Wednesday, 2025-08-06

« Tuesday, 2025-08-05 Index Thursday, 2025-08-07 »
bkranendonkhi folks. is it somehow possible to override a flask api method? I don't see setuptools entrypoints for it. Is there another way? cheers.09:01
bbobrovgood evening! Will the meeting happen today?15:02
d34dh0r53Yep, starting it now15:04
d34dh0r53#startmeeting keystone15:04
opendevmeetMeeting started Wed Aug  6 15:04:27 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:04
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:04
opendevmeetThe meeting name has been set to 'keystone'15:04
d34dh0r53Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct15:04
d34dh0r53#link https://openinfra.dev/legal/code-of-conduct15:04
d34dh0r53#topic roll call15:05
dmendiza[m]🙋15:05
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra15:05
bbobrovo/15:05
d34dh0r53o/15:05
cardoeo/15:05
d34dh0r53I think gtema is still on PTO, so let's get started15:08
d34dh0r53#topic review past meeting work items15:08
d34dh0r53#link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-30-15.20.html15:08
d34dh0r53one action item from last week:15:08
d34dh0r53dmendiza look into https://bugs.launchpad.net/keystone/+bug/211909115:08
dmendiza[m]I did not get a chance to look at it. Let's bump to next week 15:08
d34dh0r53ack15:09
d34dh0r53#action dmendiza look into https://bugs.launchpad.net/keystone/+bug/211909115:09
d34dh0r53#topic liaison updates15:09
d34dh0r53nothing from me15:09
d34dh0r53#topic specification OAuth 2.0 (hiromu)15:11
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext15:12
d34dh0r53#link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability15:12
d34dh0r53no updates15:12
d34dh0r53#topic specification Secure RBAC (dmendiza)15:12
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:12
d34dh0r532025.2 Release Timeline15:12
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:12
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:12
dmendiza[m]I mentioned last week that devstack is still not setting those15:13
dmendiza[m]or rather overriding to =False for both15:13
dmendiza[m]#link https://review.opendev.org/c/openstack/devstack/+/95621015:14
dmendiza[m]is the WIP.  I have not looked into the failures15:14
dmendiza[m]that's it for srbac this week15:14
d34dh0r53thanks dmendiza 15:15
d34dh0r53#topic specification OpenAPI support (gtema)15:15
d34dh0r53#link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone15:15
d34dh0r53gtema is on PTO this week so no updates here15:15
d34dh0r53#topic open discussion15:15
d34dh0r53drencrom15:15
d34dh0r53Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/95179215:15
d34dh0r53It is passing ldap tests with the devstack patches15:15
d34dh0r53I've reviewed this, other cores please take a look15:16
d34dh0r53anything else for open discussion?15:18
dmendiza[m]🙋‍♂️15:19
dmendiza[m]Still working on getting some tempest coverage of security copliance options that are not yet tested15:19
dmendiza[m]WIP patch for setting the password regex is here:15:19
dmendiza[m]#link https://review.opendev.org/c/openstack/devstack/+/95611115:20
dmendiza[m]Currently running into a few issues getting a test for password length to pass because:15:20
dmendiza[m]* Keystone must be configured in devstack - hence the devstack patch15:21
dmendiza[m]* devstack defaults to having security compliance tests turned on for all jobs - i.e. you have to opt out15:21
dmendiza[m]* Because of previous point, all jobs are running the new test.15:21
dmendiza[m]Initially we'd left the regex blank by default and then overriding in a security_compliance job15:22
dmendiza[m]but that had the side effect of only passing in that job while all other jobs failed15:22
dmendiza[m]currently stuck at trying to pick a better default15:22
dmendiza[m]the WIP patch I linked defaults to the same example we have in the docs15:22
dmendiza[m]#link https://docs.openstack.org/keystone/latest/admin/configuration.html#configuring-password-strength-requirements15:23
dmendiza[m]but there are a lot of default passwords that don't meet the criteria, which is why the patch is currently failing15:23
dmendiza[m]options to move forward are:... (full message at <https://matrix.org/oftc/media/v1/media/download/AfmrCOZr--2rcxDNJZl_93TqIEvCbNdf1s-Y_r5a5gYEEjF7NZY6FLFojZHehDnfGc5JUor8BVS40o7tn8B__PJCeYyBSP-wAG1hdHJpeC5vcmcveEFGdGFqbU5NZ3RpZmxwRWVMR1ZhSUdo>)15:24
d34dh0r53I'm in favor of option 215:24
d34dh0r53Updating the default passwords15:24
dmendiza[m]Me too, the only concern is that this may break other jobs that are outside of devstack and tempest (which is the two repos I will update for my patches)15:25
dmendiza[m]In the event that other jobs/repos break we could advise to either: 15:25
dmendiza[m]* update passwords15:25
dmendiza[m]* opt-out of running the security compliance suite15:25
dmendiza[m]If no one objects to that I'll move forward with this plan15:25
d34dh0r53Yeah, those are both very easy to implement solutions15:27
d34dh0r53any objections?15:27
d34dh0r53cool, option 2 dmendiza 15:32
dmendiza[m]ack, sounds good to me15:32
d34dh0r53anything else for open discussion?15:33
d34dh0r53guess not15:34
d34dh0r53#topic bug review15:34
d34dh0r53#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:34
d34dh0r53several new bugs for keystone15:35
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/211934615:35
d34dh0r53looks like there is a fix proposed and it's limited to python 3.1315:36
d34dh0r53moving on15:36
d34dh0r53#link https://bugs.launchpad.net/keystone/+bug/211954315:37
d34dh0r53I feel like this may be a dup15:37
d34dh0r53maybe not, this may have to do with the jsonschema stuff, gtema should have a look15:39
d34dh0r53next up15:39
bbobrovthe super secret bug15:39
d34dh0r53Yep, not talking about that here15:41
d34dh0r53that's it for keystone15:41
d34dh0r53#link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=015:41
d34dh0r53nothing new on python-keystoneclient15:42
d34dh0r53#link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=015:42
d34dh0r53keystoneauth is good15:42
d34dh0r53#link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=015:42
d34dh0r53no new bugs in keystonemiddleware15:43
d34dh0r53#link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=015:43
d34dh0r53pycadf is clean15:43
d34dh0r53#link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=015:43
d34dh0r53so is ldappool15:43
d34dh0r53#topic conclusion15:43
d34dh0r53thanks all, nothing else from me15:44
d34dh0r53#endmeeting15:44
opendevmeetMeeting ended Wed Aug  6 15:44:32 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:44
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-06-15.04.html15:44
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-06-15.04.txt15:44
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-06-15.04.log.html15:44
« Tuesday, 2025-08-05 Index Thursday, 2025-08-07 »

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!