16:00:13 <cmurphy> #startmeeting keystone
16:00:14 <openstack> Meeting started Tue Jul 30 16:00:13 2019 UTC and is due to finish in 60 minutes.  The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:18 <openstack> The meeting name has been set to 'keystone'
16:00:24 <cmurphy> anyone here for the keystone meeting?
16:00:34 <vishakha> o/
16:00:34 <gagehugo> o/
16:03:39 <cmurphy> seems like it will be a short meeting today
16:04:07 <gyee> I am trying to attend to meetings at the same time. Let's see how it goes. :-)
16:04:34 <cmurphy> gyee: just do what i did and skip the other meeting ;)
16:05:26 <gyee> yeah :-)
16:05:38 <cmurphy> #topic announcements
16:06:01 <cmurphy> if people are around, the topic for the office hours today will be a bug triage
16:06:17 <cmurphy> i started a list in https://etherpad.openstack.org/p/keystone-office-hours-topics
16:07:07 <cmurphy> also, reminder that feature proposal freeze is August 16, so a little under 3 weeks from now
16:08:25 * vishakha notes down the feature proposal freeze date
16:08:46 <cmurphy> feature proposal freeze means code is ready to review, no PoCs or WiP
16:09:31 <vishakha> ok :)
16:10:09 <cmurphy> but I think that will only apply to code that implements specs, we'll apply just the general feature freeze to things like system scope/default roles updates and smaller features
16:11:06 <vishakha> that makes sense
16:12:11 <cmurphy> #topic review requests
16:12:17 <cmurphy> anyone have any special requests for reviews?
16:12:27 <cmurphy> vishakha i'll take another look at your sdk change today
16:12:31 <vishakha> I have https://review.opendev.org/#/c/669331/ app creds
16:12:50 <gagehugo> I currently do not atm, need to update that ksm one I have
16:12:56 <vishakha> #link https://review.opendev.org/#/c/673476/ small one
16:14:31 <kmalloc> o/
16:14:34 <kmalloc> sorry, a little late
16:14:36 <kmalloc> here now
16:14:40 <cmurphy> hi kmalloc
16:14:55 <vishakha> cmurphy: thanks
16:15:30 <cmurphy> i need some more reviews on https://review.opendev.org/637305
16:16:05 <knikolla> o/
16:16:46 <cmurphy> hi knikolla
16:16:50 <cmurphy> also would be good to get the rest of https://review.opendev.org/#/q/status:open+topic:bp/whitelist-extension-for-app-creds+NOT+label:workflow%253D-1 in sooner rather than later so that we can also do client work this cycle
16:17:05 <knikolla> hi all, sorry for being late, had to run an errand.
16:17:20 <cmurphy> no worries
16:18:40 <cmurphy> i'm also hoping more of the team can chime in on https://review.opendev.org/669959 discouraging external auth with x.509
16:19:22 <gyee> I got Kerberos working, but it's kinda weird the way it is setup
16:19:50 <gyee> don't know if anyone is using it in a production environment, usability is not the best IMO
16:19:58 <cmurphy> could we just use basic auth as the example?
16:20:31 <kmalloc> cmurphy: 637305 +2/+A
16:20:32 <gyee> yeah, basic auth requires something else in conjunction i.e. ldap
16:20:57 <cmurphy> or just an htdigest file
16:20:58 <gyee> or some other pam module
16:21:00 <kmalloc> imo, you need something that translates krb5 -> saml.
16:21:21 <kmalloc> or similar, direct krb5 to keystone is icky/always going to be...weird.
16:21:22 <gyee> kmalloc, that's not how we advertise it
16:21:39 <kmalloc> gyee: doesn't matter HOW we advertise it, it should be the direction we take
16:22:02 <kmalloc> it's how most enterprise orgs manage SPs that aren't kerberized
16:22:09 <kmalloc> keystone should be no different on that front
16:22:17 <kmalloc> krb has never been well tested or maintained in keystone
16:22:49 <gyee> yeah, but with krb, we only have the principal to work with, no other attributes
16:23:07 <kmalloc> which is why you should be using a service that does the translation
16:23:16 <kmalloc> or front the idp with something directly that does saml
16:23:31 <kmalloc> keystone should drop/not care about krb support directly
16:23:44 <gyee> yeah makes sense
16:23:47 <kmalloc> when we dropped token bind (fernet), krb was mostly/is mostly dead (advanced features)
16:24:11 <gyee> afaik, there's no horizon support either
16:24:15 <kmalloc> exactly
16:24:17 <gyee> at least I can't find any doc on it
16:24:46 <kmalloc> just not worth putting energy in when it can be skinned another way, esp. with how difficult it is to do principal only -> keystone things.
16:25:19 <gyee> yeah, I like the federation route with krb
16:25:25 <kmalloc> :)
16:25:38 <kmalloc> trying to save you some headaches and also making keystone easier to maintain long-term
16:25:59 <gyee> no argument here :-)
16:27:16 <cmurphy> so consensus is not to use krb as the external auth example?
16:27:31 <cmurphy> what should be used instead, or should we start deprecating external auth altogether?
16:27:48 <gyee> ++ on deprecating external auth
16:27:57 <gyee> put it on the next user survey
16:27:57 <kmalloc> i'd deprecate external auth
16:28:06 <gyee> I am curious how many are using it in production
16:28:20 <cmurphy> i think we just missed the bus for the next user survey
16:28:30 <cmurphy> but i'm curious too
16:28:56 <cmurphy> i can query the ml
16:29:39 <gyee> sounds good
16:30:10 <cmurphy> #action cmurphy ask for ops feedback on deprecating external auth on the mailing list
16:30:27 <cmurphy> any other reviews to highlight?
16:32:32 <cmurphy> #topic open discussion
16:32:43 <cmurphy> any other business?
16:35:44 <cmurphy> i think we'll move straight into office hours after this because otherwise we lose people
16:36:36 <cmurphy> thanks everybody
16:36:42 <cmurphy> #endmeeting