15:01:28 <d34dh0r53> #startmeeting keystone
15:01:28 <opendevmeet> Meeting started Wed Jun 26 15:01:28 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:28 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:28 <opendevmeet> The meeting name has been set to 'keystone'
15:01:52 <d34dh0r53> #topic roll call
15:01:58 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:02:27 <gtema> o/
15:02:35 <Luzi> o/
15:02:55 <jph> o/
15:03:01 <mhen> o/
15:04:17 <d34dh0r53> Hello everyone, let's get started
15:04:20 <d34dh0r53> #topic review past meeting work items
15:04:44 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-12-15.03.html
15:05:01 <d34dh0r53> no work items to review from two weeks ago
15:05:11 <d34dh0r53> #topic liaison updates
15:05:22 <d34dh0r53> nothing from releases or vmt
15:06:40 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06:56 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:05 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:13 <d34dh0r53> External OAuth 2.0 Specification
15:07:20 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:27 <d34dh0r53> OAuth 2.0 Implementation
15:07:33 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:07:39 <d34dh0r53> OAuth 2.0 Documentation
15:07:45 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07:56 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:08:17 <d34dh0r53> There are a few more to merge, I should have some cycles to work on these over the next couple of weeks
15:08:50 <gtema> there are some changes with merge conflict as of now
15:09:02 <gtema> but those are not in keystone
15:09:21 <d34dh0r53> yeah, I'm not sure if I'll work on the non-keystone stuff
15:09:32 <d34dh0r53> maybe I can sync with dmendiza on the barbican ones
15:09:48 <gtema> oh, the doc change for keystone is also in merge conflict
15:11:02 <gtema> I am not sure https://review.opendev.org/c/openstack/keystoneauth/+/876746 should land
15:11:11 <gtema> it seems like a backport
15:12:42 <dmendiza[m]> 🙋
15:12:49 <d34dh0r53> hi dmendiza
15:15:01 <opendevreview> Markus Hentsch proposed openstack/keystone-specs master: Add identity spec for Domain Manager persona https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:20:01 <Luzi> is this meeting still going on?
15:20:14 <gtema> yes Luzi
15:20:17 <d34dh0r53> Yeah, sorry, was sidetracked with the keystoneauth patch
15:20:36 <d34dh0r53> moving on
15:21:12 <d34dh0r53> #topic specification Secure RBAC ( dmendiza )
15:21:25 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:21:33 <d34dh0r53> 2024.1 Release Timeline
15:21:40 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:21:48 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:21:55 <dmendiza[m]> No updates from me. We should probably look at the above patch
15:22:07 <dmendiza[m]> for Domain Manager
15:22:25 <d34dh0r53> Yeah, that's in the open discussion section, but we can talk about it now
15:22:56 <gtema> yeah, let's do it
15:23:07 <mhen> I just rebased it (hence the bot ping above). Should I move it to the 2024.2 subdirectory? (it's still in 2024.1)
15:23:37 <gtema> I would rather keep it since otherwise all precious reviews are gone
15:23:44 <gtema> and it takes so long to get them
15:23:55 <d34dh0r53> I think 2024.1 is ok
15:24:07 <mhen> ok
15:24:11 <dmendiza[m]> Not the branch, but the directory
15:24:17 <dmendiza[m]> I would prefer it be updated to reflect when it merges
15:24:44 <dmendiza[m]> I'm sure it can be updated in the same gerrit patch? 🤔
15:24:45 <gtema> can we then do the following: a follow-up that moves it to 2024.2?
15:25:04 <dmendiza[m]> gtema (Artem Goncharov): sure, moving it after works for me
15:25:15 <d34dh0r53> works for me
15:25:26 <gtema> perfect, then only your review is open dmendiza
15:27:37 <dmendiza[m]> ack, will review asap
15:27:42 <gtema> thks a lot
15:27:49 <mhen> thank you :)
15:27:53 <mhen> btw, is there a spec freeze deadline for Keystone?
15:29:13 <d34dh0r53> looking now
15:29:40 <gtema> actually a next week (milestone-2) is so to say a deadline for specs, but projects are capable in defining own deadline for specs
15:29:57 <gtema> i.e. Nova does it a bit later (+2 weeks)
15:30:00 <gtema> https://releases.openstack.org/dalmatian/schedule.html
15:30:07 <d34dh0r53> Yeah, we're next week
15:30:37 <gtema> so we should do everything possible to land it by that time
15:30:50 <dmendiza[m]> +1
15:31:24 <mhen> that would be very appreciated
15:31:44 <gtema> mhen - I suggest you can start implementation
15:31:50 <gtema> not to waste time
15:32:11 <gtema> "under expectation"
15:33:14 <gtema> let's please move on, time ticks
15:33:38 <d34dh0r53> ack, I think we're good on that spec and SRBAC
15:33:43 <d34dh0r53> next up
15:33:57 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:34:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/920892
15:34:25 <gtema> I am waiting (still) for reviews
15:34:33 <d34dh0r53> I'll review this week
15:34:45 <gtema> thks a lot Dave Wilde (d34dh0r53)
15:35:19 <d34dh0r53> dmendiza, Grzegorz Grasza please take a look as well
15:35:25 <d34dh0r53> next up
15:35:37 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:35:46 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged)
15:35:53 <d34dh0r53> gtema: design started
15:36:01 <gtema> cool, we started similar stuff on Manila and Nova
15:36:16 <gtema> I will push a change in next days to add a new job that generates OpenAPI spec
15:36:38 <gtema> it will not be used so far, but necessary to see the progress of moving schemas into the Keystone code base
15:36:49 <gtema> so in next days changes will start appearing
15:36:52 <d34dh0r53> great!
