Wednesday, 2024-06-26

*** mhen_ is now known as mhen [01:30]
<opendevreview> Rafael Weingartner proposed openstack/keystone-specs master: Keystone identity mapping to support project definition as a JSON  https://review.opendev.org/c/openstack/keystone-specs/+/748748 [11:31]
<d34dh0r53> #startmeeting keystone [15:01]
<opendevmeet> Meeting started Wed Jun 26 15:01:28 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. [15:01]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [15:01]
<opendevmeet> The meeting name has been set to 'keystone' [15:01]
<d34dh0r53> #topic roll call [15:01]
<d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema [15:01]
<gtema> o/ [15:02]
<Luzi> o/ [15:02]
<jph> o/ [15:02]
<mhen> o/ [15:03]
<d34dh0r53> Hello everyone, let's get started [15:04]
<d34dh0r53> #topic review past meeting work items [15:04]
<d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-12-15.03.html [15:04]
<d34dh0r53> no work items to review from two weeks ago [15:05]
<d34dh0r53> #topic liaison updates [15:05]
<d34dh0r53> nothing from releases or vmt [15:05]
<d34dh0r53> #topic specification OAuth 2.0 (hiromu) [15:06]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext [15:06]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability [15:07]
<d34dh0r53> External OAuth 2.0 Specification [15:07]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) [15:07]
<d34dh0r53> OAuth 2.0 Implementation [15:07]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls [15:07]
<d34dh0r53> OAuth 2.0 Documentation [15:07]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) [15:07]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) [15:07]
<d34dh0r53> There are a few more to merge, I should have some cycles to work on these over the next couple of weeks [15:08]
<gtema> there are some changes with merge conflict as of now [15:08]
<gtema> but those are not in keystone [15:09]
<d34dh0r53> yeah, I'm not sure if I'll work on the non-keystone stuff [15:09]
<d34dh0r53> maybe I can sync with dmendiza on the barbican ones [15:09]
<gtema> oh, the doc change for keystone is also in merge conflict [15:09]
<gtema> I am not sure https://review.opendev.org/c/openstack/keystoneauth/+/876746 should land [15:11]
<gtema> it seems like a backport [15:11]
<dmendiza[m]> 🙋 [15:12]
<d34dh0r53> hi dmendiza [15:12]
<opendevreview> Markus Hentsch proposed openstack/keystone-specs master: Add identity spec for Domain Manager persona  https://review.opendev.org/c/openstack/keystone-specs/+/903172 [15:15]
<Luzi> is this meeting still going on? [15:20]
<gtema> yes Luzi [15:20]
<d34dh0r53> Yeah, sorry, was sidetracked with the keystoneauth patch [15:20]
<d34dh0r53> moving on [15:20]
<d34dh0r53> #topic specification Secure RBAC ( dmendiza ) [15:21]
<d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ [15:21]
<d34dh0r53> 2024.1 Release Timeline [15:21]
<d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True [15:21]
<d34dh0r53> Update oslo.policy in keystone to enforce_scope=True [15:21]
<dmendiza[m]> No updates from me.  We should probably look at the above patch [15:21]
<dmendiza[m]> for Domain Manager [15:22]
<d34dh0r53> Yeah, that's in the open discussion section, but we can talk about it now [15:22]
<gtema> yeah, let's do it [15:22]
<mhen> I just rebased it (hence the bot ping above). Should I move it to the 2024.2 subdirectory? (it's still in 2024.1) [15:23]
<gtema> I would rather keep it since otherwise all precious reviews are gone [15:23]
<gtema> and it takes so long to get them [15:23]
<d34dh0r53> I think 2024.1 is ok [15:23]
<mhen> ok [15:24]
<dmendiza[m]> Not the branch, but the directory [15:24]
<dmendiza[m]> I would prefer it be updated to reflect when it merges [15:24]
<dmendiza[m]> I'm sure it can be updated in the same gerrit patch? 🤔 [15:24]
<gtema> can we then do the following: a follow-up that moves it to 2024.2? [15:24]
<dmendiza[m]> gtema (Artem Goncharov): sure, moving it after works for me [15:25]
<d34dh0r53> works for me [15:25]
<gtema> perfect, then only your review is open dmendiza [15:25]
<dmendiza[m]> ack, will review asap [15:27]
<gtema> thks a lot [15:27]
<mhen> thank you :) [15:27]
<mhen> btw, is there a spec freeze deadline for Keystone? [15:27]
<d34dh0r53> looking now [15:29]
<gtema> actually next week (milestone-2) is, so to say, a deadline for specs, but projects are capable of defining their own deadline for specs [15:29]
<gtema> i.e. Nova does it a bit later (+2 weeks) [15:29]
<gtema> https://releases.openstack.org/dalmatian/schedule.html [15:30]
<d34dh0r53> Yeah, we're next week [15:30]
<gtema> so we should do everything possible to land it by that time [15:30]
<dmendiza[m]> +1 [15:30]
<mhen> that would be very appreciated [15:31]
<gtema> mhen - I suggest you can start implementation [15:31]
<gtema> not to waste time [15:31]
<gtema> "under expectation" [15:32]
<gtema> let's please move on, time ticks [15:33]
<d34dh0r53> ack, I think we're good on that spec and SRBAC [15:33]
<d34dh0r53> next up [15:33]
<d34dh0r53> #topic specification Improve federated users management (gtema) [15:33]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/920892 [15:34]
<gtema> I am waiting (still) for reviews [15:34]
<d34dh0r53> I'll review this week [15:34]
<gtema> thks a lot Dave Wilde (d34dh0r53) [15:34]
<d34dh0r53> dmendiza, Grzegorz Grasza please take a look as well [15:35]
<d34dh0r53> next up [15:35]
<d34dh0r53> #topic specification OpenAPI support (gtema) [15:35]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged) [15:35]
