15:01:00 #startmeeting keystone 15:01:00 Meeting started Wed Mar 5 15:01:00 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:00 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:00 The meeting name has been set to 'keystone' 15:01:22 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:02:16 #link https://openinfra.dev/legal/code-of-conduct 15:02:24 #topic roll call 15:02:36 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:02:41 dmendiza 15:02:50 o/ but stick in another meeting 15:03:08 👋 15:06:15 #topic review past meeting work items 15:06:37 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-02-26-15.05.html 15:06:47 no action items from the last meeting 15:06:57 #topic liaison updates 15:07:07 nothing from VMT or Releases 15:08:45 #topic specification OAuth 2.0 (hiromu) 15:08:53 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:09:10 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:09:11 External OAuth 2.0 Specification 15:09:14 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:09:18 OAuth 2.0 Implementation 15:09:23 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) 15:09:27 OAuth 2.0 Documentation 15:09:32 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:09:39 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:09:56 no updates from me on this one 15:09:57 next up 15:10:03 #topic specification Secure RBAC (dmendiza[m]) 15:10:08 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10:14 2024.1 Release Timeline 15:10:22 Update oslo.policy in keystone to enforce_new_defaults=True 15:10:27 Update oslo.policy in keystone to enforce_scope=True 15:12:18 dmendiza: supplemental ping ;) 15:13:15 No updates 😅 15:13:43 👍 15:13:47 next up 15:13:57 #topic specification OpenAPI support (gtema) 15:14:03 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:14:21 sorry, no updates. Due to FF also no hard work done 15:14:46 ack, no worries 15:14:54 #topic specification Include bad password details in audit messages (stanislav-z) 15:15:09 #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22 15:15:18 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged) 15:15:36 #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed) 15:15:52 18-Feb update: the implementation has been updated to reflect the merged spec state 15:16:47 I owe you reviews on your patch 15:16:56 perhaps it just needs to wait for someone reviews it 15:18:17 yeah, cores, if you can review this please 15:18:28 +1 15:19:50 Thank you 15:19:55 #topic open discussion 15:20:01 I don't have anything 15:20:21 if I may :) I have use case, for which I need an advice 15:20:30 Go ahead 15:20:31 In order to reduce password authentication usage along with its associated peculiarities, there is an idea to switch to application credentials auth as much as possible in cases where technical/service users are utilized (non-humans, applications, systems, etc). Along with that, there is an idea to use short-lived application credentials for these cases all the time to improve security - something like 7d or so. Finally, the 15:20:31 idea is to have the application credentials created upon application start-up - which should generally increase start-up time a bit. Given all that, would you come up with anything that speaks against it? Or something worth keeping in mind? Generally, are application credentials suitable/designed for such use cases? It may result to tens of thousands of app credentials being created/expiring/deleted all the time - do you think 15:20:31 it could impact performance noticeably? 15:24:04 I think it would impact performance, but I don't know how much 15:24:43 gtema would know better as he operates clouds at a scale where it would be noticeable 15:26:38 all right. I'm open to comments to it after the call as well :) unless anyone wants to add something now, I suggest we move on. thanks! 15:26:58 ack, thanks Stanislav Zaprudskiy 15:28:25 #topic bug review 15:28:32 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:28:37 no new bugs for keystone 15:28:48 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:28:58 python-keystoneclient is good 15:29:16 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:29:20 no new bugs for keystoneauth 15:29:26 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:29:43 keystonemiddleware is good to go 15:29:47 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:30:01 nothing new in pycadf 15:30:13 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:30:20 ldappool is good 15:30:27 #topic conclusion 15:30:38 nothing else from me, thanks folks! 15:31:38 thks and sorry for mostly only reading 15:33:17 no problem 15:33:24 #endmeeting