*** dviroel|out is now known as dviroel | 01:56 | |
*** dviroel is now known as dviroel|out | 02:18 | |
*** h_asahin2 is now known as h_asahina | 08:00 | |
*** dviroel|out is now known as dviroel|rover | 11:29 | |
*** dasm|off is now known as dasm | 13:02 | |
opendevreview | Miguel Garcia proposed openstack/python-keystoneclient master: Regenerate example certificates using sha256 digest algorithm https://review.opendev.org/c/openstack/python-keystoneclient/+/849536 | 14:04 |
dmendiza[m] | #startmeeting keystone | 15:00 |
opendevmeet | Meeting started Tue Jul 12 15:00:38 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'keystone' | 15:00 |
dmendiza[m] | #topic Roll Call | 15:00 |
knikolla | o/ | 15:01 |
dmendiza[m] | Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek | 15:01 |
dmendiza[m] | As usual the agenda is over here | 15:01 |
h_asahina | o/ | 15:01 |
dmendiza[m] | #link https://etherpad.opendev.org/p/keystone-weekly-meeting | 15:01 |
d34dh0r53 | o/ lurking, in another meeting | 15:01 |
dmendiza[m] | Cool, let's get started | 15:02 |
dmendiza[m] | #topic Review Past Meeting Action Items | 15:03 |
dmendiza[m] | #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-07-05-15.11.html | 15:03 |
dmendiza[m] | I'm still kicking this can down the road | 15:04 |
dmendiza[m] | #action | 15:04 |
dmendiza[m] | dmendiza[m] to try to run keystone from a fresh clone | 15:04 |
dmendiza[m] | #action dmendiza[m] to try to run keystone from a fresh clone | 15:04 |
dmendiza[m] | #topic Liaison Updates | 15:05 |
dmendiza[m] | This week is milestone Zed-2 week | 15:05 |
dmendiza[m] | #link https://releases.openstack.org/zed/schedule.html | 15:06 |
dmendiza[m] | I haven't seen any automatic patches come through for the release | 15:07 |
dmendiza[m] | but I haven't looked very hard | 15:07 |
dmendiza[m] | I'll make sure we get a release out this week. | 15:07 |
dmendiza[m] | #action dmendiza[m] to make sure we get a Zed-2 release out | 15:07 |
dmendiza[m] | Any questions/comments about Zed-2 ? | 15:07 |
dmendiza[m] | OK, moving on | 15:10 |
dmendiza[m] | #topic OAuth 2.0 | 15:10 |
dmendiza[m] | h_asahina: any updates this week? | 15:10 |
h_asahina | yes, i've updated the patch. | 15:10 |
h_asahina | https://review.opendev.org/c/openstack/keystone-specs/+/843765 | 15:10 |
h_asahina | according to the comments you all gave me. | 15:11 |
dmendiza[m] | Oh great. | 15:11 |
dmendiza[m] | We didn't have a reviewathon last week, but I'm happy to see xek_ was able to review it | 15:11 |
dmendiza[m] | We'll look at it again this week for the Reviewathon hopefully | 15:11 |
h_asahina | thanks | 15:12 |
h_asahina | do you have any comments now? | 15:12 |
h_asahina | or questions | 15:12 |
dmendiza[m] | I don't have any yet ... (haven't had a chance to dig into the spec) | 15:13 |
dmendiza[m] | knikolla: ? | 15:13 |
knikolla | no unfortunately | 15:14 |
h_asahina | okay. please do it on the gerrit if you have any. I'll update the patch asap after you comment on it. | 15:15 |
dmendiza[m] | Thanks h_asahina | 15:16 |
dmendiza[m] | #topic Secure RBAC | 15:16 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/governance/+/847418 | 15:16 |
dmendiza[m] | Just making sure y'all keep an eye out for this review | 15:16 |
dmendiza[m] | Looks like gmann is working through another set of refinements for the SRBAC goal | 15:17 |
dmendiza[m] | OK moving on | 15:19 |
dmendiza[m] | #topic Gate inherited assignments from parent (bbobrov) | 15:20 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-specs/+/334364 | 15:20 |
dmendiza[m] | bbobrov: around? | 15:20 |
dmendiza[m] | Looks like a no | 15:22 |
dmendiza[m] | let's move on | 15:22 |
dmendiza[m] | #topic Keystone identity mapping to support project definition as a JSON | 15:22 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 | 15:22 |
dmendiza[m] | rafaelweingartner: around? | 15:23 |
dmendiza[m] | Looks like also no | 15:24 |
dmendiza[m] | OK, let's move on to the bug review | 15:25 |
dmendiza[m] | #topic Bug Review | 15:25 |
dmendiza[m] | There's a downstream bug I wanted to get your opinion on knikolla | 15:25 |
dmendiza[m] | The use case is: User has an application credential that expires in 5 minutes | 15:26 |
dmendiza[m] | Within those 5 min the user uses the appcred to get a token | 15:26 |
dmendiza[m] | the token is issued with the default token duration in keystone.conf (default 1hr) | 15:27 |
dmendiza[m] | From the bug reporter's point of view, this is an issue because the user is able to extend their access by the default token duration | 15:28 |
dmendiza[m] | knikolla: is it reasonable to expect that tokens issued using an appcred should expire at the same time the appcred expires | 15:28 |
