| d34dh0r53 | #startmeeting keystone | 15:02 |
|---|---|---|
| opendevmeet | Meeting started Wed Feb 25 15:02:02 2026 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:02 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:03 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:03 |
| d34dh0r53 | #topic roll call | 15:04 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:04 |
| gtema | o/ | 15:04 |
| d34dh0r53 | hi gtema , good pto? | 15:04 |
| gtema | still there ;-) | 15:05 |
| gtema | using time to work on keystone-rs | 15:05 |
| d34dh0r53 | nice | 15:05 |
| d34dh0r53 | #topic review past meeting work items | 15:06 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-02-11-15.05.html | 15:06 |
| d34dh0r53 | nothing to review from the last meeting | 15:06 |
| d34dh0r53 | #topic liaison updates | 15:06 |
| d34dh0r53 | no updates from me | 15:06 |
| gtema | nothing from me | 15:07 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza) | 15:08 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:08 |
| d34dh0r53 | 2026.1 Release Timeline | 15:08 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:08 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:08 |
| d34dh0r53 | I just saw dmendiza a minute ago | 15:09 |
| d34dh0r53 | guess he's not around | 15:10 |
| d34dh0r53 | #topic specification Security Compliance Testing (dmendiza) | 15:10 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:10 |
| dmendiza[m] | 🙋‍♂️ | 15:10 |
| d34dh0r53 | 👋 | 15:10 |
| dmendiza[m] | Sorry, was afk | 15:11 |
| dmendiza[m] | Right, so RE: SRBAC, looks like the functional tests are non-voting | 15:11 |
| dmendiza[m] | which sucks, because I broke some stuff not too long ago and didn't notice because non-voting == non-caring | 15:11 |
| gtema | every day something is broken, who cares ;-) | 15:12 |
| dmendiza[m] | We also have some duplication in SRBAC flags for testing | 15:12 |
| dmendiza[m] | I submitted a few patches but things are failing all over the place | 15:13 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/976709 | 15:13 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/976710 | 15:13 |
| dmendiza[m] | For that second patch, note that SRBAC test failures are currently at 36 failures | 15:14 |
| dmendiza[m] | Anyway, I need to find some time to fix this stuff | 15:14 |
| dmendiza[m] | There was also a patch from gmaan for adding SRBAC unit tests as well? | 15:14 |
| dmendiza[m] | let me see if I can find it | 15:15 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/886434 | 15:15 |
| dmendiza[m] | also failing | 15:15 |
| d34dh0r53 | I just workflow'd the keystone-tempest-plugin patch | 15:15 |
| dmendiza[m] | Dave Wilde (d34dh0r53): I appreciate it, but it won't go anywhere because the Depends-On patch is failing. | 15:16 |
| d34dh0r53 | yep, I know, but at least it's done for when the other one passes | 15:16 |
| gtema | and why is this protection job now failing? | 15:18 |
| gtema | "AttributeError: module 'keystone.common.policies.base' has no attribute 'RULE_SYSTEM_READER_OR_OWNER'" - was there something renamed? | 15:18 |
| dmendiza[m] | Possibly? Like I mentioned earlier, the protection job is non-voting so who knows how long it has been failing --- changes like that would not have been caught | 15:19 |
| gtema | ack | 15:20 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/760478 | 15:21 |
| d34dh0r53 | 5 years :o | 15:21 |
| dmendiza[m] | heh | 15:22 |
| d34dh0r53 | I always thought that protection-functional was a superset, but I guess that's not the case | 15:22 |
| bbobrov | i think that's about when they stopped working on openstack | 15:23 |
| gtema | I am so terribly frustrated over all the different jobs and those different assumptions that for me personally it is not worth any use - full rewrite is necessary. Everything is leaking heavily | 15:23 |
| d34dh0r53 | yeah, there's 10+ years of cruft | 15:25 |
| dmendiza[m] | Hoping to get some upstream time on Friday, so I'll keep digging at this | 15:26 |
| dmendiza[m] | For the Security Compliance testing -- no progress since last week. | 15:27 |
| d34dh0r53 | thanks dmendiza | 15:27 |
| d34dh0r53 | #topic keystone-rs | 15:27 |
| d34dh0r53 | #link https://github.com/openstack-experimental/keystone | 15:28 |
| gtema | cardoe should be happy, I am finishing implementation for the k8s token review auth | 15:28 |
| gtema | I have also implemented the raft based distributed storage that would help making things much more smooth | 15:29 |
| gtema | also now ensuring local development with the k8s is usable with skaffold - let the tests run in the real k8 | 15:30 |
| gtema | they are also executed in the CI same way | 15:30 |
| gtema | my zero-trust concept passed the internal review in the company with people saying - go for it | 15:31 |
| gtema | and the k8 auth makes pretty much sense in combination with grpc and mtls communication between services | 15:32 |
| gtema | that's it so far | 15:32 |
| d34dh0r53 | wow, that sounds awesome, maybe I'll try to compile it and play around with it on Friday | 15:33 |
| d34dh0r53 | thanks gtema | 15:33 |
| d34dh0r53 | #topic open discussion | 15:33 |
