*** tobias-urdin5 is now known as tobias-urdin | 02:09 | |
*** EugenMayer4 is now known as EugenMayer | 02:45 | |
opendevreview | Grzegorz Grasza proposed openstack/keystone master: Fix issue with LDAP backend returning bytes instead of string https://review.opendev.org/c/openstack/keystone/+/819477 | 08:54 |
opendevreview | Grzegorz Grasza proposed openstack/keystone master: Add an option to randomize LDAP urls list https://review.opendev.org/c/openstack/keystone/+/821086 | 10:37 |
opendevreview | Grzegorz Grasza proposed openstack/keystone master: Change the min value of pool_retry_max to 1 https://review.opendev.org/c/openstack/keystone/+/824140 | 10:42 |
*** xek_ is now known as xek | 13:26 | |
*** dasm|off is now known as dasm | 13:31 | |
dmendiza[m] | #startmeeting keystone | 15:00 |
opendevmeet | Meeting started Tue Jan 18 15:00:11 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'keystone' | 15:00 |
dmendiza[m] | #topic Roll Call | 15:00 |
xek | o/ | 15:00 |
dmendiza[m] | Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelweingartner, xek | 15:00 |
d34dh0r53 | o/ | 15:00 |
gagehugo | o/ | 15:01 |
h_asahina | o/ | 15:01 |
dmendiza[m] | Great, let's get started | 15:01 |
dmendiza[m] | #topic Review Past Meeting Action Items | 15:01 |
dmendiza[m] | #link https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-11-15.00.html | 15:02 |
dmendiza[m] | We didn't have any | 15:02 |
dmendiza[m] | Moving on | 15:02 |
dmendiza[m] | #topic Liaison Updates | 15:02 |
dmendiza[m] | knikolla: around? | 15:02 |
knikolla | o/ | 15:03 |
knikolla | no updates | 15:03 |
dmendiza[m] | Cool, thanks | 15:04 |
dmendiza[m] | #topic Secure RBAC | 15:04 |
dmendiza[m] | Not a whole lot of updates from me this week. We do have some TripleO Heat Template changes pending that need to get merged. I'll probably be harassing the owners this week. | 15:05 |
dmendiza[m] | Any questions/comments about SRBAC this week? | 15:05 |
dmendiza[m] | OK, moving on ... | 15:09 |
dmendiza[m] | #topic OAuth 2.0 | 15:09 |
dmendiza[m] | h_asahina: around? | 15:09 |
h_asahina | yes | 15:10 |
h_asahina | Today, I'd like to talk about the necessity of OAuth2.0 Introspection API which I defined in the spec. | 15:11 |
h_asahina | Although I defined OAuth2.0 Introspection API in the current spec, maybe it can be omitted. | 15:11 |
h_asahina | The purpose of the introspection API is to get metadata and verify the token validity. | 15:11 |
h_asahina | As we decided to use X-Auth-Token as OAuth2.0 access token, this purpose can be accomplished through an existing identity API. | 15:12 |
h_asahina | So, I think we don't need OAuth2.0 Introspection API. Could you tell me your opinion? | 15:13 |
knikolla | I think we don't need it for now. But it would be a nice thing to have if we want to have more general support for keystone as an authorization server for oauth 2.0. | 15:14 |
h_asahina | I agree with that | 15:14 |
h_asahina | If we need to support additional token types, we should add it. | 15:15 |
knikolla | Probably more important with new grant types than with token types | 15:16 |
opendevreview | Merged openstack/keystone master: sql: Trivial formatting changes https://review.opendev.org/c/openstack/keystone/+/823660 | 15:17 |
h_asahina | Could you tell me why? I think the situation where we need Introspection API is like when we want to use OAuth2.0 in keystone from the other services from the openstack. | 15:18 |
h_asahina | if we add a new grant type, we can use an existing API for the introspection as long as we use X-Auth-Token. Am I wrong? | 15:20 |
knikolla | Services within the OpenStack ecosystem already know how to authenticate to keystone and introspect endpoints (either through the keystoneauth, keystoneclient or keystonemiddleware). | 15:20 |
knikolla | For them an introspection endpoint already exists within the already defined API. | 15:20 |
knikolla | Thus it's services which don't "speak OpenStack" and use OAuth 2.0 entirely, that would require new OAuth 2.0 conforming endpoints and grant types. | 15:21 |
knikolla | The token type is less important, as it's usually treated as opaque. | 15:22 |
