Wednesday, 2025-02-05

*** mhen_ is now known as mhen [02:57]
<opendevreview> Artem Goncharov proposed openstack/keystone master: Add JSON Schema to `endpoint groups` and validation decorators to endpoint groups resource.  https://review.opendev.org/c/openstack/keystone/+/929686 [14:50]
<d34dh0r53> #startmeeting keystone [15:01]
<opendevmeet> Meeting started Wed Feb  5 15:01:18 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. [15:01]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [15:01]
<opendevmeet> The meeting name has been set to 'keystone' [15:01]
<d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct [15:01]
<d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct [15:01]
<d34dh0r53> #topic roll call [15:01]
<d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe [15:01]
<gtema> o/ [15:01]
<d34dh0r53> Super special ping for dmendiza [15:01]
<xek> o/ [15:02]
<d34dh0r53> #topic review past meeting work items [15:04]
<d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-01-22-15.03.html [15:04]
<d34dh0r53> no action items to review [15:04]
<d34dh0r53> #topic liaison updates [15:04]
<d34dh0r53> no updates from VMT or release management [15:04]
<d34dh0r53> #topic specification OAuth 2.0 (hiromu) [15:05]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext [15:05]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability [15:05]
<d34dh0r53> External OAuth 2.0 Specification [15:05]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) [15:05]
<d34dh0r53> OAuth 2.0 Implementation [15:06]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) [15:06]
<d34dh0r53> OAuth 2.0 Documentation [15:06]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) [15:06]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) [15:06]
<d34dh0r53> I did some review and the main thing we're waiting on are some functional jobs to be added in other projects, namely barbican and tacker [15:07]
<d34dh0r53> We're also missing two keystone-tempest-plugin patches that I'll try to rebase today [15:07]
<d34dh0r53> That's it on OAuth 2.0 [15:08]
<d34dh0r53> #topic specification Secure RBAC (dmendiza[m]) [15:08]
<d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ [15:08]
<d34dh0r53> 2024.1 Release Timeline [15:08]
<d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True [15:08]
<d34dh0r53> Update oslo.policy in keystone to enforce_scope=True [15:08]
<d34dh0r53> i don't think dmendiza is around, but I'll give it a couple of minutes [15:08]
<d34dh0r53> next up [15:10]
<d34dh0r53> #topic specification OpenAPI support (gtema) [15:10]
<d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone [15:10]
<d34dh0r53> I see there are a couple of patches for me to review, will do that after this meeting [15:10]
<gtema> few changes are up to review. I just retriggered recheck on them to see fresh results from codegenerator [15:10]
<gtema> since it wasn't working due to corrupted schema landed [15:11]
<gtema> but anyway - seen one pretty interesting case wrt schemas and internal implementation on the endpoint region vs region_id front [15:11]
<gtema> in our work we were reimplementing openstackclient to use sdk instead of keystoneclient and managed to end up with entry in the catalog with non empty region_id and region = Null [15:12]
<gtema> I mean really explicit null value. [15:12]
<gtema> in the normal API case this is not going to happen, but it was present in the catalog inside the token [15:13]
<gtema> not something we should worry about here, just a fun fact of scrutiny [15:13]
<gtema> I am also frustrated by the fact that I am not able to land changes in the openstackdocstheme required to start rendering openapi specs [15:14]
<gtema> was even thinking about starting just embedding swagger, but that is going to fail in the same way - collision of bootstrap versions [15:14]
<gtema> so I was also thinking about tweaking api-ref job to build openapi separately and render it using custom theme and then copy it to the regular results so that we can publish it [15:15]
<gtema> (sort of invisible without direct link) [15:15]
<gtema> what do you think? [15:16]
<d34dh0r53> What's the resistance to landing changes directly in openstackdocstheme? [15:17]
<d34dh0r53> Just review capacity? [15:17]
<gtema> it's not a resistance, just nobody cares [15:17]
<gtema> it's on the TC table for more than a month already with still no change [15:18]
<d34dh0r53> hmm [15:18]
<d34dh0r53> How hard is the api-ref tweak? [15:19]
<gtema> in my rust poc I embedded the openapi directly into the binary so that it is rendered with the api (vendor) and it is so cooool [15:19]
<gtema> api-ref tweak should not be hard, but it introduces new steps into it and a dependency that might fail. I will try to implement it fail safe so that the normal build is not affected [15:19]
<gtema> it is just that it seems to be the only way to start publishing specs [15:20]
<gtema> at least for now [15:20]
<d34dh0r53> ack, I say go for it [15:20]
<gtema> ok, thks [15:20]
<d34dh0r53> anything else on openapi? [15:21]
<gtema> nope [15:21]
<d34dh0r53> #topic specification domain manager (mhen) [15:21]
<d34dh0r53> still unmerged are: [15:21]
<d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135 [15:21]
<d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 [15:21]
<gtema> this now also has some followups - certain CSPs are relying on federation and then it becomes impossible to manage user/group relations (user - role - project is still fine) [15:23]
<gtema> we try now to figure out what is the way to live properly with it [15:23]
