15:00:35 #startmeeting keystone
15:00:35 Meeting started Tue Jan 10 15:00:35 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:35 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:35 The meeting name has been set to 'keystone'
15:00:42 #topic roll call
15:00:46 o/
15:00:52 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev
15:01:26 o/
15:01:42 o/
15:01:59 good time off knikolla[m] ?
15:02:15 yes! thank you :)
15:03:32 awesome
15:03:43 #topic review past meeting work items
15:04:11 I thought I was going crazy because the log was missing, turns out it's in the 2023 folder :)
15:04:26 #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-01-03-15.03.html
15:07:35 I'm going to skip the reviewathon items as it was only me and hiromu
15:08:10 d34dh0r53 update the CrossProjectLiaisons wiki https://wiki.openstack.org/wiki/CrossProjectLiaisons
15:08:20 didn't get to this yet
15:08:23 #action d34dh0r53 update the CrossProjectLiaisons wiki https://wiki.openstack.org/wiki/CrossProjectLiaisons
15:08:36 d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:08:53 nor this, will try to take care of the housekeeping stuff this week
15:08:57 #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:09:23 next up we have
15:09:25 #topic liaison updates
15:09:39 no updates from VMT
15:10:03 As far as release management goes I think we're good on keystoneauth, xek do you need any more reviews there?
15:11:41 ok, moving on to spec review
15:12:00 #topic specification OAuth 2.0 (hiromu)
15:12:26 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:28 External OAuth 2.0 Specification
15:12:30 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:32 OAuth 2.0 Implementation
15:12:34 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:36 OAuth 2.0 Documentation
15:12:38 #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:40 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:13:59 After speaking with hiromu they would like to get the External OAuth 2.0 specification and code merged before Antelope-3 so I'd like to prioritize those reviews if possible
15:14:54 yes. thanks d34dh0r53. Aslo, I told it to d34dh0r53 the last week, we need to merge mTLS OAuth2.0 path for keystoneauth to implement External OAuth2.0 specification.
15:15:05 s/Aslo/Also/
15:15:57 https://review.opendev.org/c/openstack/keystonemiddleware/+/868734
15:16:09 the above patch depends on https://review.opendev.org/c/openstack/keystoneauth/+/860614
15:16:32 hiromu: we can try, but while I'm sure we'll be able to merge all the mTLS patches, I'm not confident we can get External Auth in time.
15:17:35 I think the patches for the external oauth2.0 are lighter than the mTLS ones.
15:18:39 only changed keystonemiddleware and keystoneauth. both are the client side.
15:19:04 and 1 spec: https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:19:45 I agree with you that the patches may be lighter. But it's significantly changing way things can work by removing Keystone from the picture.
15:20:05 We need to define a standard for how project information is read from the token endpoint
15:20:43 i see
15:20:55 Code is easy, APIs are hard because we need to maintain compatibility once it's merged
15:21:45 That's a good point knikolla[m]
15:22:11 only I can say is we made codes generic as much as possible.
15:23:29 so that users can configure how attributes obtained from the introspection responses mapped to openstack environment variables
15:24:50 I will comment in the spec with my feedback
15:25:01 okey
15:25:02 There's a lot of things that are not obvious
15:25:31 And removing Keystone entirely from the picture doesn't give you a lot that the current mechanisms that you have implemented do.
15:25:59 For example: you can authenticate using oauth 2.0, and you can send a request using bearer token as per oauth 2.0 to any service, and that will work
15:26:26 That is all without implementing external oauth 2.0. do you agree?
15:27:05 yes
15:27:35 you're right. we are targeting the users who already have another authn server
15:27:54 and use it for standalone openstack services.
15:28:43 Exactly, it introduces an improvement in experience for operators who have clouds that have 1-2 services and don't want to run keystone.
15:28:58 But it doesn't introduce any new thing for them that is impossible right now.
