16:00:30 <lbragstad> #startmeeting keystone
16:00:31 <openstack> Meeting started Tue Mar  5 16:00:30 2019 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:34 <openstack> The meeting name has been set to 'keystone'
16:00:49 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:00:51 <hrybacki> o/
16:00:55 <lbragstad> o/
16:01:01 <vishakha> o/
16:01:14 <kmalloc> o/
16:01:25 <gagehugo> o/
16:03:25 <lbragstad> we have a light agenda - so lets give people a few minutes
16:04:15 <knikolla> o/
16:05:30 <lbragstad> #topic feature freeze
16:05:54 <lbragstad> reminder that this week is feature freeze
16:06:15 <lbragstad> #link https://releases.openstack.org/stein/schedule.html
16:08:05 <ayoung> Jefferson: What did I miss
16:09:46 <ayoung> Did this freeze?
16:11:49 <lbragstad> feature freeze starts friday
16:14:34 <cmurphy> o/ sorry i'm late
16:16:45 <lbragstad> does anyone have comments or questions?
16:17:09 <vishakha> No.
16:17:20 <cmurphy> the main thing we have left is limits stuff right?
16:17:37 <lbragstad> i think so
16:17:55 <cmurphy> easy enough
16:20:16 <lbragstad> #topic action items from last week
16:20:44 <lbragstad> i don't think we have anything pending
16:22:04 <lbragstad> #topic reviews
16:22:17 <lbragstad> does anyone have reviews they want to discuss?
16:22:37 <cmurphy> some easy ones https://review.openstack.org/640183 https://review.openstack.org/640024
16:22:46 <vishakha> https://review.openstack.org/#/q/topic:drop-py35+status:open here too
16:22:52 <cmurphy> ayoung: could you ack https://review.openstack.org/639182
16:23:40 <kmalloc> we need to really work on killing KSC.
16:23:50 <kmalloc> probably should be a train target :P
16:24:40 <cmurphy> keystonemiddleware still relies on it i found out
16:25:26 <kmalloc> yeah =/
16:26:04 <kmalloc> thats the CMS stuff, right?
16:26:22 <kmalloc> thankfully that is mostly just a "we get to remove it eventually"
16:27:05 <kmalloc> i'll rebase my remove PKI(z) patrch today
16:27:13 <cmurphy> CMS? no it's part of its basic token validation functionality
16:27:49 <cmurphy> http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_identity.py#n19
16:28:55 <kmalloc> oh i'll rework that to just straight use KSA
16:29:06 <kmalloc> there is ZERO reason to use ksc in middleware
16:29:32 <lbragstad> wxy-xiyuan are you ok addressing https://review.openstack.org/#/c/623153/15 in a followup?
16:30:04 <kmalloc> cmurphy: ooh and we can drop all the v2-support
16:30:18 <cmurphy> lbragstad: what's the problem with that one? why are we holding back on +2s?
16:30:45 <lbragstad> i wasn't sure if there was another revision coming that addressed your comments
16:32:08 <cmurphy> those were minor nitpicks, not worth holding up the patch
16:32:22 <lbragstad> wfm
16:33:38 <lbragstad> looks like we should have all of that merged by EOD tomorrow, then
16:33:49 <cmurphy> \o/
16:34:04 <lbragstad> is there anything else we need to have merged by Thursday?
16:35:28 <lbragstad> what do we want to do with the system-scope + default roles patches?
16:35:47 <lbragstad> we are going to continue pursuing those while in RC? or what are people's thoughts there?
16:36:00 <kmalloc> i have no issues with that.
16:36:02 <cmurphy> how many are left? is it just the ones that depend on the tempest fix?
16:36:18 <lbragstad> yeah - those
16:36:21 <lbragstad> and a few others..
16:36:38 <cmurphy> we can aim for merging the others this week at least
16:36:42 <cmurphy> i think the list is getting small
16:36:43 <lbragstad> https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles
16:36:48 <vishakha> EC2 Api  remaining in system scope. I havnt pushed patches for that
16:37:13 <lbragstad> ^ keep in mind, that list isn't conclusive of every API in keystone
16:37:22 <lbragstad> there are still bug reports that haven't been started yet :(
16:38:20 <vishakha> yup :(
16:39:04 <lbragstad> we might not get everything done until the train release
16:39:35 <lbragstad> is anyone opposed to merging these types of fixes in the RC period?
