redrobot | #startmeeting keystone | 15:00 |
---|---|---|
opendevmeet | Meeting started Tue Nov 9 15:00:02 2021 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'keystone' | 15:00 |
redrobot | #topic Roll Call | 15:00 |
redrobot | Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, ruan_he, wxy, sonuk, vishakha, Ajay, raildo, rafaelweingartner, xek | 15:00 |
d34dh0r53 | o/ | 15:00 |
lbragstad | o/ | 15:01 |
lbragstad | double booked atm | 15:01 |
knikolla | o/ | 15:01 |
redrobot | Yeah, I had a lot of fun sorting out my schedule today. Thanks, Daylight Savings Time. | 15:02 |
redrobot | #topic Review Past Meeting Action Items | 15:02 |
redrobot | #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-11-02-15.00.html | 15:02 |
redrobot | We didn't have any | 15:02 |
redrobot | #topic Liaison Updates | 15:03 |
redrobot | knikolla anything on your radar? | 15:03 |
knikolla | i don't think so | 15:03 |
redrobot | OK, moving on | 15:04 |
redrobot | #topic OAuth 2.0 | 15:05 |
redrobot | #link https://review.opendev.org/c/openstack/keystone-specs/+/813152 | 15:05 |
redrobot | Thanks for reviewing knikolla. Still looking for gagehugo and lbragstad reviews | 15:05 |
lbragstad | ack | 15:09 |
lbragstad | i'm not sure i'll be able to review it | 15:09 |
redrobot | 😔 | 15:10 |
redrobot | Yeah, I don't know enough OAuth to give it a proper review | 15:10 |
redrobot | I'll keep bugging y'all 'til we merge this thing though. 😜 | 15:11 |
redrobot | OK, let's move on | 15:12 |
redrobot | #topic Secure RBAC | 15:12 |
redrobot | lbragstad any updates? | 15:12 |
lbragstad | yep - i spent a bunch of time last week reworking https://review.opendev.org/c/openstack/governance/+/815158 | 15:13 |
lbragstad | i'd love to get some reviews on that | 15:13 |
lbragstad | and it is time sensitive since we're in Yoga and that goal is targeted for Yoga | 15:13 |
knikolla | i'm going through it today | 15:13 |
lbragstad | knikolla thank you | 15:13 |
redrobot | I'll try to get to that today as well | 15:15 |
redrobot | #topic Open Discussion | 15:17 |
redrobot | Any other topics y'all want to talk about before we look at the mountain 'o bugs? | 15:17 |
redrobot | OK, moving on | 15:28 |
redrobot | #topic Bug Review | 15:29 |
redrobot | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:29 |
redrobot | #link https://bugs.launchpad.net/keystone/+bug/1950325 | 15:29 |
redrobot | > domain list via projects api with domain-scoped token is always empty | 15:29 |
redrobot | This one is fresh out the bug factory | 15:29 |
lbragstad | i'm not sure listing domains with a domain-scoped token is the right thing | 15:33 |
lbragstad | i think you should have a system-scoped token to do that | 15:33 |
knikolla | hmmm, i think i feel that way too. | 15:34 |
lbragstad | that bug could be a filtering issue | 15:35 |
knikolla | though should it display the domains that are further down the tree, if the domain scoped token has the admin role on that domain? | 15:35 |
lbragstad | where it's getting a list of domains and then trying to filter out the domains outside of context | 15:35 |
lbragstad | knikolla i don't think you can have nested domains | 15:35 |
lbragstad | domains are top-level project trees | 15:35 |
knikolla | ah okay. i misremembered. | 15:36 |
redrobot | > you should have a system-scoped token < - I kind of think so too | 15:36 |
redrobot | seems like the correct response should be a 403 - Forbidden? | 15:36 |
lbragstad | well - i could see if i listed domains using a domain-scoped token, i could get back the domain i have a token to | 15:37 |
lbragstad | so - a list of one | 15:38 |
lbragstad | or maybe a list of the domains i have a role assignment on? | 15:38 |
lbragstad | i'm not sure which would be the right response | 15:38 |
lbragstad | that's typically covered by the /v3/auth/domains API | 15:38 |
knikolla | Do you get any domains when you list for projects? with the appropriate system level scope? or just projects? | 15:38 |
lbragstad | i'm not sure - i haven't tried | 15:39 |
lbragstad | redeploying an environment now and I'll try | 15:40 |
knikolla | i don't think i'm leaning on a 40x type response, because you're putting a filter on an action that you have permission to perform. | 15:41 |
lbragstad | yeah | 15:41 |
lbragstad | i think returning an empty list is appropriate and I thought there was a guideline about that somewhere? | 15:41 |
lbragstad | maybe in the API working group? | 15:41 |
knikolla | and it's either a list of 1, with the scoped domain being returned. or a list of 0, because while the token is scoped to that domain, you may not have permission to query it? (which we should check if it's the case) | 15:42 |
lbragstad | https://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering | 15:42 |
knikolla | also it would be, hmmm, weird if the non-filtered /projects query doesn't return the current domain, but the filtered version does. | 15:43 |
lbragstad | right | 15:43 |
lbragstad | i think if you list projects with a project-scoped token, you get the project your token is scoped to | 15:44 |
lbragstad | yeah - listing projects with a project-scoped token only gives you the projects you have access to | 15:52 |
lbragstad | it doesn't give you a full list | 15:52 |
redrobot | is_domain is a valid filter key? | 15:52 |
lbragstad | yeah | 15:53 |
redrobot | so /v3/projects?is_domain=true should return the domains you have access to, you think? | 15:53 |
lbragstad | https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=list-projects-detail | 15:53 |
lbragstad | sure? | 15:54 |
lbragstad | the /v3/domains api does that i think | 15:54 |
lbragstad | and so does /v3/auth/domains | 15:54 |
knikolla | if the domain is included in the /projects query without the filter, yes. | 15:54 |
knikolla | aka being incorrectly filtered out with the is_domain filter present. | 15:55 |
redrobot | > If this is specified as true, then only projects acting as a domain are included. Otherwise, only projects that are not acting as a domain are included. < | 15:55 |
lbragstad | https://paste.opendev.org/show/810880/ | 15:56 |
knikolla | oh, interesting | 15:56 |
knikolla | that's a weird filter | 15:56 |
redrobot | sounds like GET /v3/projects?is_domain=true should be the same as GET /v3/domains | 15:57 |
knikolla | ^ yes | 15:57 |
lbragstad | well - this seems wrong | 15:57 |
lbragstad | https://paste.opendev.org/show/810881/ | 15:57 |
lbragstad | that user doesn't have a role assignment on the foo domain | 15:58 |
knikolla | yeah, that shouldn't appear there | 15:58 |
redrobot | Almost out of time | 15:59 |
redrobot | but this does sound like a valid bug | 15:59 |
lbragstad | i think there are probably workarounds for it though | 16:00 |
lbragstad | like using the domains API - but those would be patches to terraform | 16:00 |
redrobot | I'm going to leave a comment on the bug pointing to this discussion | 16:01 |
redrobot | we can revisit next week | 16:01 |
redrobot | That's all the time we have this week | 16:01 |
redrobot | Thanks for joining, y'all! | 16:01 |
redrobot | #endmeeting | 16:02 |
opendevmeet | Meeting ended Tue Nov 9 16:02:20 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:02 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-11-09-15.00.html | 16:02 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-11-09-15.00.txt | 16:02 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-11-09-15.00.log.html | 16:02 |
prometheanfire | so..., does anyone mind taking a look at keystone failures with the new oslo.policy-3.10.0 ? https://review.opendev.org/815820 | 19:09 |