15:03:16 <redrobot> #startmeeting keystone
15:03:16 <opendevmeet> Meeting started Tue Oct 12 15:03:16 2021 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:16 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:16 <opendevmeet> The meeting name has been set to 'keystone'
15:03:22 <redrobot> #topic Roll Call
15:03:25 <lbragstad> o/
15:03:34 * redrobot needs to set his calendar to alert for this meeting
15:03:57 <gagehugo> o/
15:03:57 <lbragstad> yes - currently i think i'm your alert system
15:04:01 <lbragstad> :)
15:04:04 <redrobot> Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, jdennis, ruan_he, wxy, sonuk, vishakha, Ajay, raildo, rafaelweingartner, xek
15:04:14 <xek> o/
15:04:24 <d34dh0r53> o/
15:04:32 <d34dh0r53> lurking as I'm in another meeting
15:05:00 <lbragstad> #link https://etherpad.opendev.org/p/keystone-weekly-meeting
15:05:07 <redrobot> thanks lbragstad
15:05:22 <redrobot> OK, let's get started
15:05:31 <redrobot> #topic Review Past Meeting Action Items
15:05:42 <redrobot> #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-10-05-15.01.html
15:05:45 <redrobot> we didn't have any
15:05:49 <redrobot> moving on ..
15:06:08 <redrobot> #topic Liaison Updates
15:06:32 <redrobot> knikolla 👋
15:07:13 <redrobot> I don't think knikolla is around ... let's move on
15:07:34 <redrobot> #topic Oauth 2.0
15:07:42 <redrobot> #link https://review.opendev.org/c/openstack/keystone-specs/+/813152
15:08:02 <redrobot> h_asahina ^^^
15:08:03 <h_asahina> o/
15:08:27 <h_asahina> yes. I submitted the spec.
15:08:33 <redrobot> looking at the agenda notes
15:08:56 <h_asahina> I'd appreciate it if you could review it.
15:09:25 <redrobot> #help we need folks to review the Oauth 2.0 spec patch
15:10:03 <h_asahina> I'd like to ask you about https support status in keystone because oauth2 needs it.
15:10:38 <h_asahina> I guess the current keystone does not support TLS in a general way, like just adding a cert file to config. Is that correct?
15:10:45 <lbragstad> keystone doesn't implement https support natively, it's handled by the webserver
15:11:07 <redrobot> yeah the API is just a regular WSGI server
15:11:15 <redrobot> *WSGI app
15:11:20 <h_asahina> got it.
15:12:00 <redrobot> added myself to that review I'll take a look when I have some time
15:12:34 <h_asahina> thanks.
15:12:43 <lbragstad> h_asahina this isn't much, but
15:12:43 <lbragstad> https://docs.openstack.org/keystone/latest/install/keystone-install-rdo.html#ssl
15:12:54 <redrobot> Also adding ayoung since he was asking to be added to reviews
15:13:17 <lbragstad> h_asahina it'll depend on the web server you're using though
15:13:44 <h_asahina> great. i'll check it.
15:15:01 <redrobot> looks like the topic is already in the agenda for the PTG session next week
15:16:00 <h_asahina> yeah. I added it. If you all have enough time, I'd like to discuss the details of the above spec.
15:16:15 <h_asahina> in PTG
15:16:26 <admiyo> Is that happening now?
15:17:18 <admiyo> BTW, admiyo == ayoung
15:17:18 <redrobot> admiyo no, PTG is next Monday
15:17:41 <lbragstad> #link https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-assets-prod/Uploads/PTG-Oct-18-22-2021-Schedule-Rev2.pdf
15:17:56 <lbragstad> does anyone know where the list of etherpads is?
15:18:25 <admiyo> Did they really name the rooms after the old releases?  That is lovely
15:18:33 <redrobot> h_asahina anything else you want to talk about for your topic?
15:19:05 <admiyo> I think I had one question on the OAUTH stuff before
15:19:11 <h_asahina> yes. I want to confirm naming rules for subcommand.
15:19:46 <redrobot> admiyo  I added you to the spec gerrit change
15:19:52 <lbragstad> found it #link https://ptg.opendev.org/etherpads.html
15:20:03 <admiyo> oauth2 is  a good way to go, but is tough to implement correctly.  What is the general idea of a library to use to implement?
