15:01:32 <d34dh0r53> #startmeeting keystone
15:01:32 <opendevmeet> Meeting started Wed Nov 5 15:01:32 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:32 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:32 <opendevmeet> The meeting name has been set to 'keystone'
15:01:38 <d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct
15:02:21 <d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct
15:03:08 <d34dh0r53> #topic roll call
15:03:13 <gtema> o/
15:03:20 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra
15:03:26 <d34dh0r53> dmendiza: o/
15:04:14 <opendevreview> Tobias Urdin proposed openstack/keystone master: wip: Allow service user to get credential policies https://review.opendev.org/c/openstack/keystone/+/966189
15:07:54 <d34dh0r53> #topic review past meeting work items
15:08:47 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-10-15-15.03.html
15:09:38 <gtema> on the working items - are we ready to send out ptg summary?
15:10:32 <d34dh0r53> Yeah, getting close
15:11:00 <d34dh0r53> the only action item was to plan a session with horizon which was done
15:11:14 <d34dh0r53> #topic liaison updates
15:11:17 <d34dh0r53> nothing from me
15:11:42 <gtema> nothing special from me either
15:13:08 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:13:24 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:13:36 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:13:39 <d34dh0r53> no updates on this one
15:13:48 <d34dh0r53> #topic specification Secure RBAC (dmendiza)
15:14:00 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:14:06 <d34dh0r53> 2025.2 Release Timeline
15:14:11 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:14:17 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:14:47 <gmaan> are those disabled in keystone?
15:14:51 <dmendiza[m]> 👋
15:14:51 <dmendiza[m]> Sorry, only half-here
15:16:00 <dmendiza[m]> gmaan there's only one place where they are still set to false
15:16:51 <gmaan> I think I removed but can you please give me link and I can check
15:16:59 <dmendiza[m]> #link https://opendev.org/openstack/devstack/src/commit/f6d8dab0e885b8de8c0f44388d538da7d4f9b7ec/lib/keystone#L122
15:17:21 <gmaan> oh, for testing
15:17:36 <dmendiza[m]> Yeah, all the gate jobs are running without it
15:17:46 <dmendiza[m]> or most jobs anyway
15:17:47 <gmaan> yes, I am working to enable the things at global level in devstack and also remove it if they are disabled like in keystone devstack plugin
15:18:22 <gmaan> because as per goal timeline, I am going to remove this config option 'enforce_scope' from oslo, 'enforce_new_defaults' will stay same
15:18:40 <gmaan> and to remove that scope flag I need to cleanup those configurable bits from testing side also
15:19:11 <gmaan> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id5
15:19:49 <gmaan> this ^^ one basically. which we should have done in the last cycle, but I am intentionally lazy in removing the things
15:20:20 <gmaan> so I am thinking to do in this cycle if projects are ok. I will send it on ML also to get lazy consensus
15:25:52 <gtema> next?
15:26:32 <d34dh0r53> Sorry
15:26:36 <d34dh0r53> Also, half
15:26:37 <d34dh0r53> here
15:26:40 <d34dh0r53> #topic specification Security Compliance Testing (dmendiza)
15:26:47 <d34dh0r53> #link https://review.opendev.org/c/openstack/devstack/+/957969
15:28:12 <gmaan> Yeah have reviewed this series, devstack, tempest, keystone change long back and many times. One thing left and I am waiting is to add depends-on in keystone change so that we can see the result of new test and devstack change
15:28:14 <gmaan> #link https://review.opendev.org/c/openstack/keystone/+/961726
15:28:28 <gmaan> I think I commented it many times in devstack as well as in keystone change
15:28:46 <gmaan> but to merge the devstack, tempest change, we need keystone change to test it and green
15:29:39 <gmaan> dmendiza[m]: if you are ok, can you or I can add this change as depends-on in keystone change #link https://review.opendev.org/c/openstack/tempest/+/954029
15:30:13 <gmaan> this tempest change adds new test which will be running in keystone new job added in 961726
15:32:13 <gmaan> anyways we can move, I will update the keystone change
15:32:26 <d34dh0r53> thanks gmaan
15:32:33 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:32:45 <d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone
15:32:57 <gtema> I need a go on https://review.opendev.org/c/openstack/keystone/+/965939
15:33:10 <gtema> requirements and python dependency hell broke me AGAIN
15:33:53 <gtema> so now we are again not able to render the openapi docs properly
15:34:44 <gtema> I am ready to give up, this is taking much more energy than it is usable
15:35:53 <gtema> the background for that fix is that I got a report on the rust cli repo for the invalid keystone schema, but the fix cannot be released since that job is now broken
15:36:44 <gtema> thks Dave for review. That's it on the topic, we can move next
15:36:53 <d34dh0r53> cool, thanks
15:37:08 <d34dh0r53> #topic open discussion
15:37:15 <d34dh0r53> drencrom
15:37:19 <d34dh0r53> pep8 (mypy) is broken on 2024.2 branch (see for example https://zuul.opendev.org/t/openstack/build/2fdbd3164c8c4241a5a6edd1895f6d3c)
15:37:41 <gtema> I removed this from agenda - this was fixed to release the fixes few days back
15:38:36 <gtema> unfortunately I missed few minutes to land the fix on 2024.1 before it went unmaintained
15:39:14 <gtema> and now the fix does not work on unmaintained/2024.1 due to other issues, so also here I gave up on trying to fix the world
15:41:31 <d34dh0r53> ahh, my copy hadn't updated
15:41:55 <d34dh0r53> odd issues with my system today, memory leak somewhere
15:42:18 <d34dh0r53> anything else for open discussion?
15:43:09 <gtema> not from me. On Friday during review-a-ton we should discuss the way out of the token caching hell, I mean the bugs related to caching
15:44:15 <d34dh0r53> ack
15:44:24 <d34dh0r53> #topic bug review
15:44:31 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:45:07 <d34dh0r53> it doesn't look like we have any new bugs in keystone
15:45:28 <gtema> right, the ones there are known
15:45:36 <d34dh0r53> yeah
15:45:39 <d34dh0r53> next up
15:45:41 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:45:53 <d34dh0r53> nothing new here
15:47:32 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:47:50 <d34dh0r53> no new bugs in keystoneauth either
15:48:01 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:48:21 <d34dh0r53> we do have a new bug in keystonemiddleware
15:48:38 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/2130049
15:49:46 <gtema> a broken VMT process - nice
15:50:14 <d34dh0r53> indeed
15:50:36 <gtema> we should then review the fix asap
15:50:51 <opendevreview> Aarni Koskela proposed openstack/python-keystoneclient master: Remove `debtcollector` dependency https://review.opendev.org/c/openstack/python-keystoneclient/+/966199
15:50:53 <d34dh0r53> yeah, for sure
15:52:34 <d34dh0r53> I'll review it today, Grzegorz Grasza, dmendiza can you please review https://review.opendev.org/c/openstack/keystonemiddleware/+/965170 as well
15:52:54 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:53:01 <d34dh0r53> no new bugs in pycadf
15:53:14 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:53:20 <d34dh0r53> and ldappool is also good
15:53:28 <d34dh0r53> #topic conclusion
15:53:38 <d34dh0r53> Thanks everyone, also thank you for the great PTG
15:53:51 <gtema> indeed
15:56:01 <d34dh0r53> #endmeeting