Wednesday, 2024-09-25

« Tuesday, 2024-09-24 Index Thursday, 2024-09-26 »
*** mhen_ is now known as mhen01:16
*** whoami-rajat_ is now known as whoami-rajat13:58
d34dh0r53#startmeeting keystone15:01
opendevmeetMeeting started Wed Sep 25 15:01:48 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:01
opendevmeetThe meeting name has been set to 'keystone'15:01
d34dh0r53#topic roll call15:03
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema, cardoe15:03
gtemao/15:03
cardoe\o15:05
d34dh0r53o/15:05
d34dh0r53let's get started15:05
d34dh0r53#topic review past meeting work items15:06
d34dh0r53#link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-11-15.04.html15:06
d34dh0r53no action items from last meeting15:06
d34dh0r53#topic liaison updates15:06
d34dh0r53nothing from VMT15:06
d34dh0r53We're nearing dalmatian release date15:06
d34dh0r53#topic specification15:07
d34dh0r53#undo15:07
opendevmeetRemoving item from minutes: #topic specification15:07
d34dh0r53#topic specification OAuth 2.0 (hiromu)15:07
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext15:07
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability15:07
d34dh0r53External OAuth 2.0 Specification15:08
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)15:08
d34dh0r53OAuth 2.0 Implementation15:08
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls15:08
d34dh0r53OAuth 2.0 Documentation15:08
d34dh0r53#link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)15:08
d34dh0r53#link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)15:08
d34dh0r53I worked on a couple of these before my PTO, I'll take a look again this week and try to get them passing the gates15:09
d34dh0r53next up15:09
d34dh0r53#topic specification Secure RBAC (dmendiza[m])15:09
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:09
d34dh0r532024.1 Release Timeline15:09
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:09
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:09
d34dh0r53I don't think dmendiza is around today, so moving on15:11
d34dh0r53#topic specification OpenAPI support (gtema)15:11
d34dh0r53#link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone15:11
d34dh0r53gtema: changes awaiting review15:12
gtemayou haven't reloaded page where I added please please please15:12
d34dh0r53lol15:13
gtemait is frustrating not to see any movement15:13
d34dh0r53one sec15:13
d34dh0r53I will try to get folks to review these, Grzegorz Grasza is on PTO until next week though15:13
cardoewrt to OAuth 2.0, I'm using OIDC (or at least trying to) and was hoping to ask some questions there15:13
d34dh0r53pertaining to the spec itself or support for your deployment cardoe ?15:14
cardoeYes. :)15:15
gtemalol15:15
gtemaquestion: A or B? Answer: yes15:15
cardoeHappy to wait until the agenda items are over.15:15
cardoeThe answer is really both.15:15
cardoeSo the docs for OIDC aren't correct. I've started to write some patches... https://review.opendev.org/c/openstack/keystone/+/929315 is the first.15:16
cardoeThe mapping docs page is wrong from what the code expect and then the jsonschema patches alter things even further as well.15:16
gtemacardoe - I suggest really not to do this now. I have a huge agenda for the PTG to discuss on the federation support as whole15:16
gtemathere are plenty of things done wrong afaik15:17
cardoeokay I'll go back to my observation corner15:17
d34dh0r53Thank you for that docs patch though, I've known the docs use some incorrect terminology but haven't gotten around to fixing them15:17
gtemait's not about observation corner, it's about that current functionality on its own is pretty limited and having many issues that I wanted to discuss broadly. I am doing a huge research among different CSPs for their usecases and complains15:18
d34dh0r53So back to openapi suport, I will review and try to get some movement on the patches15:19
gtemawould appreciate Dave Wilde (d34dh0r53) 15:19
d34dh0r53next up15:20
d34dh0r53#topic specification domain manager (mhen)15:20
d34dh0r53#link https://review.opendev.org/q/topic:%22domain-manager%2215:20
d34dh0r53tempest core lib patch has been merged, only keystone-tempest-plugin left15:21
d34dh0r53created a patchset for documentation: https://review.opendev.org/c/openstack/keystone/+/92813515:21
d34dh0r53awesome, thanks mhen_ 15:21
gtemadoc looks good, I will review offline in detail15:24
d34dh0r53thanks gtema (Artem Goncharov) 15:26
d34dh0r53#topic specification Type annotations (stephenfin)15:26
