#openstack-meeting log

18:00:05 <stevemar__> #startmeeting keystone
18:00:06 <openstack> Meeting started Tue Nov 29 18:00:05 2016 UTC and is due to finish in 60 minutes.  The chair is stevemar__. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:09 <stevemar__> howdy!
18:00:10 <openstack> The meeting name has been set to 'keystone'
18:00:12 <gagehugo> o/
18:00:34 <lbragstad> o/
18:00:36 <henrynash> tally-ho, chaps
18:00:50 <stevemar__> henrynash: chip chip
18:00:55 <stevemar__> #agenda https://etherpad.openstack.org/p/keystone-weekly-meeting
18:00:59 <adriant> o/
18:01:07 <stevemar__> pokes amakarov, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, srwilkers, stevemar, topol, StefanPaetowJisc, agrebennikov
18:01:13 <rderose> o/
18:01:23 <morgan_> o/
18:01:25 <rodrigods> stevemar__, why are you stevemar__ and not stevemar?
18:01:25 <knikolla> o/
18:01:28 <browne> o/
18:01:33 <jgrassler> o/
18:01:33 <jamielennox> o/
18:01:35 <morgan_> rodrigods: he grew a tail
18:01:35 <jaugustine> hello
18:01:39 <cbits> Hi
18:01:40 <stevemar__> rodrigods: cause my bouncer and/or vm are not working
18:01:44 <rodrigods> morgan_, you too
18:01:50 <knikolla> stevemar____________________________________________
18:01:53 <gagehugo> ^
18:01:58 <morgan_> rodrigods: because i'm lazy after reconfiguring irccloud
18:02:07 <morgan_> rodrigods: and haven't typed /nick morgan
18:02:09 <stevemar__> hi cbits, you're new around these parts :)
18:02:11 <lamt> o/
18:02:24 <ayoung> My F25 update broke and I am on a different machine...monitoring but bouncing back and forth to try and fix
18:02:30 <cbits> Yes I am..  Nice to meet you all
18:02:30 <stevemar__> #topic release status
18:02:37 <rodrigods_> ayoung, lol, had the same issue
18:02:39 <henrynash> hi. cibts, welcome
18:02:49 <stevemar__> just a reminder that Next milestone is Ocata-2 -- Week of Dec 12-16
18:02:50 <lbragstad> cbits o/
18:02:57 <stevemar__> This is also spec freeze week, specs must merge by then
18:03:05 <stevemar__> such a short release :(
18:03:11 <ayoung> rodrigods_, did you fix, or still dealing, too?
18:03:13 <samueldmq> o/
18:03:20 <dstanek> o/
18:03:40 <rodrigods_> ayoung, fixed by wiping everything and re installing f24
18:03:50 <stevemar__> let's try and land all the bps and bugs that touch a lot of things earlier than later
18:04:16 <stevemar__> #topic Spec: "Extend user API to support federated attributes"
18:04:19 <stevemar__> rderose: ^
18:04:35 <rderose> Cool
18:04:36 <rderose> https://review.openstack.org/#/c/397410/
18:04:50 <rderose> The problem: I have a federated user and I want to do delegation or make a concrete role assignment, however in order to do that, I need the local user ID.
18:05:00 <rderose> And there is no way to query Keystone to get the user ID for federated users.
18:05:07 <rderose> Likewise, federated users don’t exist in Keystone until after they authenticate.
18:05:18 <rderose> Proposal: Let's simply extend the user API to support a federated object, allowing operators to:
18:05:25 <rderose> Query users based on federated attributes (unique_id…)
18:05:26 <ayoung> rderose, so, I don't like the formate:  we should do it likethis:
18:05:32 <rderose> Create federated users by including a federated object
18:05:48 <rderose> ayoung: what format would you suggest
18:05:53 <ayoung> idp: "name" : protocols [ ...]
18:06:02 <ayoung> need to support multiple idps and multiple protocols
18:06:13 <rderose> ah, good point
18:06:23 <ayoung> something that reflects that, linked to the same account.
18:06:30 <ayoung> other than that, you are on the right track
18:06:48 <rodrigods_> don't get it... we fetch the users without having them in the backend?
18:06:54 <ayoung> rodrigods_, nah
18:07:10 <stevemar__> rderose: if i make a post requet to /v3/users with federated bits in my request, it'll only create the entry in the federated_users table?
18:07:19 <ayoung> rodrigods_, say a user comes in by one Idp/prtotocl, and then later  via a different one...we should see how they link back to their IDP accounts
18:07:34 <stevemar__> rderose: the querying parts i don't mind
18:07:35 <ayoung> rderose, does maybe it feel like this should be a separate API?