| bbobrov | I would like to get your attention on https://bugs.launchpad.net/keystone/+bug/2140492 and the 2 patches related to it | 15:34 |
| bbobrov | Right now a user can create an app cred with secret "1" or "securesecret" right from the docs. Compliance people are not happy. | 15:34 |
| bbobrov | Compliance people are also unhappy that i cannot force everyone to rotate the secrets. | 15:34 |
| bbobrov | The patches add 2 opt-in settings to fix this. Feedback welcome. | 15:35 |
| gtema | ack | 15:35 |
| cardoe | gtema: awesome news | 15:35 |
| cardoe | I haven't had a chance to run skyline against keystone with some more debugging (my backlog is so long right now... :/) | 15:36 |
| cardoe | I just want to get to a place with bbobrov and gtema where we can merge the fix to that keystone function so that it's impossible for it to return None when the code base requires it not to return None. | 15:36 |
| gtema | as pretty much for everyone ;-) That's why I took PTO to work without stress on keystone-rs | 15:37 |
| cardoe | gtema: as you know that code wouldn't compile if it was written in Rust since it's possible to return a None when it's defined as never returning None. | 15:37 |
| gtema | sure - all for rust - XD | 15:37 |
| bbobrov | cardoe: for your issue the most important thing is to have it easily reproduced in keystone only, without skyline | 15:38 |
| gtema | and with python we only see breakages now DAILY | 15:38 |
| cardoe | Yeah I gotta figure out what the payload is that skyline is sending to keystone. | 15:38 |
| cardoe | Cause it'll happen with a curl call once I figure out that payload. | 15:39 |
| bbobrov | if you manage to get the actual token, you could cheat and decode it with the fernet keys from keystone to look at the payload | 15:39 |
| gtema | and it is not going to be very easy, since it passes the mod_auth_oidc and mapping engine first | 15:39 |
| bbobrov | or there is no fernet token yet? | 15:39 |
| gtema | it's not that skyline itself sends some trash | 15:39 |
| gtema | nope, from what I understand this happens in the authentication/re-authentication | 15:39 |
| gtema | when user switches the project scope or something similar - don't know the detail for sure, but the failure is exactly in the authentication code | 15:40 |
| gtema | at least it looks to me like that | 15:40 |
| cardoe | yeah so basically if I authenticate with skyline and click the drop down to pick a project... keystone throws a 500 | 15:42 |
| cardoe | skyline has a python backend API service that's doing some extra queries that the user might not have access to. | 15:43 |
| gtema | hmm, could it be the /v3/auth/projects call then? | 15:43 |
| cardoe | Yeah | 15:43 |
| cardoe | Unfortunately I need to flog the real people that are seeing this and having it happen engage rather than proxying through me. | 15:44 |
| gtema | well, we should get some debug log including what the initial http call exactly was | 15:44 |
| cardoe | I'll get you guys the debug logs. | 15:44 |
| gtema | thanks | 15:45 |
| d34dh0r53 | 👍️ | 15:45 |
| d34dh0r53 | let's move on to bug triage | 15:45 |
| d34dh0r53 | #topic bug review | 15:45 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:45 |
| d34dh0r53 | first one is sunbeam | 15:46 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2140579 | 15:46 |
| gtema | ehm, why do we have to deal with it? | 15:47 |
| d34dh0r53 | I was just thinking that this looks like an ubuntu bug | 15:47 |
| d34dh0r53 | marked it as invalid for keystone | 15:48 |
| d34dh0r53 | next up | 15:48 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2141713 | 15:48 |
| d34dh0r53 | #undo | 15:48 |
| opendevmeet | Removing item from minutes: #link https://bugs.launchpad.net/keystone/+bug/2141713 | 15:48 |
| d34dh0r53 | nevermind, that's flagged security, I'll review | 15:49 |
| d34dh0r53 | that's it for keystone | 15:50 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:50 |
| d34dh0r53 | nothing new in python-keystoneclient | 15:50 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:50 |
| d34dh0r53 | keystoneauth is good | 15:50 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:50 |
| d34dh0r53 | no new bugs in keystonemiddleware | 15:51 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:51 |
| d34dh0r53 | pycadf is good | 15:51 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:51 |
| d34dh0r53 | nothing new in ldappool | 15:51 |
| d34dh0r53 | #topic conclusion | 15:51 |
| d34dh0r53 | thanks everyone, that's all I have | 15:51 |
| gtema | are you going to join Friday? | 15:52 |
| d34dh0r53 | yes | 15:53 |
| gtema | good | 15:53 |
| d34dh0r53 | see you then | 15:53 |
| gtema | yupp, see you. Thanks | 15:54 |
| d34dh0r53 | #endmeeting | 15:54 |
| opendevmeet | Meeting ended Wed Feb 25 15:54:23 2026 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:54 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-02-25-15.02.html | 15:54 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-02-25-15.02.txt | 15:54 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-02-25-15.02.log.html | 15:54 |
| | *** croeland1 is now known as croelandt | 22:39 |