Tuesday, 2022-01-11

opendevreviewGrzegorz Grasza proposed openstack/keystone master: Change the min value of pool_retry_max to 1  https://review.opendev.org/c/openstack/keystone/+/82414010:41
*** whoami-rajat__ is now known as whoami-rajat13:36
dmendiza[m]#startmeeting keystone15:00
opendevmeetMeeting started Tue Jan 11 15:00:13 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
opendevmeetThe meeting name has been set to 'keystone'15:00
dmendiza[m]#topic Roll Call15:00
dmendiza[m]Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, ruan_he, wxy, sonuk, vishakha,Ajay, rafaelweingartner, xek15:00
knikollao/15:01
d34dh0r53o/15:01
dmendiza[m]Hi y'all!15:02
* dmendiza[m] is the dev formerly known as redrobot15:02
dmendiza[m]in case anyone is wondering15:02
dmendiza[m]Let's get started.15:02
dmendiza[m]#topic Review Last Year's Action Items15:03
dmendiza[m]#link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-12-07-15.04.html15:03
dmendiza[m]We didn't have any15:03
dmendiza[m]#topic Liaison Updates15:03
dmendiza[m]knikolla: any updates for us?15:03
knikollaNo updates. Still getting back in the rhythm of things after PTO15:03
dmendiza[m]Same15:04
dmendiza[m]Okay, let's move on15:04
dmendiza[m]#topic Specs15:04
*** xek_ is now known as xek15:04
dmendiza[m]Let's start with OAuth 2.0 spec15:04
dmendiza[m]#link https://review.opendev.org/c/openstack/keystone-specs/+/81315215:04
dmendiza[m]Looks like there's a new patch up for review15:05
dmendiza[m]I have not had a chance to look at it yet15:05
dmendiza[m](I just came back from PTO yesterday)15:05
knikollaI haven’t had a chance to review the new patchset either.15:06
h_asahinao/15:07
dmendiza[m]Do we have a spec freeze?  I see Cinder and Manila have Spec freezes in R-15 https://releases.openstack.org/yoga/schedule.html15:07
h_asahinaI'd like to discuss bout that update later15:07
dmendiza[m]hi h_asahina ! 15:08
h_asahinahi15:08
dmendiza[m]Now would be a good time for updates if you have any15:09
dmendiza[m]since OAuth is the current topic15:09
h_asahinaokey15:09
h_asahinaToday I'd like to talk bout four topics as I wrote in the etherpad15:10
h_asahinaThe first three topics are not heavy, which are basically confirmations.15:10
h_asahinaand the last topic is discussion.15:11
h_asahinaThe fist topic is about `scope` function.15:11
h_asahinaWe'd like to omit the scope function of OAuth2.0 in Yoga release. 15:12
h_asahinaThe reason behind this is that the scope definition in OAuth2.0 and that in Application credentials are different and thus we have to further discuss how to map the OAuth scope to Application credentials scope.15:13
h_asahinabut we don't have enough time to do that. So, we've dicided to omit it. If you feel any concern please tell me.15:14
h_asahinaThis is the first topic. any comments?15:15
dmendiza[m]Seems reasonable to reduce the scope (no pun intended) of the implementation for Yoga15:15
knikollaif 'scope' is an optional word in an authentication request for oauth 2.0 client credentials, sure. 15:16
knikollai'll have to reread the spec. my memory is rusty from before the new year's break. 15:16
h_asahinaYes it's an optional parameter. :knikolla.15:17
knikollaok, works for me then. 15:17
h_asahinathanks, I've already removed scope from the spec.15:19
h_asahinaPlease put a comment on the spec if you find a problem on the new version.15:19
h_asahinaSo, I'll move on to the next topic.15:20
h_asahinaThe second topic is about the permission.15:20
h_asahinaAs the OAuth2.0 APIs uses Application credential APIs as its backend, users have to get permissions to access both OAuth2.0 APIs and Application credential APIs. This is the straight forward way to manage the users' permission for the OAuth2.0 that I thought.15:22
h_asahinaDo you agree with this?15:22
h_asahinaIf you have any other options, please kindly tell me.15:23
knikollayeah, the application credentials are created through the application credential api. and authenticating with them will use the oauth 2.0 api, so makes sense. 15:23
h_asahinaThanks.15:24
h_asahinabut please note that we are going to create a new application credential automatically when an OAuth2.0 client is created.15:25
knikollacan you elaborate on that? why does an oauth 2.0 client need to be created and how is that different from an application credential? 15:26
h_asahinaThis is beacuse the OAuth2.0 client has some different attributes like `token_endpoint_auth_method`, `grant_type`, etc, which are not available on the application credentials.15:27
knikollacan you describe what those attributes mean and why they are necessary?15:28
h_asahinaokey. These attributes are necessary to distinguish the grant type basically that is how a client get an OAuth2.0 token.15:30
knikollabut the only grant type that we are supporting is client_credentials15:30
h_asahinayes15:30
h_asahinaIf we'll not extend that in the future, we can fix this to client_credentials15:31
knikollaare there any reasons not to treat all application credentials as clients?15:31
