| *** mhen_ is now known as mhen | 02:28 | |
| *** mklejn__ is now known as mklejn | 09:05 | |
| opendevreview | Takashi Kajinami proposed openstack/keystone master: Update regex to detect closed branch https://review.opendev.org/c/openstack/keystone/+/912727 | 10:27 |
|---|---|---|
| opendevreview | Takashi Kajinami proposed openstack/keystone master: Deprecate templated catalog driver https://review.opendev.org/c/openstack/keystone/+/912766 | 13:10 |
| tkajinam | xek, dmendiza[m] I wonder what you think about ^^^. if that makes sense then we may want to merge it before 2024.1 rc | 13:11 |
| tkajinam | (it seems d34dh0r53 is not online now | 13:11 |
| opendevreview | Josephine Seifert proposed openstack/keystone-specs master: Add identity spec for domain-manager persona https://review.opendev.org/c/openstack/keystone-specs/+/903172 | 13:43 |
| Luzi | dmendiza[m], if you have some time, could you look at this spec^ ? thank you | 13:43 |
| *** blarnath is now known as d34dh0r53 | 14:51 | |
| d34dh0r53 | #startmeeting keystone | 15:01 |
| opendevmeet | Meeting started Wed Mar 13 15:01:32 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:01 |
| d34dh0r53 | #topic roll call | 15:01 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema | 15:01 |
| d34dh0r53 | o/ | 15:01 |
| gtema | o/ | 15:02 |
| dmendiza[m] | 🙋 | 15:02 |
| d34dh0r53 | #topic review past meeting work items | 15:03 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-28-15.02.html | 15:03 |
| d34dh0r53 | no updates on my action items | 15:03 |
| d34dh0r53 | #action d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:03 |
| d34dh0r53 | d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:03 |
| d34dh0r53 | #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:03 |
| d34dh0r53 | moving on | 15:03 |
| d34dh0r53 | #topic liaison updates | 15:04 |
| d34dh0r53 | nothing from VMT, | 15:04 |
| d34dh0r53 | working on approving all of the caracal-1 things | 15:04 |
| d34dh0r53 | for release management | 15:04 |
| d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:04 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:05 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:05 |
| d34dh0r53 | External OAuth 2.0 Specification | 15:05 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:05 |
| d34dh0r53 | OAuth 2.0 Implementation | 15:05 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:05 |
| d34dh0r53 | OAuth 2.0 Documentation | 15:05 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 | 15:05 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 | 15:05 |
| d34dh0r53 | hmm, hiromu hasn't been around in quite a while, anyone know what the status of this work is? | 15:06 |
| d34dh0r53 | ok, next up | 15:08 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:08 |
| d34dh0r53 | Secure RBAC (dmendiza[m]) | 15:08 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:08 |
| d34dh0r53 | 2024.1 Release Timeline | 15:08 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:08 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:08 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged) | 15:08 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 | 15:08 |
| mharley | o/ | 15:08 |
| d34dh0r53 | hi mharley, welcome :) | 15:08 |
| dmendiza[m] | ^^ was also merged. | 15:08 |
| d34dh0r53 | woot | 15:09 |
| mharley | Hi. Thanks! | 15:09 |
| dmendiza[m] | Next, I'm working on getting Keystone tested in the Tempest repo | 15:09 |
| dmendiza[m] | Tempest already has an SRBAC test, but it is not currently testing Keystone | 15:09 |
| dmendiza[m] | WIP patch is here: | 15:10 |
| d34dh0r53 | ahh | 15:10 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/tempest/+/912489 | 15:10 |
| dmendiza[m] | Two issues so far | 15:10 |
| dmendiza[m] | First, I'm trying to figure out how Tempest decides the scope of the admin clients | 15:10 |
| dmendiza[m] | Tempest has an option to auto-create networks when dynamically creating accounts | 15:10 |
| dmendiza[m] | but it's using the wrong scope to do it | 15:11 |
| dmendiza[m] | so it is currently failing for SRBAC | 15:11 |
| dmendiza[m] | There seem to be some inconsistencies in the devstack plugin that sets up srbac for keystone | 15:12 |
| d34dh0r53 | that's not surprising :) | 15:12 |
| dmendiza[m] | I am unsure why policy.yaml needs to be set here: | 15:12 |
| dmendiza[m] | #link https://opendev.org/openstack/keystone/src/branch/master/devstack/lib/scope.sh#L18 | 15:12 |
| dmendiza[m] | Also admin_system is supposed to be set to all, but it is currently set to true: | 15:12 |
| dmendiza[m] | #link https://opendev.org/openstack/keystone/src/branch/master/devstack/lib/scope.sh#L24 | 15:12 |
| dmendiza[m] | We also probably want to use... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/SZzFqKcjIZODNjTeQrtWdcIL>) | 15:13 |
| d34dh0r53 | hmm | 15:13 |
| dmendiza[m] | instead of what we currently use: [identity-feature-enabled] enforce_scope = true | 15:13 |
| dmendiza[m] | #link https://opendev.org/openstack/keystone/src/branch/master/devstack/lib/scope.sh#L23 | 15:14 |
| d34dh0r53 | yeah, I think we definitely want to switch to that | 15:14 |
| d34dh0r53 | although the docs are pretty confusing | 15:14 |
