Tuesday, 2019-09-17

*** markvoelker has quit IRC		00:02
openstackgerrit	Merged openstack/keystoneauth master: Fix misspell word https://review.opendev.org/680600	00:09
*** gyee has quit IRC		00:14
*** jamesmcarthur has joined #openstack-keystone		00:21
*** jamesmcarthur has quit IRC		00:23
*** jamesmcarthur has joined #openstack-keystone		00:23
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add default roles and scope checking to project tags https://review.opendev.org/682503	00:30
lbragstad	gagehugo cmurphy ^ fixed up some of the tests - only 4 are failing and they're for domain and project users (filtering cases)	00:30
gagehugo	ack	00:45
*** masayukig has joined #openstack-keystone		00:47
*** Ben78 has quit IRC		01:03
*** Ben78 has joined #openstack-keystone		01:05
*** jamesmcarthur has quit IRC		01:05
openstackgerrit	zhufl proposed openstack/keystone master: Add remote_id definition in _perform_auth https://review.opendev.org/679706	01:39
*** markvoelker has joined #openstack-keystone		02:03
*** markvoelker has quit IRC		02:08
*** baffle has quit IRC		02:18
*** baffle has joined #openstack-keystone		02:25
*** Ben78 has quit IRC		02:30
*** jamesmcarthur has joined #openstack-keystone		02:38
*** jamesmcarthur has quit IRC		02:57
*** dave-mccowan has quit IRC		03:00
*** jamesmcarthur has joined #openstack-keystone		03:56
*** jamesmcarthur has quit IRC		03:56
*** jamesmcarthur has joined #openstack-keystone		03:57
*** etp has joined #openstack-keystone		04:19
*** jamesmcarthur has quit IRC		04:51
*** pcaruana has joined #openstack-keystone		05:16
*** Luzi has joined #openstack-keystone		05:16
*** jamesmcarthur has joined #openstack-keystone		05:21
*** pcaruana has quit IRC		05:29
*** adriant has quit IRC		05:54
*** spsurya has joined #openstack-keystone		05:55
*** jamesmcarthur has quit IRC		06:10
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add remote_id definition in _perform_auth https://review.opendev.org/679706	06:20
*** jamesmcarthur has joined #openstack-keystone		06:32
*** jamesmcarthur has quit IRC		06:37
*** jamesmcarthur has joined #openstack-keystone		06:45
*** markvoelker has joined #openstack-keystone		06:47
*** dancn has joined #openstack-keystone		06:51
*** markvoelker has quit IRC		06:52
*** xek has joined #openstack-keystone		06:57
*** xek has quit IRC		07:08
*** jamesmcarthur has quit IRC		07:17
*** ivve has joined #openstack-keystone		07:21
*** trident has quit IRC		07:22
*** trident has joined #openstack-keystone		07:31
*** vishakha has joined #openstack-keystone		07:34
*** trident has quit IRC		07:36
*** jamesmcarthur has joined #openstack-keystone		07:44
*** trident has joined #openstack-keystone		07:46
*** rcernin has quit IRC		07:47
*** jamesmcarthur has quit IRC		07:50
*** jamesmcarthur has joined #openstack-keystone		07:52
openstackgerrit	Bernhard M. Wiedemann proposed openstack/keystonemiddleware master: Make tests pass in 2020 https://review.opendev.org/657780	08:03
*** tkajinam has quit IRC		08:03
*** jamesmcarthur has quit IRC		08:15
*** jamesmcarthur has joined #openstack-keystone		08:16
*** dancn has quit IRC		08:24
openstackgerrit	Bernhard M. Wiedemann proposed openstack/keystonemiddleware master: Make tests pass in 2022 https://review.opendev.org/657780	08:37
*** dancn has joined #openstack-keystone		08:38
*** aloga has joined #openstack-keystone		08:59
*** pcaruana has joined #openstack-keystone		09:19
*** jamesmcarthur has quit IRC		09:31
*** jamesmcarthur has joined #openstack-keystone		09:32
*** jamesmcarthur has quit IRC		10:07
*** pcaruana has quit IRC		10:07
*** Luzi has quit IRC		10:13
*** Luzi has joined #openstack-keystone		10:29
*** dancn has quit IRC		10:33
*** f0o has joined #openstack-keystone		10:39
*** jamesmcarthur has joined #openstack-keystone		10:40
f0o	Hi, I've got a question regarding oslo-policy for identity:create_credential. I'm running Rocky and got the rule '"identity:create_credential": "rule:admin_or_owner or user_id:%(target.credential.user_id)s"' in my policy but I'm still getting a denied eventhough the debug logs from enforcer.py show the correct user_id in the target.credential object and the correct user_id in the context object.	10:42
