15:01:03 #startmeeting keystone
15:01:03 Meeting started Tue Aug 16 15:01:03 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:03 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:03 The meeting name has been set to 'keystone'
15:01:11 #topic Roll Call
15:01:16 Courtesy ping for admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek
15:01:46 o/ lurking
15:02:12 o/
15:02:28 o/
15:02:54 -
15:04:22 Hi y'all!
15:04:25 Let's get started
15:04:38 #topic Review Previous Meeting Action Items
15:04:54 #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-09-15.02.html
15:04:58 We didn't have any
15:05:08 #topic Liaison Updates
15:05:25 Just a quick update from the release/maintenance side
15:05:35 We've marked the Pike branch as EOL
15:05:37 #link https://review.opendev.org/c/openstack/releases/+/851559
15:05:44 #info Pike is now EOL
15:10:22 OK, moving on
15:10:31 #topic OAuth 2.0
15:10:39 h_asahina 👋
15:10:45 hi
15:10:47 Any updates this week?
15:11:15 first of all, we submitted a patch for the keystonemiddleware Zuul error https://review.opendev.org/c/openstack/keystonemiddleware/+/852590
15:12:50 please kindly review it. with this patch we can merge https://review.opendev.org/c/openstack/keystonemiddleware/+/830737. of course we have to reply to knikolla's comment before doing that.
15:13:32 I also updated the spec https://review.opendev.org/c/openstack/keystone-specs/+/843765, according to the previous meeting.
15:13:36 h-asahina: ac, merged the first patch
15:13:41 *ack
15:13:51 thanks
15:14:18 h-asahina: yeah, last Friday was a day off for Red Hat, so we didn't get a chance to review your updates
15:14:24 we'll review this Friday for the reviewathon
15:14:40 got it, thanks.
15:14:52 can i confirm the schedule?
15:15:44 I suppose this spec and the 3 patches that we submitted during the Yoga cycle can be merged within the Zed cycle. do you feel it's possible?
15:16:23 #link https://releases.openstack.org/zed/schedule.html
15:16:29 We have a couple of weeks before Zed-3
15:16:49 we should try to get everything reviewed this week so we can have some time to update patches if needed.
15:19:15 okay. that's right. from our side, it would be helpful at least if these three patches are merged in Zed: https://review.opendev.org/c/openstack/keystoneauth/+/830734; https://review.opendev.org/c/openstack/keystonemiddleware/+/830737; https://review.opendev.org/c/openstack/keystone/+/830739
15:21:27 like you said, we have time. if you leave the comment this week, we'll update the patches next week.
15:21:42 great, thanks h-asahina
15:23:13 thanks. that's all from my side :)
15:24:33 OK, moving on ...
15:24:51 #topic Secure RBAC
15:27:37 Looks like the pop-ups are not really happening anymore.
15:27:53 The patch to delay system scope did merge so I'll have to review that
15:27:58 #link https://review.opendev.org/c/openstack/governance/+/847418/14/goals/selected/consistent-and-secure-rbac.rst
15:31:59 #topic Open Discussion
15:32:13 Anything else y'all want to talk about before we look at bug reports?
15:36:09 if you have time, i'd like to talk about my comment on the spec briefly
15:36:14 :dmendiza
15:36:53 if it's better to wait for the next review comment, i'll wait.
15:37:38 h-asahina: I think maybe it would be better to talk about it after folks have had a chance to read it
15:37:48 * dmendiza[m] has not read the update yet 😅
15:38:39 ah, sorry, i meant my reply comment, which is the questions about the last meeting.
15:38:52 Sure go ahead
15:39:36 thanks, I have two questions: (i) delegation of Users' permission; (ii) usage of the mapping API in our case.
15:41:02 (i) according to your suggestion, we are implementing mTLS OAuth2.0 so that the User API is used for OAuth2.0 client management
15:42:00 basically we think it'll work, but we have concerns that delegation of user permission is not possible.
15:42:34 for example, it's not possible for a non-admin user who is only allowed to access the Tacker API to delegate its role to a client
15:43:06 but it's possible if we use the credentials API and allow this user to access the credentials API.
15:44:29 do you have any idea to solve this problem or justify this issue?
15:46:22 Hmm... I am not sure. I'd like to find out what knikolla thinks... we should follow up with him and try to get an answer.
15:46:31 ok
15:46:56 (ii) You said we can look at the mapping API as a reference
15:47:52 but we feel we can just use it to manage mapping rules between the DN in a client cert and keystone Users' attributes (e.g., username, project_id).
15:48:35 do you feel it's reasonable?
15:50:22 let me explain further, we thought we had to implement similar code from scratch but now we think we don't have to.
15:55:21 it's also knikolla's comment https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-08-09-15.02.log.html#l-65, maybe it's better to wait for him?
15:58:33 Yeah ... I think he may be referring to mapping cert attributes -> user attributes so we can get the correct roles in the token
15:59:32 I'll ask knikolla about it if he joins the review on Friday
15:59:48 That's about all the time we have for the meeting this week.
15:59:53 Thanks for joining, everyone!
15:59:57 #endmeeting