Tuesday, 2019-12-10

*** rcernin_ has joined #openstack-keystone 00:04
*** rcernin has quit IRC 00:07
*** rcernin_ has quit IRC 00:19
*** gyee has quit IRC 00:24
*** rcernin has joined #openstack-keystone 00:27
*** jamesmcarthur has joined #openstack-keystone 00:28
*** awalende has joined #openstack-keystone 00:28
*** dave-mccowan has joined #openstack-keystone 00:29
*** gshippey has quit IRC 00:29
*** dave-mccowan has quit IRC 00:33
*** awalende has quit IRC 00:33
*** jamesmcarthur has quit IRC 01:07
*** jamesmcarthur has joined #openstack-keystone 01:24
*** jamesmcarthur has quit IRC 01:24
*** jamesmcarthur has joined #openstack-keystone 01:24
*** jamesmcarthur has quit IRC 01:32
*** dmellado has quit IRC 02:45
*** vesper11 has quit IRC 02:45
*** tridde has joined #openstack-keystone 02:45
*** trident has quit IRC 02:46
*** vesper11 has joined #openstack-keystone 02:46
*** dmellado has joined #openstack-keystone 02:48
*** awalende has joined #openstack-keystone 03:39
*** jamesmcarthur has joined #openstack-keystone 03:40
*** awalende has quit IRC 03:44
*** jamesmcarthur has quit IRC 04:32
*** jamesmcarthur has joined #openstack-keystone 06:01
*** Luzi has joined #openstack-keystone 06:04
*** jamesmcarthur has quit IRC 06:06
*** pawan-gupta has joined #openstack-keystone 06:37
*** ayoung has quit IRC 06:59
*** ayoung has joined #openstack-keystone 06:59
*** dancn has joined #openstack-keystone 07:08
*** pcaruana has joined #openstack-keystone 07:39
*** rcernin has quit IRC 07:54
*** tkajinam has quit IRC 08:06
*** awalende has joined #openstack-keystone 08:18
*** tesseract has joined #openstack-keystone 08:27
*** amoralej|off is now known as amoralej 08:32
*** vishakha has joined #openstack-keystone 08:50
*** Luzi has quit IRC 09:11
*** spsurya has joined #openstack-keystone 09:25
*** Luzi has joined #openstack-keystone 09:26
*** gshippey has joined #openstack-keystone 10:01
*** pawan-gupta has quit IRC 10:15
*** raildo has joined #openstack-keystone 11:42
*** amoralej is now known as amoralej|lunch 12:25
*** spsurya has quit IRC 12:35
*** ayoung has quit IRC 12:41
*** ayoung has joined #openstack-keystone 12:42
*** jamesmcarthur has joined #openstack-keystone 13:15
*** jamesmcarthur has quit IRC 13:28
*** jamesmcarthur has joined #openstack-keystone 13:30
*** jamesmcarthur has quit IRC 13:34
*** amoralej|lunch is now known as amoralej 13:44
*** jamesmcarthur has joined #openstack-keystone 13:46
*** tkajinam has joined #openstack-keystone 14:01
*** awalende has quit IRC 14:13
*** awalende has joined #openstack-keystone 14:14
*** awalende has quit IRC 14:14
*** awalende has joined #openstack-keystone 14:14
*** Luzi has quit IRC 14:29
*** pcaruana has quit IRC 14:36
*** tkajinam has quit IRC 14:52
*** lbragsta_ has joined #openstack-keystone 15:00
*** pcaruana has joined #openstack-keystone 15:01
*** jamesmcarthur has quit IRC 15:03
*** jamesmcarthur has joined #openstack-keystone 15:15
*** jamesmcarthur has quit IRC 15:15
*** bnemec has quit IRC 15:15
*** jamesmcarthur_ has joined #openstack-keystone 15:15
*** lbragsta_ has quit IRC 15:36
*** lbragsta_ has joined #openstack-keystone 15:37
*** adriant has quit IRC 15:40
<cmurphy> team meeting in 20 minutes in #openstack-meeting-alt 15:40
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone-specs master: Alembic Migrations Specification https://review.opendev.org/698279 15:46
*** spatel has joined #openstack-keystone 15:50
<spatel> Hi 15:51
<spatel> good morning, I want to assign network permission to one of specific user in project, how do i do that 15:52
<spatel> I am trying to avoid edit policy file. 15:52
<spatel> currently i doing this "openstack role add --project myproject --user spatel --user-domain myproject _member_" 15:54
*** lbragsta_ has quit IRC 15:55
<spatel> how do i tell user spatel can have _member_ + neutron 15:56
*** jmlowe has joined #openstack-keystone 16:00
<cmurphy> spatel: you need to create a new role and edit your policy files, there's no other way 16:02
<spatel> policy file on neutron server? 16:03
<gagehugo> spatel: yeah, the neutron policy 16:04
<spatel> what is the path of policy file? 16:05
<gagehugo> usually /etc/<service>/policy.yaml 16:06
<spatel> gagehugo: no file found 16:07
<spatel> ls -l /etc/neutron/policy.* 16:07
*** awalende has quit IRC 16:08
*** awalende has joined #openstack-keystone 16:08
<gagehugo> it might be using default policy in-code then 16:09
<gagehugo> otherwise the policy file can be located somewhere else, usually the path is specified in the <service>.conf file 16:10
