15:01:03 <dmendiza[m]> #startmeeting keystone
15:01:03 <opendevmeet> Meeting started Tue Aug 16 15:01:03 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:03 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:03 <opendevmeet> The meeting name has been set to 'keystone'
15:01:11 <dmendiza[m]> #topic Roll Call
15:01:16 <dmendiza[m]> Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek
15:01:46 <d34dh0r53> o/ lurking
15:02:12 <xek> o/
15:02:28 <h-asahina> o/
15:02:54 <xek> -
15:04:22 <dmendiza[m]> Hi y'all!
15:04:25 <dmendiza[m]> Let's get started
15:04:38 <dmendiza[m]> #topic Review Previous Meeting Action Items
15:04:54 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-09-15.02.html
15:04:58 <dmendiza[m]> We didn't have any
15:05:08 <dmendiza[m]> #topic Liaison Updates
15:05:25 <dmendiza[m]> Just a quick update from the release/maintenance side
15:05:35 <dmendiza[m]> We've marked the Pike branch as EOL
15:05:37 <dmendiza[m]> #link https://review.opendev.org/c/openstack/releases/+/851559
15:05:44 <dmendiza[m]> #info Pike is now EOL
15:10:22 <dmendiza[m]> OK, moving on
15:10:31 <dmendiza[m]> #topic OAuth 2.0
15:10:39 <dmendiza[m]> h_asahina 👋
15:10:45 <h-asahina> hi
15:10:47 <dmendiza[m]> Any updates this week?
15:11:15 <h-asahina> first of all, we submitted a patch for keystonemiddleware Zuul error https://review.opendev.org/c/openstack/keystonemiddleware/+/852590
15:12:50 <h-asahina> please kindly review it. by this patch we can merge https://review.opendev.org/c/openstack/keystonemiddleware/+/830737. of course we have to reply knikolla's comment before doing that.
15:13:32 <h-asahina> I also updated the spec https://review.opendev.org/c/openstack/keystone-specs/+/843765, according to the previous meeting.
15:13:36 <dmendiza[m]> h-asahina: ac, merged the first patch
15:13:41 <dmendiza[m]> *ack
15:13:51 <h-asahina> thanks
15:14:18 <dmendiza[m]> h-asahina: yeah, last Friday was a day off for Red Hat, so we didn't get a chance to review your updates
15:14:24 <dmendiza[m]> we'll review this Friday for the reviewathon
15:14:40 <h-asahina> got it thanks.
15:14:52 <h-asahina> can i confirm the schedule?
15:15:44 <h-asahina> I suppose this spec and 3 patches that we submitted during Yoga cycle can be merged within Zed cycle. do you feel it possible?
15:16:23 <dmendiza[m]> #link https://releases.openstack.org/zed/schedule.html
15:16:29 <dmendiza[m]> We have a couple of weeks before Zed-3
15:16:49 <dmendiza[m]> we should try to get everything reviewed this week so we can have some time to update patches if needed.
15:19:15 <h-asahina> okay. that's right. from our side, it would be helpful at least if these three patches will be merged in Zed: https://review.opendev.org/c/openstack/keystoneauth/+/830734; https://review.opendev.org/c/openstack/keystonemiddleware/+/830737; https://review.opendev.org/c/openstack/keystone/+/830739
15:21:27 <h-asahina> like you said, we have time. if you leave the comment this week, we'll update the patches next week.
15:21:42 <dmendiza[m]> great, thanks h-asahina
15:23:13 <h-asahina> thanks. that's all from my side :)
15:24:33 <dmendiza[m]> OK, moving on ...
15:24:51 <dmendiza[m]> #topic Secure RBAC
15:27:37 <dmendiza[m]> Looks like the pop-ups are not really happening anymore.
15:27:53 <dmendiza[m]> The patch to delay system scope did merge so I'll have to review that
15:27:58 <dmendiza[m]> #link https://review.opendev.org/c/openstack/governance/+/847418/14/goals/selected/consistent-and-secure-rbac.rst
15:31:59 <dmendiza[m]> #topic Open Discussion
15:32:13 <dmendiza[m]> Anything else y'all want to talk about before we look at bug reports?
15:36:09 <h-asahina> if you have time, i'd like to talk about my comment on the spec briefly
15:36:14 <h-asahina> :dmendiza
15:36:53 <h-asahina> if it's better to wait for the next review comment, i'll wait.
15:37:38 <dmendiza[m]> h-asahina: I think maybe it would be better to talk about it after folks have had a chance to read it
15:37:48 * dmendiza[m] has not read the update yet 😅
15:38:39 <h-asahina> ah, sorry, i meant my reply comment which is the questions about the last meeting.
15:38:52 <dmendiza[m]> Sure go ahead
15:39:36 <h-asahina> thanks, I have two questions: (i) delegation of Users' permission; (ii) usage of mapping API in our case.
15:41:02 <h-asahina> (i) according to your suggestion, we are implementing mTLS OAuth2.0 so that User API is used for OAuth2.0 client management
15:42:00 <h-asahina> basically we think it'll work, but we have concerns that delegation of user permission is not possible.
15:42:34 <h-asahina> for example, it's not possible for a non-admin user who is only allowed to access Tacker API to delegate its role to a client
15:43:06 <h-asahina> but it's possible if we use credentials API and allow this user to access the credentials API.
15:44:29 <h-asahina> do you have any idea to solve this problem or justify this issue?
15:46:22 <dmendiza[m]> Hmm... I am not sure.  I'd like to find out what knikolla thinks...  we should follow-up with him and try to get an answer.
15:46:31 <h-asahina> ok
15:46:56 <h-asahina> (ii) You said we can look at mapping API as a reference
15:47:52 <h-asahina> but we feel we can just use it to manage mapping rules between DN in a client cert and keystone Users' attributes (e.g., username, project_id).
15:48:35 <h-asahina> do you feel it's reasonable?
15:50:22 <h-asahina> let me explain further, we thought we have to implement the similar codes from scratch but now we think we don't have to.
15:55:21 <h-asahina> it's also knikolla's comment https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-09-15.02.log.html#l-65, maybe it's better to wait for him?
15:58:33 <dmendiza[m]> Yeah ... I think he may be referring to mapping cert attributes -> user attributes so we can get the correct roles in the token
15:59:32 <dmendiza[m]> I'll ask knikolla about it if he joins the review on Friday
15:59:48 <dmendiza[m]> That's about all the time we have for the meeting this week.
15:59:53 <dmendiza[m]> Thanks for joining, everyone!
15:59:57 <dmendiza[m]> #endmeeting