15:37:13 <gtema> that's it so far
15:37:31 <d34dh0r53> #topic open discussion
15:37:39 <d34dh0r53> passlib update
15:37:49 <d34dh0r53> no movement upstream in the passlib project
15:38:05 <d34dh0r53> in the meantime I've pinned bcrypt in the requirements
15:38:14 <gtema> that's a real crap with upstream
15:38:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/requirements/+/921873
15:38:21 <d34dh0r53> yep, it sucks
15:38:45 <gtema> as I have tried to start switching it appeared to be quite a dirty work in some algorithms
15:39:25 <gtema> but apparently there is no way around it - it feels like a dead end for passlib
15:40:20 <d34dh0r53> there are several people willing to take over maintenance of passlib but the maintainer has gone dark again without giving anyone access
15:40:41 <d34dh0r53> I'll keep pinging on the open tickets
15:40:49 <d34dh0r53> maybe it's time for a fork
15:41:20 <gtema> ah - not sure this is a good idea - there are too many very dirty things inside
15:41:48 <gtema> and it's imho better to get rid of it as such - that's going to be clearer
15:42:24 <d34dh0r53> do you have the cycles to do that work?
15:42:41 <gtema> well, all depends on priorities
15:42:54 <d34dh0r53> indeed :)
15:42:58 <gtema> in principle - yes, but I can't commit it would be ready this cycle
15:43:22 <d34dh0r53> I think the pin will suffice for this release
15:43:30 <gtema> I think we are good now with the pin and in the meanwhile I start (slowly) getting rid of passlib
15:43:34 <gtema> correct
15:43:45 <d34dh0r53> ack, thanks gtema (Artem Goncharov) !
15:43:48 <dmendiza[m]> I'm curious, what are the alternatives to passlib ? 🤔
15:44:17 <gtema> no alternatives. Basically passlib is just a wrapper around native things like bcrypt and scrypt
15:44:26 <gtema> so it's sort of single API for those
15:44:31 <dmendiza[m]> Oh, so just rewrite in cryptography.io probably
15:44:54 <gtema> that's the point - I was able to achieve this
15:45:13 <gtema> but the most complex thing is that passlib does some black magic in bcrypt pass
15:45:32 <gtema> and it is a problem to keep backward compatibility not forcing people changing their passwords
15:46:04 <gtema> just start using cryptography is very simple in reality
15:48:07 <dmendiza[m]> I see ... 🤔
15:48:12 <d34dh0r53> moving on for time
15:48:23 <d34dh0r53> we already talked about the domain manager patch
15:48:33 <d34dh0r53> so the last item in open discussion is
15:48:40 <d34dh0r53> domain list scoping fix (mhen)
15:48:47 <d34dh0r53> the main fix was merged a while ago: https://review.opendev.org/c/openstack/keystone/+/900028
15:48:56 <d34dh0r53> Q: is https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 still applicable?
15:49:11 <d34dh0r53> it would have been a necessary adjustment to the tempest tests after the above merge but tests have been restructured in the meantime (mentioned at PTG)
15:49:23 <gtema> dmendiza's final blessing is required
15:49:39 <gtema> as he left few -1 in the past
15:51:37 <gtema> great, it works ;-)
15:51:50 <d34dh0r53> book
15:51:55 <d34dh0r53> err, boom
15:52:04 <d34dh0r53> thanks dmendiza
15:52:27 <dmendiza[m]> lgtm
15:52:31 <gtema> next thing in "open" - is the review-a-thon taking place? 2 last Fridays I waited in an empty meeting
15:52:56 <d34dh0r53> For sure it will happen this week
15:53:01 <gtema> awesome
15:53:05 <d34dh0r53> sorry, some unexpected PTO on my part
15:53:13 <gtema> np
15:53:20 <d34dh0r53> #topic bug review
15:53:30 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:53:46 <d34dh0r53> we have a new bug filed against keystone
15:53:53 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2069960
15:54:27 <d34dh0r53> That should be a pretty easy fix but I'm not sure about the backportability
15:54:59 <gtema> if that is going to happen it will influence my OpenAPI stuff and similar, since I have seen places around the OpenStack "consuming" tools with length limit (explicitly in the strong-typed languages)
15:55:32 <gtema> generally I am not having any issues with that, but it definitely has an impact
15:55:38 <d34dh0r53> yeah
15:57:37 <d34dh0r53> I just looked, we don't have new bugs in any of the remaining projects
15:58:00 <d34dh0r53> #topic conclusion
15:58:07 <d34dh0r53> anything else before we go?
15:58:27 <gtema> not for me
16:01:49 <d34dh0r53> thanks everyone!
16:01:54 <d34dh0r53> #endmeeting