| *** blarnath is now known as d34dh0r53 | 13:31 | |
| vishalmanchanda | hello Keystone team, Is there any detailed blog or document which I can refer to enable Time-based One-time Password (TOTP) in my devstack env.? | 14:07 |
|---|---|---|
| vishalmanchanda | thanks | 14:07 |
| dmendiza[m] | 🙋 | 15:01 |
| d34dh0r53 | vishalmanchanda: not that I'm aware of, that's kind of a choose your own adventure at this point | 15:01 |
| d34dh0r53 | #startmeeting keystone | 15:01 |
| opendevmeet | Meeting started Wed Aug 16 15:01:42 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:01 |
| d34dh0r53 | #topic roll call | 15:01 |
| noonedeadpunk | o/ | 15:01 |
| hiromu | o/ | 15:02 |
| dmendiza[m] | 🙋 | 15:02 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m] | 15:02 |
| d34dh0r53 | o/ | 15:02 |
| knikolla | o/ | 15:02 |
| d34dh0r53 | #topic review past meeting work items | 15:02 |
| d34dh0r53 | d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:03 |
| d34dh0r53 | I've started looking into this, we don't have a section and I'm investigating adding one | 15:03 |
| d34dh0r53 | so I'll carry it forward | 15:03 |
| d34dh0r53 | #action d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:03 |
| d34dh0r53 | the next item as well | 15:04 |
| noonedeadpunk | isn't that part of release notes? | 15:04 |
| noonedeadpunk | except - you'd need to move renos between releases to keep known issues there | 15:04 |
| d34dh0r53 | #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:05 |
| d34dh0r53 | yeah, I think it's for more long lived known issues, stuff that is idiosyncratic to keystone, and issues that are likely not to be fixed with well known workarounds | 15:06 |
| d34dh0r53 | d34dh0r53 investigate switching the default hashing algo to scrypt in 2024.x | 15:06 |
| d34dh0r53 | is next up, noonedeadpunk I know you did some work related to this AI this past week, I haven't had a chance to look at anything | 15:07 |
| noonedeadpunk | yeah, patch for https://bugs.launchpad.net/keystone/+bug/2029134 proposed and needs to be reviewed | 15:08 |
| noonedeadpunk | it also needs to be backported to 2023.1 | 15:08 |
| noonedeadpunk | Fix for https://bugs.launchpad.net/openstack-ansible/+bug/2028809 has merged on master and backports proposed to affected stable branches | 15:09 |
| noonedeadpunk | #link https://review.opendev.org/q/Iea95a3c2df041a0046647b3d3dadead1a6d054d1 | 15:10 |
| noonedeadpunk | I didn't look into this one though | 15:10 |
| noonedeadpunk | #link https://bugs.launchpad.net/keystone/+bug/2030061 | 15:10 |
| d34dh0r53 | ack | 15:11 |
| d34dh0r53 | I think maybe a good first step to the hashing algo is to get https://review.opendev.org/c/openstack/keystone/+/891024/3 tested and merged | 15:13 |
| d34dh0r53 | We can then look into perhaps making that the default in 2024.x | 15:13 |
| d34dh0r53 | Since there is no length limitation with the additional hash and we're still using bcrypt I'm thinking that is a good way to go. | 15:14 |
| d34dh0r53 | #action d34dh0r53 test https://review.opendev.org/c/openstack/keystone/+/891024/3 | 15:15 |
| d34dh0r53 | next up | 15:15 |
| d34dh0r53 | noonedeadpunk and d34dh0r53 are looking for a workaround/fix for https://bugs.launchpad.net/keystone/+bug/2028809 | 15:15 |
| d34dh0r53 | I think this has been resolved in https://review.opendev.org/c/openstack/keystone/+/890936 | 15:16 |
| noonedeadpunk | yup | 15:16 |
| d34dh0r53 | thank you for the patch noonedeadpunk | 15:16 |
| d34dh0r53 | next up we have hiromu is going to look at https://bugs.launchpad.net/keystone/+bug/2029134 | 15:16 |
| d34dh0r53 | this has a patch up https://review.opendev.org/c/openstack/keystone/+/891521 | 15:17 |
| d34dh0r53 | hiromu: were you able to look at this patch? | 15:17 |
| hiromu | sure | 15:17 |
| d34dh0r53 | thank you! | 15:18 |
| hiromu | :) | 15:18 |
| d34dh0r53 | #action hiromu test and review https://review.opendev.org/c/openstack/keystone/+/891521 | 15:18 |
| d34dh0r53 | ok, that does it for the past week action items | 15:18 |
| d34dh0r53 | next up | 15:18 |
| d34dh0r53 | #topic liaison updates | 15:18 |
| d34dh0r53 | nothing from VMT | 15:18 |
| d34dh0r53 | cool, moving on | 15:21 |
| d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:21 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:22 |
