15:03:35 <d34dh0r53> #startmeeting keystone
15:03:35 <opendevmeet> Meeting started Wed Jan 22 15:03:35 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:35 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:35 <opendevmeet> The meeting name has been set to 'keystone'
15:03:43 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:03:51 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:04:02 <d34dh0r53> #topic roll call
15:04:10 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:04:17 <xek> o/
15:04:18 <d34dh0r53> and a special ding for dmendiza
15:04:21 <gtema> o/
15:04:23 <d34dh0r53> o/
15:04:41 <dmendiza[m]> 🙋‍♂️
15:04:59 <dmendiza[m]> I appreciate the special treatment 🥰
15:06:43 <d34dh0r53> :)
15:06:46 <d34dh0r53> #topic liaison updates
15:06:52 <d34dh0r53> nothing from VMT or releases
15:07:08 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:07:17 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:18 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:19 <d34dh0r53> External OAuth 2.0 Specification
15:07:19 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:24 <d34dh0r53> OAuth 2.0 Implementation
15:07:26 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:07:28 <d34dh0r53> OAuth 2.0 Documentation
15:07:34 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07:38 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:07:43 <d34dh0r53> no updates from me on this
15:07:50 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:07:52 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:07:55 <d34dh0r53> 2024.1 Release Timeline
15:07:58 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:08:01 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:08:27 <dmendiza[m]> I have to review the Domain Manager patches still 😅
15:08:33 <dmendiza[m]> Not much in the way of updates this week.
15:09:18 <d34dh0r53> Ack, thanks dmendiza
15:09:22 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:09:24 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:09:54 <gtema> over the weekend I found one of the merged changes introduced a bug. The fix is https://review.opendev.org/c/openstack/keystone/+/939583
15:10:08 <gtema> schema was too permissive to capture the issue
15:10:35 <gtema> would appreciate a quick approval since it weirdly now blocks codegenerator due to that broken schema
15:10:55 <xek> +2
15:10:56 * gtema wonders why codegenerator test didn't catch this
15:11:45 <d34dh0r53> approved
15:11:52 <gtema> thks a lot
15:12:02 <d34dh0r53> np
15:12:21 <d34dh0r53> anything else regarding OpenAPI support?
15:12:58 <gtema> not this week
15:13:00 <gtema> thanks
15:13:44 <d34dh0r53> 👍️
15:13:51 <d34dh0r53> #topic specification domain manager (mhen)
15:13:53 <d34dh0r53> still unmerged are:
15:13:55 <d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:13:58 <d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
15:14:31 <dmendiza[m]> I need to look through these
15:14:34 <mharley[m]> o/
15:15:11 <d34dh0r53> hi mharley! Welcome
15:15:19 <d34dh0r53> thanks dmendiza
15:15:23 <d34dh0r53> next up
15:15:26 <mharley[m]> Thanks, Dave Wilde (d34dh0r53) !
15:15:27 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:15:31 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:15:33 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22
15:15:34 <d34dh0r53> 21-Jan update: review feedback incorporated, looking for reviews
15:16:19 <gtema> I already had a look and I indeed like naming the config option "report_invalid_password_hash"
15:16:33 <d34dh0r53> yeah, that's much better
15:17:03 <gtema> now it was renamed from invalid_password_hash_include to log_invalid_password_hash. But I think report_invalid_password_hash is more universal
15:17:24 <stanislav-z> I'll update it now :) thanks
15:17:35 <gtema> thanks Stanislav Zaprudskiy
15:17:44 <d34dh0r53> thank you Stanislav Zaprudskiy !
15:17:52 <d34dh0r53> #topic open discussion
15:18:03 <gtema> I am first :)
15:18:09 <gtema> https://github.com/gtema/oslo.policy.opa
15:18:41 <gtema> I was able to create a plugin for oslo.policy and even auto-generate oslo_policies into the OpenPolicyAgent language
15:18:49 <d34dh0r53> wow
15:19:20 <dmendiza[m]> Nice
15:19:24 <gtema> in the meanwhile even found an ancient blogpost https://jaosorior.dev/2018/rewriting-openstack-policy-files-in-open-policy-agent-rego-language/ that speculated about this idea back in 2018
15:20:09 <gtema> and while my converter was working I thought some of the policies in keystone are not really working like a human would understand them due to the priority of AND and OR that oslo_policy applies
15:20:27 <gtema> those are especially tricky in the role assignments (wrt domain manager)
15:20:39 <gtema> can't say with confidence, just have a feeling those might be wrong
15:21:30 <gtema> I was able to auto-convert keystone and barbican policies, would try others later
15:21:43 <gtema> I LOVE the possibility to test policies very explicitly
15:21:54 <gtema> this is something I miss in oslo_policy
15:22:38 <gtema> that's it so far from me on that
15:22:49 <dmendiza[m]> Oh hey that's Ozz's blog.  I know that guy.
