#openstack-keystone log

19:05:36 <lbragstad> #startmeeting keystone-office-hours
19:05:37 <openstack> Meeting started Tue Mar  6 19:05:36 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:05:38 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:05:40 <openstack> The meeting name has been set to 'keystone_office_hours'
19:07:20 <kmalloc> sorry for being a bit late for office hours/missing meeting
19:07:42 <hamzy> I took a stab http://paste.openstack.org/show/693357/ but seem to be missing something. How do you get it to actually try and load a driver and throw an exception if not found?
19:09:45 <lbragstad> kmalloc: no worries
19:09:51 <lbragstad> hamzy: i can take a look today
19:10:36 <hamzy> sure, I know you are busy... I was also trying to get other input as well
19:12:10 <hamzy> I know pretend running things in mock is challenging
19:16:27 <kmalloc> lbragstad: i was cleaning up tempered glass :( it's been hours of finding yet again more glass on the floor
19:16:44 <lbragstad> that doesn't sound fun
19:18:30 <kmalloc> nope, it has not been fun
20:09:32 <cmurphy> o/
20:10:20 <cmurphy> we're not going over roadmap stuff in this office hours?
20:27:33 <ayoung> cmurphy, https://review.openstack.org/#/c/396331/7/specs/keystone/rocky/trust-scope-extensions.rst  is almost exactly my RBAC in middleware spec
20:28:20 <knikolla> ayoung: yep, more or less.
20:28:31 <knikolla> but only for application credentials.
20:28:31 <cmurphy> ayoung: it has a lot of the same elements
20:28:58 <ayoung> I was trying to avoid "get a whitelist during token validation" but beyond that...it just adds the ability to lock it down to a specific instance of a templatized URL, which I totally dig
20:29:09 <cmurphy> awesome
20:29:35 <ayoung> cmurphy, so I think we can automate some of the "map from URL to policy" that was a sticking point
20:29:46 <ayoung> https://adam.younglogic.com/2018/03/inspecting-keystone-routes/
20:29:56 <ayoung> that means we can get a list of the URL routes:
20:30:08 <ayoung> a little more probing and I think I can generate a list like this:
20:30:42 <ayoung> GET /users/{user_id}  keystone.identity.controllers.Controller#get_user
20:31:17 <ayoung> to be able to figure out what function is called.  Then...maybe I can use some of the same techniques as the callgraph package to figure out what policy gets called
20:31:36 <knikolla> ayoung: would that work for services outside of keystone?
20:31:38 <ayoung> I tried pycallgraph but it got too much in it
20:31:43 <ayoung> knikolla, I think so?
20:32:05 <ayoung> knikolla, it would have to be adapted to each, of course, but once we get the mechanism down, I don't think it would be too bad
20:32:51 <cmurphy> ayoung: why is that mapping a requirement?
20:33:05 <cmurphy> this spec proposes a layer before even hitting policy
20:33:30 <ayoung> cmurphy, so was mine, and there was the argument that it was not sufficient
20:33:37 <ayoung> sometimes the policy is deep in the code.
20:33:59 <ayoung> for example,  we might want to have different policy for someone creating a project under a domain/top level than nested under another project
20:34:30 <knikolla> ayoung: the rbac-in-middleware proposed restricting an entire users access. this is just about whitelisting **just** an app cred to a specific operation. scope is broadly different.
20:34:45 <ayoung> so, yeah, I wanted to enforce RBAC in middleware, just like he is proposing
20:34:58 <ayoung> knikolla, heh...his is the degenerate case.
20:35:10 <ayoung> knikolla, and I don't want to do it just for app creds
20:35:25 <ayoung> get it down to 1 role per operation
20:35:44 <ayoung> make a Fernet token format that can have exactly one role specified in it
20:35:57 <ayoung> and make it possible to request tokens with a subset of a users roles
20:36:15 <ayoung> so, yeah, we can build a whole new mechanism, or we can build on top of what we have
20:36:25 <lbragstad> cmurphy:  i think hrybacki was planning on doing that next week during office hours
20:36:52 <ayoung> knikolla, you aslo need to know "what role do I need to perform this operation" in the first place
20:37:07 <ayoung> otherwise, the app-cred thing is going to break if the roles are ever updated
20:37:27 <cmurphy> ayoung: we don't want to deal with roles at all here
20:37:27 <ayoung> we would have built a parallel strucutre and locked us in to the current role scheme
20:37:38 <cmurphy> we don't want to solve the "what role do i need" question yet
20:37:52 <cmurphy> it's just a simple front end layer in front of the current rbac implementation
20:37:56 <ayoung> cmurphy, Heh
20:37:58 <ayoung> just?
20:38:09 <cmurphy> heh
20:38:53 <ayoung> So, yeah, we are going to screw with RBAC no matter what, either implicitly or explicitly
20:39:09 <ayoung> I'd rather have a single access control mechanism than two
20:39:32 <cmurphy> I disagree in the short term
20:39:44 <ayoung> cmurphy, there is no short term in keystone
20:39:58 <ayoung> I worked on this longer than my wife was in Grad school
20:41:21 <ayoung> cmurphy, OK,  here's an example where things will break
20:42:32 <ayoung> say I want to delegate to another user the ability to create a server, but, unknown to me, nova makes a Cinder call to mount the volume.  If I only delegate Nova /server/create  it will fail, and I won't know when it fails.
