Wednesday, 2026-06-24

04:24 *** ykarel_ is now known as ykarel
10:18 <opendevreview> Stephen Finucane proposed openstack/oslo.policy master: pre-commit: Bump versions  https://review.opendev.org/c/openstack/oslo.policy/+/994634
10:18 <opendevreview> Stephen Finucane proposed openstack/oslo.policy master: zuul: Use openstack-python3-next-jobs template  https://review.opendev.org/c/openstack/oslo.policy/+/994635
10:25 <opendevreview> Stephen Finucane proposed openstack/oslo.limit master: pre-commit: Bump versions  https://review.opendev.org/c/openstack/oslo.limit/+/994670
10:25 <opendevreview> Stephen Finucane proposed openstack/oslo.limit master: zuul: Use openstack-python3-next-jobs template  https://review.opendev.org/c/openstack/oslo.limit/+/994671
11:43 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: trivial: Declare attributes on _BaseAdapter  https://review.opendev.org/c/openstack/keystoneauth/+/994090
12:11 <opendevreview> Merged openstack/keystoneauth master: Remove get_oslo_config helper  https://review.opendev.org/c/openstack/keystoneauth/+/994488
12:11 <opendevreview> Merged openstack/keystoneauth master: pre-commit: Bump versions  https://review.opendev.org/c/openstack/keystoneauth/+/994471
12:11 <opendevreview> Merged openstack/keystoneauth master: zuul: Use openstack-python3-next-jobs template  https://review.opendev.org/c/openstack/keystoneauth/+/994472
12:28 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: Drop Python 3.10 support  https://review.opendev.org/c/openstack/keystoneauth/+/994694
12:30 <opendevreview> Grzegorz Grasza proposed openstack/keystone master: ec2: enforce timestamp presence in _check_timestamp  https://review.opendev.org/c/openstack/keystone/+/993907
12:55 <opendevreview> Stephen Finucane proposed openstack/keystoneauth master: typing: Use objects from typing  https://review.opendev.org/c/openstack/keystoneauth/+/994713
13:19 <opendevreview> Elod Illes proposed openstack/keystonemiddleware master: DNM: gate health test  https://review.opendev.org/c/openstack/keystonemiddleware/+/994718
13:21 <opendevreview> Elod Illes proposed openstack/python-keystoneclient master: DNM: gate health test  https://review.opendev.org/c/openstack/python-keystoneclient/+/994728
15:20 <d34dh0r53> #startmeeting keystone
15:20 <opendevmeet> Meeting started Wed Jun 24 15:20:20 2026 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:20 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:20 <opendevmeet> The meeting name has been set to 'keystone'
15:21 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:21 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:21 <d34dh0r53> #topic roll call
15:21 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:21 <bbobrov> o/
15:21 <d34dh0r53> sorry I'm late
15:21 <gtema> o/
15:22 <d34dh0r53> lots of PTO this week, so probably a light meeting
15:22 <d34dh0r53> #topic review past meeting work items
15:23 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-17-15.06.html
15:23 <d34dh0r53> no action items from last week to review
15:23 <d34dh0r53> #topic liaison updates
15:23 <d34dh0r53> nothing from me
15:23 <gtema> neither from me
15:24 <d34dh0r53> #topic specification Secure RBAC (dmendiza)
15:24 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:24 <d34dh0r53> 2026.1 Release Timeline
15:24 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:24 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:24 <d34dh0r53> Devstack still defaults to enforce_scope = False https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L120
15:24 <d34dh0r53> Patch to default to true: https://review.opendev.org/c/openstack/devstack/+/956210
15:24 <d34dh0r53> Fix config options in keystone-tempest-plugin https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930829
15:25 <bbobrov> I have a question about srbac.
15:25 <bbobrov> I have a pretty old deployment. I think it even predates system scope. In the deployment, bug 968696 is solved via a "superadmin" project.
15:25 <bbobrov> However now the whole openstack decided to take the concept of "admin" being a "cloud admin" role and "manager" being the "project master".
15:26 <bbobrov> I am wondering what my migration path now is.
15:26 <bbobrov> My first idea is to start giving out "manager" role to users, add it to policies, let it soak and then remove admin at some point.
15:27 <bbobrov> is it really it? Is there anything that i have missed? Some other recipe prepared somewhere else?
