15:00:35 <d34dh0r53> #startmeeting keystone
15:00:35 <opendevmeet> Meeting started Tue Jan 10 15:00:35 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:35 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:35 <opendevmeet> The meeting name has been set to 'keystone'
15:00:42 <d34dh0r53> #topic roll call
15:00:46 <knikolla[m]> o/
15:00:52 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev
15:01:26 <xek> o/
15:01:42 <d34dh0r53> o/
15:01:59 <d34dh0r53> good time off knikolla[m] ?
15:02:15 <knikolla[m]> yes! thank you :)
15:03:32 <d34dh0r53> awesome
15:03:43 <d34dh0r53> #topic review past meeting work items
15:04:11 <d34dh0r53> I thought I was going crazy because the log was missing, turns out it's in the 2023 folder :)
15:04:26 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-01-03-15.03.html
15:07:35 <d34dh0r53> I'm going to skip the reviewathon items as it was only me and hiromu
15:08:10 <d34dh0r53> d34dh0r53 update the CrossProjectLiaisons wiki https://wiki.openstack.org/wiki/CrossProjectLiaisons
15:08:20 <d34dh0r53> didn't get to this yet
15:08:23 <d34dh0r53> #action d34dh0r53 update the CrossProjectLiaisons wiki https://wiki.openstack.org/wiki/CrossProjectLiaisons
15:08:36 <d34dh0r53> d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:08:53 <d34dh0r53> nor this, will try to take care of the housekeeping stuff this week
15:08:57 <d34dh0r53> #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:09:23 <d34dh0r53> next up we have
15:09:25 <d34dh0r53> #topic liaison updates
15:09:39 <d34dh0r53> no updates from VMT
15:10:03 <d34dh0r53> As far as release management goes I think we're good on keystoneauth, xek do you need any more reviews there?
15:11:41 <d34dh0r53> ok, moving on to spec review
15:12:00 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:12:26 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:28 <d34dh0r53> External OAuth 2.0 Specification
15:12:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:32 <d34dh0r53> OAuth 2.0 Implementation
15:12:34 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:36 <d34dh0r53> OAuth 2.0 Documentation
15:12:38 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:40 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:13:59 <d34dh0r53> After speaking with hiromu they would like to get the External OAuth 2.0 specification and code merged before Antelope-3 so I'd like to prioritize those reviews if possible
15:14:54 <hiromu> yes. thanks d34dh0r53. Aslo, I told it to d34dh0r53 the last week, we need to merge mTLS OAuth2.0 path for keystoneauth to implement External OAuth2.0 specification.
15:15:05 <hiromu> /Aslo/Also/
15:15:57 <hiromu> https://review.opendev.org/c/openstack/keystonemiddleware/+/868734
15:16:09 <hiromu> the above patch depends on https://review.opendev.org/c/openstack/keystoneauth/+/860614
15:16:32 <knikolla[m]> hiromu: we can try, but while I'm sure we'll be able to merge all the mTLS patches, I'm not confident we can get External Auth in time.
15:17:35 <hiromu> I think the patches for the external oauth2.0 are lighter than the mTLS ones.
15:18:39 <hiromu> only changed keystonemiddleware and keystoneauth. both are the client side.
15:19:04 <hiromu> and 1 spec: https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:19:45 <knikolla[m]> I agree with you that the patches may be lighter. But it's significantly changing the way things can work by removing Keystone from the picture.
15:20:05 <knikolla[m]> We need to define a standard for how project information is read from the token endpoint
15:20:43 <hiromu> i see
15:20:55 <knikolla[m]> Code is easy, APIs are hard because we need to maintain compatibility once it's merged
15:21:45 <d34dh0r53> That's a good point knikolla[m]
15:22:11 <hiromu> the only thing I can say is we made the code as generic as possible.
15:23:29 <hiromu> so that users can configure how attributes obtained from the introspection responses are mapped to openstack environment variables
15:24:50 <knikolla[m]> I will comment in the spec with my feedback
15:25:01 <hiromu> okay
15:25:02 <knikolla[m]> There's a lot of things that are not obvious
15:25:31 <knikolla[m]> And removing Keystone entirely from the picture doesn't give you a lot that the current mechanisms that you have implemented do.
15:25:59 <knikolla[m]> For example: you can authenticate using oauth 2.0, and you can send a request using bearer token as per oauth 2.0 to any service, and that will work
15:26:26 <knikolla[m]> That is all without implementing external oauth 2.0. do you agree?
15:27:05 <hiromu> yes
15:27:35 <hiromu> you're right. we are targeting the users who already have another authn server
15:27:54 <hiromu> and use it for standalone openstack services.
15:28:43 <knikolla[m]> Exactly, it introduces an improvement in experience for operators who have clouds that have 1-2 services and don't want to run keystone.
