Wednesday, 2023-12-13

opendevreviewYi Feng proposed openstack/keystonemiddleware master: [WIP] Add FT for External OAuth2.0 Server Support  https://review.opendev.org/c/openstack/keystonemiddleware/+/89991101:34
*** mhen_ is now known as mhen02:11
*** jph5 is now known as jph108:19
*** jph1 is now known as jph08:20
zigoDeprecated use of the datetime module is all over the place in Keystone, which fails unit tests with Python 3.12 ... :(09:35
opendevreviewRafael Weingartner proposed openstack/keystone master: Keystone to honor the "domain" attribute mapping rules.  https://review.opendev.org/c/openstack/keystone/+/73996610:45
opendevreviewRafael Weingartner proposed openstack/keystone master: Keystone to honor the "domain" attribute mapping rules.  https://review.opendev.org/c/openstack/keystone/+/73996612:04
bbobrovzigo: let's talk about it at the meeting today14:56
zigoThanks. I won't be there though ...14:56
*** d34dh0r5- is now known as d34dh0r5314:59
d34dh0r53#startmeeting keystone15:00
opendevmeetMeeting started Wed Dec 13 15:00:38 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
opendevmeetThe meeting name has been set to 'keystone'15:00
d34dh0r53#topic roll call15:00
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m],mharley15:00
xeko/15:01
d34dh0r53o/15:01
bbobrovo/15:01
d34dh0r53#topic review past meeting work items15:03
d34dh0r53#link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-11-29-15.00.html15:03
d34dh0r53d34dh0r53 Look into adding/restoring a known issues section to our documentation15:03
d34dh0r53no update on this15:03
d34dh0r53#action d34dh0r53 Look into adding/restoring a known issues section to our documentation15:03
d34dh0r53d34dh0r53 Look into adding/restoring a known issues section to our documentation15:03
d34dh0r53nor this :/15:03
d34dh0r53#action d34dh0r53 Look into adding/restoring a known issues section to our documentation15:03
d34dh0r53d34dh0r53 email gtema (artem.goncharov@gmail.com) a reviewathon invite15:04
d34dh0r53this has been done15:04
d34dh0r53d34dh0r53 add reviewathon information to the Keystone Meetings page on the Openstack Wiki15:04
d34dh0r53this one is done as well15:04
d34dh0r53That does it for the past meeting action items15:04
mharleyo/15:04
gtemathks15:04
d34dh0r53next up we have liaison updates15:04
d34dh0r53#topic liaison updates15:04
zigoDidn't know that meeting was now... so: o/15:04
d34dh0r53nothing from release or vmt15:04
d34dh0r53o/ zigo, welcome15:05
d34dh0r53any other liaison updates?15:05
d34dh0r53cool15:06
d34dh0r53#topic specification OAuth 2.0 (hiromu)15:06
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext15:06
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability15:06
d34dh0r53External OAuth 2.0 Specification15:06
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/86155415:06
d34dh0r53OAuth 2.0 Implementation15:06
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls15:06
d34dh0r53OAuth 2.0 Documentation15:06
d34dh0r53#link https://review.opendev.org/c/openstack/keystone/+/83810815:06
d34dh0r53#link https://review.opendev.org/c/openstack/keystoneauth/+/83810415:06
d34dh0r53hiromu: any updates or needs?15:07
d34dh0r53ok, moving on15:09
d34dh0r53#topic specification Secure RBAC (dmendiza[m])15:09
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:09
d34dh0r532024.1 Release Timeline15:09
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:09
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:09
dmendiza[m]🙋15:12
d34dh0r53o/ dmendiza[m] 15:12
dmendiza[m]Heya!15:12
dmendiza[m]Sorry, only half paying attention.  Currently also trying to listen to a company meeting.15:13
dmendiza[m]Yeah, so I've been updating the policies to allow project-admin to do system things.15:13
d34dh0r53ack, me too15:13
dmendiza[m]I've got a patch up that is (expectedly) failing tempest because of the policy change:15:13
dmendiza[m]#link https://review.opendev.org/c/openstack/keystone/+/90273015:13
dmendiza[m]Working on the tempest patch next, and then I'll update this to make the srbac job non-voting15:14
dmendiza[m]then a follow up to make it voting again once the tempest patch lands15:14
d34dh0r53sweet, thanks for the work on that and good find :)15:15
d34dh0r53next up15:16
d34dh0r53#topic specification Add schema version and support to "domain" attribute in mapping rules (gtema)15:17
d34dh0r53#link https://review.opendev.org/c/openstack/keystone-specs/+/74804215:17
d34dh0r53this has merged15:17
d34dh0r53woot15:17
gtemathanks15:17
d34dh0r53I saw a follow on patch that I need to review15:17
