Wednesday, 2024-04-17

« Tuesday, 2024-04-16 Index Thursday, 2024-04-18 »
*** mhen_ is now known as mhen01:13
opendevreviewMatúš Jenča proposed openstack/keystonemiddleware master: Support Redis and Redis Sentinel Cache  https://review.opendev.org/c/openstack/keystonemiddleware/+/91587208:35
opendevreviewTakashi Kajinami proposed openstack/keystone master: Remove tempest plugin directory  https://review.opendev.org/c/openstack/keystone/+/91605209:23
opendevreviewMarkus Hentsch proposed openstack/keystone-specs master: Add identity spec for domain-manager role  https://review.opendev.org/c/openstack/keystone-specs/+/90317212:44
opendevreviewMarkus Hentsch proposed openstack/keystone-specs master: Add identity spec for domain-manager role  https://review.opendev.org/c/openstack/keystone-specs/+/90317212:47
opendevreviewMarkus Hentsch proposed openstack/keystone-specs master: Add identity spec for domain-manager role  https://review.opendev.org/c/openstack/keystone-specs/+/90317212:49
opendevreviewMarkus Hentsch proposed openstack/keystone-specs master: Add identity spec for Domain Manager persona  https://review.opendev.org/c/openstack/keystone-specs/+/90317212:54
dmendiza[m]🙋15:02
mhen\o/15:02
dmendiza[m]d34dh0r53 👋15:03
gtemaisn't it 1 hour too late or is my clock wrong?15:03
blarnatho15:03
bbobrovah the sweet post-clock-change moments15:04
dmendiza[m]gtema: possibly? 🤔  My work calendar has an entry for now.15:04
dmendiza[m]But that could be wrong.15:04
* dmendiza[m] checks the officiall listing15:04
mhenhttps://meetings.opendev.org/#Keystone_Team_Meeting15:04
mhenit says 15 UTC15:04
mhenand web search says that is right now15:04
dmendiza[m]#link https://meetings.opendev.org/#Keystone_Team_Meeting15:04
dmendiza[m]JINX!15:04
*** blarnath is now known as d34dh0r5315:04
d34dh0r53freaking nickserv15:05
gtemahmm, ok15:05
d34dh0r53sorry15:05
d34dh0r53#startmeeting keystone15:05
opendevmeetMeeting started Wed Apr 17 15:05:21 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:05
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:05
opendevmeetThe meeting name has been set to 'keystone'15:05
d34dh0r53#topic roll call15:05
xeko/15:05
mheno/15:05
dmendiza[m]🙋‍♂️15:05
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema15:05
bbobrov\o15:06
d34dh0r53o/15:06
d34dh0r53#topic review past meeting work items15:06
d34dh0r53no updates from me15:07
d34dh0r53#action d34dh0r53 Look into adding/restoring a known issues section to our documentation15:07
d34dh0r53#action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation15:08
d34dh0r53next up15:08
d34dh0r53#topic liaison updates15:08
d34dh0r53nothing from VMT15:08
d34dh0r53nor releases15:08
d34dh0r53moving on to specifications15:09
d34dh0r53#topic specification OAuth 2.0 (hiromu)15:09
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext15:09
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability15:09
d34dh0r53External OAuth 2.0 Specification15:09
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/86155415:09
d34dh0r53OAuth 2.0 Implementation15:09
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls15:09
d34dh0r53OAuth 2.0 Documentation15:09
d34dh0r53#link https://review.opendev.org/c/openstack/keystone/+/83810815:09
d34dh0r53#link https://review.opendev.org/c/openstack/keystoneauth/+/83810415:09
d34dh0r53did anyone see hiromu or anyone from Tacker at the PTG?15:10
d34dh0r53Tacker did not have a session that I saw15:10
d34dh0r53welp, if you see hiromu or anyone from Tacker online have them ping me15:12
d34dh0r53next up15:12
d34dh0r53#topic specification Secure RBAC (dmendiza[m])15:12
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:12
d34dh0r532024.1 Release Timeline15:12
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:12
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:12
d34dh0r53#link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)15:12
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)15:13
d34dh0r53#link ttps://review.opendev.org/c/openstack/tempest/+/91248915:13
dmendiza[m]Things are looking good15:13
dmendiza[m]most of the patches I've submitted have merged15:13
dmendiza[m]I want to say we are again enforcing the SRBAC job in Keystone which is great15:13
dmendiza[m]The only outstanding patch I have is for Tempest where I enable SRBAC on Keystone15:14
dmendiza[m]#link https://review.opendev.org/c/openstack/tempest/+/91248915:14
