15:03:15 <dmendiza[m]> #startmeeting keystone 15:03:15 <opendevmeet> Meeting started Tue Jun 21 15:03:15 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:03:15 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:03:15 <opendevmeet> The meeting name has been set to 'keystone' 15:03:52 <dmendiza[m]> #topic Roll Call 15:05:22 <knikolla> o/ 15:05:53 <dmendiza[m]> Hi knikolla ! 15:06:13 <h_asahina> o/ 15:08:48 <dmendiza[m]> OK, let's get started 15:08:55 <dmendiza[m]> #topic Review Past Meeting Action Items 15:08:57 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-06-14-15.04.html 15:09:14 <dmendiza[m]> > dmendiza[m] to try to run keystone from a fresh clone 15:09:17 <dmendiza[m]> I did not do this 15:09:24 * dmendiza[m] kicks can down the road 15:09:40 <dmendiza[m]> #action dmendiza[m] to try to run keystone from a fresh clone 15:15:48 <dmendiza[m]> #topic Liaison Update 15:15:57 <dmendiza[m]> I don't have any 😅 15:16:03 <dmendiza[m]> #topic OAuth 2.0 15:16:11 <dmendiza[m]> h_asahina: any updates for this week? 15:17:23 <h_asahina> it's not update, but I'd like to discuss the contents of Spec. 15:17:30 <dmendiza[m]> sure 15:17:34 <h_asahina> thanks. 15:18:21 <h_asahina> As I described in the spec, We're going to implement RFC8705 in Zed. 15:19:47 <h_asahina> As you may know, RFC8705 is a kind of extension of OAuth2.0 which binds the client certificates to the OAuth2.0 access tokens to verify the identity of clients. 15:20:25 <h_asahina> The problem is to use rfc8705, we need to store the client certificates to DB in some way. 15:21:30 <h_asahina> Since we used the application credentials table for OAuth2.0 client management in Yoga, we can't change the DB schema easily. 15:22:36 <h_asahina> So I suggested that to simply store a client certificate as a secret of the application credentials as a workaround. 15:23:04 <h_asahina> Do you think it's possible? 15:23:41 <h_asahina> or do you have any other good idea other than adding a new table for the OAuth2.0 client management 15:24:40 <dmendiza[m]> Hmmm.... why are you trying to avoid schema changes? 15:25:47 <h_asahina> because I thought changing the application credentials table for OAuth2.0 is not good idea. 15:26:10 <h_asahina> it will be unrelated changes for the application credentials 15:27:12 <dmendiza[m]> Right, but we could add a new table for OAuth2.0 15:27:39 <dmendiza[m]> I can think of a few ways to solve this: 15:27:49 <dmendiza[m]> * save certs in the database by creating a new table 15:28:15 <dmendiza[m]> * save certs locally in the file system (this is probably a bad idea if we run multiple api nodes) 15:28:20 <dmendiza[m]> * save certs in etcd 15:28:26 <dmendiza[m]> * save certs in barbican 15:29:16 <h_asahina> `save certs in barbican`. This might be better. 15:29:23 <knikolla> i don't think we should use application credentials for this in particular. 15:30:46 <knikolla> as this is a different type of credential from a client/secret or username/password. 15:31:27 <knikolla> so we need to change the API to allow to associate a user with a certificate 15:32:08 <h_asahina> I understand that we shouldn't use application credentials for this, but if we add a new table, we need to add new OAuth2.0 API to manage the client. 15:34:10 <h_asahina> We have to do that because we're using the applicaton credentials API for client management now. is that ok to add new APIs for this purpose? 15:34:54 <knikolla> it's less about the database, and more about the API. I'm okay with associating some PKI with a user and then using that to authenticate. 15:35:13 <knikolla> I don't want keystone to have APIs specific to client management, but credential management is okay I think. 15:36:09 <knikolla> And requiring Barbican for this seems fair. 15:36:41 <h_asahina> I agree about Barbican. 15:37:22 <h_asahina> okey. I wrote the scenario for adding a new table in Alternatives block of Spec. Cloud you check that later? 15:38:47 <knikolla> yes, thanks! 15:39:10 <h_asahina> thanks. but, sorry, one more question. 15:39:54 <knikolla> keystone does have an API for associating credentials with a user https://docs.openstack.org/api-ref/identity/v3/#credentials, but i'm not familiar with it and it perhaps might be something we can use here. 15:40:44 <h_asahina> thanks 15:41:06 <h_asahina> I think Keystone also has authentication using PKI: https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html 15:42:48 <h_asahina> do you think we use it for this purpose. I don't understand the details of it. 15:43:08 <h_asahina> /purpose./purpose?/ 15:44:10 <knikolla> Correct. I'm not very familiar with it, however my understanding is that it can only work for certificates issued by trusted authorities, rather than allowing a user to upload their own self-signed certificate 15:44:29 <knikolla> Depending on your use case, it may work. 15:46:12 <h_asahina> > only work for certificates by trusted authorities. If so, it might be not suitable. 15:47:06 <h_asahina> thanks. I felt the use case of tokenless_x509 is a little bit different, so I'd like to confirm. that's why I asked. 15:47:49 <h_asahina> I'll check the Credentials API and update the Spec if necessary. 15:48:02 <dmendiza[m]> Thanks, h_asahina 15:48:25 <dmendiza[m]> #topic Gate inherited assignments from parent (bbobrov) 15:48:31 <dmendiza[m]> bbobrov: around? 15:54:39 <dmendiza[m]> I guess not 15:54:49 <dmendiza[m]> and that's almost the end of the hour 15:55:00 <dmendiza[m]> Thanks for joining, y'all 15:55:03 <dmendiza[m]> #endmeeting