16:00:39 <lbragstad> #startmeeting keystone 16:00:40 <openstack> Meeting started Tue Dec 4 16:00:39 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:41 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:43 <openstack> The meeting name has been set to 'keystone' 16:00:46 <cmurphy> o/ 16:00:46 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting 16:00:49 <lbragstad> agenda ^ 16:00:50 <lbragstad> o/ 16:01:42 <knikolla> o/ 16:01:52 <kmalloc> o/ 16:01:52 <lbragstad> we'll give folks a minute or two 16:01:59 * kmalloc drinks coffee 16:02:11 <gagehugo> o/ 16:03:56 <lbragstad> alright 16:04:13 <lbragstad> #topic Welcome Outreachy Interns 16:04:16 <lbragstad> cmurphy o/ 16:04:16 <wxy|> o/ 16:04:18 <cmurphy> hello 16:04:33 <cmurphy> So for this outreachy round we have two interns, erus and imus 16:04:38 <cmurphy> please give them a warm welcome 16:04:42 <lbragstad> awesome! 16:04:47 <lbragstad> hi erus and imus 16:04:59 <imus> hi 16:05:00 <cmurphy> erus will be working on some federation improvements and imus will be working on the api unit test refactor 16:05:03 <wxy|> welcome~ 16:05:08 <gagehugo> hey! 16:05:09 <kmalloc> woohoo! great to have you all 16:05:14 <erus> Hi everyone thanks o/ 16:05:14 <imus> Thanks 16:05:16 <knikolla> welcome :) 16:05:19 * kmalloc cheers for imus and erus 16:05:38 <imus> :) 16:05:48 <cmurphy> that's about all I had for that, glad to have erus and imus on board :) 16:06:13 <erus> Glad to have the opportunity :) 16:06:19 <lbragstad> imus erus i'm located in utc-6, don't hesitate to reach out if you have questions 16:06:22 <erus> Thanks cmurphy 16:06:45 <kmalloc> we have pretty good coverage 16:06:47 <cmurphy> erus: imus: by the way lbragstad is the Project Technical Lead so he knows everything 16:06:52 <lbragstad> false 16:06:56 <cmurphy> ;) 16:07:02 <lbragstad> i "pretend" to know everything 16:07:03 <erus> Haha 16:07:21 <lbragstad> but i end up leaning on everyone else when i'm wrong ;) 16:07:22 <erus> I'm in utc-3 16:07:33 <erus> XD 16:07:44 <lbragstad> erus cool - that sounds good 16:07:48 <kmalloc> i'll probably be awake later than most folks, hm.. Pacific is UTC-8 now? 16:07:56 <kmalloc> so i'll be around probably later than most folks. 16:08:02 <erus> Cool 16:08:12 <kmalloc> also lbragstad does know everything 16:08:14 <kmalloc> :P 16:08:24 <erus> I'm always awake too xd 16:08:50 <erus> So good to have a mixed utc team :) 16:09:00 * kmalloc is just trying to make everyone to not look at git blame and see "Morgan" name on everything 16:09:32 <lbragstad> alright - few more things on the agenda 16:09:40 <lbragstad> #topic Summit recap 16:09:57 <kmalloc> yeah. it's a great team. i'm super happy we got to add both of you to it (at least for now! hopefully longer after outreachy finishes this cycle) 16:10:17 <lbragstad> in case you haven't noticed, the foundation has updated all the recorded content from the summit 16:10:20 <erus> Yeah it would be great! 16:10:38 <imus> happy to be here and yes hopefully for longer 16:10:54 <lbragstad> i've put together a short summary of keystone and TC related content https://www.lbragstad.com/blog/openstack-summit-berlin-recap 16:11:00 <kmalloc> the thumbnail for the talk ayoung, knikolla, and I did is perfect :P 16:11:20 <lbragstad> does anyone else know of recaps floating around? 