| *** reddy has quit IRC | 00:04 | |
| *** tosky has quit IRC | 00:10 | |
| *** rfolco has quit IRC | 00:19 | |
| *** rfolco has joined #openstack-meeting-alt | 00:19 | |
| *** rfolco has quit IRC | 00:25 | |
| *** zzzeek has quit IRC | 00:28 | |
| *** zzzeek has joined #openstack-meeting-alt | 00:31 | |
| *** rcernin has quit IRC | 01:12 | |
| *** rcernin has joined #openstack-meeting-alt | 01:20 | |
| *** zzzeek has quit IRC | 01:24 | |
| *** zzzeek has joined #openstack-meeting-alt | 01:26 | |
| *** macz_ has quit IRC | 01:37 | |
| *** macz_ has joined #openstack-meeting-alt | 01:38 | |
| *** rcernin has quit IRC | 02:42 | |
| *** rcernin has joined #openstack-meeting-alt | 02:54 | |
| *** lseki has quit IRC | 04:40 | |
| *** vishalmanchanda has joined #openstack-meeting-alt | 05:04 | |
| *** zzzeek has quit IRC | 05:11 | |
| *** zzzeek has joined #openstack-meeting-alt | 05:13 | |
| *** zzzeek has quit IRC | 05:20 | |
| *** zzzeek has joined #openstack-meeting-alt | 05:25 | |
| *** zzzeek has quit IRC | 06:04 | |
| *** zzzeek has joined #openstack-meeting-alt | 06:06 | |
| *** enriquetaso has quit IRC | 06:07 | |
| *** zzzeek has quit IRC | 06:16 | |
| *** zzzeek has joined #openstack-meeting-alt | 06:18 | |
| *** zzzeek has quit IRC | 06:30 | |
| *** zzzeek has joined #openstack-meeting-alt | 06:31 | |
| *** macz_ has quit IRC | 06:38 | |
| *** zzzeek has quit IRC | 06:56 | |
| *** zzzeek has joined #openstack-meeting-alt | 06:58 | |
| *** rcernin has quit IRC | 07:06 | |
| *** zzzeek has quit IRC | 07:18 | |
| *** zzzeek has joined #openstack-meeting-alt | 07:20 | |
| *** gyee has quit IRC | 07:21 | |
| *** zzzeek has quit IRC | 07:28 | |
| *** zzzeek has joined #openstack-meeting-alt | 07:28 | |
| *** rcernin has joined #openstack-meeting-alt | 07:43 | |
| *** rcernin has quit IRC | 07:48 | |
| *** slaweq has quit IRC | 07:56 | |
| *** slaweq has joined #openstack-meeting-alt | 07:58 | |
| *** rcernin has joined #openstack-meeting-alt | 07:59 | |
| *** rcernin has quit IRC | 08:04 | |
| *** rcernin has joined #openstack-meeting-alt | 08:08 | |
| *** rcernin has quit IRC | 08:12 | |
| *** rcernin has joined #openstack-meeting-alt | 08:33 | |
| *** rcernin has quit IRC | 08:34 | |
| *** macz_ has joined #openstack-meeting-alt | 08:35 | |
| *** macz_ has quit IRC | 08:39 | |
| *** tosky has joined #openstack-meeting-alt | 08:41 | |
| *** zzzeek has quit IRC | 08:43 | |
| *** zzzeek has joined #openstack-meeting-alt | 08:44 | |
| *** lpetrut has joined #openstack-meeting-alt | 08:57 | |
| priteau | #startmeeting blazar | 09:00 |
|---|---|---|
| openstack | Meeting started Tue Dec 15 09:00:01 2020 UTC and is due to finish in 60 minutes. The chair is priteau. Information about MeetBot at http://wiki.debian.org/MeetBot. | 09:00 |
| openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 09:00 |
| *** openstack changes topic to " (Meeting topic: blazar)" | 09:00 | |
| openstack | The meeting name has been set to 'blazar' | 09:00 |
| priteau | #topic Roll call | 09:00 |
| *** openstack changes topic to "Roll call (Meeting topic: blazar)" | 09:00 | |
| *** zzzeek has quit IRC | 09:04 | |
| *** zzzeek has joined #openstack-meeting-alt | 09:04 | |
| *** derekh has joined #openstack-meeting-alt | 09:08 | |
| priteau | #endmeeting | 09:08 |
| *** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" | 09:08 | |
| openstack | Meeting ended Tue Dec 15 09:08:04 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 09:08 |
| openstack | Minutes: http://eavesdrop.openstack.org/meetings/blazar/2020/blazar.2020-12-15-09.00.html | 09:08 |
| openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/blazar/2020/blazar.2020-12-15-09.00.txt | 09:08 |
| openstack | Log: http://eavesdrop.openstack.org/meetings/blazar/2020/blazar.2020-12-15-09.00.log.html | 09:08 |
