#openstack-keystone log

15:04:07 <d34dh0r53> #startmeeting keystone
15:04:07 <opendevmeet> Meeting started Tue Jun  6 15:04:07 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04:07 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:04:07 <opendevmeet> The meeting name has been set to 'keystone'
15:04:27 <dmendiza[m]> 🙋‍♂️
15:04:30 <d34dh0r53> #topic roll call
15:04:36 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:04:38 <d34dh0r53> o/
15:04:42 <d34dh0r53> brb
15:04:48 <zaitcev> oh
15:04:51 <xek> o/
15:06:47 <d34dh0r53> back, hi everybody!
15:07:02 <d34dh0r53> #topic review past meeting work items
15:07:18 <d34dh0r53> https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-05-30-15.03.html
15:07:22 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-05-30-15.03.html
15:07:36 <knikolla> o/
15:07:43 <d34dh0r53> first up d34dh0r53 review https://bugs.launchpad.net/keystone/+bug/2009752
15:07:57 <d34dh0r53> I marked this as confirmed as I'm pretty sure it's an issue
15:08:08 <d34dh0r53> next up d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:08:22 <d34dh0r53> I still need to do this and the next one
15:08:26 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:08:37 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:08:47 <d34dh0r53> next up d34dh0r53 update https://review.opendev.org/c/openstack/keystonemiddleware/+/882401 to include test_ec2_token_middleware.py
15:09:01 <d34dh0r53> this has been added but the CI is failing, stevedore I think
15:09:25 <d34dh0r53> keystonemiddleware seems to be pretty broken due to stevedore and I don't know how to fix it
15:09:43 <d34dh0r53> I don't understand how those modules are being enumerated
15:10:53 <d34dh0r53> and I noticed that sahid was asking about keystonemiddleware earlier
15:11:23 <d34dh0r53> maybe dmendiza[m] and I can put our heads together this afternoon and figure out how to fix keystonemiddleware
15:11:43 <dmendiza[m]> Yeah, it's been a while since I looked under the hood at stevedore
15:11:52 <dmendiza[m]> some serious black magic going on there
15:11:58 <d34dh0r53> yeah, it's not pretty
15:12:30 <d34dh0r53> #action dmendiza[m] and d34dh0r53 to look at keystonemiddleware stevedore failures
15:12:42 <d34dh0r53> next up
15:12:54 <d34dh0r53> d34dh0r53 look at https://bugs.launchpad.net/keystone/+bug/2018644
15:13:00 <d34dh0r53> I haven't gotten to that one yet
15:13:03 <d34dh0r53> #action d34dh0r53 look at https://bugs.launchpad.net/keystone/+bug/2018644
15:13:12 <d34dh0r53> next up drencrom look at https://review.opendev.org/c/openstack/keystonemiddleware/+/878027 to see if we can add the test_ec2_token_middleware.py to it
15:13:28 <d34dh0r53> I think this is failing due to stevedore
15:14:03 <d34dh0r53> we'll see if we can get it passing if we're able to iron out the stevedore issue
15:14:32 <d34dh0r53> finally we have investigate dependency issue in this patch wallaby: https://review.opendev.org/c/openstack/keystone/+/874844
15:14:38 <d34dh0r53> not sure who was assigned to this one
15:15:10 <xek> https://review.opendev.org/c/openstack/keystonemiddleware/+/878027 is abandoned
15:15:26 <d34dh0r53> yep, thanks xek
15:17:27 <d34dh0r53> I think we need to re-submit that one once victoria is in better shape
15:17:36 <d34dh0r53> gerrit was rejecting it
15:19:00 <d34dh0r53> I'm not sure what's going on with the keystoneauth package version either, which is why https://review.opendev.org/c/openstack/keystone/+/874844 is failing
15:19:32 <d34dh0r53> #action d34dh0r53 figure out why https://review.opendev.org/c/openstack/keystone/+/874844 is failing
15:20:06 <d34dh0r53> #topic liaison update
15:20:13 <d34dh0r53> nothing from VMT this week
15:20:49 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:21:14 <d34dh0r53> External OAuth 2.0 Specification
15:21:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:21:18 <d34dh0r53> OAuth 2.0 Implementation
15:21:20 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:21:22 <d34dh0r53> OAuth 2.0 Documentation
15:21:24 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:21:26 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:23:22 <d34dh0r53> #topic Secure RBAC (dmendiza[m])
15:23:33 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:23:35 <d34dh0r53> Service Role Implementation
15:23:37 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:23:39 <d34dh0r53> Manager Role Implementation
15:23:41 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:25:32 <dmendiza[m]> Yeah, no progress on those, still working on Barbican SRBAC and some downstream Keystone SRBAC stuff... should hopefully get a chance to work on that stuff later this month
15:25:44 <d34dh0r53> ack, thanks dmendiza[m]
15:26:02 <d34dh0r53> #topic specification SQLAlchemy 2.0 (stephenfin)
15:26:18 <d34dh0r53> #link https://review.opendev.org/q/topic:sqlalchemy-20+is:open+project:openstack/keystone
15:26:19 <d34dh0r53> Can I get reviews on this, while I have context/time to close it out?
15:26:21 <d34dh0r53> What more do you need from me?
