15:02:16 #startmeeting keystone 15:02:16 Meeting started Wed Feb 28 15:02:16 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:02:16 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:02:16 The meeting name has been set to 'keystone' 15:02:42 #topic roll call 15:02:44 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema 15:02:48 o/ 15:02:58 o/ 15:03:17 🙋‍♂️ 15:04:28 #topic review past meeting work items 15:04:31 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-14-15.02.html 15:05:03 no updates from me, I was out of town for a week and didn't have much time to do anything 15:05:24 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation 15:05:38 #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation 15:05:43 next up 15:05:50 #topic liaison updates 15:06:18 Caracal feature freeze starts next week 15:06:35 Friday actually 15:07:06 and I don't have anything from VMT 15:07:46 #topic specification OAuth 2.0 (hiromu) 15:07:54 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext 15:07:56 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability 15:07:58 External OAuth 2.0 Specification 15:08:00 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 15:08:02 OAuth 2.0 Implementation 15:08:04 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls 15:08:06 OAuth 2.0 Documentation 15:08:08 #link https://review.opendev.org/c/openstack/keystone/+/838108 15:08:10 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 15:09:10 I haven't seen hiromu around in a while 15:10:05 we're really close to finishing these specs so hopefully we'll hear back from them 15:10:07 next up 15:10:24 #topic specification Secure RBAC (dmendiza[m]) 15:10:32 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ 15:10:34 2024.1 Release Timeline 15:10:36 Update oslo.policy in keystone to enforce_new_defaults=True 15:10:38 Update oslo.policy in keystone to enforce_scope=True 15:10:40 #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged) 15:10:42 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 15:11:07 🙋‍♂️ 15:11:26 I think we've merged everything we needed for Phase 1 15:11:40 sweet! 15:12:38 so phase 2 in 2024.2? 15:16:48 next up 15:16:58 #topic specification Improve federated users management (gtema) 15:17:04 #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews 15:17:16 still waiting for reviews ;-) 15:17:34 I just added mine, maybe dmendiza[m] or xek can take a look 15:17:51 awesome, thanks 15:17:56 np 15:18:14 #topic open discussion 15:18:28 passlib 15:18:30 unmaintained 15:18:32 bcrypt issues with newer releases 15:18:34 python3.12 issues 15:18:45 I moved this to open discussion since it's not a spec 15:18:47 so I started looking into it 15:18:53 There is an open issue https://foss.heptapod.net/python-libs/passlib/-/issues/187 regardging the maintenance status of passlib 15:19:09 I've been looking into it as well 15:19:11 thanks Dave, I have seen that issue and it sadly is not really very promising 15:19:39 Ansible stick to passlib means the chances are that someone will at some point take it over 15:19:41 yeah, I replied to a comment on there and voted but it looks like the maintainer is essentially AWOL 15:19:52 but when this happens is unknown 15:20:13 I started playing around with kicking passlib away 15:20:28 oh cool, any luck? 15:20:32 for default bcrypt there is absolutely no issue in using bcrypt directly 15:20:51 for bcrypt_sha256 (and others) the issue is absolutely different 15:21:14 while it is absolutely no problem to calculate hashes using cryptography or hashlib itself 15:21:31 it is a problem to have support for old passwords hashed by passlib 15:21:52 passlib is using black magic playing with charset, bincode, ... 15:22:13 I really really dislike how it does all of that, especially that there is no need for that 15:22:34 so basically we need to think which "compatibility" do we need 15:22:51 (remembering this is the case for non-default hash method) 15:23:20 yeah, I didn't know it was that bad 15:23:24 we could make passlib something like a "fallback", that is used when we see that password was hashed with it 15:23:37 otherwise hash new password without passlib 15:23:46 then at some point we would be able to drop it 15:23:50 yeah, that still means modifying requirements 15:23:56 but that still keeps passlib in our dependencies 15:24:08 no, we do not need to change depencies 15:24:17 bcrypt and cryptography are already there 15:25:01 I haven't been able to get keystone to deploy without changing the upper requirements to bcrypt==4.0.1 15:25:08 is there a way around that? 15:25:29 ah, you mean that. 15:25:47 don't know, I just played with what is in deps right now 15:26:19 I mean venv from few month ago 15:27:03 let me try something, I may be working with something incorrectly 15:27:04 technically I can continue looking into passlib and finally revere-engineer all the voodoo they do 15:27:22 then we would be able to drop it completely 15:27:42 just after 8h invested I was still not able to get all this uncovered 15:27:53 if ansible is going to require it, there is no way that it will continue to be unmaintained 15:28:19 right, but the code is very ugly and still has so much from py2 15:28:43 and on the other side it seems to be also a blocker for py3.12 15:29:31 I think passlib is something we need to solve asap for the next release (not for the 2024.1) 15:29:40 right, I think so too 15:29:50 it's a priority for 2024.2 15:30:04 I'll continue digging in next days 15:30:13 ok, thanks 15:30:20 wlcm 15:31:28 anything else for open discussion? 15:31:49 don't forget to submit your candidacy into elections repo 15:32:44 thank you! 15:33:36 #topic bug review 15:33:40 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:33:41 thanks for going for the next round, I already started worying 15:34:13 yeah, just been super busy and didn't realize that the date was coming up so quickly 15:34:47 we have a couple of new bugs for keystone, one looks like a docs bug that may or may not be complete 15:35:00 #link https://bugs.launchpad.net/keystone/+bug/2054800 15:35:20 and the second is an LDAP error that may also be incomplete 15:35:29 #link https://bugs.launchpad.net/keystone/+bug/2053297 15:35:52 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:36:15 python-keystoneclient is good 15:36:17 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 15:36:49 a docs bug has also been filed in keystoneauth 15:37:01 #link https://bugs.launchpad.net/keystoneauth/+bug/2054740 15:37:56 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 15:38:17 oops, there is also this bug for keystoneauth which has a fix up already 15:38:41 #link https://review.opendev.org/c/openstack/keystoneauth/+/909561 15:38:58 keystonemiddleware is good 15:39:09 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 15:39:27 pycadf is good 15:39:29 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 15:39:42 as is ldappool 15:39:48 that does it for bug review 15:39:55 #topic conclusion 15:40:51 I'm running again for PTL, and I just wanted to say thanks for all the help this cycle 15:41:07 It was a good one and I'm looking forward to a successful 2024.2 :) 15:41:24 #endmeeting