16:59:14 #startmeeting keystone
16:59:15 Meeting started Tue Aug 18 16:59:14 2020 UTC and is due to finish in 60 minutes. The chair is knikolla. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:16 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:18 The meeting name has been set to 'keystone'
16:59:18 o/
17:00:04 o/
17:00:20 o/
17:00:25 double booked meetings :(
17:00:47 o/
17:01:47 hope everyone is doing alright!
17:01:54 yeah, Tuesdays are meeting hell for me as well.
17:04:26 are there any items/topics that you'd like to discuss besides the review requests?
17:05:10 I wanted to confirm and mark this #link https://bugs.launchpad.net/keystone/+bug/1305566 bug as invalid, since we don't store tokens anymore
17:05:11 Launchpad bug 1305566 in OpenStack Identity (keystone) "the token still can be used if the EC2 credential has been deleted" [Low,Confirmed]
17:05:59 Is there any way we can change https://github.com/openstack/keystone/blob/106b28ad4c30948c293dc9200adb908893b24a35/keystone/common/fernet_utils.py#L69 to not emit on every single authentication?
17:06:44 vishakha: i think that is still worth investigating, you can replace "deleted" with "revoked" and it would be a valid concern
17:07:37 gagehugo: chmod 700 /etc/keystone/fernet-keys ?
17:07:48 why is it world readable?
17:07:59 We have it all containerized
17:08:21 the keys are mounted separately in a read-only filesystem
17:08:28 cmurphy: sure, should I register another bug for revocation?
17:08:53 or is it fine to explain the investigation in the comment section for revocation?
17:09:50 vishakha: no, it's not a different bug so it doesn't need a new bug report, in either case it's still about the validity of the token
17:10:07 cmurphy: okay, thanks
17:10:36 gagehugo: you could still have the mode set correctly though?
17:13:38 maybe, is there a reference for when the actual key dir is mounted separately in k8s as opposed to just a VM?
17:13:47 volume-mounted*
17:14:44 part of the issue is we have it all set up as readOnlyRootFilesystem and a specific "keystone" user that runs the service in the container
17:15:06 is this through openstack-helm?
17:16:33 yup
17:16:48 It's not really an "issue", just more of an annoyance
17:17:17 hmm i guess there's not really a native way to set the mode in the volume mount in k8s but there are examples of running an init container that runs chmod on it
17:17:47 might have to chown it too
17:18:09 and hope it doesn't break the rotation job lol
17:18:11 given symmetric encryption, that does seem like the appropriate log level.
17:18:20 maybe not every authentication though.
17:18:29 might be a startup or keystone doctor thing.
17:18:30 regardless i'm not sure it's reasonable to change that log message because i think it has to dynamically load keys on every auth so it has to validate the repo every time
17:18:33 It's totally a valid security concern
17:18:59 but imo more on a VM deployment than something that is containerized
17:19:43 lemme look into going the utility/init container route
17:19:53 I was just curious
17:20:15 gagehugo: lemme know what you find
17:21:00 hopefully I find more time to test things haha
17:22:36 i've been trying to play a bit more with k8s, so i might give it a go as well.
17:24:11 You could potentially make that a warning with a once filter.
17:27:11 #topic Review Requests
17:28:10 I got a few requests
17:28:14 https://review.opendev.org/686305 and all its depends-on (some are in tempest)
17:28:30 #link https://review.opendev.org/#/c/737225/
17:28:45 #link https://review.opendev.org/#/c/745376/
17:29:05 #link https://review.opendev.org/#/c/731087/
17:29:18 #link https://review.opendev.org/#/c/746049/
17:29:31 #link https://review.opendev.org/#/c/745112/
17:30:41 Thanks. I'll be going through all of them after the meeting.
17:35:13 #topic Bugs
17:35:35 I haven't checked Launchpad in the past week or so.
17:35:47 Anything worth discussing?
17:40:01 #topic Open Floor
17:46:47 thanks all for coming! have a great rest of the week.
17:46:51 #endmeeting