| opendevreview | Merged openstack/keystone master: Materialize limit backend queries in read sessions https://review.opendev.org/c/openstack/keystone/+/992974 | 07:10 |
|---|---|---|
| | *** benj_5 is now known as benj_ | 08:10 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Enforce domain scope for domain-targeted role grants https://review.opendev.org/c/openstack/keystone/+/993764 | 14:36 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Enforce domain scope for domain-targeted role grants https://review.opendev.org/c/openstack/keystone/+/993764 | 14:42 |
| dmendiza[m] | 🙋 | 15:03 |
| gtema | oh, where is Dave Wilde (d34dh0r53) | 15:05 |
| d34dh0r53 | o/ sorry, I'll get it started | 15:05 |
| d34dh0r53 | #startmeeting keystone | 15:06 |
| opendevmeet | Meeting started Wed Jun 17 15:06:31 2026 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:06 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:06 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:06 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:06 |
| xek | o/ | 15:06 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:06 |
| d34dh0r53 | #topic roll call | 15:07 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:07 |
| dmendiza[m] | 🙋 | 15:07 |
| gtema | o/ | 15:07 |
| d34dh0r53 | #topic review past meeting work items | 15:08 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-10-15.04.html | 15:08 |
| d34dh0r53 | nothing to review from last week | 15:08 |
| d34dh0r53 | #topic liaison updates | 15:08 |
| d34dh0r53 | nothing from me | 15:08 |
| gtema | neither from me | 15:08 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza) | 15:09 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:09 |
| d34dh0r53 | 2026.1 Release Timeline | 15:09 |
| dmendiza[m] | Yeah, so I updated the devstack patch, still waiting for reviews | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:09 |
| d34dh0r53 | Devstack still defaults to enforce_scope = False https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L120 | 15:10 |
| d34dh0r53 | Patch to default to true: https://review.opendev.org/c/openstack/devstack/+/956210 | 15:10 |
| d34dh0r53 | Fix config options in keystone-tempest-plugin https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930829 | 15:10 |
| d34dh0r53 | okay, so just need reviews on this devstack patch? | 15:11 |
| gmaan | I will check that today, I opened it but got distracted | 15:11 |
| dmendiza[m] | Yeah, after that we should be good for when oslo.policy removes the option | 15:11 |
| dmendiza[m] | Thanks gmaan | 15:11 |
| d34dh0r53 | Yeah, thanks gmaan | 15:12 |
| d34dh0r53 | #topic specification Security Compliance Testing (dmendiza) | 15:12 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:12 |
| dmendiza[m] | No updates on this one ... maybe I'll look at it during my PTO when I get bored. 😅 | 15:12 |
| d34dh0r53 | cool, thanks dmendiza | 15:12 |
| d34dh0r53 | #topic keystone-rs | 15:12 |
| d34dh0r53 | #link https://github.com/openstack-experimental/keystone | 15:12 |
| gtema | I am deep in implementing the universal mapping engine. Generally it is done and I am migrating the already implemented spiffe/k8s/oidc to it - bit of monkey job | 15:14 |
| gtema | wrote few ADRs for adding audit framework, adding hardcore encryption in the raft, adding rate limiting | 15:14 |
| gtema | and wondering about other funny things with nullable fields in the current database schema | 15:15 |
| gtema | like for access rules, which literally cannot exist without user the field is an index and still nullable | 15:15 |
| gtema | to report - students are pretty productive and I have such a huge PR velocity now in RS that I start thinking that in 3 months it will have had more progress than in the last 1.5 years | 15:16 |
| gtema | in my company we were trying today to rollout to stage, but stuck on ubuntu 22.04 issues and incredibly outdated podman not willing to start podman pods | 15:17 |
| gtema | so another "refinement" round | 15:18 |
| gtema | that's it this week | 15:18 |
| d34dh0r53 | cool, thank you gtema | 15:18 |
| d34dh0r53 | #topic open discussion | 15:19 |
| gtema | nothing from me this week | 15:19 |
| dmendiza[m] | Yeah | 15:19 |
| dmendiza[m] | Ade is out on PTO for a few weeks | 15:19 |
| dmendiza[m] | but he asked me to shepherd his specs | 15:19 |
| dmendiza[m] | I think we just need more reviews (mine included) | 15:20 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-specs/+/991489 | 15:20 |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-specs/+/983440 | 15:20 |
| gtema | oh man, I need to come back to it, I only went through like half of it raising comments | 15:20 |
| gtema | it's huge. And there are concerns about different areas (projects/domains/users). What if we split it into one for projects and one for users | 15:21 |