| dmendiza[m] | So yeah, more work to do in SRBAC | 15:14 |
| d34dh0r53 | ack, thanks dmendiza[m] | 15:15 |
| d34dh0r53 | next up | 15:15 |
| d34dh0r53 | #topic specification Improve federated users management (gtema) | 15:15 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews | 15:15 |
| gtema | so after you last review there were minor nits to the spec and it was updated | 15:16 |
| d34dh0r53 | I saw that, I'll take some to to re-review this week | 15:16 |
| gtema | and since there were also again questions about mess in federation setup I decided to do "-1" on the way of api change, since it only makes it more complex | 15:16 |
| gtema | but sadly after that Rafael is not responding | 15:16 |
| gtema | I would appreciate if you analyze this particular issue on your re-review | 15:17 |
| d34dh0r53 | yes, I will focus on that | 15:17 |
| gtema | perfect, thanks | 15:18 |
| d34dh0r53 | no problem, anything else on that? | 15:18 |
| gtema | btw, I proposed https://review.opendev.org/c/openstack/keystone-specs/+/910584 for next cycle to start improving openapi life | 15:18 |
| d34dh0r53 | great, I'll take a look at that as well | 15:18 |
| gtema | great. This is a "copy" of same for Nova, so it is not something totally crazy | 15:19 |
| d34dh0r53 | excellent | 15:19 |
| d34dh0r53 | #topic open discussion | 15:21 |
| d34dh0r53 | passlib update | 15:21 |
| d34dh0r53 | The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug | 15:21 |
| d34dh0r53 | #link https://foss.heptapod.net/python-libs/passlib/-/issues/190 | 15:21 |
| d34dh0r53 | The maintainer is working on setting up some more core reviewers and maintainers so the project so that the project will no longer be unmaintained | 15:21 |
| gtema | I noticed that today as well, great news | 15:21 |
| d34dh0r53 | I think we can just hold on and wait for an updated passlib which is nice and should save us quite a bit of work in trying to remove it | 15:21 |
| gtema | but also he himself admitted it got too complex - this is exactly what I observed looking at the code | 15:22 |
| gtema | its over-designed | 15:22 |
| d34dh0r53 | indeed, I think multiple project realized the same thing. Hopefully going forward it will be streamlined into what people use it for | 15:23 |
| gtema | right | 15:23 |
| d34dh0r53 | based on the feedback from the maintenance status bug I think several projects will step up to help maintain it as it's used in a *lot* of places | 15:24 |
| gtema | indeed. Would be great to see that | 15:24 |
| d34dh0r53 | anything else for open-discussion? | 15:24 |
| fungi | just a heads up that i proposed backports of https://review.opendev.org/c/openstack/keystone/+/908850 to all open branches because otherwise they're just going to lead to zuul configuration errors as soon as the node labels are removed (which for centos-7 will be friday, but the others will be soon as well) | 15:25 |
| fungi | in order to expedite things, i may just go ahead and bypass gating to merge those directly in gerrit, if there are no objections | 15:26 |
| fungi | #link https://review.opendev.org/q/topic:%22drop-centos-7%22 | 15:26 |
| d34dh0r53 | thanks fungi, I have no objections | 15:26 |
| fungi | appreciated | 15:26 |
| d34dh0r53 | likewise! | 15:27 |
| fungi | mainly, some branches are in a bad enough state that the cleanup simply can't be merged any other way without disabling or fixing lots of other jobs in the process | 15:27 |
| d34dh0r53 | yeah :/ | 15:29 |
| d34dh0r53 | moving on | 15:32 |
| d34dh0r53 | #topic bug review | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:32 |
| d34dh0r53 | no new bugs for keystone | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:32 |
| d34dh0r53 | nor for python-keystoneclient | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | keystoneauth is good | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | so is keystonemiddleware | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | nothing new for pycadf | 15:34 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:34 |
| d34dh0r53 | ldappool is also good to go | 15:34 |
| d34dh0r53 | #topic conclusion | 15:34 |
| d34dh0r53 | Reminder to register for the PTG | 15:35 |
| d34dh0r53 | #link https://ptg2024.openinfra.dev | 15:35 |
| d34dh0r53 | It's free and virtual | 15:35 |
| d34dh0r53 | I'm thinking about hosting 2 1-hour sessions, but if we need more please let me know and I can add them | 15:35 |
| d34dh0r53 | That does it for me, thanks folks! | 15:36 |
| d34dh0r53 | #endmeeting | 15:37 |
| opendevmeet | Meeting ended Wed Mar 13 15:37:01 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:37 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-13-15.01.html | 15:37 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-13-15.01.txt | 15:37 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-13-15.01.log.html | 15:37 |
| tkajinam | d34dh0r53, oops sorry I wasn't aware we had irc meeting today... | 16:26 |
| tkajinam | was wondering if I can ask for your thoughts on https://review.opendev.org/c/openstack/keystone/+/912766 | 16:26 |
| tkajinam | mainly if we want to have it to 2024.1 so that we can make an early decision | 16:27 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!