Tuesday, 2023-01-10

[14:00] *** dasm|off is now known as dasm
[15:00] <d34dh0r53> #startmeeting keystone
[15:00] <opendevmeet> Meeting started Tue Jan 10 15:00:35 2023 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:00] <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:00] <opendevmeet> The meeting name has been set to 'keystone'
[15:00] <d34dh0r53> #topic roll call
[15:00] <knikolla[m]> o/
[15:00] <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev
[15:01] <xek> o/
[15:01] <d34dh0r53> o/
[15:01] <d34dh0r53> good time off knikolla[m] ?
[15:02] <knikolla[m]> yes! thank you :)
[15:03] <d34dh0r53> awesome
[15:03] <d34dh0r53> #topic review past meeting work items
[15:04] <d34dh0r53> I thought I was going crazy because the log was missing, turns out it's in the 2023 folder :)
[15:04] <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-01-03-15.03.html
[15:07] <d34dh0r53> I'm going to skip the reviewathon items as it was only me and hiromu
[15:08] <d34dh0r53> d34dh0r53 update the CrossProjectLiaisons wiki https://wiki.openstack.org/wiki/CrossProjectLiaisons
[15:08] <d34dh0r53> didn't get to this yet
[15:08] <d34dh0r53> #action d34dh0r53 update the CrossProjectLiaisons wiki https://wiki.openstack.org/wiki/CrossProjectLiaisons
[15:08] <d34dh0r53> d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
[15:08] <d34dh0r53> nor this, will try to take care of the housekeeping stuff this week
[15:08] <d34dh0r53> #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more
[15:09] <d34dh0r53> next up we have
[15:09] <d34dh0r53> #topic liaison updates
[15:09] <d34dh0r53> no updates from VMT
[15:10] <d34dh0r53> As far as release management goes I think we're good on keystoneauth, xek do you need any more reviews there?
[15:11] <d34dh0r53> ok, moving on to spec review
[15:12] <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
[15:12] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext
[15:12] <d34dh0r53> External OAuth 2.0 Specification
[15:12] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554
[15:12] <d34dh0r53> OAuth 2.0 Implementation
[15:12] <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls
[15:12] <d34dh0r53> OAuth 2.0 Documentation
[15:12] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108
[15:12] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104
[15:13] <d34dh0r53> After speaking with hiromu they would like to get the External OAuth 2.0 specification and code merged before Antelope-3 so I'd like to prioritize those reviews if possible
[15:14] <hiromu> yes. thanks d34dh0r53. Aslo, I told it to d34dh0r53 the last week, we need to merge mTLS OAuth2.0 path for keystoneauth to implement External OAuth2.0 specification.
[15:15] <hiromu> /Aslo/Also/
[15:15] <hiromu> https://review.opendev.org/c/openstack/keystonemiddleware/+/868734
[15:16] <hiromu> the above patch depends on https://review.opendev.org/c/openstack/keystoneauth/+/860614
[15:16] <knikolla[m]> hiromu: we can try, but while I'm sure we'll be able to merge all the mTLS patches, I'm not confident we can get External Auth in time.
[15:17] <hiromu> I think the patches for the external oauth2.0 are lighter than the mTLS ones.
[15:18] <hiromu> only changed keystonemiddleware and keystoneauth. both are the client side.
[15:19] <hiromu> and 1 spec: https://review.opendev.org/c/openstack/keystone-specs/+/861554
[15:19] <knikolla[m]> I agree with you that the patches may be lighter. But it's significantly changing the way things can work by removing Keystone from the picture.
[15:20] <knikolla[m]> We need to define a standard for how project information is read from the token endpoint
[15:20] <hiromu> i see
[15:20] <knikolla[m]> Code is easy, APIs are hard because we need to maintain compatibility once it's merged
[15:21] <d34dh0r53> That's a good point knikolla[m]
[15:22] <hiromu> only I can say is we made codes generic as much as possible.
[15:23] <hiromu> so that users can configure how attributes obtained from the introspection responses mapped to openstack environment variables
[15:24] <knikolla[m]> I will comment in the spec with my feedback
[15:25] <hiromu> okey
[15:25] <knikolla[m]> There's a lot of things that are not obvious
[15:25] <knikolla[m]> And removing Keystone entirely from the picture doesn't give you a lot that the current mechanisms that you have implemented do.
[15:25] <knikolla[m]> For example: you can authenticate using oauth 2.0, and you can send a request using bearer token as per oauth 2.0 to any service, and that will work
[15:26] <knikolla[m]> That is all without implementing external oauth 2.0. do you agree?
[15:27] <hiromu> yes
[15:27] <hiromu> you're right. we are targeting the users who already have another authn server
[15:27] <hiromu> and use it for standalone openstack services.
[15:28] <knikolla[m]> Exactly, it introduces an improvement in experience for operators who have clouds that have 1-2 services and don't want to run keystone.
[15:28] <knikolla[m]> But it doesn't introduce any new thing for them that is impossible right now.
[15:30] <hiromu> that's true
[15:30] <knikolla[m]> I agree that adding support for external authorization servers to keystonemiddleware is important and makes a lot of sense for a next step. But I want to do it in a way that benefits all the openstack ecosystem as opposed to a small use case.
[15:30] <knikolla[m]> So that's why I don't want to rush this through.
[15:31] <knikolla[m]> Cause once we implement it like this, it will be really hard to change.
