15:02:19 <d34dh0r53> #startmeeting keystone
15:02:19 <opendevmeet> Meeting started Wed Aug 20 15:02:19 2025 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:19 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:19 <opendevmeet> The meeting name has been set to 'keystone'
15:02:23 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:02:26 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:02:32 <d34dh0r53> #topic roll call
15:02:39 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:02:46 <d34dh0r53> dmendiza: o/
15:02:47 <gtema> o/ ouch
15:02:57 <d34dh0r53> ouch?
15:03:04 <seunghunlee> o/
15:03:07 <xek> o/
15:03:08 <gtema> forgot it is time
15:03:16 <d34dh0r53> ahh
15:03:27 <dmendiza[m]> 🙋‍♂️
15:05:50 <d34dh0r53> #topic review past meeting work items
15:05:51 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-13-15.10.html
15:06:05 <d34dh0r53> two from last week
15:06:15 <d34dh0r53> dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091
15:06:32 <dmendiza[m]> 🙋‍♂️
15:06:59 <dmendiza[m]> I started looking into the bug ... or rather having Cursor help out with looking into it.
15:07:10 <dmendiza[m]> I was able to set up an environment where I could recreate it
15:07:26 <dmendiza[m]> Seems to be a caching issue where the role assignments are not immediately recognized
15:07:34 <dmendiza[m]> still no fix for it though.
15:08:11 <gtema> weird, this looked to me like a sort of racing issue, since otherwise we would have seen it earlier
15:10:02 <dmendiza[m]> Yeah, could also be a race condition ... 🤔
15:11:15 <dmendiza[m]> I did have Cursor generate a bash script that recreates the bug ... let me put that in a pastebin and share it with y'all
15:12:24 <gtema> i am lately extremely frustrated by absolutely stupid answers and code generated by AI
15:12:37 <gtema> things do not even compile
15:13:43 <dmendiza[m]> lol, yeah, I've been sticking to really simple things
15:14:53 <d34dh0r53> Yeah, small and simple or it gets really confused
15:15:03 <gtema> yeah, simple things as "generate me rust code to verify github jwt using openidconnect crate". It does not even listen to my complaints to the code I raise
15:16:18 <gtema> I tell it: "this function does not exist", and it: "ouch, sorry, you are right, here is the correct code" - damn, with the same function being called again
15:16:36 <d34dh0r53> lol
15:16:57 <dmendiza[m]> In any case, I probably won't have time to work on this this week and will likely not have any updates next week
15:17:16 <d34dh0r53> ack, thanks dmendiza
15:17:17 <gtema> In my eyes this is not a reproducible issue
15:17:36 <gtema> since it was also rechecked in the initially reported change and the test passed
15:18:26 <d34dh0r53> ack, next action item
15:18:28 <d34dh0r53> gtema to look into https://bugs.launchpad.net/keystone/+bug/2119543
15:18:40 <gtema> fix submitted
15:18:42 <gtema> https://review.opendev.org/c/openstack/keystone/+/957547
15:19:00 <d34dh0r53> Just saw that, thanks gtema
15:19:10 <gtema> trusts are also allowing custom attrs and the reporter faced exactly that
15:20:00 <seunghunlee> Yep
15:20:10 <d34dh0r53> I'll review the patch this week
15:20:37 <gtema> thks
15:20:51 <d34dh0r53> next up
15:20:56 <d34dh0r53> #topic liaison updates
15:21:00 <d34dh0r53> nothing from me
15:21:15 <gtema> nothing here as well
15:21:29 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:21:34 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:21:37 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:21:48 <d34dh0r53> no updates
15:21:55 <d34dh0r53> #topic specification Secure RBAC (dmendiza)
15:21:59 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:22:05 <d34dh0r53> 2025.2 Release Timeline
15:22:10 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:22:13 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:22:46 <dmendiza[m]> No updates this week.  Have not had time to iterate on the failing patch that removes the devstack default.
