Wednesday, 2024-10-16

« Tuesday, 2024-10-15 Index Thursday, 2024-10-17 »
opendevreviewOpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/keystone/+/93066304:08
stanislav-zHello 👋. A while ago a spec was proposed to "Include bad password details in audit messages" - https://review.opendev.org/c/openstack/keystone-specs/+/915482. I was working on it recently, including spec update and possible implementation for it https://review.opendev.org/c/openstack/keystone/+/932423 - would you please have a look at both and provide your feedback/reviews here or in the changes? I'm also open for suggestion10:58
stanislav-zfor how to move it forward. Thanks!10:58
bbobrovcardoe: re your question about inherited roles: yes, they do work like that. Inherited role assignments on a domain provide assignments on all its project12:07
gtemaDave Wilde (d34dh0r53): I'm on PTO this will not participate this week13:14
admiyoI am here, for once...14:03
admiyobbobrov, is that new?  I have to refresh on how it works, but I thought domain roles and project roles were separate, and you needed to have an assignment on domain-as-a-project for that to work.14:06
cardoeThere's an inherited API endpoint.14:06
admiyohttps://adam.younglogic.com/2016/11/keystone-domains-are-projects/14:06
cardoeWhich I can confirm does work like bbobrov mentioned.14:06
* admiyo needs to update that article14:07
cardoehttps://docs.openstack.org/api-ref/identity/v3/#assign-role-to-group-on-projects-owned-by-a-domain14:07
admiyoCool.  THat is a nice extension.  Well done14:08
admiyoAre we still in meeting mode?14:09
opendevreviewDmitriy Rabotyagov proposed openstack/keystone master: Re-initiate OSA rolling upgrade tests  https://review.opendev.org/c/openstack/keystone/+/93251214:11
opendevreviewDmitriy Rabotyagov proposed openstack/keystone master: [DNM] Ensure that upgrade test fails  https://review.opendev.org/c/openstack/keystone/+/93251314:13
opendevreviewDmitriy Rabotyagov proposed openstack/keystone master: [DNM] Ensure that upgrade test fails  https://review.opendev.org/c/openstack/keystone/+/93251314:16
d34dh0r53#startmeeting keystone15:05
opendevmeetMeeting started Wed Oct 16 15:05:22 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:05
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:05
opendevmeetThe meeting name has been set to 'keystone'15:05
d34dh0r53Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct15:05
d34dh0r53#link https://openinfra.dev/legal/code-of-conduct15:05
d34dh0r53#topic roll call15:06
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe15:06
d34dh0r53o/15:06
mheno/15:07
d34dh0r53#topic review past meeting work items15:08
d34dh0r53#link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-09-15.05.html15:08
d34dh0r53no action items from last week15:08
d34dh0r53#topic liaison updates15:08
d34dh0r53nothing from VMT or releases15:09
cardoe\o15:10
d34dh0r53#topic specification OAuth 2.0 (hiromu)15:11
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext15:11
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability15:11
d34dh0r53External OAuth 2.0 Specification15:11
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)15:11
d34dh0r53OAuth 2.0 Implementation15:11
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls15:11
d34dh0r53OAuth 2.0 Documentation15:11
d34dh0r53#link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)15:11
d34dh0r53#link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)15:11
d34dh0r53no updates from me on any of this15:12
d34dh0r53#topic specification Secure RBAC (dmendiza[m])15:12
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:12
d34dh0r532024.1 Release Timeline15:12
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:12
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:12
d34dh0r53not sure if dmendiza is around, he messaged me that he might be away-ish this morning15:12
d34dh0r53ok, moving on15:15
d34dh0r53#topic specification OpenAPI support (gtema)15:15
d34dh0r53#link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone15:15
d34dh0r53https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work15:15
d34dh0r53gtema: api-ref work started15:15
d34dh0r53I think I also saw that gtema (Artem Goncharov) is on PTO15:16
d34dh0r53looks like it, moving on15:17
d34dh0r53#topic specification domain manager (mhen)15:17
d34dh0r53#link https://review.opendev.org/q/topic:%22domain-manager%2215:17
d34dh0r53tempest core lib patch has been merged, only keystone-tempest-plugin left15:17
d34dh0r53created a patchset for documentation: https://review.opendev.org/c/openstack/keystone/+/92813515:17
