17:00:23 #startmeeting keystone
17:00:24 Meeting started Tue Aug 4 17:00:23 2020 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:27 The meeting name has been set to 'keystone'
17:00:31 #link https://etherpad.opendev.org/p/keystone-weekly-meeting
17:00:39 o/
17:00:40 o/
17:00:40 o/
17:01:05 we'll give folks a few minutes to show up
17:02:20 o/
17:03:08 #topic Announcements
17:03:15 #info Last day to submit proposals for Open Infra Summit
17:03:32 in case you're planning on submitting a proposal, now is the time!
17:04:22 #topic Review Requests
17:04:47 looks like we have some reviews
17:05:01 #link https://review.opendev.org/#/c/743489/
17:05:10 #link https://review.opendev.org/#/c/737225/
17:05:18 #link https://review.opendev.org/#/c/742233/
17:05:25 #link https://review.opendev.org/#/c/731087/
17:05:55 Thanks lbragstad for listing them down
17:06:06 mhm - you're welcome, thanks for the patches
17:06:18 i've been working on https://review.opendev.org/686305 for a while, it's now just about ready to review
17:06:35 o.m.g.
17:07:01 its performance isn't quite as significant as i was hoping but the subunit tests are generally a bit faster than the unit version of them
17:07:12 fantastic
17:07:37 it's all in one big pile but i can split it up if it would be easier for people to review, not sure if it's actually easier
17:07:50 right
17:08:02 i agree
17:08:32 does this mean we can rip out all the unit testing in keystone?
17:08:37 protection unit testing?
17:08:45 i think so
17:08:48 awesome
17:09:24 the one thing this doesn't cover that the unit tests do cover is the enforce_scope=false tests
17:09:35 but i'm not sure we want to keep those around much longer anyway
17:09:43 yeah - that makes sense
17:10:32 fwiw - i was trying to figure out if it was possible to do self-paced policy evolution
17:11:34 s/evolution/deprecation/
17:11:46 how did that go?
17:12:31 i think it's useful but only for system administrators
17:13:12 and i say that because i assumed that allowing unintended privilege escalation would be a deal breaker for operators
17:13:21 lol
17:13:32 psh who needs security
17:14:07 if we keep that assumption, or agree that it's important, then i don't think self-paced policy removal is going to be feasible
17:15:05 yeah
17:15:17 so - marginally useful?
17:16:27 or if we do allow it - we have to provide some sort of document saying projects move at their own pace and it's up to operators to ensure all services they deploy are using the new defaults
17:16:34 before they start giving people project admin
17:17:01 i'm bringing this up since it might affect if/when we remove the unit tests cmurphy ported over
17:19:07 any way - we can circle back to this later (i don't want to derail things)
17:19:21 thanks cmurphy and vishakha
17:19:26 any other reviews to discuss?
17:20:03 #topic Bugs
17:20:49 looks like we have 12 untriaged bugs https://bugs.launchpad.net/keystone/+bugs?search=Search&field.status=New
17:21:19 i will highlight prometheanfire's repeated requests for help with raising the upper-constraint for pymysql
17:21:57 I will look into it. I saw the failures
17:22:00 we fixed the lower-constraints job in keystone by pinning pymysql but the requirements team can't raise the upper-constraint for openstack until we fix our stuff
17:22:03 thanks vishakha
17:22:15 cool - that sounds good
17:22:38 i stumbled across https://bugs.launchpad.net/keystone/+bug/1889936 last week and i was curious if anyone else here has attempted AD integration?
17:22:39 Launchpad bug 1889936 in OpenStack Identity (keystone) "Using Microsoft AD's objectGUID attribute as user_id_attribute breaks" [Undecided,In progress] - Assigned to Lance Bragstad (lbragstad)
17:23:43 nope
17:23:57 * lbragstad nods
17:24:08 anything else on the bug front?
17:25:48 #topic Open Floor
17:25:55 I was thinking to work on bug #link https://bugs.launchpad.net/keystone/+bug/1816166
17:25:56 Launchpad bug 1816166 in OpenStack Identity (keystone) "RFE: Support tokens with subsets of roles" [Wishlist,Triaged] - Assigned to Vishakha Agarwal (vishakha.agarwal)
17:26:24 vishakha is that something you're planning to work on for this release?
17:26:28 I hope this is still in keystone's roadmap.
17:26:59 lbragstad: Yes I am for this release.
17:27:40 vishakha ok - do we have a specification for that proposed?
17:27:48 i believe specification proposal freeze was July 31
17:29:15 ohh I did not notice that it required a specification first. There is one https://review.opendev.org/#/c/186979/, but is abandoned.
17:29:40 yeah - it might need to be refreshed and reproposed to target the current release
17:29:53 knikolla will have to issue an exception for it
17:29:56 i believe
17:30:16 hmm is this an important feature? can't we accomplish this with app creds?
17:30:16 Thanks for reminding. I can work on that in another cycle then.
17:31:28 this request has been around for a long time, certainly before app creds were a thing
17:32:01 probably worth re-assessing the use case now that we have application credentials
17:32:31 yeah
17:33:31 I will put this on hold, and will re-assess this later
17:33:36 sounds good
17:33:45 anything else folks want to talk about?
17:36:15 alright - looks like we can get some time back
17:36:20 thanks folks
17:36:24 #endmeeting