15:28:58 <knikolla[m]> But it doesn't introduce any new thing for them that is impossible right now.
15:30:24 <hiromu> that's true
15:30:27 <knikolla[m]> I agree that adding support for external authorization servers to keystonemiddleware is important and makes a lot of sense for a next step. But I want to do it in a way that benefits all the openstack ecosystem as opposed to a small use case.
15:30:59 <knikolla[m]> So that's why I don't want to rush this through.
15:31:08 <knikolla[m]> Cause once we implement it like this, it will be really hard to change.
15:32:10 <hiromu> our proposal strongly depends on the client credentials grant. is that the point?
15:32:41 <hiromu> I said this because introspection itself is rfc-based
15:33:09 <knikolla[m]> Not entirely. It's about the user experience.
15:34:29 <hiromu> got it. basically, I agree that it affects the future implementation, but what kind of trigger or use cases do we need to progress?
15:36:06 <knikolla[m]> That's a really good question. I need to think about this a bit more. But at the top of my mind it's the lack of support in tools like the openstack CLI/SDK, and other services.
15:36:59 <knikolla[m]> And in particular, figuring out authorization
15:37:00 <knikolla[m]> Keystone stores the list of projects, but without keystone, what projects exist?
15:37:19 <hiromu> hmm, at least we will experiment them with barbican.
15:37:41 <hiromu> we will try to deploy tacker and barbican without keystone.
15:38:25 <knikolla[m]> Please do.
15:38:34 <knikolla[m]> An ideal target would also be Ironic.
15:38:45 <knikolla[m]> Please reach out to that team and see if there's anything that may be beneficial to their use case.
15:39:55 <hiromu> okay. i got your point. we need a kind of consensus among several openstack projects.
15:40:50 <d34dh0r53> ok, great discussion, glad we had it.  We can continue during the reviewathon if needed
15:40:56 <d34dh0r53> thanks knikolla[m] and hiromu
15:41:10 <hiromu> thank you for the discussion.
15:41:30 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:41:42 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:41:43 <d34dh0r53> Service Role Implementation
15:41:45 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:41:47 <d34dh0r53> Manager Role Implementation
15:41:49 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:42:23 <d34dh0r53> Hoping to get some time to test the two -1's on the manager role implementation on Friday, I'd like to get those cleared up
15:44:20 <d34dh0r53> ok, moving on to open discussion
15:44:26 <d34dh0r53> #topic open discussion
15:44:44 <d34dh0r53> OIS2023 submission  (hiromu):
15:44:45 <d34dh0r53> - Manuscript: https://etherpad.opendev.org/p/ois2023-tacker-keystone
15:45:23 <hiromu> ah, i already got lgtm from knikolla. it's done.
15:45:32 <hiromu> thank you knikolla :)
15:45:35 <d34dh0r53> Excellent!
15:45:41 <knikolla[m]> hiromu: thanks for sending that.
15:46:02 <d34dh0r53> anything else before we move on to bug review?
15:46:39 <d34dh0r53> #topic bug review
15:46:47 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:47:22 <d34dh0r53> nothing new for keystone, going to clean up some more bugs here so don't be surprised by the emails :)
15:47:35 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:47:55 <d34dh0r53> nothing new for python-keystoneclient either
15:48:13 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:49:50 <d34dh0r53> nothing new there, we do have this one https://bugs.launchpad.net/keystoneauth/+bug/2000742 that came in at the end of the year
15:51:17 <d34dh0r53> moving on
15:51:20 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:51:31 <d34dh0r53> one new one https://bugs.launchpad.net/keystonemiddleware/+bug/2002203
15:51:51 <d34dh0r53> keystonemiddleware is missing the Yoga series release notes
15:54:15 <d34dh0r53> not sure that there were any which is probably why they're missing
15:54:21 <d34dh0r53> next up
15:54:30 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:54:36 <d34dh0r53> nothing new in pycadf
15:54:42 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:54:47 <d34dh0r53> ldappool also has nothing new
15:54:53 <d34dh0r53> #topic conclusion
15:55:01 <d34dh0r53> thanks for joining today folks!
15:55:26 <d34dh0r53> reminder that we have the reviewathon on Friday, please let me know if you'd like to be added to the invite
15:55:39 <d34dh0r53> anything else before I close?
15:56:36 <d34dh0r53> thanks all!
15:56:45 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:56:56 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
15:57:07 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
15:57:13 <d34dh0r53> #undo
15:57:13 <opendevmeet> Removing item from minutes: #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
15:57:22 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/860928
15:57:32 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/863420
15:57:41 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystoneauth/+/867603
15:57:43 <d34dh0r53> #endmeeting