Thursday, 2019-11-14

*** spatel has joined #openstack-keystone  00:24
*** spatel has quit IRC  00:28
*** ileixe has joined #openstack-keystone  01:00
<openstackgerrit> Merged openstack/keystone master: Revert "Resource backend is SQL only now"  https://review.opendev.org/687756  01:11
*** gyee has quit IRC  01:46
*** ileixe has left #openstack-keystone  01:50
*** awalende has joined #openstack-keystone  03:34
*** kumar_biplab has joined #openstack-keystone  03:38
*** awalende has quit IRC  03:39
<cmurphy> adriant: is https://review.opendev.org/618144 something you'd want to take on this cycle?  04:41
<adriant> cmurphy: maybe... but in all likelihood I'll be too busy with internal work before May  04:43
<adriant> and I still need to try and find the time to add MFA support to horizon :/  04:44
<adriant> review and testing I can commit to, but not doing the implementation myself  04:45
<cmurphy> adriant: okay, good to know  04:47
*** spatel has joined #openstack-keystone  05:15
*** spatel has quit IRC  05:20
*** Luzi has joined #openstack-keystone  06:08
*** kumar_biplab has quit IRC  06:23
*** rcernin has quit IRC  06:53
*** dancn has joined #openstack-keystone  07:40
*** tesseract has joined #openstack-keystone  08:17
*** ivve has joined #openstack-keystone  08:20
*** dmellado has quit IRC  08:21
*** awalende has joined #openstack-keystone  08:22
*** dmellado has joined #openstack-keystone  08:23
*** dmellado has quit IRC  08:25
*** dmellado has joined #openstack-keystone  08:27
*** tkajinam has quit IRC  08:29
*** trident has quit IRC  09:16
*** dmellado has quit IRC  09:20
*** dmellado has joined #openstack-keystone  09:24
*** trident has joined #openstack-keystone  09:26
*** spatel has joined #openstack-keystone  09:50
*** pcaruana has joined #openstack-keystone  09:54
*** spatel has quit IRC  09:55
*** dancn has quit IRC  10:22
<openstackgerrit> Merged openstack/keystone master: Stop testing Python 2  https://review.opendev.org/688601  10:28
<openstackgerrit> Slawek Kaplonski proposed openstack/keystone master: Drop old neutron-grenade job  https://review.opendev.org/694239  10:39
*** dancn has joined #openstack-keystone  10:40
*** yan0s has joined #openstack-keystone  10:43
*** dancn has quit IRC  10:55
*** raildo has joined #openstack-keystone  11:22
*** jaosorior has joined #openstack-keystone  11:25
*** dave-mccowan has joined #openstack-keystone  12:01
*** trident has quit IRC  12:09
*** trident has joined #openstack-keystone  12:18
*** tesseract has quit IRC  12:28
*** tesseract has joined #openstack-keystone  12:29
*** Luzi has quit IRC  12:51
*** jistr has quit IRC  12:52
*** d34dh0r53 has quit IRC  12:52
*** vishalmanchanda has quit IRC  12:52
*** ianw has quit IRC  12:52
*** wdoekes has quit IRC  12:52
*** amotoki has quit IRC  12:52
*** Anticimex has quit IRC  12:52
*** rha has quit IRC  12:52
*** coreycb has quit IRC  12:52
*** knikolla has quit IRC  12:52
*** ildikov has quit IRC  12:52
*** openstackstatus has quit IRC  12:53
*** Luzi has joined #openstack-keystone  12:53
*** jistr has joined #openstack-keystone  12:53
*** wdoekes has joined #openstack-keystone  12:53
*** d34dh0r53 has joined #openstack-keystone  12:53
*** vishalmanchanda has joined #openstack-keystone  12:53
*** amotoki has joined #openstack-keystone  12:53
*** ianw has joined #openstack-keystone  12:53
*** Anticimex has joined #openstack-keystone  12:53
*** rha has joined #openstack-keystone  12:53
*** coreycb has joined #openstack-keystone  12:53
*** ildikov has joined #openstack-keystone  12:53
*** knikolla has joined #openstack-keystone  12:53
*** spatel has joined #openstack-keystone  13:30
*** spatel has quit IRC  13:34
*** spatel has joined #openstack-keystone  13:47
<spatel> Morning folks  13:57
<spatel> I am working on keystone + LDAP integration and I have a few questions  13:57
<spatel> Is it possible to run hybrid auth, so first check SQL and then LDAP?  13:58
<spatel> I don't want to touch my service accounts, which are currently in SQL  13:58
<cmurphy> spatel: it's not supported in keystone upstream, we recommend using domain-specific backends https://docs.openstack.org/keystone/latest/admin/configuration.html#domain-specific-configuration  14:02