gtemayes, now that spec needs implementation and Rafael revived old change15:18
d34dh0r53sweet, do you happen to have a link handy?15:18
gtemahttps://review.opendev.org/c/openstack/keystone/+/73996615:19
d34dh0r53thanks gtema !15:19
d34dh0r53cool, moving on15:21
d34dh0r53#topic open discussion15:21
d34dh0r53domain scoping for "GET /v3/domains" (mhen)15:21
d34dh0r53bug: #link https://bugs.launchpad.net/keystone/+bug/204161115:21
d34dh0r53patch: #link https://review.opendev.org/c/openstack/keystone/+/90002815:21
d34dh0r53looking for reviewers15:21
d34dh0r53Zuul tests fail15:21
d34dh0r53"keystone_tempest_plugin.tests.rbac" seems to be the culprit15:21
d34dh0r53how can patches of the keystone_tempest_plugin be integrated in a way that the patchset above incorporates it in its testing? (i.e. interlinked patchsets between keystone and keystone_tempest_plugin that depend on each other)15:21
d34dh0r53I think this may be an old open discussion item but I wanted to raise it just in case15:22
bbobrovi am actually not sure that it is a good thing to merge15:22
d34dh0r53I'm not either15:23
bbobrovit feels like a violation of an API stability contract15:23
bbobrovthis is an old broadly used endpoint, and i am sure there are deployments that use the current response15:23
bbobrovi have a feeling that there was a discussion about this several years ago...15:24
zigoIs it time to talk about py3.12 ? :)15:26
d34dh0r53yeah, I think we can remove the previous topic from the open discussion list and see if mhen gets back to us on bbobrov's comments on the review15:27
bbobrovhttps://meetings.opendev.org/meetings/keystone/2021/keystone.2021-11-09-15.00.html - it was discussed here15:27
bbobrovzigo: i think we shall get to it during the bug review, i have filed https://bugs.launchpad.net/keystone/+bug/204635515:27
zigoI tried building Keystone in Unstable, and this lead me to 2000+ unit test failures.15:28
zigoMost seem due to the way Keystone uses datetime.15:28
zigoFor example utcfromtimestamp() is removed from Py 3.12.15:28
zigoSee https://docs.python.org/3/whatsnew/3.12.html15:28
bbobrovprevious discussion about the scope for listing domains: #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-11-09-15.00.html15:28
zigoI unfortunately didn't have enough time to investigate it enough though ...15:29
zigoBut if there's a bunch of you with enough time to try unit testing with 3.12, that'd be super useful.15:29
zigoSee how many bugs I need to deal with: https://bugs.debian.org/cgi-bin/pkgreport.cgi?which=maint&data=team%2Bopenstack%40tracker.debian.org&archive=no&raw=yes&bug-rev=yes&pend-exc=fixed&pend-exc=done15:29
bbobrovzigo: i think that utcfromtimestamp is not removed, but deprecated15:29
zigoWe're at 47, we were at 66 yesterday ...15:29
zigobbobrov: Correctly, but that makes the unit tests fail...15:30
zigoSo it got to be fixed.15:30
bbobrovwell, we can probably mute it for now somehow15:30
zigoWhy not fix it completely? It didn't seem that hard to do...15:30
dmendiza[m]zigo we can start by adding a py312 gate, but it's not in scope for 2024.1 15:30
dmendiza[m]#link https://governance.openstack.org/tc/reference/runtimes/2024.1.html15:30
zigodatetime.datetime.utcnow() -> datetime.datetime.now(datetime.UTC)15:31
bbobrovzigo: well, first of all, they return different string representations15:31
zigo(this is an example from keystone/identity/backends/sql.py line 135, but there are more ...)15:31
bbobrovzigo: it also needs to be fixed in oslo.utils15:31
zigoWhatever you feel like works will work for me! :)15:32
d34dh0r53that's what I was looking for, thanks dmendiza[m] 15:32
dmendiza[m]I would think 2024.2 will have 3.12 as a tested runtime, and we'll likely run into all those issues then.15:32
zigoOnce these 2000+ failures are silenced, I believe there will be more to fix, but I have no idea what and how much.15:34
zigobbobrov: Are you volunteering to try fixing all py3.12 issues ? :)15:34
bbobrovwhere do i find py3.12 for that...15:34
zigodmendiza[m]: It's always been the case that I've been annoying everyone early with interpreter versions, and fixing them early has always been good ... :)15:35
zigobbobrov: In Debian Unstable for example.15:35
zigoNot sure of the Ubuntu status.15:35
zigoIn Unstable, it's as "available version", ie not the default yet.15:35
bbobrovi am afraid to get out of my debian stable15:35
zigoUse a chroot then.15:36
zigoThat works very well for testing.15:36
bbobrovzigo: i am volunteering, but i cannot promise you any timelines15:36
zigoThat's very nice already. I'll see what I can do too.15:36
zigoI need to run, bye !15:37
