15:07:05 <d34dh0r53> #startmeeting keystone
15:07:05 <opendevmeet> Meeting started Tue Jun 27 15:07:05 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:07:05 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:07:05 <opendevmeet> The meeting name has been set to 'keystone'
15:07:18 <d34dh0r53> #topic roll call
15:07:20 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:07:22 <d34dh0r53> o/
15:07:37 <zaitcev> o/
15:07:38 <hiromu> o/
15:08:07 <dmendiza[m]> 🙋‍♂️
15:08:19 <d34dh0r53> hi everyone!
15:08:48 <d34dh0r53> #topic Review Past Meeting Action Items
15:08:54 <d34dh0r53> d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:09:15 <d34dh0r53> no progress on this one :(
15:09:21 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:09:29 <d34dh0r53> d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:09:31 <d34dh0r53> nor this
15:09:36 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:09:43 <d34dh0r53> dmendiza[m] and d34dh0r53 to look at keystonemiddleware stevedore failures
15:10:21 <d34dh0r53> I've been looking at this and it's very strange, it's not 100% reproducible
15:10:43 <d34dh0r53> I'm still trying to figure out what is going on, but I'd like to get keystonemiddleware unblocked by the end of the week
15:11:26 <d34dh0r53> #action d34dh0r53 get keystonemiddleware gates unblocked
15:11:40 <d34dh0r53> d34dh0r53 look at https://bugs.launchpad.net/keystone/+bug/2018644
15:12:21 <d34dh0r53> looks like dmendiza[m] took this one
15:13:20 <d34dh0r53> d34dh0r53 figure out why https://review.opendev.org/c/openstack/keystone/+/874844 is failing
15:13:30 <dmendiza[m]> Nothing to report this week 😅
15:14:13 <d34dh0r53> I'm also looking into this one, it can't find keystoneauth1-5.1.1 which is very strange since it's listed on PyPI, maybe bumping the version in requirements will fix this.
15:14:28 <d34dh0r53> Anyone have any other ideas on why that is failing?
15:16:35 <stephenfin> d34dh0r53: That's running against stable/wallaby. Upper-constraints has a 4.3.1 cap, so pip won't be allowed to install 5.1.1
15:16:42 <stephenfin> https://github.com/openstack/requirements/blob/stable/wallaby/upper-constraints.txt#L514
15:17:01 <stephenfin> I don't know *why* it's trying to install that version though
15:17:17 <stephenfin> ah, keystone-tempest-plugin depends on it
15:17:22 <d34dh0r53> ahh
15:17:57 <stephenfin> so you need to constrain the version of keystone-tempest-plugin on that branch
15:17:59 <stephenfin> branchless-tempest--
15:18:53 <stephenfin> gmann probably has ideas for resolving that on stable branches, as might elodilles
15:19:31 <d34dh0r53> there is a tag for wallaby-last, can I point it at that I wonder?
15:21:01 <d34dh0r53> ok, I'll play around with that today
15:21:37 <d34dh0r53> #action d34dh0r53 pin keystone-tempest-plugin to wallaby for keystone stable/wallaby
15:21:59 <d34dh0r53> next up: reviewathon https://review.opendev.org/c/openstack/keystone/+/874346
15:22:08 <d34dh0r53> this has been merged, thanks zaitcev!
15:22:23 <d34dh0r53> finally: knikolla to look into focal jobs
15:22:40 <zaitcev> Thanks to Greg
15:23:06 <d34dh0r53> :)
15:23:48 <d34dh0r53> #topic liaison updates
15:23:53 <d34dh0r53> nothing from VMT
15:25:56 <d34dh0r53> ok, as always if you're interested in being a cross project liaison please let me know, the help is most appreciated
15:26:01 <d34dh0r53> next up
15:26:17 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:26:27 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:26:28 <d34dh0r53> External OAuth 2.0 Specification
15:26:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:26:32 <d34dh0r53> OAuth 2.0 Implementation
15:26:34 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:26:36 <d34dh0r53> OAuth 2.0 Documentation
15:26:38 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:26:40 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:27:09 <hiromu> I have submitted another document patch to apply knikolla's comments
15:27:11 <hiromu> https://review.opendev.org/c/openstack/keystone/+/887071/1
15:27:32 <hiromu> The base document patch: https://review.opendev.org/c/openstack/keystone/+/838108
15:27:54 <opendevreview> Hiromu Asahina proposed openstack/keystonemiddleware master: [DNM] downgrade stevedore  https://review.opendev.org/c/openstack/keystonemiddleware/+/887074
15:28:53 <d34dh0r53> thanks hiromu, I just merged the top level doc for you so we can start looking at your follow up patch
15:29:13 <hiromu> That's great. Thanks
15:30:08 <hiromu> Nothing else for OAuth2.0
15:31:24 <d34dh0r53> Cool, thank you!
