Wednesday, 2026-07-15

opendevreviewDouglas Mendizábal proposed openstack/keystone-specs master: spec: Explicit IDs for projects, users, domains  https://review.opendev.org/c/openstack/keystone-specs/+/99732002:46
*** ykarel_ is now known as ykarel09:13
opendevreviewArtem Goncharov proposed openstack/keystone master: Ban ec2credential tokens from Keystone API  https://review.opendev.org/c/openstack/keystone/+/99736911:17
opendevreviewArtem Goncharov proposed openstack/keystone master: Invalidate assignment cache on modify operations  https://review.opendev.org/c/openstack/keystone/+/99739212:53
opendevreviewDouglas Mendizábal proposed openstack/keystone-specs master: spec: Explicit IDs for projects and domains  https://review.opendev.org/c/openstack/keystone-specs/+/99732013:24
opendevreviewMauricio Harley proposed openstack/python-keystoneclient master: Remove legacy CMS module  https://review.opendev.org/c/openstack/python-keystoneclient/+/99704413:35
opendevreviewGrzegorz Grasza proposed openstack/keystone master: Fix token chain revocation and add user-scoped revocation API  https://review.opendev.org/c/openstack/keystone/+/99740214:29
opendevreviewMerged openstack/keystone master: Avoid refetching credentials in list API  https://review.opendev.org/c/openstack/keystone/+/99662314:57
d34dh0r53#startmeeting keystone15:02
opendevmeetMeeting started Wed Jul 15 15:02:20 2026 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.15:02
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:02
opendevmeetThe meeting name has been set to 'keystone'15:02
d34dh0r53Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct15:03
d34dh0r53#link https://openinfra.dev/legal/code-of-conduct15:03
d34dh0r53#topic roll call15:03
d34dh0r53admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra15:03
gtemao/15:03
d34dh0r53forgot the bespoke dmendiza ping :)15:05
gtemaxek was also around15:06
d34dh0r53ack15:07
d34dh0r53let's get started15:07
d34dh0r53#topic review past meeting work items15:08
d34dh0r53#link https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-08-15.05.html15:08
d34dh0r53no action items from last week15:08
d34dh0r53#topic liaison updates15:08
d34dh0r53nothing from me15:08
dmendiza[m]🙋 15:08
gtemanothing from me either15:09
d34dh0r53cool15:09
d34dh0r53#topic specification Secure RBAC (dmendiza)15:09
d34dh0r53#link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_15:09
d34dh0r532026.1 Release Timeline15:10
d34dh0r53Update oslo.policy in keystone to enforce_new_defaults=True15:10
d34dh0r53Update oslo.policy in keystone to enforce_scope=True15:10
d34dh0r53Devstack still defaults to enforce_scope = False https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L12015:10
d34dh0r53Patch to default to true: https://review.opendev.org/c/openstack/devstack/+/95621015:10
d34dh0r53Fix config options in keystone-tempest-plugin https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/93082915:10
dmendiza[m]A couple of those already merged 15:10
dmendiza[m]Iirc, the change in oslo policy merged and the gate is broken? 🤔 15:11
d34dh0r53different from yesterdays breakage?15:12
gtemathe gate was broken due to other issues that were stacked on top of each other15:12
gtema2 landed. Hopefully the last one is https://review.opendev.org/c/openstack/keystone/+/99739215:12
d34dh0r53cool15:13
d34dh0r53next up15:13
d34dh0r53#topic specification Secuirty Compliance Testing (dmendiza)15:13
d34dh0r53#link https://review.opendev.org/c/openstack/devstack/+/95796915:14
d34dh0r53anything on this one dmendiza ?15:15
dmendiza[m]Nope 15:16
d34dh0r53ack15:16
d34dh0r53#topic keystone-rs15:17
d34dh0r53#link https://github.com/openstack-experimental/keystone15:17
gtemaas I mentioned last week the SCIM is now ready. I was thinking about good compliance testing, but it seems not to be possilbe in CI since major compat testers require scim server to be available through internet. So I stick to the normal interpretation of the RFC15:19
