opendevreview | Yusuke Niimi proposed openstack/keystone master: Add doc of OAuth2.0 Client Credentials Grant Flow https://review.opendev.org/c/openstack/keystone/+/838108 | 00:40 |
---|---|---|
alistarle | d34dh0r53 We add the spec about the project_json mapping attribute in the today meeting agenda: https://review.opendev.org/c/openstack/keystone-specs/+/748748 | 09:17 |
alistarle | we found this spec can be merged standalone (without a schema versioning) because it doesn't break anything and only adds a new field, and we also propose a simple and working implementation: https://review.opendev.org/c/openstack/keystone/+/844098 to move on with this topic | 09:18 |
alistarle | let us know if you want more information about the topic before the meeting :) | 09:20 |
*** dviroel|out is now known as dviroel | 11:37 | |
*** dasm|off is now known as dasm | 13:04 | |
*** dviroel is now known as dviroel|biab | 13:52 | |
*** dviroel|biab is now known as dviroel | 14:21 | |
stephenfin | zzzeek_: When you've a moment, can you respond to Grzegorz here? As far as I'm aware (from the docs), batch mode only has an effect with SQLite https://review.opendev.org/c/openstack/keystone/+/825844/comment/0a4df7ae_592dc8be | 14:35 |
zzzeek_ | stephenfin: in a meeting atm, will look in a while | 14:36 |
stephenfin | no rush (y) | 14:36 |
*** dviroel is now known as dviroel|afk|lunch | 14:52 | |
dmendiza[m] | #startmeeting keystone | 15:00 |
opendevmeet | Meeting started Tue Jun 28 15:00:59 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'keystone' | 15:00 |
dmendiza[m] | #topic Roll Call | 15:01 |
xek | o/ | 15:01 |
h_asahin1 | o/ | 15:02 |
knikolla | o/ | 15:02 |
dmendiza[m] | Hi y'all! | 15:02 |
dmendiza[m] | as usual the agenda is over here: | 15:02 |
dmendiza[m] | #link https://etherpad.opendev.org/p/keystone-weekly-meeting | 15:02 |
*** h_asahina is now known as Guest3528 | 15:02 | |
*** h_asahin1 is now known as h_asahina | 15:02 | |
dmendiza[m] | #topic Review Past Meeting Action Items | 15:03 |
dmendiza[m] | #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-06-21-15.03.html | 15:03 |
dmendiza[m] | > dmendiza[m] to try to run keystone from a fresh clone | 15:03 |
* dmendiza[m] kicks the can down the road again | 15:04 | |
dmendiza[m] | #action dmendiza[m] to try to run keystone from a fresh clone | 15:04 |
dmendiza[m] | #topic Liaison Updates | 15:04 |
dmendiza[m] | I don't have any updates | 15:05 |
dmendiza[m] | #topic OAuth 2.0 | 15:05 |
dmendiza[m] | h_asahina: any updates this week? | 15:05 |
h_asahina | yes. I have two questions | 15:06 |
h_asahina | I've confirmed the feasibility of the credentials API | 15:06 |
h_asahina | I'd like to confirm whether my understanding is correct or not. | 15:07 |
dmendiza[m] | sure | 15:08 |
h_asahina | thanks, I think this API basically creates the credential for a user. | 15:08 |
h_asahina | which means a user can register its own certificate to the DB with this API. Am I correct? | 15:09 |
h_asahina | In my understanding, it works like the AWS secret manager. | 15:10 |
h_asahina | though the difference from barbican is not clear to me. | 15:11 |
dmendiza[m] | knikolla: ^^ 🤔 | 15:11 |
knikolla | In a world before barbican, and in which nova also supported an EC2-compatible API, keystone needed (and still needs for Swift's S3 API) a way to support authenticating like in AWS | 15:11 |
knikolla | So I think the Credential API was created to allow a way to create EC2 credentials for a user | 15:12 |
knikolla | I don't think we're using it for anything else, but the way the API was written, is a bit more general purpose. | 15:12 |
h_asahina | that's why it also supports certificates? | 15:13 |
knikolla | Perhaps? | 15:15 |
knikolla | I would have to look at the code and try to figure out what it does with the payload | 15:15 |
knikolla | I'm not familiar with that part of Keystone | 15:15 |
dmendiza[m] | I should probably take a look and we can check back next week | 15:16 |
* dmendiza[m] is also not familiar | 15:16 | |
h_asahina | alright. that's not important for us. it's okay. | 15:16 |
h_asahina | the important thing for us is how to manage an OAuth2.0 client with this API. | 15:17 |
h_asahina | In OAuth2.0, the credentials are created for a client but not for a user. | 15:17 |
h_asahina | In this sense, we have to use the ``id`` of the credential created by the credentials API as the ``client id``. does that make sense? | 15:18 |
knikolla | yes, in your case "a client" would be "a credential" | 15:18 |
h_asahina | thanks. that's what I wanted to confirm. | 15:19 |
dmendiza[m] | Cool. | 15:20 |
