Wednesday, 2025-12-03

« Tuesday, 2025-12-02 Index Thursday, 2025-12-04 »
*** mhen_ is now known as mhen02:20
*** EugenMayer4401809 is now known as EugenMayer44018010:49
opendevreviewTakashi Kajinami proposed openstack/oslo.limit stable/2025.2: fixture: Mock out services, regions  https://review.opendev.org/c/openstack/oslo.limit/+/96940612:52
opendevreviewTakashi Kajinami proposed openstack/oslo.limit stable/2025.2: Handle missing endpoint, region, service  https://review.opendev.org/c/openstack/oslo.limit/+/96940712:52
opendevreviewTakashi Kajinami proposed openstack/oslo.limit master: Fix region query  https://review.opendev.org/c/openstack/oslo.limit/+/96941313:11
opendevreviewTakashi Kajinami proposed openstack/oslo.limit master: Fix region query  https://review.opendev.org/c/openstack/oslo.limit/+/96941313:55
opendevreviewTakashi Kajinami proposed openstack/oslo.limit master: Delay string interpolations at logging calls  https://review.opendev.org/c/openstack/oslo.limit/+/96944213:55
opendevreviewTakashi Kajinami proposed openstack/oslo.policy master: Delay string interpolations at logging calls  https://review.opendev.org/c/openstack/oslo.policy/+/96944814:03
opendevreviewTakashi Kajinami proposed openstack/oslo.policy master: Delay string interpolations at logging calls  https://review.opendev.org/c/openstack/oslo.policy/+/96944814:38
opendevreviewTakashi Kajinami proposed openstack/oslo.limit master: Delay string interpolations at logging calls  https://review.opendev.org/c/openstack/oslo.limit/+/96944214:38
d34dh0r53#startmeeting keystone15:02
opendevmeetMeeting started Wed Dec  3 15:02:02 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:02
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:02
opendevmeetThe meeting name has been set to 'keystone'15:02
d34dh0r53Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct15:02
d34dh0r53#link https://openinfra.dev/legal/code-of-conduct15:02
d34dh0r53#topic roll call15:02
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra15:02
cardoeo/ (been a while since I've been able to listen in)15:03
gtemaO/15:03
moutazchaara[m]O/15:05
cardoebe curious to ask some questions of you folks during the free time15:05
moutazchaara[m]gtema: Hi, [you were right about the token invalidation process as it should be part of the group changes.](https://review.opendev.org/c/openstack/keystone/+/967048/comments/abbdbb21_811d0a29)... (full message at <https://matrix.org/oftc/media/v1/media/download/AUNTxPSWNk-4tZUPaDAx94By_GFKtEcvc6Wi056FxTcCD3MrF-Vvm0ZTtwB8phqVs1jQ1jBhnkMAeQ827lzIUUlCebLN2eCwAG1hdHJpeC5vcmcvYlNqUUVDaVJYd2lvWlF5ZWVlYndvblJv>)15:11
gtemaI have seen that. I am this week on the PTO and not really having enough time to review the stuff. Your explanation looks like I was expecting, so it should be correct. Maybe we will have some code review comments, but functionally it should be correct15:12
moutazchaara[m]gtema: np, ok so it make sense. i only found this out while doing manual testing. These scenarios are very hard to cover it with unit tests. Will try to add more coverage in the mean time...15:13
gtemaI know, I am not going to insist on the unittests15:14
d34dh0r53sorry, got pulled away for a minute15:15
gtemaall good Dave15:16
d34dh0r53#topic review past meeting work items15:16
d34dh0r53#link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-11-26-15.07.html15:16
d34dh0r53no action items from the last meeting15:16
d34dh0r53#topic liaison updates15:16
d34dh0r53nothing from me15:16
gtemanothing here as well15:17
d34dh0r53#topic specification OAuth 2.0 (hiromu)15:17
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext15:17
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability15:17
d34dh0r53no updates from me on this one15:17
d34dh0r53#topic specification Secure RBAC (dmendiza)15:17
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:17
d34dh0r532026.1 Release Timeline15:17
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:18
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:18
d34dh0r53I didn't do my bespoke dmendiza ping15:18
gtemaoh lol15:18
cardoeSo that OAuth 2.0 parts just seem tests?15:22
gtemayes, should be15:24
