15:08:09 <d34dh0r53> #startmeeting keystone
15:08:09 <opendevmeet> Meeting started Wed Jun  5 15:08:09 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:08:09 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:08:09 <opendevmeet> The meeting name has been set to 'keystone'
15:08:33 <d34dh0r53> #topic roll call
15:08:42 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:08:58 <xek> o/
15:09:00 <d34dh0r53> apologies for the late start, internal meeting ran over
15:09:03 <gtema> o/
15:10:19 <d34dh0r53> #topic review past meeting work items
15:10:44 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.html
15:10:52 <d34dh0r53> No action items from the last meeting, so we'll move on
15:11:03 <d34dh0r53> #topic liaison updates
15:11:12 <d34dh0r53> no updates from VMT or Releases
15:11:48 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/fvtpEMahbekNLRCfgoxzSTWG>)
15:12:24 <d34dh0r53> I need to get to rebasing the remaining patches to see if we can finish this up
15:12:53 <d34dh0r53> next up
15:13:12 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/uWeAyJusTMVCvAcmLqLAwxNC>)
15:13:30 <d34dh0r53> dmendiza: are you around? I didn't see you in the roll call
15:14:41 <dmendiza[m]> 🙋‍♂️
15:15:52 <d34dh0r53> guess not, moving on
15:16:17 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:16:17 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/920892
15:16:17 <d34dh0r53> ready for review
15:16:19 <gtema> wait
15:16:39 <gtema> does somebody remember what is the state with SRBAC and Heat - there was something
15:17:10 <dmendiza[m]> gtema (Artem Goncharov): Yeah, there is some workflow in Heat where they send Keystone a domain-scoped token
15:17:39 <dmendiza[m]> policy for that specific API did not allow domain-scoped requests, so the request failed
15:18:45 <gtema> somebody is working on the fix?
15:19:06 <d34dh0r53> I'll give this a review this week, thanks gtema (Artem Goncharov)
15:19:10 <dmendiza[m]> The policy was fixed in this patch:
15:19:12 <d34dh0r53> next up
15:19:16 <dmendiza[m]> #link https://opendev.org/openstack/keystone/commit/dd785ee692118a56ea0e3aaaf7f5bd6c73ea9c91
15:19:24 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:19:24 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:19:24 <d34dh0r53> gtema: waiting for reviews
15:19:30 <dmendiza[m]> gtema (Artem Goncharov) ☝️
15:19:57 <gtema> feels like a heavy un-sync between my element and Dave's
15:20:14 <dmendiza[m]> gtema (Artem Goncharov): 💯
15:20:20 <gtema> thks dmendiza
15:20:28 <dmendiza[m]> gtema (Artem Goncharov): pinging Dave Wilde (d34dh0r53) on a different channel
15:21:10 <d34dh0r53> I just found out I'm not seeing any of your messages, going to restart my client, BRB
15:21:19 <bbobrov> (just use irc, duh)
15:21:37 <gtema> nope - that's the problem: IRC bridge
15:21:44 <d34dh0r53> testing?
15:21:50 <bbobrov> d34dh0r53: passed
15:22:04 <dmendiza[m]> Dave Wilde (d34dh0r53): pong
15:22:10 <opendevreview> Artem Goncharov proposed openstack/keystone master: Improve configuration of out-of-tree identity drivers  https://review.opendev.org/c/openstack/keystone/+/920892
15:22:14 <d34dh0r53> hah, wow, really sorry about that
15:22:46 <d34dh0r53> I had an element update waiting for me and I'll bet it had expired my keys
15:23:01 <gtema> Dave Wilde (d34dh0r53): just pushed pep God's fix for the improving out-of-tree driver config (misread email that test failed before)
15:23:33 <gtema> the change itself is not big, added lots of comments and therefore it looks bigger than it is
15:23:50 <d34dh0r53> ok, cool
15:24:03 <gtema> struggled (as usual) convincing all the singletons my test is fine - it's a nightmare
15:24:40 <gtema> anyway - the change is ready for review and no race in tests should be added with the latest patchset
15:24:56 <gtema> tested explicitly with serial=1
15:25:24 <gtema> wrt openapi: waiting for the spec to land
15:26:21 <d34dh0r53> ack
15:26:28 <d34dh0r53> dmendiza: any srbac updates?
15:27:08 <dmendiza[m]> Only the link I shared earlier that allows domain-scoped tokens to /v3/domains
15:27:23 <dmendiza[m]> it was backported back to antelope
15:27:55 <d34dh0r53> ack
15:29:02 <bbobrov> (the one that i wanted reverted i guess)
15:30:37 <d34dh0r53> No, I think it was a different one bbobrov
15:31:41 <bbobrov> https://review.opendev.org/q/I8ee50efc3b4850060cce840fc904bae17f1503a9 ?
