15:00:51 <d34dh0r53> #startmeeting keystone
15:00:51 <opendevmeet> Meeting started Wed Dec 11 15:00:51 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:51 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:51 <opendevmeet> The meeting name has been set to 'keystone'
15:00:54 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:00:58 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:01:05 <d34dh0r53> #topic roll call
15:01:07 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe
15:01:10 <d34dh0r53> o/
15:01:11 <xek> o/
15:01:14 <gtema> o/
15:01:24 <jph> o/
15:02:31 <d34dh0r53> Welcome, let's get started
15:02:35 <d34dh0r53> #topic review past meeting work items
15:02:39 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-12-04-15.04.html
15:02:58 <d34dh0r53> reviewathon look at the Bad Password spec https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:03:23 <d34dh0r53> that was the only action item, we reviewed it in the Reviewathon on Friday
15:03:30 <d34dh0r53> next up
15:03:53 <d34dh0r53> #topic liaison updates
15:04:01 <d34dh0r53> nothing from Releases or VMT
15:04:06 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:04:09 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:04:13 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:04:16 <d34dh0r53> External OAuth 2.0 Specification
15:04:19 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:04:21 <d34dh0r53> OAuth 2.0 Implementation
15:04:25 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:04:27 <d34dh0r53> OAuth 2.0 Documentation
15:04:29 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:04:33 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:05:00 <d34dh0r53> no updates from me on this one, hopefully will be able to recheck and rebase on Friday to get the last couple of remaining patches out
15:05:10 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:05:13 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:05:16 <d34dh0r53> 2024.1 Release Timeline
15:05:18 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:05:20 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:07:44 <d34dh0r53> guess dmendiza isn't around today
15:07:47 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:07:50 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:08:28 <gtema> I wasn't working on that this week so far, so no changes, but on friday we can review next changes done by students
15:10:15 <d34dh0r53> ack, thanks gtema (Artem Goncharov)
15:10:37 <d34dh0r53> #topic specification domain manager (mhen)
15:10:39 <d34dh0r53> still unmerged are:
15:10:42 <d34dh0r53> 'v
15:10:43 <d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135
15:10:47 <d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222
15:11:32 <d34dh0r53> Grzegorz Grasza, dmendiza please review the domain manager patches
15:11:51 <dmendiza[m]> 🙋♂️
15:11:58 <d34dh0r53> ohai dmendiza
15:12:06 <d34dh0r53> any S-RBAC updates?
15:12:47 <dmendiza[m]> Negative, no updates this week. 😅
15:13:17 <d34dh0r53> ack, thanks
15:13:27 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:13:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482
15:13:34 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423
15:13:36 <d34dh0r53> 11-Dec update: thanks for reviews, I've updated the spec according to comments, or otherwise raised my questions in Gerrit - would appreciate your feedback.
15:13:39 <d34dh0r53> CI for keystone-spec is failing :/
15:14:02 <stanislav-z> Hi! Thanks for the review. I updated and responded in Gerrit
15:14:10 <d34dh0r53> Thanks Stanislav Zaprudskiy !
15:14:21 <d34dh0r53> I thought we unblocked the docs gate but I guess not :/
15:14:55 <stanislav-z> And CI indeed is failing - also the build is failing locally. Would looking into it in a separate patch be a way to fix it?
15:15:03 <gtema> in keystone but not in keystone-specs
15:15:52 <d34dh0r53> ahh, thanks gtema (Artem Goncharov)
15:16:34 <d34dh0r53> #topic open discussion
15:16:52 <d34dh0r53> nothing from me
15:17:07 <stanislav-z> I have a question
15:17:37 <stanislav-z> there are 2 APIs that allow creation of ec2 credentials:
15:17:37 <stanislav-z> 1) https://docs.openstack.org/api-ref/identity/v3/#credentials
15:17:52 <stanislav-z> and 2. https://github.com/openstack/keystone/commit/afd897f9122cdee925376a1c25994a515082963f#diff-c626451fb39f390fb94dcd5e75446540e9dad2df619eec121d57d5284def37e0R434
15:19:04 <stanislav-z> they both have similar set of functionality - creation of ec2 credentials. I'm wondering, why both are kept?
15:19:17 <stanislav-z> btw, the second - �/ec2tokens� - is not mentioned in documentation
15:19:36 <gtema> ec2creds are normal creds of the EC2 type
15:19:52 <gtema> there is a separate API (I think for backwards compatibility reasons)
15:20:36 <d34dh0r53> AFAIK that API has been retired
15:21:06 <stanislav-z> �/credentials� also allows creation of ec2 credentials - the difference is, that �/ec2tokens� auto-generates access key/secret, while �/credentials� requires caller to submit the desired access key/value
15:23:03 <stanislav-z> the follow-up question - why does the �/credentials� API not auto-generates the values for users? in other words, it allows users to create insecure credentials like �admin�/�password�. Just in case someone could know ...
15:23:19 <stanislav-z> * the follow-up question - why does the �/credentials� API not auto-generate the values for users? in other words, it allows users to create insecure credentials like �admin�/�password�. Just in case someone could know ...
15:23:30 <stanislav-z> * the follow-up question - why does the �/credentials� API not auto-generate the values for users? in other words, it allows users to create insecure credentials like �admin�/�password�. Just in case someone could know the historical background
15:24:45 <d34dh0r53> I have no idea about the history of EC2 in Keystone, we should deprecate it IMHO as no one is able to maintain it and the EC2-API project has been retired.
15:25:38 <stanislav-z> I would image that Swift S3 emulation might use/rely on it. But got your answer, thanks for the clarification
15:26:01 <stanislav-z> s/image/imagine/
15:26:09 <gtema> Dave Wilde (d34dh0r53): yes, swift and rados GW still rely heavily on the ec2 creds
15:26:13 <gtema> we cant drop it
15:27:31 <d34dh0r53> ahh, yeah
15:29:36 <d34dh0r53> that's a bummer
15:29:43 <d34dh0r53> oh well
15:30:10 <d34dh0r53> Sorry I can't be of more help with those questions Stanislav Zaprudskiy
15:30:29 <d34dh0r53> anything else for open discussion?
15:31:10 <d34dh0r53> cool, moving on
15:31:17 <d34dh0r53> #topic bug review
15:31:21 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:31:54 <d34dh0r53> one new bug for keystone
15:31:57 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2091317
15:34:37 <cardoe> That's my bug.
15:35:11 <cardoe> So I got it to work now by setting default_authorization_ttl
15:35:18 <cardoe> So I was going to close it.
15:36:18 <d34dh0r53> We need to dig into default_authorization_ttl I think
15:36:40 <d34dh0r53> IIRC there are several bugs surrounding it, or the confusion as to what it actually does
15:39:35 <d34dh0r53> ok
15:39:43 <d34dh0r53> that does it for keystone
15:39:52 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:40:10 <d34dh0r53> no new bugs in python-keystoneclient
15:40:16 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:40:30 <d34dh0r53> keystoneauth is good
15:40:35 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:41:01 <d34dh0r53> no new bugs in keystonemiddleware
15:41:06 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:41:10 <d34dh0r53> pycadf is good
15:41:18 <d34dh0r53> so it ldappool
15:41:25 <d34dh0r53> #topic conclusion
15:41:33 <d34dh0r53> nothing else from me, thanks folks!
15:42:02 <d34dh0r53> #endmeeting