20:43:00 <ayoung> how do we determine: this is what you need to have in order to perform this operation
20:43:19 <ayoung> people will not be able to build fine grained delegations like these without a catalog of that
20:43:39 <ayoung> so, the thing that I am doing to pull out the policy?  It should also be able to pull out calls to other services
20:44:01 <ayoung> lets generate that graph, and work from that information
20:45:02 <ayoung> Please don't disregard all of the effort, time, and discussion that went in to the previous design because this one looks simpler at the surface.  There are rocks under the waves.
20:45:45 <ayoung> We are also leaving security holes open if we do not address the RBAC approach properly.
20:46:16 <cmurphy> ayoung: what if we could build on the service token support to delegate those implicit calls like mount volume?
20:46:43 <ayoung> cmurphy, that is still based on the original user having that permission
20:46:57 <cmurphy> ayoung: they do have that permission because they have a role that allows it
20:47:01 <ayoung> the ervice token just adds to it the constraint that it can only be done in conjunction with the service token
20:47:16 <ayoung> so either it is "all users can do this"  or "none"
20:48:21 <ayoung> somestimes you have to create the volume explicitly first, and do that by downloading an image from Glance.  Lots of use cases.  We don't want to hard code the access for them
20:48:54 <cmurphy> if the specific use case is an application that must create volumes and download glance images explicitly then the user would build that into their whitelist
20:49:38 <knikolla> i think using service tokens takes us to dangerous territory. what if we don't want that app cred to create volumes, but they can do so by creating a server and then shutting it down?
20:49:44 <cmurphy> if it's relying on nova implicitly doing things for them then i think we could finagle the service token to proxy the request for them when they already have a traditional role that allows them to do that
20:49:49 <ayoung> So...if we are willing to entertain the extensions he's proposing, we should be wiling to entertain the RBAC in middleware.  It is the more general solution, and can be extended to cover his use cases by providing "fill in the template with these values"
20:50:15 <ayoung> and it allows a user with Admin to not provide full admin when making an interactive call to a third party service
20:50:22 <ayoung> and supports trusts and oauth
20:51:21 <ayoung> and allows an admin to set up the delegations, not just the end user
20:51:34 <ayoung> win -win all around
20:54:51 <cmurphy> what i like about this approach is 1) it's not an overhaul of how things already work, we can work on converging them incrementally 2) the policy mapping isn't stored in keystone, it's all contained in the application credential (or trust)
20:55:33 <ayoung> the application credential is stored in keystone
20:55:47 <ayoung> you still need that knowledge somehow
20:56:16 <cmurphy> when you get a token with the application_credential method it could contain the whitelist
21:02:44 <cmurphy> ayoung: we also don't have a way right now for users to create their own roles, so we would need every possible role created out of the box in order for this to be self-service, and we don't even have a read-only role out of the box
21:04:13 <ayoung> cmurphy, which is a far more pressing request
21:04:20 <ayoung> we've had a request for a read only role for years
21:04:55 <cmurphy> ayoung: it's on the roadmap for this cycle too https://etherpad.openstack.org/p/rocky-PTG-keystone-policy-roadmap
21:05:18 <ayoung> essentially, you are saying that the existing stuff is so broken that you don't want to fix it, and instead bolt something on over the top.  I don't fault you for that attitude, as it is a painful path to fix.
21:05:41 <cmurphy> ayoung: i'm not saying i don't want to fix it, i'm saying we can take incremental realistic steps toward fixing it
21:05:56 <cmurphy> we can't overhaul it
21:06:13 <ayoung> cmurphy, and I am saying that if you pursue this approach without fixing the underlying RBAC you will paint yourself into a corner
21:06:37 <ayoung> yes, you can do it, but then you won;t be able to change roles, because this mechanism will assume the current role structure
21:06:48 <ayoung> lets focus on fixing RBAC, and then do this on top of that,
21:11:57 <cmurphy> "this mechanism will assume the current role structure" all of openstack assumes the current role structure, the only way we can change it is by doing it incrementally
21:13:14 <ayoung> cmurphy, and that is what I have spent years laying out
21:13:33 <ayoung> yeaahs as they say here in Boston
21:13:47 <ayoung> lets fix policy.
21:13:51 <ayoung> lets fix RBAC
21:14:06 <ayoung> no new mechanisms that work around the brokenness
21:14:58 <ayoung> GAh...callgraph needs full code...
21:18:32 <ayoung> cmurphy, so I origianlly had RBAC in middleware fetching the URLs during token validation phase.
21:19:01 <ayoung> either the data was too big
21:20:09 <ayoung> you coulod easily do a hash value in to token that, if it does not exist, fetch the data you need from Keystone.  It would be the equivalent to what he's doing there.
21:20:23 <ayoung> and store the rbac rules by the hash
21:20:31 <ayoung> in Memcache
21:21:14 <ayoung> so, reconcile the two and you'll have my full support.  Ignore me and work around me and I'll just be sad and grumpy
21:23:34 <cmurphy> ayoung: i think the data won't be too big because we're not fetching the whole mapping for all the policies, we're just fetching a short whitelist and we could even limit the list size
21:23:57 <ayoung> cmurphy and then your are limiting it to your use cases
21:28:36 <cmurphy> ayoung: i can't argue that, but i believe we can build something that solves the end-user case and works now and work in parallel on fixing rbac, i'm not convinced they're in conflict
21:44:06 <lbragstad> hamzy: i think you're missing a callable in http://paste.openstack.org/show/693357/
21:47:03 <lbragstad> hamzy: http://paste.openstack.org/show/693465/ works for me but it could be generalized instead of being a token test
21:47:12 <lbragstad> (since it doesn't really have anything to do with tokens anymore)
22:00:14 <lbragstad> #endmeeting