*** mhen_ is now known as mhen | 02:05 | |
*** mhen_ is now known as mhen | 03:06 | |
opendevreview | Luca Miccini proposed openstack/keystonemiddleware master: WIP DNM Switch from python-memcache to pymemcache https://review.opendev.org/c/openstack/keystonemiddleware/+/942202 | 07:39 |
opendevreview | Luca Miccini proposed openstack/keystonemiddleware master: WIP DNM Switch from python-memcache to pymemcache https://review.opendev.org/c/openstack/keystonemiddleware/+/942202 | 07:50 |
opendevreview | Ivan Anfimov proposed openstack/keystone master: Add a new index on project_endpoint_group https://review.opendev.org/c/openstack/keystone/+/927799 | 14:21 |
keekz | hi all. i'm having a weird problem with application credentials. we're using keystone with federation to azure. i can create an application credential and use it successfully for some time, then after a while the app cred suddenly stops working with error "Authorization failed. User has no access to project". the app cred appears to stop working until i auth as my normal user which the app cred was created from, then the | 14:47 |
keekz | app cred is usable again for a while. my keystone conf, logs, etc are in: https://gist.github.com/nicholaskuechler/a44304e6ae380f21be26970e9fe1402c | 14:47 |
gtema | I would assume some other user-based auth is overwriting role assignments unless you re-auth. Depending on how you set up the federation, any login attempt may overwrite any user-related data, including role assignments. So if, e.g., there is some login without scope (which means keystone gets empty assignments), it will persist them this way | 14:50 |
keekz | some other user is overwriting my personal user's role assignments? how can i see if that's happening? | 14:55 |
gtema | no, not other user. maybe some of your processes reauth with partial or wrong info. This is just a potential explanation | 14:56 |
gtema | the point is that when you have a mapper in the federation that also writes/overwrites project access every time it is invoked without necessary project info it would be reset | 14:56 |
gtema | ideally mapping should not contain any project related information (no authz) | 14:57 |
keekz | i don't have any of that. i only use either horizon or openstack cli. the problem appears if i don't use cli/horizon for say a weekend, then i come in on monday and see the logs showing terraform-cred can't do anything | 14:57 |
gtema | are you having admin access or are you just a regular user? | 14:58 |
keekz | regular user | 14:58 |
gtema | then you should ask your operator to debug. Eventually they are overwriting assignments from some other source | 14:59 |
keekz | i suspected it's something with cache or expiration times, but i've tweaked those as well, and the problem still persists | 14:59 |
keekz | i _am_ the operator, trying to debug.. | 14:59 |
gtema | ah ok | 14:59 |
gtema | next time when access is broken check role assignments for the user in question on the project in question | 15:00 |
gtema | if those are gone you need to figure out why | 15:00 |
keekz | ok, thanks | 15:00 |
gtema | and this is the only "reasonable" explanation for me for the moment | 15:00 |
gtema | because when you say that after you re-login with federation (this is the moment when assignments may be updated) it starts to work again | 15:01 |
gtema | also: what does your federation mapping rule look like? | 15:01 |
keekz | it's here: https://github.com/rackerlabs/understack/blob/main/components/keystone/values.yaml#L36-L100 | 15:03 |
gtema | hm, it does not deal with assignments at all | 15:04 |
gtema | then you should try to figure out how assignments are managed at all | 15:04 |
gtema | maybe the group membership disappears | 15:05 |
keekz | yeah that's what it seems like, it's disappearing, and that's what i was suspecting some kind of cache or expiration timer 🤷♂️ | 15:06 |
gtema | not something that comes from keystone by default. Most likely deployment configuration | 15:07 |
keekz | it's not happening currently, but probably monday it'll be goofed again and i should be able to see the role assignments | 15:07 |
gtema | check pls not only role assignment but also group membership | 15:08 |
gtema | and eventually role assignment to the group | 15:08 |
gtema | basically check now all effective role assignments of the user (https://docs.openstack.org/api-ref/identity/v3/index.html#list-role-assignments) and compare them with when it stops working | 15:09 |
keekz | hmm i don't see any role assignments for the user/project currently. | 15:14 |
gtema | That's not cool | 15:16 |
keekz | i added them to the gist: https://gist.github.com/nicholaskuechler/a44304e6ae380f21be26970e9fe1402c#file-gistfile1-txt-L69-L135 | 15:18 |
opendevreview | Merged openstack/keystone master: Add JSON Schema to `services` and validation decorators to services resource. https://review.opendev.org/c/openstack/keystone/+/927523 | 16:32 |