15:21:00 <admiyo> BTW, the general idea of the AUTH suburl was going to be to support different auth mechanisms.
15:21:05 <h_asahina> we're considering to use oauthlib  https://oauthlib.readthedocs.io/en/latest/
15:21:27 <h_asahina> which is also used by the existing oauth1 ext.
15:21:38 <admiyo> so instead of     POST /OS-OAUTH2/introspect   It would have been     POST /auth/OS-OAUTH2/introspect
15:21:50 <admiyo> but really, no, that should be just for the actual authentication process
15:22:12 <admiyo> I'll review the spec
15:22:43 <h_asahina> admiyo: thanks. please add your comments on the review :)
15:22:56 <admiyo> ++  I think this is a long time coming, and I love the concept
15:23:09 <admiyo> thanks for driving it forward
15:23:15 <lbragstad> just FYI - i'm going to move the contents of #link https://etherpad.opendev.org/p/yoga-ptg-keystone to #link https://etherpad.opendev.org/p/oct2021-ptg-keystone
15:23:27 <lbragstad> since that's the etherpad linked in #link https://ptg.opendev.org/etherpads.html
15:24:53 <h_asahina> I'd like to go back to the naming convention of the subcommand if you don't mind.
15:25:01 <redrobot> lbragstad I think we're stepping on each others toes
15:25:07 <redrobot> lbragstad I'll explain during PTG topic
15:25:18 <lbragstad> redrobot ack
15:25:36 <redrobot> h_asahina do you have a specific question about the naming?
15:25:47 <redrobot> or just looking for style docs or some such?
15:26:17 <h_asahina> for osc commands. like `openstack user`
15:27:06 <h_asahina> we want to add new subcommands to OSC for OAuth2.
15:27:40 <h_asahina> so, i'd like to know the rules in advance.
15:29:04 <h_asahina> Currently, we are considering either one of `openstack client`, `openstack oauth2 client` and `openstack consumer --oauth2` for the OAuth2.0 client registration. Which one is appropriate?
15:30:40 <admiyo> client is confusing
15:30:46 <admiyo> the whole app is known as the cli
15:30:51 <admiyo> and there are many clients.
15:31:32 <redrobot> What sort of commands would a user have to make?  Are these oauth2 specific?
15:31:38 <admiyo> openstack oauth2 as the naming for subcommands seems to be in keeping with the norm for newer additions. I don't know if there is a strict convention
15:32:06 <admiyo> --oauth2 is non obvious to me.
15:32:27 <admiyo> openstack oauth2 client create  <params>
15:32:28 <h_asahina> redrobot: these are oauth2 specific. the commands for users to register oauth2 client.
15:32:36 <admiyo> that seems to be the most consistent
15:32:49 <admiyo> openstack oauth2 client validate
15:32:57 <admiyo> openstack oauth2 token issue
15:33:29 <admiyo> namespace, entity, verb
15:33:40 <admiyo> openstack baremetal node create  as an example
15:34:20 <h_asahina> i see. makes sense.
15:35:35 <h_asahina> ok. we're going with `openstack oauth2 client`. thank you for your help admiyo.
15:35:47 <redrobot> great
15:35:52 <redrobot> anything else on this topic?
15:36:17 <h_asahina> nothing from my side.
15:36:28 <redrobot> thanks h_asahina
15:36:32 <redrobot> #topic PTG
15:36:36 <redrobot> It's next week
15:37:02 <redrobot> #link https://etherpad.opendev.org/p/yoga-ptg-keystone
15:37:18 <redrobot> but it looks like we got moved. 😅
15:37:29 <redrobot> lbragstad I was trying to update the url on the PTG site
15:37:34 <lbragstad> oh - sorry about that
15:37:35 <admiyo> It got moved moments ago by lbragstad
15:37:44 <admiyo> <lbragstad> just FYI - i'm going to move the contents of #link https://etherpad.opendev.org/p/yoga-ptg-keystone to #link https://etherpad.opendev.org/p/oct2021-ptg-keystone
15:37:44 <redrobot> no worries
15:37:52 <redrobot> we can keep it there
15:37:58 <redrobot> I'll just have to update my bookmarks
15:38:01 <redrobot> and the link in the agenda
15:38:28 <redrobot> because I'm not sure the bot in #openinfra-events is working
15:38:32 <redrobot> or maybe it doesn't like me.
