Wednesday, 2025-01-22

02:15 *** mhen_ is now known as mhen
08:09 <opendevreview> James Page proposed openstack/keystone master: Switch to using oslo.utils secretutils  https://review.opendev.org/c/openstack/keystone/+/939739
10:16 <opendevreview> James Page proposed openstack/keystone master: Drop the sha512_crypt module  https://review.opendev.org/c/openstack/keystone/+/939778
15:03 <d34dh0r53> #startmeeting keystone
15:03 <opendevmeet> Meeting started Wed Jan 22 15:03:35 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03 <opendevmeet> The meeting name has been set to 'keystone'
15:03 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:03 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:04 <d34dh0r53> #topic roll call
15:04 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:04 <xek> o/
15:04 <d34dh0r53> and a special ding for dmendiza
15:04 <gtema> o/
15:04 <d34dh0r53> o/
15:04 <dmendiza[m]> 🙋‍♂️
15:04 <dmendiza[m]> I appreciate the special treatment 🥰
15:06 <d34dh0r53> :)
15:06 <d34dh0r53> #topic liaison updates
15:06 <d34dh0r53> nothing from VMT or releases
15:07 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:07 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07 <d34dh0r53> External OAuth 2.0 Specification
15:07 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07 <d34dh0r53> OAuth 2.0 Implementation
15:07 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:07 <d34dh0r53> OAuth 2.0 Documentation
15:07 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:07 <d34dh0r53> no updates from me on this
15:07 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:07 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:07 <d34dh0r53> 2024.1 Release Timeline
15:07 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:08 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:08 <dmendiza[m]> I have to review the Domain Manager patches still 😅
15:08 <dmendiza[m]> Not much in the way of updates this week.
15:09 <d34dh0r53> Ack, thanks dmendiza
15:09 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:09 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:09 <gtema> over the weekend I found one of the merged changes introduced a bug. The fix is https://review.opendev.org/c/openstack/keystone/+/939583
15:10 <gtema> schema was too permissive to capture the issue
15:10 <gtema> would appreciate a quick approval since it weirdly now blocks codegenerator due to that broken schema
15:10 <xek> +2
15:10 * gtema wonders why codegenerator test didn't catch this
15:11 <d34dh0r53> approved
15:11 <gtema> thks a lot
15:12 <d34dh0r53> np
15:12 <d34dh0r53> anything else regarding OpenAPI support?
15:12 <gtema> not this week
15:13 <gtema> thanks
15:13 <d34dh0r53> 👍️
15:13 <d34dh0r53> #topic specification domain manager (mhen)
15:13 <d34dh0r53> still unmerged are:
15:13 <d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:13 <d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
15:14 <dmendiza[m]> I need to look through these
15:14 <mharley[m]> o/
15:15 <d34dh0r53> hi mharley! Welcome
15:15 <d34dh0r53> thanks dmendiza
15:15 <d34dh0r53> next up
15:15 <mharley[m]> Thanks, Dave Wilde (d34dh0r53)!
15:15 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:15 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:15 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22
15:15 <d34dh0r53> 21-Jan update: review feedback incorporated, looking for reviews
15:16 <gtema> I already had a look and I indeed like naming the config option "report_invalid_password_hash"
15:16 <d34dh0r53> yeah, that's much better
15:17 <gtema> now it was renamed from invalid_password_hash_include to log_invalid_password_hash. But I think report_invalid_password_hash is more universal
15:17 <stanislav-z> I'll update it now :) thanks
15:17 <gtema> thanks Stanislav Zaprudskiy
15:17 <d34dh0r53> thank you Stanislav Zaprudskiy!
15:17 <d34dh0r53> #topic open discussion
15:18 <gtema> I am first :)
15:18 <gtema> https://github.com/gtema/oslo.policy.opa
15:18 <gtema> I was able to create a plugin for oslo.policy and even auto-generate oslo_policies into the OpenPolicyAgent language
15:18 <d34dh0r53> wow
15:19 <dmendiza[m]> Nice
15:19 <gtema> in the meantime I even found an ancient blog post https://jaosorior.dev/2018/rewriting-openstack-policy-files-in-open-policy-agent-rego-language/ that speculated about this idea back in 2018
15:20 <gtema> and while my converter was working I thought some of the policies in keystone are not really working like a human would understand them due to the priority of AND and OR that oslo_policy applies
15:20 <gtema> those are especially tricky in the role assignments (wrt domain manager)
15:20 <gtema> can't say with confidence, just have a feeling those might be wrong
15:21 <gtema> I was able to auto-convert keystone and barbican policies, would try others later
15:21 <gtema> I LOVE the possibility to test policies very explicitly
15:21 <gtema> this is something I miss in oslo_policy
15:22 <gtema> that's it so far from me on that
15:22 <dmendiza[m]> Oh hey that's Ozz's blog.  I know that guy.
