*** dasm is now known as Guest7895 | 00:38 | |
tkajinam | o/ https://review.opendev.org/c/openstack/keystone/+/919717 needs some attention to restore functional tests | 09:56 |
---|---|---|
tkajinam | d34dh0r53, dmendiza[m] ^^^ fyi | 09:58 |
*** whoami-rajat_ is now known as whoami-rajat | 14:07 | |
d34dh0r53 | #startmeeting keystone | 15:02 |
opendevmeet | Meeting started Wed May 29 15:02:24 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
opendevmeet | The meeting name has been set to 'keystone' | 15:02 |
d34dh0r53 | #topic roll call | 15:02 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema | 15:02 |
gtema | o/ | 15:02 |
mharley[m] | o/ | 15:02 |
d34dh0r53 | o/ | 15:02 |
d34dh0r53 | #topic review past meeting work items | 15:04 |
d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-22-15.01.html | 15:04 |
d34dh0r53 | I've been thinking about my action item and I think it's best to handle those things with release notes and not have a known issues as I don't think anyone has the bandwidth to maintain it | 15:04 |
d34dh0r53 | So...without any objections I'll punt on the known issues section | 15:05 |
gtema | wfm | 15:06 |
d34dh0r53 | cool | 15:06 |
d34dh0r53 | moving on | 15:06 |
d34dh0r53 | #topic liaison updates | 15:07 |
d34dh0r53 | nothing from VMT or releases | 15:07 |
d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:08 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/kdtXgbfJHgyeUToLyMzvoNEp>) | 15:08 |
d34dh0r53 | I'm going to work on rebasing the last outstanding patch and see how it goes | 15:09 |
d34dh0r53 | next up we have | 15:09 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m])... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/pHxYbHZRGakynbkUtTdYMcJo>) | 15:10 |
d34dh0r53 | dmendiza: you around? | 15:11 |
dmendiza[m] | 🙋 | 15:13 |
dmendiza[m] | I don't htink we have any SRBAC udpates this week? | 15:13 |
dmendiza[m] | Maybe just the tempest-plugin 0.16.0 release? | 15:13 |
d34dh0r53 | Yeah, we released a new version of keystone-tempest-plugin last week, it contains the latest SRBAC testing fixes | 15:14 |
dmendiza[m] | #link https://releases.openstack.org/dalmatian/index.html#keystone-tempest-plugin | 15:15 |
d34dh0r53 | awesome, thanks dmendiza ! | 15:17 |
d34dh0r53 | next up | 15:18 |
d34dh0r53 | #topic specification Improve federated users management (gtema) (on-hold until 05/29) | 15:18 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 | 15:18 |
d34dh0r53 | gtema: revoke support for the approach | 15:18 |
gtema | this one is going to be long | 15:18 |
gtema | I was thinking long time, prototyping, modelling | 15:18 |
gtema | talking also to mnasser on his tour across Europe | 15:19 |
gtema | and came to conclusion, that the approach is wrong. You should not try to model roles/projects/users/groups/domains mapping outside of Keystone | 15:19 |
gtema | and leave IdP to take care of users and groups | 15:19 |
gtema | with https://github.com/vexxhost/keystone-keycloak-backend it is very easy to get users visible in Keystone | 15:20 |
gtema | and once user is disabled in Keycloak (external IdP) it becomes immediately applied on Keystone side and user is not able to continue accessing cloud i.e. using ApplicationCredentials | 15:20 |
gtema | note: this is not the case with ephemeral users | 15:21 |
gtema | BUT | 15:21 |
gtema | Keystone docs recommend to create out-of tree drivers for cases like that - all good | 15:21 |
gtema | the problem comes with configuration of out-of-tree backend drivers | 15:21 |
gtema | option a) FS (as domain_specific configs) | 15:22 |
gtema | this option works great except that it requires restart of keystone once you add new domain - this is a no go | 15:22 |
gtema | option b) DB | 15:22 |
gtema | here there is a problem that current implementation does not allow having drivers their own configuration | 15:23 |
gtema | and more then that, the API of domain_configs is hardcoding options that can be set | 15:23 |
gtema | so now let's come to questions: | 15:23 |
gtema | what is the preferred/recommended way dealing with config here: FS or DB? | 15:24 |
gtema | for the reference: https://docs.openstack.org/keystone/latest/admin/configuration.html#domain-specific-configuration | 15:25 |
gtema | Statement from docs: "Unlike the file-based method of specifying domain-specific configurations, options specified via the Identity API will become active without needing to restart the keystone server." | 15:26 |
d34dh0r53 | Right, may have to wait for the cache to expire but no restart needed | 15:27 |