15:31:36 <d34dh0r53> next up
15:31:49 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:31:58 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:32:00 <d34dh0r53> Service Role Implementation
15:32:02 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
15:32:04 <d34dh0r53> Manager Role Implementation
15:32:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:32:36 <dmendiza[m]> Currently trying to sort out the differences between SRBAC in code and TripleO's SRBAC environment
15:33:08 <d34dh0r53> sweet
15:33:12 <dmendiza[m]> WIP patch is here:
15:33:15 <dmendiza[m]> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/885799
15:33:37 <dmendiza[m]> The main difference is that TripleO's SRBAC env does not use system scope
15:33:49 <dmendiza[m]> so the refactor is putting those tests under a new flag
15:37:07 <d34dh0r53> cool, thanks for the update dmendiza[m]
15:37:54 <d34dh0r53> I spoke with gmann at the summit about a couple more specs that he's going to propose
15:39:05 <d34dh0r53> one is for a Global Reader Role and the other is for a "super-admin" for the public cloud use case.  The name on that one is still up for debate
15:39:33 <d34dh0r53> We won't dive into the details now, just want to give a heads up about what's coming
15:39:37 <d34dh0r53> next up we have
15:39:47 <d34dh0r53> #topic specification SQLAlchemy 2.0 (stephenfin)
15:40:26 <d34dh0r53> #link https://review.opendev.org/q/topic:sqlalchemy-20+is:open+project:openstack/keystone
15:40:28 <d34dh0r53> Can I get reviews on this, while I have context/time to close it out?
15:40:30 <d34dh0r53> What more do you need from me?
15:40:49 <d34dh0r53> thanks for the reviews on these and please continue to do so, I'd like to get these merged before the end of the cycle
15:41:02 <zaitcev> I'm very proud to say that I've foreseen all of that Global Reader thing and in fact I have implemented it in Swift and Ceph under the carpet, so it's all there and available.
15:41:20 <d34dh0r53> awesome
15:41:28 <zaitcev> By Ceph unfortunately I only mean Ceph RGW, not CephFS or block.
15:41:48 <stephenfin> yup, thanks for the reviews. Just to note that there are also some changes needed for Barbican but thankfully they're very small (one issue)
15:41:53 <opendevreview> Merged openstack/keystone master: db: Don't pass strings to 'Connection.execute'  https://review.opendev.org/c/openstack/keystone/+/875761
15:41:56 <opendevreview> Merged openstack/keystone master: db: Replace use of Query.get()  https://review.opendev.org/c/openstack/keystone/+/875762
15:42:25 <d34dh0r53> kismet LOL
15:43:54 <d34dh0r53> ok, moving on
15:44:05 <d34dh0r53> #topic open discussion
15:44:38 <d34dh0r53> (drencrom) We need to merge this backport to fix pep8 tests
15:44:40 <d34dh0r53> zed #link https://review.opendev.org/c/openstack/keystonemiddleware/+/878023
15:44:54 <d34dh0r53> the zed patch merged, but we're running into the stevedore issue on other branches
15:45:10 <d34dh0r53> namely 2023.1
15:45:55 <d34dh0r53> so I'm working on that this week but if anyone has any Stevedore foo help would be welcomed ;)
15:46:50 <d34dh0r53> next up
15:46:52 <d34dh0r53> (drencrom) Remove cache invalidation when using expired token
15:46:54 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/884738
15:46:56 <d34dh0r53> Zuul jobs seem to run but no +1 message
15:47:21 <zaitcev> I'm trying to find that timeout patch for other branches...
