15:02:17 <d34dh0r53> #startmeeting keystone
15:02:17 <opendevmeet> Meeting started Wed Mar 27 15:02:17 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:17 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:17 <opendevmeet> The meeting name has been set to 'keystone'
15:02:39 <d34dh0r53> #topic roll call
15:02:47 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:02:49 <d34dh0r53> o/
15:03:38 <dmendiza[m]> 🙋
15:04:26 <d34dh0r53> #topic review past meeting work items
15:05:05 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-20-15.00.html
15:05:19 <d34dh0r53> no updates from me
15:05:27 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:05:34 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:05:45 <d34dh0r53> #topic liaison updates
15:07:08 <d34dh0r53> nothing much, on the VMT side, we've converted two private bugs to public, LMK if you want details
15:07:20 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:07:29 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:31 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:33 <d34dh0r53> External OAuth 2.0 Specification
15:07:35 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:07:37 <d34dh0r53> OAuth 2.0 Implementation
15:07:39 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:07:41 <d34dh0r53> OAuth 2.0 Documentation
15:07:43 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:07:45 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:08:50 <d34dh0r53> guess hiromu isn't around
15:09:07 <d34dh0r53> next up
15:09:37 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:09:49 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:51 <d34dh0r53> 2024.1 Release Timeline
15:09:51 <dmendiza[m]> 🙋
15:09:53 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:09:55 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:09:55 <dmendiza[m]> Yeah, lots of updates
15:09:57 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:09:59 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)
15:10:06 <d34dh0r53> awesome!
15:10:51 <dmendiza[m]> OK, first up, it looks like Tempest currently has an all-or-nothing approach for setting scope in the Admin clients.
15:11:03 <dmendiza[m]> That means that they're either all project-scope or all system-scope
15:11:29 <dmendiza[m]> Unfortunately that does not work since some projects (i.e. neutron) only allow project-scoped requests for admin APIs.
15:11:46 <dmendiza[m]> So, for now, we want to only run tests as project-scoped admins
15:11:56 <dmendiza[m]> which is what this patch does: (in keystone at least)
15:12:02 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone/+/913999
15:12:19 <dmendiza[m]> Still need another review (maybe from knikolla ?)
15:12:31 <dmendiza[m]> since Grzegorz Grasza is out on PTO this week
15:13:15 <dmendiza[m]> Now, for some reason, devstack also sets those same options
15:13:28 <dmendiza[m]> so we have duplicate code setting the same options in two repos
15:13:39 <dmendiza[m]> this is the patch to remove them from lib/tempest in the devstack repo:
15:13:45 <dmendiza[m]> #link https://review.opendev.org/c/openstack/devstack/+/914115
15:14:28 <dmendiza[m]> Next, I have a patch that modifies a couple of policies that were missed when we implemented Phase 1 of SRBAC:
15:14:36 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone/+/914520
15:14:57 <dmendiza[m]> That one is fresh out of the oven, so still waiting on CI to run the gate jobs
15:15:58 <dmendiza[m]> Additionally, we still have the "protection" aka SRBAC jobs disabled in Keystone. I have a patch up to re-enable them, but I am not sure why it failed when I rebased... I'll look into that next:
15:16:00 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone/+/909238
15:16:57 <dmendiza[m]> Moving on, we do not have any tests that run the full tempest suite against Keystone with SRBAC turned on
15:17:55 <dmendiza[m]> Tempest does have an SRBAC job, but Keystone is not currently enforcing SRBAC. I have a patch up to enable it in that existing job. Currently failing the gate, but mostly due to needing some of the patches I've linked
15:18:00 <dmendiza[m]> #link https://review.opendev.org/c/openstack/tempest/+/912489
15:19:27 <dmendiza[m]> Lastly, I have a patch to rename the tempest option that enables SRBAC tests in keystone-tempest-plugin. Currently it does its own thing, and my patch changes it to be in-line with the rest of the projects that use the [enforce_scope] section of tempest.conf
15:19:33 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/913593
15:20:48 <dmendiza[m]> Oh, and I also have a DNM test to keystone-tempest-plugin to pull everything together across all those related repos and run a full suite test of SRBAC using project-admin credentials:
15:20:54 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914089
15:21:18 <dmendiza[m]> I still need to investigate why it's failing. I think we may need to change some tests around in the srbac suite due to the change of admin scope.
15:21:22 <dmendiza[m]> That's all for now.
15:21:40 * dmendiza[m] feels like he's juggling spinning plates
15:22:54 <d34dh0r53> wow, that was a lot
15:22:57 <d34dh0r53> thanks dmendiza[m]
15:23:05 <d34dh0r53> I'll leave it open for questions for a minute or two
15:27:23 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:27:27 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:33:17 <d34dh0r53> next up
15:33:28 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:33:33 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:35:28 <d34dh0r53> #topic open discussion
15:35:36 <d34dh0r53> passlib update
15:35:38 <d34dh0r53> The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug
15:35:40 <d34dh0r53> #link https://foss.heptapod.net/python-libs/passlib/-/issues/190
15:35:42 <d34dh0r53> Targeted to 1.7.5
15:36:20 <d34dh0r53> No updates on this, hopefully 1.7.5 will be released soon
15:39:33 <d34dh0r53> #topic bug review
15:39:40 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:39:47 <d34dh0r53> no new bugs for keystone
15:39:59 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:40:20 <d34dh0r53> python-keystoneclient is good
15:40:32 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:40:48 <d34dh0r53> nothing new in keystoneauth
15:40:55 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:42:06 <d34dh0r53> one new bug in keystonemiddleware
15:42:10 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/1940770
15:42:26 <d34dh0r53> it's actually not new, just recently updated
15:43:04 <d34dh0r53> I'll keep an eye on that one, maybe we should move to pymemcache
15:43:16 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:43:28 <d34dh0r53> no new bugs for pycadf
15:43:34 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:43:45 <d34dh0r53> ldappool is good
15:43:49 <d34dh0r53> #topic conclusion
15:44:05 <d34dh0r53> Nothing from me, add topics for the PTG to
15:44:15 <d34dh0r53> #link https://etherpad.opendev.org/p/dalmation-ptg-keystone
15:44:22 <d34dh0r53> Thanks all!
15:44:25 <d34dh0r53> #endmeeting