Wednesday, 2025-07-23

*** mhen_ is now known as mhen [01:48]
*** ykarel_ is now known as ykarel [07:52]
*** darmach1 is now known as darmach [13:15]
<d34dh0r53> #startmeeting keystone [15:08]
<opendevmeet> Meeting started Wed Jul 23 15:08:18 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. [15:08]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [15:08]
<opendevmeet> The meeting name has been set to 'keystone' [15:08]
<d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct [15:08]
<d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct [15:08]
<d34dh0r53> #topic roll call [15:09]
<d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra [15:09]
<d34dh0r53> dmendiza: o/ [15:09]
<gtema> op/ [15:09]
<d34dh0r53> #topic review past meeting work items [15:10]
<d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-09-15.20.html [15:11]
<d34dh0r53> We had one action item: @Greg to look at the ldap failures [15:11]
<d34dh0r53> He's on PTO this week, so I'll push that to next week [15:11]
<gtema> that was done [15:12]
<d34dh0r53> oh, cool [15:12]
<gtema> and fixed. Sadly not all necessary devstack changes are merged yet [15:12]
<d34dh0r53> I think I reviewed those [15:12]
<gtema> yes [15:12]
<dmendiza[m]> 🙋 [15:13]
<d34dh0r53> #topic liaison updates [15:14]
<d34dh0r53> hi dmendiza [15:14]
<d34dh0r53> nothing from me for liaison updates [15:14]
<gtema> nothing on my side either [15:15]
<d34dh0r53> #topic specification OAuth 2.0 (hiromu) [15:15]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext [15:15]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability [15:15]
<d34dh0r53> External OAuth 2.0 Specification [15:15]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) [15:15]
<d34dh0r53> OAuth 2.0 Implementation [15:15]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) [15:16]
<d34dh0r53> OAuth 2.0 Documentation [15:16]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) [15:16]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) [15:16]
<d34dh0r53> no idea where this is, probably just waiting for tacker, et al, to merge things so we can merge the tests [15:16]
<d34dh0r53> #topic specification Secure RBAC (dmendiza) [15:16]
<d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ [15:16]
<d34dh0r53> 2025.2 Release Timeline [15:16]
<d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True [15:16]
<d34dh0r53> Update oslo.policy in keystone to enforce_scope=True [15:16]
<dmendiza[m]> Yeah... I'm not sure if there's anything else we need right now. [15:18]
<d34dh0r53> Should we remove this, can we consider it done? [15:19]
<dmendiza[m]> Possibly? The only thing I'm unsure about is whether Devstack defaults to SRBAC on? 🤔 [15:19]
<d34dh0r53> I'm asking AI 😜 [15:21]
<d34dh0r53> Unclear [15:25]
<gtema> it tells you all the history of SRBAC in OpenStack perhaps instead of giving the answer, right? [15:26]
<gtema> ;) [15:26]
<d34dh0r53> yeah, and then I tried having it collate each of the core projects and it wouldn't [15:27]
<d34dh0r53> maybe if I pointed cursor at it [15:27]
<gtema> it's faster to dig ourselves ;-) [15:28]
<d34dh0r53> #topic specification OpenAPI support (gtema) [15:28]
<d34dh0r53> indeed [15:28]
<d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone [15:28]
<gtema> no news on that front sadly [15:28]
<gtema> was busy with openpolicyagent as wasm crashing [15:28]
<d34dh0r53> ack, did you figure out the wasm thing? [15:30]
<gtema> not really [15:31]
<gtema> found a few articles on how to debug it, but haven't tried yet [15:31]
<d34dh0r53> ack [15:32]
<gtema> the only fact is that this starts happening from a certain number of rules [15:32]
<d34dh0r53> no memory errors because rust doesn't give you enough memory? ;) [15:32]
<gtema> neah. In general wasm itself is like a programming language [15:33]
<gtema> and the rust implementation for it has an invalid memory access once the wasm for openpolicyagent reaches a certain count of rules (functions or whatsoever) [15:34]
<gtema> the size of binary does not matter though, so I assume it really has to do with the number of rules [15:34]
<d34dh0r53> ahh [15:34]
<gtema> till now I implemented calling of OPA using http [15:34]
<gtema> which is anyway a recommended approach with slightly more features [15:35]
<gtema> it also apparently has nearly no influence on the performance, so ... who cares [15:35]
<gtema> I will definitely continue trying to debug it though [15:36]
<gtema> the policies in OPA are so much greater than oslo.policy [15:36]
<d34dh0r53> Yeah, it's very promising, keep us posted [15:37]
<d34dh0r53> #topic open discussion [15:37]
<d34dh0r53> drencrom [15:37]
<d34dh0r53> Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792 [15:37]
<d34dh0r53> Can I help with ldap tests? How hard is it to run them locally? [15:37]
<gtema> we just need to have devstack change on restarting slapd landed [15:38]
<d34dh0r53> Yeah, that's what I figured [15:38]