18:07:44 <rderose> stevemar__: no, it will create a user in the user table and federated_user table
18:07:49 <stevemar__> ayoung: a bit yes
18:07:56 <stevemar__> rderose: two eh
18:08:05 <rderose> ayoung: why not utilize the user API?
18:08:05 <rodrigods> looks like it should be a different API
18:08:09 <stevemar__> rderose: why isn't that an issue?
18:08:17 <ayoung> rderose, its related...but different eentities.
18:08:17 <rodrigods> at least... we are exposing how things are implemented underneath
18:08:25 <lbragstad> it does the same thing as a shadow user being created through the federation authentication flow
18:08:26 <rodrigods> which usually is not a good thing
18:08:28 <rderose> a federated user is a user
18:08:31 <ayoung> something like user/<id>/idps  or something?
18:08:52 <rderose> lbragstad: ++
18:09:03 <ayoung> OK, for a user show...it probably is OK to have in there as is.
18:09:10 <stevemar__> lbragstad: thats a better explanation :)
18:09:13 <ayoung> for affecting change...lets see what you have...
18:09:24 <rodrigods> so the problem is to create role assignments prior the user has even been authenticated?
18:09:29 <rderose> ayoung: and GET /v3/users/?unique_id={unique_id}
18:09:32 <jamielennox> this seems limiting in any situation where the saem user has more that one login method
18:09:35 <lbragstad> ayoung you mean it's ok to return federated attributes via the identity API?
18:09:53 <ayoung> lbragstad, I'm wavering... don't think it would brek anything
18:09:58 <lbragstad> i don't think we've tackled the account linking story yet...
18:10:03 <rderose> jamielennox: this is the opposite of limiting, this is giving operators full control
18:10:24 <ayoung> OK...what if we said we don;t want it as a POST, but had to be a PUT?
18:10:26 <rderose> jamielennox: POST /v3/users/{id}/federated
18:10:27 <rderose> {
18:10:27 <rderose> "federated": {
18:10:27 <rderose> "idp_id": "1789d1",
18:10:27 <rderose> "protocol_id": saml2,
18:10:28 <morgan> ayoung: it shouldn't break anything
18:10:28 <rderose> "unique_id": "jdoe",
18:10:29 <rderose> "display_name": "James Doe"
18:10:31 <rderose> }
18:10:33 <rderose> }
18:10:39 <jamielennox> but in which case there is the possibility on multiple federated blocks
18:10:58 <ayoung> what if we used the OS_FEDERATED URL scheme instead?
18:11:17 <stevemar__> ayoung: thats what i was thinking,
18:11:27 <rderose> jamielennox: multiple federated blocks are okay for different IdPs
18:11:41 <stevemar__> can anyone think of the implications of this?
18:11:44 <rodrigods> rderose, so this is to create the user prior they authenticate, right?
18:11:47 <lbragstad> jamielennox are you proposing that is how we link accounts?
18:11:54 <ayoung> PUT /v3/OS-FEDERATE/idp/"1789d1",/protocol/saml2,/user_unique_id/"jdoe"   ...
18:11:56 <rderose> rodrigods: yes
18:12:01 <ayoung> I know, jdoe not guaranteed to be URL safe
18:12:12 <rodrigods> rderose, how can we be sure they will be correctly linked?
18:12:34 <rodrigods> i mean... once the user authenticate, it won't create a different entry
18:12:34 <jamielennox> lbragstad: no, but i'm thinking of a situation where we have linked accounts and in which case there are multiple of these per user
18:12:40 <ayoung> if we  had the user ID, we could do
18:12:58 <rderose> ayoung stevemar__: we could use OS_FEDERATED, but I just think lets treat federated users like any other users and stop making them special
18:13:00 <lbragstad> jamielennox right
18:13:11 <jamielennox> also i'm not sure i see the need for unique_id
18:13:15 <ayoung> PUT /v3/OS-FEDERATE/idp/1789d1/protocol/saml2,/user_id  with a payload of  "unique_id": "jdoe",
18:13:15 <ayoung> <rderose>             "display_name": "James Doe"
18:13:19 <ayoung> rderose, yes and no
18:13:35 <morgan> jamielennox: it is because we need the bit from the federated idp to create the mapping
18:13:38 <ayoung> rderose, I want FEderation to be the dfault way we work with KEystone's identity
18:13:41 <rderose> rodrigods: no, because they will already be created; once they auth, we'll pull the existing user
18:13:59 <ayoung> I kindof hate the OS-FEDARTION part but that was not my doing ....
