#openstack-keystone log

15:12:21 <d34dh0r53> #startmeeting keystone
15:12:21 <opendevmeet> Meeting started Wed Nov 20 15:12:21 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:12:21 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:12:21 <opendevmeet> The meeting name has been set to 'keystone'
15:12:35 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:12:35 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:12:42 <d34dh0r53> #topic roll call
15:12:51 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:12:58 <gtema> o/
15:13:16 <d34dh0r53> my bad, fell into an internet hole
15:14:04 <gtema> I feel into the dependency hell
15:14:13 <gtema> feel
15:14:40 <gtema> * fell
15:15:18 <d34dh0r53> #topic review past meeting work items
15:15:28 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-11-13-15.02.html
15:15:33 <d34dh0r53> no action items from last week
15:15:40 <d34dh0r53> #topic liaison updates
15:15:50 <d34dh0r53> nothing from vmt or releases
15:16:30 <d34dh0r53> I just approved the patch to move 2023.1 (Antelope) to unmaintained
15:16:34 <d34dh0r53> next up
15:17:45 <dmendiza[m]> Does that mean the gates are off for antelope?
15:17:52 <dmendiza[m]> 🤔
15:18:15 <d34dh0r53> I don't think so
15:18:42 <dmendiza[m]> cool
15:20:52 <d34dh0r53> hmm, now you have me wondering
15:21:05 <d34dh0r53> well, I'll see if I can find that answer after the meeting
15:21:08 <d34dh0r53> moving on
15:21:16 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:21:27 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:21:35 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:21:42 <d34dh0r53> External OAuth 2.0 Specification
15:21:46 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:21:49 <d34dh0r53> OAuth 2.0 Implementation
15:21:53 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:22:00 <d34dh0r53> OAuth 2.0 Documentation
15:22:01 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:22:05 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:22:29 <d34dh0r53> no updates from me on this, I probably need to rebase the last remaining patches
15:22:33 <d34dh0r53> maybe on Friday
15:22:39 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:23:02 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:23:06 <dmendiza[m]> No updates this week....
15:23:08 <d34dh0r53> 2024.1 Release Timeline
15:23:11 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:23:18 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:23:38 <d34dh0r53> Ok, can we update that section to reflect 2025.1 work?
15:25:32 <d34dh0r53> dmendiza: ?
15:26:23 <dmendiza[m]> Yeah, sure, I'll take a look at it after the meeting
15:26:41 <d34dh0r53> Thanks!
15:26:43 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:26:48 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:26:54 <d34dh0r53> https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work
15:27:14 <gtema> no updates due to working on unblocking gate (https://review.opendev.org/c/openstack/keystone/+/935685)
15:27:34 <gtema> what worked on Monday does not work since yesterday
15:28:05 <gtema> and since it is anyway something what will need to be done anyway I decided to work on proper replacement rather then pinning fix
15:28:08 <d34dh0r53> we have to update all of our graphs?
15:28:14 <gtema> yes, I did so
15:28:40 <gtema> manually reimplemented them. Sadly graphviz doesn't support sequence diagrams natively
15:28:57 <gtema> s/natively/nicely/
15:29:11 <d34dh0r53> ack, thank you for doing that
15:30:00 <d34dh0r53> Grzegorz Grasza and dmendiza please take a look at https://review.opendev.org/c/openstack/keystone/+/935685 to unblock the gates
15:30:26 <d34dh0r53> next up
15:30:27 <d34dh0r53> #topic specification domain manager (mhen)
15:30:29 <d34dh0r53> still unmerged are:
15:30:29 <d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:30:30 <d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
15:33:03 <d34dh0r53> #topic specification Type annotations (stephenfin)
15:33:06 <d34dh0r53> #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing
15:33:10 <d34dh0r53> This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land.
15:33:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/931959 - ruffing the keystone misses +W
15:33:21 <d34dh0r53> ruffing has merged :)
15:33:37 <gtema> yes, I forgot to drop from agenda
15:33:39 <gtema> thnks
15:33:57 <gtema> all open typing patches finaly merged after tons of rechecks
15:34:21 <d34dh0r53> sweet!
15:34:22 <gtema> stephen pushed few new changes, but we should update the release patch to bring those merged out into the wild for early testing
15:35:12 <d34dh0r53> Yep, I'll update the SHA after this meeting
15:35:44 <gtema> cool
15:35:47 <d34dh0r53> #action d34dh0r53 Update SHA in https://review.opendev.org/c/openstack/releases/+/934599 to HEAD of keystoneauth
15:36:02 <d34dh0r53> next up
15:36:04 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:36:07 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:36:10 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423
15:36:13 <d34dh0r53> 20-Nov update: spec and implementation updated for HMAC-based hashing. Looking for reviews.
15:36:28 * d34dh0r53 needs to look at those
15:36:46 * gtema will look once the world is not burning
15:36:56 <stanislav-z> thanks!