15:27 <d34dh0r53> That seems reasonable to me, but I am far from an expert on SRBAC, dmendiza would know more, but he's on PTO.
15:28 <gtema> in my eyes it is correct
15:28 <dmendiza[m]> 🙋‍♂️
15:28 <dmendiza[m]> Just so happened to be on my laptop signing some docs. 😄
15:28 <d34dh0r53> ohai dmendiza !
15:29 <dmendiza[m]> bbobrov: so, the main issue with admin anywhere is admin everywhere is that policies are not centrally managed.  Every project/service manages their own policies.
15:30 <dmendiza[m]> Even though keystone issues tokens that include scope information, not every project uses that in their policies
15:30 <dmendiza[m]> so, for a project that has not implemented scopes in their policies for whatever reason, a user that has the admin role on a project looks the same as a user that has the admin role on the system
15:31 <dmendiza[m]> The manager role was introduced so that project can opt-in to modify their policies to both check for scope and this new role to allow administrative tasks on a narrower scope
15:31 <dmendiza[m]> HOWEVER, I don't think any projects have actually adopted the manager role except for us (keystone)
15:32 <bbobrov> oh they did.
15:32 <dmendiza[m]> And we have only implemented the Domain Manager persona -- in other words, Keystone does allow some API access to users with a token that is scoped on a domain and has the manager role.
15:32 <bbobrov> nova, neutron and ironic have project manager.
15:33 <dmendiza[m]> So, I don't know the extent of the policy changes in other projects, so I can't recommend a migration path there.
15:33 <dmendiza[m]> For Keystone, you can grant "manager" on a specific domain.  Then that user can request a domain-scoped token to create users/projects/role assignments that are allowed as long as they are created on that specific project
15:34 <dmendiza[m]> A Domain Manager could create a user and a project within their domain, and then assign the manager role to that user on that project
15:35 <bbobrov> that all is with default policies, and default policies don't work for me, and it is fine for me to edit them heavily.
15:35 <dmendiza[m]> Yeah, I mean, you can make policies to do whatever you want, HOWEVER
15:35 <dmendiza[m]> Allowed scopes are hard-coded and can't be overwritten in a custom policy
15:35 <bbobrov> i am concerned about a situation when a new API endpoint gets added, gets a default rule "role:admin", and in my deployment admin is project-contained.
15:36 <dmendiza[m]> If you're only dealing with project-scoped things you should be fine.
15:36 <dmendiza[m]> Yeah, unfortunately, we were unable to get community buy-in on scoping admin :(
15:37 <bbobrov> ok. I guess i will just go with my plan and let you know how it went in a year or so.
15:37 <dmendiza[m]> Yeah, I would suggest modifying your custom policies to use Project Managers to avoid that
15:39 <bbobrov> i'm done, thanks.
15:39 <dmendiza[m]> you're welcome
15:39 * dmendiza[m] goes back to PTO
15:39 <d34dh0r53> cool, thanks dmendiza and bbobrov
15:40 <d34dh0r53> #topic specification Security Compliance Testing (dmendiza)
15:40 <d34dh0r53> #link https://review.opendev.org/c/openstack/devstack/+/957969
15:40 <dmendiza[m]> Doug's not here, man. 😛
15:40 <d34dh0r53> lol
15:40 <dmendiza[m]> Heh, no updates because PTO
15:41 <d34dh0r53> Enjoy the PTO :)
15:41 <d34dh0r53> next up
15:41 <dmendiza[m]> I'm moving, so no enjoyment to be had 😭
15:41 <d34dh0r53> #topic keystone-rs
15:41 <d34dh0r53> #link https://github.com/openstack-experimental/keystone
15:41 <d34dh0r53> indeed, all the best on the move
15:42 <gtema> I was fighting the compiler for quite a long time, or actually a compilation performance penalty caused by creating mocks for complex traits
15:42 <gtema> and since students are now actively adding code, the compilation got worse again
15:43 <gtema> but I was able to reduce compilation time of the central crate from 70s down to 15s, so now local development is again possible
15:43 <gtema> all of that distracted me from completing the switch of auth providers to the unified mapping engine
15:44 <gtema> but now I am back and completing the final (and the biggest) step of migrating the oidc/jwt flow to this new mapping engine