opendevreviewTakashi Kajinami proposed openstack/oslo.limit stable/2025.2: fixture: Mock out services, regions  https://review.opendev.org/c/openstack/oslo.limit/+/96940615:26
opendevreviewTakashi Kajinami proposed openstack/oslo.limit stable/2025.2: Handle missing endpoint, region, service  https://review.opendev.org/c/openstack/oslo.limit/+/96940715:26
cardoeokay if I ask questions?15:27
d34dh0r53Yeah, the OAuth 2.0 is tests that are blocked waiting on tacker15:27
d34dh0r53cardoe: please do15:27
cardoeSo I previously mentioned I'm working with OIDC and with the keystone-ng work I just wanted to see if my approach to things was lining up with a use case.15:28
gtemacool15:29
cardoeSo we've got folks that'll be assigned into different groups on the identity system and they'll get a groups claim for those groups.15:29
cardoeI also want to have a good flow for device auth (for the CLI) but I also need machine authentication and that's one place where things are a little gross.15:30
gtemathe rust cli (osc) does support the cli flow15:30
cardoelink?15:31
gtemathe machine access is to be solved with service accounts, but in the meanwhile you can use jwt auth15:31
gtemahttps://github.com/gtema/openstack/15:31
cardoeI've attempted to use v3oidcdeviceauthz but I use mnaser's websso plugin that I previously suggested we merge in.15:32
gtemaI also started updating docs for that - i.e. https://openstack-experimental.github.io/keystone/federation/keycloak.html15:32
gtemathe rust cli also support the websso plugin15:32
cardoeWe'll be getting websso into gophercloud soon as well.15:33
cardoeSo you think I should make a static account and then map the OIDC to it with client credentials?15:33
gtemafrom my pov this is a no-go. I mean gophercloud itself is ok, but you can't have this in the TF or anything without a human attached15:34
gtemawhich credentials do you mean?15:34
cardoeother terraform providers have an option for web client auth15:34
cardoeOIDC client credentials15:34
cardoeAs far as keycloak, I'd really hope we test against something other than keycloak. There's a number of keycloak-isms that I've tried to battle in keystone today.15:35
gtemahmm, okay15:35
mnaserwe (historically) have told people to use app creds if they want to use terraform or whatnot15:35
gtemawrt keycloak - my docs describe the okta as well15:35
gtemaand I am willing to add that for others (like Entra, etc), just need to find whether others offer dev-based accounts15:36
cardoeYeah making a service account and using app creds is what we do today.15:36
gtemamnaser - that is also my "perception" right now15:36
cardoeOIDC users can use app creds as well but they stop working once the expiration hits15:36
cardoegtema: dex is probably an easy test as well.15:37
gtemacardoe - under service account I really mean service account - not a regular user with just the jwt login15:37
gtemayeah, right, will look at dex soon15:37
cardoegtema: explain the service account... in keystone or you're saying in keycloak/etc?15:37
gtemamaybe even tomorrow - I am adding the "enabled" flag to idp and mapping in the v4 now and will check how complex it would be to add dex functests15:38
cardoeSo the last item is really the projects and how to map it all out.15:38
mnaserwe have built this gross use case once for a customer lol - https://vexxhost.github.io/atmosphere/user/auth.html#using-external-token-from-identity-provider15:38
cardoeThere's a want so that all the project_ids are identical across the different regions.15:39
gtemacardoe - I was briefly describing this during the summit and also during the ptg. Conceptually this is a new type of account that can only auth using the jwt and has the logic similar to appcreds (binds to scopes with roles) and certain additional protection15:39
cardoeSo I've got a global keystone that's really just my official project store and group mapping.15:39
cardoegtema: ah okay. yeah I missed that session cause I was triple booked :/15:39
gtemawrt project_id - just yesterday I was writing here that we can extend project creation api with specifying the id upon creation in v415:40
cardoethen regional keystones and have a custom auth plugin that's really just grabbing the projects so that they're in scope during the mapping time to creaet them15:41
