15:01:29 <d34dh0r53> #startmeeting keystone
15:01:29 <opendevmeet> Meeting started Wed Mar 26 15:01:29 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:29 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:29 <opendevmeet> The meeting name has been set to 'keystone'
15:01:40 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:01:46 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:01:53 <d34dh0r53> #topic roll call
15:01:57 <gtema> o/
15:02:01 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:02:06 <xek> o/
15:02:16 <d34dh0r53> superfluous dmendiza ping
15:05:43 <dmendiza[m]> 🙋‍♂️
15:05:48 <d34dh0r53> o/
15:06:08 <d34dh0r53> #topic review past meeting work items
15:06:17 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-19-15.01.html
15:06:24 <d34dh0r53> no action items from last week
15:06:29 <d34dh0r53> #topic liaison updates
15:06:47 <d34dh0r53> nothing from releases or VMT
15:06:53 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06:54 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:06:57 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:06:59 <d34dh0r53> External OAuth 2.0 Specification
15:07:01 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:04 <d34dh0r53> OAuth 2.0 Implementation
15:07:08 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged)
15:07:11 <d34dh0r53> OAuth 2.0 Documentation
15:07:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07:18 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:07:44 <d34dh0r53> I might try and rebase the last couple of patches we have, get them in early this cycle
15:09:28 <d34dh0r53> it's some tempest tests for keystone and we're waiting on other projects to merge their patches before we add functional testing
15:09:39 <d34dh0r53> next up
15:09:45 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:09:47 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:49 <d34dh0r53> 2024.1 Release Timeline
15:09:52 <d34dh0r53> 'v
15:09:55 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:10:00 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:10:06 <d34dh0r53> dmendiza: any updates?
15:10:41 <dmendiza[m]> Negative.  Still nothing on this, but I do need to review SRBAC status before PTG
15:10:50 <d34dh0r53> ack, thanks
15:10:58 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:11:03 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:11:28 <gtema> stephenfin noticed failing gophercloud tests due to jsonschemas being restrictive
15:12:00 <gtema> well, they "broke" undocumented things like "?name__contains=foo"
15:12:38 <gtema> and so the question for discussion (we agreed he makes a change releasing restriction for the moment) - how do we deal with undocumented things being broken
15:13:10 <xek> we deprecate?
15:13:40 <xek> we can alsa always reverse the process of deprecation
15:13:42 <xek> *also
15:13:49 <gtema> stephenfin and I discussed raising the api ver (to 3.15), but that only after we complete the works, cause every jsonschema is restricting undocumented properties
15:14:02 <stephenfin> I was just writing exactly what gtema said
15:14:40 <stephenfin> I personally don't care whether we keep (and document) or remove these comparator-style filters, but we should have a signal that users can check for if we do remove them
15:14:47 <gtema> anyone of you know ANY customer or so relying on "?PARAM__contains=foo" sort of queries?
15:15:47 <stephenfin> As I said yesterday, gophercloud uses them in tests and documents them as _the_ example of passing a Filter argument to various keystone calls
15:16:43 <dmendiza[m]> Weird, I've never seen the double underscore filtering before
15:17:13 <dmendiza[m]> only the stuff the api-wg documented: https://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering
15:17:29 <gtema> dmendiza - that's the point - we have undocumented feature that nearly nobody knows about
15:17:31 <xek> we could open an issue in gophercloud, to ask them whether they would like to continue to use such filters
15:17:37 <stephenfin> As I also said yesterday, changing API behaviour arbitrarily is bad form for API consumers. We need some kind of signal
15:18:39 <dmendiza[m]> Yeah, documented or not, we should keep the current behavior
15:18:56 <dmendiza[m]> and then deprecate like Grzegorz Grasza suggested if we don't want to keep it
15:19:32 <gtema> I am not a fan of this style of comparators, since afaik other services use a different style
15:19:37 <stephenfin> xek: It's entirely your prerogative to keep or remove it. We (clients/users) just need to signal it if we remove it. This should be a no brainer 🤞
15:20:42 <gtema> I would say - let's drop them and consider harmonizing style with other services later
15:21:04 <stephenfin> sounds like a PTG session to me 0:)
15:21:08 <gtema> until we are done with jsonschemas, release the restriction
15:21:23 <gtema> yeah, makes sense stephenfin
15:21:23 <stephenfin> in any case, here are the patches for master https://review.opendev.org/c/openstack/keystone/+/945504 and stable/2025.1 https://review.opendev.org/c/openstack/keystone/+/945509
15:21:52 <stephenfin> IMO we need to merge those asap to prevent this breaking users in the wild when we release epoxy
15:22:52 <d34dh0r53> PTG session sounds good, I'll review the patches to unblock epoxy today
15:22:57 <gtema> I'm dropping off now, will read back in 1 hour or so
15:23:16 <stephenfin> gtema: o/ thanks for bringing this up
15:23:24 <gtema> wlcm
15:23:25 <d34dh0r53> thanks gtema
15:24:20 <d34dh0r53> next up
15:24:24 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:24:31 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22
15:24:32 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged)
15:24:35 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed)
15:24:37 <d34dh0r53> 11-Mar update: the implementation has been updated to incorporate the review feedback
15:24:57 <d34dh0r53> is there a link to the docs patch that was mentioned in the last review?
15:25:16 <stanislav-z> no, there is no patch yet :)
15:25:37 <stanislav-z> I'll work on it, and send for review
15:25:56 <d34dh0r53> ack, thank you! other than that the code changes look good to me
15:27:22 <d34dh0r53> Thanks for the work and follow through on this!
15:27:33 <d34dh0r53> that does it for specifications
15:27:41 <d34dh0r53> #topic open discussion
15:30:46 <d34dh0r53> nothing from me
15:30:47 <d34dh0r53> moving on
15:30:52 <d34dh0r53> #topic bug review
15:30:56 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:31:48 <d34dh0r53> this is the bug we were just talking about
15:31:52 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2104185
15:32:03 <d34dh0r53> thanks for the quick work on that stephenfin
15:32:29 <d34dh0r53> no more new bugs for keystone
15:32:33 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:32:48 <d34dh0r53> nothing new for python-keystoneclient
15:32:51 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:33:05 <d34dh0r53> keystoneauth has no new bugs
15:33:08 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:33:31 <d34dh0r53> nothing new in keystonemiddleware either
15:33:35 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:33:48 <d34dh0r53> no new bugs in pycadf
15:33:51 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:34:04 <d34dh0r53> ldappool is also clear
15:34:07 <d34dh0r53> #topic conclusion
15:34:33 <d34dh0r53> Not much from me, PTG is in a couple of weeks, looking forward to seeing everyone there
15:34:38 <d34dh0r53> Thanks!!
15:34:43 <d34dh0r53> #endmeeting