d34dh0r53I just reviewed that one15:14
dmendiza[m]Got one +2 for now (thanks gmann!)15:14
dmendiza[m]d34dh0r53: thanks!15:14
d34dh0r53I need to figure out the correct way to release keystone-tempest-plugin15:14
dmendiza[m]That's all for now15:14
d34dh0r53thanks dmendiza[m] 15:14
dmendiza[m]I still have not caught up on SRBAC PTG things15:14
d34dh0r53next up15:14
dmendiza[m]so maybe more next week15:14
d34dh0r53#topic specification Improve federated users management (gtema)15:15
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews15:15
gtemaI am stuck in a conflict with the spec author15:15
gtemaI think the proposed API change is dangerous and error prone while he apparently not sees the problem15:16
gtemaapparently someone from cores need to step up to decide15:17
d34dh0r53yeah, reading the thread now15:19
d34dh0r53we'll discuss this in the reviewathon this Friday15:20
bbobrovdo i understand correctly, that the author proposes to get projects and assignments as a json from an IdP?15:20
gtemayes15:20
gtemabut the point is HOW15:21
gtemathere is "projects" field15:21
gtemaand he proposes adding projects_json field which will be string and merged in Keystone15:21
gtemaINSTEAD of making "projects" field being oneOf: [object, string]15:21
d34dh0r53I'm going to defer this to the reviewathon, I'd really like to hear the other cores opinion on this one15:25
gtemaok, thks. Just for reference: all OpenStack apis are relying on polymorphism15:26
gtemaand here it is proposed to go back to "counter_str" and "counter_int" style15:26
d34dh0r53that's a good point15:27
gtemaand especially splitting user data between static config on the Keystone side and data coming from external IdP and merge it is especially dangerous15:27
gtemapurpose of the changes in the ephemeral users mgmt is to have 1 system (external IdP) responsible for the data15:28
gtemasplitting it feels like a knife in the back during the security audits15:29
gtemaok, we can go on15:30
d34dh0r53food for thought15:31
d34dh0r53moving on15:31
d34dh0r53#topic specification OpenAPI support (gtema)15:32
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/91058415:32
gtemai checked, stephenfin linked my spec for PTG, so we are really talking about singe thing and single spec15:32
d34dh0r53ack, this spec is the only one now, correct?15:33
gtemaright15:33
d34dh0r53cool15:33
gtemameans: spec is there and needs reviews15:34
d34dh0r53will do15:34
gtemathks15:35
d34dh0r53np15:35
d34dh0r53#topic open discussion15:35
d34dh0r53passlib update15:35
d34dh0r53The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug15:35
d34dh0r53#link https://foss.heptapod.net/python-libs/passlib/-/issues/19015:35
d34dh0r53Targeted to 1.7.515:35
d34dh0r53I pinged on the bug again last week for an update on 1.7.5 and we still don't have one15:36
d34dh0r53The maintainer really needs to hand over the reigns to someone15:36
gtemayupp15:36
d34dh0r53I'll continue to ping in the issue15:37
bbobrovinternet_infrastructure_and_overworked_maintainer.jpg15:37
d34dh0r53domain manager (mhen)15:37
d34dh0r53https://review.opendev.org/c/openstack/keystone-specs/+/90317215:37
d34dh0r53addressed review comments15:37
d34dh0r53rebased on 2024.1, renamed to domain-manager-persona (from "...-role")15:37
mhenas mentioned in the PTG this one needs new reviews15:38
mhenI rebased it and also cleaned up existing comments15:38
d34dh0r53ack, I didn't look but it failed some checks15:38
gtematoday I looked at it and I feel like it again talks about ...-role15:38
mhenwait ... did I mess up?15:39
gtemai think so15:39
gtemathe file got renamed, but the content tells different15:39
mhenoh shoot15:39
mhenthanks for bringing this up15:39
mhensomething got rolled back during my git-review commands it seems15:40
gtemasure15:40
mhenwill clear this up asap15:40
mhenyea sorry about that, I will fix it - we can move on15:41
d34dh0r53thank you mhen 15:42
d34dh0r53next up15:42
d34dh0r53domain list scoping fix (mhen)15:42
d34dh0r53the main fix was merged a while ago: https://review.opendev.org/c/openstack/keystone/+/90002815:42
d34dh0r53Q: is https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 still applicable?15:42
d34dh0r53it would have been a necessary adjustment to the tempest tests after the above merge but tests have been restructured in the meantime (mentioned at PTG)15:42
