#openstack-meeting-alt log

16:00:02 <lbragstad> #startmeeting keystone
16:00:03 <openstack> Meeting started Tue Apr 10 16:00:02 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:06 <openstack> The meeting name has been set to 'keystone'
16:00:07 <lbragstad> ping ayoung, breton, cmurphy, dstanek, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rderose, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk
16:00:16 <gagehugo> o/
16:00:18 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:00:20 <lbragstad> o/
16:00:23 <lbragstad> agenda ^
16:00:24 <hrybacki> o/
16:00:25 <ayoung> Hey Ho.  Lets go.
16:00:28 <wxy|> o/
16:00:54 <lbragstad> give folks another minute or two to show up
16:00:58 <kmalloc> o/
16:01:01 <kmalloc> i'm here...
16:01:18 <sonuk> o/
16:01:29 <lbragstad> sonuk: welcome
16:01:39 <jgrassler> o/
16:01:44 <sonuk> lbragstad: thanks
16:01:57 <lbragstad> #topic specifications
16:02:35 <lbragstad> things are moving and we had some good iterations over the last week
16:02:58 <lbragstad> i'll likely keep specs as an item on the meeting agenda until we get things where we want them
16:03:10 <lbragstad> #info specification proposal freeze is going to be next week
16:03:26 <lbragstad> just a reminder in case there is anything we're missing for Rocky
16:03:32 <lbragstad> #topic Application Credentials
16:03:39 <lbragstad> #link https://review.openstack.org/#/c/396331/
16:04:06 <lbragstad> i've reviewed this a few times and my comments are getting really nit picky :)
16:04:15 <lbragstad> i think this is looking good
16:04:20 <jgrassler> I take that as a good sign :-)
16:04:25 <lbragstad> jgrassler: yep!
16:04:41 <lbragstad> i'd like to have a few other reviews give it a once over though
16:04:50 <lbragstad> just to make sure we're not missing anything before we merge it
16:05:41 <kmalloc> lbragstad: +2/+A'd that spec
16:05:49 <kmalloc> lbragstad: just reviewed it again
16:05:56 <kmalloc> if you want me to rescind my +A i will
16:05:57 <lbragstad> fastest review ever
16:05:59 <kmalloc> but it looks ready
16:06:10 <kmalloc> he had to change 1 thing from the last round for me to +2.
16:06:12 <kmalloc> it was ready.
16:06:16 <jgrassler> kmalloc: thanks :-)
16:06:24 <lbragstad> cool
16:06:26 <lbragstad> looks good to me
16:06:38 <lbragstad> if anyone sees anything in that spec, please say something
16:06:40 <lbragstad> or leave a comment
16:06:49 <kmalloc> or propose a followup
16:06:50 <lbragstad> we can address things in a follow up if needed
16:07:17 <ayoung> Yeah...App Creds looks good
16:07:44 <lbragstad> #topic default roles
16:07:48 <lbragstad> hrybacki: around?
16:07:51 <hrybacki> o/ Alright so, after discussions w/ Adam yesterday I'm in support of using implied roles for default roles. I had a basic misunderstanding how he envisioned them being used. Since all of the work will be on our end*, and it clears up the policy files I think it's the best move.
16:08:00 <ayoung> We really should get a lighter process, where we approve the spec in a general sense, and then start ones and twos on it.
16:08:24 <kmalloc> ayoung: that was at the PTG
16:08:26 <hrybacki> all-in-all I think the spec is shaping up nicely though. Lots of feedback coming in
16:08:40 <kmalloc> ayoung: "this is something we want, we like it, now iterate on it and get it ready to merge"
16:09:03 <ayoung> to be clear, I really only see three roles, with 2 an inference rules between them
16:09:20 <ayoung> admin -> member  and member -> reader
16:09:24 <lbragstad> admin -> member -> auditor right?
16:09:28 <hrybacki> ^^ +2
16:09:29 <ayoung> right
16:09:30 <ayoung> auditor
16:09:39 <ayoung> and then the policy files get simpler, you remove the ORs
16:09:48 <ayoung> it also gives you a tool to further refine things down the line:
16:09:49 <kmalloc> ah and fill in the policy behind the scenes
16:09:52 <hrybacki> a good point
16:09:55 <kmalloc> thats pretty solid
16:09:57 <hrybacki> kmalloc: aye.
