| *** mhen_ is now known as mhen | 02:33 | |
| *** blarnath is now known as d34dh0r53 | 14:56 | |
| d34dh0r53 | #startmeeting keystone | 15:00 |
|---|---|---|
| opendevmeet | Meeting started Wed Jan 17 15:00:53 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:00 |
| d34dh0r53 | #topic roll call | 15:01 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley,jph | 15:01 |
| d34dh0r53 | o/ | 15:01 |
| dmendiza[m] | 🙋 | 15:01 |
| d34dh0r53 | #topic liaison updates | 15:03 |
| d34dh0r53 | nothing from VMT nor Release Management | 15:03 |
| d34dh0r53 | #topic review past meeting work items | 15:04 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-10-15.01.html | 15:04 |
| d34dh0r53 | no updates, still a WIP to add these sections to the docs | 15:05 |
| d34dh0r53 | #action d34dh0r53 Look into adding/restoring a known issues section to our documentation | 15:05 |
| d34dh0r53 | #action d34dh0r53 add https://bugs.launchpad.net/keystone/+bug/1305950 to the known issues section of our documentation | 15:05 |
| d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:05 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:06 |
| d34dh0r53 | External OAuth 2.0 Specification | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 | 15:06 |
| d34dh0r53 | OAuth 2.0 Implementation | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:06 |
| d34dh0r53 | OAuth 2.0 Documentation | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 | 15:06 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 | 15:06 |
| d34dh0r53 | looks like hiromu isn't around today | 15:08 |
| d34dh0r53 | moving on | 15:08 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:08 |
| d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:08 |
| d34dh0r53 | 2024.1 Release Timeline | 15:08 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:09 |
| d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:09 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/902730 | 15:09 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713 | 15:09 |
| dmendiza[m] | Still loking for reviews on the Phase 1 patch: ^^^^ | 15:09 |
| dmendiza[m] | Working on the tempest test changes, but it's a bit messy since I have to reorganize some large classes. 😒 | 15:09 |
| d34dh0r53 | I'll review the phase 1 patch today, on my list of ToDo's | 15:10 |
| dmendiza[m] | thanks d34dh0r53 | 15:10 |
| d34dh0r53 | np | 15:12 |
| d34dh0r53 | next up | 15:12 |
| d34dh0r53 | #topic specification Add schema version and support to "domain" attribute in mapping rules (gtema) | 15:12 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/748042 (merged) | 15:12 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/739966 | 15:12 |
| gtema | pls reviews | 15:13 |
| d34dh0r53 | ack, I'll add that to my list | 15:13 |
| gtema | we are ready for next steps and need that change to be processed | 15:13 |
| d34dh0r53 | thanks gtema | 15:13 |
| d34dh0r53 | #topic open discussion | 15:15 |
| d34dh0r53 | I don't have anything | 15:15 |
| bbobrov | i have | 15:16 |
| bbobrov | i would like to talk about project tags and access to them by various actors. Today project tags are there for project admins. They can change them, via a separate API or via a project update API. | 15:17 |
| bbobrov | We would like to have project tags, that would be writeable only by "system admins". It will allow our system admins to enable certain features for projects based on existence (or nonexistence) of the tags. | 15:17 |
| bbobrov | the tags are also company-specific and probably should not be done by adding new resource options | 15:18 |
| bbobrov | would adding tag prefixes or tag namespaces be an option? | 15:19 |
| bbobrov | would this change be even in scope of keystone, or should it rather be implemented elsewhere? | 15:19 |
| gtema | tags are not only writable by admins - there are clouds where domain admins can manage project tags | 15:21 |
| bbobrov | yes, that is true. But i would like to designate certain tags to be writeable only by system admins. | 15:22 |
| d34dh0r53 | ahh, I see, a permissions flag for certain tags | 15:22 |
| d34dh0r53 | dmendiza[m]: would this be possible with a custom policy? | 15:25 |
| dmendiza[m] | Hmm... it would be tough to do, I think ... the policy engine works on an endpoint (URL) and can possibly use metadata about the object to make a decision. | 15:27 |
| dmendiza[m] | Not sure what could be done in a tag to differentiate it from other tags | 15:28 |
| bbobrov | they only way to do it via policies is to delegate the decision to a remote server (via http: rule) | 15:28 |
| d34dh0r53 | hmm, ok | 15:29 |
| bbobrov | another way to implement this would be via a new endpoint, something like /v3/projects/project_id/system-tags/, but it is a stretch, because it asks for a /domain-tags/ after that :) | 15:30 |
| d34dh0r53 | right | 15:31 |
| d34dh0r53 | I think this needs a spec as it's an API change as proposed here | 15:31 |
| bbobrov | honestly, i am not even sure that it should be in scope of keystone; maybe i should just go with yet another microservice | 15:32 |
| bbobrov | which is also not great, because i have to protect it with all the oslo stuff | 15:32 |
| jrosser | could i ask if it would be possible to merge the fix here https://bugs.launchpad.net/keystone/+bug/2030061? | 15:34 |
| d34dh0r53 | jrosser: I'll take a closer look at the fix for that later today, it does need tests though | 15:38 |
| jrosser | ok so on that, andrew works on my team and we put a bunch of time to debug and make the bug / example fix | 15:38 |
| jrosser | however we certainly do not have the skills to make a test for it | 15:39 |
| d34dh0r53 | bbobrov: yeah, it's a grey area | 15:40 |
| d34dh0r53 | jrosser: ack | 15:42 |
| d34dh0r53 | moving on for the sake of time | 15:42 |
| d34dh0r53 | bbobrov: it's up to you, we're certainly willing to look at a spec for adding that ability | 15:43 |
| d34dh0r53 | #topic bug review | 15:43 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:43 |
| d34dh0r53 | looks like a new bug for keystone | 15:44 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2049559 | 15:44 |
| d34dh0r53 | any volunteers to look at that one? | 15:45 |
| bbobrov | i think it was a deliberate decision to hide the error message from the user | 15:45 |
| d34dh0r53 | I think so too, but I'd have to check | 15:46 |
| bbobrov | and that the reason is transmitted only via notifications | 15:46 |
| d34dh0r53 | yeah, this is by design, just found the release note stating that | 15:47 |
| d34dh0r53 | I'll update the bug | 15:47 |
| d34dh0r53 | next up | 15:49 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:49 |
| d34dh0r53 | no new bugs for python-keystoneclient | 15:49 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:49 |
| d34dh0r53 | keystoneauth has no new issues | 15:50 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:50 |
| d34dh0r53 | keystonemiddleware is also goo | 15:50 |
| d34dh0r53 | d | 15:50 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:50 |
| d34dh0r53 | nothing new in pycadf | 15:51 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:51 |
| d34dh0r53 | ldappool is good to go | 15:51 |
| d34dh0r53 | #topic conclusion | 15:51 |
| d34dh0r53 | Thanks folks! | 15:51 |
| d34dh0r53 | I don't have anything | 15:51 |
| d34dh0r53 | #endmeeting | 15:52 |
| opendevmeet | Meeting ended Wed Jan 17 15:52:14 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:52 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-17-15.00.html | 15:52 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-17-15.00.txt | 15:52 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-01-17-15.00.log.html | 15:52 |
| bbobrov | thanks | 15:52 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!