16:11:25 <knikolla> can't imagine it happening accidentally 16:11:29 <cmurphy> I didn't do one this time 16:11:42 <lbragstad> ack - just double checking 16:12:28 <lbragstad> #topic Outstanding Reviews 16:12:31 * kmalloc didn't do a keystone IDP recap... but next summit/ptg expects to. 16:12:38 <kmalloc> since we'll be further along 16:12:43 <lbragstad> kmalloc good idea 16:12:58 <lbragstad> alright - does anyone have patches up for review that they need eyes on? 16:13:33 <lbragstad> specification reviews included 16:14:02 <cmurphy> https://review.openstack.org/615190 16:14:05 <kmalloc> https://review.openstack.org/#/c/605043/ 16:14:21 <cmurphy> https://review.openstack.org/615847 16:14:36 <cmurphy> poor ldappool gets no love 16:14:38 <kmalloc> cmurphy: +2/A on ldappool 16:14:48 <kmalloc> done 16:14:58 <kmalloc> the keystoneauth rate-limit patch needs eyes 16:15:14 <kmalloc> it has a functional cross-over test with SDK, we should eventually have a first-party in-tree test too 16:15:23 <kmalloc> but i'm ok with it as long as we have eyes on the code 16:15:26 <cmurphy> also it's not ready yet but i wouldn't mind feedback on https://review.openstack.org/615384 16:15:48 <lbragstad> cmurphy ah - i was going to start looking at that earlier today, but saw it was still WIP 16:15:58 <lbragstad> kmalloc ack - i can take a look today 16:16:37 <wxy|> cmurphy: the guide is awesome, I'm waiting for the TODO part. :) 16:16:55 <cmurphy> :) 16:17:03 <cmurphy> need to find some extra time to get back to it 16:17:15 <kmalloc> it's amazing how there always seems to be no time 16:17:23 <lbragstad> fact 16:17:39 <lbragstad> any other reviews people want to draw attention to? 16:18:36 <lbragstad> #link https://review.openstack.org/#/c/614195/ will unblock some patches for us in keystone 16:18:52 <lbragstad> same iwth 16:18:54 <lbragstad> #link https://review.openstack.org/#/c/611443/ 16:19:46 <lbragstad> i also re-spun all the patches for implementing default roles late last week 16:19:54 <lbragstad> those should be passing and ready for some eyes 16:19:57 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles 16:20:16 <lbragstad> and some patches to cleanup the policy.v3cloudsample.json 16:20:21 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:clean-up-v3-cloud-sample 16:21:34 <lbragstad> alright - moving on 16:21:48 <lbragstad> #topic Renewable Application Credentials 16:21:50 <lbragstad> knikolla o/ 16:21:54 <knikolla> o/ 16:21:59 <knikolla> spec is up 16:22:01 <knikolla> #link https://review.openstack.org/#/c/604201/ 16:22:06 <kmalloc> hooray! 16:22:12 <knikolla> i have reworked it a bit from the discussion we had last week 16:22:16 * kmalloc quickly +2/+As it before anyone can -1 it :P 16:22:25 <knikolla> mainly i kept one list of roles instead of two 16:22:25 * kmalloc adds this to a list to review today 16:22:42 <kmalloc> knikolla: ok, i'm interested in how that ends up working. 16:22:52 <knikolla> and added `last_renewed` and `identity_provider` 16:22:56 <knikolla> to the app cred model 16:22:58 <kmalloc> hm. 16:23:20 <kmalloc> but how does it work with knowing if a role is conferred via the IDP vs concretely on creation? 16:23:24 <lbragstad> i missed that discussion last week, but i'll take a pass at the spec before i start firing off questions 16:23:25 <knikolla> the entire app cred deactivates when it's not renewed. 16:23:26 <kmalloc> so we know what roles might change. 16:23:50 <knikolla> to prevent users from indefinitely logging in even though their account in the idp has been disabled 16:24:00 <knikolla> (this one was influenced by our cloud admin) 16:24:01 <kmalloc> or do we not care and just look when the IDP conferred roles change to see if the app cred's roles are valid? 16:24:14 <kmalloc> so if a role changes and no longer available just invalidate? 16:24:18 <knikolla> on renew we expand the group membership and see if it has all the roles 16:24:23 <knikolla> if it doesn't. fail renew 16:24:28 <knikolla> yup 16:24:30 <kmalloc> ok. 16:24:51 <knikolla> on concrete roles, the current logic disables the app cred already if i'm not mistaked. 16:24:53 <kmalloc> and it is still possible to create an unexpired/non-renewable app cred based upon concrete roles? 