15:00:53 #startmeeting keystone
15:00:53 Meeting started Tue Aug 30 15:00:53 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:53 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 The meeting name has been set to 'keystone'
15:01:00 #topic Roll Call
15:01:11 Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek
15:02:08 o/
15:02:30 o/
15:02:36 o/
15:02:50 Hi y'all!
15:02:52 Let's get started
15:03:07 #topic Review Past Meeting Action Items
15:04:01 #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-23-15.01.html
15:04:03 we didn't have any
15:04:14 #topic Liaison Updates
15:04:20 This week is Zed-3 milestone
15:04:23 and Feature Freeze
15:04:40 we should try to merge anything we need this week to try to avoid Feature Freeze Exceptions
15:06:00 Any questions/comments about Zed-3 or FF?
15:09:05 OK, moving on
15:09:22 #topic OAuth 2.0
15:09:29 We merged a couple of patches last week
15:09:51 We also asked the release team for a new middleware release to include the patch we merged
15:10:11 the keystoneauth patch needs to merge by sept 1
15:10:22 I confirmed it. thank you for reviewing those patches.
15:10:37 knikolla: ack, I'll try to get a review in today
15:11:06 thanks, i think things are looking in good shape, so we shouldn't have problems
15:11:15 #link https://review.opendev.org/c/openstack/releases/+/854843
15:11:22 looks like the release request was approved and merged
15:12:04 regarding keystoneauth, we've updated based on knikolla's comments.
15:12:49 https://review.opendev.org/c/openstack/keystoneauth/+/830734
15:16:58 great
15:17:11 we'll hopefully get that merged today or tomorrow
15:17:19 Anything else on this topic h_asahina ?
15:19:20 should we wait to merge the spec until the next release?
15:19:54 h_asahina: we don't need to stop working on it, but we will likely need to change it to target the next release
15:20:13 yeah, just need to target it for A / 2023.1
15:20:46 okay.
15:21:07 thanks for all your work :)
15:21:24 thanks too. I really appreciate it.
15:21:29 regarding spec
15:21:43 let me confirm the usage of mapping API
15:22:43 in the last meeting, you mentioned we can define multiple rules for multiple CAs
15:22:52 i've started work on a demo, but I've not finished yet. my apologies.
15:23:19 it's okay.
15:24:09 I'm just looking for an example of that to get an idea of it.
15:24:20 and I think this: https://docs.openstack.org/keystone/pike/advanced-topics/federation/mapping_combinations.html#multiple-rules can be an example
15:24:31 does this match your thought
15:24:33 ?
15:24:46 I think we do have to add codes to this purpose
15:25:03 s/to this/for this/
15:25:13 each CA can be its own identity provider.
15:25:57 Keystone looks in a specific field for the issuer and looks for an identity provider with that id
15:27:15 i'll make a note to have two CAs in the demo
15:28:04 thanks.
15:28:37 cool, let's move on.
15:28:43 #topic Secure RBAC
15:28:56 I didn't see any patches come in from gmann
15:29:27 I'll keep an eye out or maybe try to get the patches up myself
15:29:28 working on that but some difficulties in my dev env.
15:29:36 oh hey!
15:29:38 I will ping once I will have it up and ready
15:29:45 sounds good gmann thanks
15:31:37 OK, moving on ...
15:32:01 #topic Open Discussion
15:32:11 Anything y'all want to talk about before we look at the bug reports?
15:32:18 dmendiza[m]: knikolla can you check this review, it has been open for long https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/838070
15:32:52 gmann: +2-ed, thanks.
15:33:02 thanks
15:33:12 Hi, I have a bug report that I would like to check with you
15:33:51 gmann: merged
15:33:59 drencrom: hi! sure, which one?
15:34:03 thanks
15:34:14 this one: https://bugs.launchpad.net/keystonemiddleware/+bug/1987355
15:34:46 I'm not sure if the bug is in keystone or elsewhere but things do not work as I expect
15:36:45 hmm... interesting scenario
15:36:50 lots of stuff happening
15:38:24 Yes, it is a race condition that sometimes leaves volumes in reserved or attaching state
15:39:23 In this case the client is talking to nova to attach or detach volumes
15:45:13 I'll try to take a look and see what I can find
15:45:28 unless knikolla has an idea
15:46:04 i'll take a look when i have some time this week
15:46:10 cool
15:46:16 thanks drencrom
15:46:27 Ok, thanks. I have some Go code that just attaches and detaches a volume that can be used to reproduce this
15:47:04 that might be useful if you can share it
15:48:07 The code just copies parts of this: Kubernetes CSI Attacher v3.4.0: https://github.com/kubernetes-csi/external-attacher/tree/v3.4.0 that is the one causing the problems in production
15:48:59 I'll upload it and share the link
15:49:10 that would be helpful, thanks :)
15:52:57 Here it is: https://people.canonical.com/~jorge.merlino/test.go
15:54:08 The openstack auth is inside the code. It requires the id of a volume and two instances in the command line and moves the volume endlessly between the two
15:55:17 I changed the token duration to 10 minutes to test in order to get it to fail faster
15:56:44 Awesome, thanks for sharing drencrom
15:57:22 We don't have enough time to go through all the bug lists
15:57:33 but do take a look at this one if y'all get a chance
15:57:34 https://bugs.launchpad.net/keystone/+bug/1988168
15:57:52 there's a patch with it also
15:58:02 https://review.opendev.org/c/openstack/keystone/+/855198
15:59:13 And that's all we have time for today.
15:59:17 Thanks for joining, y'all!
15:59:21 #endmeeting