15:01:32 #startmeeting keystone 15:01:32 Meeting started Wed Nov 5 15:01:32 2025 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:32 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:32 The meeting name has been set to 'keystone' 15:01:38 Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct 15:02:21 #link https://openinfra.dev/legal/code-of-conduct 15:03:08 #topic roll call 15:03:13 o/ 15:03:20 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe, deydra 15:03:26 dmendiza: o/ 15:04:14 Tobias Urdin proposed openstack/keystone master: wip: Allow service user to get credential policies https://review.opendev.org/c/openstack/keystone/+/966189 15:07:54 #topic review past meeting work items 15:08:47 #link https://meetings.opendev.org/meetings/keystone/2025/keystone.2025-10-15-15.03.html 15:09:38 on the working items - are we ready to send out ptg summary? 15:10:32 Yeah, getting close 15:11:00 the only action item was to plan a session with horizon which was done 15:11:14 #topic liaison updates 15:11:17 nothing from me 15:11:42 nothing special from me either 15:13:08 #topic specification OAuth 2.0 (hiromu) 15:13:24 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:13:36 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:13:39 no updates on this one 15:13:48 #topic specification Secure RBAC (dmendiza) 15:14:00 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:14:06 2025.2 Release Timeline 15:14:11 Update oslo.policy in keystone to enforce_new_defaults=True 15:14:17 Update oslo.policy in keystone to enforce_scope=True 15:14:47 are those disable in keystone? 15:14:51 👋 15:14:51 Sorry, only half-here 15:16:00 gmaan there's only one place where they are still set to false 15:16:51 I think I removed but can you please give me link and I can check 15:16:59 #link https://opendev.org/openstack/devstack/src/commit/f6d8dab0e885b8de8c0f44388d538da7d4f9b7ec/lib/keystone#L122 15:17:21 oh, for testing 15:17:36 Yeah, all the gate jobs are running without it 15:17:46 or most jobs anyway 15:17:47 yes, I am working to enable the things at global level in devstack and also remove it if they are disable like in keystone devstack plugin 15:18:22 because as per goal timeline, I am going to remove this config option 'enforce_scope' from oslo, 'enforce_new_defaults' will stay same 15:18:40 and to remove that scope flag I need to cleanup those configurable bits from testing side also 15:19:11 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id5 15:19:49 this ^^ one basically. which we should have done in lthe ast cycle, but I am intentionally lazy in removing the things 15:20:20 so I am thinking to do in this cycle if projects are ok. I will send it on ML also to get lazy consensus 15:25:52 next? 15:26:32 Sorry 15:26:36 Also, half 15:26:37 here 15:26:40 #topic specification Secuirty Compliance Testing (dmendiza) 15:26:47 #link https://review.opendev.org/c/openstack/devstack/+/957969 15:28:12 Yeah have reviewed this series, devstack, tempest, keystone change long back and many times. One thing left and I am waiting is to add depends-on in keystone change so that we can see the result of new test and devstack change 15:28:14 #link https://review.opendev.org/c/openstack/keystone/+/961726 15:28:28 i thin k I commented it many times in devstack as well as in keystone change 15:28:46 but to merge the devstack, tempest change, we need keystone change to test it and green 15:29:39 dmendiza[m]: if you are ok, can you or I can add this change as depends-on in keystone change #link https://review.opendev.org/c/openstack/tempest/+/954029 15:30:13 this tempest change add new test which will be running in keystone new job added in 961726 15:32:13 anyways we can move, I will update the keystone change 15:32:26 thanks gmaan 15:32:33 #topic specification OpenAPI support (gtema) 15:32:45 #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone 15:32:57 I need a go on https://review.opendev.org/c/openstack/keystone/+/965939 15:33:10 requirements and python dependency hell broke me AGAIN 15:33:53 so now we are again not able to render the openapi docs properly 15:34:44 I am ready to give up, this is taking much more energy than it is usable 15:35:53 the background for that fix is that I got a report on the rust cli repo for the invalid keystone schema, but the fix cannot be released since that job is now broken 15:36:44 thks Dave for review. That's it on the topic, we can move next 15:36:53 cool, thanks 15:37:08 #topic open discussion 15:37:15 drencrom 15:37:19 pep8 (mypy) is broken on 2024.2 branch (see for example https://zuul.opendev.org/t/openstack/build/2fdbd3164c8c4241a5a6edd1895f6d3c) 15:37:41 I removed this from agenda - this was fixed to release the fixes few days back 15:38:36 unfortunately I missed few minutes to land the fix on 2024.1 before it went unmaintained 15:39:14 and now the fix does not work on unmaintained/2024.1 due to other issues, so also here I gave up on trying to fix the world 15:41:31 ahh, my copy hadn't updated 15:41:55 odd issues with my system today, memory leak somewhere 15:42:18 anything else for open discussion? 15:43:09 not from me. On Friday during review-a-ton we should discuss the way out of the token caching hell, I mean the bugs related to caching 15:44:15 ack 15:44:24 #topic bug review 15:44:31 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:45:07 it doesn't look like we have any new bugs in keystone 15:45:28 right, the ones there are known 15:45:36 yeah 15:45:39 next up 15:45:41 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:45:53 nothing new here 15:47:32 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:47:50 no new bugs in keystoneauth either 15:48:01 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:48:21 we do have a new bug in keystonemiddleware 15:48:38 #link https://bugs.launchpad.net/keystonemiddleware/+bug/2130049 15:49:46 a broken VMT process - nice 15:50:14 indeed 15:50:36 we should than review the fix asap 15:50:51 Aarni Koskela proposed openstack/python-keystoneclient master: Remove `debtcollector` dependency https://review.opendev.org/c/openstack/python-keystoneclient/+/966199 15:50:53 yeah, for sure 15:52:34 I'll review it today, Grzegorz Grasza , dmendiza can you please review https://review.opendev.org/c/openstack/keystonemiddleware/+/965170 as well 15:52:54 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:53:01 no new bugs in pycadf 15:53:14 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:53:20 and ldappool is also good 15:53:28 #topic conclusion 15:53:38 Thanks everyone, also thank you for the great PTG 15:53:51 indeed 15:56:01 #endmeeting