15:01:48 <d34dh0r53> #startmeeting keystone
15:01:48 <opendevmeet> Meeting started Wed Sep 25 15:01:48 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:48 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:48 <opendevmeet> The meeting name has been set to 'keystone'
15:03:32 <d34dh0r53> #topic roll call
15:03:39 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema, cardoe
15:03:40 <gtema> o/
15:05:29 <cardoe> \o
15:05:52 <d34dh0r53> o/
15:05:54 <d34dh0r53> let's get started
15:06:06 <d34dh0r53> #topic review past meeting work items
15:06:25 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-11-15.04.html
15:06:32 <d34dh0r53> no action items from last meeting
15:06:43 <d34dh0r53> #topic liaison updates
15:06:47 <d34dh0r53> nothing from VMT
15:06:59 <d34dh0r53> We're nearing dalmatian release date
15:07:21 <d34dh0r53> #topic specification
15:07:25 <d34dh0r53> #undo
15:07:25 <opendevmeet> Removing item from minutes: #topic specification
15:07:44 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:07:52 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:57 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:08:01 <d34dh0r53> External OAuth 2.0 Specification
15:08:07 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:08:13 <d34dh0r53> OAuth 2.0 Implementation
15:08:19 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:08:26 <d34dh0r53> OAuth 2.0 Documentation
15:08:31 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:08:39 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:09:06 <d34dh0r53> I worked on a couple of these before my PTO, I'll take a look again this week and try to get them passing the gates
15:09:11 <d34dh0r53> next up
15:09:27 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:09:34 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:43 <d34dh0r53> 2024.1 Release Timeline
15:09:50 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:09:54 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:11:34 <d34dh0r53> I don't think dmendiza is around today, so moving on
15:11:49 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:11:55 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:12:03 <d34dh0r53> gtema: changes awaiting review
15:12:55 <gtema> you haven't reloaded page where I added please please please
15:13:02 <d34dh0r53> lol
15:13:03 <gtema> it is frustrating not to see any movement
15:13:04 <d34dh0r53> one sec
15:13:50 <d34dh0r53> I will try to get folks to review these, Grzegorz Grasza is on PTO until next week though
15:13:51 <cardoe> wrt to OAuth 2.0, I'm using OIDC (or at least trying to) and was hoping to ask some questions there
15:14:42 <d34dh0r53> pertaining to the spec itself or support for your deployment cardoe ?
15:15:03 <cardoe> Yes. :)
15:15:17 <gtema> lol
15:15:37 <gtema> question: A or B? Answer: yes
15:15:42 <cardoe> Happy to wait until the agenda items are over.
15:15:50 <cardoe> The answer is really both.
15:16:05 <cardoe> So the docs for OIDC aren't correct. I've started to write some patches... https://review.opendev.org/c/openstack/keystone/+/929315 is the first.
15:16:42 <cardoe> The mapping docs page is wrong from what the code expects and then the jsonschema patches alter things even further as well.
15:16:53 <gtema> cardoe - I suggest really not to do this now. I have a huge agenda for the PTG to discuss on the federation support as whole
15:17:11 <gtema> there are plenty of things done wrong afaik
15:17:22 <cardoe> okay I'll go back to my observation corner
15:17:56 <d34dh0r53> Thank you for that docs patch though, I've known the docs use some incorrect terminology but haven't gotten around to fixing them
15:18:52 <gtema> it's not about observation corner, it's about that current functionality on its own is pretty limited and has many issues that I wanted to discuss broadly. I am doing huge research among different CSPs for their use cases and complaints
15:19:20 <d34dh0r53> So back to openapi support, I will review and try to get some movement on the patches
15:19:49 <gtema> would appreciate Dave Wilde (d34dh0r53)
15:20:44 <d34dh0r53> next up
15:20:54 <d34dh0r53> #topic specification domain manager (mhen)
15:20:59 <d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22
15:21:02 <d34dh0r53> tempest core lib patch has been merged, only keystone-tempest-plugin left
15:21:09 <d34dh0r53> created a patchset for documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:21:58 <d34dh0r53> awesome, thanks mhen_
15:24:27 <gtema> doc looks good, I will review offline in detail
15:26:12 <d34dh0r53> thanks gtema (Artem Goncharov)
15:26:29 <d34dh0r53> #topic specification Type annotations (stephenfin)
15:26:54 <gtema> bunch of changes merged already
15:26:57 <d34dh0r53> #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing
15:27:06 <gtema> rest have one +2
15:27:07 <d34dh0r53> This came about from adding type hints to openstacksdk. Since we're based on/heavily use keystoneauth, we need these annotations to be able to type things correctly. After much blood and tears, I now have the thing fully typed (except for tests and fixtures) but have refrained from pushing the full ~50 patch series to avoid overloading CI/humans :)
15:27:13 <d34dh0r53> How do we want to review these? They are generally non-functional changes, though I have reworked some logic (to avoid use of try-except pattern that mypy doesn't like) and added lots of asserts to narrow types (which I will eventually convert to proper exceptions). Can I just let gtema review them and rely on CI?
