Wednesday, 2024-07-24

[01:13] *** mhen_ is now known as mhen
[06:53] <opendevreview> Lajos Katona proposed openstack/keystone master: Don't fail for role_assignment list for bad project id  https://review.opendev.org/c/openstack/keystone/+/923749
[13:56] <ygk_12345> hi all
[13:56] <ygk_12345> i am facing an issue while upgrading from yoga to zed
[13:58] <ygk_12345> while running the keystone playbook for upgrade, I am facing this message https://paste.opendev.org/show/bi006rJ8LgohPWh65J65/
[13:58] <ygk_12345> can someone advise me please
[14:33] <opendevreview> Markus Hentsch proposed openstack/keystone master: Implement the Domain Manager Persona for Keystone  https://review.opendev.org/c/openstack/keystone/+/924132
[14:35] <opendevreview> Markus Hentsch proposed openstack/keystone-tempest-plugin master: Update tests for new Domain Manager Persona  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
[15:00] <d34dh0r53> #startmeeting keystone
[15:00] <opendevmeet> Meeting started Wed Jul 24 15:00:21 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:00] <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:00] <opendevmeet> The meeting name has been set to 'keystone'
[15:00] <xek> o/
[15:01] <gtema> o/
[15:01] <d34dh0r53> #topic roll call
[15:01] <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
[15:01] <mhen> o/
[15:02] * zaitcev peeks
[15:03] <d34dh0r53> #topic review past meeting work items
[15:03] <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-10-15.00.html
[15:03] <d34dh0r53> no action items from the last meeting
[15:03] <d34dh0r53> #topic liaison updates
[15:04] <d34dh0r53> nothing from VMT or releases
[15:06] <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
[15:06] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
[15:07] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
[15:07] <d34dh0r53> External OAuth 2.0 Specification
[15:07] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
[15:07] <d34dh0r53> OAuth 2.0 Implementation
[15:07] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
[15:08] <d34dh0r53> OAuth 2.0 Documentation
[15:08] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
[15:08] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
[15:08] <d34dh0r53> no updates, hopefully I can get a chance to rebase those last tempest tests this week and get this off the agenda
[15:08] <d34dh0r53> next up we have
[15:09] <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
[15:09] <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
[15:09] <mharley[m]> o/
[15:09] <d34dh0r53> 2024.1 Release Timeline
[15:09] <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
[15:09] <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
[15:09] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
[15:09] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)
[15:09] <d34dh0r53> #link https://review.opendev.org/c/openstack/tempest/+/912489 (Merged)
[15:11] <d34dh0r53> dmendiza: you around?
[15:12] <d34dh0r53> o/
[15:12] <dmendiza[m]> 🙋‍♂️
[15:12] <dmendiza[m]> Heya!
[15:12] <dmendiza[m]> Let me see .... I don't think I have any updates.  IIRC we did merge the Domain-Manager spec?
[15:13] <d34dh0r53> we did
[15:14] <gtema> should we move the notes for domain-manager
[15:14] <gtema> from open-discussion to ..here..?
[15:15] <dmendiza[m]> Yeah, I see domain-manager as part of SRBAC
[15:15] <d34dh0r53> yeah, I was just thinking about that
[15:16] <d34dh0r53> moved
[15:16] <gtema> great
[15:16] <gtema> Markus (mhen) - do you have updates here? I heard that from you already today, but ...
