*** mhen_ is now known as mhen | 02:12 | |
kevko | Hi folks, master keystone is reporting "Couldn't not find a service {service}" or "Couldn't find a role {role}" etc .... logs here https://ecbb8cfc7e1592890056-5f9169eacee10b8db2558d8a4c802669.ssl.cf5.rackcdn.com/913728/80/check/kolla-ansible-debian-upgrade/6692fc2/primary/logs/kolla/all-ERROR.txt .... everything is working ..but maybe it has | 08:38 |
kevko | some side effect elsewhere ? I don't know ..but I think it should be fixed ... | 08:38 |
frickler | kevko: this is normal (at least when using OSC), check on any of your installations. OSC first tries to use the parameter you give it as UUID, only when keystone returns that failure, it looks up by name | 08:52 |
frickler | one could argue about keystone being buggy by logging this as an error. or at all. or argue OSC should go the other way round. but it has been like this forever and I'm really surprised this is coming up time and again | 08:53 |
kevko | frickler: well, but shouldn't this lookup or exception be handled inside keystone code and raise only if real "not found" exception ? | 08:59 |
frickler | kevko: maybe. but that would likely be a massive API change and I think it will be difficult to convince anyone that it would be useful to come up with v4.0 for that | 09:10 |
kevko | frickler: API massive change ? why ? | 09:13 |
kevko | frickler: btw, if i follow traceback and catch the dict sent to keystone ... there is {'role_id' : 'service'} while calling openstack role show service ... but if i pop('role_id') and add 'role_name' to dict ...keystone is happy ...so maybe check if resource i am asking for in client is name/id ? | 09:15 |
frickler | it may be non-trivial to decide whether your CLI parameter is meant to be a name or an id? also this only works for some calls, not for stuff like GET /v3/projects/{project_id}/users/{user_id}/roles | 09:18 |
kevko | frickler: i still think this can't be difficult fix ... | 09:27 |
opendevreview | Douglas Mendizábal proposed openstack/keystone master: Allow admin to access tokens and credentials https://review.opendev.org/c/openstack/keystone/+/914520 | 14:04 |
d34dh0r53 | #startmeeting keystone | 15:02 |
opendevmeet | Meeting started Wed Mar 27 15:02:17 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
opendevmeet | The meeting name has been set to 'keystone' | 15:02 |
d34dh0r53 | #topic roll call | 15:02 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema | 15:02 |
d34dh0r53 | o/ | 15:02 |
dmendiza[m] | 🙋 | 15:03 |
d34dh0r53 | #topic review past meeting work items | 15:04 |
d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-20-15.00.html | 15:05 |
d34dh0r53 | no updates from me | 15:05 |
d34dh0r53 | #action d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:05 |
d34dh0r53 | #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:05 |
d34dh0r53 | #topic liaison updates | 15:05 |
d34dh0r53 | nothing much, on the VMT side, we've converted two private bugs to public, LMK if you want details | 15:07 |
d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:07 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:07 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:07 |
d34dh0r53 | External OAuth 2.0 Specification | 15:07 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:07 |
d34dh0r53 | OAuth 2.0 Implementation | 15:07 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:07 |
d34dh0r53 | OAuth 2.0 Documentation | 15:07 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 | 15:07 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 | 15:07 |
d34dh0r53 | guess hiromu isn't around | 15:08 |
d34dh0r53 | next up | 15:09 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:09 |
d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:09 |
d34dh0r53 | 2024.1 Release Timeline | 15:09 |
dmendiza[m] | 🙋 | 15:09 |
d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:09 |
d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:09 |
dmendiza[m] | Yeah, lots of updates | 15:09 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged) | 15:09 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged) | 15:09 |
d34dh0r53 | awesome! | 15:10 |
dmendiza[m] | OK, first up, it looks like Tempest currently has an all-or-nothing approach for setting scope in the Admin clients. | 15:10 |
dmendiza[m] | That means that they're either all project-scope or all system-scope | 15:11 |
dmendiza[m] | Unfortunately that does not work since some projects (i.e. neutron) only allow project-scoped requests for admin APIs. | 15:11 |
dmendiza[m] | So, for now, we want to only run tests as project-scoped admins | 15:11 |
dmendiza[m] | which is what this patch does: (in keystone at least) | 15:11 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/913999 | 15:12 |
dmendiza[m] | Still need another review (maybe from knikolla ?) | 15:12 |
dmendiza[m] | since Grzegorz Grasza is out on PTO this week | 15:12 |
dmendiza[m] | Now, for some reason, devstack also sets those same options | 15:13 |
dmendiza[m] | so we have duplicate code setting the same options in two repos | 15:13 |
dmendiza[m] | this is the patch to remove them from lib/tempest in the devstack repo: | 15:13 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/devstack/+/914115 | 15:13 |
