Wednesday, 2020-02-05

00:45 *** jamesmcarthur has joined #openstack-keystone
00:50 <openstackgerrit> Colleen Murphy proposed openstack/keystone-tempest-plugin master: WIP/PoC: Add RBAC tests  https://review.opendev.org/686305
01:00 *** jamesmcarthur has quit IRC
01:06 *** rcernin has joined #openstack-keystone
01:10 *** jamesmcarthur has joined #openstack-keystone
01:22 *** jamesmcarthur has quit IRC
01:38 *** vesper has joined #openstack-keystone
01:39 *** vesper11 has quit IRC
01:45 *** jamesmcarthur has joined #openstack-keystone
02:00 *** gyee has quit IRC
02:10 *** vishalmanchanda has joined #openstack-keystone
02:22 *** jamesmcarthur has quit IRC
03:31 *** rcernin has quit IRC
03:45 *** gagehugo has quit IRC
03:59 *** gagehugo has joined #openstack-keystone
04:45 *** adriant has quit IRC
04:50 *** adriant has joined #openstack-keystone
04:53 *** bnemec has joined #openstack-keystone
04:57 *** rcernin has joined #openstack-keystone
04:58 *** rcernin has quit IRC
04:58 *** rcernin has joined #openstack-keystone
05:33 *** evrardjp has quit IRC
05:34 *** evrardjp has joined #openstack-keystone
06:03 *** rcernin has quit IRC
06:04 <openstackgerrit> Vishakha Agarwal proposed openstack/keystone-tempest-plugin master: Drop py3.5 from tempest plugins  https://review.opendev.org/705887
06:04 *** redrobot has quit IRC
06:06 *** abdysn has joined #openstack-keystone
06:06 *** redrobot has joined #openstack-keystone
07:38 *** jaosorior has joined #openstack-keystone
07:53 *** jaosorior has quit IRC
08:06 *** jaosorior has joined #openstack-keystone
08:12 *** tkajinam has quit IRC
08:16 *** dancn has joined #openstack-keystone
08:16 *** tesseract has joined #openstack-keystone
08:31 *** rcernin has joined #openstack-keystone
08:45 *** gshippey has joined #openstack-keystone
08:48 *** rcernin has quit IRC
08:53 *** rcernin has joined #openstack-keystone
08:54 *** xek has joined #openstack-keystone
09:07 *** rcernin has quit IRC
09:16 *** rcernin has joined #openstack-keystone
09:20 *** rcernin has quit IRC
09:26 *** rcernin has joined #openstack-keystone
09:33 *** rcernin has quit IRC
10:06 *** shyamb has joined #openstack-keystone
10:38 *** shyamb has quit IRC
11:15 *** shyamb has joined #openstack-keystone
11:36 *** wxy-xiyuan has quit IRC
11:37 *** pcaruana has quit IRC
11:50 *** pcaruana has joined #openstack-keystone
12:13 *** shyamb has quit IRC
12:43 *** raildo has joined #openstack-keystone
12:54 *** shyamb has joined #openstack-keystone
13:18 *** shyamb has quit IRC
13:20 *** jamesmcarthur has joined #openstack-keystone
13:24 <openstackgerrit> Hervé Beraud proposed openstack/oslo.limit master: [ussuri][goal] Drop python 2.7 support and testing  https://review.opendev.org/705712
13:29 *** abdysn has quit IRC
13:37 *** jamesmcarthur has quit IRC
13:47 *** jamesmcarthur has joined #openstack-keystone
14:17 *** pcaruana has quit IRC
15:13 *** jmlowe has joined #openstack-keystone
15:17 *** jmlowe has quit IRC
15:17 *** jmlowe has joined #openstack-keystone
15:19 *** awestin1 has quit IRC
15:20 *** awestin1 has joined #openstack-keystone
15:49 *** pcaruana has joined #openstack-keystone
15:52 <cmurphy> lbragstad: stable review if you have a sec https://review.opendev.org/705862 it happens to fix the broken federation jobs by adding the xmlsec1 package
15:53 <lbragstad> cmurphy nice - thanks
16:04 *** dancn has quit IRC
16:05 *** openstackstatus has joined #openstack-keystone
16:05 *** ChanServ sets mode: +v openstackstatus
16:08 *** jmlowe has quit IRC
16:09 *** njohnston has joined #openstack-keystone
16:09 <njohnston> cmurphy: Hi! I was wondering if you could take another look at https://review.opendev.org/#/c/508659/ whenever it is convenient for you.
