#openstack-keystone log

17:06:57 <lbragstad> #startmeeting keystone-office-hours
17:06:57 <openstack> Meeting started Tue Mar 13 17:06:57 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:06:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:07:00 <openstack> The meeting name has been set to 'keystone_office_hours'
17:07:17 <lbragstad> we do have a bluejeans session going
17:07:26 <lbragstad> folks can join at any time
17:07:56 <cmurphy> bluejeans is where?
17:08:02 <lbragstad> #link https://bluejeans.com/8559013623
17:08:08 <cmurphy> ty
17:08:17 <lbragstad> cmurphy: did you already make it home?
17:09:37 <hrybacki> gagehugo: wxy kmalloc knikolla ^^
17:36:45 <aning> lbragstad, cmurphy, knikolla: for the deadlock issue in 014 of upgrade, I'm experimenting a solution. Basiaclly in 014_contract_add_domain_id_to_user_table.py, I check if the uniqueconstraints and foreignkeyconstraints have created or not, and only create them if they don't exist yet. This way, the keystone-manage db_sync contract can be re-run and proceed  to the next transaction.
17:37:32 <aning> since deadlock is rare, so a re-run should succeed.
17:38:00 <aning> The code (in debugging mode) is posted here: http://paste.openstack.org/show/700152/
17:39:01 <aning> Could you please have a look and see if there is any problem in there, and your concerns about the solution overall ?
17:48:05 <lbragstad> cmurphy: kmalloc http://paste.openstack.org/show/700177/
18:10:25 <openstackgerrit> Erik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog  https://review.openstack.org/482364
18:29:32 <cmurphy> aning: if it doesn't consistently fail then i think retrying makes sense
18:29:47 <cmurphy> aning: i'm confused that just re-running the contract phase doesn't just work though
18:30:10 <cmurphy> aning: if you haven't already can you open a bug for it?
18:32:02 <aning> No. If I got a deadloack the first run, when re-run contract, it will fail and complain UniqueConstraint relation "ixu_user_id_domain_id" already exists
18:33:34 <aning> since the contract is not a atomic transaction.
18:34:42 <aning> it fails (deadlock in this case) at certain point, when re-run it will try to do some of the transactions already done in the previous run.
18:37:47 <aning> cmurphy: yes, I'll open a bug for it.
18:52:23 <cmurphy> aning: i see, so then yes adding some idempotency in that migration makes sense to me
18:54:07 <aning> ideally the whole contract, or at least each of the step (014 for example), should be in a atomic transaction.
18:55:05 <aning> or like I'm experimenting, just check before doing any transactions to ensure it doesn't repeat what have been done before.
18:56:57 <cmurphy> ++
18:58:38 <lbragstad> stepping away to grab tea quick - brb
19:19:11 <abhi89> Hi All.. I see that in queens release, we have changed 'auth_uri' to 'www_authenticate_uri' (https://review.openstack.org/#/c/508522/) to avoid the confusion with 'auth_url'.. why haven't we changed 'auth_uri' in places like https://github.com/openstack/cinder/blob/master/cinder/quota_utils.py#L28
19:20:18 <abhi89> if someone updates to queens, its likely that the cinder quota utils code will fail.. there are other references of 'auth_uri' too apart from this..
19:20:39 <abhi89> cmurphy
19:20:42 <cmurphy> abhi89: we didn't remove auth_uri, we just deprecated it
19:21:27 <cmurphy> we do still need to find all those places that reference it but in the meantime it should still work
19:22:54 <abhi89> cmurphy: yes.. that means if we don't change our [keystone_authtoken] section to have 'www_authenticate_uri', everything will work fine.. but if we do, then this quota_utils code will fail as there won't be any 'auth_uri' parameter..
19:25:44 <cmurphy> yeah :(
19:36:45 <cmurphy> abhi89: did you try it and run into an error? I'm reading through oslo.config and it seems like it might just do the right thing but that might just be wishful thinking
19:43:20 <abhi89> cmurphy: i didnot try but I think it will not find 'auth_uri'
20:00:31 <ayoung> https://adam.younglogic.com/2013/07/a-vision-for-keystone/  I think I still stand by this.  Coming up on 5 years.
20:03:56 <ayoung> cmurphy, what was that abount unencrypted JWT?
20:05:06 <cmurphy> ayoung: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/backlog/json-web-tokens.html
20:05:30 <cmurphy> ayoung: https://review.openstack.org/#/c/541903
20:05:43 <cmurphy> current ideas in there are to encrypt the token same as we do with fernet
20:06:05 <cmurphy> but that requires sharing the private keys between keystones
20:06:34 <cmurphy> so we were thinking of just signing and not encrypting
20:06:39 <ayoung> cmurphy, Out of curiousity, has anyone sized a JWT token with asym key signing?
20:08:18 <ayoung> when I last looked in to it, a fernet sized block signed with asym crypto came out to about 1K
20:09:29 <ayoung> I think signed without encrypting the body of a JWT makes sense.  But it will leak a little bit of information.  Still, it is no worse than if someone sniffs a token today....I think....I'd have to ruminate on that
20:10:32 <cmurphy> ayoung: no I'm not aware of any of us actually doing a PoC on the tokens to size them, though the jwt reference says "smaller than saml"
20:10:40 <cmurphy> ayoung: it is slightly worse than if someone sniffs a token today
20:10:42 <ayoung> cmurphy, signing requires a key
20:10:59 <ayoung> signing requires encryption, it is just a smaller encrypted document;  only the hash is encrypted.
20:11:11 <ayoung> doesn't avoid the need for a key
20:11:18 <cmurphy> it's slightly worse because if i have an expired encrypted token i can't return that to keystone to get information about it
20:12:05 <ayoung> for the same data, JWT is going to be smaller than SAML only (I think) due to the more concise document format
20:12:24 <ayoung> problem for PKI tokens was the service catalog
20:13:52 <ayoung> I was of the opinion that we should stick with the data that is in the Fernet body, and the keystonemiddleware could fetch and cache any data it needed in order to expand the tokens:  project names from IDs, etc.
20:14:50 <ayoung> it has all the keys distribution problems of PKI if you do, though, so I didn't push on it.
20:15:55 <lbragstad> #endmeeting