opendevreview | Hiromu Asahina proposed openstack/keystone-specs master: OAuth2.0 Client Credentials Grant Flow Support https://review.opendev.org/c/openstack/keystone-specs/+/813152 | 09:54 |
---|---|---|
*** thelounge94 is now known as redrobot | 13:02 | |
*** redrobot is now known as thelounge94 | 13:04 | |
*** thelounge94 is now known as redrobot | 13:04 | |
rdopiera | Hi, it looks like all the patches at https://review.opendev.org/q/project:openstack%252Fpython-keystoneclient are failing on the same unrelated doc error | 13:59 |
opendevreview | Hiromu Asahina proposed openstack/keystone-specs master: OAuth2.0 Client Credentials Grant Flow Support https://review.opendev.org/c/openstack/keystone-specs/+/813152 | 14:57 |
lbragstad | rdopiera o/ | 15:01 |
lbragstad | rdopiera we're about to start the keystone meeting - so i can raise it there | 15:01 |
lbragstad | cc redrobot | 15:01 |
rdopiera | lbragstad: awesome, I can also ask for help with keystoneauth then | 15:02 |
rdopiera | lbragstad: is it here on in one of the meeting channels? | 15:02 |
lbragstad | it's in this channel now | 15:02 |
rdopiera | s/on/or | 15:02 |
rdopiera | thanks | 15:02 |
lbragstad | https://meetings.opendev.org/#Keystone_Team_Meeting | 15:03 |
redrobot | #startmeeting keystone | 15:03 |
opendevmeet | Meeting started Tue Oct 12 15:03:16 2021 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:03 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:03 |
opendevmeet | The meeting name has been set to 'keystone' | 15:03 |
redrobot | #topic Roll Call | 15:03 |
lbragstad | o/ | 15:03 |
* redrobot needs to set his calendar to alert for this meeting | 15:03 | |
gagehugo | o/ | 15:03 |
lbragstad | yes - currently i think i'm your alert system | 15:03 |
lbragstad | :) | 15:04 |
redrobot | Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, jdennis, ruan_he, wxy, sonuk, vishakha,Ajay, raildo, rafaelweingartner, xek | 15:04 |
xek | o/ | 15:04 |
d34dh0r53 | o/ | 15:04 |
d34dh0r53 | lurking as I'm in another meeting | 15:04 |
lbragstad | #link https://etherpad.opendev.org/p/keystone-weekly-meeting | 15:05 |
redrobot | thanks lbragstad | 15:05 |
redrobot | OK, let's get started | 15:05 |
redrobot | #topic Review Past Meeting Action Items | 15:05 |
redrobot | #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-10-05-15.01.html | 15:05 |
redrobot | we didn't have any | 15:05 |
redrobot | moving on .. | 15:05 |
redrobot | #topic Liaison Updates | 15:06 |
redrobot | knikolla 👋 | 15:06 |
redrobot | I don't think knikolla is around ... let's move on | 15:07 |
redrobot | #topic Oauth 2.0 | 15:07 |
redrobot | #link https://review.opendev.org/c/openstack/keystone-specs/+/813152 | 15:07 |
redrobot | h_asahina ^^^ | 15:08 |
h_asahina | o/ | 15:08 |
h_asahina | yes. I submitted the spec. | 15:08 |
redrobot | looking at the agenda notes | 15:08 |
h_asahina | I'd appreciate it if you could review it. | 15:08 |
redrobot | #help we need folks to review the Oauth 2.0 spec patch | 15:09 |
h_asahina | I'd like to ask you about https support status in keystone because oauth2 needs it. | 15:10 |
h_asahina | I guess the current keystone does not support TLS in general way, like just adding a cert file to config. Is that correct? | 15:10 |
lbragstad | keystone doesn't implement https support natively, it's handled by the webserver | 15:10 |
redrobot | yeah the API is just a regular WSGI server | 15:11 |
redrobot | *WSGI app | 15:11 |
h_asahina | got it. | 15:11 |
redrobot | added myself to that review I'll take a look when I have some time | 15:12 |
h_asahina | thanks. | 15:12 |
lbragstad | h_asahina this isn't much, but | 15:12 |
lbragstad | https://docs.openstack.org/keystone/latest/install/keystone-install-rdo.html#ssl | 15:12 |
redrobot | Also adding ayoung since he was asking to be added to reviews | 15:12 |
lbragstad | h_asahina it'll depend on the web server you're using though | 15:13 |
h_asahina | great. i'll check it. | 15:13 |
redrobot | looks like the topic is already in the agenda for the PTG session next week | 15:15 |
h_asahina | yeah. I added it. If you all have enough time, I'd like to discuss about the details of the above spec. | 15:16 |
h_asahina | in PTG | 15:16 |
admiyo | Is that happening now? | 15:16 |
admiyo | BTW, admiyo == ayoung | 15:17 |
redrobot | admiyo no, PTG is next Monday | 15:17 |
lbragstad | #link https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-assets-prod/Uploads/PTG-Oct-18-22-2021-Schedule-Rev2.pdf | 15:17 |
lbragstad | does anyone know where the list of etherpads is? | 15:17 |
