*** thuvh1 is now known as thuvh | 07:15 | |
*** thuvh1 is now known as thuvh | 07:28 | |
d34dh0r53 | #startmeeting keystone | 15:01 |
---|---|---|
opendevmeet | Meeting started Tue Feb 28 15:01:08 2023 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'keystone' | 15:01 |
d34dh0r53 | #topic roll call | 15:01 |
zaitcev | o/ | 15:01 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, arequate, dmendiza[m] | 15:01 |
d34dh0r53 | o/ | 15:01 |
knikolla[m] | o/ | 15:01 |
hiromu | o/ | 15:02 |
dmendiza[m] | 🙋‍♂️ | 15:03 |
d34dh0r53 | Hi all, thanks for joining | 15:03 |
* d34dh0r53 is wondering how Doug's dog liked the snow? :) | 15:03 | |
d34dh0r53 | #topic review past meeting work items | 15:04 |
d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-02-21-15.00.html | 15:04 |
d34dh0r53 | same work item as last week which I haven't had a chance to look deeper into, so pushing | 15:05 |
d34dh0r53 | #action d34dh0r53 look into the keystone-groups members as well https://review.opendev.org/admin/groups/d7203dc55fa9bdf98c578b16ac398e0c754a1a67,members not sure if it's used any more | 15:05 |
d34dh0r53 | #topic liaison updates | 15:06 |
d34dh0r53 | nothing from VMT | 15:06 |
dmendiza[m] | > * <@_oftc_d34dh0r53:matrix.org> is wondering how Doug's dog liked the snow? :) | 15:08 |
dmendiza[m] | Doggo was not interested in a snowy walk | 15:08 |
d34dh0r53 | lol | 15:08 |
d34dh0r53 | #topic specifications OAuth 2.0 (hiromu) | 15:09 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:09 |
d34dh0r53 | External OAuth 2.0 Specification | 15:09 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:09 |
d34dh0r53 | OAuth 2.0 Implementation | 15:09 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:09 |
d34dh0r53 | OAuth 2.0 Documentation | 15:09 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 | 15:09 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 | 15:10 |
d34dh0r53 | dmendiza[m] and I tried to look at this yesterday but gerrit was down :/ | 15:10 |
d34dh0r53 | we have another meeting scheduled for this afternoon to revisit | 15:10 |
hiromu | got it. please let me know if you have any additional questions. | 15:11 |
d34dh0r53 | will do, thanks hiromu | 15:11 |
hiromu | :) | 15:11 |
d34dh0r53 | next up | 15:11 |
d34dh0r53 | #topic Secure RBAC (dmendiza[m]) | 15:11 |
d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:11 |
d34dh0r53 | Service Role Implementation | 15:11 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/863420 | 15:11 |
d34dh0r53 | Manager Role Implementation | 15:12 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/822601 | 15:12 |
dmendiza[m] | I don't have any updates ... still haven't gotten up to speed as to the latest SRBAC goings-on | 15:12 |
d34dh0r53 | ack | 15:12 |
d34dh0r53 | sounds good, let us know if you need anything | 15:14 |
d34dh0r53 | #topic open discussion | 15:14 |
d34dh0r53 | (drencrom) Need some reviews for this backport: | 15:14 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystonemiddleware/+/873924 | 15:14 |
d34dh0r53 | cores, please review | 15:15 |
d34dh0r53 | anything else we need to discuss before bug review? | 15:16 |
dmendiza[m] | Not sure if we want to talk about Federation + Role assignments here? | 15:17 |
d34dh0r53 | yeah, go ahead | 15:18 |
dmendiza[m] | I'm sure we can just test this, but we were wondering what happens when you use Keystone roles API to assign roles to a federated user? | 15:18 |
knikolla[m] | they act as normal users, it works fine | 15:18 |
knikolla[m] | behave* | 15:19 |
dmendiza[m] | I see ... so we just merge assigned roles + whatever roles the mapping adds? | 15:19 |
knikolla[m] | the roles the mapping adds are not persisted | 15:19 |
knikolla[m] | unless they are specified in the project section | 15:19 |
knikolla[m] | or unless they are group memberships, and the operator has configured expiring group memberships | 15:20 |
knikolla[m] | otherwise, the mapping authorization is only valid for the duration of the token | 15:21 |
d34dh0r53 | I was wondering that | 15:23 |
dmendiza[m] | Sweet. So if we change mappings, the next token will have the updated mapped roles | 15:23 |
knikolla[m] | yes | 15:24 |
dmendiza[m] | Cool. I think that answers my questions. Thanks, knikolla | 15:25 |
d34dh0r53 | Thanks knikolla[m] | 15:25 |
knikolla[m] | cool. i have a talk accepted for Vancouver where I go into much more detail into the above options | 15:25 |
d34dh0r53 | excellent | 15:26 |
dmendiza[m] | Nice! Looking forward to that ... (although probably watching after the fact on video) | 15:26 |
d34dh0r53 | indeed | 15:28 |
d34dh0r53 | moving on to | 15:28 |
d34dh0r53 | #topic bug review | 15:29 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:29 |
d34dh0r53 | no new bugs but we have a couple of bugs from the last couple of weeks | 15:30 |
d34dh0r53 | that could use a look if anyone has time | 15:30 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2007982 | 15:30 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2006631 | 15:30 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:31 |
d34dh0r53 | python-keystoneclient is clean | 15:31 |
d34dh0r53 | next up | 15:32 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:32 |
d34dh0r53 | nothing new for keystoneauth | 15:32 |
d34dh0r53 | next we have: | 15:32 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:33 |
d34dh0r53 | sorry, nuked my IRC client :/ | 15:33 |
d34dh0r53 | no new bugs in keystonemiddleware | 15:34 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:34 |
