15:02:26 #startmeeting keystone
15:02:26 Meeting started Wed Nov 13 15:02:26 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:26 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:26 The meeting name has been set to 'keystone'
15:02:38 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:03:11 #link https://openinfra.dev/legal/code-of-conduct
15:03:19 #topic roll call
15:03:33 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:04:05 o/
15:04:15 o/
15:04:17 o/
15:06:26 #topic review past meeting work items
15:06:40 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-30-15.05.html
15:06:51 no action items from our last meeting
15:07:07 #topic liaison updates
15:07:13 nothing from VMT or releases
15:09:03 #topic specification OAuth 2.0 (hiromu)
15:09:18 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:09:23 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:09:29 External OAuth 2.0 Specification
15:09:34 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:09:39 OAuth 2.0 Implementation
15:09:44 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:09:49 OAuth 2.0 Documentation
15:09:54 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:09:57 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:10:13 no updates from me unfortunately, stuck in federation land
15:10:16 next up
15:10:20 #topic specification Secure RBAC (dmendiza[m])
15:10:23 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:10:27 2024.1 Release Timeline
15:10:33 Update oslo.policy in keystone to enforce_new_defaults=True
15:10:34 Update oslo.policy in keystone to enforce_scope=True
15:10:53 not sure if dmendiza is around or not
15:12:05 guess not, next up
15:12:07 #topic specification OpenAPI support (gtema)
15:12:12 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:12:17 https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work
15:12:48 not so many changes from my pov except that statement above
15:12:59 reviewing changes
15:13:14 * reviewing changes students produce
15:13:21 ack, I'll look over your changes in that one
15:14:19 thanks gtema (Artem Goncharov)
15:14:20 next up
15:14:24 #topic specification domain manager (mhen)
15:14:30 still unmerged are:
15:14:34 documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:14:38 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
15:14:53 Artem Goncharov proposed openstack/keystone master: Add new keystone.wsgi module https://review.opendev.org/c/openstack/keystone/+/932060
15:15:44 cores, please look at the domain manager things, dmendiza
15:16:01 Grzegorz Grasza: ^^
15:16:10 next up
15:16:15 #topic specification Type annotations (stephenfin)
15:16:20 #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing
15:16:24 This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land.
15:16:29 #link https://review.opendev.org/c/openstack/keystone/+/931959 - ruffing the keystone misses +W
15:16:38 Dave Wilde (d34dh0r53): you missed approving a few changes
15:16:51 I mean from the keystoneauth series
15:17:04 therefore 4 changes are still open
15:17:20 and the release patch was proposed last week, which I "-1"-ed
15:17:37 oh snap, my bad, I'll get to those today
15:17:45 great
15:18:12 and ruff for keystone - you +2ed, but another one with +W is still missing
15:18:50 and that one is with huge merge-conflicts potential
15:19:06 so we need to get it quickly
15:19:44 I'm the only reviewer on the ruff patch, I'd like another core to take a look if possible, dmendiza or Grzegorz Grasza
15:19:59 #link https://review.opendev.org/c/openstack/keystone/+/931959
15:21:16 Artem Goncharov proposed openstack/keystone master: Enable projects pagination https://review.opendev.org/c/openstack/keystone/+/933598
15:21:45 next up
15:21:52 #topic specification Include bad password details in audit messages (stanislav-z)
15:21:54 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:21:59 #link https://review.opendev.org/c/openstack/keystone/+/932423
15:22:02 30-Oct update: significant spec update including feedback during PTG. WIP implementation tests are WIP.
15:22:05 06-Nov update: some implementation tests are added, more tests TBD (WIP). Spec is looking for reviews.
15:22:09 13-Nov update: spec needs reviews, implementation now includes tests.
15:22:28 Yeap, the spec is ready and is looking for reviews. The implementation is linked too - it's ready in accordance with what's currently written in the spec.
15:23:39 Stanislav Zaprudskiy: have you talked internally about the sha512_crypt?
15:24:09 or was it sha256 we talked about during PTG?
15:25:55 it was sha256 during the PTG. but I decided to go with scrypt + PBKDF2 - as these are very tunable (with option to control the parameters via conf) - it's mentioned in the spec
15:26:26 and also I went on with hashlib - it turned out to be faster than cryptography
15:26:58 (I also referenced benchmark results in the spec)
15:27:51 ok
15:30:13 thank you Stanislav Zaprudskiy
15:30:32 ah, we talked about sha256_hmac
15:30:46 I can't find any records of what we have discussed
15:32:19 it's doing pbkdf2_hmac(sha512) + scrypt on top by default
15:33:50 as I mentioned during PTG I am still "uncomfortable" with partial hash
15:35:41 why so? it's a hash of an invalid password. it's partial. it's hashed with functions used to hash passwords in DB. I had another review of the spec by our security expert, and from his perspective just sha-256 would have been enough as long as it's partial (5 chars or so)
15:37:13 I explained this in quite some detail during the PTG. Of course it is "safe" if you just expose part of info, but other tools like vault simply output hmac-sha256 and do not care about any slicing, which avoids any possible collision by definition
15:38:46 the config allows not slicing the hash, but returning it in full
15:39:23 anyway - let's move discussion back to the spec
15:39:38 good, thanks
15:40:57 cool
15:41:14 please review the spec
15:41:28 next up
15:41:33 #topic open discussion
15:41:36 pagination (gtema)
15:41:38 #link https://review.opendev.org/q/topic:%22pagination%22+project:openstack/keystone
15:41:40 it is a bit more complex than I thought since all DB queries need to be executed with pagination while some internal calls right now expect to get ALL entries (i.e. list_domains/list_projects)
15:42:11 this appears to be quite a beast. But my push some minutes ago hopefully addresses all corner cases
15:42:52 biggest issue is that pagination in DB must be applied unconditionally. I mean there is no way to re-apply pagination after fetching results
15:43:25 and some parts of the code assume that when they invoke internal methods (like list_domains) bypassing the API they will get all results
15:43:34 there are explicit tests on that
15:44:11 it is not trivial to deal with that but hopefully I have found a way
15:44:47 on the other hand - I have not much clue how to deal with pagination for the ldap
15:47:47 yeah, not sure about that either
15:48:20 the only solution to that I see is to forcibly fetch all data (respecting all other filters) and simulate pagination
15:48:45 so it will not save keystone<->ldap traffic, but user<->keystone
15:49:50 well - that is very close to what happens now since keystone will truncate entries at configured limit
15:51:06 yeah, that's what I was thinking, huge LDAP databases might present a performance problem though
15:51:45 I mean that it will not be more than what we have right now (I mean we still get all entries and truncate results)
15:52:09 but maybe the funnier question is how to paginate when some results come from DB while others from ldap?
15:52:33 I was not looking in detail over there yet, this is just speculative thought
15:52:53 I guess that's true
15:53:02 Need to move on for time
15:53:12 #topic bug review
15:53:17 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:53:19 no new bugs in keystone
15:53:28 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:53:31 nor python-keystoneclient
15:53:40 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:53:45 keystoneauth is good
15:53:49 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:53:59 nothing new in keystonemiddleware
15:54:06 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:54:11 pycadf is good
15:54:15 #link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=0
15:54:21 so is ldappool
15:54:25 #topic conclusion
15:54:37 Thanks everyone! Nothing else from me today
15:54:41 #endmeeting