18:14:04 <rodrigods> rderose, how will you assure this?
18:14:09 <ayoung> should be just /idp....
18:14:12 <rderose> morgan: with this, we don't need the mapping
18:14:16 <rderose> or mapping is optional
18:14:22 <henrynash> redrose: what do you mean by “pull”, you mean delete?
18:14:27 <ayoung> mapping needs to be pre-set
18:14:32 <lbragstad> rodrigods i think because we look up the user's federated bits and compare them to what we've already created, right?
18:14:36 <stevemar__> rderose: yep, i was realizing that :)
18:14:40 <rderose> rodrigods: shadow users first looks if the user exists and if they don't just pulls that user
18:14:41 <jamielennox> morgan: yea, was looking at the second post block where you already need the id, guess it makes sense from a new user perspective
18:14:46 <rderose> doesn't create a new user
18:14:55 <ayoung> I would liketo point Out that I suggested exactly this kind of API about a year ago....so, yeah, I like it.
18:15:18 <stevemar__> ayoung: < 1 year ago, in austin :)
18:15:25 <morgan> stevemar__: lol
18:15:26 <stevemar__> but yes, pretty much the same thing
18:15:34 <ayoung> rderose, what you are looking for is something that will pre-create the user, right?
18:15:44 <rderose> henrynash: I mean, when a federated user auth, we query for that user. if they exist, we user that user ID and if they don't, we create the user
18:15:57 <ayoung> 2 us case: one user has never visited, 2 link new protocol to existing user?
18:16:00 <henrynash> rderose: ok, got it
18:16:05 <rderose> ayoung: essentially allowing operators to do manual provisioning
18:16:10 <rderose> create user and assign role
18:16:16 <stevemar__> rderose: so hows the workflow for an operator? just create all X users one time?
18:16:33 <rderose> stevemar__: no, shadow mapping will create users in mass
18:16:38 <rderose> this will be for manual provisioning
18:16:48 <dstanek> rderose: shaddow mapping?
18:16:55 <rderose> or even things like get me the local user ID so that I can do delegation
18:17:11 <rderose> dstanek: Shadow mapping will do the auto provisioning, but I still can’t query for the user ID if I want to do delegation or make a concrete role assignment.
18:17:23 <rderose> dstanek: I see this going hand-in-hand with shadow mapping. Shadow mapping allows for provisioning in mass. While extending the API, allows for other common operations, such as delegation.
18:17:37 <henrynash> what about a create user taht takes the input expected from the IDP as parameters and then we use the mapper to generat the ID (or maybe that is what you are suggesting)
18:17:52 <rodrigods> henrynash, ++
18:17:52 <stevemar__> okay, so not a total replacment for mapping engine bits
18:17:59 <rodrigods> henrynash, that approach looks safer
18:18:04 <ayoung> rderose, ok, so to link an account to an existing user, you can do that all as a single PUT, where the data is the JSON version of the assertion
18:18:15 <lbragstad> more or less another way to solve a similar problem
18:18:16 <rderose> henrynash: either way, we will generate the user ID; ideally based on the federated attributes
18:18:29 <ayoung> and the URL is based on the OS-FEDERATION url scheme.  I'm OK if we drop the OS-FEDDERATION part from there though
18:18:42 <dstanek> rderose: shadow mapping doesn't create multiple users at at time right? it just extends mapping to provision projects, etc?
18:18:42 <ayoung> so /v3/idp  is fine
18:18:45 <rderose> ayoung: cool
18:18:59 <lbragstad> dstanek right
18:19:05 <dstanek> rderose: it must be based on the federated attributes
18:19:09 <rderose> dstanek: ah, right
18:19:16 <henrynash> rderose: if we do it the way I suggested then we are guarnteed to create the same ID, irrespective of whether it was generate by first auth or by this new api
18:19:27 <ayoung> same thing for creating a user:  use a POST, I think, is appropriate there.  Then the controller and the router don't conflict with the existing user controller
18:19:31 <rderose> dstanek: currently, it's uuid, but yes, it should be
18:19:49 <rderose> henrynash: agree
18:20:06 <rderose> ayoung: ++
18:20:10 <ayoung> for reporting information....  are we OK changing the output of the GET user ?
18:20:16 <ayoung> or should it be a separate API?