admiyo | Did they really name the rooms after the old releases? That is lovely | 15:18 |
redrobot | h_asahina anything else you want to talk about for your topic? | 15:18 |
admiyo | I think I had one question on the OAUTH stuff before | 15:19 |
h_asahina | yes. I want to confirm naming rules for subcommand. | 15:19 |
redrobot | admiyo I added you to the spec gerrit change | 15:19 |
lbragstad | found it #link https://ptg.opendev.org/etherpads.html | 15:19 |
admiyo | oauth2 is a good way to go, but is tough to implement correctly. What is the general idea of a library to use to implement? | 15:20 |
admiyo | BTW, the general idea of the AUTH suburl was going to be to support different auth mechanisms. | 15:21 |
h_asahina | we're considering to use oauthlib https://oauthlib.readthedocs.io/en/latest/ | 15:21 |
h_asahina | which is also used by the existing oauth1 ext. | 15:21 |
admiyo | so instead of POST /OS-OAUTH2/introspect It would have been POST /auth/OS-OAUTH2/introspect | 15:21 |
admiyo | but really, no, that should be just for the actual authentication process | 15:21 |
admiyo | I'll review the spec | 15:22 |
h_asahina | admiyo: thanks. please add your comments on the review :) | 15:22 |
admiyo | ++ I think this is a long time coming, and I love the concept | 15:22 |
admiyo | thanks for driving it forward | 15:23 |
lbragstad | just FYI - i'm going to move the contents of #link https://etherpad.opendev.org/p/yoga-ptg-keystone to #link https://etherpad.opendev.org/p/oct2021-ptg-keystone | 15:23 |
lbragstad | since that's the etherpad linked in #link https://ptg.opendev.org/etherpads.html | 15:23 |
h_asahina | I'd like to go back to the naming convention of the subcommand if you don't mind. | 15:24 |
redrobot | lbragstad I think we're stepping on each others toes | 15:25 |
redrobot | lbragstad I'll explain during PTG topic | 15:25 |
lbragstad | redrobot ack | 15:25 |
redrobot | h_asahina do you have a specific question about the naming? | 15:25 |
redrobot | or just looking for style docs or some such? | 15:25 |
h_asahina | for osc commands. like `openstack user` | 15:26 |
h_asahina | we want to add new subcommands to OSC for OAuth2. | 15:27 |
h_asahina | so, i'd like to know the rules in advance. | 15:27 |
h_asahina | Currently, we are considering either one of `openstack client`, `openstack oauth2 client` and `openstack consumer --oauth2` for the OAuth2.0 client registration. Which one is appropriate? | 15:29 |
admiyo | client is confusing | 15:30 |
admiyo | the whole app is known as the cli | 15:30 |
admiyo | and there are many clients. | 15:30 |
redrobot | What sort of commands would a user have to make? Are these oauth2 specific? | 15:31 |
admiyo | openstack oauth2 as the naming for subcommands seems to be in keeping with the norm for newer additions. I don't know if there is a strict convention | 15:31 |
admiyo | --oauth2 is non obvious to me. | 15:32 |
admiyo | openstack oauth2 client create <params> | 15:32 |
h_asahina | redrobot: these are oauth2 specific. the commands for users to register oauth2 client. | 15:32 |
admiyo | that seems to be the most consistent | 15:32 |
admiyo | openstack oauth2 client validate | 15:32 |
admiyo | openstack oauth2 token issue | 15:32 |
admiyo | namespace, entity, verb | 15:33 |
admiyo | openstack baremetal node create as an example | 15:33 |
h_asahina | i see. make sense. | 15:34 |
h_asahina | ok. we're going with `openstack oauth2 client`. thank you for your help admiyo. | 15:35 |
redrobot | great | 15:35 |
redrobot | anything else on this topic? | 15:35 |
h_asahina | nothing from my side. | 15:36 |
redrobot | thanks h_asahina | 15:36 |
redrobot | #topic PTG | 15:36 |
redrobot | It's next week | 15:36 |
redrobot | #link https://etherpad.opendev.org/p/yoga-ptg-keystone | 15:37 |
redrobot | but it looks like we got moved. 😅 | 15:37 |
redrobot | lbragstad I was trying to update the url on the PTG site | 15:37 |
lbragstad | oh - sorry about that | 15:37 |
admiyo | It got moved moments ago by lbragstad | 15:37 |
admiyo | <lbragstad> just FYI - i'm going to move the contents of #link https://etherpad.opendev.org/p/yoga-ptg-keystone to #link https://etherpad.opendev.org/p/oct2021-ptg-keystone | 15:37 |
redrobot | no worries | 15:37 |
redrobot | we can keep it there | 15:37 |
redrobot | I'll just have to update my bookmarks | 15:37 |
redrobot | and the link in the agenda | 15:38 |
redrobot | because I'm not sure the bot in #openinfra-events is working | 15:38 |
redrobot | or maybe it doesn't like me. | 15:38 |
lbragstad | i think you need +v? | 15:38 |
redrobot | 🤷 | 15:39 |
redrobot | #link https://etherpad.opendev.org/p/oct2021-ptg-keystone | 15:39 |
