Wednesday, 2023-11-29

02:15 <opendevreview> Trent Lloyd proposed openstack/keystone master: Improve application credential validation speed  https://review.opendev.org/c/openstack/keystone/+/880456
03:43 <opendevreview> Takashi Kajinami proposed openstack/keystone master: Fix bindep.txt for python 3.11 job(Debian Bookworm)  https://review.opendev.org/c/openstack/keystone/+/900440
03:43 <opendevreview> Takashi Kajinami proposed openstack/keystone master: Drop compatibility code for Python 2.y  https://review.opendev.org/c/openstack/keystone/+/901886
03:43 <tkajinam> xek, knikolla  seems I had to update a few unit tests to work around failures caused by warning messages. please check the updated version ^^^
15:00 *** blarnath is now known as d34dh0r53
15:00 <d34dh0r53> #startmeeting keystone
15:00 <opendevmeet> Meeting started Wed Nov 29 15:00:28 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00 <opendevmeet> The meeting name has been set to 'keystone'
15:00 <d34dh0r53> #topic roll call
15:00 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:00 <d34dh0r53> o/
15:00 <bbobrov> hello
15:01 <xek> o/
15:01 <hiromu> o/
15:02 <dmendiza[m]> 🙋‍♂️
15:03 <d34dh0r53> #topic review past meeting work items
15:04 <d34dh0r53> two action items assigned to me, no updates
15:04 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:04 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:04 <d34dh0r53> #topic liaison updates
15:05 <d34dh0r53> nothing from VMT or Release Management
15:05 <d34dh0r53> anyone else have anything?
15:05 <gtema> specs?
15:06 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:06 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:06 <hiromu> I wrote one topic on the etherpad
15:06 <hiromu> https://etherpad.opendev.org/p/keystone-weekly-meeting
15:06 <d34dh0r53> External OAuth 2.0 Specification
15:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:06 <d34dh0r53> OAuth 2.0 Implementation
15:06 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:06 <d34dh0r53> OAuth 2.0 Documentation
15:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:07 <d34dh0r53> ack hiromu, reading it now
15:10 <hiromu> in short, we gave up on reloading oslo config without restarting services (i.e., hot-reloading) and decided to restart services in the Zuul job
15:10 <d34dh0r53> I think the service restart is probably the best option
15:11 <hiromu> okay
15:11 <hiromu> we'll implement the Zuul job with that option
15:12 <hiromu> btw, you mentioned job spin up is expensive in the second-to-last meeting. What does that mean specifically?
15:12 <d34dh0r53> As to job spin up, I think that was referring to the time it takes to set up VMs, install packages, clone repos, etc...
15:12 <d34dh0r53> all the things that Zuul needs to do before the actual testing of code
15:13 <hiromu> I see, but I think sping up happens in parallel.
15:13 <hiromu> /sping/spin/
15:14 <d34dh0r53> It does, but parallel jobs also require more nodes, which takes away from the resource pool; we just need to be good citizens and minimize our footprint as much as possible.
15:14 <d34dh0r53> But if that's the only way we can do it, then that is how we'll do it
15:15 <hiromu> I agree. We'll try the way that minimizes resource usage first
15:15 <d34dh0r53> excellent, thanks hiromu!
15:15 <hiromu> :)
15:16 <d34dh0r53> anything else for OAuth 2.0?
15:16 <hiromu> nothing else. thanks.
15:16 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:16 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:16 <d34dh0r53> 2024.1 Release Timeline
15:16 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:16 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:17 <dmendiza[m]> I don't have anything to report. 😅
15:17 <d34dh0r53> no worries, thanks dmendiza[m]
15:17 <bbobrov> i just want to say that none of our services can live with these options =True. For all services we have to make them =False
15:18 <bbobrov> but we have an old cloud with own policies
15:19 <dmendiza[m]> Yeah, those options only apply to the default policy values
15:21 <d34dh0r53> right
15:23 <d34dh0r53> gtema: I added your spec under the specifications section of the doc and I've updated the wiki page with the correct meeting information
15:23 <d34dh0r53> gtema: thank you for pointing that out
15:23 <d34dh0r53> #topic specification Add schema version and support to "domain" attribute in mapping rules (gtema)
15:24 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748042
15:24 <gtema> right, basically it is a long runner
15:24 <gtema> it was put on hold and forgotten. Now we try to revive
15:24 <d34dh0r53> I noticed that, I'll take a look at it this week
15:24 <gtema> revive it
15:24 <gtema> in PTG it was promised to land it asap and Kristi already reviewed it
15:25 <gtema> ok, thanks. We really depend on it and need some progress finally
15:25 <d34dh0r53> yep, sorry it slipped through the cracks
15:26 <d34dh0r53> it's on the etherpad now :)
15:26 <gtema> btw, which time is the review session on Fridays? I was not able to find it
15:26 <d34dh0r53> I think I'll add that to the wiki, 15:00 UTC on Fridays
15:26 <d34dh0r53> I can send a calendar invite if you'd like
15:27 <gtema> yes, pls (artem.goncharov@gmail.com)
15:28 <d34dh0r53> ack
15:29 <d34dh0r53> #action d34dh0r53 email gtema (artem.goncharov@gmail.com) a reviewathon invite