| *** zzzeek has quit IRC | 09:11 | |
| *** zzzeek has joined #openstack-meeting-alt | 09:13 | |
| *** e0ne has joined #openstack-meeting-alt | 09:15 | |
| *** zzzeek has quit IRC | 09:27 | |
| *** zzzeek has joined #openstack-meeting-alt | 09:30 | |
| *** rdopiera has joined #openstack-meeting-alt | 09:33 | |
| *** vishalmanchanda has quit IRC | 10:22 | |
| *** vishalmanchanda has joined #openstack-meeting-alt | 10:30 | |
| *** yamamoto has joined #openstack-meeting-alt | 10:34 | |
| *** zzzeek has quit IRC | 10:45 | |
| *** zzzeek has joined #openstack-meeting-alt | 10:47 | |
| *** zzzeek has quit IRC | 10:53 | |
| *** zzzeek has joined #openstack-meeting-alt | 10:56 | |
| *** zzzeek has quit IRC | 11:16 | |
| *** zzzeek has joined #openstack-meeting-alt | 11:20 | |
| *** zzzeek has quit IRC | 11:39 | |
| *** zzzeek has joined #openstack-meeting-alt | 11:40 | |
| *** rfolco has joined #openstack-meeting-alt | 11:46 | |
| *** zzzeek has quit IRC | 11:50 | |
| *** zzzeek has joined #openstack-meeting-alt | 11:55 | |
| *** ricolin has quit IRC | 12:09 | |
| *** zzzeek has quit IRC | 12:10 | |
| *** zzzeek has joined #openstack-meeting-alt | 12:10 | |
| *** raildo has joined #openstack-meeting-alt | 12:25 | |
| *** yamamoto has quit IRC | 12:42 | |
| *** yamamoto has joined #openstack-meeting-alt | 12:43 | |
| *** yamamoto has quit IRC | 12:48 | |
| *** yamamoto has joined #openstack-meeting-alt | 12:48 | |
| *** zzzeek has quit IRC | 12:58 | |
| *** zzzeek has joined #openstack-meeting-alt | 12:58 | |
| *** yamamoto has quit IRC | 13:03 | |
| *** yamamoto has joined #openstack-meeting-alt | 13:03 | |
| *** frenzyfriday has joined #openstack-meeting-alt | 13:04 | |
| *** macz_ has joined #openstack-meeting-alt | 13:07 | |
| *** macz_ has quit IRC | 13:07 | |
| *** yamamoto has quit IRC | 13:08 | |
| *** yamamoto has joined #openstack-meeting-alt | 13:09 | |
| *** zzzeek has quit IRC | 13:13 | |
| *** zzzeek has joined #openstack-meeting-alt | 13:16 | |
| *** yamamoto has quit IRC | 13:18 | |
| *** frenzyfriday has quit IRC | 13:20 | |
| *** vishalmanchanda has quit IRC | 13:52 | |
| *** yamamoto has joined #openstack-meeting-alt | 13:55 | |
| *** yamamoto has quit IRC | 14:06 | |
| *** enriquetaso has joined #openstack-meeting-alt | 14:07 | |
| *** smyers has quit IRC | 14:18 | |
| *** smyers has joined #openstack-meeting-alt | 14:20 | |
| *** ralonsoh has quit IRC | 14:40 | |
| *** ralonsoh has joined #openstack-meeting-alt | 14:41 | |
| *** reddy has joined #openstack-meeting-alt | 14:56 | |
| *** reddy1 has joined #openstack-meeting-alt | 14:58 | |
| *** reddy has quit IRC | 15:01 | |
| *** michael-mcaleer has joined #openstack-meeting-alt | 15:02 | |
| *** lpetrut has quit IRC | 15:07 | |
| *** markmcclain has joined #openstack-meeting-alt | 15:38 | |
| *** ralonsoh has quit IRC | 15:58 | |
| *** ralonsoh has joined #openstack-meeting-alt | 15:59 | |
| *** crohmann has joined #openstack-meeting-alt | 16:01 | |
| *** yamamoto has joined #openstack-meeting-alt | 16:05 | |
| *** ralonsoh has quit IRC | 16:15 | |
| *** ralonsoh has joined #openstack-meeting-alt | 16:15 | |
| *** ralonsoh has quit IRC | 16:23 | |
| *** yamamoto has quit IRC | 16:24 | |
| *** ralonsoh has joined #openstack-meeting-alt | 16:29 | |
| *** lseki has joined #openstack-meeting-alt | 16:30 | |
| *** rafaelweingartne has joined #openstack-meeting-alt | 16:50 | |
| knikolla | #startmeeting keystone | 17:00 |
| openstack | Meeting started Tue Dec 15 17:00:28 2020 UTC and is due to finish in 60 minutes. The chair is knikolla. Information about MeetBot at http://wiki.debian.org/MeetBot. | 17:00 |
| openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 17:00 |
| *** openstack changes topic to " (Meeting topic: keystone)" | 17:00 | |
| openstack | The meeting name has been set to 'keystone' | 17:00 |
