15:02:17 #startmeeting keystone
15:02:17 Meeting started Wed Mar 27 15:02:17 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:17 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:17 The meeting name has been set to 'keystone'
15:02:39 #topic roll call
15:02:47 admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:02:49 o/
15:03:38 🙋
15:04:26 #topic review past meeting work items
15:05:05 #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-03-20-15.00.html
15:05:19 no updates from me
15:05:27 #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:05:34 #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation
15:05:45 #topic liaison updates
15:07:08 nothing much, on the VMT side, we've converted two private bugs to public, LMK if you want details
15:07:20 #topic specification OAuth 2.0 (hiromu)
15:07:29 #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
15:07:31 #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability
15:07:33 External OAuth 2.0 Specification
15:07:35 #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
15:07:37 OAuth 2.0 Implementation
15:07:39 #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
15:07:41 OAuth 2.0 Documentation
15:07:43 #link https://review.opendev.org/c/openstack/keystone/+/838108
15:07:45 #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
15:08:50 guess hiromu isn't around
15:09:07 next up
15:09:37 #topic specification Secure RBAC (dmendiza[m])
15:09:49 #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
15:09:51 2024.1 Release Timeline
15:09:51 🙋
15:09:53 Update oslo.policy in keystone to enforce_new_defaults=True
15:09:55 Update oslo.policy in keystone to enforce_scope=True
15:09:55 Yeah, lots of updates
15:09:57 #link https://review.opendev.org/c/openstack/keystone/+/902730 (Merged)
15:09:59 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 (Merged)
15:10:06 awesome!
15:10:51 OK, first up, it looks like Tempest currently has an all-or-nothing approach for setting scope in the Admin clients.
15:11:03 That means that they're either all project-scope or all system-scope
15:11:29 Unfortunately that does not work since some projects (i.e. neutron) only allow project-scoped requests for admin APIs.
15:11:46 So, for now, we want to only run tests as project-scoped admins
15:11:56 which is what this patch does: (in keystone at least)
15:12:02 #link https://review.opendev.org/c/openstack/keystone/+/913999
15:12:19 Still need another review (maybe from knikolla ?)
15:12:31 since Grzegorz Grasza is out on PTO this week
15:13:15 Now, for some reason, devstack also sets those same options
15:13:28 so we have duplicate code setting the same options in two repos
15:13:39 this is the patch to remove them from lib/tempest in the devstack repo:
15:13:45 #link https://review.opendev.org/c/openstack/devstack/+/914115
15:14:28 Next, I have a patch that modifies a couple of policies that were missed when we implemented Phase 1 of SRBAC:
15:14:36 #link https://review.opendev.org/c/openstack/keystone/+/914520
15:14:57 That one is fresh out of the oven, so still waiting on CI to run the gate jobs
15:15:58 Additionally, we still have the "protection" aka SRBAC jobs disabled in Keystone. I have a patch up to re-enable them, but I am not sure why it failed when I rebased... I'll look into that next:
15:16:00 #link https://review.opendev.org/c/openstack/keystone/+/909238
15:16:57 Moving on, we do not have any tests that run the full tempest suite against Keystone with SRBAC turned on
15:17:55 Tempest does have an SRBAC job, but Keystone is not currently enforcing SRBAC. I have a patch up to enable it in that existing job. Currently failing the gate, but mostly due to needing some of the patches I've linked
15:18:00 #link https://review.opendev.org/c/openstack/tempest/+/912489
15:19:27 Lastly, I have a patch to rename the tempest option that enables SRBAC tests in keystone-tempest-plugin. Currently it does its own thing, and my patch changes it to be in-line with the rest of the projects that use the [enforce_scope] section of tempest.conf
15:19:33 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/913593
15:20:48 Oh, and I also have a DNM test to keystone-tempest-plugin to pull everything together across all those related repos and run a full suite test of SRBAC using project-admin credentials:
15:20:54 #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/914089
15:21:18 I still need to investigate why it's failing. I think we may need to change some tests around in the srbac suite due to the change of admin scope.
15:21:22 That's all for now.
15:21:40 * dmendiza[m] feels like he's juggling spinning plates
15:22:54 wow, that was a lot
15:22:57 thanks dmendiza[m]
15:23:05 I'll leave it open for questions for a minute or two
15:27:23 #topic specification Improve federated users management (gtema)
15:27:27 #link https://review.opendev.org/c/openstack/keystone-specs/+/748748 - waiting for reviews
15:33:17 next up
15:33:28 #topic specification OpenAPI support (gtema)
15:33:33 #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:35:28 #topic open discussion
15:35:36 passlib update
15:35:38 The maintainer responded to the bug, and one of the top priorities is to fix the bcrypt version bug
15:35:40 #link https://foss.heptapod.net/python-libs/passlib/-/issues/190
15:35:42 Targeted to 1.7.5
15:36:20 No updates on this, hopefully 1.7.5 will be released soon
15:39:33 #topic bug review
15:39:40 #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:39:47 no new bugs for keystone
15:39:59 #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:40:20 python-keystoneclient is good
15:40:32 #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:40:48 nothing new in keystoneauth
15:40:55 #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:42:06 one new bug in keystonemiddleware
15:42:10 #link https://bugs.launchpad.net/keystonemiddleware/+bug/1940770
15:42:26 it's actually not new, just recently updated
15:43:04 I'll keep an eye on that one, maybe we should move to pymemcache
15:43:16 #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:43:28 no new bugs for pycadf
15:43:34 #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:43:45 ldappool is good
15:43:49 #topic conclusion
15:44:05 Nothing from me, add topics for the PTG to
15:44:15 #link https://etherpad.opendev.org/p/dalmation-ptg-keystone
15:44:22 Thanks all!
15:44:25 #endmeeting