15:05:21 <d34dh0r53> #startmeeting keystone
15:05:21 <opendevmeet> Meeting started Wed Apr 17 15:05:21 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:05:21 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:05:21 <opendevmeet> The meeting name has been set to 'keystone'
15:05:41 <d34dh0r53> #topic roll call
15:05:43 <xek> o/
15:05:49 <mhen> o/
15:05:51 <dmendiza[m]> 🙋‍♂️
15:05:56 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:06:05 <bbobrov> \o
15:06:07 <d34dh0r53> o/
15:06:43 <d34dh0r53> #topic review past meeting work items
15:07:33 <d34dh0r53> no updates from me
15:07:45 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:08:03 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:08:08 <d34dh0r53> next up
15:08:23 <d34dh0r53> #topic liaison updates
15:08:32 <d34dh0r53> nothing from VMT
15:08:35 <d34dh0r53> nor releases
15:09:07 <d34dh0r53> moving on to specifications
15:09:25 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:09:27 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:09:29 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:09:31 <d34dh0r53> External OAuth 2.0 Specification
15:09:33 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:09:35 <d34dh0r53> OAuth 2.0 Implementation
15:09:37 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:09:39 <d34dh0r53> OAuth 2.0 Documentation
15:09:41 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:09:43 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:10:16 <d34dh0r53> did anyone see hiromu or anyone from Tacker at the PTG?
15:10:26 <d34dh0r53> Tacker did not have a session that I saw
15:12:21 <d34dh0r53> welp, if you see hiromu or anyone from Tacker online have them ping me
15:12:25 <d34dh0r53> next up
15:12:48 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:12:50 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline
15:12:52 <d34dh0r53> 2024.1 Release Timeline
15:12:54 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:12:56 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:12:58 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:13:00 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)
15:13:02 <d34dh0r53> #link https://review.opendev.org/c/openstack/tempest/+/912489
15:13:15 <dmendiza[m]> Things are looking good
15:13:24 <dmendiza[m]> most of the patches I've submitted have merged
15:13:49 <dmendiza[m]> I want to say we are again enforcing the SRBAC job in Keystone which is great
15:14:01 <dmendiza[m]> The only outstanding patch I have is for Tempest where I enable SRBAC on Keystone
15:14:04 <dmendiza[m]> #link https://review.opendev.org/c/openstack/tempest/+/912489
15:14:13 <d34dh0r53> I just reviewed that one
15:14:23 <dmendiza[m]> Got one +2 for now (thanks gmann!)
15:14:29 <dmendiza[m]> d34dh0r53: thanks!
15:14:35 <d34dh0r53> I need to figure out the correct way to release keystone-tempest-plugin
15:14:36 <dmendiza[m]> That's all for now
15:14:46 <d34dh0r53> thanks dmendiza[m]
15:14:53 <dmendiza[m]> I still have not caught up on SRBAC PTG things
15:14:53 <d34dh0r53> next up
15:14:56 <dmendiza[m]> so maybe more next week
15:15:17 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:15:19 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:15:40 <gtema> I am stuck in a conflict with the spec author
15:16:05 <gtema> I think the proposed API change is dangerous and error prone while he apparently does not see the problem
15:17:35 <gtema> apparently someone from the cores needs to step up to decide
15:19:12 <d34dh0r53> yeah, reading the thread now
15:20:43 <d34dh0r53> we'll discuss this in the reviewathon this Friday
15:20:45 <bbobrov> do i understand correctly, that the author proposes to get projects and assignments as a json from an IdP?
15:20:57 <gtema> yes
15:21:01 <gtema> but the point is HOW
15:21:08 <gtema> there is "projects" field
15:21:26 <gtema> and he proposes adding projects_json field which will be string and merged in Keystone
15:21:48 <gtema> INSTEAD of making "projects" field being oneOf: [object, string]
15:25:54 <d34dh0r53> I'm going to defer this to the reviewathon, I'd really like to hear the other cores opinion on this one
15:26:20 <gtema> ok, thks. Just for reference: all OpenStack apis are relying on polymorphism
15:26:39 <gtema> and here it is proposed to go back to "counter_str" and "counter_int" style
15:27:26 <d34dh0r53> that's a good point
15:27:39 <gtema> and especially splitting user data between static config on the Keystone side and data coming from an external IdP and merging it is especially dangerous
15:28:33 <gtema> purpose of the changes in the ephemeral users mgmt is to have 1 system (external IdP) responsible for the data
15:29:23 <gtema> splitting it feels like a knife in the back during the security audits
15:30:36 <gtema> ok, we can go on
15:31:41 <d34dh0r53> food for thought
15:31:44 <d34dh0r53> moving on
15:32:07 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:32:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:32:47 <gtema> i checked, stephenfin linked my spec for PTG, so we are really talking about a single thing and a single spec
15:33:15 <d34dh0r53> ack, this spec is the only one now, correct?
