#openstack-keystone log

15:01:42 <d34dh0r53> #startmeeting keystone
15:01:42 <opendevmeet> Meeting started Wed Aug 16 15:01:42 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:42 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:42 <opendevmeet> The meeting name has been set to 'keystone'
15:01:46 <d34dh0r53> #topic roll call
15:01:51 <noonedeadpunk> o/
15:02:06 <hiromu> o/
15:02:07 <dmendiza[m]> 🙋
15:02:25 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:02:28 <d34dh0r53> o/
15:02:44 <knikolla> o/
15:02:54 <d34dh0r53> #topic review past meeting work items
15:03:24 <d34dh0r53> d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:03:45 <d34dh0r53> I've started looking into this, we don't have a section and I'm investigating adding one
15:03:54 <d34dh0r53> so I'll carry it forward
15:03:57 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:04:03 <d34dh0r53> the next item as well
15:04:11 <noonedeadpunk> isn't that part of release notes?
15:04:28 <noonedeadpunk> except - you'd need to move renos between releases to keep known issues there
15:05:24 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:06:42 <d34dh0r53> yeah, I think it's for more long lived known issues, stuff that is idiosyncratic to keystone, and issues that are likely not to be fixed with well known workarounds
15:06:58 <d34dh0r53> d34dh0r53 investigate switching the default hashing algo to scrypt in 2024.x
15:07:47 <d34dh0r53> is next up, noonedeadpunk I know you did some work related to this AI this past week, I haven't had a chance to look at anything
15:08:35 <noonedeadpunk> yeah, patch for https://bugs.launchpad.net/keystone/+bug/2029134 proposed and needs to be reviewed
15:08:43 <noonedeadpunk> it also needs to be backported to 2023.1
15:09:38 <noonedeadpunk> Fix for https://bugs.launchpad.net/openstack-ansible/+bug/2028809 has merged on master and backports proposed to affected stable branches
15:10:09 <noonedeadpunk> #link https://review.opendev.org/q/Iea95a3c2df041a0046647b3d3dadead1a6d054d1
15:10:37 <noonedeadpunk> I didn't look into this one though
15:10:39 <noonedeadpunk> #link https://bugs.launchpad.net/keystone/+bug/2030061
15:11:14 <d34dh0r53> ack
15:13:02 <d34dh0r53> I think maybe a good first step to the hashing algo is to get https://review.opendev.org/c/openstack/keystone/+/891024/3 tested and merged
15:13:19 <d34dh0r53> We can then look into perhaps making that the default in 2024.x
15:14:20 <d34dh0r53> Since there is no length limitation with the additional hash and we're still using bcrypt I'm thinking that is a good way to go.
15:15:28 <d34dh0r53> #action d34dh0r53 test https://review.opendev.org/c/openstack/keystone/+/891024/3
15:15:32 <d34dh0r53> next up
15:15:38 <d34dh0r53> noonedeadpunk and d34dh0r53 are looking for a workaround/fix for https://bugs.launchpad.net/keystone/+bug/2028809
15:16:01 <d34dh0r53> I think this has been resolved in https://review.opendev.org/c/openstack/keystone/+/890936
15:16:07 <noonedeadpunk> yup
15:16:11 <d34dh0r53> thank you for the patch noonedeadpunk
15:16:45 <d34dh0r53> next up we have hiromu is going to look at https://bugs.launchpad.net/keystone/+bug/2029134
15:17:22 <d34dh0r53> this has a patch up https://review.opendev.org/c/openstack/keystone/+/891521
15:17:31 <d34dh0r53> hiromu: were you able to look at this patch?
15:17:43 <hiromu> sure
15:18:02 <d34dh0r53> thank you!
