| opendevreview | Ivan Anfimov proposed openstack/keystone stable/2024.2: fix(pep8): pin setuptools<82 for flake8-import-order compatibility https://review.opendev.org/c/openstack/keystone/+/982658 | 05:53 |
|---|---|---|
| opendevreview | Ivan Anfimov proposed openstack/keystone stable/2025.1: fix(pep8): pin setuptools<82 for flake8-import-order compatibility https://review.opendev.org/c/openstack/keystone/+/982656 | 06:57 |
| opendevreview | Ivan Anfimov proposed openstack/keystone stable/2025.1: fix(pep8): pin setuptools<82 for flake8-import-order compatibility https://review.opendev.org/c/openstack/keystone/+/982656 | 07:00 |
| opendevreview | Lajos Katona proposed openstack/keystone master: LDAP: add new cfg option for pw expiry format https://review.opendev.org/c/openstack/keystone/+/976618 | 08:42 |
| opendevreview | David Wilde proposed openstack/keystone stable/2025.1: fix ldap 'enabled' setting not interpreted as boolean https://review.opendev.org/c/openstack/keystone/+/982408 | 08:50 |
| opendevreview | Ivan Anfimov proposed openstack/keystone stable/2025.1: Fix OIDC federation UTF-8 double-encoding of non-ASCII characters https://review.opendev.org/c/openstack/keystone/+/982761 | 08:50 |
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2025.1: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983589 | 08:51 |
| opendevreview | Adrian Jarvis proposed openstack/keystone stable/2024.2: Replace the random library with secrets in oauth1 https://review.opendev.org/c/openstack/keystone/+/961902 | 08:53 |
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2024.2: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983591 | 08:53 |
| opendevreview | David Wilde proposed openstack/keystone stable/2024.2: fix ldap 'enabled' setting not interpreted as boolean https://review.opendev.org/c/openstack/keystone/+/982409 | 08:54 |
| opendevreview | Merged openstack/oslo.policy master: typing: Fix compatibility with typed testtools, oslotest https://review.opendev.org/c/openstack/oslo.policy/+/983397 | 13:02 |
| | *** bbobrov_ is now known as bbobrov | 15:00 |
| d34dh0r53 | #startmeeting keystone | 15:05 |
| opendevmeet | Meeting started Wed Apr 8 15:05:03 2026 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:05 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:05 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:05 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:05 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:05 |
| d34dh0r53 | #topic roll call | 15:05 |
| gtema | o/ | 15:06 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:06 |
| bbobrov | henlo | 15:06 |
| cardoe | o/ | 15:06 |
| d34dh0r53 | dmendiza: o/ | 15:06 |
| moutazchaara[m] | o/ | 15:07 |
| d34dh0r53 | hi all, let's get started | 15:07 |
| d34dh0r53 | #topic upcoming PTG | 15:07 |
| d34dh0r53 | #link https://etherpad.opendev.org/p/apr2026-ptg-keystone | 15:07 |
| d34dh0r53 | reminder to add topics to the PTG etherpad | 15:07 |
| d34dh0r53 | #topic review past meeting work items | 15:08 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-03-25-15.04.html | 15:09 |
| d34dh0r53 | no items from last week to review | 15:09 |
| d34dh0r53 | #topic liaison updates | 15:09 |
| d34dh0r53 | nothing from me | 15:09 |
| gtema | neither from me | 15:09 |
| d34dh0r53 | cool | 15:10 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza) | 15:10 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:10 |
| d34dh0r53 | 2026.1 Release Timeline | 15:10 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:10 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:10 |
| d34dh0r53 | dmendiza: any updates on S-RBAC? | 15:11 |
| d34dh0r53 | moving on | 15:13 |
| d34dh0r53 | #topic specification Security Compliance Testing (dmendiza) | 15:13 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:13 |
| d34dh0r53 | next up | 15:14 |
| d34dh0r53 | #topic keystone-rs | 15:14 |
| d34dh0r53 | #link https://github.com/openstack-experimental/keystone | 15:14 |
| gtema | I am working on management of the raft cluster | 15:15 |
| gtema | added basic cli support for building a cluster | 15:15 |
| gtema | added tls support | 15:15 |
| gtema | now working on making backend driver (for webauthn) that will use raft instead of sql db | 15:16 |
| d34dh0r53 | cool | 15:17 |
| gtema | once that is done I start adding the domain whitelist acls and tls certificates, since it is more efficient to keep those in KV store compared to sql | 15:17 |
| gtema | will also add support of reading secrets from vault (i.e. the TLS for the raft cluster) | 15:17 |
| gtema | laughing loud from requests for new functionality that closely relates to what is done/planned in RS to be done in python. | 15:18 |
| gtema | other than that - nothing else on the topic | 15:19 |
| d34dh0r53 | hah, thanks gtema :) | 15:19 |
| d34dh0r53 | #topic open discussion | 15:20 |
| bbobrov | I would like to quickly discuss the vulnerability that became public yesterday | 15:21 |
| moutazchaara[m] | Hi, I have a patch fixing LDAP pagination (bug #2146954):... (full message at <https://matrix.org/oftc/media/v1/media/download/AVdYVbKVY6AsLeUJUvgQmZShkbrBEsEJI8vcZeJAbWIedxgbRyf904u_5vwDVXTaEnIQ2MzIdbtYhYyiM-gKvbhCedtch-lgAG1hdHJpeC5vcmcvYkNrdWNqZlNIRmdoTHpxVGR0bmR5Sk9V>) | 15:21 |
| d34dh0r53 | Thanks moutaz.chaara, go ahead bbobrov | 15:22 |
| bbobrov | i tried it out and it works fine. ec2 _deletion_ is not fixed, but it is not a big issue i think | 15:22 |
