Wednesday, 2024-10-09

01:58 *** mhen_ is now known as mhen
13:41 <opendevreview> Takashi Kajinami proposed openstack/oslo.limit master: Declare Python 3.12 support  https://review.opendev.org/c/openstack/oslo.limit/+/931928
13:43 <opendevreview> Takashi Kajinami proposed openstack/oslo.policy master: Declare Python 3.12 support  https://review.opendev.org/c/openstack/oslo.policy/+/931932
14:36 <opendevreview> Artem Goncharov proposed openstack/keystone master: Ruff the code  https://review.opendev.org/c/openstack/keystone/+/931959
14:37 <opendevreview> Artem Goncharov proposed openstack/keystone master: Ruff the code  https://review.opendev.org/c/openstack/keystone/+/931959
15:05 <d34dh0r53> #startmeeting keystone
15:05 <opendevmeet> Meeting started Wed Oct  9 15:05:08 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:05 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:05 <opendevmeet> The meeting name has been set to 'keystone'
15:05 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:05 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:05 <d34dh0r53> #topic roll call
15:05 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:05 <gtema> o/
15:06 <cardoe> o/
15:06 <jph> o/
15:06 <d34dh0r53> o/
15:07 <d34dh0r53> #topic review past meeting work items
15:08 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-02-15.00.html
15:08 <xek> o/
15:08 <d34dh0r53> only one
15:08 <d34dh0r53> reviewathon discuss and hopefully perform the removal of passlib https://review.opendev.org/q/topic:%22passlib%22
15:08 <d34dh0r53> we merged just about everything, gtema (Artem Goncharov) do you think we're good to pull the bandaid off or should we wait?
15:09 <gtema> I do not have a strong preference
15:09 <gtema> maybe let's rip it off now to detect problems earlier
15:12 <d34dh0r53> sounds good, I'll push the button after this meeting
15:12 <gtema> perfect, thanks
15:12 <d34dh0r53> #topic liaison updates
15:13 <d34dh0r53> nothing from VMT or releases
15:13 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:13 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:13 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:13 <d34dh0r53> External OAuth 2.0 Specification
15:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:14 <d34dh0r53> OAuth 2.0 Implementation
15:14 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:14 <d34dh0r53> OAuth 2.0 Documentation
15:14 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:14 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:15 <d34dh0r53> no updates this week
15:15 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:15 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:15 <d34dh0r53> 2024.1 Release Timeline
15:15 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:15 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:15 <d34dh0r53> dmendiza: is on PTO for the rest of the week
15:15 <d34dh0r53> next up
15:15 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:15 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:16 <d34dh0r53> https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work
15:16 <d34dh0r53> gtema: api-ref work started
15:16 <gtema> under api-ref work I mean start rendering generated openapi as api-ref
15:16 <d34dh0r53> ahh, cool
15:17 <gtema> there is a series of dependency-hell issues that I'm currently stuck on (openstackdocstheme needs a first upgrade of bootstrap from a 5-year-old version)
15:17 <gtema> bootstrap upgrade breaks current os-api-ref
15:17 <gtema> and my sphinx plugin also needs openapi first, so the api-ref job would first need to generate the openapi doc
15:18 <gtema> anyway, with the fact that the first openapi changes landed I now have a better overview of what is there and what is missing
15:18 <gtema> maybe my friday I will have some changes with depends-on (like 5-6 dependent changes ;-) to demo overall flow
15:19 <gtema> s/my/by/
15:19 <d34dh0r53> okay, cool, ping me for reviews
15:20 <gtema> sure, is somebody here also owning core reviewers in openstackdocstheme/os-api-ref projects?
15:20 <d34dh0r53> I don't know
15:20 <gtema> ok
15:21 <gtema> that's it for now on openapi
15:22 <d34dh0r53> thanks gtema (Artem Goncharov)
15:22 <d34dh0r53> next up
15:22 <d34dh0r53> #topic specification domain manager (mhen)
15:22 <d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22
15:23 <d34dh0r53> tempest core lib patch has been merged, only keystone-tempest-plugin left
15:23 <d34dh0r53> created a patchset for documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:24 <d34dh0r53> mhen_: are you around?