mhenyes, only tempest plugin and documentation patchsets are left15:18
mhengot a lot of upvotes by now - is there anything missing still?15:19
d34dh0r53ok, I'll bug dmendiza and Grzegorz Grasza to push those through15:19
mhennice, thanks15:19
d34dh0r53mhen: I think we're just waiting on final reviews15:19
d34dh0r53ack, YW15:19
mhenok15:19
d34dh0r53next up15:20
d34dh0r53#topic specification Type annotations (stephenfin)15:20
d34dh0r53#link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing15:20
d34dh0r53This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land.15:20
d34dh0r53many reviews are owed 15:20
admiyoSorry I missed the secure RBAC topic...I was distracted by discussing it over in #openstack-nova15:22
d34dh0r53ahh, no worries admiyo 15:23
admiyoSo...while I am not 100% certain, I think the solution in place means we should close bug 9686915:23
Vivek-vnetpopsDear community.15:23
admiyoIt is the longest open bug in the tracker, and it is addrtessed, I think, but the secure RBAC approach.  I don't feel 100% certain there.15:24
admiyomaybe like, 55%15:24
d34dh0r53nooooo that bug is legendary15:24
admiyoI think that the solution is kinda wrong15:25
admiyoand I am pretty sure that nova is self contradictory by ignoring the project Id for the operation, but requiring a project scoped token15:25
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/96869615:25
admiyoand they are certainly wrong for marking it 'wishlist" and "won't fix"15:25
admiyoBUT....15:26
d34dh0r53that's the bug being referred to15:26
admiyoAye.  sorry for missing the lin15:26
admiyok15:26
admiyoI think that ...if and only iff ADMIN is reserved  for operations that should never be allowed to be granted to managers of projects, then it is OK to say that they have addressed it15:27
d34dh0r53dmendiza: is really the one to talk to about this15:27
admiyoas I recall, there were cases where reources got orphaned and you had to be aadmin to clean them up, which means that a project MANAGER would  not have been able to clean up after a mistake, and thuse projects were not self maintaining15:28
admiyoIt is a PTL issue.  It is an openstack wide issue, and it limits adoption.  They are pushing the fix back on keystone.15:28
admiyoAnd I don't know that Keystone alone can fix it, and I would argue that the fix is very fragile15:29
cardoeSo with Secure RBAC being a top level priority, I think this is something we can work to clean up.15:29
opendevreviewDmitriy Rabotyagov proposed openstack/keystone master: Re-initiate OSA rolling upgrade tests  https://review.opendev.org/c/openstack/keystone/+/93251215:30
cardoeI'd like to work with some folks on defining some more user personas which I think would be helpful.15:30
admiyoSo if ANY service in openstack requires ADMIN for any user-level operation, and they assign it, they have opened up a security hole in Nova15:30
cardoeWe don't have to craft roles for each one but we can say "this persona should not ever have admin role" or some such.15:30
admiyoSo, from a keystone perspective, we can be dilligent and avoid things like we used  to do:15:32
cardoeI think that might help downstream or operators by understanding those personas. Cause I feel like those leaks happen from downstream / operators trying to make something work how they think and then nova accepting a band aid.15:32
admiyoyou needed admin to add a user to a project15:32
admiyowhich means projects were not self managing15:32
admiyobut that has to be true of every service in the catalog15:32
admiyoand, yeah, just default policy.  People can always break things via custom policy15:33
admiyoAre nested projects still a thing?15:33
admiyoThat actually helped with a lot of the operators concerns15:34
cardoeThey are documented and the Red Hat docs talk about them.15:36
admiyoAnyway,I had a long write up of this from when I was assigned the bug:  https://adam.younglogic.com/2017/05/fixing-bug-96869/15:36
admiyoThe issue was that operators wanted to be able to use a single, project scoped token to do operations across the whole tree.  It was, and is, a mess15:37
d34dh0r53Let me talk with dmendiza about this, there may be a case for finally closing that bug with the domain manager role15:37
admiyoBecause they don't want to have to authenticate to each project15:37
admiyoNo...it still does'nt handle it.  Apologies, pulling stuff from long term memory....15:38
d34dh0r53What is lacking in that role?15:39
admiyothe token is scoped to a project but they want to do a global operation, and there is no way for Nova to know that a given project is nested under another project15:39