f0o	Any ideas?	10:42
*** pcaruana has joined #openstack-keystone		10:55
*** jdwidari has joined #openstack-keystone		10:59
*** jamesmcarthur has quit IRC		11:12
openstackgerrit	Bernhard M. Wiedemann proposed openstack/keystonemiddleware master: Make tests pass in 2022 https://review.opendev.org/657780	11:19
openstackgerrit	Vishakha Agarwal proposed openstack/keystoneauth master: Generate pdf documentation https://review.opendev.org/682272	11:20
*** dancn has joined #openstack-keystone		11:51
*** takamatsu has joined #openstack-keystone		11:52
*** raildo has joined #openstack-keystone		11:59
*** etp has quit IRC		12:04
*** jamesmcarthur has joined #openstack-keystone		12:10
*** jamesmcarthur has quit IRC		12:10
*** jamesmcarthur_ has joined #openstack-keystone		12:10
*** markvoelker has joined #openstack-keystone		12:11
*** jamesmcarthur_ has quit IRC		12:26
*** pcaruana has quit IRC		12:27
*** openstackstatus has quit IRC		12:28
*** openstack has joined #openstack-keystone		12:29
*** ChanServ sets mode: +o openstack		12:29
*** jamesmcarthur has joined #openstack-keystone		12:29
*** openstackstatus has joined #openstack-keystone		12:29
*** ChanServ sets mode: +v openstackstatus		12:29
*** jmlowe has joined #openstack-keystone		12:33
lbragstad	f0o it doesn't look like the credential in the create request is being passed to the ENFORCER object https://opendev.org/openstack/keystone/src/branch/stable/rocky/keystone/api/credentials.py#L117	12:53
lbragstad	we changed that in stein - https://opendev.org/openstack/keystone/src/branch/master/keystone/api/credentials.py#L132-L137	12:55
lbragstad	so - the policy that you're trying to implement is actually the default in a newer release https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/credential.py#L81	12:58
lbragstad	but implementing that policy requires some code changes to the API that pass the credential reference from the request to the enforcement library	12:59
*** pcaruana has joined #openstack-keystone		12:59
*** pcaruana has quit IRC		13:28
*** Luzi has quit IRC		13:38
f0o	ah ok that makes sense	13:40
f0o	I'll try to patch upgrade keystone to stein then	13:40
*** jamesmcarthur has quit IRC		13:47
*** xek has joined #openstack-keystone		13:56
*** pcaruana has joined #openstack-keystone		13:59
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add default roles and scope checking to project tags https://review.opendev.org/682503	14:04
*** jamesmcarthur has joined #openstack-keystone		14:17
*** jamesmcarthur has quit IRC		14:22
*** lbragstad_ has joined #openstack-keystone		14:26
*** jamesmcarthur has joined #openstack-keystone		14:27
*** lbragstad has quit IRC		14:28
*** jamesmcarthur has quit IRC		14:32
*** jamesmcarthur has joined #openstack-keystone		14:38
*** jamesmcarthur has quit IRC		14:43
*** FlorianFa has quit IRC		14:44
*** jamesmcarthur has joined #openstack-keystone		14:48
*** dancn has quit IRC		14:50
*** pcaruana has quit IRC		14:55
*** noonedeadpunk has left #openstack-keystone		14:57
lbragstad_	f0o sounds good - let us know how it goes	14:59
cmurphy	I don't have much for the agenda today, anyone have topics to discuss at the meeting? https://etherpad.openstack.org/p/keystone-weekly-meeting	15:11
cmurphy	will anyone be around for office hours afterward?	15:11
*** sapd1 has quit IRC		15:14
*** sapd1 has joined #openstack-keystone		15:15
lbragstad_	i'll be around - but i don't have topics	15:17
gagehugo	I don't have anything	15:18
cmurphy	i was thinking we could do a bug triage and put together a list of rc1 priorities	15:18
