15:03:17 <d34dh0r53> #startmeeting keystone
15:03:17 <opendevmeet> Meeting started Wed Aug  7 15:03:17 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:17 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:17 <opendevmeet> The meeting name has been set to 'keystone'
15:03:32 <d34dh0r53> #topic roll call
15:03:43 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:03:46 <gtema> o/
15:03:48 <d34dh0r53> o/
15:03:58 <mharley[m]> o/
15:04:21 <jph> o/
15:06:30 <dmendiza[m]> 🙋‍♂️
15:08:37 <d34dh0r53> sorry, was grabbing coffee
15:08:39 <d34dh0r53> #topic review past meeting work items
15:08:45 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-24-15.00.html
15:08:57 <d34dh0r53> first up
15:09:00 <d34dh0r53> reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132
15:09:39 <d34dh0r53> We spoke about this one on Friday, dmendiza was going to do some testing to ensure that the roles were working correctly
15:10:40 <dmendiza[m]> Yeah, I did a first-pass review and left some comments.  Looks like it's been updated so I'll look again this week.
15:11:25 <d34dh0r53> awesome, thanks dmendiza
15:11:38 <d34dh0r53> I'll re-add it to the action items for the reviewathon
15:11:50 <d34dh0r53> #action reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132
15:11:59 <d34dh0r53> next up
15:12:05 <d34dh0r53> reviewathon https://review.opendev.org/c/openstack/keystone/+/923067 and https://review.opendev.org/c/openstack/keystone/+/923324
15:13:32 <d34dh0r53> We talked about these as well, I think they're ready for review now that the codebase has been reformatted
15:13:56 <gtema> yupp, correct
15:14:31 <d34dh0r53> sweet
15:14:41 <d34dh0r53> thanks gtema (Artem Goncharov)
15:14:47 <d34dh0r53> I'll review those today
15:15:06 <d34dh0r53> That does it for the past meeting work items
15:15:20 <d34dh0r53> #topic liaison updates
15:15:28 <d34dh0r53> nothing from VMT
15:16:11 <d34dh0r53> we're coming up on dalmatian-3 near the end of the month
15:16:14 <d34dh0r53> other than that I've got nothing
15:16:25 <d34dh0r53> moving on
15:16:40 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:17:04 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ABBUvkDlfXLRJEgqLawTZbEN>)
15:17:18 <d34dh0r53> no updates from me
15:17:59 <d34dh0r53> next up
15:18:10 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:18:19 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/wUsSZyvccxRMDwapARTwQYLL>)
15:20:47 <dmendiza[m]> No updates other than reviewing domain-manager
15:20:55 <d34dh0r53> ack, thanks dmendiza
15:21:18 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:21:28 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged)
15:21:28 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:21:28 <d34dh0r53> gtema: changes awaiting review
15:21:46 <gtema> nothing else than reviewing ;-)
15:21:57 <d34dh0r53> ack, thanks gtema (Artem Goncharov)
15:22:02 <d34dh0r53> next up
15:22:18 <d34dh0r53> #topic specification domain manager (mhen)
15:22:35 <d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ZYtGtQuOofpGnjLvLjCnzwOy>)
15:23:27 <gtema> long names should not be a problem with reformatted code (at least with the black in the game)
15:23:34 <gtema> but still we may want to shorten them
15:24:20 <gtema> wrt release notes I will explain to mhen offline (I have a shorter link to him)
15:24:38 <d34dh0r53> ack, thank you
15:25:33 <d34dh0r53> moving on to open discussion
15:26:34 <mharley[m]> But Python has no limit for variable names. Is it just because of legibility / aesthetics that Black is recommending reducing them?
15:27:05 <gtema> mharley - not the black on its own. There is "OpenStack" guide with the limit
15:27:20 <mharley[m]> Hmm, gotcha.
15:27:44 <gtema> wrt renovation: there is py312 fix change ready for review
15:27:58 <gtema> and the one I mentioned on the etherpad in pycadf
15:28:36 <gtema> those 2 are fixing pretty much all sorts of unittesting locally failing with py312
15:28:38 <d34dh0r53> codebase renovation (gtema)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/koTieTclPIBbnzusrWvbMQuu>)
15:28:55 <gtema> right, those 2
15:30:14 <jph> Have an issue with SAML integration with Keystone when using Chrome. I have managed to resolve it locally with `SetEnv MELLON_DISABLE_SAMESITE 1` in `/etc/apache2/mods-enabled/auth_mellon.conf`. I will open a bug report but wondered if anyone else has encountered this in Zed onwards?
15:32:00 <d34dh0r53> jph: we don't use SAML so I'm not much help.
15:32:43 <d34dh0r53> jph: is this for the open discussion section of the meeting?