18:20:17 <lbragstad> ok - so regardless of how a fedearted use is created, the ID will be the same
18:20:19 <stevemar__> okay, this topic has eaten enough time, rderose the spec is getting favorable feedback, lets hash out some minor bits there, look for it to get approved
18:20:26 <rodrigods> rderose, henrynash ++ that's was my concern
18:20:41 <ayoung> From scratch I think I would be OK with a GET user...but can we be cautious here and start by just providing a new API?
18:21:10 <rodrigods> ayoung, now that i understand better, i guess it should be the same API
18:21:14 <jamielennox> i dont think that makes sense with a shadow user, the shadow user id is not supposed to be reflective of a federated login info, it's just an id
18:21:15 <ayoung> I can put all those comments in the review.
18:21:26 <ayoung> rodrigods, related API, but different, just to avoid breaking things
18:21:28 <stevemar__> ayoung: please do!
18:21:42 <rderose> ayoung: we won't be breaking, just extending :)
18:21:54 <rderose> stevemar__ ++
18:22:02 <ayoung> rderose, maybe... better safe than sorry
18:22:13 <rderose> ayoung: :)
18:22:14 <stevemar__> adriant: you around?
18:22:20 <adriant> o/
18:22:25 <stevemar__> #topic Keystone MFA
18:22:26 <lbragstad> #link https://review.openstack.org/#/c/343422
18:22:37 <adriant> patch is here: https://review.openstack.org/#/c/343422/
18:22:41 <lbragstad> ^ implementation
18:22:46 <adriant> The patch itself is done, looks to have all the right things (docs release notes, etc), just needs people to play with it and test it to see how it works so they can confirm they are happy with it.
18:23:04 <adriant> There are some issues around the way I'm doing the testing (I need to test standard password auth without TOTP works), and while that works for now, other random unrelated broken tests may crop up.
18:23:09 <stevemar__> adriant: that is on my list of things to do soon. FWIW it looks good
18:23:32 <lbragstad> was there a specification for this?
18:23:33 <adriant> There isn't really too much to say, I just wanted to see if there were any last minute points anyone had I've missed.
18:23:41 <dstanek> last time i looked i think it was just about done. adriant i'll look again today.
18:23:52 <adriant> lbragstad: yes
18:23:57 <lbragstad> i'm not seeing one linked in the blueprint
18:24:09 <adriant> ah, spec came after the blueprint...
18:24:17 <stevemar__> lbragstad: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/password-totp-plugin.html
18:24:18 <lbragstad> #link http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/password-totp-plugin.html
18:24:20 <lbragstad> ah
18:24:27 <lbragstad> alright - updating the blueprint
18:24:39 <stevemar__> adriant: can we move to your next topic?
18:24:43 <adriant> yes :)
18:24:47 <stevemar__> #topic Spec: User Self Management of MFA
18:24:48 <adriant> as that's the odd one
18:24:56 <adriant> spec here: https://review.openstack.org/#/c/345705/
18:24:56 <stevemar__> adriant: thanks for getting up early btw
18:25:17 <adriant> stevemar__: haha, np
18:25:33 <adriant> After the passwordtotp patch is merged, Keystone will have MFA support. Problem is, users have no way to make use of it without an admin creating totp creds for them. This spec is about fixing that in a manner that doesn't break things or require a huge rework, but it does add new API features on top of the existing user API (exactly the same way EC2 does).
18:25:52 <adriant> There has been some discussion about this, and if this should be a new/extended user api, or we change the credentials API. I argue against the latter as it is harder and can break things.
18:26:07 <adriant> made notes just in case because it is early ^
18:26:27 <adriant> So yes, the last point, new API vs extend the credentials one is a point of contention
18:26:48 <adriant> we do need user self management for TOTP, otherwise TOTP is kind of useless as a feature
18:26:48 <dstanek> adriant: so first question... this can't be done as a policy change?
18:26:58 <ayoung> adriant, why is admin now required?
18:27:02 <stevemar__> dstanek: that was my first question in the spec! :)
18:27:20 <adriant> I've updated the spec itself, it sort of answers those questions.
18:27:23 <dstanek> stevemar__: don't keep me in suspense. what's the answer!
18:27:24 <ayoung> OK
18:27:38 <stevemar__> dstanek: hehe, on july 22 -- i forget why
18:27:39 <adriant> and there is more in the comments themselves
18:27:56 <adriant> A simple policy change isn't enough
18:28:06 <lbragstad> adriant because it's per resource?
18:28:11 <adriant> we've need to add code to the credentials controllers
18:28:18 <lbragstad> if you consider a credential a single resource in a tenant?
18:28:21 <dstanek> adriant: what's the limitation?