15:26 <d34dh0r53> ok, cores, please review the tempest plugin and docs patch for this
15:26 <d34dh0r53> moving on
15:26 <d34dh0r53> #topic specification Type annotations (stephenfin)
15:26 <d34dh0r53> #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing
15:26 <d34dh0r53> This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land.
15:27 <gtema> I reviewed some portion of those today
15:27 <gtema> this is not trivial, so take your time
15:27 <d34dh0r53> indeed, I need to spend some time reviewing them
15:28 <stephenfin> Nothing to add. Per that note, just need reviews. The sooner we get them merged the better, so we can cut a release and iron out any kinks we see once it's in use
15:28 <gtema> on the topic: we were discussing ruff-ing the keystone
15:28 <d34dh0r53> ack, thanks stephenfin
15:28 <gtema> today I pushed https://review.opendev.org/c/openstack/keystone/+/931959 - and as you see it's mega huge
15:28 <d34dh0r53> I'm good with ruff-ing the keystone
15:28 <gtema> sadly here reformatted stuff started immediately violating hackings
15:29 <stephenfin> gtema: Don't forget to add a .git-blame-ignore-revs file once you're done
15:29 <gtema> so I needed to give a lovely human touch to lots of files
15:29 <gtema> yes, sure
15:30 <gtema> sad that bandit coverage under ruff is not too configurable
15:30 <stephenfin> gtema: I disabled much of the E class flake8 errors since they effectively duplicated what ruff was doing. ruff/black will do their best to respect line width
15:30 <gtema> otherwise I would have switched to that as well
15:30 <gtema> stephenfin - in the unreleased hacking or where?
15:31 <stephenfin> https://github.com/openstack/openstacksdk/blob/master/tox.ini#L143-L151
15:31 <stephenfin> The 'select' option is the important one
15:31 <gtema> ah this way, ok
15:32 <gtema> well, I anyway already touched plenty of files and addressed the E501, so it's a bit too late ;-)
15:32 <stephenfin> you know for next time :)
15:32 <gtema> sure
15:32 * stephenfin goes back to lurking
15:34 <d34dh0r53> thanks stephenfin
15:34 <d34dh0r53> #topic open discussion
15:34 <noonedeadpunk> I have https://review.opendev.org/c/openstack/keystone/+/930589 to talk to
15:34 <d34dh0r53> I don't have anything, we already talked about saying bye-bye to passlib
15:35 <noonedeadpunk> In terms that - it's an annoying issue to have, but I can justify time to work on unit tests for it, given that keystone-manage is basically not covered in tests currently
15:35 * d34dh0r53 looking at noonedeadpunk's patch
15:35 <noonedeadpunk> so scope looks quite big
15:35 <noonedeadpunk> (at least for me)
15:36 <noonedeadpunk> the issue was introduced with sqlalchemy 2 patches iirc
15:38 <d34dh0r53> hmm, there are currently no unit tests with keystone-manage, but maybe a zuul job that checks this would suffice
15:39 <noonedeadpunk> are there upgrade jobs existing?
15:39 <d34dh0r53> I thought so, but I'm not seeing any
15:39 <noonedeadpunk> as I don't see anything like that either
15:39 <noonedeadpunk> I _think_ last time keystone had an upgrade job - it was an OSA job
15:40 <d34dh0r53> That could be what I'm thinking about
15:40 <noonedeadpunk> ofc I can work on adding it again :)
15:40 <d34dh0r53> https://github.com/openstack/keystone/blob/f7ffacb7ad2d09da01b00cf50192a5c2b2d899a1/.zuul.yaml#L68
15:40 <cardoe> Question around inherited permissions. I know that you can have sub-projects and give permissions on the parent project which can be inherited. But can I have a domain and have roles set on the domain and inherited to projects? Since a domain is really just a project now.
