Wednesday, 2024-05-29

00:38 *** dasm is now known as Guest7895
09:56 <tkajinam> o/ https://review.opendev.org/c/openstack/keystone/+/919717 needs some attention to restore functional tests
09:58 <tkajinam> d34dh0r53, dmendiza[m] ^^^ fyi
14:07 *** whoami-rajat_ is now known as whoami-rajat
15:02 <d34dh0r53> #startmeeting keystone
15:02 <opendevmeet> Meeting started Wed May 29 15:02:24 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02 <opendevmeet> The meeting name has been set to 'keystone'
15:02 <d34dh0r53> #topic roll call
15:02 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:02 <gtema> o/
15:02 <mharley[m]> o/
15:02 <d34dh0r53> o/
15:04 <d34dh0r53> #topic review past meeting work items
15:04 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-22-15.01.html
15:04 <d34dh0r53> I've been thinking about my action item and I think it's best to handle those things with release notes and not have a known issues as I don't think anyone has the bandwidth to maintain it
15:05 <d34dh0r53> So...without any objections I'll punt on the known issues section
15:06 <gtema> wfm
15:06 <d34dh0r53> cool
15:06 <d34dh0r53> moving on
15:07 <d34dh0r53> #topic liaison updates
15:07 <d34dh0r53> nothing from VMT or releases
15:08 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:08 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/kdtXgbfJHgyeUToLyMzvoNEp>)
15:09 <d34dh0r53> I'm going to work on rebasing the last outstanding patch and see how it goes
15:09 <d34dh0r53> next up we have
15:10 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/pHxYbHZRGakynbkUtTdYMcJo>)
15:11 <d34dh0r53> dmendiza: you around?
15:13 <dmendiza[m]> 🙋
15:13 <dmendiza[m]> I don't think we have any SRBAC updates this week?
15:13 <dmendiza[m]> Maybe just the tempest-plugin 0.16.0 release?
15:14 <d34dh0r53> Yeah, we released a new version of keystone-tempest-plugin last week, it contains the latest SRBAC testing fixes
15:15 <dmendiza[m]> #link https://releases.openstack.org/dalmatian/index.html#keystone-tempest-plugin
15:17 <d34dh0r53> awesome, thanks dmendiza !
15:18 <d34dh0r53> next up
15:18 <d34dh0r53> #topic specification Improve federated users management (gtema) (on-hold until 05/29)
15:18 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748
15:18 <d34dh0r53> gtema: revoke support for the approach
15:18 <gtema> this one is going to be long
15:18 <gtema> I was thinking for a long time, prototyping, modelling
15:19 <gtema> talking also to mnasser on his tour across Europe
15:19 <gtema> and came to the conclusion that the approach is wrong. You should not try to model roles/projects/users/groups/domains mapping outside of Keystone
15:19 <gtema> and leave IdP to take care of users and groups
15:20 <gtema> with https://github.com/vexxhost/keystone-keycloak-backend it is very easy to get users visible in Keystone
15:20 <gtema> and once user is disabled in Keycloak (external IdP) it becomes immediately applied on Keystone side and user is not able to continue accessing cloud i.e. using ApplicationCredentials
15:21 <gtema> note: this is not the case with ephemeral users
15:21 <gtema> BUT
15:21 <gtema> Keystone docs recommend to create out-of-tree drivers for cases like that - all good
15:21 <gtema> the problem comes with configuration of out-of-tree backend drivers
15:22 <gtema> option a) FS (as domain_specific configs)
15:22 <gtema> this option works great except that it requires restart of keystone once you add new domain - this is a no go
15:22 <gtema> option b) DB
15:23 <gtema> here there is a problem that current implementation does not allow drivers to have their own configuration
15:23 <gtema> and more than that, the API of domain_configs is hardcoding options that can be set
15:23 <gtema> so now let's come to questions:
15:24 <gtema> what is the preferred/recommended way of dealing with config here: FS or DB?
15:25 <gtema> for the reference: https://docs.openstack.org/keystone/latest/admin/configuration.html#domain-specific-configuration
15:26 <gtema> Statement from docs: "Unlike the file-based method of specifying domain-specific configurations, options specified via the Identity API will become active without needing to restart the keystone server."