| gtema | maybe it will help to keep things more focused | 15:21 |
| bbobrov | I don't understand why all this is being done | 15:21 |
| bbobrov | it's like... poor man's db replication? | 15:21 |
| bbobrov | why not set up a proper db replication? | 15:22 |
| gtema | because many operators have complex IAM systems to cope with keystone limitations and they need to be able to inject IDs managed outside | 15:22 |
| d34dh0r53 | Yeah, we have very very large deployments asking for this at RH | 15:25 |
| d34dh0r53 | nothing else for open discussion? | 15:26 |
| andrewbogott__ | This is bordering on user support, but I have a question about the recent fixes for cve-2026-43001: they seem to have broken my workflow for creating a magnum cluster via opentofu (which uses application credentials to create a cluster which in turn creates a trust.) Does that seem possible? | 15:26 |
| andrewbogott__ | "You are not authorized to perform the requested action: Using method 'application_credential' is not allowed for managing trusts" <- new since upgrading to the latest point release of flamingo | 15:26 |
| gtema | we introduced a backup option to make it possible, which is off by default | 15:26 |
| andrewbogott__ | ooh! How do I enable that? | 15:27 |
| andrewbogott__ | (now this /really/ is user support :( ) | 15:27 |
| gtema | look for 2 new options in the security compliance section: allow_insecure_.... | 15:28 |
| gtema | for you I think it was allow_insecure_application_credential_trust_escalation | 15:28 |
| andrewbogott__ | ok, I'll look. Is that going to make it into the magnum release notes in the future or should I open a task/write a patch for that? | 15:28 |
| gtema | the point is that in general other systems should stop using trusts | 15:29 |
| gtema | but there is no good replacement in the current architecture | 15:29 |
| gtema | and it requires strategic rethinking of what I do in keystone-rs | 15:29 |
| | * andrewbogott__ nods | 15:30 |
| andrewbogott__ | ok, I will hack around it for now and keep an eye out for radically different delegation models in the future | 15:30 |
| andrewbogott__ | thank you for your work! | 15:30 |
| gtema | wlcm | 15:31 |
| d34dh0r53 | cool, moving on to bug review if there isn't anything else | 15:32 |
| d34dh0r53 | #topic bug review | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:33 |
| d34dh0r53 | One new bug | 15:33 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2156873 | 15:33 |
| d34dh0r53 | looks like a documentation bug and low hanging fruit | 15:34 |
| d34dh0r53 | next up | 15:34 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:34 |
| d34dh0r53 | no new bugs in python-keystoneclient | 15:34 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:35 |
| d34dh0r53 | We have a bug that just landed a few minutes ago in keystoneauth | 15:35 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bug/2157013 | 15:35 |
| d34dh0r53 | This looks more like an RFE than a bug | 15:36 |
| bbobrov | yeah, but everything explodes if 429 is returned. | 15:36 |
| d34dh0r53 | that's fair | 15:36 |
| d34dh0r53 | setting it to Confirmed/Medium | 15:38 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:38 |
| d34dh0r53 | nothing new in keystonemiddleware | 15:38 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:39 |
| d34dh0r53 | pycadf is good | 15:39 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:39 |
| d34dh0r53 | so is ldappool | 15:39 |
| d34dh0r53 | #topic conclusion | 15:39 |
| d34dh0r53 | Nothing else from me, thanks folks! | 15:39 |
| d34dh0r53 | #endmeeting | 15:41 |
| opendevmeet | Meeting ended Wed Jun 17 15:41:43 2026 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:41 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-17-15.06.html | 15:41 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-17-15.06.txt | 15:41 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-17-15.06.log.html | 15:41 |
| gtema | thanks Dave Wilde (d34dh0r53) | 15:45 |
| opendevreview | Ghanshyam Maan proposed openstack/keystone master: Remove setting of oslo_policy[enforce_scope] flag https://review.opendev.org/c/openstack/keystone/+/993829 | 19:54 |
| opendevreview | Ghanshyam Maan proposed openstack/keystone-tempest-plugin master: Use the new variable to enable the RBAC new defaults https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/993835 | 20:22 |
| opendevreview | Merged openstack/keystone stable/2025.1: Fix project policy allowing unauthorized access to root domains https://review.opendev.org/c/openstack/keystone/+/990615 | 21:20 |
| opendevreview | Ghanshyam Maan proposed openstack/keystone master: Remove testing the oslo_policy[enforce_scope]=False https://review.opendev.org/c/openstack/keystone/+/993852 | 21:42 |