15:00:25 <d34dh0r53> #startmeeting keystone
15:00:25 <opendevmeet> Meeting started Tue Mar  7 15:00:25 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:25 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:25 <opendevmeet> The meeting name has been set to 'keystone'
15:00:29 <d34dh0r53> #topic roll-call
15:00:35 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, arequate, dmendiza[m]
15:00:37 <xek> o/
15:00:41 <hiromu> o/
15:00:49 <zaitcev> o/
15:01:10 <dmendiza[m]> 🙋‍♂️
15:02:21 <knikolla[m]> o/
15:02:39 <d34dh0r53> hi folks, thanks for joining :)
15:03:16 <d34dh0r53> #topic review past meeting work items
15:03:26 <d34dh0r53> d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:03:36 <d34dh0r53> I didn't get a chance to look at this yet again
15:03:42 <d34dh0r53> :/
15:03:48 <d34dh0r53> #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:03:57 <dmendiza[m]> d34dh0r53: we could check the project-config repo to see what gerrit groups are still in use
15:03:57 <d34dh0r53> that's all for the past meeting work items
15:04:05 <d34dh0r53> dmendiza[m]: ack
15:04:07 <d34dh0r53> good idea
15:04:57 <d34dh0r53> dmendiza[m]: I might reach out to you for help on that this week
15:05:15 <dmendiza[m]> Sure, just ping me whenever
15:05:27 <d34dh0r53> thanks
15:05:36 <d34dh0r53> #topic liaison updates
15:05:44 <d34dh0r53> nothing from VMT
15:06:30 <d34dh0r53> knikolla[m], dmendiza[m], xek I added our highlights this morning, https://review.opendev.org/c/openstack/releases/+/876729
15:07:02 <d34dh0r53> let me know if I missed anything or if they need to be reworded
15:07:08 <dmendiza[m]> Nice
15:07:48 <d34dh0r53> that's it for liaison updates
15:08:27 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:08:42 <d34dh0r53> External OAuth 2.0 Specification
15:08:44 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:08:46 <d34dh0r53> OAuth 2.0 Implementation
15:08:48 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:08:50 <d34dh0r53> OAuth 2.0 Documentation
15:08:52 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:08:54 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:09:00 <d34dh0r53> we're very close to merging everything
15:09:15 <hiromu> Thanks a lot! I just submitted backport patches for keystoneauth and keystonemiddleware.
15:09:26 <d34dh0r53> excellent! thanks hiromu
15:09:32 <hiromu> https://review.opendev.org/c/openstack/keystoneauth/+/876746
15:09:39 <hiromu> https://review.opendev.org/c/openstack/keystonemiddleware/+/876745
15:10:13 <hiromu> Keystone's master branch already includes the mTLS patch.
15:10:49 <hiromu> So I didn't submit a backport patch to Keystone.
15:12:45 <coreycb> o/ ohh is this a community meeting? if so can I put this on the agenda? https://bugs.launchpad.net/keystone/+bug/2009600
15:13:22 <dmendiza[m]> hiromu: I think we might need to backport into the stable/2023.1 branch.  We do have these under review: https://review.opendev.org/c/openstack/keystone/+/876722/
15:13:48 <d34dh0r53> coreycb: sure, I'll add it
15:14:01 <coreycb> d34dh0r53: thanks
15:14:42 <hiromu> Oh, okay. I'll check commit tree again.
15:15:24 <hiromu> https://github.com/openstack/keystone/commits/master
15:15:38 <dmendiza[m]> hiromu: do a `git review -d 876722` to pull down the start of the stable/2023.1 branch and then cherry-pick the oauth patches to that chain
15:15:43 <hiromu> sorry it's wrong. https://github.com/openstack/keystone/commits/stable/2023.1
15:16:14 <dmendiza[m]> Oh sweet!  Looks like it's already there
15:16:17 <dmendiza[m]> (I think?)
15:17:07 <hiromu> yeah, I thought so. wrong?
15:18:21 <dmendiza[m]> I think we're good.  My mistake
15:18:51 <hiromu> good :)
15:18:53 <hiromu> ls
15:18:55 <hiromu> sorry
15:19:25 <hiromu> by the way, I'd like to talk about Ext. Authorization Server Support today.
15:19:44 <d34dh0r53> ack, I'll add that as well
15:19:53 <d34dh0r53> anything else with mTLS?
15:20:26 <hiromu> No. That's all. thanks.
15:22:00 <d34dh0r53> thanks, moving on to
15:22:14 <d34dh0r53> #topic Secure RBAC (dmendiza[m])
15:22:29 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:22:31 <d34dh0r53> Service Role Implementation
15:22:33 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:22:35 <d34dh0r53> Manager Role Implementation
15:22:37 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:22:50 <dmendiza[m]> No updates, sorry.  I'm not even susre if gmann is still having the pop-up meetings?
