Tuesday, 2022-05-03

*** dasm\|ruck\|bbl is now known as dasm\|ruck\|off		03:11
*** ministry is now known as __ministry		07:44
*** dviroel\|out is now known as dviroel		11:18
*** dasm\|ruck\|off is now known as dasm\|ruck		12:17
gmann	RBAC meeting started now, details https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting	14:01
dmendiza[m]	knikolla: around? ☝️	14:06
knikolla	dmendiza[m]: yes	14:07
knikolla	Joining	14:07
dmendiza[m]	Waiting until the SRBAC meeting is over to start the Keystone Weekly meeting ...	15:01
dmendiza[m]	gmann knikolla dansmith https://meet.google.com/qax-tkne-dmk	15:03
alexYefimov_	I have a question about the para "minimum_password_age" in keystone. Does this parameter effect admin and non-admin users exactly the same way?	15:23
dmendiza[m]	#startmeeting Keystone	15:26
opendevmeet	Meeting started Tue May 3 15:26:29 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.	15:26
opendevmeet	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	15:26
opendevmeet	The meeting name has been set to 'keystone'	15:26
dmendiza[m]	#topic Roll Call	15:26
dmendiza[m]	Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe	15:26
dmendiza[m]	As usual the agenda is over here:	15:27
dmendiza[m]	#link https://etherpad.opendev.org/p/keystone-weekly-meeting	15:27
knikolla	o/	15:28
d34dh0r53	o/	15:29
dmendiza[m]	OK, let's get started	15:30
dmendiza[m]	#topic Review Past Meeting Action Items	15:30
dmendiza[m]	#link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-04-26-15.02.html	15:30
dmendiza[m]	Looks like we didn't have any	15:30
dmendiza[m]	#topic Liaison Updates	15:31
dmendiza[m]	I don't have any updates this week.	15:31
dmendiza[m]	#topic OAuth 2.0	15:33
dmendiza[m]	We had a review session last week	15:33
dmendiza[m]	#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext	15:34
dmendiza[m]	I don't think we have any updates for today	15:34
dmendiza[m]	moving on ...	15:39
dmendiza[m]	#topic Secure RBAC	15:39
dmendiza[m]	In case you missed the Google Meet session, we did discuss the "service" role a bit	15:39
dmendiza[m]	We'll continue discussions next week.	15:40
dmendiza[m]	#topic Guidance for storing user tokens	15:40
dmendiza[m]	dansmith asked this in the channel a while back (sorry we didn't get to it last week)	15:40
dmendiza[m]	He's basically looking for guidance in handling user tokens.	15:41
dmendiza[m]	IIRC, they're wanting to log them or store them in the DB	15:41
dmendiza[m]	presumable to be reused again, during long-running tasks.	15:41
dmendiza[m]	*presumably	15:41
knikolla	Hmmm, interesting	15:43
knikolla	My initial gut reaction is no	15:43
knikolla	But I can see the need for it	15:45
d34dh0r53	Can we set an expiry on issued tokens?	15:47
knikolla	That’s the way it aready is. Configurable but defaults to 45 mins I think	15:49
dmendiza[m]	d34dh0r53: yeah, tokens expire, but some services can still use them for context when doing long running tasks	15:49
d34dh0r53	but not overrideable during the issue?	15:49
knikolla	No, you can’t ask for a longer living token than the config	15:50
knikolla	No, you can’t ask for a longer living token than the config	15:51
d34dh0r53	hmm, ack	15:51
dmendiza[m]	We may need to think about it for a bit	15:52
dmendiza[m]	but it would be good to have an opinion on best practices for what to do with the tokens	15:53
*** dviroel is now known as dviroel\|lunch		15:53
knikolla	Agree, i can spend some time thinking about this	15:53
dansmith	dmendiza[m]: to be clear, I want to neither store nor log them	15:54
dansmith	I just want there to be some guidance about that being a bad idea that I can point to whilst arguing :P	15:54
d34dh0r53	:)	15:55
knikolla	That’s easier :)	15:56
dmendiza[m]	ack, I missed that last time, haha	15:57
knikolla	Store tokens, bad. You can link to this irc log, haha.	15:57
dansmith	knikolla: ack, I'll take it as better than nothing, but.. seems like it might be good to capture some of those sorts of recommendation somewhere.. I know, easy for me to say	15:59
knikolla	I’m sure there’s something in the docs and if not I’ll put it there	16:00
dmendiza[m]	OK, we're just about out of time.	16:00
dmendiza[m]	No bug review this week.	16:00
dmendiza[m]	We'll get back to normal once the Secure RBAC sessions start winding down.	16:01
dmendiza[m]	Thanks for joining, everyone!	16:01
dmendiza[m]	#endmeeting	16:01
opendevmeet	Meeting ended Tue May 3 16:01:18 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	16:01
opendevmeet	Minutes: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-05-03-15.26.html	16:01
opendevmeet	Minutes (text): https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-05-03-15.26.txt	16:01
opendevmeet	Log: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-05-03-15.26.log.html	16:01
*** dasm\|ruck is now known as dasm\|ruck\|bbl		16:50
*** dviroel\|lunch is now known as dviroel		16:56
opendevreview	Boris Bobrov proposed openstack/keystone-specs master: Prepare for Zed https://review.opendev.org/c/openstack/keystone-specs/+/839873	16:57
opendevreview	Boris Bobrov proposed openstack/keystone-specs master: Gate inherited assignments from parent https://review.opendev.org/c/openstack/keystone-specs/+/334364	16:58
*** dasm\|ruck\|bbl is now known as dasm\|ruck		18:01
*** dviroel is now known as dviroel\|out		21:30

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!