18:28:29 <morgan> i really wish we could just force the system to require multiple auth plugins
18:28:32 <adriant> a user owns their own TOTP credentials
18:28:39 <morgan> instead of needing a new passwordtotp plugin explicitly
18:28:42 <ayoung> adriant, OK, I like the "type" argument you post there...
18:28:48 <lbragstad> morgan ++
18:28:53 <ayoung> looks like the right approach
18:28:55 <morgan> iirc that was what we discussed when we accepted the totp plugin in the first place
18:29:14 <morgan> because... lets be fair, the auth plugins if enabled do not ensure a specific one is used
18:29:20 <morgan> so it becomes an all or nothing deal
18:29:32 <morgan> everyone must use passwordtotp or you have to inspect the token to know if they did
18:29:32 <ayoung> mordred, auth plugins should be linked to idp/protocol
18:29:37 <adriant> morgan: I agree, and have ideas on that as an approach, but it's hard to enforce. I'll put a spec together for that in future.
18:29:48 <ayoung> er morgan
18:30:03 <ayoung> auth plugins should be linked to idp/protocol and not be a global list
18:30:03 <morgan> ayoung: i disagree, that is too limiting
18:30:07 <stevemar__> all the code would exist in the credentials layer, just the routes themselves would be /users/user_id first
18:30:39 <stevemar__> adriant: ^
18:30:44 <ayoung> morgan, everything should er done via the Federation style API, just Keystone is its own IdP
18:30:48 <morgan> ayoung: eh. i would be more inclined to say auth-plugins are user-by-user OR idp/protocol
18:30:49 <adriant> stevemar__: for this spec, pretty much
18:31:04 <morgan> ayoung: a user should eb able to require mfa not just be limited by what the protocol/idp list is
18:31:10 <stevemar__> adriant: looks OK to me
18:31:17 <stevemar__> any dissenters?
18:31:19 <morgan> ayoung: also... some users in an idp/protocol may not use this
18:31:20 <dstanek> adriant: i don't quite understand why the policy would be broken based on your description. couldn't we credential format based on type?
18:31:20 <morgan> stevemar__: me
18:31:25 <stevemar__> morgan: :O
18:31:27 <adriant> it's the extra routes and serverside generation/activation that make it useful
18:31:31 <ayoung> morgabra, wouldnt OTP be another protocol?
18:31:35 <mordred> what if a user does NOT want to use MFA?
18:31:42 <morgan> stevemar__: i do not like adding more plugins for this that is against the original design of the MFA inclusion
18:31:46 <mordred> like, you konw, if the user is an API-consuming automation script?
18:31:49 <morgan> stevemar__: this is going down the wrong path.
18:32:02 <lbragstad> so - throughout the discussion of this spec - we mentioned that there are several things about the existing credential api that prevent us from doing stuff like this
18:32:04 * mordred interjects insanity because he accidentally got pinged
18:32:05 <adriant> dstanek: it's not just policy, I want to add the generation of TOTP to the serverside
18:32:19 <morgan> stevemar__: we should be fixing the plugins so we can by user or by idp/protocol enforce required plugins to be used (if enabled)
18:32:26 <ayoung> Heh...single use tokens!
18:32:38 <morgan> mordred: you're not insane
18:32:41 <mordred> \o/
18:32:42 <lbragstad> to me, it would be easier to roadmap a way to fix what we have, clean it up, and elaborate on it later than to release yet another credential api and hope we can clean it up later
18:32:50 <morgan> lbragstad: that too
18:32:55 <mordred> lbragstad: ++
18:32:57 <lbragstad> the latter is much harder to do in my opinion
18:33:15 <adriant> but we then can't do the serverside generation, or the enable/delete needing a passcode
18:33:21 <adriant> or at least not easily
18:33:25 <dstanek> lbragstad: ++ i mentioned redesign in my review. i think we need to have a clear direction instead of bolting on something else
18:33:36 <morgan> i think the passwordtotp plugin is fundamentally the wrong approach here. we are diving down a bad direction that is now adding more credential apis
18:34:17 <dstanek> morgan: you want to have multiple auth plugins? like password and totp?
18:34:18 <morgan> so i dissent here and say we need to ratchet back and fix the system correctly
18:34:23 <morgan> dstanek: correct
18:34:27 <morgan> dstanek: you can do that now
18:34:34 <stevemar__> morgan: you volunteering? ;)
18:34:36 <morgan> ypou just can't enforce that multiple plugins are needed
18:34:43 <adriant> morgan, yes but not by breaking things
18:34:44 <ayoung> morgan, can you write up your objectiions?  THink they might be too big for this meeting, and I want to understand them
18:34:46 <morgan> mordred: ^ do I have time for this?
