17:00:07 <knikolla> #startmeeting keystone
17:00:08 <openstack> Meeting started Tue Jun 16 17:00:07 2020 UTC and is due to finish in 60 minutes.  The chair is knikolla. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:09 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:11 <openstack> The meeting name has been set to 'keystone'
17:00:13 <knikolla> o/
17:00:15 <lbragstad> o/
17:00:18 <vishakha> o/
17:00:18 <gagehugo> o/
17:00:39 <cmurphy> o/ on another call for a minute
17:00:41 <raildo> o/
17:02:49 <knikolla> how's everyone? no traveling or jetlag returning from ptg for once.
17:04:06 <vishakha> Yeah
17:04:49 <gagehugo> debating about working from outside this afternoon
17:05:13 <knikolla> do it! if your screen is bright enough.
17:05:44 <knikolla> i print out everything as pdf on my eink tablet and do some disconnected work and code reviews by the park.
17:06:48 <knikolla> #topic Announcements
17:07:07 <knikolla> We're already at M-1 this week. Time flies.
17:07:20 <knikolla> I've set out some time this afternoon to organize bugs that we can target for M-2.
17:08:23 <knikolla> I will also send out a doodle poll for a retrospective, since we didn't do one during the PTG. (We usually have beer with them)
17:09:23 <knikolla> #topic Review Requests
17:10:03 <vishakha> I have some reviews for the team #link https://review.opendev.org/#/c/731087/
17:10:16 <vishakha> #link https://review.opendev.org/#/c/720789/
17:10:27 <vishakha> and https://review.opendev.org/#/c/734549/
17:12:05 <knikolla> thanks vishakha :)
17:12:29 <knikolla> I will have a look later today
17:12:47 <vishakha> Thanks knikolla
17:13:31 <alistarle> About https://review.opendev.org/#/c/726929/ what is the status then ?
17:14:22 <alistarle> Look like there is proposition to make to different section for oslo_limit, oslo.limit and oslo.limit-ksa, I don't know if any other oslo library are doing the same
17:15:14 <bnemec> I don't know that we have any other libraries that talk to Keystone.
17:15:43 <bnemec> https://review.opendev.org/#/c/733881/ is the proposed solution based on our PTG discussions.
17:16:14 <alistarle> Oh so there was PTG discussion about that ? I miss that
17:17:24 <bnemec> Yeah, it was a brief part of the unified limits topic.
17:17:37 <bnemec> There wasn't much dissension so it wrapped up quickly. :-)
17:18:47 <alistarle> Ok, so if it is a consensus it is ok for me too, my only point is, as an operator, I find it a bit heavy to configure two separate section, and my question was does it was already done during openstack history
17:19:14 <alistarle> and if not, does we agree to do it for oslo_limit
17:21:35 <bnemec> I believe it is an existing pattern (feel free to correct me), and we have to have separate configs in any case because we can't rely on the ksa opts in oslo.limit for the reasons I outlined in the commit message.
17:23:55 <alistarle> It's ok for me too then
17:24:30 <alistarle> I will update the patch and the user guide accordingly, and try to check with openstacksdk when will the next release published
17:24:45 <bnemec> Sounds good, thanks!
17:25:01 <knikolla> cool :)
17:25:53 <knikolla> anything else on the topic? or additional review requests?
17:29:00 <gshippey> jeez i am on the wrong timezone! completely missed this
17:29:07 <knikolla> #topic Open Floor
17:29:15 <knikolla> gshippey: you are perfectly in time
17:29:33 <gshippey> https://bugs.launchpad.net/keystone/+bug/1883247
17:29:33 <openstack> Launchpad bug 1883247 in OpenStack Identity (keystone) "Able to assign users to projects/groups across different domains" [Undecided,New]
17:30:39 <gshippey> is there a firm decision here? anyone currently deploying federation with OSA currently will be using assignations across domains
17:31:28 <knikolla> i do have it set up like that. our projects are in default, our users are in the default domain and the domain of the idp.
17:32:25 <knikolla> as i responded in the bug report, i am missing the historical context for why it is possible, or if it shouldn't have been possible. either way, it is what it is.
17:32:50 <gshippey> so i am hoping I can just assume what we are doing is fine then :)
17:33:27 <knikolla> yes, i guess the action item out of this is to document that this is possible.
17:34:15 <gshippey> cool, perhaps that wiki i reference should be updated too
17:34:26 <gshippey> if possible
17:34:34 <vishakha> +1
17:34:54 <gshippey> great, thanks :)
17:35:07 <knikolla> yeah, we haven't really used wikis in the past 4 years so everything keystone related in them is definitely stale.
17:36:35 <vishakha> #link https://bugs.launchpad.net/keystone/+bug/1800161
17:36:35 <openstack> Launchpad bug 1800161 in OpenStack Identity (keystone) "Policy names need to be updated for consistency" [Medium,In progress] - Assigned to Vishakha Agarwal (vishakha.agarwal)
17:37:01 <vishakha> I just wanted to know, is this still in focus for keystone.
17:37:03 <vishakha> ?
17:37:28 <vishakha> Should we update all the policies name as per the https://docs.openstack.org/oslo.policy/latest/user/usage.html#naming-policies
17:38:23 <knikolla> good question. i assume it still is.
17:38:36 <bnemec> You might run into problems with double deprecations if you rename a policy that's already deprecated.
17:39:10 <knikolla> ++, this may need to hold off until we can consume the policy improvements.
17:39:14 <vishakha> I am concerned it might break the operators
17:40:46 <vishakha> Yeah it might need to hold off
17:41:49 <knikolla> i don't think that is a concern since the police in code will handle reading the deprecated policy if people don't update it.
17:42:02 <knikolla> correct me if i'm wrong :)
17:42:42 <vishakha> Hoping lbragstad can give some inputs on it
17:43:25 <lbragstad> i don't think it's as high of a priority atm
17:43:50 <knikolla> ++
17:43:57 <lbragstad> i think it's probably better to get things working wrt consistent RBAC and then reassess the naming
17:44:09 <cmurphy> ++
17:44:15 <lbragstad> for context...
17:44:42 <vishakha> sure. Thanks knikolla lbragstad
17:44:43 <lbragstad> i opened that because using a convention across names made things easier for people using the http_check
17:44:43 * gagehugo put operator hat on
17:44:46 <gagehugo> I would want to make sure that any policy name changes make it into the release notes and have high visibility in the docs for upgrading to the release that it lands
17:45:20 <gagehugo> a fallback to deprecated names would be good too
17:45:42 <lbragstad> that said - i think consistent names are pretty much moot until we find a way to expose them (e.g., a capabilities API)
17:47:13 <vishakha> okay
17:48:20 <vishakha> #link https://bugs.launchpad.net/keystone/+bug/1804041. I  wanted to gain some information about nginx
17:48:20 <openstack> Launchpad bug 1804041 in OpenStack Identity (keystone) "Federation documentation should include examples for nginx" [Medium,Triaged]
17:48:41 <vishakha> So that I can help in upating this documentaion.
17:49:05 <vishakha> I am not sure from where to learn about it.
17:49:34 <vishakha> Mostly nginx is used in keystone
17:54:33 <cmurphy> vishakha: not sure what suggestion to offer besides to look up the nginx documentation
17:56:04 <vishakha> Thanka cmurphy I will dig more into it
17:58:20 <knikolla> I guess we can call the meeting to a close, thanks everyone :)
17:58:22 <knikolla> #endmeeting