16:24:56 <knikolla> when a concrete role is removed 16:25:07 <knikolla> yes, if not using a federated token 16:25:12 <lbragstad> iirc - that's handled with a callback 16:25:17 <knikolla> if federated token, enforce renewal 16:25:23 <kmalloc> and it looks like you are limiting an app cred to roles from a single IDP 16:25:27 <kmalloc> just from your description 16:25:36 <knikolla> because roles are in the token 16:25:40 <kmalloc> since the app-cred (not the roles) are linked to the IDP 16:25:40 <knikolla> through groups 16:25:51 * kmalloc is ok with this. 16:25:54 <knikolla> and user will present the token to get an app cred 16:26:02 <knikolla> can't really have a token with roles from multiple idps 16:26:12 <kmalloc> and the IDP still configures the refresh window/period then 16:26:22 <kmalloc> knikolla: true. 16:26:34 <kmalloc> we might need to revisit that with full IDP/autoprovision 16:26:40 <knikolla> yes, there is a default ttl for backwards compat with existing idps in the db, configurable 16:26:41 <kmalloc> but for now, this is a good starting place 16:26:51 <kmalloc> knikolla: perfect. 16:27:34 <knikolla> also the idp of the app cred changes if the user comes in through a different idp to renew but has same roles 16:27:39 <knikolla> and the ttl changes based on the last idp to renew 16:27:50 <kmalloc> hm. 16:28:21 <kmalloc> so, a new app cred is implicitly created if a renew is done via a different idp? 16:28:51 <kmalloc> or just idp updatE? 16:28:54 <knikolla> kmalloc: no, just the idp associated with it changes for calculating the expiration. 16:28:55 <kmalloc> because that sounds... broken 16:29:14 <kmalloc> i'll review the spec 16:29:16 <kmalloc> i want to think on that 16:29:35 <kmalloc> i am not sure i want to see app-creds change owning idp. $securityconcerns$ 16:29:50 <knikolla> ++, i don't feel strongly about it. 16:29:56 <knikolla> this was mostly for UX. 16:30:07 <knikolla> the roles are immutable either way. 16:30:13 <kmalloc> i might ask a lot more ux related questions on that front 16:30:18 <knikolla> can't add or remove after expiration. 16:30:24 <knikolla> creation* 16:30:28 <kmalloc> but i have security concerns, i'll comment on the spec 16:30:33 <knikolla> ok, cool. 16:30:35 <kmalloc> can be not-in-meeting :) 16:30:43 <knikolla> i'll be around office hours for all questions 16:30:48 * kmalloc nods. 16:30:59 <lbragstad> thanks knikolla 16:31:04 <lbragstad> anything else on this? 16:32:13 <knikolla> i think that's all i had, i'll be around in the office hours to discuss in more detail. 16:32:18 <knikolla> please review the spec 16:32:36 <lbragstad> sounds good 16:32:40 <lbragstad> #topic admin role deletion 16:32:42 <lbragstad> cmurphy again 16:32:45 <cmurphy> hi 16:33:08 <cmurphy> so a customer of ours had an outage where an inexperienced administrator accidentally deleted the admin role via horizon 16:33:22 <kmalloc> eek 16:33:29 <kmalloc> like... EEEEEK 16:33:29 <cmurphy> it's pretty destructive since usually service users use the admin role too 16:33:54 <knikolla> hmmm... do we want to take the next steps and make default roles immutable? 16:33:58 <kmalloc> knikolla: no. 16:34:05 <cmurphy> so my team mate was inquiring if this is something we can deal with upstream somehow 16:34:19 <knikolla> thought so 16:34:24 <kmalloc> i could see a "resource option" for immutable though 16:34:32 <lbragstad> cmurphy is there a particular solution your team is looking for? 16:34:40 <knikolla> like a "lock" 16:34:46 <kmalloc> but not inherently immutable 16:34:53 <kmalloc> as in, something that could be toggled. 16:34:54 <lbragstad> are they looking for a "confirm delete" workflow? 