18:34:50 <morgan> mordred: :P
18:34:57 <dstanek> but you can't enforce that someone uses 2 of them. that's something we talked about in Austin (i think)
18:35:02 <adriant> this new plugin allows password+totp to with via password as normal
18:35:08 <morgan> dstanek: before austin
18:35:21 <adriant> I'm not using the totp plugin at all, I get the totp passcode from the password itself
18:35:25 <morgan> dstanek: every time MFA has been brought up we said we need to enforce this.
18:35:41 <dstanek> adriant: i think morgan's point is that we should need another plugin to do that
18:35:51 <adriant> sticking two auth methods together means ALL the services need a separate totp passcode
18:35:54 <lbragstad> yeah - i remember that discussion in austin
18:35:56 <morgan> we shou;dn't need a plugin for password+totp explicitly
18:35:56 <ayoung> seems like /credentials is kindof like OS-FEDERATION/idp/self/protocol/totp
18:36:19 <adriant> morgan, but the base password plugin needs to know to strip the passcode from itself
18:36:20 <morgan> we should be able to say UserX NEEDS to use both totp and password plugins
18:36:23 <morgan> to auth
18:36:24 <adriant> otherwise it fails
18:36:27 <dstanek> a cloud might have 3 auth plugins required and want the user to use any 2. with this implementation that would be a lot of subclassing
18:36:48 <chrisplo> well maybe user X needs these auth creds for a particular IdP
18:36:49 <lbragstad> i thought i had a really detailed discussion about this with dolphm at one point... a long time ago
18:36:51 <morgan> but user Y (service user) only needs password
18:37:08 <ayoung> should be on a per domain basis
18:37:13 <morgan> ayoung: hell npo
18:37:14 <morgan> no
18:37:17 <stevemar__> nah
18:37:30 <morgan> ayoung: how does  rescoping work then?
18:37:36 <ayoung> morgan, project-domain?
18:37:43 <morgan> ayoung: user or idp/protocol level
18:37:45 <adriant> there is nothing stopping us from doing that as well, my whole point with this patch was to allow totp to work with the standard default 'password' auth
18:37:46 <morgan> not domain by domain
18:37:53 <lbragstad> which boiled down to enforcing authentication factor on specific operations (ie. nova boot doesn't care how i authenticated so long as I used two separate authentication factors, like password and tongue print)
18:37:56 <ayoung> you need to use this Auth form to get access to your role assignments on D->P
18:38:17 <morgan> ayoung: please no. please please please no.
18:38:22 <adriant> the passwordtotp plugin strips the passcode from the password, that's all. Doing that as two plugins wouldn't work easily
18:38:42 <ayoung> morgan, my goal is to make the suggestions so wild that we give up on the whole idea all-together
18:38:45 <morgan> adriant: in the body of the auth request you have multiple plugins specified. this works today
18:38:46 <ayoung> not really
18:39:04 <morgan> adriant: but we can't say you MUST use both plugins
18:39:05 <ayoung> yes, that is part of the design
18:39:08 <adriant> morgan: yes, but that's not what I wanted with this, that breaks things
18:39:12 <dstanek> morgan: adriant was trying to not change the cli/horizon/etc for this
18:39:22 <adriant> morgan we can ALSO do that
18:39:30 <dstanek> adriant: nothing is broken. things would need to be updated
18:39:32 <adriant> yes, what dstanek said
18:39:52 <morgan> adriant: except if you are adding a specific plugin you can use any to auth
18:39:53 <adriant> yes, but updating across multiple projects takes time, and is akin to breaking :P
18:40:17 <morgan> so you're adding yet-another-auth method and not fixing the issue we said we needed to fix when totp was added
18:40:23 <dstanek> i think the plugin is reasonable, but not sufficient for the overall mfa needs
18:40:34 <adriant> morgan: I think we need both
18:40:39 <morgan> sorry, i'm on a soapbox here because we only accepted totp at all because the next step was fix the system
18:40:47 <adriant> morgan: I agree, we need a way to enforce: "these two together"
18:40:52 <morgan> i am against adding another plugin with the nebulous "we'll do this in the future" bit
18:41:10 <adriant> but this plugin is meant to work around that in the mean time, and allow a different password+totp auth method
18:41:18 <ayoung> So, do we have something actionable for the next week, or are we kicking this out of Ocata?