[15:17] <mhen> as written in the etherpad, implementation of policies is pretty much done (from my POV)
[15:17] <d34dh0r53> yep, we'll pivot into
[15:17] <mhen> I'm currently filling remaining gaps in keystone-tempest-plugin
[15:17] <d34dh0r53> #topic specification domain manager (mhen)
[15:17] <gtema> mhen - the stuff with domain specific roles is important to discuss here imho
[15:18] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/903172
[15:18] <d34dh0r53> implementation has started in keystone, tempest and keystone-tempest-plugin
[15:18] <d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22
[15:18] <d34dh0r53> keystone
[15:18] <d34dh0r53> all applicable policies implemented for SRBAC (enforce_new_defaults and enforce_scope enabled)
[15:18] <d34dh0r53> TODO: fix policy variable naming (they got quite long, exceeding character limit in some places)
[15:18] <d34dh0r53> tempest
[15:18] <d34dh0r53> library updated to create pre-provisioned domain manager user for tests
[15:18] <d34dh0r53> keystone-tempest-plugin
[15:18] <d34dh0r53> fixed existing RBAC tests to incorporate changes done to API
[15:18] <d34dh0r53> TODO: filling remaining gaps in tests to consider the new persona in all applicable places
[15:19] <mhen> yea, about domain-specific roles: I initially added domain role management capabilities to the domain manager persona but upon further inspection and testing I realized that it actually made no sense so I removed it again
[15:20] <mhen> for the long story expand the second comment here: https://review.opendev.org/c/openstack/keystone/+/924132/comment/d13d5bc4_540fd19a/
[15:21] <mhen> the spec actually didn't consider domain roles (only global roles and their assignment within domains)
[15:22] <mhen> ... and it seems it is best to keep it this way, i.e. not allowing the domain manager persona to use the domain role endpoints
[15:23] <mhen> it might sound contradicting at first but please read the linked comment
[15:25] <mhen> on that note I realized that the naming of the role set rule for domain managers ("domain_managed_target_role") might not be the best considering it could be confused with domain roles, which is a different functionality
[15:25] <mhen> ref: https://github.com/openstack/keystone-specs/blob/master/specs/keystone/2024.1/domain-manager-persona.rst?plain=1#L139-L153
[15:30] <gtema> ok, so a short summary - domain manager is not going to manage domain specific roles
[15:31] <mhen> based on the current patchset, yes
[15:32] <mhen> they will be limited to assign/revoke a fixed set of global roles within a domain
[15:32] <mhen> in order to manage user/project/group relations
[15:32] <gtema> ok
[15:33] <d34dh0r53> ack
[15:34] <d34dh0r53> that makes sense to me, I think we should target 924132 for the reviewathon to go over it though
[15:34] <gtema> 👍️
[15:34] <d34dh0r53> #action reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132
[15:34] <d34dh0r53> moving on
[15:35] <d34dh0r53> #topic specification OpenAPI support (gtema)
[15:35] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged)
[15:35] <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
[15:36] <gtema> thanks for approving blackify Dave Wilde (d34dh0r53)  - that helps to avoid merge conflicts
[15:36] <d34dh0r53> indeed
[15:36] <gtema> we have onboarded a Student to support me in that
[15:36] <gtema> so hopefully she is going to make her changes soon
[15:37] <d34dh0r53> awesome
[15:37] <gtema> on the other side first changes are out there and the review is welcome
[15:37] <gtema> Grzegorz Grasza had a look already, but we should have more formal reviews
[15:39] <d34dh0r53> on which one?
[15:39] <gtema> in particular https://review.opendev.org/c/openstack/keystone/+/923067
[15:39] <gtema> the framework addition itself
[15:40] <gtema> #link https://review.opendev.org/c/openstack/keystone/+/923324 covers credentials with schemas
[15:41] <d34dh0r53> ack
[15:41] <d34dh0r53> yeah, we can look at these on Friday as well
[15:41] <gtema> great
[15:42] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/923067 and https://review.opendev.org/c/openstack/keystone/+/923324
[15:42] <d34dh0r53> moving on
[15:42] <d34dh0r53> #topic open discussion
[15:42] <d34dh0r53> 'v
[15:42] <d34dh0r53> codebase renovation (gtema)
[15:43] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/924522 - reformat patch. Would appreciate merge soon to reduce merge conflicts
[15:43] <d34dh0r53> #link https://review.opendev.org/q/topic:%22renovate%22
[15:43] <d34dh0r53> the first one is gating, it should merge in a couple of hours
[15:43] <gtema> I'll add new change adding commit to ignore blame once blackify merges
[15:44] <gtema> afterwards ensure other changes are fresh and mypy is not failing
[15:44] <d34dh0r53> great
[15:44] <gtema> afterwards I would address py datetime.now() issue
[15:44] <gtema> and hopefully fix the py312 job - at least that is the initial target
[15:45] <d34dh0r53> ok
[15:45] <d34dh0r53> thank you for this work!
