15:01:28 <d34dh0r53> #startmeeting keystone
15:01:28 <opendevmeet> Meeting started Wed Jun 26 15:01:28 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:28 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:28 <opendevmeet> The meeting name has been set to 'keystone'
15:01:52 <d34dh0r53> #topic roll call
15:01:58 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:02:27 <gtema> o/
15:02:35 <Luzi> o/
15:02:55 <jph> o/
15:03:01 <mhen> o/
15:04:17 <d34dh0r53> Hello everyone, let's get started
15:04:20 <d34dh0r53> #topic review past meeting work items
15:04:44 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-12-15.03.html
15:05:01 <d34dh0r53> no work items to review from two weeks ago
15:05:11 <d34dh0r53> #topic liaison updates
15:05:22 <d34dh0r53> nothing from releases or vmt
15:06:40 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06:56 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:05 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:13 <d34dh0r53> External OAuth 2.0 Specification
15:07:20 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:27 <d34dh0r53> OAuth 2.0 Implementation
15:07:33 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:07:39 <d34dh0r53> OAuth 2.0 Documentation
15:07:45 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07:56 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:08:17 <d34dh0r53> There are a few more to merge, I should have some cycles to work on these over the next couple of weeks
15:08:50 <gtema> there are some changes with merge conflict as of now
15:09:02 <gtema> but those are not in keystone
15:09:21 <d34dh0r53> yeah, I'm not sure if I'll work on the non-keystone stuff
15:09:32 <d34dh0r53> maybe I can sync with dmendiza on the barbican ones
15:09:48 <gtema> oh, the doc change for keystone is also in merge conflict
15:11:02 <gtema> I am not sure https://review.opendev.org/c/openstack/keystoneauth/+/876746 should land
15:11:11 <gtema> it seems like a backport
15:12:42 <dmendiza[m]> 🙋
15:12:49 <d34dh0r53> hi dmendiza
15:15:01 <opendevreview> Markus Hentsch proposed openstack/keystone-specs master: Add identity spec for Domain Manager persona  https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:20:01 <Luzi> is this meeting still going on?
15:20:14 <gtema> yes Luzi
15:20:17 <d34dh0r53> Yeah, sorry, was sidetracked with the keystoneauth patch
15:20:36 <d34dh0r53> moving on
15:21:12 <d34dh0r53> #topic specification Secure RBAC ( dmendiza )
15:21:25 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:21:33 <d34dh0r53> 2024.1 Release Timeline
15:21:40 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:21:48 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:21:55 <dmendiza[m]> No updates from me.  We should probably look at the above patch
15:22:07 <dmendiza[m]> for Domain Manager
15:22:25 <d34dh0r53> Yeah, that's in the open discussion section, but we can talk about it now
15:22:56 <gtema> yeah, let's do it
15:23:07 <mhen> I just rebased it (hence the bot ping above). Should I move it to the 2024.2 subdirectory? (it's still in 2024.1)
15:23:37 <gtema> I would rather keep it since otherwise all precious reviews are gone
15:23:44 <gtema> and it takes so long to get them
15:23:55 <d34dh0r53> I think 2024.1 is ok
15:24:07 <mhen> ok
15:24:11 <dmendiza[m]> Not the branch, but the directory
15:24:17 <dmendiza[m]> I would prefer it be updated to reflect when it merges
15:24:44 <dmendiza[m]> I'm sure it can be updated in the same gerrit patch? 🤔
15:24:45 <gtema> can we then do the following: a follow-up that moves it to 2024.2?
15:25:04 <dmendiza[m]> gtema (Artem Goncharov): sure, moving it after works for me
15:25:15 <d34dh0r53> works for me
15:25:26 <gtema> perfect, then only your review is open dmendiza
15:27:37 <dmendiza[m]> ack, will review asap
15:27:42 <gtema> thks a lot
15:27:49 <mhen> thank you :)
15:27:53 <mhen> btw, is there a spec freeze deadline for Keystone?
15:29:13 <d34dh0r53> looking now
15:29:40 <gtema> actually next week (milestone-2) is, so to say, a deadline for specs, but projects are capable of defining their own deadline for specs
15:29:57 <gtema> i.e. Nova does it a bit later (+2 weeks)
15:30:00 <gtema> https://releases.openstack.org/dalmatian/schedule.html
15:30:07 <d34dh0r53> Yeah, we're next week
15:30:37 <gtema> so we should do everything possible to land it by that time
15:30:50 <dmendiza[m]> +1
15:31:24 <mhen> that would be very appreciated
15:31:44 <gtema> mhen - I suggest you can start implementation
15:31:50 <gtema> not to waste time
15:32:11 <gtema> "under expectation"
15:33:14 <gtema> let's please move on, time ticks
15:33:38 <d34dh0r53> ack, I think we're good on that spec and SRBAC
15:33:43 <d34dh0r53> next up
15:33:57 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:34:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/920892
15:34:25 <gtema> I am waiting (still) for reviews
15:34:33 <d34dh0r53> I'll review this week
15:34:45 <gtema> thks a lot Dave Wilde (d34dh0r53)
15:35:19 <d34dh0r53> dmendiza, Grzegorz Grasza please take a look as well
15:35:25 <d34dh0r53> next up
15:35:37 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:35:46 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged)
15:35:53 <d34dh0r53> gtema: design started
15:36:01 <gtema> cool, we started similar stuff on Manila and Nova
15:36:16 <gtema> I will push a change in the next days to add a new job that generates OpenAPI spec
15:36:38 <gtema> it will not be used so far, but necessary to see the progress of moving schemas into the Keystone code base
15:36:49 <gtema> so in the next days changes will start appearing
15:36:52 <d34dh0r53> great!
