Friday, 2025-05-30

01:22 *** mhen_ is now known as mhen
08:28 <zigo> andrewbogott_: stephenfin: I've uploaded Keystone 27.0.0-2 to unstable with https://review.opendev.org/c/openstack/keystone/+/951282 hopefully it will make it to Debian 13 (and yes, Trixie will come with Epoxy).
08:28 <stephenfin> ack
08:40 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380
08:40 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381
08:40 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Bump fips jobs to CentOS Stream 10, Ubuntu 24.04 (Noble) https://review.opendev.org/c/openstack/keystone/+/951382
08:46 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380
08:46 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381
08:46 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Bump fips jobs to CentOS Stream 10, Ubuntu 24.04 (Noble) https://review.opendev.org/c/openstack/keystone/+/951382
08:46 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Remove deprecated job aliases https://review.opendev.org/c/openstack/keystone/+/951383
08:49 <opendevreview> Stephen Finucane proposed openstack/keystone-tempest-plugin master: zuul: Migrate to new job names https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384
08:55 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380
08:55 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381
08:55 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Remove deprecated job aliases https://review.opendev.org/c/openstack/keystone/+/951383
08:55 <opendevreview> Stephen Finucane proposed openstack/keystone master: zuul: Bump fips jobs to CentOS Stream 10, Ubuntu 24.04 (Noble) https://review.opendev.org/c/openstack/keystone/+/951382
08:57 <opendevreview> Stephen Finucane proposed openstack/keystone-tempest-plugin master: zuul: Migrate to new job names https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384
09:31 <gtema> stephenfin - your bug from yesterday with appcred token reauth is indeed very interesting. I was even first not able to reproduce it until I (cough-cough) - restarted. Since then I see it and can't figure out what has changed. I see where things go wrong but I can't explain how this was never seen before (or what the heck has changed so that it started happening)
09:43 <stephenfin> gtema: I traced it down to here https://review.opendev.org/c/openstack/keystone/+/951331
09:43 <gtema> Yeah, I know. But that is definitely not a solution
09:43 <stephenfin> we seem to expand the set of methods when we unpack the tokens. idk why we do that, but it seems like the wrong thing to do when using token auth
09:43 <stephenfin> I figured it might not be :)
09:44 <gtema> nope, it is not. Otherwise the user is able to escape app cred constraints
09:44 <gtema> sadly the same seems to be valid also for other auth things, so I am now very confused
09:45 <stephenfin> I was under the impression most of the relevant context was encoded in the fernet token
09:45 <gtema> yes, and in the case of app_cred it is its id
09:45 <stephenfin> I notice, for example, that the tokens are noticeably longer when created with application credential credentials
09:45 <gtema> so I know where to get it from, just wondering why the heck it went unnoticed
09:46 <stephenfin> it's probably a very uncommon path
09:46 <stephenfin> I mean, if you are already using the v3applicationcredential auth method, you probably don't need to use the v3token auth method
09:47 <gtema> and that is what confuses me most. On my rust cli/tui I am exactly going this way and always trying to extend auth using the token
09:47 <stephenfin> (The reason I even noticed it is that I am testing token auth in various k8s/OpenShift components and our internal cloud does not allow v3password auth)
09:47 <gtema> i.e. if you auth with pwd you can't rely on that for re-auth since it may require MFA and then it sucks
09:47 <gtema> the same for oauth
09:48 <gtema> that's all reasons why I reimplement it now all in rust from scratch
09:48 <gtema> I mean keystone part
10:50 <opendevreview> Artem Goncharov proposed openstack/keystone master: Fix getting token from application credentials token https://review.opendev.org/c/openstack/keystone/+/951392
12:09 <opendevreview> Artem Goncharov proposed openstack/keystone master: Split role assignment request/response schemas https://review.opendev.org/c/openstack/keystone/+/951397
12:31 <stephenfin> gtema: Any chance of a +w on https://review.opendev.org/c/openstack/keystoneauth/+/951183 so I can cut a new patch release? https://review.opendev.org/c/openstack/keystoneauth/+/951310 is nice-to-have too
12:32 <gtema> stephenfin, yes, will do this today. We have reviewathon in 1.5 hours for Keystone and we definitely will look at those
12:32 <stephenfin> Sweet. Those CI fixes should be on the reviewathon list too, in that case
12:33 <stephenfin> there are jobs currently broken due to use of Jammy + CentOS 9. I suspect there will be more work needed to get them working on Noble and CentOS 10
12:33 <gtema> you start keeping me away from other topics now also in keystone. Are you chasing me ;-) ?