16:40:56 <kmalloc> no opposition here. it is mostly waiting on a tempest fix
16:41:03 <kmalloc> otherwise it's pretty much ready
16:41:07 <kmalloc> minor stuff eotherweise.
16:41:07 <ayoung> cmurphy, App cred spec looks good.  I assume you need the * and ** for certain use cases, so I can accept that
16:41:10 <lbragstad> yeah
16:41:21 <lbragstad> oh - speaking on app creds
16:41:25 <lbragstad> what's left for that?
16:42:04 <cmurphy> a lot https://review.openstack.org/#/q/topic:bp/whitelist-extension-for-app-creds+(status:open)
16:42:58 <cmurphy> newest patch is https://review.openstack.org/640034 which implements the role check
16:43:16 <cmurphy> but it's a little weird because it doesn't account for scope
16:43:23 <lbragstad> aha
16:43:49 <lbragstad> i'm going to assume we don't *have* to get this all merged by friday since we're not opening this up to the API
16:43:49 <cmurphy> so need to get people's thoughts on that, but it doesn't block any of the other work
16:44:06 <kmalloc> if we are holding apis
16:44:09 <kmalloc> it can merge anytime
16:44:13 <lbragstad> ack
16:44:19 <cmurphy> would still be good to get a chunk merged if possible
16:44:23 <kmalloc> i think we decided to hold the APIs.
16:44:25 <lbragstad> ++
16:44:32 <kmalloc> land them first thing in train
16:44:39 <lbragstad> yeah - the earlier the better
16:44:52 <lbragstad> i'll make a note to revisit those reviews today
16:44:58 <kmalloc> we can land it as soon as we land the marker for stein branch
16:45:05 <kmalloc> the apis*
16:45:30 <ayoung> Heh...always said we should split scope and role check
16:45:52 <ayoung> should be OK, as the scope check should be done by policy already, no?
16:46:22 <vishakha> So is it possible to merge the scope things after feature freeze? or it will be merged in train?
16:46:49 <lbragstad> it will be available in stein, but the code path won't be accessible to users
16:46:55 <ayoung> app creds should be in addition to existing checks.  There should be no need for an additional scope check if we are not bypassing existing policy mech
16:48:51 <lbragstad> #topic open discussion
16:48:58 <lbragstad> about 12 minutes left
16:49:07 <kmalloc> Everyone thank lbragstad for being an awesome PTL!
16:49:13 <kmalloc> :)
16:49:17 * lbragstad blushes
16:49:25 <cmurphy> ayoung: we're not bypassing the existing checks, but i feel like there's a conflicting message if the app cred can be created for an api that requires a member role but the policy enforces system scope, for example
16:49:46 <cmurphy> lbragstad: thank you for all your work <3 please don't leave keystone
16:50:11 <lbragstad> :) i'm not going to stray too far - you're not rid of me, yet!
16:50:22 <cmurphy> *phew*
16:50:23 <vishakha> thanks lbragstad . Will miss you as a PTL :)
16:50:35 <kmalloc> and on that topic... PTL self-nomination is opening soon. Look for the announcement and toss your collective hat in the ring if you're interested.
16:50:41 <gagehugo> lbragstad: thanks :)
16:50:44 <lbragstad> ++ ^
16:51:01 <lbragstad> if you're considering running - this probably goes without saying
16:51:20 <lbragstad> but *this* team makes it really easy to be PTL - so pitch those hesitations aside if you have them ;)
16:51:28 <cmurphy> :)
16:51:44 <knikolla> lbragstad: thanks for all you've done :)
16:52:16 <lbragstad> thank *you* all for all the work you've done
16:53:08 <lbragstad> i look forward to reading some self-nominations this week
16:53:54 <lbragstad> anything else folks want to discuss?
16:54:01 <lbragstad> code, reviews, PTG planning?
16:54:04 <lbragstad> forum planning?
16:54:23 <lbragstad> ^ we should circle back up on that during office hours actually because forum submissions are due this week
16:54:31 <cmurphy> ++
16:54:48 <knikolla> cool
16:54:51 <vishakha> https://review.openstack.org/#/c/639718 I posted some comments in this. pl look whenever yoou have time
16:55:04 <lbragstad> despite the title
16:55:05 <lbragstad> #link https://etherpad.openstack.org/p/DEN-keystone-forum-sessions
16:55:15 <lbragstad> ^ is for the forum and the PTG
16:56:58 <lbragstad> looks like we can get some time back - thanks for the time, everyone!
16:57:06 <lbragstad> #endmeeting