| *** mhen_ is now known as mhen | 02:30 | |
| opendevreview | OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.opendev.org/c/openstack/keystone/+/944309 | 04:41 |
|---|---|---|
| gtema | hey guys, I am on the train (soon disembarking), may be offline any time | 15:01 |
| d34dh0r53 | ack, thanks for the heads up gtema | 15:01 |
| d34dh0r53 | #startmeeting keystone | 15:01 |
| opendevmeet | Meeting started Wed Mar 26 15:01:29 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:01 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:01 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:01 |
| d34dh0r53 | #topic roll call | 15:01 |
| gtema | o/ | 15:01 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:02 |
| xek | o/ | 15:02 |
| d34dh0r53 | superfluous dmendiza ping | 15:02 |
| dmendiza[m] | 🙋♂️ | 15:05 |
| d34dh0r53 | o/ | 15:05 |
| d34dh0r53 | #topic review past meeting work items | 15:06 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-19-15.01.html | 15:06 |
| d34dh0r53 | no action items from last week | 15:06 |
| d34dh0r53 | #topic liaison updates | 15:06 |
| d34dh0r53 | nothing from releases or VMT | 15:06 |
| d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:06 |
| d34dh0r53 | External OAuth 2.0 Specification | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) | 15:07 |
| d34dh0r53 | OAuth 2.0 Implementation | 15:07 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) | 15:07 |
| d34dh0r53 | OAuth 2.0 Documentation | 15:07 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) | 15:07 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) | 15:07 |
| d34dh0r53 | I might try and rebase the last couple of patches we have, get them in early this cycle | 15:07 |
| d34dh0r53 | it's some tempest tests for keystone and we're waiting on other projects to merge their patches before we add functional testing | 15:09 |
| d34dh0r53 | next up | 15:09 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:09 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:09 |
| d34dh0r53 | 2024.1 Release Timeline | 15:09 |
| d34dh0r53 | 'v | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:10 |
| d34dh0r53 | dmendiza: any updates? | 15:10 |
| dmendiza[m] | Negative. Still nothing on this, but I do need to review SRBAC status before PTG | 15:10 |
| d34dh0r53 | ack, thanks | 15:10 |
| d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:10 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone | 15:11 |
| gtema | stephenfin noticed failing gophercloud tests due to jsonschemas being restrictive | 15:11 |
| gtema | well, they "broke" undocumented things like "?name__contains=foo" | 15:12 |
| gtema | and so the question to discussion (we agreed he makes a change releasing restriction for the moment) - how do we deal with undocumented things being broken | 15:12 |
| xek | we deprecate? | 15:13 |
| xek | we can alsa always reverse the process of deprecation | 15:13 |
| xek | *also | 15:13 |
| gtema | stephenfin and I discussed raising the api ver (to 3.15), but that only after we complete the works, cause every jsonschema is restricting undocumented properties | 15:13 |
| stephenfin | I was just writing exactly what gtema said | 15:14 |
| stephenfin | I personally don't care whether we keep (and document) or remove these comparator-style filters, but we should have a signal that users can check for if we do remove them | 15:14 |
| gtema | anyone of you know ANY customer or so relying on "?PARAM__contains=foo" sort of queries? | 15:14 |
| stephenfin | As I said yesterday, gophercloud uses them in tests and documents them as _the_ example of passing a Filter argument to various keystone calls | 15:15 |
| dmendiza[m] | Weird, I've never seen the double underscore filtering before | 15:16 |
| dmendiza[m] | only the stuff the api-wg documented: https://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering | 15:17 |
| gtema | dmendiza - that's the point - we have undocumented feature that nearly nobody knows about | 15:17 |
| xek | we could open an issue in gophercloud, to ask them whether they would like to continue to use such filters | 15:17 |
| stephenfin | As as I also said yesterday, changing API behaviour arbitrarily is bad form for API consumers. We need some kind of signal | 15:17 |
| dmendiza[m] | Yeah, documented or not, we should keep the current behavior | 15:18 |
| dmendiza[m] | and then deprecate like Grzegorz Grasza suggested if we don't want to keep it | 15:18 |
| gtema | i am not fan of this style comparators, since afaik other services use different style | 15:19 |
| stephenfin | xek: It's entirely your prerogative to keep or remove it. We (clients/users) just need to signal it if we remove it. This should be a no brainer 🤞 | 15:19 |
| gtema | I would say - lets drop them and consider harmonizing style with other services later | 15:20 |
| stephenfin | sounds like a PTG session to me 0:) | 15:21 |
| gtema | in till we are done with jsonschemas release the restriction | 15:21 |
| gtema | yeah, makes sense stephenfin | 15:21 |
| stephenfin | in any case, here are the patches for master https://review.opendev.org/c/openstack/keystone/+/945504 and stable/2025.1 https://review.opendev.org/c/openstack/keystone/+/945509 | 15:21 |
| stephenfin | IMO we need to merge those asap to prevent this breaking users in the wild when we release epoxy | 15:21 |
| d34dh0r53 | PTG session sounds good, I'll review the patches to unblock epoxy today | 15:22 |
| gtema | I'm dropping off now, will read back in 1 hour or so | 15:22 |
| stephenfin | gtema: o/ thanks for bringing this up | 15:23 |
| gtema | wlcm | 15:23 |
| d34dh0r53 | thanks gtema | 15:23 |
| d34dh0r53 | next up | 15:24 |
| d34dh0r53 | #topic specification Include bad password details in audit messages (stanislav-z) | 15:24 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 | 15:24 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged) | 15:24 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed) | 15:24 |
| d34dh0r53 | 11-Mar update: the implementation has been updated to incorporate the review feedback | 15:24 |
| d34dh0r53 | is there a link to the docs patch that was mentioned in the last review? | 15:24 |
| stanislav-z | no, there is no patch yet :) | 15:25 |
| stanislav-z | I'll work on it, and send for review | 15:25 |
| d34dh0r53 | ack, thank you! other than that the code changes look good to me | 15:25 |
| d34dh0r53 | Thanks for the work and follow through on this! | 15:27 |
| d34dh0r53 | that does it for specifications | 15:27 |
| d34dh0r53 | #topic open discussion | 15:27 |
| d34dh0r53 | nothing from me | 15:30 |
| d34dh0r53 | moving on | 15:30 |
| d34dh0r53 | #topic bug review | 15:30 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:30 |
| d34dh0r53 | this is the bug we were just talking about | 15:31 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2104185 | 15:31 |
| d34dh0r53 | thanks for the quick work on that stephenfin | 15:32 |
| d34dh0r53 | no more new bugs for keystone | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:32 |
| d34dh0r53 | nothing new for python-keystoneclient | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:32 |
| d34dh0r53 | keystoneauth has no new bugs | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | nothing new in keystonemiddleware either | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | no new bugs in pycadf | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | ldappool is also clear | 15:34 |
| d34dh0r53 | #topic conclusion | 15:34 |
| d34dh0r53 | Not much from me, PTG is in a couple of weeks, looking forward to seeing everyone there | 15:34 |
| d34dh0r53 | Thanks!! | 15:34 |
| d34dh0r53 | #endmeeting | 15:34 |
| opendevmeet | Meeting ended Wed Mar 26 15:34:43 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:34 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-26-15.01.html | 15:34 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-26-15.01.txt | 15:34 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-26-15.01.log.html | 15:34 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!