opendevreview | Merged openstack/keystone master: reno: Update master for unmaintained/zed https://review.opendev.org/c/openstack/keystone/+/918617 | 05:51 |
---|---|---|
opendevreview | Pedro Henrique Pereira Martins proposed openstack/keystoneauth master: Add OTP to v3OIDCpassword plugin https://review.opendev.org/c/openstack/keystoneauth/+/697348 | 08:30 |
| | *** thuvh1 is now known as thuvh | 11:02 |
| | *** whoami-rajat_ is now known as whoami-rajat | 14:00 |
d34dh0r53 | #startmeeting keystone | 15:01 |
opendevmeet | Meeting started Wed Jul 3 15:01:48 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'keystone' | 15:01 |
d34dh0r53 | #topic roll call | 15:02 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema | 15:02 |
xek | o/ | 15:02 |
gtema | o/ | 15:03 |
d34dh0r53 | o/ | 15:03 |
d34dh0r53 | #topic review past meeting work items | 15:04 |
d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-26-15.01.html | 15:05 |
d34dh0r53 | no work items of note | 15:05 |
d34dh0r53 | #topic liaison updates | 15:05 |
d34dh0r53 | from the VMT side of things | 15:07 |
d34dh0r53 | #link https://security.openstack.org/ossa/OSSA-2024-001.html | 15:07 |
gtema | a nasty thing, but which does not affect Keystone, anyway important for people to know | 15:07 |
d34dh0r53 | was released yesterday, it doesn't affect keystone per se, but it does impact openstack significantly which is why I'm calling it out here | 15:07 |
d34dh0r53 | yep | 15:07 |
d34dh0r53 | for releases, Dalmatian-2 was this week | 15:08 |
d34dh0r53 | no blockers from us so everything has progressed | 15:08 |
d34dh0r53 | that's it for liaison updates | 15:08 |
d34dh0r53 | moving on | 15:08 |
Luzi | o/ | 15:09 |
d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:09 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:09 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:09 |
mhen | o/ | 15:09 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:09 |
d34dh0r53 | no updates from me on this | 15:09 |
d34dh0r53 | Hi Luzi and mhen o/ | 15:10 |
d34dh0r53 | next up | 15:10 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:10 |
d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:10 |
d34dh0r53 | dmendiza: is on PTO today so no updates on SRBAC | 15:10 |
d34dh0r53 | #topic specification Improve federated users management (gtema) | 15:11 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/920892 | 15:11 |
d34dh0r53 | I started reviewing this but haven't finished yet | 15:11 |
gtema | still waiting for reviews ;-) | 15:11 |
gtema | sounds good | 15:11 |
gtema | anything found so far | 15:12 |
gtema | ? | 15:12 |
gtema | I mean conceptually | 15:12 |
d34dh0r53 | not that I can see | 15:12 |
gtema | ok, that's promising, because it is more conceptually a question than implementation | 15:13 |
d34dh0r53 | right | 15:13 |
d34dh0r53 | next up | 15:14 |
d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:14 |
d34dh0r53 | #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone | 15:14 |
gtema | so | 15:14 |
d34dh0r53 | Are these ready for reviews or still WIP? | 15:14 |
gtema | I pushed first wip changes for people to see what it is | 15:15 |
gtema | well, 2 first are ready | 15:15 |
gtema | I mean adding job for openapi generator and adding a validation framework as such | 15:15 |
gtema | adding schemas as WIP and there is one thing to discuss | 15:15 |
gtema | also stephenfin noticed that as well: with this style that we are adding across all services we have a small change in behavior | 15:16 |
gtema | namely that we need to validate input first and evaluate policy after that | 15:16 |
gtema | so with invalid input user is getting 403 now, but will get 400 with new validation | 15:17 |
gtema | and so the question is: do we agree that it makes sense to do first a routing and understand whether the input is valid before we evaluate whether user is allowed to perform that operation | 15:17 |
gtema | basically this is how other services work | 15:18 |
gtema | otherwise, if that is nok and we want to keep the behavior, I would also need to rework policy evaluation and convert it to decorators as well | 15:18 |
mhen | "valid" as in a) "is number or string" or b) "project id exists"? | 15:19 |
