Tuesday, 2023-03-07

[06:13] <opendevreview> Yonggen Sun proposed openstack/keystone-tempest-plugin master: OAuth 2.0 Mutual-TLS Support  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/875792
[06:24] <opendevreview> Yonggen Sun proposed openstack/keystone-tempest-plugin master: OAuth 2.0 Mutual-TLS Support  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/875792
[11:54] <opendevreview> OpenStack Release Bot proposed openstack/keystone master: Update master for stable/2023.1  https://review.opendev.org/c/openstack/keystone/+/876723
[12:47] <coreycb> hi keystone folks, it seems that keystone has a hard dependency on cryptography 38.0.2 (or at least on a new rust-based cryptography) since the "OAuth 2.0 Mutual-TLS Support" patch landed. is that expected?
[12:50] <coreycb> I ask because we have python3-cryptography 3.4.8 in ubuntu jammy and would prefer not to have to backport 38.0.2 to the ubuntu cloud archive because that would also require loads of risky rust backports.
[13:43] <coreycb> I filed a bug, hopefully someone can weigh in. thank you. https://bugs.launchpad.net/keystone/+bug/2009600
[13:51] <coreycb> hiromu: thoughts on that? ^
[14:06] <coreycb> maybe I can just patch out the use of the attr_name_override parameter on the backport
[14:58] *** blarnath is now known as d34dh0r53
[15:00] <d34dh0r53> #startmeeting keystone
[15:00] <opendevmeet> Meeting started Tue Mar  7 15:00:25 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:00] <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:00] <opendevmeet> The meeting name has been set to 'keystone'
[15:00] <d34dh0r53> #topic roll-call
[15:00] <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, arequate, dmendiza[m]
[15:00] <xek> o/
[15:00] <hiromu> o/
[15:00] <zaitcev> o/
[15:01] <dmendiza[m]> 🙋‍♂️
[15:02] <knikolla[m]> o/
[15:02] <d34dh0r53> hi folks, thanks for joining :)
[15:03] <d34dh0r53> #topic review past meeting work items
[15:03] <d34dh0r53> d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
[15:03] <d34dh0r53> I didn't get a chance to look at this yet again
[15:03] <d34dh0r53> :/
[15:03] <d34dh0r53> #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
[15:03] <dmendiza[m]> d34dh0r53: we could check the project-config repo to see what gerrit groups are still in use
[15:03] <d34dh0r53> that's all for the past meeting work items
[15:04] <d34dh0r53> dmendiza[m]: ack
[15:04] <d34dh0r53> good idea
[15:04] <d34dh0r53> dmendiza[m]: I might reach out to you for help on that this week
[15:05] <dmendiza[m]> Sure, just ping me whenever
[15:05] <d34dh0r53> thanks
[15:05] <d34dh0r53> #topic liaison updates
[15:05] <d34dh0r53> nothing from VMT
[15:06] <d34dh0r53> knikolla[m], dmendiza[m], xek I added our highlights this morning, https://review.opendev.org/c/openstack/releases/+/876729
[15:07] <d34dh0r53> let me know if I missed anything or if they need to be reworded
[15:07] <dmendiza[m]> Nice
[15:07] <d34dh0r53> that's it for liaison updates
[15:08] <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
[15:08] <d34dh0r53> External OAuth 2.0 Specification
[15:08] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
[15:08] <d34dh0r53> OAuth 2.0 Implementation
[15:08] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
[15:08] <d34dh0r53> OAuth 2.0 Documentation
[15:08] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
[15:08] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
[15:09] <d34dh0r53> we're very close to merging everything
[15:09] <hiromu> Thanks a lot! I just submitted backport patches for keystoneauth and keystonemiddleware.
[15:09] <d34dh0r53> excellent! thanks hiromu
[15:09] <hiromu> https://review.opendev.org/c/openstack/keystoneauth/+/876746
[15:09] <hiromu> https://review.opendev.org/c/openstack/keystonemiddleware/+/876745
[15:10] <hiromu> Keystone's master branch already includes the mTLS patch.