16:10:05 <lbragstad> hrybacki: are you working that into the next revision?
16:10:19 <hrybacki> lbragstad: I am -- but wanted to discuss here before posting
16:10:24 <lbragstad> ack
16:10:26 <ayoung> want to break member up into smaller pieces? Start with a new role, then a new inference rule, and finally a new policy, and you've not broken anything
16:10:41 <hrybacki> +1
16:10:45 <kmalloc> ayoung: that is quite reasonable
16:10:45 <lbragstad> we're going to need to be ready to explain the concepts to other services
16:10:49 <ayoung> thanks
16:11:02 <kmalloc> lbragstad: i think this makes it easier
16:11:14 <lbragstad> right - but we're also a bunch of keystone developers :)
16:11:18 <hrybacki> and implied roles are the way we are asking deployments to handle edge cases
16:11:27 <ayoung> and the same mechanism that sets up the default roles sets up the rules.
16:12:17 <lbragstad> i can just see developers from other services having questions about what this exactly means for them
16:12:19 <ayoung> keystone-manage I assume
16:12:25 <lbragstad> and we'll need to be prepared to field those
16:12:36 <lbragstad> so that we can keep things moving
16:12:39 <ayoung> lbragstad, that is why we get it in the spec first:  the example policy should spell it out
16:13:33 <hrybacki> WRT domain scope -- I do not think we should integrate it into the spec. I understand that user/groups tie directly to the concept and are a sticky point but cmurphy made some very good points about it not being a 'real' scope and that we should err on the side of not misleading consumers
16:13:52 <ayoung> BTW, I see what y'all were saying about Domain level roles.  My last comment suggests dropping the user example, and just adding a note "leave these alone"
16:14:02 <lbragstad> yeah... i'm fine with that assessment
16:14:05 <ayoung> "they are Keystone only"
16:14:07 <hrybacki> ayoung: yeah, that's just a leftover I missed
16:14:12 <lbragstad> honestly, we have a good seam to work on that later
16:14:24 <ayoung> for a service level operation, suggest hypervisor management
16:14:45 <lbragstad> if we get the whole "project" scope and "system" scope work done, we can come through later and do all the domain stuff as it's own specification
16:14:52 <ayoung> https://developer.openstack.org/api-ref/compute/#hypervisors-os-hypervisors
16:15:20 <hrybacki> #link https://developer.openstack.org/api-ref/compute/#hypervisors-os-hypervisors
16:16:13 <lbragstad> we might need to clarify the intent that domain scope will be tackled later in the specification
16:16:23 <ayoung> #link http://git.openstack.org/cgit/openstack/nova/tree/nova/policies/hypervisors.py?h=stable/queens#n37
16:16:28 <hrybacki> lbragstad: I can add a 'future work' section
16:16:39 <ayoung> lbragstad, Domain scope would be in a Keystone specific spec, so we should be OK
16:16:49 <lbragstad> not necessarily
16:17:05 <lbragstad> i can see a case where using a domain-scoped token for other services would be useful
16:17:19 <ayoung> lbragstad, so can I, but they don't have the data stored to work on it
16:17:19 <lbragstad> e.g. using a domain scoped token to perform a GET /servers call
16:17:30 <hrybacki> yeah it's tricky. Users/groups should not necessarily be controlled by anyone with system scope (ideally)
16:17:51 <ayoung> yeah, but they don't have the tree today.  So, while it might be someday in the future, it would require a good be of reengineering to get there
16:18:19 <lbragstad> sure - that's a good candidate for future work
16:18:32 <lbragstad> but i wouldn't say domain-scope is "keystone" specific
16:18:40 <lbragstad> because then it seems like it's only something that we will use
16:19:50 <ayoung> Sounds good.  I think we see things from the same perspective
16:20:09 <hrybacki> ++
16:20:23 <lbragstad> i just don't want another service developer to automatically file "domain-scope" as something they don't have to ever think about
16:20:39 <lbragstad> but instead as something like "oh, yeah... we'll cross that bridge in the future"
16:21:39 <lbragstad> anything else we  want to talk about for default roles?