15:47:28 <zaitcev> sorry I mean 2023.1
15:47:38 <d34dh0r53> I think that's merged up to stable/ussuri now, so hopefully we can merge that one
15:47:44 <zaitcev> https://review.opendev.org/c/openstack/keystonemiddleware/+/882401
15:48:24 <d34dh0r53> zaitcev: yeah, that's what I'm talking about with the stevedore thing, but it's not 100% reproducible locally so it may be a red herring
15:49:46 <opendevreview> Merged openstack/keystoneauth master: Add doc of OAuth 2.0 Mutual-TLS Authenticate  https://review.opendev.org/c/openstack/keystoneauth/+/860923
15:50:02 <d34dh0r53> I just saw this https://review.opendev.org/c/openstack/keystone/+/887072, thanks stephenfin
15:51:12 <d34dh0r53> next up
15:51:21 <d34dh0r53> (mustafakemalgilor) PooledLdapHandler message.clean() patch backports
15:51:23 <d34dh0r53> review request
15:51:25 <d34dh0r53> #link ussuri: https://review.opendev.org/c/openstack/keystone/+/874846
15:51:27 <d34dh0r53> #link victoria: https://review.opendev.org/c/openstack/keystone/+/874847
15:51:29 <d34dh0r53> #link wallaby: https://review.opendev.org/c/openstack/keystone/+/874844
15:52:19 <d34dh0r53> the wallaby patch should be fixed by https://review.opendev.org/c/openstack/keystone/+/887072
15:53:51 <d34dh0r53> finally
15:53:53 <d34dh0r53> (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE:
15:53:55 <d34dh0r53> review request
15:53:57 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/883852
15:53:59 <d34dh0r53> Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same)
15:54:31 <d34dh0r53> I'll try to review this week, maybe a candidate for the reviewathon
15:54:58 <d34dh0r53> #topic bug review
15:55:06 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:55:32 <d34dh0r53> we have a new bug in keystone
15:55:36 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2025146
15:56:20 <d34dh0r53> I can take a look at this one
15:56:51 <d34dh0r53> next up
15:56:53 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:57:07 <d34dh0r53> no new bugs in python-keystoneclient
15:57:20 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:57:39 <d34dh0r53> no new bugs in keystoneauth either
15:57:47 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:59:14 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/2023689
15:59:37 <d34dh0r53> is a new bug in keystonemiddleware, I'm also encountering this when I pass the stevedore tests
16:00:04 <d34dh0r53> hiromu has a patch up, we may just need to strategically merge things into keystonemiddleware to get it working
16:00:12 <d34dh0r53> thanks for the help on this one
16:00:29 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
16:00:37 <d34dh0r53> pycadf is clean
16:00:42 <hiromu> :)
16:01:02 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
16:01:06 <d34dh0r53> as is ldappool
16:01:16 <zaitcev> That's fine but the fix fails tests itself too (https://review.opendev.org/c/openstack/keystonemiddleware/+/886521).
16:01:49 <d34dh0r53> yep, that's the stevedore failure
16:02:08 <opendevreview> Merged openstack/keystone master: db: Replace use of reverse cascades  https://review.opendev.org/c/openstack/keystone/+/875763
16:02:11 <opendevreview> Merged openstack/keystone master: db: Remove legacy migrations  https://review.opendev.org/c/openstack/keystone/+/875764
16:02:14 <opendevreview> Merged openstack/keystone master: tests: Rework BannedDBSchemaOperations fixture  https://review.opendev.org/c/openstack/keystone/+/875765
16:02:29 <d34dh0r53> keystonemiddleware.auth_token and others are supposed to be in that list
16:02:42 <d34dh0r53> for some reason keystonemiddleware isn't being registered correctly in stevedore
16:03:53 <d34dh0r53> it seems to be exceptionally difficult to debug too
16:03:59 <d34dh0r53> #topic conclusion
16:04:06 <d34dh0r53> keystonemiddleware is broken :)
16:04:16 <d34dh0r53> the tests that is
16:04:52 <d34dh0r53> It was really nice to meet some folks in person at the summit :)
16:05:19 <d34dh0r53> Reviewathon is Friday, 14:00 UTC
16:05:34 <d34dh0r53> we're a bit over time so I'll end it here, thanks all!
16:05:37 <d34dh0r53> #endmeeting