16:00:24 <lbragstad> #startmeeting keystone
16:00:25 <openstack> Meeting started Tue Jul 31 16:00:24 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:28 <openstack> The meeting name has been set to 'keystone'
16:00:34 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:00:36 <lbragstad> agenda ^
16:00:41 <lbragstad> ping ayoung, breton, cmurphy, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk
16:01:19 <wxy|> o/
16:01:21 <lamt> o/
16:01:22 <gagehugo> o/
16:01:49 <hrybacki> o/
16:02:03 <hrybacki> in another meeting today so will review the minutes after y'all
16:02:25 <kmalloc> o/
16:02:38 <lbragstad> we don't have a lot on the agenda today
16:02:54 <lbragstad> so likely going to be a quick meeting unless people have things for open discussion
16:03:04 <lbragstad> #topic announcements
16:03:12 <lbragstad> #info we cut rocky-3 last week
16:03:24 <lbragstad> so - that means we're effectively in RC period
16:03:31 <lbragstad> and we're in string freeze
16:03:46 <lbragstad> just things to be aware of while reviewing and working through bugs
16:03:58 <lbragstad> #topic reviews
16:04:06 <lbragstad> i think there are still flask reviews that need eyes
16:04:12 <lbragstad> and same with the token provider API refactor
16:04:22 <lbragstad> does anyone have anything else they want eyes on?
16:05:01 <gagehugo> https://review.openstack.org/#/c/580780/ if anyone has time
16:06:02 <lbragstad> gagehugo: sounds good - i think colleen had some comments on the early revision of that
16:06:14 <lbragstad> were we able to determine if it was actually a bug?
16:06:33 <kmalloc> flask stuff is well on the way, but auth has been a beast
16:06:39 <kmalloc> just because os-federation
16:07:10 * kmalloc has to fix a patch then go back and finish porting auth
16:07:31 <lbragstad> kmalloc: the os-revoke patch i had that you rebased appears to be failing tests
16:07:37 <lbragstad> but that's later in the chain
16:08:15 <gagehugo> lbragstad: I think I put it in the bug report, but we were seeing logins to horizon with random uuids in the notifications, imo those should be the user id as the initiator
16:08:29 <gagehugo> initiator id*
16:09:05 <kmalloc> lbragstad: that is because of the previous one
16:09:16 <kmalloc> lbragstad: or two patches before, the fix will solve that as well.
16:09:35 <lbragstad> gagehugo: ack
16:09:49 <lbragstad> kmalloc: ok - sounds good
16:10:03 <gagehugo> but it happens for any identity.authentication event afaik
16:10:12 <lbragstad> i'm in the middle of fixing some of my development environments, but i should be able to get around to reviewing it today
16:11:09 <gagehugo> wxy| was super helpful with the test case btw, it was kinda confusing at first
16:11:18 <lbragstad> awesome
16:12:04 <lbragstad> #topic open discussion
16:12:15 <lbragstad> that's about all i had... just a few reviews really
16:12:22 <lbragstad> does anyone have anything they'd like to bring up?
16:12:41 <kmalloc> i hate code that calls across controllers.
16:12:53 <kmalloc> e.g. federation controller -> auth controller
16:12:56 <lbragstad> https://bugs.launchpad.net/keystone/+bug/1779205 has an interesting comment on it (#68)
16:12:56 <openstack> Launchpad bug 1779205 in OpenStack Identity (keystone) rocky "[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)" [Critical,Fix released] - Assigned to Lance Bragstad (lbragstad)
16:12:56 <kmalloc> please don't do that.
16:13:16 <lbragstad> well - we already did :) to fix ^
16:13:21 <kmalloc> lbragstad: the comment is exactly why i recommended removing the "endpoint being enabled" part of the message
16:13:52 <kmalloc> lbragstad: no, we didn't there, i mean we do things like federation controller calls auth.authenticate_for_token
16:14:01 <lbragstad> oh
16:14:02 <kmalloc> controllers should not call another API like that
16:14:21 <kmalloc> because you get double enforcement issues
16:14:30 <kmalloc> a controller's logic should render the whole response.
16:14:31 <lbragstad> i suppose that messes with the routing
16:14:41 <lbragstad> er dispatching with flask
16:14:46 <kmalloc> if you need to share code, share it don't call another controller
16:14:55 <kmalloc> yeah i've been unwinding os-federation, it's a beast.
16:15:04 <kmalloc> i think we do this elsewhere too.
16:15:32 <kmalloc> lbragstad: anyway the comment on #1779205 is consistent with the confusion of what enabling the endpoint means
16:16:06 <kmalloc> lbragstad: we should have just eliminated that part of the impact statement, 99% of deployments don't muck with that stuff.
16:16:22 <lbragstad> can't you set the policy to "@" to blacklist it?
16:16:27 <kmalloc> you can.
16:16:37 <kmalloc> but almost no one does that kind of stuff.
16:16:55 <kmalloc> not for federation where they didn't deploy say shib or federated auth
16:17:23 <kmalloc> maybe we should have said: With default policy.json for entry get_projects_for_user
16:17:29 <kmalloc> erm list_projects_for_user*
16:17:37 <lbragstad> oh - sure
16:17:58 <kmalloc> the code / fixes did the right thing
16:18:16 <lbragstad> and it was thoroughly tested
16:18:18 <kmalloc> the comment is regarding the impact statement.
16:18:26 <kmalloc> and pre-patch testing afaict
16:18:58 <kmalloc> abhi<number> was confirming what kristi confirmed early on, non-federated tokens got complete lists
16:18:59 <kmalloc> :)
16:19:24 <kmalloc> but confused because the impact statement was not well worded for that sentence.
16:19:33 <kmalloc> basically.. we're all good nothing to see here :)
16:20:19 <lbragstad> ack
16:20:26 <lbragstad> anything else we want to discuss?
16:21:09 * kmalloc wants to discuss how the meeting can end so he can go make coffee.
16:21:46 <lbragstad> ++ we can end early... my home lab is completely hosed right now and i'm trying to fix it =/
16:22:02 <kmalloc> lbragstad: my home lab is ... torn apart, will be fixed later this week.
16:22:09 <lbragstad> wanna fix mine too?
16:22:12 <lbragstad> ;)
16:22:13 <kmalloc> (like, it's missing computers right now)
16:22:28 <kmalloc> ... only if i can "borrow" it ... i'll send a moving truck
16:22:33 <kmalloc> i swear you'll get it back.
16:22:37 <kmalloc> someday
16:22:40 <lbragstad> said no one ever
16:23:04 <lbragstad> alright - well thanks for coming everyone
16:23:07 <lbragstad> i appreciate the time
16:23:21 <lbragstad> reminder that we'll have office hours in about 40 minutes
16:23:29 <lbragstad> if anyone wants to work on things
16:23:45 <lbragstad> #endmeeting