15:33:20 <gtema> right
15:33:35 <d34dh0r53> cool
15:34:38 <gtema> means: spec is there and needs reviews
15:34:59 <d34dh0r53> will do
15:35:05 <gtema> thks
15:35:13 <d34dh0r53> np
15:35:28 <d34dh0r53> #topic open discussion
15:35:50 <d34dh0r53> passlib update
15:35:52 <d34dh0r53> The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug
15:35:54 <d34dh0r53> #link https://foss.heptapod.net/python-libs/passlib/-/issues/190
15:35:56 <d34dh0r53> Targeted to 1.7.5
15:36:17 <d34dh0r53> I pinged on the bug again last week for an update on 1.7.5 and we still don't have one
15:36:34 <d34dh0r53> The maintainer really needs to hand over the reins to someone
15:36:56 <gtema> yupp
15:37:11 <d34dh0r53> I'll continue to ping in the issue
15:37:32 <bbobrov> internet_infrastructure_and_overworked_maintainer.jpg
15:37:38 <d34dh0r53> domain manager (mhen)
15:37:40 <d34dh0r53> https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:37:42 <d34dh0r53> addressed review comments
15:37:44 <d34dh0r53> rebased on 2024.1, renamed to domain-manager-persona (from "...-role")
15:38:09 <mhen> as mentioned in the PTG this one needs new reviews
15:38:22 <mhen> I rebased it and also cleaned up existing comments
15:38:48 <d34dh0r53> ack, I didn't look but it failed some checks
15:38:51 <gtema> today I looked at it and I feel like it again talks about ...-role
15:39:09 <mhen> wait ... did I mess up?
15:39:16 <gtema> i think so
15:39:28 <gtema> the file got renamed, but the content tells different
15:39:50 <mhen> oh shoot
15:39:57 <mhen> thanks for bringing this up
15:40:17 <mhen> something got rolled back during my git-review commands it seems
15:40:18 <gtema> sure
15:40:23 <mhen> will clear this up asap
15:41:12 <mhen> yea sorry about that, I will fix it - we can move on
15:42:01 <d34dh0r53> thank you mhen
15:42:07 <d34dh0r53> next up
15:42:18 <d34dh0r53> domain list scoping fix (mhen)
15:42:20 <d34dh0r53> the main fix was merged a while ago: https://review.opendev.org/c/openstack/keystone/+/900028
15:42:22 <d34dh0r53> Q: is https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 still applicable?
15:42:24 <d34dh0r53> it would have been a necessary adjustment to the tempest tests after the above merge but tests have been restructured in the meantime (mentioned at PTG)
15:42:30 <d34dh0r53> this is a question for dmendiza[m]
15:45:13 <d34dh0r53> he might not be around, I still need to talk with him about the next topic so I'll raise this as well
15:45:29 <d34dh0r53> policy API and OS-ENDPOINT-POLICY
15:45:31 <d34dh0r53> policy API is deprecated
15:45:33 <d34dh0r53> OS-ENDPOINT-POLICY depends on it
15:45:35 <d34dh0r53> what is the status?
15:45:58 <d34dh0r53> as I mentioned dmendiza[m] and I need to talk about this question, I'll have a meeting with him this afternoon
15:46:12 <bbobrov> all right!
15:46:15 <d34dh0r53> Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)
15:46:17 <d34dh0r53> https://bugs.launchpad.net/keystone/+bug/2059780
15:46:19 <d34dh0r53> https://review.opendev.org/c/openstack/keystone/+/914759
15:46:56 <tkajinam> I'm unsure if this was covered in the past meeting, but I wanted to make sure you are aware of this problem since you were talking about enforcing scope by default
15:47:52 <tkajinam> I started testing heat with new defaults/scope enforcement enabled in all services and this is the first problem I'm hitting now. I suspect there can be a few more domain admin rules we have to fix but I'll test the scenario further to catch these
15:49:22 <tkajinam> fyi. This is the problem I raised during the RBAC session during the last ptg, in case you were there.
15:49:28 <d34dh0r53> thank you for the awareness tkajinam
15:49:34 <d34dh0r53> I missed the RBAC session
15:49:49 <d34dh0r53> unfortunately, really kicking myself for missing that
15:49:57 <opendevreview> Markus Hentsch proposed openstack/keystone-specs master: Add identity spec for Domain Manager persona  https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:50:11 <tkajinam> no problem :-)
15:50:52 <d34dh0r53> I've added dmendiza[m] as a reviewer
15:51:13 <d34dh0r53> moving on for the sake of time
15:51:16 <d34dh0r53> #topic bug review
15:51:25 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:52:31 <d34dh0r53> looks like a new bug about password length notifications
15:52:35 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2061922
15:52:59 <bbobrov> that is a cover bug for my spec
15:53:07 <bbobrov> oh
15:53:07 <bbobrov> no
15:53:08 <bbobrov> sorry
15:53:13 <bbobrov> disregard that
15:54:07 <d34dh0r53> ahh, ok
15:54:20 <d34dh0r53> this one is
15:54:28 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2060972
15:54:56 <bbobrov> re https://bugs.launchpad.net/keystone/+bug/2061922 - the uncertainty around these numbers and password length is one of the factors preventing me from upgrading from Zed
15:55:36 <d34dh0r53> noted, I'll make sure it's consistent and correct
15:57:08 <d34dh0r53> finally in keystone
15:57:14 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2060452
15:57:55 <d34dh0r53> it's being worked and will need reviews
15:58:01 <d34dh0r53> next up
15:58:03 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:58:09 <d34dh0r53> no new bugs there
15:58:29 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:58:36 <d34dh0r53> keystoneauth has no new bugs
15:59:00 <d34dh0r53> keystonemiddleware is also good
15:59:05 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:59:31 <d34dh0r53> sorry, link would be helpful for middleware ;)
15:59:48 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:59:53 <d34dh0r53> nothing new for pycadf
16:00:13 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:00:18 <d34dh0r53> ldappool is also good
16:00:28 <d34dh0r53> that does it for bug review
16:00:35 <d34dh0r53> #topic conclusion
16:00:55 <d34dh0r53> Good to see folks at the PTG and I'm looking forward to this cycle
16:01:12 <d34dh0r53> Reviewathon on Friday, please let me know if you'd like a calendar invite
16:01:22 <d34dh0r53> That's it for me, anything else?
16:01:43 <d34dh0r53> Thanks folks!
16:01:47 <d34dh0r53> #endmeeting