[15:10] <hiromu> So I didn't submit a backport patch to Keystone.
[15:12] <coreycb> o/ ohh is this a community meeting? if so can I put this on the agenda? https://bugs.launchpad.net/keystone/+bug/2009600
[15:13] <dmendiza[m]> hiromu: I think we might need to backport into the stable/2023.1 branch.  We do have these under review: https://review.opendev.org/c/openstack/keystone/+/876722/
[15:13] <d34dh0r53> coreycb: sure, I'll add it
[15:14] <coreycb> d34dh0r53: thanks
[15:14] <hiromu> Oh, okay. I'll check commit tree again.
[15:15] <hiromu> https://github.com/openstack/keystone/commits/master
[15:15] <dmendiza[m]> hiromu: do a `git review -d 876722` to pull down the start of the stable/2023.1 branch and then cherry-pick the oauth patches to that chain
[15:15] <hiromu> sorry it's wrong. https://github.com/openstack/keystone/commits/stable/2023.1
[15:16] <dmendiza[m]> Oh sweet!  Looks like it's already there
[15:16] <dmendiza[m]> (I think?)
[15:17] <hiromu> yeah, I thought so. wrong?
[15:18] <dmendiza[m]> I think we're good.  My mistake
[15:18] <hiromu> good :)
[15:18] <hiromu> ls
[15:18] <hiromu> sorry
[15:19] <hiromu> by the way, I'd like to talk about Ext. Authorization Server Support today.
[15:19] <d34dh0r53> ack, I'll add that as well
[15:19] <d34dh0r53> anything else with mTLS?
[15:20] <hiromu> No. That's all. thanks.
[15:22] <d34dh0r53> thanks, moving on to
[15:22] <d34dh0r53> #topic Secure RBAC (dmendiza[m])
[15:22] <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
[15:22] <d34dh0r53> Service Role Implementation
[15:22] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
[15:22] <d34dh0r53> Manager Role Implementation
[15:22] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
[15:22] <dmendiza[m]> No updates, sorry.  I'm not even susre if gmann is still having the pop-up meetings?
[15:22] <dmendiza[m]> *sure
[15:23] <d34dh0r53> ack
[15:24] <d34dh0r53> ok, moving on to
[15:24] <d34dh0r53> #topic open discussion
[15:24] <d34dh0r53> (drencrom) Need some reviews for this backport:
[15:24] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873921
[15:25] <d34dh0r53> I'll take a look at these today
[15:26] <d34dh0r53> next up
[15:26] <d34dh0r53> (coreycb) discuss mtls/cryptography bug
[15:26] <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2009600
[15:27] <knikolla[m]> can we lower the cryptography version to the one they mentioned?
[15:27] <d34dh0r53> that's what I'm wondering. hiromu, dmendiza[m] ?
[15:28] <coreycb> I'm attempting a patch to do that
[15:28] <coreycb> hopefully that'll be ok
[15:28] <knikolla[m]> i see that the version that we included was just what was in upper-constraints, so it doesn't feel like there's anything special about it.
[15:29] <coreycb> it's more about what the lower constraints are in requirements.txt
[15:30] <coreycb> for context, I'm a maintainer for the ubuntu cloud archive. the antelope cloud archive (and the next 2 to 3 openstack releases) are based on ubuntu jammy which has python3-cryptography 3.4.8.
[15:30] <knikolla[m]> I don't think we have any global lower constraints
[15:30] <knikolla[m]> (all i meant by my previous comment was that i don't think that version has any significance besides being what was written in the requirements repo as an upper constraint)
[15:32] <coreycb> I started going down the path of backporting cryptography 38.0.2 yesterday but it gets complicated very quickly (25+ rust library backports)
[15:33] <hiromu> At least, I can say I can look for workarounds to avoid using the feature that is only available on recent cryptography.
[15:35] <coreycb> do you know if attr_name_overrides is required? I can test the version of cryptography and either specify it or not. or maybe it can just be dropped.
