17:01:30 #startmeeting keystone-office-hours
17:01:31 Meeting started Tue Jun 26 17:01:30 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:32 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:35 The meeting name has been set to 'keystone_office_hours'
17:01:48 if anyone has questions on the RBACEnforcer, i know it's super dense.
17:02:00 I can speak to it and a lot of the quirks in our policy code.
17:03:35 awesome
17:03:44 i'm going to grab lunch quick and i'll be right back
17:03:56 knikolla: and i were going to try and tag team a few bugs today
17:04:01 #link https://bugs.launchpad.net/keystone/+bug/1658641
17:04:01 Launchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)
17:04:10 #link https://bugs.launchpad.net/keystone/+bug/1757022
17:04:10 Launchpad bug 1757022 in OpenStack Identity (keystone) ""keystone-manage mapping_purge" ignores --type option" [Undecided,In progress] - Assigned to Dai Hanada (dai-hanada)
17:04:18 #link https://bugs.launchpad.net/keystone/+bug/1775207
17:04:18 Launchpad bug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] - Assigned to Pavlo Shchelokovskyy (pshchelo)
17:05:26 * knikolla going for lunch
17:05:29 lbragstad: i'm going to try and get the "move an API" patch up today.
17:05:45 so it's easier to see how the flask stuff actually shakes out.
17:05:48 o/
17:06:07 that'd help
17:23:17 lbragstad: yeah, so working on the scaffolding update patches now and then api move will be soon
18:01:24 lbragstad: hi, re bug 1775207, I noticed you've put an 'office-hours' tag on it - wdym and is my attention required/expected?
18:01:24 bug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] https://launchpad.net/bugs/1775207 - Assigned to Pavlo Shchelokovskyy (pshchelo)
18:01:56 pas-ha: we use the office-hours tag as a way to focus on a specific set of bugs or reviews
18:02:17 oh, ok, just saw it mentioned in the scrollback :)
18:02:26 we had a user come through the channel yesterday and we noticed a few reviews related to keystone-manage that could use some attention
18:02:40 i added the tag to it so that we could hopefully get some eyes on it
18:09:07 lbragstad: i have a meeting now, but will join you in 1 hr or so for the ldap stuff
18:09:27 sounds good - cleaning up one of the patches now, should be ready for review by then
19:15:47 Lance Bragstad proposed openstack/keystone master: Fix keystone-manage mapping_purge with --type option https://review.openstack.org/554397
19:16:09 knikolla: ^ those could be a bit more DRY - but they're functional
20:03:14 Morgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g https://review.openstack.org/578189
20:03:14 Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents https://review.openstack.org/578190
20:04:04 Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents https://review.openstack.org/578190
20:10:34 lbragstad: looking
20:28:13 lbragstad: looks good to me. +2
20:29:28 knikolla: cool - thanks
20:29:39 i'm a little worried about the duplication
20:30:06 but i'm open to refactoring it if we can find a better way
20:30:28 i generally like tests to be verbose.
20:31:29 duplication in that case should be fine as it makes it pretty clear what the test is doing.
20:31:36 that's fair
20:31:37 but that's just my opinion :)
20:36:02 Hi lbragstad, I use your fernet-inspector to inspect a fernet token, the result is this:
20:36:05 fernet-inspector -k /opt/cgcs/keystone/fernet-keys gAAAAABbMpejHDDFLNkopYu5_PrFMKo16qidKmOXe5NvctVmja1FxqNBglzJcpma5CqiWG9L7YIVHuXlL29KotzdeHdA50IThiPhzKGREGhpVtKHFoRkGHRRHNK9VRpKSQpj7eTaKBDrRDc61NJ46H1Hh2VARmj1kv3andlwZ9ztHUYvipv86Ng
20:36:05 [2, [True, '\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`'], 2, [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X'], 1530045875.0, ['NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;']]
20:37:19 the Audit id from base64.urlsafe_b64encode('NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;') is
20:37:31 'TlAw_ghUQ6SDwsXb5DuIOw=='
20:37:57 And the UUID from uuid.UUID(bytes='\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`').hex is
20:38:11 'd35db37b1c7b42ed8e9be8c160814d60'
20:38:58 [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X'] in the middle after the second number 2, what is it?
20:39:27 and what's Audit id?
20:40:32 where are user id and project id hidden in the decoded data?
20:40:39 https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n452
20:40:58 this is going to go into the implementation details a bit
20:41:14 but keystone uses different payload classes to pack up the payload before encrypting it
20:41:24 which keeps the two things separate
20:41:36 (building of the payload from the thing that actually does the encryption)
20:41:47 each payload has a version
20:42:05 which is the first thing in the list when you decrypt a token
20:42:50 so - in your example, you're dealing with a ProjectScopedPayload because the first element of the list is an integer of 2
20:43:56 the ProjectScopedPayload returns a tuple which gets used here - https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n158
20:44:14 notice that the version is coming from the payload class that was used to build the payload
20:45:18 the second integer is a compressed representation of the authentication methods associated with that token
20:45:21 https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n464
20:45:36 lbragstad: my brain is fried for now. i'll head home and then work on https://review.openstack.org/#/c/487579/ later tonight
20:45:44 we do this instead of passing method: ['password', 'token']
20:45:47 knikolla: sounds good
20:46:39 aning_: because using methods: ['password', 'token'] in a token payload bloats it significantly, so we convert the configured authentication methods to a unique integer that can be reinflated at validation time
20:47:24 see https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/core.py#n46
20:47:33 and https://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/core.py#n63
21:12:03 Sorry, I was pulled away for a while ... this is very valuable information.
