15:02:16 <d34dh0r53> #startmeeting keystone
15:02:16 <opendevmeet> Meeting started Wed Feb 28 15:02:16 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:16 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:16 <opendevmeet> The meeting name has been set to 'keystone'
15:02:42 <d34dh0r53> #topic roll call
15:02:44 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:02:48 <d34dh0r53> o/
15:02:58 <gtema> o/
15:03:17 <dmendiza[m]> 🙋‍♂️
15:04:28 <d34dh0r53> #topic review past meeting work items
15:04:31 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-14-15.02.html
15:05:03 <d34dh0r53> no updates from me, I was out of town for a week and didn't have much time to do anything
15:05:24 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:05:38 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:05:43 <d34dh0r53> next up
15:05:50 <d34dh0r53> #topic liaison updates
15:06:18 <d34dh0r53> Caracal feature freeze starts next week
15:06:35 <d34dh0r53> Friday actually
15:07:06 <d34dh0r53> and I don't have anything from VMT
15:07:46 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:07:54 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:56 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:58 <d34dh0r53> External OAuth 2.0 Specification
15:08:00 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:08:02 <d34dh0r53> OAuth 2.0 Implementation
15:08:04 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:08:06 <d34dh0r53> OAuth 2.0 Documentation
15:08:08 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:08:10 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:09:10 <d34dh0r53> I haven't seen hiromu around in a while
15:10:05 <d34dh0r53> we're really close to finishing these specs so hopefully we'll hear back from them
15:10:07 <d34dh0r53> next up
15:10:24 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:10:32 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:10:34 <d34dh0r53> 2024.1 Release Timeline
15:10:36 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:10:38 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:10:40 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:10:42 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
15:11:07 <dmendiza[m]> 🙋‍♂️
15:11:26 <dmendiza[m]> I think we've merged everything we needed for Phase 1
15:11:40 <d34dh0r53> sweet!
15:12:38 <d34dh0r53> so phase 2 in 2024.2?
15:16:48 <d34dh0r53> next up
15:16:58 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:17:04 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:17:16 <gtema> still waiting for reviews ;-)
15:17:34 <d34dh0r53> I just added mine, maybe dmendiza[m] or xek can take a look
15:17:51 <gtema> awesome, thanks
15:17:56 <d34dh0r53> np
15:18:14 <d34dh0r53> #topic open discussion
15:18:28 <d34dh0r53> passlib
15:18:30 <d34dh0r53> unmaintained
15:18:32 <d34dh0r53> bcrypt issues with newer releases
15:18:34 <d34dh0r53> python3.12 issues
15:18:45 <d34dh0r53> I moved this to open discussion since it's not a spec
15:18:47 <gtema> so I started looking into it
15:18:53 <d34dh0r53> There is an open issue https://foss.heptapod.net/python-libs/passlib/-/issues/187 regarding the maintenance status of passlib
15:19:09 <d34dh0r53> I've been looking into it as well
15:19:11 <gtema> thanks Dave, I have seen that issue and it sadly is not really very promising
15:19:39 <gtema> Ansible sticking to passlib means the chances are that someone will at some point take it over
15:19:41 <d34dh0r53> yeah, I replied to a comment on there and voted but it looks like the maintainer is essentially AWOL
15:19:52 <gtema> but when this happens is unknown
15:20:13 <gtema> I started playing around with kicking passlib away
15:20:28 <d34dh0r53> oh cool, any luck?
15:20:32 <gtema> for default bcrypt there is absolutely no issue in using bcrypt directly
15:20:51 <gtema> for bcrypt_sha256 (and others) the issue is absolutely different
15:21:14 <gtema> while it is absolutely no problem to calculate hashes using cryptography or hashlib itself
15:21:31 <gtema> it is a problem to have support for old passwords hashed by passlib
15:21:52 <gtema> passlib is using black magic playing with charset, bincode, ...
15:22:13 <gtema> I really really dislike how it does all of that, especially that there is no need for that
15:22:34 <gtema> so basically we need to think which "compatibility" do we need
15:22:51 <gtema> (remembering this is the case for non-default hash method)
15:23:20 <d34dh0r53> yeah, I didn't know it was that bad
15:23:24 <gtema> we could make passlib something like a "fallback", that is used when we see that password was hashed with it
15:23:37 <gtema> otherwise hash new password without passlib
15:23:46 <gtema> then at some point we would be able to drop it
15:23:50 <d34dh0r53> yeah, that still means modifying requirements
15:23:56 <gtema> but that still keeps passlib in our dependencies
15:24:08 <gtema> no, we do not need to change dependencies
15:24:17 <gtema> bcrypt and cryptography are already there
15:25:01 <d34dh0r53> I haven't been able to get keystone to deploy without changing the upper requirements to bcrypt==4.0.1
15:25:08 <d34dh0r53> is there a way around that?
15:25:29 <gtema> ah, you mean that.
15:25:47 <gtema> don't know, I just played with what is in deps right now
15:26:19 <gtema> I mean a venv from a few months ago
15:27:03 <d34dh0r53> let me try something, I may be working with something incorrectly
15:27:04 <gtema> technically I can continue looking into passlib and finally reverse-engineer all the voodoo they do
15:27:22 <gtema> then we would be able to drop it completely
15:27:42 <gtema> just after 8h invested I was still not able to get all this uncovered
15:27:53 <d34dh0r53> if ansible is going to require it, there is no way that it will continue to be unmaintained
15:28:19 <gtema> right, but the code is very ugly and still has so much from py2
15:28:43 <gtema> and on the other side it seems to be also a blocker for py3.12
15:29:31 <gtema> I think passlib is something we need to solve asap for the next release (not for the 2024.1)
15:29:40 <d34dh0r53> right, I think so too
15:29:50 <d34dh0r53> it's a priority for 2024.2
15:30:04 <gtema> I'll continue digging in next days
15:30:13 <d34dh0r53> ok, thanks
15:30:20 <gtema> wlcm
15:31:28 <d34dh0r53> anything else for open discussion?
15:31:49 <gtema> don't forget to submit your candidacy into elections repo
15:32:44 <d34dh0r53> thank you!
15:33:36 <d34dh0r53> #topic bug review
15:33:40 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:33:41 <gtema> thanks for going for the next round, I already started worrying
15:34:13 <d34dh0r53> yeah, just been super busy and didn't realize that the date was coming up so quickly
15:34:47 <d34dh0r53> we have a couple of new bugs for keystone, one looks like a docs bug that may or may not be complete
15:35:00 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2054800
15:35:20 <d34dh0r53> and the second is an LDAP error that may also be incomplete
15:35:29 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2053297
15:35:52 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:36:15 <d34dh0r53> python-keystoneclient is good
15:36:17 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:36:49 <d34dh0r53> a docs bug has also been filed in keystoneauth
15:37:01 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bug/2054740
15:37:56 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:38:17 <d34dh0r53> oops, there is also this bug for keystoneauth which has a fix up already
15:38:41 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/909561
15:38:58 <d34dh0r53> keystonemiddleware is good
15:39:09 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:39:27 <d34dh0r53> pycadf is good
15:39:29 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:39:42 <d34dh0r53> as is ldappool
15:39:48 <d34dh0r53> that does it for bug review
15:39:55 <d34dh0r53> #topic conclusion
15:40:51 <d34dh0r53> I'm running again for PTL, and I just wanted to say thanks for all the help this cycle
15:41:07 <d34dh0r53> It was a good one and I'm looking forward to a successful 2024.2 :)
15:41:24 <d34dh0r53> #endmeeting