15:38:04 <d34dh0r53> #topic open discussion
15:38:07 <d34dh0r53> pagination (gtema)
15:38:09 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pagination%22+project:openstack/keystone
15:38:14 <d34dh0r53> it is bit more complex than I thought since all DB queries need to be executed with pagination while some internal calls right now expect to get ALL entries (i.e. list_domains/list_projects)
15:38:26 <gtema> after Friday I rebased on top of ruffing
15:38:35 <gtema> and found that broken gate stuff
15:38:42 <gtema> but anyway I thought about the feedback
15:38:52 <gtema> and decided not to log warning of using MAX
15:39:08 <gtema> because this is going to be very similar to what we erased lately
15:39:13 <gtema> exception logging on 404
15:39:30 <gtema> it will be present very often without operator being able to do anything with it
15:39:53 <gtema> and the reason is that by default in the internal (non-api) invocation the limit can not be set by the caller
15:41:00 <gtema> so with that the change is still good for review
15:41:07 <d34dh0r53> ack
15:41:12 <d34dh0r53> that makes sense
15:41:17 <gtema> ignore the broken docs results now (this is the broken gate)
15:41:32 <d34dh0r53> ok, I'll take a look
15:41:49 <gtema> thanks
15:42:24 <d34dh0r53> np, anything else for open discussion?
15:42:32 <tkajinam> o/
15:42:40 <tkajinam> let me bring quick one
15:42:49 <tkajinam> https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/934272
15:43:11 <tkajinam> stable/2023.1 is being transitioned to unmaintained/* so now most of devstack jobs in stable/2023.1 are broken
15:43:25 <tkajinam> so can we merge that change to drop 2023.1 job asap while the CI is under control ?
15:44:01 <tkajinam> there is also another change to add 2024.2 job which is missing so I hope we can merge it soon (after merging removal of 2023.1 job) https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930821
15:44:34 <tkajinam> that's it
15:44:40 <d34dh0r53> dmendiza: there's your answer :)
15:45:01 <d34dh0r53> Ok, thanks tkajinam !
15:47:02 <d34dh0r53> #topic bug review
15:47:04 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:47:15 <d34dh0r53> we have a couple of new bugs for keystone
15:47:25 <d34dh0r53> https://bugs.launchpad.net/keystone/+bug/2089051
15:47:29 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2089051
15:47:44 <d34dh0r53> looks like this is being fixed with a requirements change
15:48:08 <d34dh0r53> sorry, that's the other one, but this one is in progress as well
15:48:16 <tkajinam> no that needs code update
15:48:19 <tkajinam> https://review.opendev.org/c/openstack/keystone/+/935689
15:48:23 <tkajinam> which is pending on broken doc job now
15:48:30 <gtema> eh, we should proceed with openapi since that updates all jsonschemas
15:49:12 <d34dh0r53> ack
15:49:17 <tkajinam> yeah ideally though we may want a quick fix.
15:49:24 <tkajinam> I'll recheck/rebase it once the doc fix is merged
15:49:27 <gtema> absolutely
15:49:43 <tkajinam> the same affects a few other projects, as is seen in the bug
15:49:51 <tkajinam> just fyi
15:50:02 <tkajinam> I think I pushed fixes to all of these
15:51:12 <d34dh0r53> Thank you tkajinam ping us if you need reviews
15:51:13 <d34dh0r53> next up
15:51:19 <tkajinam> will do !
15:51:31 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2088355
15:51:41 <d34dh0r53> this one looks like it's fixed in releases
15:51:46 <d34dh0r53> err requirements
15:52:43 <gtema> there are lots of awkward failures on noble caused by defaulting on py312
15:53:06 <gtema> and pbr is still not supporting that properly (depending on how you use it)
15:54:18 <gtema> which is precisely the case of the openstackdocstheme. We discussed this yesterday in TC meeting long
15:54:47 <gtema> so switching of openstack-tox-docs job to noble will be put on hold until a fix lands in pbr
15:55:03 <gtema> this is the dependency hell I meant in the beginning of the meeting
15:55:23 <d34dh0r53> ahh, now I understand
15:55:53 <gtema> basically "import openstackdocstheme" under py312 doesn't work now
15:57:07 <d34dh0r53> wow
15:57:25 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:57:36 <d34dh0r53> no new bugs in python-keystoneclient
15:57:41 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:57:46 <d34dh0r53> keystoneauth is good
15:57:50 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:58:10 <d34dh0r53> nothing new in keystonemiddleware
15:58:13 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:58:21 <d34dh0r53> pycadf is clean
15:58:22 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:58:33 <d34dh0r53> no new bugs in ldappool
15:58:37 <d34dh0r53> #topic conclusion
15:58:45 <d34dh0r53> nothing from me, thanks for everything!
15:59:06 <d34dh0r53> apologies again for the late start :/
15:59:20 <d34dh0r53> #endmeeting