| opendevreview | Doug Goldstein proposed openstack/keystoneauth master: remove pbr as runtime dependency https://review.opendev.org/c/openstack/keystoneauth/+/988373 | 02:28 |
|---|---|---|
| opendevreview | Doug Goldstein proposed openstack/keystoneauth master: tox: switch to recommended constraints parameter https://review.opendev.org/c/openstack/keystoneauth/+/988374 | 02:33 |
| *** | ykarel_ is now known as ykarel | 05:04 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Clarify that access rules are not enforced on Keystone's own API https://review.opendev.org/c/openstack/keystone/+/978054 | 07:05 |
| opendevreview | Takashi Kajinami proposed openstack/python-keystoneclient master: Remove unused Makefile for doc https://review.opendev.org/c/openstack/python-keystoneclient/+/977518 | 08:37 |
| gtema | #startmeeting keystone | 15:00 |
| opendevmeet | Meeting started Wed May 13 15:00:28 2026 UTC and is due to finish in 60 minutes. The chair is gtema. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:00 |
| gtema | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:00 |
| gtema | #link https://openinfra.dev/legal/code-of-conduct | 15:00 |
| gtema | #topic roll call | 15:00 |
| gtema | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:01 |
| dmendiza[m] | 🙋 | 15:01 |
| moutazchaara[m] | 👋🏼 | 15:01 |
| gtema | wow, no special invite for dmendiza, it worked | 15:02 |
| xek | o/ | 15:02 |
| gtema | ok, looks like we are complete | 15:03 |
| gtema | #topic review past meeting work items | 15:03 |
| gtema | #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-05-06-15.05.html | 15:03 |
| gtema | was one action to list that 400 takes precedence over 404 | 15:03 |
| gtema | I don't think something has happened, but I double checked that we do not have it documented anywhere, apparently it was discussed in the chat | 15:04 |
| dmendiza[m] | Ah yes, not sure if anyone took ownership of that action? 🤔 | 15:04 |
| gtema | not really, but I can do it since it is "my fault" we have this change ;-) | 15:05 |
| dmendiza[m] | sounds good | 15:05 |
| gtema | then we also had two items on dmendiza to check the enforce_new_defaults and enforce_scope | 15:05 |
| dmendiza[m] | Yeah, did not get a chance to do that yet. Personal life has been hectic, but things should be normalizing now. | 15:06 |
| gtema | good to hear that, man | 15:06 |
| gtema | let's go on | 15:06 |
| gtema | #topic liaison updates | 15:06 |
| gtema | I do not have anything | 15:06 |
| gtema | so moving on | 15:07 |
| gtema | #topic specification | 15:07 |
| gtema | Secure RBAC (dmendiza) | 15:08 |
| gtema | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:08 |
| dmendiza[m] | Just need a +A on this patch: | 15:08 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/986031 | 15:08 |
| dmendiza[m] | and as we just mentioned, I'll be checking to make sure we get rid of overrides to enforce_scope | 15:09 |
| gtema | perfect. @xek, can you have a look here as well, Dave and myself left +2 here | 15:09 |
| gtema | ok, next | 15:11 |
| gtema | #topic Security Compliance Testing (dmendiza) | 15:11 |
| gtema | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:11 |
| dmendiza[m] | Started peeking at this again | 15:11 |
| gtema | good | 15:11 |
| dmendiza[m] | I tried to rebase that patch, but it looks like the Depends-On has a conflict now | 15:12 |
| gtema | yes, it does | 15:12 |
| dmendiza[m] | so I need to sort that out before we can get back to the patch in question ... | 15:12 |
| gtema | and gmaan wanted an RN | 15:12 |
| gtema | good, you are on it, roger | 15:13 |
| gtema | #topic keystone-rs | 15:13 |
| gtema | I was busy adding the real integration with SPIFFE and achieved that | 15:13 |
| gtema | so e.g., openpolicyagent is able to reach keystone to query whether the user has a specific role on the project | 15:14 |
| gtema | but while working on that I noticed that the auth context was enabling a lot of logic errors | 15:14 |
| gtema | like we had recently with CVEs | 15:14 |
| gtema | since the auth context is heavily focused on the Token it has no place for alternative principals | 15:15 |
| gtema | and a lot of optional references make it possible to have those coding errors | 15:15 |
| gtema | so I was busy reworking this context by strictly splitting the Identity from the scope information in it | 15:16 |
| gtema | as you may guess the most interesting part is trust ;-) | 15:16 |
