| *** mhen_ is now known as mhen | 02:53 | |
| *** ykarel_ is now known as ykarel | 10:44 | |
| d34dh0r53 | #startmeeting keystone | 15:01 |
|---|---|---|
| opendevmeet | Meeting started Wed Mar 5 15:01:00 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:01 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:01 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:02 |
| d34dh0r53 | #topic roll call | 15:02 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:02 |
| d34dh0r53 | dmendiza | 15:02 |
| gtema | o/ but stick in another meeting | 15:02 |
| dmendiza[m] | 👋 | 15:03 |
| d34dh0r53 | #topic review past meeting work items | 15:06 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-26-15.05.html | 15:06 |
| d34dh0r53 | no action items from the last meeting | 15:06 |
| d34dh0r53 | #topic liaison updates | 15:06 |
| d34dh0r53 | nothing from VMT or Releases | 15:07 |
| d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:08 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:08 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:09 |
| d34dh0r53 | External OAuth 2.0 Specification | 15:09 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) | 15:09 |
| d34dh0r53 | OAuth 2.0 Implementation | 15:09 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) | 15:09 |
| d34dh0r53 | OAuth 2.0 Documentation | 15:09 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) | 15:09 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) | 15:09 |
| d34dh0r53 | no updates from me on this one | 15:09 |
| d34dh0r53 | next up | 15:09 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:10 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:10 |
| d34dh0r53 | 2024.1 Release Timeline | 15:10 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:10 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:10 |
| d34dh0r53 | dmendiza: supplemental ping ;) | 15:12 |
| dmendiza[m] | No updates 😅 | 15:13 |
| d34dh0r53 | 👍 | 15:13 |
| d34dh0r53 | next up | 15:13 |
| d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:13 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone | 15:14 |
| gtema | sorry, no updates. Due to FF also no hard work done | 15:14 |
| d34dh0r53 | ack, no worries | 15:14 |
| d34dh0r53 | #topic specification Include bad password details in audit messages (stanislav-z) | 15:14 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 | 15:15 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged) | 15:15 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed) | 15:15 |
| d34dh0r53 | 18-Feb update: the implementation has been updated to reflect the merged spec state | 15:15 |
| d34dh0r53 | I owe you reviews on your patch | 15:16 |
| stanislav-z | perhaps it just needs to wait for someone reviews it | 15:16 |
| d34dh0r53 | yeah, cores, if you can review this please | 15:18 |
| gtema | +1 | 15:18 |
| d34dh0r53 | Thank you | 15:19 |
| d34dh0r53 | #topic open discussion | 15:19 |
| d34dh0r53 | I don't have anything | 15:20 |
| stanislav-z | if I may :) I have use case, for which I need an advice | 15:20 |
| d34dh0r53 | Go ahead | 15:20 |
| stanislav-z | In order to reduce password authentication usage along with its associated peculiarities, there is an idea to switch to application credentials auth as much as possible in cases where technical/service users are utilized (non-humans, applications, systems, etc). Along with that, there is an idea to use short-lived application credentials for these cases all the time to improve security - something like 7d or so. Finally, the | 15:20 |
| stanislav-z | idea is to have the application credentials created upon application start-up - which should generally increase start-up time a bit. Given all that, would you come up with anything that speaks against it? Or something worth keeping in mind? Generally, are application credentials suitable/designed for such use cases? It may result to tens of thousands of app credentials being created/expiring/deleted all the time - do you think | 15:20 |
| stanislav-z | it could impact performance noticeably? | 15:20 |
| d34dh0r53 | I think it would impact performance, but I don't know how much | 15:24 |
| d34dh0r53 | gtema would know better as he operates clouds at a scale where it would be noticeable | 15:24 |
| stanislav-z | all right. I'm open to comments to it after the call as well :) unless anyone wants to add something now, I suggest we move on. thanks! | 15:26 |
| d34dh0r53 | ack, thanks Stanislav Zaprudskiy | 15:26 |
| d34dh0r53 | #topic bug review | 15:28 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:28 |
| d34dh0r53 | no new bugs for keystone | 15:28 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:28 |
| d34dh0r53 | python-keystoneclient is good | 15:28 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:29 |
| d34dh0r53 | no new bugs for keystoneauth | 15:29 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:29 |
| d34dh0r53 | keystonemiddleware is good to go | 15:29 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:29 |
| d34dh0r53 | nothing new in pycadf | 15:30 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:30 |
| d34dh0r53 | ldappool is good | 15:30 |
| d34dh0r53 | #topic conclusion | 15:30 |
| d34dh0r53 | nothing else from me, thanks folks! | 15:30 |
| gtema | thks and sorry for mostly only reading | 15:31 |
| d34dh0r53 | no problem | 15:33 |
| d34dh0r53 | #endmeeting | 15:33 |
| opendevmeet | Meeting ended Wed Mar 5 15:33:24 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:33 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-05-15.01.html | 15:33 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-05-15.01.txt | 15:33 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-05-15.01.log.html | 15:33 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!