15:01:29 <d34dh0r53> #startmeeting keystone
15:01:29 <opendevmeet> Meeting started Wed Mar 26 15:01:29 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:29 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:29 <opendevmeet> The meeting name has been set to 'keystone'
15:01:40 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:01:46 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:01:53 <d34dh0r53> #topic roll call
15:01:57 <gtema> o/
15:02:01 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:02:06 <xek> o/
15:02:16 <d34dh0r53> superfluous dmendiza ping
15:05:43 <dmendiza[m]> 🙋♂️
15:05:48 <d34dh0r53> o/
15:06:08 <d34dh0r53> #topic review past meeting work items
15:06:17 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-19-15.01.html
15:06:24 <d34dh0r53> no action items from last week
15:06:29 <d34dh0r53> #topic liaison updates
15:06:47 <d34dh0r53> nothing from releases or VMT
15:06:53 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06:54 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:06:57 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:06:59 <d34dh0r53> External OAuth 2.0 Specification
15:07:01 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:04 <d34dh0r53> OAuth 2.0 Implementation
15:07:08 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged)
15:07:11 <d34dh0r53> OAuth 2.0 Documentation
15:07:13 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07:18 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:07:44 <d34dh0r53> I might try and rebase the last couple of patches we have, get them in early this cycle
15:09:28 <d34dh0r53> it's some tempest tests for keystone and we're waiting on other projects to merge their patches before we add functional testing
15:09:39 <d34dh0r53> next up
15:09:45 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:09:47 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:49 <d34dh0r53> 2024.1 Release Timeline
15:09:52 <d34dh0r53> 'v
15:09:55 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:10:00 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:10:06 <d34dh0r53> dmendiza: any updates?
15:10:41 <dmendiza[m]> Negative. Still nothing on this, but I do need to review SRBAC status before PTG
15:10:50 <d34dh0r53> ack, thanks
15:10:58 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:11:03 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:11:28 <gtema> stephenfin noticed failing gophercloud tests due to jsonschemas being restrictive
15:12:00 <gtema> well, they "broke" undocumented things like "?name__contains=foo"
15:12:38 <gtema> and so the question to discussion (we agreed he makes a change releasing restriction for the moment) - how do we deal with undocumented things being broken
15:13:10 <xek> we deprecate?
15:13:40 <xek> we can alsa always reverse the process of deprecation
15:13:42 <xek> *also
15:13:49 <gtema> stephenfin and I discussed raising the api ver (to 3.15), but that only after we complete the works, cause every jsonschema is restricting undocumented properties
15:14:02 <stephenfin> I was just writing exactly what gtema said
15:14:40 <stephenfin> I personally don't care whether we keep (and document) or remove these comparator-style filters, but we should have a signal that users can check for if we do remove them
15:14:47 <gtema> anyone of you know ANY customer or so relying on "?PARAM__contains=foo" sort of queries?
15:15:47 <stephenfin> As I said yesterday, gophercloud uses them in tests and documents them as _the_ example of passing a Filter argument to various keystone calls
15:16:43 <dmendiza[m]> Weird, I've never seen the double underscore filtering before
15:17:13 <dmendiza[m]> only the stuff the api-wg documented: https://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering
15:17:29 <gtema> dmendiza - that's the point - we have undocumented feature that nearly nobody knows about
15:17:31 <xek> we could open an issue in gophercloud, to ask them whether they would like to continue to use such filters
15:17:37 <stephenfin> As I also said yesterday, changing API behaviour arbitrarily is bad form for API consumers. We need some kind of signal
15:18:39 <dmendiza[m]> Yeah, documented or not, we should keep the current behavior
15:18:56 <dmendiza[m]> and then deprecate like Grzegorz Grasza suggested if we don't want to keep it
15:19:32 <gtema> i am not fan of this style comparators, since afaik other services use different style
15:19:37 <stephenfin> xek: It's entirely your prerogative to keep or remove it. We (clients/users) just need to signal it if we remove it. This should be a no brainer 🤞
15:20:42 <gtema> I would say - let's drop them and consider harmonizing style with other services later
15:21:04 <stephenfin> sounds like a PTG session to me 0:)
15:21:08 <gtema> until we are done with jsonschemas release the restriction
15:21:23 <gtema> yeah, makes sense stephenfin
15:21:23 <stephenfin> in any case, here are the patches for master https://review.opendev.org/c/openstack/keystone/+/945504 and stable/2025.1 https://review.opendev.org/c/openstack/keystone/+/945509
15:21:52 <stephenfin> IMO we need to merge those asap to prevent this breaking users in the wild when we release epoxy
15:22:52 <d34dh0r53> PTG session sounds good, I'll review the patches to unblock epoxy today
15:22:57 <gtema> I'm dropping off now, will read back in 1 hour or so
15:23:16 <stephenfin> gtema: o/ thanks for bringing this up
15:23:24 <gtema> wlcm
15:23:25 <d34dh0r53> thanks gtema
15:24:20 <d34dh0r53> next up
15:24:24 <d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z)
15:24:31 <d34dh0r53> #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22
15:24:32 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged)
15:24:35 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed)
15:24:37 <d34dh0r53> 11-Mar update: the implementation has been updated to incorporate the review feedback
15:24:57 <d34dh0r53> is there a link to the docs patch that was mentioned in the last review?
15:25:16 <stanislav-z> no, there is no patch yet :)
15:25:37 <stanislav-z> I'll work on it, and send for review
15:25:56 <d34dh0r53> ack, thank you! other than that the code changes look good to me
15:27:22 <d34dh0r53> Thanks for the work and follow through on this!
15:27:33 <d34dh0r53> that does it for specifications
15:27:41 <d34dh0r53> #topic open discussion
15:30:46 <d34dh0r53> nothing from me
15:30:47 <d34dh0r53> moving on
15:30:52 <d34dh0r53> #topic bug review
15:30:56 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:31:48 <d34dh0r53> this is the bug we were just talking about
15:31:52 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2104185
15:32:03 <d34dh0r53> thanks for the quick work on that stephenfin
15:32:29 <d34dh0r53> no more new bugs for keystone
15:32:33 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:32:48 <d34dh0r53> nothing new for python-keystoneclient
15:32:51 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:33:05 <d34dh0r53> keystoneauth has no new bugs
15:33:08 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:33:31 <d34dh0r53> nothing new in keystonemiddleware either
15:33:35 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:33:48 <d34dh0r53> no new bugs in pycadf
15:33:51 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:34:04 <d34dh0r53> ldappool is also clear
15:34:07 <d34dh0r53> #topic conclusion
15:34:33 <d34dh0r53> Not much from me, PTG is in a couple of weeks, looking forward to seeing everyone there
15:34:38 <d34dh0r53> Thanks!!
15:34:43 <d34dh0r53> #endmeeting