Friday, 2022-01-28

05:21 <opendevreview> Hiromu Asahina proposed openstack/keystone-specs master: OAuth2.0 Client Credentials Grant Flow Support  https://review.opendev.org/c/openstack/keystone-specs/+/813152
13:30 *** dasm|off is now known as dasm
13:31 *** dasm is now known as dasm|rover
14:06 <Muran> Hey. I ran into a bug in communication between octavia and keystone. I'm not sure where to file it or how we want to fix it, as I don't have all the background. I have, however, tracked down where in the code it happens. It occurs if you try to add a terminated_https listener when you are authenticated using application credentials. What happens is that Octavia sends a token request to keystone with methods: token and
14:06 <Muran> token.id set. In keystone, it dynamically adds application_credential as a method, then fails with a 500 error when trying to read application_credential['id'] from the payload. For me it makes little sense that keystone, after it itself added application_credential to methods, enforces that you use it. If the client, octavia in this case, asks for the "token" method, shouldn't it be allowed to do so?
14:07 <Muran> Octavia creates the payload here: https://opendev.org/openstack/octavia/src/branch/master/octavia/certificates/common/auth/barbican_acl.py#L87
14:08 <Muran> And here is where keystone adds application_credential to methods and then fails when trying to read payload.application_credential.id: https://opendev.org/openstack/keystone/src/branch/master/keystone/api/_shared/authentication.py#L206-L212
14:17 <Muran> I guess the main question is whether it's ok for a client to authenticate using a token ID that was created from an application secret. If that is the case, the keystone code needs to be changed a bit. It's fine to add application_secret as a method, but it should only use it if it actually receives said credentials in the payload.
14:57 <opendevreview> Grzegorz Grasza proposed openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string  https://review.opendev.org/c/openstack/keystone/+/819477
20:23 <opendevreview> Merged openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string  https://review.opendev.org/c/openstack/keystone/+/819477
21:47 *** dasm|rover is now known as dasm|off

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!