16:00:11 <cmurphy> #startmeeting keystone
16:00:12 <openstack> Meeting started Tue Dec  3 16:00:11 2019 UTC and is due to finish in 60 minutes.  The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:15 <openstack> The meeting name has been set to 'keystone'
16:00:21 <gagehugo> o/
16:00:23 <cmurphy> #link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda
16:00:33 <lbragstad> o/
16:00:33 <knikolla> o/
16:00:59 <bnemec> o/
16:02:29 <cmurphy> I didn't have to make up the agenda today \o/
16:02:35 <cmurphy> #topic review requests
16:02:42 <cmurphy> there are two already in the agenda
16:02:56 <cmurphy> #link https://review.opendev.org/#/c/687990/ Stop adding entry in local_user while updating ephemerals
16:03:12 <cmurphy> #link https://review.opendev.org/#/c/693838/
16:03:14 <cmurphy> Update OIDC documentation to handle bearer access token flow
16:03:19 <cmurphy> #undo
16:03:20 <openstack> Removing item from minutes: #link https://review.opendev.org/#/c/693838/
16:03:24 <cmurphy> #link https://review.opendev.org/#/c/693838/
16:03:33 <cmurphy> >.>
16:03:35 <cmurphy> #undo
16:03:36 <openstack> Removing item from minutes: #link https://review.opendev.org/#/c/693838/
16:03:43 <cmurphy> #link https://review.opendev.org/#/c/693838/
16:03:47 <cmurphy> i give up
16:04:29 * knikolla gives cmurphy a cup of coffee
16:04:37 <lbragstad> i was just going to say - it's early
16:04:39 <cmurphy> thanks :)
16:04:55 <cmurphy> this is already my second hour of meetings
16:05:05 <lbragstad> 0.o
16:05:35 <cmurphy> i'll check out the oidc doc change soon
16:05:58 <cmurphy> any comment on these changes? any other review requests?
16:09:23 <cmurphy> #topic OpenID Connect Authentication Plugin
16:09:30 <cmurphy> I don't think aloga is here
16:09:38 <cmurphy> I wonder if knikolla has context for this?
16:09:57 <knikolla> i had a conversation with them about a week ago
16:10:26 <knikolla> they weren't able to satisfy their use case with the current way that oidc works with apache
16:10:42 <knikolla> hence needing a custom plugin
16:11:15 <knikolla> i'll hunt for an irc log
16:12:07 <knikolla> #link http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-11-26.log.html#t2019-11-26T16:52:49
16:12:09 <vishakha> o/
16:12:17 <cmurphy> if the redirect behavior changed when flask was introduced that sounds like a regression that should be fixed, no argument there
16:13:28 <knikolla> agree on that.
16:16:27 <cmurphy> i can comment on the bug
16:16:39 <cmurphy> not sure there's anything else to discuss on this?
16:16:57 <aloga> howdy
16:17:05 <cmurphy> aloga: hi
16:17:10 <aloga> cmurphy: hello
16:17:17 <cmurphy> we were just discussing your topic
16:17:39 <aloga> sorry, I did not realise the time
16:17:44 <cmurphy> it sounded like a regression was introduced when we moved to flask, i have no objection to fixing the regression
16:18:09 <cmurphy> would be good to have more information, like versions where it worked and didn't work and steps to reproduce
16:18:25 <aloga> cmurphy: the point is that IIRC, it was possible to raise HTTP errors in the past, and those were rendered properly to the users
16:18:38 <aloga> so for instance a redirect would actually redirect the user
16:18:57 <aloga> cmurphy: hmm, I would need to check with my team, as I was not directly involved
16:19:40 <aloga> cmurphy: this is useful for instance for an OpenID Connect plugin for Keystone, as redirects are required
16:19:49 <cmurphy> aloga: was there some concern that we wouldn't want the bugfix?
16:19:51 <aloga> cmurphy: in order to complete the flow, etc.
16:20:18 <aloga> cmurphy: sorry? I do not understand
16:21:19 <cmurphy> aloga: i'm just wondering what we need to discuss about this, assuming that the bug is valid and reproducible then the answer seems straightforward
16:21:43 <knikolla> i asked them to add the topic on the agenda to get a better feel of if there was something else we could do to provide better oidc support
16:21:48 <aloga> cmurphy: I do not know, I was told to add this to the agenda
16:21:59 <knikolla> since deployments with that experience are hard to come by
16:22:14 <aloga> cmurphy: but I think this was because OpenID connect was mentioned
16:22:35 <aloga> I can try to make a rationale
16:23:03 <aloga> I am working in an environment (European Open Science Cloud) where several OpenStack sites are federated
16:23:31 <aloga> identity is based on OpenID, with a myriad of different IdPs
16:24:08 <aloga> the current (Apache + mod_oidc + Keystone) is difficult and cumbersome to manage because of several reasons
16:24:29 <aloga> OpenStack CLI is an OIDC client itself (i.e. it requires a client id and secret)
16:25:30 <aloga> the CLI uses OAuth2 rather than OIDC, therefore there might be different claims at the server, as the OAuth2 introspection and the OIDC userinfo endpoint return different information
16:26:01 <aloga> for operators, the configuration is done on Apache, and not on Keystone
16:26:39 <aloga> and, last but not least, the mod_oidc does not allow using several OAuth2 IdPs per server (it allows several OIDC though)
16:26:59 <aloga> therefore we leveraged the federated auth code in Keystone to build a native plugin (we have a prototype)
16:27:12 <aloga> but, in order to get it fully working, we need to redirect from Keystone
16:27:42 <knikolla> is there anything else that you need besides redirect functionality?
