15:04:27 <d34dh0r53> #startmeeting keystone 15:04:28 <opendevmeet> Meeting started Wed Aug 6 15:04:27 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:04:28 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:04:28 <opendevmeet> The meeting name has been set to 'keystone' 15:04:44 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:04:53 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct 15:05:07 <d34dh0r53> #topic roll call 15:05:16 <dmendiza[m]> 🙋 15:05:16 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:05:19 <bbobrov> o/ 15:05:20 <d34dh0r53> o/ 15:05:30 <cardoe> o/ 15:08:04 <d34dh0r53> I think gtema is still on PTO, so let's get started 15:08:08 <d34dh0r53> #topic review past meeting work items 15:08:13 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-30-15.20.html 15:08:32 <d34dh0r53> one action item from last week: 15:08:34 <d34dh0r53> dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091 15:08:52 <dmendiza[m]> I did not get a chance to look at it. Let's bump to next week 15:09:21 <d34dh0r53> ack 15:09:31 <d34dh0r53> #action dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091 15:09:35 <d34dh0r53> #topic liaison updates 15:09:38 <d34dh0r53> nothing from me 15:11:45 <d34dh0r53> #topic specification OAuth 2.0 (hiromu) 15:12:31 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:12:32 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:12:33 <d34dh0r53> no updates 15:12:35 <d34dh0r53> #topic specification Secure RBAC (dmendiza) 15:12:35 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:12:36 <d34dh0r53> 2025.2 Release Timeline 15:12:37 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True 15:12:38 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True 15:13:27 <dmendiza[m]> I mentioned last week that devstack is still not setting those 15:13:33 <dmendiza[m]> or rather overriding to =False for both 15:14:09 <dmendiza[m]> #link https://review.opendev.org/c/openstack/devstack/+/956210 15:14:20 <dmendiza[m]> is the WIP. I have not looked into the failures 15:14:34 <dmendiza[m]> that's it for srbac this week 15:15:15 <d34dh0r53> thanks dmendiza 15:15:22 <d34dh0r53> #topic specification OpenAPI support (gtema) 15:15:24 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:15:51 <d34dh0r53> gtema is on PTO this week so no updates here 15:15:53 <d34dh0r53> #topic open discussion 15:15:57 <d34dh0r53> drencrom 15:15:58 <d34dh0r53> Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792 15:15:59 <d34dh0r53> It is passing ldap tests with the devstack patches 15:16:33 <d34dh0r53> I've reviewed this, other cores please take a look 15:18:26 <d34dh0r53> anything else for open discussion? 15:19:07 <dmendiza[m]> 🙋♂️ 15:19:43 <dmendiza[m]> Still working on getting some tempest coverage of security copliance options that are not yet tested 15:19:51 <dmendiza[m]> WIP patch for setting the password regex is here: 15:20:03 <dmendiza[m]> #link https://review.opendev.org/c/openstack/devstack/+/956111 15:20:33 <dmendiza[m]> Currently running into a few issues getting a test for password length to pass because: 15:21:17 <dmendiza[m]> * Keystone must be configured in devstack - hence the devstack patch 15:21:17 <dmendiza[m]> * devstack defaults to having security compliance tests turned on for all jobs - i.e. you have to opt out 15:21:42 <dmendiza[m]> * Because of previous point, all jobs are running the new test. 15:22:11 <dmendiza[m]> Initially we'd left the regex blank by default and then overriding in a security_compliance job 15:22:25 <dmendiza[m]> but that had the side effect of only passing in that job while all other jobs failed 15:22:33 <dmendiza[m]> currently stuck at trying to pick a better default 15:22:45 <dmendiza[m]> the WIP patch I linked defaults to the same example we have in the docs 15:23:20 <dmendiza[m]> #link https://docs.openstack.org/keystone/latest/admin/configuration.html#configuring-password-strength-requirements 15:23:41 <dmendiza[m]> but there are a lot of default passwords that don't meet the criteria, which is why the patch is currently failing 15:24:07 <dmendiza[m]> options to move forward are:... (full message at <https://matrix.org/oftc/media/v1/media/download/AfmrCOZr--2rcxDNJZl_93TqIEvCbNdf1s-Y_r5a5gYEEjF7NZY6FLFojZHehDnfGc5JUor8BVS40o7tn8B__PJCeYyBSP-wAG1hdHJpeC5vcmcveEFGdGFqbU5NZ3RpZmxwRWVMR1ZhSUdo>) 15:24:24 <d34dh0r53> I'm in favor of option 2 15:24:35 <d34dh0r53> Updating the default passwords 15:25:01 <dmendiza[m]> Me too, the only concern is that this may break other jobs that are outside of devstack and tempest (which is the two repos I will update for my patches) 15:25:34 <dmendiza[m]> In the event that other jobs/repos break we could advise to either: 15:25:34 <dmendiza[m]> * update passwords 15:25:34 <dmendiza[m]> * opt-out of running the security compliance suite 15:25:48 <dmendiza[m]> If no one objects to that I'll move forward with this plan 15:27:16 <d34dh0r53> Yeah, those are both very easy to implement solutions 15:27:24 <d34dh0r53> any objections? 15:32:08 <d34dh0r53> cool, option 2 dmendiza 15:32:40 <dmendiza[m]> ack, sounds good to me 15:33:39 <d34dh0r53> anything else for open discussion? 15:34:29 <d34dh0r53> guess not 15:34:34 <d34dh0r53> #topic bug review 15:34:37 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:35:14 <d34dh0r53> several new bugs for keystone 15:35:52 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2119346 15:36:47 <d34dh0r53> looks like there is a fix proposed and it's limited to python 3.13 15:36:49 <d34dh0r53> moving on 15:37:12 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2119543 15:37:20 <d34dh0r53> I feel like this may be a dup 15:39:00 <d34dh0r53> maybe not, this may have to do with the jsonschema stuff, gtema should have a look 15:39:03 <d34dh0r53> next up 15:39:16 <bbobrov> the super secret bug 15:41:37 <d34dh0r53> Yep, not talking about that here 15:41:42 <d34dh0r53> that's it for keystone 15:41:56 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:42:07 <d34dh0r53> nothing new on python-keystoneclient 15:42:24 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:42:38 <d34dh0r53> keystoneauth is good 15:42:50 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:43:16 <d34dh0r53> no new bugs in keystonemiddleware 15:43:24 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:43:37 <d34dh0r53> pycadf is clean 15:43:48 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:43:53 <d34dh0r53> so is ldappool 15:43:58 <d34dh0r53> #topic conclusion 15:44:18 <d34dh0r53> thanks all, nothing else from me 15:44:32 <d34dh0r53> #endmeeting