15:01:32 <d34dh0r53> #startmeeting keystone
15:01:32 <opendevmeet> Meeting started Wed Mar 13 15:01:32 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:32 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:32 <opendevmeet> The meeting name has been set to 'keystone'
15:01:38 <d34dh0r53> #topic roll call
15:01:47 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:01:50 <d34dh0r53> o/
15:02:50 <gtema> o/
15:02:55 <dmendiza[m]> 🙋
15:03:00 <d34dh0r53> #topic review past meeting work items
15:03:04 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-02-28-15.02.html
15:03:31 <d34dh0r53> no updates on my action items
15:03:40 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:03:45 <d34dh0r53> d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:03:49 <d34dh0r53> #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:03:56 <d34dh0r53> moving on
15:04:01 <d34dh0r53> #topic liaison updates
15:04:05 <d34dh0r53> nothing from VMT,
15:04:19 <d34dh0r53> working on approving all of the caracal-1 things
15:04:24 <d34dh0r53> for release management
15:04:57 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:05:14 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:05:16 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:05:18 <d34dh0r53> External OAuth 2.0 Specification
15:05:20 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:05:22 <d34dh0r53> OAuth 2.0 Implementation
15:05:24 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:05:26 <d34dh0r53> OAuth 2.0 Documentation
15:05:28 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
15:05:30 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:06:04 <d34dh0r53> hmm, hiromu hasn't been around in quite a while, anyone know what the status of this work is?
15:08:03 <d34dh0r53> ok, next up
15:08:23 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:08:26 <d34dh0r53> Secure RBAC (dmendiza[m])
15:08:28 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:08:30 <d34dh0r53> 2024.1 Release Timeline
15:08:32 <d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True
15:08:34 <d34dh0r53> Update oslo.policy in keystone to enforce_scope=True
15:08:36 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:08:38 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713
15:08:44 <mharley> o/
15:08:54 <d34dh0r53> hi mharley, welcome :)
15:08:57 <dmendiza[m]> ^^ was also merged.
15:09:01 <d34dh0r53> woot
15:09:02 <mharley> Hi. Thanks!
15:09:45 <dmendiza[m]> Next, I'm working on getting Keystone tested in the Tempest repo
15:09:57 <dmendiza[m]> Tempest already has an SRBAC test, but it is not currently testing Keystone
15:10:01 <dmendiza[m]> WIP patch is here:
15:10:05 <d34dh0r53> ahh
15:10:05 <dmendiza[m]> #link https://review.opendev.org/c/openstack/tempest/+/912489
15:10:17 <dmendiza[m]> Two issues so far
15:10:38 <dmendiza[m]> First, I'm trying to figure out how Tempest decides the scope of the admin clients
15:10:55 <dmendiza[m]> Tempest has an option to auto-create networks when dynamically creating accounts
15:11:00 <dmendiza[m]> but it's using the wrong scope to do it
15:11:05 <dmendiza[m]> so it is currently failing for SRBAC
15:12:04 <dmendiza[m]> There seem to be some inconsistencies in the devstack plugin that sets up srbac for keystone
15:12:16 <d34dh0r53> that's not surprising :)
15:12:22 <dmendiza[m]> I am unsure why policy.yaml needs to be set here:
15:12:24 <dmendiza[m]> #link https://opendev.org/openstack/keystone/src/branch/master/devstack/lib/scope.sh#L18
15:12:47 <dmendiza[m]> Also admin_system is supposed to be set to all, but it is currently set to true:
15:12:49 <dmendiza[m]> #link https://opendev.org/openstack/keystone/src/branch/master/devstack/lib/scope.sh#L24
15:13:24 <dmendiza[m]> We also probably want to use... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/SZzFqKcjIZODNjTeQrtWdcIL>)
15:13:32 <d34dh0r53> hmm
15:13:52 <dmendiza[m]> instead of what we currently use: [identity-feature-enabled] enforce_scope = true
15:14:00 <dmendiza[m]> #link https://opendev.org/openstack/keystone/src/branch/master/devstack/lib/scope.sh#L23
15:14:05 <d34dh0r53> yeah, I think we definitely want to switch to that
15:14:20 <d34dh0r53> although the docs are pretty confusing
15:14:23 <dmendiza[m]> So yeah, more work to do in SRBAC
15:15:15 <d34dh0r53> ack, thanks dmendiza[m]
15:15:33 <d34dh0r53> next up
15:15:40 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:15:47 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:16:11 <gtema> so after you last review there were minor nits to the spec and it was updated
15:16:36 <d34dh0r53> I saw that, I'll take some to to re-review this week
15:16:48 <gtema> and since there were also again questions about mess in federation setup I decided to do "-1" on the way of api change, since it only makes it more complex
15:16:59 <gtema> but sadly after that Rafael is not responding
15:17:35 <gtema> I would appreciate if you analyze this particular issue on your re-review
15:17:54 <d34dh0r53> yes, I will focus on that
15:18:04 <gtema> perfect, thanks
15:18:20 <d34dh0r53> no problem, anything else on that?