d34dh0r53this is a question for dmendiza[m] 15:42
d34dh0r53he might not be around, I still need to talk with him about the next topic so I'll raise this as well15:45
d34dh0r53policy API and OS-ENDPOINT-POLICY15:45
d34dh0r53policy API is deprecated15:45
d34dh0r53OS-ENDPOINT-POLICY depends on it15:45
d34dh0r53what is the status?15:45
d34dh0r53as I mentioned dmendiza[m] and I need to talk about this question, I'll have a meeting with him this afternoon15:45
bbobrovall right!15:46
d34dh0r53Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)15:46
d34dh0r53https://bugs.launchpad.net/keystone/+bug/205978015:46
d34dh0r53https://review.opendev.org/c/openstack/keystone/+/91475915:46
tkajinamI'm unsure if this was covered in the past meeting, but I wanted to make sure you are aware of this problem since you were talking about enforcing scope by default15:46
tkajinamI started testing heat with new defaults/scope enforcement enabled in all services and this is the first problem I'm hitting now. I suspect there can be a few more domain admin rules we have to fix but I'll test the scenario further to catch these15:47
tkajinamfyi. This is the problem I raised during the RBAC session during the last ptg, in case you were there.15:49
d34dh0r53thank you for the awareness tkajinam 15:49
d34dh0r53I missed the RBAC session15:49
d34dh0r53unfortunately, really kicking myself for missing that15:49
opendevreviewMarkus Hentsch proposed openstack/keystone-specs master: Add identity spec for Domain Manager persona  https://review.opendev.org/c/openstack/keystone-specs/+/90317215:49
tkajinamno problem :-)15:50
d34dh0r53I've added dmendiza[m] as a reviewer15:50
d34dh0r53moving on for the sake of time15:51
d34dh0r53#topic bug review15:51
d34dh0r53#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:51
d34dh0r53looks like a new bug about password length notifications15:52
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/206192215:52
bbobrovthat is a cover bug for my spec15:52
bbobrovoh15:53
bbobrovno15:53
bbobrovsorry15:53
bbobrovdisregard that15:53
d34dh0r53ahh, ok15:54
d34dh0r53this one is15:54
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/206097215:54
bbobrovre https://bugs.launchpad.net/keystone/+bug/2061922 - the uncertainty around these numbers and password length is one of the factors preventing me from upgrading from Zed15:54
d34dh0r53noted, I'll make sure it's consistent and correct15:55
d34dh0r53finally in keystone15:57
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/206045215:57
d34dh0r53it's being worked and will need reviews15:57
d34dh0r53 next up15:58
d34dh0r53#link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=015:58
d34dh0r53no new bugs there15:58
d34dh0r53#link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=015:58
d34dh0r53keystoneauth has no new bugs15:58
d34dh0r53keystonemiddleware is also good15:59
d34dh0r53#link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=015:59
d34dh0r53sorry, link would be helpful for middleware ;)15:59
d34dh0r53#link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=015:59
d34dh0r53nothing new for pycadf15:59
d34dh0r53#link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=016:00
d34dh0r53ldappool is also good16:00
d34dh0r53that does it for bug review16:00
d34dh0r53#topic conclusion16:00
d34dh0r53Good to see folks at the PTG and I'm looking forward to this cycle16:00
d34dh0r53Reviewathon on Friday, please let me know if you'd like a calendar invite16:01
d34dh0r53That's it for me, anything else?16:01
d34dh0r53Thanks folks!16:01
d34dh0r53#endmeeting16:01
opendevmeetMeeting ended Wed Apr 17 16:01:47 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:01
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-04-17-15.05.html16:01
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-04-17-15.05.txt16:01
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-04-17-15.05.log.html16:01
bbobrovi have a small post-meeting note then16:01
bbobrovI would like to say that it is rather unfortunate that https://review.opendev.org/c/openstack/keystone/+/900028 got merged.16:01
bbobrovI am a domain admin of D-A. I would like to give a user from domain D-B a role assignment on my domain D-A. How do i now find out the user id from domain D-B, if i cannot find out the id of domain D-B? D-B now does not show up in the list.16:02