| bbobrov | or maybe it is fixed but not tested... nevermind | 15:23 |
| bbobrov | but | 15:23 |
| bbobrov | there are no tests. Do we want to merge those patches right now and add tests later? | 15:23 |
| d34dh0r53 | I would err on the side of yes, we should merge those ASAP and add tests | 15:24 |
| gtema | same here | 15:25 |
| bbobrov | good. Then i would appreciate if you could get https://review.opendev.org/c/openstack/keystone/+/983587 merged so that i could cherry-pick it to my keystone then, thanks. | 15:25 |
| d34dh0r53 | I just gave it the +W | 15:26 |
| bbobrov | (yeah, deletion is still possible with restricted app creds; but that doesn't seem to be a major issue) | 15:26 |
| d34dh0r53 | maybe a follow-up bug to fix that | 15:26 |
| bbobrov | can restricted application credentials delete other application credentials? | 15:27 |
| gtema | should not by the definition | 15:28 |
| gtema | I am not 100% sure, but I think not even not-restricted should not be able to | 15:28 |
| gtema | or no, wrong. Since with unrestricted you can create new ac, you may be also able to delete ones | 15:29 |
| gtema | but most likely we should first define the proper behavior | 15:29 |
| d34dh0r53 | https://opendev.org/openstack/keystone/commit/29280b1f681ce2b7758e9cb3f9aa4b0154b10639 | 15:32 |
| d34dh0r53 | I think by design unrestricted app creds can delete | 15:33 |
| d34dh0r53 | anything else for open discussion? | 15:38 |
| d34dh0r53 | cool, moving on to bug review | 15:39 |
| d34dh0r53 | #topic bug review | 15:39 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:39 |
| d34dh0r53 | It looks like keystone has one new bug | 15:40 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2146954 | 15:40 |
| gtema | that was mentioned already today | 15:40 |
| d34dh0r53 | yep, I just assigned the bug to you moutaz.chaara | 15:41 |
| moutazchaara[m] | Yes, i thought it was in the open topic so i mentioned it there. | 15:41 |
| d34dh0r53 | cool, thanks moutaz.chaara we'll review your updated patches | 15:42 |
| d34dh0r53 | next up | 15:42 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:42 |
| d34dh0r53 | no new bugs in python-keystoneclient | 15:42 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:42 |
| d34dh0r53 | keystoneauth is good | 15:43 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:43 |
| d34dh0r53 | nothing new in keystonemiddleware | 15:43 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:43 |
| d34dh0r53 | pycadf is good | 15:43 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:43 |
| d34dh0r53 | ldappool is also good | 15:43 |
| d34dh0r53 | #topic conclusion | 15:44 |
| d34dh0r53 | thanks folks! PTG is in 12 days :) | 15:44 |
| gtema | yey | 15:44 |
| d34dh0r53 | #endmeeting | 15:44 |
| opendevmeet | Meeting ended Wed Apr 8 15:44:48 2026 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:44 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-04-08-15.05.html | 15:44 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-04-08-15.05.txt | 15:44 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-04-08-15.05.log.html | 15:44 |
| gtema | thanks Dave Wilde (d34dh0r53) | 15:45 |
| opendevreview | Merged openstack/keystone master: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983587 | 17:21 |
| opendevreview | Merged openstack/keystone stable/2026.1: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983593 | 17:22 |
| opendevreview | Merged openstack/keystone stable/2025.2: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983588 | 17:26 |
| opendevreview | Merged openstack/keystone-tempest-plugin master: tox: Drop basepython https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/970590 | 17:49 |
| opendevreview | Merged openstack/keystone stable/2024.2: fix(pep8): pin setuptools<82 for flake8-import-order compatibility https://review.opendev.org/c/openstack/keystone/+/982658 | 19:04 |
| opendevreview | Merged openstack/keystone stable/2024.2: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983591 | 19:04 |
| opendevreview | Merged openstack/keystone stable/2025.1: fix(pep8): pin setuptools<82 for flake8-import-order compatibility https://review.opendev.org/c/openstack/keystone/+/982656 | 19:04 |
| opendevreview | Merged openstack/keystone stable/2025.1: Prevent unauthorized EC2 credential creation and deletion https://review.opendev.org/c/openstack/keystone/+/983589 | 19:04 |
| opendevreview | Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: Update ec2 tests for reader role https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/983797 | 20:29 |
| opendevreview | Adrian Jarvis proposed openstack/keystone stable/2024.2: Replace the random library with secrets in oauth1 https://review.opendev.org/c/openstack/keystone/+/961902 | 21:40 |
| opendevreview | Ivan Anfimov proposed openstack/keystone-tempest-plugin master: Use py3 as the default runtime for tox https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/787053 | 21:48 |
| opendevreview | Ivan Anfimov proposed openstack/keystone-tempest-plugin master: Use py3 as the default runtime for tox https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/787053 | 21:48 |
| opendevreview | Ivan Anfimov proposed openstack/keystone-tempest-plugin master: Use py3 as the default runtime for tox https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/787053 | 21:48 |