15:00:56 <d34dh0r53> #startmeeting keystone 15:00:56 <opendevmeet> Meeting started Tue Nov 1 15:00:56 2022 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:56 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:56 <opendevmeet> The meeting name has been set to 'keystone' 15:01:05 <d34dh0r53> #topic Roll Call 15:01:08 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek 15:01:54 <knikolla[m]> o/ 15:02:06 <hiromu> o/ 15:03:07 <d34dh0r53> Hi folks! 15:03:23 <d34dh0r53> #topic Review past meeting work items 15:03:44 <d34dh0r53> We had a few, first up is 15:03:54 <d34dh0r53> dmendiza[m] will look at https://bugs.launchpad.net/keystone/+bug/1990987 15:04:03 <d34dh0r53> dmendiza[m]: any update? 15:04:08 <dmendiza[m]> 👀 15:04:11 <dmendiza[m]> Still looking 15:04:49 <d34dh0r53> ack 15:04:53 <d34dh0r53> next up is 15:04:59 <d34dh0r53> d34dh0r53 look into user-defined attribute access control 15:05:06 <d34dh0r53> no updates 15:05:26 <d34dh0r53> we have some reviewathon items that we were going to look at 15:05:43 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystoneauth/+/838104 15:05:45 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystone/+/838108 15:05:47 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystone/+/822601 15:05:49 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystone-specs/+/818616 15:06:15 <d34dh0r53> We didn't get to the first one 15:06:27 <d34dh0r53> nor the second 15:07:06 <d34dh0r53> the third has -1's and commentary so that is in progress 15:07:25 <d34dh0r53> the fourth is the default service role 15:07:54 <d34dh0r53> next up is dmendiza[m] and d34dh0r53 make some time to start the gap analysis between CLI and OSC. 15:08:02 <d34dh0r53> we didn't get to that 15:08:22 <d34dh0r53> and finally we have d34dh0r53 try to reproduce https://bugs.launchpad.net/python-keystoneclient/+bug/1993614 15:08:28 <d34dh0r53> which I wasn't able to get to 15:08:33 <knikolla[m]> the gap analysis is about sdk and the client 15:08:44 <knikolla[m]> we don't have any other cli besides osc already :) 15:09:36 <d34dh0r53> knikolla[m]: right 15:11:12 <d34dh0r53> #action dmendiza[m] and d34dh0r53 make some time to start the gap analysis between SDK and the Client 15:11:28 <d34dh0r53> #action dmendiza[m] will look at https://bugs.launchpad.net/keystone/+bug/1990987 15:11:41 <d34dh0r53> #action reviewathon review https://review.opendev.org/c/openstack/keystoneauth/+/838104 15:11:50 <d34dh0r53> #action reviewathon review https://review.opendev.org/c/openstack/keystone/+/838108 15:12:14 <d34dh0r53> #action d34dh0r53 look into user-defined attribute access control 15:12:35 <d34dh0r53> ok, next up we have 15:12:37 <d34dh0r53> #topic Liaison Updates 15:12:46 <d34dh0r53> Nothing from VMT 15:12:58 <d34dh0r53> dmendiza[m], knikolla[m] anything from Release Management? 15:13:47 <dmendiza[m]> I can't think of anything 15:13:58 <d34dh0r53> ok, thanks 15:14:08 <d34dh0r53> #help still looking for additional cross-project liaisons 15:14:38 <d34dh0r53> any other liaison updates? 15:15:19 <d34dh0r53> #topic specification OAuth 2.0 (hiromu) 15:15:48 <hiromu> thanks for the remind. 15:15:56 <hiromu> first, i've updated the spec 15:16:01 <hiromu> https://review.opendev.org/c/openstack/keystone-specs/+/861554/2..3 15:16:37 <hiromu> I think it's now ready for the first review. 15:17:00 <hiromu> and I have a question 15:17:25 <d34dh0r53> ok 15:17:27 <hiromu> that i wrote on the etherpad. 15:18:23 <d34dh0r53> the etherpad is here: https://etherpad.opendev.org/p/keystone-weekly-meeting 15:18:35 <d34dh0r53> The question is, which is better? 