admiyoit is fine for Keystone, not for the other services15:39
mhenI guess the problem is that domain-ownership awareness is not really there in other services for their resources15:39
admiyoI think the "is admin project" hack is still needed.15:40
admiyomhen, yes15:40
mhenit would require a lot more work for some services to properly adapt the domain manager persona then15:40
admiyoso...IF we create a majik ADMIN project, and if we add a flag to the token saying "this is an admin project" and if Nova checks for that as well as ADMIN then things would work15:40
admiyodomain tokens never go to other services15:41
admiyodomain were a mistake.  15:41
admiyoas was calling things projects instead of tennants15:41
admiyosins of the past that will be visted on our descendants....15:41
admiyobut anyway15:41
admiyoif a token is sent to nova with "is_admin_project=yes" and they chose to ignore it, that is on them15:42
admiyoIts not a hard check to implement, and it can be done in keystone middleware if we really want, but that is a whole nother approach that I abandoned15:43
admiyoThat way, if, say HEAT requires Admin for something, and that slips through, Nova could protect itself by also required is_admin_project15:44
admiyoanyway, I have said my piece, and will stop beat d34dh0r53 15:45
d34dh0r53lol15:45
d34dh0r53thanks for bringing it up, I mistakenly thought the domain manager work helped to fix this but I think there is still work to do15:46
admiyoalso...we never addressed how  to limit things that required acccess to two proejcts15:46
admiyoI think there was an issue  where deleting a project in keystone orphaned all the resources everywhere.15:47
admiyoAnd...I think I had a fix for that15:47
admiyobut I don';t thik that was RBAC15:47
mhenhttps://docs.openstack.org/python-openstackclient/latest/cli/command-objects/project-cleanup.html15:47
mhen:)15:47
admiyoAH yes15:47
admiyohttps://review.opendev.org/c/openstack/keystone/+/66474615:47
admiyoIt was KINDA an RBAC issue  in that you needed to get a system admin to do all your clean up.  This avoids that case.15:48
* admiyo really done now15:49
admiyomeeting over?15:52
d34dh0r53Thanks admiyo 15:52
d34dh0r53#topic specification Include bad password details in audit messages (stanislav-z)15:52
d34dh0r53# link https://review.opendev.org/c/openstack/keystone-specs/+/91548215:52
d34dh0r53# link https://review.opendev.org/c/openstack/keystone/+/93242315:52
d34dh0r53s///15:52
d34dh0r53s///15:53
stanislav-zHello! I'm looking for any feedback on both. And in the meantime was going to work on adding tests for the implementation15:53
admiyo@stanislav-z, is the idea that an admin can compare the hash to the hash in the database and say "yep they don't match?"15:54
stanislav-zthere is no relation to the database hash. the idea is that when there is a bruteforce attack the hash will be changing frequently. while if e.g. some end-user automation got stuck with the old password the hash won't be changing. so by checking the hash, it may be possible to perform a more educated guess if user is experiencing an attack or just has some broken automation15:57
stanislav-zby checking how hash is changing*15:57
admiyoAh. THat makes more sense.  But any change in the users passwords attempt end up as differnt hashes, and look like an attack?15:57
admiyopassword  pa$$word  p@$$word p@$$w0rd15:58
stanislav-zonly if something/someone would be continuing to submit the old (wrong) password. no hashes will be showing up for successful authentication events15:58
admiyobut is a user submits password  pa$$word  p@$$word p@$$w0rd  and they all get hashed, it is safe to put the first 5 chars of  the hash in the log?15:59
d34dh0r53According to the spec the N characters isn't logged, it's sent in a message, is that correct?16:00
stanislav-zwith the default hashing function from possible WIP the hash size would be 88 characters. providing just 5 (default; configurable) should be safe - and it will only appear in event notifications16:01
stanislav-zthat's correct. but N - is the number of character that would passed to the event (not how much would be truncated from the hash)16:02
admiyosame thing, though.  Written down somewhere not in ephemeral memory and the database.  Thus widening exposure to the hash.  If a user types the same thing 3 times, the partial hash will show up.  The the person notified will have access to that partial hash.  Which could itslef be used in a brute force  attack on the password.  16:02
admiyo"If the feature is enabled, it will expose N (N=5 by default) characters of hash16:03
