17:01:31 <cmurphy> #startmeeting keystone
17:01:32 <openstack> Meeting started Tue Mar 17 17:01:31 2020 UTC and is due to finish in 60 minutes.  The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:33 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:36 <openstack> The meeting name has been set to 'keystone'
17:01:47 <knikolla> o/
17:01:48 <cmurphy> #link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda
17:01:51 <vishakha> o/
17:02:16 <cmurphy> hey everyone
17:02:34 <gagehugo> o/
17:02:36 <bnemec> \o
17:02:52 * bnemec practices IRC social distancing
17:03:08 <cmurphy> :P
17:03:12 <knikolla> hahaha
17:03:18 <vishakha> o/
17:03:21 <cmurphy> how's everyone doing?
17:03:53 <gagehugo> chilling at home
17:04:04 <knikolla> doing fine :) today i learned how to make my own cappuccinos
17:04:32 <cmurphy> these times are great opportunities for building new skills :)
17:05:13 <bnemec> BAU here.
17:06:01 <knikolla> i'm not used to working from home, so it's been a challenge doing it for extended periods
17:06:38 <knikolla> especially since i have a studio, and the smell of lunch persists until replaced by the smell of the next meal, and so on.
17:06:39 <vishakha> yeah same here. I too don't have wfh habit
17:07:08 <cmurphy> knikolla: working from studio is super hard :(
17:07:09 <gagehugo> we just got a house about a month ago, so I have a nice basement to hide in
17:07:20 <cmurphy> gagehugo: lucky
17:08:24 <cmurphy> let's get started
17:08:30 <cmurphy> #topic review requests
17:08:52 <cmurphy> knikolla: want to talk about yours first?
17:10:41 <knikolla> cmurphy: sure
17:11:03 <knikolla> https://review.opendev.org/#/c/448730/ - get
17:11:03 <knikolla> https://review.opendev.org/#/c/448755/ - create
17:11:03 <knikolla> https://review.opendev.org/#/c/448765/ - update
17:11:13 <knikolla> those are the reviews for federated attributes
17:11:27 <knikolla> they were rebased from code of richard avelar from 2-3 years ago
17:11:36 <knikolla> mostly clean rebases
17:11:49 <knikolla> seems to be complete and straightforward.
17:12:19 <knikolla> this is work for allowing CRUD operations of federated users the same as on normal users
17:12:35 <knikolla> so it's no longer required for a user to first do a login for the shadow reference to be created
17:12:41 <knikolla> or updated
17:12:53 <cmurphy> these are high priority to review because feature freeze is in less than a month and we've already deferred this once
17:13:39 <knikolla> ping me after review and i can respond ASAP.
17:14:18 <cmurphy> thanks knikolla
17:14:29 <cmurphy> vishakha: want to talk about yours?
17:14:46 <vishakha> Yes. #link https://review.opendev.org/#/c/588211/
17:15:01 <vishakha> #link https://review.opendev.org/#/c/704271/
17:15:26 <vishakha> These are for added openstack_groups in SAML assertion
17:15:40 <vishakha> and #link https://review.opendev.org/#/c/697444/
17:15:56 <vishakha> For user options added in openstackclient
17:17:24 <cmurphy> thanks vishakha, will try to get to them today
17:17:33 <cmurphy> any other review requests?
17:17:34 <vishakha> thanks :)
17:19:53 <cmurphy> #topic l1 duty rotation
17:20:18 <cmurphy> last week was knikolla, any cases worth a discussion here?
17:20:45 <knikolla> there wasn't much activity. i wasn't able to reproduce https://bugs.launchpad.net/keystone/+bug/1866817
17:20:46 <openstack> Launchpad bug 1866817 in OpenStack Identity (keystone) "Invalid input for field 'roles/0/id': 'role_admin' does not match '^[a-zA-Z0-9-]+$'" [Undecided,Incomplete]
17:22:21 <cmurphy> yeah that one is strange, i still suspect some kind of user error
17:23:56 <cmurphy> next up is vishakha, gagehugo can you take the following week?