15:27:16 <d34dh0r53> You'll see I've used ruff and ruff-format. I realise this might be somewhat controversial, but it removes significant friction (from having to manually rewrap stuff) when adding annotations at minimal inconvenience to others
15:27:35 <d34dh0r53> cool, I'll take a look at these as well
15:28:08 <gtema> maybe on that one: do we want to apply ruff also to keystone (and yes, we just did that with black)
15:28:10 <gtema> ?
15:28:16 <cardoe> +1 on the ruff stuff. Cause I agree with you it removes friction and just moves things along.
15:29:57 <cardoe> And lets you enable a ton more lints
15:30:49 <d34dh0r53> I'm good with moving keystone to ruff, how big is the effort going to be?
15:31:30 <gtema> tiny - we already have auto-formatting. So here it would be just swapping black with ruff in one change
15:31:40 <gtema> I mean amount of code changes is going to be probably not so small, but all automatic
15:31:53 <gtema> all the "issues" are already polished out
15:33:00 <gtema> I can prepare the change, but I do not want to do that before we land our complex depending openapi stuff first, otherwise we are again in a pain of rebase
15:36:29 <d34dh0r53> agreed, let's prioritize the openapi stuff, ruff is a nice to have for keystone
15:36:43 <gtema> deal
15:36:52 <d34dh0r53> #topic open discussion
15:37:01 <d34dh0r53> PTG planning
15:37:24 <d34dh0r53> I'm thinking about 3 hours Tues and Wed but am open to an additional 3 on Thursday if we need it
15:37:37 <d34dh0r53> The bot is ignoring me right now
15:37:45 <gtema> :)
15:38:10 <gtema> you do not feed it, so it is angry at you
15:39:40 <gtema> from my pov we would spend at least one full 3h slot talking about federation stuff
15:41:54 <d34dh0r53> yeah
15:42:11 <d34dh0r53> I think I'll book all three days and cancel what we don't need
15:42:19 <gtema> right
15:42:30 <d34dh0r53> cool, anything else for open discussion?
15:42:43 <gtema> sure - I added on agenda
15:42:54 <gtema> #link https://review.opendev.org/q/topic:%22passlib%22
15:42:57 <gtema> farewell passlib
15:43:10 <gtema> I created series of patches getting rid of it completely
15:43:40 <d34dh0r53> Oh yeah, I noticed those
15:43:41 <gtema> and noticed also that with sha512_crypt we would need to drop it once we start supporting py313
15:44:26 <d34dh0r53> need to go look but the gates look promising, will this break backward compatibility?
15:44:36 <gtema> anyway - in every change I switch 1 algo and add backwards compatibility tests (to passlib)
15:45:02 <gtema> in the last change I drop passlib dep and those tests as well. I assume the last change is something we may want to wait a bit
15:46:08 <gtema> those unittests run 10 iterations of different inputs, cause there are some funny things happening depending on the input and I try to catch those with that.
15:46:30 <gtema> unfortunately that makes those pretty slow (well, cryptography is on purpose slow)
15:46:54 <gtema> oh, I missed your question
15:47:26 <gtema> no - backward compatibility for now is guaranteed with those unittests that generate hash with passlib and try it with the new way
15:47:36 <gtema> so users are able to login with old hashes
15:48:38 <d34dh0r53> cool
15:48:42 <gtema> to be honest - this is dangerous, therefore in some change I added explicit releasenote warning about dragons
15:49:10 <gtema> but we can not do much about it. I tried to catch and workaround all known issues
15:49:26 <d34dh0r53> yeah, that is the fear, that we break all of the users with the update, I agree we need to rip the bandaid off
15:49:35 <d34dh0r53> passlib is dead
15:50:12 <gtema> right, and sadly it was doing lot of weird things which we may not see immediately
15:51:36 <d34dh0r53> yeah, that's a bummer
15:52:09 <d34dh0r53> almost out of time so moving on to bug review
15:52:18 <d34dh0r53> #topic bug review
15:52:25 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:52:56 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2081695
15:53:02 <d34dh0r53> looks like this is being worked already
15:53:33 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2081082
15:54:21 <d34dh0r53> It's probably a good idea to add indexes to the revocation table
15:54:46 <d34dh0r53> Not sure why they weren't already there
15:56:38 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2080542
15:57:47 <d34dh0r53> that does it for keystone bugs
15:58:42 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:59:09 <d34dh0r53> no new bugs for python-keystoneclient
15:59:17 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:59:31 <d34dh0r53> keystoneauth is good
15:59:38 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:59:53 <d34dh0r53> nothing for keystonemiddleware either
16:00:02 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:00:15 <d34dh0r53> pycadf is good
16:00:22 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=0
16:00:40 <d34dh0r53> and ldappool is good as well
16:00:43 <d34dh0r53> #topic conclusion
16:01:06 <d34dh0r53> Nothing else from me, I'll publish the PTG etherpad this week
16:01:10 <d34dh0r53> Thanks everyone!
16:01:13 <d34dh0r53> #endmeeting