gtema | right | 15:27 |
gtema | from my pov using FS for config is not really an option for out-of-tree drivers. That leaves only DB | 15:28 |
gtema | and here I need to change 2 things in Keystone: | 15:28 |
gtema | a) allow out-of-tree drivers to register custom options (so that at least Keystone doesn't crash once I place them into DB) | 15:29 |
gtema | b) extend config to allow adding new driver specific options into the comain_config api | 15:29 |
gtema | https://opendev.org/openstack/keystone/src/branch/master/keystone/resource/core.py#L1048 | 15:30 |
gtema | the link points to the place where current options are hardcoded | 15:30 |
gtema | fixing a) is something like 5 lines of code | 15:30 |
gtema | fixing b) seems also relatively strait forward | 15:30 |
gtema | BUT I need to know whether you are fine with that | 15:31 |
gtema | basically docs suggest people should go for out-of-tree drivers, but current code base makes it terrible hard to configure such drivers in such case | 15:31 |
d34dh0r53 | I'm fine with it, I think keystone is moving in this direction and making the configuration easier for out of tree drivers is a win-win | 15:33 |
gtema | perfect. Then I' polish my changes in next days | 15:33 |
d34dh0r53 | Excellent! | 15:33 |
d34dh0r53 | Thank you gtema (Artem Goncharov) ! | 15:34 |
gtema | wlcm. | 15:34 |
gtema | I am going to write better docs on how to establish federation for a real life once everything stabilizes | 15:34 |
d34dh0r53 | sweet | 15:35 |
gtema | and wrt the point on the tracker: I am pulling off my support for the mentioned spec | 15:35 |
gtema | and instead focus on this alternative way | 15:35 |
d34dh0r53 | okay | 15:35 |
gtema | that's it from me on the topic | 15:36 |
d34dh0r53 | thanks! | 15:36 |
d34dh0r53 | next up | 15:36 |
d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:36 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 | 15:36 |
d34dh0r53 | gtema: waiting for reviews | 15:36 |
gtema | waitign for the spec to land. The one for Nova was merged recently | 15:37 |
d34dh0r53 | cool, dmendiza , Grzegorz Grasza ^ can y'all review? | 15:37 |
d34dh0r53 | #topic open discussion | 15:38 |
d34dh0r53 | 'passlib update | 15:38 |
d34dh0r53 | no update from me, I'm going to pin in the upper-requirements for now | 15:38 |
d34dh0r53 | domain manager (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/LkRBdKyQlgcNtIMSmDMIFiWc>) | 15:39 |
d34dh0r53 | This needs reviews | 15:39 |
gtema | i restored my +1, last changes are polishing phrasing | 15:40 |
gtema | would be really great to land this one soon, since it is also a one dependency of having federation to external IdP | 15:40 |
d34dh0r53 | indeed | 15:42 |
d34dh0r53 | domain list scoping fix (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/dgBmgIPIkmxSDHRtBPdfUGQf>) | 15:43 |
d34dh0r53 | I think this was on hold as well, can I remove the WIP? | 15:43 |
d34dh0r53 | I don't think mhen is around today, so we'll move on for the sake of time | 15:44 |
d34dh0r53 | Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/xPvMPjeJnSzhIGXjRjozjnPJ>) | 15:44 |
d34dh0r53 | I think this is mostly done, just a couple more reviews and perhaps backporting of 916707 | 15:45 |
d34dh0r53 | cool, moving on | 15:47 |
d34dh0r53 | unless anyone has something not on the agenda for open discussion | 15:47 |
gtema | not from me | 15:47 |
d34dh0r53 | #topic bug review | 15:47 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:47 |
d34dh0r53 | no new bugs for keystone | 15:48 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:48 |
d34dh0r53 | nothing new for python-keystoneclient | 15:48 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:48 |
d34dh0r53 | no new bugs for keystoneauth | 15:49 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:49 |
d34dh0r53 | keystonemiddleware is good | 15:49 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:49 |
d34dh0r53 | pycadf doesn't have any new issues | 15:49 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:50 |
d34dh0r53 | nor does ldappool | 15:50 |
d34dh0r53 | #topic conclusion | 15:50 |
d34dh0r53 | Nothing from me, thanks all! | 15:50 |
gtema | thanks | 15:50 |
d34dh0r53 | #endmeeting | 15:50 |
opendevmeet | Meeting ended Wed May 29 15:50:55 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:50 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.html | 15:50 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.txt | 15:50 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.log.html | 15:50 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!