bbobrovIn our deployment domain list and their ids are basically public, anybody can read them.16:02
bbobrovThe change basically enforces new defaults and enforces scoping rules, completely ignoring the 2 options that control that.16:02
bbobrov(the API stability got broken, which is what i mentioned in the review)16:03
bbobrovI will open a bugreport about it.16:03
tkajinambbobrov, I'm not too sure (though I'm not an expert about these scope thing) if that is a bug. You are attempting cross domain operation which may be allowed for system scope in the initial design16:05
gtemain a bigger public cloud you should not be able to see foreign domain16:06
tkajinambbobrov, if you want to allow the domain admin of D-A to do that operation then the admin may need at least reader role for domain B16:06
tkajinamFirst use domain B scope to list that user and switch domain A scope to add role. that is a valid (and *appropriate*) method I think16:07
gtema+116:07
bbobrovtkajinam: i agree with you. And i agree that that should have been implemented differently initially. But the behavior is there, and i depend on it. Because there is a promise of API stability.16:07
tkajinamwe didn16:08
tkajinamwe didn't intend to keep all single policy behaviors when we introduced SRBAC concept. We deprecated the legacy policy rules so that we can change the behavior16:08
bbobrovtkajinam: enforcement of scopes happens via enforce_scope=True, which is still False even upstream, and big downstream clouds will live with it =False for much-much longer16:09
tkajinamwe, though, eventually decided to keep behavior of project admin, since project admin as cloud admin was something too many operators have relied on16:09
bbobrovgtema: i am not an operator of a big public cloud, i am an operator of a big old private cloud.16:09
gtemabbobrov, I understand. I am telling you the public cloud pov and requirements coming from there16:11
bbobrovgtema: and i am telling you about requirements coming from another place16:12
gtema:)16:12
tkajinambbobrov, I wonder if you can use project admin then ? it's less smart but I guess it would work16:12
tkajinamas project admin is retaining the permission to manage the whole cloud resources, even whole domain16:13
tkajinamhmm maybe not, if you don't want to limit the effect to keystone16:13
tkajinams/don't//g16:14
tkajinamgmann, ^^^ fyi... strict domain scope is killing one usage inf the field, it seems16:14
tkajinamI don't know why this is raised at the real last timing of several years of SRBAC work but this is how software used in the field works, I guess16:15
bbobrovtkajinam: a (usual) project admin cannot make domain assignments. There is an actual person, who is a domain admin, and might have no project-level assignments.16:15
bbobrovit is not like i am putting on one hat or another.16:16
tkajinamI could be wrong but the latest keystone may allow role assignments between user and domain since https://review.opendev.org/c/openstack/keystone/+/90273016:17
tkajinamallow project admin to manage domain-level role assignments, I mean16:18
gmannbbobrov: tkajinam: but scope things are something keystone want to make it strict wit new RBAC. I think plan will be to keep the enforce_scope as false until you are migrating tokens as per new RBAC and later once migration is done then we can remove enforce_scope itself 17:06
gmannthis is whole idea of SRBAC to have more secure permission by default17:07
bbobrovgmann: i understand that. When it is done and ready and has a release note and stuff like that. The merged change is silent and changes the behavior _now_.17:57
bbobrov(i still do not understand how to allow the domain admin perform the actions i described earlier, without making them switch the context for python-openstackclient)18:01
opendevreviewTakashi Kajinami proposed openstack/keystone master: Allow domain admin to view roles  https://review.opendev.org/c/openstack/keystone/+/91475918:17
opendevreviewTakashi Kajinami proposed openstack/keystone master: Allow domain users to manage credentials  https://review.opendev.org/c/openstack/keystone/+/91613018:17
gmannbbobrov: I see your point. dmendiza[m] might help you on releasenotes etc and keeping backward compatibility for some time18:36
« Tuesday, 2024-04-16 Index Thursday, 2024-04-18 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!