| knikolla | o/ | 17:00 |
| rafaelweingartne | \o | 17:00 |
| knikolla | cmurphy, lbragstad, gagehugo: around? | 17:08 |
| lbragstad | o/ | 17:08 |
| lbragstad | i am - sorry | 17:08 |
| cmurphy | o/ | 17:08 |
| gagehugo | o/ I'm on vacation but usually around :) | 17:09 |
| knikolla | gagehugo: enjoy your vacation! | 17:09 |
| knikolla | #topic Lower-constraints job failing | 17:09 |
| *** openstack changes topic to "Lower-constraints job failing (Meeting topic: keystone)" | 17:09 | |
| knikolla | The new pip dependency resolver is much stricter and is causing our lower-constraints job to fail | 17:09 |
| knikolla | I am working on fixing it, but I'm not super well versed in it, so it's taking me quite some time of whackamoling. | 17:10 |
| *** e0ne has quit IRC | 17:11 | |
| cmurphy | it looks like other projects are facing the same problem | 17:12 |
| knikolla | yeah, there is a discussion on the mailing list | 17:12 |
| knikolla | there didn't seem to be any consensus on how best to approach it though | 17:12 |
| rafaelweingartne | Yes, I fixed for cloudkitty | 17:12 |
| rafaelweingartne | but I took the lazy route, and just bumped them up as most of them were pretty outdated already | 17:13 |
| knikolla | I'm trying to be more conservative, since a lot of things import keystoneauth or client | 17:13 |
| knikolla | so I'm relaxing some constraints and trying to bump a few things | 17:14 |
| knikolla | not fun | 17:14 |
| knikolla | I miss the requirements bot | 17:15 |
| knikolla | #topic Open Discussion | 17:17 |
| *** openstack changes topic to "Open Discussion (Meeting topic: keystone)" | 17:17 | |
| knikolla | cmurphy: did you get a chance to re-review rafaelweingartne specs? | 17:20 |
| cmurphy | i left some feedback earlier but i don't really have time to keep going back and forth on it, i'll support what the rest of the cores agree with. my only discomfort with 748042 was that it seems to make the domain attribute of a mapping behave differently from the project attribute, i.e. project is for role assignments but domain is the default namespace for users and groups rather than a | 17:24 |
| cmurphy | target for role assignments. if other cores are okay with those semantics i won't fuss over it. | 17:24 |
| knikolla | rafaelweingartne: the projects_json spec depends only on the versioned mappings or also by the domain attribute? | 17:27 |
| rafaelweingartne | only on the versioned mappings | 17:27 |
| rafaelweingartne | but if you want to use more complex things, such as a default domain, and then overriding it in some projects | 17:27 |
| rafaelweingartne | then, yes, you would need it as well | 17:28 |
| knikolla | but without it, the default domain would be implied to be the domain of the idp | 17:28 |
| knikolla | right? | 17:28 |
| rafaelweingartne | if we remove that, yes | 17:28 |
| rafaelweingartne | I did not implement this way though | 17:29 |
| rafaelweingartne | I really do not see the problem on using the domain on projects definition as well. That domain element is already used by the group definition | 17:29 |
| cmurphy | that's very different, that's part of the group object | 17:30 |
| cmurphy | groups and users are always identified by a name and domain | 17:30 |
| cmurphy | so the group object contains a domain reference | 17:30 |
| rafaelweingartne | but projects also have a domain, don't they? | 17:31 |
| rafaelweingartne | they belong to a domain | 17:31 |
| rafaelweingartne | is it possible to create a project without a domain? I have not checked that | 17:32 |
| knikolla | if i understand cmurphy reservation correctly, is that in the mapping definition project/group have a domain attribute. project and group are themselves top-level objects in the mapping. | 17:32 |
| rafaelweingartne | yes | 17:33 |