18:41:25 <morgan> adriant: except it is an all or nothing on the entire cloud
18:41:39 <morgan> adriant: if password is enabled, they can use password... circumventing totp
18:41:45 <morgan> even with the new plugin
18:41:51 <dstanek> morgan: the *only* reason i see this plugin as valuable is that a cloud operator won't have control over the libraries a customer is using and they may have to not use MFA until everything works with it
18:41:53 <adriant> so don't enable password? this is a replacement for password
18:41:59 <dstanek> this plugin makes it *just work*
18:42:05 <morgan> adriant: and then all service users cannot auth
18:42:13 <morgan> adriant: and keystonemiddleware is broken
18:42:16 <stevemar__> morgan: if you don't have the time to do the work, can you outline what needs to be fixed to adriant ? i'm not even clear how to make multiple auth work
18:42:31 <adriant> morgan: this plugin works as a replacement for password auth just fine
18:42:32 <morgan> stevemar__: i can probably do this. let me land the ksa changes.
18:42:39 <adriant> it does not break password auth without totp
18:42:44 <adriant> that was the point of it
18:42:50 <dstanek> morgan: service users can still auth... iirc the mfa is only enforced if you have a totp credential
18:42:51 <adriant> it allows OPTIONAL totp auth with a password
18:43:11 <stevemar__> morgan: yes, what dstanek said
18:43:15 <morgan> ugh. it scans the db on each auth-request to see if you have a totp cred?
18:43:17 <morgan> gross.
18:43:21 <morgan> double gross.
18:43:25 <adriant> it works though
18:43:26 <ayoung> Heh
18:43:33 <adriant> the totp auth plugin does the exact same thing
18:43:34 <ayoung> Federation
18:43:56 <ayoung> Even password should switch to Federation
18:43:58 <morgan> i'm actually really annoyed that we went down this path
18:43:58 <dstanek> ayoung: ++. here we debate another IdP feature
18:44:02 <morgan> but i wont block it.
18:44:27 <morgan> the only reason totp was included was because we were going to "fix" the auth mechanisms next
18:44:41 <morgan> otherwise i would have held on the -2 on totp
18:44:44 <stevemar__> morgan: can you elaborate how to fix auth in -keystone after?
18:44:50 <ayoung> dstanek, need a way to do "the keystone database is itself and IdP" and then the rest of this falls in to line
18:45:09 <morgan> stevemar__: yes it is not a hard-to-fix thing. but it requires expanding the api(s).
18:45:12 <dstanek> can we fake the password/totp split in the json payload?
18:45:20 <dstanek> password:totp or similar format?
18:45:41 <morgan> dstanek: we could in horizon and the in the cli.
18:45:47 <morgan> heck keystoneauth could do the work for us.
18:45:57 <morgan> the ksa authplugin could do the magic
18:46:15 <morgan> but the enforcement on keystone side isnt' there w/o adriant's plugin and changing keystone.conf to only allow the new plugin
18:46:28 <stevemar__> adriant: stick around -keystone and chat with morgan later?
18:46:37 <lbragstad> ping me, too
18:46:37 <adriant> the problem is how do you make MFA optional, but enforce it on users who have it?
18:46:38 <dstanek> morgan: ++
18:46:42 <morgan> like i said, i wont block this. i am lodging my dissent
18:46:50 <adriant> stevemar__: yeah I can stick around
18:46:51 <morgan> adriant: i want to fix that part :)
18:47:05 <stevemar__> okay, 15 minutes-ish left
18:47:06 <morgan> adriant: so we can make it optional/required etc.
18:47:17 <stevemar__> let's move on
18:47:22 <stevemar__> jgrassler: here?
18:47:26 <jgrassler> stevemar__: Yes
18:47:31 <stevemar__> #topic Spec: Trust Scope Extensions
18:47:48 <stevemar__> jgrassler: you're up!
18:47:52 * morgan crawls back under a rock so as not to derail the meeting too much.
18:47:52 <jgrassler> https://review.openstack.org/#/c/396331/
18:47:59 <jgrassler> This is the spec review
18:48:19 <jgrassler> tl;dr on it: I want to add an optional whitelist of capabilities to trusts
18:48:47 <jgrassler> If that whitelist is present for a trust only the listed operations (in terms of oslo.policy targets) are allowed
18:49:30 <ayoung> yeah, kill that
18:49:34 <lbragstad> jgrassler so - i could create a trust giving you the operation to list vms on a project, but *only* list vms
18:49:35 <jgrassler> I'd do the enforcement in oslo.policy since that is where all the information about policy targets (and even concrete objects) is available
18:49:41 <ayoung> trusts are not the right abstraction
18:49:44 <jgrassler> lbragstad: Exactly, yes
18:49:47 <lbragstad> jgrassler that was my next question
18:49:53 <lbragstad> this would be a cross project spec
18:50:00 <jgrassler> lbragstad: Yes, it would be
18:50:03 <ayoung> No
18:50:12 <ayoung> THis is unworkable
18:50:34 <ayoung> Please read the proposal i have for RBAC in Middleware before you pursue this any further
18:50:46 <lbragstad> ayoung link?