| d34dh0r53 | External OAuth 2.0 Specification | 15:22 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:23 |
| d34dh0r53 | OAuth 2.0 Implementation | 15:23 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:23 |
| d34dh0r53 | OAuth 2.0 Documentation | 15:23 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 | 15:23 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 | 15:23 |
| hiromu | no update this week. I hope topic https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability will be reviwered within this cycle if possible | 15:23 |
| d34dh0r53 | I will add it to the reviewathon | 15:24 |
| d34dh0r53 | thank you hiromu | 15:24 |
| d34dh0r53 | next up | 15:24 |
| d34dh0r53 | #topic Secure RBAC (dmendiza[m]) | 15:25 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:25 |
| d34dh0r53 | Manager Role Implementation | 15:25 |
| dmendiza[m] | Not a whole lot of progress | 15:25 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/822601 | 15:25 |
| d34dh0r53 | ack, thanks dmendiza[m] | 15:25 |
| dmendiza[m] | we had the pop-up meeting yesterday | 15:25 |
| dmendiza[m] | and I'll be helping gmann update an srbac patch | 15:25 |
| d34dh0r53 | cool | 15:26 |
| d34dh0r53 | #topic open discussion | 15:28 |
| d34dh0r53 | (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE: | 15:28 |
| d34dh0r53 | review request | 15:28 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/883852 | 15:28 |
| d34dh0r53 | Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same) | 15:28 |
| d34dh0r53 | this has merged, thanks all! | 15:28 |
| d34dh0r53 | removing it from the doc | 15:29 |
| d34dh0r53 | next up | 15:29 |
| d34dh0r53 | OAuth2.0 External Authorization Server Support (hiromu) | 15:29 |
| d34dh0r53 | Where is an appropriate place to put the user guide | 15:29 |
| dmendiza[m] | https://opendev.org/openstack/keystone/src/branch/master/doc/source/user ? | 15:30 |
| hiromu | but it's about keystonemiddleware | 15:31 |
| d34dh0r53 | slightly off topic, is there a reason keystone isn't listed here: https://docs.openstack.org/2023.1/projects.html ? | 15:32 |
| hiromu | I think d34dh0r53 has given us the answer that https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html can be appropriate last week. | 15:33 |
| dmendiza[m] | hiromu https://opendev.org/openstack/keystonemiddleware/src/branch/master/doc/source | 15:33 |
| dmendiza[m] | d34dh0r53: seems like a doc site bug. For some reason Identity doesn't show up in the stable branches | 15:33 |
| d34dh0r53 | yes hiromu that is correct, I think that's where it should go and I should have moved that topic to the archive | 15:34 |
| zaitcev | indeed, this seems to contain Identity: https://docs.openstack.org/2023.2/projects.html | 15:34 |
| d34dh0r53 | #action d34dh0r53 look into doc bug of missing Identity section on https://docs.openstack.org/2023.1/projects.html | 15:34 |
| hiromu | thanks d34dh0r53: and dmendiza: | 15:35 |
| d34dh0r53 | ack, that does it for open discussion | 15:35 |
| d34dh0r53 | #topic bug review | 15:36 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:36 |
| d34dh0r53 | no new bugs for keystone | 15:36 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:36 |
| d34dh0r53 | nor for python-keystoneclient | 15:37 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:37 |
| d34dh0r53 | keystoneauth is good | 15:37 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:37 |
| d34dh0r53 | as it keystonemiddleware | 15:37 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:37 |
| d34dh0r53 | pycadf is clean | 15:38 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:38 |
| d34dh0r53 | and ldappool is also clean | 15:38 |
| d34dh0r53 | #topic conclusion | 15:38 |
| d34dh0r53 | No reviewathon this week as it's a recharge day for Red Hat | 15:39 |
| d34dh0r53 | anyone have anything else before we close? | 15:39 |
| zaitcev | Guess not. | 15:40 |
| d34dh0r53 | guess not :) | 15:42 |
| d34dh0r53 | thanks folks! | 15:42 |
| d34dh0r53 | #endmeeting | 15:42 |
| opendevmeet | Meeting ended Wed Aug 16 15:42:39 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:42 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-08-16-15.01.html | 15:42 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-08-16-15.01.txt | 15:42 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-08-16-15.01.log.html | 15:42 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!