15:20:44 #startmeeting keystone 15:20:44 Meeting started Wed Jul 30 15:20:44 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:20:44 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:20:44 The meeting name has been set to 'keystone' 15:22:26 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:22:31 #link https://openinfra.dev/legal/code-of-conduct 15:22:47 #topic roll call 15:22:59 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:23:00 o/ 15:23:04 dmendiza: 15:23:19 o/ 15:24:32 🙋‍♂️ 15:24:45 o/ 15:24:50 #topic review past meeting work items 15:24:53 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-23-15.08.html 15:25:00 no action items from last week 15:25:06 #topic liaison updates 15:25:13 nothing from me 15:26:15 #topic specification OAuth 2.0 (hiromu) 15:26:17 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:26:20 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:26:42 waiting on things to merge in barbican and tacker before we can merge our tempest plugin changes 15:26:52 #topic specification Secure RBAC (dmendiza) 15:26:54 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:26:58 2025.2 Release Timeline 15:27:01 🙋‍♂️ 15:27:03 Update oslo.policy in keystone to enforce_new_defaults=True 15:27:07 Update oslo.policy in keystone to enforce_scope=True 15:27:24 I actually do have an update this time! 15:27:26 :D 15:27:38 Let me find this link ... one sec ... 15:27:58 😲 15:28:27 Looks like devstack is still defaulting to de deprecated legacy policies: https://opendev.org/openstack/devstack/src/branch/master/lib/keystone#L122 15:29:08 ahh, that's a bummer 15:29:37 I think we should flip the switch 👀 15:30:12 I'll have to look up how long ago the policies were marked as deprecated ... but I'm sure it's been at least a couple of years. 15:30:29 I need to remember what we can do in a SLURP/non-SLURP release though 🤔 15:32:03 yeah, I'm in favor of flipping the switch 15:32:31 I'll submit a patch to flip it and keep and see what blows up 15:32:42 Ugh, I can't type today 15:33:21 sounds good 15:33:42 Anyway, that's it for SRBAC this week. I'll update next week with patch results. 15:33:55 thanks dmendiza 15:33:58 next up 15:34:15 #topic specification OpenAPI support (gtema) 15:34:16 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:35:22 oh gtema is out on PTO this week and next 15:35:52 I imagine right now he's having a delicious dinner of fish and chips next to the Eye of London 15:36:10 ✌️ 15:37:57 VPN just booted me 15:38:04 not sure if I missed anything 15:38:41 tl;dr gtema is ooo for 2 weeks 15:38:49 ack, thanks 15:38:52 next up 15:38:57 #topic open discussion 15:38:59 drencrom 15:39:02 Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792 15:39:04 It is passing ldap tests with the devstack patches 15:39:39 Hi, just wanted to mention that my AD patch is now passing the ldap tests 15:40:01 sweet, I'll review this week 15:40:25 thanks! 15:40:47 it depends on a couple of devstack patches 15:41:07 ack 15:42:00 anything else for open discussion? 15:42:46 kind of 15:43:31 Although its kind-of mostly tempest related 15:43:51 I'm helping a teammate with a security compliance test 15:43:53 I'm going through gtema's repo with the Keystone's rewriting. Intend to contribute with it. 15:44:32 🦀 15:45:02 tempest does not currently test the keystone option for setting a security compliance regex 15:45:13 I'm helping with a patch to add one: 15:45:15 #link https://review.opendev.org/c/openstack/tempest/+/954029 15:46:23 it turns out that security_compliance is turned on by default, which is cool, but now the new test is causing everything to fail 15:46:45 I'm not sure of the best way to fix it though 🤔 15:47:10 Since security_compliance is turned on by default in all other jobs, then we could argue that all other jobs should also have a regex set. 15:47:10 * Pros: security compliance is tested everywhere 15:47:10 * Cons: we may break more things by introducing regex validation to every single other test case 15:47:44 I think we definitely need to move towards testing with the regex 15:48:35 Cool ... other options include defaulting to security_compliance = false --- which I don't want to do, or splitting the security compliance tests into multiple options in tempest.conf (not ideal) 15:49:36 We'll update the patches to set the regex everywhere ... and then probalby not even need a new job that's specific for security compliance since it'll be tested in all other jobs. 👍️ 15:49:50 cool! 15:50:11 anything else for open discussion? 15:52:28 mharley: did you have something? 15:54:55 cool, moving on 15:55:14 #topic bug review 15:55:16 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:55:21 a couple of new keystone bugs 15:55:42 #link https://bugs.launchpad.net/keystone/+bug/2119091 15:55:48 Nope. 15:55:57 dmendiza: this one may be up your alley 15:56:51 Ack, set an #action for me, please 👍️ 15:57:12 #action dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091 15:57:17 we also have 15:57:24 #link https://bugs.launchpad.net/keystone/+bug/2119031 15:57:30 i have reported 2119031 and i have 4 ideas for fixing it 15:57:33 which Boris is working on 15:57:44 ahh, hi bbobrov o/ 15:57:46 idea 1 is to just invalidate cache every time. Bad idea, because cache will become useless after a certain rate. 15:57:49 o/ 15:57:59 idea 2 is here: https://review.opendev.org/c/openstack/keystone/+/956176. List all expiring groups, compare to the existing ones, if they differ - drop the cache 15:58:19 (patch was not tested at all, please do not merge it yet, i should mark it as wip) 15:58:32 idea 3 is idea 2 + checks of ttls and cache timeout. I don't exactly understand how cache works when a group membership expires. 15:58:43 Which is why we might need to add an additional check, that the existing group membership will live after the cache expiry, and if not, delete the cache. 15:58:55 i haven't done it yet, because idea 2 is already complex, and this will add even more complexity. 15:59:13 idea 4 is to document this as a known issue, and live with it. Users who run into the bad cache will just need to wait. I don't like this too much. 15:59:48 other suggestions would be appreciated 16:03:30 I like idea 3, but it does add some complexity. Can we see how well idea 2 works in testing and determine if we need the additional checks of idea 3? 16:04:09 yes, i am doing it. But doing it is *very* slow, because i don't see a way to unit-test this 16:06:09 Yeah, I don't either, it seems like it has to be manual testing 16:07:29 moving on for the sake of time 16:07:33 yep 16:07:35 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 16:07:40 no new bugs here 16:07:45 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 16:07:53 nor in keystoneauth 16:07:57 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 16:08:09 keystonemiddleware is good 16:08:13 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 16:08:20 no new bugs in pycadf 16:08:22 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 16:08:28 ldappool is also good 16:08:33 #topic conclusion 16:08:40 thanks all, nothing else from me 16:09:12 #endmeeting 16:09:20 s/// 16:09:26 #endmeeting