dmendiza[m] | ? | 15:28 |
knikolla | good question. | 15:29 |
knikolla | the application credential is an authentication method, therefore a user can authenticate until that method is valid. | 15:30 |
knikolla | a different question would be, does changing a user's password invalidate a user's tokens? | 15:30 |
d34dh0r53 | hmm | 15:32 |
dmendiza[m] | Gut feeling is yes | 15:32 |
dmendiza[m] | let's say you're changing the pw because you think the old pw might be compromised | 15:33 |
d34dh0r53 | yeah, you don't want old tokens being able to change the password again | 15:33 |
dmendiza[m] | in that case you'd want any outstanding tokens to be invalidated to make sure no one else is using your account | 15:33 |
knikolla | d34dh0r53: you also need the old password to change the password, just a token is not enough IIRC | 15:34 |
d34dh0r53 | ahh, I was just thinking about that, but regardless what dmendiza[m] said also applies | 15:34 |
dmendiza[m] | You kind of see it in some services that let you "sign out everywhere" when you change your pw | 15:35 |
knikolla | if changing a password (invalidating an old authentication method) revokes tokens, then i think there is a good argument for expiring app creds to revoke tokens. | 15:35 |
knikolla | (less about the general case, and more about the keystone case) | 15:35 |
dmendiza[m] | Yeah, that's a good argument. | 15:35 |
dmendiza[m] | OK, I was on the fence on this one, but you've convinced me that we should probably fix that | 15:36 |
*** dviroel|rover is now known as dviroel|rover|biab | 15:36 | |
dmendiza[m] | Moving on to upstream bugs ... | 15:37 |
dmendiza[m] | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:37 |
dmendiza[m] | #link https://bugs.launchpad.net/keystone/+bug/1981365 | 15:39 |
dmendiza[m] | > Do not allow updating ephemeral users attributes via API | 15:39 |
dmendiza[m] | Seems pretty straightforward | 15:40 |
knikolla | seems expected behavior to me | 15:40 |
knikolla | idp is the source of truth | 15:40 |
dmendiza[m] | This could be a good one for d34dh0r53 since he's our Federation guy. | 15:41 |
d34dh0r53 | ack | 15:41 |
knikolla | i'm against it | 15:41 |
dmendiza[m] | 🤔 | 15:42 |
knikolla | i think a documentation fix is more appropriate. the linked spec also proposes changing the api in a non backwards compatible way. | 15:43 |
knikolla | the fundamental thing to understand is that the IdP is the source of truth, it SHOULD overwrite | 15:43 |
knikolla | the CRUD API for federation is there mostly to provide a way to create users ahead of time and query them. | 15:44 |
dmendiza[m] | Hmm... I need to look into the API more to have an educated opinion. Is the API used for both regular users and federated users? | 15:44 |
knikolla | yes | 15:45 |
knikolla | you can modify a user's "federation attributes" | 15:45 |
knikolla | hence turning a normal user into a federated user | 15:45 |
knikolla | there is no practical difference between an ephemeral user and a normal user created from the API with federated attributes. | 15:46 |
dmendiza[m] | > changing the api in a non backwards compatible way | 15:55 |
dmendiza[m] | Is that because there would be a new response status? 🤔 | 15:55 |
knikolla | yes, for a specific type of API call the behavior would change | 15:56 |
knikolla | but outside of that, i disagree with the direction | 15:57 |
dmendiza[m] | K, | 15:59 |
dmendiza[m] | Can you leave a comment on the bug? | 15:59 |
dmendiza[m] | And that's all the time we have | 15:59 |
knikolla | will do | 15:59 |
dmendiza[m] | Thanks for joining, y'all! | 15:59 |
dmendiza[m] | #endmeeting | 16:00 |
opendevmeet | Meeting ended Tue Jul 12 16:00:04 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:00 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-07-12-15.00.html | 16:00 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-07-12-15.00.txt | 16:00 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-07-12-15.00.log.html | 16:00 |
d34dh0r53 | thanks all! | 16:00 |
d34dh0r53 | hopefully we'll see y'all at the reviewathon, let me know if you'd like an invite :) | 16:00 |
*** frickler is now known as frickler_pto | 16:00 | |
*** dviroel|rover|biab is now known as dviroel|rover | 16:42 | |
opendevreview | Pavlo Shchelokovskyy proposed openstack/keystonemiddleware master: Adapt to fixtures 4.x https://review.opendev.org/c/openstack/keystonemiddleware/+/849581 | 20:16 |
opendevreview | Pavlo Shchelokovskyy proposed openstack/keystonemiddleware master: Configure audit message publisher https://review.opendev.org/c/openstack/keystonemiddleware/+/848295 | 20:17 |
*** dasm is now known as dasm|off | 22:14 | |