15:40 <noonedeadpunk> but I guess you might be in favor of grenade
15:41 <noonedeadpunk> I can revive that testing fwiw
15:41 <d34dh0r53> noonedeadpunk: yeah, let's revive that testing, it should suffice for your keystone-manage patch.
15:42 <noonedeadpunk> but the problem with the patch is that the command now reports "ok" whenever you ask it if migrations are needed
15:42 <noonedeadpunk> and the upgrade job is just checking for the return code
15:42 <d34dh0r53> because it's comparing the same thing
15:42 <noonedeadpunk> so it's not catching the issue
15:42 <noonedeadpunk> yeah
15:42 <d34dh0r53> yeah
15:43 <noonedeadpunk> so this specific issue won't be caught by such a job
15:43 <d34dh0r53> ok, I'll review that patch and add the note that you're going to work on an upgrade job to ensure it's correct going forward
15:43 <noonedeadpunk> ++
15:43 <noonedeadpunk> upgrade job is on me
15:44 <d34dh0r53> to your question cardoe, I'm not 100% sure
15:44 <d34dh0r53> that's a question for dmendiza or mhen_ but neither of them are around
15:45 <cardoe> okay I'll chase them down. It's not clear from the docs to me and the behavior is making me scratch my head using 2024.1 based on the domains.
15:45 <gtema> the best answer - try it out. My guess - it will not work
15:46 <gtema> point of concern is that domain is not returned in list_projects and neither the opposite
15:47 <gtema> so for grant inheriting to work there must be explicit logic which I have never seen
15:47 <cardoe> My idea might be stupid anyway. Hooking ironic to be authenticated via keystone for users. All the projects are just different teams having hardware. So wanted to give the admins permission to all the projects with hardware.
15:47 <noonedeadpunk> I don't think it will work either....
15:47 <cardoe> Without having to explicitly give them permission to each project.
15:47 <noonedeadpunk> you can add them to a group?
15:48 <cardoe> I guess I could grant a group permission to each project. yeah that would be fine.
15:48 <noonedeadpunk> but also - giving admin permissions to the project will give a global admin to all projects
15:48 <noonedeadpunk> and all domains
15:49 <cardoe> well I said "admin" but wasn't referring to keystone admin role but humans. giving them "member" on the projects
15:49 <noonedeadpunk> ah, I guess I misread
15:49 <noonedeadpunk> ++
15:49 <gtema> noonedeadpunk - for that we now have domain manager - to not need granting admin for users
15:49 <noonedeadpunk> oh, yes, I already use them in one place
15:49 <noonedeadpunk> though Horizon still needs to be patched...
15:49 <cardoe> It's so they can do stuff like baremetal service to upgrade firmware and such on machines.
15:50 <noonedeadpunk> as it doesn't like manager with domain only assignment
15:50 <gtema> https://docs.openstack.org/api-ref/identity/v3/#assign-role-to-user-on-projects-owned-by-domain claims you grant to the use certain role on all projects owned by domain
15:50 <gtema> user
15:51 <noonedeadpunk> `inherited_to_projects` - oh, nice
15:51 <cardoe> So it works when I make sub-projects and parent it to a project
15:51 <cardoe> then have that project be a domain
15:51 <cardoe> But maybe that call will work straight away. Thank you gtema.
15:52 <gtema> it looks like you do not need any other stuff, you grant directly on the domain
15:52 <gtema> but - test whether it does what you need
15:52 <cardoe> yeah will do thank you.
15:52 <d34dh0r53> moving on for time, let us know how it works cardoe
15:52 <cardoe> I wanted to also bring up OpenID Connect. Would proposing keystoneauth-websso for inclusion be something that would be workable? There's at least 3 operators now that are using it. I know that there's work on changing the integration in the pipeline.
15:53 <d34dh0r53> yeah, I would be very interested in that car
15:53 <d34dh0r53> oops cardoe
15:53 <noonedeadpunk> well, I'd say it's a bit of a weird one...
