| *** mhen_ is now known as mhen | 02:13 | |
|---|---|---|
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2024.2: Invalidate token of user disabled in readonly backend https://review.opendev.org/c/openstack/keystone/+/969994 | 08:20 |
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2025.2: Import LOG where it is used https://review.opendev.org/c/openstack/keystone/+/970340 | 08:22 |
| opendevreview | Merged openstack/keystone master: api-ref: Add (deprecated) endpoint name docs https://review.opendev.org/c/openstack/keystone/+/970164 | 08:34 |
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2025.1: Import LOG where it is used https://review.opendev.org/c/openstack/keystone/+/970342 | 08:42 |
| opendevreview | Merged openstack/keystonemiddleware master: Update master for stable/2025.2 https://review.opendev.org/c/openstack/keystonemiddleware/+/959455 | 08:44 |
| opendevreview | Merged openstack/keystonemiddleware master: Remove unused bandit target https://review.opendev.org/c/openstack/keystonemiddleware/+/962840 | 10:20 |
| opendevreview | Merged openstack/keystonemiddleware master: reno: Update master for unmaintained/2024.1 https://review.opendev.org/c/openstack/keystonemiddleware/+/965773 | 10:20 |
| opendevreview | Merged openstack/keystonemiddleware master: Replace CRLF by LF https://review.opendev.org/c/openstack/keystonemiddleware/+/906930 | 10:20 |
| opendevreview | Merged openstack/keystone master: Ignore codegenerator working directory https://review.opendev.org/c/openstack/keystone/+/970165 | 10:25 |
| opendevreview | Stephen Finucane proposed openstack/oslo.limit master: typing: Accept None project ID https://review.opendev.org/c/openstack/oslo.limit/+/970247 | 11:06 |
| opendevreview | Stephen Finucane proposed openstack/oslo.limit master: typing: Be looser in what we accept https://review.opendev.org/c/openstack/oslo.limit/+/970248 | 11:06 |
| opendevreview | Merged openstack/pycadf master: ruff: Enable missing E5 check https://review.opendev.org/c/openstack/pycadf/+/970255 | 11:50 |
| opendevreview | Merged openstack/oslo.limit master: Fix region query https://review.opendev.org/c/openstack/oslo.limit/+/969413 | 12:46 |
| opendevreview | Rafael Weingartner proposed openstack/keystone master: Keystone identity mapping to support project definition as a JSON https://review.opendev.org/c/openstack/keystone/+/742235 | 13:17 |
| opendevreview | Rafael Weingartner proposed openstack/keystone master: Keystone identity mapping to support project definition as a JSON https://review.opendev.org/c/openstack/keystone/+/742235 | 13:29 |
| opendevreview | Winicius Allan Bezerra da Silva proposed openstack/keystone master: api-ref: Add description field in Endpoint https://review.opendev.org/c/openstack/keystone/+/970170 | 13:38 |
| opendevreview | Doug Goldstein proposed openstack/keystoneauth master: Add v3websso OpenID Connect Web SSO authentication plugin https://review.opendev.org/c/openstack/keystoneauth/+/970328 | 14:34 |
| opendevreview | Takashi Kajinami proposed openstack/keystoneauth master: uff: Enable E5 check https://review.opendev.org/c/openstack/keystoneauth/+/970399 | 14:38 |
| dmendiza[m] | 🙋‍♂️ | 15:04 |
| gtema | right dmendiza | 15:07 |
| gtema | ok, let's start without Dave | 15:12 |
| gtema | #startmeeting keystone | 15:12 |
| opendevmeet | Meeting started Wed Dec 10 15:12:10 2025 UTC and is due to finish in 60 minutes. The chair is gtema. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:12 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:12 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:12 |
| gtema | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:12 |
| gtema | #link https://openinfra.dev/legal/code-of-conduct | 15:12 |
| xek | o/ | 15:12 |
| gtema | #topic roll call | 15:12 |
| gtema | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:12 |
| cardoe | o/ | 15:13 |
| gtema | #topic review past meeting work items | 15:13 |
| gtema | #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-03-15.02.txt | 15:13 |
| gtema | no AIs | 15:13 |
| gtema | #topic liaison updates | 15:14 |
| gtema | I do not have anything, anyone else? | 15:14 |
| cardoe | I've just got those federation docs. | 15:14 |
| cardoe | And I'm happy to help fix it up more. | 15:15 |
| gtema | thks cardoe. | 15:15 |
| cardoe | I'm just wanting to make it easier for folks to setup and follow. | 15:15 |
| gtema | I have generally personal "negative" feeling about those docs since in my eyes the whole federation how it is right now should be just dropped | 15:16 |