| cmurphy | right | 17:33 |
| knikolla | however domain as a top level attribute would act fundamentally differently, since it would change things of other objects in the mapping. | 17:33 |
| rafaelweingartne | it is already like that | 17:33 |
| rafaelweingartne | you can define a domain in the top level of the mapping | 17:33 |
| rafaelweingartne | also, this behavior would only be activated in the 1.1 version. Therefore, for everybody using it, they would still get the behavior we have right now | 17:34 |
| knikolla | https://github.com/openstack/keystone/blob/a98f006f854be02e5682390012d8bb917f4f3940/keystone/federation/utils.py#L118 | 17:34 |
| knikolla | i believe you're referring to this | 17:34 |
| knikolla | the fact that we already accept a domain in the mapping, but it doesn't do anything | 17:34 |
| rafaelweingartne | yes | 17:34 |
| rafaelweingartne | exactly | 17:34 |
| *** tmazur has joined #openstack-meeting-alt | 17:36 | |
| knikolla | I do see cmurphy's reservation, and I do share it. However I think none of the cores have either felt too strongly against it, or super okay with it, and are therefore waiting on someone else to take the charge in either approving or shutting it down. | 17:36 |
| cmurphy | if it currently doesn't do anything then there is no "already" to set any precedent, so now is when we define what it should be doing and i think the proposed definition doesn't make sense | 17:37 |
| rafaelweingartne | I disagree, I really do not see why so much resistance on this one. It would not be activated by default. | 17:38 |
| knikolla | rafaelweingartne: one question. if the domain is specified for the whole mapping, and you have one mapping per protocol/idp, why not use the idp domain as the default? | 17:38 |
| knikolla | rafaelweingartne: I don't think the reservation is not with it being enabled by default. It is with it not matching the way that the other attributes/objects are defined in the mapping. | 17:39 |
| rafaelweingartne | that domain value is used here: https://github.com/openstack/keystone/blob/a98f006f854be02e5682390012d8bb917f4f3940/keystone/federation/utils.py#L591 | 17:41 |
| rafaelweingartne | Probably I am misinterpreting things because I see groups and projects being bound to a domain; therefore, I would expect them to use/adopt this "domain" option in the same manner | 17:43 |
| knikolla | rafaelweingartne: i need to dig deeper in that section of the code. so you've found that the domain there does provide a domain to the groups, but not projects | 17:47 |
| rafaelweingartne | exactly | 17:47 |
| knikolla | meaning, the top-level domain does provide the default domain for the groups, attribute | 17:47 |
| rafaelweingartne | yes | 17:48 |
| rafaelweingartne | exactly | 17:48 |
| rafaelweingartne | and we extended it further, and provided this to projects as well | 17:48 |
| rafaelweingartne | and then, also a method to override it in the project if needed | 17:48 |
| knikolla | cmurphy: does it make more sense to you in this context? | 17:48 |
| cmurphy | if it's the case that that domain is already used that way then yes that makes in this context, before we were saying that domain attribute doesn't get used so i was confused | 17:50 |
| knikolla | yeah, sorry for causing the confusion. i had misunderstood. | 17:50 |
| rafaelweingartne | well, to be fair | 17:50 |
| rafaelweingartne | it is the first sentence I have there | 17:50 |
| rafaelweingartne | Currently, Keystone identity provider (IdP) attribute mapping schema onlyuses the "domain" attribute mapping as a default configuration for the domainof groups being mapped | 17:51 |
| knikolla | rafaelweingartne: you are completely right! | 17:51 |
| knikolla | any other questions concerns while we're here? | 17:53 |
