| *** mhen_ is now known as mhen | 02:30 | |
| opendevreview | Ghanshyam proposed openstack/oslo.policy master: WIP: Remove enforce_scope config option https://review.opendev.org/c/openstack/oslo.policy/+/968271 | 02:36 |
|---|---|---|
| opendevreview | Quentin GROLLEAU proposed openstack/keystone master: Add a new index on revocation_event table https://review.opendev.org/c/openstack/keystone/+/929736 | 08:02 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Apply sql db expand from 2025.02 https://review.opendev.org/c/openstack/keystone/+/968300 | 09:22 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Rename the migration folder https://review.opendev.org/c/openstack/keystone/+/968301 | 09:22 |
| amorin | gtema the glance thing that dmsimard[m] is talking about is: https://review.opendev.org/c/openstack/glance/+/967371 | 12:38 |
| amorin | on our side, we are creating a lot of glance images (instances snapshots), so this increased a lot the revocation table size | 12:39 |
| amorin | if zigo is around, maybe he could explain the first index on https://review.opendev.org/c/openstack/keystone/+/929736 ? | 12:40 |
| zigo | I am. Reading. | 12:40 |
| gtema | oh, that's interesting | 12:40 |
| zigo | Well, I believe the patch header says it all, no ? | 12:41 |
| gtema | zigo: it doesn't explain one of 2 indexes | 12:42 |
| zigo | I just asked my colleague, let's see what he says. | 12:44 |
| zigo | amorin: My colleague replied in the PR. Is this enough? | 13:20 |
| amorin | oh thanks, will check! | 13:24 |
| opendevreview | Takashi Kajinami proposed openstack/oslo.policy master: Remove support for JSON format policy file https://review.opendev.org/c/openstack/oslo.policy/+/929715 | 13:45 |
| opendevreview | Takashi Kajinami proposed openstack/oslo.policy master: Remove support for JSON format policy file https://review.opendev.org/c/openstack/oslo.policy/+/929715 | 13:48 |
| opendevreview | Takashi Kajinami proposed openstack/oslo.policy master: Remove support for JSON format policy file https://review.opendev.org/c/openstack/oslo.policy/+/929715 | 13:49 |
| Mc- | Hi! Small question about federated users with mapped groups : while users seem to have most of the right privileges for the mapped groups when logging in from horizon, the users do not seem to be "actually" added to the groups in the databases (openstack group list --user does not show them) and the creation of application credential fails because (as reported in horizon) | 13:55 |
| Mc- | the user does not have the role assignment for the project, that it got from a mapped group at login - I'm absolutely not sure it's correct but it is as if the federated login issues a temporary token with the rights from the mapping, but does not actually grant them to the user - any idea how to circumvent this ? | 13:55 |
| gtema | if you say groups are not updated for the user (note that for federated users it is an expiring group membership, not the permanent) - this would explain missing permission. Such group membership is only renewed/refreshed after login for the configured amount of time - maybe this is the problem? | 14:00 |
| Mc- | I'm not sure but would a expiring group membership fully prevent the creation of application credentials for roles of that group ? | 14:15 |
| Mc- | (cannot create them even "just" after login) | 14:15 |
| gtema | not fully, I mean that if user loged in some time ago the group membership might expire - that would indeed render appcreds unusable. But the point is that you do not see user being member of the group | 14:16 |
| gtema | from how how reverse engineered the current logic it is expected that you have groups pre-provisioned. You grant them all necessary roles on projects. The users are then "just" becoming members of that group on the login | 14:17 |
| Mc- | it absolutely "works" within horizon, in the sense that I can do stuff in several projects based on several groups | 14:21 |
| Mc- | ah I'll try to set default_authorization_ttl to non-zero | 14:22 |
| Mc- | ... better :D | 14:25 |
| gtema | this is what I meant with expiring membership. But the user must re-login before this ttl expires or appcred stop working | 14:26 |
| Mc- | that's fine | 14:26 |
| Mc- | gtema: thanks a lot ! | 14:29 |
| gtema | welcome. It should have not been this complex anyway - thats why I completely redo this in keystone ng | 14:29 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Apply sql db expand from 2025.02 https://review.opendev.org/c/openstack/keystone/+/968300 | 16:15 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Rename the migration folder https://review.opendev.org/c/openstack/keystone/+/968301 | 16:15 |
| opendevreview | Moutaz Chaara proposed openstack/keystone master: Fix role assignment cache for federated users https://review.opendev.org/c/openstack/keystone/+/967048 | 16:18 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Rename the migration folder https://review.opendev.org/c/openstack/keystone/+/968301 | 16:57 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Add a new index on revocation_event table https://review.opendev.org/c/openstack/keystone/+/929736 | 16:57 |
| opendevreview | Moutaz Chaara proposed openstack/keystone master: Fix role assignment cache for federated users https://review.opendev.org/c/openstack/keystone/+/967048 | 18:44 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Apply sql db expand from 2025.02 https://review.opendev.org/c/openstack/keystone/+/968300 | 19:00 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Rename the migration folder https://review.opendev.org/c/openstack/keystone/+/968301 | 19:00 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Add a new index on revocation_event table https://review.opendev.org/c/openstack/keystone/+/929736 | 19:00 |
| opendevreview | Stephen Finucane proposed openstack/oslo.limit master: DNM: Revert "Add typing" https://review.opendev.org/c/openstack/oslo.limit/+/968375 | 19:08 |
| opendevreview | Stephen Finucane proposed openstack/oslo.limit master: DNM: Revert "Fix endpoint query" https://review.opendev.org/c/openstack/oslo.limit/+/968376 | 19:08 |
| opendevreview | Stephen Finucane proposed openstack/oslo.limit master: DNM: Unrevert "Add typing" https://review.opendev.org/c/openstack/oslo.limit/+/968411 | 21:29 |
| opendevreview | Moutaz Chaara proposed openstack/keystone master: Fix role assignment cache for federated users https://review.opendev.org/c/openstack/keystone/+/967048 | 23:08 |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!