opendevreview | Takashi Kajinami proposed openstack/oslo.policy master: Use consistent commands for coverage https://review.opendev.org/c/openstack/oslo.policy/+/908236 | 03:19 |
---|---|---|
opendevreview | Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: Consistent and Secure RBAC (Phase 1) https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 | 04:41 |
swalladge[m] | Hi, we're trying to figure out what roles and such we need to provide to have a domain scoped admin. We're following the standard steps for creating a domain admin user, but that user can do things outside the domain still, like creating a project in another domain: https://pastebin.ubuntu.com/p/8hxPW6BTPH/ | 05:11 |
swalladge[m] | This is with the default policies in place, deployment of openstack 2023.2. Any thoughts appreciated! :) | 05:12 |
opendevreview | Merged openstack/oslo.policy master: Use consistent commands for coverage https://review.opendev.org/c/openstack/oslo.policy/+/908236 | 06:41 |
gtema | Swalladge: there is spec for adding a dedicated domain manager role https://review.opendev.org/c/openstack/keystone-specs/+/903172 granting some user directly admin on a domain is as you see not the right thing | 06:48 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Fix federation mapping role jsonschema https://review.opendev.org/c/openstack/keystone/+/908163 | 07:50 |
opendevreview | Takashi Kajinami proposed openstack/oslo.policy master: Remove fallback to DEFAULT section https://review.opendev.org/c/openstack/oslo.policy/+/908315 | 14:42 |
*** | d34dh0r5- is now known as d34dh0r53 | 14:57 |
d34dh0r53 | #startmeeting keystone | 15:02 |
opendevmeet | Meeting started Wed Feb 7 15:02:19 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
opendevmeet | The meeting name has been set to 'keystone' | 15:02 |
d34dh0r53 | #topic roll call | 15:02 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph | 15:02 |
d34dh0r53 | o/ | 15:02 |
xek | o/ | 15:03 |
Luzi | o/ | 15:04 |
dmendiza[m] | 🙋 | 15:05 |
d34dh0r53 | #topic review past meeting work items | 15:06 |
d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-31-15.01.html | 15:06 |
d34dh0r53 | no updates from my end | 15:06 |
d34dh0r53 | #action d34dh0r53 d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:07 |
d34dh0r53 | #undo | 15:07 |
opendevmeet | Removing item from minutes: #action d34dh0r53 d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:07 |
d34dh0r53 | #action d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:07 |
d34dh0r53 | #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:07 |
d34dh0r53 | #topic liaison updates | 15:07 |
d34dh0r53 | nothing from VMT | 15:07 |
gtema | from api-sig pov: https://review.opendev.org/c/openstack/keystone/+/908163 | 15:10 |
gtema | I work on openapi generation and found that one | 15:10 |
d34dh0r53 | we've moved Train and Ussuri to End-Of-Life and Yoga has transitioned to unmaintained status | 15:10 |
d34dh0r53 | ack, thanks gtema I'll take a look at that one | 15:11 |
d34dh0r53 | that should do it for liaison updates | 15:12 |
d34dh0r53 | moving on | 15:12 |
d34dh0r53 | #topic specifications OAuth 2.0 (hiromu) | 15:12 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:12 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:12 |
d34dh0r53 | External OAuth 2.0 Specification | 15:12 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:12 |
d34dh0r53 | OAuth 2.0 Implementation | 15:12 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:12 |
d34dh0r53 | OAuth 2.0 Documentation | 15:12 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 | 15:12 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 | 15:12 |
d34dh0r53 | I haven't seen hiromu around in a while | 15:13 |
d34dh0r53 | it looks like the WIP patches are somewhat active, updates in the last 30 days | 15:15 |
d34dh0r53 | moving on | 15:15 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:15 |
d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:15 |
d34dh0r53 | 2024.1 Release Timeline | 15:15 |
d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:15 |
