15:02:19 #startmeeting keystone
15:02:19 Meeting started Wed Feb 7 15:02:19 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:19 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:19 The meeting name has been set to 'keystone'
15:02:39 #topic roll call
15:02:47 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph
15:02:50 o/
15:03:05 o/
15:04:48 o/
15:05:07 🙋
15:06:11 #topic review past meeting work items
15:06:42 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-31-15.01.html
15:06:54 no updates from my end
15:07:04 #action d34dh0r53 d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:13 #undo
15:07:13 Removing item from minutes: #action d34dh0r53 d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:22 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:07:31 #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:07:45 #topic liaison updates
15:07:49 nothing from VMT
15:10:08 from api-sig pov: https://review.opendev.org/c/openstack/keystone/+/908163
15:10:26 I work on openapi generation and found that one
15:10:39 we've moved Train and Ussuri to End-Of-Life and Yoga has transitioned to unmaintained status
15:11:12 ack, thanks gtema I'll take a look at that one
15:12:09 that should do it for liaison updates
15:12:12 moving on
15:12:27 #topic specifications OAuth 2.0 (hiromu)
15:12:39 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:12:41 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:12:43 External OAuth 2.0 Specification
15:12:45 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:12:47 OAuth 2.0 Implementation
15:12:49 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:12:51 OAuth 2.0 Documentation
15:12:53 #link https://review.opendev.org/c/openstack/keystone/+/838108
15:12:55 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:13:47 I haven't seen hiromu around in a while
15:15:12 it looks like the WIP patches are somewhat active, updates in the last 30 days
15:15:20 moving on
15:15:29 #topic specification Secure RBAC (dmendiza[m])
15:15:37 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:15:39 2024.1 Release Timeline
15:15:41 Update oslo.policy in keystone to enforce_new_defaults=True
15:15:43 Update oslo.policy in keystone to enforce_scope=True
15:15:45 #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:15:46 Making progress on Phase 1
15:15:47 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
15:15:59 down to just a few more tests that need fixin in the tempest patch
15:16:29 Of course, spending so much time in the tempest code made me realize it sucks and I hate it. :-P
15:16:35 lol
15:16:38 yep
15:16:50 Needs a serious refactor for DRY principle
15:17:14 indeed
15:17:23 Anyway, the tempest patch should be ready for review for Friday's reviewathon hopefully
15:17:41 ack, thanks dmendiza[m]
15:17:51 I'm not refactoring anything right now, but it would be worth refactoring and removing duplication when we add the "manager" role tests
15:18:16 good idea
15:19:16 moving on
15:19:25 #topic specification Improve federated users management (previously: Add schema version and support to "domain" attribute in mapping rules) (gtema)
15:19:32 #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:19:48 right -waiting for spec reviews
15:19:54 I gave that one a once over and will try to give it a deeper look this week
15:20:03 great, thanks
15:20:05 nothing jumped out at me
15:20:20 sounds good
15:20:41 next up
15:20:47 #topic specification Dedicated domainmanager role
15:20:54 #link https://review.opendev.org/c/openstack/keystone-specs/+/903172 -waiting for reviews
15:21:06 so, I do not know whether you noticed or not
15:21:18 earlier today someone posted a question here in room
15:21:33 that admin on a domain is still capable of doing other dangerous operations
15:21:45 that one more time proves necessity of improvements in the area
15:22:04 and I know - it touches the RBAC topic as well (at least similar direction)
15:22:50 so, what operators often need is some sort of domain manager (admin) role that they are able to give out to customers
15:22:51 right, I agree
15:22:57 but that should not be "admin"
15:23:41 gtema "admin" role is essentially root
15:23:58 correct, and thus something new should be added
15:24:00 whether "admin" is assigned on a project, or on a domain, or on the system the result is the same
15:24:28 Have you read through the latest version of the Secure RBAC spec?
15:24:30 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
15:24:47 gtema: perhaps you want the "manager" role?
15:24:53 yes, but it doesn't explicitly describe use case with domains
15:25:57 Right ... there's a lot of confusion around scopes unfortunately. If your use case is something that has more access than "member" but less than "admin" then the answer is the "manager" role.
15:26:19 correct, so if also in the scope of your work we can consider "manager" role it would be great
15:26:37 anyway, I wanted to put that spec on the table and if all opinions are welcome
15:27:09 Ack, I'll read through it and comment
15:27:14 great, thanks
15:27:46 thanks both!
15:28:04 #topic open discussion
15:28:08 nothing on the agenda
15:28:57 gtema there is a spec https://review.opendev.org/c/openstack/keystone-specs/+/903172
15:29:04 for a domain manager role
15:29:24 correct, this is exactly the spec I mentioned
15:30:07 a colleague and I will be driving this, when the spec is accepted
15:30:27 that's great
15:31:29 but concerning this: with feature freeze around, I doubt this will make it into this cycle - am I right d34dh0r53 ?
15:31:47 that is correct, it will have to be 2024.2
15:32:23 okay, thank you for the information d34dh0r53 :)
15:32:57 TIL 2024.2 code name is Dalmatian
15:33:19 oh sweet, I missed that
15:33:20 I assume @spotz had something to do with that.
15:33:36 Yeah, Schedule is already out:
15:33:38 lol, I'm sure she did :)
15:33:38 #link https://releases.openstack.org/dalmatian/schedule.html
15:34:00 woo woo
15:34:56 err, woof woof?
15:35:15 anything else for open discussion?
15:35:51 Feature Freeze is in a few weeks
15:36:02 indeed, good call dmendiza[m]
15:36:10 Just a heads up in case there's things we want to land before then
15:36:45 Feb 26 - Mar 01 is Caracal-3 and Feature freeze week
15:37:49 #info Feature Freeze is the week of Feb 20 - Mar 01
15:38:19 ☝️for folks who just get the tl;dr from the summary.
15:38:33 yeah, forgot about that hashtag
15:39:58 moving on
15:40:04 #topic bug review
15:40:14 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:40:18 no new bugs for keystone
15:40:25 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:40:44 python-keystoneclient is also good
15:40:51 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:41:04 nothing new for keystoneauth
15:41:17 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:41:34 keystonemiddleware is also good
15:41:50 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:42:06 pycadf has no new bugs
15:42:12 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:42:20 nor does ldappool
15:42:24 #topic conclusion
15:42:52 this is not a bug, but it's known that you have to update a release note file for yoga after transitioning stable/yoga to unmaintained/yoga
15:43:05 release note jobs are all broken until you merge the release patches proposed by bot
15:43:27 some projects like barbican didn't get that update by bot so manual patch may be needed (I've created ones for barbican I believe)
15:43:43 (assuming some people here may be interested in barbican as well :-P
15:43:58 example: https://review.opendev.org/c/openstack/keystone/+/908150
15:44:54 so I'd suggest you check your review queue and merge these patches asap before a different problem hits you
15:48:09 ack, thanks tkajinam I'll get those in for keystone
15:48:25 anything else for today?
15:48:51 d34dh0r53, thanks :-)
15:48:55 d34dh0r53, nothing else from me
15:49:06 excellent, thanks everyone!
15:49:13 have a great rest of your week :)
15:49:18 #endmeeting