16:34:58 <cmurphy> lbragstad: no we're not advocating anything specific, just make it harder to footgun like this 16:35:27 <cmurphy> i suggested maybe just make a "are you sure?" thing in horizon but that doesn't help if you accidentally do this with the cli 16:35:36 <lbragstad> yeah... 16:35:37 <cmurphy> which is a likely scenario in bad scripts 16:36:17 <kmalloc> i think a resource option with an immutable flag (or locked, whatever UX is best) would be great... this is a lot mroe work though since horizon doesn't understand Resource Options 16:36:44 <kmalloc> also, *wince* soft delete(s) in general make recovery easier. 16:37:30 <lbragstad> hmm 16:37:40 <kmalloc> if we implement a resource option for roles, i'd like to see the "cannot be changed/deleted" added to other resources as well via the same mechanism 16:38:08 <lbragstad> to be consistent with other resources, we could implement enabled/disabled for roles and have the default behavior for deleting a role be to disable it first 16:38:22 <cmurphy> lbragstad: the problem with that is it's not backwards compatible 16:38:31 <kmalloc> cmurphy: ++ 16:38:34 <lbragstad> true 16:38:42 <kmalloc> we could add an opt-in "this is locked" 16:38:48 <kmalloc> we cannot change basic delete behavior 16:38:51 <kmalloc> (in v3) 16:38:59 <cmurphy> but adding it as a resource option might work, but it would only be useful if the default behavior of bootstrap is to set that flag 16:39:11 <kmalloc> cmurphy: i'm ok with making that the default behavior 16:39:18 <kmalloc> or at least bootstrap to add that as an option 16:39:25 <kmalloc> --make-created-roles-immutable 16:39:25 <knikolla> we can also add keystone doctor checks 16:39:37 <knikolla> your admin role is not locked, an admin might accidentally delete it 16:39:39 <kmalloc> for the transition period 16:39:47 <kmalloc> so 1) add Resource Option 16:40:00 <kmalloc> 2) opt-in via bootstrap (doctor check saying "OMG LCOK THIS") 16:40:08 <kmalloc> 3) default behavior in bootstrap to set flag 16:40:15 <kmalloc> with an opt-out flag. 16:40:16 <knikolla> ++ 16:40:27 <kmalloc> over... a release barrier between 2/3 16:40:35 <cmurphy> sounds good to me 16:40:44 <lbragstad> cool - does someone want to write this up? 16:40:47 <cmurphy> i'll bring this back to my teammate to see what they think 16:40:51 <cmurphy> i can write it up as a backlog spec 16:40:56 <kmalloc> cmurphy: ++ 16:40:56 <lbragstad> awesome 16:40:57 <cmurphy> probably won't have time to implement it this cycle 16:41:09 <lbragstad> how high of a priority is this for your team? 16:41:10 <kmalloc> we have some need to do resource opptions for projects this cycle 16:41:21 <kmalloc> so it would be not a lot of work to add that construct to roles 16:41:25 <kmalloc> at the same time. 16:41:36 <cmurphy> lbragstad: well the customer recovered from it and the admin is now educated so not very high priority any more :) 16:41:55 <lbragstad> ack 16:42:09 <kmalloc> i also would like to lean on this before we expose the root-domain, so we can limit update and auto-set the immutable flag otherwise 16:42:17 <cmurphy> ++ 16:42:19 <lbragstad> at least until the next customer hits it 16:42:24 <kmalloc> rather than needing to exempt it from delete/update/etc apis 16:42:37 <lbragstad> makes sense 16:43:06 <lbragstad> cool - so long as we get the approach written down, that'll be a good start 16:43:29 <knikolla> ++ 16:43:35 <kmalloc> and later today (once I get my new monitor) i can start hacking on code/specs again for things this cycle 16:43:43 <lbragstad> anything else here? 16:43:48 <kmalloc> i can lump in resource option additions for roles 16:43:57 <kmalloc> and we can add the immutable work as a followup 16:44:05 <knikolla> kmalloc: uuu new monitor, nice 16:44:20 * kmalloc is planning to expand resource options as a default for all resources 16:44:26 <kmalloc> even if it's unused. 