h_asahina | Is that the situation where we want to use keystone as just an OAuth2.0 authorization server? | 15:25 |
knikolla | Possibly, though it's less about that. It works both ways. If keystone supports open standards, then we can transition other openstack services to talk to keystone using those open standards. Which opens the door for allowing other authorization servers to be used in place of keystone if so desired. | 15:26 |
h_asahina | You mean by supporting open standard like Introspection API makes the other components like keystonemiddleware to support the standard? | 15:28 |
knikolla | yes | 15:29 |
h_asahina | I got it. | 15:29 |
h_asahina | However, for now, we don't strongly need it. | 15:29 |
knikolla | Correct | 15:30 |
h_asahina | If we implement it, it is just a wrapper of an existing identity API. | 15:30 |
knikolla | Yes. | 15:31 |
h_asahina | It's redundant and confusing. So, do you agree with omitting it in Yoga release? | 15:31 |
knikolla | 100% | 15:31 |
h_asahina | Ok, thanks. I'll update spec. | 15:31 |
dmendiza[m] | Cool | 15:32 |
knikolla | Thanks! | 15:32 |
dmendiza[m] | Anything else on this topic h_asahina ? | 15:32 |
h_asahina | Nothing | 15:32 |
dmendiza[m] | OK, moving on | 15:32 |
dmendiza[m] | #topic Open Discussion | 15:32 |
dmendiza[m] | Any other topics y'all want to talk about? | 15:32 |
knikolla | The CFP for proposals for Berlin is open | 15:33 |
knikolla | Anybody planning to submit anything? Or planning to travel? | 15:33 |
dmendiza[m] | Ah yes, the Summit. | 15:33 |
dmendiza[m] | I think it would be good to go talk about the Secure-RBAC work everyone has been doing | 15:33 |
dmendiza[m] | I've gotta talk to lbragstad about it. | 15:34 |
knikolla | cool | 15:35 |
knikolla | I have no clue what to propose to talk about yet. | 15:36 |
dmendiza[m] | h_asahina you should consider talking about the OAuth work you're doing. | 15:38 |
d34dh0r53 | I don't either | 15:39 |
h_asahina | Alright. it's first time for me to attend the Summit, but I'll consider it. | 15:40 |
h_asahina | What should I do if I propose something? | 15:42 |
gagehugo | hope it gets accepted then speak in front of a crowd :) | 15:44 |
dmendiza[m] | h_asahina: The CFP is over here: https://cfp.openinfra.dev/app/berlin-2022 | 15:45 |
dmendiza[m] | If you do submit something let us know | 15:45 |
dmendiza[m] | In the past they've asked folks to vote for the talks that get selected | 15:45 |
dmendiza[m] | So I usually ask folks for votes here, haha | 15:45 |
h_asahina | thanks. I'll notify here if I submit something. | 15:46 |
dmendiza[m] | Cool, any other topics before we take a look at the bugs? | 15:46 |
knikolla | In the past, each project got its own project update session too. I don't know if that's the case this year as well. | 15:46 |
d34dh0r53 | I have two items, the first is with Lance's move this fell through the cracks https://bugs.launchpad.net/keystone/+bug/1901891 so I'll be working on a fix for #3 this week and may ping people for reviews. Second, let me know if you want to be added to the reviewathon invitees, planning on scheduling for this Friday the 21st so please let me know conflicts as well | 15:47 |
knikolla | d34dh0r53: sounds great! | 15:48 |
knikolla | also, my Friday is wide open this week. | 15:48 |
d34dh0r53 | excellent knikolla | 15:49 |
dmendiza[m] | count me in for Friday as well | 15:49 |
d34dh0r53 | thanks dmendiza[m] | 15:49 |
dmendiza[m] | We've only got a few minutes left | 15:52 |
dmendiza[m] | which is probably not enough for bug triage | 15:52 |
dmendiza[m] | So let's punt until next week (or Friday) | 15:52 |
dmendiza[m] | Thanks for joining, everyone! | 15:52 |
knikolla | Thanks! | 15:52 |
dmendiza[m] | #endmeeting | 15:52 |
opendevmeet | Meeting ended Tue Jan 18 15:52:58 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:52 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-18-15.00.html | 15:52 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-18-15.00.txt | 15:52 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2022/keystone.2022-01-18-15.00.log.html | 15:52 |
d34dh0r53 | Thanks dmendiza[m] | 15:53 |
*** dasm is now known as dasm| | 23:02 | |
*** dasm| is now known as dasm|off | 23:02 |