15:22:53 <dmendiza[m]> *sure
15:23:34 <d34dh0r53> ack
15:24:22 <d34dh0r53> ok, moving on to
15:24:28 <d34dh0r53> #topic open discussion
15:24:42 <d34dh0r53> (drencrom) Need some reviews for this backport:
15:24:44 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873921
15:25:30 <d34dh0r53> I'll take a look at these today
15:26:25 <d34dh0r53> next up
15:26:27 <d34dh0r53> (coreycb) discuss mtls/cryptography bug
15:26:29 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2009600
15:27:16 <knikolla[m]> can we lower the cryptography version to the one they mentioned?
15:27:48 <d34dh0r53> that's what I'm wondering. hiromu, dmendiza[m] ?
15:28:26 <coreycb> I'm attempting a patch to do that
15:28:35 <coreycb> hopefully that'll be ok
15:28:49 <knikolla[m]> i see that the version that we included was just what was in upper-constraints, so it doesn't feel like there's anything special about it.
15:29:20 <coreycb> it's more about what the lower constraints are in requirements.txt
15:30:00 <coreycb> for context, I'm a maintainer for the ubuntu cloud archive. the antelope cloud archive (and the next 2 to 3 openstack releases) are based on ubuntu jammy which has python3-cryptography 3.4.8.
15:30:19 <knikolla[m]> I don't think we have any global lower constraints
15:30:53 <knikolla[m]> (all i meant by my previous comment was that i don't think that version has any significance besides being what was written in the requirements repo as an upper constraint)
15:32:20 <coreycb> I started going down the path of backporting cryptography 38.0.2 yesterday but it gets complicated very quickly (25+ rust library backports)
15:33:57 <hiromu> At least, I can say I can look for workarounds to avoid using the feature that is only available on recent cryptography.
15:35:04 <coreycb> do you know if attr_name_overrides is required? I can test the version of cryptography and either specify it or not. or maybe it can just be dropped.
15:36:04 <hiromu> It is required, but there's an alternative way that doesn't use attr_name_overrides but brings the same effect.
15:36:57 <coreycb> ok, maybe I should defer to you to work on a fix. I was just going to drop the parameter for older cryptography versions which is probably naive.
15:38:44 <hiromu> I'm not sure which is easier
15:40:04 <hiromu> but, I think there's a possibility that these kinds of problems happen again.
15:40:17 <hiromu> so I think I should fix it.
15:41:57 <hiromu> is that in line with your thought?
15:42:25 <coreycb> that would be great, thank you. if I can help please let me know. I'll send an email for more global discussion about cryptography to the mailing list, not related specifically to this issue.
15:42:48 <hiromu> great. thanks
15:42:50 <d34dh0r53> awesome, thank you coreycb
15:42:54 <d34dh0r53> thanks hiromu
15:43:23 <d34dh0r53> next topic, is (hiromu) discuss Ext. Authorization Server Support
15:43:53 <hiromu> I added this topic to https://etherpad.opendev.org/p/keystone-weekly-meeting
15:44:18 <hiromu> We're planning to investigate if the following projects work with Ext. Authorizations, and how we can modify them to work with Ext. Authorization servers. Any other projects we must check?
15:44:26 <hiromu> heat
15:44:28 <hiromu> glance
15:44:30 <hiromu> nova
15:44:32 <hiromu> neutron
15:44:34 <hiromu> (placement) *low priority
15:44:36 <hiromu> (cinder) *low priority
15:45:01 <hiromu> These projects are selected based on DevStack minimal install.
15:46:13 <hiromu> Do you have any idea? knikolla:
15:47:41 <knikolla[m]> That's a good start. I don't have any other ideas at the moment, though I would add Ironic as well.
15:48:54 <d34dh0r53> and barbican? dmendiza[m]?
15:49:23 <hiromu> Sure. We have a chance to discuss with ironic at vPTG. Depending on the result of that discussion, we might not have to check Ironic (hopefully barbican).
15:50:07 <d34dh0r53> ack
15:50:34 <d34dh0r53> That's a good start, I'll add this to the vPTG agenda for one of our sessions
15:50:56 <d34dh0r53> moving on as we're almost out of time
15:50:59 <d34dh0r53> #topic bug review
15:51:16 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:51:26 <d34dh0r53> we already discussed the cryptography bug
15:52:32 <d34dh0r53> another bug landed https://bugs.launchpad.net/keystone/+bug/2008890 but this looks to be kolla container specific
15:52:46 <d34dh0r53> I'll make sure that is the case
15:52:59 <d34dh0r53> #action d34dh0r53 ensure that https://bugs.launchpad.net/keystone/+bug/2008890 is kolla specific
15:53:18 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:53:29 <d34dh0r53> nothing new for python-keystoneclient
15:53:52 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:54:09 <d34dh0r53> keystoneauth is clean
15:54:19 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:54:34 <d34dh0r53> as is keystone middleware
15:54:42 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:55:01 <d34dh0r53> pycadf has no new bugs
15:55:08 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:55:19 <d34dh0r53> and ldappool is clean too
15:55:27 <d34dh0r53> #topic conclusion
15:55:44 <d34dh0r53> Thanks for all the hard work in getting mTLS merged the last few weeks!
15:55:54 <d34dh0r53> Anyone have anything else before we go?
15:57:03 <d34dh0r53> thanks folks!
15:57:07 <d34dh0r53> #endmeeting