15:02:19 #startmeeting keystone
15:02:19 Meeting started Wed Aug 20 15:02:19 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:19 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:19 The meeting name has been set to 'keystone'
15:02:23 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:02:26 #link https://openinfra.dev/legal/code-of-conduct
15:02:32 #topic roll call
15:02:39 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:02:46 dmendiza: o/
15:02:47 o/ ouch
15:02:57 ouch?
15:03:04 o/
15:03:07 o/
15:03:08 forgot it is time
15:03:16 ahh
15:03:27 🙋‍♂️
15:05:50 #topic review past meeting work items
15:05:51 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-08-13-15.10.html
15:06:05 two from last week
15:06:15 dmendiza look into https://bugs.launchpad.net/keystone/+bug/2119091
15:06:32 🙋‍♂️
15:06:59 I started looking into the bug ... or rather having Cursor help out with looking into it.
15:07:10 I was able to set up an environment where I could recreate it
15:07:26 Seems to be a caching issue where the role assignments are not immediately recognized
15:07:34 still no fix for it though.
15:08:11 weird, this looked to me like a sort of racing issue, since otherwise we would have seen it earlier
15:10:02 Yeah, could also be a race condition ... 🤔
15:11:15 I did have Cursor generate a bash script that recreates the bug ... let me put that in a pastebin and share it with y'all
15:12:24 i am lately extremely frustrated by absolutely stupid answers and code generated by AI
15:12:37 things do not even compile
15:13:43 lol, yeah, I've been sticking to really simple things
15:14:53 Yeah, small and simple or it gets really confused
15:15:03 yeah, simple things as "generate me rust code to verify github jwt using openidconnect crate". It does not even listen for my complaints to the code I raise
15:16:18 I tell it: "this function does not exist", and it: "ouch, sorry, you are right, here is the correct code" - damn, with the same function being called again
15:16:36 lol
15:16:57 In any case, I probably won't have time to work on this this week and will likely not have any updates next week
15:17:16 ack, thanks dmendiza
15:17:17 In my eyes this is not a reproducible issue
15:17:36 since it was also rechecked in the initially reported change and the test passed
15:18:26 ack, next action item
15:18:28 gtema to look into https://bugs.launchpad.net/keystone/+bug/2119543
15:18:40 fix submitted
15:18:42 https://review.opendev.org/c/openstack/keystone/+/957547
15:19:00 Just saw that, thanks gtema
15:19:10 trusts are also allowing custom attrs and the reporter faced exactly that
15:20:00 Yep
15:20:10 I'll review the patch this week
15:20:37 thks
15:20:51 next up
15:20:56 #topic liaison updates
15:21:00 nothing from me
15:21:15 nothing here as well
15:21:29 #topic specification OAuth 2.0 (hiromu)
15:21:34 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:21:37 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:21:48 no updates
15:21:55 #topic specification Secure RBAC (dmendiza)
15:21:59 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:22:05 2025.2 Release Timeline
15:22:10 Update oslo.policy in keystone to enforce_new_defaults=True
15:22:13 Update oslo.policy in keystone to enforce_scope=True
15:22:46 No updates this week. Have not had time to iterate on the failing patch that removes the devstack default.
15:23:26 #link https://review.opendev.org/c/openstack/devstack/+/956210
15:23:58 ack
15:24:26 #topic specification OpenAPI support (gtema)
15:24:30 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:25:12 nothing from me either - summer time with the student being off. Myself I am mostly spending time on the Rust part implementing the JWT auth - hence fighting the AI
15:25:37 my brain is much better than AI, that is for sure ;-)
15:26:05 but I again came to the point that we need to have "service account" concept
15:26:49 when github workflow jwt is exchanged for the keystone token we can't map it to the normal user
15:28:11 anyway - not really related to the openapi
15:29:32 let's add a PTG topic around service account
15:29:53 we should decide on that
15:29:57 yeah
15:30:15 #topic open discussion
15:30:40 #action dwilde/gtema add PTG topic about service account
15:31:09 next up for open discussion
15:31:12 drencrom
15:31:14 Review patch proposal: https://review.opendev.org/c/openstack/keystone/+/951792
15:31:17 I need another +2
15:31:53 yeah, but it is anyway blocked on devstack
15:32:19 yeah
15:33:13 The first one has merged, but the second is missing the +W
15:33:47 it recently got +2 so hopefully it lands soon
15:34:38 Yeah, hopefully
15:34:45 anything else for open discussion?
15:34:46 hi, I need another +2 review for my patch
15:35:01 sorry for being late :(
15:35:18 I'm in another meeting also
15:36:30 Hello. Could anyone have a look at CI on stable/2025.1? The cherry-pick I proposed at https://review.opendev.org/c/openstack/keystone/+/956549 is failing CI but looks like it's missing dependency problem from CI.
15:36:45 yeah, right
15:36:49 I wanted to mention this as well
15:37:20 I tried to cherry-pick the fix from master, but it fails as well since it depends on the different runtime
15:37:26 so most likely we would
15:37:42 need just to drop one part of the verification
15:37:51 I will work on that on friday
15:37:58 That's great. Thank you!
15:39:03 cool
15:39:06 no reviewathon on Friday, by the way
15:39:18 ough, good that you say this
15:39:34 Yeah, Recharge Day at Red Hat :D
15:40:08 again?? you have too many of them XD
15:40:25 1 a quarter :)
15:40:57 lucky you
15:42:21 anything else for open discussion?
15:42:38 not from me
15:42:52 Just a fun news bit for gtema
15:42:56 #link https://blog.openpolicyagent.org/note-from-teemu-tim-and-torin-to-the-open-policy-agent-community-2dbbfe494371
15:43:17 ouch
15:44:03 hope apple will not destroy this
15:45:12 🤞
15:45:35 * gtema prepares to fork OPA :)
15:45:54 lol
15:47:14 lol
15:47:18 #topic bug review
15:47:22 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:47:26 one new bug in keystone
15:47:35 #link https://bugs.launchpad.net/keystone/+bug/2120923
15:48:06 I was participating in the discussion in the mailing list
15:48:17 so i'll take it on me
15:48:46 point is to get rid of stacktrace where only a 404 should be logged
15:48:57 ack
15:49:02 thanks gtema
15:49:31 that's it for keystone
15:49:37 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:49:44 no new bugs here
15:49:49 #link https://bugs.launchpad.net/keystoneauth/+bugsdd?orderby=-id&start=0
15:49:59 also no new bugs
15:50:07 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:50:20 keystonemiddleware is good
15:50:24 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:50:35 nothing new in pycadf
15:50:42 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:50:55 pycadf is also good
15:50:59 #topic conclusion
15:51:07 Thanks folks, nothing else from me
15:51:34 thanks
15:51:40 thanks, Dave Wilde (d34dh0r53) !
15:51:57 #endmeeting