16:00:24 <lbragstad> #startmeeting keystone
16:00:25 <openstack> Meeting started Tue Jul 31 16:00:24 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:28 <openstack> The meeting name has been set to 'keystone'
16:00:34 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:00:36 <lbragstad> agenda ^
16:00:41 <lbragstad> ping ayoung, breton, cmurphy, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk
16:01:19 <wxy|> o/
16:01:21 <lamt> o/
16:01:22 <gagehugo> o/
16:01:49 <hrybacki> o/
16:02:03 <hrybacki> in another meeting today so will review the minutes after y'all
16:02:25 <kmalloc> o/
16:02:38 <lbragstad> we don't have a lot on the agenda today
16:02:54 <lbragstad> so likely going to be a quick meeting unless people have things for open discussion
16:03:04 <lbragstad> #topic announcements
16:03:12 <lbragstad> #info we cut rocky-3 last week
16:03:24 <lbragstad> so - that means we're effectively in RC period
16:03:31 <lbragstad> and we're in string freeze
16:03:46 <lbragstad> just things to be aware of while reviewing and working through bugs
16:03:58 <lbragstad> #topic reviews
16:04:06 <lbragstad> i think there are still flask reviews that need eyes
16:04:12 <lbragstad> and same with the token provider API refactor
16:04:22 <lbragstad> does anyone have anything else they want eyes on?
16:05:01 <gagehugo> https://review.openstack.org/#/c/580780/ if anyone has time
16:06:02 <lbragstad> gagehugo: sounds good - i think colleen had some comments on the early revision of that
16:06:14 <lbragstad> were we able to determine if it was actually a bug?
16:06:33 <kmalloc> flask stuff is well on the way, but auth has been a beast
16:06:39 <kmalloc> just because os-federation
16:07:10 * kmalloc has to fix a patch then go back and finish porting auth
16:07:31 <lbragstad> kmalloc: the os-revoke patch i had that you rebased appears to be failing tests
16:07:37 <lbragstad> but that's later in the chain
16:08:15 <gagehugo> lbragstad: I think I put it in the bug report, but we were seeing logins to horizon with random uuids in the notifications, imo those should be the user id as the initiator
16:08:29 <gagehugo> initiator id*
16:09:05 <kmalloc> lbragstad: that is because of the previous one
16:09:16 <kmalloc> lbragstad: or two patches before, the fix will solve that as well.
16:09:35 <lbragstad> gagehugo: ack
16:09:49 <lbragstad> kmalloc: ok - sounds good
16:10:03 <gagehugo> but it happens for any identity.authentication event afaik
16:10:12 <lbragstad> i'm in the middle of fixing some of my development environments, but i should be able to get around to reviewing it today
16:11:09 <gagehugo> wxy| was super helpful with the test case btw, it was kinda confusing at first
16:11:18 <lbragstad> awesome
16:12:04 <lbragstad> #topic open discussion
16:12:15 <lbragstad> that's about all i had... just a few reviews really
16:12:22 <lbragstad> does anyone have anything they'd like to bring up?
16:12:41 <kmalloc> i hate code that calls across controllers.
16:12:53 <kmalloc> e.g. federation controller -> auth controller
16:12:56 <lbragstad> https://bugs.launchpad.net/keystone/+bug/1779205 has an interesting comment on it (#68)
16:12:56 <openstack> Launchpad bug 1779205 in OpenStack Identity (keystone) rocky "[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)" [Critical,Fix released] - Assigned to Lance Bragstad (lbragstad)
16:12:56 <kmalloc> please don't do that.
16:13:16 <lbragstad> well - we already did :) to fix ^
16:13:21 <kmalloc> lbragstad: the comment is exactly why i recommended removing the "endpoint being enabled" part of the message
16:13:52 <kmalloc> lbragstad: no, we didn't there, i mean we do things like federation controller calls auth.authenticate_for_token
16:14:01 <lbragstad> oh
16:14:02 <kmalloc> controllers should not call another API like that
16:14:21 <kmalloc> because you get double enforcement issues
16:14:30 <kmalloc> a controller's logic should render the whole response.
16:14:31 <lbragstad> i suppose that messes with the routing
16:14:41 <lbragstad> er dispatching with flask
16:14:46 <kmalloc> if you need to share code, share it don't call another controller
16:14:55 <kmalloc> yeah i've been unwinding os-federation, it's a beast.
16:15:04 <kmalloc> i think we do this elsewhere too.
16:15:32 <kmalloc> lbragstad: anyway the comment on #1779205 is consistent with the confusion of what enabling the endpoint means
16:16:06 <kmalloc> lbragstad: we should have just eliminated that part of the impact statement, 99% of deployments don't muck with that stuff.
16:16:22 <lbragstad> can't you set the policy to "@" to blacklist it?
16:16:27 <kmalloc> you can.
16:16:37 <kmalloc> but almost no one does that kind of stuff.
16:16:55 <kmalloc> not for federation where they didn't deploy say shib or federated auth
16:17:23 <kmalloc> maybe we should have said: With default policy.json for entry get_projects_for_user
16:17:29 <kmalloc> erm list_projects_for_user*
16:17:37 <lbragstad> oh - sure
16:17:58 <kmalloc> the code / fixes did the right thing
16:18:16 <lbragstad> and it was thoroughly tested
16:18:18 <kmalloc> the comment is regarding the impact statement.
16:18:26 <kmalloc> and pre-patch testing afaict
16:18:58 <kmalloc> abhi<number> was confirming what kristi confirmed early on, non-federated tokens got complete lists
16:18:59 <kmalloc> :)
16:19:24 <kmalloc> but confused because the impact statement was not well worded for that sentence.
16:19:33 <kmalloc> basically.. we're all good nothing to see here :)
16:20:19 <lbragstad> ack
16:20:26 <lbragstad> anything else we want to discuss?
16:21:09 * kmalloc wants to discuss how the meeting can end so he can go make coffee.
16:21:46 <lbragstad> ++ we can end early... my home lab is completely hosed right now and i'm trying to fix it =/
16:22:02 <kmalloc> lbragstad: my home lab is ... torn apart, will be fixed later this week.
16:22:09 <lbragstad> wanna fix mine too?
16:22:12 <lbragstad> ;)
16:22:13 <kmalloc> (like, it's missing computers right now)
16:22:28 <kmalloc> ... only if i can "borrow" it ... i'll send a moving truck
16:22:33 <kmalloc> i swear you'll get it back.
16:22:37 <kmalloc> someday
16:22:40 <lbragstad> said no one ever
16:23:04 <lbragstad> alright - well thanks for coming everyone
16:23:07 <lbragstad> i appreciate the time
16:23:21 <lbragstad> reminder that we'll have office hours in about 40 minutes
16:23:29 <lbragstad> if anyone wants to work on things
16:23:45 <lbragstad> #endmeeting