VMware Pinniped Community Meeting, 21 Oct 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Pinniped Community Meeting - October 21, 2021

Description

Pinniped Community Meeting - October 21, 2021
We meet every 1st and 3rd Thursday of the month at 9:00am PT. We'd love for you to join us live!

This week we discussed some updates to the project roadmap, Helm chart discussion update, and AD upstream refresh Slack discussion. Full details found here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view#October-21-2021-Agenda

A

Hi everyone welcome to this week's edition of the pinniped community meeting. Today's date is october. 21St 2021, if you're watching this recording from home, just a reminder that we do meet every first and third thursday of the month at 9 a.m. Pacific time it's an opportunity for you to come and meet the maintainers, listen to what they're working on provide feedback and also bring up any questions that you might have on using the tools. The actual tool, if you do have something you wish to discuss with the team.

A

You'll just add that down at the discussion topic section in the agenda here, if you're unable to join us for any of these meetings live, you can find us in the kubernetes select workspace within the pendiped channel, and if you aren't already a member of the kubernetes select, workspace you'll just need to send a request for an invitation to gain access.

A

You can also find us on twitter at project pinniped whenever you're, interacting with us and the community, whether it be github or twitter or slack or in these meetings. We ask that you please read and abide by our code of conduct.

A

Also when you attend these meetings, we would like to list out who is attending and keep those lines of communication open and see who might be using, pin ipad. So we can kind of get a better understanding of some use cases there.

A

So just list out your name and any organization that you're representing as well as uh filling out this github discussion. Adding a comment here and how your organization is using pinpad, you can put your logo on there. We will add it to our adopters page for some cross promotion.

A

And on to announcements, uh pretty light on announcements this week, just a reminder: pinup is participating, participating in hacktoberfest and what hacktoberfest is is a month-long celebration, helping others who might not be familiar with open source or familiar with doing any pull requests within github, getting them more comfortable with contributing and getting started with an open source, and the way that piniped is helping out is that we have our repo labeled as hacktoberfest, showing that we are participating, and we have an issue here that has been labeled with oktoberfest and you will, if you're wanting to participate, you can go in here and look to see how you can work on it and add your own pull request to to this particular issue, and once you get four pull requests submitted throughout the month of october, you will be given a limited edition, t-shirt and some stickers via digitalocean.

A

Okay on to status updates regarding the project roadmap, so I just put in here the one thing that we have going on for october. The improving security posture supervisor token refresh fails when the upstream refresh token no longer works for oidc.

A

um Anybody want to go over that particular item and where we are with that.

B

uh Yeah, so I think uh I worked on a little earlier, but ryan's mostly been working on uh the uidc part of things. I think uh the initial uh story of just when you refresh making sure that the refresh token that you got from the upstream odc provider is valid um is done and uh now I believe, ryan's working on garbage collection um and making sure that everything's provoked properly.

B

B

Making good progress, I think.

B

I don't know exactly when we're thinking of really saying that, and maybe the ldap stuff, but um should.

B

I be know if I had to guess I'd say early november: okay,.

A

No worries, um thank you. Margo.

C

I was just going to make a comment, so I did uh review the initial work that ryan and margo have done, uh looks solid. I just I think I have.

C

I just need to go back and look at after I'd gone offline last night uh ryan had addressed some of my comments, uh so I think we're at a state where, like the very first part of the work, was basically ready to be immersed in um and then what that will enable is that ryan and margot, or it opens up more than one parallel track of work.

C

D

C

Can uh can work on that going forward? um I.

B

Yeah, uh I've sort of started working locally on um parallelizing, some of the work to get ldap and active directory upstream, refresh checks, um but once we have it on.

B

Once we have that in a good state and on main it makes it a little easier to do those two separately.

C

Yeah and we wanted to kind of get into the state, because uh various folks on the team will be uh on pgo are coming up, so we to we want to get into the state, get something merged in that it's still releasable we're not merging anything into maine that we could not like make a release out of this. Just uh it's a it's an intermediate state, that's still better than this there today.

C

So yeah things are looking good for a good practice there. um I I don't know margot. If you've seen the slack thread on the planet slack. I had.

C

Yeah, so to give anyone watson recording context, um uh I I just happen to think of um one concern with the active directory work. That's coming up is our our ci system for active directory. Is one durable singleton?

C

So it's you know one instance of a.d, that's in aws, I think somewhere, and you know it has a very particular config and it's very much a pet and not not a cattle uh and um the the uh it's okay today, because all of our tests against are completely redone.

C

So it's fine. You know it exists in a pristine state and we can sort of test against that pristine state and hit all of the functionality um with the ad upstream refresh one of the core things you want to check. Is you know if you're using pinpad, but during the act of using it once you already have logged in once?