*** awalende has quit IRC 16:13
*** dancn has quit IRC 16:14
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Add name in GET API of application credentials https://review.opendev.org/696519 16:20
<cmurphy> neutron probably has policy-in-code if you're not on too old of a release, which means to change its policy you need to create the file 16:20
<cmurphy> check https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html for info on the policy file 16:21
*** pmatulis has joined #openstack-keystone 16:22
<pmatulis> why is it i do not see 'reader' in the output of 'openstack role list'? 16:23
<pmatulis> i installed Train 16:23
<gmann> cmurphy: lbragstad ^^ i can get reader in my train env(its devstack default env) but pmatulis cannot see. 16:24
<lbragstad> pmatulis how did you install your deployment? 16:26
<lbragstad> did you run keystone-manage bootstrap? 16:26
<pmatulis> lbragstad, i installed via Juju charms. i've never heard of 'keystone-manage bootstrap' 16:27
<lbragstad> pmatulis keystone-manage bootstrap is a commandline utility to bootstrap new deployesr 16:27
<lbragstad> deployments* 16:27
<lbragstad> it's also responsible for creating default roles, and building role implications 16:27
<lbragstad> if you're missing a role, bootstrap probably wasn't run 16:28
<pmatulis> ok, i guess i'll have to look at the keystone charm. it's odd that i do get some roles: 'Member' and 'Admin' and 'service' 16:29
<lbragstad> pmatulis the keystone charm is probably responsible for that 16:29
<spatel> gagehugo: how do i generate policy.yaml file? is there any utility? 16:31
<spatel> cmurphy: how do i generate default policy file? 16:37
*** gyee has joined #openstack-keystone 16:37
<gagehugo> spatel: https://docs.openstack.org/oslo.policy/latest/cli/index.html#oslopolicy-sample-generator sorry took me a bit to find the command 16:38
<gagehugo> a sample neutron policy file can be found here: https://docs.openstack.org/neutron/train/configuration/policy-sample.html <-- that's for train 16:39
<pmatulis> fwiw, i have oslopolicy-config-generator but not oslopolicy-sample-generator 16:42
<spatel> This command works for me "/openstack/venvs/neutron-19.0.6.dev13/bin/oslopolicy-sample-generator --namespace neutron" 16:44
*** awalende has joined #openstack-keystone 16:45
<spatel> so all i need to create /etc/neutron/policy.yaml and edit file as per my need right? 16:45
<cmurphy> there should be no such thing as oslopolicy-config-generator https://opendev.org/openstack/oslo.policy/src/branch/master/setup.cfg#L39-L42 16:45
<cmurphy> spatel: yes you can copy the sample to /etc/neutron/policy.yaml and uncomment the policy you want to edit 16:45
<cmurphy> spatel: you may need to change the policy_file config in /etc/neutron/neutron.conf to point to the .yaml file, it might default to looking for a .json file 16:46
<spatel> all i need that my users can create neutron port and attach to instance. 16:47
<spatel> cmurphy: i will create .json file if that is default extension 16:47
<cmurphy> spatel: it would be better to use the .yaml, as the policy sample file has yaml comments 16:48
<spatel> Ok 16:48
<spatel> default policy for create port is -> "create_port": "", 16:49
<spatel> look like empty "" 16:49
*** jmlowe has quit IRC 16:50
*** awalende has quit IRC 16:50
<cmurphy> spatel: that means the default is anyone can do that action, so your user with the _member_ role should already have that permission 16:50
<spatel> https://pastebin.com/wDHkM4T6 16:50
*** jaosorior has joined #openstack-keystone 16:50
<spatel> Users getting error - https://pastebin.com/e10rPqD7 16:52
<spatel> I believe i need to adjust following two policy 16:53
-spatel- "create_port:binding:host_id": "rule:admin_only", 16:53
-spatel- "create_port:binding:profile": "rule:admin_only", 16:53
<spatel> is it ok i can make them empty like "" ? 16:54
<cmurphy> spatel: that would let any user perform those actions, is that what you want? 16:55
<spatel> I think yes.. because everyone from my team. 16:56
<spatel> what if i want to give permission to specific user or project?  <-- just for my knowledge ? 16:56
<cmurphy> spatel: you need to create a new role, change the policy string to have role:newrole, and you would also have to change other "" policy rules for other services to have "not role:newrole" it's a hassle :/ 16:58
*** tesseract has quit IRC 16:58
<spatel> cmurphy: totally get it now :) 16:59
<spatel> cmurphy: do i need to reload any services after change in policy file? 16:59
<cmurphy> spatel: i don't think so, it should be picked up automatically as long as your neutron.conf is already pointing to the right file 17:00
