18:00:06 #startmeeting keystone 18:00:07 Meeting started Tue Nov 22 18:00:06 2016 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:08 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:11 The meeting name has been set to 'keystone' 18:00:14 amakarov, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, srwilkers, stevemar, topol, StefanPaetowJisc 18:00:21 hello 18:00:22 o/ 18:00:23 o/ 18:00:25 #agenda https://etherpad.openstack.org/p/keystone-weekly-meeting 18:00:25 o/ 18:00:26 o/ 18:00:26 o/ 18:00:32 howdy 18:00:41 o/ 18:00:45 ah... 18:00:46 #link agenda https://etherpad.openstack.org/p/keystone-weekly-meeting 18:00:46 * crinkle not really around 18:00:47 o/ 18:01:08 * stevemar is also not really around, but in a different place thank crinkle 18:01:13 than* 18:01:24 thanks lbragstad ;) 18:01:29 stevemar np 18:01:40 o/ 18:02:14 o/ 18:02:27 lbragstad, So I'd really like to get the RBAC spec in to Ocata 18:03:00 ayoung cool - let's talk about it at the end of the meeting - since we have a quick agenda anyway 18:03:04 o/ 18:03:13 lbragstad, first item is specs. 18:03:55 Announcements [stevemar] 18:03:56 Next milestone is Ocata-2 -- Week of Dec 12-16 -- This is also spec freeze week, specs must merge by then! 18:04:24 ayoung looks like a request for reviews - but we can talk about 18:04:25 https://review.openstack.org/#/c/391624/ 18:04:46 #optic Announcements 18:04:55 #topic Announcements 18:05:01 Next milestone is Ocata-2 -- Week of Dec 12-16 -- This is also spec freeze week, specs must merge by then! 18:05:19 also - looks like we 18:05:29 are going to stick with the etherpad format for the meeting 18:05:43 at least according to the current responses - https://goo.gl/forms/Gs4lZxgktRzlwHAn2 18:06:00 Reminder that we have the policy meeting tomorrow 18:06:16 #link https://review.openstack.org/#/c/398500/ merged 18:06:45 so there should be an ical published http://eavesdrop.openstack.org/ by EOD 18:07:23 ayoung can we breeze through breton's topic before the RBAC spec since it was on the agenda last week and we didn't get to it? 18:07:33 check 18:07:40 ayoung htanks 18:07:53 #topic Request id chaining in keystoneclient 18:07:55 o/ 18:07:57 breton you're up 18:08:05 there was that spec with request-id chaining 18:08:18 the idea was to send the same request-id to all services 18:08:24 so that actions could be tracked 18:08:35 we have a plan in place to fix? 18:08:42 it was a cross-project spec and there was a huge discussion 18:08:55 breton is there a link to the spec? 18:09:02 and, apparently, it was broken in ksc for ~2 major releases 18:09:24 lbragstad: http://specs.openstack.org/openstack/openstack-specs/specs/return-request-id.html 18:09:26 and...since everything starts with a keystone token, people thought the request ID should come from Keystone, but since token can be used on multiple requests, even the auditID is not an appropriate value 18:09:40 lbragstad: i couldn't find the spec for reusing request-id though 18:09:42 ayoung: i remember this 18:09:49 and we can't trust the client to generate it as they could fake it out 18:09:50 ayoung: the convo went in a lot of circles for that 18:10:03 we have to pick *something* to trust 18:10:09 and we don't know, after the token is requested, what the right place to generate the request ID is 18:10:15 we removed the last bits of this broken request-id thing in https://review.openstack.org/#/c/396260/ 18:10:16 so a request ID needs to be a combination of the token + operation? 18:10:20 honestly, i think the client can generate it just fine. 18:10:37 seems like it has to be in keystonemiddleware, and passed down the reuqest hierarchy. But...hmmm 18:10:37 and released yesterday after some discussion 18:10:41 it's better to have a request-id than not. 18:10:58 there is no way to prevent a bad actore from faking the ID 18:10:59 someone should bring it back to keystoneclient 18:11:03 ayoung: ++ 18:11:11 i am not sure that it works in other clients though. 18:11:18 I wonder if this could be piggybacked with jamielennoxs service token approach 18:11:41 ayoung: possibly 18:11:50 it seems that the request ID should be generated at the edge, so if a service is calling another service, we trust it to generate the ID and pass it along 18:11:51 please review https://review.openstack.org/#/q/topic:bp/return-request-id-to-caller+project:openstack/python-keystoneclient that should bring it back. 18:12:00 breton, kill it 18:12:09 breton: i would rather see it in KSA than ksc in this case 18:12:12 it is not a keystoneclient problem to solve. It might be keystonemiddleware, though 18:12:13 ayoung: done 18:12:19 keystoneclient is the wrong place regardless 18:12:28 might need KSA support, but I think it is middleware 18:12:38 the way i see it, ksa supports it 18:12:41 ksm uses it 18:12:48 uses it? 18:12:49 for what? 18:12:55 uses/makes use of the support 18:12:56 breton, to pass it on 18:12:59 ^^ 18:12:59 in a trusted manner 