16:00:11 #startmeeting keystone 16:00:12 Meeting started Tue Dec 3 16:00:11 2019 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:13 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:15 The meeting name has been set to 'keystone' 16:00:21 o/ 16:00:23 #link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda 16:00:33 o/ 16:00:33 o/ 16:00:59 o/ 16:02:29 I didn't have to make up the agenda today \o/ 16:02:35 #topic review requests 16:02:42 there are two already in the agenda 16:02:56 #link https://review.opendev.org/#/c/687990/ Stop adding entry in local_user while updating ephemerals 16:03:12 #link https://review.opendev.org/#/c/693838/ 16:03:14 Update OIDC documentation to handle bearer access token flow 16:03:19 #undo 16:03:20 Removing item from minutes: #link https://review.opendev.org/#/c/693838/ 16:03:24 #link https://review.opendev.org/#/c/693838/ 16:03:33 >.> 16:03:35 #undo 16:03:36 Removing item from minutes: #link https://review.opendev.org/#/c/693838/ 16:03:43 #link https://review.opendev.org/#/c/693838/ 16:03:47 i give up 16:04:29 * knikolla gives cmurphy a cup of coffee 16:04:37 i was just going to say - it's early 16:04:39 thanks :) 16:04:55 this is already my second hour of meetings 16:05:05 0.o 16:05:35 i'll check out the oidc doc change soon 16:05:58 any comment on these changes? any other review requests? 16:09:23 #topic OpenID Connect Authentication Plugin 16:09:30 I don't think aloga is here 16:09:38 I wonder if knikolla has context for this? 16:09:57 i had a conversation with them about a week ago 16:10:26 they weren't able to satisfy their use case with the current way that oidc works with apache 16:10:42 hence needing a custom plugin 16:11:15 i'll hunt for an irc log 16:12:07 #link http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-11-26.log.html#t2019-11-26T16:52:49 16:12:09 o/ 16:12:17 if the redirect behavior changed when flask was introduced that sounds like a regression that should be fixed, no argument there 16:13:28 agree on that. 16:16:27 i can comment on the bug 16:16:39 not sure there's anything else to discuss on this? 16:16:57 howdy 16:17:05 aloga: hi 16:17:10 cmurphy: hello 16:17:17 we were just discussing your topic 16:17:39 sorry, I did not realise the time 16:17:44 it sounded like a regression was introduced when we moved to flask, i have no objection to fixing the regression 16:18:09 would be good to have more information, like versions where it worked and didn't work and steps to reproduce 16:18:25 cmurphy: the point is that IIRC, it was possible to raise HTTP errors in the past, and those were rendered properly to the users 16:18:38 so for instance a redirect would actually redirect the user 16:18:57 cmurphy: hmm, I would need to check with my team, as I was not directly involved 16:19:40 cmurphy: this is useful for instance for an OpenID Connect plugin for Keystone, as redirects are required 16:19:49 aloga: was there some concern that we wouldn't want the bugfix? 16:19:51 cmurphy: in order to complete the flow, etc. 16:20:18 cmurphy: sorry? I do not understand 16:21:19 aloga: i'm just wondering what we need to discuss about this, assuming that the bug is valid and reproducible then the answer seems straightforward 16:21:43 i asked them to add the topic on the agenda to get a better feel of if there was something else we could do to provide better oidc support 16:21:48 cmurphy: I do not know, I was told to add this to the agenda 16:21:59 since deployments with that experience are hard to come by 16:22:14 cmurphy: but I think this was because OpenID connect was mentioned 16:22:35 I can try to make a rationale 16:23:03 I am working in an environment (European Open Science Cloud) where several OpenStack sites are federated 16:23:31 identity is based on OpenID, with a myriad of different IdPs 16:24:08 the current (Apache + mod_oidc + Keystone) is difficult and cumbersome to manage because of several reasons 16:24:29 OpenStack CLI is an OIDC client itself (i.e. it requires a client id and secret) 16:25:30 the CLI uses Oauth2 rather than OIDC, therefore there might be different claims at the server, as the Oauth2 introspection and the OIDC userinfo endpoint return different information 16:26:01 for operators, the configuration is done on Apache, and not on Keystone 16:26:39 and, last but not least, the mod_oidc does not allow to use several Oauth2 idps per server (it allows several OIDC though) 16:26:59 therefore we levearated the federated auth code in Keystone to build a native plugin (we have a prototype) 16:27:12 but, in order to get it fully working, we need to redirect from Keystone 16:27:42 is there anything else that you need besides redirect functionality? 16:27:44 (i.e. 302) 16:27:48 knikolla: nope 16:28:22 knikolla: actually the changes are minimal 16:28:46 cool 16:29:11 aloga: does this tie into https://review.opendev.org/373983 ? 16:29:34 cmurphy: yes, indeed 16:29:41 cmurphy: that was the seed of all of this 16:29:50 cmurphy: I guess that the spec is better explained 16:34:37 okay, so at a minimum we can fix the flask bug and get your external auth plugin working 16:34:43 I know that several of these things can be alleviated by implementing an IdP proxy, as some providers or national infrastructures do, but sometimes this is not an option 16:34:47 cmurphy: that would be awesome 16:35:02 we should also revisit this spec and maybe merge it to the backlog 16:35:27 tbh i don't know why it didn't get any feedback since 2018 16:35:45 cmurphy: tbh I could not follow it so closely as I would have liked to 16:37:54 aloga: would you want to continue driving it now? 16:37:59 cmurphy: yes 16:38:27 okay, team please review https://review.opendev.org/373983 and provide feedback 16:39:41 thanks aloga 16:39:43 anything else on this? 16:39:55 cmurphy, knikolla thanks 16:40:36 #topic next up for bug duty 16:40:43 #link https://etherpad.openstack.org/p/keystone-l1-duty 16:41:11 looks like gagehugo is up for bug duty this week starting today, gagehugo still up for it? 16:41:17 cmurphy: sure 16:41:32 following the rotation i'll be up next unless anyone else wants to take it ;) 16:41:53 I was going to offer too. 16:42:13 But I can go the week after that. 16:42:28 knikolla: by all means :) 16:43:32 #topic office hours 16:43:49 I think this is about our policy testing sync up after this meeting? 16:43:51 lbragstad: ? 16:44:34 I was curious if we're still planning on going through patrole stuff during office hours today? 16:45:22 I think so but I wasn't driving it, do we have everyone we need for that meeting? 16:46:45 gagehugo was going to bring someone in from AT&T i think? and ade was interested too? 16:47:27 cmurphy yeah - ade is hanging out in our channel 16:49:54 do we know if the patrole folks are still coming? 16:49:59 I can message him, idk if he will be around in irc 16:51:06 assuming we do have the meeting, do we want to do it over irc or jitsi? 16:52:01 i'm good with either 16:53:35 me too 16:54:01 i guess we can decide after gagehugo gets in touch with the patrole person 16:54:06 ++ 16:54:27 can follow up in #openstack-keystone in a few minutes 16:54:36 #topic open discussion 16:54:47 #info spec proposal freeze is next week 16:54:49 I pinged him to see if he's free 16:55:32 proposals for the alembic migration (vishakha) and federated attrs (knikolla) and renewable group membership (knikolla) are expected next week 16:55:48 right! roger! 16:56:03 #link https://releases.openstack.org/ussuri/schedule.html 16:56:21 :) 16:57:03 4 minutes left for any other discussion :) 16:58:32 okay will close it now, see you in #openstack-keystone 16:58:43 #endmeeting