15:27 <d34dh0r53> Right, may have to wait for the cache to expire but no restart needed
15:27 <gtema> right
15:28 <gtema> from my pov using FS for config is not really an option for out-of-tree drivers. That leaves only DB
15:28 <gtema> and here I need to change 2 things in Keystone:
15:29 <gtema> a) allow out-of-tree drivers to register custom options (so that at least Keystone doesn't crash once I place them into DB)
15:29 <gtema> b) extend config to allow adding new driver specific options into the domain_config api
15:30 <gtema> https://opendev.org/openstack/keystone/src/branch/master/keystone/resource/core.py#L1048
15:30 <gtema> the link points to the place where current options are hardcoded
15:30 <gtema> fixing a) is something like 5 lines of code
15:30 <gtema> fixing b) seems also relatively straightforward
15:31 <gtema> BUT I need to know whether you are fine with that
15:31 <gtema> basically docs suggest people should go for out-of-tree drivers, but current code base makes it terribly hard to configure such drivers in such case
15:33 <d34dh0r53> I'm fine with it, I think keystone is moving in this direction and making the configuration easier for out of tree drivers is a win-win
15:33 <gtema> perfect. Then I'll polish my changes in next days
15:33 <d34dh0r53> Excellent!
15:34 <d34dh0r53> Thank you gtema (Artem Goncharov) !
15:34 <gtema> wlcm.
15:34 <gtema> I am going to write better docs on how to establish federation for a real life once everything stabilizes
15:35 <d34dh0r53> sweet
15:35 <gtema> and wrt the point on the tracker: I am pulling off my support for the mentioned spec
15:35 <gtema> and instead focus on this alternative way
15:35 <d34dh0r53> okay
15:36 <gtema> that's it from me on the topic
15:36 <d34dh0r53> thanks!
15:36 <d34dh0r53> next up
15:36 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:36 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:36 <d34dh0r53> gtema: waiting for reviews
15:37 <gtema> waiting for the spec to land. The one for Nova was merged recently
15:37 <d34dh0r53> cool, dmendiza , Grzegorz Grasza ^ can y'all review?
15:38 <d34dh0r53> #topic open discussion
15:38 <d34dh0r53> passlib update
15:38 <d34dh0r53> no update from me, I'm going to pin in the upper-requirements for now
15:39 <d34dh0r53> domain manager (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/LkRBdKyQlgcNtIMSmDMIFiWc>)
15:39 <d34dh0r53> This needs reviews
15:40 <gtema> I restored my +1, last changes are polishing phrasing
15:40 <gtema> would be really great to land this one soon, since it is also one dependency of having federation to external IdP
15:42 <d34dh0r53> indeed
15:43 <d34dh0r53> domain list scoping fix (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/dgBmgIPIkmxSDHRtBPdfUGQf>)
15:43 <d34dh0r53> I think this was on hold as well, can I remove the WIP?
15:44 <d34dh0r53> I don't think mhen is around today, so we'll move on for the sake of time
15:44 <d34dh0r53> Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/xPvMPjeJnSzhIGXjRjozjnPJ>)
15:45 <d34dh0r53> I think this is mostly done, just a couple more reviews and perhaps backporting of 916707
15:47 <d34dh0r53> cool, moving on
15:47 <d34dh0r53> unless anyone has something not on the agenda for open discussion
15:47 <gtema> not from me
15:47 <d34dh0r53> #topic bug review
15:47 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:48 <d34dh0r53> no new bugs for keystone
15:48 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:48 <d34dh0r53> nothing new for python-keystoneclient
15:48 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:49 <d34dh0r53> no new bugs for keystoneauth
15:49 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:49 <d34dh0r53> keystonemiddleware is good
15:49 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:49 <d34dh0r53> pycadf doesn't have any new issues
15:50 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:50 <d34dh0r53> nor does ldappool
15:50 <d34dh0r53> #topic conclusion
15:50 <d34dh0r53> Nothing from me, thanks all!
15:50 <gtema> thanks
15:50 <d34dh0r53> #endmeeting
15:50 <opendevmeet> Meeting ended Wed May 29 15:50:55 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:50 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.html
15:50 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.txt
15:50 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.log.html

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!