17:00:28 #startmeeting keystone 17:00:29 Meeting started Tue Jan 7 17:00:28 2020 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:30 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:00:32 The meeting name has been set to 'keystone' 17:00:39 #link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda 17:00:42 o/ 17:01:02 o/ 17:01:34 o/ 17:01:38 o/ 17:02:51 welcome back everyone 17:02:56 how were your holidays? 17:03:25 busier than I wanted, but not bad 17:04:31 went by too quickly 17:04:56 ^ 17:05:25 i didn't take much time off but it was nice and quiet :) 17:06:06 They were good :) how was yours? 17:06:52 not bad :) 17:07:02 #topic Reminder: spec freeze week of Feb 10 17:07:21 over a month away but just a reminder to help with reviews 17:07:34 #link https://review.opendev.org/#/q/status:open+project:openstack/keystone-specs+path:%22%255Especs/.*/ussuri.*%2524%22 17:08:13 #topic L1 duty rotation 17:08:22 #link https://etherpad.openstack.org/p/keystone-l1-duty 17:08:49 last time was vishakha - any bugs triaged that you want to discuss? 17:09:43 Yes i wanted to discuss about the bug 17:09:48 https://bugs.launchpad.net/keystone/+bug/1857086 17:09:48 Launchpad bug 1857086 in OpenStack Identity (keystone) "Trying to update user options field for ldap user gives 403 forbidden" [Undecided,Invalid] 17:10:51 * lbragstad walks in late 17:10:53 I wasn’t sure about mfa with ldap user 17:11:29 * cmurphy waves to lbragstad 17:11:33 I was wondering if anyone can share some knowledge over this 17:11:49 vishakha sorry - i jumped on that and tried triaging it yesterday 17:13:32 IMO - all the resource option for identity APIs is specific to SQL... i don't think we can support MFA with ldap without some serious thought 17:13:39 lbragstad: does mfa works differently for ldap user as compared to normal user? 17:13:46 abhishek makes a good point, totp is an auth method and not a property of a user 17:14:02 ++, i also feel like if we're delegating auth to ldap, we shouldn't hack mfa on top of that. 17:14:21 from a philosophical standpoint. 17:14:22 we store MFA keys on the user reference though 17:14:25 but with the ldap backend auth isn't delegated, it's handled by keystone 17:14:46 we have to find a way to toggle MFA on and off for ldap, which we don't write to 17:14:46 we're just passing the username/password to the ldap server though. 17:14:56 not doing much on top of that. 17:14:58 but that's still the 'password' auth method 17:15:22 do we not store user options separately for mapped users? 17:15:34 that "enabled" setting will always fail for ldap 17:16:00 i think user options is a different table 17:16:10 but maybe the "enabled" option is why they're getting the 403 17:16:27 that's what I was thinking 17:17:28 IIRC, and from what lbragstad linked, the entire update_user function is 403 17:17:57 correct - i think we'd have to generalize that up in the manager somehow? 17:18:20 ah ok 17:18:32 but - it should have left an "ldap doesn't support writes" 403... not a permission 403 17:18:36 which kinda threw me off 17:18:46 right 17:19:20 that's why i wanted to ask about credentials, just to make sure, since that error looks similar to a permission thing 17:19:30 hmmm... good call. 17:21:54 so I don't think this is an invalid bug because I think auth methods are separate from identity driver, but the question is whether it's an issue with the credentials they're using, a broken policy rule, an issue with using the "enabled" parameter in PATCH, or a bug in the ldap manager 17:21:58 does that sum it up? 17:22:50 I think so 17:22:56 Imo it does sum it up 17:23:25 ah, i see what you mean now. ldap uses the password auth method. 17:24:22 can someone reopen the bug and add a comment? 17:24:52 Sure i will do it 17:25:13 thanks vishakha 17:25:16 thanks for updating 17:25:54 anyone want to volunteer to take the next bug duty rotation? 17:26:28 i can't do the next one, but can do the one after. 17:27:27 okay I'll take this week 17:27:58 thanks cmurphy :) 17:28:06 :) 17:28:09 anything else on this topic? 17:29:23 #topic review requests 17:29:30 anyone working on anything that they want eyes on? 17:30:20 curious if anyone would like to take another look at https://review.opendev.org/#/c/699743/ ? 17:30:49 I got https://review.opendev.org/#/c/699013/ if anyone has time 17:31:05 mordred had a ksa patch he wanted to get reviews on, too 17:32:16 lbragstad: lgtm 17:32:19 gagehugo: will review today 17:32:31 https://review.opendev.org/#/c/662734/ was the other one he had 17:32:37 ty cmurphy 17:32:46 ty cmurphy 17:32:50 i discovered a fun bug while working on functional protection tests for the assignments api https://review.opendev.org/700826 17:33:35 also easy rst fix https://review.opendev.org/700780 17:35:09 lbragstad: oh that's an interesting one 17:35:17 it depends on a devstack change that hasn't merged yet though 17:35:28 yeah... mordred was asking for feedback 17:36:38 * mordred waves to the nice people 17:36:42 i think there was either a mailing list discussion or a discussion on another patch about this, i think one of the questions was whether the default should be 'internal' or 'public' 17:36:44 for the record, that change is fricklers 17:37:09 if end users are supposed to use it - i would think it should be public... 17:38:40 are end users supposed to use it? or is it for service-to-service communication? 17:39:23 keystonemiddleware is supposed to be service-to-service no? 17:40:35 right, i think the only user-facing parameter is the www-authenticate-uri parameter, so i think internal is right for this 17:41:38 yeah - that should work in most of the contexts - if people have both public and internal, they likely want services to talk to internal - if they don't, usually they set internal to the same as public, so it should still work for smaller ... as long as it isn't admin :) 17:41:57 ++ 17:44:17 the change needs a release note, what else do we need to move forward on it? is the devstack change controversial? 17:46:02 oh - apparently there is a heat change down in teh depends-on change that's a blocker 17:46:33 ah :/ 17:46:43 https://review.opendev.org/#/c/675778/ 17:46:50 yeah - that's heat using keystoneclient 17:47:08 man this is a rat's nest isn't it? 17:48:16 ksa has support for interface as a list - that doesn't flow through to ksc does it? 17:49:10 if it did, we could update that heat patch to be interface=['internal', 'admin', 'public'] or something - and ksa would then select the right interface in that preference order 17:49:46 (at least I'm pretty sure we landed that list support in ksa right?) 17:49:53 i think so 17:49:56 and it looks like frickler tried to fix ksc https://review.opendev.org/675870 17:50:18 i'm not sure why that didn't go anywhere 17:50:48 hrm 17:51:06 cmurphy: should I try to pick up frickler's ksc patch? maybe update it to default to a list? 17:51:42 if we can fix that, then we can drop the heat patch, since it should flow through 17:52:12 mordred: sounds good to me 17:52:37 k. I'll see if I can add that to my list 17:53:05 thanks mordred 17:53:22 \o/ progress! 17:54:40 #topic open discussion 17:55:03 anyone else working on something they want to discuss for these last few minutes? 17:57:07 i know at our last few retrospectives we talked about having more frequent checkins or retrospectives throughout the cycle to try to keep up development momentum, tbh i don't really have time to prepare for big video calls like that these days, but maybe we could use our meeting time to go through the roadmap board every once in a while to check our progress? 17:59:42 i'll let you mull it over 17:59:47 thanks for the good discussions today 17:59:50 #endmeeting