Wednesday, 2026-06-10

04:03 *** ykarel_ is now known as ykarel
06:06 <opendevreview> Merged openstack/keystone stable/2025.2: Prevent RBAC policy bypass via JSON body and query filters (CVE-2026-42999)  https://review.opendev.org/c/openstack/keystone/+/990499
12:22 <zigo> bbobrov: Hi there, are you around?
12:22 <zigo> Not sure what's Artem Goncharov's nick...
12:23 <gtema> it's gtema
12:23 <zigo> Ah, thanks ! :)
12:23 <gtema> welcome
12:23 <zigo> gtema: We're having issues with this last patch: https://review.opendev.org/c/openstack/keystone/+/990494
12:23 <zigo> It prevents our users from doing something like this:
12:23 <zigo> openstack user set --multi-factor-auth-rule password,totp <USER_ID>
12:24 <zigo> We have a special policy checker, so in our policy we have:
12:24 <zigo> "identity:update_user": "http://127.0.0.1:8000/keystone/users/update"
12:24 <zigo> so that it can check if it's a request to enable TOTP.
12:24 *** ricolin_ is now known as ricolin
12:25 <zigo> Though with the patch, it doesn't work anymore ... :/
12:25 <zigo> (and our users are always receiving a 403)
12:25 *** TheJulia_ is now known as TheJulia
12:25 <zigo> gtema: Any idea what could be the cause ?
12:26 <gtema> not directly. I would rather ask why the user is allowed to do update_user - this is an admin/domain_manager only operation by design
12:26 <zigo> gtema: We just want to allow them to enable TOTP if they want to.
12:27 <zigo> (and nothing else)
12:27 <gtema> but you pass the full payload over there?
12:27 <zigo> To our policy checker ? Yes.
12:27 <gtema> hm, okay. Will try to trace in 30 min
12:28 <zigo> Thanks.
12:29 <zigo> I'm convinced it's that one last patch btw, because I split the launchpad v4 patch into the 5 patches committed to Gerrit so I could revert them one by one until it would work again.
12:29 <gtema> do you remember that now in some policies you need to check the data from a different key. Can you maybe check from logs whether you receive the data but are just looking in the wrong place
12:29 <zigo> You mean in my external policy checker?
12:30 <zigo> Well, its logs say it replies 200, so it isn't it that's faulty.
12:30 <gtema> yes
12:30 <zigo> (gosh. grammar, sorry...)
12:30 <gtema> we adapted some policies since the keys of the data in the policy have changed
12:32 <opendevreview> Lajos Katona proposed openstack/keystone master: LDAP: add new cfg option for pw expiry format  https://review.opendev.org/c/openstack/keystone/+/976618
12:33 <gtema> zigo - I do not know how to react to your last message. Have you found an error on your side, or is it just a statement about the grammar in the message
12:43 <zigo> gtema: It's a statement that I'm having English grammar issues when I write on IRC ! :)
12:43 <gtema> okay
13:32 <opendevreview> Takashi Kajinami proposed openstack/oslo.limit master: Remove Python 3.10 support  https://review.opendev.org/c/openstack/oslo.limit/+/992644
13:34 <opendevreview> Takashi Kajinami proposed openstack/oslo.policy master: Remove Python 3.10 support  https://review.opendev.org/c/openstack/oslo.policy/+/992646
13:40 <gtema> zigo - can you trace your custom external check a bit more? It should not only return 200, but return the "True" string in the text
13:44 <zigo> Ok, asking my colleague.
13:47 <gtema> would be nice if he can verify that it returns what is expected and maybe also check whether it receives what is expected (I assume it would be target.user.... but maybe even target.target.user if I am interpreting the http check in oslo.policy correctly
13:47 <gtema> or perhaps target.request_body.user...
13:51 <zigo> gtema: Thanks a lot, I think we found out. Here's what we need to fix in our external policy checker:
13:51 <zigo>     allowed_changes = {
13:51 <zigo> -        "user.options.multi_factor_auth_enabled",
13:51 <zigo> -        "user.options.multi_factor_auth_rules",
13:51 <zigo> +        "request_body.user.options.multi_factor_auth_enabled",
13:51 <zigo> +        "request_body.user.options.multi_factor_auth_rules",
13:51 <zigo> Not sure why "request_body." is prefixed now ...
13:52 <gtema> because this is literally what the change does - wraps the content of the body. From the OPA point of view that is used in NG I also question this decision now
13:56 <zigo> Ok, thanks a lot, we'll get our public deployment fixed really soon, this was very much helpful ! :)
13:56 <gtema> you are welcome
15:04 <d34dh0r53> #startmeeting keystone
15:04 <opendevmeet> Meeting started Wed Jun 10 15:04:04 2026 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:04 <opendevmeet> The meeting name has been set to 'keystone'
15:04 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:04 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:04 <d34dh0r53> #topic roll call
15:04 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:04 <gtema> o/
15:05 <d34dh0r53> dmendiza o/
15:05 <dmendiza[m]> 🙋‍♂️ (kinda)
15:05 <d34dh0r53> #topic review past meeting work items
15:05 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-05-27-15.02.html
15:06 <d34dh0r53> nothing to review from last week
15:06 <d34dh0r53> #topic liaison updates
15:06 <d34dh0r53> nothing from me
15:07 <gtema> nothing from me either
15:07 <d34dh0r53> #topic specification Secure RBAC (dmendiza)
15:07 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:07 <d34dh0r53> 2026.1 Release Timeline
15:07 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:08 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:08 <d34dh0r53> Devstack still defaults to enforce_scope = False https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L120
15:08 <d34dh0r53> Patch to default to true: https://review.opendev.org/c/openstack/devstack/+/956210
15:08 <d34dh0r53> Fix config options in keystone-tempest-plugin https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930829
15:08 <dmendiza[m]> I did not get to update the devstack patch 😅
15:08 <d34dh0r53> ack, just remove the WIP label or is there more to do?
