15:12:21 #startmeeting keystone 15:12:21 Meeting started Wed Nov 20 15:12:21 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:12:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:12:21 The meeting name has been set to 'keystone' 15:12:35 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:12:35 #link https://openinfra.dev/legal/code-of-conduct 15:12:42 #topic roll call 15:12:51 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe 15:12:58 o/ 15:13:16 my bad, fell into an internet hole 15:14:04 I feel into the dependency hell 15:14:13 feel 15:14:40 * fell 15:15:18 #topic review past meeting work items 15:15:28 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-11-13-15.02.html 15:15:33 no action items from last week 15:15:40 #topic liaison updates 15:15:50 nothing from vmt or releases 15:16:30 I just approved the patch to move 2023.1 (Antelope) to unmaintained 15:16:34 next up 15:17:45 Does that mean the gates are off for antelope? 15:17:52 🤔 15:18:15 I don't think so 15:18:42 cool 15:20:52 hmm, now you have me wondering 15:21:05 well, I'll see if I can find that answer after the meeting 15:21:08 moving on 15:21:16 #topic specification OAuth 2.0 (hiromu) 15:21:27 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:21:35 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:21:42 External OAuth 2.0 Specification 15:21:46 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:21:49 OAuth 2.0 Implementation 15:21:53 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:22:00 OAuth 2.0 Documentation 15:22:01 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:22:05 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:22:29 no updates from me on this, I probably need to rebase the last remaining patches 15:22:33 maybe on Friday 15:22:39 #topic specification Secure RBAC (dmendiza[m]) 15:23:02 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:23:06 No updates this week.... 15:23:08 2024.1 Release Timeline 15:23:11 Update oslo.policy in keystone to enforce_new_defaults=True 15:23:18 Update oslo.policy in keystone to enforce_scope=True 15:23:38 Ok, can we update that section to reflect 2025.1 work? 15:25:32 dmendiza: ? 15:26:23 Yeah, sure, I'll take a look at it after the meeting 15:26:41 Thanks! 15:26:43 #topic specification OpenAPI support (gtema) 15:26:48 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:26:54 https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work 15:27:14 no updates due to working on unblocking gate (https://review.opendev.org/c/openstack/keystone/+/935685) 15:27:34 what worked on Monday does not work since yesterday 15:28:05 and since it is anyway something what will need to be done anyway I decided to work on proper replacement rather then pinning fix 15:28:08 we have to update all of our graphs? 15:28:14 yes, I did so 15:28:40 manually reimplemented them. Sadly graphviz doesn't support sequence diagrams natively 15:28:57 s/natively/nicely/ 15:29:11 ack, thank you for doing that 15:30:00 Grzegorz Grasza and dmendiza please take a look at https://review.opendev.org/c/openstack/keystone/+/935685 to unblock the gates 15:30:26 next up 15:30:27 #topic specification domain manager (mhen) 15:30:29 still unmerged are: 15:30:29 documentation: https://review.opendev.org/c/openstack/keystone/+/928135 15:30:30 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 15:33:03 #topic specification Type annotations (stephenfin) 15:33:06 #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing 15:33:10 This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land. 15:33:13 #link https://review.opendev.org/c/openstack/keystone/+/931959 - ruffing the keystone misses +W 15:33:21 ruffing has merged :) 15:33:37 yes, I forgot to drop from agenda 15:33:39 thnks 15:33:57 all open typing patches finaly merged after tons of rechecks 15:34:21 sweet! 15:34:22 stephen pushed few new changes, but we should update the release patch to bring those merged out into the wild for early testing 15:35:12 Yep, I'll update the SHA after this meeting 15:35:44 cool 15:35:47 #action d34dh0r53 Update SHA in https://review.opendev.org/c/openstack/releases/+/934599 to HEAD of keystoneauth 15:36:02 next up 15:36:04 #topic specification Include bad password details in audit messages (stanislav-z) 15:36:07 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 15:36:10 #link https://review.opendev.org/c/openstack/keystone/+/932423 15:36:13 20-Nov update: spec and implementation updated for HMAC-based hashing. Looking for reviews. 