<spatel> cmurphy: thanks for the link, reading... I have two OpenStack private clouds in the datacenter and I want to integrate them with LDAP, and both have different creds etc., so I wasn't sure how they will fit in LDAP if both clouds have a nova account.  14:04
<cmurphy> spatel: I don't understand what you mean by a "nova account"  14:07
<cmurphy> if you use the same ldap directory for both datacenters then the same users could log into both clouds  14:07
<spatel> I have the same LDAP but I have different passwords for all service accounts like nova, glance etc.  14:09
<spatel> that is why I wanted to keep the service accounts in SQL so I don't need to create them in LDAP  14:09
<cmurphy> the service accounts should use one domain backed by sql and the regular users should use a different domain backed by ldap  14:09
<spatel> so you are saying I can keep service accounts in SQL for domain A and create domain B in the same cloud, and its users will be in LDAP?  14:11
<spatel> Am I missing anything here?  14:11
<cmurphy> spatel: yes that is correct  14:11
<cmurphy> the document will explain how  14:11
<spatel> currently my cloud is in production; can I do this?  14:11
<spatel> I meant moving accounts here and there into a separate domain  14:12
<cmurphy> you will have to tell your users that they need to authenticate under a new domain and you will have to recreate role assignments for them  14:12
<spatel> oh!! so in short this domain is its own namespace for users/roles etc.  14:13
<spatel> I need to play in a lab and see how it goes :)  14:14
<cmurphy> spatel: it's a namespace for users, you don't have to change the roles themselves but just the role assignments  14:14
<cmurphy> spatel: yes, using a lab first is a good idea :)  14:14
<spatel> I was reading this and thought it's easy to implement an SQL + LDAP hybrid :)  14:15
<spatel> https://www.mattfischer.com/blog/archives/576  14:15
<cmurphy> that hybrid backend isn't maintained anymore and won't work on latest versions of keystone, and we don't have a backend like that in upstream keystone  14:15
*** Luzi has quit IRC  14:33
<lbragstad> cmurphy thoughts on https://review.opendev.org/#/c/694096/ - I'm trying to uncover what the contentious parts were of the original patch  14:42
<cmurphy> lbragstad: it's documented in the comment history in https://review.opendev.org/655166  15:02
<lbragstad> oh - the federated bit?  15:02
<cmurphy> lbragstad: right  15:03
<Blinkiz> Hello. I'm trying to get Password authentication with scoped authorization (/v3/auth/tokens) to work. I'm using Postman with the first system-scoped example on the page https://docs.openstack.org/api-ref/identity/v3/?expanded=password-authentication-with-scoped-authorization-detail#password-authentication-with-scoped-authorization  15:06
<Blinkiz> I get back error 400, "Expecting to find domain in user. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error."  15:06
<Blinkiz> It seems that keystone is always trying without scope. Why is this?  15:06
<lbragstad> Blinkiz I left a comment on the story you linked to yesterday that should help explain what you need to do  15:06
<Blinkiz> oh.. Let me see  15:07
<lbragstad> Blinkiz if you reference a user by their name in the request - you'll need to supply the corresponding domain  15:07
<lbragstad> if you reference them by their ID, you don't need the domain  15:08
<lbragstad> cmurphy https://review.opendev.org/#/c/604201/ wasn't backported - so that's only in Train I believe  15:08
<lbragstad> so - Stein and Rocky would be in the same boat as Queens, right?  15:08
<Blinkiz> Oh my.. ID instead of name.. :)  15:09
<lbragstad> Blinkiz you can certainly use both, but if you use username, you'll need to supply the domain id  15:10
<lbragstad> Blinkiz the same is true for project names if you're requesting a project-scoped token, projects and users are both scoped to domains, so you'll need to namespace them by their domain if you're relying on names  15:11
<lbragstad> project ID and user ID are globally unique  15:11
<Blinkiz> lbragstad: thank you for the explanation.  15:11
<lbragstad> no problem  15:12
*** ayoung has joined #openstack-keystone  15:28
<cmurphy> lbragstad: I know, but there was a lot of misunderstanding about it and how it worked initially  15:35
