15:00:11 <dmendiza[m]> #startmeeting keystone 15:00:11 <opendevmeet> Meeting started Tue Jan 18 15:00:11 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:11 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:11 <opendevmeet> The meeting name has been set to 'keystone' 15:00:18 <dmendiza[m]> #topic Roll Call 15:00:21 <xek> o/ 15:00:26 <dmendiza[m]> Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, ruan_he, wxy, sonuk, vishakha,Ajay, rafaelweingartner, xek 15:00:35 <d34dh0r53> o/ 15:01:24 <gagehugo> o/ 15:01:31 <h_asahina> o/ 15:01:42 <dmendiza[m]> Great, let's get started 15:01:50 <dmendiza[m]> #topic Review Past Meeting Action Items 15:02:13 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-11-15.00.html 15:02:17 <dmendiza[m]> We didn't have any 15:02:20 <dmendiza[m]> Moving on 15:02:47 <dmendiza[m]> #topic Liaison Updates 15:02:52 <dmendiza[m]> knikolla: around? 15:03:30 <knikolla> o/ 15:03:42 <knikolla> no updates 15:04:10 <dmendiza[m]> Cool, thanks 15:04:23 <dmendiza[m]> #topic Secure RBAC 15:05:05 <dmendiza[m]> Not a whole lot of updates from me this week. We do have some TripleO Heat Template changes pending that need to get merged. I'll probably be harassing the owners this week. 15:05:22 <dmendiza[m]> Any questions/comments about SRBAC this week? 15:09:07 <dmendiza[m]> OK, moving on ... 15:09:13 <dmendiza[m]> #topic OAuth 2.0 15:09:21 <dmendiza[m]> h_asahina: around? 15:10:06 <h_asahina> yes 15:11:01 <h_asahina> Today, I'd like to talk about the necessity of OAuth2.0 Introspection API which I defined in the spec. 15:11:05 <h_asahina> Although I defined OAuth2.0 Introspection API in the current spec, maybe it can be omitted. 15:11:44 <h_asahina> The purpose of the introspection API is to get metadata and verify the token validity. 15:12:53 <h_asahina> As we decided to use X-Auth-Token as OAuth2.0 access token, this purpose can be accomplished through an existing identity API. 15:13:36 <h_asahina> So, I think we don't need OAuth2.0 Introspection API. Could you tell me your opinion? 15:14:23 <knikolla> I think we don't need it for now. But it would be a nice thing to have if we want to have more general support for keystone as an authorization server for oauth 2.0. 15:14:44 <h_asahina> I agree with that 15:15:32 <h_asahina> If we need to support additional token types, we should add it. 15:16:33 <knikolla> Probably more important with new grant types than with token types 15:17:41 <opendevreview> Merged openstack/keystone master: sql: Trivial formatting changes https://review.opendev.org/c/openstack/keystone/+/823660 15:18:56 <h_asahina> Could you tell me why? I think the situation where we need Introspection API is like when we want to use OAuth2.0 in keystone from the other services from the openstack. 15:20:29 <h_asahina> if we add a new grant type, we can use an existing API for the introspection as long as we use X-Auth-Token. Am I wrong? 15:20:39 <knikolla> Services within the OpenStack ecosystem already know how to authenticate to keystone and introspect endpoints (either through the keystoneauth, keystoneclient or keystonemiddleware). 15:20:54 <knikolla> For them an introspection endpoint already exists within the already defined API. 15:21:55 <knikolla> Thus it's services which don't "speak OpenStack" and use OAuth 2.0 entirely, that would require new OAuth 2.0 conforming endpoints and grant types. 15:22:28 <knikolla> The token type is less important, as it's usually treated as opaque. 15:25:24 <h_asahina> Is that the situation where we want to use keystone as just an OAuth2.0 authorization server? 