15:00:21 <d34dh0r53> #startmeeting keystone
15:00:21 <opendevmeet> Meeting started Wed Jul 24 15:00:21 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:21 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:21 <opendevmeet> The meeting name has been set to 'keystone'
15:00:59 <xek> o/
15:01:07 <gtema> o/
15:01:16 <d34dh0r53> #topic roll call
15:01:22 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:01:39 <mhen> o/
15:02:40 * zaitcev peeks
15:03:06 <d34dh0r53> #topic review past meeting work items
15:03:30 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-10-15.00.html
15:03:45 <d34dh0r53> no action items from the last meeting
15:03:53 <d34dh0r53> #topic liaison updates
15:04:01 <d34dh0r53> nothing from VMT or releases
15:06:03 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06:51 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:11 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:27 <d34dh0r53> External OAuth 2.0 Specification
15:07:35 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:43 <d34dh0r53> OAuth 2.0 Implementation
15:07:51 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:08:00 <d34dh0r53> OAuth 2.0 Documentation
15:08:07 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:08:14 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:08:39 <d34dh0r53> no updates, hopefully I can get a chance to rebase those last tempest tests this week and get this off the agenda
15:08:47 <d34dh0r53> next up we have
15:09:00 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:09:08 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:10 <mharley[m]> o/
15:09:18 <d34dh0r53> 2024.1 Release Timeline
15:09:20 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:09:20 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:09:26 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:09:33 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)
15:09:41 <d34dh0r53> #link https://review.opendev.org/c/openstack/tempest/+/912489 (Merged)
15:11:08 <d34dh0r53> dmendiza: you around?
15:12:13 <d34dh0r53> o/
15:12:16 <dmendiza[m]> 🙋‍♂️
15:12:31 <dmendiza[m]> Heya!
15:12:47 <dmendiza[m]> Let me see .... I don't think I have any updates.  IIRC we did merge the Domain-Manager spec?
15:13:05 <d34dh0r53> we did
15:14:28 <gtema> should we move the notes for domain-manager
15:14:38 <gtema> from open-discussion to ..here..?
15:15:18 <dmendiza[m]> Yeah, I see domain-manager as part of SRBAC
15:15:20 <d34dh0r53> yeah, I was just thinking about that
15:16:00 <d34dh0r53> moved
15:16:13 <gtema> great
15:16:44 <gtema> Markus (mhen) - do you have updates here? I heard that from you already today, but ...
15:17:20 <mhen> as written in the etherpad, implementation of policies is pretty much done (from my POV)
15:17:44 <d34dh0r53> yep, we'll pivot into
15:17:45 <mhen> I'm currently filling remaining gaps in keystone-tempest-plugin
15:17:55 <d34dh0r53> #topic specification domain manager (mhen)
15:17:55 <gtema> mhen - the stuff with domain specific roles is important to discuss here imho
15:18:08 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:18:17 <d34dh0r53> implementation has started in keystone, tempest and keystone-tempest-plugin
15:18:24 <d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22
15:18:32 <d34dh0r53> keystone
15:18:32 <d34dh0r53> all applicable policies implemented for SRBAC (enforce_new_defaults and enforce_scope enabled)
15:18:32 <d34dh0r53> TODO: fix policy variable naming (they got quite long, exceeding character limit in some places)
15:18:43 <d34dh0r53> tempest
15:18:43 <d34dh0r53> library updated to create pre-provisioned domain manager user for tests
15:18:53 <d34dh0r53> keystone-tempest-plugin
15:18:53 <d34dh0r53> fixed existing RBAC tests to incorporate changes done to API
15:18:53 <d34dh0r53> TODO: filling remaining gaps in tests to consider the new persona in all applicable places
15:19:33 <mhen> yea, about domain-specific roles: I initially added domain role management capabilities to the domain manager persona but upon further inspection and testing I realized that it actually made no sense so I removed it again
15:20:38 <mhen> for the long story expand the second comment here: https://review.opendev.org/c/openstack/keystone/+/924132/comment/d13d5bc4_540fd19a/
15:21:30 <mhen> the spec actually didn't consider domain roles (only global roles and their assignment within domains)
15:22:47 <mhen> ... and it seems it is best to keep it this way, i.e. not allowing the domain manager persona to use the domain role endpoints
15:23:02 <mhen> it might sound contradicting at first but please read the linked comment
15:25:13 <mhen> on that note I realized that the naming of the role set rule for domain managers ("domain_managed_target_role") might not be the best considering it could be confused with domain roles, which is a different functionality
15:25:20 <mhen> ref: https://github.com/openstack/keystone-specs/blob/master/specs/keystone/2024.1/domain-manager-persona.rst?plain=1#L139-L153
15:30:27 <gtema> ok, so a short summary - domain manager is not going to manage domain specific roles
15:31:35 <mhen> based on the current patchset, yes
15:32:05 <mhen> they will be limited to assign/revoke a fixed set of global roles within a domain
15:32:29 <mhen> in order to manage user/project/group relations
15:32:42 <gtema> ok
15:33:14 <d34dh0r53> ack
15:34:03 <d34dh0r53> that makes sense to me, I think we should target 924132 for the reviewathon to go over it though
15:34:22 <gtema> 👍️
15:34:50 <d34dh0r53> #action reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132
15:34:57 <d34dh0r53> moving on
15:35:29 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:35:37 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged)
15:35:45 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:36:13 <gtema> thanks for approving blackify Dave Wilde (d34dh0r53)  - that helps to avoid merge conflicts
15:36:25 <d34dh0r53> indeed
15:36:51 <gtema> we have onboarded a Student to support me in that
15:36:52 <gtema> so hopefully she is going to make her changes soon
15:37:05 <d34dh0r53> awesome
15:37:09 <gtema> on the other side first changes are out there and the review is welcome
15:37:39 <gtema> Grzegorz Grasza had a look already, but we should have more formal reviews
15:39:22 <d34dh0r53> on which one?
