15:26:29 <dmendiza[m]> #startmeeting Keystone
15:26:29 <opendevmeet> Meeting started Tue May  3 15:26:29 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:26:29 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:26:29 <opendevmeet> The meeting name has been set to 'keystone'
15:26:39 <dmendiza[m]> #topic Roll Call
15:26:57 <dmendiza[m]> Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe
15:27:21 <dmendiza[m]> As usual the agenda is over here:
15:27:22 <dmendiza[m]> #link https://etherpad.opendev.org/p/keystone-weekly-meeting
15:28:10 <knikolla> o/
15:29:53 <d34dh0r53> o/
15:30:33 <dmendiza[m]> OK, let's get started
15:30:42 <dmendiza[m]> #topic Review Past Meeting Action Items
15:30:45 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-04-26-15.02.html
15:30:48 <dmendiza[m]> Looks like we didn't have any
15:31:04 <dmendiza[m]> #topic Liaison Updates
15:31:12 <dmendiza[m]> I don't have any updates this week.
15:33:22 <dmendiza[m]> #topic OAuth 2.0
15:33:36 <dmendiza[m]> We had a review session last week
15:34:43 <dmendiza[m]> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:34:57 <dmendiza[m]> I don't think we have any updates for today
15:39:21 <dmendiza[m]> moving on ...
15:39:29 <dmendiza[m]> #topic Secure RBAC
15:39:54 <dmendiza[m]> In case you missed the Google Meet session, we did discuss the "service" role a bit
15:40:05 <dmendiza[m]> We'll continue discussions next week.
15:40:22 <dmendiza[m]> #topic Guidance for storing user tokens
15:40:40 <dmendiza[m]> dansmith asked this in the channel a while back (sorry we didn't get to it last week)
15:41:18 <dmendiza[m]> He's basically looking for guidance in handling user tokens.
15:41:30 <dmendiza[m]> IIRC, they're wanting to log them or store them in the DB
15:41:41 <dmendiza[m]> presumable to be reused again, during long-running tasks.
15:41:47 <dmendiza[m]> *presumably
15:43:07 <knikolla> Hmmm, interesting
15:43:39 <knikolla> My initial gut reaction is no
15:45:38 <knikolla> But I can see the need for it
15:47:35 <d34dh0r53> Can we set an expiry on issued tokens?
15:49:04 <knikolla> That’s the way it already is. Configurable but defaults to 45 mins I think
15:49:18 <dmendiza[m]> d34dh0r53: yeah, tokens expire, but some services can still use them for context when doing long running tasks
15:49:27 <d34dh0r53> but not overrideable during the issue?
15:50:19 <knikolla> No, you can’t ask for a longer living token than the config
15:51:11 <knikolla> No, you can’t ask for a longer living token than the config
15:51:28 <d34dh0r53> hmm, ack
15:52:47 <dmendiza[m]> We may need to think about it for a bit
15:53:14 <dmendiza[m]> but it would be good to have an opinion on best practices for what to do with the tokens
15:53:50 <knikolla> Agree, I can spend some time thinking about this
15:54:47 <dansmith> dmendiza[m]: to be clear, I want to neither store nor log them
15:54:59 <dansmith> I just want there to be some guidance about that being a bad idea that I can point to whilst arguing :P
15:55:12 <d34dh0r53> :)
15:56:38 <knikolla> That’s easier :)
15:57:17 <dmendiza[m]> ack, I missed that last time, haha
15:57:18 <knikolla> Store tokens, bad. You can link to this irc log, haha.
15:59:32 <dansmith> knikolla: ack, I'll take it as better than nothing, but.. seems like it might be good to capture some of those sorts of recommendations somewhere.. I know, easy for me to say
16:00:09 <knikolla> I’m sure there’s something in the docs and if not I’ll put it there
16:00:46 <dmendiza[m]> OK, we're just about out of time.
16:00:51 <dmendiza[m]> No bug review this week.
16:01:04 <dmendiza[m]> We'll get back to normal once the Secure RBAC sessions start winding down.
16:01:15 <dmendiza[m]> Thanks for joining, everyone!
16:01:18 <dmendiza[m]> #endmeeting