| opendevreview | Douglas Mendizábal proposed openstack/keystone-specs master: spec: Explicit IDs for projects, users, domains https://review.opendev.org/c/openstack/keystone-specs/+/997320 | 02:46 |
|---|---|---|
| *** ykarel_ is now known as ykarel | 09:13 | |
| opendevreview | Artem Goncharov proposed openstack/keystone master: Ban ec2credential tokens from Keystone API https://review.opendev.org/c/openstack/keystone/+/997369 | 11:17 |
| opendevreview | Artem Goncharov proposed openstack/keystone master: Invalidate assignment cache on modify operations https://review.opendev.org/c/openstack/keystone/+/997392 | 12:53 |
| opendevreview | Douglas Mendizábal proposed openstack/keystone-specs master: spec: Explicit IDs for projects and domains https://review.opendev.org/c/openstack/keystone-specs/+/997320 | 13:24 |
| opendevreview | Mauricio Harley proposed openstack/python-keystoneclient master: Remove legacy CMS module https://review.opendev.org/c/openstack/python-keystoneclient/+/997044 | 13:35 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Fix token chain revocation and add user-scoped revocation API https://review.opendev.org/c/openstack/keystone/+/997402 | 14:29 |
| opendevreview | Merged openstack/keystone master: Avoid refetching credentials in list API https://review.opendev.org/c/openstack/keystone/+/996623 | 14:57 |
| d34dh0r53 | #startmeeting keystone | 15:02 |
| opendevmeet | Meeting started Wed Jul 15 15:02:20 2026 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:02 |
| d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:03 |
| d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:03 |
| d34dh0r53 | #topic roll call | 15:03 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra | 15:03 |
| gtema | o/ | 15:03 |
| d34dh0r53 | forgot the bespoke dmendiza ping :) | 15:05 |
| gtema | xek was also around | 15:06 |
| d34dh0r53 | ack | 15:07 |
| d34dh0r53 | let's get started | 15:07 |
| d34dh0r53 | #topic review past meeting work items | 15:08 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-08-15.05.html | 15:08 |
| d34dh0r53 | no action items from last week | 15:08 |
| d34dh0r53 | #topic liaison updates | 15:08 |
| d34dh0r53 | nothing from me | 15:08 |
| dmendiza[m] | 🙋 | 15:08 |
| gtema | nothing from me either | 15:09 |
| d34dh0r53 | cool | 15:09 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza) | 15:09 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:09 |
| d34dh0r53 | 2026.1 Release Timeline | 15:10 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:10 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:10 |
| d34dh0r53 | Devstack still defaults to enforce_scope = False https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L120 | 15:10 |
| d34dh0r53 | Patch to default to true: https://review.opendev.org/c/openstack/devstack/+/956210 | 15:10 |
| d34dh0r53 | Fix config options in keystone-tempest-plugin https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930829 | 15:10 |
| dmendiza[m] | A couple of those already merged | 15:10 |
| dmendiza[m] | Iirc, the change in oslo policy merged and the gate is broken? 🤔 | 15:11 |
| d34dh0r53 | different from yesterdays breakage? | 15:12 |
| gtema | the gate was broken due to other issues that were stacked on top of each other | 15:12 |
| gtema | 2 landed. Hopefully the last one is https://review.opendev.org/c/openstack/keystone/+/997392 | 15:12 |
| d34dh0r53 | cool | 15:13 |
| d34dh0r53 | next up | 15:13 |
| d34dh0r53 | #topic specification Secuirty Compliance Testing (dmendiza) | 15:13 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/devstack/+/957969 | 15:14 |
| d34dh0r53 | anything on this one dmendiza ? | 15:15 |
| dmendiza[m] | Nope | 15:16 |
| d34dh0r53 | ack | 15:16 |
| d34dh0r53 | #topic keystone-rs | 15:17 |
| d34dh0r53 | #link https://github.com/openstack-experimental/keystone | 15:17 |
| gtema | as I mentioned last week the SCIM is now ready. I was thinking about good compliance testing, but it seems not to be possilbe in CI since major compat testers require scim server to be available through internet. So I stick to the normal interpretation of the RFC | 15:19 |
| gtema | at the moment I am finishing implementing oauth2 OP role - huge thing | 15:19 |