15:53 <noonedeadpunk> As basically it neglects all benefits of OIDC
15:54 <noonedeadpunk> since you can't re-use the token issued by the oidc provider, nor can you use 2fa in oidc
15:54 <gtema> no it doesn't, but the other issue is that without token caching it doesn't bring you anything
15:55 <cardoe> So today the upstream version caches the token on disk just like kubelogin does.
15:55 <noonedeadpunk> I think it does... As what makes OIDC most usable is having a single interface and flow for authentication between different services
15:55 <cardoe> https://github.com/int128/kubelogin
15:55 <gtema> if you explicitly enable caching in the config, and it has so many corner cases
15:56 <noonedeadpunk> and what you do with keystoneauth-websso is hardly interoperable with other services, unless you just disable half of keycloak
15:56 <noonedeadpunk> dunno
15:56 <gtema> this is yet another case of half-knowledge on the complexity of federated logins :)
15:57 <noonedeadpunk> yeah, could be easily
15:57 <gtema> that is why I placed the topic on PTG for a much deeper discussion
15:57 <noonedeadpunk> actually....
15:57 <noonedeadpunk> I think I'm mixing this up with some other repo
15:57 <cardoe> So I don't disagree it'd be nice to have deeper federation integration
15:58 <cardoe> https://github.com/vexxhost/keystone-keycloak-backend is the backend that Vexxhost uses.
15:58 <noonedeadpunk> oh, yes, I was all the time talking about that ^
15:58 <noonedeadpunk> lol
15:58 <cardoe> I'm not talking about the backend
15:58 <cardoe> I'm talking about https://github.com/vexxhost/keystoneauth-websso
15:58 <noonedeadpunk> ++
15:58 <noonedeadpunk> ok, sure, sorry
15:58 <gtema> right, and for that in 2024.2 we now have the possibility to configure it dynamically without needing to restart keystone (or let's say partially)
15:59 * noonedeadpunk needs to take some rest
15:59 <cardoe> Which causes my browser window to open and go to my OIDC provider
15:59 <cardoe> and then it redirects me back to http://localhost:9999
15:59 <noonedeadpunk> that's actually nice
15:59 <cardoe> and websso is listening on that port and it gets the id_token back
16:00 <gtema> yes cardoe, it works, works great, but it doesn't cover all crazy usecases of federation
16:00 <cardoe> It's called websso cause it's implemented how horizon works afaik.
16:00 <cardoe> gtema: agreed it's not perfect
16:00 <noonedeadpunk> but maybe it's possible to work on that collaboratively to make it better
16:01 <gtema> it works only for keycloak, that's one of the structural issues
16:01 <cardoe> Just wondering if I could submit it for inclusion and if I'd get feedback on what to improve on it OR if it's -1 immediately.
16:01 <cardoe> gtema: nope. I use it with Azure and GitHub today.
16:01 <gtema> cardoe - question for driver or the cliauth plugin?
16:01 <noonedeadpunk> but also I can recall a slightly different path in keystone code for okta vs keycloak
16:01 <cardoe> for the cliauth piece
16:02 <noonedeadpunk> so adding compatibility is normal evolvement
16:02 <gtema> ah ok. I meant that the backend is keycloak only
16:02 <cardoe> pip install python-openstackclient keystoneauth-websso locally on my machine
16:02 <d34dh0r53> we're over time, I'll make sure that bugs are taken care of.  I'm going to end the meeting here, but please continue the conversation, this seems like a really good topic for the PTG.
16:02 <d34dh0r53> #endmeeting
16:02 <opendevmeet> Meeting ended Wed Oct  9 16:02:47 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:02 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-09-15.05.html
16:02 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-09-15.05.txt
16:02 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-09-15.05.log.html
16:02 <noonedeadpunk> thanks d34dh0r53!
