15:02:24 #startmeeting keystone
15:02:24 Meeting started Wed Aug 9 15:02:24 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:24 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:24 The meeting name has been set to 'keystone'
15:02:33 #topic roll call
15:02:37 o/
15:02:53 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:02:55 o/
15:03:05 o/
15:03:05 Sorry, I'll have to be in and out.
15:03:23 no problem zaitcev
15:03:27 o/
15:03:31 🙋
15:06:10 #topic review past meeting work items
15:06:37 o/
15:06:55 I didn't get to the docs last week
15:07:08 d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:42 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:50 #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:07:57 #topic liaison updates
15:08:03 nothing from VMT
15:10:08 moving on
15:10:15 #topic specification OAuth 2.0 (hiromu)
15:10:24 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:10:26 External OAuth 2.0 Specification
15:10:28 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:10:30 OAuth 2.0 Implementation
15:10:32 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:10:34 OAuth 2.0 Documentation
15:10:36 #link https://review.opendev.org/c/openstack/keystone/+/838108
15:10:38 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:11:16 We're looking for the appropriate place for the user guide of the ext authz server support in the keystonemiddleware user document
15:11:49 Do you have any recommendation?
15:12:22 https://docs.openstack.org/keystonemiddleware/latest/index.html
15:13:18 i) placing under Middleware Architecture; ii) creating a new page on the root
15:14:58 I think option 1, under the middleware architecture, after the delegated mode authentication component
15:15:59 ok, thanks
15:16:24 We'll submit a patch later
15:16:57 Also, is it possible to review this patch within this cycle? https://review.opendev.org/c/openstack/keystonemiddleware/+/888523
15:17:25 Talking about oauth, hiromu maybe you have an idea on how to work around/fix this regression, supposedly caused by the oauth mutual-tls patch?
15:17:29 #link https://bugs.launchpad.net/keystone/+bug/2029134
15:19:58 Looks caused by mTLS OAuth support, but I need to see the details. I'll check the bug report
15:20:34 awesome, would be great to improve the upgrade path :)
15:21:19 indeed, thanks for raising that noonedeadpunk
15:21:42 hiromu: we'll start reviewing the patch you mentioned
15:22:09 I'm not sure if that was discussed in the previous meeting or not, but I'm even more bothered by this bug to be frank, as I have no idea how to work around it
15:22:14 #link https://bugs.launchpad.net/keystone/+bug/2028809
15:22:28 great, thank you d34dh0r53. noonedeadpunk: thank you for pointing it out
15:23:11 as it seems that if a user was unaware enough about password length, after upgrade their passwords will just be invalidated
15:23:19 noonedeadpunk: that bug is on my radar but I haven't had a chance to dive into it yet
15:23:44 And this also kinda raises the question, if bcrypt should still be the default?
15:24:01 we can discuss more in the open discussion, I'd like to get through the specs
15:24:15 sure, sry
15:24:29 no worries :)
15:24:50 #topic specification Secure RBAC (dmendiza[m])
15:24:54 Secure RBAC (dmendiza[m])
15:24:56 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:24:58 Service Role Implementation
15:25:00 #link https://review.opendev.org/c/openstack/keystone/+/863420
15:25:02 Manager Role Implementation
15:25:04 #link https://review.opendev.org/c/openstack/keystone/+/822601
15:25:06 Keystone Tempest Plugin Updates
15:25:08 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/885799
15:25:19 No updates this week 😅
15:25:20 the Service Role patch merged, dmendiza[m] any updates on the manager role testing?
15:25:41 ack, thanks dmendiza[m]
15:25:46 I've been busy with downstream things, but hope to do it this week
15:25:56 yep, likewise
15:26:09 #topic open discussion
15:26:21 first off I think we'll discuss the password truncation bug
15:26:31 #link https://bugs.launchpad.net/keystone/+bug/2028809
15:27:21 Yeah, so I was thinking if there are good reasons not to use scrypt hashing by default?
15:28:03 as after some "poll" among operators, like 95% of them were pretty much surprised that passwords just got trimmed
15:28:43 and no matter what you place in your password after 54 symbols.
15:29:34 And if operators are not always aware of that, it becomes even more problematic to communicate this to end users I guess
15:30:14 but that's a bit of a "going forward" discussion, rather than "how to handle upgrades right now".
15:33:30 yeah, I'm surprised that this is breaking existing passwords
15:35:31 I wonder if setting BCRYPT_MAX_LENGTH to 72 would fix the fact that 55-72 are "not fully mixed"
15:35:53 We have upgrade jobs for antelope pretty much broken whenever we get a password longer than 54...
15:36:46 But yeah, my guess was that when the password is just latin, it takes less "bytes" so it could indeed be up to 72
15:38:51 I will have time to play with that somewhere... friday-ish, so unless you fix it before then, I can take a look as well
15:38:55 noonedeadpunk: do you have the ability to test setting #link https://opendev.org/openstack/keystone/src/branch/master/keystone/common/password_hashing.py#L71 to 72 and see if that fixes the problem?
15:39:41 and as to your second point, based on my limited research thus far I don't see a reason why we can't switch to scrypt
15:39:45 I'd need to reproduce the env, but yeah, will do that
15:39:51 thanks noonedeadpunk
15:41:19 #action d34dh0r53 investigate switching the default hashing algo to scrypt in 2024.x
15:41:27 I did also pretty limited research, and the downside was increased memory consumption, but I don't think it matters for real deployments
15:41:49 And for devstack that can be switched back to bcrypt if this is a concern
15:42:10 but dunno...
15:42:14 yeah, I'm curious to see just how much larger those memory requirements are
15:45:36 next up
15:45:38 (drencrom) Remove cache invalidation when using expired token
15:45:40 #link https://review.opendev.org/c/openstack/keystonemiddleware/+/889191
15:46:22 I think everything has merged
15:46:29 we can remove this from the doc
15:47:28 next up
15:47:30 (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE:
15:47:32 review request
15:47:34 #link https://review.opendev.org/c/openstack/keystoneauth/+/883852
15:47:36 Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same)
15:48:08 reviews on this one please
15:48:26 anything else for open discussion before we move on to bug triage?
15:48:52 #topic bug review
15:49:00 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:49:40 of the three latest bugs for keystone we've discussed two already
15:50:00 #action hiromu is going to look at https://bugs.launchpad.net/keystone/+bug/2029134
15:50:23 #action noonedeadpunk and d34dh0r53 are looking for a workaround/fix for https://bugs.launchpad.net/keystone/+bug/2028809
15:50:59 finally we have #link https://bugs.launchpad.net/keystone/+bug/2030061
15:52:30 yeah, that's actually also an interesting one...
15:53:29 OSA was quite slow with dropping the _member_ role and historically it worked. But it's also kinda an "upgrade" issue I'd say
15:55:40 hmm, yeah that is an interesting one
15:56:35 maybe dmendiza[m] or knikolla can look at that one ;)
15:57:10 moving on for time
15:57:18 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:57:27 no new bugs for python-keystoneclient
15:57:42 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:57:53 keystoneauth is good
15:57:59 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:58:15 no new bugs for keystonemiddleware
15:58:22 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:58:37 pycadf is clean
15:58:39 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:58:42 as is ldappool
15:59:21 #topic conclusion
15:59:46 nothing from me, reviewathon will be Friday, let me know if you'd like a calendar invite or the link
16:00:23 thanks all
16:00:26 #endmeeting