15:00:56 <d34dh0r53> #startmeeting keystone
15:00:56 <opendevmeet> Meeting started Tue Nov  1 15:00:56 2022 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:56 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:56 <opendevmeet> The meeting name has been set to 'keystone'
15:01:05 <d34dh0r53> #topic Roll Call
15:01:08 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek
15:01:54 <knikolla[m]> o/
15:02:06 <hiromu> o/
15:03:07 <d34dh0r53> Hi folks!
15:03:23 <d34dh0r53> #topic Review past meeting work items
15:03:44 <d34dh0r53> We had a few, first up is
15:03:54 <d34dh0r53> dmendiza[m] will look at https://bugs.launchpad.net/keystone/+bug/1990987
15:04:03 <d34dh0r53> dmendiza[m]: any update?
15:04:08 <dmendiza[m]> 👀
15:04:11 <dmendiza[m]> Still looking
15:04:49 <d34dh0r53> ack
15:04:53 <d34dh0r53> next up is
15:04:59 <d34dh0r53> d34dh0r53 look into user-defined attribute access control
15:05:06 <d34dh0r53> no updates
15:05:26 <d34dh0r53> we have some reviewathon items that we were going to look at
15:05:43 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:05:45 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystone/+/838108
15:05:47 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystone/+/822601
15:05:49 <d34dh0r53> reviewathon review https://review.opendev.org/c/openstack/keystone-specs/+/818616
15:06:15 <d34dh0r53> We didn't get to the first one
15:06:27 <d34dh0r53> nor the second
15:07:06 <d34dh0r53> the third has -1's and commentary so that is in progress
15:07:25 <d34dh0r53> the fourth is the default service role
15:07:54 <d34dh0r53> next up is dmendiza[m] and d34dh0r53 make some time to start the gap analysis between CLI and OSC.
15:08:02 <d34dh0r53> we didn't get to that
15:08:22 <d34dh0r53> and finally we have d34dh0r53 try to reproduce https://bugs.launchpad.net/python-keystoneclient/+bug/1993614
15:08:28 <d34dh0r53> which I wasn't able to get to
15:08:33 <knikolla[m]> the gap analysis is about sdk and the client
15:08:44 <knikolla[m]> we don't have any other cli besides osc already :)
15:09:36 <d34dh0r53> knikolla[m]: right
15:11:12 <d34dh0r53> #action dmendiza[m] and d34dh0r53 make some time to start the gap analysis between SDK and the Client
15:11:28 <d34dh0r53> #action dmendiza[m] will look at https://bugs.launchpad.net/keystone/+bug/1990987
15:11:41 <d34dh0r53> #action reviewathon review https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:11:50 <d34dh0r53> #action reviewathon review https://review.opendev.org/c/openstack/keystone/+/838108
15:12:14 <d34dh0r53> #action d34dh0r53 look into user-defined attribute access control
15:12:35 <d34dh0r53> ok, next up we have
15:12:37 <d34dh0r53> #topic Liaison Updates
15:12:46 <d34dh0r53> Nothing from VMT
15:12:58 <d34dh0r53> dmendiza[m], knikolla[m] anything from Release Management?
15:13:47 <dmendiza[m]> I can't think of anything
15:13:58 <d34dh0r53> ok, thanks
15:14:08 <d34dh0r53> #help still looking for additional cross-project liaisons
15:14:38 <d34dh0r53> any other liaison updates?
15:15:19 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:15:48 <hiromu> thanks for the remind.
15:15:56 <hiromu> first, i've updated the spec
15:16:01 <hiromu> https://review.opendev.org/c/openstack/keystone-specs/+/861554/2..3
15:16:37 <hiromu> I think it's now ready for the first review.
15:17:00 <hiromu> and I have a question
15:17:25 <d34dh0r53> ok
15:17:27 <hiromu> that i wrote on the etherpad.
