15:02:19 <d34dh0r53> #startmeeting keystone
15:02:19 <opendevmeet> Meeting started Wed Feb 7 15:02:19 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:19 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:19 <opendevmeet> The meeting name has been set to 'keystone'
15:02:39 <d34dh0r53> #topic roll call
15:02:47 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph
15:02:50 <d34dh0r53> o/
15:03:05 <xek> o/
15:04:48 <Luzi> o/
15:05:07 <dmendiza[m]> 🙋
15:06:11 <d34dh0r53> #topic review past meeting work items
15:06:42 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-31-15.01.html
15:06:54 <d34dh0r53> no updates from my end
15:07:04 <d34dh0r53> #action d34dh0r53 d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:13 <d34dh0r53> #undo
15:07:13 <opendevmeet> Removing item from minutes: #action d34dh0r53 d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:22 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:31 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:07:45 <d34dh0r53> #topic liaison updates
15:07:49 <d34dh0r53> nothing from VMT
15:10:08 <gtema> from api-sig pov: https://review.opendev.org/c/openstack/keystone/+/908163
15:10:26 <gtema> I work on openapi generation and found that one
15:10:39 <d34dh0r53> we've moved Train and Ussuri to End-Of-Life and Yoga has transitioned to unmaintained status
15:11:12 <d34dh0r53> ack, thanks gtema, I'll take a look at that one
15:12:09 <d34dh0r53> that should do it for liaison updates
15:12:12 <d34dh0r53> moving on
15:12:27 <d34dh0r53> #topic specifications OAuth 2.0 (hiromu)
15:12:39 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:41 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:12:43 <d34dh0r53> External OAuth 2.0 Specification
15:12:45 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:47 <d34dh0r53> OAuth 2.0 Implementation
15:12:49 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:51 <d34dh0r53> OAuth 2.0 Documentation
15:12:53 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:55 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:13:47 <d34dh0r53> I haven't seen hiromu around in a while
15:15:12 <d34dh0r53> it looks like the WIP patches are somewhat active, updates in the last 30 days
15:15:20 <d34dh0r53> moving on
15:15:29 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:15:37 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:15:39 <d34dh0r53> 2024.1 Release Timeline
15:15:41 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:15:43 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:15:45 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:15:46 <dmendiza[m]> Making progress on Phase 1
15:15:47 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
15:15:59 <dmendiza[m]> down to just a few more tests that need fixing in the tempest patch
15:16:29 <dmendiza[m]> Of course, spending so much time in the tempest code made me realize it sucks and I hate it. :-P
15:16:35 <d34dh0r53> lol
15:16:38 <d34dh0r53> yep
15:16:50 <dmendiza[m]> Needs a serious refactor for the DRY principle
15:17:14 <d34dh0r53> indeed
15:17:23 <dmendiza[m]> Anyway, the tempest patch should be ready for review for Friday's reviewathon hopefully
15:17:41 <d34dh0r53> ack, thanks dmendiza[m]
15:17:51 <dmendiza[m]> I'm not refactoring anything right now, but it would be worth refactoring and removing duplication when we add the "manager" role tests
15:18:16 <d34dh0r53> good idea
15:19:16 <d34dh0r53> moving on
15:19:25 <d34dh0r53> #topic specification Improve federated users management (previously: Add schema version and support to "domain" attribute in mapping rules) (gtema)
15:19:32 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:19:48 <gtema> right - waiting for spec reviews
15:19:54 <d34dh0r53> I gave that one a once over and will try to give it a deeper look this week
15:20:03 <gtema> great, thanks
15:20:05 <d34dh0r53> nothing jumped out at me
15:20:20 <gtema> sounds good
15:20:41 <d34dh0r53> next up
15:20:47 <d34dh0r53> #topic specification Dedicated domainmanager role
15:20:54 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/903172 - waiting for reviews
15:21:06 <gtema> so, I do not know whether you noticed or not
15:21:18 <gtema> earlier today someone posted a question here in the room
15:21:33 <gtema> that admin on a domain is still capable of doing other dangerous operations
15:21:45 <gtema> that one more time proves the necessity of improvements in the area
15:22:04 <gtema> and I know - it touches the RBAC topic as well (at least a similar direction)
15:22:50 <gtema> so, what operators often need is some sort of domain manager (admin) role that they are able to give out to customers
15:22:51 <d34dh0r53> right, I agree
15:22:57 <gtema> but that should not be "admin"
15:23:41 <dmendiza[m]> gtema "admin" role is essentially root
15:23:58 <gtema> correct, and thus something new should be added
15:24:00 <dmendiza[m]> whether "admin" is assigned on a project, or on a domain, or on the system the result is the same
15:24:28 <dmendiza[m]> Have you read through the latest version of the Secure RBAC spec?
