15:02:02 #startmeeting keystone 15:02:02 Meeting started Wed Jan 15 15:02:02 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:02:02 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:02:02 The meeting name has been set to 'keystone' 15:02:21 o/ 15:02:27 o/ 15:02:43 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:02:46 #link https://openinfra.dev/legal/code-of-conduct 15:02:50 #topic roll call 15:02:58 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe 15:03:05 and a special ding for dmendiza 15:03:15 :) 15:03:25 🙋‍♂️ 15:03:30 o/ 15:03:32 lol 15:04:16 o/ 15:04:22 #topic review past meeting work items 15:05:03 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-01-08-15.01.html 15:05:10 had to update the link 15:05:18 no action items from the last meeting 15:05:23 #topic liaison updates 15:05:30 nothing from releases or vmt 15:07:52 #topic specification OAuth 2.0 (hiromu) 15:08:03 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:08:06 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:08:08 External OAuth 2.0 Specification 15:08:12 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:08:15 OAuth 2.0 Implementation 15:08:19 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:08:24 OAuth 2.0 Documentation 15:08:26 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:08:29 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:08:33 no updates 15:10:00 #topic specification Secure RBAC (dmendiza[m]) 15:10:07 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10:08 2024.1 Release Timeline 15:10:08 Update oslo.policy in keystone to enforce_new_defaults=True 15:10:14 Update oslo.policy in keystone to enforce_scope=True 15:10:20 dmendiza: any SRBAC updates? 15:11:18 Negative... 15:11:27 I shoudl get back to that some time soon hopefully 15:11:55 cool, thanks dmendiza 15:11:59 #topic specification OpenAPI support (gtema) 15:12:02 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:12:19 thanks Dave for reviewing some changes 15:12:29 generally - there are things to review and land 15:12:35 further work is in progress 15:12:56 I'll get to reviewing those soon 15:13:03 btw, I started work on building openapi for barbican, which is not trivial ;-) 15:13:33 woot 15:13:41 Oh, yeah, Barbican API is kinda ugly in some parts 15:14:16 not only that, I mean introspecting the code is not really possible without hardcoding routing table due to the extensive use of dynamic routing 15:14:31 because of that I can only natively find only half of the routes 15:15:04 I got request from somebody in the community to add this 15:15:29 so anyway, will look further in next days, but keystone jsonschemas are in progress but need reviews ;-) 15:15:33 nothing else on that 15:16:22 thanks gtema 15:16:25 #topic specification domain manager (mhen) 15:16:29 still unmerged are: 15:16:32 documentation: https://review.opendev.org/c/openstack/keystone/+/928135 15:16:34 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 15:16:42 dmendiza: mind taking a look at those? 15:17:10 Yeah... I need to get back to reviewing things 😅 15:18:06 No worries, it's been a busy few months 15:18:29 yeah, Christmas, New Year and such sort of things ;-) 15:19:02 #topic specification Include bad password details in audit messages (stanislav-z) 15:19:05 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 15:19:08 #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 15:19:10 15-Jan update: there are some open conversations in the spec - would appreciate the feedback and general reviews 15:19:55 yes, turned out I had my responses in the keystone-spec submitted weeks ago, but not published 😞. but I did it today 15:20:23 ok, will have a look this week (if nothing explodes) 15:21:13 thanks gtema 15:21:19 #topic open discussion 15:21:23 nothing from me 15:21:28 I have few things 15:21:58 I mentioned last friday I joined SysEleven and there is interesting usage of OpenFGA for managing authorization externally 15:22:19 so I created role-assignment plugin for communicating with openfga 15:22:58 but noticed that if we want to delegate role assignments to the external system which itself is capable dealing with role inference and inheritance there is no way to do this in driver 15:23:28 basically keystone role-assignment provider is enforcing lots of things which can be done in the external system (openfga/aws cedar/opa/etc) 15:23:46 O 15:23:48 O 15:23:51 I think it would make sense to have possibility to externalize this more natively 15:23:55 I've got something too 15:24:37 i.e. there is a call to list_role_assignments which gets bazilion of params and is being invoked few times 15:25:18 which this is not necessary if external system can deal with that and it doesn't differentiate between "effective" roles and direct what might be necessary 15:25:58 so: are you guys ok reworking role-assignment provider slightly to allow to put all logic to the external system if such system support that? 15:26:53 basically for now it means splitting some methods to allow more granular overloading and having possibility to disable auth caching to allow roles being read dynamically from external system 15:27:43 I'm for it +1 15:28:12 cool, thks. This is more or less for now to allow external system to make decision which roles are assigned to the user 15:29:04 and a second question: here they do not use domains at all and (together with keycloak and openfga) manage user/projects directly under the default domain 15:29:56 I am struggling at the moment to find enough arguments against that (to start using domains for better segregation). Do you know any reasons why this should be preferred in a public cloud? 15:30:31 statement "it is not scalable" is not sufficient, I need something with more weight 15:31:26 The main use of Domains is to group Projects together. In a public cloud you could map a client's account to be their domain. That way a single account could own many projects while being insulated from other accounts. 15:32:05 right, but it is also possible to grant user(s) access to projects directly bypassing domains grouping 15:32:47 I think the main argument for Domains would be the Domain Manager persona whereby you could have an end user manage permissions for their domain as opposed to having to call the deployer every time. 15:32:50 I was thinking more into the performance of certain queries, quotas/limits or similar stuff 15:33:36 correct, domain manager is here a perfect fit, but if permissions are managed externally (because they want to unify authz for openstack/kubernetes/ceph/etc all the other things) 15:34:30 then domain manager becomes somehow unnecessary (or better to say not appliable). Anyway, I definitely ack that and it is one of the arguments, but I need a bit more 15:37:54 Yeah, I'm not sure about performance implications. 🤔 15:38:20 when domain_id is part of the index then it is definitely faster to find entry 15:38:38 but whether it is "noticable" I have no clue 15:39:24 and since all other services do not deal with domains, but only with projects it is hard to justify 15:41:19 anyway, if there are no known things - thanks 15:41:42 will still try to convince from the "upstream and all other CSPs" do it this way 15:42:38 On my end, I still need to file a LP bug for this, but we found a breaking bug in the LDAP backend 15:43:10 Bugfix patch is here, but it's currently failing the gate jobs: https://review.opendev.org/c/openstack/keystone/+/939172 15:45:16 I haven't looked yet, any idea what's failing? 15:45:49 looks mypy is now complaining in pep8 checks 15:46:16 I will have a look today/tomorrow whether there is a new gate blocker due to updated additional SW 15:46:31 thanks gtema 15:46:40 anything else for open discussion? 15:46:51 not from me 15:47:45 cool 15:47:46 #topic bug review 15:47:49 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:47:56 no new bugs in keystone 15:48:01 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:48:12 python-keystoneclient has no new bugs 15:48:15 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:48:22 nothing in keystoneauth either 15:48:25 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:48:30 keystonemiddleware is good 15:48:34 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:48:45 pycadf is also good 15:48:48 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:48:54 no new bugs in ldappool 15:49:00 #topic conclusion 15:49:03 Thanks everyone! 15:49:13 thks guys 15:49:16 #endmeeting