Thursday, 2021-02-25

[12:49] stephenfin: knikolla: I think I need your ack for a new release of ldappool https://review.opendev.org/c/openstack/releases/+/777584 if you have a moment
[20:23] andrewbogott: I'm trying to figure out about scoped roles in Keystone Train. I had the impression that I could give a user the admin role in system=all scope and then it would be able to see everything in every project but that seems to not be the case in my test install. Is there some flag I have to set to enable scoped roles?
[20:23] andrewbogott: I was expecting this to be the be-all/end-all:
[20:23] andrewbogott: https://www.irccloud.com/pastebin/KS8RTNdm/
[20:23] andrewbogott: but that user still can't do anything at all
[20:29] gagehugo: https://docs.openstack.org/keystone/train/configuration/samples/keystone-conf.html
[20:29] gagehugo: enforce_scope under [oslo_policy]
[20:35] gagehugo: system scope is generally reserved for more "system" roles: https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#system-scoped-tokens
[20:35] andrewbogott: thank you! Trying...
[20:35] andrewbogott: yeah — right now I'm just experimenting. I have a system user that's hacked into every project and I would love to have it just work without that :)
[20:36] andrewbogott: hm, I'm still missing something
[20:41] andrewbogott: odd, I've removed my policy.yaml file entirely but still get a deprecation warning.
[20:41] andrewbogott: Is that a clue?
[20:58] andrewbogott: gagehugo: do you have time to walk me through this a bit? I have "identity:list_endpoints": "" and my user has system=all admin and I have enforce_scope = True in keystone.conf
[20:58] andrewbogott: and yet
[20:58] andrewbogott: https://www.irccloud.com/pastebin/1SFJwulD/
[20:59] andrewbogott: Am I totally misunderstanding how this is meant to work?
[21:06] gagehugo: I think you need to specify system scope in your clouds.yaml, but I'm struggling to find documentation atm
[21:07] andrewbogott: I'm not sure I know what a 'clouds.yaml' is — do you mean in the custom policy?
[21:08] andrewbogott: For what it's worth, I tried removing my policy.yaml and letting it fall back on all defaults and get the same behavior
[21:10] andrewbogott: thank you for looking!
[21:10] gagehugo: whatever credentials you are using for "openstack"
[21:10] gagehugo: openstackcli
[21:11] gagehugo: https://docs.openstack.org/python-openstackclient/train/configuration/index.html
[21:12] openstackgerrit: Ben Nemec proposed openstack/oslo.policy master: Reinstate double deprecation test logic https://review.opendev.org/c/openstack/oslo.policy/+/777682
[21:15] andrewbogott: oh, I see… I'm doing all this via environment variables but it's likely equivalent
[21:17] andrewbogott: I gave my 'testadmin' user admin role in a single project and I can access things there. So I'm convinced that I'm not just making a typo in the password :)
[21:17] gagehugo: Try setting OS_SYSTEM_SCOPE to "all"
[21:19] andrewbogott: 'k
[21:19] andrewbogott: no change
[21:23] gagehugo: might need to make sure OS_PROJECT_* are all unset
[21:25] gagehugo: for that "testadmin" user
[21:25] andrewbogott: that did it
[21:25] gagehugo: \o/
[21:26] andrewbogott: The fact that that works suggests that I don't understand what system scope actually means
[21:26] andrewbogott: Like, having system admin doesn't confer admin on projects?
[21:29] gagehugo: I've not used it much myself yet, but it's more for operations that don't necessarily involve projects/domains
[21:31] gagehugo: modifying endpoints, service management, or listing information about hypervisors
[21:31] andrewbogott: yep, that makes sense as a scope
[21:31] gagehugo: avoiding giving someone "admin" in a project just so they can tweak those things
[21:31] andrewbogott: I just read the sentence 'System administrators are allowed to manage every resource in keystone' and thought they really meant it
[21:31] andrewbogott: I guess maybe what I want is 'admin' on the default domain
[21:32] andrewbogott: hm, nope
[21:34] andrewbogott: I kind of thought that the original use case for scoped roles was to provide a universal reader. If a system reader can only read system things but not things /in/ the system, and a domain reader can only read domain things but not things /in/ the domain...
[21:34] andrewbogott: then I have misunderstood what this years-long initiative was about :(
[21:34] andrewbogott: But, anyway, not your problem! Thank you for helping me sort this out, I will read some more docs and code and see if what I need is supported.
[21:39] gagehugo: our docs need some improving on system scopes, I had to dig into the osc code to see what value it was looking for
[22:59] adriant: knikolla: any chance of getting https://review.opendev.org/c/openstack/keystone-specs/+/618144 looked at again? :)