15:01:42 #startmeeting keystone 15:01:42 Meeting started Wed Aug 16 15:01:42 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:42 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:42 The meeting name has been set to 'keystone' 15:01:46 #topic roll call 15:01:51 o/ 15:02:06 o/ 15:02:07 🙋 15:02:25 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m] 15:02:28 o/ 15:02:44 o/ 15:02:54 #topic review past meeting work items 15:03:24 d34dh0r53 Look into adding/restoring a known issues section to our documentation 15:03:45 I've started looking into this, we don't have a section and I'm investigating adding one 15:03:54 so I'll carry it forward 15:03:57 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation 15:04:03 the next item as well 15:04:11 isn't that part of release notes? 15:04:28 except - you'd need to move renos between releases to keep known issues there 15:05:24 #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation 15:06:42 yeah, I think it's for more long lived known issues, stuff that is idiosyncratic to keystone, and issues that are likely not to be fixed with well known workarounds 15:06:58 d34dh0r53 investigate switching the default hashing algo to scrypt in 2024.x 15:07:47 is next up, noonedeadpunk I know you did some work related to this AI this past week, I haven't had a chance to look at anything 15:08:35 yeah, patch for https://bugs.launchpad.net/keystone/+bug/2029134 proposed and needs to be reviewed 15:08:43 it also needs to be backported to 2023.1 15:09:38 Fix for https://bugs.launchpad.net/openstack-ansible/+bug/2028809 has merged on master and backports proposed to affected stable branches 15:10:09 #link https://review.opendev.org/q/Iea95a3c2df041a0046647b3d3dadead1a6d054d1 15:10:37 I didn't look into this one though 15:10:39 #link https://bugs.launchpad.net/keystone/+bug/2030061 15:11:14 ack 15:13:02 I think maybe a good first step to the hashing algo is to get https://review.opendev.org/c/openstack/keystone/+/891024/3 tested and merged 15:13:19 We can then look into perhaps making that the default in 2024.x 15:14:20 Since there is no length limitation with the additional hash and we're still using bcrypt I'm thinking that is a good way to go. 15:15:28 #action d34dh0r53 test https://review.opendev.org/c/openstack/keystone/+/891024/3 15:15:32 next up 15:15:38 noonedeadpunk and d34dh0r53 are looking for a workaround/fix for https://bugs.launchpad.net/keystone/+bug/2028809 15:16:01 I think this has been resolved in https://review.opendev.org/c/openstack/keystone/+/890936 15:16:07 yup 15:16:11 thank you for the patch noonedeadpunk 15:16:45 next up we have hiromu is going to look at https://bugs.launchpad.net/keystone/+bug/2029134 15:17:22 this has a patch up https://review.opendev.org/c/openstack/keystone/+/891521 15:17:31 hiromu: were you able to look at this patch? 15:17:43 sure 15:18:02 thank you! 15:18:08 :) 15:18:23 #action hiromu test and review https://review.opendev.org/c/openstack/keystone/+/891521 15:18:36 ok, that does it for the past week action items 15:18:51 next up 15:18:52 #topic liaison updates 15:18:56 nothing from VMT 15:21:15 cool, moving on 15:21:37 #topic specification OAuth 2.0 (hiromu) 15:22:56 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:22:58 External OAuth 2.0 Specification 15:23:00 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 15:23:02 OAuth 2.0 Implementation 15:23:04 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:23:06 OAuth 2.0 Documentation 15:23:08 #link https://review.opendev.org/c/openstack/keystone/+/838108 15:23:10 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 15:23:28 no update this week. I hope topic https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability will be reviwered within this cycle if possible 15:24:19 I will add it to the reviewathon 15:24:47 thank you hiromu 15:24:50 next up 15:25:05 #topic Secure RBAC (dmendiza[m]) 15:25:36 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:25:37 Manager Role Implementation 15:25:37 Not a whole lot of progress 15:25:39 #link https://review.opendev.org/c/openstack/keystone/+/822601 15:25:45 ack, thanks dmendiza[m] 15:25:45 we had the pop-up meeting yesterday 15:25:59 and I'll be helping gmann update an srbac patch 15:26:10 cool 15:28:15 #topic open discussion 15:28:40 (reqa) Add openstack cli support for OAuth 2.0 Device Authorization Grant with PKCE: 15:28:42 review request 15:28:44 #link https://review.opendev.org/c/openstack/keystoneauth/+/883852 15:28:46 Reasoning: When switching wsgi-keystone.conf to use PKCE for WebSSO, this also applies to the CLI (e.g. ForgeRock implemented the same) 15:28:53 this has merged, thanks all! 15:29:00 removing it from the doc 15:29:34 next up 15:29:35 OAuth2.0 External Authorization Server Support (hiromu) 15:29:37 Where is an appropriate place to put the user guide 15:30:49 https://opendev.org/openstack/keystone/src/branch/master/doc/source/user ? 15:31:44 but it's about keystonemiddleware 15:32:20 slightly off topic, is there a reason keystone isn't listed here: https://docs.openstack.org/2023.1/projects.html ? 15:33:23 I think d34dh0r53 has given us the answer that https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html can be appropriate last week. 15:33:25 hiromu https://opendev.org/openstack/keystonemiddleware/src/branch/master/doc/source 15:33:57 d34dh0r53: seems like a doc site bug. For some reason Identity doesn't show up in the stable branches 15:34:30 yes hiromu that is correct, I think that's where it should go and I should have moved that topic to the archive 15:34:43 indeed, this seems to contain Identity: https://docs.openstack.org/2023.2/projects.html 15:34:59 #action d34dh0r53 look into doc bug of missing Identity section on https://docs.openstack.org/2023.1/projects.html 15:35:09 thanks d34dh0r53: and dmendiza: 15:35:30 ack, that does it for open discussion 15:36:18 #topic bug review 15:36:28 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:36:39 no new bugs for keystone 15:36:51 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:37:04 nor for python-keystoneclient 15:37:16 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:37:31 keystoneauth is good 15:37:39 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:37:49 as it keystonemiddleware 15:37:56 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:38:09 pycadf is clean 15:38:15 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:38:29 and ldappool is also clean 15:38:34 #topic conclusion 15:39:17 No reviewathon this week as it's a recharge day for Red Hat 15:39:25 anyone have anything else before we close? 15:40:58 Guess not. 15:42:28 guess not :) 15:42:36 thanks folks! 15:42:39 #endmeeting