15:24:00 <gtema> with that it is possible to have very precise fine-grained policies in Keystone without role explosion
15:25:02 <mharley[m]> gtema: when you say "test policies", are you referring to something like this (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html)?
15:25:17 <mharley[m]> Just to establish a parallel with your sentence. :-)
15:25:48 <gtema> mharley: I refer to https://github.com/gtema/oslo.policy.opa?tab=readme-ov-file#policy-testing and https://www.openpolicyagent.org/docs/latest/policy-testing/
15:26:09 <gtema> but yeah, it is something similar
15:26:32 <gtema> basically you can write unit tests that will evaluate the authorization decision based on inputs
15:26:43 <mharley[m]> Got it.  Something more "roots". :-)
15:27:33 <gtema> in OpenPolicyAgent you also have a decision log which helps you to track down how OPA resolved the request
15:30:56 <cardoe> Since it's quiet I'll ask what I asked after the meeting last week..  I'm really just wanting to provide documentation updates for usage. I've tried to dip my toe in the water with https://review.opendev.org/c/openstack/keystone/+/929315 but just unsure what I need to do to keep advancing things.
15:31:37 <cardoe> I just want to have the docs correct for existing installations. Today the docs talk about Ubuntu 16.04 in many places and the packages involved have changed. Their configuration has changed as well.
15:31:54 <gtema> +W-ed
15:32:07 <d34dh0r53> thanks gtema
15:32:22 <d34dh0r53> and thank you cardoe for this, those docs were indeed lacking
15:32:36 <gtema> cardoe: this OpenPolicyAgent work that I described is very helpful in the OIDC improvements since it allows us to properly decouple auth from authz
15:32:49 <gtema> I am generally still on the topic, so haven't forgotten
15:33:45 <cardoe> 100% agree gtema. I was actually looking at what you did and this nails what I'm going to want to explore in the future in a wayyyy better way.
15:33:58 <gtema> thks :)
15:34:29 <d34dh0r53> awesome, anything else for open discussion before we move on?
15:34:34 <stanislav-z> I have one, too.
15:34:34 <stanislav-z> https://bugs.launchpad.net/keystone/+bug/1914260 - I wanted to start working on this one. Especially for cases when resources are *deleted* (e.g. project, or user, etc), only their ID and typeURI are reported in audit events (under `target`) - which makes it difficult to handle cases e.g. when a real user comes and wants to know who deleted their resource, but all they have is the resource's name/project/domain - which is at
15:34:34 <stanislav-z> that point not possible to translate to ID (or vice-versa) as the corresponding resource was already gone. I thought of extending the `delete` events with some additional details. Does anybody have suggestions, or objections against it?
15:36:28 <gtema> Stanislav Zaprudskiy: I think we also lack generally a doc on how all this is intended to be captured/processed. I want to start looking into audit area for my employer as well and so far miss some basics
15:36:58 <gtema> since you work on that maybe you can also propose some doc improvements so that we all are on the same page
15:39:14 <stanislav-z> I could potentially share how it's being used in our set-up, which might be a starting point for the doc
15:39:48 <gtema> yeah, that will help understanding where the requirements for improvements are coming from
15:40:49 <stanislav-z> jfr, there is another service on top - https://github.com/sapcc/hermes. and some more things, too :) I'll try to come up with something, and will have a look at where a good place for the doc would be
15:41:24 <gtema> cool
15:41:44 <gtema> "It is named after the Futurama character, not the Greek god." - lol
15:42:21 <d34dh0r53> Thank you Stanislav Zaprudskiy !
15:42:39 <d34dh0r53> #topic bug review
15:42:41 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:42:46 <d34dh0r53> no new bugs for keystone
15:42:54 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:43:01 <d34dh0r53> nor python-keystoneclient
15:43:05 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:43:12 <d34dh0r53> no new bugs in keystoneauth
15:43:17 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:43:24 <d34dh0r53> nothing new in keystonemiddleware
15:43:28 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:43:34 <d34dh0r53> pycadf is good
15:43:37 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:43:40 <d34dh0r53> so is ldappool
15:43:45 <d34dh0r53> #topic conclusion
15:44:05 <d34dh0r53> I won't be able to make the reviewathon this week, but other than that I've got nothing
15:44:11 <d34dh0r53> please reach out if you need anything
15:44:50 <gtema> thks guys, need to run
15:47:50 <d34dh0r53> Thanks folks!
15:47:51 <d34dh0r53> #endmeeting