| cardoe | oh and I've been using my websso patch above for now the 2nd day. I'll deploy it locally for more folks to use. | 15:16 |
| cardoe | gtema: I totally understand and I agree with you. But what I'd like to do is document the current state of things. | 15:16 |
| cardoe | I think that'll help us get a better implementation in the next version that you're working on. | 15:16 |
| gtema | sure, go for it | 15:17 |
| cardoe | Because it'll be clearer what people are trying to achieve. | 15:17 |
| cardoe | So if I can help in that area please let me know. | 15:17 |
| gtema | then have a look into the new implementation and try to digest whether it fits your expectations and/or whether something is missing | 15:18 |
| gtema | and maybe we find a better way of having a "smooth migration" to it | 15:18 |
| gtema | ok, going next the agenda | 15:18 |
| gtema | #topic specification | 15:18 |
| gtema | OAuth 2.0 (hiromu) | 15:19 |
| gtema | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:19 |
| gtema | I think this item should be dropped from the agenda - there is no change since years | 15:20 |
| gtema | going next | 15:21 |
| gtema | * Secure RBAC (dmendiza) | 15:21 |
| gtema | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:21 |
| gtema | are | 15:21 |
| gtema | there any updates? | 15:21 |
| gtema | doesn't seem so | 15:23 |
| gtema | - Security Compliance Testing (dmendiza) | 15:23 |
| gtema | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:23 |
| gtema | dmendiza, I am really lost in the dependencies between related changes. What is open? | 15:24 |
| dmendiza[m] | 🙋‍♂️ | 15:29 |
| dmendiza[m] | Hmm... let me see | 15:29 |
| dmendiza[m] | Right, so | 15:30 |
| dmendiza[m] | We need this change in devstack to turn off Security Compliance by default - this makes it opt-in instead of running it everywhere. | 15:31 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:31 |
| d34dh0r53 | o/ sorry, had a conflict this morning | 15:31 |
| dmendiza[m] | It had the necessary +2s, but it's failing the gate for some reason | 15:31 |
| dmendiza[m] | There's a new Keystone gate job that will turn on the flag, and it depends on that first one: | 15:33 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/961726 | 15:33 |
| dmendiza[m] | they may be stale, so I should probably rebase those | 15:33 |
| dmendiza[m] | There's also a patch for tempest that adds new tests ... let me find that one | 15:34 |
| gtema | gmann mentioned that the keystone change times out consistently | 15:34 |
| gtema | and tempest change has -1 review | 15:35 |
| gtema | as well as it is failing | 15:35 |
| dmendiza[m] | Yeah, looks like the whole thing needs some TLC | 15:36 |
| gtema | dmendiza - are you going to look at that and do something this month? | 15:37 |
| gtema | I mean EOY is not the most efficient time | 15:38 |
| dmendiza[m] | Yes, I'll get those fixed up | 15:38 |
| gtema | cool, thks | 15:38 |
| dmendiza[m] | My New Year's resolution will be to review more upstream patches in 2026. 😅 | 15:39 |
| gtema | lol | 15:39 |
| gtema | ok, next | 15:39 |
| gtema | #topic specification OpenAPI support (gtema) | 15:39 |
| gtema | I need to fix the domain schema for extra props, but the disabling of the schema validation was proposed for back ports | 15:40 |
| gtema | other than that there is nothing on the topic | 15:40 |
| gtema | and so we come to | 15:40 |
| gtema | #topic open discussion | 15:40 |
| gtema | I have one topic | 15:40 |
| gtema | I have figured out, like a few hours ago, we have no proper index on the application credentials table | 15:41 |
| gtema | the PK is the internal_id, but the most frequent usecase is with the id | 15:41 |
| gtema | has anybody noticed that as well or am I just seeing ghosts? | 15:41 |
| opendevreview | Milana Levy proposed openstack/keystone master: Add devstack-identity-security-compliance job https://review.opendev.org/c/openstack/keystone/+/961726 | 15:44 |
| gtema | maybe this is the root cause for the bugreport we had like a year ago or so where token validation of appcred token was taking much longer compared to the password token | 15:46 |
| gtema | unlikely that this is the sole problem, but it is the problem in my eyes. I have checked in our cloud there are ~500 records only so it is not a big deal for a full scan, but ... | 15:47 |
| gtema | when user authenticates with userid and app_cred_name - there is at least unique index, but in the token we store the appcred_id and it would be again fetched for every token validation with a full table scan | 15:48 |