16:22 *** kklimonda has quit IRC
16:22 *** kklimonda has joined #openstack-keystone
16:24 *** jamesmcarthur has quit IRC
16:29 <cmurphy> njohnston: will do
16:38 *** jamesmcarthur has joined #openstack-keystone
16:41 *** jamesmcarthur_ has joined #openstack-keystone
16:44 *** jamesmcarthur has quit IRC
16:46 <njohnston> thanks cmurphy!
16:47 *** jmlowe has joined #openstack-keystone
16:55 *** jamesmcarthur_ has quit IRC
16:58 *** jamesmcarthur has joined #openstack-keystone
17:05 *** jamesmcarthur has quit IRC
17:27 *** jamesmcarthur has joined #openstack-keystone
17:29 *** gyee has joined #openstack-keystone
17:30 <raildo> cmurphy, hey, how you doing? I just added a topic in the next team meeting: https://etherpad.openstack.org/p/keystone-weekly-meeting we were discussing the possibility to avoid anyone who isn't using a domain-scoped token to create a project and doesn't supply domain_id in the project reference, to automatically place that project in the default domain
17:31 <raildo> cmurphy, I believe that we should raise an exception on this last scenario, but we can discuss more about it during the meeting :)
17:33 *** evrardjp has quit IRC
17:34 *** evrardjp has joined #openstack-keystone
17:42 <cmurphy> raildo: okay thanks for the heads-up
17:49 *** jaosorior has quit IRC
17:54 *** jmlowe has quit IRC
17:56 *** jamesmcarthur has quit IRC
18:01 *** TheJulia has quit IRC
18:01 *** TheJulia has joined #openstack-keystone
18:03 *** johnsom has quit IRC
18:03 *** johnsom has joined #openstack-keystone
18:03 *** jamesmcarthur has joined #openstack-keystone
18:11 *** tesseract has quit IRC
18:27 *** kmalloc has quit IRC
18:27 *** kmalloc has joined #openstack-keystone
18:34 *** masayukig has quit IRC
18:34 *** masayukig has joined #openstack-keystone
18:54 *** jamesmcarthur has quit IRC
18:56 *** jamespage has quit IRC
18:56 *** jamespage has joined #openstack-keystone
19:01 *** gshippey has quit IRC
19:15 *** jamesmcarthur has joined #openstack-keystone
19:36 <lbragstad> cmurphy do we have a documented example of using application credentials from clouds.yaml?
19:36 <lbragstad> i feel like i've asked this before, but i can't find it
19:36 <cmurphy> lbragstad: i don't think we do
19:38 *** masayukig has quit IRC
19:39 *** kmalloc has quit IRC
19:39 *** awestin1 has quit IRC
19:39 *** jamespage has quit IRC
19:39 *** TheJulia has quit IRC
19:40 *** spatel has joined #openstack-keystone
19:40 *** johnsom has quit IRC
19:40 *** kklimonda has quit IRC
19:48 *** xek_ has joined #openstack-keystone
19:51 *** xek has quit IRC
20:00 *** jmlowe has joined #openstack-keystone
20:01 *** jmlowe has quit IRC
20:09 *** spatel has quit IRC
20:15 *** jmlowe has joined #openstack-keystone
20:21 *** jamesmcarthur has quit IRC
20:30 *** raildo has quit IRC
20:33 *** raildo has joined #openstack-keystone
20:34 *** cmart has joined #openstack-keystone
20:35 *** cmart has quit IRC
21:08 *** jmlowe has quit IRC
21:10 *** jmlowe has joined #openstack-keystone
21:22 *** jmlowe has quit IRC
21:25 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add domain admin grant test cases  https://review.opendev.org/706120
21:25 <lbragstad> cmurphy that should be possible right ^ ?
21:27 *** xek_ has quit IRC
21:32 <lbragstad> because if it is, we might want to consider changing the policy for list_roles?