| gtema | but now I use Enums heavily so that errors are much less probable | 15:17 |
| gtema | and in addition to that now there is a single place in the code where the boundary check is performed, not stretched across the code base but in a single function that covers all possible combinations in like 100-150 lines | 15:17 |
| gtema | makes testing such combinations (what auth method was used to auth and which scope is requested) very straightforward | 15:18 |
| gtema | I am finishing with that and would come back to adding the external (SPIFFE, JWT, K8s SA, etc) identities into the new context so that the mapping can be done easier | 15:19 |
| gtema | other than that storing the spiffe identity mappings in raft is implemented | 15:20 |
| gtema | that's it on the RS | 15:20 |
| gtema | next up | 15:21 |
| gtema | #topic open discussion | 15:21 |
| gtema | #link https://review.opendev.org/c/openstack/keystone-specs/+/983993 | 15:21 |
| Muran | Yeah I added that one. Wanted to check if it could get some traction | 15:21 |
| gtema | leaving tab open for review | 15:21 |
| Muran | Alright thanks | 15:22 |
| gtema | quite lot happened since I last had a look at it | 15:22 |
| Muran | I did a reference implementation that is defined in the blueprint, not finished since I kinda want spec to land first before spending more time on it :) | 15:22 |
| Muran | Yeah there has been some discussions. The TL;DR is that it now defines user, user domain, project and project domain into the scope. | 15:23 |
| gtema | alright. As mentioned in the RS I have a strict separation of the interfaces, which would also benefit here and you can have pretty much any level of protection, but it is sadly nearly impossible in the python keystone | 15:23 |
| Muran | Yeah and we are not using keystone-rs | 15:24 |
| Muran | (yet at least) | 15:24 |
| gtema | I mean RS technically listens on internal interface with a dedicated router allowing to hide certain APIs from public exposure | 15:24 |
| gtema | I know | 15:25 |
| gtema | okay, anything else on the open discussion except that LDAP pagination change that is still among the 100 tabs open in my browser? | 15:25 |
| gtema | #topic bug review | 15:26 |
| moutazchaara[m] | ok was going to post it again xD. good it is with your tabs | 15:26 |
| gtema | sure, I really do and had already a look but was distracted with security prio issues | 15:26 |
| gtema | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:27 |
| gtema | do not see any new bugs in keystone itself | 15:27 |
| moutazchaara[m] | np | 15:27 |
| gtema | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:27 |
| gtema | nothing in the client | 15:27 |
| gtema | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:27 |
| gtema | nothing in keystoneauth | 15:28 |
| gtema | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:28 |
| gtema | nothing (new) in the middleware | 15:28 |
| gtema | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:28 |
| gtema | neither in pycadf | 15:28 |
| gtema | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:29 |
| gtema | and finally nothing new in ldappool | 15:29 |
| gtema | which is great (not to have new things to take care of) | 15:29 |
| gtema | #topic conclusion | 15:29 |
| gtema | that's all folks, final words? | 15:30 |
| moutazchaara[m] | Have a great vacation for those who have it | 15:30 |
| gtema | thanks | 15:31 |
| gtema | have great holidays if you have some | 15:31 |
| gtema | #endmeeting | 15:31 |
| opendevmeet | Meeting ended Wed May 13 15:31:35 2026 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:31 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-05-13-15.00.html | 15:31 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-05-13-15.00.txt | 15:31 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-05-13-15.00.log.html | 15:31 |
| opendevreview | Stephen Finucane proposed openstack/keystoneauth master: Drop unnecessary type: ignore https://review.opendev.org/c/openstack/keystoneauth/+/988507 | 17:33 |
| opendevreview | Merged openstack/keystone-tempest-plugin master: Make keystone-protection-functional job voting https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/986031 | 19:26 |
| opendevreview | Julia Kreger proposed openstack/keystoneauth master: Add minimum tls version and caller cipher controls https://review.opendev.org/c/openstack/keystoneauth/+/988544 | 21:53 |