15:18:23 <d34dh0r53> the etherpad is here: https://etherpad.opendev.org/p/keystone-weekly-meeting
15:18:35 <d34dh0r53> The question is, which is better?
15:18:45 <hiromu> yes
15:19:09 <d34dh0r53> supporting authentication with external OAuth 2.0 authorization servers (ext authz servers) by keystoneauth
15:19:20 <d34dh0r53> i.e., users can use openstack command as usual when using ext authn servers.
15:19:31 <d34dh0r53> or do not support ext authn servers by keystoneauth
15:19:38 <d34dh0r53> i.e., users set an access token as an environment variable, e.g., OS_TOKEN, to call API of OpenStack services. This is not unnatural, assuming the programmatic access which must be a major usecase of the client credentials grant.
15:19:54 <hiromu> thank you d34dh0r53 :)
15:20:01 <d34dh0r53> :)
15:21:00 <d34dh0r53> I think the second approach is simpler and consistent with the way many things already work
15:22:04 <hiromu> I agree with you
15:22:22 <d34dh0r53> knikolla[m], dmendiza[m] any thoughts?
15:23:10 <knikolla[m]> I also don't think we should worry about authenticating with external servers with keystoneauth
15:24:09 <d34dh0r53> ok, so we're in agreement
15:24:25 <hiromu> ok, i'll go with the second one.
15:24:34 <d34dh0r53> awesome!
15:24:34 <dmendiza[m]> 👍️
15:24:42 <hiromu> thanks a lot
15:24:51 <d34dh0r53> thank you hiromu!
15:25:07 <d34dh0r53> #topic Secure RBAC (dmendiza[m])
15:25:58 <dmendiza[m]> Not a whole lot of progress this week.  I did bring up the next two tasks with my team downstream:
15:26:50 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:27:27 <dmendiza[m]> Getting the "manager" role patch updated/landed.
15:27:42 <dmendiza[m]> and 2)
15:28:19 <dmendiza[m]> The "service" role spec:
15:28:20 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-specs/+/818616
15:28:29 <dmendiza[m]> followed by implementation
15:29:29 <dmendiza[m]> I'll try to help out as much as possible for the next +/-2 weeks before I take leave for a few months.
15:31:27 <d34dh0r53> ack, thanks dmendiza[m]
15:31:59 <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone-specs/+/818616
15:32:12 <d34dh0r53> we really need to get that spec reviewed and merged
15:32:45 <dmendiza[m]> Agreed.  I'm going to read/comment in the next few days and maybe we can check progress on Friday
15:32:48 <dmendiza[m]> for the reviewathon
15:32:56 <d34dh0r53> ack
15:33:11 * d34dh0r53 needs to remember to look at the meeting log for the reviewathon action items
15:33:43 <d34dh0r53> #topic Open Discussion
15:34:02 <d34dh0r53> we don't have anything on the agenda, does anyone have anything before we do bug review?
15:34:52 <d34dh0r53> ok, moving on then
15:34:58 <d34dh0r53> #topic bug review
15:35:09 <d34dh0r53> First off we have keystone
15:35:16 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:35:25 <d34dh0r53> no new bugs here
15:35:34 <d34dh0r53> next up, python-keystoneclient
15:35:43 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:36:01 <d34dh0r53> no new bugs, I'll attempt to reproduce the create service bug this week
15:36:11 <d34dh0r53> keystoneauth is next
15:36:18 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:36:29 <d34dh0r53> no new bugs
15:36:46 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:37:08 <d34dh0r53> nothing new in keystonemiddleware
15:37:17 <d34dh0r53> pycadf
15:37:26 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:37:32 <d34dh0r53> nothing new
15:37:39 <d34dh0r53> finally we have ldappool
15:37:47 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:38:00 <d34dh0r53> no new bugs there either
15:38:30 <d34dh0r53> thanks for joining today everyone! Is there anything else before we close?
15:39:12 <d34dh0r53> have a great rest of your week then :)
15:39:16 <d34dh0r53> #endmeeting