| cmurphy | https://review.opendev.org/c/openstack/keystone-specs/+/748042/4/specs/keystone/wallaby/versioning-for-attribute-mapping-schema.rst#38 "The default domain definition in the "local" property of the attribute mapping rule was not being used." was where i interpreted that, sorry for the confusion | 17:53 |
| knikolla | ++, i think that's what got me too | 17:53 |
| knikolla | rafaelweingartne: so domain provides a default for the groups attribute. does it provide a default for "group" as well? | 17:54 |
| knikolla | or in that one if only name is provided, the domain attribute must be inside the group object? | 17:55 |
| rafaelweingartne | it has been a while that I did this implementation | 17:55 |
| knikolla | (i should already know these things, sorry for asking) | 17:55 |
| rafaelweingartne | I do not remember by heart, I would need to check | 17:55 |
| rafaelweingartne | I would like to say yes | 17:56 |
| rafaelweingartne | but that part of the code is a bit hard to me to read, so I would rather check it first | 17:56 |
| knikolla | if we are having that be the default for projects, it feels like it should be the default for group as well, otherwise there is inconsistency | 17:56 |
| knikolla | i will do some poking as well | 17:57 |
| rafaelweingartne | In our implementation that is how it is working now, but in master I am not sure | 17:58 |
| knikolla | sorry for taking this long to providing more feedback on the specs | 17:58 |
| rafaelweingartne | we normalized the use of that variable, then it became consistent across the different elements | 17:58 |
| knikolla | i see | 17:58 |
| knikolla | alright, we're out of time. thanks all! thanks rafaelweingartne and cmurphy for the discussion. | 17:59 |
| rafaelweingartne | welcome | 17:59 |
| rafaelweingartne | we can keep exchanging in the spec there | 17:59 |
| knikolla | #endmeeting | 17:59 |
| *** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" | 17:59 | |
| openstack | Meeting ended Tue Dec 15 17:59:53 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 17:59 |
| openstack | Minutes: http://eavesdrop.openstack.org/meetings/keystone/2020/keystone.2020-12-15-17.00.html | 17:59 |
| openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/keystone/2020/keystone.2020-12-15-17.00.txt | 17:59 |
| openstack | Log: http://eavesdrop.openstack.org/meetings/keystone/2020/keystone.2020-12-15-17.00.log.html | 17:59 |
| *** derekh has quit IRC | 18:00 | |
| *** yamamoto has joined #openstack-meeting-alt | 18:24 | |
| *** yamamoto has quit IRC | 18:37 | |
| *** rafaelweingartne has quit IRC | 18:43 | |
| *** e0ne has joined #openstack-meeting-alt | 18:48 | |
| *** rdopiera has quit IRC | 18:49 | |
| *** gyee has joined #openstack-meeting-alt | 19:00 | |
| *** michael-mcaleer has quit IRC | 19:02 | |
| *** e0ne has quit IRC | 20:22 | |
| *** yamamoto has joined #openstack-meeting-alt | 20:36 | |
| *** lbragstad has quit IRC | 20:43 | |
| *** e0ne has joined #openstack-meeting-alt | 21:02 | |
| *** raildo has quit IRC | 21:03 | |
| *** yamamoto has quit IRC | 21:03 | |
| *** e0ne has quit IRC | 21:03 | |
| *** rfolco has quit IRC | 21:10 | |
| *** rcernin has joined #openstack-meeting-alt | 21:25 | |
| *** lbragstad has joined #openstack-meeting-alt | 21:53 | |
| *** trident has quit IRC | 21:56 | |
| *** trident has joined #openstack-meeting-alt | 22:00 | |
| *** yamamoto has joined #openstack-meeting-alt | 22:01 | |
| *** yamamoto has quit IRC | 22:28 | |
| *** yamamoto has joined #openstack-meeting-alt | 22:28 | |
| *** enriquetaso has quit IRC | 23:06 | |
| *** macz_ has joined #openstack-meeting-alt | 23:09 | |
| *** slaweq has quit IRC | 23:32 | |
| *** tmazur has quit IRC | 23:51 | |
| *** sfernand has joined #openstack-meeting-alt | 23:54 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!