#openstack-keystone log

15:01:08 <d34dh0r53> #startmeeting keystone
15:01:08 <opendevmeet> Meeting started Tue Feb 28 15:01:08 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:08 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:08 <opendevmeet> The meeting name has been set to 'keystone'
15:01:30 <d34dh0r53> #topic roll call
15:01:35 <zaitcev> o/
15:01:40 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, arequate, dmendiza[m]
15:01:42 <d34dh0r53> o/
15:01:48 <knikolla[m]> o/
15:02:10 <hiromu> o/
15:03:12 <dmendiza[m]> 🙋‍♂️
15:03:21 <d34dh0r53> Hi all, thanks for joining
15:03:40 * d34dh0r53 is wondering how Doug's dog liked the snow? :)
15:04:26 <d34dh0r53> #topic review past meeting work items
15:04:54 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-02-21-15.00.html
15:05:22 <d34dh0r53> same work item as last week which I haven't had a chance to look deeper into, so pushing
15:05:40 <d34dh0r53> #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:06:01 <d34dh0r53> #topic liaison updates
15:06:07 <d34dh0r53> nothing from VMT
15:08:17 <dmendiza[m]> > * <@_oftc_d34dh0r53:matrix.org> is wondering how Doug's dog liked the snow? :)
15:08:17 <dmendiza[m]> Doggo was not interested in a snowy walk
15:08:37 <d34dh0r53> lol
15:09:25 <d34dh0r53> #topic specifications OAuth 2.0 (hiromu)
15:09:46 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:09:48 <d34dh0r53> External OAuth 2.0 Specification
15:09:50 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:09:52 <d34dh0r53> OAuth 2.0 Implementation
15:09:54 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:09:56 <d34dh0r53> OAuth 2.0 Documentation
15:09:58 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:10:00 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:10:05 <d34dh0r53> dmendiza[m] and I tried to look at this yesterday but gerrit was down :/
15:10:25 <d34dh0r53> we have another meeting scheduled for this afternoon to revisit
15:11:00 <hiromu> got it. please let me know if you have any additional quiestions.
15:11:15 <d34dh0r53> will do, thanks hiromu
15:11:21 <hiromu> :)
15:11:39 <d34dh0r53> next up
15:11:43 <d34dh0r53> #topic Secure RBAC (dmendiza[m])
15:11:55 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:11:57 <d34dh0r53> Service Role Implementation
15:11:59 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:12:01 <d34dh0r53> Manager Role Implementation
15:12:03 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:12:21 <dmendiza[m]> I don't have any updates ... still haven't gotten up to speed as to the latest SRBAC goings-on
15:12:27 <d34dh0r53> ack
15:14:15 <d34dh0r53> sounds good, let us know if you need anything
15:14:27 <d34dh0r53> #topic open discussion
15:14:39 <d34dh0r53> (drencrom) Need some reviews for this backport:
15:14:41 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873924
15:15:16 <d34dh0r53> cores, please review
15:16:59 <d34dh0r53> anything else we need to discuss before bug review?
15:17:23 <dmendiza[m]> Not sure if we want to talk about Federation + Role assignments here?
15:18:05 <d34dh0r53> yeah, go ahead
15:18:38 <dmendiza[m]> I'm sure we can just test this, but we were wondering what happens when you use Keystone roles API to assign roles to a federated user?
15:18:57 <knikolla[m]> they act as normal users, it works fine
15:19:11 <knikolla[m]> behave*
15:19:32 <dmendiza[m]> I see ...  so we just merge assigned roles + whatever roles the mapping adds?
15:19:54 <knikolla[m]> the roles the mapping adds are not persisted
15:19:59 <knikolla[m]> unless they are specified in the project section
15:20:30 <knikolla[m]> or unless they are group memberships, and the operator has configured expiring group memberships
15:21:38 <knikolla[m]> otherwise, the mapping authorization is only valid for the duration of the token
15:23:14 <d34dh0r53> I was wondering that
15:23:37 <dmendiza[m]> Sweet.  So if we change mappings, the next token will have the updated mapped roles
15:24:36 <knikolla[m]> yes
15:25:20 <dmendiza[m]> Cool.  I think that answers my questions.  Thanks, knikolla
15:25:43 <d34dh0r53> Thanks knikolla[m]
15:25:46 <knikolla[m]> cool. i have a talk accepted for Vancouver where I go into much more detail into the above options
15:26:10 <d34dh0r53> excellent
15:26:17 <dmendiza[m]> Nice!  Looking forward to that ... (although probably watching after the fact on video)
15:28:55 <d34dh0r53> indeed
15:28:59 <d34dh0r53> moving on to
15:29:04 <d34dh0r53> #topic bug review
15:29:27 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:30:07 <d34dh0r53> no new bugs but we have a couple of bugs from the last couple of weeks
15:30:14 <d34dh0r53> that could use a look if anyone has time
15:30:32 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2007982
15:30:47 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2006631
15:31:32 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:31:58 <d34dh0r53> python-keystoneclient is clean
15:32:01 <d34dh0r53> next up
15:32:14 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:32:38 <d34dh0r53> nothing new for keystoneauth
15:32:44 <d34dh0r53> next we have:
15:33:47 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:33:55 <d34dh0r53> sorry, nuked my IRC client :/
15:34:09 <d34dh0r53> no new bugs in keystonemiddleware
15:34:25 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:34:31 <d34dh0r53> pycadf is clean
15:34:35 <d34dh0r53> and...
15:34:39 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:34:55 <d34dh0r53> ldappool also has no new bugs
15:35:02 <d34dh0r53> #topic conclusion
15:35:14 <d34dh0r53> Anyone have anything else before we go?
15:35:16 <arequate> Late for open discussion, but would like to raise interest in https://review.opendev.org/c/openstack/keystoneauth/+/869876
15:36:33 <d34dh0r53> arequate: yeah, I saw that you updated that and am going to review it today
15:36:48 <d34dh0r53> knikolla[m], dmendiza[m], xek ^^ if you get a chance
15:37:03 <d34dh0r53> arequate: anything specific you'd like to raise?
15:37:08 <knikolla[m]> ++, it's on my task list for today
15:37:12 <d34dh0r53> thanks knikolla[m]
15:38:39 <zaitcev> I'm still struggling with writing tests. Fixed bug 1999068, in https://review.opendev.org/c/openstack/keystone/+/874346, but now I have to form tokens by hand for testing, etc.
15:44:15 <d34dh0r53> zaitcev: ack, let me see what I can come up with and I'll paste it in the review
15:44:54 <d34dh0r53> anything else before we close?
15:45:55 <d34dh0r53> thanks all!
15:46:03 <d34dh0r53> have a great rest of your week :)
15:46:07 <d34dh0r53> #endmeeting