18:13:03 what ayoung said. 18:13:13 it is not auth thing 18:13:30 but keystoneauth *is* the session for a given set of requests 18:13:30 so...what we are really talking about here is an audit trail, but the ability to distinguish between two different requests using the same token 18:13:37 othewise, the token audit ID is sufficient 18:13:48 breton, it is an Audit thing 18:13:50 right now it is in all python-*client, not sure if it works 18:13:51 let it be part of the session object(s) that are passed around internally 18:14:12 so...to do it right (overdesign) we would do something like this: 18:14:36 first service that gets the request geneerates and ID and signes it (yeah PKI again...this is athought experiment, not reality, bear with me) 18:14:48 and then each service in the chain adds its own signature to it. 18:14:49 even if we started with audit id. that is a step in the right direction (just don't reference the audit-id as the audit-id, so if we want t change/enhance it we can) 18:15:27 ugh...not even that signing thing works. 18:15:40 The problem is that we have to treat services like Trove and Sahara as untrusted services 18:15:50 ayoung the request id would change every time it hits a new service, wouldn't it? 18:15:54 or add some other service outthere that is not under the big tent, and you get the same idea 18:16:04 so simple solution 18:16:16 lets start with the audit id. or a UUID seeded from the audit-id 18:16:25 now we have at least *some* level of tracking. 18:16:27 lbragstad, does it? I would not think that would be useful, but the id still then needs to be linked to the endpoint, or a hacked endpoint could modify 18:16:37 or audit_id+timestamp if request_id is none 18:16:49 I thought the idea of a request id, though, was to track the request across multiple services 18:16:49 (seeded into uuid) 18:16:55 request-id thing was cross-project. Before killing it and discussing something new we should talk to other projects. 18:17:02 audit_id+timestamp is pretty good 18:17:18 breton, I come to praise audit id, not to bury it 18:17:25 morgan_, I think that is it 18:17:29 audit_id + timestamp 18:17:44 the worst a service could do then is munge the timestamp 18:18:10 any other service can confirm that the audit_id on the token matches... 18:18:39 breton, would that work? request ID = (token['audi'id'], timestamp_of_initial_request) 18:18:52 ayoung: uuid.uuid5(audit_id, timestamp) (timestamp is namespace) 18:18:56 ayoung: or something like that 18:19:02 ayoung: no idea :) 18:19:08 morgan_, sha256? 18:19:15 it's sha1 18:19:22 but that is sufficient for a request_id 18:19:25 morgan_, it can always be a calculated value, so long as we capture the original request time 18:19:34 right 18:19:52 i'd rather populate a uuid (strings are easier to suss out in longs) if we're doing it. 18:19:58 logs* 18:20:03 but impl detail aside 18:20:08 so...original request timesamp now becomes an additional header? 18:20:12 audit_id + timestamp_of_request_at_edge 18:20:41 morgan_, sha256 as a string. Lets avoid any crypto discussion 18:20:41 ayoung: sure. or make it all the same header 18:21:10 OpenStack-Request-Id: , 18:21:12 morgan_, we need the initial time in order to confirm the hash. 18:21:22 if you want to re-calc it you can 18:21:38 breton, is that enough to go on? We don't need to design it all here, but you should be able to take that and run. Hit me or morgan_ up for ?s in #keystone if needs be 18:21:40 split is cheap in python and any other lang (maybe excluding C) 18:21:51 ayoung: ++ 18:22:12 and this can be encoded in keystoneauth (support for it) so it just exists 18:22:21 breton does that help? 18:22:51 #action breton to spec out new request id format based on token audit ID and timestamp of original request 18:23:11 since we are trying to get sessions to be passed in from middleware and reused when talking to subsequent services for the request 18:24:23 please comment on https://review.openstack.org/#/q/topic:bp/return-request-id-to-caller+project:openstack/python-keystoneclient too 18:24:31 so that the person doesn't work on them any more 18:25:03 alright - moving on 18:25:04 i was actually trying to notify people about the request-id thing :p 18:25:13 #topic PCI lockout and recovery 18:25:18 gagehugo you're up 18:25:25 ok 18:25:32 I saw people responded already 18:25:54 but basically, I was looking at this later yesterday: https://bugs.launchpad.net/keystone/+bug/1641645 18:25:54 Launchpad bug 1641645 in OpenStack Identity (keystone) "PCI: a locked out user must ask an admin to unlock their account" [Wishlist,Opinion] - Assigned to Gage Hugo (gagehugo) 18:25:59 breton, use that new -2 you have to stop any really bad decisions in their tracks 18:26:06 just, be nice when you do it 18:26:32 gagehugo, so...I would think a domain admin yes, but a locked account cannot be fixed by a user themself 18:26:55 a locked out account is just that. 18:26:57 yeah, I think the