15:45 <gtema> one student actually even created a github action so we would have the possibility to test it much better in the CI, finally giving end users the possibility to interact with OpenStack from GitHub workflows easily. It was possible, but now is going to be even easier
15:46 <gtema> after I complete that I will move to the encryption layer for raft storage since that is a pre-requisite for implementing api-key based auth which is a prerequisite for SCIM
15:46 <gtema> summary - everything is moving, moving pretty fast
15:47 <gtema> students are great and the progress is great
15:47 <gtema> that's it for this week
15:49 <d34dh0r53> thanks gtema
15:49 <d34dh0r53> #topic open discussion
15:49 <gtema> I do not have topics
15:50 <d34dh0r53> neither do I
15:50 <d34dh0r53> #topic bug review
15:50 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:51 <d34dh0r53> two new bugs in keystone
15:51 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2157343
15:51 <gtema> lol
15:52 <d34dh0r53> uhh
15:52 <gtema> closed - invalid
15:52 <d34dh0r53> thanks, beat me to it
15:52 <d34dh0r53> next up
15:53 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2157958
15:54 <gtema> doubt it is also a "keystone" issue
15:54 <d34dh0r53> yeah
15:56 <d34dh0r53> I added Glance to the affected projects and saw your update
15:56 <d34dh0r53> moving on
15:56 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:56 <d34dh0r53> nothing new there
15:56 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:57 <d34dh0r53> nothing new in keystoneauth either
15:57 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:57 <d34dh0r53> keystonemiddleware is good
15:57 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:57 <d34dh0r53> pycadf has no new bugs
15:57 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:58 <d34dh0r53> ldappool is also clean
15:58 <d34dh0r53> #topic conclusion
15:58 <d34dh0r53> I'm on PTO for the next couple of weeks
15:58 <gtema> oh, ok
15:58 <gtema> enjoy it
15:59 <d34dh0r53> thanks!
15:59 <d34dh0r53> looking forward to it, heading to Southern California to see friends and family
16:00 <gtema> :)
16:00 <d34dh0r53> #endmeeting
16:00 <opendevmeet> Meeting ended Wed Jun 24 16:00:13 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:00 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-24-15.20.html
16:00 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-24-15.20.txt
16:00 <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-24-15.20.log.html
16:00 <gtema> thanks Dave Wilde (d34dh0r53)
16:26 <opendevreview> Artem Goncharov proposed openstack/keystone master: Fix nullable enabled column security vulnerabilities for user and project  https://review.opendev.org/c/openstack/keystone/+/993206
16:54 <opendevreview> Abhishek Kekane proposed openstack/oslo.limit master: Honor -1 as unlimited in enforce_limits  https://review.opendev.org/c/openstack/oslo.limit/+/994787
18:12 <opendevreview> Nicholas Kuechler proposed openstack/keystoneauth master: Exclude empty endpoint lists from get_endpoints result  https://review.opendev.org/c/openstack/keystoneauth/+/994802
19:39 <opendevreview> Merged openstack/oslo.policy master: pre-commit: Bump versions  https://review.opendev.org/c/openstack/oslo.policy/+/994634
19:56 <opendevreview> Merged openstack/oslo.limit master: pre-commit: Bump versions  https://review.opendev.org/c/openstack/oslo.limit/+/994670
20:12 <gmann> d34dh0r53: dmendiza[m] can either of you check these enforce_scope removal changes https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/993835  https://review.opendev.org/c/openstack/keystone/+/993829  https://review.opendev.org/c/openstack/keystone/+/993852/2
21:03 <opendevreview> Merged openstack/oslo.policy master: zuul: Use openstack-python3-next-jobs template  https://review.opendev.org/c/openstack/oslo.policy/+/994635
21:36 <opendevreview> Merged openstack/oslo.limit master: zuul: Use openstack-python3-next-jobs template  https://review.opendev.org/c/openstack/oslo.limit/+/994671
23:20 <opendevreview> Oria Weng proposed openstack/keystone master: Pre-commit: Add toml dependency for bandit  https://review.opendev.org/c/openstack/keystone/+/994833
23:24 <opendevreview> Oria Weng proposed openstack/keystone master: Remove `enabled` as a filter for endpoint groups  https://review.opendev.org/c/openstack/keystone/+/994834