gtemaat the moment I am finishing implementing oauth2 OP role - huge thing15:19
gtemanow polishing sharp angles, improving test coverage and docs15:19
d34dh0r53very cool15:20
gtemanot so much progress since was very busy with those ugly races in python keystone15:20
gtemayeah, I like it also15:20
gtemathe ADR proposes the draft for the keystonemiddleware to switch to the proper oauth2 tokens (built over the current jws), so there is a strategy how to deploy keystone-rs in parallel to python with fernets, gradually switch to jwt and at the end completely switch over to rust with only jwt15:22
gtemathat's it this week15:22
d34dh0r53okay, thanks gtema 15:22
d34dh0r53#topic open discussion15:23
dmendiza[m]Yeah, I need to ass Ade's specs to the recurring agenda15:23
dmendiza[m]I did start splitting the UUID spec15:23
dmendiza[m]The project and domain spec is here:15:24
* d34dh0r53 starts thinking about Ace Ventura15:24
dmendiza[m]#link https://review.opendev.org/c/openstack/keystone-specs/+/99732015:24
gtemalol15:24
dmendiza[m]I did change a few things 15:25
d34dh0r53okay15:25
d34dh0r53I'm adding it to the agenda now15:25
dmendiza[m]I did not like that the previos version added a separate RBAC rule. So I changed that to just update the existing rule. 15:25
gtemadamn, it's half of the function of the original spec and still 1000+ lines15:27
dmendiza[m]Yeah, it's a bit of a slog to get through all the extra stuff the AI model added. 15:28
gtemaswitch to sonnet 5 and ask it to reduce it ;-)15:28
dmendiza[m]Haha15:28
gtemalet the AI process itself15:29
d34dh0r53lol15:29
d34dh0r53anything else for open discussion?15:31
gtemanot from me15:31
cardoeI'm just interested in the project_id creation spec making it.15:31
cardoeSo if the author isn't updating it, I was gonna take a swag at some point.15:32
dmendiza[m]cardoe excellent, please review it as you have time. 15:32
d34dh0r53sweet15:32
cardoedmendiza[m]: is https://review.opendev.org/c/openstack/keystone-specs/+/997320 your replacement for the other person's?15:33
dmendiza[m]Yeah, Ade is on a long PTO, but I'm shepherding this one and the soft delete specs while he's out. 15:33
cardoeWe've just had cases where a project gets deleted and not all the resources got cleaned up... (thanks rally) and we need to add it back just to clean up.15:33
dmendiza[m]cardoe: yes, we're splitting the original into two. This one is half. The other half will be for Users 15:33
cardoesounds good. I'll have to re-read and get caught up.15:34
opendevreviewGrzegorz Grasza proposed openstack/keystone master: Deprecate allow_rescope_scoped_token and default to False  https://review.opendev.org/c/openstack/keystone/+/99741815:34
dmendiza[m]You might be interested in the soft delete spec for that use case 15:34
cardoeneck deep in a neutron policy/rbac bug atm.15:34
cardoeYeah it sounds like we would be.15:35
cardoeWe're also interested in furthering the system scope tokens.15:35
cardoebut that's another topic entirely.15:35
d34dh0r53What's your timeframe for that cardoe ?15:35
cardoeuhh yes15:36
cardoe:)15:36
d34dh0r53lol15:36
d34dh0r53industry standard :)15:36
cardoeSo gmann posted something on the ML that I believe I followed up on for openstack exporter15:36
cardoeI've also had round and round convos with neutron folks about some of this15:37
gtemawith keystone-rs system scope becomes a proper thing on it's own :-)15:37
cardoeThere's resources that are "global" in deployment scope... like VNI / VLAN ranges.15:37
gtemawrt ML - I raised my hand to be working also on some of the neutron/nova stuff but had 0 time yet15:37
cardoeit makes no sense that ANY project admin can configure those.15:37
cardoegtema: unfortunately it'll require the participation of the various projects themselves.15:38
gtemaindeed, I know15:38
cardoeThe way I see it is like Kubernetes's resources. You've got Cluster and Namespaced resources.15:38
gtemathat's also why I thought I will focus on building a good foundation for that in keystone-rs so that we can implement other services properly, and not as a usual "workaround" way15:39