15:24 <gtema> with that it is possible to have very precise fine-grained policies in Keystone without role explosion
15:25 <mharley[m]> gtema: when you say "test policies", are you referring to something like this (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html)?
15:25 <mharley[m]> Just to establish a parallel with your sentence. :-)
15:25 <gtema> mharley: I refer to https://github.com/gtema/oslo.policy.opa?tab=readme-ov-file#policy-testing and https://www.openpolicyagent.org/docs/latest/policy-testing/
15:26 <gtema> but yeah, it is something similar
15:26 <gtema> basically you can write unit tests that will evaluate the authorization decision based on inputs
15:26 <mharley[m]> Got it.  Something more "roots". :-)
15:27 <gtema> in OpenPolicyAgent you also have a decision log that helps you to track down how OPA resolved the request
15:30 <cardoe> Since it's quiet I'll ask what I asked after the meeting last week.  I'm really just wanting to provide documentation updates for usage. I've tried to dip my toe in the water with https://review.opendev.org/c/openstack/keystone/+/929315 but I'm just unsure what I need to do to keep advancing things.
15:31 <cardoe> I just want to have the docs correct for existing installations. Today the docs talk about Ubuntu 16.04 in many places and the packages involved have changed. Their configuration has changed as well.
15:31 <gtema> +W-ed
15:32 <d34dh0r53> thanks gtema
15:32 <d34dh0r53> and thank you cardoe for this, those docs were indeed lacking
15:32 <gtema> cardoe: this OpenPolicyAgent work that I described is very helpful in the OIDC improvements since it allows us to properly decouple auth from authz
15:32 <gtema> I am generally still on the topic, so haven't forgotten
15:33 <cardoe> 100% agree gtema. I was actually looking at what you did and this nails what I'm going to want to explore in the future in a wayyyy better way.
15:33 <gtema> thks :)
15:34 <d34dh0r53> awesome, anything else for open discussion before we move on?
15:34 <stanislav-z> I have one, too.
15:34 <stanislav-z> https://bugs.launchpad.net/keystone/+bug/1914260 - I wanted to start working on this one. Especially for cases when resources are *deleted* (e.g. project, or user, etc), only their ID and typeURI are reported in audit events (under `target`) - which makes it difficult to handle cases e.g. when a real user comes and wants to know who deleted their resource, but all they have is the resource's name/project/domain - which is at
15:34 <stanislav-z> that point not possible to translate to ID (or vice-versa) as the corresponding resource was already gone. I thought of extending the `delete` events with some additional details. Does anybody have suggestions, or objections against it?
15:36 <gtema> Stanislav Zaprudskiy: I think we also generally lack a doc on how all this is intended to be captured/processed. I want to start looking into the audit area for my employer as well and so far miss some basics
15:36 <gtema> since you work on that maybe you can also propose some doc improvements so that we are all on the same page
15:39 <stanislav-z> I could potentially share how it's being used in our set-up, which might be a starting point for the doc
15:39 <gtema> yeah, that will help understanding where the requirements for improvements are coming from
15:40 <stanislav-z> jfr, there is another service on top - https://github.com/sapcc/hermes. and some more things, too :) I'll try to come up with something, and will have a look where would be a good place for the doc
15:41 <gtema> cool
15:41 <gtema> "It is named after the Futurama character, not the Greek god." - lol
15:42 <d34dh0r53> Thank you Stanislav Zaprudskiy!
15:42 <d34dh0r53> #topic bug review
15:42 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:42 <d34dh0r53> no new bugs for keystone
15:42 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:43 <d34dh0r53> nor python-keystoneclient
15:43 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:43 <d34dh0r53> no new bugs in keystoneauth
15:43 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:43 <d34dh0r53> nothing new in keystonemiddleware
15:43 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:43 <d34dh0r53> pycadf is good
15:43 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:43 <d34dh0r53> so is ldappool
15:43 <d34dh0r53> #topic conclusion
15:44 <d34dh0r53> I won't be able to make the reviewathon this week, but other than that I've got nothing
15:44 <d34dh0r53> please reach out if you need anything
15:44 <gtema> thks guys, need to run
15:47 <d34dh0r53> Thanks folks!
15:47 <d34dh0r53> #endmeeting
15:47 <opendevmeet> Meeting ended Wed Jan 22 15:47:51 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:47 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-01-22-15.03.html
15:47 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-01-22-15.03.txt
15:47 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-01-22-15.03.log.html
16:30 <opendevreview> Stanislav Zaprudskiy proposed openstack/keystone-specs master: Include invalid password details in audit messages  https://review.opendev.org/c/openstack/keystone-specs/+/915482
17:36 <opendevreview> Merged openstack/keystone master: Fix invalid jsonschema for trusts  https://review.opendev.org/c/openstack/keystone/+/939583
18:26 <opendevreview> Merged openstack/keystone master: extend docs explaining OIDC  https://review.opendev.org/c/openstack/keystone/+/929315
22:54 -opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily for a restart to put some database compaction config changes into effect, and will return within a few minutes