15:06:16 <d34dh0r53> #startmeeting keystone
15:06:16 <opendevmeet> Meeting started Wed Sep 27 15:06:16 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:06:16 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:06:16 <opendevmeet> The meeting name has been set to 'keystone'
15:06:19 <hiromu> o/
15:06:38 <d34dh0r53> #topic roll call
15:06:40 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:06:48 <d34dh0r53> o/ sorry I'm late today
15:08:18 <dmendiza[m]> 🙋♂️
15:08:24 <d34dh0r53> #topic review past meeting work items
15:08:45 <d34dh0r53> we didn't have a meeting last week, so this is from a couple of weeks ago
15:08:51 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-09-13-15.03.html
15:09:21 <d34dh0r53> both of the action items are on me, and I didn't get a chance to look at either as I was on unscheduled PTO for the majority of the week
15:09:29 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:09:38 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:09:50 <d34dh0r53> moving on...
15:10:00 <d34dh0r53> #topic liaison updates
15:10:06 <d34dh0r53> nothing from VMT
15:11:47 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:12:00 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:02 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:12:04 <d34dh0r53> External OAuth 2.0 Specification
15:12:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:08 <d34dh0r53> OAuth 2.0 Implementation
15:12:10 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:12 <d34dh0r53> OAuth 2.0 Documentation
15:12:14 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:12:40 <hiromu> We're going to implement FT for ext. Auth server support for Keystone middleware
15:12:54 <hiromu> and I have a question about that
15:13:05 <d34dh0r53> sorry, FT?
15:13:23 <hiromu> I mean functional tests
15:13:29 <hiromu> like tempest
15:13:41 <hiromu> or integrated tests
15:14:05 <d34dh0r53> ahh
15:14:07 <d34dh0r53> thank you
15:14:36 <hiromu> no worry. that might be a domestic term
15:14:55 <hiromu> anyway, we're looking for the right place for the tests
15:15:30 <d34dh0r53> keystone-tempest-tests I think
15:16:49 <hiromu> Yeah, but I think implementing the test in other projects that will use this feature can be another option
15:17:06 <d34dh0r53> I see
15:17:17 <hiromu> tacker-tempest-plugin for example,
15:17:28 <hiromu> although tacker doesn't have the tempest-plugin now
15:17:57 <hiromu> I think that might be better in terms of maintainability
15:19:55 <d34dh0r53> ok, I would like to see some tests in keystone-tempest-plugin as well so that we can run them in the gate
15:20:14 <d34dh0r53> and ensure we don't break anything with future code updates
15:20:25 <hiromu> ok
15:20:34 <hiromu> but what should we test?
15:20:58 <hiromu> I mean keystone middleware for ext. oauth server only works with Tacker, Barbican and Ironic
15:21:47 <hiromu> running integration tests of keystonemiddleware with those services at keystone-tempest-plugin is a little bit unnatural for me.
15:22:30 <d34dh0r53> hmm, I see your point
15:23:50 <d34dh0r53> maybe we can include those tests as part of our testing then
15:24:07 <hiromu> also, I'm afraid that tests will fail due to changes of Tacker, Ironic and Barbican. In that case, Keystone maintainers have to fix Tacker, Ironic and Barbican's code for keystone-tempest-plugin
15:24:35 <hiromu> which test did you mean?
15:24:52 <d34dh0r53> maybe a non-voting or experimental test
15:25:24 <hiromu> non-voting makes sense to me.
15:25:58 <d34dh0r53> ok, that sounds good, please let us know if we can assist with reviews
15:26:22 <hiromu> good.
15:26:25 <hiromu> thanks
15:26:32 <d34dh0r53> anything else hiromu?
15:27:00 <hiromu> no, but one thing. the implementation of that test might take time
15:27:44 <hiromu> so I want to put the target date of merging it to the end of release cycle
15:27:52 <d34dh0r53> ok
15:28:09 <d34dh0r53> that shouldn't be a problem
15:28:19 <hiromu> perfect. nothing else. thank you for your help.
15:29:01 <d34dh0r53> thank you hiromu!
15:29:02 <d34dh0r53> next up
15:29:20 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:29:48 <d34dh0r53> I think we've done everything for now, do we still need to keep this on the agenda dmendiza[m]?
15:30:20 <dmendiza[m]> Yes, there is still work to do
15:30:41 <dmendiza[m]> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
15:30:54 <dmendiza[m]> I think now that bobcat (2023.2) has branched we can move to the next phase
15:31:37 <d34dh0r53> ok
15:31:43 <dmendiza[m]> We can probably change our defaults to use SRBAC by default
15:32:00 <dmendiza[m]> i.e. enforce_new_defaults=True and enforce_scope=True
15:33:31 <d34dh0r53> cool, updating the agenda
15:33:57 <d34dh0r53> Who is doing the oslo.policy work, or is that TBD?
15:35:48 <dmendiza[m]> not sure I understand your question. What work are you referring to?
15:36:34 <d34dh0r53> updating the defaults in oslo.policy, or did I misread?
15:38:59 <dmendiza[m]> Oh, we do that in keystone
15:39:14 <dmendiza[m]> there's a function called set_defaults where we can override what oslo.policy has as their default
15:39:23 <d34dh0r53> ahh, ok
15:39:44 <dmendiza[m]> I don't think we can change the defaults in oslo.policy until everyone is on-board
15:40:08 <d34dh0r53> I see, I misunderstood what the spec was saying
15:42:19 <dmendiza[m]> So yeah, I'll be working on that
15:42:32 <d34dh0r53> ok, cool
15:42:37 <d34dh0r53> thanks dmendiza[m]
15:42:56 <d34dh0r53> moving on
15:43:01 <d34dh0r53> #topic open discussion
15:43:08 <d34dh0r53> nothing on the agenda
15:43:15 <d34dh0r53> anyone have anything?
15:44:50 <d34dh0r53> cool, moving on
15:44:55 <d34dh0r53> #topic bug review
15:45:05 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:45:09 <d34dh0r53> there is one new bug in keystone
15:45:22 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2037052
15:45:47 <d34dh0r53> it has a patch up
15:46:07 <d34dh0r53> next up we have
15:46:08 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:46:24 <d34dh0r53> nothing new in python-keystoneclient
15:46:36 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:46:48 <d34dh0r53> keystoneauth is clean
15:47:06 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:47:32 <d34dh0r53> one new bug
15:47:35 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/2037177
15:47:48 <d34dh0r53> we have six still being imported, should be an easy fix
15:48:07 <d34dh0r53> that does it for keystonemiddleware
15:48:18 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:48:38 <d34dh0r53> nothing for pycadf
15:48:40 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:48:52 <d34dh0r53> and ldappool is looking good
15:48:58 <d34dh0r53> #topic conclusion
15:49:05 <d34dh0r53> anyone have anything before we go?
15:49:21 <d34dh0r53> thanks everyone!
15:49:24 <d34dh0r53> #endmeeting