15:26:53 <knikolla> Possibly, though it's less about that. It works both ways. If keystone supports open standards, then we can transition other openstack services to talk to keystone using those open standards. Which opens the door for allowing other authorization server to be used in place of keystone if so desired. 15:28:56 <h_asahina> You mean by supporting open standard like Introspection API makes the other components like keystonemiddleware to support the standard? 15:29:12 <knikolla> yes 15:29:36 <h_asahina> I got it. 15:29:53 <h_asahina> However, for now, we don't strongly need it. 15:30:03 <knikolla> Correct 15:30:18 <h_asahina> If we implement it, it is just a wrapper of an existing identity API. 15:31:10 <knikolla> Yes. 15:31:20 <h_asahina> It's redundant and confusing. So, do you agree with omitting it in Yoga release? 15:31:32 <knikolla> 100% 15:31:51 <h_asahina> Ok, thanks. I'll update spec. 15:32:08 <dmendiza[m]> Cool 15:32:12 <knikolla> Thanks! 15:32:19 <dmendiza[m]> Anything else on this topic h_asahina ? 15:32:32 <h_asahina> Nothing 15:32:40 <dmendiza[m]> OK, moving on 15:32:45 <dmendiza[m]> #topic Open Discussion 15:32:52 <dmendiza[m]> Any other topics y'all want to talk about? 15:33:03 <knikolla> The CFP for proposals for Berlin is open 15:33:14 <knikolla> Anybody planning to submit anything? Or planning to travel/ 15:33:40 <dmendiza[m]> Ah yes, the Summit. 15:33:54 <dmendiza[m]> I think it would be good to go talk about the Secure-RBAC work everyone has been doing 15:34:08 <dmendiza[m]> I've gotta talk to lbragstad about it. 15:35:57 <knikolla> cool 15:36:27 <knikolla> I have no clue what to propose to talk about yet. 15:38:31 <dmendiza[m]> h_asahina you should consider talking about the OAuth work you're doin g. 15:39:16 <d34dh0r53> I don't either 15:40:16 <h_asahina> Alright. it's first time for me to attend the Summit, but I'll consider it. 15:42:12 <h_asahina> What should I do if I propose something? 15:44:39 <gagehugo> hope it gets accepted then speak in front of a crowd :) 15:45:11 <dmendiza[m]> h_asahina: The CFP is over here: https://cfp.openinfra.dev/app/berlin-2022 15:45:20 <dmendiza[m]> If you do submit something let us know 15:45:39 <dmendiza[m]> In the past they've asked folks to vote for the talks that get selected 15:45:51 <dmendiza[m]> So I usually ask folks for votes here, haha 15:46:10 <h_asahina> thanks. I'll notify here if I submit something. 15:46:36 <dmendiza[m]> Cool, any other topics before we take a look at the bugs? 15:46:46 <knikolla> In the past, each project got it's own project update session too. I don't know if that's the case this year as well. 15:47:25 <d34dh0r53> I have two items, the first is with Lance's move this fell through the cracks https://bugs.launchpad.net/keystone/+bug/1901891 so I'll be working on a fix for #3 this week and may ping people for reviews. Second, let me know if you want to be added to the reviewathon invitees, planning on scheduling for this Friday the 21st so please let me know conflicts as well 15:48:46 <knikolla> d34dh0r53: sounds great! 15:48:52 <knikolla> also, my Friday is wide open this week. 15:49:11 <d34dh0r53> excellent knikolla 15:49:27 <dmendiza[m]> count me in for Friday as well 15:49:41 <d34dh0r53> thanks dmendiza[m] 15:52:12 <dmendiza[m]> We've only got a few minutes left 15:52:21 <dmendiza[m]> which is probably not enough for bug triage 15:52:37 <dmendiza[m]> So let's punt until next week (or Friday) 15:52:41 <dmendiza[m]> Thanks for joining, everyone! 15:52:56 <knikolla> Thanks! 15:52:58 <dmendiza[m]> #endmeeting