15:00:25 #startmeeting keystone
15:00:25 Meeting started Tue Mar 7 15:00:25 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:25 The meeting name has been set to 'keystone'
15:00:29 #topic roll-call
15:00:35 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, arequate, dmendiza[m]
15:00:37 o/
15:00:41 o/
15:00:49 o/
15:01:10 🙋‍♂️
15:02:21 o/
15:02:39 hi folks, thanks for joining :)
15:03:16 #topic review past meeting work items
15:03:26 d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:03:36 I didn't get a chance to look at this yet again
15:03:42 :/
15:03:48 #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
15:03:57 d34dh0r53: we could check the project-config repo to see what gerrit groups are still in use
15:03:57 that's all for the past meeting work items
15:04:05 dmendiza[m]: ack
15:04:07 good idea
15:04:57 dmendiza[m]: I might reach out to you for help on that this week
15:05:15 Sure, just ping me whenever
15:05:27 thanks
15:05:36 #topic liaison updates
15:05:44 nothing from VMT
15:06:30 knikolla[m], dmendiza[m], xek I added our highlights this morning, https://review.opendev.org/c/openstack/releases/+/876729
15:07:02 let me know if I missed anything or if they need to be reworded
15:07:08 Nice
15:07:48 that's it for liaison updates
15:08:27 #topic specification OAuth 2.0 (hiromu)
15:08:42 External OAuth 2.0 Specification
15:08:44 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:08:46 OAuth 2.0 Implementation
15:08:48 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:08:50 OAuth 2.0 Documentation
15:08:52 #link https://review.opendev.org/c/openstack/keystone/+/838108
15:08:54 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:09:00 we're very close to merging everything
15:09:15 Thanks a lot! I just submitted backport patches for keystoneauth and keystonemiddleware.
15:09:26 excellent! thanks hiromu
15:09:32 https://review.opendev.org/c/openstack/keystoneauth/+/876746
15:09:39 https://review.opendev.org/c/openstack/keystonemiddleware/+/876745
15:10:13 Keystone's master branch already includes the mTLS patch.
15:10:49 So I didn't submit a backport patch to Keystone.
15:12:45 o/ ohh is this a community meeting? if so can I put this on the agenda? https://bugs.launchpad.net/keystone/+bug/2009600
15:13:22 hiromu: I think we might need to backport into the stable/2023.1 branch. We do have these under review: https://review.opendev.org/c/openstack/keystone/+/876722/
15:13:48 coreycb: sure, I'll add it
15:14:01 d34dh0r53: thanks
15:14:42 Oh, okay. I'll check commit tree again.
15:15:24 https://github.com/openstack/keystone/commits/master
15:15:38 hiromu: do a `git review -d 876722` to pull down the start of the stable/2023.1 branch and then cherry-pick the oauth patches to that chain
15:15:43 sorry it's wrong. https://github.com/openstack/keystone/commits/stable/2023.1
15:16:14 Oh sweet! Looks like it's already there
15:16:17 (I think?)
15:17:07 yeah, I thought so. wrong?
15:18:21 I think we're good. My mistake
15:18:51 good :)
15:18:53 ls
15:18:55 sorry
15:19:25 by the way, I'd like to talk about Ext. Authorization Server Support today.
15:19:44 ack, I'll add that as well
15:19:53 anything else with mTLS?
15:20:26 No. That's all. thanks.
15:22:00 thanks, moving on to
15:22:14 #topic Secure RBAC (dmendiza[m])
15:22:29 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:22:31 Service Role Implementation
15:22:33 #link https://review.opendev.org/c/openstack/keystone/+/863420
15:22:35 Manager Role Implementation
15:22:37 #link https://review.opendev.org/c/openstack/keystone/+/822601
15:22:50 No updates, sorry. I'm not even susre if gmann is still having the pop-up meetings?
