#openstack-meeting-alt log

17:00:23 <lbragstad> #startmeeting keystone
17:00:24 <openstack> Meeting started Tue Aug  4 17:00:23 2020 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:27 <openstack> The meeting name has been set to 'keystone'
17:00:31 <lbragstad> #link https://etherpad.opendev.org/p/keystone-weekly-meeting
17:00:39 <cmurphy> o/
17:00:40 <vishakha> o/
17:00:40 <lbragstad> o/
17:01:05 <lbragstad> we'll give folks a few minutes to show up
17:02:20 <gagehugo> o/
17:03:08 <lbragstad> #topic Announcements
17:03:15 <lbragstad> #info Last day to submit proposals for Open Infra Summit
17:03:32 <lbragstad> in case you're planning on submitting a proposal, now is the time!
17:04:22 <lbragstad> #topic Review Requests
17:04:47 <lbragstad> looks like we have some reviews
17:05:01 <lbragstad> #link https://review.opendev.org/#/c/743489/
17:05:10 <lbragstad> #link https://review.opendev.org/#/c/737225/
17:05:18 <lbragstad> #link https://review.opendev.org/#/c/742233/
17:05:25 <lbragstad> #link https://review.opendev.org/#/c/731087/
17:05:55 <vishakha> Thanks lbragstad for listing them down
17:06:06 <lbragstad> mhm - you're welcome, thanks for the patches
17:06:18 <cmurphy> i've been working on https://review.opendev.org/686305 for a while, it's now just about ready to review
17:06:35 <lbragstad> o.m.g.
17:07:01 <cmurphy> its performance isn't quite as significant as i was hoping but the subunit tests are generally a bit faster than the unit version of them
17:07:12 <lbragstad> fantastic
17:07:37 <cmurphy> it's all in one big pile but i can split it up if it would be easier for people to review, not sure if it's actually easier
17:07:50 <lbragstad> right
17:08:02 <lbragstad> i agree
17:08:32 <lbragstad> does this mean we can rip out all the unit testing in keystone?
17:08:37 <lbragstad> protection unit testing?
17:08:45 <cmurphy> i think so
17:08:48 <lbragstad> awesome
17:09:24 <cmurphy> the one thing this doesn't cover that the unit tests do cover is the enforce_scope=false tests
17:09:35 <cmurphy> but i'm not sure we want to keep those around much longer anyway
17:09:43 <lbragstad> yeah - that makes sense
17:10:32 <lbragstad> fwiw - i was trying to figure out if it was possible to do self-paced policy evolution
17:11:34 <lbragstad> s/evolution/deprecation/
17:11:46 <cmurphy> how did that go?
17:12:31 <lbragstad> i think it's useful but only for system administrators
17:13:12 <lbragstad> and i say that because i assumed that allowing unintended privilege escalation would be a deal breaker for operators
17:13:21 <cmurphy> lol
17:13:32 <cmurphy> psh who needs security
17:14:07 <lbragstad> if we keep that assumption, or agree that it's important, then i don't think self-paced policy removal is going to be feasible
17:15:05 <cmurphy> yeah
17:15:17 <lbragstad> so - marginally useful?
17:16:27 <lbragstad> or if we do allow it - we have to provide some sort of document saying projects move at their own pace and it's up to operators to ensure all services they deploy are using the new defaults
17:16:34 <lbragstad> before they start giving people project admin
17:17:01 <lbragstad> i'm bringing this up since it might affect if/when we remove the unit tests cmurphy ported over
17:19:07 <lbragstad> any way - we can circle back to this later (i don't want to derail things)
17:19:21 <lbragstad> thanks cmurphy and vishakha
17:19:26 <lbragstad> any other reviews to discuss?
17:20:03 <lbragstad> #topic Bugs
17:20:49 <lbragstad> looks like we have 12 untriaged bugs https://bugs.launchpad.net/keystone/+bugs?search=Search&field.status=New
17:21:19 <cmurphy> i will highlight prometheanfire's repeated requests for help with raising the upper-constraint for pymysql
17:21:57 <vishakha> I will look into it. I saw the failures
17:22:00 <cmurphy> we fixed the lower-constraints job in keystone by pinning pymysql but the requirements team can't raise the upper-constraint for openstack until we fix our stuff
17:22:03 <cmurphy> thanks vishakha
17:22:15 <lbragstad> cool - that sounds good
17:22:38 <lbragstad> i stumbled across https://bugs.launchpad.net/keystone/+bug/1889936 last week and i was curious if anyone else here has attempted AD integration?
17:22:39 <openstack> Launchpad bug 1889936 in OpenStack Identity (keystone) "Using Microsoft AD's objectGUID attribute as user_id_attribute breaks" [Undecided,In progress] - Assigned to Lance Bragstad (lbragstad)
17:23:43 <cmurphy> nope
17:23:57 * lbragstad nods
17:24:08 <lbragstad> anything else on the bug front?
17:25:48 <lbragstad> #topic Open Floor
17:25:55 <vishakha> I was thinking to work on bug #link https://bugs.launchpad.net/keystone/+bug/1816166
17:25:56 <openstack> Launchpad bug 1816166 in OpenStack Identity (keystone) "RFE: Support tokens with subsets of roles" [Wishlist,Triaged] - Assigned to Vishakha Agarwal (vishakha.agarwal)
17:26:24 <lbragstad> vishakha is that something you're planning to work on for this release?
17:26:28 <vishakha> I hope this is still in keystone's  roadmap.
17:26:59 <vishakha> lbragstad: Yes I am for this release.
17:27:40 <lbragstad> vishakha ok - do we have a specification for that proposed?
17:27:48 <lbragstad> i believe specification proposal freeze was July 31
17:29:15 <vishakha> ohh I did not notice that it required a specification first. These is one https://review.opendev.org/#/c/186979/, but is abandoned.
17:29:40 <lbragstad> yeah - it might need to be refreshed and reproposed to target the current release
17:29:53 <lbragstad> knikolla will have to issue an exception for it
17:29:56 <lbragstad> i believe
17:30:16 <cmurphy> hmm is this an important feature? can't we accomplish this with app creds?
17:30:16 <vishakha> Thanks for reminding. I can work on that in another cycle then.
17:31:28 <lbragstad> this request has been around for a long time, certainly before app creds were a thing
17:32:01 <lbragstad> probably worth re-assessing the use case now that we have application credentials
17:32:31 <cmurphy> yeah
17:33:31 <vishakha> I will put this on hold, and will re-assess this later
17:33:36 <lbragstad> sounds good
17:33:45 <lbragstad> anything else folks want to talk about?
17:36:15 <lbragstad> alright - looks like we can get some time back
17:36:20 <lbragstad> thanks folks
17:36:24 <lbragstad> #endmeeting