cmurphy	but we could maybe do that during the meeting since the agenda is light	15:18
lbragstad_	fwiw - https://review.opendev.org/#/c/682503/ passes locally for me	15:19
lbragstad_	it should be ready for real reviews	15:20
cmurphy	woot	15:20
lbragstad_	with the gate in the state that it is, i didn't bother breaking it apart (sorry!)	15:20
cmurphy	maybe i've been looking at too many of these but i don't mind it being all in one patch	15:21
lbragstad_	same	15:23
*** lbragstad_ is now known as lbragstad		15:23
*** ivve has quit IRC		15:27
openstackgerrit	Ralf Haferkamp proposed openstack/keystone master: Fix PostgreSQL specifc issue with credentials encoding https://review.opendev.org/681736	15:27
*** gyee has joined #openstack-keystone		15:32
cmurphy	meeting in #openstack-meeting-alt in 6 minutes	15:54
*** jmlowe has quit IRC		15:55
cmurphy	meeting now in #openstack-meeting-alt	16:01
openstackgerrit	Merged openstack/keystonemiddleware master: Make tests pass in 2022 https://review.opendev.org/657780	16:25
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Fix reference cycle caused by deprecated sample override https://review.opendev.org/682150	16:44
*** pcaruana has joined #openstack-keystone		16:55
cmurphy	office hours will start in a sec	17:00
* lbragstad grabs water		17:00
gagehugo	lemme grab water as well	17:01
cmurphy	https://meet.jit.si/keystone-office-hours	17:03
cmurphy	https://bugs.launchpad.net/keystone/+bugs?orderby=-datecreated&start=0	17:10
cmurphy	https://bit.ly/2kOdZxl	17:12
cmurphy	^ without incomplete bugs	17:12
*** jmlowe has joined #openstack-keystone		17:25
jrosser	if the db_sync one can merge that would be great, because the RDO packages are built with the bug included our gates are wedged up in OSA	17:37
lbragstad	cmurphy i resurrected my tool for generating this report https://pasted.tech/pastes/8a9e42a658ad7b387867d8ec394df9e9dce07d2f.raw	17:42
lbragstad	cmurphy bnemec gagehugo https://etherpad.openstack.org/p/keystone-train-rc-bug-traige	17:43
cmurphy	jrosser: that one is already approved https://review.opendev.org/682447	17:44
jrosser	cmurphy: ah great, should have checked again since I looked last!	17:46
*** jmlowe has quit IRC		18:02
lbragstad	train RC1 bug list https://launchpad.net/keystone/+milestone/train-rc1	18:04
lbragstad	fyi - this is what i used to generate the bug report https://github.com/lbragstad/launchpad-toolkit#recent-bugs	18:06
lbragstad	i had to tinker with dependency versions, but i'm pushing those fixes soo	18:07
lbragstad	soon*	18:07
cmurphy	i'd already been using the bug_report.py part of that but hadn't looked at the other scripts yet :)	18:07
lbragstad	recent_bugs.py needs to be refactored, it's old	18:08
lbragstad	but - it works (kinda?)	18:08
*** jmlowe has joined #openstack-keystone		18:31
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Suppress deprecation warnings in oslopolicy-list-redundant https://review.opendev.org/682117	18:35
*** hemna_ is now known as hemna_afk		18:43
*** Ben78 has joined #openstack-keystone		18:46
*** Krenair has quit IRC		18:47
*** xek_ has joined #openstack-keystone		18:54
*** xek has quit IRC		18:57
openstackgerrit	Gage Hugo proposed openstack/keystone master: Specify keystone is OS user for fernet and credential setup https://review.opendev.org/674725	18:59
gagehugo	^ for https://bugs.launchpad.net/keystone/+bug/1838554	18:59
openstack	Launchpad bug 1838554 in OpenStack Identity (keystone) "Specify keystone is OS user for fernet and credential setup" [Low,In progress] - Assigned to Gage Hugo (gagehugo)	18:59
*** jdwidari has quit IRC		19:01
*** jmlowe has quit IRC		19:08
gyee	cmurphy, lbragstad, shouldn't the removal of an identity provider be automatically cleanup the auto generated federated domain for that IDP as well?	19:17
lbragstad	umm- i think so?	19:17
lbragstad	i thought ron fixed a bug for that a while ago	19:17