<cmurphy> we all eventually agreed it was fine but it took a while to land there  15:36
* lbragstad nods  15:36
<lbragstad> thanks cmurphy  15:36
<Blinkiz> lbragstad: May I ask you another think? Do you know if Horizon supports scopes? In the login form I have Domain, username and password. This domain I supply, is that equal to user_domain or a domain that is in the scope section?  15:42
<Blinkiz> thing  15:43
<Blinkiz> or is "scope" like an attribute on a username + domain? How should I think?  15:44
<lbragstad> Blinkiz it depends, if you supply a domain with a username in the identity portion of the request, it is specific to namespacing the user and completely separate from the scope of the request  15:44
<lbragstad> for example, you can have a request with a username + domain name in the identity portion of the request, and a project name + domain name in the scope portion of the request  15:45
<lbragstad> the result would be a project-scoped token  15:45
<lbragstad> we have some examples here - https://docs.openstack.org/api-ref/identity/v3/?expanded=password-authentication-with-scoped-authorization-detail#project-scoped-with-project-name-example  15:46
<lbragstad> the "scope" section is specific to what you want access to  15:46
<lbragstad> the "identity" portion is everything related to proving you are who you say you are  15:47
<Blinkiz> lbragstad: So when the user is clicking around in the Horizon interface, how.. where.. how is the scope applied? Is Horizon sending to keystone as in the example you linked to?  15:47
<lbragstad> Horizon will imply scope based on the projects you have access to  15:47
<Blinkiz> aa, what I want to access. I see!  15:47
<Blinkiz> Now I get it  15:47
<Blinkiz> :)  15:48
<lbragstad> you typically see a drop down menu in horizon that lists the projects you have access to  15:48
<Blinkiz> lbragstad: yeah, got it. Light bulb here now :-)  15:48
<lbragstad> when you select one, horizon is going to start requesting scoped tokens for that project  15:48
<lbragstad> cool  15:48
<lbragstad> but - to be explicit, I don't think horizon has system support currently  15:48
<Blinkiz> lbragstad: Thank you for guiding me :)  15:49
<lbragstad> Blinkiz no problem - I'm happy to help  15:49
<Blinkiz> :-)  15:51
*** spatel has quit IRC  15:59
*** ivve has quit IRC  16:02
*** gyee has joined #openstack-keystone  16:11
*** spatel has joined #openstack-keystone  16:14
<spatel> cmurphy: this is the best document I found so far https://heig-cloud.github.io/article/2015-12-17%20ldap/  16:14
<spatel> Love it  16:16
<knikolla> o/  16:16
<spatel> cmurphy: the question is I have a running cloud and currently all my users are in SQL and in the default domain; if I create a new domain foo then how will existing VMs be available in the foo domain?  16:19
<spatel> I meant can I give permission to foo domain users on default domain VMs?  16:21
<cmurphy> spatel: your foo domain users can have role assignments on the default domain or projects under the default domain so they can have access to those VMs  16:24
<spatel> cmurphy: thanks!!! let me try and see how it goes... anyway thank you so much!!!  16:25
<cmurphy> spatel: no problem :)  16:27
*** spatel has quit IRC  16:30
*** yan0s has quit IRC  16:40
*** cmart has joined #openstack-keystone  16:45
*** gshippey has joined #openstack-keystone  16:47
<cmart> Hello. Does anyone know if I can get/use an *unscoped* application credential?  16:47
<cmurphy> cmart: application credentials can only be project scoped  16:49
<cmart> cmurphy, OK, thank you. The broader goal: I would like some kind of long-lived token/credential that allows me to authenticate as a user, obtain a list of projects that the user has access to, and generate application credentials for each of those projects.  16:50
<cmart> Do you know of anything else in Keystone that might help me with that? I can do it if I store the user's password, but I want to avoid storing that in my application, if I can.  16:51
<cmurphy> cmart: you can use a scoped token to get the user's list of projects  17:01
<cmurphy> I just checked and you can use an application credential token to do that as well, although I think that's actually a security problem ...  17:02