gtemabunch of changes merged already15:26
d34dh0r53#link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing15:26
gtemarest have one +215:27
d34dh0r53This came about from adding type hints to openstacksdk. Since we're based on/heavily use keystoneauth, we need these annotations to be able to type things correctly. After much blood and tears, I now have the thing fully typed (except for tests and fixtures) but have refrained from pushing the full ~50 patch series to avoid overloading CI/humans :)15:27
d34dh0r53How do we want to review these? They are generally non-functional changes, though I have reworked some logic (to avoid use of try-except pattern that mypy doesn't like) and added lots of asserts to narrow types (which I will eventually convert to proper exceptions). Can I just let gtema review them and rely on CI?15:27
d34dh0r53You'll see I've used ruff and ruff-format. I realise this might be somewhat controversial, but it removes significant friction (from having to manually rewrap stuff) when adding annotations at minimal inconvenience to others15:27
d34dh0r53cool, I'll take a look at these as well15:27
gtemamaybe on that one: do we want to apply ruff also to keystone (and yes, we just did that with black)15:28
gtema?15:28
cardoe+1 on the ruff stuff. Cause I agree with you it removes friction and just moves things along.15:28
cardoeAnd let's you enable a ton more lints15:29
d34dh0r53I'm good with moving keystone to ruff, how big is the effort going to be?15:30
gtematiny - we have already auto-formatting. So here it would be just swap black with ruff in one change15:31
gtemaI mean amount of code changes is going to be probably not so small, but all automatic15:31
gtemaall the "issues" are already polished out15:31
gtemaI can prepare the change, but I do not want to do that before we land our complex depending openapi stuff first, otherwise we are again in a pain of rebase15:33
d34dh0r53agreed, let's prioritize the openapi stuff, ruff is a nice to have for keystone15:36
gtemadeal15:36
d34dh0r53#topic open discussion15:36
d34dh0r53PTG planning15:37
d34dh0r53I'm thinking about 3 hours Tues and Wed but am open to an additional 3 on Thursday if we need it15:37
d34dh0r53The bot is ignoring me right now15:37
gtema:)15:37
gtemayou do not feed it, so it is angry at you15:38
gtemafrom my pov we would spend at least one full 3h slot talking about federation stuff15:39
d34dh0r53yeah15:41
d34dh0r53I think I'll book all three days and cancel what we don't need15:42
gtemaright15:42
d34dh0r53cool, anything else for open discussion?15:42
gtemasure - I added on agenda15:42
gtema#link https://review.opendev.org/q/topic:%22passlib%2215:42
gtemafarewell passlib15:42
gtemaI created series of patches getting rid of it completely15:43
d34dh0r53Oh yeah, I noticed those15:43
gtemaand noticed also that with sha512_crypt we would need to drop it once we start supporting py31315:43
d34dh0r53need to go look but the gates look promising, will this break backward compatability?15:44
gtemaanyway - in every change I switch 1 algo and add backwards compatibility tests (to passlib)15:44
gtemain the last change I drop passlib dep and those tests as well. I assume the last change is something we may want to wait a bit15:45
gtemathose unittests run 10 iterations of different inputs, cause there are some funny things happening depending on the input and I try to catch those with that.15:46
gtemaunfortunately that makes those pretty slow (well, cryptography is on purpose slow)15:46
gtemaoh, I missed your question15:46
gtemano - backward compatibility for now is guaranteed with those unittests that generate hash with passlib and try it with the new way15:47
gtemaso users are able to login with old hashes15:47
d34dh0r53cool15:48
gtemato be honest - this is dangerous, therefore in some change I added explicit releasenote warning about dragons15:48
gtemabut we can not do much about it. I tried to catch and workaround all known issues15:49
d34dh0r53yeah, that is the fear, that we break all of the users with the update, I agree we need to rip the bandaid off15:49
d34dh0r53passlib is dead15:49
gtemaright, and sadly it was doing lot of weird things which we may not see immediately15:50
d34dh0r53yeah, that's a bummer15:51
d34dh0r53almost out of time so moving on to bug review15:52
d34dh0r53#topic bug review15:52
d34dh0r53#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:52
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/208169515:52