16:21:50 * hrybacki shakes his head
16:21:59 <hrybacki> thanks all for the great feedback (and persistence!)
16:22:10 <lbragstad> thanks for keeping things updated
16:22:13 <lbragstad> #topic jwt
16:22:19 <lbragstad> #link https://review.openstack.org/#/c/541903/
16:22:25 <lbragstad> this still needs feedback
16:22:29 <lbragstad> and reviews
16:23:04 <lbragstad> i'll be available during office hours if people want to ask specific questions about it
16:23:28 <lbragstad> #topic hierarchical limits
16:23:37 <lbragstad> #link https://review.openstack.org/#/c/540803/
16:23:44 <lbragstad> #link https://review.openstack.org/#/c/549766/
16:23:48 <lbragstad> ^ those are in the same boat
16:24:03 <lbragstad> we need reviews on them - especially from a usability perspective
16:24:20 <ayoung> looking at all three of thoes reviews
16:24:27 <lbragstad> thanks ayoung
16:24:34 <ayoung> lbragstad, on JWT
16:24:40 <ayoung> do we have a size limit>
16:25:01 <ayoung> that was what made PKI painful, and are we sure we will be OK with JWT sizes?
16:25:02 <lbragstad> we plan to
16:25:17 <lbragstad> it will be similar to fernet size-wise
16:25:20 <lbragstad> but not as compat
16:25:23 <lbragstad> compact*
16:25:28 <ayoung> I'm actually OK if we don't
16:25:48 <ayoung> really, the limit is 8k which should be attainable
16:26:05 <ayoung> that is the size of the header between Apache and mod_wsgi, and where things break down
16:26:17 <ayoung> other than that, and so long as it is optional, I like the alternative
16:26:23 <ayoung> would JWT allow for PKI signing?
16:26:24 <lbragstad> right - but i would be opposed to including unbound things in the token
16:26:41 <lbragstad> because it opens that door up
16:26:53 <lbragstad> JWT has two different paths we can exercise
16:27:09 <lbragstad> JWS and JWE, which is signing and encryption respectively
16:27:30 <lbragstad> JWE is very similar to our fernet implementation
16:27:40 <lbragstad> JWS is kinda similar to what we had with PKI
16:28:19 <ayoung> Sounds good.  This review is just "move the spec to the next release" right?
16:28:32 <lbragstad> yeah - but we need to figure out some details
16:28:49 <ayoung> Can we approve the move, and do the details in a follow on spec?
16:28:50 <lbragstad> and we have to update them before we can merge it... since we did some investigation and found a few things that need to be looked at
16:28:54 <ayoung> or, follow on review
16:28:58 <ayoung> makes it easier to track
16:29:06 <lbragstad> probably not, they are significant to the actual design
16:29:25 <lbragstad> we'll have to talk about them at some point
16:30:17 <lbragstad> i attempted to highlight the main things i found in the reproposed version
16:30:33 <ayoung> Agreed.  hrybacki our team supports JOSE, right?
16:30:52 <lbragstad> i think nkinder was saying something like that
16:31:03 <lbragstad> or saying there was a connection there?
16:31:07 <hrybacki> JOSE?
16:31:11 * gagehugo needs to step away but will be back in a bit
16:31:11 <lbragstad> py-jose
16:31:37 <hrybacki> that doesn't ring a bell with me (but that doesn't mean we don't support it)
16:31:53 <lbragstad> #link https://pypi.python.org/pypi/python-jose/2.0.2
16:32:14 <ayoung> So...summary: we have 3 libraries we can use that do JWT only.