admiyo9116:03
admiyoof bad password. These symbols will not be communicated with the response, but16:03
admiyo9216:03
admiyowill be sent via messages."16:03
admiyoI think that this is OK16:03
admiyoif you have access  to event notification, you have access to  the user database  and the main password hash.16:03
admiyoI mean, likely.16:03
d34dh0r53yeah, likely16:03
admiyoif someone only had access to the event notification, it WOULD expand the attack window, but that has to be configured by Keystone admin, and so the end effect is the same16:04
d34dh0r53That's my concern is that a potentially good password hash will be written somewhere16:04
admiyoI think it is a valid concern16:04
admiyoIf you know that sha1 is used, and you brute force, you will end up with a few false positives, but it would still be enough info for you to crack simple passwords16:05
admiyoI wonder if a better approach would  be to keep this information internal.16:06
stanislav-zit also offers to provide a "personalization salt" in config - e.g. if event consumer doesn't have access to that config entry, it would be much more difficult to recover the password from partial hash16:06
stanislav-z(without knowing that salt)16:07
admiyoBut the only thing  they  are then finding out is "it is the same as previous" or different.  COuldn't keystone keep track of that?16:07
d34dh0r53Internally we could keep a counter of identical hash attempts and alert based on a threshold16:07
admiyoSo, I would not kill this effort outright, but I would suggest that the spec include a larger discussion about how this would be used, the security needed to protect it, and alternatives  and modifications to the approach?16:08
d34dh0r53indeed16:08
stanislav-zsound good, thanks16:09
d34dh0r53Thank you Stanislav Zaprudskiy !16:09
d34dh0r53#topic open discussion16:09
d34dh0r53nothing on the agenda, does anyone have anything?16:09
d34dh0r53we're over time, and I don't see any new bugs so I'll end it here16:11
d34dh0r53#endmeeting16:11
opendevmeetMeeting ended Wed Oct 16 16:11:16 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:11
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-16-15.05.html16:11
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-16-15.05.txt16:11
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-16-15.05.log.html16:11
d34dh0r53Thanks everyone!16:11
admiyod34dh0r53, it just occured to me that the mistake with 968696 was asking the operators.  Of course they said no.  It broke their workflows.  The right people to ask were the people that refused to adopt openstack for security reasons....16:13
d34dh0r53admiyo: yeah, that's a really good point16:13
admiyoI was tempted to submit a talk called "OpenStack is Doomed and Its ALL MY FAULT."  16:15
admiyohttps://review.opendev.org/c/openstack/keystone-specs/+/391624   Holy cow!  That merged,  I guess I better get on implementing it....heh16:26
admiyo9 years later16:26
d34dh0r53hah16:33
cardoegtema: I updated that OIDC documentation as you asked.16:34
opendevreviewOria Weng proposed openstack/keystone master: Add JSON schema to `limits`  https://review.opendev.org/c/openstack/keystone/+/93152819:27
*** gmann is now known as gmann_afk20:58
*** gmann_afk is now known as gmann_21:41
*** gmann_ is now known as gmann21:41
admiyod34dh0r53, so, I just had a long chat with sean-k-mooney[m]  and I think I get where this is going.  So the rule for Keystone grants needs to change.  I just generated the policy for it, and here is what it expands to21:58
admiyo#"identity:create_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domai21:59
admiyon.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"21:59
admiyothe problem is that initial or21:59
admiyowell, actually, the problem is that the role required is admin, but that the policy rule is only going to get as far as that first check22:00
admiyoif I want to make it possible for the admiyo user to assign roles on the fubar project, I need  to grant admiyo the admin role.  If instead it was a more limited role (project_manager) then everything would work as expected22:01
admiyobut the way that rule is  written, nothing will ever get caught by any of the rules after the initial (rule:admin_required)22:01
admiyoSo, if you were to change the default policy today, you would break no one22:02
admiyobecause the only people able to use that already have the admin role22:02
admiyobut...moving forward, they would be able to make more localized role assignments22:02
« Tuesday, 2024-10-15 Index Thursday, 2024-10-17 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!