d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:15 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged) | 15:15 |
dmendiza[m] | Making progress on Phase 1 | 15:15 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 | 15:15 |
dmendiza[m] | down to just a few more tests that need fixin in the tempest patch | 15:15 |
dmendiza[m] | Of course, spending so much time in the tempest code made me realize it sucks and I hate it. :-P | 15:16 |
d34dh0r53 | lol | 15:16 |
d34dh0r53 | yep | 15:16 |
dmendiza[m] | Needs a serious refactor for DRY principle | 15:16 |
d34dh0r53 | indeed | 15:17 |
dmendiza[m] | Anyway, the tempest patch should be ready for review for Friday's reviewathon hopefully | 15:17 |
d34dh0r53 | ack, thanks dmendiza[m] | 15:17 |
dmendiza[m] | I'm not refactoring anything right now, but it would be worth refactoring and removing duplication when we add the "manager" role tests | 15:17 |
d34dh0r53 | good idea | 15:18 |
d34dh0r53 | moving on | 15:19 |
d34dh0r53 | #topic specification Improve federated users management (previously: Add schema version and support to "domain" attribute in mapping rules) (gtema) | 15:19 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews | 15:19 |
gtema | right - waiting for spec reviews | 15:19 |
d34dh0r53 | I gave that one a once over and will try to give it a deeper look this week | 15:19 |
gtema | great, thanks | 15:20 |
d34dh0r53 | nothing jumped out at me | 15:20 |
gtema | sounds good | 15:20 |
d34dh0r53 | next up | 15:20 |
d34dh0r53 | #topic specification Dedicated domainmanager role | 15:20 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/903172 - waiting for reviews | 15:20 |
gtema | so, I do not know whether you noticed or not | 15:21 |
gtema | earlier today someone posted a question here in the room | 15:21 |
gtema | that admin on a domain is still capable of doing other dangerous operations | 15:21 |
gtema | that one more time proves the necessity of improvements in the area | 15:21 |
gtema | and I know - it touches the RBAC topic as well (at least similar direction) | 15:22 |
gtema | so, what operators often need is some sort of domain manager (admin) role that they are able to give out to customers | 15:22 |
d34dh0r53 | right, I agree | 15:22 |
gtema | but that should not be "admin" | 15:22 |
dmendiza[m] | gtema "admin" role is essentially root | 15:23 |
gtema | correct, and thus something new should be added | 15:23 |
dmendiza[m] | whether "admin" is assigned on a project, or on a domain, or on the system the result is the same | 15:24 |
dmendiza[m] | Have you read through the latest version of the Secure RBAC spec? | 15:24 |
dmendiza[m] | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change | 15:24 |
dmendiza[m] | gtema: perhaps you want the "manager" role? | 15:24 |
gtema | yes, but it doesn't explicitly describe the use case with domains | 15:24 |
dmendiza[m] | Right ... there's a lot of confusion around scopes unfortunately. If your use case is something that has more access than "member" but less than "admin" then the answer is the "manager" role. | 15:25 |
gtema | correct, so if also in the scope of your work we can consider "manager" role it would be great | 15:26 |
gtema | anyway, I wanted to put that spec on the table, and all opinions are welcome | 15:26 |
dmendiza[m] | Ack, I'll read through it and comment | 15:27 |
gtema | great, thanks | 15:27 |
d34dh0r53 | thanks both! | 15:27 |
d34dh0r53 | #topic open discussion | 15:28 |
d34dh0r53 | nothing on the agenda | 15:28 |
Luzi | gtema there is a spec https://review.opendev.org/c/openstack/keystone-specs/+/903172 | 15:28 |
Luzi | for a domain manager role | 15:29 |
gtema | correct, this is exactly the spec I mentioned | 15:29 |
Luzi | a colleague and I will be driving this, when the spec is accepted | 15:30 |
gtema | that's great | 15:30 |
Luzi | but concerning this: with feature freeze around, i doubt this will make it into this cycle - am I right d34dh0r53 ? | 15:31 |
d34dh0r53 | that is correct, it will have to be 2024.2 | 15:31 |
Luzi | okay, thank you for the information d34dh0r53 :) | 15:32 |
dmendiza[m] | TIL 2024.2 code name is Dalmatian | 15:32 |
