15:00:43 <d34dh0r53> #startmeeting keystone
15:00:43 <opendevmeet> Meeting started Wed Oct  2 15:00:43 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:43 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:43 <opendevmeet> The meeting name has been set to 'keystone'
15:01:13 <d34dh0r53> #topic roll call
15:01:22 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema, cardoe
15:01:24 <d34dh0r53> o/
15:01:30 <gtema> o/
15:03:23 <d34dh0r53> #topic review past meeting work items
15:03:28 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-25-15.01.html
15:03:36 <d34dh0r53> no action items from the last meeting
15:03:46 <d34dh0r53> #topic liaison updates
15:04:02 <d34dh0r53> Thanks for replying to that email gtema (Artem Goncharov)
15:04:15 <d34dh0r53> that one had fallen off of my radar :/
15:04:19 <gtema> wlcm
15:04:56 <d34dh0r53> that's it from VMT, nothing from release management
15:05:48 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:05:52 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:05:56 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:06:00 <d34dh0r53> External OAuth 2.0 Specification
15:06:05 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:06:12 <d34dh0r53> OAuth 2.0 Implementation
15:06:18 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:06:24 <d34dh0r53> OAuth 2.0 Documentation
15:06:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:06:37 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:06:53 <d34dh0r53> I saw hiromu pushed an update to the docs
15:07:02 <d34dh0r53> which is awesome
15:08:08 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/860928
15:08:52 <d34dh0r53> next up
15:08:57 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:09:02 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:07 <d34dh0r53> 2024.1 Release Timeline
15:09:11 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:09:16 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:10:11 <TheJulia> ... Hasn't 2024.1 already released.... like  *ages* ago?
15:10:12 <d34dh0r53> not sure if dmendiza is around
15:10:31 <d34dh0r53> yeah, I just noticed that, need to clean up the meeting doc
15:10:47 <dmendiza[m]> 👋
15:10:48 <TheJulia> Yeah, I think some active management of topics is definitely needed
15:10:57 <d34dh0r53> ohai dmendiza
15:11:01 <dmendiza[m]> Hello!
15:11:09 * dmendiza[m] catches up
15:11:45 <dmendiza[m]> Right, so, I think we've branched 2025.1 now?
15:11:54 <dmendiza[m]> that is to say, master is now tracking 2025.1
15:12:00 <dmendiza[m]> and branched off stable/2024.2
15:12:01 <gtema> dmendiza: fyi: in the roll-call there is your xxx[m] nick, maybe because of that you miss the notification
15:12:38 <dmendiza[m]> I'm on a Matrix client (element) which adds (or added? 🤔) the [m] when bridging to IRC
15:12:47 <dmendiza[m]> it's there so folks from IRC can ping me. 🤷
15:13:05 <gtema> then add both to the roll-call in the agenda
15:13:28 <dmendiza[m]> that's why you make the big bucks. 😜
15:13:35 <d34dh0r53> I just added it
15:14:12 <dmendiza[m]> Anyway, yeah, I think that now that we're at the beginning of a new cycle we should make sure we default to enable_new_defaults=True and enforce_scope=True
15:14:23 <dmendiza[m]> IIRC we had to override the oslo change
15:14:41 <dmendiza[m]> so no we can remove that override and just consume the defaul True from oslo.policy
15:14:51 <dmendiza[m]> I'll work on a patch for that.
15:14:57 * dmendiza[m] puts his Red Hat on
15:15:26 <dmendiza[m]> Looks like domain-manager is moving up in priority at RH.  Expect to see me propose changes to domain-manager
15:15:42 <dmendiza[m]> That's all I've got for now
15:16:00 <d34dh0r53> ack, ty dmendiza
15:16:18 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:16:23 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:16:29 <d34dh0r53> gtema: changes awaiting review - please please please
15:17:03 <gtema> yupp - dmendiza left a nit comment on one of the changes (credentials)
15:17:25 <gtema> I updated that (and needed to rebase), but still - changes are there for review and finally a go
15:17:49 <d34dh0r53> ack, any particular order to review thingsf/
15:17:57 <d34dh0r53> *things?
