15:01:48 #startmeeting keystone 15:01:48 Meeting started Wed Jul 3 15:01:48 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:48 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:48 The meeting name has been set to 'keystone' 15:02:02 #topic roll call 15:02:03 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema 15:02:53 o/ 15:03:02 o/ 15:03:46 o/ 15:04:23 #topic review past meeting work items 15:05:01 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-26-15.01.html 15:05:09 no work items of note 15:05:20 #topic liaison updates 15:07:02 from the VMT side of things 15:07:09 #link https://security.openstack.org/ossa/OSSA-2024-001.html 15:07:45 a nasty thing, but which does not affect Keystone, anyway important for people to know 15:07:47 was released yesterday, it doesn't affect keystone per se, but it does impact openstack significantly which is why I'm calling it out here 15:07:54 yep 15:08:28 for releases, Dalmatian-2 was this week 15:08:47 no blockers from us so everything has progressed 15:08:58 that's it for liaison updates 15:08:58 moving on 15:09:08 o/ 15:09:13 #topic specification OAuth 2.0 (hiromu) 15:09:27 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:09:39 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:09:40 o/ 15:09:57 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:09:59 no updates from me on this 15:10:11 Hi Luzi and mhen o/ 15:10:23 next up 15:10:35 #topic specification Secure RBAC (dmendiza[m]) 15:10:44 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10:58 dmendiza: is on PTO today so no updates on SRBAC 15:11:19 #topic specification Improve federated users management (gtema) 15:11:26 #link https://review.opendev.org/c/openstack/keystone/+/920892 15:11:48 I started reviewing this but haven't finished yet 15:11:51 still waiting for reviews ;-) 15:11:58 sounds good 15:12:06 anything found so far 15:12:08 ? 15:12:16 I mean conceptually 15:12:37 not that I can see 15:13:13 ok, that's promising, because it is more conceptually a question then implementation 15:13:31 right 15:14:14 next up 15:14:15 #topic specification OpenAPI support (gtema) 15:14:34 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:14:50 so 15:14:55 Are these ready for reviews or still WIP? 15:15:00 I pushed first wip changes for people to see what it is 15:15:17 well, 2 first are ready 15:15:34 I mean adding job for openapi generator and adding a validation framework as such 15:15:47 adding schemas as WIP and there is one thing to discuss 15:16:18 also stephenfin noticed that as well: with this style that we are adding across all services we have a small change in behavior 15:16:36 namely that we need to validate input first and evaluate policy after that 15:17:11 so with invalid input user is getting 403 now, but will get 400 with new validation 15:17:58 and so the question is: do we agree that it make sense to do first a routing and understand whether the input is valid before we evaluate whether user is allowed to perform that operation 15:18:09 basically this is how other services work 15:18:50 otherwise, if that is nok and we want to keep the behavior, I would also need to rework policy evaluation and convert it to decorators as well 15:19:03 "valid" as in a) "is number or string" or b) "project id exists"? 15:19:09 #link the discussion is in https://review.opendev.org/c/openstack/keystone/+/923181 15:19:25 a) number or string 15:19:38 this is purely jsonschema based input validation 15:19:47 no access to DB or whatsoever 15:19:50 good, otherwise it would be a risk to expose things before authorizing users 15:20:16 I repeat - this is how other services work, so it is not something unique 15:20:31 one point to underline here is that sometimes the body is influencing routing 15:20:49 and we can't properly route the request before we actually analyze the input 15:21:43 I'm okay with the 400, it's a bit outside of what the RFC states but an argument can be made that it is malformed 15:22:31 400 is what we also use now, just that it is thrown after policy evaluation take place 15:22:50 I see 15:23:34 more or less I need to know now whether it is ok for us to change order (and thus behavior) because it influences dramatically how I should address the changes 15:26:53 I'm good with changing the order, I can't think of a reason not to 15:27:26 ok, great. I would appreciate if you can add small comment on that in the referred change for protocoling 15:27:36 I will do that 15:27:42 thanks 15:28:01 thank you! 15:28:03 next up 15:28:08 #topic open discussion 15:28:16 move reviewaton to 14:00 during Daylight time (d34dh0r53) 15:28:28 any objections? 15:28:31 UTC time 15:28:50 that is very desired by me, cause I have mentoring meeting at 15 and it is nearly impossible to move it 15:29:35 ack 15:32:08 cool, I'll move the meeting to 14:00 UTC 15:32:25 perfect, thanks a lot 15:32:36 #action d34dh0r53 move reviewathon to 14:00 UTC for Daylight time 15:32:47 we'll revisit the time once DST rolls around for everyone 15:32:51 next up 15:32:59 domain manager (mhen) 15:33:07 https://review.opendev.org/c/openstack/keystone-specs/+/903172 15:33:14 spec freeze is approaching - can we still make it? 15:33:30 we agreed last week to do the best possible to squeeze it 15:33:34 in 15:34:38 Grzegorz Grasza: can you review this today? 15:34:44 Dave Wilde (d34dh0r53): do you happen to know if dmendiza is in PTO only today or longer? 15:34:54 The rest of the week 15:35:03 uh, ok 15:36:42 from my pov all his comments were addressed and landing spec is not landing implementation 15:36:44 I'll see if I can get Grzegorz Grasza to do it 15:36:53 thank you d34dh0r53 15:37:14 np 15:38:05 #topic bug review 15:38:13 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:38:37 no new bugs for keystone 15:38:47 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:39:05 python-keystoneclient is good to go 15:39:06 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:39:27 nothing new in keystoneauth 15:39:28 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:39:47 nor in keystonemiddleware 15:39:49 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:40:01 pycadf is good 15:40:08 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:40:27 so is ldappool 15:40:33 #topic conclusion 15:40:45 Tomorrow is a US holiday so I'll be out 15:41:08 oh yeah. Have fun 15:41:17 Thank you! 15:41:42 Thanks folks! 15:41:46 #endmeeting