12:35 <stephenfin> Not yet. But if those patches don't get reviewed... 😈
12:35 <stephenfin> (kidding :))
12:35 <gtema> ah poor me
12:59 <opendevreview> Artem Goncharov proposed openstack/keystone master: Prevent MFA bypass https://review.opendev.org/c/openstack/keystone/+/945429
13:01 <gtema> stephenfin - would you mind joining our openapi meeting today so that we can perhaps discuss using voice different approaches dealing with responses?
13:02 <stephenfin> gtema: I was planning to finish earlier today as I've had a few very long evenings this week. I will set a reminder though and try to join for 15-20 mins.
13:03 <gtema> more is not required for sure. If not - enjoy your evening
15:11 <stephenfin> d34dh0r53: Thanks for the reviews. There's just one more needed here for now https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384
15:25 <andrewbogott_> thank you zigo!
15:40 <opendevreview> Merged openstack/keystoneauth master: typing: Correct type (redux) https://review.opendev.org/c/openstack/keystoneauth/+/951183
15:58 <opendevreview> Merged openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380
15:58 <opendevreview> Merged openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381
16:08 <opendevreview> Merged openstack/keystone master: api: Add log when creating unscoped token https://review.opendev.org/c/openstack/keystone/+/951327
16:08 <opendevreview> Merged openstack/keystone master: docs: identity service now use https https://review.opendev.org/c/openstack/keystone/+/947861
16:15 <opendevreview> Merged openstack/keystone master: Fix getting token from application credentials token https://review.opendev.org/c/openstack/keystone/+/951392
16:20 <opendevreview> Artem Goncharov proposed openstack/keystone master: Split role assignment request/response schemas https://review.opendev.org/c/openstack/keystone/+/951397
16:20 <opendevreview> Artem Goncharov proposed openstack/keystone master: Separate user response and request schema https://review.opendev.org/c/openstack/keystone/+/950647
16:24 <opendevreview> Artem Goncharov proposed openstack/keystone master: Separate user response and request schema https://review.opendev.org/c/openstack/keystone/+/950647
16:56 <opendevreview> Merged openstack/keystoneauth master: Drop support for Python 3.9 https://review.opendev.org/c/openstack/keystoneauth/+/949008
16:56 <opendevreview> Merged openstack/keystoneauth master: Add .git-blame-ignore-revs file https://review.opendev.org/c/openstack/keystoneauth/+/951310
16:56 <opendevreview> Merged openstack/keystoneauth master: Bump Python version used for linters to 3.9 https://review.opendev.org/c/openstack/keystoneauth/+/949009
17:21 <opendevreview> Stephen Finucane proposed openstack/keystone stable/2025.1: api: Add log when creating unscoped token https://review.opendev.org/c/openstack/keystone/+/951428
17:23 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: Bump Python version used for linters to 3.10 https://review.opendev.org/c/openstack/keystoneauth/+/949010
18:11 <opendevreview> Merged openstack/keystone master: Update pre-commit hook versions https://review.opendev.org/c/openstack/keystone/+/950157
18:24 <opendevreview> Artem Goncharov proposed openstack/keystone master: Split role assignment request/response schemas https://review.opendev.org/c/openstack/keystone/+/951397
18:24 <opendevreview> Artem Goncharov proposed openstack/keystone master: Separate user response and request schema https://review.opendev.org/c/openstack/keystone/+/950647
19:39 <opendevreview> Ivan Anfimov proposed openstack/keystone master: wip https://review.opendev.org/c/openstack/keystone/+/951439
19:49 <opendevreview> Ivan Anfimov proposed openstack/keystone master: wip https://review.opendev.org/c/openstack/keystone/+/951439
20:56 <opendevreview> Merged openstack/keystoneauth master: Bump Python version used for linters to 3.10 https://review.opendev.org/c/openstack/keystoneauth/+/949010
21:05 *** darmach9 is now known as darmach

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!