<spatel> cmurphy: Thank you so much! 17:00
<cmurphy> you're welcome 17:01
<spatel> cmurphy: also i watched your youtube video about LDAP integration and its freaking awesome!! 17:01
<cmurphy> spatel: that must be someone else, i don't think i've ever talked about ldap ;) 17:02
<spatel> really, i believe it was use because in video they used cmurphy username :) let me search and see if i am right or wrong 17:05
<cmurphy> might have been about federation :) 17:06
<spatel> https://www.youtube.com/watch?v=fm1pVRIpjjo 17:07
<spatel> what is this person? 17:07
<cmurphy> oh yeah that's me, that's about app creds 17:08
<spatel> sorry it wasn't about ldap but something which i was badly looking for. 17:08
<cmurphy> :) 17:08
<spatel> my app creds working great, but one problem. why i am not able to use nova client or any other client ? 17:08
<spatel> with app creds only openstack --os-cloud style working 17:09
<cmurphy> spatel: you should be able to use them with any client that uses keystoneauth 17:09
<spatel> i was trying to load app creds in shell variable but that didn't work ( like source /root/openrc) 17:10
<spatel> I download shell version and load in my linux bash variable but when i was trying to run command getting auth error 17:10
<spatel> cmurphy: i believe keystone+ldap doesn't like that, i spent lots of hours to find out but no luck and then finally i end up using openstack --os-cloud way 17:11
<spatel> may be its LDAP+keystone implementation bug, but anyway its not a big deal so no worry 17:13
<cmurphy> there should be no difference, they both use keystoneauth so as long as you have the right parameters set it shouldn't matter if it's environment variables or clouds.yaml 17:13
<spatel> cmurphy: i will give it a try again later sometime and will give you full report. 17:14
<cmurphy> okay :) 17:14
*** pmatulis has left #openstack-keystone 17:18
*** lbragstad_ has joined #openstack-keystone 17:27
*** lbragstad has quit IRC 17:30
<openstackgerrit> Merged openstack/keystone master: Fix application credential doc example https://review.opendev.org/697367 17:42
<spatel> cmurphy: I don't have policy_file option in my /etc/neutron/neutron.conf  so if i want to add one in which section i should be adding it? 17:45
<cmurphy> spatel: [oslo_policy] 17:46
<spatel> I don't have that section anywhere in neutron.conf file 17:46
<cmurphy> spatel: you can add it 17:46
<spatel> oh! got it :) 17:47
<spatel> done ->  policy_file = policy.yaml 17:49
<spatel> what if there is a typo in policy file does that create issue or just load default policy? 17:50
*** jaosorior has quit IRC 17:59
<cmurphy> spatel: it depends on the typo, if it's bad yaml i think it will cause an error 18:03
<spatel> yes any kind of typo, can i use any kind of tool to validate yaml syntax check 18:04
<cmurphy> you can use any online tool to check that it's valid yaml, you can use https://docs.openstack.org/oslo.policy/latest/cli/index.html#oslopolicy-checker to try to validate your policies for different types of users 18:09
<spatel> Thanks! 18:11
<spatel> cmurphy: my policy file works :) hurray!!! 18:25
<cmurphy> yay \o/ 18:25
<spatel> cmurphy: you are life saver... 18:25
<cmurphy> :) 18:25
*** jamesmcarthur_ has quit IRC 18:26
*** jamesmcarthur has joined #openstack-keystone 18:26
*** jamesmcarthur has quit IRC 18:36
<cmurphy> lbragstad_: could you review this stable backport https://review.opendev.org/676969 18:58
*** amoralej is now known as amoralej|off 19:07
*** ayoung has quit IRC 19:08
*** ayoung has joined #openstack-keystone 19:10
*** ayoung has quit IRC 19:14
*** spatel has quit IRC 19:16
*** ayoung has joined #openstack-keystone 19:16
*** spatel has joined #openstack-keystone 19:33
<cmurphy> thanks lbragstad_ 19:35
*** lbragstad_ is now known as lbragstad 19:36
<lbragstad> cmurphy no problem 19:36
*** gmann is now known as gmann_afk 19:40
<openstackgerrit> Merged openstack/keystonemiddleware master: Update master for stable/train https://review.opendev.org/683462 19:48
*** awalende has joined #openstack-keystone 20:09
*** awalende has quit IRC 20:14
*** rcernin has joined #openstack-keystone 20:16
*** pcaruana has quit IRC 20:16
*** jaosorior has joined #openstack-keystone 21:05
*** adriant has joined #openstack-keystone 21:26
*** raildo has quit IRC 21:27
*** jaosorior has quit IRC 22:01
*** spatel has quit IRC 22:09
*** awalende has joined #openstack-keystone 22:10
*** awalende has quit IRC 22:15
*** awalende has joined #openstack-keystone 22:30
*** awalende has quit IRC 22:35
*** tkajinam has joined #openstack-keystone 23:05
*** gmann_afk is now known as gmann 23:06
