15:04:27 #startmeeting keystone 15:04:28 Meeting started Wed Aug 6 15:04:27 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:04:28 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:04:28 The meeting name has been set to 'keystone' 15:04:44 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:04:53 #link https://openinfra.dev/legal/code-of-conduct 15:05:07 #topic roll call 15:05:16 🙋 15:05:16 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:05:19 o/ 15:05:20 o/ 15:05:30 o/ 15:08:04 I think gtema is still on PTO, so let's get started 15:08:08 #topic review past meeting work items 15:08:13 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-07-30-15.20.html 15:08:32 one action item from last week: 15:08:34 dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091 15:08:52 I did not get a chance to look at it. Let's bump to next week 15:09:21 ack 15:09:31 #action dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091 15:09:35 #topic liaison updates 15:09:38 nothing from me 15:11:45 #topic specification OAuth 2.0 (hiromu) 15:12:31 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:12:32 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:12:33 no updates 15:12:35 #topic specification Secure RBAC (dmendiza) 15:12:35 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:12:36 2025.2 Release Timeline 15:12:37 Update oslo.policy in keystone to enforce_new_defaults=True 15:12:38 Update oslo.policy in keystone to enforce_scope=True 15:13:27 I mentioned last week that devstack is still not setting those 15:13:33 or rather overriding to =False for both 15:14:09 #link https://review.opendev.org/c/openstack/devstack/+/956210 15:14:20 is the WIP. I have not looked into the failures 15:14:34 that's it for srbac this week 15:15:15 thanks dmendiza 15:15:22 #topic specification OpenAPI support (gtema) 15:15:24 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:15:51 gtema is on PTO this week so no updates here 15:15:53 #topic open discussion 15:15:57 drencrom 15:15:58 Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792 15:15:59 It is passing ldap tests with the devstack patches 15:16:33 I've reviewed this, other cores please take a look 15:18:26 anything else for open discussion? 15:19:07 🙋‍♂️ 15:19:43 Still working on getting some tempest coverage of security copliance options that are not yet tested 15:19:51 WIP patch for setting the password regex is here: 15:20:03 #link https://review.opendev.org/c/openstack/devstack/+/956111 15:20:33 Currently running into a few issues getting a test for password length to pass because: 15:21:17 * Keystone must be configured in devstack - hence the devstack patch 15:21:17 * devstack defaults to having security compliance tests turned on for all jobs - i.e. you have to opt out 15:21:42 * Because of previous point, all jobs are running the new test. 15:22:11 Initially we'd left the regex blank by default and then overriding in a security_compliance job 15:22:25 but that had the side effect of only passing in that job while all other jobs failed 15:22:33 currently stuck at trying to pick a better default 15:22:45 the WIP patch I linked defaults to the same example we have in the docs 15:23:20 #link https://docs.openstack.org/keystone/latest/admin/configuration.html#configuring-password-strength-requirements 15:23:41 but there are a lot of default passwords that don't meet the criteria, which is why the patch is currently failing 15:24:07 options to move forward are:... (full message at ) 15:24:24 I'm in favor of option 2 15:24:35 Updating the default passwords 15:25:01 Me too, the only concern is that this may break other jobs that are outside of devstack and tempest (which is the two repos I will update for my patches) 15:25:34 In the event that other jobs/repos break we could advise to either: 15:25:34 * update passwords 15:25:34 * opt-out of running the security compliance suite 15:25:48 If no one objects to that I'll move forward with this plan 15:27:16 Yeah, those are both very easy to implement solutions 15:27:24 any objections? 15:32:08 cool, option 2 dmendiza 15:32:40 ack, sounds good to me 15:33:39 anything else for open discussion? 15:34:29 guess not 15:34:34 #topic bug review 15:34:37 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:35:14 several new bugs for keystone 15:35:52 #link https://bugs.launchpad.net/keystone/+bug/2119346 15:36:47 looks like there is a fix proposed and it's limited to python 3.13 15:36:49 moving on 15:37:12 #link https://bugs.launchpad.net/keystone/+bug/2119543 15:37:20 I feel like this may be a dup 15:39:00 maybe not, this may have to do with the jsonschema stuff, gtema should have a look 15:39:03 next up 15:39:16 the super secret bug 15:41:37 Yep, not talking about that here 15:41:42 that's it for keystone 15:41:56 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:42:07 nothing new on python-keystoneclient 15:42:24 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:42:38 keystoneauth is good 15:42:50 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:43:16 no new bugs in keystonemiddleware 15:43:24 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:43:37 pycadf is clean 15:43:48 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:43:53 so is ldappool 15:43:58 #topic conclusion 15:44:18 thanks all, nothing else from me 15:44:32 #endmeeting