15:18:15 <gtema> not anymore, mine are independent
15:18:35 <gtema> ones from Antonia are with some relations (app_creds and next on access rules)
15:18:50 <gtema> but otherwise - whatever is passing
15:19:09 <d34dh0r53> ack
15:19:11 <d34dh0r53> thanks gtema (Artem Goncharov)
15:19:15 <d34dh0r53> #topic specification domain manager (mhen)
15:19:20 <d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22
15:19:24 <d34dh0r53> tempest core lib patch has been merged, only keystone-tempest-plugin left
15:19:32 <d34dh0r53> created a patchset for documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:23:18 <d34dh0r53> guess mhen_ isn't around
15:23:42 <d34dh0r53> or maybe no ping because nick changed
15:24:22 <gtema> yeah, maybe
15:25:46 <d34dh0r53> ok, moving on
15:25:52 <d34dh0r53> #topic specification Type annotations (stephenfin)
15:25:56 <d34dh0r53> #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing
15:25:58 <d34dh0r53> This came about from adding type hints to openstacksdk. Since we're based on/heavily use keystoneauth, we need these annotations to be able to type things correctly. After much blood and tears, I now have the thing fully typed (except for tests and fixtures) but have refrained from pushing the full ~50 patch series to avoid overloading CI/humans :)
15:26:06 <d34dh0r53> How do we want to review these? They are generally non-functional changes, though I have reworked some logic (to avoid use of try-except pattern that mypy doesn't like) and added lots of asserts to narrow types (which I will eventually convert to proper exceptions). Can I just let gtema review them and rely on CI?
15:26:10 <d34dh0r53> You'll see I've used ruff and ruff-format. I realise this might be somewhat controversial, but it removes significant friction (from having to manually rewrap stuff) when adding annotations at minimal inconvenience to others
15:26:23 <d34dh0r53> was a patch added for ruff-format?
15:26:35 <gtema> Steven pushed new series which I have not had a time to review yet
15:26:37 <stephenfin> ummm, I think so
15:27:06 <stephenfin> if I did it's merged
15:27:14 <d34dh0r53> it's been added to keystoneauth, I was wondering about keystone
15:27:28 <gtema> that is not there yet as we discussed
15:27:28 <stephenfin> Ah, no, not for keystone. I think gtema was handling that?
15:27:30 <d34dh0r53> I thought it may have been mentioned last week
15:27:42 <d34dh0r53> ack
15:27:49 <gtema> I wanted that we proceed with openapi changes pending long and afterwards I will do that
15:28:02 <stephenfin> we did discuss last week. cardoe and yourself were onboard (from reading the scrollback)
15:28:03 <d34dh0r53> that's right
15:28:14 <d34dh0r53> waiting for openapi changes
15:28:30 * d34dh0r53 slaps himself with a trout
15:29:08 <gtema> what's with passlib changes?
15:29:12 <stephenfin> but yeah, for keystoneauth all of the "groundwork" patches are merged and mypy is now running in non-strict mode. The patches that are waiting for review constitute roughly half of the total queue. Once everythign is merged, we should be 100% typed (except for tests and fixtures)
15:29:25 <d34dh0r53> sweet
15:29:43 <stephenfin> *half of the total remaining patches (I have not pushed the other half to prevent swamping the CI)
15:29:59 <stephenfin> s/prevent/avoid/
15:31:04 <d34dh0r53> 👍️
15:31:20 <d34dh0r53> I'll review those this week as I'm able
15:31:37 <d34dh0r53> #topic open discussion
15:31:41 <d34dh0r53> farewell passlib #link https://review.opendev.org/q/topic:%22passlib%22
15:32:09 <TheJulia> Question, where is the meeting agenda kept?
15:32:18 <d34dh0r53> Is this ready gtema (Artem Goncharov) ?
