#openstack-keystone log

15:02:15 <dmendiza[m]> #startmeeting keystone
15:02:15 <opendevmeet> Meeting started Tue Apr 26 15:02:15 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:15 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:15 <opendevmeet> The meeting name has been set to 'keystone'
15:02:29 <knikolla> o/
15:02:36 <admiyo> O/
15:02:46 <h-asahina> o/
15:02:46 <dmendiza[m]> #topic Roll Call
15:03:00 <dmendiza[m]> Hi everyone!
15:03:13 <knikolla> long time no see admiyo :)
15:03:13 <dmendiza[m]> Doing double duty right now, as I am listening in on the poicy popup meeting
15:03:33 <admiyo> poicy!
15:03:58 <admiyo> Heyo.  Just popped in to see whazzup
15:04:01 <knikolla> there's a policy popup meeting?
15:04:07 <dmendiza[m]> yeah
15:04:15 <dmendiza[m]> #link https://meetpad.opendev.org/secure-rbac
15:04:23 <dmendiza[m]> started at 1430 UTC
15:04:49 <dmendiza[m]> Courtesy ping for https://meetpad.opendev.org/secure-rbac
15:04:52 <dmendiza[m]> oops
15:05:03 <dmendiza[m]> Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe
15:05:04 <admiyo> A topic near and dear to my heart
15:05:50 <admiyo> would be better if I could hear in the secure RBAC meeting...
15:07:55 <dmendiza[m]> We can listenin in and postpone this until the policy meeting wraps up.
15:09:05 <admiyo> I can't hear anything there.
15:09:42 <dmendiza[m]> admiyo: Firefox?
15:10:17 <knikolla> i don't think there has been one time using meetpad/jitsi that everyone could hear everyone
15:12:52 <dmendiza[m]> Yeah, I've had issues with Firefox and Jitsi quite a bit
15:15:41 <alistarle> Hi, is there any Keystone meeting currently in progress ?
15:15:51 <admiyo> derailed atm
15:16:56 <dmendiza[m]> yeah, we're listening in on the Policy meeting in Meetpad
15:17:02 <dmendiza[m]> We'll resume the keystone meeting shortly
15:21:01 <dmendiza[m]> OK, resuming
15:21:01 <admiyo> All done there
15:21:07 <dmendiza[m]> #topic Review Past Meeting Action Items
15:21:23 <dmendiza[m]> > dmendiza[m] to look into updating the keystone-stable-maint group
15:21:31 <dmendiza[m]> I did not do this yet, but I will do it this week for sure
15:21:48 <dmendiza[m]> I'll remove anyone who has not reviewed anything in the last 90 days.
15:21:53 <dmendiza[m]> Then notify the ML
15:22:13 <dmendiza[m]> oh oops
15:22:26 <dmendiza[m]> I meant that for this:
15:22:27 <dmendiza[m]> > dmendiza[m] to clean up core reviewers group, notify ML
15:22:29 <dmendiza[m]> but I also am not on the maintenance team yet
15:22:32 <dmendiza[m]> so I need to sort that hout
15:22:37 <dmendiza[m]> *that out
15:22:57 <dmendiza[m]> > dmendiza[m] to set up a doodle poll to review OAuth 2.0 patches
15:23:05 <dmendiza[m]> and lastly, h_asahina helped out with this
15:23:15 <admiyo> so...I have not, and it is because the only things I've been notified about are already broken.  Is there really so little activity these days?
15:23:31 <knikolla> pretty much
15:23:44 <dmendiza[m]> Yeah, pretty low activity so far
15:23:45 <admiyo> ok
15:23:54 <dmendiza[m]> We definitely need help with bugsquashing though
15:24:04 <admiyo> I mean, I'm not a core reviewer anymore, so no risk to me
15:25:02 <dmendiza[m]> We definitely want your input on reviews
15:25:08 <admiyo> would help if you could build keystone...but we'll get to that in the agenda
15:26:26 <dmendiza[m]> #link https://doodle.com/meeting/participate/id/b68Yl49e/vote
15:26:41 <dmendiza[m]> ^^^ this is the doodle that h_asahina set up for us
15:26:55 <dmendiza[m]> looking like Thursday might be the best day for me
15:27:18 <dmendiza[m]> knikolla you probably haven't had a chance to find it in your email
15:27:36 <dmendiza[m]> but it would be good if we could get together on Thursday... if not we may need to kick to next week
15:28:31 <h-asahina> Yes. If you all not are not avalable this week, I'll create the doodle pool again.
