15:01:36 <dmendiza[m]> #startmeeting keystone 15:01:36 <opendevmeet> Meeting started Tue Jan 25 15:01:36 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:36 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:36 <opendevmeet> The meeting name has been set to 'keystone' 15:01:56 <dmendiza[m]> #topic Roll Call 15:02:01 <dmendiza[m]> Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, ruan_he, wxy, sonuk, vishakha,Ajay, rafaelweingartner, xek 15:02:07 <knikolla> o/ 15:02:09 <d34dh0r53> o/ 15:02:48 <dmendiza[m]> As usual, the agenda etherpad is over here: https://etherpad.opendev.org/p/keystone-weekly-meeting 15:03:21 <dmendiza[m]> OK, let's get started 15:03:31 <dmendiza[m]> #topic Review Past Meeting Action Items 15:03:57 <xek> o/ 15:03:59 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-18-15.00.html 15:04:01 <dmendiza[m]> We didn't have any 15:04:03 <dmendiza[m]> #topic Liaison Updates 15:04:09 <dmendiza[m]> knikolla: any updates this week? 15:04:29 <knikolla> no updates, need to catch up 15:04:41 <dmendiza[m]> You need some help with that? 15:04:47 <dmendiza[m]> I need to catch up on Oslo stuff 15:04:51 <dmendiza[m]> for Barbican 15:05:08 <dmendiza[m]> I could definitely keep an eye out for Keystone stuff too 15:06:49 <knikolla> thanks! we used to have a rotating bug duty position which involved keeping up with mailing list, bugs, etc. we can bring that back. 15:07:32 <dmendiza[m]> Yeah, that sounds interesting. I'm sure d34dh0r53 would want to help out too 15:07:35 * dmendiza[m] nudges d34dh0r53 15:08:09 <knikolla> the etherpad is linked in the meeting agenda https://etherpad.opendev.org/p/keystone-l1-duty 15:08:16 <d34dh0r53> yeah, that sounds like something I can help with 15:09:57 <dmendiza[m]> Let's try to do that this week. 15:10:06 <dmendiza[m]> I'll take this week, and we can do a handoff next week 15:10:11 <dmendiza[m]> during this meeting 15:10:43 <dmendiza[m]> #info dmendiza[m] is on L1 duty this week 15:11:17 <dmendiza[m]> OK, moving on ... 15:11:37 <dmendiza[m]> #topic Specs 15:11:46 <dmendiza[m]> Let's start with OAuth 2.0 15:11:54 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-specs/+/813152 15:12:08 <dmendiza[m]> Looks like knikolla has a +2 review on it 15:12:26 <dmendiza[m]> maybe we can get gagehugo to take a look this week 15:12:37 <dmendiza[m]> it would be awesome to get that landed so h_asahina can start work on that 15:14:09 <dmendiza[m]> Moving on to S-RBAC 15:14:11 <dmendiza[m]> #link https://review.opendev.org/c/openstack/governance/+/815158 15:14:22 <dmendiza[m]> looks like the follow-up to the Yoga goals is still under review 15:14:28 <dmendiza[m]> I need to go review this myself 15:16:36 <dmendiza[m]> There's also two more specs that need review 15:16:41 <dmendiza[m]> related to S-RBAC 15:16:52 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-specs/+/818603 15:17:02 <dmendiza[m]> > Describe the need for a default manager role 15:17:05 <dmendiza[m]> and also 15:17:11 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-specs/+/818616 15:17:27 <dmendiza[m]> > Describe the need for a default service role 15:17:36 <dmendiza[m]> Both will be needed for S-RBAC 15:18:36 <dmendiza[m]> There's one more spec that is < 90 days old 15:18:41 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-specs/+/618144 15:19:46 <dmendiza[m]> > Reparent Projects 15:20:04 <dmendiza[m]> I have not looked into that last one at all. I'll try to catch up on specs this week 15:21:09 <dmendiza[m]> #topic Open Discussion 15:21:22 <dmendiza[m]> Any other topics before we move on to the Bug Review? 15:26:04 <dmendiza[m]> OK, moving on ... 