15:33:02 <jph> Yeah for open discussion.
15:34:55 <d34dh0r53> unless anyone here uses SAML I would file a bug report
15:35:53 <jph> Sure I don't think SAML gets all that much use. Will open bug report only just found temporary solution. Thanks.
15:36:14 <d34dh0r53> jph: thank you!
15:36:20 <d34dh0r53> next up
15:36:29 <d34dh0r53> deprecate EC2 and S3 code in keystone, keystoneauth, and keystone middleware (d34dh0r53)
15:36:29 <d34dh0r53> the top level ec2-api project has been retired, there are some security issues in the code we have floating around our codebase.
15:36:52 <d34dh0r53> ec2-api has been retired upstream, any objections to me deprecating the keystone code?
15:37:03 <gtema> it depends
15:37:24 <gtema> I know for sure there are some places where people use ec2 credentials to access ceph (rados gw)
15:37:30 <d34dh0r53> specifically S3
15:38:17 <gtema> so people create ec2 creds and use them to access rgw in S3 style
15:38:37 <d34dh0r53> Does that still work?
15:38:44 <gtema> yes, sadly
15:38:52 <gtema> because it is not OpenStack itself
15:38:53 <jph> Yeah it does just deployed it yesterday.
15:39:06 <gtema> but ceph has integration with keystone and that works
15:39:33 <gtema> basically ec2 creds are just a "proxy" to regular credentials
15:39:35 <jrosser> you still need an ec2 style credential to use the s3 api
15:39:40 <gtema> just with a specific type
15:42:12 <d34dh0r53> Ok, I think that means we're going to need to update the code as our SAST tooling has found some issues in those functions. But if it's still in use...it's still in use :)
15:42:30 <d34dh0r53> next up
15:42:37 <d34dh0r53> SAML issue with Google Chrome due to SAMESITE cookies (jph)
15:42:37 <d34dh0r53> Will open bug report with findings
15:42:49 <d34dh0r53> jph: thanks for this
15:42:54 <gtema> in the renovation there is still one more interesting change: adding mypy
15:43:12 <gtema> in the long run I think it would be very useful
15:43:27 <d34dh0r53> do you have a link to the review handy gtema (Artem Goncharov) ?
15:43:39 <gtema> https://review.opendev.org/c/openstack/keystone/+/924085
15:44:21 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/924085
15:44:25 <d34dh0r53> thanks gtema (Artem Goncharov)
15:44:33 <d34dh0r53> moving on to bug review
15:44:37 <d34dh0r53> #topic bug review
15:44:44 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:45:20 <d34dh0r53> looks like three new bugs
15:45:33 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2075349
15:45:52 <d34dh0r53> Jadon is working on this and has a patch up, reviews appreciated
15:46:14 <gtema> it is a sort of doc/deployment bug and not the code
15:46:32 <gtema> ah no, sorry, wrong bug
15:46:49 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2075723
15:46:56 <d34dh0r53> yeah, this looks like a doc bug
15:46:58 <gtema> revoke no - it is the thing I mentioned
15:47:41 <d34dh0r53> oops, yeah
15:48:55 <d34dh0r53> finally
15:48:58 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2074045
15:49:28 <d34dh0r53> dineshk: it would be awesome if you can take this
15:50:20 <d34dh0r53> That doc definitely needs some TLC
15:50:20 <gtema> wrt this
15:50:38 <gtema> I have already a change updating setup guide
15:51:20 <d34dh0r53> ack, maybe you can add that bug to the commit message
15:51:34 <gtema> bug was created afterwards
15:51:43 <gtema> so not technically correct, but ok, will do so
15:51:53 <gtema> #link https://review.opendev.org/c/openstack/keystone/+/925010
15:52:07 <d34dh0r53> yeah, slightly out of order
15:52:13 <d34dh0r53> thanks gtema (Artem Goncharov)
15:52:17 <d34dh0r53> next up
15:52:20 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:52:35 <d34dh0r53> nothing new for python-keystoneclient
15:52:44 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:52:58 <opendevreview> Artem Goncharov proposed openstack/keystone master: Update development setup doc  https://review.opendev.org/c/openstack/keystone/+/925010
15:53:38 <d34dh0r53> nor keystoneauth
15:53:41 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:53:44 <d34dh0r53> keystonemiddleware is good
15:53:48 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:53:50 <d34dh0r53> pycadf is good as well
15:53:54 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:54:00 <d34dh0r53> no new bugs for ldappool
15:54:06 <d34dh0r53> #topic conclusion
15:54:24 <d34dh0r53> I don't have anything, reviewaton on Friday
15:54:31 <d34dh0r53> *reviewathon
15:54:47 <d34dh0r53> Thanks all!
15:54:53 <d34dh0r53> #endmeeting