Wednesday, 2026-01-07

02:16 *** mhen_ is now known as mhen
10:18 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: Run mypy from tox  https://review.opendev.org/c/openstack/keystoneauth/+/970461
10:18 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: WIP: typing: Add hints to fixtures  https://review.opendev.org/c/openstack/keystoneauth/+/970462
11:59 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: Run mypy from tox  https://review.opendev.org/c/openstack/keystoneauth/+/970461
11:59 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: WIP: typing: Add hints to fixtures  https://review.opendev.org/c/openstack/keystoneauth/+/970462
12:55 *** darmach3 is now known as darmach
15:03 <d34dh0r53> #startmeeting keystone
15:03 <opendevmeet> Meeting started Wed Jan  7 15:03:51 2026 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03 <opendevmeet> The meeting name has been set to 'keystone'
15:04 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:04 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:04 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:04 <gtema> o/
15:04 <d34dh0r53> dmendiza: bespoke ping
15:06 <dmendiza[m]> 🙋‍♂️
15:09 <d34dh0r53> #topic review past meeting work items
15:09 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-12-10-15.12.html
15:09 <d34dh0r53> no action items to review
15:10 <d34dh0r53> #topic liaison updates
15:10 <d34dh0r53> nothing from me
15:10 <gtema> from me: Happy New Year folks
15:11 <dmendiza[m]> gtema: Happy New Year to you too! 🎉
15:11 <d34dh0r53> happy new year!
15:11 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:11 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:11 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:11 <d34dh0r53> no updates
15:12 <d34dh0r53> I think we can remove this, I'm pretty sure it went a year without any updates
15:12 <gtema> right
15:13 <d34dh0r53> #action d34dh0r53 remove OAuth 2.0 section from weekly meeting doc
15:13 <d34dh0r53> #topic specification OAuth 2.0 (hiromu) Secure RBAC (dmendiza)
15:13 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:13 <d34dh0r53> 2026.1 Release Timeline
15:13 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:13 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:16 <d34dh0r53> dmendiza: any updates?
15:18 <d34dh0r53> moving on
15:18 <d34dh0r53> #topic specification OAuth 2.0 (hiromu) Security Compliance Testing (dmendiza)
15:18 <d34dh0r53> #link https://review.opendev.org/c/openstack/devstack/+/957969
15:19 <d34dh0r53> also for dmendiza
15:19 <dmendiza[m]> 🙋‍♂️
15:19 <dmendiza[m]> Sorry, got distracted for a second.
15:19 <d34dh0r53> no worries
15:19 <dmendiza[m]> No updates from me this week as I'm just getting back into the swing of things after taking some time off for the holidays.
15:20 <dmendiza[m]> But one of my New Year's resolutions is to be a better open source maintainer this year. 😅
15:20 <d34dh0r53> That is a great resolution!
15:20 <d34dh0r53> I'll join you :)
15:20 <gtema> lol
15:20 <dmendiza[m]> 🥳
15:21 <d34dh0r53> next up
15:21 <d34dh0r53> #topic specification OAuth 2.0 (hiromu) OpenAPI support (gtema)
15:21 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:21 <d34dh0r53> that's not right
15:21 <gtema> no changes here. There were few backports, but I think nothing should be open now
15:21 <d34dh0r53> #undo
15:21 <opendevmeet> Removing item from minutes: #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:21 <d34dh0r53> OpenAPI support (gtema)
15:22 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:22 <gtema> I am much more focused on the rust reimpl
15:22 <gtema> maybe we want/should add this to the weekly agenda as well?
15:23 <gtema> I got many more necessary approvals and start working on deploying it on our cloud. Current focus is only auth and token validation
15:23 <gtema> was busy adding support for trust and system scope token
15:23 <d34dh0r53> I'm okay with it
15:24 <gtema> I have a new independent contributor - party
15:24 <d34dh0r53> woo hoo!
15:24 <gtema> anyway, I will then add the topic for agenda for the next week
15:24 * dmendiza[m] adds "Re-learn Rust" to his resolutions
15:24 <gtema> hahaha
15:24 <d34dh0r53> awesome, thanks gtema !
15:25 <d34dh0r53> #topic open discussion
15:25 <d34dh0r53> I see that stephenfin has added a future topic, do you want to discuss that now?
