| nick | message | time |
|---|---|---|
| opendevreview | Lajos Katona proposed openstack/keystone master: LDAP: add new cfg option for pw expiry format https://review.opendev.org/c/openstack/keystone/+/976618 | 11:35 |
| croelandt | Hello! Glance PTL here. I'm currently trying to review https://review.opendev.org/c/openstack/glance/+/967371 . The proposed patch seems wrong to me (see my comments: wrong type for the options, wrong... name for the options), and I'm not sure about the overall approach. Is glance supposed to manually call register_opt() for Keystone options? I'd appreciate help in understanding how we're | 13:20 |
| croelandt | supposed to use Keystone here | 13:20 |
| gtema | hey croelandt. I would need to have a look after I finish my current task. Just wanted to point out that we had a significant change in the trust behavior due to a security issue and it is not possible to manage trusts with application credentials (and the other way around). You definitely need to be aware of it | 13:23 |
| croelandt | Is there a document/release note that summarizes the changes I could read? | 13:31 |
| gtema | croelandt https://review.opendev.org/c/openstack/keystone/+/990502 | 13:32 |
| gtema | ah, this is one change without rn, lemme find the ossa for it | 13:32 |
| gtema | https://security.openstack.org/ossa/OSSA-2026-015.html | 13:33 |
| gtema | damn, this is also way too short | 13:34 |
| gtema | https://review.opendev.org/c/openstack/keystone/+/990500 is better | 13:35 |
| croelandt | gtema: so all projects using "trust" have changes to push right now? | 14:02 |
| gtema | croelandt - not that all services need to make changes, but they need to be aware that trusts are a broken concept and should be avoided | 15:27 |
| croelandt | gtema: ok thanks I'll discuss that with the Glance team | 17:47 |
| croelandt | gtema: so moving forward, are you deprecating trusts? Thinking about removing them in a future release? | 17:47 |
| gtema | not now, it is just that they were considered a dirty workaround from the start (as the initial specs say) and we needed to cut functionality due to the architectural security vulnerabilities. People should just stop using them really. We still need a proper solution for that which does not seem to be possible without a big reimplementation that I am working on | 17:49 |
| croelandt | Any chance this becomes a PTG discussion in October? :) | 17:50 |
| gtema | the reimpl has been a PTG and wide discussion for a few years already (remember the mailing list discussion with keywords keystone and rust). I am not sure we are able to implement a good replacement for trusts in keystone v3 | 17:51 |
| croelandt | I see | 18:02 |
| croelandt | I'll try to keep an eye on it | 18:02 |
| croelandt | and ideally we'll just remove that in Glance | 18:02 |
| croelandt | but I have to catch up on the whole concept of trusts and why we needed them in the first place :D | 18:03 |
| gtema | correct - this is the main | 18:06 |
| opendevreview | Oria Weng proposed openstack/keystone master: Remove `enabled` as a filter for endpoint groups https://review.opendev.org/c/openstack/keystone/+/994834 | 18:45 |
| opendevreview | Merged openstack/oslo.limit master: Honor -1 as unlimited in enforce_limits https://review.opendev.org/c/openstack/oslo.limit/+/994787 | 18:46 |
| opendevreview | Oria Weng proposed openstack/keystone master: Pre-commit: Use bandit through ruff https://review.opendev.org/c/openstack/keystone/+/994833 | 19:00 |
| opendevreview | Oria Weng proposed openstack/keystone master: Pre-commit: Use bandit through ruff https://review.opendev.org/c/openstack/keystone/+/994833 | 21:55 |
| opendevreview | Oria Weng proposed openstack/keystone master: Pre-commit: Add toml dependency for bandit https://review.opendev.org/c/openstack/keystone/+/994833 | 22:03 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!