d34dh0r53looks like this is being worked already15:53
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/208108215:53
d34dh0r53It's probably a good idea to add indexes to the revocation table15:54
d34dh0r53Not sure why they weren't already there15:54
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/208054215:56
d34dh0r53that does it for keystone bugs15:57
d34dh0r53#link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=015:58
d34dh0r53no new bugs for python-keystoneclient15:59
d34dh0r53#link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=015:59
d34dh0r53keystoneauth is good15:59
d34dh0r53#link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=015:59
d34dh0r53nothing for keystonemiddleware either15:59
d34dh0r53#link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=016:00
d34dh0r53pycadf is good16:00
d34dh0r53#link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=016:00
d34dh0r53and ldappool is good as well16:00
d34dh0r53#topic conclusion16:00
d34dh0r53Nothing else from me, I'll publish the PTG etherpad this week16:01
d34dh0r53Thanks everyone!16:01
d34dh0r53#endmeeting16:01
opendevmeetMeeting ended Wed Sep 25 16:01:13 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:01
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-25-15.01.html16:01
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-25-15.01.txt16:01
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-25-15.01.log.html16:01
gtemagreat16:01
gtemathanks Dave Wilde (d34dh0r53) 16:01
cardoegtema: can you link me to the PTG bits? Specifically interested in the OIDC16:02
gtemaonce Dave Wilde (d34dh0r53) schedules it. I have no agenda yet, just in my head I have tons of observations and conclusions16:03
cardoeokay. You don't have those notes published anywhere?16:03
gtemacardoe - my item nr1 is to implement oidc in keystone natively without requiring mod_auth_oidc. That will save lots of problems16:04
cardoewell that would be good.16:04
gtemauhm, I have multiple notes, but they are mostly projects related. I will start sketching agenda once PTG etherpad is created16:04
cardoeokay.16:05
gtemaone more thing is that oidc is useless and dangerous without provisioning/deprovisioning. This can be solved in few ways but the modern standard on that is https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management which I think we need to implement16:06
gtemacardoe - some of the last notes/analysis on federation can be seen under https://input.scs.community/scs-federation?view16:08
cardoetoday I'm using mod_auth_oidc and mnaser's websso right now.16:09
gtemayeah, and vexxhost has a nice plugin for connecting KS to KeyCloak directly. That is one of the ways, but not very flexible (wrt IdP server)16:10
gtemain last release I added possibility to configure such plugin using API and mod_auth_oidc config can be also created dynamically (with regexp), but not all deployment tools allow you to skip need for restart16:11
gtemaand in a public cloud you understand it is absolutely inacceptable16:12
cardoeYeah that would be great.16:18
jrosserfrom an end user perspective it would be really nice to get websso into keystoneauth16:22
jrosserextra plugins to use the cli is a poor experience16:23
gtemaUse of federation in Cli is by design poor experience 16:24
jrosseris there an alternative?16:25
cardoeI mean there's many main tools that use OIDC with CLI. Like GitHub's CLI.16:25
jrosserwhat makes me most sad is that there are a bunch of plugins to make this work, so it's clearly something that people want/are using16:26
cardoeKubernetes has it with oidc-login, which behaves the same as the websso16:26
jrosserthere are even oidc flows specifically to support the use case, where you don't want a client id/secret 16:29
cardoeStock mod_oidc_auth + websso works fine for a static setup as you mentioned.16:29
gtemamaking cli use a nice experience requires totally different approach compared to what we have available now. And it is not a cli issue on it's own - it's a combination of the technologies16:30
cardoeI'm using OIDCResponseType "code" and have the client that mod_oidc_auth using marked as public16:31
cardoeI'm with jrosser. Folks want the support. Don't block good enough for perfect.16:36
jrosserwe've just enabled websso for our hasicorp vault deployment and it also works *exactly* the same16:36
jrossercli -> browser -> done16:37
« Tuesday, 2024-09-24 Index Thursday, 2024-09-26 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!