15:04:05 #startmeeting keystone 15:04:05 Meeting started Wed Dec 4 15:04:05 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:04:05 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:04:05 The meeting name has been set to 'keystone' 15:04:24 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:04:32 #link https://openinfra.dev/legal/code-of-conduct 15:04:40 #topic roll call 15:04:48 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe 15:04:54 0- 15:05:01 o/ 15:06:29 #topic review past meeting work items 15:06:47 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-11-20-15.12.html 15:06:57 There was one action item: 15:07:14 d34dh0r53 Update SHA in https://review.opendev.org/c/openstack/releases/+/934599 to HEAD of keystoneauth 15:07:27 This has been done 15:07:38 #topic liaison updates 15:07:51 nothing from VMT nor releases 15:09:13 #topic specification OAuth 2.0 (hiromu) 15:09:14 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:09:15 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:09:16 External OAuth 2.0 Specification 15:09:18 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:09:21 OAuth 2.0 Implementation 15:09:25 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:09:30 OAuth 2.0 Documentation 15:09:33 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:09:38 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:09:44 no updates from me on this one 15:09:48 next up 15:09:54 #topic specification Secure RBAC (dmendiza[m]) 15:09:58 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10:00 2024.1 Release Timeline 15:10:03 Update oslo.policy in keystone to enforce_new_defaults=True 15:10:05 Update oslo.policy in keystone to enforce_scope=True 15:11:40 dmendiza: you around? 15:13:00 guess not 15:13:02 #topic specification OpenAPI support (gtema) 15:13:04 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:13:39 after merging some of the latest changes I noticed some jsonschemas became corrupted (the ones which are not attached to api yet) 15:13:53 but for the moment I have implemented workaround 15:14:11 that tells we need to speed up a bit merging the changes 15:14:31 and so the work is in progress. Nothing else about openapi 15:14:53 ack, do any of them need reviews right now? 15:15:07 will check today what is up next 15:15:16 ack, thanks gtema (Artem Goncharov) 15:15:23 #topic specification domain manager (mhen) 15:15:26 still unmerged are: 15:15:28 documentation: https://review.opendev.org/c/openstack/keystone/+/928135 15:15:31 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 15:15:52 dmendiza, Grzegorz Grasza please review these 15:16:15 🙋‍♂️ 15:16:48 o/ dmendiza 15:17:52 Ack, will take a look at Domain Manager patches 15:18:08 thanks! 15:18:27 next up 15:18:34 #topic specification Include bad password details in audit messages (stanislav-z) 15:18:37 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 15:18:40 #link https://review.opendev.org/c/openstack/keystone/+/932423 15:18:43 20-Nov update: spec and implementation updated for HMAC-based hashing. Looking for reviews. 15:18:54 Stanislav Zaprudskiy: any updates? 15:19:29 I guess our reviews are missing 15:20:20 indeed 15:20:58 sadly I had no time to look at it so far 15:21:15 nor me 15:21:29 we can dedicate some time during the reviewathon this week 15:22:04 #action reviewathon look at the Bad Password spec https://review.opendev.org/c/openstack/keystone-specs/+/915482 15:22:09 next up 15:22:17 #topic open discussion 15:22:19 new gate (un)blocker 15:22:22 #link https://review.opendev.org/c/openstack/keystone/+/936721 15:23:02 last week I identified (after working on pagination) that I accidentally introduced new blocker with the change in devstack that got merged 15:23:35 ack, I just reviewed it 15:23:53 dmendiza: can you push the go button on https://review.opendev.org/c/openstack/keystone/+/936721 15:24:05 this change fixes that. Point is that 1st I introduced new wsgi module, 2nd devstack switched to using that, 3rd - there are no federation jobs running in devstack changes so I missed breaking federation tests 15:24:11 thks 15:24:34 lgtm 15:25:36 👍️ 15:25:39 next up 15:25:42 pagination (gtema) 15:25:45 #link https://review.opendev.org/q/topic:%22pagination%22+project:openstack/keystone 15:25:49 #link https://review.opendev.org/c/openstack/keystone/+/933598 must be merged before next work can be started 15:26:08 right, so last week I have figured out that the change was already paginating domains 15:26:17 because domains are, well, projects 15:26:43 so I fine-tuned the change to explicitly tell that and added sufficient unit tests for the changed API 15:26:48 ahh 15:27:10 is the zuul failure still unrelated? 15:27:17 this is the one from above 15:27:21 the federation stuff 15:27:28 once that is merged should be fine 15:27:32 ack 15:27:54 I'll try to review pagination this week 15:28:01 awesome, thanks 15:28:15 anything else for open discussion? 15:28:24 not from me 15:29:18 #topic bug review 15:29:22 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:29:43 #link https://bugs.launchpad.net/keystone/+bug/2089051 15:29:56 gtema (Artem Goncharov): have you seen this one? 15:30:11 it looks like Takashi is working on it, but wanted you to see it 15:30:16 I think I have seen that report 15:30:28 not sure if it coincides with what you're working on 15:31:14 to some extend it does, but not heavily 15:31:18 ok 15:31:20 next up 15:31:23 #link https://bugs.launchpad.net/keystone/+bug/2089403 15:32:01 we identified that working on openapi 15:33:13 if you remember we have this one change removing "experimental" label from the unified limits api 15:33:23 and this is one interesting gotcha there 15:33:28 indeed 15:33:46 based on the test that is expected behavior though, which is interesting 15:34:34 yeah, I think people have overseen that 15:36:08 ok, we at least need documentation 15:37:31 that does it for keystone 15:37:33 next up 15:37:41 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:37:57 no new bugs in python-keystoneclient 15:38:20 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:38:29 looks like keystoneauth is good 15:38:33 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:38:43 as is keystonemiddleware 15:38:47 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:38:53 pycadf is good 15:38:59 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:39:06 so is ldappool 15:39:09 #topic conclusion 15:39:33 That's all I have, thanks everyone! 15:39:36 thks 15:39:39 #endmeeting