18:50:51 <ayoung> it retreads groud we've been over, and it does not work with the current abstraction
18:50:57 <ayoung> lbragstad, in the etherpad
18:51:13 <ayoung> after Taskmnager
18:51:22 <lbragstad> #link https://review.openstack.org/#/c/391624/
18:51:29 <jgrassler> ayoung: Where does it break?
18:51:31 <ayoung> the short is "there is no way to tell a user wht they need to delegate"
18:51:56 <jgrassler> ayoung: Ah, you mean they do not know the name of the oslo.policy targets?
18:52:03 <ayoung> we have 9 minutes left..too long for this meeting
18:52:13 <ayoung> and the role needed for those policy targets
18:52:44 <ayoung> jgrassler, I had a proposal for operational scoped tokens about a year ago...fell apart on this issue
18:52:59 <ayoung> so... URL patterns
18:53:05 <dstanek> jgrassler: no a backup_vm target may under the hood use other targets to do its work. what happens there?
18:53:09 <ayoung> enforce RBAC on
18:53:19 <ayoung> gah..wrong computer
18:53:42 <jgrassler> dstanek: Yes, that problem is unsolved, currently :-/
18:53:53 <ayoung> enforce RBAC on  soemthing like  POST /v2.1/{project_id}/server/{server_id
18:54:10 <jgrassler> dstanek: It's the same issue with Barbican secret containers (they consist of multiple secrets)
18:54:28 <ayoung> jgrassler, so, work with me on the RBAC stuff and we'll get to what you want
18:55:34 <jgrassler> ayoung: But how do you get the thousands of roles this approach requires for the same granularity in place?
18:55:48 <ayoung> jgrassler, step by step....
18:56:00 <dstanek> so in the Z release :-P
18:56:10 <stevemar__> dstanek: we'll flip over by then
18:56:11 <lbragstad> dstanek hopefully
18:56:15 <ayoung> nah, we have something that will work based on all the restrictions
18:56:18 <jgrassler> ayoung: That one is my main objection to it. It requires a _lot_ of infrastructure to be in place :-/
18:56:33 <ayoung> please read through https://review.openstack.org/#/c/391624/
18:56:51 <ayoung> jgrassler, believe it or not, it is the path of least resistnace
18:57:00 <jgrassler> ayoung: Don't get me wrong, I like your RBAC proposal per se. But not for this purpose. At least not in 2016 :-)
18:57:02 <ayoung> it is all within code that the Keystone project manages
18:57:41 <ayoung> jgrassler, what you are proposing is unworkable.  You cannot enforce policy the way you propose without getting changes into every single project
18:57:54 <ayoung> just look at how long bug 968696 has been open
18:57:54 <openstack> bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Matthew Edmonds (edmondsw)
18:58:05 <jgrassler> ayoung: oslo.policy would suffice.
18:58:10 <ayoung> Hey, assignemd to Matt...ah whatever...
18:58:13 <ayoung> jgrassler, hah
18:58:46 <ayoung> "Baby I've been here before I've seen this room and I've walked this floor I worked on this alone before I knew ya"
18:58:58 <ayoung> jgrassler, lets take it off line
18:59:06 <ayoung> I will be very happy to work through these things with you
18:59:14 <ayoung> meeting is almost over
18:59:22 <stevemar__> we left a lot on the agenda
18:59:27 <stevemar__> i'll add it to next weeks
18:59:28 <ayoung> I want to get the RBAC spec in this release
18:59:31 <jgrassler> ayoung: Agreed on that. I really don't want to rush through this in half a minute :-)
18:59:39 <agrebennikov> thank you very much for spending 40 mins on the second topic :(
18:59:40 <ayoung> please review
18:59:46 <ayoung> please read through https://review.openstack.org/#/c/391624/
18:59:50 <stevemar__> agrebennikov: happens dude
19:00:01 <morgan> agrebennikov: we can discuss your thing in -keystone after this meeting
19:00:04 <morgan> since i have the -2 on it.
19:00:08 <agrebennikov> exactly
19:00:16 <agrebennikov> and we have a customer online))
19:00:20 <stevemar__> #endmeeting