15:06:06 #startmeeting keystone 15:06:06 Meeting started Wed Feb 12 15:06:06 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:06:06 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:06:06 The meeting name has been set to 'keystone' 15:07:00 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:07:11 #link https://openinfra.dev/legal/code-of-conduct 15:07:21 #topic roll call 15:07:26 o/ 15:07:34 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:07:49 dmendiza 15:07:53 o/ 15:10:17 #topic review past meeting work items 15:10:25 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-05-15.01.html 15:10:35 no action items from our last meeting 15:10:44 #topic liaison updates 15:10:54 nothing from VMT or releases 15:11:52 #topic specification OAuth 2.0 (hiromu) 15:12:10 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:12:14 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:12:18 External OAuth 2.0 Specification 15:12:21 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:12:24 OAuth 2.0 Implementation 15:12:26 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) 15:12:29 OAuth 2.0 Documentation 15:12:32 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:12:36 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:12:45 no updates from me this week 15:13:23 not directly related to that in particular, I started writing down ideas around oauth2/oidc/federation in https://gtema.github.io/posts/rethinking-openstack-auth-authz/ 15:13:56 oh cool, I'll give it a read 15:14:17 I touched that aspect as well. I think generally idea with adding support for oauth2 for external auth is good, but not in that implementation - we need to flip it around and make keystone issue jwt that can be checked by middleware 15:14:33 anyway - it is a working draft with many topics around 15:15:20 thanks gtema 15:15:31 #topic specification Secure RBAC (dmendiza[m]) 15:15:35 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:15:38 2024.1 Release Timeline 15:15:40 Update oslo.policy in keystone to enforce_new_defaults=True 15:15:42 Update oslo.policy in keystone to enforce_scope=True 15:15:51 dmendiza: are you around? 15:17:43 guess not 15:17:45 moving on 15:17:52 #topic specification OpenAPI support (gtema) 15:17:54 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:18:29 not much from me this week. I finally got permissions on openstackdocstheme so that I can go on making api-ref builds 15:18:54 other then that few changes are hanging around (I guess) from our intern. Will look later this week 15:19:12 🙋 15:19:42 ohai dmendiza ! 15:21:40 any updates on SRBAC dmendiza ? 15:21:57 Negative. 15:22:21 I think there's a pop-up meeting scheduled today. Not sure if it'll actually happen. 15:23:30 ack, thank you 15:23:51 and thanks gtema let us know if/when there are more openapi things to review 15:23:54 moving on 15:24:00 'v 15:24:02 #topic specification domain manager (mhen) 15:24:05 still unmerged are: 15:24:08 documentation: https://review.opendev.org/c/openstack/keystone/+/928135 15:24:11 tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 15:24:23 dmendiza: can you take a look at those? 15:24:40 ack, yeah, sorry, I've been slacking on gerrit reveiws 15:27:16 no worries 15:27:21 #topic specification Include bad password details in audit messages (stanislav-z) 15:27:24 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged) 15:27:27 #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 15:27:29 #link https://review.opendev.org/c/openstack/keystone/+/932423 15:27:32 5-Feb update: implementation to be updated to reflect merged spec state (WIP by @stanislav-z) 15:28:21 hi, no updates so far - didn't find the time yet to bring it to a proper state. will try in the following days/week 15:29:09 ack, thank you Stanislav Zaprudskiy 15:29:14 #topic open discussion 15:29:19 nothing from me 15:29:36 i don't have anything either 15:29:49 ack, moving on 15:29:53 #topic bug review 15:29:57 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:30:01 one new bug in keystone 15:30:15 #link https://bugs.launchpad.net/keystone/+bug/2097550 15:32:35 we have quite a bit of flask-restful it looks like 15:33:27 jfyi: I am currently working on "reimplementing" keystone in rust. We could actually combine this with addressing flask. I know how it sounds, so just fyi 15:34:19 :) it may be the catalyst we need 15:34:30 thanks gtema 15:34:58 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:35:03 no new bugs in python-keystoneclient 15:35:12 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:35:26 keystoneauth has no new bugs 15:35:31 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:35:47 and keystonemiddleware is clean too 15:35:51 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:36:08 nothing new in pycadf 15:36:10 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:36:15 nor in ldappool 15:36:18 #topic conclusion 15:36:33 nothing from me today, thanks everyone 15:36:56 thks Dave 15:38:17 #endmeeting