title should probably have been more specific about expired password users vs locked out 18:26:58 locked out 18:27:04 ah 18:27:10 unless both are considered "locked out" 18:27:15 agreed 18:27:20 expired password should be resettable by the user. And that is a code/logic error, I bet 18:27:24 expired password is something valid to address. some systems require admin intervention on that front 18:27:27 some dont 18:27:32 morgan_ ++ 18:27:35 morgan_ yeah 18:27:44 we would need to re-work the password self-change i think 18:27:53 don't check the expiry when the user calls that API, and let it be called (only?) with basic auth 18:27:55 HA! 18:27:59 Basic-Auth middleware 18:28:00 but i am 100% ok with keystone supporting self-service change of expired password 18:28:16 ayoung: does self-service password change require a token? 18:28:19 if it does... 18:28:20 yes 18:28:24 morgan_, it does 18:28:31 then that is something we would need to address 18:28:38 morgan_, the only operation in openstack that does not require a token it to get a token 18:28:40 it would need to support a tokenless-mode 18:28:46 tokenless with x509 works 18:28:48 I left a comment about that on the bug listing, it was why I was concerned about what direction to take with it 18:29:08 it should be fine to make self-service password change not require a token 18:29:17 the API takes the old Password in the body of the request? 18:29:19 yeah 18:29:20 yes 18:29:56 you also need to know the user_id I believe 18:30:01 the expirationlogic was modeled after how other orgs handle the situation (we just dont' implement the grace period) 18:30:14 dstanek: and i think it's fine as is. 18:30:25 allow users to change when their password expires? we discussed this during development and the decision was that once a password expires, it requires a admin password reset. 18:30:26 dstanek I've worked in places that handle it either way 18:30:45 rderose: i've seen it both ways 18:30:57 rderose: i don't feelw e need to change it. 18:31:04 gagehugo: we didn't want to make it infinitely configurable so we opted for the most secure route 18:31:11 morgan_ true 18:31:14 but fwiw, i would be 100% ok with self-service change to work for expired passwords 18:31:14 dstanek I'm fine either way 18:31:23 since we can lock an account independantly 18:31:24 (disable) 18:31:34 we don't require a password or password expiry to change it 18:31:44 it also could allow an admin to force a password change on next login 18:31:52 here is your temp password, use this api and change it 18:32:03 since the password is "expired" to start 18:32:04 * dstanek just gave his last 2cents away before vacation brain sets in 18:32:22 looking at active directory style setup (and some LDAP impls) 18:32:53 there is definite use for forcing a password change so the user doesn't need to tell the admin the real password -- and the admin *cant* know it because the change is required 18:33:08 So... to do that would, I think, require a different Paste Pipeline 18:33:22 ayoung: no, we explicitly exempt some apis 18:33:26 i don't think admins need to know the old password, that's just self-service 18:33:33 aka no enforcement 18:33:54 dstanek: right, but in the case of admin-password set you're implicitly telling the admin a password to use 18:34:06 gagehugo, is that enough for you to go on? 18:34:06 often orgs have an admin set a temp password that must be changed 18:34:21 no enforcement and a very specific case that someone's password is expired 18:34:28 Fix just the expired case, make it skip the token request...that will require a change in Keystoneclient, too 18:34:43 ayoung: hm. yes minor change to ksc 18:34:44 and...do we have a way to get that URL to the end user without a token? 18:34:47 ayoung kinda? it's still a question of whether or not to change it 18:34:49 we actually talked about forced-reset and i think the concensus was that it was bad enough that we added PCI features to the keystone IdP that we didn't want to have any extras. the advice was to use a real IdP 18:34:57 but right now just requiring an admin to do it works 18:35:05 gagehugo, yes, change only the reset-password case, and only on expired, not locked 18:35:17 PCI was to be the bare minimum as opposed to a base for building an IdP 18:35:18 ayoung ok 18:35:34 like i said, don't feel we need to change it 18:35:39 it just has a real use case if we do 18:36:14 could we add a config option to disable users resetting their own passwords when expired? If whoever doesn't want that option? 