Wednesday, 2024-07-03

[05:51] <opendevreview> Merged openstack/keystone master: reno: Update master for unmaintained/zed  https://review.opendev.org/c/openstack/keystone/+/918617
[08:30] <opendevreview> Pedro Henrique Pereira Martins proposed openstack/keystoneauth master: Add OTP to v3OIDCpassword plugin  https://review.opendev.org/c/openstack/keystoneauth/+/697348
[11:02] *** thuvh1 is now known as thuvh
[14:00] *** whoami-rajat_ is now known as whoami-rajat
[15:01] <d34dh0r53> #startmeeting keystone
[15:01] <opendevmeet> Meeting started Wed Jul  3 15:01:48 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:01] <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:01] <opendevmeet> The meeting name has been set to 'keystone'
[15:02] <d34dh0r53> #topic roll call
[15:02] <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
[15:02] <xek> o/
[15:03] <gtema> o/
[15:03] <d34dh0r53> o/
[15:04] <d34dh0r53> #topic review past meeting work items
[15:05] <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-26-15.01.html
[15:05] <d34dh0r53> no work items of note
[15:05] <d34dh0r53> #topic liaison updates
[15:07] <d34dh0r53> from the VMT side of things
[15:07] <d34dh0r53> #link https://security.openstack.org/ossa/OSSA-2024-001.html
[15:07] <gtema> a nasty thing, but which does not affect Keystone, anyway important for people to know
[15:07] <d34dh0r53> was released yesterday, it doesn't affect keystone per se, but it does impact openstack significantly which is why I'm calling it out here
[15:07] <d34dh0r53> yep
[15:08] <d34dh0r53> for releases, Dalmatian-2 was this week
[15:08] <d34dh0r53> no blockers from us so everything has progressed
[15:08] <d34dh0r53> that's it for liaison updates
[15:08] <d34dh0r53> moving on
[15:09] <Luzi> o/
[15:09] <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
[15:09] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
[15:09] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
[15:09] <mhen> o/
[15:09] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
[15:09] <d34dh0r53> no updates from me on this
[15:10] <d34dh0r53> Hi Luzi and mhen o/
[15:10] <d34dh0r53> next up
[15:10] <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
[15:10] <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
[15:10] <d34dh0r53> dmendiza: is on PTO today so no updates on SRBAC
[15:11] <d34dh0r53> #topic specification Improve federated users management (gtema)
[15:11] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/920892
[15:11] <d34dh0r53> I started reviewing this but haven't finished yet
[15:11] <gtema> still waiting for reviews ;-)
[15:11] <gtema> sounds good
[15:12] <gtema> anything found so far
[15:12] <gtema> ?
[15:12] <gtema> I mean conceptually
[15:12] <d34dh0r53> not that I can see
[15:13] <gtema> ok, that's promising, because it is more conceptually a question than implementation
[15:13] <d34dh0r53> right
[15:14] <d34dh0r53> next up
[15:14] <d34dh0r53> #topic specification OpenAPI support (gtema)
[15:14] <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
[15:14] <gtema> so
[15:14] <d34dh0r53> Are these ready for reviews or still WIP?
[15:15] <gtema> I pushed first wip changes for people to see what it is
[15:15] <gtema> well, 2 first are ready
[15:15] <gtema> I mean adding job for openapi generator and adding a validation framework as such
[15:15] <gtema> adding schemas as WIP and there is one thing to discuss
[15:16] <gtema> also stephenfin noticed that as well: with this style that we are adding across all services we have a small change in behavior
[15:16] <gtema> namely that we need to validate input first and evaluate policy after that
[15:17] <gtema> so with invalid input user is getting 403 now, but will get 400 with new validation
[15:17] <gtema> and so the question is: do we agree that it makes sense to do first a routing and understand whether the input is valid before we evaluate whether user is allowed to perform that operation
[15:18] <gtema> basically this is how other services work
[15:18] <gtema> otherwise, if that is nok and we want to keep the behavior, I would also need to rework policy evaluation and convert it to decorators as well
[15:19] <mhen> "valid" as in a) "is number or string" or b) "project id exists"?