21:34 <lbragstad> https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/role.py#L81-L92
21:35 <lbragstad> python-openstackclient seems to fail when domain admins do `openstack role add` commands regardless of using the role ID or the role name, because it attempts to list the roles
21:39 <cmurphy> could've sworn we had a test for that
21:39 <cmurphy> but makes sense that osc would behave that way, i think it does something similar for trusts that's very unfriendly
21:41 <cmurphy> relatedly i was surprised that credentials don't work for domain users https://review.opendev.org/#/c/686305/18/keystone_tempest_plugin/tests/rbac/v3/test_credentials.py@353
21:43 <lbragstad> yeah - i mean we allow domain users to add roles to things within their authorization, which is good... but we just don't let them discover the roles
21:43 <lbragstad> so - they'd have to do it manually with curl
21:43 <lbragstad> iff they know the role id
21:45 <cmurphy> yuck
21:46 <lbragstad> mhm
21:56 <lbragstad> should we let domain admins list all roles?
21:57 <lbragstad> i mean - we'd be letting them see all roles in the deployment
21:58 <cmurphy> i don't think domain admins should get special system-level powers just for being domain admins, i think the better question is should roles just be public information to anyone authenticated
21:58 <cmurphy> to which - i'm not sure
21:59 <lbragstad> i mean - i saw a lot of power in letting domain admins manage role assignments for entities within their domain
22:00 <lbragstad> but - if we don't let them discover roles, then it shoots the usability of that out of the air
22:00 <lbragstad> i'm torn
22:00 <cmurphy> yeah
22:01 <cmurphy> hmm i was gonna say operators could override it if they want to but they can't override scope_types
22:04 <lbragstad> right
22:05 <lbragstad> i mean, operators could have global roles around for other domains (circumventing domain-specific roles)
22:05 <lbragstad> if we open that up for domain-admins, some might consider that a violation of tenancy
22:07 <cmurphy> right, imo it is
22:07 <lbragstad> i'm inclined to agree
22:07 <lbragstad> so - do we keep the grant API open to domain users too?
22:07 <lbragstad> or do we leave it as is?
22:09 <cmurphy> well i think it's too late to change it
22:10 <lbragstad> i mean - if a system operator trusts a domain admin
22:11 <lbragstad> they could be like "here's the ID of the reader, member, and admin roles... dole them out to people within your jurisdiction as you see fit"
22:12 <cmurphy> if we're only talking about the default roles then technically the domain admin could discover that themself by examining their own token, they would have all three ids in there
22:12 <lbragstad> oh - yeah, great point
22:12 <lbragstad> it's kinda like having to crawl under your car to start it, but whatever
22:13 <cmurphy> and if we're talking about other roles and the system admin wants to grant domain admins rights on a case by case basis then they could do some legwork of mirroring certain roles into the domain
22:13 <lbragstad> sure
22:13 <lbragstad> and we have protection testing to make sure domain users can't do anything outside their domain
22:14 <lbragstad> so it's still kinda self-service...
22:14 <cmurphy> yeah
22:15 <lbragstad> ok - so TL;DR, leave it be
22:16 <cmurphy> that'd be my vote
22:16 <lbragstad> ok
22:16 <lbragstad> sweet - thanks for the help cmurphy
22:16 <cmurphy> o7
22:20 <cmurphy> lbragstad: while i have you here, some more stable backports: https://review.opendev.org/706087 https://review.opendev.org/706088 - second depends on the first
22:25 <lbragstad> cmurphy cool - both look good to me
22:37 *** raildo has quit IRC
22:48 *** tkajinam has joined #openstack-keystone
22:59 *** kklimonda has joined #openstack-keystone
23:00 *** TheJulia has joined #openstack-keystone
23:00 *** masayukig has joined #openstack-keystone
23:01 *** jamespage has joined #openstack-keystone
23:02 *** awestin1 has joined #openstack-keystone
23:02 *** kmalloc has joined #openstack-keystone
23:02 *** johnsom has joined #openstack-keystone
23:03 *** jamesmcarthur has joined #openstack-keystone
23:06 *** jamesmcarthur has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!