<d34dh0r53> gtema: design started [15:35]
<gtema> cool, we started similar stuff on Manila and Nova [15:36]
<gtema> I will push a change in the next days to add a new job that generates OpenAPI spec [15:36]
<gtema> it will not be used so far, but necessary to see the progress of moving schemas into the Keystone code base [15:36]
<gtema> so in the next days changes will start appearing [15:36]
<d34dh0r53> great! [15:36]
<gtema> that's it so far [15:37]
<d34dh0r53> #topic open discussion [15:37]
<d34dh0r53> passlib update [15:37]
<d34dh0r53> no movement upstream in the passlib project [15:37]
<d34dh0r53> in the meantime I've pinned bcrypt in the requirements [15:38]
<gtema> that's a real crap with upstream [15:38]
<d34dh0r53> #link https://review.opendev.org/c/openstack/requirements/+/921873 [15:38]
<d34dh0r53> yep, it sucks [15:38]
<gtema> as I have tried to start switching it appeared to be quite a dirty work in some algorithms [15:38]
<gtema> but apparently there is no way around it - it feels like a dead end for passlib [15:39]
<d34dh0r53> there are several people willing to take over maintenance of passlib but the maintainer has gone dark again without giving anyone access [15:40]
<d34dh0r53> I'll keep pinging on the open tickets [15:40]
<d34dh0r53> maybe it's time for a fork [15:40]
<gtema> ah - not sure this is a good idea - there are too many very dirty things inside [15:41]
<gtema> and it's imho better to get rid of it as such - that's going to be clearer [15:41]
<d34dh0r53> do you have the cycles to do that work? [15:42]
<gtema> well, all depends on priorities [15:42]
<d34dh0r53> indeed :) [15:42]
<gtema> in principle - yes, but I can't commit it would be ready this cycle [15:42]
<d34dh0r53> I think the pin will suffice for this release [15:43]
<gtema> I think we are good now with the pin and in the meanwhile I start (slowly) getting rid of passlib [15:43]
<gtema> correct [15:43]
<d34dh0r53> ack, thanks gtema (Artem Goncharov) ! [15:43]
<dmendiza[m]> I'm curious, what are the alternatives to passlib ? 🤔 [15:43]
<gtema> no alternatives. Basically passlib is just a wrapper around native things like bcrypt and scrypt [15:44]
<gtema> so it's sort of single API for those [15:44]
<dmendiza[m]> Oh, so just rewrite in cryptography.io probably [15:44]
<gtema> that's the point - I was able to achieve this [15:44]
<gtema> but the most complex thing is that passlib does some black magic in bcrypt pass [15:45]
<gtema> and it is a problem to keep backward compatibility not forcing people changing their passwords [15:45]
<gtema> just start using cryptography is very simple in reality [15:46]
<dmendiza[m]> I see ... 🤔 [15:48]
<d34dh0r53> moving on for time [15:48]
<d34dh0r53> we already talked about the domain manager patch [15:48]
<d34dh0r53> so the last item in open discussion is [15:48]
<d34dh0r53> domain list scoping fix (mhen) [15:48]
<d34dh0r53> the main fix was merged a while ago: https://review.opendev.org/c/openstack/keystone/+/900028 [15:48]
<d34dh0r53> Q: is https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 still applicable? [15:48]
<d34dh0r53> it would have been a necessary adjustment to the tempest tests after the above merge but tests have been restructured in the meantime (mentioned at PTG) [15:49]
<gtema> dmendiza's final blessing is required [15:49]
<gtema> as he left a few -1 in the past [15:49]
<gtema> great, it works ;-) [15:51]
<d34dh0r53> book [15:51]
<d34dh0r53> err, boom [15:51]
<d34dh0r53> thanks dmendiza [15:52]
<dmendiza[m]> lgtm [15:52]
<gtema> next thing in "open" - is the review-a-thon taking place? 2 last Fridays I waited in an empty meeting [15:52]
<d34dh0r53> For sure it will happen this week [15:52]
<gtema> awesome [15:53]
<d34dh0r53> sorry, some unexpected PTO on my part [15:53]
<gtema> np [15:53]
<d34dh0r53> #topic bug review [15:53]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 [15:53]
<d34dh0r53> we have a new bug filed against keystone [15:53]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2069960 [15:53]
<d34dh0r53> That should be a pretty easy fix but I'm not sure about the backportability [15:54]
<gtema> if that is going to happen it will influence my OpenAPI stuff and similar, since I have seen places around the OpenStack "consuming" tools with length limit (explicitly in the strong-typed languages) [15:54]
<gtema> generally I am not having any issues with that, but it definitely has an impact [15:55]
<d34dh0r53> yeah [15:55]
<d34dh0r53> I just looked, we don't have new bugs in any of the remaining projects [15:57]
<d34dh0r53> #topic conclusion [15:58]
<d34dh0r53> anything else before we go? [15:58]
<gtema> not for me [15:58]
<d34dh0r53> thanks everyone! [16:01]
<d34dh0r53> #endmeeting [16:01]
<opendevmeet> Meeting ended Wed Jun 26 16:01:54 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [16:01]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-26-15.01.html [16:01]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-26-15.01.txt [16:01]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-26-15.01.log.html [16:01]
<gtema> thanks, see you [16:02]
<opendevreview> Merged openstack/keystone-tempest-plugin master: Adjust domain tests for changed list_domains scoping behavior  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 [16:21]
<opendevreview> Artem Goncharov proposed openstack/keystone master: Enable non-voting OpenAPI build job  https://review.opendev.org/c/openstack/keystone/+/922851 [16:51]