<gtema> afterwards things are great again and we can come back to that change [15:38]
<d34dh0r53> this did pass keystone-tempest-ldap-domain-specific-driver, does that instantiate slapd? [15:38]
<gtema> I see the change already sets depends-on and tests are now passing [15:39]
<gtema> so we can review that [15:39]
<gtema> yes, it does [15:39]
<gtema> because of that, that job was failing for a very long time [15:39]
<gtema> we just never looked at it [15:40]
<d34dh0r53> okay, I'll review it [15:40]
<d34dh0r53> who should we ping about the devstack patches? [15:40]
<gtema> no idea. I think frickler approved one change of both, but not the slapd restart [15:41]
<gtema> so he should have rights [15:42]
<gtema> oh crap. Now I see the other +Wed change didn't land - need recheck [15:42]
<d34dh0r53> ahh, okay [15:44]
<d34dh0r53> #topic bug review [15:46]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 [15:46]
<d34dh0r53> several new bugs for keystone, not sure if we've covered any yet, but I'll go through the list [15:46]
<d34dh0r53> first up [15:46]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2117217 [15:47]
<d34dh0r53> I thought this was fixed [15:48]
<gtema> maybe this is a side-effect of the fix? [15:48]
<d34dh0r53> no, it just didn't address application credentials [15:50]
<d34dh0r53> commit e9513f8e4f25e1f20bc6fcab71d9177120000abf if anyone is interested [15:50]
<gtema> yeah, looks like that [15:51]
<d34dh0r53> I think we can confirm this one [15:51]
<gtema> right [15:51]
<d34dh0r53> next up [15:52]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2116948 [15:52]
<d34dh0r53> Can we bump the requirements for epoxy? [15:52]
<gtema> hmm, I doubt [15:53]
<gtema> I just wonder why this is happening, since I use that command in github ci for months and haven't seen issues [15:54]
<d34dh0r53> hmm [15:55]
<gtema> so the problem is that we haven't raised the low constraint for that [15:55]
<gtema> additional issue is that the platform the reporter runs does not have a newer version [15:55]
<gtema> almalinux 9.6 [15:56]
<gtema> if we just raise the constraint in Epoxy the reporter would still fail to run it since the package is likely not there [15:57]
<d34dh0r53> ahh, do you mind responding to that bug? [15:57]
<gtema> it looks like it can be updated only in el10 [15:58]
<gtema> sure, I'll do [15:58]
<d34dh0r53> thanks [15:58]
<d34dh0r53> next up [15:58]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2116930 [15:58]
<gtema> I remember stephenfin was complaining on limits that they require system scope tokens or so. [16:01]
<gtema> Maybe this is somehow related [16:01]
<d34dh0r53> I was just wondering about that [16:01]
<stephenfin> That looks like the same issues, yes [16:01]
<stephenfin> *issue [16:01]
<d34dh0r53> ok, so that's confirmed [16:02]
<gtema> well, works as designed as we figured out back in those days [16:02]
<d34dh0r53> yeah, that's true [16:02]
<gtema> but that is definitely not how anybody would want to use the feature [16:02]
<d34dh0r53> especially for admin [16:02]
<gtema> right [16:03]
<d34dh0r53> finally [16:04]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2116750 [16:04]
<gtema> needs further check - not sure this is the default policy [16:06]
<gtema> at least my local checkout tells current policy for create_grant is an insanely long and complex rule [16:06]
<gtema> it's 3 lines on 32'' 4k monitor [16:06]
<d34dh0r53> wow [16:07]
<dmendiza[m]> I can take a look at that [16:07]
<gtema> addition to that ticket is wording: "when a project admin" - looks like they grant admin on project to non admin users [16:09]
<d34dh0r53> yeah, thanks dmendiza [16:10]
<d34dh0r53> that does it for keystone [16:10]
<d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 [16:11]
<d34dh0r53> nothing new in python-keystoneclient [16:11]
<d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 [16:11]
<d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 [16:11]
<d34dh0r53> keystoneauth is good [16:11]
<d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 [16:11]
<d34dh0r53> so is keystonemiddleware [16:11]
<d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 [16:11]
<d34dh0r53> good here [16:11]
<d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 [16:12]
<d34dh0r53> and ldappool is good to go [16:12]
<d34dh0r53> 'v [16:12]
<d34dh0r53> #topic conclusion [16:12]
<d34dh0r53> Thanks all! Nothing else from e [16:12]
<d34dh0r53> me [16:12]
<gtema> nothing on my side either [16:12]
<d34dh0r53> #endmeeting [16:16]
<opendevmeet> Meeting ended Wed Jul 23 16:16:09 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [16:16]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-23-15.08.html [16:16]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-23-15.08.txt [16:16]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-23-15.08.log.html [16:16]
<gtema> thanks folks, cu [16:16]