dmendiza[m] | Next, I have a patch that modifies a couple of policies that were missed when we implemented Phase 1 of SRBAC: | 15:14 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/914520 | 15:14 |
dmendiza[m] | That one is fresh out of the oven, so still waiting on CI to run the gate jobs | 15:14 |
dmendiza[m] | Additionally, we still have the "protection" aka SRBAC jobs disabled in Keystone. I have a patch up to re-enable them, but I am not sure why it failed when I rebased... I'll look into that next: | 15:15 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone/+/909238 | 15:16 |
dmendiza[m] | Moving on, we do not have any tests that run the full tempest suite against Keystone with SRBAC turned on | 15:16 |
dmendiza[m] | Tempest does have an SRBAC job, but Keystone is not currently enforcing SRBAC. I have a patch up to enable it in that existing job. Currently failing the gate, but mostly due to needing some of the patches I've linked | 15:17 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/tempest/+/912489 | 15:18 |
dmendiza[m] | Lastly, I have a patch to rename the tempest option that enables SRBAC tests in keystone-tempest-plugin. Currently it does its own thing, and my patch changes it to be in-line with the rest of the projects that use the [enforce_scope] section of tempest.conf | 15:19 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/913593 | 15:19 |
dmendiza[m] | Oh, and I also have a DNM test to keystone-tempest-plugin to pull everything together across all those related repos and run a full suite test of SRBAC using project-admin credentials: | 15:20 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914089 | 15:20 |
dmendiza[m] | I still need to investigate why it's failing. I think we may need to change some tests around in the srbac suite due to the change of admin scope. | 15:21 |
dmendiza[m] | That's all for now. | 15:21 |
* dmendiza[m] feels like he's juggling spinning plates | 15:21 | |
d34dh0r53 | wow, that was a lot | 15:22 |
d34dh0r53 | thanks dmendiza[m] | 15:22 |
d34dh0r53 | I'll leave it open for questions for a minute or two | 15:23 |
d34dh0r53 | #topic specification Improve federated users management (gtema) | 15:27 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews | 15:27 |
d34dh0r53 | next up | 15:33 |
d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:33 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 | 15:33 |
d34dh0r53 | #topic open discussion | 15:35 |
d34dh0r53 | passlib update | 15:35 |
d34dh0r53 | The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug | 15:35 |
d34dh0r53 | #link https://foss.heptapod.net/python-libs/passlib/-/issues/190 | 15:35 |
d34dh0r53 | Targeted to 1.7.5 | 15:35 |
d34dh0r53 | No updates on this, hopefully 1.7.5 will be released soon | 15:36 |
d34dh0r53 | #topic bug review | 15:39 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:39 |
d34dh0r53 | no new bugs for keystone | 15:39 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:39 |
d34dh0r53 | python-keystoneclient is good | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:40 |
d34dh0r53 | nothing new in keystoneauth | 15:40 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:40 |
d34dh0r53 | one new bug in keystonemiddleware | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bug/1940770 | 15:42 |
d34dh0r53 | it's actually not new, just recently updated | 15:42 |
d34dh0r53 | I'll keep an eye on that one, maybe we should move to pymemcache | 15:43 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:43 |
d34dh0r53 | no new bugs for pycadf | 15:43 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:43 |
d34dh0r53 | ldappool is good | 15:43 |
d34dh0r53 | #topic conclusion | 15:43 |
d34dh0r53 | Nothing from me, add topics for the PTG to | 15:44 |
d34dh0r53 | #link https://etherpad.opendev.org/p/dalmation-ptg-keystone | 15:44 |
d34dh0r53 | Thanks all! | 15:44 |
d34dh0r53 | #endmeeting | 15:44 |
opendevmeet | Meeting ended Wed Mar 27 15:44:25 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:44 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-27-15.02.html | 15:44 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-27-15.02.txt | 15:44 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-27-15.02.log.html | 15:44 |
frickler | d34dh0r53: dmendiza[m]: please check the reno update patches from yesterday related to the unmaintained branches. those should be merged before the release to make sure release note generation isn't broken. https://review.opendev.org/c/openstack/keystone/+/914285 etc. | 15:47 |
opendevreview | Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: DNM: test keystone change https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914089 | 18:22 |
opendevreview | Douglas Mendizábal proposed openstack/keystone master: Enable protection jobs https://review.opendev.org/c/openstack/keystone/+/909238 | 18:26 |
opendevreview | Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: Fix domain-scope tests for list_domains https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914558 | 19:28 |
opendevreview | Douglas Mendizábal proposed openstack/keystone-tempest-plugin master: DNM: test keystone change https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914089 | 19:28 |