15:32:20 <d34dh0r53> Yeah
15:32:54 <bbobrov> yes, it is the one
15:33:58 <bbobrov> i don't know. I managed to work around this in our cloud, so i am not broken any more. But i still think that this change breaks API stability and should not have been merged like that.
15:34:06 <dmendiza[m]> Yeah, IIRC, your disagreement was about the filtering, not necessarily the policy?
15:34:35 <bbobrov> yes, it was about the filtering, but filtering got backported too
15:35:46 <bbobrov> i am not broken with the change. I know a company that will get broken with this. Maybe they will come with a bugreport later.
15:40:25 <d34dh0r53> Sorry, was looking for your comment, and I just found it, I thought it was a -1
15:42:10 <bbobrov> yeah, i should have put a -1
15:42:47 <d34dh0r53> I would argue that the previous behavior was a bug and this fixes it, but my gut feeling is that 'domain' means different things to different people.  Let's see if a bug is filed.
15:43:40 <d34dh0r53> I think the only spec we haven't visited yet is
15:43:54 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:43:54 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:43:54 <d34dh0r53> gtema: waiting for reviews
15:44:02 <d34dh0r53> Grzegorz Grasza:
15:44:10 <d34dh0r53> can you take a look at that one?
15:46:51 <d34dh0r53> moving on
15:46:56 <d34dh0r53> #topic open discussion
15:47:04 <d34dh0r53> passlib update... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/enFOUAKlodnKOxTDbwCwmyOA>)
15:47:20 <d34dh0r53> no update, I need to propose a patch to pin upper-constraints
15:47:25 <d34dh0r53> next up
15:47:37 <d34dh0r53> domain manager (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ttlvUIIdMfZZgFLPrzPZbnRG>)
15:48:26 <d34dh0r53> dmendiza or Grzegorz Grasza can y'all please take a look at this one?
15:49:01 <gtema> yes, pls pls pls
15:49:10 <bbobrov> there is also this - https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545
15:49:32 <bbobrov> which was blocked for me (thanks!) and which should not be blocked any more
15:52:44 <d34dh0r53> ack, I'll unblock that one
15:52:46 <d34dh0r53> thanks bbobrov
15:52:51 <d34dh0r53> domain list scoping fix (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/kgigdMYKyYbaZFuKdYDXyewK>)
15:52:52 <d34dh0r53> next up
15:53:17 <d34dh0r53> We just talked about that
15:53:32 <d34dh0r53> finally in open discussion we have
15:53:43 <d34dh0r53> Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/GTlTzihMFAAlDTiTFGJHvjTl>)
15:53:50 <dmendiza[m]> I think this is just about the test, not the patch
15:54:00 <dmendiza[m]> oh whoops, a second too late haha
15:54:55 <d34dh0r53> no worries dmendiza we can go back ^Z ^Z
15:58:01 <dmendiza[m]> Yeah, I want to say the only question we had was whether to merge that patch to tempest-plugin with the test for that endpoint
15:58:29 <dmendiza[m]> IIRC, the test that is there now only tests on the domain for the user making the request and that patch has a cross-domain test ...
15:58:43 <dmendiza[m]> I don't have a preference either way
16:00:53 <d34dh0r53> I think we should merge 900545 then
16:01:26 <d34dh0r53> and I think the only two remaining on the last point are whether or not https://review.opendev.org/c/openstack/keystone/+/916707 needs backports and https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/919405 needs reviews from dmendiza and Grzegorz Grasza.
16:01:36 <d34dh0r53> Let's quickly go through bug review
16:01:41 <d34dh0r53> #topic bug review
16:01:58 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
16:02:04 <d34dh0r53> no new bugs for keystone
16:02:18 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
16:02:36 <d34dh0r53> python-keystoneclient is good
16:03:01 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
16:03:06 <d34dh0r53> nothing new in keystoneauth
16:03:20 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
16:03:27 <d34dh0r53> keystonemiddleware is also good
16:03:37 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:03:49 <d34dh0r53> no new bugs in pycadf
16:04:01 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:04:06 <d34dh0r53> and ldappool is also clean
16:04:12 <d34dh0r53> #topic conclusion
16:04:35 <d34dh0r53> nothing from me, thanks all, apologies for the late start and missing messages :/
16:04:52 <d34dh0r53> #endmeeting