16:59:14 <knikolla> #startmeeting keystone
16:59:15 <openstack> Meeting started Tue Aug 18 16:59:14 2020 UTC and is due to finish in 60 minutes.  The chair is knikolla. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:16 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:18 <openstack> The meeting name has been set to 'keystone'
16:59:18 <knikolla> o/
17:00:04 <cmurphy> o/
17:00:20 <gagehugo> o/
17:00:25 <gagehugo> double booked meetings :(
17:00:47 <vishakha> o/
17:01:47 <knikolla> hope everyone is doing alright!
17:01:54 <knikolla> yeah, Tuesdays are meeting hell for me as well.
17:04:26 <knikolla> are there any items/topics that you'd like to discuss besides the review requests?
17:05:10 <vishakha> I wanted to confirm and mark this #link https://bugs.launchpad.net/keystone/+bug/1305566 bug as invalid, since we don't store tokens anymore
17:05:11 <openstack> Launchpad bug 1305566 in OpenStack Identity (keystone) "the token still can be used if the EC2 credential has been deleted" [Low,Confirmed]
17:05:59 <gagehugo> Is there any way we can change https://github.com/openstack/keystone/blob/106b28ad4c30948c293dc9200adb908893b24a35/keystone/common/fernet_utils.py#L69 to not emit on every single authentication?
17:06:44 <cmurphy> vishakha: i think that is still worth investigating, you can replace "deleted" with "revoked" and it would be a valid concern
17:07:37 <cmurphy> gagehugo: chmod 700 /etc/keystone/fernet-keys ?
17:07:48 <knikolla> why is it world readable?
17:07:59 <gagehugo> We have it all containerized
17:08:21 <gagehugo> the keys are mounted separately in a read-only filesystem
17:08:28 <vishakha> cmurphy: sure, should I register another bug for revocation ?
17:08:53 <vishakha> or is it fine to explain investigation in the comment section for revocation?
17:09:50 <cmurphy> vishakha: no, it's not a different bug so it doesn't need a new bug report, in either case it's still about the validity of the token
17:10:07 <vishakha> cmurphy: okay, thanks
17:10:36 <cmurphy> gagehugo: you could still have the mode set correctly though?
17:13:38 <gagehugo> maybe, is there a reference for when the actual key dir is mounted separately in k8s as opposed to just a VM?
17:13:47 <gagehugo> volume-mounted*
17:14:44 <gagehugo> part of the issue is we have it all setup as readOnlyRootFilesystem and a specific "keystone" user that runs the service in the container
17:15:06 <knikolla> is this through openstack-helm?
17:16:33 <gagehugo> yup
17:16:48 <gagehugo> It's not really an "issue" just more of an annoyance
17:17:17 <cmurphy> hmm i guess there's not really a native way to set the mode in the volume mount in k8s but there are examples of running an init container that runs chmod on it
17:17:47 <gagehugo> might have to chown it too
17:18:09 <gagehugo> and hope it doesn't break the rotation job lol
17:18:11 <knikolla> given symmetric encryption, that does seem like the appropriate log level.
17:18:20 <knikolla> maybe not every authentication though.
17:18:29 <knikolla> might be a startup or keystone doctor thing.
17:18:30 <cmurphy> regardless i'm not sure it's reasonable to change that log message because i think it has to dynamically load keys on every auth so it has to validate the repo every time
17:18:33 <gagehugo> It's totally a valid security concern
17:18:59 <gagehugo> but imo more on a VM deployment than something that is containerized
17:19:43 <gagehugo> lemme look into going the utility/init container route
17:19:53 <gagehugo> I was just curious
17:20:15 <knikolla> gagehugo: lemme know what you find
17:21:00 <gagehugo> hopefully I find more time to test things haha
17:22:36 <knikolla> i've been trying to play a bit more with k8s, so i might give it a go as well.
17:24:11 <bnemec> You could potentially make that a warning with a once filter.
17:27:11 <knikolla> #topic Review Requests
17:28:10 <vishakha> I got a few requests
17:28:14 <cmurphy> https://review.opendev.org/686305 and all its depends-on (some are in tempest)
17:28:30 <vishakha> #link https://review.opendev.org/#/c/737225/
17:28:45 <vishakha> #link https://review.opendev.org/#/c/745376/
17:29:05 <vishakha> #link https://review.opendev.org/#/c/731087/
17:29:18 <vishakha> #link https://review.opendev.org/#/c/746049/
17:29:31 <vishakha> #link https://review.opendev.org/#/c/745112/
17:30:41 <knikolla> Thanks. I'll be going through all of them after the meeting.
17:35:13 <knikolla> #topic Bugs
17:35:35 <knikolla> I haven't checked Launchpad in the past week or so.
17:35:47 <knikolla> Anything worth discussing?
17:40:01 <knikolla> #topic Open Floor
17:46:47 <knikolla> thanks all for coming! have a great rest of the week.
17:46:51 <knikolla> #endmeeting