15:09 <dmendiza[m]> Release notes, and a better explanation of why the change is needed
15:09 <d34dh0r53> okay, cool
15:09 <d34dh0r53> #topic specification Security Compliance Testing (dmendiza)
15:10 <d34dh0r53> #link https://review.opendev.org/c/openstack/devstack/+/957969
15:12 <d34dh0r53> no updates on compliance, moving on
15:12 <d34dh0r53> #topic keystone-rs
15:12 <d34dh0r53> #link https://github.com/openstack-experimental/keystone
15:12 <dmendiza[m]> No progress ... 😅
15:12 <gtema> - students started producing PRs and some are already merged. Looking very promising to get really good progress
15:13 <gtema> - added internal notification mechanism so that providers can register hooks when e.g. a user is deleted
15:13 <gtema> - restarted thinking about SCIM implementation which led me into the SCIM auth challenge:
15:13 <d34dh0r53> 🥳
15:13 <gtema> 1) bearer token (bound to the user's domain scope)
15:14 <gtema> 2. oauth2 client credentials. python keystone uses application creds for that which means it is project scoped - no use
15:15 <gtema> oauth2-mtls - need to do tls termination directly (you can't rely on http proxy when giving customers self-service for that
15:15 <gtema> so this is another hard argument why we need to do termination directly in the app
15:16 <gtema> anyway, the oauth2-mtls leads me to a 4th mapping engine which means it is not practical, I need to rethink the mapping strategy, but I am definitely not going to reuse the mapping style of python keystone, it has too many flaws
15:18 <gtema> so I will perhaps introduce a new "universal" mapping engine to be primarily used for tls mappings to implement oauth2-mtls. Afterwards will switch existing oidc/jwt/k8s_auth/spiffe to the new mapping engine
15:19 <gtema> it's really disappointing that oauth2-client-creds is useless
15:19 <gtema> that's it on the topic
15:19 <d34dh0r53> ack, thanks gtema , that is indeed a bummer about oauth2-client-creds
15:19 <d34dh0r53> next up
15:20 <d34dh0r53> #topic open discussion
15:20 <gtema> I think I have one
15:20 <gtema> how open are we to extending the use of user/project/domain options beyond what they are currently used for?
15:21 <gtema> one example in mind was related to the ACL protections. Imagine in the user_options we can require over which interface it can authenticate
15:21 <gtema> or the user ACLs, same for project ACLs and so on
15:22 <gtema> such options feel more "native" for that
15:23 <gtema> but at the moment they are "hardcoded" in the code and we would need to decide whether we want to loosen this
15:23 <d34dh0r53> on the surface that seems like a good idea
15:24 <gtema> I can start some prototyping to test the approach then
15:24 <d34dh0r53> okay, sounds good, anything else for open discussion?
15:25 <gtema> not from me
15:26 <d34dh0r53> cool, moving on
15:26 <d34dh0r53> #topic bug review
15:26 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:27 <d34dh0r53> no new keystone bugs 😌
15:27 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:27 <d34dh0r53> nothing new in python-keystoneclient
15:27 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:27 <d34dh0r53> keystoneauth is clean
15:27 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:28 <d34dh0r53> keystonemiddleware is good to go
15:28 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:28 <d34dh0r53> nothing new here
15:28 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:28 <d34dh0r53> ldappool is good as well
15:28 <d34dh0r53> #topic conclusion
15:28 <d34dh0r53> Thanks all
15:29 <gtema> thanks guys
15:29 <d34dh0r53> #endmeeting
15:29 <opendevmeet> Meeting ended Wed Jun 10 15:29:06 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:29 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-10-15.04.html
15:29 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-10-15.04.txt
15:29 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-10-15.04.log.html
18:46 <opendevreview> Boris Bobrov proposed openstack/keystone master: Add release note for EC2 credential app cred guard fix  https://review.opendev.org/c/openstack/keystone/+/992748
21:21 <opendevreview> Stephen Finucane proposed openstack/oslo.policy master: typing: Fix compatibility with typed oslo.config  https://review.opendev.org/c/openstack/oslo.policy/+/992763
23:48 <opendevreview> sean mooney proposed openstack/keystone master: Add regression tests for lazy query DB leaks  https://review.opendev.org/c/openstack/keystone/+/992781
23:48 <opendevreview> sean mooney proposed openstack/keystone master: Materialize lazy SQL backend queries  https://review.opendev.org/c/openstack/keystone/+/992782
23:56 <opendevreview> sean mooney proposed openstack/keystone master: Materialize lazy SQL backend queries  https://review.opendev.org/c/openstack/keystone/+/992782

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!