d34dh0r53 | pycadf is clean | 15:34 |
d34dh0r53 | and... | 15:34 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:34 |
d34dh0r53 | ldappool also has no new bugs | 15:34 |
d34dh0r53 | #topic conclusion | 15:35 |
d34dh0r53 | Anyone have anything else before we go? | 15:35 |
arequate | Late for open discussion, but would like to raise interest in https://review.opendev.org/c/openstack/keystoneauth/+/869876 | 15:35 |
d34dh0r53 | arequate: yeah, I saw that you updated that and am going to review it today | 15:36 |
d34dh0r53 | knikolla[m], dmendiza[m], xek ^^ if you get a chance | 15:36 |
d34dh0r53 | arequate: anything specific you'd like to raise? | 15:37 |
knikolla[m] | ++, it's on my task list for today | 15:37 |
d34dh0r53 | thanks knikolla[m] | 15:37 |
zaitcev | I'm still struggling with writing tests. Fixed bug 1999068, in https://review.opendev.org/c/openstack/keystone/+/874346, but now I have to form tokens by hand for testing, etc. | 15:38 |
d34dh0r53 | zaitcev: ack, let me see what I can come up with and I'll paste it in the review | 15:44 |
d34dh0r53 | anything else before we close? | 15:44 |
d34dh0r53 | thanks all! | 15:45 |
d34dh0r53 | have a great rest of your week :) | 15:46 |
d34dh0r53 | #endmeeting | 15:46 |
opendevmeet | Meeting ended Tue Feb 28 15:46:07 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:46 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-02-28-15.01.html | 15:46 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-02-28-15.01.txt | 15:46 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2023/keystone.2023-02-28-15.01.log.html | 15:46 |
dmendiza[m] | Thanks d34dh0r53 ! | 15:48 |
opendevreview | Merged openstack/keystone master: Force algo specific maximum length https://review.opendev.org/c/openstack/keystone/+/828595 | 16:47 |
opendevreview | Stephen Finucane proposed openstack/keystone master: Bump SQLAlchemy minimum version https://review.opendev.org/c/openstack/keystone/+/875539 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: tests: Enable SQLAlchemy 2.0 deprecation warnings https://review.opendev.org/c/openstack/keystone/+/875540 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: sql: Add support for auto-generation https://review.opendev.org/c/openstack/keystone/+/826147 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: sql: Fix incorrect constraints https://review.opendev.org/c/openstack/keystone/+/851845 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Remove use of 'bind' arguments https://review.opendev.org/c/openstack/keystone/+/875758 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Replace use of legacy select() calling style https://review.opendev.org/c/openstack/keystone/+/875759 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Replace use of 'autoload' parameter https://review.opendev.org/c/openstack/keystone/+/875760 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Don't pass strings to 'Connection.execute' https://review.opendev.org/c/openstack/keystone/+/875761 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Replace use of Query.get() https://review.opendev.org/c/openstack/keystone/+/875762 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Replace use of reverse cascades https://review.opendev.org/c/openstack/keystone/+/875763 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: db: Remove legacy migrations https://review.opendev.org/c/openstack/keystone/+/875764 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: tests: Rework BannedDBSchemaOperations fixture https://review.opendev.org/c/openstack/keystone/+/875765 | 17:26 |
opendevreview | Stephen Finucane proposed openstack/keystone master: Remove unnecessary removal of pyc files https://review.opendev.org/c/openstack/keystone/+/875766 | 17:28 |
stephenfin | dmendiza[m]: knikolla[m]: d34dh0r53: Folks, that series above should set us up nicely for SQLAlchemy 2.0. We shouldn't merge any of them right now of course but it would be good to get them in as early as possible in Bobcat. I'd really appreciate reviews to make sure they're not hanging around too long. | 17:41 |
JayF | Just a warning: if you all support, even a little bit, sqlite DBs, make sure to explicitly test it. | 17:47 |
JayF | We had to do two round-trips for Ironic, one to make mysql work, one to make sqlite work (sqlite is more particular about locking) | 17:48 |
JayF | good work though :) SQLA2 is not an easy lift | 17:48 |
dre3ncrom | Hey, silly question: I have seen both project_domain_id and project_domain_name parameters in [keystone-authtoken] and both contain a name like "admin". Are both ok, or is one of them the correct one? | 17:50 |
stephenfin | JayF: Thanks. I suspect there'll be more to it than this. This gets rid of all the deprecation warnings at least | 17:51 |
opendevreview | Stephen Finucane proposed openstack/keystone master: tests: Rework BannedDBSchemaOperations fixture https://review.opendev.org/c/openstack/keystone/+/875765 | 17:55 |
opendevreview | Stephen Finucane proposed openstack/keystone master: sql: Add support for auto-generation https://review.opendev.org/c/openstack/keystone/+/826147 | 17:55 |
opendevreview | Stephen Finucane proposed openstack/keystone master: sql: Fix incorrect constraints https://review.opendev.org/c/openstack/keystone/+/851845 | 17:55 |
opendevreview | Merged openstack/keystonemiddleware master: Add missing doc requirements https://review.opendev.org/c/openstack/keystonemiddleware/+/873382 | 19:34 |