<gtema> it is not of big problem for upstream, but is certainly a thing for CSPs and certifications [15:24]
<d34dh0r53> hmm, so the domain manager role makes it harder to manage user/group relations? how so? [15:24]
<gtema> not really. Certain CSPs want that users are only coming from let's say keycloak and groups are also managed there [15:25]
<gtema> they want to prevent any changes locally [15:25]
<gtema> btw, I have also a POC on implementing SCIM for synchronizing data from IdP to Keystone [15:26]
<opendevreview> Merged openstack/keystoneauth master: typing: Simplify some types, other TODOs  https://review.opendev.org/c/openstack/keystoneauth/+/935764 [15:26]
<d34dh0r53> Oh cool [15:26]
<gtema> it's a cool thing since it is a rust application using openstack_sdk (the rust one) and proxy requests to keystone directly [15:26]
<gtema> I want to also implement it with direct DB access, but that (as said on Friday) is taking much more time [15:27]
<d34dh0r53> yeah [15:28]
<gtema> I need to solve auth problem though [15:28]
<gtema> generally scim providers typically only allow you to send bearer token or oauth (but that is not what we support now) [15:28]
<d34dh0r53> Grzegorz Grasza: is working on that, although from a different perspective [15:29]
<gtema> oh cool to know. Maybe then on Friday we can discuss details [15:29]
<xek> That's actually what I briefly mentioned last Friday, further developing the external OAuth2.0 [15:30]
<gtema> yeah, I was just going through the spec and I miss there few critical things [15:31]
<gtema> oauth is only authentication and not authorization [15:31]
<xek> right, we can discuss this further on Friday [15:31]
<gtema> so that need/may need to be handled differently [15:31]
<gtema> perfect [15:31]
<d34dh0r53> 👍 [15:32]
<d34dh0r53> next up [15:34]
<d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z) [15:34]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged) [15:34]
<d34dh0r53> #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 [15:34]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423 [15:34]
<d34dh0r53> 5-Feb update: implementation to be updated to reflect merged spec state (WIP by @stanislav-z) [15:34]
<stanislav-z> thanks for the reviews of the spec 👍️ I'm on updating the implementation [15:34]
<d34dh0r53> Awesome, thank you Stanislav Zaprudskiy ! [15:35]
<d34dh0r53> #topic open discussion [15:35]
<d34dh0r53> I don't have anything [15:35]
<stanislav-z> I wanted to join Friday's review sessions once, but was hanging in the lobby of the meeting - not sure, perhaps there was no meeting at all that Fri, or do I perhaps need some authorization to join? [15:36]
<gtema> depends on when exactly [15:37]
<gtema> it was cancelled few times in Jan [15:37]
<d34dh0r53> Stanislav Zaprudskiy: if you /msg me your email address I'll add you to the invite [15:38]
<stanislav-z> I only wanted to be around in case my PRs fall into view - would that be a valid reason to connect? [15:38]
<stanislav-z> thanks! [15:38]
<d34dh0r53> no problem [15:40]
<d34dh0r53> moving on [15:41]
<d34dh0r53> #topic bug review [15:41]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 [15:41]
<d34dh0r53> no new bugs for keystone [15:41]
<d34dh0r53> 'v [15:41]
<d34dh0r53> oops [15:41]
<d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 [15:41]
<d34dh0r53> python-keystoneclient is good [15:41]
<d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 [15:41]
<d34dh0r53> nothing new in keystoneauth [15:42]
<d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 [15:42]
<d34dh0r53> keystonemiddleware has no new bugs [15:42]
<d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 [15:42]
<d34dh0r53> pycadf is good [15:42]
<d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 [15:42]
<d34dh0r53> so is ldappool [15:42]
<d34dh0r53> #topic conclusion [15:43]
<d34dh0r53> nothing from me, thanks everyone!! [15:43]
<gtema> thanks [15:43]
<d34dh0r53> #endmeeting [15:43]
<opendevmeet> Meeting ended Wed Feb  5 15:43:25 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [15:43]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-05-15.01.html [15:43]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-05-15.01.txt [15:43]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-05-15.01.log.html [15:43]
<opendevreview> Merged openstack/keystoneauth master: Fix misuse of assertTrue  https://review.opendev.org/c/openstack/keystoneauth/+/935777 [16:27]
<opendevreview> Merged openstack/keystoneauth master: reno: Update master for unmaintained/2023.1  https://review.opendev.org/c/openstack/keystoneauth/+/935961 [16:27]
<opendevreview> Merged openstack/keystoneauth master: typing: Remove unused AuthMethod.get_auth_data arguments  https://review.opendev.org/c/openstack/keystoneauth/+/935765 [17:53]
<opendevreview> Merged openstack/keystoneauth master: typing: Remove unused BaseAuthPlugin.get_auth_ref kwargs  https://review.opendev.org/c/openstack/keystoneauth/+/935766 [17:53]
<opendevreview> Merged openstack/keystoneauth master: typing: Remove unused _Rescoped.get_unscoped_auth_ref kwargs  https://review.opendev.org/c/openstack/keystoneauth/+/935767 [17:53]
<opendevreview> Merged openstack/keystoneauth master: typing: Remove unused BaseAuthPlugin.get_headers kwargs  https://review.opendev.org/c/openstack/keystoneauth/+/935768 [17:53]
<opendevreview> Merged openstack/keystoneauth master: typing: Remove unused BaseAuthPlugin.get_token kwargs  https://review.opendev.org/c/openstack/keystoneauth/+/935769 [17:53]
<gmann> dmendiza[m]: can we merge this, easy one https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/933470 [18:02]
