15:08:09 #startmeeting keystone
15:08:09 Meeting started Wed Jun 5 15:08:09 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:08:09 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:08:09 The meeting name has been set to 'keystone'
15:08:33 #topic roll call
15:08:42 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:08:58 o/
15:09:00 apologies for the late start, internal meeting ran over
15:09:03 o/
15:10:19 #topic review past meeting work items
15:10:44 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.html
15:10:52 No action items from the last meeting, so we'll move on
15:11:03 #topic liaison updates
15:11:12 no updates from VMT or Releases
15:11:48 #topic specification OAuth 2.0 (hiromu)... (full message at )
15:12:24 I need to get to rebasing the remaining patches to see if we can finish this up
15:12:53 next up
15:13:12 #topic specification Secure RBAC (dmendiza[m])... (full message at )
15:13:30 dmendiza: are you around? I didn't see you in the roll call
15:14:41 🙋‍♂️
15:15:52 guess not, moving on
15:16:17 #topic specification Improve federated users management (gtema)
15:16:17 #link https://review.opendev.org/c/openstack/keystone/+/920892
15:16:17 ready for review
15:16:19 wait
15:16:39 does somebody remember what is the state with SRBAC and Heat - there was something
15:17:10 gtema (Artem Goncharov): Yeah, there is some workflow in Heat where they send Keystone a domain-scoped token
15:17:39 policy for that specific API did not allow domain-scoped requests, so the request failed
15:18:45 somebody is working on the fix?
15:19:06 I'll give this a review this week, thanks gtema (Artem Goncharov)
15:19:10 The policy was fixed in this patch:
15:19:12 next up
15:19:16 #link https://opendev.org/openstack/keystone/commit/dd785ee692118a56ea0e3aaaf7f5bd6c73ea9c91
15:19:24 #topic specification OpenAPI support (gtema)
15:19:24 #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:19:24 gtema: waiting for reviews
15:19:30 gtema (Artem Goncharov) ☝️
15:19:57 feels like a heavy un-sync between my element and Dave's
15:20:14 gtema (Artem Goncharov): 💯
15:20:20 thks dmendiza
15:20:28 gtema (Artem Goncharov): pinging Dave Wilde (d34dh0r53) on a different channel
15:21:10 I just found out I'm not seeing any of your messages, going to restart my client, BRB
15:21:19 (just use irc, duh)
15:21:37 nope - that's the problem: IRC bridge
15:21:44 testing?
15:21:50 d34dh0r53: passed
15:22:04 Dave Wilde (d34dh0r53): pong
15:22:10 Artem Goncharov proposed openstack/keystone master: Improve configuration of out-of-tree identity drivers https://review.opendev.org/c/openstack/keystone/+/920892
15:22:14 hah, wow, really sorry about that
15:22:46 I had an element update waiting for me and I'll bet it had expired my keys
15:23:01 Dave Wilde (d34dh0r53): just pushed pep God's fix for the improving out-of-tree driver config (misread email that test failed before)
15:23:33 the change itself is not big, added lots of comments and therefore it looks bigger than it is
15:23:50 ok, cool
15:24:03 struggled (as usual) convincing all the singletons my test is fine - it's a nightmare
15:24:40 anyway - the change is ready for review and no race in tests should be added with the latest patchset
15:24:56 tested explicitly with serial=1
15:25:24 wrt openapi: waiting for the spec to land
15:26:21 ack
15:26:28 dmendiza: any srbac updates?
15:27:08 Only the link I shared earlier that allows domain-scoped tokens to /v3/domains
15:27:23 it was backported back to antelope
15:27:55 ack
15:29:02 (the one that i wanted reverted i guess)
15:30:37 No, I think it was a different one bbobrov
15:31:41 https://review.opendev.org/q/I8ee50efc3b4850060cce840fc904bae17f1503a9 ?
15:32:20 Yeah
15:32:54 yes, it is the one
15:33:58 i don't know. I managed to work around this in our cloud, so i am not broken any more. But i still think that this change breaks API stability and should not have been merged like that.
15:34:06 Yeah, IIRC, your disagreement was about the filtering, not necessarily the policy?
15:34:35 yes, it was about the filtering, but filtering got backported too
15:35:46 i am not broken with the change. I know a company that will get broken with this. Maybe they will come with a bugreport later.
15:40:25 Sorry, was looking for your comment, and I just found it, I thought it was a -1
15:42:10 yeah, i should have put a -1
15:42:47 I would argue that the previous behavior was a bug and this fixes it, but my gut feeling is that 'domain' means different things to different people. Let's see if a bug is filed.
15:43:40 I think the only spec we haven't visited yet is
15:43:54 #topic specification OpenAPI support (gtema)
15:43:54 #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:43:54 gtema: waiting for reviews
15:44:02 Grzegorz Grasza:
15:44:10 can you take a look at that one?
15:46:51 moving on
15:46:56 #topic open discussion
15:47:04 passlib update... (full message at )
15:47:20 no update, I need to propose a patch to pin upper-constraints
15:47:25 next up
15:47:37 domain manager (mhen)... (full message at )
15:48:26 dmendiza or Grzegorz Grasza can y'all please take a look at this one?
15:49:01 yes, pls pls pls
15:49:10 there is also this - https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545
15:49:32 which was blocked for me (thanks!) and which should not be blocked any more
15:52:44 ack, I'll unblock that one
15:52:46 thanks bbobrov
15:52:51 domain list scoping fix (mhen)... (full message at )
15:52:52 next up
15:53:17 We just talked about that
15:53:32 finally in open discussion we have
15:53:43 Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at )
15:53:50 I think this is just about the test, not the patch
15:54:00 oh whoops, a second too late haha
15:54:55 no worries dmendiza we can go back ^Z ^Z
15:58:01 Yeah, I want to say the only question we had was whether to merge that patch to tempest-plugin with the test for that endpoint
15:58:29 IIRC, the test that is there now only tests on the domain for the user making the request and that patch has a cross-domain test ...
15:58:43 I don't have a preference either way
16:00:53 I think we should merge 900545 then
16:01:26 and I think the only two remaining on the last point are whether or not https://review.opendev.org/c/openstack/keystone/+/916707 needs backports and https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/919405 needs reviews from dmendiza and Grzegorz Grasza.
16:01:36 Let's quickly go through bug review
16:01:41 #topic bug review
16:01:58 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
16:02:04 no new bugs for keystone
16:02:18 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
16:02:36 python-keystoneclient is good
16:03:01 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
16:03:06 nothing new in keystoneauth
16:03:20 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
16:03:27 keystonemiddleware is also good
16:03:37 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:03:49 no new bugs in pycadf
16:04:01 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:04:06 and ldappool is also clean
16:04:12 #topic conclusion
16:04:35 nothing from me, thanks all, apologies for the late start and missing messages :/
16:04:52 #endmeeting