16:44:34 <kmalloc> silly not to 16:44:59 <kmalloc> that way it's trivial to add this type of stuff when needed. 16:45:25 * kmalloc is done with this topic. 16:45:34 <lbragstad> #topic identity provider proxy diagram 16:45:42 <kmalloc> ok so this is VERY rough 16:45:43 <kmalloc> and early on 16:45:49 <kmalloc> https://usercontent.irccloud-cdn.com/file/Au4e3DXb/Keystone%20IDP%20(initial)%20Diagram.png 16:46:15 <kmalloc> this will get massively refined and have a DB schema diagram added as well as a UI site-map-y target diagram 16:46:20 <cmurphy> #link https://usercontent.irccloud-cdn.com/file/Au4e3DXb/Keystone%20IDP%20(initial)%20Diagram.png IdP diagram 16:46:33 <kmalloc> and this one will be split into a single diagram per-workflow 16:46:41 <kmalloc> it doesn't show autoprovisioning 16:46:53 <kmalloc> with that said, this is starting to show what the target of Keystone should be 16:47:05 <kmalloc> and takes an initial stab at data-flows. 16:47:49 <kmalloc> please forgive the fact i did this at like... 3am in the morning 16:47:59 <cmurphy> i like the icons 16:48:14 <kmalloc> once i iterate a bit more we'll land this in a common/official place 16:48:14 <cmurphy> suitcase == assignment 16:48:18 <kmalloc> cmurphy: :) 16:48:33 <kmalloc> draw.io is pretty badass with the icons it has 16:48:59 <kmalloc> and i'll render this as an .svg for our official space so we can iterate on it as things change within keystone 16:49:53 <kmalloc> any questions/concerns.... happiness? 16:50:08 <knikolla> seems fairly standard federation 16:50:24 <kmalloc> yeah. it's just trying to give us an explicit target to reference 16:50:25 <lbragstad> what's the difference between black highlight and white highlighting in the flows? 16:50:36 <kmalloc> lbragstad: just so you could see the different ones 16:50:39 <kmalloc> lbragstad: grouping 16:50:54 <kmalloc> i will split those into separate diagrams down the line 16:50:58 <lbragstad> ok 16:51:12 <kmalloc> so non-openstack SPs, OpenStack SPs, Keystone Crud as an SP, and JS-UI 16:51:30 <kmalloc> those will be data flow, and indicate autoprovision where needed. 16:51:57 <kmalloc> i hope this is helping folks see what is in my head (as early as it is) 16:52:07 <kmalloc> and each will be it's own diagram 16:52:42 <lbragstad> ok 16:52:58 <lbragstad> kmalloc how do you want feedback, just pings for now? 16:53:11 <knikolla> devil will be in the details 16:53:30 <kmalloc> lbragstad: yeah 16:53:50 <kmalloc> since this is a first pass, it's just a "hey, everyone happy with the start of this direction?" 16:54:19 <lbragstad> ok 16:54:19 <lbragstad> i'll pick through this a bit more 16:54:26 <lbragstad> thanks for putting this together kmalloc 16:54:29 <kmalloc> expect it is missing most of the stuff still 16:54:31 <kmalloc> :) 16:54:39 <lbragstad> anything else on this? 16:54:40 <kmalloc> it will get better with iterations 16:54:44 <kmalloc> nothing else. i'm done 16:54:49 <lbragstad> #topic open discussion 16:55:19 <lbragstad> there has been a trend for people to just hold meetings in their respective IRC channels 16:55:34 <lbragstad> how do people here feel about that? 16:55:39 <cmurphy> -1 16:56:04 <cmurphy> it's nice to have it in a shared channel because we tend to pull in people from other projects randomly 16:56:27 <lbragstad> true 16:56:48 <cmurphy> also we get enough traffic in the main channel that i think it's better to split out the meeting so that people asking questions dont' feel like they have to wait for the meeting to be over 16:57:34 <lbragstad> ok - that's fair 16:57:55 <lbragstad> anything else for open discussion? 16:58:09 <kmalloc> -1 16:58:18 <kmalloc> same reason supplied as cmurphy 16:59:15 <lbragstad> alright - with that, we're about out of time 16:59:34 <lbragstad> thanks for attending 16:59:46 <lbragstad> #endmeeting