15:22:53 *sure
15:23:34 ack
15:24:22 ok, moving on to
15:24:28 #topic open discussion
15:24:42 (drencrom) Need some reviews for this backport:
15:24:44 #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873921
15:25:30 I'll take a look at these today
15:26:25 next up
15:26:27 (coreycb) discuss mtls/cryptography bug
15:26:29 #link https://bugs.launchpad.net/keystone/+bug/2009600
15:27:16 can we lower the cryptography version to the one they mentioned?
15:27:48 that's what I'm wondering. hiromu, dmendiza[m] ?
15:28:26 I'm attempting a patch to do that
15:28:35 hopefully that'll be ok
15:28:49 i see that the version that we included was just what was in upper-constraints, so it doesn't feel like there's anything special about it.
15:29:20 it's more about what the lower constraints are in requirements.txt
15:30:00 for context, I'm a maintainer for the ubuntu cloud archive. the antelope cloud archive (and the next 2 to 3 openstack releases) are based on ubuntu jammy which has python3-cryptography 3.4.8.
15:30:19 I don't think we have any global lower constraints
15:30:53 (all i meant by my previous comment was that i don't think that version has any significance besides being what was written in the requirements repo as an upper constraint)
15:32:20 I started going down the path of backporting cryptography 38.0.2 yesterday but it gets complicated very quickly (25+ rust library backports)
15:33:57 At least, I can say I can look for workarounds to avoid using the feature that is only available on recent cryptography.
15:35:04 do you know if attr_name_overrides is required? I can test the version of cryptography and either specify it or not. or maybe it can just be dropped.
15:36:04 It is required, but there's an alternative way that doesn't use attr_name_overrides but brings the same effect.
15:36:57 ok, maybe I should defer to you to work on a fix. I was just going to drop the parameter for older cryptography versions which is probably naive.
15:38:44 I'm not sure which is easier
15:40:04 but, I think there's a possibility that these kinds of problems happen again.
15:40:17 so I think I should fix it.
15:41:57 is that in line with your thought?
15:42:25 that would be great, thank you. if I can help please let me know. I'll send an email for more global discussion about cryptography to the mailing list, not related specifically to this issue.
15:42:48 great. thanks
15:42:50 awesome, thank you coreycb
15:42:54 thanks hiromu
15:43:23 next topic, is (hiromu) discuss Ext. Authorization Server Support
15:43:53 I added this topic to https://etherpad.opendev.org/p/keystone-weekly-meeting
15:44:18 We're planning to investigate if the following projects work with Ext. Authorizations, and how we can modify them to work with Ext. Authorization servers. Any other projects we must check?
15:44:26 heat
15:44:28 glance
15:44:30 nova
15:44:32 neutron
15:44:34 (placement) *low priority
15:44:36 (cinder) *low priority
15:45:01 These projects are selected based on DevStack minimal install.
15:46:13 Do you have any idea? knikolla:
15:47:41 That's a good start. I don't have any other ideas at the moment, though I would add Ironic as well.
15:48:54 and barbican? dmendiza[m]?
15:49:23 Sure. We have a chance to discuss with ironic at vPTG. Depending on the result of that discussion, we might not have to check Ironic (hopefully barbican).
15:50:07 ack
15:50:34 That's a good start, I'll add this to the vPTG agenda for one of our sessions
15:50:56 moving on as we're almost out of time
15:50:59 #topic bug review
15:51:16 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:51:26 we already discussed the cryptography bug
15:52:32 another bug landed https://bugs.launchpad.net/keystone/+bug/2008890 but this looks to be kolla container specific
15:52:46 I'll make sure that is the case
15:52:59 #action d34dh0r53 ensure that https://bugs.launchpad.net/keystone/+bug/2008890 is kolla specific
15:53:18 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:53:29 nothing new for python-keystoneclient
15:53:52 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:54:09 keystoneauth is clean
15:54:19 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:54:34 as is keystone middleware
15:54:42 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:55:01 pycadf has no new bugs
15:55:08 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:55:19 and ldappool is clean too
15:55:27 #topic conclusion
15:55:44 Thanks for all the hard work in getting mTLS merged the last few weeks!
15:55:54 Anyone have anything else before we go?
15:57:03 thanks folks!
15:57:07 #endmeeting