15:10:26 <d34dh0r53> #startmeeting keystone
15:10:26 <opendevmeet> Meeting started Wed Aug 13 15:10:26 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:10:26 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:10:26 <opendevmeet> The meeting name has been set to 'keystone'
15:10:33 <d34dh0r53> o/ sorry, lost track of time
15:10:55 <gtema> right, so did I
15:11:10 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:11:17 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:11:26 <d34dh0r53> #topic roll call
15:11:32 <gtema> o/
15:11:39 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:11:45 <d34dh0r53> dmendiza: o/
15:11:51 <d34dh0r53> welcome back gtema
15:11:56 <gtema> thks
15:14:50 <d34dh0r53> #topic review past meeting work items
15:14:57 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-06-15.04.html
15:15:16 <d34dh0r53> one action item, dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091
15:17:25 <gtema> looks to me like a race condition since the change from where it was reported is now passing
15:17:49 <d34dh0r53> ahh, ok, I didn't look into it
15:18:24 <d34dh0r53> I'll re-add it to the action items, looks like dmendiza is AFK
15:18:31 <d34dh0r53> #action dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091
15:18:37 <d34dh0r53> next up
15:18:41 <d34dh0r53> #topic liaison updates
15:18:45 <d34dh0r53> nothing from me
15:19:16 <dmendiza[m]> 🙋‍♂️
15:19:26 <dmendiza[m]> Sorry, lost track of time
15:19:57 <dmendiza[m]> Yes, bump it, will definitely look at it this week. 😅
15:19:59 <d34dh0r53> no worries, so did I :D
15:20:05 <d34dh0r53> 👍️
15:20:13 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:20:16 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:20:19 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:20:27 <d34dh0r53> no updates
15:20:33 <d34dh0r53> #topic specification Secure RBAC (dmendiza)
15:20:35 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:20:38 <d34dh0r53> 2025.2 Release Timeline
15:20:41 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:20:49 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:22:32 <d34dh0r53> any updates on SRBAC dmendiza ?
15:23:05 <dmendiza[m]> Negative ... I've been focused on the Security Compliance testing upstream
15:23:26 <dmendiza[m]> I did submit a patch to turn on SRBAC by default on devstack
15:23:42 <dmendiza[m]> but it failed as I somewhat expected
15:23:58 <dmendiza[m]> #link https://review.opendev.org/c/openstack/devstack/+/956210
15:25:15 <gtema> so you found a place where it is overridden, nice
15:29:10 <dmendiza[m]> That's it on my end, I'll look into the failures eventually. 😅
15:29:20 <d34dh0r53> thanks dmendiza
15:29:45 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:29:48 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:30:08 <gtema> #action gtema to look into https://bugs.launchpad.net/keystone/+bug/2119543
15:30:16 <gtema> nothing else
15:30:46 <d34dh0r53> cool, I was going to let you know about that bug
15:30:52 <d34dh0r53> #topic open discussion
15:30:56 <d34dh0r53> drencrom
15:30:59 <d34dh0r53> Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792
15:31:02 <d34dh0r53> It is passing ldap tests with the devstack patches
15:31:19 <d34dh0r53> I've reviewed that one
15:31:34 <gtema> I just updated review-prio on devstack change to +2
15:32:05 <gtema> till that lands - ...
15:32:25 <d34dh0r53> yeah
15:34:33 <d34dh0r53> anything else for open discussion?
15:34:40 <gtema> not from me
15:35:58 <d34dh0r53> cool
15:36:08 <dmendiza[m]> Still working on the regex thing
15:36:13 <d34dh0r53> ack
15:36:20 <d34dh0r53> #topic bug review
15:36:40 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:37:02 <d34dh0r53> one new bug in keystone
15:37:06 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2119991
15:39:14 <d34dh0r53> looks like an easy fix
15:40:02 <gtema> calling xmlsec as a subprocess from python itself looks to me like not a great idea in the first place
15:40:58 <d34dh0r53> yeah, there's that
15:42:59 <d34dh0r53> it's in the SAML code too which is pretty old
15:43:29 <gtema> and the bug report hints that people do rely on it still
15:44:49 <d34dh0r53> I think that's from the ubuntu packager
15:45:10 <gtema> ah, right
15:47:16 <d34dh0r53> we do have saml deployments though, so I know it's still being used
15:48:06 <gtema> ok
15:48:53 <d34dh0r53> that's it for keystone
15:49:06 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:49:13 <d34dh0r53> nothing new in python-keystoneclient
15:49:17 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:49:36 <d34dh0r53> keystoneauth is good
15:49:39 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:49:57 <d34dh0r53> nothing new in keystonemiddleware
15:50:16 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:50:19 <d34dh0r53> pycadf is good
15:50:22 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:50:26 <d34dh0r53> so is ldappool
15:50:31 <d34dh0r53> #topic conclusion
15:50:40 <d34dh0r53> nothing else from me, thanks folks!
15:51:10 <gtema> cool
15:51:14 <d34dh0r53> #endmeeting