15:00:51 #startmeeting keystone 15:00:51 Meeting started Wed Dec 11 15:00:51 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:51 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:51 The meeting name has been set to 'keystone' 15:00:54 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:00:58 #link https://openinfra.dev/legal/code-of-conduct 15:01:05 #topic roll call 15:01:07 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe 15:01:10 o/ 15:01:11 o/ 15:01:14 o/ 15:01:24 o/ 15:02:31 Welcome, let's get started 15:02:35 #topic review past meeting work items 15:02:39 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-12-04-15.04.html 15:02:58 reviewathon look at the Bad Password spec https://review.opendev.org/c/openstack/keystone-specs/+/915482 15:03:23 that was the only action item, we reviewed it in the Reviewathon on Friday 15:03:30 next up 15:03:53 #topic liaison updates 15:04:01 nothing from Releases or VMT 15:04:06 #topic specification OAuth 2.0 (hiromu) 15:04:09 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:04:13 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:04:16 External OAuth 2.0 Specification 15:04:19 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:04:21 OAuth 2.0 Implementation 15:04:25 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:04:27 OAuth 2.0 Documentation 15:04:29 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:04:33 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:05:00 no updates from me on this one, hopefully will be able to recheck and rebase on Friday to get the last couple of remaining patches out 15:05:10 #topic specification Secure RBAC (dmendiza[m]) 15:05:13 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:05:16 2024.1 Release Timeline 15:05:18 Update oslo.policy in keystone to enforce_new_defaults=True 15:05:20 Update oslo.policy in keystone to enforce_scope=True 15:07:44 guess dmendiza isn't around today 15:07:47 #topic specification OpenAPI support (gtema) 15:07:50 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:08:28 I wasn't working on that this week so far, so no changes, but on friday we can review next changes done by students 15:10:15 ack, thanks gtema (Artem Goncharov) 15:10:37 #topic specification domain manager (mhen) 15:10:39 still unmerged are: 15:10:42 'v 15:10:43 documentation: https://review.opendev.org/c/openstack/keystone/+/928135 15:10:47 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 15:11:32 Grzegorz Grasza, dmendiza please review the domain manager patches 15:11:51 🙋‍♂️ 15:11:58 ohai dmendiza 15:12:06 any S-RBAC updates? 15:12:47 Negative, no updates this week. 😅 15:13:17 ack, thanks 15:13:27 #topic specification Include bad password details in audit messages (stanislav-z) 15:13:30 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 15:13:34 #link https://review.opendev.org/c/openstack/keystone/+/932423 15:13:36 11-Dec update: thanks for reviews, I've updated the spec according to comments, or otherwise raised my questions in Gerrit - would appreciate your feedback. 15:13:39 CI for keystone-spec is failing :/ 15:14:02 Hi! Thanks for the review. I updated and responded in Gerrit 15:14:10 Thanks Stanislav Zaprudskiy ! 15:14:21 I thought we unblocked the docs gate but I guess not :/ 15:14:55 And CI indeed is failing - also the build is failing locally. Would looking into it in a separate patch be a way to fix it? 15:15:03 in keystone but not in keystone-specs 15:15:52 ahh, thanks gtema (Artem Goncharov) 15:16:34 #topic open discussion 15:16:52 nothing from me 15:17:07 I have a question 15:17:37 there are 2 APIs that allow creation of ec2 credentials: 15:17:37 1) https://docs.openstack.org/api-ref/identity/v3/#credentials 15:17:52 and 2. https://github.com/openstack/keystone/commit/afd897f9122cdee925376a1c25994a515082963f#diff-c626451fb39f390fb94dcd5e75446540e9dad2df619eec121d57d5284def37e0R434 15:19:04 they both have similar set of functionality - creation of ec2 credentials. I'm wondering, why both are kept? 15:19:17 btw, the second - /ec2tokens - is not mentioned in documentation 15:19:36 ec2creds are normal creds of the EC2 type 15:19:52 there is a separate API (I think for backwards compatibility reasons) 15:20:36 AFAIK that API has been retired 15:21:06 /credentials also allows creation of ec2 credentials - the difference is, that /ec2tokens auto-generates access key/secret, while /credentials requires caller to submit the desired access key/value 15:23:03 the follow-up question - why does the /credentials API not auto-generates the values for users? in other words, it allows users to create insecure credentials like admin/password. Just in case someone could know ... 15:23:19 * the follow-up question - why does the /credentials API not auto-generate the values for users? in other words, it allows users to create insecure credentials like admin/password. Just in case someone could know ... 15:23:30 * the follow-up question - why does the /credentials API not auto-generate the values for users? in other words, it allows users to create insecure credentials like admin/password. Just in case someone could know the historical background 15:24:45 I have no idea about the history of EC2 in Keystone, we should deprecate it IMHO as no one is able to maintain it and the EC2-API project has been retired. 15:25:38 I would image that Swift S3 emulation might use/rely on it. But got your answer, thanks for the clarification 15:26:01 s/image/imagine/ 15:26:09 Dave Wilde (d34dh0r53): yes, swift and rados GW still rely heavily on the ec2 creds 15:26:13 we cant drop it 15:27:31 ahh, yeah 15:29:36 that's a bummer 15:29:43 oh well 15:30:10 Sorry I can't be of more help with those questions Stanislav Zaprudskiy 15:30:29 anything else for open discussion? 15:31:10 cool, moving on 15:31:17 #topic bug review 15:31:21 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:31:54 one new bug for keystone 15:31:57 #link https://bugs.launchpad.net/keystone/+bug/2091317 15:34:37 That's my bug. 15:35:11 So I got it to work now by setting default_authorization_ttl 15:35:18 So I was going to close it. 15:36:18 We need to dig into default_authorization_ttl I think 15:36:40 IIRC there are several bugs surrounding it, or the confusion as to what it actually does 15:39:35 ok 15:39:43 that does it for keystone 15:39:52 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:40:10 no new bugs in python-keystoneclient 15:40:16 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:40:30 keystoneauth is good 15:40:35 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:41:01 no new bugs in keystonemiddleware 15:41:06 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:41:10 pycadf is good 15:41:18 so it ldappool 15:41:25 #topic conclusion 15:41:33 nothing else from me, thanks folks! 15:42:02 #endmeeting