15:00:21 #startmeeting keystone
15:00:21 Meeting started Wed Jul 24 15:00:21 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:21 The meeting name has been set to 'keystone'
15:00:59 o/
15:01:07 o/
15:01:16 #topic roll call
15:01:22 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:01:39 o/
15:02:40 * zaitcev peeks
15:03:06 #topic review past meeting work items
15:03:30 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-10-15.00.html
15:03:45 no action items from the last meeting
15:03:53 #topic liaison updates
15:04:01 nothing from VMT or releases
15:06:03 #topic specification OAuth 2.0 (hiromu)
15:06:51 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:11 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:27 External OAuth 2.0 Specification
15:07:35 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:43 OAuth 2.0 Implementation
15:07:51 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:08:00 OAuth 2.0 Documentation
15:08:07 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:08:14 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:08:39 no updates, hopefully I can get a chance to rebase those last tempest tests this week and get this off the agenda
15:08:47 next up we have
15:09:00 #topic specification Secure RBAC (dmendiza[m])
15:09:08 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:10 o/
15:09:18 2024.1 Release Timeline
15:09:20 Update oslo.policy in keystone to enforce_new_defaults=True
15:09:20 Update oslo.policy in keystone to enforce_scope=True
15:09:26 #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:09:33 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)
15:09:41 #link https://review.opendev.org/c/openstack/tempest/+/912489 (Merged)
15:11:08 dmendiza: you around?
15:12:13 o/
15:12:16 🙋‍♂️
15:12:31 Heya!
15:12:47 Let me see .... I don't think I have any updates. IIRC we did merge the Domain-Manager spec?
15:13:05 we did
15:14:28 should we move the notes for domain-manager
15:14:38 from open-discussion to ..here..?
15:15:18 Yeah, I see domain-manager as part of SRBAC
15:15:20 yeah, I was just thinking about that
15:16:00 moved
15:16:13 great
15:16:44 Markus (mhen) - do you have updates here? I heard that from you already today, but ...
15:17:20 as written in the etherpad, implementation of policies is pretty much done (from my POV)
15:17:44 yep, we'll pivot into
15:17:45 I'm currently filling remaining gaps in keystone-tempest-plugin
15:17:55 #topic specification domain manager (mhen)
15:17:55 mhen - the stuff with domain specific roles is important to discuss here imho
15:18:08 #link https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:18:17 implementation has started in keystone, tempest and keystone-tempest-plugin
15:18:24 #link https://review.opendev.org/q/topic:%22domain-manager%22
15:18:32 keystone
15:18:32 all applicable policies implemented for SRBAC (enforce_new_defaults and enforce_scope enabled)
15:18:32 TODO: fix policy variable naming (they got quite long, exceeding character limit in some places)
15:18:43 tempest
15:18:43 library updated to create pre-provisioned domain manager user for tests
15:18:53 keystone-tempest-plugin
15:18:53 fixed existing RBAC tests to incorporate changes done to API
15:18:53 TODO: filling remaining gaps in tests to consider the new persona in all applicable places
15:19:33 yea, about domain-specific roles: I initially added domain role management capabilities to the domain manager persona but upon further inspection and testing I realized that it actually made no sense so I removed it again
15:20:38 for the long story expand the second comment here: https://review.opendev.org/c/openstack/keystone/+/924132/comment/d13d5bc4_540fd19a/
15:21:30 the spec actually didn't consider domain roles (only global roles and their assignment within domains)
15:22:47 ... and it seems it is best to keep it this way, i.e. not allowing the domain manager persona to use the domain role endpoints
15:23:02 it might sound contradicting at first but please read the linked comment
15:25:13 on that note I realized that the naming of the role set rule for domain managers ("domain_managed_target_role") might not be the best considering it could be confused with domain roles, which is a different functionality
15:25:20 ref: https://github.com/openstack/keystone-specs/blob/master/specs/keystone/2024.1/domain-manager-persona.rst?plain=1#L139-L153
15:30:27 ok, so a short summary - domain manager is not going to manage domain specific roles
15:31:35 based on the current patchset, yes
15:32:05 they will be limited to assign/revoke a fixed set of global roles within a domain
15:32:29 in order to manage user/project/group relations
15:32:42 ok
15:33:14 ack
15:34:03 that makes sense to me, I think we should target 924132 for the reviewathon to go over it though
15:34:22 👍️
15:34:50 #action reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132
15:34:57 moving on
15:35:29 #topic specification OpenAPI support (gtema)
15:35:37 #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged)
15:35:45 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:36:13 thanks for approving blackify Dave Wilde (d34dh0r53) - that helps to avoid merge conflicts
15:36:25 indeed
15:36:51 we have onboarded a Student to support me in that
15:36:52 so hopefully she is going to make her changes soon
15:37:05 awesome
15:37:09 on the other side first changes are out there and the review is welcome
15:37:39 Grzegorz Grasza had a look already, but we should have more formal reviews
15:39:22 on which one?
