15:02:56 #startmeeting keystone
15:02:56 Meeting started Wed May 8 15:02:56 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:56 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:56 The meeting name has been set to 'keystone'
15:03:58 #topic roll call
15:04:15 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:04:24 o/
15:04:27 o/
15:07:13 o/
15:07:28 #topic review past meeting work items
15:08:13 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-01-14.59.html
15:08:21 no updates from me
15:08:48 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:08:58 moving on
15:09:10 #topic liaison updates
15:09:19 nothing from VMT or Releases
15:12:17 next up
15:12:40 #topic specification OAuth 2.0 (hiromu)
15:12:57 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext... (full message at )
15:13:21 not sure if hiromu is around
15:14:22 moving on
15:14:37 #topic specification Secure RBAC (dmendiza[m])
15:14:50 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_... (full message at )
15:15:16 dmendiza: is on PTO this week, so no SRBAC update
15:15:28 next up
15:15:42 #topic specification Improve federated users management (gtema)
15:15:50 #link https://review.opendev.org/c/openstack/keystone-specs/+/748748
15:15:50 gtema: clearly against introducing bad API precedent, desperately waiting for other opinions
15:16:26 as stated in etherpad - against bad api design, but desperately waiting for feedback from others
15:17:08 and btw - thinking further (next step) I am actually wondering how external IdP should represent projects and roles
15:18:30 yeah, I'm not sure, I think it would likely be IdP dependent and might make keystone's job very difficult
15:19:26 right, and I do not want to invent workarounds. On the other side IdP is not really responsible for tracking of provider resources. It just takes care of user/group/role
15:19:44 but anyway - now there is a problem that any sort of info must come from IdP
15:20:50 today I started thinking about introducing a plugin to keystone that may be invoked to sync some group/project/role data with external system
15:20:57 this is just thinking at the moment
15:21:43 so imagine user wants to login and pre-auth plugin does the job to manage groups for the user in question (or just syncs data with some external system)
15:22:33 there is definitely a performance issue to keep in mind
15:23:24 anyway - please please please do review the spec (wrt my comments)
15:23:53 any opinions are better than silence, because it is stuck
15:24:34 ack, I'll add my thoughts as well
15:24:36 next up
15:25:07 #topic specification OpenAPI support (gtema)
15:25:10 #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:25:10 gtema: waiting for reviews
15:25:57 yupp, 2 weeks ago dimendiza added comments and stephenfin updated the change (sadly breaking it). But now it passes and following reviews are necessary
15:26:13 Yeah, I read this but forgot to review, I'm all for it
15:26:29 awesome, thanks Dave Wilde (d34dh0r53)
15:26:59 np
15:27:18 #topic open discussion
15:27:36 passlib update... (full message at )
15:29:30 no update, the maintainer is missing again, we may have to pin requirements until either we can a) find a maintainer for passlib or b) replace it with something else. Option a is vastly superior as replacing passlib will be difficult to say the least and might break existing deployments.
15:30:00 several projects rely on passlib and my hope is for a takeover of the maintenance
15:30:10 I am really wondering that after all discussion it again got stuck
15:34:45 I just bumped the maintenance thread on passlib
15:34:58 #link https://foss.heptapod.net/python-libs/passlib/-/issues/187
15:34:59 cool
15:35:23 next up
15:35:25 domain manager (mhen)... (full message at )
15:35:57 yupp, here few +1
15:36:32 yeah, I'm good with that, I'll let dmendiza give the final +2
15:36:43 awesome, thanks
15:37:00 domain list scoping fix (mhen)... (full message at )
15:38:40 I think it does not harm
15:38:53 it extends verification
15:39:48 ack
15:39:50 ah, but dmendiza wrote this was already adapted recently
15:40:21 and still he was not against that (just asking for rebase)
15:40:21 Yeah, that's the question I have, I'll bug dmendiza about it when he gets back
15:41:40 next up
15:41:42 Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at )
15:42:31 ok the first one got 2nd +2. that's nice
15:42:45 I'm going to merge 914759, I just saw that dmendiza gave it a
15:42:46 +c
15:42:56 keyboard fail +2
15:42:56 thx. I'll submit backport once these are merged in master.
15:43:12 thank you tkajinam !
15:43:45 :-)
15:43:51 I'll go through the rest of the reviews after the meeting
15:44:03 thanks
15:44:05 FYI. Some of the post-release patches are still open (tkajinam)... (full message at )
15:44:08 ditto for these
15:44:17 anything that needs special attention?
15:44:21 yeah. I think you already gave your +2 to these.
15:44:38 because these are automated patches, I'd suggest single core approval rather than leaving these for long
15:44:52 but it's basically up to the team. I just want to make sure these are in radar of cores
15:45:06 that's it
15:45:31 no, I owe reviews for these, I'll take care of them today
15:45:32 thanks
15:45:33 moving on
15:45:39 #topic bug review
15:45:54 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:46:15 no new bugs for keystone
15:46:24 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:46:36 keystoneclient is good
15:46:48 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:47:01 no new bugs in keystoneauth
15:47:13 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:47:26 keystonemiddleware is also good
15:47:36 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:48:00 pycadf is clean
15:48:02 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:48:12 as is ldappool
15:48:19 #topic conclusion
15:48:37 Thanks everyone!
15:49:00 Anyone have anything before we close?
15:49:11 nothing from me
15:49:43 it'd be nice if https://review.opendev.org/c/openstack/keystonemiddleware/+/909322 can be merged soon. we are quite close to get rid of six which has been unnecessary for long.
15:49:48 that's all from me :-)
15:50:05 indeed
15:51:04 I left +2, d34dh0r53 - feel free to +w
15:51:18 done
15:51:36 thanks, both :-D
15:51:45 Awesome, thanks again all!
15:51:48 #endmeeting