[15:36] <hiromu> It is required, but there's an alternative way that doesn't use attr_name_overrides but brings the same effect.
[15:36] <coreycb> ok, maybe I should defer to you to work on a fix. I was just going to drop the parameter for older cryptography versions which is probably naive.
[15:38] <hiromu> I'm not sure which is easier
[15:40] <hiromu> but, I think there's a possibility that these kinds of problems happen again.
[15:40] <hiromu> so I think I should fix it.
[15:41] <hiromu> is that in line with your thought?
[15:42] <coreycb> that would be great, thank you. if I can help please let me know. I'll send an email for more global discussion about cryptography to the mailing list, not related specifically to this issue.
[15:42] <hiromu> great. thanks
[15:42] <d34dh0r53> awesome, thank you coreycb
[15:42] <d34dh0r53> thanks hiromu
[15:43] <d34dh0r53> next topic, is (hiromu) discuss Ext. Authorization Server Support
[15:43] <hiromu> I added this topic to https://etherpad.opendev.org/p/keystone-weekly-meeting
[15:44] <hiromu> We're planning to investigate if the following projects work with Ext. Authorizations, and how we can modify them to work with Ext. Authorization servers. Any other projects we must check?
[15:44] <hiromu>     heat
[15:44] <hiromu>     glance
[15:44] <hiromu>     nova
[15:44] <hiromu>     neutron
[15:44] <hiromu>     (placement) *low priority
[15:44] <hiromu>     (cinder) *low priority
[15:45] <hiromu> These projects are selected based on DevStack minimal install.
[15:46] <hiromu> Do you have any idea? knikolla:
[15:47] <knikolla[m]> That's a good start. I don't have any other ideas at the moment, though I would add Ironic as well.
[15:48] <d34dh0r53> and barbican? dmendiza[m]?
[15:49] <hiromu> Sure. We have a chance to discuss with ironic at vPTG. Depending on the result of that discussion, we might not have to check Ironic (hopefully barbican).
[15:50] <d34dh0r53> ack
[15:50] <d34dh0r53> That's a good start, I'll add this to the vPTG agenda for one of our sessions
[15:50] <d34dh0r53> moving on as we're almost out of time
[15:50] <d34dh0r53> #topic bug review
[15:51] <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
[15:51] <d34dh0r53> we already discussed the cryptography bug
[15:52] <d34dh0r53> another bug landed https://bugs.launchpad.net/keystone/+bug/2008890 but this looks to be kolla container specific
[15:52] <d34dh0r53> I'll make sure that is the case
[15:52] <d34dh0r53> #action d34dh0r53 ensure that https://bugs.launchpad.net/keystone/+bug/2008890 is kolla specific
[15:53] <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
[15:53] <d34dh0r53> nothing new for python-keystoneclient
[15:53] <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
[15:54] <d34dh0r53> keystoneauth is clean
[15:54] <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
[15:54] <d34dh0r53> as is keystone middleware
[15:54] <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
[15:55] <d34dh0r53> pycadf has no new bugs
[15:55] <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
[15:55] <d34dh0r53> and ldappool is clean too
[15:55] <d34dh0r53> #topic conclusion
[15:55] <d34dh0r53> Thanks for all the hard work in getting mTLS merged the last few weeks!
[15:55] <d34dh0r53> Anyone have anything else before we go?
[15:57] <d34dh0r53> thanks folks!
[15:57] <d34dh0r53> #endmeeting
[15:57] <opendevmeet> Meeting ended Tue Mar  7 15:57:07 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[15:57] <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-03-07-15.00.html
[15:57] <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-03-07-15.00.txt
[15:57] <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-03-07-15.00.log.html
[18:23] <gmann> dmendiza[m]: d34dh0r53: I do policy popup meeting on every alternate week - https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting
[18:24] <gmann> but we need to get those keystone patches for Member and service role merged
[18:24] <gmann> they are open without review for long and it might demotivate authors.