cardoeYeah that sounds good.15:39
cardoeI'd love to work with you folks on this stuff.15:39
gtemathen just do it, I was calling you already for early feedback :-)15:40
d34dh0r53Should we have a mid-cycle to discuss this virtually?15:40
cardoeJust wanted to share what's on my backlog. Unfortunately $ETIME is my life.15:40
cardoegtema: feel free to ping me and call me out and I'll jump on it.15:40
gtemaDave Wilde (d34dh0r53) - good idea, why not15:41
opendevreviewGrzegorz Grasza proposed openstack/keystone master: Fix token chain revocation and add user-scoped revocation API  https://review.opendev.org/c/openstack/keystone/+/99740215:41
opendevreviewGrzegorz Grasza proposed openstack/keystone master: Deprecate allow_rescope_scoped_token and default to False  https://review.opendev.org/c/openstack/keystone/+/99741815:41
d34dh0r53Okay, I'll try to get something on the calendar15:42
d34dh0r53#action dwilde plan mid-cycle keystone virtual meetup15:42
gtemacardoe - ack. I will finish implementation of the oauth2 OP with docs and will go back to prototyping the keystonemiddleware so that we can have a base for discussion15:42
cardoeI'm happy to write up something about our use cases or what we're interested and why. Maybe that would help?15:42
gtemadefinitely15:43
d34dh0r53cool!15:44
cardoeright now we use 3 keystoneauth plugins and they're all out of tree15:44
gtemabtw: in keystone-rs I added the WASM auth plugins support15:45
cardoeI believe opendev / zuul is pip installing one of our plugins15:45
cardoeanyway, don't let me derail too much and keep ya15:46
d34dh0r53cool, moving on the bug review for the sake of time. I'll work on a poll to figure out the best meeting time(s)15:47
d34dh0r53#topic bug review15:47
d34dh0r53#link https://bugs.launchpad.net/keystone/?orderby=-id&start=015:47
d34dh0r53nothing new in keystone15:47
d34dh0r53#link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=015:47
d34dh0r53python-keystoneclient has no new bugs15:47
d34dh0r53#link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=015:47
d34dh0r53keystoneauth is good15:48
d34dh0r53#link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=015:48
d34dh0r53so is keystonemiddleware15:48
d34dh0r53#link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=015:48
d34dh0r53nothing new in pycadf15:48
d34dh0r53#link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=015:48
d34dh0r53nor ldappool15:48
d34dh0r53#topic conclusion15:48
d34dh0r53thanks folks, great discussion today15:48
gtemathanks guys15:49
d34dh0r53#endmeeting15:50
opendevmeetMeeting ended Wed Jul 15 15:50:01 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:50
opendevmeetMinutes:        https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-15-15.02.html15:50
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-15-15.02.txt15:50
opendevmeetLog:            https://meetings.opendev.org/meetings/keystone/2026/keystone.2026-07-15-15.02.log.html15:50
opendevreviewGhanshyam Maan proposed openstack/keystone master: Remove setting of oslo_policy[enforce_scope] flag  https://review.opendev.org/c/openstack/keystone/+/99382916:18
opendevreviewMerged openstack/keystone master: Invalidate assignment cache on modify operations  https://review.opendev.org/c/openstack/keystone/+/99739218:38
gmaangtema: can you re-add your +2 on this, i need to rebase on top of your gate fix https://review.opendev.org/c/openstack/keystone/+/99382919:31
opendevreviewGhanshyam Maan proposed openstack/keystone master: Remove testing the oslo_policy[enforce_scope]=False  https://review.opendev.org/c/openstack/keystone/+/99385219:32
gmaangtema: and +w here https://review.opendev.org/c/openstack/keystone/+/99385219:32
opendevreviewMerged openstack/keystone master: Remove setting of oslo_policy[enforce_scope] flag  https://review.opendev.org/c/openstack/keystone/+/99382921:34

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!