15:03:16 #startmeeting keystone
15:03:16 Meeting started Tue Oct 12 15:03:16 2021 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:16 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:16 The meeting name has been set to 'keystone'
15:03:22 #topic Roll Call
15:03:25 o/
15:03:34 * redrobot needs to set his calendar to alert for this meeting
15:03:57 o/
15:03:57 yes - currently i think i'm your alert system
15:04:01 :)
15:04:04 Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, jdennis, ruan_he, wxy, sonuk, vishakha, Ajay, raildo, rafaelweingartner, xek
15:04:14 o/
15:04:24 o/
15:04:32 lurking as I'm in another meeting
15:05:00 #link https://etherpad.opendev.org/p/keystone-weekly-meeting
15:05:07 thanks lbragstad
15:05:22 OK, let's get started
15:05:31 #topic Review Past Meeting Action Items
15:05:42 #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-10-05-15.01.html
15:05:45 we didn't have any
15:05:49 moving on ..
15:06:08 #topic Liaison Updates
15:06:32 knikolla 👋
15:07:13 I don't think knikolla is around ... let's move on
15:07:34 #topic Oauth 2.0
15:07:42 #link https://review.opendev.org/c/openstack/keystone-specs/+/813152
15:08:02 h_asahina ^^^
15:08:03 o/
15:08:27 yes. I submitted the spec.
15:08:33 looking at the agenda notes
15:08:56 I'd appreciate it if you could review it.
15:09:25 #help we need folks to review the Oauth 2.0 spec patch
15:10:03 I'd like to ask you about https support status in keystone because oauth2 needs it.
15:10:38 I guess the current keystone does not support TLS in general way, like just adding a cert file to config. Is that correct?
15:10:45 keystone doesn't implement https support natively, it's handled by the webserver
15:11:07 yeah the API is just a regular WSGI server
15:11:15 *WSGI app
15:11:20 got it.
15:12:00 added myself to that review I'll take a look when I have some time
15:12:34 thanks.
15:12:43 h_asahina this isn't much, but
15:12:43 https://docs.openstack.org/keystone/latest/install/keystone-install-rdo.html#ssl
15:12:54 Also adding ayoung since he was asking to be added to reviews
15:13:17 h_asahina it'll depend on the web server you're using though
15:13:44 great. i'll check it.
15:15:01 looks like the topic is already in the agenda for the PTG session next week
15:16:00 yeah. I added it. If you all have enough time, I'd like to discuss about the details of the above spec.
15:16:15 in PTG
15:16:26 Is that happening now?
15:17:18 BTW, admiyo == ayoung
15:17:18 admiyo no, PTG is next Monday
15:17:41 #link https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-assets-prod/Uploads/PTG-Oct-18-22-2021-Schedule-Rev2.pdf
15:17:56 does anyone know where the list of etherpads is?
15:18:25 Did they really name the rooms after the old releases? That is lovely
15:18:33 h_asahina anything else you want to talk about for your topic?
15:19:05 I think I had one question on the OAUTH stuff before
15:19:11 yes. I want to confirm naming rules for subcommand.
15:19:46 admiyo I added you to the spec gerrit change
15:19:52 found it #link https://ptg.opendev.org/etherpads.html
15:20:03 oauth2 is a good way to go, but is tough to implement correctly. What is the general idea of a library to use to implement?
15:21:00 BTW, the general idea of the AUTH suburl was going to be to support different auth mechanisms.
15:21:05 we're considering to use oauthlib https://oauthlib.readthedocs.io/en/latest/
15:21:27 which is also used by the existing oauth1 ext.
15:21:38 so instead of POST /OS-OAUTH2/introspect It would have been POST /auth/OS-OAUTH2/introspect
15:21:50 but really, no, that should be just for the actually authentication process
15:22:12 I'll review the spec
15:22:43 admiyo: thanks. please add your comments on the review :)
15:22:56 ++ I think this is a long time coming, and I love the concept
15:23:09 thanks for driving it forward
15:23:15 just FYI - i'm going to move the contents of #link https://etherpad.opendev.org/p/yoga-ptg-keystone to #link https://etherpad.opendev.org/p/oct2021-ptg-keystone
15:23:27 since that's the etherpad linked in #link https://ptg.opendev.org/etherpads.html
15:24:53 I'd like to go back to the naming convention of the subcommand if you don't mind.
15:25:01 lbragstad I think we're stepping on each other's toes
15:25:07 lbragstad I'll explain during PTG topic
15:25:18 redrobot ack
15:25:36 h_asahina do you have a specific question about the naming?
15:25:47 or just looking for style docs or some such?
15:26:17 for osc commands. like `openstack user`
15:27:06 we want to add new subcommands to OSC for OAuth2.
15:27:40 so, i'd like to know the rules in advance.
15:29:04 Currently, we are considering either one of `openstack client`, `openstack oauth2 client` and `openstack consumer --oauth2` for the OAuth2.0 client registration. Which one is appropriate?
15:30:40 client is confusing
15:30:46 the whole app is known as the cli
15:30:51 and there are many clients.
