15:02:15 #startmeeting keystone 15:02:15 Meeting started Tue Apr 26 15:02:15 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:02:15 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:02:15 The meeting name has been set to 'keystone' 15:02:29 o/ 15:02:36 O/ 15:02:46 o/ 15:02:46 #topic Roll Call 15:03:00 Hi everyone! 15:03:13 long time no see admiyo :) 15:03:13 Doing double duty right now, as I am listening in on the poicy popup meeting 15:03:33 poicy! 15:03:58 Heyo. Just popped in to see whazzup 15:04:01 there's a policy popup meeting? 15:04:07 yeah 15:04:15 #link https://meetpad.opendev.org/secure-rbac 15:04:23 started at 1430 UTC 15:04:49 Courtesy ping for https://meetpad.opendev.org/secure-rbac 15:04:52 oops 15:05:03 Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe 15:05:04 A topic near and dear to my heart 15:05:50 would be better if I could hear in the secure RBAC meeting... 15:07:55 We can listenin in and postpone this until the policy meeting wraps up. 15:09:05 I can't hear anything there. 15:09:42 admiyo: Firefox? 15:10:17 i don't think there has been one time using meetpad/jitsi that everyone could hear everyone 15:12:52 Yeah, I've had issues with Firefox and Jitsi quite a bit 15:15:41 Hi, is there any Keystone meeting currently in progress ? 15:15:51 derailed atm 15:16:56 yeah, we're listening in on the Policy meeting in Meetpad 15:17:02 We'll resume the keystone meeting shortly 15:21:01 OK, resuming 15:21:01 All done there 15:21:07 #topic Review Past Meeting Action Items 15:21:23 > dmendiza[m] to look into updating the keystone-stable-maint group 15:21:31 I did not do this yet, but I will do it this week for sure 15:21:48 I'll remove anyone who has not reviewed anything in the last 90 days. 15:21:53 Then notify the ML 15:22:13 oh oops 15:22:26 I meant that for this: 15:22:27 > dmendiza[m] to clean up core reviewers group, notify ML 15:22:29 but I also am not on the maintenance team yet 15:22:32 so I need to sort that hout 15:22:37 *that out 15:22:57 > dmendiza[m] to set up a doodle poll to review OAuth 2.0 patches 15:23:05 and lastly, h_asahina helped out with this 15:23:15 so...I have not, and it is because the only things I've been notified about are already broken. Is there really so little activity these days? 15:23:31 pretty much 15:23:44 Yeah, pretty low activity so far 15:23:45 ok 15:23:54 We definitely need help with bugsquashing though 15:24:04 I mean, I'm not a core reviewer anymore, so no risk to me 15:25:02 We definitely want your input on reviews 15:25:08 would help if you could build keystone...but we'll get to that in the agenda 15:26:26 #link https://doodle.com/meeting/participate/id/b68Yl49e/vote 15:26:41 ^^^ this is the doodle that h_asahina set up for us 15:26:55 looking like Thursday might be the best day for me 15:27:18 knikolla you probably haven't had a chance to find it in your email 15:27:36 but it would be good if we could get together on Thursday... if not we may need to kick to next week 15:28:31 Yes. If you all not are not avalable this week, I'll create the doodle pool again. 15:28:39 filled out the doodle, thanks! 15:28:52 admiyo: how's your OAuth chops? 15:28:56 thanks! knikolla: 15:28:57 Not bad 15:29:16 Are we looking to replace Keystone tokens with OAuth2? 15:29:32 we sort of already have, keystone supports jwt tokens 15:29:41 but not the oauth 2.0 api to emit and validate them 15:29:44 So we can get reid of keystone altogether 15:30:09 :) 15:30:15 Doodle is for reviewing https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:30:26 get rid of keystone???? i want it to be the center of the world and support all oauth 2.0 and openid connect clients, mwhahahaha 15:30:39 keystonemiddleware suports jwt? 15:31:23 https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/json-web-tokens.html 15:33:16 If keystonemiddleware can handle JWT, can we have it talk to a source otherthan keystone? 15:33:49 I realize there is all the service catalog implied in the token validation call, ignore that for a moment 15:34:16 if a company already has oauth2.0 set up, could they use that to validate when talking to openstack services? 15:34:44 the latter, the nfv clients depend on oauth 2.0 15:35:01 so we're enabling that, and allowing oauth 2.0 clients to talk to openstack services. 15:36:10 getting openstack services to use a different authorization servers is a very far stretch goal that isn't an immediate priority. 15:37:10 OK, I've responded to the doodle as well 15:38:09 OK, let's keep it moving since we're on a crunch today 15:38:16 thanks, dmendiza: looks Thu 9:00 am would be better. 