d34dh0r53 | oh sweet, I missed that | 15:33 |
dmendiza[m] | I assume @spotz had something to do with that. | 15:33 |
dmendiza[m] | Yeah, Schedule is already out: | 15:33 |
d34dh0r53 | lol, I'm sure she did :) | 15:33 |
dmendiza[m] | #link https://releases.openstack.org/dalmatian/schedule.html | 15:33 |
d34dh0r53 | woo woo | 15:34 |
d34dh0r53 | err, woof woof? | 15:34 |
d34dh0r53 | anything else for open discussion? | 15:35 |
dmendiza[m] | Feature Freeze is in a few weeks | 15:35 |
d34dh0r53 | indeed, good call dmendiza[m] | 15:36 |
dmendiza[m] | Just a heads up in case there's things we want to land before then | 15:36 |
d34dh0r53 | Feb 26 - Mar 01 is Caracal-3 and Feature freeze week | 15:36 |
dmendiza[m] | #info Feature Freeze is the week of Feb 20 - Mar 01 | 15:37 |
dmendiza[m] | ☝️for folks who just get the tl;dr from the summary. | 15:38 |
d34dh0r53 | yeah, forgot about that hashtag | 15:38 |
d34dh0r53 | moving on | 15:39 |
d34dh0r53 | #topic bug review | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:40 |
d34dh0r53 | no new bugs for keystone | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:40 |
d34dh0r53 | python-keystoneclient is also good | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:40 |
d34dh0r53 | nothing new for keystoneauth | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:41 |
d34dh0r53 | keystonemiddleware is also good | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:41 |
d34dh0r53 | pycadf has no new bugs | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:42 |
d34dh0r53 | nor does ldappool | 15:42 |
d34dh0r53 | #topic conclusion | 15:42 |
tkajinam | this is not a bug, but it's known that you have to update a release note file for yoga after transitioning stable/yoga to unmaintained/yoga | 15:42 |
tkajinam | release note jobs are all broken until you merge the release patches proposed by bot | 15:43 |
tkajinam | some projects like barbican didn't get that update by bot so manual patch may be needed (I've created ones for barbican I believe) | 15:43 |
tkajinam | (assuming some people here may be interested in barbican as well :-P) | 15:43 |
tkajinam | example: https://review.opendev.org/c/openstack/keystone/+/908150 | 15:43 |
tkajinam | so I'd suggest you check your review queue and merge these patches asap before a different problem hits you | 15:44 |
d34dh0r53 | ack, thanks tkajinam I'll get those in for keystone | 15:48 |
d34dh0r53 | anything else for today? | 15:48 |
tkajinam | d34dh0r53, thanks :-) | 15:48 |
tkajinam | d34dh0r53, nothing else from me | 15:48 |
d34dh0r53 | excellent, thanks everyone! | 15:49 |
d34dh0r53 | have a great rest of your week :) | 15:49 |
d34dh0r53 | #endmeeting | 15:49 |
opendevmeet | Meeting ended Wed Feb 7 15:49:18 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:49 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-07-15.02.html | 15:49 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-07-15.02.txt | 15:49 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-07-15.02.log.html | 15:49 |
opendevreview | Merged openstack/keystoneauth master: reno: Update master for unmaintained/yoga https://review.opendev.org/c/openstack/keystoneauth/+/908152 | 15:59 |
opendevreview | Merged openstack/python-keystoneclient master: reno: Update master for unmaintained/yoga https://review.opendev.org/c/openstack/python-keystoneclient/+/908156 | 16:00 |
opendevreview | Merged openstack/keystonemiddleware master: reno: Update master for unmaintained/yoga https://review.opendev.org/c/openstack/keystonemiddleware/+/908154 | 16:00 |
opendevreview | Merged openstack/keystone master: reno: Update master for unmaintained/yoga https://review.opendev.org/c/openstack/keystone/+/908150 | 19:16 |
swalladge[m] | <gtema> "Swalladge: there is spec for..." <- thanks, this is helpful :) Does this mean that currently there is actually no concept of a 'domain admin'? What about the rules in keystone that seem to scope things to a domain like the create_project rule: https://opendev.org/openstack/keystone/src/commit/653d82b1b4e09b2ff37b56868e57d08c8e3af7dd/keystone/common/policies/project.py#L170 ? | 21:55 |