Wednesday, 2026-07-08

fricklerkeekz: commented on the bug report, please add some more info about your real issue11:02
dmendiza[m]🙋‍♂️15:01
gtemaIs Dave Wilde (d34dh0r53) still PTO?15:02
dmendiza[m]Yep15:02
dmendiza[m]I think he's back tomorrow15:02
gtemaOkay15:02
gtemaDamn VPN broke my matrix connection. From mobile making meeting is insane15:04
dmendiza[m]womp womp15:04
dmendiza[m]I can chair 15:04
dmendiza[m]#startmeeting keystone15:05
opendevmeetMeeting started Wed Jul  8 15:05:00 2026 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.15:05
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:05
opendevmeetThe meeting name has been set to 'keystone'15:05
dmendiza[m]Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct15:05
dmendiza[m]#link https://openinfra.dev/legal/code-of-conduct15:05
dmendiza[m]#topic Roll Call15:06
gtemao/15:06
xeko/15:06
dmendiza[m]Pings for the people: admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra15:06
cardoeo/15:06
dmendiza[m]OK, let's get started15:07
dmendiza[m]#topic review past meeting work items15:07
dmendiza[m]#link 15:07
dmendiza[m]#link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-06-24-15.20.html15:07
dmendiza[m]Looks like there were none15:07
dmendiza[m]moving on 15:07
dmendiza[m]#topic liaison updates15:08
gtemano updates from my side, but I am not sure our gates are healty15:08
dmendiza[m]Hmm... nothing obvious at a glance on the gates15:11
dmendiza[m]Stay tuned, I guess ... 😅15:11
gtemasome changes show weird repeated failures on federation jobs15:12
gtemabut yeah - stay tuned. If not yet then in few days15:12
dmendiza[m]OK, moving on to the agenda topics15:13
dmendiza[m]#topic Secure RBAC15:13
dmendiza[m]let me see if there's been any movement on my patches ...15:13
dmendiza[m]#link https://review.opendev.org/c/openstack/devstack/+/95621015:14
dmendiza[m]The patch for devstack to default to using SRBAC merged15:14
dmendiza[m]Config options patch still needs review:15:15
dmendiza[m]#link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/93082915:15
dmendiza[m]I can probably take a look at that one15:15
dmendiza[m]I think we should be good to go for when oslo.policy removes the enforce_scope option.15:15
gmaanthis is whole set of changes keystone needs ohterwise gate will be broken once oslo.release new version will be in uc15:16
gmaan#link https://review.opendev.org/q/hashtag:%22remove-enforce-scope-flag%22+AND+hashtag:%22keystone%22+(status:open+OR+status:merged)15:16
gmaanits been waiting for review for long time15:16
dmendiza[m]ack, we should add those to the agenda15:17
dmendiza[m]I'll take a look but probably not until Friday15:17
dmendiza[m]OK, moving on ...15:18
gmaanoslo.policy change is merged and release change is up. once it is in constraints, i think it will break keystone15:18
gmaananyways, we know what fix to merge when it will start failing, maybe today or tomorrow.15:20
dmendiza[m]ack, will keep an eye out 👁️15:22
dmendiza[m]#topic Security Compliance Testing15:22
dmendiza[m]no progress on this, sorry y'all 😅15:22
dmendiza[m]#topic keystone-rs gtema 15:22
gtemaoh, and I had a lot of progress:15:23
gtemaI landed audit support which is now on 2 layers: http layer and provider layer emiting audit data. The audit entries themselves are signed with the key to eliminate tampering15:24
gtemathey are not sent to rabbitMQ so far, or actually only saved as jsonl files now, but this can be extended when hands are free15:25
gtema- finished envelope encryption of the raft storage. The KEK can be now retrieved from HSM (pkcs#11) or TPM15:25
gtema- finished with api-key auth for SCIM15:26
gtema- nearly finished with the scim implementation (where found another "great" things about keystone)15:26
gtema- in progress with adding WASM auth plugins15:26
gtema- completed credentials support15:27
gtemanow only thinking and trying to align with the functional changes we are now having around vulnerabilities in that area15:27
dmendiza[m]nice15:28
gtemaah, last but not least: finished the unified mapping engine which now covers federation, spiffe, oauth, etc15:28
gtemaand have now ADR to make keystone an oauth2 OP15:28
gtema#link https://github.com/openstack-experimental/keystone/blob/main/doc/src/adr/0026-oauth2-oidc-provider.md15:28
gtemareviews welcome15:28
gtemathat's it for now15:29
dmendiza[m]thanks, gtema 15:29
dmendiza[m]OK, moving on 15:29
dmendiza[m]#topic Ade's specs15:29
dmendiza[m]I'm shepherding these while Ade is out on PTO15:29
dmendiza[m]#link https://review.opendev.org/c/openstack/keystone-specs/+/98344015:29