d34dh0r53thanks bbobrov and zigo, we'll track this in the bug and reviews15:37
d34dh0r53#topic bug review15:37
d34dh0r53#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:38
d34dh0r53a few new bugs for keystone15:40
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/204462415:41
d34dh0r53there is a fix proposed that looks good, but it's failing the checks15:42
d34dh0r53moving on15:42
bbobrov(please review the fix, the checks should be repaired now)15:42
d34dh0r53ack, will do15:43
d34dh0r53next up15:43
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/204597415:43
d34dh0r53hmm15:44
d34dh0r53I like option 2 but that is indeed boiling an ocean15:44
bbobrovwhat if one gets a domain-manager role on a project?15:45
d34dh0r53oops, I was commenting on the wrong link :o15:45
gtemaidea of domain-manager (domain-admin) is actually to bring roles allowing identity operations on the domain (in domain scope)15:46
gtemaI was not seeing the proposed spec, but what I wrote is a gist of discussions on the topic I was participating in15:47
gtemait is a must for any public cloud15:47
gtemaotherwise they end up hiding keystone apis from the end user15:47
bbobrovwhy not "manager" on a domain?15:48
gtemadoesn't matter what the name is. Or do I get your question wrong?15:49
d34dh0r53the spec says manager15:50
gtemaI see in the spec domain-manager role15:51
bbobrovi think the bugreport language could be a bit changed then:15:51
bbobrovand maybe in the spec15:51
bbobrovto: introduce a new "domain-manager" persona in Keystone15:51
gtemasounds reasonable15:52
bbobrovthe specs talk about personas defined via policies, and propose to create them via a combination of a new role (manager) and a scope (project)15:52
d34dh0r53ack, we need to move on for time, but I'll add this spec to that section of the agenda15:52
bbobrovthe bugreport kind of suggests to add "domain" as a potential scope for the role;15:53
gtemayou are talking about the "alternatives"?15:53
bbobrovgtema: lets talk after the meeting15:54
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/204599515:54
gtemaok15:54
d34dh0r53I prefer option 2 for this one but it's a lot of work15:54
d34dh0r53we're definitely missing tracebacks without that patch but I think we turned the volume up too high15:54
bbobrovalthough we miss them, we don't miss too many15:55
bbobrovwe send them to sentry, and there are almost none15:56
d34dh0r53ack15:56
bbobrovi also don't understand how to make sure, that, if option 2 is taken, i have succeeded in fixing the issue15:57
bbobrovi could refer to tempest15:57
d34dh0r53I think it's whack-a-mole honestly15:57
bbobrovbut how good is tempest in testing the negative scenarios?15:57
d34dh0r53I'm not sure15:58
bbobrovmaybe we could somehow catch it in our unit tests...15:58
d34dh0r53maybe, let's discuss in the bug15:58
bbobrovanyway, i am experimenting with option 1 right now.15:59
d34dh0r53I'm open to option 115:59
d34dh0r53let me know how it goes15:59
d34dh0r53finally for keystone15:59
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/204635515:59
bbobrovthis has been discussed earlier15:59
d34dh0r53we discussed this already15:59
d34dh0r53I checked the other projects and we don't have any new issues in any of them16:00
d34dh0r53#topic conclusion16:00
d34dh0r53Thanks for the lively discussion today, and for the heads up on py3.1216:00
d34dh0r53we'll get to work on that16:00
d34dh0r53anything else before we go?16:00
d34dh0r53next week will be the last weekly meeting of the year, have a great rest of your week folks!16:01
d34dh0r53#endmeeting16:01
opendevmeetMeeting ended Wed Dec 13 16:01:27 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:01
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-12-13-15.00.html16:01
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-12-13-15.00.txt16:01
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-12-13-15.00.log.html16:01
bbobrovgtema: so about the role16:01
gtemayupp16:01
bbobrovgtema: (i don't want to discuss whether it should be implemented or not, i just want to get the description in a bit better state)16:02
gtemaright16:02
gtemaso for public cloud there are few personas with corresponding rights16:02
gtemaplatform admin16:02
gtemadomain admin16:02
gtemaproject admin16:03
gtemaregular user16:03
gtemawhat is required is to have a domain_admin capability handed over to specific users that in the domain_scope allow this user to manage users/project inside this certain domain16:03
bbobrovgtema: the "Consistent and Secure Default RBAC" spec talks about role "manager" and persona "project-manager".16:04