| gtema | now polishing sharp angles, improving test coverage and docs | 15:19 |
| d34dh0r53 | very cool | 15:20 |
| gtema | not so much progress since was very busy with those ugly races in python keystone | 15:20 |
| gtema | yeah, I like it also | 15:20 |
| gtema | the ADR proposes the draft for the keystonemiddleware to switch to the proper oauth2 tokens (built over the current jws), so there is a strategy how to deploy keystone-rs in parallel to python with fernets, gradually switch to jwt and at the end completely switch over to rust with only jwt | 15:22 |
| gtema | that's it this week | 15:22 |
| d34dh0r53 | okay, thanks gtema | 15:22 |
| d34dh0r53 | #topic open discussion | 15:23 |
| dmendiza[m] | Yeah, I need to ass Ade's specs to the recurring agenda | 15:23 |
| dmendiza[m] | I did start splitting the UUID spec | 15:23 |
| dmendiza[m] | The project and domain spec is here: | 15:24 |
| * d34dh0r53 starts thinking about Ace Ventura | 15:24 | |
| dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-specs/+/997320 | 15:24 |
| gtema | lol | 15:24 |
| dmendiza[m] | I did change a few things | 15:25 |
| d34dh0r53 | okay | 15:25 |
| d34dh0r53 | I'm adding it to the agenda now | 15:25 |
| dmendiza[m] | I did not like that the previos version added a separate RBAC rule. So I changed that to just update the existing rule. | 15:25 |
| gtema | damn, it's half of the function of the original spec and still 1000+ lines | 15:27 |
| dmendiza[m] | Yeah, it's a bit of a slog to get through all the extra stuff the AI model added. | 15:28 |
| gtema | switch to sonnet 5 and ask it to reduce it ;-) | 15:28 |
| dmendiza[m] | Haha | 15:28 |
| gtema | let the AI process itself | 15:29 |
| d34dh0r53 | lol | 15:29 |
| d34dh0r53 | anything else for open discussion? | 15:31 |
| gtema | not from me | 15:31 |
| cardoe | I'm just interested in the project_id creation spec making it. | 15:31 |
| cardoe | So if the author isn't updating it, I was gonna take a swag at some point. | 15:32 |
| dmendiza[m] | cardoe excellent, please review it as you have time. | 15:32 |
| d34dh0r53 | sweet | 15:32 |
| cardoe | dmendiza[m]: is https://review.opendev.org/c/openstack/keystone-specs/+/997320 your replacement for the other person's? | 15:33 |
| dmendiza[m] | Yeah, Ade is on a long PTO, but I'm shepherding this one and the soft delete specs while he's out. | 15:33 |
| cardoe | We've just had cases where a project gets deleted and not all the resources got cleaned up... (thanks rally) and we need to add it back just to clean up. | 15:33 |
| dmendiza[m] | cardoe: yes, we're splitting the original into two. This one is half. The other half will be for Users | 15:33 |
| cardoe | sounds good. I'll have to re-read and get caught up. | 15:34 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Deprecate allow_rescope_scoped_token and default to False https://review.opendev.org/c/openstack/keystone/+/997418 | 15:34 |
| dmendiza[m] | You might be interested in the soft delete spec for that use case | 15:34 |
| cardoe | neck deep in a neutron policy/rbac bug atm. | 15:34 |
| cardoe | Yeah it sounds like we would be. | 15:35 |
| cardoe | We're also interested in furthering the system scope tokens. | 15:35 |
| cardoe | but that's another topic entirely. | 15:35 |
| d34dh0r53 | What's your timeframe for that cardoe ? | 15:35 |
| cardoe | uhh yes | 15:36 |
| cardoe | :) | 15:36 |
| d34dh0r53 | lol | 15:36 |
| d34dh0r53 | industry standard :) | 15:36 |
| cardoe | So gmann posted something on the ML that I believe I followed up on for openstack exporter | 15:36 |
| cardoe | I've also had round and round convos with neutron folks about some of this | 15:37 |
| gtema | with keystone-rs system scope becomes a proper thing on it's own :-) | 15:37 |
| cardoe | There's resources that are "global" in deployment scope... like VNI / VLAN ranges. | 15:37 |
| gtema | wrt ML - I raised my hand to be working also on some of the neutron/nova stuff but had 0 time yet | 15:37 |
| cardoe | it makes no sense that ANY project admin can configure those. | 15:37 |
| cardoe | gtema: unfortunately it'll require the participation of the various projects themselves. | 15:38 |
| gtema | indeed, I know | 15:38 |
| cardoe | The way I see it is like Kubernetes's resources. You've got Cluster and Namespaced resources. | 15:38 |