18:36:16 ayoung: well, the auth request could return the URL for password change if password is expired (regardless of the value of the password) 18:36:22 morgan_: if we do change it then it would mean y'all were right and is was too slippery a slope 18:36:35 dstanek: i think we've already hit that slope 18:36:48 dstanek: we implemented basic PCI-DSS support 18:36:50 morgan_, I like that. Very rest. 18:36:51 * dstanek hi fives morgan_ 18:37:01 THat slope has snow on it 18:37:09 and it is forming moguls 18:37:12 ayoung: nah, sierra cement...and it's iced over 18:37:22 the avalanche started a few thousand feet above you.. 18:37:28 frozen moguls 18:37:30 you have no avalanche gear... 18:37:33 on Telemark skis 18:37:35 :P 18:37:41 I have Avalanche gear. I might be the only one that does 18:37:49 probe and beacon and collapsable shovel 18:38:00 annnyyway 18:38:01 next topic 18:38:04 ayoung: probably 18:38:05 ok 18:38:21 gagehugo want to take point on updating the bug with the discussion here? 18:38:27 will do 18:38:30 minus avalanche talk 18:38:34 aw 18:38:38 lol 18:38:45 gagehugo cool -thanks 18:38:46 #topic RBAC specification 18:38:49 ayoung 18:38:54 go ayoung go! 18:39:11 OK... RBAC 18:39:14 so I want this spec in 18:39:19 just the Keystone piece of it 18:39:29 and just the REST api to start 18:39:39 * morgan_ read that as "The Keystone Price" 18:39:39 #link https://review.openstack.org/#/c/391624/ 18:39:47 and i wondered when we entered the game of thrones 18:40:43 there are details to work out, so, should I split the spec into toe pieces and only putthe REST part in the first piece, and then the second is enforcement 18:41:16 enforcement is going to be done based on the REST API, and in middleware first, although the "RBAC during the token validation" has struck some interest and could still be done as a second piece 18:41:19 ayoung what specifically is the REST part? 18:41:36 because i was thinking the REST part was the enforcement part... 18:41:44 lbragstad, upload and fetch of mpping from URL patterns to roles 18:42:07 ayoung so the enforcement part would include the changes to the token validation api 18:42:09 you need a management interface before you can have enforcement 18:42:10 that's what you mean? 18:42:15 right 18:42:18 ok 18:42:51 lbragstad, and in fact, I am right now thinking that enforcement would be done in keystonemiddleware. Then, if e do the -enforce -during token validation" we would reuse the middleware code inside of Keystone 18:42:55 so there is a natural ordering: 18:42:58 1. management API 18:43:07 2. Enforce in middleware (leaves caching alone) 18:43:17 3. enforce in token API (optional, depends on 2) 18:43:48 and 3 would break caching... right? 18:43:59 It means that once the API is working for management, there will be follow on changes to middleware. 18:44:02 lbragstad, right 18:44:22 lbragstad, and I can make that its own spec, so we can judge it separately 18:44:45 so - right now policy has two places that it gets information from 18:44:46 1.) the policy file 18:44:48 2.) keystone's token response 18:45:08 introducing the management api essentially puts both of those pieces of information into keystone, right? 18:45:14 3) the service itself 18:45:25 lbragstad, so yes 18:45:48 lbragstad, as the new mechanism skips the service specific attributes 18:46:24 have other projects thought about this? I assume this would need a migration 18:46:45 or do they have an opinion? 18:48:21 there is a migration path, but to start, there would be no impact 18:48:33 it would be disabled by default. People could then enable it to test it out 18:48:41 as all good things should be; sportsmanlike 18:49:12 but we can probably pregenerate all the URL pattern mappings based on the API specs for the other projects, and just assign them the Memeber role 18:49:26 so long as admin implies member, that will continue to work as is 18:50:11 so - if a policy changes for a project, they have to update the policy as it is stored in keystone. 18:50:21 lbragstad, don't call it policy 18:50:22 is there a way to bootstrap this in keystone? 18:50:32 yes, there is a way: 18:50:54 one thing I have not done yet, and that nedsto be better clarified in the spec is how to specify a default rule if there is no match 18:51:22 we could then load up just the defaults on a per service basis. We could even generate those automatically based on the service catalog if we wanted 18:51:31 ayoung: that is probably the best bet 18:51:40 the per-serivce basis that is 18:52:07 So, lets get the management API spec approaved (I'll split it later today) and we can continue to work through the implementation details 18:52:32 everyone OK with this approach? 18:52:35 wfm 18:52:47 does anyone have reservations? 18:53:01 we can take the time to go through this in the policy meeting tomrrow too 18:53:06 if people have more questions 18:55:08 thinrichs isn't here is he? 18:55:22 or edmondsw 18:55:31 ruan? 18:56:48 ayoung would you be available to field questions at tomorrow's meeting if people have them? 18:57:00 yes I will 18:57:19 thinrichs, edmondsw, ruan, all seem to have a bunch of feedback on policy - so having their input would be nice 18:57:28 anything else? 18:57:33 we have two minutes left? 18:57:40 s/?// 18:58:43 alright - let's call it a minute early 18:58:44 thanks for coming! 18:58:45 #endmeeting