Wednesday, 2024-11-13

01:33 *** fungi is now known as Guest9249
01:41 *** kinrui is now known as fungi
02:35 *** mhen_ is now known as mhen
15:01 <opendevreview> Stanislav Zaprudskiy proposed openstack/keystone master: Support emitting partial hash of invalid password  https://review.opendev.org/c/openstack/keystone/+/932423
15:02 <d34dh0r53> #startmeeting keystone
15:02 <opendevmeet> Meeting started Wed Nov 13 15:02:26 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02 <opendevmeet> The meeting name has been set to 'keystone'
15:02 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:03 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:03 <d34dh0r53> #topic roll call
15:03 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:04 <cardoe> o/
15:04 <gtema> o/
15:04 <d34dh0r53> o/
15:06 <d34dh0r53> #topic review past meeting work items
15:06 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-30-15.05.html
15:06 <d34dh0r53> no action items from our last meeting
15:07 <d34dh0r53> #topic liaison updates
15:07 <d34dh0r53> nothing from VMT or releases
15:09 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:09 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:09 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:09 <d34dh0r53> External OAuth 2.0 Specification
15:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:09 <d34dh0r53> OAuth 2.0 Implementation
15:09 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:09 <d34dh0r53> OAuth 2.0 Documentation
15:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:10 <d34dh0r53> no updates from me unfortunately, stuck in federation land
15:10 <d34dh0r53> next up
15:10 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:10 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:10 <d34dh0r53> 2024.1 Release Timeline
15:10 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:10 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:10 <d34dh0r53> not sure if dmendiza is around or not
15:12 <d34dh0r53> guess not, next up
15:12 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:12 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:12 <d34dh0r53> https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work
15:12 <gtema> not so many changes from my pov except that statement above
15:12 <gtema> reviewing changes
15:13 <gtema>  * reviewing changes students produce
15:13 <d34dh0r53> ack, I'll look over your changes in that one
15:14 <d34dh0r53> thanks gtema (Artem Goncharov)
15:14 <d34dh0r53> next up
15:14 <d34dh0r53> #topic specification domain manager (mhen)
15:14 <d34dh0r53> still unmerged are:
15:14 <d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:14 <d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
15:14 <opendevreview> Artem Goncharov proposed openstack/keystone master: Add new keystone.wsgi module  https://review.opendev.org/c/openstack/keystone/+/932060
15:15 <d34dh0r53> cores, please look at the domain manager things dmendiza,
15:16 <d34dh0r53> Grzegorz Grasza: ^^
15:16 <d34dh0r53> next up
15:16 <d34dh0r53> #topic specification Type annotations (stephenfin)
15:16 <d34dh0r53> #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing
15:16 <d34dh0r53> This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land.
15:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/931959 - ruffing keystone is missing +W
15:16 <gtema> Dave Wilde (d34dh0r53): you missed approving a few changes
15:16 <gtema> I mean from the keystoneauth series
15:17 <gtema> therefore 4 changes are still open
15:17 <gtema> and the release patch was proposed last week, which I "-1"-ed
15:17 <d34dh0r53> oh snap, my bad, I'll get to those today
15:17 <gtema> great
15:18 <gtema> and ruff for keystone - you +2ed, but another one with +W is still missing
15:18 <gtema> and that one has huge merge-conflict potential
15:19 <gtema> so we need to get it in quickly
15:19 <d34dh0r53> I'm the only reviewer on the ruff patch, I'd like another core to take a look if possible, dmendiza or Grzegorz Grasza
15:19 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/931959
15:21 <opendevreview> Artem Goncharov proposed openstack/keystone master: Enable projects pagination  https://review.opendev.org/c/openstack/keystone/+/933598
15:21 <d34dh0r53> next up
15:21 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:21 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:21 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423
15:22 <d34dh0r53> 30-Oct update: significant spec update including feedback during PTG. WIP implementation, tests are WIP.
15:22 <d34dh0r53> 06-Nov update: some implementation tests are added, more tests TBD (WIP). Spec is looking for reviews.
15:22 <d34dh0r53> 13-Nov update: spec needs reviews, implementation now includes tests.
15:22 <stanislav-z> Yeap, the spec is ready and is looking for reviews. The implementation is linked too - it's ready in accordance with what's currently written in the spec.
15:23 <gtema> Stanislav Zaprudskiy: have you talked internally about the sha512_crypt?
15:24 <gtema> or was it sha256 we talked about during PTG?