16:32:19 <lbragstad> its one of the three libraries we would use to implement JWS
16:32:27 <ayoung> Pretty sure simo championed it a few years back
16:32:42 <hrybacki> now this rings a bell. Yes, someone at RH is supporting one of those libraries (but I can't recall which)
16:33:08 <lbragstad> we won't be able to use JWCrypto because of licensing
16:33:21 * hrybacki is asking internally
16:33:25 <lbragstad> and that's the only one that supports JWE
16:33:44 <lbragstad> PyJWT and python-jose support JWS to date
16:33:58 <ayoung> lbragstad, so...suggest we start by driving on with JWT only, and we can look into JWE second.  IIUC, it is really JWT that has taken off, and it gives us new functionality
16:34:13 <ayoung> JWE sounds like a longer term effort, but would be a good 1-to-1 replacement for Fernet
16:34:26 <ayoung> so...split the spec, and do JWT this round?
16:34:42 <lbragstad> well - JWE and JWS are subsets of the JWT specification if i understand it correctly
16:34:46 <ayoung> And see if we can get an intern to build JWE into JOSE?
16:35:51 <lbragstad> if we want to do JWS, we can rework the specification to include that
16:36:05 <lbragstad> and retarget JWE when we actually have an implememtation that supports it
16:36:14 <lbragstad> implementation*
16:36:49 <ayoung> I think JWT is built on JWS.  I suspect the issue is symmetric versus asym, with JWT being built on Asym
16:36:56 <ayoung> lbragstad, ++
16:37:01 <ayoung> anyone have a counterpoint?
16:37:09 <lbragstad> either way - reviews on the spec will be needed
16:37:39 <lbragstad> i linked to a few security concerns with JWT in the specification, too
16:39:01 <ayoung> OK, I have the context I need
16:39:04 <lbragstad> if anyone wants to talk jwt after the meeting, let me know
16:39:06 <lbragstad> i'll be in -keystone
16:39:26 <lbragstad> happy to answer questions and get into the details
16:39:42 <lbragstad> #topic unique domain ids for identity providers
16:39:54 <ayoung> lbragstad, so on https://review.openstack.org/#/c/549766/  that is tagged WIP.  How aggressive are we in pursuing that
16:40:05 <ayoung> heh...you move too fast
16:40:12 <lbragstad> #undo
16:40:13 <openstack> Removing item from minutes: #topic unique domain ids for identity providers
16:40:15 <ayoung> :)
16:40:19 <lbragstad> backing up
16:40:21 <lbragstad> sorry
16:40:25 <lbragstad> #topic hierarchical limits
16:40:32 <lbragstad> we need reviews on it, that's for sure
16:40:39 <lbragstad> wxy|: has a specification up to
16:40:40 <ayoung> is it "either or" between those specs?
16:40:51 <wxy|> I'd like to pick it up if John has no time.
16:41:02 <lbragstad> people from cern are interested in it
16:41:15 <ayoung> so...two level is interesting
16:41:19 <lbragstad> they're really the only people who have said "this is how we expect limits to work in a hierarchical settign"
16:41:37 <ayoung> and...I think I can say that it smells right
16:41:50 <wxy|> John's is focus on the first model we'll support. Mine is focus on the whole enforce flow.
16:42:09 <lbragstad> yeah ^ that's an important distinction
16:42:37 <lbragstad> because what wxy| has in his specification includes work that needs to be done regardless of the enforcement model
16:43:23 <ayoung> so...it feels like 2 specs
16:43:43 <ayoung> one which is ``include_all_children=True``  and one is the "2 level hierarchy"
16:44:30 <ayoung> but...they don't really say why a 2 levle limit is essential,  do they?
16:45:00 <lbragstad> because the problem gets substantially harder with more than two levels
16:45:27 <ayoung> I get that...from years of discussion
16:45:41 <ayoung> but on the Nova side. a project still doesn't know its parent
16:45:43 <lbragstad> and the problem we discovered during the PTG was that we lack opinions on how things should behave with more than 2 levels
16:45:49 <ayoung> all a project is is a uuid on a vm
16:45:56 <lbragstad> right
16:47:17 <ayoung> ok...so I think if we are going to enforce 2 level project hierarchies, it has to be inside the resource backend, not limits
16:47:27 <ayoung> otherwise,  what happens if you have:
16:47:35 <ayoung> A->B->C
16:47:52 <ayoung> they can still create C as a child of B, but the quota for it is not based on B
16:48:14 <ayoung> I can see saying "ok, all preexsing get grandfathered in"
16:48:26 <ayoung> but how do you keep people from making deep trees in the future?