15:25 <stephenfin> if it suits
15:26 <gtema> it is technically now on the TC level to decide - I left my review for the governance change
15:26 <d34dh0r53> (stephenfin) Move ksa to OpenStackSDK governance
15:26 <d34dh0r53> Proposal and rationale https://review.opendev.org/c/openstack/governance/+/971178
15:26 <d34dh0r53> I previously proposed this on IRC during the week and gtema seemed okay with the idea
15:26 <gtema> but, stephenfin, if we move further this way half of OpenStack will land in SDK team :-)
15:26 <d34dh0r53> https://meetings.opendev.org/irclogs/%23openstack-keystone/%23openstack-keystone.2025-12-10.log.html#openstack-keystone.2025-12-10.log.html#t2025-12-10T16:37:19
15:27 <stephenfin> gtema: agreed (on both counts /o\)
15:28 <stephenfin> I'm mainly bringing it up here since I don't want anyone to feel blindsided or ignored
15:28 <stephenfin> but as I mentioned in the PR, it feels like the more natural place for it nowadays
15:28 <stephenfin> s/PR/proposed change/
15:32 <d34dh0r53> thanks stephenfin
15:35 <d34dh0r53> anything else for open discussion?
15:35 <gtema> not from me
15:36 <stephenfin> nope
15:36 <d34dh0r53> #topic bug review
15:36 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:36 <d34dh0r53> several new bugs in keystone
15:37 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2134596
15:38 <d34dh0r53> maybe something that could be assisted with AI?
15:39 <gtema> does such a header exist at all?
15:39 <d34dh0r53> I feel like I've seen it before, but I'm not 100% certain
15:40 <gtema> I am sure sdk and all other clients do not set anything like that
15:40 <gtema> so I do not really even understand what should that do
15:41 <gtema> wow, it is really present in the code (keystone)
15:42 <gtema> but as said - the clients are not sending it - they do not have access to it (unless explicitly querying)
15:43 <gtema> and comment hints that it is maybe some outdated stuff
15:44 <gtema> "# Header set by versions of keystonemiddleware that understand application
15:44 <gtema> # credential access rules
15:44 <d34dh0r53> hmm
15:45 <d34dh0r53> I wonder what version the reporter is running
15:45 <stephenfin> That's from my team
15:46 * stephenfin tries to find the relevant gophercloud ticket
15:46 <stephenfin> https://github.com/gophercloud/gophercloud/pull/3576
15:47 <stephenfin> keystone insists on that header being present if the application credential has access rules associated with it
15:47 <gtema> assisted by: claude - the world is crazy
15:48 <stephenfin> keystonemiddleware will do that in most cases for us, which is why you're likely not aware of it (nor was I when I looked)
15:48 <gtema> I have never experienced any issues without this header
15:48 <stephenfin> *looked first
15:48 <stephenfin> right, because you have keystonemiddleware in the loop
15:49 <stephenfin> however, I don't believe that's the case with keystone itself?
15:49 <stephenfin> iirc, you can trigger this by trying to validate a token against keystone using an application credential with access_rules set
15:49 <gtema> I would need to play around with that explicitly, but I think I was also playing around locally with bare keystone and appcreds when implementing it in rust
15:50 <stephenfin> the access_rules bit is key
15:50 <gtema> I get it
15:50 <d34dh0r53> let's move the discussion to the bug, we've got several more to get through
15:50 <stephenfin> ack
15:50 <gtema> ok
15:50 <d34dh0r53> thx
15:50 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2134607
15:51 <gtema> the pagination strikes again - I would need to go back to that beast
15:51 <d34dh0r53> indeed
15:52 <d34dh0r53> guess what :)
15:52 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2134871
15:52 <gtema> I think I meant exactly this - remember that I have seen something end of last year
15:53 <gtema> it is so hard to force myself to go back to insane python after reimplementing these features in rust
15:53 <d34dh0r53> :) lumps of coal in your stocking
15:54 <d34dh0r53> next up
15:54 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2134925
15:54 <gtema> no - that is the bug I was referring to
15:54 <d34dh0r53> ahh
15:58 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2135250
15:59 <gtema> 😮‍💨
16:00 <d34dh0r53> it looks like someone is going to investigate that one
16:00 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2136771
16:02 <gtema> https://bugs.launchpad.net/keystone/+bug/2135250 is something we were discussing with stephenfin in a bit different context - it is possible to screw the data in the database even through API. In this case the validation of responses fails. I think this bug should be "invalid" with the disablement of the response validation that merged recently
16:08 <d34dh0r53> ack
16:08 <d34dh0r53> sorry, getting pinged elsewhere
16:08 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
16:09 <d34dh0r53> no new bugs for python-keystoneclient
16:09 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
16:09 <d34dh0r53> keystoneauth is good
16:09 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
16:12 <d34dh0r53> keystonemiddleware is also good
16:12 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:13 <d34dh0r53> pycadf is good
16:13 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:13 <d34dh0r53> so is ldappool
16:13 <d34dh0r53> #topic conclusion
16:13 <d34dh0r53> happy new year folks :)
16:13 <d34dh0r53> #endmeeting
16:13 <opendevmeet> Meeting ended Wed Jan  7 16:13:52 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:13 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-01-07-15.03.html
16:13 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-01-07-15.03.txt
16:13 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-01-07-15.03.log.html
16:14 <gtema> thanks folks
16:14 <gtema> have a nice day/evening