dmendiza[m]Currently looking into bbobrov 's comments -- I must admit federation is a weak spot for me, so I'm spinning up on some of it so I can better understand the concerns15:30
dmendiza[m]#link https://review.opendev.org/c/openstack/keystone-specs/+/991489 15:31
dmendiza[m]Is the other one15:31
gtemaI still think we should split the spec into 2 parts: for projects and one for users15:31
dmendiza[m]reviews requested/appreciated15:31
dmendiza[m]gtema: hmm... I could do that if it'll help get more traction15:32
gtemaI think it just have too many "conflicting" comments making it hard to get a full picture15:33
dmendiza[m]k, i'll work on getting those separated and try to address some of the comments on the new drafts15:36
dmendiza[m]that's it for Ade's specs15:37
dmendiza[m]moving on 15:37
dmendiza[m]#topic Open Discussion15:37
dmendiza[m]anyone want to talk about something not on the agenda?15:37
gtemaa short side question related to scim15:38
gtemain scim there are userName and displayName which is already an interesting point - which one do we use15:38
gtemabut the more interesting issue is that implementing SCIM I can only provision nonlocal users and not the federated one, because, you know, the user can login using any federation protocol15:39
gtemathat means that potentially some users can be federated (when they logged in before the scim run) and some are nonlocal15:40
gtemawhich is a mess15:40
gtemaI managed to find a working approach here, but it is still a mess. And the fact that in scim you have userName and displayName makes it not better15:40
gtemaso does anyone have thoughts on this?15:41
dmendiza[m]I don't know enough SCIM to make educated comments, but my uneducated comment would be to use userName.  Given the name, I would assume that  displayName is to be used for UI display purposes and subject to change15:43
gtemayeah, now I am saving displayName in user extras, so that it stays, but depending on the mapping configuration it may flip when user logs in through federation where the displayName is used instead15:44
gtemathe "conflict" is that in the federation table we explicitly have column "display_name" while everywhere else it is like a user_name15:45
gtemaok, we do not need to spend much time on this. It just repeats some new features require bigger rethinking than simply adding few columns to the table15:46
dmendiza[m]right on 15:48
dmendiza[m]OK, moving on to bug review15:48
dmendiza[m]#topic Bug Review15:48
dmendiza[m]No new bugs in keystone15:48
dmendiza[m]#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:49
dmendiza[m]No new bugs in python-keystoneclient15:49
dmendiza[m]#link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=015:49
dmendiza[m]No new bugs in keystoneauth15:50
dmendiza[m]#link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=015:50
dmendiza[m]Nothing in keystonemiddleware either:15:50
dmendiza[m]#link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=015:51
dmendiza[m]Nothing new in pycadf either15:51
dmendiza[m]#link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=015:51
dmendiza[m]Nothing in ldappool either:15:52
dmendiza[m]#link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=015:52
dmendiza[m]That's it for this week, thanks for joining15:52
dmendiza[m]#endmeeting15:52
opendevmeetMeeting ended Wed Jul  8 15:52:26 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:52
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-08-15.05.html15:52
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-08-15.05.txt15:52
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-08-15.05.log.html15:52
gtemathanks dmendiza for taking over 15:52
keekzi had opened a bug: https://bugs.launchpad.net/keystoneauth/+bug/2158143 that turns out to be user error. how do i close the bug?17:14
gtemaset status to invalid if you can, otherwise I do it17:14
keekzi cannot17:15
keekzerr, maybe it did let me change status17:15
gtemapost comment describing something so that it doesn't look like I just close it without a reason17:16
gtemayeah - it did17:16
gmaangtema: dmendiza[m] d34dh0r53 it seems keystone gate is blocked, keystone-protection-functional job is failing 100% https://zuul.opendev.org/t/openstack/builds?job_name=keystone-protection-functional&skip=019:03
gtemagmaan Lol, I was just saying today I have a feeling gate is broken, but different job. Will look my tomorrow if nobody looks before20:03
gmaan:) thanks20:42

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!