?15:37
cmurphyi feel like strategic use of "and not" could help here15:38
lbragstadwell - i think the check string was fine15:39
lbragstadi think i was using "identity:get_limit"15:39
lbragstadbut the problem was that i was trying to use that check string for project *and* domain limits15:39
lbragstadand depending on the request - either a project or domain is going to be the target15:40
lbragstadand iirc oslo.policy didn't know to check for project as the target versus domain as the target15:40
cmurphyso it was something like 'project_id:%(target.limit.project_id)s or domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s' ?15:45
cmurphywhat if we build the target after checking the context for the scope in https://review.opendev.org/#/c/621023/12/keystone/api/limits.py ?15:48
*** dave-mccowan has quit IRC15:49
lbragstadso - with15:57
lbragstad'project_id:%(target.limit.project_id)s or domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s'15:57
lbragstadif you call GET /v3/limits/$DOMAIN_ID with a domain-scoped token, then the project_id:%(target.limit.project_id)s portion of the check is going to be successful15:58
lbragstadsorry - GET /v3/limits/$DOMAIN_LIMIT_ID15:58
cmurphybut there should be no project in the limit object in the target?15:59
lbragstadright15:59
lbragstadit's true because both are None15:59
cmurphyoh hrm16:00
cmurphyi think the policy engine can check for None16:00
lbragstadoh?16:01
lbragstadso we do something like (project_id:%(target.limit.project_id)s and project_id:!None)16:01
cmurphyhttps://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/grant.py#L3016:02
cmurphyso it might be more like (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)16:02
lbragstadoh - nice!16:02
lbragstadit's going to be one real long policy.. but o well16:03
lbragstadif that works that'd be awesome16:03
*** pcaruana has joined #openstack-keystone16:06
*** problem_v has joined #openstack-keystone16:41
*** dtruong has joined #openstack-keystone16:41
*** pcaruana has quit IRC16:46
*** dancn has quit IRC16:57
kmallocnot 100% sure the "None" is in-fact translated like that17:10
kmallocbecause there has historically been no way to look for non-existence17:10
kmalloci've been advocating for non-existence which a None check would be good enough to handle17:10
kmallocso... maybe you solved a concern I had17:11
*** jmlowe has quit IRC17:19
*** jamesmcarthur has joined #openstack-keystone17:25
*** jamesmcarthur_ has joined #openstack-keystone17:28
*** jamesmcarthur has quit IRC17:32
*** jamesmcarthur_ has quit IRC17:34
*** jamesmcarthur has joined #openstack-keystone17:34
*** jamesmcarthur has quit IRC17:39
*** jamesmcarthur has joined #openstack-keystone17:39
*** jmlowe has joined #openstack-keystone17:44
*** jamesmcarthur has quit IRC17:59
*** Ben78 has joined #openstack-keystone18:29
*** jmlowe has quit IRC19:42
*** pcaruana has joined #openstack-keystone19:43
*** dave-mccowan has joined #openstack-keystone19:50
*** markvoelker has quit IRC20:07
*** jmlowe has joined #openstack-keystone20:10
*** pcaruana has quit IRC20:12
*** Ben78 has quit IRC20:12
openstackgerritColleen Murphy proposed openstack/keystone master: WIP: use testresources for sharing across unit tests  https://review.opendev.org/68412720:20
cmurphylbragstad: kmalloc ^ been banging my head against that for a while, i think stestr is working against us wrt testresources20:21
openstackgerritColleen Murphy proposed openstack/keystone master: Use immutable roles in tests  https://review.opendev.org/68412820:26
*** xek has quit IRC21:05
*** tesseract has quit IRC21:23
*** rcernin has joined #openstack-keystone21:38
*** rcernin has quit IRC21:40
*** rcernin has joined #openstack-keystone21:40
*** raildo has quit IRC21:45
*** markvoelker has joined #openstack-keystone21:53
*** markvoelker has quit IRC21:58
*** adriant has quit IRC22:39
*** ivve has quit IRC22:40
*** tkajinam has joined #openstack-keystone23:01
*** adriant has joined #openstack-keystone23:12
« Sunday, 2019-09-22 Index Tuesday, 2019-09-24 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!