15:28:39 <knikolla> filled out the doodle, thanks!
15:28:52 <dmendiza[m]> admiyo: how's your OAuth chops?
15:28:56 <h-asahina> thanks! knikolla:
15:28:57 <admiyo> Not bad
15:29:16 <admiyo> Are we looking to replace Keystone tokens with OAuth2?
15:29:32 <knikolla> we sort of already have, keystone supports jwt tokens
15:29:41 <knikolla> but not the oauth 2.0 api to emit and validate them
15:29:44 <admiyo> So we can get reid of keystone altogether
15:30:09 <admiyo> :)
15:30:15 <dmendiza[m]> Doodle is for reviewing https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:30:26 <knikolla> get rid of keystone???? i want it to be the center of the world and support all oauth 2.0 and openid connect clients, mwhahahaha
15:30:39 <admiyo> keystonemiddleware suports jwt?
15:31:23 <knikolla> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/json-web-tokens.html
15:33:16 <admiyo> If keystonemiddleware can handle JWT, can we have it talk to a source otherthan keystone?
15:33:49 <admiyo> I realize there is all the service catalog implied in the token validation call, ignore that for a moment
15:34:16 <admiyo> if a company already has oauth2.0 set up, could they use that to validate when talking to openstack services?
15:34:44 <knikolla> the latter, the nfv clients depend on oauth 2.0
15:35:01 <knikolla> so we're enabling that, and allowing oauth 2.0 clients to talk to openstack services.
15:36:10 <knikolla> getting openstack services to use a different authorization servers is a very far stretch goal that isn't an immediate priority.
15:37:10 <dmendiza[m]> OK, I've responded to the doodle as well
15:38:09 <dmendiza[m]> OK, let's keep it moving since we're on a crunch today
15:38:16 <h-asahina> thanks, dmendiza: looks Thu 9:00 am would be better.
15:38:16 <dmendiza[m]> #topic Security RBAC
15:38:24 <admiyo> I am trying to understand what the actual priority is here; I assume  keystonemiddleware based servers still need to call to Keystone for JWT validation
15:39:20 <h-asahina> BTW, we submitted BP for keystonemidleware to communicate with an external authorization server: https://blueprints.launchpad.net/keystone/+spec/enhance-oauth2-interoperability
15:39:24 <knikolla> admiyo: https://specs.openstack.org/openstack/keystone-specs/specs/keystone/yoga/oauth2-client-credentials-ext.html
15:39:43 <h-asahina> for admiyo:
15:39:47 <admiyo> Cool. I'll read up
15:40:14 <dmendiza[m]> Awesome ... hopefully you can join on Thursday admiyo
15:40:23 <dmendiza[m]> OK, moving on
15:40:38 <dmendiza[m]> For SRBAC we did just meet for the Policy Pop-up
15:40:44 <dmendiza[m]> looks like the next one will be next week
15:40:56 <dmendiza[m]> at 1400 UTC, so hopefully it won't bleed into our meeting again.
15:41:21 <dmendiza[m]> Hopefully we'll get to a decision re: Heat, but also about the "service" role
15:41:23 <admiyo> dmendiza[m], did my little speech there at the end make any sense?  I can try to summarize
15:41:38 <dmendiza[m]> Sure, go ahead
15:41:55 <admiyo> OK....lets assume for a second that we  have no clue about what goes on in our customer organizations
15:42:10 <dmendiza[m]> that's not hard
15:42:11 <admiyo> instead of trying to force roles on them, lets assume that, at a start, they already have something
15:42:24 <admiyo> what we need to do it to map workflows to roles
15:42:35 <admiyo> a workflow is a set of API calls
15:42:53 <admiyo> and, possible more granular than that, but lets not quibble just yet
15:43:08 <admiyo> so there is a 3 tier architecture:  role->workflow->resource
15:43:26 <admiyo> if you lock role->resource, you cannot let end users modify things properly
15:43:55 <admiyo> so, we take every API and give it its own role...(stick with me here)
15:43:57 <knikolla> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html
15:44:26 <admiyo> and use the role assignement inference rules
15:44:33 <knikolla> we already support restricting access to a set of api calls for a client
15:44:45 <admiyo> yeah, but not of breaking the API apart
15:45:00 <admiyo> thats only for app creds, not for end users
15:46:01 <admiyo> can app creds be re-delegated?