15:39:42 in particular https://review.opendev.org/c/openstack/keystone/+/923067
15:39:48 the framework addition itself
15:40:12 #link https://review.opendev.org/c/openstack/keystone/+/923324 covers credentials with schemas
15:41:10 ack
15:41:23 yeah, we can look at these on Friday as well
15:41:44 great
15:42:13 #action reviewathon https://review.opendev.org/c/openstack/keystone/+/923067 and https://review.opendev.org/c/openstack/keystone/+/923324
15:42:35 moving on
15:42:40 #topic open discussion
15:42:50 'v
15:42:53 codebase renovation (gtema)
15:43:04 #link https://review.opendev.org/c/openstack/keystone/+/924522 - reformat patch. Would appreciate merge soon to reduce merge conflicts
15:43:10 #link https://review.opendev.org/q/topic:%22renovate%22
15:43:24 the first one is gating, it should merge in a couple of hours
15:43:41 I'll add a new change adding a commit to ignore blame once blackify merges
15:44:10 afterwards ensure other changes are fresh and mypy is not failing
15:44:32 great
15:44:34 afterwards I would address the py datetime.now() issue
15:44:58 and hopefully fix the py312 job - at least that is the initial target
15:45:33 ok
15:45:54 thank you for this work!
15:46:05 welcome :)
15:46:19 anything else for open discussion?
15:46:24 not from me
15:48:03 #topic bug review
15:48:12 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:48:28 Looks like we have a couple for Keystone
15:48:44 #link https://bugs.launchpad.net/keystone/+bug/2073377
15:49:24 there is actually a change proposed for that
15:49:37 #link https://review.opendev.org/c/openstack/keystone/+/924153
15:49:41 ahh, yeah
15:51:27 next up
15:51:30 #link https://review.opendev.org/c/openstack/keystone/+/924153
15:51:39 oops, wrong link
15:51:43 #undo
15:51:43 Removing item from minutes: #link https://review.opendev.org/c/openstack/keystone/+/924153
15:51:59 #link https://bugs.launchpad.net/keystone/+bug/2072945
15:53:18 Yeah, that looks like an unhandled exception to me
15:56:37 added a comment
15:57:01 finally
15:57:11 #link https://bugs.launchpad.net/keystone/+bug/2072639
15:57:40 Thanks for the reply on that one mhen
15:58:22 That does it for keystone
15:58:25 next up
15:58:35 :)
15:58:36 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:58:51 no new bugs for python-keystoneclient
15:59:00 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:59:38 this may be a new bug
15:59:57 #link https://bugs.launchpad.net/keystoneauth/+bug/2072481
16:01:37 I think we may need version bumps
16:02:25 hopefully it is sufficient. It's a bit hard to understand what is going on there
16:02:48 yeah
16:03:54 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
16:04:01 no new bugs for keystonemiddleware
16:04:12 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:04:30 nothing new for pycadf
16:04:42 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:05:01 no ldappool
16:05:10 we're over time
16:05:14 #topic conclusion
16:05:22 thanks everyone, see y'all at the reviewathon
16:05:25 #endmeeting