21:12:29 but just from a high level, I saw three hex strings
21:12:53 The first one is UUID, the last one is Audit ID, what's the middle one?
21:15:08 If I guess, it should be password
21:16:21 this is the payload
21:16:23 https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/token_formatters.py#n469
21:16:29 or the format of the payload
21:16:37 or token depends on the integer before it, since that integer is the auth method.
21:17:00 so version = 2
21:17:12 b_user_id is [True, '\xd3]\xb3{\x1c{B\xed\x8e\x9b\xe8\xc1`\x81M`']
21:17:20 2 is the methods
21:17:22 right, version = 2 in my example.
21:17:35 b_project_id is [True, '\xe6\x99u\xe0\xf4\xbdI-\x8b\x9bF%J\xbd\\X']
21:17:49 expires_at_int is 1530045875.0
21:18:02 and b_audit_ids is ['NP0\xfe\x08TC\xa4\x83\xc2\xc5\xdb\xe4;\x88;']
21:18:18 Great
21:18:58 so audit id contains credentials?
21:19:26 nope - audit ids are a specific property of a token
21:19:31 probably not, since there is no need for credentials in token ...
21:19:35 right
21:19:52 Ok got it
21:19:58 an audit id is generated whenever you create a token
21:20:13 we call them audit ids because they help us track which tokens are related
21:20:19 so - for example
21:20:39 if you authenticate for a token using your username and password you'll get back a token
21:20:49 which will have an audit id
21:20:58 if you use that token to reauthenticate for a new token
21:21:17 your new token will contain a list of audit ids, one of which will be the audit id of the first token you authenticated for with your password
21:22:18 since tokens are non-persistent, audit ids help us when a user wants to "delete" a specific token
21:22:52 we can persist the audit id of the deleted token, and flag it as invalid if we ever attempt to validate a token with that audit (decrypted from the token payload)
21:23:55 ok
21:25:20 that's a lot of details about the internal guts of keystone token system... hopefully it makes sense
21:26:49 Yes, it all makes sense ... wouldn't get them anywhere else. Fantastic!
21:28:01 Rather complicated, need time to dig and digest.
21:28:17 lbragstad: i'm trying to avoid a massive rebase/reset the stack https://review.openstack.org/#/c/577586/
21:28:19 that's all
21:28:25 Thanks a lot
21:28:43 Morgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents https://review.openstack.org/578190
21:29:16 aha
21:29:21 this stack is a bit unwieldy as is.
21:29:28 just because it is a LOT of moving parts.
21:29:31 yeah
21:29:42 aning_: no problem
21:29:54 and keeping my brain in one place at a given time has been hard, touches a lot of really overly complex parts.
21:30:29 kmalloc: do we need this bit though? https://review.openstack.org/#/c/577586/1/requirements.txt
21:31:05 shouldn't we be able to get away with just Flask>=1.0.2
21:32:10 well, we need to adhere to what is in requirements
21:32:16 i suck and forgot to remove that part :P
21:32:43 https://github.com/openstack/requirements/blob/master/global-requirements.txt#L62
21:32:47 *oops*
21:33:00 i dunno if the checker will get cranky or not with removing that
21:33:54 i know this stack is getting deep =/
21:34:05 and it's not super easy to follow because of what it touches to begin with
21:34:54 but fwiw, the "dummy API" will be stood up in https://review.openstack.org/#/c/578190/ [the full end-to-end test]
21:35:00 ok
21:35:05 now that I have json_home scaffolding in place.
21:35:39 fwiw, my brain is fried as hell working on these now =/ testing the RBACEnforcer took 3 days to write the tests.
21:35:56 yeah...
21:36:07 the good thing is that most of the stack leading up to that looks good
21:36:11 at least IMO
21:37:03 getting those through the gate will give us time to parse the RBACEnforcer change
21:39:03 the NITs on the 404/418 one, do you want me to fix and rebase or as a side-addendum patch
21:39:16 i'm not sure i have a solution for it...
21:39:36 i'm not sure what the fix would be, it was just a concern
21:39:42 i meant the other nits
21:39:57 the 418 bit, i can pick another status_code [any]
21:40:14 i also added the expressive comment to explain this is a testing-only-thing and what it means
21:40:34 right below your review-comment (the code-comment is expressive that is)
21:40:43 ahh
21:40:58 that one is pretty late in the chain
21:41:11 if you rebase it's only going to affect 4 patches, right?
21:42:21 yeh, the enforcer patch and the newest ones on top of it
21:42:36 i am hesitant to rebase the enforcer if people are actively reviewing...
21:42:53 oh - sure
21:42:54 but i also realize that is unlikely with the current preceding patches not fully reviewed
21:43:17 i'm just about to wrap up my review of the RBACEnforcer patch
21:43:28 cool.
21:43:56 i'll add an addendum patch to the 418 one to address the nits and we can swap out the expected_status bit to a different code if we want at any time
21:44:14 it's 2 lines to swap to something else... 4 if you count the comment and the error msg
21:48:04 Morgan Fainberg proposed openstack/keystone master: Address minor comments to 404 error detection https://review.openstack.org/578216
21:59:57 #endmeeting