15:46:09 <admiyo> and re-broken down into finer grained things?
15:46:13 <knikolla> no
15:46:26 <admiyo> ok, so that capaiblity should move up the stack
15:46:56 <admiyo> we had a spec long ago about unified delegation, uising the sdame mechnism for role assignm,ents, trusts, an app-creds
15:47:32 <admiyo> if each "access-rule" in app creds are treated like a role, we can build them up to workflows, etc
15:47:39 <admiyo> we have most of the pieces we need already
15:47:56 <admiyo> do app-creds have wildcards?
15:48:00 <admiyo> they do, right?
15:48:03 <knikolla> yeah
15:48:51 <admiyo> so an app cred is kinda the abstraction we need.  Trust do this, too, but app-creds gets down to the URL, which is really what we need
15:49:16 <admiyo> so...if we can unify the concept of access rule and role, we have a very flexible RBAC structure
15:49:55 <admiyo> so,  then we use inference rules (already implemented) to go admin->reader->{
15:49:55 <admiyo> "path": "/v2.0/metrics",
15:49:55 <admiyo> "method": "GET"
15:49:55 <admiyo> },
15:50:05 <admiyo> where -> means "implies"
15:50:34 <admiyo> the issue, of course, is that RBAC is enforced at the end service side.
15:51:14 <admiyo> So they check "role == admin"  as opposed to "token allows GET '/v2.0/metrics' "
15:51:50 <admiyo> knikolla, am I giving you PTSD flashbacks yet?  We presented on this together, right?
15:52:16 <admiyo> https://www.openstack.org/videos/summits/boston-2017/per-api-role-based-access-control
15:52:21 <dmendiza[m]> Running low on time, y'all (and I gotta run at the top of the hour)
15:52:32 <admiyo> OK, one last issue, not related
15:52:40 <admiyo> I tired to build and run Keystone last night
15:52:47 <admiyo> ERROR: could not install deps [.[bandit], -chttps://releases.openstack.org/constraints/upper/master, -r/opt/openstack/keystone/test-requirements.txt, .[ldap,memcache,mongodb]]; v = InvocationError("/opt/openstack/keystone/.tox/pep8/bin/python -m pip install '.[bandit]' -chttps://releases.openstack.org/constraints/upper/master -r/opt/openstack/keystone/test-requirements.txt '.[ldap,memcache,mongodb]'", 1)
15:53:02 <admiyo> brand new clone, Ubuntu 21 and Fedora 35.  Same issue
15:53:04 <dmendiza[m]> via tox or ?
15:53:15 <admiyo> that was tox pep8 run
15:53:32 <admiyo> same thing for tox -e py...
15:53:40 <knikolla> admiyo: yeah, i was looking for the spec
15:53:41 <dmendiza[m]> gotcha... I can look into it but probably not until Friday
15:54:00 <admiyo> I think it might be a upper constraint mechanism thing?
15:54:39 <admiyo> no bandit in https://releases.openstack.org/constraints/upper/master
15:55:17 <admiyo> Can anyone build/run?  This seems like breakage across the board
15:56:50 <dmendiza[m]> trying tox -e pep8
15:57:38 <dmendiza[m]> Well, deps installed for me, but I got an actual pep8 failure
15:58:02 <dmendiza[m]> looks like it might be a python 3.10 issue on my end
15:58:10 <dmendiza[m]> admiyo: maybe you're missing some bindeps?
15:59:48 <dmendiza[m]> All out of time for today....  I'll pin the rest of the topics for next week.
15:59:52 <dmendiza[m]> Thanks for joining, y'all.
15:59:55 <dmendiza[m]> #endmeeting