| *** mhen_ is now known as mhen | 01:54 | |
| bbobrov | o/? | 15:02 |
|---|---|---|
| gtema | lol | 15:03 |
| xek | We have an internal meeting that's running late | 15:07 |
| d34dh0r53 | sorry | 15:08 |
| d34dh0r53 | #startmeeting keystone | 15:08 |
| opendevmeet | Meeting started Wed Jun 5 15:08:09 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:08 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:08 |
| opendevmeet | The meeting name has been set to 'keystone' | 15:08 |
| d34dh0r53 | #topic roll call | 15:08 |
| d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema | 15:08 |
| xek | o/ | 15:08 |
| d34dh0r53 | apologies for the late start, internal meeting ran over | 15:09 |
| gtema | o/ | 15:09 |
| d34dh0r53 | #topic review past meeting work items | 15:10 |
| d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-29-15.02.html | 15:10 |
| d34dh0r53 | No action items from the last meeting, so we'll move on | 15:10 |
| d34dh0r53 | #topic liaison updates | 15:11 |
| d34dh0r53 | no updates from VMT or Releases | 15:11 |
| d34dh0r53 | #topic specification OAuth 2.0 (hiromu)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/fvtpEMahbekNLRCfgoxzSTWG>) | 15:11 |
| d34dh0r53 | I need to get to rebasing the remaining patches to see if we can finish this up | 15:12 |
| d34dh0r53 | next up | 15:12 |
| d34dh0r53 | #topic specification Secure RBAC (dmendiza[m])... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/uWeAyJusTMVCvAcmLqLAwxNC>) | 15:13 |
| d34dh0r53 | dmendiza: are you around? I didn't see you in the roll call | 15:13 |
| dmendiza[m] | 🙋♂️ | 15:14 |
| d34dh0r53 | guess not, moving on | 15:15 |
| d34dh0r53 | #topic specification Improve federated users management (gtema) | 15:16 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/920892 | 15:16 |
| d34dh0r53 | ready for review | 15:16 |
| gtema | wait | 15:16 |
| gtema | does somebody remember what is the state with SRBAC and Heat - there was something | 15:16 |
| dmendiza[m] | gtema (Artem Goncharov): Yeah, there is some workflow in Heat where they send Keystone a domain-scoped token | 15:17 |
| dmendiza[m] | policy for that specific API did not allow domain-scoped requests, so the request failed | 15:17 |
| gtema | somebody is working on the fix? | 15:18 |
| d34dh0r53 | I'll give this a review this week, thanks gtema (Artem Goncharov) | 15:19 |
| dmendiza[m] | The policy was fixed in this patch: | 15:19 |
| d34dh0r53 | next up | 15:19 |
| dmendiza[m] | #link https://opendev.org/openstack/keystone/commit/dd785ee692118a56ea0e3aaaf7f5bd6c73ea9c91 | 15:19 |
| d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:19 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 | 15:19 |
| d34dh0r53 | gtema: waiting for reviews | 15:19 |
| dmendiza[m] | gtema (Artem Goncharov) ☝️ | 15:19 |
| gtema | feels like a heavy un-sync between my element and Dave's | 15:19 |
| dmendiza[m] | gtema (Artem Goncharov): 💯 | 15:20 |
| gtema | thks dmendiza | 15:20 |
| dmendiza[m] | gtema (Artem Goncharov): pinging Dave Wilde (d34dh0r53) on a different channel | 15:20 |
| d34dh0r53 | I just found out I'm not seeing any of your messages, going to restart my client, BRB | 15:21 |
| bbobrov | (just use irc, duh) | 15:21 |
| gtema | nope - that's the problem: IRC bridge | 15:21 |
| d34dh0r53 | testing? | 15:21 |
| bbobrov | d34dh0r53: passed | 15:21 |
| dmendiza[m] | Dave Wilde (d34dh0r53): pong | 15:22 |
| opendevreview | Artem Goncharov proposed openstack/keystone master: Improve configuration of out-of-tree identity drivers https://review.opendev.org/c/openstack/keystone/+/920892 | 15:22 |
| d34dh0r53 | hah, wow, really sorry about that | 15:22 |
| d34dh0r53 | I had an element update waiting for me and I'll bet it had expired my keys | 15:22 |
| gtema | Dave Wilde (d34dh0r53): just pushed pep God's fix for the improving out-of-tree driver config (misread email that test failed before) | 15:23 |
