15:01:18 #startmeeting keystone 15:01:18 Meeting started Wed Feb 5 15:01:18 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:18 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:18 The meeting name has been set to 'keystone' 15:01:28 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:01:33 #link https://openinfra.dev/legal/code-of-conduct 15:01:38 #topic roll call 15:01:40 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe 15:01:43 o/ 15:01:55 Super special ping for dmendiza 15:02:04 o/ 15:04:00 #topic review past meeting work items 15:04:04 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-01-22-15.03.html 15:04:11 no action items to review 15:04:15 #topic liaison updates 15:04:36 no updates from VMT or release management 15:05:49 #topic specification OAuth 2.0 (hiromu) 15:05:50 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:05:51 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:05:55 External OAuth 2.0 Specification 15:05:57 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:06:00 OAuth 2.0 Implementation 15:06:02 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) 15:06:05 OAuth 2.0 Documentation 15:06:07 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:06:10 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:07:00 I did some review and the main thing we're waiting on are some functional jobs to be added in other projects, namely barbican and tacker 15:07:34 We're also missing two keystone-tempest-plugin patches that I'll try to rebase today 15:08:03 That's in on OAuth 2.0 15:08:07 #topic specification Secure RBAC (dmendiza[m]) 15:08:09 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:08:12 2024.1 Release Timeline 15:08:14 Update oslo.policy in keystone to enforce_new_defaults=True 15:08:16 Update oslo.policy in keystone to enforce_scope=True 15:08:34 i don't think dmendiza is around, but I'll give it a couple of minutes 15:10:19 next up 15:10:22 #topic specification OpenAPI support (gtema) 15:10:24 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:10:39 I see there are a couple of patches for me to review, will do that after this meeting 15:10:55 few changes are up to review. I just retriggered recheck on them to see fresh results from codegenerator 15:11:19 since it wasn't working due to corrupted schema landed 15:11:41 but anyway - seen one pretty interesting case wrt schemas and internal implementation on the endpoint region vs region_id front 15:12:32 in our work we were reimplementing openstackclient to use sdk instead of keystoneclient and managed to end up with entry in the catalog with non empty region_id and region = Null 15:12:43 I mean really explicit null value. 15:13:07 in the normal API case this is not going to happen, but it was present in the catalog inside the token 15:13:28 not something we should worry about here, just a fun fact of scrunity 15:14:01 I am also frustrated by the fact that I am not able to land changes in the openstackdocstheme required to start rendering openapi specs 15:14:49 was even thinking about starting just embedding swagger, but that is going to fail in the same way - collision of bootstrap versions 15:15:47 so I was also thinking about tweaking api-ref job to build openapi separately and render it using custom theme and then copy it to the regular results so that we can publish it 15:15:59 (sort of invisible without direct link) 15:16:04 what do you think? 15:17:21 What's the resistance to landing changes directly in openstackdocstheme? 15:17:26 Just review capacity? 15:17:41 its not a resistance, just nobody cares 15:18:02 it's on the TC table for more then a month already with still no change 15:18:38 hmm 15:19:05 How hard is the api-ref tweak? 15:19:11 in my rust poc I embedded the openapi directly into the binary so that it is rendered with the api (vendor) and it is so cooool 15:19:55 api-ref tweak should not be hard, but it introduces new steps into it and a dependency that might fail. I will try to implement it fail safe so that the normal build is not affected 15:20:12 it is just that it seems to be the only way to start publishing specs 15:20:24 at least for now 15:20:40 ack, I say go for it 15:20:57 ok, thks 15:21:10 anything else on openapi? 15:21:19 nope 15:21:48 #topic specification domain manager (mhen) 15:21:51 still unmerged are: 15:21:53 documentation: https://review.opendev.org/c/openstack/keystone/+/928135 15:21:55 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 15:23:24 this now also has some followups - certain CSPs are relying on federation and then it becomes impossible to manage user/group relations (user - role - project is still fine) 15:23:47 we try now to figure out what is the way to live properly with it 15:24:19 it is not of big problem for upstream, but is certainly a thing for CSPs and certifications 15:24:52 hmm, so the domain manager role makes it harder to manage user/group relations? how so? 15:25:24 not really. Certain CSPs want that users are only coming from let's say keycloak and groups are also managed there 15:25:40 they want to prevent any changes locally 15:26:02 btw, I have also a POC on implementing SCIM for synchronizing data from IdP to Keystone 15:26:09 Merged openstack/keystoneauth master: typing: Simplify some types, other TODOs https://review.opendev.org/c/openstack/keystoneauth/+/935764 15:26:11 Oh cool 15:26:46 it's a cool thinkg since it is a rust application using openstack_sdk (the rust one) and proxy requests to keystone directly 15:27:08 I want to also implement it with direct DB access, but that (as said on Friday) is taking much more time 15:28:08 yeah 15:28:21 I need to solve auth problem though 15:28:53 generally scim providers typically only allow you to send bearer token or oauth (but that is not what we support now) 15:29:21 Grzegorz Grasza: is working on that, although from a different perspective 15:29:53 oh cool to know. Maybe then on Friday we can discuss details 15:30:42 That's actually what I briefly mentioned last Friday, further developing the external OAuth2.0 15:31:08 yeah, I was just going through the spec and I miss there few critical things 15:31:19 oauth is only authentication and not authorization 15:31:38 right, we can discuss this further on Friday 15:31:38 so that need/may need to be handled differently 15:31:46 perfect 15:32:50 👍 15:34:04 next up 15:34:09 #topic specification Include bad password details in audit messages (stanislav-z) 15:34:12 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged) 15:34:15 #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 15:34:17 #link https://review.opendev.org/c/openstack/keystone/+/932423 15:34:20 5-Feb update: implementation to be updated to reflect merged spec state (WIP by @stanislav-z) 15:34:47 thanks for the reviews of the spec 👍️ I'm on updating the implementation 15:35:32 Awesome, thank you Stanislav Zaprudskiy ! 15:35:50 #topic open discussion 15:35:58 I don't have anything 15:36:58 I wanted to join Friday's review sessions once, but was hanging in the lobby of the meeting - not sure, perhaps there was no meeting at all that Fri, or do I perhaps need some authorization to join? 15:37:26 depends on when exactly 15:37:37 it was cancelled few times in Jan 15:38:28 Stanislav Zaprudskiy: if you /msg me your email address I'll add you to the invite 15:38:29 I only wanted to be around in case my PRs fall into view - would that be a valid reason to connect? 15:38:38 thanks! 15:40:40 no problem 15:41:01 moving on 15:41:05 #topic bug review 15:41:08 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:41:18 no new bugs for keystone 15:41:26 'v 15:41:32 oops 15:41:36 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:41:48 python-keystoneclient is good 15:41:50 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:42:09 nothing new in keystoneauth 15:42:17 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:42:43 keystonemiddleware has no new bugs 15:42:46 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:42:49 pycadf is good 15:42:52 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:42:56 so is ldappool 15:43:00 #topic conclusion 15:43:09 nothing from me, thanks everyone!! 15:43:16 thanks 15:43:25 #endmeeting