gyee	I am seeing a bunch of auto generated federated domains leftover after a tempest run	19:18
gyee	this is stable/rocky btw	19:18
lbragstad	oh - interesting	19:18
gyee	maybe we need to backport a patch or two?	19:18
lbragstad	maybe... i'd see if that's the case with master	19:19
lbragstad	but i thought we had a discussion about cleaning up those domains when an IdP is deleted	19:19
gyee	let me fire up my keystone vagrant and see if this is happening in master branch as well	19:19
cmurphy	gyee: are you seeing it only with tempest or did you verify it with one idp/one domain?	19:20
gyee	I haven't try the second part yet	19:21
gyee	just the tempest ones	19:21
cmurphy	could be tempest doing something weird	19:21
gyee	I do see those delete domains calls in keystone access logs	19:23
lbragstad	actually - it looks like the relationship is the other way around	19:25
Ben78	A Fernet token is smaller than a PKI token because it contains less data. Can someone kindly explain why keystone community did not reduced the content of PKI token and replaced it with Fernet?	19:25
lbragstad	https://opendev.org/openstack/keystone/src/branch/master/keystone/federation/core.py#L52-L54	19:26
lbragstad	Ben78 the PKI implementation in keystone had some other issues that were security concerns - but we could also only make the tokens so small, i don't think it would have been possible to generate a pki token less than 1700 characters	19:27
lbragstad	when we implemented fernet, we compared the size of the two formats and pki token with a single entry in the service catalog would generate 1700 character tokens	19:28
gyee	cmurphy, manually deleting one identity provider from openstack CLI doesn't seem to cleanup the auto generated domain	19:28
lbragstad	gyee if you delete the domain it should clean up the idp	19:28
gyee	lbragstad, why design it this way?	19:29
gyee	from usability stand point, would it be easier for user to just delete the IDP?	19:29
cmurphy	i guess because the domain owns the idp	19:30
cmurphy	it would be like saying delete user should cause the user's domain to be deleted	19:30
cmurphy	but idk	19:31
lbragstad	well - a domain can be used my multiple idps, right?	19:32
lbragstad	by*	19:32
gyee	but this sounds weird, IdP was created before the auto generated domain though	19:32
cmurphy	seems so	19:32
cmurphy	https://opendev.org/openstack/keystone/src/branch/master/keystone/federation/core.py#L71-L77	19:32
cmurphy	the domain is either generated when the idp is created or the idp is created within an existing domain	19:33
lbragstad	yeah - so you could point two idps to the same domain	19:33
lbragstad	in theory	19:33
cmurphy	yeah	19:33
gyee	even with the auto generated ones?	19:33
cmurphy	seems like you could	19:34
gyee	I would think those auto generated ones are 1:1	19:34
cmurphy	create one idp with an autogenerated one, then create another using the same domain	19:34
gyee	alllrighty then, lets fix tempest :-)	19:35
cmurphy	++	19:35
*** problem_v has quit IRC		19:40
*** dtruong has quit IRC		19:40
*** problem_v has joined #openstack-keystone		19:40
*** dtruong has joined #openstack-keystone		19:40
*** spsurya has quit IRC		19:48
*** jmlowe has joined #openstack-keystone		19:48
Ben78	lbragstad: Thanks for the response. You do not store any service catalog in a Fernet token. Why do you need to put service catalog in a PKI token?! If you consider the same data and use the same key size, the size of the both format could be almost the same.	19:57
gyee	Ben78, are you sure they are the same? PKI token have the signature and the ASN.1 overhead. Fernet uses symmetric crypto.	20:15
lbragstad	Ben78 fernet tokens do not contain catalog data	20:16
lbragstad	Ben78 when PKI tokens were originally developed, the whole idea (long term) was to use them at the service and allow for offline validation	20:17