cardoeCould we not allow project_id in v3 for a specific permission?15:42
cardoeI think domain_id can be set on a domain creation for a permission?15:42
gtemai don't think it is possible now15:43
gtemawith global and regional keystones you also do not have the same user_id15:43
gtemawell, the unique_id is same, but i.e. for nova/neutron it is still different15:44
cardoeSo dealing with OpenStack Helm15:44
cardoeI've tried to get the PTL to split up the service accounts... he's done nova, cinder, and neutron but a bit different than my goal.15:45
cardoeMy goal was each part of the service used its own... like nova-conductor vs nova-api15:45
cardoeSince I've got a keystone in each region, the different users aren't really an issue... but for OIDC I'm using the OIDC sub for the user_id in mapping so its consistent15:46
gtemashould we maybe try to get a sync call to discuss on that? it is not a tiny thing for typing15:46
gtemaI also want to understand how people are thinking to approach the multiregional keystone - I have too many ? in my head15:47
cardoesure thing. I'm happy to help.15:48
cardoeI just want an easy setup that follows along patterns that are in the goals of the project.15:48
cardoeDon't wanna go off on my own thing15:49
gtemaI was even thinking into something similar to SCIM just for provisioning domains/projects with one central keystone managing that and those pushing this info to the regions (or pull)15:49
gtemayou are right in time - I am gathering the functional requirements to address this properly with ng15:49
gtemasorry Dave Wilde (d34dh0r53) let's go back to the agenda to finish it quickly15:51
gtemaand we can continue chatting afterwards15:51
d34dh0r53ack, I was just about to jump in15:53
d34dh0r53next topic15:53
d34dh0r53#topic specification Secuirty Compliance Testing (dmendiza)15:53
d34dh0r53#link https://review.opendev.org/c/openstack/devstack/+/95796915:53
d34dh0r53I don't think dmendiza is around15:53
d34dh0r53#topic specification OpenAPI support (gtema)15:53
d34dh0r53#link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone15:54
gtemanothing on that15:54
d34dh0r53#topic open discussion15:55
stanislav-zdo you review new bugs later? or now is the time?15:56
cardoemnaser: just looked at your link... that's exactly what we had to do..15:56
d34dh0r53we're about to do that Stanislav Zaprudskiy 15:56
d34dh0r53#topic bug review15:56
d34dh0r53#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:56
d34dh0r53looks like we have a couple of new bugs for Keystone15:57
d34dh0r53first up15:57
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/213165815:57
gtemaI have responded in them just an hour ago 15:57
d34dh0r53ack, reading that now15:57
moutazchaara[m]d34dh0r53: Seen that response thanks, and i think it can be included in the patch that i'm on. 15:59
d34dh0r53ack, thanks moutaz.chaara 15:59
d34dh0r53next up15:59
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/213370615:59
gtemawe touched that during the ptg iirc16:00
gtemait was a coincidence and I do not know how we could resolve that now16:00
gtemathe thing is gone now16:00
bbobrovi have an idea16:01
bbobrovwe could revert the change for 2025.1 only16:01
bbobrovactually leave the module deleted in 2025.2 and 2026.116:01
gtemathere was a proposal to backport the migration procedure to 2024.216:01
bbobrov2024.2 is a SLURP release - optional16:02
gtemaand 2024.1 is now gone - great16:02
bbobrovthe official openstack messaging is that people can skip and upgrade directly from 2024.1 to 2025.1 without any downsides16:02
d34dh0r53revert from 2025.1 seems reasonable, do you see downsides gtema ?16:04
bbobrovalso, 2025.1 is not supposed to run on python3.13 - https://governance.openstack.org/tc/reference/runtimes/2025.1.html16:04
bbobrovonly on 3.1216:04
gtemahmm. okay16:04
bbobrov3.13 is also not mandatory for 2025.2 - https://governance.openstack.org/tc/reference/runtimes/2025.2.html16:05
gtemahttps://review.opendev.org/c/openstack/keystone/+/959279 is the one I mentioned above16:06
gtemait was actually into the 2024.116:06
d34dh0r53could we backport that into 2025.1?16:07
