16:00:30 <lbragstad> #startmeeting keystone 16:00:31 <openstack> Meeting started Tue Mar 5 16:00:30 2019 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:34 <openstack> The meeting name has been set to 'keystone' 16:00:49 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting 16:00:51 <hrybacki> o/ 16:00:55 <lbragstad> o/ 16:01:01 <vishakha> o/ 16:01:14 <kmalloc> o/ 16:01:25 <gagehugo> o/ 16:03:25 <lbragstad> we have a light agenda - so lets give people a few minutes 16:04:15 <knikolla> o/ 16:05:30 <lbragstad> #topic feature freeze 16:05:54 <lbragstad> reminder that this week is feature freeze 16:06:15 <lbragstad> #link https://releases.openstack.org/stein/schedule.html 16:08:05 <ayoung> Jefferson: What did I miss 16:09:46 <ayoung> Did this freeze? 16:11:49 <lbragstad> feature freeze starts friday 16:14:34 <cmurphy> o/ sorry i'm late 16:16:45 <lbragstad> does anyone have comments or questions? 16:17:09 <vishakha> No. 16:17:20 <cmurphy> the main thing we have left is limits stuff right? 16:17:37 <lbragstad> i think so 16:17:55 <cmurphy> easy enough 16:20:16 <lbragstad> #topic action items from last week 16:20:44 <lbragstad> i don't think we have anything pending 16:22:04 <lbragstad> #topic reviews 16:22:17 <lbragstad> does anyone have reviews they want to discuss? 16:22:37 <cmurphy> some easy ones https://review.openstack.org/640183 https://review.openstack.org/640024 16:22:46 <vishakha> https://review.openstack.org/#/q/topic:drop-py35+status:open here too 16:22:52 <cmurphy> ayoung: could you ack https://review.openstack.org/639182 16:23:40 <kmalloc> we need to really work on killing KSC. 16:23:50 <kmalloc> probably should be a train target :P 16:24:40 <cmurphy> keystonemiddleware still relies on it i found out 16:25:26 <kmalloc> yeah =/ 16:26:04 <kmalloc> thats the CMS stuff, right? 16:26:22 <kmalloc> thankfully that is mostly just a "we get to remove it eventually" 16:27:05 <kmalloc> i'll rebase my remove PKI(z) patrch today 16:27:13 <cmurphy> CMS? no it's part of its basic token validation functionality 16:27:49 <cmurphy> http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_identity.py#n19 16:28:55 <kmalloc> oh i'll rework that to just straight use KSA 16:29:06 <kmalloc> there is ZERO reason to use ksc in middleware 16:29:32 <lbragstad> wxy-xiyuan are you ok addressing https://review.openstack.org/#/c/623153/15 in a followup? 16:30:04 <kmalloc> cmurphy: ooh and we can drop all the v2-support 16:30:18 <cmurphy> lbragstad: what's the problem with that one? why are we holding back on +2s? 16:30:45 <lbragstad> i wasn't sure if there was another revision coming that addressed your comments 16:32:08 <cmurphy> those were minor nitpicks, not worth holding up the patch 16:32:22 <lbragstad> wfm 16:33:38 <lbragstad> looks like we should have all of that merged by EOD tomorrow, then 16:33:49 <cmurphy> \o/ 16:34:04 <lbragstad> is there anything else we need to have merged by Thursday? 16:35:28 <lbragstad> what do we want to do with the system-scope + default roles patches? 16:35:47 <lbragstad> we are going to continue pursuing those while in RC? or what are people's thoughts there? 16:36:00 <kmalloc> i have no issues with that. 16:36:02 <cmurphy> how many are left? is it just the ones that depend on the tempest fix? 16:36:18 <lbragstad> yeah - those 16:36:21 <lbragstad> and a few others.. 16:36:38 <cmurphy> we can aim for merging the others this week at least 16:36:42 <cmurphy> i think the list is getting small 16:36:43 <lbragstad> https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles 16:36:48 <vishakha> EC2 Api remaining in system scope. I havnt pushed patches for that 16:37:13 <lbragstad> ^ keep in mind, that list isn't conclusive of every API in keystone 16:37:22 <lbragstad> there are still bug reports that haven't been started yet :( 16:38:20 <vishakha> yup :( 16:39:04 <lbragstad> we might not get everything done until the train release 16:39:35 <lbragstad> is anyone opposed to merging these types of fixes in the RC period? 16:40:56 <kmalloc> no opposition here. it is mostly waiting on a tempest fix 16:41:03 <kmalloc> otherwise it's pretty much ready 16:41:07 <kmalloc> minor stuff eotherweise. 