15:01:00 <d34dh0r53> #startmeeting keystone
15:01:00 <opendevmeet> Meeting started Wed Mar  5 15:01:00 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:00 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:00 <opendevmeet> The meeting name has been set to 'keystone'
15:01:22 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:02:16 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:02:24 <d34dh0r53> #topic roll call
15:02:36 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:02:41 <d34dh0r53> dmendiza
15:02:50 <gtema> o/ but stick in another meeting
15:03:08 <dmendiza[m]> 👋
15:06:15 <d34dh0r53> #topic review past meeting work items
15:06:37 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-26-15.05.html
15:06:47 <d34dh0r53> no action items from the last meeting
15:06:57 <d34dh0r53> #topic liaison updates
15:07:07 <d34dh0r53> nothing from VMT or Releases
15:08:45 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:08:53 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:09:10 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:09:11 <d34dh0r53> External OAuth 2.0 Specification
15:09:14 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:09:18 <d34dh0r53> OAuth 2.0 Implementation
15:09:23 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged)
15:09:27 <d34dh0r53> OAuth 2.0 Documentation
15:09:32 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:09:39 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:09:56 <d34dh0r53> no updates from me on this one
15:09:57 <d34dh0r53> next up
15:10:03 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:10:08 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:10:14 <d34dh0r53> 2024.1 Release Timeline
15:10:22 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:10:27 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:12:18 <d34dh0r53> dmendiza: supplemental ping ;)
15:13:15 <dmendiza[m]> No updates 😅
15:13:43 <d34dh0r53> 👍
15:13:47 <d34dh0r53> next up
15:13:57 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:14:03 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:14:21 <gtema> sorry, no updates. Due to FF also no hard work done
15:14:46 <d34dh0r53> ack, no worries
15:14:54 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:15:09 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22
15:15:18 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged)
15:15:36 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed)
15:15:52 <d34dh0r53> 18-Feb update: the implementation has been updated to reflect the merged spec state
15:16:47 <d34dh0r53> I owe you reviews on your patch
15:16:56 <stanislav-z> perhaps it just needs to wait for someone reviews it
15:18:17 <d34dh0r53> yeah, cores, if you can review this please
15:18:28 <gtema> +1
15:19:50 <d34dh0r53> Thank you
15:19:55 <d34dh0r53> #topic open discussion
15:20:01 <d34dh0r53> I don't have anything
15:20:21 <stanislav-z> if I may :) I have use case, for which I need an advice
15:20:30 <d34dh0r53> Go ahead
15:20:31 <stanislav-z> In order to reduce password authentication usage along with its associated peculiarities, there is an idea to switch to application credentials auth as much as possible in cases where technical/service users are utilized (non-humans, applications, systems, etc). Along with that, there is an idea to use short-lived application credentials for these cases all the time to improve security - something like 7d or so. Finally, the
15:20:31 <stanislav-z> idea is to have the application credentials created upon application start-up - which should generally increase start-up time a bit. Given all that, would you come up with anything that speaks against it? Or something worth keeping in mind? Generally, are application credentials suitable/designed for such use cases? It may result to tens of thousands of app credentials being created/expiring/deleted all the time - do you think
15:20:31 <stanislav-z> it could impact performance noticeably?
15:24:04 <d34dh0r53> I think it would impact performance, but I don't know how much
15:24:43 <d34dh0r53> gtema would know better as he operates clouds at a scale where it would be noticeable
15:26:38 <stanislav-z> all right. I'm open to comments to it after the call as well :) unless anyone wants to add something now, I suggest we move on. thanks!
15:26:58 <d34dh0r53> ack, thanks Stanislav Zaprudskiy
15:28:25 <d34dh0r53> #topic bug review
15:28:32 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:28:37 <d34dh0r53> no new bugs for keystone
15:28:48 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:28:58 <d34dh0r53> python-keystoneclient is good
15:29:16 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:29:20 <d34dh0r53> no new bugs for keystoneauth
15:29:26 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:29:43 <d34dh0r53> keystonemiddleware is good to go
15:29:47 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:30:01 <d34dh0r53> nothing new in pycadf
15:30:13 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:30:20 <d34dh0r53> ldappool is good
15:30:27 <d34dh0r53> #topic conclusion
15:30:38 <d34dh0r53> nothing else from me, thanks folks!
15:31:38 <gtema> thks and sorry for mostly only reading
15:33:17 <d34dh0r53> no problem
15:33:24 <d34dh0r53> #endmeeting