15:36:28 * d34dh0r53 needs to look at those 15:36:46 * gtema will look once the world is not burning 15:36:56 thanks! 15:38:04 #topic open discussion 15:38:07 pagination (gtema) 15:38:09 #link https://review.opendev.org/q/topic:%22pagination%22+project:openstack/keystone 15:38:14 it is bit more complex than I thought since all DB queries need to be executed with pagination while some internal calls right now expect to get ALL entries (i.e. list_domains/list_projects) 15:38:26 after Friday I rebased on top of ruffing 15:38:35 and found that broken gate stuff 15:38:42 but anyway I thought about the feedback 15:38:52 and decided not to log warning of using MAX 15:39:08 because this is going to be very similar to what we erased lately 15:39:13 exception logging on 404 15:39:30 it will be present very often without operator being able to do anything with it 15:39:53 and the reason is that by default in the internal (non-api) invocation the limit can not be set by the caller 15:41:00 so with that the change is still good for review 15:41:07 ack 15:41:12 that makes sense 15:41:17 ignore the broken docs results now (this is the broken gate) 15:41:32 ok, I'll take a look 15:41:49 thanks 15:42:24 np, anything else for open discussion? 15:42:32 o/ 15:42:40 let me bring quick one 15:42:49 https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/934272 15:43:11 stable/2023.1 is being transitioned to unmaintained/* so now most of devstack jobs in stable/2023.1 are broken 15:43:25 so can we merge that change to drop 2023.1 job asap while the CI is under control ? 15:44:01 there is also another change to add 2024.2 job which is missing so I hope we can merge it soon (after merging removal of 2023.1 job) https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/930821 15:44:34 that's it 15:44:40 dmendiza: there's your answer :) 15:45:01 Ok, thanks tkajinam ! 15:47:02 #topic bug review 15:47:04 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:47:15 we have a couple of new bugs for keystone 15:47:25 https://bugs.launchpad.net/keystone/+bug/2089051 15:47:29 #link https://bugs.launchpad.net/keystone/+bug/2089051 15:47:44 looks like this is being fixed with a requirements change 15:48:08 sorry, that's the other one, but this one is in progress as well 15:48:16 no that needs code update 15:48:19 https://review.opendev.org/c/openstack/keystone/+/935689 15:48:23 which is pending on broken doc job now 15:48:30 eh, we should proceed with openapi since that updates all jsonschemas 15:49:12 ack 15:49:17 yeah ideally though we may want a quick fix. 15:49:24 I'll recheck/rebase it once the doc fix is merged 15:49:27 absolutely 15:49:43 the same affects a few other projects, as is seen in the bug 15:49:51 just fyi 15:50:02 I think I pushed fixes to all of these 15:51:12 Thank you tkajinam ping us if you need reviews 15:51:13 next up 15:51:19 will do ! 15:51:31 #link https://bugs.launchpad.net/keystone/+bug/2088355 15:51:41 this one looks like it's fixed in releases 15:51:46 err requirements 15:52:43 there are lots of awkward failures on noble caused by defaulting on py312 15:53:06 and pbr is still not supporting that properly (depending on how you use it) 15:54:18 which is precisely the case of the openstackdocstheme. We discussed this yesterday in TC meeting long 15:54:47 so switching of openstack-tox-docs job to noble will be put on hold until a fix lands in pbr 15:55:03 this is the dependency hell I meant in the beginning of the meeting 15:55:23 ahh, now I understand 15:55:53 basically "import openstackdocstheme" under py312 doesn't work now 15:57:07 wow 15:57:25 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:57:36 no new bugs in python-keystoneclient 15:57:41 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:57:46 keystoneauth is good 15:57:50 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:58:10 nothing new in keystonemiddleware 15:58:13 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:58:21 pycadf is clean 15:58:22 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:58:33 no new bugs in ldappool 15:58:37 #topic conclusion 15:58:45 nothing from me, thanks for everything! 15:59:06 apologies again for the late start :/ 15:59:20 #endmeeting