[15:19] <gtema> #link the discussion is in https://review.opendev.org/c/openstack/keystone/+/923181
[15:19] <gtema> a) number or string
[15:19] <gtema> this is purely jsonschema based input validation
[15:19] <gtema> no access to DB or whatsoever
[15:19] <mhen> good, otherwise it would be a risk to expose things before authorizing users
[15:20] <gtema> I repeat - this is how other services work, so it is not something unique
[15:20] <gtema> one point to underline here is that sometimes the body is influencing routing
[15:20] <gtema> and we can't properly route the request before we actually analyze the input
[15:21] <d34dh0r53> I'm okay with the 400, it's a bit outside of what the RFC states but an argument can be made that it is malformed
[15:22] <gtema> 400 is what we also use now, just that it is thrown after policy evaluation takes place
[15:22] <d34dh0r53> I see
[15:23] <gtema> more or less I need to know now whether it is ok for us to change order (and thus behavior) because it influences dramatically how I should address the changes
[15:26] <d34dh0r53> I'm good with changing the order, I can't think of a reason not to
[15:27] <gtema> ok, great. I would appreciate if you can add small comment on that in the referred change for protocoling
[15:27] <d34dh0r53> I will do that
[15:27] <gtema> thanks
[15:28] <d34dh0r53> thank you!
[15:28] <d34dh0r53> next up
[15:28] <d34dh0r53> #topic open discussion
[15:28] <d34dh0r53> move reviewathon to 14:00 during Daylight time (d34dh0r53)
[15:28] <d34dh0r53> any objections?
[15:28] <d34dh0r53> UTC time
[15:28] <gtema> that is very desired by me, cause I have mentoring meeting at 15 and it is nearly impossible to move it
[15:29] <d34dh0r53> ack
[15:32] <d34dh0r53> cool, I'll move the meeting to 14:00 UTC
[15:32] <gtema> perfect, thanks a lot
[15:32] <d34dh0r53> #action d34dh0r53 move reviewathon to 14:00 UTC for Daylight time
[15:32] <d34dh0r53> we'll revisit the time once DST rolls around for everyone
[15:32] <d34dh0r53> next up
[15:32] <d34dh0r53> domain manager (mhen)
[15:33] <d34dh0r53> https://review.opendev.org/c/openstack/keystone-specs/+/903172
[15:33] <mhen> spec freeze is approaching - can we still make it?
[15:33] <gtema> we agreed last week to do the best possible to squeeze it
[15:33] <gtema> in
[15:34] <d34dh0r53> Grzegorz Grasza: can you review this today?
[15:34] <gtema> Dave Wilde (d34dh0r53): do you happen to know if dmendiza is in PTO only today or longer?
[15:34] <d34dh0r53> The rest of the week
[15:35] <gtema> uh, ok
[15:36] <gtema> from my pov all his comments were addressed and landing spec is not landing implementation
[15:36] <d34dh0r53> I'll see if I can get Grzegorz Grasza to do it
[15:36] <mhen> thank you d34dh0r53
[15:37] <d34dh0r53> np
[15:38] <d34dh0r53> #topic bug review
[15:38] <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
[15:38] <d34dh0r53> no new bugs for keystone
[15:38] <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
[15:39] <d34dh0r53> python-keystoneclient is good to go
[15:39] <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
[15:39] <d34dh0r53> nothing new in keystoneauth
[15:39] <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
[15:39] <d34dh0r53> nor in keystonemiddleware
[15:39] <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
[15:40] <d34dh0r53> pycadf is good
[15:40] <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
[15:40] <d34dh0r53> so is ldappool
[15:40] <d34dh0r53> #topic conclusion
[15:40] <d34dh0r53> Tomorrow is a US holiday so I'll be out
[15:41] <gtema> oh yeah. Have fun
[15:41] <d34dh0r53> Thank you!
[15:41] <d34dh0r53> Thanks folks!
[15:41] <d34dh0r53> #endmeeting
[15:41] <opendevmeet> Meeting ended Wed Jul  3 15:41:46 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[15:41] <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-03-15.01.html
[15:41] <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-03-15.01.txt
[15:41] <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-03-15.01.log.html
[15:42] <gtema> thanks Dave Wilde (d34dh0r53)  See ya on Friday
[19:46] <opendevreview> Artem Goncharov proposed openstack/keystone master: Add JsonSchema to `credentials`  https://review.opendev.org/c/openstack/keystone/+/923324