15:37:13 <gtema> that's it so far
15:37:31 <d34dh0r53> #topic open discussion
15:37:39 <d34dh0r53> passlib update
15:37:49 <d34dh0r53> no movement upstream in the passlib project
15:38:05 <d34dh0r53> in the meantime I've pinned bcrypt in the requirements
15:38:14 <gtema> that's a real crap with upstream
15:38:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/requirements/+/921873
15:38:21 <d34dh0r53> yep, it sucks
15:38:45 <gtema> as I have tried to start switching, it appeared to be quite dirty work in some algorithms
15:39:25 <gtema> but apparently there is no way around it - it feels like a dead end for passlib
15:40:20 <d34dh0r53> there are several people willing to take over maintenance of passlib but the maintainer has gone dark again without giving anyone access
15:40:41 <d34dh0r53> I'll keep pinging on the open tickets
15:40:49 <d34dh0r53> maybe it's time for a fork
15:41:20 <gtema> ah - not sure this is a good idea - there are too many very dirty things inside
15:41:48 <gtema> and it's imho better to get rid of it as such - that's going to be clearer
15:42:24 <d34dh0r53> do you have the cycles to do that work?
15:42:41 <gtema> well, all depends on priorities
15:42:54 <d34dh0r53> indeed :)
15:42:58 <gtema> in principle - yes, but I can't commit it would be ready this cycle
15:43:22 <d34dh0r53> I think the pin will suffice for this release
15:43:30 <gtema> I think we are good now with the pin and in the meanwhile I start (slowly) getting rid of passlib
15:43:34 <gtema> correct
15:43:45 <d34dh0r53> ack, thanks gtema (Artem Goncharov) !
15:43:48 <dmendiza[m]> I'm curious, what are the alternatives to passlib ? 🤔
15:44:17 <gtema> no alternatives. Basically passlib is just a wrapper around native things like bcrypt and scrypt
15:44:26 <gtema> so it's sort of single API for those
15:44:31 <dmendiza[m]> Oh, so just rewrite in cryptography.io probably
15:44:54 <gtema> that's the point - I was able to achieve this
15:45:13 <gtema> but the most complex thing is that passlib does some black magic in bcrypt pass
15:45:32 <gtema> and it is a problem to keep backward compatibility without forcing people to change their passwords
15:46:04 <gtema> just starting to use cryptography is very simple in reality
15:48:07 <dmendiza[m]> I see ... 🤔
15:48:12 <d34dh0r53> moving on for time
15:48:23 <d34dh0r53> we already talked about the domain manager patch
15:48:33 <d34dh0r53> so the last item in open discussion is
15:48:40 <d34dh0r53> domain list scoping fix (mhen)
15:48:47 <d34dh0r53> the main fix was merged a while ago: https://review.opendev.org/c/openstack/keystone/+/900028
15:48:56 <d34dh0r53> Q: is https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 still applicable?
15:49:11 <d34dh0r53> it would have been a necessary adjustment to the tempest tests after the above merge but tests have been restructured in the meantime (mentioned at PTG)
15:49:23 <gtema> dmendiza's final blessing is required
15:49:39 <gtema> as he left a few -1 in the past
15:51:37 <gtema> great, it works ;-)
15:51:50 <d34dh0r53> book
15:51:55 <d34dh0r53> err, boom
15:52:04 <d34dh0r53> thanks dmendiza
15:52:27 <dmendiza[m]> lgtm
15:52:31 <gtema> next thing in "open" - is the review-a-thon taking place? The last 2 Fridays I waited in an empty meeting
15:52:56 <d34dh0r53> For sure it will happen this week
15:53:01 <gtema> awesome
15:53:05 <d34dh0r53> sorry, some unexpected PTO on my part
15:53:13 <gtema> np
15:53:20 <d34dh0r53> #topic bug review
15:53:30 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:53:46 <d34dh0r53> we have a new bug filed against keystone
15:53:53 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2069960
15:54:27 <d34dh0r53> That should be a pretty easy fix but I'm not sure about the backportability
15:54:59 <gtema> if that is going to happen it will influence my OpenAPI stuff and similar, since I have seen places around the OpenStack "consuming" tools with length limit (explicitly in the strong-typed languages)
15:55:32 <gtema> generally I am not having any issues with that, but it definitely has an impact
15:55:38 <d34dh0r53> yeah
15:57:37 <d34dh0r53> I just looked, we don't have new bugs in any of the remaining projects
15:58:00 <d34dh0r53> #topic conclusion
15:58:07 <d34dh0r53> anything else before we go?
15:58:27 <gtema> not for me
16:01:49 <d34dh0r53> thanks everyone!
16:01:54 <d34dh0r53> #endmeeting