15:30:24 that's true
15:30:27 I agree that adding support for external authorization servers to keystonemiddleware is important and makes a lot of sense for a next step. But I want to do it in a way that benefits all the openstack ecosystem as opposed to a small use case.
15:30:59 So that's why I don't want to rush this through.
15:31:08 Cause once we implement it like this, it will be really hard to change.
15:32:10 our proposal strongly depends on the client credentials grant. is that the point?
15:32:41 I said this because introspection itself is rfc-based
15:33:09 Not entirely. It's about the user experience.
15:34:29 got it.
basically, I agree with it affect to the future implementation, but what kind of trigger or use cases we need to progress?
15:36:06 That's a really good question. I need to think about this a bit more. But at the top of my mind it's the lack of support in tools like the openstack CLI/SDK, and other services.
15:36:59 And in particular, figuring out authorization
15:37:00 Keystone stores the list of projects, but without keystone, what projects exist?
15:37:19 hmm, at least we will experiment them with barbican.
15:37:41 we will try to deploy tacker and barbican without keystone.
15:38:25 Please do.
15:38:34 An ideal target would also be Ironic.
15:38:45 Please reach out to that team and see if there's anything that may be beneficial to their use case.
15:39:55 okey. i got your point. we need a kind of consensus among several openstack projects.
15:40:50 ok, great discussion, glad we had it. We can continue during the reviewathon if needed
15:40:56 thanks knikolla[m] and hiromu
15:41:10 thank you for the discussion.
15:41:30 #topic specification Secure RBAC (dmendiza[m])
15:41:42 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:41:43 Service Role Implementation
15:41:45 #link https://review.opendev.org/c/openstack/keystone/+/863420
15:41:47 Manager Role Implementation
15:41:49 #link https://review.opendev.org/c/openstack/keystone/+/822601
15:42:23 Hoping to get some time to test the two -1's on the manager role implementation on Friday, I'd like to get those cleared up
15:44:20 ok, moving on to open discussion
15:44:26 #topic open discussion
15:44:44 OIS2023 submission (hiromu):
15:44:45 - Manuscript: https://etherpad.opendev.org/p/ois2023-tacker-keystone
15:45:23 ah, i already got lgtm from knikolla. it's done.
15:45:32 thank you knikolla :)
15:45:35 Excellent!
15:45:41 hiromu: thanks for sending that.
15:46:02 anything else before we move on to bug review?
15:46:39 #topic bug review
15:46:47 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:47:22 nothing new for keystone, going to clean up some more bugs here so don't be surprised by the emails :)
15:47:35 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:47:55 nothing new for python-keystoneclient either
15:48:13 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:49:50 nothing new there, we do have this one https://bugs.launchpad.net/keystoneauth/+bug/2000742 that came in at the end of the year
15:51:17 moving on
15:51:20 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:51:31 one new one https://bugs.launchpad.net/keystonemiddleware/+bug/2002203
15:51:51 keystonemiddleware is missing the Yoga series release notes
15:54:15 not sure that there were any which is probably why they're missing
15:54:21 next up
15:54:30 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:54:36 nothing new in pycadf
15:54:42 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:54:47 ldappool also has nothing new
15:54:53 #topic conclusion
15:55:01 thanks for joining today folks!
15:55:26 reminder that we have the reviewathon on Friday, please let me know if you'd like to be added to the invite
15:55:39 any thing else before I close?
15:56:36 thanks all!
15:56:45 #action reviewathon https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:56:56 #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
15:57:07 #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
15:57:13 #undo
15:57:13 Removing item from minutes: #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
15:57:22 #action reviewathon https://review.opendev.org/c/openstack/keystone/+/860928
15:57:32 #action reviewathon https://review.opendev.org/c/openstack/keystone/+/863420
15:57:41 #action reviewathon https://review.opendev.org/c/openstack/keystoneauth/+/867603
15:57:43 #endmeeting