15:23:26 <dmendiza[m]> #link https://review.opendev.org/c/openstack/devstack/+/956210
15:23:58 <d34dh0r53> ack
15:24:26 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:24:30 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:25:12 <gtema> nothing from me either - summer time with the student being off. Myself I am mostly spending time on the Rust part implementing the JWT auth - hence fighting the AI
15:25:37 <gtema> my brain is much better than AI, that is for sure ;-)
15:26:05 <gtema> but I again came to the point that we need to have "service account" concept
15:26:49 <gtema> when github workflow jwt is exchanged for the keystone token we can't map it to the normal user
15:28:11 <gtema> anyway - not really related to the openapi
15:29:32 <d34dh0r53> let's add a PTG topic around service account
15:29:53 <d34dh0r53> we should decide on that
15:29:57 <gtema> yeah
15:30:15 <d34dh0r53> #topic open discussion
15:30:40 <d34dh0r53> #action dwilde/gtema add PTG topic about service account
15:31:09 <d34dh0r53> next up for open discussion
15:31:12 <d34dh0r53> drencrom
15:31:14 <d34dh0r53> Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792
15:31:17 <d34dh0r53> I need another +2
15:31:53 <gtema> yeah, but it is anyway blocked on devstack
15:32:19 <d34dh0r53> yeah
15:33:13 <d34dh0r53> The first one has merged, but the second is missing the +W
15:33:47 <gtema> it recently got +2 so hopefully it lands soon
15:34:38 <d34dh0r53> Yeah, hopefully
15:34:45 <d34dh0r53> anything else for open discussion?
15:34:46 <drencrom> hi, I need another +2 review for my patch
15:35:01 <drencrom> sorry for being late :(
15:35:18 <drencrom> I'm in another meeting also
15:36:30 <seunghunlee> Hello. Could anyone have a look at CI on stable/2025.1? The cherry-pick I proposed at https://review.opendev.org/c/openstack/keystone/+/956549 is failing CI but looks like it's a missing dependency problem from CI.
15:36:45 <gtema> yeah, right
15:36:49 <gtema> I wanted to mention this as well
15:37:20 <gtema> I tried to cherry-pick the fix from master, but it fails as well since it depends on the different runtime
15:37:26 <gtema> so most likely we would
15:37:42 <gtema> need just to drop one part of the verification
15:37:51 <gtema> I will work on that on friday
15:37:58 <seunghunlee> That's great. Thank you!
15:39:03 <d34dh0r53> cool
15:39:06 <d34dh0r53> no reviewathon on Friday, by the way
15:39:18 <gtema> ough, good that you say this
15:39:34 <dmendiza[m]> Yeah, Recharge Day at Red Hat :D
15:40:08 <gtema> again?? you have too many of them XD
15:40:25 <d34dh0r53> 1 a quarter :)
15:40:57 <gtema> lucky you
15:42:21 <d34dh0r53> anything else for open discussion?
15:42:38 <gtema> not from me
15:42:52 <dmendiza[m]> Just a fun news bit for gtema
15:42:56 <dmendiza[m]> #link https://blog.openpolicyagent.org/note-from-teemu-tim-and-torin-to-the-open-policy-agent-community-2dbbfe494371
15:43:17 <gtema> ouch
15:44:03 <gtema> hope apple will not destroy this
15:45:12 <dmendiza[m]> 🤞
15:45:35 * gtema prepares to fork OPA :)
15:45:54 <dmendiza[m]> lol
15:47:14 <d34dh0r53> lol
15:47:18 <d34dh0r53> #topic bug review
15:47:22 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:47:26 <d34dh0r53> one new bug in keystone
15:47:35 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2120923
15:48:06 <gtema> I was participating in the discussion in the mailing list
15:48:17 <gtema> so i'll take it on me
15:48:46 <gtema> point is to get rid of stacktrace where only a 404 should be logged
15:48:57 <d34dh0r53> ack
15:49:02 <d34dh0r53> thanks gtema
15:49:31 <d34dh0r53> that's it for keystone
15:49:37 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:49:44 <d34dh0r53> no new bugs here
15:49:49 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugsdd?orderby=-id&start=0
15:49:59 <d34dh0r53> also no new bugs
15:50:07 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:50:20 <d34dh0r53> keystonemiddleware is good
15:50:24 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:50:35 <d34dh0r53> nothing new in pycadf
15:50:42 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:50:55 <d34dh0r53> pycadf is also good
15:50:59 <d34dh0r53> #topic conclusion
15:51:07 <d34dh0r53> Thanks folks, nothing else from me
15:51:34 <gtema> thanks
15:51:40 <dmendiza[m]> thanks, Dave Wilde (d34dh0r53) !
15:51:57 <d34dh0r53> #endmeeting