15:24:30 <dmendiza[m]> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
15:24:47 <dmendiza[m]> gtema: perhaps you want the "manager" role?
15:24:53 <gtema> yes, but it doesn't explicitly describe the use case with domains
15:25:57 <dmendiza[m]> Right ... there's a lot of confusion around scopes unfortunately. If your use case is something that has more access than "member" but less than "admin" then the answer is the "manager" role.
15:26:19 <gtema> correct, so if also in the scope of your work we can consider the "manager" role it would be great
15:26:37 <gtema> anyway, I wanted to put that spec on the table and all opinions are welcome
15:27:09 <dmendiza[m]> Ack, I'll read through it and comment
15:27:14 <gtema> great, thanks
15:27:46 <d34dh0r53> thanks both!
15:28:04 <d34dh0r53> #topic open discussion
15:28:08 <d34dh0r53> nothing on the agenda
15:28:57 <Luzi> gtema there is a spec https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:29:04 <Luzi> for a domain manager role
15:29:24 <gtema> correct, this is exactly the spec I mentioned
15:30:07 <Luzi> a colleague and I will be driving this, when the spec is accepted
15:30:27 <gtema> that's great
15:31:29 <Luzi> but concerning this: with feature freeze around, I doubt this will make it into this cycle - am I right d34dh0r53 ?
15:31:47 <d34dh0r53> that is correct, it will have to be 2024.2
15:32:23 <Luzi> okay, thank you for the information d34dh0r53 :)
15:32:57 <dmendiza[m]> TIL 2024.2 code name is Dalmatian
15:33:19 <d34dh0r53> oh sweet, I missed that
15:33:20 <dmendiza[m]> I assume @spotz had something to do with that.
15:33:36 <dmendiza[m]> Yeah, Schedule is already out:
15:33:38 <d34dh0r53> lol, I'm sure she did :)
15:33:38 <dmendiza[m]> #link https://releases.openstack.org/dalmatian/schedule.html
15:34:00 <d34dh0r53> woo woo
15:34:56 <d34dh0r53> err, woof woof?
15:35:15 <d34dh0r53> anything else for open discussion?
15:35:51 <dmendiza[m]> Feature Freeze is in a few weeks
15:36:02 <d34dh0r53> indeed, good call dmendiza[m]
15:36:10 <dmendiza[m]> Just a heads up in case there's things we want to land before then
15:36:45 <d34dh0r53> Feb 26 - Mar 01 is Caracal-3 and Feature freeze week
15:37:49 <dmendiza[m]> #info Feature Freeze is the week of Feb 20 - Mar 01
15:38:19 <dmendiza[m]> ☝️ for folks who just get the tl;dr from the summary.
15:38:33 <d34dh0r53> yeah, forgot about that hashtag
15:39:58 <d34dh0r53> moving on
15:40:04 <d34dh0r53> #topic bug review
15:40:14 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:40:18 <d34dh0r53> no new bugs for keystone
15:40:25 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:40:44 <d34dh0r53> python-keystoneclient is also good
15:40:51 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:41:04 <d34dh0r53> nothing new for keystoneauth
15:41:17 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:41:34 <d34dh0r53> keystonemiddleware is also good
15:41:50 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:42:06 <d34dh0r53> pycadf has no new bugs
15:42:12 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:42:20 <d34dh0r53> nor does ldappool
15:42:24 <d34dh0r53> #topic conclusion
15:42:52 <tkajinam> this is not a bug, but it's known that you have to update a release note file for yoga after transitioning stable/yoga to unmaintained/yoga
15:43:05 <tkajinam> release note jobs are all broken until you merge the release patches proposed by the bot
15:43:27 <tkajinam> some projects like barbican didn't get that update by the bot so a manual patch may be needed (I've created ones for barbican I believe)
15:43:43 <tkajinam> (assuming some people here may be interested in barbican as well :-P
15:43:58 <tkajinam> example: https://review.opendev.org/c/openstack/keystone/+/908150
15:44:54 <tkajinam> so I'd suggest you check your review queue and merge these patches asap before a different problem hits you
15:48:09 <d34dh0r53> ack, thanks tkajinam, I'll get those in for keystone
15:48:25 <d34dh0r53> anything else for today?
15:48:51 <tkajinam> d34dh0r53, thanks :-)
15:48:55 <tkajinam> d34dh0r53, nothing else from me
15:49:06 <d34dh0r53> excellent, thanks everyone!
15:49:13 <d34dh0r53> have a great rest of your week :)
15:49:18 <d34dh0r53> #endmeeting