17:00:28 #startmeeting keystone 17:00:28 Meeting started Tue Dec 15 17:00:28 2020 UTC and is due to finish in 60 minutes. The chair is knikolla. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:29 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:00:31 The meeting name has been set to 'keystone' 17:00:32 o/ 17:00:49 \o 17:08:16 cmurphy, lbragstad, gagehugo: around? 17:08:28 o/ 17:08:31 i am - sorry 17:08:52 o/ 17:09:09 o/ I'm on vacation but usually around :) 17:09:25 gagehugo: enjoy your vacation! 17:09:39 #topic Lower-constraints job failing 17:09:57 The new pip dependency resolver is much stricter and is causing our lower-constraints job to fail 17:10:41 I am working on fixing it, but I'm not super well versed in it, so it's taking me quite some time of whackamoling. 17:12:00 it looks like other projects are facing the same problem 17:12:16 yeah, there is a discussion on the mailing list 17:12:29 there didn't seem to be any consensus on how best to approach it though 17:12:38 Yes, I fixed for cloudkitty 17:13:12 but I took the lazy route, and just bumped them up as most of them were pretty outdated already 17:13:52 I'm trying to be more conservative, since a lot of things import keystoneauth or client 17:14:18 so I'm relaxing some constraints and trying to bump a few things 17:14:31 not fun 17:15:08 I miss the requirements bot 17:17:47 #topic Open Discussion 17:20:31 cmurphy: did you get a chance to re-review rafaelweingartne specs? 17:24:19 i left some feedback earlier but i don't really have time to keep going back and forth on it, i'll support what the rest of the cores agree with. my only discomfort with 748042 was that it seems to make the domain attribute of a mapping behave differently from the project attribute, i.e. project is for role assignments but domain is the default namespace for users and groups rather than a 17:24:21 target for role assignments. if other cores are okay with those semantics i won't fuss over it. 17:27:23 rafaelweingartne: the projects_json spec depends only on the versioned mappings or also by the domain attribute? 17:27:38 only on the versioned mappings 17:27:55 but if you want to use more complex things, such as a default domain, and then overriding it in some projects 17:28:02 then, yes, you would need it as well 17:28:29 but without it, the default domain would be implied to be the domain of the idp 17:28:33 right? 17:28:56 if we remove that, yes 17:29:03 I did not implement this way though 17:29:51 I really do not see the problem on using the domain on projects definition as well. That domain element is already used by the group definition 17:30:28 that's very different, that's part of the group object 17:30:40 groups and users are always identified by a name and domain 17:30:48 so the group object contains a domain reference 17:31:07 but projects also have a domain, don't they? 17:31:15 they belong to a domain 17:32:10 is it possible to create a project without a domain? I have not checked that 17:32:44 if i understand cmurphy reservation correctly, is that in the mapping definition project/group have a domain attribute. project and group are themselves top-level objects in the mapping. 17:33:04 yes 17:33:07 right 17:33:13 however domain as a top level attribute would act fundamentally differently, since it would change things of other objects in the mapping. 17:33:24 it is already like that 17:33:36 you can define a domain in the top level of the mapping 17:34:13 also, this behavior would only be activated in the 1.1 version. Therefore, for everybody using it, they would still get the behavior we have right now 17:34:19 https://github.com/openstack/keystone/blob/a98f006f854be02e5682390012d8bb917f4f3940/keystone/federation/utils.py#L118 17:34:22 i believe you're referring to this 17:34:31 the fact that we already accept a domain in the mapping, but it doesn't do anything 17:34:32 yes 17:34:39 exactly 17:36:44 I do see cmurphy's reservation, and I do share it. However I think none of the cores have either felt too strongly against it, or super okay with it, and are therefore waiting on someone else to take the charge in either approving or shutting it down. 17:37:08 if it currently doesn't do anything then there is no "already" to set any precedent, so now is when we define what it should be doing and i think the proposed definition doesn't make sense 17:38:03 I disagree, I really do not see why so much resistance on this one. It would not be activated by default. 17:38:26 rafaelweingartne: one question. if the domain is specified for the whole mapping, and you have one mapping per protocol/idp, why not use the idp domain as the default? 17:39:52 rafaelweingartne: I don't think the reservation is not with it being enabled by default. It is with it not matching the way that the other attributes/objects are defined in the mapping. 17:41:12 that domain value is used here: https://github.com/openstack/keystone/blob/a98f006f854be02e5682390012d8bb917f4f3940/keystone/federation/utils.py#L591 17:43:12 Probably I am misinterpreting things because I see groups and projects being bound to a domain; therefore, I would expect them to use/adopt this "domain" option in the same manner 17:47:38 rafaelweingartne: i need to dig deeper in that section of the code. so you've found that the domain there does provide a domain to the groups, but not projects 17:47:54 exactly 17:47:56 meaning, the top-level domain does provide the default domain for the groups, attribute 17:48:02 yes 17:48:04 exactly 17:48:18 and we extended it further, and provided this to projects as well 17:48:33 and then, also a method to override it in the project if needed 17:48:48 cmurphy: does it make more sense to you in this context? 17:50:01 if it's the case that that domain is already used that way then yes that makes in this context, before we were saying that domain attribute doesn't get used so i was confused 17:50:48 yeah, sorry for causing the confusion. i had misunderstood. 17:50:50 well, to be fair 17:50:55 it is the first sentence I have there 17:51:05 Currently, Keystone identity provider (IdP) attribute mapping schema onlyuses the "domain" attribute mapping as a default configuration for the domainof groups being mapped 17:51:35 rafaelweingartne: you are completely right! 17:53:03 any other questions concerns while we're here? 17:53:10 https://review.opendev.org/c/openstack/keystone-specs/+/748042/4/specs/keystone/wallaby/versioning-for-attribute-mapping-schema.rst#38 "The default domain definition in the "local" property of the attribute mapping rule was not being used." was where i interpreted that, sorry for the confusion 17:53:26 ++, i think that's what got me too 17:54:44 rafaelweingartne: so domain provides a default for the groups attribute. does it provide a default for "group" as well? 17:55:24 or in that one if only name is provided, the domain attribute must be inside the group object? 17:55:31 it has been a while that I did this implementation 17:55:36 (i should already know these things, sorry for asking) 17:55:39 I do not remember by heart, I would need to check 17:56:01 I would like to say yes 17:56:18 but that part of the code is a bit hard to me to read, so I would rather check it first 17:56:47 if we are having that be the default for projects, it feels like it should be the default for group as well, otherwise there is inconsistency 17:57:24 i will do some poking as well 17:58:10 In our implementation that is how it is working now, but in master I am not sure 17:58:10 sorry for taking this long to providing more feedback on the specs 17:58:37 we normalized the use of that variable, then it became consistent across the different elements 17:58:59 i see 17:59:21 alright, we're out of time. thanks all! thanks rafaelweingartne and cmurphy for the discussion. 17:59:32 welcome 17:59:42 we can keep exchanging in the spec there 17:59:53 #endmeeting