16:03 <cardoe> d34dh0r53: thanks. sorry for blowing up the schedule. :/
16:03 <d34dh0r53> not at all cardoe, this is why we have the open discussion time
16:04 <cardoe> So in my clouds.yaml I've got auth_type: v3websso \n identity_provider: github \n protocol: openid \n auth_url: https://mycloud.cardoe.com
16:05 <gtema> I have no problems with getting the plugin in except that future improvements of federation in KS may break it
16:05 <cardoe> And when I run any openstack CLI command if my token is expired or I don't have one my browser window opens and takes me to GitHub.com to login (if I'm not already logged in) and then approve the app. Once I approve I get redirected to http://localhost:9999 and it tells me I can close the browser tab.
16:05 <cardoe> I go back to my shell and the command worked.
16:08 <gtema> don't forget that it requires special treatment of the keystone.conf
16:08 <gtema> this is what eventually not all CSPs are happy with and/or not with the exact value for the callback
16:08 <cardoe> I'm all for future improvements. So happy to fix it up or even deprecate it.
16:09 <gtema> sure, but you should not hurry merging some new functionality when you know that you are going to do major rework here and are ready for deprecation of that freshly added functionality
16:10 <gtema> we have a huge problem across OpenStack in needing to support every buggy feature we accidentally introduced for backwards compatibility reasons
16:13 <cardoe> I understand.
16:14 <cardoe> I'm just trying to find a way to do OIDC auth that functions today and I ran across that plugin. I've learned that 3 operators use it so it seemed like there was a demand for something like that.
16:16 <gtema> I totally get it. But my big big ask: do not hurry things in the identity, it's a terribly sensitive and dangerous area where with a tiny change you can introduce huge vulnerabilities. It requires very deep knowledge
16:19 <cardoe> Sure. I understand. It's been an out-of-tree plugin for a while. https://github.com/IFCA-Advanced-Computing/keystoneauth-oidc that's where vexxhost's copy started from.
16:19 <gtema> I know the history of it
16:32 <opendevreview> Merged openstack/oslo.limit master: Declare Python 3.12 support  https://review.opendev.org/c/openstack/oslo.limit/+/931928
16:40 <opendevreview> Merged openstack/oslo.policy master: Declare Python 3.12 support  https://review.opendev.org/c/openstack/oslo.policy/+/931932
17:01 <opendevreview> Artem Goncharov proposed openstack/keystone master: Ruff the code  https://review.opendev.org/c/openstack/keystone/+/931959
17:16 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON schema to `trust` and validation decorators to trust resource.  https://review.opendev.org/c/openstack/keystone/+/930361
18:06 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON Schema to `endpoint groups` and validation decorators to endpoint groups resource.  https://review.opendev.org/c/openstack/keystone/+/929686
18:06 <opendevreview> Antonia Gaete proposed openstack/keystone master: WIP: Add JSON Schema to `endpoint groups` and validation decorators to endpoint groups resource.  https://review.opendev.org/c/openstack/keystone/+/929686
18:09 <opendevreview> Merged openstack/oslo.policy master: Remove fallback to DEFAULT section  https://review.opendev.org/c/openstack/oslo.policy/+/908315
18:24 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON Schema to `endpoints` and validation decorators to endpoints resource.  https://review.opendev.org/c/openstack/keystone/+/927856
18:27 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON Schema to `endpoint groups` and validation decorators to endpoint groups resource.  https://review.opendev.org/c/openstack/keystone/+/929686
19:29 <opendevreview> Oria Weng proposed openstack/keystone master: Add JSON schema to `limits`  https://review.opendev.org/c/openstack/keystone/+/931528
23:39 <cardoe> so fwiw, noonedeadpunk and gtema "openstack --debug role add --group <group> --inherited --domain <domain> <role>" seems to confirm that https://docs.openstack.org/api-ref/identity/v3/#assign-role-to-group-on-projects-owned-by-a-domain is called.
23:41 <cardoe> I think my issue is that my user had manager on a domain but it wasn't inherited. So when member was inherited it wasn't working. At least that's my guess because I wiped everything and it's working consistently.

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!