15:39:42 <gtema> in particular https://review.opendev.org/c/openstack/keystone/+/923067
15:39:48 <gtema> the framework addition itself
15:40:12 <gtema> #link https://review.opendev.org/c/openstack/keystone/+/923324 covers credentials with schemas
15:41:10 <d34dh0r53> ack
15:41:23 <d34dh0r53> yeah, we can look at these on Friday as well
15:41:44 <gtema> great
15:42:13 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/923067 and https://review.opendev.org/c/openstack/keystone/+/923324
15:42:35 <d34dh0r53> moving on
15:42:40 <d34dh0r53> #topic open discussion
15:42:50 <d34dh0r53> 'v
15:42:53 <d34dh0r53> codebase renovation (gtema)
15:43:04 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/924522 - reformat patch. Would appreciate merge soon to reduce merge conflicts
15:43:10 <d34dh0r53> #link https://review.opendev.org/q/topic:%22renovate%22
15:43:24 <d34dh0r53> the first one is gating, it should merge in a couple of hours
15:43:41 <gtema> I'll add new change adding commit to ignore blame once blackify merges
15:44:10 <gtema> afterwards ensure other changes are fresh and mypy is not failing
15:44:32 <d34dh0r53> great
15:44:34 <gtema> afterwards I would address py datetime.now() issue
15:44:58 <gtema> and hopefully fix the py312 job - at least that is the initial target
15:45:33 <d34dh0r53> ok
15:45:54 <d34dh0r53> thank you for this work!
15:46:05 <gtema> welcome :)
15:46:19 <d34dh0r53> anything else for open discussion?
15:46:24 <gtema> not from me
15:48:03 <d34dh0r53> #topic bug review
15:48:12 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:48:28 <d34dh0r53> Looks like we have a couple for Keystone
15:48:44 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2073377
15:49:24 <gtema> there is actually a change proposed for that
15:49:37 <gtema> #link https://review.opendev.org/c/openstack/keystone/+/924153
15:49:41 <d34dh0r53> ahh, yeah
15:51:27 <d34dh0r53> next up
15:51:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/924153
15:51:39 <d34dh0r53> oops, wrong link
15:51:43 <d34dh0r53> #undo
15:51:43 <opendevmeet> Removing item from minutes: #link https://review.opendev.org/c/openstack/keystone/+/924153
15:51:59 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2072945
15:53:18 <d34dh0r53> Yeah, that looks like an unhandled exception to me
15:56:37 <d34dh0r53> added a comment
15:57:01 <d34dh0r53> finally
15:57:11 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2072639
15:57:40 <d34dh0r53> Thanks for the reply on that one mhen
15:58:22 <d34dh0r53> That does it for keystone
15:58:25 <d34dh0r53> next up
15:58:35 <mhen> :)
15:58:36 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:58:51 <d34dh0r53> no new bugs for python-keystoneclient
15:59:00 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:59:38 <d34dh0r53> this may be a new bug
15:59:57 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bug/2072481
16:01:37 <d34dh0r53> I think we may need version bumps
16:02:25 <gtema> hopefully it is sufficient. It's a bit hard to understand what is going on there
16:02:48 <d34dh0r53> yeah
16:03:54 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
16:04:01 <d34dh0r53> no new bugs for keystonemiddleware
16:04:12 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:04:30 <d34dh0r53> nothing new for pycadf
16:04:42 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:05:01 <d34dh0r53> no ldappool
16:05:10 <d34dh0r53> we're over time
16:05:14 <d34dh0r53> #topic conclusion
16:05:22 <d34dh0r53> thanks everyone, see y'all at the reviewathon
16:05:25 <d34dh0r53> #endmeeting