| opendevreview | Takashi Kajinami proposed openstack/keystone-tempest-plugin master: Use enforce_scope option from tempest https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930829 | 03:54 |
|---|---|---|
| opendevreview | Douglas Mendizábal proposed openstack/keystone master: DNM: Test keystone gates with enforce_scope enabled https://review.opendev.org/c/openstack/keystone/+/991276 | 04:23 |
| | *** ykarel__ is now known as ykarel | 04:46 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone stable/2025.2: Fix stable/2025.2 CI: nodeset, test skip, Keycloak audience mapper https://review.opendev.org/c/openstack/keystone/+/990618 | 08:48 |
| opendevreview | Merged openstack/keystone stable/2025.2: Fix stable/2025.2 CI: nodeset, test skip, Keycloak audience mapper https://review.opendev.org/c/openstack/keystone/+/990618 | 11:43 |
| d34dh0r53 | #starmeeting keystone | 15:04 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:05 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:05 |
| d34dh0r53 | #topic roll call | 15:06 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:06 |
| d34dh0r53 | dmendiza: o/ | 15:06 |
| dmendiza[m] | 🙋 | 15:06 |
| gtema | semi- o/ - am sick today | 15:06 |
| d34dh0r53 | feel better gtema :) | 15:07 |
| gtema | thks | 15:07 |
| d34dh0r53 | #topic review past meeting work items | 15:08 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-05-27-15.02.html | 15:08 |
| d34dh0r53 | no action items from last week | 15:08 |
| d34dh0r53 | #topic liaison updates | 15:08 |
| d34dh0r53 | nothing from me | 15:08 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza) | 15:09 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:09 |
| d34dh0r53 | 2026.1 Release Timeline | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:09 |
| | *** ralonsoh is now known as ralonsoh_ooo | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:09 |
| d34dh0r53 | Devstack still defaults to enforce_scope = False https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L120 | 15:09 |
| dmendiza[m] | Hey alright, actually did some work on this this week | 15:09 |
| d34dh0r53 | Patch to default to true: https://review.opendev.org/c/openstack/devstack/+/956210 | 15:09 |
| d34dh0r53 | Fix config options in keystone-tempest-plugin https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930829 | 15:09 |
| dmendiza[m] | Right, so we want devstack to stop turning off scope by default | 15:11 |
| dmendiza[m] | and that's what #956210 is about | 15:11 |
| dmendiza[m] | I had it as a WIP because I wanted to run the keystone gate first | 15:12 |
| dmendiza[m] | which I did here: | 15:12 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/991276 | 15:12 |
| dmendiza[m] | OIDC gate job failed, but I think it's unrelated | 15:13 |
| dmendiza[m] | and the pep8 failed because of the bogus change I put in, so I think we should be good to go to get that change merged into devstack | 15:13 |
| dmendiza[m] | I'll remove the WIP and maybe get gmaan to go bend some elbows | 15:14 |
| dmendiza[m] | Related to SRBAC, there is a cleanup patch to remove a redundant option from tempest | 15:14 |
| dmendiza[m] | That's what #930829 is about | 15:14 |
| dmendiza[m] | and I see Dave Wilde (d34dh0r53) +2'd so I'll get that merged after this | 15:15 |
| d34dh0r53 | Yeah, just looked at that one | 15:15 |
| dmendiza[m] | That's it for SRBAC this week | 15:15 |
| gmaan | dmendiza[m]: ack | 15:15 |
| d34dh0r53 | Thanks dmendiza | 15:16 |
| d34dh0r53 | #topic specification Security Compliance Testing (dmendiza) | 15:16 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:16 |
| dmendiza[m] | No updates on this one | 15:18 |
| d34dh0r53 | cool, thanks | 15:18 |
| d34dh0r53 | #topic keystone-rs | 15:18 |
| d34dh0r53 | #link https://github.com/openstack-experimental/keystone | 15:18 |
| gtema | I have finished work on the context. Now there is support for is_admin and "service" | 15:18 |
| d34dh0r53 | cool | 15:18 |
| gtema | with this and the admin interface over the unix socket I am now working on bootstrap | 15:18 |
| gtema | and bootstrap uses the normal API to provision entities | 15:18 |
| gtema | and the policy now has a real "is_admin" support without any tweaks - absolutely native | 15:19 |
| gtema | which is what is used now to bootstrap the keystone | 15:19 |
| gtema | both admin and service rely on spiffe for mtls | 15:19 |
| gtema | so internal interface and admin interface (over UDS) both support mTLS natively | 15:20 |
| gtema | the whole work is necessary to provide an easier way to run API tests with real keystone running. Till now the test is running in k8 with python and rust keystones together, but I work now exactly on adding bootstrap so that the API test can be started easily without dependencies | 15:21 |
| gtema | that's it this week | 15:21 |
| d34dh0r53 | cool, thanks gtema | 15:22 |
| d34dh0r53 | #topic open discussion | 15:22 |
| d34dh0r53 | There is one topic | 15:23 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/983993 | 15:23 |
| gtema | this is still the old one - should be deleted. I am looking into it and have some comments that I didn't finish posting yet | 15:23 |
| gtema | but I also have some other ideas how something similar could be achieved in a more natural way (or better to say future-proof) | 15:24 |
| d34dh0r53 | avk | 15:24 |
| d34dh0r53 | ack | 15:24 |
| d34dh0r53 | anything else for open discussion? | 15:25 |
| d34dh0r53 | cool, moving on | 15:26 |
| d34dh0r53 | #topic bug review | 15:26 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:26 |
| d34dh0r53 | There are a couple of new bugs in Keystone | 15:26 |
| d34dh0r53 | 3 actually | 15:27 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2154629 | 15:27 |
| d34dh0r53 | That looks like a pretty straightforward race condition and a fix in progress | 15:29 |
| d34dh0r53 | next up | 15:29 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2154666 | 15:29 |
| d34dh0r53 | Good catch, and there is a fix in progress | 15:30 |
| d34dh0r53 | next up | 15:30 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2154808 | 15:30 |
| d34dh0r53 | Also a good catch, with a fix in progress, thanks bbobrov | 15:30 |
| d34dh0r53 | that's it for Keystone, moving on | 15:31 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:31 |
| d34dh0r53 | nothing new here | 15:31 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:31 |
| d34dh0r53 | nothing new in keystoneauth either | 15:31 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:31 |
| d34dh0r53 | keystonemiddleware is good | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:32 |
| d34dh0r53 | no new pycadf bugs | 15:32 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:32 |
| d34dh0r53 | nor any new ldappool bugs | 15:32 |
| d34dh0r53 | #topic conclusion | 15:32 |
| d34dh0r53 | That's it from me, thanks all! | 15:33 |
| d34dh0r53 | #endmeeting | 15:33 |
| gtema | thks Dave Wilde (d34dh0r53) | 15:33 |
| opendevreview | Ade Lee proposed openstack/keystone-specs master: spec: Add soft delete for projects, users, and domains https://review.opendev.org/c/openstack/keystone-specs/+/991489 | 18:37 |