gtemaso that the user "company" is having self-service administration capability without needing platform admin to perform operations or implement some sort of additional API workarounds16:04
gtemathe point is that it is not sufficient for public cloud16:05
bbobrovgtema: according to the spec, persona project-manager is basically role manager on a project. They propose to do it via a common rule:project_manager: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#implement-support-for-project-manager-personas16:07
gtemaproject_manager is not the person who should be allowed to create users in the domain16:08
bbobrovgtema: the bugreport proposes to add a new role "domain-manager". I think that the language here should be changed. It should propose to add a new *persona* domain-manager. Which will be a combination of role manager on domain16:09
gtemabut technically you still end up just defining new role16:09
gtemathose persons are honestly speaking only confusing16:09
bbobrovno16:09
gtema"personas" I mean16:09
bbobrovthe role "manager" is the same role from the project-manager persona16:10
gtemahmm16:11
bbobrovplease note: the spec "Consistent and Secure Default RBAC" does not propose to add a role "project-manager".16:11
gtemayeah, but persona16:11
bbobrovwhich is a combination of scope on a project.16:12
gtemaI see that, and exactly that is confusing (matrix of policy, persona and role)16:12
gtemathat aside, do you agree that what I described above would require having a new role?16:12
bbobrovi do not have an opinion on the subject of the bugreport now, sorry16:13
bbobrovi just want to help set the wording right for now16:13
gtemaI do not ask for your opinion on the bugreport. I want to know whether (from the wording pov) you agree, that having possibility to grant certain people privileges to manage users of the domain will require creating new dedicated role16:14
bbobrovno16:15
gtemahow else "could" you implement that?16:16
bbobrovwe are stepping into the bugreport subject now :) i don't see how it is different from role admin on a domain. Domain admin is supposed to do exactly that.16:17
gtemabut there is no dedicated admin that you can hand over to the user owning a certain domain16:18
gtemathat is exactly what the spec/bug suggests to have16:18
bbobrov"Consistent and Secure Default RBAC" talks about adding a new role "manager". In order to implement the spec (that i don't fully agree with, but whatever), role "manager" is supposed to be added. This role can be reused for the issue in the bugreport.16:19
gtemanow consider following: you have an org with 5 team managers having "manager" role to manage their individual projects16:20
bbobrovgtema: why not? I could give a user "admin" on domain "abcd" and they can now manage users there (after small policies adjustment)16:20
gtemabut you need to have a dedicated person (security officer) allowing adding new users or managing who is actually getting project manager roles16:21
bbobrovthis is domain-manager persona. Which is role "manager" on a domain.16:22
gtemawrt "admin" - I do not know of any possibility right now to have a regular domain user managing users in the same domain (only in this domain)16:22
bbobrovi don't understand the problem16:28
bbobrovthe rule to create a user now is SYSTEM_ADMIN_OR_DOMAIN_ADMIN16:29
bbobrov(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)16:29
bbobrovwhich means "system scoped or domain admin" can create a user16:30
bbobrovif you want a non-admin user to allow to create users, it should be changed in policy.yaml to:16:30
bbobrov(role:member and token.domain.id:%(target.user.domain_id)s)16:30
gtemabut isn't it roughly what is being suggested? except of allocating a new role for that16:32
gtemain certain clouds from security pov there must be a person with capability to manage users of the domains and user roles, but not being admin to actually also own the resources16:33
gtema.. to not to own the resources16:34
bbobrovlets leave the wording like right now then16:34
gtemaI was just worrying, that simply saying: "lets introduce a new persona" is not explaining what needs to be done. But I also understand your point that it may be rephrased16:35
opendevreviewMerged openstack/keystone master: Fix typo in cmd/status.py  https://review.opendev.org/c/openstack/keystone/+/89619318:56
opendevreviewDouglas Mendizábal proposed openstack/keystone master: Consistent and Secure RBAC (Phase 1)  https://review.opendev.org/c/openstack/keystone/+/90273020:04

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!