15:06:16 <d34dh0r53> #startmeeting keystone
15:06:16 <opendevmeet> Meeting started Wed Sep 27 15:06:16 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:06:16 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:06:16 <opendevmeet> The meeting name has been set to 'keystone'
15:06:19 <hiromu> o/
15:06:38 <d34dh0r53> #topic roll call
15:06:40 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m]
15:06:48 <d34dh0r53> o/ sorry I'm late today
15:08:18 <dmendiza[m]> 🙋‍♂️
15:08:24 <d34dh0r53> #topic review past meeting work items
15:08:45 <d34dh0r53> we didn't have a meeting last week, so this is from a couple of weeks ago
15:08:51 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-09-13-15.03.html
15:09:21 <d34dh0r53> both of the action items are on me, and I didn't get a chance to look at either as I was on unscheduled PTO for the majority of the week
15:09:29 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:09:38 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:09:50 <d34dh0r53> moving on...
15:10:00 <d34dh0r53> #topic liaison updates
15:10:06 <d34dh0r53> nothing from VMT
15:11:47 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:12:00 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:02 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:12:04 <d34dh0r53> External OAuth 2.0 Specification
15:12:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:08 <d34dh0r53> OAuth 2.0 Implementation
15:12:10 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:12 <d34dh0r53> OAuth 2.0 Documentation
15:12:14 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:16 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:12:40 <hiromu> We're going to implement FT for ext. Auth server support for Keystone middleware
15:12:54 <hiromu> and I have a question about that
15:13:05 <d34dh0r53> sorry, FT?
15:13:23 <hiromu> I mean functional tests
15:13:29 <hiromu> like tempest
15:13:41 <hiromu> or integrated tests
15:14:05 <d34dh0r53> ahh
15:14:07 <d34dh0r53> thank you
15:14:36 <hiromu> no worries. that might be a domestic term
15:14:55 <hiromu> anyway, we're looking for the right place for the tests
15:15:30 <d34dh0r53> keystone-tempest-tests I think
15:16:49 <hiromu> Yeah, but I think implementing the test in other projects that will use this feature can be another option
15:17:06 <d34dh0r53> I see
15:17:17 <hiromu> tacker-tempest-plugin for example,
15:17:28 <hiromu> although tacker doesn't have the tempest-plugin now
15:17:57 <hiromu> I think that might be better in terms of maintainability
15:19:55 <d34dh0r53> ok, I would like to see some tests in keystone-tempest-plugin as well so that we can run them in the gate
15:20:14 <d34dh0r53> and ensure we don't break anything with future code updates
15:20:25 <hiromu> ok
15:20:34 <hiromu> but what should we test?
15:20:58 <hiromu> I mean keystone middleware for ext. oauth server only works with Tacker, Barbican and Ironic
15:21:47 <hiromu> running integration tests of keystonemiddleware with those services at keystone-tempest-plugin is a little bit unnatural for me.
15:22:30 <d34dh0r53> hmm, I see your point
15:23:50 <d34dh0r53> maybe we can include those tests as part of our testing then
15:24:07 <hiromu> also, I'm afraid that tests will fail due to changes in Tacker, Ironic and Barbican. In that case, Keystone maintainers have to fix Tacker, Ironic and Barbican's code for keystone-tempest-plugin
15:24:35 <hiromu> which test did you mean?
15:24:52 <d34dh0r53> maybe a non-voting or experimental test
15:25:24 <hiromu> non-voting makes sense to me.
15:25:58 <d34dh0r53> ok, that sounds good, please let us know if we can assist with reviews
15:26:22 <hiromu> good.
15:26:25 <hiromu> thanks
15:26:32 <d34dh0r53> anything else hiromu?
15:27:00 <hiromu> no, but one thing. the implementation of that test might take time
15:27:44 <hiromu> so I want to put the target date of merging it to the end of the release cycle
15:27:52 <d34dh0r53> ok
15:28:09 <d34dh0r53> that shouldn't be a problem
15:28:19 <hiromu> perfect. nothing else. thank you for your help.
15:29:01 <d34dh0r53> thank you hiromu!
15:29:02 <d34dh0r53> next up
15:29:20 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:29:48 <d34dh0r53> I think we've done everything for now, do we still need to keep this on the agenda dmendiza[m]?
15:30:20 <dmendiza[m]> Yes, there is still work to do
15:30:41 <dmendiza[m]> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
15:30:54 <dmendiza[m]> I think now that bobcat (2023.2) has branched we can move to the next phase
15:31:37 <d34dh0r53> ok
15:31:43 <dmendiza[m]> We can probably change our defaults to use SRBAC by default
15:32:00 <dmendiza[m]> i.e. enforce_new_defaults=True and enforce_scope=True
15:33:31 <d34dh0r53> cool, updating the agenda
15:33:57 <d34dh0r53> Who is doing the oslo.policy work, or is that TBD?
15:35:48 <dmendiza[m]> not sure I understand your question.  What work are you referring to?
15:36:34 <d34dh0r53> updating the defaults in oslo.policy, or did I misread?
15:38:59 <dmendiza[m]> Oh, we do that in keystone
15:39:14 <dmendiza[m]> there's a function called set_defaults where we can override what oslo.policy has as their default
15:39:23 <d34dh0r53> ahh, ok
15:39:44 <dmendiza[m]> I don't think we can change the defaults in oslo.policy until everyone is on-board
15:40:08 <d34dh0r53> I see, I misunderstood what the spec was saying
15:42:19 <dmendiza[m]> So yeah, I'll be working on that
15:42:32 <d34dh0r53> ok, cool
15:42:37 <d34dh0r53> thanks dmendiza[m]
15:42:56 <d34dh0r53> moving on
15:43:01 <d34dh0r53> #topic open discussion
15:43:08 <d34dh0r53> nothing on the agenda
15:43:15 <d34dh0r53> anyone have anything?
15:44:50 <d34dh0r53> cool, moving on
15:44:55 <d34dh0r53> #topic bug review
15:45:05 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:45:09 <d34dh0r53> there is one new bug in keystone
15:45:22 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2037052
15:45:47 <d34dh0r53> it has a patch up
15:46:07 <d34dh0r53> next up we have
15:46:08 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:46:24 <d34dh0r53> nothing new in python-keystoneclient
15:46:36 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:46:48 <d34dh0r53> keystoneauth is clean
15:47:06 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:47:32 <d34dh0r53> one new bug
15:47:35 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/2037177
15:47:48 <d34dh0r53> we have six still being imported, should be an easy fix
15:48:07 <d34dh0r53> that does it for keystonemiddleware
15:48:18 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:48:38 <d34dh0r53> nothing for pycadf
15:48:40 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:48:52 <d34dh0r53> and ldappool is looking good
15:48:58 <d34dh0r53> #topic conclusion
15:49:05 <d34dh0r53> anyone have anything before we go?
15:49:21 <d34dh0r53> thanks everyone!
15:49:24 <d34dh0r53> #endmeeting