15:27:00 <d34dh0r53> Once we get the CI for keystonemiddleware a bit more healthy we'll circle back to these and get them merged
15:27:19 <d34dh0r53> #topic open discussion
15:27:53 <d34dh0r53> (drencrom) We need to merge these backports to fix pep8 tests
15:27:55 <d34dh0r53> wallaby #link https://review.opendev.org/c/openstack/keystonemiddleware/+/878026
15:27:57 <d34dh0r53> This is blocking #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873921
15:27:59 <d34dh0r53> zed #link https://review.opendev.org/c/openstack/keystonemiddleware/+/878023
15:28:09 <d34dh0r53> we're working on getting these in, we reviewed quite a bit last Friday
15:28:43 <d34dh0r53> (drencrom) Remove cache invalidation when using expired token (ussuri backport)
15:28:44 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/877398
15:28:46 <d34dh0r53> Zuul jobs seem to run but no +1 message
15:29:05 <d34dh0r53> we need to see if we can get that one merged as well
15:29:47 <d34dh0r53> dmendiza[m], xek already has a +2 on https://review.opendev.org/c/openstack/keystonemiddleware/+/877398, can you bump it?
15:30:14 <dmendiza[m]> d34dh0r53: needs Wallaby first
15:30:27 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873921
15:30:47 <d34dh0r53> ahh, ack
15:30:50 <dmendiza[m]> Hmm.. not sure why that's active still actually
15:30:54 <d34dh0r53> sorry, I missed that one
15:30:58 <dmendiza[m]> it's got the necessary +'es
15:31:41 <dmendiza[m]> I tried to add/remove the +W just now ... let'
15:31:48 <dmendiza[m]> s see if Zuul picks it up
15:31:58 <d34dh0r53> ok, does it need https://review.opendev.org/c/openstack/keystonemiddleware/+/878026/2 first?
15:32:38 * dmendiza[m] is confused
15:32:46 <d34dh0r53> me too
15:33:43 <drencrom> Yes, I think it needs 878026
15:34:14 <drencrom> which needs another +2
15:34:18 <dmendiza[m]> OK, less confused now, haha
15:34:29 <dmendiza[m]> merging 878026
15:35:07 <d34dh0r53> sweet, thanks
15:35:10 <d34dh0r53> let's see how that goes
15:35:41 <d34dh0r53> (mustafakemalgilor) PooledLdapHandler message.clean() patch backports
15:35:43 <d34dh0r53> review request
15:35:45 <d34dh0r53> #link ussuri: https://review.opendev.org/c/openstack/keystone/+/874846
15:35:47 <d34dh0r53> #link victoria: https://review.opendev.org/c/openstack/keystone/+/874847
15:35:49 <d34dh0r53> #link wallaby: https://review.opendev.org/c/openstack/keystone/+/874844
15:36:08 <d34dh0r53> the wallaby patch for this one is complaining about the keystoneauth package version
15:36:11 <zaitcev> At this point I'd actually make a little "spreadsheet" in a text file, with all the backports and what needs what. I just cannot keep up.
15:36:16 <d34dh0r53> so we have a mismatch somewhere
15:36:24 <d34dh0r53> zaitcev: that's a good idea
15:36:35 <d34dh0r53> I'll try to do that this afternoon
15:36:46 <zaitcev> Well... extensive bureaucracy has its costs, but my mind is too small.
15:38:39 <d34dh0r53> finally we have
15:38:42 <d34dh0r53> (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE:
15:38:44 <d34dh0r53> review request
15:38:46 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/883852
15:38:48 <d34dh0r53> Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same)
15:38:56 <d34dh0r53> this looks reasonable at first glance
15:40:52 <d34dh0r53> depending on how the keystonemiddleware and keystoneauth issues we're facing in CI go this week, maybe we can review this patch during the reviewathon on Friday
15:41:15 <d34dh0r53> we need to get CI healthy first though
15:41:29 <d34dh0r53> anything else for open discussion?
15:42:28 <zaitcev> You know what I'll say, right? https://review.opendev.org/c/openstack/keystone/+/874346
15:42:46 <zaitcev> But I was remiss at looking at Hiromu's stuff too, so oh well
15:43:50 <d34dh0r53> indeed, we will look at this on Friday
15:44:24 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/874346
15:45:18 <d34dh0r53> #topic bug review
15:45:25 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:45:57 <d34dh0r53> no new bugs in keystone
15:46:06 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:46:24 <d34dh0r53> nothing new in python-keystoneclient
15:46:40 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:46:51 <d34dh0r53> nor is there anything new in keystoneauth
15:46:57 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:47:32 <d34dh0r53> looks like Sahid added https://bugs.launchpad.net/keystonemiddleware/+bug/2023015
15:48:05 <d34dh0r53> there is a fix proposed to master
15:48:27 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:48:47 <d34dh0r53> pycadf is clean
15:48:48 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:48:51 <d34dh0r53> so is ldappool
15:48:56 <d34dh0r53> #topic conclusion
15:49:25 <d34dh0r53> No meeting or reivewathon next week, OpenInfra Summit and PTG
15:49:46 <d34dh0r53> I'd like to focus on keystonemiddleware and the keystoneauth package version issues
15:50:52 <d34dh0r53> I'll start looking at those now and try to come up with a way to better track what we have in flight and what needs merging when
15:51:02 <d34dh0r53> anyone have anything else?
15:51:35 <d34dh0r53> thanks folks! Hope to see you in Vancouver :)
15:51:42 <d34dh0r53> dmendiza[m]: enjoy your PTO
15:51:51 <d34dh0r53> #endmeeting