lbragstad	as opposed to having the service put the token on the wire back to keystone to validate, or alternatively have the service fetch the catalog repeatedly	20:17
gyee	and pushing token revocation list was PITA :-)	20:17
lbragstad	yeah - that was a whole other wart from that idea	20:18
lbragstad	Ben78 you can generate pki tokens on releases that support it by using the ?nocatalog query string	20:19
Ben78	lbragstad, gyee: So, the problem was token revocation not the size. Because, the size could be reduced if you eliminate service catalog entries	20:20
lbragstad	size was an attributing factor, for sure	20:21
lbragstad	by default - keystone was issuing tokens that exceed http header limits	20:21
gyee	I remember even with the nocatalog option, some tokens were still exceeding the http header limits	20:22
lbragstad	if you wanted to get around the issue you could recompile apache with settings to bump up that limit	20:23
Ben78	Maybe the newer public crypto scheme like ECDSA could solve it.	20:24
lbragstad	maybe, but at this point there are other open standards that implement that logic	20:25
lbragstad	https://jwt.io/	20:25
lbragstad	before - keystone was handling all the signing and validation locally by shelling out to openssl with subprocess	20:26
lbragstad	at least that's what the PKI implementation did	20:26
lbragstad	that actually introduced a couple of validation/revocation issues for us since we were maintaining that code, but since then there have been improvements in pyca/cryptography and RFCs to standardize token formas	20:27
lbragstad	formats*	20:27
lbragstad	https://www.rfc-editor.org/rfc/rfc7518.html goes into extensive detail on the algorithms used by RFC 7519	20:29
lbragstad	in fact - keystone has a token format today that uses ECDSA	20:29
gyee	lbragstad, really? which token?	20:30
lbragstad	jws	20:30
gyee	oh	20:30
Ben78	Is there a document that explains validation/revocation issues with PKI? (I need to explain to my advisory every detail)	20:31
lbragstad	we had a security advisory for an issue with pki	20:31
Ben78	*advisor	20:32
lbragstad	https://docs.openstack.org/keystone/latest/configuration/config-options.html#token describes the two token formats we offer today (in place of PKI)	20:32
lbragstad	https://docs.openstack.org/keystone/latest/admin/tokens.html helps, too	20:32
lbragstad	https://bugs.launchpad.net/keystonemiddleware/+bug/1490804	20:33
openstack	Launchpad bug 1490804 in OpenStack Security Notes "[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)" [Critical,Fix released] - Assigned to Nathan Kinder (nkinder)	20:33
lbragstad	^ that contains a lot of context	20:33
Ben78	Thanks	20:34
lbragstad	https://bugs.launchpad.net/keystonemiddleware/+bug/1490804/comments/73	20:34
openstack	Launchpad bug 1490804 in OpenStack Security Notes "[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)" [Critical,Fix released] - Assigned to Nathan Kinder (nkinder)	20:35
lbragstad	^ that's a good summary	20:35
cmurphy	lbragstad: i don't think we need to do anything for identity:list_role_assignments_for_tree	20:35
cmurphy	based on your comment https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/role_assignment.py#L52-L58	20:35
cmurphy	rule:admin_required actually seems right	20:36
lbragstad	ok - cool	20:36
lbragstad	i supppose we could simplify it to just "role:admin" thne	20:36
lbragstad	then*	20:36
cmurphy	yeah could do	20:37
cmurphy	i'll do that	20:37
lbragstad	but - if we do that and enforce_scope=False, i assume it will break with system-scoped and domain-scoped tokens	20:37
cmurphy	i think they already can't use that api, if the behavior is based on finding a project id in the token	20:38
lbragstad	ok - coo	20:38
lbragstad	cool*	20:38
cmurphy	we need tests for it too i guess	20:39
lbragstad	Ben78 what release of openstack are you using?	20:40
Ben78	lbragstad: Stein	20:47
*** trident has quit IRC		20:48
lbragstad	Ben78 were you looking to use PKI?	20:48