*** ayoung has quit IRC  17:09
*** ayoung has joined #openstack-keystone  17:13
*** tesseract has quit IRC  17:15
<cmart> cmurphy right, a project-scoped token (or application credential token) can get me a list of my user's projects. But I also want to then obtain project-scoped tokens for each of those projects. It seems like the only long-lived credential that will get me project-scoped tokens for any/all of my projects is my user's password. It would be nice to use some other kind of credential for this.. but it sounds like an application crede  17:15
<cmurphy> cmart: keystone can't support anything like that, application credentials are meant to be generated by humans, there's no concept of a global app cred that can unlock other app creds  17:19
<cmart> cmurphy ok. thank you!  17:21
<cmurphy> np  17:22
*** ivve has joined #openstack-keystone  17:24
*** mvkr has quit IRC  18:10
*** baffle has quit IRC  18:22
*** awalende has quit IRC  18:25
*** awalende has joined #openstack-keystone  18:25
*** dave-mccowan has quit IRC  18:26
*** awalende has quit IRC  18:29
*** dave-mccowan has joined #openstack-keystone  18:33
*** jaosorior has quit IRC  18:34
*** ayoung has quit IRC  18:54
*** ayoung has joined #openstack-keystone  18:57
*** ayoung has quit IRC  19:16
*** ayoung has joined #openstack-keystone  19:19
*** ayoung has quit IRC  19:39
*** ayoung has joined #openstack-keystone  19:41
*** ayoung has quit IRC  19:57
*** ayoung has joined #openstack-keystone  19:59
*** ayoung has quit IRC  20:06
*** ayoung has joined #openstack-keystone  20:08
*** ayoung has quit IRC  20:13
*** ayoung has joined #openstack-keystone  20:15
*** spatel has joined #openstack-keystone  20:39
<spatel> cmurphy: do you know about this error? It looks like this driver is missing - ImportError: Unable to find 'keystone.identity.backends.ldap.Identity' driver in 'keystone.identity'  20:40
<spatel> how do I install it?  20:40
<cmurphy> spatel: what document are you following?  20:40
<cmurphy> you don't need to install anything, you just need driver = ldap in your config  20:40
<spatel> https://heig-cloud.github.io/article/2015-12-17%20ldap/  20:40
<cmurphy> spatel: I recommend following the official docs  20:41
<spatel> ah!!  20:41
<cmurphy> that document is four years old  20:41
<spatel> "driver = ldap" in /etc/keystone/domains/keystone.foo.conf, right?  20:42
<cmurphy> spatel: right  20:42
<spatel> ok  20:42
<spatel> cmurphy: thanks :) now getting a different error, let me work my way.. will be back if I need your help :)  20:44
<lbragstad> cmurphy based on your summary, it sounds like there is a pop-up team forming around the policy work across projects  20:48
<lbragstad> do you know what the next steps are for that?  20:48
<spatel> cmurphy: cool, I can see openstack querying LDAP.. progress :)  20:49
*** ayoung has quit IRC  20:49
*** ayoung has joined #openstack-keystone  20:52
<cmurphy> lbragstad: not really sure, I thought I'd start with creating a wiki page and a governance change and start a thread on the mailing list  20:52
<cmurphy> was going to bring it up at the ptg meeting  20:52
<lbragstad> ok - cool  20:53
<lbragstad> I thought a governance patch was supposed to be proposed somewhere...  20:53
<cmurphy> here https://governance.openstack.org/tc/reference/popup-teams.html  20:53
<cmurphy> we'll need at least one more co-lead and a tc liaison  20:54
*** gshippey has quit IRC  21:09
*** raildo has quit IRC  21:12
*** rcernin has joined #openstack-keystone  21:28
*** spatel has quit IRC  21:43
*** jaosorior has joined #openstack-keystone  21:45
*** ayoung has quit IRC  21:57
*** ayoung has joined #openstack-keystone  21:59
*** jaosorior has quit IRC  22:02
*** jaosorior has joined #openstack-keystone  22:03
*** jaosorior has quit IRC  22:51
*** tkajinam has joined #openstack-keystone  22:54
*** dave-mccowan has quit IRC  23:02
*** ayoung has quit IRC  23:03
*** ayoung has joined #openstack-keystone  23:05
*** mvkr has joined #openstack-keystone  23:11
*** ivve has quit IRC  23:14
*** dave-mccowan has joined #openstack-keystone  23:17
*** ayoung has quit IRC  23:52
*** ayoung has joined #openstack-keystone  23:54