#openstack-keystone log

14:59:50 <d34dh0r53> #startmeeting keystone
14:59:50 <opendevmeet> Meeting started Wed Jul 19 14:59:50 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:50 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:59:50 <opendevmeet> The meeting name has been set to 'keystone'
15:01:11 <xek> o/
15:02:23 <d34dh0r53> #topic roll call
15:02:25 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:02:32 <d34dh0r53> o/
15:03:11 <hiromu> o/
15:03:36 <zaitcev> o/
15:03:43 <zaitcev> I'm here, but also not really.
15:04:07 <d34dh0r53> :)
15:04:27 <d34dh0r53> #topic review past meeting work items
15:04:38 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-07-11-14.59.html
15:05:06 <d34dh0r53> d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:05:17 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:05:36 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:07:00 <d34dh0r53> d34dh0r53 pin keystone-tempest-plugin to wallaby for keystone stable/wallaby
15:07:20 <d34dh0r53> this was done in https://review.opendev.org/c/openstack/keystone/+/887072, thanks stephenfin
15:07:55 <d34dh0r53> I'll try to get to the known issues documentation stuff this week
15:08:11 <d34dh0r53> #topic liaison updates
15:08:19 <d34dh0r53> nothing from VMT
15:11:56 <d34dh0r53> moving on
15:12:08 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:12:17 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:19 <d34dh0r53> External OAuth 2.0 Specification
15:12:21 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:23 <d34dh0r53> OAuth 2.0 Implementation
15:12:25 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:27 <d34dh0r53> OAuth 2.0 Documentation
15:12:29 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:31 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:13:58 <hiromu> Recently, we submitted patches that add system-scoped token and caching to ext OAuth2.0 https://review.opendev.org/c/openstack/keystonemiddleware/+/888523
15:15:00 <d34dh0r53> ack, thank you hiromu
15:15:16 <d34dh0r53> I will start reviewing them
15:15:35 <hiromu> thanks
15:16:42 <d34dh0r53> next up
15:16:56 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:17:05 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:17:07 <d34dh0r53> Service Role Implementation
15:17:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:17:11 <d34dh0r53> Manager Role Implementation
15:17:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:17:15 <d34dh0r53> Keystone Tempest Plugin Updates
15:17:17 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/885799
15:17:43 <d34dh0r53> I saw that there is a new patch to add a default service role to the keystone-manage bootstrap command
15:17:52 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:18:49 <d34dh0r53> thanks for the reviews on that
15:20:33 <d34dh0r53> cool, moving on
15:21:01 <d34dh0r53> #topic specification SQLAlchemy 2.0 (stephenfin)
15:21:07 <d34dh0r53> #link https://review.opendev.org/q/topic:sqlalchemy-20+is:open+project:openstack/keystone
15:21:28 <d34dh0r53> there is only one patch left and it's a doc fix, awesome work by all getting all of these patches in, thank you!
15:21:59 <stephenfin> Awesome work indeed. FYI there are still barbican patches that need to get in so maybe that link should be updated?
15:22:12 <stephenfin> https://review.opendev.org/q/topic:sqlalchemy-20+is:open+project:openstack/barbican
15:22:48 <stephenfin> (there's a low-prio bug in sqlalchemy that is causing the two last patches to fail: we've worked around it in oslo.db and will cut a release shortly)
15:22:57 <d34dh0r53> xek, dmendiza[m] what do you think?
15:23:00 <knikolla> stephenfin: we owe you a beer/juice/seltzer. thanks for all the amazing work.
15:23:01 <xek> @stephenfin Hey, I saw your patches and mentioned them on the barbican meeting
15:23:14 <d34dh0r53> indeed knikolla
15:24:46 <stephenfin> :w
15:24:58 <stephenfin> whoops
15:25:19 <stephenfin> xek: d34dh0r53: Great, we can probably remove that from the keystone meeting agenda so if it's being tracked elsewhere
15:25:34 <xek> Yeah, Barbican is a separate project
15:25:56 <d34dh0r53> sweet
15:26:27 <d34dh0r53> :wq ing the SQLAlchemy section on the etherpad
15:27:08 <d34dh0r53> #topic open discussion
15:27:18 <d34dh0r53> (drencrom) Remove cache invalidation when using expired token
15:27:20 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/884738
15:27:31 <stephenfin> :)
15:28:13 <d34dh0r53> just issued a recheck on that job, if zuul still won't vote I'll ping infra about it
15:29:03 <d34dh0r53> (mustafakemalgilor) PooledLdapHandler message.clean() patch backports
15:29:34 <d34dh0r53> those are all merged, I'll :wq that section as well, unless there's something else we need to look at
15:30:55 <d34dh0r53> next up
15:30:57 <d34dh0r53> (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE:
15:30:59 <d34dh0r53> review request
15:31:01 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/883852
15:31:03 <d34dh0r53> Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same)
15:31:53 <d34dh0r53> I'm going to test this as we're starting work on some CLI stuff with OIDC and it likely dovetails
15:32:44 <d34dh0r53> #topic bug review
15:32:52 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:33:36 <d34dh0r53> 1 new bug in keystone https://bugs.launchpad.net/keystone/+bug/2027729
15:34:11 <d34dh0r53> knikolla: anything to add?
15:34:33 <d34dh0r53> I think we just need to remove the offending line in the docs?
15:36:16 <d34dh0r53> just read the RFC, really good to know
15:37:25 <d34dh0r53> I was wrong, there is actually a 2nd bug in keystone that is new
15:37:30 <d34dh0r53> https://bugs.launchpad.net/keystone/+bug/2026345
15:38:14 <d34dh0r53> based on my reading we need to fix our pillow version in docs/requirements.txt
15:38:40 <d34dh0r53> please assign those bugs to yourself if you're interested in fixing them
15:38:49 <d34dh0r53> next up python-keystoneclient
15:38:55 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:39:09 <d34dh0r53> no new bugs there
15:39:20 <d34dh0r53> keystoneauth?
15:39:22 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:39:32 <d34dh0r53> nothing new
15:39:38 <d34dh0r53> on to keystonemiddleware
15:39:51 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:39:57 <d34dh0r53> no new bugs there either
15:40:07 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:40:24 <d34dh0r53> pycadf is clean
15:40:27 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:40:32 <d34dh0r53> as is ldappool
15:40:38 <d34dh0r53> #topic conclusion
15:41:09 <d34dh0r53> Hopefully this Wednesday time works for everyone, please let me know any feedback on the change
15:41:28 <d34dh0r53> That's all I have this week, hope to see folks at the reviewathon
15:41:35 <d34dh0r53> Thanks all!
15:41:45 <d34dh0r53> #endmeeting