| gtema | ok, doesn't seem anyone else spotted same | 15:49 |
| gtema | #topic bug review | 15:49 |
| gtema | there are no new bugs this week | 15:49 |
| gtema | Grzegorz Grasza: have you had a chance to look at the older keystonemiddleware bugs? | 15:50 |
| gtema | doesn't seem to be the case | 15:52 |
| gtema | @cardoe - I have added functests for federation with dex into keystone-ng. It is definitely not the primary citizen since it does not have own users database and is only proxying it somewhere else. But still there is a test now with the hardcoded internal users | 15:53 |
| gtema | oki | 15:55 |
| gtema | #topic conclusion | 15:55 |
| gtema | that's all folks | 15:55 |
| gtema | thanks and see ya | 15:55 |
| gtema | #endmeeting | 15:55 |
| opendevmeet | Meeting ended Wed Dec 10 15:55:58 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:55 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-10-15.12.html | 15:55 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-10-15.12.txt | 15:55 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-10-15.12.log.html | 15:55 |
| cardoe | gtema: you can define users statically with a password for testing purposes to not have to proxy elsewhere. | 15:57 |
| gtema | yes, that is what I meant. But you can't i.e. test different mappings and group memberships | 15:57 |
| opendevreview | Rafael Weingartner proposed openstack/keystone master: Keystone identity mapping to support project definition as a JSON https://review.opendev.org/c/openstack/keystone/+/742235 | 16:03 |
| opendevreview | Stephen Finucane proposed openstack/oslo.limit stable/2025.2: Fix region query https://review.opendev.org/c/openstack/oslo.limit/+/970419 | 16:15 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: ruff: Enable E5 check https://review.opendev.org/c/openstack/keystoneauth/+/970399 | 16:16 |
| opendevreview | Takashi Kajinami proposed openstack/keystoneauth master: ruff: Enable E5 check https://review.opendev.org/c/openstack/keystoneauth/+/970399 | 16:35 |
| opendevreview | Arnaud Morin proposed openstack/keystone master: Fix small typo about ec2tokens in documentation https://review.opendev.org/c/openstack/keystone/+/970424 | 16:36 |
| stephenfin | gtema: d34dh0r53: xek: Can I get core on keystoneauth? It's pretty important for SDK, and I'd like to be able to approve more trivial things like the above two patches ^ | 16:37 |
| stephenfin | dmendiza[m]: too ^ | 16:37 |
| gtema | is ok for me and I got that initially exactly due to the sdk work | 16:38 |
| opendevreview | Takashi Kajinami proposed openstack/keystoneauth master: Use consistent name for logger instance https://review.opendev.org/c/openstack/keystoneauth/+/970427 | 16:41 |
| opendevreview | Merged openstack/keystoneauth master: Update master for stable/2025.2 https://review.opendev.org/c/openstack/keystoneauth/+/959452 | 16:52 |
| opendevreview | Merged openstack/keystoneauth master: reno: Update master for unmaintained/2024.1 https://review.opendev.org/c/openstack/keystoneauth/+/965771 | 16:52 |
| opendevreview | Takashi Kajinami proposed openstack/oslo.limit master: Enable logging related ruff checks https://review.opendev.org/c/openstack/oslo.limit/+/970435 | 16:57 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: ruff: Enable S checks https://review.opendev.org/c/openstack/keystoneauth/+/970458 | 18:23 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: docs: Update note on v2 API https://review.opendev.org/c/openstack/keystoneauth/+/970459 | 18:23 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: typing: Simplify mypy configuration https://review.opendev.org/c/openstack/keystoneauth/+/970460 | 18:23 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: Run mypy from tox https://review.opendev.org/c/openstack/keystoneauth/+/970461 | 18:23 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: WIP: typing: Add hints to fixtures https://review.opendev.org/c/openstack/keystoneauth/+/970462 | 18:23 |
| opendevreview | Merged openstack/keystone master: Fix small typo about ec2tokens in documentation https://review.opendev.org/c/openstack/keystone/+/970424 | 18:29 |
| opendevreview | Merged openstack/keystoneauth master: ruff: Enable E5 check https://review.opendev.org/c/openstack/keystoneauth/+/970399 | 20:04 |
| opendevreview | Merged openstack/keystoneauth master: Use consistent name for logger instance https://review.opendev.org/c/openstack/keystoneauth/+/970427 | 20:04 |