Wednesday, 2019-12-04

09:45 <f0o> Hi
09:49 <f0o> I've a question about /v3/credentials endpoint... It seems like any authenticated user can read all credentials from any tenant (including blobs)... I'm running Stein and I only have a policy that allows the user to modify its own object: "identity:update_user": "rule:admin_or_owner",
09:49 <f0o> I believe this is not meant to happen, correct?
09:50 <f0o> Or does the identity:update_user rule have an effect on /v3/credentials? Then it would be a code issue that won't filter out the credentials per user, as I'm presented other users' secrets without an issue from an unprivileged user (note, this user doesn't have any credentials himself)
09:51 <f0o> Should this be reported as a security bug?
10:01 <f0o> I just verified this with Stock Train. Any verified user can read anybody's credentials and data - even when they don't share any projects and are just a `member` role. This is without any policy modifications whatsoever
10:16 <f0o> https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/1855080
10:16 <openstack> f0o: Error: malone bug 1855080 not found
12:26 <andreykurilin> hi folks! Can anyone help me with using keystoneauth1 lib for token + rollback to password authentication? I see separate AuthPlugins for Token and Password but can not find anything for combination...
15:17 <ayoung> cmurphy, (realizing it is early where you are) following up on the policy checker thing. I don't think there is functionality there that could be directly added to oslopolicy checker. Instead, it makes use of it, but manages a separate set of policy files, allows someone to test and deploy them, etc. Is bnemec leading up that effort?
15:18 <ayoung> It might fit in better with patrole
15:20 <ayoung> ade_lee, lbragstad reading up on yesterday's discussion. You should look at what we did here: https://pagure.io/openstack-access-policy
15:21 <ayoung> I think it is more targeted at the problem you are trying to solve. It is not 100%, but I think the goal is what you want: provide an interim method to test policy prior to all projects doing it right.
15:24 <bnemec> I think that has the same problem as Patrole. It can only give yes/no answers to policy questions. For the policy migration work most projects also need to be able to verify the returned data from an api call.
15:24 <bnemec> And no, I'm not leading this. It's being done as a popup team: https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team
17:02 <ayoung> bnemec, policy only gives yes or no answers. That team is asking for an answer to a different question
19:18 <openstackgerrit> Pedro Henrique Pereira Martins proposed openstack/keystoneauth master: Add OTP to v3OIDCpassword plugin https://review.opendev.org/697348
19:45 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Fix credential list for project members https://review.opendev.org/697355
20:28 * kmalloc sneaks in for a moment to wave at folks, say baby is doing well and to disappear again.
20:48 <openstackgerrit> Merged openstack/oslo.limit master: Pick between Flat and StrictTwoLevel enforcement https://review.opendev.org/666444
20:50 <bnemec> \o/
20:50 <bnemec> Also \o/ for kmalloc's offspring!
20:53 <cmurphy> yay baby ^.^
20:55 <cmurphy> lbragstad: could you please review https://review.opendev.org/697355
20:55 <kmalloc> oh and i realized i didn't say this to anyone out in the open. i've moved on from red hat and my new employment does not involve openstack. I don't foresee being back with any regular time (esp. with a kiddo). cmurphy you may opt to drop me from core if you need. i can be reached (obv. not when on paternity leave) if you need ad-hoc review, but i haven't looked at keystone in ~2 months now.
20:56 <gagehugo> kmalloc: \o/
20:56 <gagehugo> baby ^
20:56 <gagehugo> sadface for no openstack
20:56 <cmurphy> thanks kmalloc, glad you're moving on to better things but we miss you
20:56 <lbragstad> cmurphy, looking
20:56 <lbragstad> o/ kmalloc
21:06 <gyee> kmalloc, congrats
21:10 <lbragstad> cmurphy yeah - that looks good to me, nice catch
21:10 <lbragstad> kmalloc congrats (on two fronts!)
21:10 <cmurphy> thanks lbragstad
21:19 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Fix application credential doc example https://review.opendev.org/697367
21:53 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add docs for app cred access rules https://review.opendev.org/697375
23:34 <cmurphy> lbragstad: hrm i figured out why we had that enforce_scope check in https://review.opendev.org/697355 the old-style project admin can't list credentials without it
23:35 <cmurphy> banging my head against it to try to find a workaround
23:40 <gagehugo> hmm
23:45 <openstackgerrit> Merged openstack/oslo.limit master: Fetch unified limits from keystone https://review.opendev.org/695724
23:46 <cmurphy> right now i have (CONF.oslo_policy.enforce_scope or 'admin' not in self.oslo_context.roles) which is making me cringe