gtema | #link the discussion is in https://review.opendev.org/c/openstack/keystone/+/923181 | 15:19 |
gtema | a) number or string | 15:19 |
gtema | this is purely jsonschema based input validation | 15:19 |
gtema | no access to DB or whatsoever | 15:19 |
mhen | good, otherwise it would be a risk to expose things before authorizing users | 15:19 |
gtema | I repeat - this is how other services work, so it is not something unique | 15:20 |
gtema | one point to underline here is that sometimes the body is influencing routing | 15:20 |
gtema | and we can't properly route the request before we actually analyze the input | 15:20 |
d34dh0r53 | I'm okay with the 400, it's a bit outside of what the RFC states but an argument can be made that it is malformed | 15:21 |
gtema | 400 is what we also use now, just that it is thrown after policy evaluation takes place | 15:22 |
d34dh0r53 | I see | 15:22 |
gtema | more or less I need to know now whether it is ok for us to change order (and thus behavior) because it influences dramatically how I should address the changes | 15:23 |
d34dh0r53 | I'm good with changing the order, I can't think of a reason not to | 15:26 |
gtema | ok, great. I would appreciate if you can add small comment on that in the referred change for protocoling | 15:27 |
d34dh0r53 | I will do that | 15:27 |
gtema | thanks | 15:27 |
d34dh0r53 | thank you! | 15:28 |
d34dh0r53 | next up | 15:28 |
d34dh0r53 | #topic open discussion | 15:28 |
d34dh0r53 | move reviewathon to 14:00 during Daylight time (d34dh0r53) | 15:28 |
d34dh0r53 | any objections? | 15:28 |
d34dh0r53 | UTC time | 15:28 |
gtema | that is very desired by me, cause I have mentoring meeting at 15 and it is nearly impossible to move it | 15:28 |
d34dh0r53 | ack | 15:29 |
d34dh0r53 | cool, I'll move the meeting to 14:00 UTC | 15:32 |
gtema | perfect, thanks a lot | 15:32 |
d34dh0r53 | #action d34dh0r53 move reviewathon to 14:00 UTC for Daylight time | 15:32 |
d34dh0r53 | we'll revisit the time once DST rolls around for everyone | 15:32 |
d34dh0r53 | next up | 15:32 |
d34dh0r53 | domain manager (mhen) | 15:32 |
d34dh0r53 | https://review.opendev.org/c/openstack/keystone-specs/+/903172 | 15:33 |
mhen | spec freeze is approaching - can we still make it? | 15:33 |
gtema | we agreed last week to do the best possible to squeeze it | 15:33 |
gtema | in | 15:33 |
d34dh0r53 | Grzegorz Grasza: can you review this today? | 15:34 |
gtema | Dave Wilde (d34dh0r53): do you happen to know if dmendiza is in PTO only today or longer? | 15:34 |
d34dh0r53 | The rest of the week | 15:34 |
gtema | uh, ok | 15:35 |
gtema | from my pov all his comments were addressed and landing spec is not landing implementation | 15:36 |
d34dh0r53 | I'll see if I can get Grzegorz Grasza to do it | 15:36 |
mhen | thank you d34dh0r53 | 15:36 |
d34dh0r53 | np | 15:37 |
d34dh0r53 | #topic bug review | 15:38 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:38 |
d34dh0r53 | no new bugs for keystone | 15:38 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:38 |
d34dh0r53 | python-keystoneclient is good to go | 15:39 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:39 |
d34dh0r53 | nothing new in keystoneauth | 15:39 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:39 |
d34dh0r53 | nor in keystonemiddleware | 15:39 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:39 |
d34dh0r53 | pycadf is good | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:40 |
d34dh0r53 | so is ldappool | 15:40 |
d34dh0r53 | #topic conclusion | 15:40 |
d34dh0r53 | Tomorrow is a US holiday so I'll be out | 15:40 |
gtema | oh yeah. Have fun | 15:41 |
d34dh0r53 | Thank you! | 15:41 |
d34dh0r53 | Thanks folks! | 15:41 |
d34dh0r53 | #endmeeting | 15:41 |
opendevmeet | Meeting ended Wed Jul 3 15:41:46 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:41 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-03-15.01.html | 15:41 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-03-15.01.txt | 15:41 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-03-15.01.log.html | 15:41 |
gtema | thanks Dave Wilde (d34dh0r53) See ya on Friday | 15:42 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Add JsonSchema to `credentials` https://review.opendev.org/c/openstack/keystone/+/923324 | 19:46 |