15:31:32 What sort of commands would a user have to make? Are these oauth2 specific?
15:31:38 openstack oauth2 as the naming for subcommands seems to be in keeping with the norm for newer additions. I don't know if there is a strict convention
15:32:06 --oauth2 is non obvious to me.
15:32:27 openstack oauth2 client create
15:32:28 redrobot: these are oauth2 specific. the commands for users to register oauth2 client.
15:32:36 that seems to be the most consistent
15:32:49 openstack oauth2 client validate
15:32:57 openstack oauth2 token issue
15:33:29 namespace, entity, verb
15:33:40 openstack baremetal node create as an example
15:34:20 i see. makes sense.
15:35:35 ok. we're going with `openstack oauth2 client`. thank you for your help admiyo.
15:35:47 great
15:35:52 anything else on this topic?
15:36:17 nothing from my side.
15:36:28 thanks h_asahina
15:36:32 #topic PTG
15:36:36 It's next week
15:37:02 #link https://etherpad.opendev.org/p/yoga-ptg-keystone
15:37:18 but it looks like we got moved. 😅
15:37:29 lbragstad I was trying to update the url on the PTG site
15:37:34 oh - sorry about that
15:37:35 It got moved moments ago by lbragstad
15:37:44 just FYI - i'm going to move the contents of #link https://etherpad.opendev.org/p/yoga-ptg-keystone to #link https://etherpad.opendev.org/p/oct2021-ptg-keystone
15:37:44 no worries
15:37:52 we can keep it there
15:37:58 I'll just have to update my bookmarks
15:38:01 and the link in the agenda
15:38:28 because I'm not sure the bot in #openinfra-events is working
15:38:32 or maybe it doesn't like me.
15:38:42 i think you need +v?
15:39:46 🤷
15:39:53 #link https://etherpad.opendev.org/p/oct2021-ptg-keystone
15:39:56 ^^^ going forward
15:40:14 We have one session: Monday October 18, 1400-1600 UTC
15:40:37 so far we have Oauth2 in the agenda as well as a status update for Secure RBAC
15:40:42 if we have time maybe we can triage bugs
15:41:35 please feel free to add any additional topics to the etherpad
15:42:02 Have we decided on whether to use Zoom or Meetpad?
15:42:21 Also no weekly meeting next week since we'll be doing PTG things
15:42:31 I am fine with either
15:44:20 Looks like our URL just got changed back >_<
15:44:40 Let's plan for meetpad since it can just run in the browser
15:45:17 works for me
15:46:38 I'll get the urls fixed up in the PTG system
15:47:12 Any other questions/comments?
15:48:07 can I find meeting link at https://ptg.opendev.org/ptg.html?
15:49:58 h_asahina yes, I just updated the meeting url
15:49:58 I mean the meeting link will appear there
15:50:13 h_asahina the link is already there if you click on the "keystone" time slot in the schedule
15:50:16 but also you can bookmark this:
15:50:18 #link https://meetpad.opendev.org/oct2021-ptg-keystone
15:50:41 redrobot thank you
15:51:50 which is why I 🖤 meetpad/jitsi
15:52:18 We've only got a few minutes left
15:52:36 #topic Bug Review
15:52:57 :(
15:53:02 From the agenda, asking about bugfix:
15:53:06 #link https://bugs.launchpad.net/keystoneauth/+bug/1930194
15:53:34 h_asahina ^^^
15:54:17 yes. we submitted that report a few months ago.
15:54:40 I don't know if anyone has looked at it.
15:54:47 Which is why we have a bug triage topic for the PTG
15:55:47 lbragstad got time to stick around for rdopiera's topic?
15:56:22 i have a hard stop at 11
15:56:28 ack
15:56:36 sorry :(
15:57:03 lbragstad no worries
15:57:45 redrobot: sorry for the delay. got it.
15:58:09 #topic Help with System Scope APIS
15:58:19 We are working on implementing the new system scope token support in Horizon. As the first pass we are calling the APIs directly, but ultimately we would like to use keystoneclient and keystoneauth properly. Unfortunately, they are missing the required APIs.
15:58:27 I made two bugs about that, and I submitted a patch for keystoneclient that is probably wrong, but it's a start. I would like to ask for reviews and for help writing the patch for keystoneauth, as
15:58:31 this seems more complicated. Also, the keystoneclient patch seems to be failing CI on a completely unrelated doc bug, as well as all other patches in the queue.
15:59:00 lbragstad sounds like maybe something our dfg can do?
15:59:06 yeah
15:59:30 rdopiera let me talk to the powers that be and see if we can get our team at RH to help with this
15:59:51 redrobot: awesome, thank you
15:59:53 wouldn't it be lovely if we had some way to query the policy in use of a given endpoint?
15:59:55 #action redrobot to ask for help on System-Scope implementation in keystoneauth
16:00:14 admiyo 100% would +1 that spec.
16:00:43 At one point, I toyed with using a less-common verb from HTTP
16:01:12 aaand that's time.
16:01:13 OPTIONS
16:01:23 :-O
16:02:04 Thanks for joining, everyone!
16:02:08 #endmeeting