15:38:42 <lbragstad> i think you need +v?
15:39:46 <redrobot> 🤷
15:39:53 <redrobot> #link https://etherpad.opendev.org/p/oct2021-ptg-keystone
15:39:56 <redrobot> ^^^ going forward
15:40:14 <redrobot> We have one session: Monday October 18, 1400-1600 UTC
15:40:37 <redrobot> so far we have Oauth2 in the agenda as well as a status update for Secure RBAC
15:40:42 <redrobot> if we have time maybe we can triage bugs
15:41:35 <redrobot> please feel free to add any additional topics to the etherpad
15:42:02 <redrobot> Have we decided on whether to use Zoom or Meetpad?
15:42:21 <redrobot> Also no weekly meeting next week since we'll be doing PTG things
15:42:31 <gagehugo> I am fine with either
15:44:20 <redrobot> Looks like our URL just got changed back >_<
15:44:40 <redrobot> Let's plan for meetpad since it can just run in the browser
15:45:17 <gagehugo> works for me
15:46:38 <redrobot> I'll get the urls fixed up in the PTG system
15:47:12 <redrobot> Any other questions/comments?
15:48:07 <h_asahina> can I find meeting link at https://ptg.opendev.org/ptg.html?
15:49:58 <redrobot> h_asahina yes, I just updated the meeting url
15:49:58 <h_asahina> I mean the meeting link will appear there
15:50:13 <redrobot> h_asahina the link is already there if you click on the "keystone" time slot in the schedule
15:50:16 <redrobot> but also you can bookmark this:
15:50:18 <redrobot> #link https://meetpad.opendev.org/oct2021-ptg-keystone
15:50:41 <h_asahina> redrobot thank you
15:51:50 <redrobot> which is why I 🖤 meetpad/jitsi
15:52:18 <redrobot> We've only got a few minutes left
15:52:36 <redrobot> #topic Bug Review
15:52:57 <rdopiera> :(
15:53:02 <redrobot> From the agenda, asking about bugfix:
15:53:06 <redrobot> #link https://bugs.launchpad.net/keystoneauth/+bug/1930194
15:53:34 <redrobot> h_asahina ^^^
15:54:17 <h_asahina> yes. we submitted that report a few months ago.
15:54:40 <redrobot> I don't know if anyone has looked at it.
15:54:47 <redrobot> Which is why we have a bug triage topic for the PTG
15:55:47 <redrobot> lbragstad got time to stick around for rdopiera's topic?
15:56:22 <lbragstad> i have a hard stop at 11
15:56:28 <redrobot> ack
15:56:36 <lbragstad> sorry :(
15:57:03 <redrobot> lbragstad no worries
15:57:45 <h_asahina> redrobot: sorry for the delay. got it.
15:58:09 <redrobot> #topic Help with System Scope APIS
15:58:19 <rdopiera> We are working on implementing the new system scope token support in Horizon. As the first pass we are calling the APIs directly, but ultimately we would like to use keystoneclient and keystoneauth properly. Unfortunately, they are missing the required APIs.
15:58:27 <rdopiera> I made two bugs about that, and I submitted a patch for keystoneclient that is probably wrong, but it's a start. I would like to ask for reviews and for help writing the patch for keystoneauth, as
15:58:31 <rdopiera> this seems more complicated. Also, the keystoneclient patch seems to be failing CI on a completely unrelated doc bug, as well as all other patches in the queue.
15:59:00 <redrobot> lbragstad sounds like maybe something our dfg can do?
15:59:06 <lbragstad> yeah
15:59:30 <redrobot> rdopiera let me talk to the powers that be and see if we can get our team at RH to help with this
15:59:51 <rdopiera> redrobot: awesome, thank you
15:59:53 <admiyo> wouldn't it be lovely if we had some way to query the policy in use of a given endpoint?
15:59:55 <redrobot> #action redrobot to ask for help on System-Scope implementation in keystoneauth
16:00:14 <redrobot> admiyo 100%  would +1  that spec.
16:00:43 <admiyo> At one point, I toyed with using a less-common verb from HTTP
16:01:12 <redrobot> aaand that's time.
16:01:13 <admiyo> OPTIONS
16:01:23 <redrobot> :-O
16:02:04 <redrobot> Thanks for joining, everyone!
16:02:08 <redrobot> #endmeeting