lbragstad	or was there a particular reason why you were looking into it?	20:48
Ben78	No, I am working on a new token format	20:48
lbragstad	oh - cool	20:49
lbragstad	i assume it does something different than what fernet or jws does?	20:49
cmurphy	lbragstad: i was wrong, the project id comes from a query filter https://opendev.org/openstack/keystone/src/branch/master/keystone/api/role_assignments.py#L91-L93	20:50
Ben78	I need to explain why my Format is better than UUID, PKI, and Fernet. And, now jws ;)	20:50
lbragstad	Ben78 heh - i've had to do that before, good luck!	20:50
lbragstad	:)	20:51
lbragstad	cmurphy that kinda sucks, i was hoping it would have just come from the token	20:51
lbragstad	would have made things easier	20:51
gyee	better has to be in the context of everything, support, troubleshoot, usability, upgrade, etc	20:51
Ben78	lbragstad: thanks!	20:51
gyee	performance, security, everything	20:51
cmurphy	lbragstad: yeah, well makes me think it probably makes sense for system/domain readers to have access to it?	20:51
lbragstad	yeah...	20:52
gyee	we often design features that is good at one thing and suck at others	20:52
lbragstad	cmurphy if it was hard-coded to come from the token, then system and domain users wouldn't really care, we'd just force them to get a project-scoped token	20:52
lbragstad	Ben78 what problems are you hoping to solve with your new token format?	20:52
lbragstad	we still might have some of those problems upstream	20:52
Ben78	lbragstad: bearer token	20:53
lbragstad	aha	20:53
lbragstad	the infamous bearer-token problem	20:53
gyee	lbragstad, anybody uses jws in production right now, just curious about its performance compare to fernet	20:55
Ben78	gyee: Mine improves security. I am little bit worry about the size	20:56
lbragstad	gyee i'm not sure if anyone is using it in production, yet	20:56
lbragstad	Ben78 how did you solve the bearer-token issue, request signing?	20:57
*** pcaruana has quit IRC		20:58
Ben78	lbragstad: Signing request with a trick (without signing request)	20:59
*** trident has joined #openstack-keystone		21:00
lbragstad	is the token format based on symmetric or asymmetric cryptography?	21:00
Ben78	It is based on symmetric crypto	21:00
lbragstad	did you reuse the fernet utilities?	21:00
lbragstad	or did you use another symmetric crypto provider?	21:02
Ben78	What do you mean? Keystone still issues Fernet tokens but users can change tokens in a way that only keystone can validate them	21:02
Ben78	we call it Recursive Augmented Fernet Token (RAFT)	21:03
lbragstad	so does each user get a shared secret key from keystone?	21:04
lbragstad	Ben78 have you open-sourced it?	21:04
lbragstad	i'd love to take a look	21:04
Ben78	No, each user continue to get Fernet token	21:04
*** raildo has quit IRC		21:12
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Fix validation of role assignment subtree list https://review.opendev.org/682750	21:24
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Fix validation of role assignment subtree list https://review.opendev.org/682750	21:30
*** markvoelker has quit IRC		21:35
openstackgerrit	Ben Nemec proposed openstack/oslo.policy master: Suppress deprecation warnings in oslopolicy-list-redundant https://review.opendev.org/682117	21:50
*** jamesmcarthur has quit IRC		22:13
*** xek_ has quit IRC		22:15
*** Krenair has joined #openstack-keystone		22:30
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Allow system/domain scope for assignment tree list https://review.opendev.org/682762	22:54
*** tkajinam has joined #openstack-keystone		23:04
*** markvoelker has joined #openstack-keystone		23:22
*** jamesmcarthur has joined #openstack-keystone		23:24
*** adriant has joined #openstack-keystone		23:35
*** rcernin has joined #openstack-keystone		23:44
*** jamesmcarthur has quit IRC		23:50

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!