15:26:08 <dmendiza[m]> #topic Bug Review 15:26:21 <dmendiza[m]> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:28:03 <dmendiza[m]> Hmm... Not sure how far back we need to look 15:28:09 <dmendiza[m]> let's start with mid-december 15:28:13 <dmendiza[m]> since it's been a while 15:28:16 <dmendiza[m]> #link https://bugs.launchpad.net/keystone/+bug/1954425 15:28:33 <dmendiza[m]> > Administrator can't create trusts on behalf of users 15:32:33 <dmendiza[m]> Interesting case 15:32:44 <dmendiza[m]> I don't have any historical context to answer why admins are not allowed 15:34:49 <knikolla> I know there are limitations with system scoped tokens when the operation requires a project_id in the context, but this bug seems to mention that this wouldn't be the case since all required parameters are in the request. 15:35:17 <knikolla> I don't have a strong opinion whether to allow admins to create trusts for users, or not. 15:35:29 <dmendiza[m]> Yeah, I was going to say, in the context of S-RBAC, a project-admin would be a persona that is used by an operator 15:35:41 <dmendiza[m]> so it would make sense for an operator to allow the creation of trusts 15:35:51 <dmendiza[m]> *to allow an operator to create them 15:36:13 <dmendiza[m]> and maybe it also makes sense for a project-manager to be able to create trusts for users in their project? 15:39:33 <dmendiza[m]> I'll take this bug 15:39:50 <dmendiza[m]> Next 15:39:51 <dmendiza[m]> #link https://bugs.launchpad.net/keystone/+bug/1954665 15:39:52 <knikolla> i'm a bit hesitant, just because a trust delegates permissions from a user to another user, and my spider sense is tingling when you're delegating someone else's permissions, even if you're an admin. 15:40:48 <dmendiza[m]> perhaps a better option would be to move the hard-coded deny to a policy 15:41:04 <dmendiza[m]> then someone who wants to do it can create a custom policy for that trust endpoint 15:42:23 <knikolla> I delegate to people with more of a security background than I have on this. 15:42:44 <knikolla> You can accomplish a lot of what they're trying to do by using other mechanisms already. 15:43:01 <knikolla> Groups, new users, application credentials, etc. 15:44:26 <knikolla> I think this also the only mechanism that we have that allows impersonation, with the token actually getting the user_id of the trustor. 15:45:48 <dmendiza[m]> Hmmm... good points 15:46:02 <dmendiza[m]> Maybe we can talk about it some more for the Friday reviewathon 15:47:01 <knikolla> sounds good 15:47:51 <dmendiza[m]> OK, moving on to 15:47:52 <dmendiza[m]> > default opt out from non-existing event (authenticate.failed) 15:48:03 <dmendiza[m]> (linked above) 15:48:18 <dmendiza[m]> Seems pretty straightforward 15:48:28 <dmendiza[m]> looks like there may be a mismatch in queue names 15:51:11 <knikolla> even though there was a typo, we're still changing default behavior 15:51:54 <knikolla> At the very minimum it requires a release note 15:52:37 <knikolla> On the other hand of the spectrum we can update the config text to mention that only authentication failures are sent. 16:00:18 <dmendiza[m]> I think the issue is that we're using the string as defined in pycadf 16:00:35 <dmendiza[m]> #link https://opendev.org/openstack/keystone/src/branch/master/keystone/notifications.py#L587-L589 16:00:51 <dmendiza[m]> which is defined as "failure" 16:00:54 <dmendiza[m]> #link https://opendev.org/openstack/pycadf/src/branch/master/pycadf/cadftaxonomy.py#L76 16:01:04 <dmendiza[m]> so we will never emit an event called "failed" 16:01:56 <dmendiza[m]> In any case, we're out of time for the week 16:01:59 <dmendiza[m]> we can pick this again next week 16:02:06 <dmendiza[m]> thanks for joining, y'all! 16:02:14 <dmendiza[m]> #endmeeting