gtemawe were both unsure in the approach anyway ;-)16:08
gtemabut yes, it can16:08
gtemait just need certain runtime for everything to be "migrated"16:08
bbobrovis it really a backport? The patch doesn't seem to be present in the current master. It seems to be a direct commit to a stable branch16:10
gtemaright - we were discussing back those days exactly that we commit it directly back to the branch16:11
gtemait SHOULD NOT exist in master16:11
bbobrovso both restoration and migration patches need to be applied to 2025.1, and nothing needs to be done with the rest of releases.16:11
bbobrov(except maybe a removal note moved to 2025.2)16:11
gtemathe main point of concern was and stays - this hashing method was marked deprecated 10 years ago. The fact that those are still there means nobody rotated password - this is just purely wrong16:12
d34dh0r53indeed16:13
d34dh0r53I'm good with either approach, but I think applying all of the patches to 2025.1 is the best option for long term maintainability16:14
gtemafrom the maintainability we should not do anything and mark that before upgrading to 2025.1 affected passwords must be rotated16:15
bbobrovkeystone deleted a supported hashing mechanism without any warning.16:16
gtemathat is the safest and most reasonable approach fmpov16:16
gtemabbobrov - people were warned 10 years ago that the hashing method is doomed16:16
bbobrovgtema: could you point me to the deprecation notice about it in keystone?16:16
gtemaI know what you mean, still16:16
gtemait was not such a deprecation how you would expect this, I wasn't with OpenStack back those days. Will try to grep through logs16:17
bbobrovit seems that the notice is OSSN-008116:19
gtemasee in https://docs.openstack.org/releasenotes/keystone/stein.html  "The deprecated option crypt_strength is removed now. It was only useful for sha512_crypt password hashes which has been superseded by more secure hashing implementations."16:20
gtemabut your hint to the OSSN is great16:21
gtemaanyway - I admit it was a mistake to land deprecation note and dropping in a single release though16:22
gtemajust a bad timing16:22
d34dh0r53poor timing16:25
gtemawe could backport the deprecation note to 2024.216:26
bbobrov2024.2 is a slurp release, it is usually skipped16:26
gtemaah damn16:26
d34dh0r53We could do as bbobrov suggested and just add a release note ensuring that folks rotate their passwords16:27
gtemamaybe add this as a pre-upgrade note to 2025.116:27
bbobrovthat's the problem - there are many people who "own" different users, and running after them convincing them to rotate is time-consuming.16:28
gtemafrom what we have seen this case usually affects service users and not the regular ones16:29
gtemain the security compliance we can now also enforce password rotation ;-)16:29
bbobrovstanislav-z: it is unclear from the bugreport - does keystone crash with a ValueError or is there a more graceful error handling?16:30
gtemaI think users are not able to login anymore, nothing else16:31
stanislav-zit doesn't crash16:31
bbobrovi see a huge traceback in the logs, but don't know what the users got - 401 or 50016:35
gtemashould be 401 - tracebacks are known16:35
gtemawe are heavily overtime now, let's come to the end pls16:38
gtemaDave Wilde (d34dh0r53): ??16:44
bbobrovmaybe he decided to end the meeting asynchronously and is already asleep :D16:45
gtemahe has a lunch time by now16:45
gtemaI think I can't even end the meeting since he started it16:45
gtemabut lemme try16:46
gtema#endmeeting16:46
opendevmeetMeeting ended Wed Dec  3 16:46:06 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:46
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-03-15.02.html16:46
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-03-15.02.txt16:46
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-03-15.02.log.html16:46
gtemawow, it worked16:46
gtemathanks everybody for participation. It was a surprisingly long meeting where last ones were empty16:46
d34dh0r53sorry16:46
d34dh0r53yeah, got pulled into another conversation16:46
d34dh0r53we didn't have any other bugs16:47
gtemagood16:47
« Tuesday, 2025-12-02 Index Thursday, 2025-12-04 »

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!