15:18:08 <hiromu> :)
15:18:23 <d34dh0r53> #action hiromu test and review https://review.opendev.org/c/openstack/keystone/+/891521
15:18:36 <d34dh0r53> ok, that does it for the past week action items
15:18:51 <d34dh0r53> next up
15:18:52 <d34dh0r53> #topic liaison updates
15:18:56 <d34dh0r53> nothing from VMT
15:21:15 <d34dh0r53> cool, moving on
15:21:37 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:22:56 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:22:58 <d34dh0r53> External OAuth 2.0 Specification
15:23:00 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:23:02 <d34dh0r53> OAuth 2.0 Implementation
15:23:04 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:23:06 <d34dh0r53> OAuth 2.0 Documentation
15:23:08 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:23:10 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:23:28 <hiromu> no update this week. I hope topic https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability will be reviwered within this cycle if possible
15:24:19 <d34dh0r53> I will add it to the reviewathon
15:24:47 <d34dh0r53> thank you hiromu
15:24:50 <d34dh0r53> next up
15:25:05 <d34dh0r53> #topic Secure RBAC (dmendiza[m])
15:25:36 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:25:37 <d34dh0r53> Manager Role Implementation
15:25:37 <dmendiza[m]> Not a whole lot of progress
15:25:39 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
15:25:45 <d34dh0r53> ack, thanks dmendiza[m]
15:25:45 <dmendiza[m]> we had the pop-up meeting yesterday
15:25:59 <dmendiza[m]> and I'll be helping gmann update an srbac patch
15:26:10 <d34dh0r53> cool
15:28:15 <d34dh0r53> #topic open discussion
15:28:40 <d34dh0r53> (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE:
15:28:42 <d34dh0r53> review request
15:28:44 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/883852
15:28:46 <d34dh0r53> Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same)
15:28:53 <d34dh0r53> this has merged, thanks all!
15:29:00 <d34dh0r53> removing it from the doc
15:29:34 <d34dh0r53> next up
15:29:35 <d34dh0r53> OAuth2.0 External Authorization Server Support (hiromu)
15:29:37 <d34dh0r53> Where is an appropriate place to put the user guide
15:30:49 <dmendiza[m]> https://opendev.org/openstack/keystone/src/branch/master/doc/source/user ?
15:31:44 <hiromu> but it's about keystonemiddleware
15:32:20 <d34dh0r53> slightly off topic, is there a reason keystone isn't listed here: https://docs.openstack.org/2023.1/projects.html ?
15:33:23 <hiromu> I think d34dh0r53 has given us the answer that https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html can be appropriate last week.
15:33:25 <dmendiza[m]> hiromu https://opendev.org/openstack/keystonemiddleware/src/branch/master/doc/source
15:33:57 <dmendiza[m]> d34dh0r53: seems like a doc site bug.  For some reason Identity doesn't show up in the stable branches
15:34:30 <d34dh0r53> yes hiromu that is correct, I think that's where it should go and I should have moved that topic to the archive
15:34:43 <zaitcev> indeed, this seems to contain Identity: https://docs.openstack.org/2023.2/projects.html
15:34:59 <d34dh0r53> #action d34dh0r53 look into doc bug of missing Identity section on https://docs.openstack.org/2023.1/projects.html
15:35:09 <hiromu> thanks d34dh0r53: and dmendiza:
15:35:30 <d34dh0r53> ack, that does it for open discussion
15:36:18 <d34dh0r53> #topic bug review
15:36:28 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:36:39 <d34dh0r53> no new bugs for keystone
15:36:51 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:37:04 <d34dh0r53> nor for python-keystoneclient
15:37:16 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:37:31 <d34dh0r53> keystoneauth is good
15:37:39 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:37:49 <d34dh0r53> as it keystonemiddleware
15:37:56 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:38:09 <d34dh0r53> pycadf is clean
15:38:15 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:38:29 <d34dh0r53> and ldappool is also clean
15:38:34 <d34dh0r53> #topic conclusion
15:39:17 <d34dh0r53> No reviewathon this week as it's a recharge day for Red Hat
15:39:25 <d34dh0r53> anyone have anything else before we close?
15:40:58 <zaitcev> Guess not.
15:42:28 <d34dh0r53> guess not :)
15:42:36 <d34dh0r53> thanks folks!
15:42:39 <d34dh0r53> #endmeeting