| gtema | that's also why I thought I will focus on building a good foundation for that in keystone-rs so that we can implement other services properly, and not as a usual "workaround" way | 15:39 |
| cardoe | Yeah that sounds good. | 15:39 |
| cardoe | I'd love to work with you folks on this stuff. | 15:39 |
| gtema | then just do it, I was calling you already for early feedback :-) | 15:40 |
| d34dh0r53 | Should we have a mid-cycle to discuss this virtually? | 15:40 |
| cardoe | Just wanted to share what's on my backlog. Unfortunately $ETIME is my life. | 15:40 |
| cardoe | gtema: feel free to ping me and call me out and I'll jump on it. | 15:40 |
| gtema | Dave Wilde (d34dh0r53) - good idea, why not | 15:41 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Fix token chain revocation and add user-scoped revocation API https://review.opendev.org/c/openstack/keystone/+/997402 | 15:41 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Deprecate allow_rescope_scoped_token and default to False https://review.opendev.org/c/openstack/keystone/+/997418 | 15:41 |
| d34dh0r53 | Okay, I'll try to get something on the calendar | 15:42 |
| d34dh0r53 | #action dwilde plan mid-cycle keystone virtual meetup | 15:42 |
| gtema | cardoe - ack. I will finish implementation of the oauth2 OP with docs and will go back to prototyping the keystonemiddleware so that we can have a base for discussion | 15:42 |
| cardoe | I'm happy to write up something about our use cases or what we're interested and why. Maybe that would help? | 15:42 |
| gtema | definitely | 15:43 |
| d34dh0r53 | cool! | 15:44 |
| cardoe | right now we use 3 keystoneauth plugins and they're all out of tree | 15:44 |
| gtema | btw: in keystone-rs I added the WASM auth plugins support | 15:45 |
| cardoe | I believe opendev / zuul is pip installing one of our plugins | 15:45 |
| cardoe | anyway, don't let me derail too much and keep ya | 15:46 |
| d34dh0r53 | cool, moving on the bug review for the sake of time. I'll work on a poll to figure out the best meeting time(s) | 15:47 |
| d34dh0r53 | #topic bug review | 15:47 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:47 |
| d34dh0r53 | nothing new in keystone | 15:47 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:47 |
| d34dh0r53 | python-keystoneclient has no new bugs | 15:47 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:47 |
| d34dh0r53 | keystoneauth is good | 15:48 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:48 |
| d34dh0r53 | so is keystonemiddleware | 15:48 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:48 |
| d34dh0r53 | nothing new in pycadf | 15:48 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:48 |
| d34dh0r53 | nor ldappool | 15:48 |
| d34dh0r53 | #topic conclusion | 15:48 |
| d34dh0r53 | thanks folks, great discussion today | 15:48 |
| gtema | thanks guys | 15:49 |
| d34dh0r53 | #endmeeting | 15:50 |
| opendevmeet | Meeting ended Wed Jul 15 15:50:01 2026 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:50 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-15-15.02.html | 15:50 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-15-15.02.txt | 15:50 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-15-15.02.log.html | 15:50 |
| opendevreview | Ghanshyam Maan proposed openstack/keystone master: Remove setting of oslo_policy[enforce_scope] flag https://review.opendev.org/c/openstack/keystone/+/993829 | 16:18 |
| opendevreview | Merged openstack/keystone master: Invalidate assignment cache on modify operations https://review.opendev.org/c/openstack/keystone/+/997392 | 18:38 |
| gmaan | gtema: can you re-add your +2 on this, i need to rebase on top of your gate fix https://review.opendev.org/c/openstack/keystone/+/993829 | 19:31 |
| opendevreview | Ghanshyam Maan proposed openstack/keystone master: Remove testing the oslo_policy[enforce_scope]=False https://review.opendev.org/c/openstack/keystone/+/993852 | 19:32 |
| gmaan | gtema: and +w here https://review.opendev.org/c/openstack/keystone/+/993852 | 19:32 |
| opendevreview | Merged openstack/keystone master: Remove setting of oslo_policy[enforce_scope] flag https://review.opendev.org/c/openstack/keystone/+/993829 | 21:34 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!