#openstack-keystone log

15:00:53 <d34dh0r53> #startmeeting keystone
15:00:53 <opendevmeet> Meeting started Wed Jan 17 15:00:53 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:53 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 <opendevmeet> The meeting name has been set to 'keystone'
15:01:05 <d34dh0r53> #topic roll call
15:01:19 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley,jph
15:01:26 <d34dh0r53> o/
15:01:54 <dmendiza[m]> 🙋
15:03:18 <d34dh0r53> #topic liaison updates
15:03:28 <d34dh0r53> nothing from VMT nor Release Management
15:04:42 <d34dh0r53> #topic review past meeting work items
15:04:54 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-10-15.01.html
15:05:16 <d34dh0r53> no updates, still a WIP to add these sections to the docs
15:05:25 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:05:34 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:05:53 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:06:03 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:06:05 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:06:07 <d34dh0r53> External OAuth 2.0 Specification
15:06:09 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:06:11 <d34dh0r53> OAuth 2.0 Implementation
15:06:13 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:06:15 <d34dh0r53> OAuth 2.0 Documentation
15:06:17 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:06:19 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:08:26 <d34dh0r53> looks like hiromu isn't around today
15:08:28 <d34dh0r53> moving on
15:08:46 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:08:56 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:08:58 <d34dh0r53> 2024.1 Release Timeline
15:09:00 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:09:02 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:09:04 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730
15:09:06 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
15:09:09 <dmendiza[m]> Still loking for reviews on the Phase 1 patch: ^^^^
15:09:40 <dmendiza[m]> Working on the tempest test changes, but it's a bit messy since I have to reorganize some large classes. 😒
15:10:12 <d34dh0r53> I'll review the phase 1 patch today, on my list of ToDo's
15:10:23 <dmendiza[m]> thanks d34dh0r53
15:12:27 <d34dh0r53> np
15:12:32 <d34dh0r53> next up
15:12:44 <d34dh0r53> #topic specification Add schema version and support to "domain" attribute in mapping rules (gtema)
15:12:52 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748042 (merged)
15:12:54 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/739966
15:13:31 <gtema> pls reviews
15:13:42 <d34dh0r53> ack, I'll add that to my list
15:13:44 <gtema> we are ready for next steps and need that change to be processed
15:13:50 <d34dh0r53> thanks gtema
15:15:07 <d34dh0r53> #topic open discussion
15:15:19 <d34dh0r53> I don't have anything
15:16:56 <bbobrov> i have
15:17:08 <bbobrov> i would like to talk about project tags and access to them by various actors. Today project tags are there for project admins. They can change them, via a separate API or via a project update API.
15:17:41 <bbobrov> We would like to have project tags, that would be writeable only by "system admins". It will allow our system admins to enable certain features for projects based on existence (or nonexistence) of the tags.
15:18:32 <bbobrov> the tags are also company-specific and probably should not be done by adding new resource options
15:19:06 <bbobrov> would adding tag prefixes or tag namespaces be an option?
15:19:26 <bbobrov> would this change be even in scope of keystone, or should it rather be implemented elsewhere?
15:21:49 <gtema> tags are not only writable by admins - there are clouds where domain admins can manage project tags
15:22:30 <bbobrov> yes, that is true. But i would like to designate certain tags to be writeable only by system admins.
15:22:50 <d34dh0r53> ahh, I see, a permissions flag for certain tags
15:25:16 <d34dh0r53> dmendiza[m]: would this be possible with a custom policy?
15:27:58 <dmendiza[m]> Hmm...  it would be tough to do, I think ...  the policy engine works on an endpoint (URL) and can possibly use metadata about the object to make a decision.
15:28:28 <dmendiza[m]> Not sure what could be done in a tag to differentiate it from other tags
15:28:34 <bbobrov> they only way to do it via policies is to delegate the decision to a remote server (via http: rule)
15:29:59 <d34dh0r53> hmm, ok
15:30:50 <bbobrov> another way to implement this would be via a new endpoint, something like /v3/projects/project_id/system-tags/, but it is a stretch, because it asks for a /domain-tags/ after that :)
15:31:10 <d34dh0r53> right
15:31:49 <d34dh0r53> I think this needs a spec as it's an API change as proposed here
15:32:24 <bbobrov> honestly, i am not even sure that it should be in scope of keystone; maybe i should just go with yet another microservice
15:32:54 <bbobrov> which is also not great, because i have to protect it with all the oslo stuff
15:34:49 <jrosser> could i ask if it would be possible to merge the fix here https://bugs.launchpad.net/keystone/+bug/2030061?
15:38:17 <d34dh0r53> jrosser: I'll take a closer look at the fix for that later today, it does need tests though
15:38:59 <jrosser> ok so on that, andrew works on my team and we put a bunch of time to debug and make the bug / example fix
15:39:13 <jrosser> however we certainly do not have the skills to make a test for it
15:40:03 <d34dh0r53> bbobrov: yeah, it's a grey area
15:42:11 <d34dh0r53> jrosser: ack
15:42:49 <d34dh0r53> moving on for the sake of time
15:43:17 <d34dh0r53> bbobrov: it's up to you, we're certainly willing to look at a spec for adding that ability
15:43:25 <d34dh0r53> #topic bug review
15:43:46 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:44:02 <d34dh0r53> looks like a new bug for keystone
15:44:05 <d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2049559
15:45:02 <d34dh0r53> any volunteers to look at that one?
15:45:36 <bbobrov> i think it was a deliberate decision to hide the error message from the user
15:46:05 <d34dh0r53> I think so too, but I'd have to check
15:46:37 <bbobrov> and that the reason is transmitted only via notifications
15:47:36 <d34dh0r53> yeah, this is by design, just found the release note stating that
15:47:41 <d34dh0r53> I'll update the bug
15:49:19 <d34dh0r53> next up
15:49:30 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:49:40 <d34dh0r53> no new bugs for python-keystoneclient
15:49:54 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:50:10 <d34dh0r53> keystoneauth has no new issues
15:50:21 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:50:37 <d34dh0r53> keystonemiddleware is also goo
15:50:39 <d34dh0r53> d
15:50:50 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:51:02 <d34dh0r53> nothing new in pycadf
15:51:13 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:51:24 <d34dh0r53> ldappool is good to go
15:51:28 <d34dh0r53> #topic conclusion
15:51:41 <d34dh0r53> Thanks folks!
15:51:48 <d34dh0r53> I don't have anything
15:52:14 <d34dh0r53> #endmeeting