16:27:44 <aloga> (i.e. 302)
16:27:48 <aloga> knikolla: nope
16:28:22 <aloga> knikolla: actually the changes are minimal
16:28:46 <knikolla> cool
16:29:11 <cmurphy> aloga: does this tie into https://review.opendev.org/373983 ?
16:29:34 <aloga> cmurphy: yes, indeed
16:29:41 <aloga> cmurphy: that was the seed of all of this
16:29:50 <aloga> cmurphy: I guess that the spec is better explained
16:34:37 <cmurphy> okay, so at a minimum we can fix the flask bug and get your external auth plugin working
16:34:43 <aloga> I know that several of these things can be alleviated by implementing an IdP proxy, as some providers or national infrastructures do, but sometimes this is not an option
16:34:47 <aloga> cmurphy: that would be awesome
16:35:02 <cmurphy> we should also revisit this spec and maybe merge it to the backlog
16:35:27 <cmurphy> tbh i don't know why it didn't get any feedback since 2018
16:35:45 <aloga> cmurphy: tbh I could not follow it so closely as I would have liked to
16:37:54 <cmurphy> aloga: would you want to continue driving it now?
16:37:59 <aloga> cmurphy: yes
16:38:27 <cmurphy> okay, team please review https://review.opendev.org/373983 and provide feedback
16:39:41 <cmurphy> thanks aloga
16:39:43 <cmurphy> anything else on this?
16:39:55 <aloga> cmurphy, knikolla thanks
16:40:36 <cmurphy> #topic next up for bug duty
16:40:43 <cmurphy> #link https://etherpad.openstack.org/p/keystone-l1-duty
16:41:11 <cmurphy> looks like gagehugo is up for bug duty this week starting today, gagehugo still up for it?
16:41:17 <gagehugo> cmurphy: sure
16:41:32 <cmurphy> following the rotation i'll be up next unless anyone else wants to take it ;)
16:41:53 <knikolla> I was going to offer too.
16:42:13 <knikolla> But I can go the week after that.
16:42:28 <cmurphy> knikolla: by all means :)
16:43:32 <cmurphy> #topic office hours
16:43:49 <cmurphy> I think this is about our policy testing sync up after this meeting?
16:43:51 <cmurphy> lbragstad: ?
16:44:34 <lbragstad> I was curious if we're still planning on going through patrole stuff during office hours today?
16:45:22 <cmurphy> I think so but I wasn't driving it, do we have everyone we need for that meeting?
16:46:45 <cmurphy> gagehugo was going to bring someone in from AT&T i think? and ade was interested too?
16:47:27 <lbragstad> cmurphy yeah - ade is hanging out in our channel
16:49:54 <lbragstad> do we know if the patrole folks are still coming?
16:49:59 <gagehugo> I can message him, idk if he will be around in irc
16:51:06 <cmurphy> assuming we do have the meeting, do we want to do it over irc or jitsi?
16:52:01 <lbragstad> i'm good with either
16:53:35 <cmurphy> me too
16:54:01 <cmurphy> i guess we can decide after gagehugo gets in touch with the patrole person
16:54:06 <lbragstad> ++
16:54:27 <cmurphy> can follow up in #openstack-keystone in a few minutes
16:54:36 <cmurphy> #topic open discussion
16:54:47 <cmurphy> #info spec proposal freeze is next week
16:54:49 <gagehugo> I pinged him to see if he's free
16:55:32 <cmurphy> proposals for the alembic migration (vishakha) and federated attrs (knikolla) and renewable group membership (knikolla) are expected next week
16:55:48 <knikolla> right! roger!
16:56:03 <cmurphy> #link https://releases.openstack.org/ussuri/schedule.html
16:56:21 <cmurphy> :)
16:57:03 <cmurphy> 4 minutes left for any other discussion :)
16:58:32 <cmurphy> okay will close it now, see you in #openstack-keystone
16:58:43 <cmurphy> #endmeeting