16:48:43 <lbragstad> that's where enforcement models come it
16:48:51 <lbragstad> come in*
16:48:53 <ayoung> would it make sense to tag an "allowed depth" field on the project record in the backend?
16:49:41 <lbragstad> we already have a configuration options for that
16:49:44 <lbragstad> i think
16:49:58 <lbragstad> some sort of max project level
16:50:02 <ayoung> if we do, the spec should reference how to use them in conjunction
16:50:36 <ayoung> wxy|, can you look in to that?
16:50:43 <wxy|> sure
16:50:49 <ayoung> ++
16:50:52 <lbragstad> well - i think we need to review his spec too :)
16:50:54 <ayoung> I'm good.
16:51:00 <ayoung> lbragstad, of course
16:51:28 <lbragstad> sounds like we have some actions to chase there
16:51:35 <lbragstad> any other questions on limits?
16:52:28 <lbragstad> #topic domains and identity provider uniqueness
16:52:40 <lbragstad> a while back we made it so that identity providers needed to have a domain
16:52:59 <lbragstad> that was part of the shadow user work
16:53:02 <lbragstad> #link https://review.openstack.org/#/c/559676/1
16:53:14 <lbragstad> wxy|: has a patch up to clarify that relationship
16:53:37 <lbragstad> do we have an opinion on that?
16:53:46 <lbragstad> do we want to have a hard constraint there?
16:53:49 <ayoung> so we are saying that an IdP has exactly one domain?
16:54:00 <lbragstad> ayoung: i think that's the question we need to answer
16:54:06 <ayoung> I wanted that years ago
16:54:19 <ayoung> I lost
16:54:31 <ayoung> OK...what is this going to break:
16:54:31 <lbragstad> i rememebr someone at the boston forum asking for the ability to associate multiple domains to a single identity provider
16:54:49 <ayoung> right now, we use Keycloak as a way to add additional providers
16:55:03 <ayoung> kinda like how CERN used ADFS
16:55:39 <ayoung> instad of changing the config on the Keystone server, we add additional providers at the WebSSO level.
16:55:52 <ayoung> My gut says that this patch is right, just trying to rationalize it
16:56:16 <ayoung> so...we configure Apapche once, and say that /OS-FEDERATION  is protected by WebSSO...
16:56:29 <ayoung> gah, that means that you cannot have any other provider....grrr
16:56:36 <lbragstad> right
16:56:44 <lbragstad> a provider would have a single domain
16:56:45 <ayoung> its backwards...if you wanted to do SAML AND KERBEROS
16:57:10 <ayoung> now, for a single IdP, we would want to map multiple protocols to the same Domain.
16:57:34 <lbragstad> three minute warning
16:57:37 <ayoung> But...from an Apache perspective, we could not have multiple protocols, which would be suboptimal.
16:57:48 <ayoung> OK, I'll chime in on that patch.  I think it does not affect anything
16:57:55 <lbragstad> thanks ayoung
16:58:10 <lbragstad> i didn't want to cut you off but gagehugo has some exciting new
16:58:12 <lbragstad> news8
16:58:14 <lbragstad> bah
16:58:20 <lbragstad> n-e-w-s-*
16:58:23 <lbragstad> nailed it
16:58:33 <lbragstad> #topic keystonemiddleware is now under VMT
16:58:35 <lbragstad> gagehugo: o/
16:58:43 <ayoung> Vermont?
16:58:49 <gagehugo> o/ i forgot i had irc on my phone
16:59:02 <gagehugo> ayoung tes
16:59:08 <gagehugo> Yes
16:59:29 <lbragstad> this has been over a year in the makig
16:59:31 <lbragstad> making*
16:59:38 <lbragstad> thanks gagehugo for pushing on this
16:59:51 <gagehugo> Np, it was an interesting experience
17:00:00 <lbragstad> #link https://review.openstack.org/#/c/555934/
17:00:05 <lbragstad> and with that
17:00:07 <lbragstad> we're out of time
17:00:10 <lbragstad> thanks for coming folks!
17:00:12 <lbragstad> #endmeeting