15:00:11 <dmendiza[m]> #startmeeting keystone
15:00:11 <opendevmeet> Meeting started Tue Jan 18 15:00:11 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:11 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:11 <opendevmeet> The meeting name has been set to 'keystone'
15:00:18 <dmendiza[m]> #topic Roll Call
15:00:21 <xek> o/
15:00:26 <dmendiza[m]> Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelweingartner, xek
15:00:35 <d34dh0r53> o/
15:01:24 <gagehugo> o/
15:01:31 <h_asahina> o/
15:01:42 <dmendiza[m]> Great, let's get started
15:01:50 <dmendiza[m]> #topic Review Past Meeting Action Items
15:02:13 <dmendiza[m]> #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-11-15.00.html
15:02:17 <dmendiza[m]> We didn't have any
15:02:20 <dmendiza[m]> Moving on
15:02:47 <dmendiza[m]> #topic Liaison Updates
15:02:52 <dmendiza[m]> knikolla: around?
15:03:30 <knikolla> o/
15:03:42 <knikolla> no updates
15:04:10 <dmendiza[m]> Cool, thanks
15:04:23 <dmendiza[m]> #topic Secure RBAC
15:05:05 <dmendiza[m]> Not a whole lot of updates from me this week.  We do have some TripleO Heat Template changes pending that need to get merged.  I'll probably be harassing the owners this week.
15:05:22 <dmendiza[m]> Any questions/comments about SRBAC this week?
15:09:07 <dmendiza[m]> OK, moving on ...
15:09:13 <dmendiza[m]> #topic OAuth 2.0
15:09:21 <dmendiza[m]> h_asahina: around?
15:10:06 <h_asahina> yes
15:11:01 <h_asahina> Today, I'd like to talk about the necessity of OAuth2.0 Introspection API which I defined in the spec.
15:11:05 <h_asahina> Although I defined OAuth2.0 Introspection API in the current spec, maybe it can be omitted.
15:11:44 <h_asahina> The purpose of the introspection API is to get metadata and verify the token validity.
15:12:53 <h_asahina> As we decided to use X-Auth-Token as OAuth2.0 access token, this purpose can be accomplished through an existing identity API.
15:13:36 <h_asahina> So, I think we don't need OAuth2.0 Introspection API. Could you tell me your opinion?
15:14:23 <knikolla> I think we don't need it for now. But it would be a nice thing to have if we want to have more general support for keystone as an authorization server for oauth 2.0.
15:14:44 <h_asahina> I agree with that
15:15:32 <h_asahina> If we need to support additional token types, we should add it.
15:16:33 <knikolla> Probably more important with new grant types than with token types
15:17:41 <opendevreview> Merged openstack/keystone master: sql: Trivial formatting changes  https://review.opendev.org/c/openstack/keystone/+/823660
15:18:56 <h_asahina> Could you tell me why? I think the situation where we need Introspection API is like when we want to use OAuth2.0 in keystone from the other services from the openstack.
15:20:29 <h_asahina> if we add a new grant type, we can use an existing API for the introspection as long as we use X-Auth-Token. Am I wrong?
15:20:39 <knikolla> Services within the OpenStack ecosystem already know how to authenticate to keystone and introspect endpoints (either through the keystoneauth, keystoneclient or keystonemiddleware).
15:20:54 <knikolla> For them an introspection endpoint already exists within the already defined API.
15:21:55 <knikolla> Thus it's services which don't "speak OpenStack" and use OAuth 2.0 entirely, that would require new OAuth 2.0 conforming endpoints and grant types.
15:22:28 <knikolla> The token type is less important, as it's usually treated as opaque.
15:25:24 <h_asahina> Is that the situation where we want to use keystone as just an OAuth2.0 authorization server?
15:26:53 <knikolla> Possibly, though it's less about that. It works both ways. If keystone supports open standards, then we can transition other openstack services to talk to keystone using those open standards. Which opens the door for allowing other authorization servers to be used in place of keystone if so desired.
15:28:56 <h_asahina> You mean that supporting an open standard like the Introspection API makes other components like keystonemiddleware support the standard?
15:29:12 <knikolla> yes
15:29:36 <h_asahina> I got it.
15:29:53 <h_asahina> However, for now, we don't strongly need it.
15:30:03 <knikolla> Correct
15:30:18 <h_asahina> If we implement it, it is just a wrapper of an existing identity API.
15:31:10 <knikolla> Yes.
15:31:20 <h_asahina> It's redundant and confusing. So, do you agree with omitting it in Yoga release?
15:31:32 <knikolla> 100%
15:31:51 <h_asahina> Ok, thanks. I'll update spec.
15:32:08 <dmendiza[m]> Cool
15:32:12 <knikolla> Thanks!
15:32:19 <dmendiza[m]> Anything else on this topic h_asahina ?
15:32:32 <h_asahina> Nothing
15:32:40 <dmendiza[m]> OK, moving on
15:32:45 <dmendiza[m]> #topic Open Discussion
15:32:52 <dmendiza[m]> Any other topics y'all want to talk about?
15:33:03 <knikolla> The CFP for proposals for Berlin is open
15:33:14 <knikolla> Anybody planning to submit anything? Or planning to travel?
15:33:40 <dmendiza[m]> Ah yes, the Summit.
15:33:54 <dmendiza[m]> I think it would be good to go talk about the Secure-RBAC work everyone has been doing
15:34:08 <dmendiza[m]> I've gotta talk to lbragstad about it.
15:35:57 <knikolla> cool
15:36:27 <knikolla> I have no clue what to propose to talk about yet.
15:38:31 <dmendiza[m]> h_asahina you should consider talking about the OAuth work you're doing.
15:39:16 <d34dh0r53> I don't either
15:40:16 <h_asahina> Alright. It's the first time for me to attend the Summit, but I'll consider it.
15:42:12 <h_asahina> What should I do if I propose something?
15:44:39 <gagehugo> hope it gets accepted then speak in front of a crowd :)
15:45:11 <dmendiza[m]> h_asahina: The CFP is over here: https://cfp.openinfra.dev/app/berlin-2022
15:45:20 <dmendiza[m]> If you do submit something let us know
15:45:39 <dmendiza[m]> In the past they've asked folks to vote for the talks that get selected
15:45:51 <dmendiza[m]> So I usually ask folks for votes here, haha
15:46:10 <h_asahina> thanks. I'll notify here if I submit something.
15:46:36 <dmendiza[m]> Cool, any other topics before we take a look at the bugs?
15:46:46 <knikolla> In the past, each project got its own project update session too. I don't know if that's the case this year as well.
15:47:25 <d34dh0r53> I have two items, the first is with Lance's move this fell through the cracks https://bugs.launchpad.net/keystone/+bug/1901891 so I'll be working on a fix for #3 this week and may ping people for reviews.  Second, let me know if you want to be added to the reviewathon invitees, planning on scheduling for this Friday the 21st so please let me know conflicts as well
15:48:46 <knikolla> d34dh0r53: sounds great!
15:48:52 <knikolla> also, my Friday is wide open this week.
15:49:11 <d34dh0r53> excellent knikolla
15:49:27 <dmendiza[m]> count me in for Friday as well
15:49:41 <d34dh0r53> thanks dmendiza[m]
15:52:12 <dmendiza[m]> We've only got a few minutes left
15:52:21 <dmendiza[m]> which is probably not enough for bug triage
15:52:37 <dmendiza[m]> So let's punt until next week (or Friday)
15:52:41 <dmendiza[m]> Thanks for joining, everyone!
15:52:56 <knikolla> Thanks!
15:52:58 <dmendiza[m]> #endmeeting