knikollaas in, if an application credentials is created, that can be used to authenticate through the oauth 2.0 api. without the need for new data models. 15:33
h_asahinaIf we make OAuth2.0 general, we should create a new API.15:33
d34dh0r53go 5515:33
d34dh0r53oops, sorry15:33
h_asahinathat what I thought. 15:34
h_asahinabut maybe you're right. 15:34
knikollaif we start implementing more grant types, yes. But that requires further thought in how to map the attributes between the two.15:35
knikollaespecially with regards to how to convey projects and roles, for which oauth 2.0 is very vague about. 15:36
knikollaapplication credentials already carry all the authorization information that we need and map very cleanly to client credentials. 15:36
h_asahinaI see. That's true. We don't have to implement redundant APIs for the future. 15:36
knikollaso, in my opinion, for now it's sufficient to just provide an authentication API for application credentials that looks like Oauth 2.0. 15:36
h_asahinaGot it. I'll discuss it with our development team.15:37
knikollaThanks. I'm just trying to reduce the attack surface that implementing a new authentication type introduces. 15:38
knikollaBut if there are obvious benefits to going all in and implementing more general oauth 2.0, i'm open to it. 15:38
h_asahinaThanks. I basically agree with your suggestion.15:39
knikollaThough I think we should be conservative about such an approach given out very small team size. 15:39
knikollaAnd I'd prefer starting with adding support for oidc in keystonemiddleware and bypassing keystone entirely, haha. 15:39
knikollafor that thing in specific. 15:39
h_asahinaActually, it's benefit for us as the implementation gets easier.15:40
h_asahinaokey, thanks. I'd like to move on to the next.15:41
h_asahinaThe third topic is the API endpoint.15:42
h_asahinaIn the current spec, I wrote `/identity/v3/auth/OS-OAUTH2/clients` as an endpoint URL for the OAuth2.0. is it okey?15:42
h_asahinaother options can be i)  `/identity/v3/auth/OS-OAUTH2/<user_id>/clients` ii) `/identity/v3/users/{user_id}/OS-AUTH2/clients`.15:43
h_asahinaCould you give me your opinion as it affects to keystone users.15:44
knikollaFor the authentication request? 15:44
h_asahinaAh, sorry, a token request considering the today's discussion.15:45
dmendiza[m]What is the benefit of having the user_id in the URL?  Is it not present in the body of the request?15:45
dmendiza[m]or can it not be inferred from the body of the request?15:45
h_asahinaI thought body doesn't contain user_id but we can obtain it from X-Auth-Token at least.15:46
h_asahinaThe reason why we put user_id is just following the URL of Application credentials.15:46
knikollaThat would have been for the CRUD of OAuth 2.0 requests, at this point we just need to decide on what we'll be the `token_endpoint` for OAuth 2.0. 15:47
knikollaAs that's the only API that is needed after today's discussion. 15:47
h_asahinaYes indeed. 15:48
knikollaPart of me thinks it shouldn't be in /v3 at all, as this is part of the OAuth 2.0 API, not the OpenStack Identity v3 API. 15:48
knikollaBut that might be troublesome given the auth_url usually including v3 in the path. 15:49
knikollaBut in this case it wouldn't be openstack clients authenticating, so maybe it doesn't matter. 15:49
h_asahinabut we'll implement token endpoint inside the keystone as well as the existing OAuth1.0 APIs. In this case, it's still better to remove v3?15:52
h_asahinahttps://docs.openstack.org/api-ref/identity/v3-ext/#os-oauth1-api15:53
knikollaperhaps /v3/auth/tokens, then. since oauth1.0 is using that as well? 15:53
knikollaor v3/OS-AUTH2/tokens15:54
knikollaor v3/oidc/tokens15:54
knikollaI'm don't have a strong opinion.15:55
h_asahina/v3/auth/tokens or v3/OS-AUTH2/tokens sound reasonable.15:55
h_asahinaIf it doesn't serious problem I'll choose from one of them.15:55
h_asahinait isn't15:55
dmendiza[m]5 minute warning15:56
knikollaI don't feel strongly about any of them.15:56
h_asahinaokey.15:56
dmendiza[m]We're almost out of time.15:57
dmendiza[m]h_asahina: maybe we can continue this next week, or after the meeting.15:58
h_asahinagot it. we don't have to discuss the last topic as it is soleved by today's discussion.15:58
dmendiza[m]Great15:58
knikollacool! 15:58
dmendiza[m]Thanks for joining, everyone!15:58
d34dh0r53I have something really quick, I'd like to host another reviewathon this Friday, the 14th.  Please let me know if you're interested15:58
dmendiza[m]#endmeeting15:58
opendevmeetMeeting ended Tue Jan 11 15:58:43 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:58
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-11-15.00.html15:58
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-11-15.00.txt15:58
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-11-15.00.log.html15:58
h_asahinathanks a lot. bye15:58
dmendiza[m]d34dh0r53: count me in for review-a-thon15:59
knikollad34dh0r53: sounds great! 15:59
knikollaoutside of 10-12 EST, i'm free. 15:59
d34dh0r53ack, thanks knikolla 16:00
d34dh0r53I'll send out the invite shortly16:00

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!