15:25 <stanislav-z> it was sha256 during the PTG. but I decided to go with scrypt + PBKDF2 - as these are very tunable (with the option to control the parameters via conf) - it's mentioned in the spec
15:26 <stanislav-z> and also I went on with hashlib - it turned out to be faster than cryptography
15:26 <stanislav-z> (I also referenced benchmark results in the spec)
15:27 <gtema> ok
15:30 <d34dh0r53> thank you Stanislav Zaprudskiy
15:30 <gtema> ah, we talked about sha256_hmac
15:30 <gtema> I can't find any records of what we have discussed
15:32 <stanislav-z> it's doing pbkdf2_hmac(sha512) + scrypt on top by default
15:33 <gtema> as I mentioned during PTG I am still "uncomfortable" with partial hash
15:35 <stanislav-z> why so? it's a hash of an invalid password. it's partial. it's hashed with functions used to hash passwords in DB. I had another review of the spec by our security expert, and from his perspective just sha-256 would have been enough as long as it's partial (5 chars or so)
15:37 <gtema> I explained this in quite some detail during PTG. Of course it is "safe" if you just expose part of the info, but other tools like vault simply output hmac-sha256 and do not care about any slicing, which avoids any possible collision by definition
15:38 <stanislav-z> config allows not slicing the hash, but returning it in full
15:39 <gtema> anyway - let's move discussion back to the spec
15:39 <stanislav-z> good, thanks
15:40 <d34dh0r53> cool
15:41 <d34dh0r53> please review the spec
15:41 <d34dh0r53> next up
15:41 <d34dh0r53> #topic open discussion
15:41 <d34dh0r53> pagination (gtema)
15:41 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pagination%22+project:openstack/keystone
15:41 <d34dh0r53> it is a bit more complex than I thought since all DB queries need to be executed with pagination while some internal calls right now expect to get ALL entries (i.e. list_domains/list_projects)
15:42 <gtema> this appears to be quite a beast. But my push some minutes ago hopefully addresses all corner cases
15:42 <gtema> biggest issue is that pagination in DB must be applied unconditionally. I mean there is no way to re-apply pagination after fetching results
15:43 <gtema> and some parts of the code assume that when they invoke internal methods (like list_domains) bypassing the API they will get all results
15:43 <gtema> there are explicit tests on that
15:44 <gtema> it is not trivial to deal with that but hopefully I have found a way
15:44 <gtema> on the other hand - I don't have much of a clue how to deal with pagination for the ldap
15:47 <d34dh0r53> yeah, not sure about that either
15:48 <gtema> the only solution to that I see is to forcibly fetch all data (respecting all other filters) and simulate pagination
15:48 <gtema> so it will not save keystone<->ldap traffic, but user<->keystone
15:49 <gtema> well - that is very close to what happens now since keystone will truncate entries at the configured limit
15:51 <d34dh0r53> yeah, that's what I was thinking, huge LDAP databases might present a performance problem though
15:51 <gtema> I mean that it will not be more than what we have right now (I mean we still get all entries and truncate results)
15:52 <gtema> but maybe the more funny question is how to paginate when some results come from DB while others from ldap?
15:52 <gtema> I was not looking in detail over there yet, this is just a speculative thought
15:52 <d34dh0r53> I guess that's true
15:53 <d34dh0r53> Need to move on for time
15:53 <d34dh0r53> #topic bug review
15:53 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:53 <d34dh0r53> no new bugs in keystone
15:53 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:53 <d34dh0r53> nor python-keystoneclient
15:53 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:53 <d34dh0r53> keystoneauth is good
15:53 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:53 <d34dh0r53> nothing new in keystonemiddleware
15:54 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:54 <d34dh0r53> pycadf is good
15:54 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=0
15:54 <d34dh0r53> so is ldappool
15:54 <d34dh0r53> #topic conclusion
15:54 <d34dh0r53> Thanks everyone! Nothing else from me today
15:54 <d34dh0r53> #endmeeting
15:54 <opendevmeet> Meeting ended Wed Nov 13 15:54:41 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:54 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-11-13-15.02.html
15:54 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-11-13-15.02.txt
15:54 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-11-13-15.02.log.html
18:48 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON Schema to `endpoints` and validation decorators to endpoints resource.  https://review.opendev.org/c/openstack/keystone/+/927856
19:10 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON schema to `trust` and validation decorators to trust resource.  https://review.opendev.org/c/openstack/keystone/+/930361
19:18 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON Schema to `endpoint groups` and validation decorators to endpoint groups resource.  https://review.opendev.org/c/openstack/keystone/+/929686
19:47 <opendevreview> Antonia Gaete proposed openstack/keystone master: Add JSON schema to `trust` and validation decorators to trust resource.  https://review.opendev.org/c/openstack/keystone/+/930361
22:33 *** tkajinam is now known as Guest9338

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!