Wednesday, 2024-01-31

01:40 *** jph7 is now known as jph
01:41 <opendevreview> Takashi Kajinami proposed openstack/oslo.policy master: Add flag to skip undefined rule check  https://review.opendev.org/c/openstack/oslo.policy/+/907196
05:03 <opendevreview> Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: Consistent and Secure RBAC (Phase 1)  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
09:43 *** zigo_ is now known as zigo
11:57 <opendevreview> Merged openstack/oslo.policy master: Add flag to skip undefined rule check  https://review.opendev.org/c/openstack/oslo.policy/+/907196
15:01 <d34dh0r5|> #startmeeting keystone
15:01 <opendevmeet> Meeting started Wed Jan 31 15:01:30 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r5|. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01 <opendevmeet> The meeting name has been set to 'keystone'
15:01 *** d34dh0r5| is now known as d34dh0r53
15:02 <dmendiza[m]> 🙋‍♂️
15:02 <d34dh0r53> #topic roll call
15:02 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph
15:07 <xek> o/
15:08 <d34dh0r53> #topic review past meeting work items
15:08 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-17-15.00.html
15:09 <d34dh0r53> no updates on my stuff
15:09 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:09 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:09 <d34dh0r53> #topic liaison updates
15:10 <d34dh0r53> nothing from release management or VMT
15:12 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:12 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:13 <d34dh0r53> External OAuth 2.0 Specification
15:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:13 <d34dh0r53> OAuth 2.0 Implementation
15:13 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:13 <d34dh0r53> OAuth 2.0 Documentation
15:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:13 <Luzi> o/
15:15 <d34dh0r53> doesn't look like hiromu is around
15:15 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:16 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:16 <d34dh0r53> 2024.1 Release Timeline
15:16 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:16 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
15:18 <dmendiza[m]> Yeah, still working on the tempest tests
15:19 <dmendiza[m]> but the policy changes have already merged all the way back to antelope
15:20 <d34dh0r53> awesome, thanks for the work on that
15:21 <d34dh0r53> let me know when the tempest tests are ready for review
15:23 <d34dh0r53> #topic specification Improve federated users management (previously: Add schema version and support to "domain" attribute in mapping rules) (gtema)
15:23 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748042 (merged)
15:23 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/739966 (Merged)
15:23 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748
15:23 <gtema> I have added a link to the next spec here
15:23 <gtema> thanks for finally merging the change
15:24 <d34dh0r53> yep, I'll take a look at the next one
15:24 <gtema> so now we should do the next step and also allow management of the user roles in the federated identity
15:24 <gtema> otherwise it is required to have additional software that manages roles for ephemeral users
15:24 <gtema> and that really sucks
15:25 <gtema> I know the spec is currently tied to 2024.1 and there is no chance it can be made in this cycle
15:25 <gtema> but I would really appreciate it if we do not wait with the review so that the implementation is not blocked
15:26 <gtema> thanks
15:27 <d34dh0r53> np, thank you
15:28 <d34dh0r53> #topic open discussion
15:28 <bbobrov> I have topics
15:28 <d34dh0r53> go ahead bbobrov
15:28 <bbobrov> a topic about unified limits. The page in the docs says that they are experimental - https://docs.openstack.org/keystone/latest/admin/unified-limits.html . Since the Nova 28.0.0 (2023.2 Bobcat) release, it is recommended to use Keystone unified limits for Nova quota limits - https://docs.openstack.org/nova/latest/admin/unified-limits.html
15:28 <bbobrov> Are the limits experimental or are they already stable?
15:34 <d34dh0r53> I do not know, that is before my time and I'm surprised that it's still marked as experimental
15:37 <bbobrov> an idea just came to me to search in gerrit: https://review.opendev.org/c/openstack/keystone/+/893120
15:37 <bbobrov> ok, good, then I will consider them to be stable
15:38 <d34dh0r53> yeah, I think that's safe at this point
15:39 <bbobrov> then the next topic, about password truncation
15:39 <bbobrov> After upgrading to Zed, we got flooded with messages "Truncating password to algorithm specific maximum length 72 characters." and "Truncating user password". They happen even though there is no config about password length. They happen even when somebody is authenticating with application credentials, because it seems that the code path leads to the method that prints the warning.
15:39 <bbobrov> I will file a bug report about this soon-ish; my question is: what is this all about? Or, more specifically, can I just upgrade from Zed to Antelope, or do I need to care about the length of the secrets of application credentials and passwords?
15:42 <d34dh0r53> I think this has to do with the intrinsic limitation in bcrypt
15:43 <d34dh0r53> there were some bugs that I fixed in the zed time frame that probably need some adjustment
15:44 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/828595
15:44 <d34dh0r53> is that what you're seeing?
15:45 <bbobrov> yes
15:46 <bbobrov> I found that the limit got raised in https://review.opendev.org/c/openstack/keystone/+/890936
15:46 <bbobrov> #link https://review.opendev.org/c/openstack/keystone/+/890936
15:46 <bbobrov> but I still don't fully understand whether the issue with the upgrade has been fixed or not
15:50 <d34dh0r53> I don't think upgrading will eliminate the messages, the truncation means that only the first 72 characters of a password are validated (https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues) and in the case of application credentials this probably happens more often
15:51 <bbobrov> but will upgrading break the application credentials?
15:51 <bbobrov> with long secrets
15:51 <d34dh0r53> I don't think so, just the whole secret won't be used
15:55 <bbobrov> ok then, thanks.
15:55 <d34dh0r53> I would test that though :)
15:55 <d34dh0r53> #topic bug review
15:55 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:56 <d34dh0r53> no new bugs for keystone
15:56 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:56 <d34dh0r53> python-keystoneclient is good
15:56 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:56 <d34dh0r53> nothing new for keystoneauth
15:56 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:56 <d34dh0r53> nor keystonemiddleware
15:56 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:57 <Luzi> just a short question (other topic): did anyone on the Keystone team get time to review the domain manager role spec?: https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:57 <d34dh0r53> pycadf is GTG
15:57 <d34dh0r53> dmendiza[m] and I can take a look
15:57 <d34dh0r53> Luzi: ^
15:58 <Luzi> thank you :)
15:58 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> no new bugs for ldappool either
15:58 <d34dh0r53> #undo
15:58 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> Luzi: np
15:58 <d34dh0r53> #topic conclusion
15:59 <d34dh0r53> sign up for the vPTG, April 8-12
15:59 <d34dh0r53> #link https://openinfra.dev/ptg/
15:59 <d34dh0r53> I'll shoot out the agenda in next week's meeting
15:59 <d34dh0r53> Thanks everyone!
16:00 <d34dh0r53> #endmeeting
16:00 <bbobrov> thank you
16:01 *** d34dh0r53 is now known as d34dh0r5|
16:01 <d34dh0r5|> #endmeeting
16:01 <opendevmeet> Meeting ended Wed Jan 31 16:01:06 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:01 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-31-15.01.html
16:01 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-31-15.01.txt
16:01 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-31-15.01.log.html
16:01 *** d34dh0r5| is now known as d34dh0r53
16:01 <bbobrov> so... it seems that it is not the participants who should sign up for the ptg
16:02 <bbobrov> but rather a group you represent
16:02 <bbobrov> no?
16:07 <d34dh0r53> I've signed up the group but I believe the participants need to register
16:08 <d34dh0r53> ahh, I don't think they have the link for individual registrations up yet
16:08 <d34dh0r53> sorry
21:01 <opendevreview> Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: Consistent and Secure RBAC (Phase 1)  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
22:17 *** blarnath is now known as d34dh0r53
