15:02:07 #startmeeting keystone 15:02:07 Meeting started Wed May 7 15:02:07 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:02:07 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:02:07 The meeting name has been set to 'keystone' 15:02:37 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:02:46 #link https://openinfra.dev/legal/code-of-conduct 15:02:54 #topic roll call 15:03:03 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:03:03 o/ 15:03:05 🙋‍♂️ 15:03:16 o/ 15:04:17 #topic review past meeting work items 15:04:43 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-04-23-15.02.html 15:04:48 no action items from the last meeting 15:04:57 #topic liaison updates 15:05:00 nothing from releases 15:05:24 anything from VMT? 15:05:51 not that I would know about 15:06:26 ack, thanks 15:07:04 moving on then 15:07:07 #topic specification OAuth 2.0 (hiromu) 15:07:09 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:07:15 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:07:18 External OAuth 2.0 Specification 15:07:19 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) 15:07:24 OAuth 2.0 Implementation 15:07:28 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls (merged) 15:07:32 OAuth 2.0 Documentation 15:07:34 #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) 15:07:36 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) 15:08:35 no updates 15:09:24 #link https://review.opendev.org/c/openstack/keystonemiddleware/+/899911 is waiting on dependencies in Barbican and Tacker to merge and then it's good to go. 15:09:40 The others just need rebases once that is merged. 15:09:45 next up 15:09:54 #topic specification Secure RBAC (dmendiza[m]) 15:09:57 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10:00 2024.1 Release Timeline 15:10:01 Update oslo.policy in keystone to enforce_new_defaults=True 15:10:04 Update oslo.policy in keystone to enforce_scope=True 15:10:14 any updates dmendiza ? 15:11:15 Negative, just getting back from PTO 15:11:32 Ack, thanks, and welcome back :) 15:11:42 #topic specification OpenAPI support (gtema) 15:11:47 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:12:21 since now the os-api-ref and openstackdocstheme requirements are raised I have updated openapi build change 15:12:25 #link https://review.opendev.org/c/openstack/keystone/+/948185 15:12:41 from my pov it can go this way, so feel free to review 15:13:25 and then we can start discussing what and where is missing. It will also help landing jsonschema changes since we can see the schemas easier 15:14:03 cool 15:14:37 nothing else on that from me this week 15:15:05 Looks good to me 15:15:11 Thanks gtema 15:15:20 That does it for specs 15:15:26 #topic open discussion 15:15:34 I don't really have anything 15:16:15 anyone has ideas or proposals wrt modifying DB schema for the new federation support? 15:16:56 it is explicitly about the federated_user table linking to the idp_id and protocol_id while in the new implementation those both go away and instead there are few other attrs 15:17:32 currently there is not_null for both of them and therefore I can't use the table without easing those constraints 15:18:02 I do not want to introduce new table (federated2_user) - it is going to be insane 15:18:52 my idea was to drop the not_null constraint so that I can leave those fields empty while adding new fields and new FK constraints 15:20:05 I'm okay with dropping the constraint 15:20:45 I think the code is good enough to handle those properly 15:21:14 Yeah, and if needed we can add some additional checks in the code 15:21:25 ok, I will then proceed this way 15:21:41 sounds good 15:22:00 thks 15:24:35 cool, any other open discussion topics? 15:24:47 not from me 15:25:16 moving on 15:25:20 #topic bug review 15:25:24 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:25:40 Looks like three new bugs in keystone 15:25:53 #link https://bugs.launchpad.net/keystone/+bug/2110084 15:26:00 #link https://bugs.launchpad.net/keystone/+bug/2109989 15:26:11 #link https://bugs.launchpad.net/keystone/+bug/2109693 15:28:05 uhm 15:28:56 project creation is another misuse of admin at domain scope 15:32:04 yeah, the first two look like they may be just configuration issues 15:32:47 moving on 15:33:16 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:33:23 no new bugs for python-keystoneclient 15:33:29 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:33:38 keystoneauth is good as well 15:33:42 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:33:55 no new bugs in keystonemiddleware 15:33:59 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:34:01 pycadf is good 15:34:05 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:34:11 so is ldappool 15:34:18 #topic conclusion 15:34:23 Thanks folks! 15:34:46 thanks Dave Wilde (d34dh0r53) 15:35:07 👍️ 15:35:11 #endmeeting