15:38:16 #topic Security RBAC 15:38:24 I am trying to understand what the actual priority is here; I assume keystonemiddleware based servers still need to call to Keystone for JWT validation 15:39:20 BTW, we submitted BP for keystonemidleware to communicate with an external authorization server: https://blueprints.launchpad.net/keystone/+spec/enhance-oauth2-interoperability 15:39:24 admiyo: https://specs.openstack.org/openstack/keystone-specs/specs/keystone/yoga/oauth2-client-credentials-ext.html 15:39:43 for admiyo: 15:39:47 Cool. I'll read up 15:40:14 Awesome ... hopefully you can join on Thursday admiyo 15:40:23 OK, moving on 15:40:38 For SRBAC we did just meet for the Policy Pop-up 15:40:44 looks like the next one will be next week 15:40:56 at 1400 UTC, so hopefully it won't bleed into our meeting again. 15:41:21 Hopefully we'll get to a decision re: Heat, but also about the "service" role 15:41:23 dmendiza[m], did my little speech there at the end make any sense? I can try to summarize 15:41:38 Sure, go ahead 15:41:55 OK....lets assume for a second that we have no clue about what goes on in our customer organizations 15:42:10 that's not hard 15:42:11 instead of trying to force roles on them, lets assume that, at a start, they already have something 15:42:24 what we need to do it to map workflows to roles 15:42:35 a workflow is a set of API calls 15:42:53 and, possible more granular than that, but lets not quibble just yet 15:43:08 so there is a 3 tier architecture: role->workflow->resource 15:43:26 if you lock role->resource, you cannot let end users modify things properly 15:43:55 so, we take every API and give it its own role...(stick with me here) 15:43:57 https://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/capabilities-app-creds.html 15:44:26 and use the role assignement inference rules 15:44:33 we already support restricting access to a set of api calls for a client 15:44:45 yeah, but not of breaking the API apart 15:45:00 thats only for app creds, not for end users 15:46:01 can app creds be re-delegated? 15:46:09 and re-broken down into finer grained things? 15:46:13 no 15:46:26 ok, so that capaiblity should move up the stack 15:46:56 we had a spec long ago about unified delegation, uising the sdame mechnism for role assignm,ents, trusts, an app-creds 15:47:32 if each "access-rule" in app creds are treated like a role, we can build them up to workflows, etc 15:47:39 we have most of the pieces we need already 15:47:56 do app-creds have wildcards? 15:48:00 they do, right? 15:48:03 yeah 15:48:51 so an app cred is kinda the abstraction we need. Trust do this, too, but app-creds gets down to the URL, which is really what we need 15:49:16 so...if we can unify the concept of access rule and role, we have a very flexible RBAC structure 15:49:55 so, then we use inference rules (already implemented) to go admin->reader->{ 15:49:55 "path": "/v2.0/metrics", 15:49:55 "method": "GET" 15:49:55 }, 15:50:05 where -> means "implies" 15:50:34 the issue, of course, is that RBAC is enforced at the end service side. 15:51:14 So they check "role == admin" as opposed to "token allows GET '/v2.0/metrics' " 15:51:50 knikolla, am I giving you PTSD flashbacks yet? We presented on this together, right? 15:52:16 https://www.openstack.org/videos/summits/boston-2017/per-api-role-based-access-control 15:52:21 Running low on time, y'all (and I gotta run at the top of the hour) 15:52:32 OK, one last issue, not related 15:52:40 I tired to build and run Keystone last night 15:52:47 ERROR: could not install deps [.[bandit], -chttps://releases.openstack.org/constraints/upper/master, -r/opt/openstack/keystone/test-requirements.txt, .[ldap,memcache,mongodb]]; v = InvocationError("/opt/openstack/keystone/.tox/pep8/bin/python -m pip install '.[bandit]' -chttps://releases.openstack.org/constraints/upper/master -r/opt/openstack/keystone/test-requirements.txt '.[ldap,memcache,mongodb]'", 1) 15:53:02 brand new clone, Ubuntu 21 and Fedora 35. Same issue 15:53:04 via tox or ? 15:53:15 that was tox pep8 run 15:53:32 same thing for tox -e py... 15:53:40 admiyo: yeah, i was looking for the spec 15:53:41 gotcha... I can look into it but probably not until Friday 15:54:00 I think it might be a upper constraint mechanism thing? 15:54:39 no bandit in https://releases.openstack.org/constraints/upper/master 15:55:17 Can anyone build/run? This seems like breakage across the board 15:56:50 trying tox -e pep8 15:57:38 Well, deps installed for me, but I got an actual pep8 failure 15:58:02 looks like it might be a python 3.10 issue on my end 15:58:10 admiyo: maybe you're missing some bindeps? 15:59:48 All out of time for today.... I'll pin the rest of the topics for next week. 15:59:52 Thanks for joining, y'all. 15:59:55 #endmeeting