| *** darmach10026 is now known as darmach1002 | 00:25 | |
| opendevreview | Grzegorz Grasza proposed openstack/keystone stable/2025.2: Move keystone-tempest-federation to noble https://review.opendev.org/c/openstack/keystone/+/990895 | 09:36 |
|---|---|---|
| xek | ^ this should unblock the gate | 09:37 |
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2025.2: Add audience mapper to devstack Keycloak client https://review.opendev.org/c/openstack/keystone/+/990618 | 09:57 |
| frickler | xek: thanks, I think this ^^ will to be squashed to make all jobs pass at the same time, but we can wait for CI results first | 09:58 |
| frickler | *will need to | 09:58 |
| opendevreview | Merged openstack/keystone master: Fix user impersonation through application credentials (CVE-2026-42998) https://review.opendev.org/c/openstack/keystone/+/990486 | 11:08 |
| opendevreview | Merged openstack/keystone master: Forbid trust operations using application credentials (CVE-2026-43000) https://review.opendev.org/c/openstack/keystone/+/990487 | 11:08 |
| opendevreview | Merged openstack/keystone master: Preserve expires_at when rescoping federated tokens (CVE-2026-44394) https://review.opendev.org/c/openstack/keystone/+/990488 | 11:08 |
| opendevreview | Merged openstack/keystone master: Prevent RBAC policy bypass via JSON body and query filters (CVE-2026-42999) https://review.opendev.org/c/openstack/keystone/+/990489 | 11:08 |
| opendevreview | Merged openstack/keystone stable/2026.1: Enforce delegation project boundary for delegated tokens https://review.opendev.org/c/openstack/keystone/+/990490 | 11:08 |
| frickler | xek: gtema: in addition to the above two fixes for 2025.2, it looks like another one is needed for keystone-protection-functional failing in keystone_tempest_plugin.tests.rbac.v3.test_limit.DomainAdminTests.test_identity_list_limits https://zuul.opendev.org/t/openstack/build/4668c5606b1a43c8b77aff60659ff55b | 11:11 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone stable/2025.2: Make keystone-protection-functional non-voting on stable/2025.2 https://review.opendev.org/c/openstack/keystone/+/990908 | 11:51 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone stable/2025.2: Make keystone-protection-functional non-voting on stable/2025.2 https://review.opendev.org/c/openstack/keystone/+/990908 | 11:54 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone stable/2025.2: Update hard-coded policy for GET /v3/limits https://review.opendev.org/c/openstack/keystone/+/990914 | 12:17 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone stable/2025.2: Update hard-coded policy for GET /v3/limits https://review.opendev.org/c/openstack/keystone/+/990914 | 12:21 |
| opendevreview | Artem Goncharov proposed openstack/keystone stable/2025.2: Add audience mapper to devstack Keycloak client https://review.opendev.org/c/openstack/keystone/+/990618 | 12:22 |
| opendevreview | Merged openstack/keystone stable/2026.1: Fix user impersonation through application credentials (CVE-2026-42998) https://review.opendev.org/c/openstack/keystone/+/990491 | 12:23 |
| mgariepy | tobias-urdin: do you mind if i update your patch for last week's cves to depend on https://review.opendev.org/c/openstack/keystone/+/990631 ? | 12:30 |
| mgariepy | on the 2024.1 branch that is. | 12:31 |
| opendevreview | Merged openstack/keystone stable/2026.1: Forbid trust operations using application credentials (CVE-2026-43000) https://review.opendev.org/c/openstack/keystone/+/990492 | 12:37 |
| tobias-urdin | mgariepy: no, please do, the patches are part of a large chain since they contain the older keystone cve fixes as well – please rebase the entire chain so we can get all of them merged if they look good | 12:47 |
| mgariepy | i wonder if adding the depends on the first patch that fails will fix the whole chain. | 12:50 |
| frickler | mgariepy: if all changes are in the same repo and branch, doing a git rebase would be seen as the better solution mostly, makes the stack more obvious. depends-on is better used only for cross-repo or cross-branch deps | 12:53 |
| frickler | and you'll want to trigger rechecks for all changes anyway, which this will implicitly do | 12:53 |
| mgariepy | well i added the depend and rebased all the changes :) | 12:54 |
| frickler | ah, I missed the updates because gerritbot doesn't mention them here. the stack actually starts at https://review.opendev.org/c/openstack/keystone/+/987061/1 and that will also need the gate fix. but maybe let's see CI results first now | 12:57 |
| mgariepy | ho, i didn't see the first 2 were passing because they were almost a month old. :/ | 12:59 |
| opendevreview | Merged openstack/keystone stable/2026.1: Preserve expires_at when rescoping federated tokens (CVE-2026-44394) https://review.opendev.org/c/openstack/keystone/+/990493 | 13:00 |
| opendevreview | Merged openstack/keystone stable/2026.1: Prevent RBAC policy bypass via JSON body and query filters (CVE-2026-42999) https://review.opendev.org/c/openstack/keystone/+/990494 | 13:00 |
| mgariepy | frickler: do you think it will pass anyway ? or should i undo and rebase the base? | 13:10 |
| mgariepy | the real question is more, will all of them be checked together on merge or will they be tested independently ? | 13:15 |
| bbobrov | I somehow missed the discussion around https://review.opendev.org/q/I8f59c59b4edd233e173274f1979e9a3ff0f3cfa5. Why was it decided to fix it this way? I am still not switched to the "new defaults", and maintain old-style policy, where "project admin" is confined to their own project, and "cloud admin" is something else, and now my project admins become superadmins for limits? | 13:19 |
| mgariepy | pep8.. 80 > 79. /o\ | 13:34 |
| frickler | bbobrov: I don't know how the original patch came about, but I agree this is questionable for a stable branch. cc gtema xek | 14:54 |
| mgariepy | do you have a guide to format the pep8 failing tests? some fails are only the comma or double-quote at the end of the line that exceed the 79 char limit. | 15:14 |
| mgariepy | 15:14 | |
| bbobrov | mgariepy: have you run tox -e pep8 locally? | 15:19 |
| mgariepy | https://review.opendev.org/c/openstack/keystone/+/990607?tab=change-view-tab-header-zuul-results-summary | 15:20 |
| mgariepy | just reading the logs from pep8 test | 15:20 |
| bbobrov | yes, but have you run it locally? | 15:20 |
| mgariepy | nop. | 15:20 |
| bbobrov | on your computer | 15:20 |
| bbobrov | try it! | 15:20 |
| bbobrov | it will autoformat everything for you | 15:20 |
| mgariepy | i'll check it a bit later, not currently set up for this, it's not something i usually do ;) | 15:25 |
| bbobrov | hmmm maybe it will not work on 2024.1 though. | 15:28 |
| mgariepy | not sure why the backport of the patch is not passing.. but pass on other branches. | 15:29 |
| frickler | maybe the switch to using pre-commit for pep8 did change this. stephenfin might know? | 15:37 |
| *** Unknown123 is now known as Mike-- | 17:43 | |
| mgariepy | master has also 80 char on the patch for these lines and it passes. did the check move away from 79char limit ? | 17:45 |
| *** Unknown123 is now known as Mike-- | 17:52 | |
| opendevreview | Ade Lee proposed openstack/keystone-specs master: spec: support caller-specified IDs for projects, users, and domains https://review.opendev.org/c/openstack/keystone-specs/+/990991 | 20:45 |
| opendevreview | Ade Lee proposed openstack/keystone-specs master: spec: support caller-specified IDs for projects, users, and domains https://review.opendev.org/c/openstack/keystone-specs/+/983440 | 20:51 |