h_asahina | naturally the second question is gone, but let me confirm just in case. | 15:20 |
dmendiza[m] | OK, anything else on this topic? | 15:20 |
knikolla | unfortunately, everything in openstack is a user, and introducing the concept of a client that is separate from the user would have unintended consequences. | 15:20 |
h_asahina | sorry I have one more question | 15:20 |
dmendiza[m] | go ahead | 15:21 |
h_asahina | what is the reason for encrypting certificates? | 15:21 |
knikolla | you mean certificates uploaded through the credential api? | 15:22 |
h_asahina | yes | 15:22 |
h_asahina | I think the certificate itself can be public | 15:22 |
knikolla | i think it's because it doesn't make any assumptions about the credential being uploaded | 15:22 |
knikolla | it can be a plain-text password, it can be a symmetric key, it can be PKI | 15:22 |
knikolla | so it just encrypts everything anyway | 15:23 |
h_asahina | I see. so even if it might not be needed, the certificates are also encrypted. | 15:24 |
knikolla | yeah, because credentials are just stored as a json blob if I remember correctly | 15:24 |
h_asahina | yes, it can also be plain text. so there's a risk that a user puts sensitive information there. | 15:26 |
h_asahina | ok, thank you very much. everything has become clear. I think I can update the spec this week. | 15:27 |
knikolla | glad i could help :) | 15:27 |
dmendiza[m] | Awesome | 15:27 |
dmendiza[m] | OK, moving on | 15:28 |
dmendiza[m] | #topic Keystone identity mapping to support project definition as a JSON | 15:28 |
alistarle | Hi :) | 15:28 |
dmendiza[m] | I'm not sure who added this to the agenda? 🤔 | 15:28 |
alistarle | It's me, we talked about it with d34dh0r53, but he doesn't seem to be here | 15:29 |
alistarle | he asked us to bring back this spec before our patches get merged | 15:29 |
dmendiza[m] | Gotcha | 15:30 |
d34dh0r53 | sorry, tied up in an escalation | 15:30 |
dmendiza[m] | OK, we'll review the spec for the next reviewathon | 15:30 |
d34dh0r53 | dmendiza[m]: I forwarded you the email about this | 15:30 |
dmendiza[m] | d34dh0r53: ack, I'll read up on it | 15:32 |
alistarle | when is the next reviewathon then? | 15:32 |
alistarle | Indeed it would be good to have your opinion about this spec :) | 15:32 |
dmendiza[m] | alistarle: reviewathons are on Fridays ... not sure about the exact UTC time | 15:36 |
dmendiza[m] | d34dh0r53: what was the UTC time for the reviewathons? | 15:36 |
d34dh0r53 | dmendiza[m]: 15:00 | 15:37 |
d34dh0r53 | alistarle: ^ | 15:37 |
alistarle | oh nice | 15:37 |
alistarle | looks good to us to discuss that on Friday, yes | 15:38 |
dmendiza[m] | cool | 15:39 |
dmendiza[m] | we usually post the link here to the Google Meet video chat | 15:39 |
dmendiza[m] | OK, moving on ... | 15:40 |
dmendiza[m] | #link Gate inherited assignments from parent (bbobrov) | 15:40 |
dmendiza[m] | Any updates on this? | 15:40 |
dmendiza[m] | Sounds like no updates | 15:42 |
dmendiza[m] | next | 15:43 |
dmendiza[m] | #topic Secure RBAC | 15:43 |
dmendiza[m] | we still have some work to do for the Zed cycle | 15:43 |
dmendiza[m] | I haven't seen any updates on the pop-up meetings so far | 15:43 |
dmendiza[m] | #topic Open Discussion | 15:47 |
dmendiza[m] | Anything else y'all want to talk about before we look at bugs? | 15:47 |
dmendiza[m] | #topic Bug Review | 15:50 |
dmendiza[m] | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:55 |
dmendiza[m] | Hot off the bug press | 15:55 |
dmendiza[m] | #link https://bugs.launchpad.net/keystone/+bug/1980058 | 15:55 |
dmendiza[m] | > Openstack keystone LDAP integration | openstack user list --domain domain.com | Internal server error (HTTP 500) | 15:56 |
xek | > ldap.FILTER_ERROR: {'result': -7, 'desc': 'Bad search filter', 'ctrls': []} | 15:58 |
xek | that might be a misconfiguration of some kind | 15:58 |
xek | it's an AD server | 15:58 |
xek | so it might be hard to replicate | 15:59 |
xek | I'll post a comment in the bug | 16:01 |
dmendiza[m] | Thanks, xek | 16:02 |
dmendiza[m] | And that's time | 16:02 |
dmendiza[m] | thanks for joining, everyone! | 16:02 |
dmendiza[m] | #endmeeting | 16:02 |
opendevmeet | Meeting ended Tue Jun 28 16:02:14 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:02 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-06-28-15.00.html | 16:02 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-06-28-15.00.txt | 16:02 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-06-28-15.00.log.html | 16:02 |
*** dviroel|afk|lunch is now known as dviroel | 16:23 | |
*** dasm is now known as dasm|afk | 19:34 | |
*** dviroel is now known as dviroel|out | 21:19 | |