15:32:31 <gtema> yes Dave Wilde (d34dh0r53) ready
15:32:33 <d34dh0r53> TheJulia: https://etherpad.opendev.org/p/keystone-weekly-meeting
15:33:24 <gtema> TheJulia: agenda link is present in the room description
15:33:28 <TheJulia> And has there been a review of the keystone-coresec group membership? Can that be taken care of in advance of next week's meeting
15:33:58 <TheJulia> gtema: ahh, didn't even see it there! Thanks!
15:33:59 <d34dh0r53> I will take care of that review this week TheJulia,
15:34:31 <TheJulia> Okay, thanks.
15:36:13 <gtema> back to passlib: as discussed last friday: it is ready, is a big "kill-switch", no other way exists, is tested to be backwardscompatible
15:37:12 <d34dh0r53> Ok, time for the bandaid rip, I propose that we devote some time in the reviewathon on Friday to do that
15:37:23 <gtema> oki
15:38:05 <d34dh0r53> #action reviewathon discuss and hopefully perform the removal of passlib https://review.opendev.org/q/topic:%22passlib%22
15:38:19 <d34dh0r53> cool, moving on, thanks gtema (Artem Goncharov)
15:38:27 <d34dh0r53> #topic bug review
15:38:32 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:39:22 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2083004
15:42:04 <d34dh0r53> Looks like a wishlist item to me, the solution is to set the cache timeout to a reasonable value for your use case
15:42:46 <d34dh0r53> next up
15:42:53 <gtema> he, what?
15:42:58 <gtema> I mean the above bug
15:43:15 <d34dh0r53> ? what about it?
15:43:37 <gtema> assignments in Keycloak are not immediately visible in Keystone
15:43:56 <gtema> that is what disturbs me
15:44:33 <d34dh0r53> is that not true in your case?
15:45:38 <gtema> well, this is a big confusion people have about federation: when they do changes in IdP they expect immediately to see changes reflected on SP
15:45:53 <TheJulia> Further question for some point during open discussion: Is there an PTG etherpad yet? The linked one in the agenda is for Antelope
15:45:58 <gtema> in the oidc/oauth2 this will never happen unless user re-logs in
15:46:27 <d34dh0r53> TheJulia: yes, I'll fix that link
15:46:33 <gtema> there are few things you can do here, but it will not happen magically
15:46:53 <d34dh0r53> TheJulia: https://etherpad.opendev.org/p/oct2024-ptg-keystone
15:47:42 <gtema> Dave Wilde (d34dh0r53): since we have federation topic for PTG let's postpone this bug till then
15:48:04 <d34dh0r53> ack
15:48:09 <d34dh0r53> I agree gtema (Artem Goncharov)
15:48:40 <d34dh0r53> that's it for keystone
15:48:40 <TheJulia> Can it wait 2.5 weeks?
15:48:47 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:51:26 <d34dh0r53> TheJulia: we can add a response to that bug but it's essentially working as designed for now
15:52:01 <TheJulia> d34dh0r53: that would be ideal since there is no guarantee the subscribers can attend the ptg. Thanks again!
15:52:12 <d34dh0r53> 👍️
15:52:36 <d34dh0r53> no new bugs for python-keystoneclient
15:52:49 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:53:04 <d34dh0r53> nor keystoneauth
15:53:13 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:53:45 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/2081732
15:54:22 <d34dh0r53> work is done, cores please review the patch that has been proposed to keystonemiddleware
15:54:41 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/931148
15:55:03 <d34dh0r53> that does it for keystonemiddleware
15:55:07 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:55:20 <d34dh0r53> no new bugs for pycadf
15:55:24 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=0
15:55:52 <d34dh0r53> and ldappool also has no new bugs
15:55:55 <d34dh0r53> #topic conclusion
15:56:01 <d34dh0r53> please add to the PTG agenda
15:56:17 <d34dh0r53> #link https://etherpad.opendev.org/p/oct2024-ptg-keystone
15:56:27 <d34dh0r53> that's it from me, thanks everyone!
15:57:00 <gtema> thanks
15:57:20 <d34dh0r53> #endmeeting