15:18:45 <hiromu> yes 15:19:09 <d34dh0r53> supporting authentication with external OAuth 2.0 authorization servers (ext authz servers) by keystoneauth 15:19:20 <d34dh0r53> i.e., users can use openstack command as usual when using ext authn servers. 15:19:31 <d34dh0r53> or do not support ext authn servers by keystoneauth 15:19:38 <d34dh0r53> i.e., users set an access token as an environment variable, e.g., OS_TOKEN, to call API of OpenStack services. This is not unnatural, assuming the programmatic access which must be a major usecase of the client credentials grant. 15:19:54 <hiromu> thank you d34dh0r53 :) 15:20:01 <d34dh0r53> :) 15:21:00 <d34dh0r53> I think the second approach is simpler and consistent with the way many things already work 15:22:04 <hiromu> I agree with you 15:22:22 <d34dh0r53> knikolla[m], dmendiza[m] any thoughts? 15:23:10 <knikolla[m]> I also don't think we should worry about authenticating with external servers with keystoneauth 15:24:09 <d34dh0r53> ok, so we're in agreement 15:24:25 <hiromu> ok, i'll go with the second one. 15:24:34 <d34dh0r53> awesome! 15:24:34 <dmendiza[m]> 👍️ 15:24:42 <hiromu> thanks a lot 15:24:51 <d34dh0r53> thank you hiromu! 15:25:07 <d34dh0r53> #topic Secure RBAC (dmendiza[m]) 15:25:58 <dmendiza[m]> Not a whole lot of progress this week. I did bring up the next two tasks with my team downstream: 15:26:50 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone/+/822601 15:27:27 <dmendiza[m]> Getting the "manager" role patch updated/landed. 15:27:42 <dmendiza[m]> and 2) 15:28:19 <dmendiza[m]> The "service" role spec: 15:28:20 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-specs/+/818616 15:28:29 <dmendiza[m]> followed by implementation 15:29:29 <dmendiza[m]> I'll try to help out as much as possible for the next +/-2 weeks before I take leave for a few months. 15:31:27 <d34dh0r53> ack, thanks dmendiza[m] 15:31:59 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone-specs/+/818616 15:32:12 <d34dh0r53> we really need to get that spec reviewed and merged 15:32:45 <dmendiza[m]> Agreed. I'm going to read/comment in the next few days and maybe we can check progress on Friday 15:32:48 <dmendiza[m]> for the reviewathon 15:32:56 <d34dh0r53> ack 15:33:11 * d34dh0r53 needs to remember to look at the meeting log for the reviewathon action items 15:33:43 <d34dh0r53> #topic Open Discussion 15:34:02 <d34dh0r53> we don't have anything on the agenda, does anyone have anything before we do bug review? 15:34:52 <d34dh0r53> ok, moving on then 15:34:58 <d34dh0r53> #topic bug review 15:35:09 <d34dh0r53> First off we have keystone 15:35:16 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:35:25 <d34dh0r53> no new bugs here 15:35:34 <d34dh0r53> next up, python-keystoneclient 15:35:43 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:36:01 <d34dh0r53> no new bugs, I'll attempt to reproduce the create service bug this week 15:36:11 <d34dh0r53> keystoneauth is next 15:36:18 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:36:29 <d34dh0r53> no new bugs 15:36:46 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:37:08 <d34dh0r53> nothing new in keystonemiddleware 15:37:17 <d34dh0r53> pycadf 15:37:26 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:37:32 <d34dh0r53> nothing new 15:37:39 <d34dh0r53> finally we have ldappool 15:37:47 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:38:00 <d34dh0r53> no new bugs there either 15:38:30 <d34dh0r53> thanks for joining today everyone! Is there anything else before we close? 15:39:12 <d34dh0r53> have a great rest of your week then :) 15:39:16 <d34dh0r53> #endmeeting