[15:32] <hiromu> our proposal strongly depends on the client credentials grant. is that the point?
[15:32] <hiromu> I said this because introspection itself is rfc-based
[15:33] <knikolla[m]> Not entirely. It's about the user experience.
[15:34] <hiromu> got it. basically, I agree with it affect to the future implementation, but what kind of trigger or use cases we need to progress?
[15:36] <knikolla[m]> That's a really good question. I need to think about this a bit more. But at the top of my mind it's the lack of support in tools like the openstack CLI/SDK, and other services.
[15:36] <knikolla[m]> And in particular, figuring out authorization
[15:37] <knikolla[m]> Keystone stores the list of projects, but without keystone, what projects exist?
[15:37] <hiromu> hmm, at least we will experiment them with barbican.
[15:37] <hiromu> we will try to deploy tacker and barbican without keystone.
[15:38] <knikolla[m]> Please do.
[15:38] <knikolla[m]> An ideal target would also be Ironic.
[15:38] <knikolla[m]> Please reach out to that team and see if there's anything that may be beneficial to their use case.
[15:39] <hiromu> okey. i got your point. we need a kind of consensus among several openstack projects.
[15:40] <d34dh0r53> ok, great discussion, glad we had it.  We can continue during the reviewathon if needed
[15:40] <d34dh0r53> thanks knikolla[m] and hiromu
[15:41] <hiromu> thank you for the discussion.
[15:41] <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
[15:41] <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_
[15:41] <d34dh0r53> Service Role Implementation
[15:41] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/863420
[15:41] <d34dh0r53> Manager Role Implementation
[15:41] <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/822601
[15:42] <d34dh0r53> Hoping to get some time to test the two -1's on the manager role implementation on Friday, I'd like to get those cleared up
[15:44] <d34dh0r53> ok, moving on to open discussion
[15:44] <d34dh0r53> #topic open discussion
[15:44] <d34dh0r53> OIS2023 submission  (hiromu):
[15:44] <d34dh0r53>     - Manuscript: https://etherpad.opendev.org/p/ois2023-tacker-keystone
[15:45] <hiromu> ah, i already got lgtm from knikolla. it's done.
[15:45] <hiromu> thank you knikolla :)
[15:45] <d34dh0r53> Excellent!
[15:45] <knikolla[m]> hiromu: thanks for sending that.
[15:46] <d34dh0r53> anything else before we move on to bug review?
[15:46] <d34dh0r53> #topic bug review
[15:46] <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
[15:47] <d34dh0r53> nothing new for keystone, going to clean up some more bugs here so don't be surprised by the emails :)
[15:47] <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
[15:47] <d34dh0r53> nothing new for python-keystoneclient either
[15:48] <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
[15:49] <d34dh0r53> nothing new there, we do have this one https://bugs.launchpad.net/keystoneauth/+bug/2000742 that came in at the end of the year
[15:51] <d34dh0r53> moving on
[15:51] <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
[15:51] <d34dh0r53> one new one https://bugs.launchpad.net/keystonemiddleware/+bug/2002203
[15:51] <d34dh0r53> keystonemiddleware is missing the Yoga series release notes
[15:54] <d34dh0r53> not sure that there were any which is probably why they're missing
[15:54] <d34dh0r53> next up
[15:54] <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
[15:54] <d34dh0r53> nothing new in pycadf
[15:54] <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
[15:54] <d34dh0r53> ldappool also has nothing new
[15:54] <d34dh0r53> #topic conclusion
[15:55] <d34dh0r53> thanks for joining today folks!
[15:55] <d34dh0r53> reminder that we have the reviewathon on Friday, please let me know if you'd like to be added to the invite
[15:55] <d34dh0r53> anything else before I close?
[15:56] <d34dh0r53> thanks all!
[15:56] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystoneauth/+/838104
[15:56] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
[15:57] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
[15:57] <d34dh0r53> #undo
[15:57] <opendevmeet> Removing item from minutes: #action reviewathon https://review.opendev.org/c/openstack/keystone/+/838108
[15:57] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/860928
[15:57] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystone/+/863420
[15:57] <d34dh0r53> #action reviewathon https://review.opendev.org/c/openstack/keystoneauth/+/867603
[15:57] <d34dh0r53> #endmeeting
[15:57] <opendevmeet> Meeting ended Tue Jan 10 15:57:43 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[15:57] <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-01-10-15.00.html
[15:57] <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-01-10-15.00.txt
[15:57] <opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-01-10-15.00.log.html
[19:31] *** EugenMayer43 is now known as EugenMayer4
[19:41] <gmann> d34dh0r53: can we merge this tox fix to unblock gate https://review.opendev.org/c/openstack/keystone/+/869092
[19:45] <d34dh0r53> gmann: yeah, I don't have core on keystone so hopefully knikolla[m] or xek is around and can merge
[19:48] <gmann> ok
[22:44] -opendevstatus- NOTICE: One of our CI job log storage providers appears to be having trouble with log uploads and retrievals. We are in the process of removing that provider from the pool.
[23:04] <JayF> Is there any interest in https://review.opendev.org/c/openstack/keystoneauth/+/841169 ever merging? Ironic worked around the bug this was causing for us a long time ago, I picked up the patch and brought it up to date... but it's been lingering a while
[23:04] <JayF> if I don't hear anything affirmative in here, or a comment on that patch in the next few days, I'm going to abandon the completed bugfix for lack of interest