17:25:33 <gagehugo> sure
17:25:46 <cmurphy> ty
17:26:37 <cmurphy> #topic open floor
17:27:01 <cmurphy> knikolla: want to talk about expiring group membership?
17:27:21 <knikolla> yeah. i'm pretty much done with the model and driver, and am hooking it up to the API
17:28:01 <knikolla> and currently listing for groups of a user doesn't provide anything except the group listing
17:28:17 <knikolla> i was thinking of adding a column `expires` when listing for group membership of a user
17:28:28 <knikolla> wanted to get some feedback from the team before i do that.
17:29:42 <knikolla> this api call specifically https://docs.openstack.org/api-ref/identity/v3/?expanded=list-groups-to-which-a-user-belongs-detail#list-groups-to-which-a-user-belongs
17:30:58 <cmurphy> seems like it could be useful
17:31:06 <cmurphy> is there any other way a user can get that information?
17:31:28 <knikolla> there's also a `list users in group`
17:32:02 <knikolla> i need to check the policy for who can do these calls
17:32:02 <cmurphy> i mean other ways a user can find out if their group memberships are about to expire
17:32:34 <knikolla> not currently
17:32:34 <cmurphy> oh with policy i guess it would usually be an admin
17:34:07 <cmurphy> knikolla: seems reasonable to me, can't think of a downside
17:34:48 <knikolla> the alternative is to either not expose that information through the API, or to create a new API
17:35:36 <knikolla> https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L120
17:35:50 <knikolla> it seems a user can already query the groups that they belong to
17:36:02 <cmurphy> oh good
17:36:51 <knikolla> are there any backwards compat concers with adding a field to an existing API?
17:36:59 <knikolla> concerns*
17:37:33 <cmurphy> i think since we don't have microversions we've historically kind of ignored those concerns
17:37:55 <cmurphy> i wonder if a user is logged in and able to run that query doesn't that kind of mean their group memberships are all up to date?
17:38:16 <cmurphy> like the act of getting a token pushes that expiry date out on its own?
17:38:41 <knikolla> not always
17:38:50 <knikolla> if they're logged in through application credentials or the like
17:38:59 <knikolla> they won't trigger the renewal
17:39:07 <cmurphy> ah okay
17:39:33 <knikolla> i've hooked up renewal only to the mapped authentication
17:41:22 <cmurphy> imo adding it to the existing api seems the most user-friendly
17:41:57 <cmurphy> gagehugo: vishakha bnemec have any opinion?
17:42:01 <knikolla> ++, that was my feeling as well. though then everyone, regardless if they're using this or not will see the extra column through say `openstackclient`
17:42:21 <knikolla> it's just that not expiring groups will have `expires` = None
17:43:22 <bnemec> As long as it doesn't break older clients it seems fine.
17:43:35 <bnemec> With the big disclaimer that I know squat about REST API design. :-)
17:43:42 <gagehugo> yeah, as long as it's non-breaking
17:44:11 <vishakha> ++ I think since keystone doesn't support microversions, we can add it to existing API
17:44:40 <vishakha> of course if it doesn't break anything
17:46:27 <cmurphy> thanks for bringing it up knikolla
17:46:31 <knikolla> shouldn't break anyone, since we've usually added extra fields throughout the years
17:46:34 <knikolla> thanks for the feedback :)
17:48:19 <cmurphy> any other topics?
17:48:54 <mordred> for the record, I agree that adding a field is fine
17:49:17 <cmurphy> mordred: yay! thank you for that feedback
17:49:28 * mordred likes to provide positive value
17:49:30 <knikolla> mordred: good to see you :)
17:49:34 <mordred> knikolla: you too!
17:52:53 <cmurphy> okay thanks for coming everyone, stay safe and take care of yourselves <3
17:52:57 <cmurphy> #endmeeting