15:01:29 #startmeeting keystone
15:01:29 Meeting started Wed Mar 26 15:01:29 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:29 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:29 The meeting name has been set to 'keystone'
15:01:40 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:01:46 #link https://openinfra.dev/legal/code-of-conduct
15:01:53 #topic roll call
15:01:57 o/
15:02:01 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:02:06 o/
15:02:16 superfluous dmendiza ping
15:05:43 🙋‍♂️
15:05:48 o/
15:06:08 #topic review past meeting work items
15:06:17 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-03-19-15.01.html
15:06:24 no action items from last week
15:06:29 #topic liaison updates
15:06:47 nothing from releases or VMT
15:06:53 #topic specification OAuth 2.0 (hiromu)
15:06:54 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:06:57 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:06:59 External OAuth 2.0 Specification
15:07:01 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)
15:07:04 OAuth 2.0 Implementation
15:07:08 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged)
15:07:11 OAuth 2.0 Documentation
15:07:13 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)
15:07:18 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)
15:07:44 I might try and rebase the last couple of patches we have, get them in early this cycle
15:09:28 it's some tempest tests for keystone and we're waiting on other projects to merge their patches before we add functional testing
15:09:39 next up
15:09:45 #topic specification Secure RBAC (dmendiza[m])
15:09:47 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:49 2024.1 Release Timeline
15:09:52 'v
15:09:55 Update oslo.policy in keystone to enforce_new_defaults=True
15:10:00 Update oslo.policy in keystone to enforce_scope=True
15:10:06 dmendiza: any updates?
15:10:41 Negative. Still nothing on this, but I do need to review SRBAC status before PTG
15:10:50 ack, thanks
15:10:58 #topic specification OpenAPI support (gtema)
15:11:03 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:11:28 stephenfin noticed failing gophercloud tests due to jsonschemas being restrictive
15:12:00 well, they "broke" undocumented things like "?name__contains=foo"
15:12:38 and so the question to discussion (we agreed he makes a change releasing restriction for the moment) - how do we deal with undocumented things being broken
15:13:10 we deprecate?
15:13:40 we can alsa always reverse the process of deprecation
15:13:42 *also
15:13:49 stephenfin and I discussed raising the api ver (to 3.15), but that only after we complete the works, cause every jsonschema is restricting undocumented properties
15:14:02 I was just writing exactly what gtema said
15:14:40 I personally don't care whether we keep (and document) or remove these comparator-style filters, but we should have a signal that users can check for if we do remove them
15:14:47 anyone of you know ANY customer or so relying on "?PARAM__contains=foo" sort of queries?
15:15:47 As I said yesterday, gophercloud uses them in tests and documents them as _the_ example of passing a Filter argument to various keystone calls
15:16:43 Weird, I've never seen the double underscore filtering before
15:17:13 only the stuff the api-wg documented: https://specs.openstack.org/openstack/api-wg/guidelines/pagination_filter_sort.html#filtering
15:17:29 dmendiza - that's the point - we have undocumented feature that nearly nobody knows about
15:17:31 we could open an issue in gophercloud, to ask them whether they would like to continue to use such filters
15:17:37 As I also said yesterday, changing API behaviour arbitrarily is bad form for API consumers. We need some kind of signal
15:18:39 Yeah, documented or not, we should keep the current behavior
15:18:56 and then deprecate like Grzegorz Grasza suggested if we don't want to keep it
15:19:32 i am not fan of this style comparators, since afaik other services use different style
15:19:37 xek: It's entirely your prerogative to keep or remove it. We (clients/users) just need to signal it if we remove it. This should be a no brainer 🤞
15:20:42 I would say - let's drop them and consider harmonizing style with other services later
15:21:04 sounds like a PTG session to me 0:)
15:21:08 until we are done with jsonschemas release the restriction
15:21:23 yeah, makes sense stephenfin
15:21:23 in any case, here are the patches for master https://review.opendev.org/c/openstack/keystone/+/945504 and stable/2025.1 https://review.opendev.org/c/openstack/keystone/+/945509
15:21:52 IMO we need to merge those asap to prevent this breaking users in the wild when we release epoxy
15:22:52 PTG session sounds good, I'll review the patches to unblock epoxy today
15:22:57 I'm dropping off now, will read back in 1 hour or so
15:23:16 gtema: o/ thanks for bringing this up
15:23:24 wlcm
15:23:25 thanks gtema
15:24:20 next up
15:24:24 #topic specification Include bad password details in audit messages (stanislav-z)
15:24:31 #link https://review.opendev.org/q/topic:%22pci-dss-invalid-password-reporting%22
15:24:32 #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 (merged)
15:24:35 #link https://review.opendev.org/c/openstack/keystone/+/932423 (to be reviewed)
15:24:37 11-Mar update: the implementation has been updated to incorporate the review feedback
15:24:57 is there a link to the docs patch that was mentioned in the last review?
15:25:16 no, there is no patch yet :)
15:25:37 I'll work on it, and send for review
15:25:56 ack, thank you! other than that the code changes look good to me
15:27:22 Thanks for the work and follow through on this!
15:27:33 that does it for specifications
15:27:41 #topic open discussion
15:30:46 nothing from me
15:30:47 moving on
15:30:52 #topic bug review
15:30:56 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:31:48 this is the bug we were just talking about
15:31:52 #link https://bugs.launchpad.net/keystone/+bug/2104185
15:32:03 thanks for the quick work on that stephenfin
15:32:29 no more new bugs for keystone
15:32:33 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:32:48 nothing new for python-keystoneclient
15:32:51 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:33:05 keystoneauth has no new bugs
15:33:08 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:33:31 nothing new in keystonemiddleware either
15:33:35 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:33:48 no new bugs in pycadf
15:33:51 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:34:04 ldappool is also clear
15:34:07 #topic conclusion
15:34:33 Not much from me, PTG is in a couple of weeks, looking forward to seeing everyone there
15:34:38 Thanks!!
15:34:43 #endmeeting