15:18:36 <gtema> btw, I proposed https://review.opendev.org/c/openstack/keystone-specs/+/910584 for next cycle to start improving openapi life
15:18:54 <d34dh0r53> great, I'll take a look at that as well
15:19:18 <gtema> great. This is a "copy" of same for Nova, so it is not something totally crazy
15:19:53 <d34dh0r53> excellent
15:21:01 <d34dh0r53> #topic open discussion
15:21:05 <d34dh0r53> passlib update
15:21:07 <d34dh0r53> The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug
15:21:09 <d34dh0r53> #link https://foss.heptapod.net/python-libs/passlib/-/issues/190
15:21:11 <d34dh0r53> The maintainer is working on setting up some more core reviewers and maintainers so the project so that the project will no longer be unmaintained
15:21:38 <gtema> I noticed that today as well, great news
15:21:41 <d34dh0r53> I think we can just hold on and wait for an updated passlib which is nice and should save us quite a bit of work in trying to remove it
15:22:14 <gtema> but also he himself admitted it got too complex - this is exactly what I observed looking at the code
15:22:28 <gtema> its over-designed
15:23:04 <d34dh0r53> indeed, I think multiple project realized the same thing.  Hopefully going forward it will be streamlined into what people use it for
15:23:31 <gtema> right
15:24:06 <d34dh0r53> based on the feedback from the maintenance status bug I think several projects will step up to help maintain it as it's used in a *lot* of places
15:24:30 <gtema> indeed. Would be great to see that
15:24:45 <d34dh0r53> anything else for open-discussion?
15:25:26 <fungi> just a heads up that i proposed backports of https://review.opendev.org/c/openstack/keystone/+/908850 to all open branches because otherwise they're just going to lead to zuul configuration errors as soon as the node labels are removed (which for centos-7 will be friday, but the others will be soon as well)
15:26:04 <fungi> in order to expedite things, i may just go ahead and bypass gating to merge those directly in gerrit, if there are no objections
15:26:21 <fungi> #link https://review.opendev.org/q/topic:%22drop-centos-7%22
15:26:25 <d34dh0r53> thanks fungi, I have no objections
15:26:52 <fungi> appreciated
15:27:27 <d34dh0r53> likewise!
15:27:34 <fungi> mainly, some branches are in a bad enough state that the cleanup simply can't be merged any other way without disabling or fixing lots of other jobs in the process
15:29:59 <d34dh0r53> yeah :/
15:32:09 <d34dh0r53> moving on
15:32:13 <d34dh0r53> #topic bug review
15:32:24 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:32:37 <d34dh0r53> no new bugs for keystone
15:32:47 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:32:54 <d34dh0r53> nor for python-keystoneclient
15:33:04 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:33:19 <d34dh0r53> keystoneauth is good
15:33:26 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:33:40 <d34dh0r53> so is keystonemiddleware
15:33:50 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:34:00 <d34dh0r53> nothing new for pycadf
15:34:10 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:34:22 <d34dh0r53> ldappool is also good to go
15:34:26 <d34dh0r53> #topic conclusion
15:35:01 <d34dh0r53> Reminder to register for the PTG
15:35:10 <d34dh0r53> #link https://ptg2024.openinfra.dev
15:35:27 <d34dh0r53> It's free and virtual
15:35:56 <d34dh0r53> I'm thinking about hosting 2 1-hour sessions, but if we need more please let me know and I can add them
15:36:57 <d34dh0r53> That does it for me, thanks folks!
15:37:01 <d34dh0r53> #endmeeting