C

If your user was in some way disabled, deleted or otherwise put into a state that we don't consider to be valid, we want to observe that occurring and stop letting you benefit right, that in to do that in a real integration. Test inherently involves causing a mutation to actually direct you, okay, which then puts us into a strange place, because our ad system, which so far has been completely read only from the perspective of our tests, now has to have some kind of right semantics. Going on.

B

Yeah there's some we, it wouldn't be quite as good, but we could also consider uh doing a similar trick to what ryan did with his integration tests, where he modified the storage.

B

So we, you know, store the upstream refresh token, so we can so we can use it later and uh he modified the storage to make it uh garbage and then performed a refresh and showed that the garbage didn't work. um We could try to.

B

It's a little weird, but we could we could try to. You know, make the storage point at a deactivated user.

C

B

Already deactivated.

C

Yeah I thought that that seemed like a little strange and sketch like I did. I was a little worried that that would put us in a.

C

Like at that point, I would feel the need to have them like a manual test where, like I manually, went and like did something with a.d, and I was like all right cool like it actually works like when this happens for real uh but yeah. It's not it's not a bad approach.

C

um The the sort of discussion I'm thinking about is do we do we need to invest a little bit more in our 80 infrared and make it a little bit more flexible. So that way as we move forward, we don't like. I think the thing that ryan did for the upstream refresh is actually like effectively correct, because all it is is like. We have some arbitrary string that we've stored and if we just happen to make it slightly different, so the upstream won't be happy with it anymore.

C

For any, you know it sort of emulates that really well, um the the stuff with ad is gonna, be much more particular right, like you're gonna you're supposed to be fetching a user looking at a particular field, doing bit masks against it make sure you trick us through looking at the wrong music. Maybe it's fine.

B

Yeah and it still doesn't get at um testing password last password change time.

C

Oh yeah yeah, you can.

B

There's not really any way to do that if you're not entirely taking out dates everywhere like if we want to make sure that if, if you log in to pin a pad and then your password changes, and then we refresh, we should see that your password has changed since you've logged in and you should no longer be logged in, um and so that's kind of hard to fake out so yeah. It might be worth trying to look at like scott's scripps.

C

Yeah all right, yeah yeah, um I'm sure if we I'm sure, if we forced ourselves, we could maybe come up with the fake that one it's more of like. uh Would it make more sense to just bite the bullet and come up with a more robust way to set up our 80 stuff? What whether I I did really like scott's suggestion, which was uh basically make your active directory multi-tenant like have basically different ous or whatever for different tests or whatever, and you know, put everything inside that bucket. I really like that suggestion.

C

It's just that we we don't have the code to be like today.

B

Yeah, I'm sure there's some.

B

Way to do it with powershell or something.

C

Also wondering if there's some like higher order approach, where maybe we could somehow like somehow, we could maybe get.

C

Like basically kind of like global catalog, if we could get something like from aws where it was actually just a series of active directories and we could kind of get particular ones, I don't I don't know- maybe that doesn't make sense, but it's the same sort of idea, just maybe at a more active directory global level.

C

But I think this is all good stuff to think about, because.

C

The hope here is that um you know if you're using us with id that we behave like you would expect us to be hated within, um but the the whole like oidc stuff is just an implementation, which I write to an end user that is based on the system in the apron.

C

We want to go on to the home chart discussion.

A

Yeah, I'm just making sure there wasn't any further comments on that. uh So I was curious as if there was any updates regarding that helm. Chart discussion that we had in the last meeting last community meeting. If we heard anything from scott regarding his reaching out to bitnami or if there was any discussion you wanted to share with the community.

D

So uh we did reach out internally to vietnamese, and uh you know I had a chance to talk to some of their folks and uh we we really want to understand. um You know how uh they host the charts, what what sort of versions etc. So we have planned a discussion, um but uh not yet done yeah. So it's in the works.

A

Okay, that sounds great sounds like there's at least some movement. There.

A

um Is there anything else that y'all want to bring up before we end today's meeting.

D

uh Yeah, actually, uh if you can pull up the road map, nancy.

D

Yeah, if you scroll down I've, updated the roadmap with a lot of what we are thinking and focusing on um which is basically security, hardening and improving the security posture for the project. So we've come up with a list of features that will help and enhance the security.

D

Posture would definitely like contributions and from the community if, if there is any interest, if there are any use cases that this will solve, we'd be really happy to hear from them.

A

Okay, great thanks anjali.

A

Okay, anything else.

A

All right uh well, thank you again for joining today's meeting and if you're watching from home, I can encourage you to come and join us live again. We meet every first and third thursday of the month at 9 a.m. Pacific time, so we hope to hear from you soon. Thank you thanks.