16:41:07 <ayoung> cmurphy, App cred spec looks good. I assume you need the * and ** for certain use cases, so I can accept that 16:41:10 <lbragstad> yeah 16:41:21 <lbragstad> oh - speaking on app creds 16:41:25 <lbragstad> what's left for that? 16:42:04 <cmurphy> a lot https://review.openstack.org/#/q/topic:bp/whitelist-extension-for-app-creds+(status:open) 16:42:58 <cmurphy> newest patch is https://review.openstack.org/640034 which implements the role check 16:43:16 <cmurphy> but it's a little weird because it doesn't account for scope 16:43:23 <lbragstad> aha 16:43:49 <lbragstad> i'm going to assume we don't *have* to get this all merged by friday since we're not opening this up to the API 16:43:49 <cmurphy> so need to get people's thoughts on that, but it doesn't block any of the other work 16:44:06 <kmalloc> if we are holding apis 16:44:09 <kmalloc> it can merge anytime 16:44:13 <lbragstad> ack 16:44:19 <cmurphy> would still be good to get a chunk merged if possible 16:44:23 <kmalloc> i think we decided to hold the APIs. 16:44:25 <lbragstad> ++ 16:44:32 <kmalloc> land them first thing in train 16:44:39 <lbragstad> yeah - the earlier the better 16:44:52 <lbragstad> i'll make a note to revisit those reviews today 16:44:58 <kmalloc> we can land it as soon as we land the marker for stein branch 16:45:05 <kmalloc> the apis* 16:45:30 <ayoung> Heh...always said we should split scope and role check 16:45:52 <ayoung> should be OK, as the scope check should be done by policy already, no? 16:46:22 <vishakha> So is it possible to merge the scope things after feature freeze? or it will be merged in train? 16:46:49 <lbragstad> it will be available in stein, but the code path won't be accessible to users 16:46:55 <ayoung> app creds should be in addition to existing checks. There should be no need for an additional scope check if we are not bypassing existing policy mech 16:48:51 <lbragstad> #topic open discussion 16:48:58 <lbragstad> about 12 minutes left 16:49:07 <kmalloc> Everyone thank lbragstad for being an awesome PTL! 16:49:13 <kmalloc> :) 16:49:17 * lbragstad blushes 16:49:25 <cmurphy> ayoung: we're not bypassing the existing checks, but i feel like there's a conflicting message if the app cred can be created for an api that requires a member role but the policy enforces system scope, for example 16:49:46 <cmurphy> lbragstad: thank you for all your work <3 please don't leave keystone 16:50:11 <lbragstad> :) i'm not going to stray too far - you're not rid of me, yet! 16:50:22 <cmurphy> *phew* 16:50:23 <vishakha> thanks lbragstad . Will miss you as a PTL :) 16:50:35 <kmalloc> and on that topic... PTL self-nomination is opening soon. Look for the announcement and toss your collective hat in the ring if you're interested. 16:50:41 <gagehugo> lbragstad: thanks :) 16:50:44 <lbragstad> ++ ^ 16:51:01 <lbragstad> if you're considering running - this probably goes without saying 16:51:20 <lbragstad> but *this* team makes it really easy to be PTL - so pitch those hesitations aside if you have them ;) 16:51:28 <cmurphy> :) 16:51:44 <knikolla> lbragstad: thanks for all you've done :) 16:52:16 <lbragstad> thank *you* all for all the work you've done 16:53:08 <lbragstad> i look forward to reading some self-nominations this week 16:53:54 <lbragstad> anything else folks want to discuss? 16:54:01 <lbragstad> code, reviews, PTG planning? 16:54:04 <lbragstad> forum planning? 16:54:23 <lbragstad> ^ we should circle back up on that during office hours actually because forum submissions are due this week 16:54:31 <cmurphy> ++ 16:54:48 <knikolla> cool 16:54:51 <vishakha> https://review.openstack.org/#/c/639718 I posted some comments in this. pl look whenever yoou have time 16:55:04 <lbragstad> despite the title 16:55:05 <lbragstad> #link https://etherpad.openstack.org/p/DEN-keystone-forum-sessions 16:55:15 <lbragstad> ^ is for the forum and the PTG 16:56:58 <lbragstad> looks like we can get some time back - thanks for the time, everyone! 16:57:06 <lbragstad> #endmeeting