redrobot | ^^^ going forward | 15:39 |
redrobot | We have one session: Monday October 18, 1400-1600 UTC | 15:40 |
redrobot | so far we have Oauth2 in the agenda as well as a status update for Secure RBAC | 15:40 |
redrobot | if we have time maybe we can triage bugs | 15:40 |
redrobot | please feel free to add any additional topics to the etherpad | 15:41 |
redrobot | Have we decided on whether to use Zoom or Meetpad? | 15:42 |
redrobot | Also no weekly meeting next week since we'll be doing PTG things | 15:42 |
gagehugo | I am fine with either | 15:42 |
redrobot | Looks like our URL just got changed back >_< | 15:44 |
redrobot | Let's plan for meetpad since it can just run in the browser | 15:44 |
gagehugo | works for me | 15:45 |
redrobot | I'll get the urls fixed up in the PTG system | 15:46 |
redrobot | Any other questions/comments? | 15:47 |
h_asahina | can I find meeting link at https://ptg.opendev.org/ptg.html? | 15:48 |
redrobot | h_asahina yes, I just updated the meeting url | 15:49 |
h_asahina | I mean the meeting link will appear there | 15:49 |
redrobot | h_asahina the link is already there if you click on the "keystone" time slot in the schedule | 15:50 |
redrobot | but also you can bookmark this: | 15:50 |
redrobot | #link https://meetpad.opendev.org/oct2021-ptg-keystone | 15:50 |
h_asahina | redrobot thank you | 15:50 |
redrobot | which is why I 🖤 meetpad/jitsi | 15:51 |
redrobot | We've only got a few minutes left | 15:52 |
redrobot | #topic Bug Review | 15:52 |
rdopiera | :( | 15:52 |
redrobot | From the agenda, asking about bugfix: | 15:53 |
redrobot | #link https://bugs.launchpad.net/keystoneauth/+bug/1930194 | 15:53 |
redrobot | h_asahina ^^^ | 15:53 |
h_asahina | yes. we submitted that report a few months ago. | 15:54 |
redrobot | I don't know if anyone has looked at it. | 15:54 |
redrobot | Which is why we have a bug triage topic for the PTG | 15:54 |
redrobot | lbragstad got time to stick around for rdopiera's topic? | 15:55 |
lbragstad | i have a hard stop at 11 | 15:56 |
redrobot | ack | 15:56 |
lbragstad | sorry :( | 15:56 |
redrobot | lbragstad no worries | 15:57 |
h_asahina | redrobot: sorry for the delay. got it. | 15:57 |
redrobot | #topic Help with System Scope APIS | 15:58 |
rdopiera | We are working on implementing the new system scope token support in Horizon. As the first pass we are calling the APIs directly, but ultimately we would like to use keystoneclient and keystoneauth properly. Unfortunately, they are missing the required APIs. | 15:58 |
rdopiera | I made two bugs about that, and I submitted a patch for keystoneclient that is probably wrong, but it's a start. I would like to ask for reviews and for help writing the patch for keystoneauth, as | 15:58 |
rdopiera | this seems more complicated. Also, the keystoneclient patch seems to be failing CI on a completely unrelated doc bug, as well as all other patches in the queue. | 15:58 |
redrobot | lbragstad sounds like maybe something our dfg can do? | 15:59 |
lbragstad | yeah | 15:59 |
redrobot | rdopiera let me talk to the powers that be and see if we can get our team at RH to help with this | 15:59 |
rdopiera | redrobot: awesome, thank you | 15:59 |
admiyo | wouldn't it be lovely if we had some way to query the policy in use of a given endpoint? | 15:59 |
redrobot | #action redrobot to ask for help on System-Scope implementation in keystoneauth | 15:59 |
redrobot | admiyo 100% would +1 that spec. | 16:00 |
admiyo | At one point, I toyed with using a less-common verb from HTTP | 16:00 |
redrobot | aaand that's time. | 16:01 |
admiyo | OPTIONS | 16:01 |
redrobot | :-O | 16:01 |
redrobot | Thanks for joining, everyone! | 16:02 |
redrobot | #endmeeting | 16:02 |
opendevmeet | Meeting ended Tue Oct 12 16:02:08 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:02 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-10-12-15.03.html | 16:02 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-10-12-15.03.txt | 16:02 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-10-12-15.03.log.html | 16:02 |
gmann | lbragstad: I created this etherpad for RBAC related discussion https://etherpad.opendev.org/p/policy-popup-yoga-ptg | 22:59 |
gmann | we do not have any dedicated sessions for policy popup, if you think we need for few common topic then I can request otherwise we can discuss the related topic in respective project room | 23:00 |
gmann | feel free to add the more topic in that, also I will put this on ML for others to add topic or at least projects to add schedule of their sessions | 23:01 |