15:00:53 <dmendiza[m]> #startmeeting keystone
15:00:53 <opendevmeet> Meeting started Tue Aug 30 15:00:53 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:53 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 <opendevmeet> The meeting name has been set to 'keystone'
15:01:00 <dmendiza[m]> #topic Roll Call
15:01:11 <dmendiza[m]> Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek
15:02:08 <knikolla> o/
15:02:30 <h_asahina> o/
15:02:36 <d34dh0r53> o/
15:02:50 <dmendiza[m]> Hi y'all!
15:02:52 <dmendiza[m]> Let's get started
15:03:07 <dmendiza[m]> #topic Review Past Meeting Action Items
15:04:01 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-23-15.01.html
15:04:03 <dmendiza[m]> we didn't have any
15:04:14 <dmendiza[m]> #topic Liaison Updates
15:04:20 <dmendiza[m]> This week is Zed-3 milestone
15:04:23 <dmendiza[m]> and Feature Freeze
15:04:40 <dmendiza[m]> we should try to merge anything we need this week to try to avoid Feature Freeze Exceptions
15:06:00 <dmendiza[m]> Any questions/comments about Zed-3 or FF?
15:09:05 <dmendiza[m]> OK, moving on
15:09:22 <dmendiza[m]> #topic OAuth 2.0
15:09:29 <dmendiza[m]> We merged a couple of patches last week
15:09:51 <dmendiza[m]> We also asked the release team for a new middleware release to include the patch we merged
15:10:11 <knikolla> the keystoneauth patch needs to merge by sept 1
15:10:22 <h_asahina> I confirmed it. thank you for reviewing those patches.
15:10:37 <dmendiza[m]> knikolla: ack, I'll try to get a review in today
15:11:06 <knikolla> thanks, i think things are looking in good shape, so we shouldn't have problems
15:11:15 <dmendiza[m]> #link https://review.opendev.org/c/openstack/releases/+/854843
15:11:22 <dmendiza[m]> looks like the release request was approved and merged
15:12:04 <h_asahina> regarding keystoneauth, we've updated based on knikolla's comments.
15:12:49 <h_asahina> https://review.opendev.org/c/openstack/keystoneauth/+/830734
15:16:58 <dmendiza[m]> great
15:17:11 <dmendiza[m]> we'll hopefully get that merged today or tomorrow
15:17:19 <dmendiza[m]> Anything else on this topic h_asahina ?
15:19:20 <h_asahina> should we wait to merge the spec until the next release?
15:19:54 <dmendiza[m]> h_asahina: we don't need to stop working on it, but we will likely need to change it to target the next release
15:20:13 <knikolla> yeah, just need to target it for A / 2023.1
15:20:46 <h_asahina> okay.
15:21:07 <knikolla> thanks for all your work :)
15:21:24 <h_asahina> thanks too. I really appreciate it.
15:21:29 <h_asahina> regarding spec
15:21:43 <h_asahina> let me confirm the usage of mapping API
15:22:43 <h_asahina> in the last meeting, you mentioned we can define multiple rules for multiple CAs
15:22:52 <knikolla> i've started work on a demo, but I've not finished yet. my apologies.
15:23:19 <h_asahina> it's okay.
15:24:09 <h_asahina> I'm just looking for an example of that to get an idea of it.
15:24:20 <h_asahina> and I think this: https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html#multiple-rules can be an example
15:24:31 <h_asahina> does this match your thought
15:24:33 <h_asahina> ?
15:24:46 <h_asahina> I think we do have to add codes to this purpose
15:25:03 <h_asahina> s/to this/for this/
15:25:13 <knikolla> each CA can be its own identity provider.
15:25:57 <knikolla> Keystone looks in a specific field for the issuer and looks for an identity provider with that id
15:27:15 <knikolla> i'll make a note to have two CAs in the demo
15:28:04 <h_asahina> thanks.
15:28:37 <dmendiza[m]> cool, let's move on.
15:28:43 <dmendiza[m]> #topic Secure RBAC
15:28:56 <dmendiza[m]> I didn't see any patches come in from gmann
15:29:27 <dmendiza[m]> I'll keep an eye out or maybe try to get the patches up myself
15:29:28 <gmann> working on that but some difficulties in my dev env.
15:29:36 <dmendiza[m]> oh hey!
15:29:38 <gmann> I will ping once I have it up and ready
15:29:45 <dmendiza[m]> sounds good gmann thanks
15:31:37 <dmendiza[m]> OK, moving on ...
15:32:01 <dmendiza[m]> #topic Open Discussion
15:32:11 <dmendiza[m]> Anything y'all want to talk about before we look at the bug reports?
15:32:18 <gmann> dmendiza[m]: knikolla can you check this review, it has been open for long https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/838070
15:32:52 <knikolla> gmann: +2-ed, thanks.
15:33:02 <gmann> thanks
15:33:12 <drencrom> Hi, I have a bug report that I would like to check with you
15:33:51 <dmendiza[m]> gmann: merged
15:33:59 <dmendiza[m]> drencrom: hi!  sure, which one?
15:34:03 <gmann> thanks
15:34:14 <drencrom> this one: https://bugs.launchpad.net/keystonemiddleware/+bug/1987355
15:34:46 <drencrom> I'm not sure if the bug is in keystone or elsewhere but things do not work as I expect
15:36:45 <dmendiza[m]> hmm... interesting scenario
15:36:50 <dmendiza[m]> lots of stuff happening
15:38:24 <drencrom> Yes, it is a race condition that sometimes leaves volumes in reserved or attaching state
15:39:23 <drencrom> In this case the client is talking to nova to attach or detach volumes
15:45:13 <dmendiza[m]> I'll try to take a look and see what I can find
15:45:28 <dmendiza[m]> unless knikolla has an idea
15:46:04 <knikolla> i'll take a look when i have some time this week
15:46:10 <dmendiza[m]> cool
15:46:16 <dmendiza[m]> thanks drencrom
15:46:27 <drencrom> Ok, thanks. I have a go code that just attaches and detaches a volume that can be used to reproduce this
15:47:04 <dmendiza[m]> that might be useful if you can share it
15:48:07 <drencrom> The code just copies parts of this: Kubernetes CSI Attacher v3.4.0: https://github.com/kubernetes-csi/external-attacher/tree/v3.4.0 that is the one causing the problems in production
15:48:59 <drencrom> I'll upload it and share the link
15:49:10 <knikolla> that would be helpful, thanks :)
15:52:57 <drencrom> Here it is: https://people.canonical.com/~jorge.merlino/test.go
15:54:08 <drencrom> The openstack auth is inside the code. It requires the id of a volume and two instances in the command line and moves the volume endlessly between the two
15:55:17 <drencrom> I changed the token duration to 10 minutes to test in order to get it to fail faster
15:56:44 <dmendiza[m]> Awesome, thanks for sharing drencrom
15:57:22 <dmendiza[m]> We don't have enough time to go through all the bug lists
15:57:33 <dmendiza[m]> but do take a look at this one if y'all get a chance
15:57:34 <dmendiza[m]> https://bugs.launchpad.net/keystone/+bug/1988168
15:57:52 <dmendiza[m]> there's a patch with it also
15:58:02 <dmendiza[m]> https://review.opendev.org/c/openstack/keystone/+/855198
15:59:13 <dmendiza[m]> And that's all we have time for today.
15:59:17 <dmendiza[m]> Thanks for joining, y'all!
15:59:21 <dmendiza[m]> #endmeeting