f0o | Hi | 09:45 |
---|---|---|
f0o | I've a question about /v3/credentials endpoint... It seems like any authenticated user can read all credentials from any tenant (including blobs)... I'm running Stein and I only have a policy that allows the user to modify its own object: "identity:update_user": "rule:admin_or_owner", | 09:49 |
f0o | I believe this is not meant to happen, correct? | 09:49 |
f0o | Or does the identity:update_user rule have an effect on /v3/credentials? Then it would be a code issue that won't filter out the credentials per user as I'm presented other user's secrets without an issue from an unprivileged user (note, this user doesn't have any credentials himself) | 09:50 |
f0o | Should this be reported as a security bug? | 09:51 |
f0o | I just verified this with Stock Train. Any verified user can read anybody's credentials and data - Even when they don't share any projects and are just a `member` role. This is without any policy modifications whatsoever | 10:01 |
f0o | https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/1855080 | 10:16 |
openstack | f0o: Error: malone bug 1855080 not found | 10:16 |
andreykurilin | hi folks! Can anyone help me with using keystoneauth1 lib for token + rollback to password authentication? I see separate AuthPlugins for Token and Password but can not find anything for combination... | 12:26 |
ayoung | cmurphy, (realizing it is early where you are) following up on the policy checker thing. I don't think there is functionality there that could be directly added to oslopolicy checker. Instead, it makes use of it, but manages a separate set of policy files, allows someone to test and deploy them, etc. Is bnemec leading up that effort? | 15:17 |
ayoung | It might fit in better with patrole | 15:18 |
ayoung | ade_lee, lbragstad reading up on yesterday's discussion. You should look at what we did here: https://pagure.io/openstack-access-policy | 15:20 |
ayoung | I think it is more targeted at the problem you are trying to solve. It is not 100%, but I think the goal is what you want: provide an interim method to test policy prior to all projects doing it right. | 15:21 |
bnemec | I think that has the same problem as Patrole. It can only give yes/no answers to policy questions. For the policy migration work most projects also need to be able to verify the returned data from an api call. | 15:24 |
bnemec | And no, I'm not leading this. It's being done as a popup team: https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team | 15:24 |
ayoung | bnemec, policy only gives yes or no answers. That team is asking for an answer to a different question | 17:02 |
openstackgerrit | Pedro Henrique Pereira Martins proposed openstack/keystoneauth master: Add OTP to v3OIDCpassword plugin https://review.opendev.org/697348 | 19:18 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Fix credential list for project members https://review.opendev.org/697355 | 19:45 |
* kmalloc sneaks in for a moment to wave at folks, say baby is doing well and to disappear again. | 20:28 | |
openstackgerrit | Merged openstack/oslo.limit master: Pick between Flat and StrictTwoLevel enforcement https://review.opendev.org/666444 | 20:48 |
bnemec | \o/ | 20:50 |
bnemec | Also \o/ for kmalloc's offspring! | 20:50 |
cmurphy | yay baby ^.^ | 20:53 |
cmurphy | lbragstad: could you please review https://review.opendev.org/697355 | 20:55 |
kmalloc | oh and i realized i didn't say this to anyone out in the open. i've moved on from red hat and my new employment does not involve openstack. I don't foresee being back with any regular time (esp. with a kiddo). cmurphy you may opt to drop me from core if you need. i can be reached (obv. not when on paternity leave) if you need ad-hoc review, but i haven't looked at keystone in ~2 months now. | 20:55 |
gagehugo | kmalloc: \o/ | 20:56 |
gagehugo | baby ^ | 20:56 |
gagehugo | sadface for no openstack | 20:56 |
cmurphy | thanks kmalloc, glad you're moving on to better things but we miss you | 20:56 |
lbragstad | cmurphy, looking | 20:56 |
lbragstad | o/ kmalloc | 20:56 |
gyee | kmalloc, congrats | 21:06 |
lbragstad | cmurphy yeah - that looks good to me, nice catch | 21:10 |
lbragstad | kmalloc congrats (on two fronts!) | 21:10 |
cmurphy | thanks lbragstad | 21:10 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Fix application credential doc example https://review.opendev.org/697367 | 21:19 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Add docs for app cred access rules https://review.opendev.org/697375 | 21:53 |
cmurphy | lbragstad: hrm i figured out why we had that enforce_scope check in https://review.opendev.org/697355 the old-style project admin can't list credentials without it | 23:34 |
cmurphy | banging my head against it to try to find a workaround | 23:35 |
gagehugo | hmm | 23:40 |
openstackgerrit | Merged openstack/oslo.limit master: Fetch unified limits from keystone https://review.opendev.org/695724 | 23:45 |
cmurphy | right now i have (CONF.oslo_policy.enforce_scope or 'admin' not in self.oslo_context.roles) which is making me cringe | 23:46 |