15:29 <d34dh0r53> #action d34dh0r53 add reviewathon information to the Keystone Meetings page on the Openstack Wiki
15:30 <d34dh0r53> #topic open discussion
15:30 <d34dh0r53> domain scoping for "GET /v3/domains" (mhen)
15:30 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2041611
15:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/900028
15:32 <d34dh0r53> I think we need to review this in the reviewathon
15:34 <d34dh0r53> next up
15:34 <d34dh0r53> PCI DSS: analyzing failed login attempts (bbobrov)
15:34 <bbobrov> that's me
15:34 <bbobrov> PCI DSS requires us to analyze failed login attempts, for example, to catch bruteforce or password stuffing attacks
15:35 <d34dh0r53> right
15:35 <bbobrov> it is a bit hard to do right now with keystone
15:35 <bbobrov> we do have authenticate.failure events or even log messages
15:35 <bbobrov> but the log messages don't say who failed to authenticate
15:35 <bbobrov> that is why we use the events
15:36 <bbobrov> however, we ran into the fact that most failures are just users running their scripts with bad passwords
15:36 <bbobrov> and we have many users. And chasing them one by one is not possible
15:37 <bbobrov> so a typical attack would be trying many passwords. We obviously cannot log the passwords or their hashes. But maybe we could log/emit a notification with, for example, one last hash digit
15:37 <bbobrov> the question is, how useful would this feature be in keystone, and how could it be implemented, if useful
15:38 <d34dh0r53> yeah, I see the issue, differentiating between attacks and bad scripts
15:38 <d34dh0r53> I'm thinking about how sshd handles it
15:39 <bbobrov> i guess the general advice for sshd is to use keys instead of passwords
15:40 <bbobrov> which would also be good for keystone, no doubt, and even implementable
15:40 <d34dh0r53> right, but sshd logs that user-x tried y times IIRC
15:41 <d34dh0r53> I think it would definitely be useful for keystone to have something that would help with this PCI requirement
15:41 <bbobrov> anyway, i was thinking towards a logged_password auth plugin, that would replace the standard password auth
15:42 <bbobrov> since it would cover all password authentication, including via ldap
15:42 <bbobrov> how reasonable does it sound? Any obvious things against?
15:43 <d34dh0r53> It sounds reasonable to me, and nothing obvious jumps out
15:44 <bbobrov> cool, i will try to come up with a patch then
15:44 <bbobrov> (and i guess this needs a spec)
15:45 <d34dh0r53> yeah, this needs a spec, that's a good place to start
15:45 <bbobrov> actually, i might see a problem with the auth plugin now - the notification is emitted elsewhere
15:46 <bbobrov> the auth plugin can log, but can not notify
15:50 <d34dh0r53> ack, moving on for time
15:51 <d34dh0r53> #topic bug review
15:51 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:51 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2042744
15:51 <d34dh0r53> I think there's a bad package in Ubuntu
15:52 <d34dh0r53> but it may have been fixed
15:52 <d34dh0r53> has anyone here run into this issue?
15:53 <d34dh0r53> also #link https://bugs.launchpad.net/keystone/+bug/2044624
15:53 <d34dh0r53> thanks for submitting a fix for this bbobrov
15:54 <bbobrov> there is actually an open question what the correct response would be
15:54 <bbobrov> 200 or 401, given that the user does not exist any more
15:55 <bbobrov> easier was to just hide the error. The token at that point is useless anyway, since the user does not exist
15:56 <d34dh0r53> yeah, that seems fine to me
15:56 <d34dh0r53> I'll take a look at ubuntu and see if keystone-manage is still broken
15:56 <d34dh0r53> next up keystoneauth
15:57 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:57 <d34dh0r53> err, python-keystoneclient
15:57 <d34dh0r53> which has no new issues
15:57 <d34dh0r53> now it's keystoneauth's turn
15:57 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> nothing new there, on to keystonemiddleware
15:58 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> no new bugs there either
15:58 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> pycadf is good
15:58 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> ldappool is also good
15:58 <d34dh0r53> #topic conclusion
15:59 <d34dh0r53> I'm updating the Wiki with the reviewathon information
15:59 <d34dh0r53> if anyone would like an email invite please let me know
15:59 <bbobrov> please also update the wiki with the correct time and place for this meeting
15:59 <d34dh0r53> already done :)
15:59 <d34dh0r53> sorry about the confusion
15:59 <bbobrov> thanks
16:00 <d34dh0r53> Thanks all!
16:00 <d34dh0r53> #endmeeting
16:00 <opendevmeet> Meeting ended Wed Nov 29 16:00:09 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:00 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-11-29-15.00.html
16:00 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-11-29-15.00.txt
16:00 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-11-29-15.00.log.html
16:35 <opendevreview> Merged openstack/keystone master: Fix bindep.txt for python 3.11 job(Debian Bookworm)  https://review.opendev.org/c/openstack/keystone/+/900440
21:09 -opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be restarting momentarily for a patch update to address a recently observed regression preventing some changes from merging