[15:46] <gtema> welcome :)
[15:46] <d34dh0r53> anything else for open discussion?
[15:46] <gtema> not from me
[15:48] <d34dh0r53> #topic bug review
[15:48] <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
[15:48] <d34dh0r53> Looks like we have a couple for Keystone
[15:48] <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2073377
[15:49] <gtema> there is actually a change proposed for that
[15:49] <gtema> #link https://review.opendev.org/c/openstack/keystone/+/924153
[15:49] <d34dh0r53> ahh, yeah
[15:51] <d34dh0r53> next up
[15:51] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/924153
[15:51] <d34dh0r53> oops, wrong link
[15:51] <d34dh0r53> #undo
[15:51] <opendevmeet> Removing item from minutes: #link https://review.opendev.org/c/openstack/keystone/+/924153
[15:51] <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2072945
[15:53] <d34dh0r53> Yeah, that looks like an unhandled exception to me
[15:56] <d34dh0r53> added a comment
[15:57] <d34dh0r53> finally
[15:57] <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2072639
[15:57] <d34dh0r53> Thanks for the reply on that one mhen
[15:58] <d34dh0r53> That does it for keystone
[15:58] <d34dh0r53> next up
[15:58] <mhen> :)
[15:58] <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
[15:58] <d34dh0r53> no new bugs for python-keystoneclient
[15:59] <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
[15:59] <d34dh0r53> this may be a new bug
[15:59] <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bug/2072481
[16:01] <d34dh0r53> I think we may need version bumps
[16:02] <gtema> hopefully it is sufficient. It's a bit hard to understand what is going on there
[16:02] <d34dh0r53> yeah
[16:03] <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
[16:04] <d34dh0r53> no new bugs for keystonemiddleware
[16:04] <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
[16:04] <d34dh0r53> nothing new for pycadf
[16:04] <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
[16:05] <d34dh0r53> no ldappool
[16:05] <d34dh0r53> we're over time
[16:05] <d34dh0r53> #topic conclusion
[16:05] <d34dh0r53> thanks everyone, see y'all at the reviewathon
[16:05] <d34dh0r53> #endmeeting
[16:05] <opendevmeet> Meeting ended Wed Jul 24 16:05:25 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[16:05] <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-24-15.00.html
[16:05] <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-24-15.00.txt
[16:05] <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-24-15.00.log.html
[16:05] <gtema> see ya, thanks
[17:15] <opendevreview> Merged openstack/keystone master: Blackify the keystone code base  https://review.opendev.org/c/openstack/keystone/+/924522
[19:17] <daddycat> Hello all - The here https://docs.openstack.org/keystone/latest/contributor/set-up-keystone.html says python3.6 is required. Is this absolutely essential or can you use the latest python version (3.10.x in my case) on your system?
[19:58] <gtema> daddycat: it is moment snapshot in docs. Of course you can use newer versions (3.12 is not passing tests as of now)
[19:59] <gtema> And actually I am not 100 sure 3.6 is supported now, you should be using 3.8 as min
[20:01] <JayF> gtema: daddycat: Likely that should be updated to reference https://governance.openstack.org/tc/reference/runtimes/ which is the source material for what releases support what python versions. For 2024.2 (current master), it is python 3.9, 3.10, 3.11 (and optional per-project 3.12)
[20:20] <daddycat> Thanks guys. I am trying to set up keystone for development and keep running into the following issues, hence I was asking about python version in case there is some sort of mismatch.
[20:23] <daddycat> I am running into the following problems following the instructions here https://docs.openstack.org/keystone/latest/contributor/set-up-keystone.html
[20:23] <daddycat> 1. keystone-manage bootstrap step fails with the error below
[20:23] <daddycat> 2. the uWSGI command outlined here doesn't work, seems out of date.
[20:23] <daddycat> 3. keystone-manage db_sync seems to run into the same error below.
[20:23] <daddycat> ERROR keystone sqlalchemy.exc.NoSuchModuleError: Can't load plugin: sqlalchemy.plugins:dbcounter