| gtema | the change itself is not big, added lots of comments and therefore it looks bigger then it is | 15:23 |
| d34dh0r53 | ok, cool | 15:23 |
| gtema | struggled (as usual) convincing all the singletons my test is fine - it's a nightmare | 15:24 |
| gtema | anyway - the change is ready for review and no race in tests should be added with the latest patchset | 15:24 |
| gtema | tested explicitly with serial=1 | 15:24 |
| gtema | wrt openapi: waiting for the spec to land | 15:25 |
| d34dh0r53 | ack | 15:26 |
| d34dh0r53 | dmendiza: any srbac updates? | 15:26 |
| dmendiza[m] | Only the link I shared earlier that allows domain-scoped tokens to /v3/domains | 15:27 |
| dmendiza[m] | it was backported back to antelope | 15:27 |
| d34dh0r53 | ack | 15:27 |
| bbobrov | (the one that i wanted reverted i guess) | 15:29 |
| d34dh0r53 | No, I think it was a different one bbobrov | 15:30 |
| bbobrov | https://review.opendev.org/q/I8ee50efc3b4850060cce840fc904bae17f1503a9 ? | 15:31 |
| d34dh0r53 | Yeah | 15:32 |
| bbobrov | yes, it is the one | 15:32 |
| bbobrov | i don't know. I managed to work around this in our cloud, so i am not broken any more. But i still think that this change breaks API stability and should not have been merged like that. | 15:33 |
| dmendiza[m] | Yeah, IIRC, your disagreement was about the filtering, not necessarily the policy? | 15:34 |
| bbobrov | yes, it was about the filtering, but filtering got backported too | 15:34 |
| bbobrov | i am not broken with the change. I know a company that will get broken with this. Maybe they will come with a bugreport later. | 15:35 |
| d34dh0r53 | Sorry, was looking for your comment, and I just found it, I thought it was a -1 | 15:40 |
| bbobrov | yeah, i should have put a -1 | 15:42 |
| d34dh0r53 | I would argue that the previous behavior was a bug and this fixes it, but my gut feeling is that 'domain' means different things to different people. Let's see if a bug is filed. | 15:42 |
| d34dh0r53 | I think the only spec we haven't visited yet is | 15:43 |
| d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:43 |
| d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 | 15:43 |
| d34dh0r53 | gtema: waiting for reviews | 15:43 |
| d34dh0r53 | Grzegorz Grasza: | 15:44 |
| d34dh0r53 | can you take a look at that one? | 15:44 |
| d34dh0r53 | moving on | 15:46 |
| d34dh0r53 | #topic open discussion | 15:46 |
| d34dh0r53 | passlib update... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/enFOUAKlodnKOxTDbwCwmyOA>) | 15:47 |
| d34dh0r53 | no update, I need to propose a patch to pin upper-constraints | 15:47 |
| d34dh0r53 | next up | 15:47 |
| d34dh0r53 | domain manager (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ttlvUIIdMfZZgFLPrzPZbnRG>) | 15:47 |
| d34dh0r53 | dmendiza or Grzegorz Grasza can y'all please take a look at this one? | 15:48 |
| gtema | yes, pls pls pls | 15:49 |
| bbobrov | there is also this - https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/900545 | 15:49 |
| bbobrov | which was blocked for me (thanks!) and which should not be blocked any more | 15:49 |
| d34dh0r53 | ack, I'll unblock that one | 15:52 |
| d34dh0r53 | thanks bbobrov | 15:52 |
| d34dh0r53 | domain list scoping fix (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/kgigdMYKyYbaZFuKdYDXyewK>) | 15:52 |
| d34dh0r53 | next up | 15:52 |
| d34dh0r53 | We just talked about that | 15:53 |
| d34dh0r53 | finally in open discussion we have | 15:53 |
| d34dh0r53 | Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/GTlTzihMFAAlDTiTFGJHvjTl>) | 15:53 |
| dmendiza[m] | I think this is just about the test, not the patch | 15:53 |
| dmendiza[m] | oh whoops, a second too late haha | 15:54 |
| d34dh0r53 | no worries dmendiza we can go back ^Z ^Z | 15:54 |
| dmendiza[m] | Yeah, I want to say the only question we had was whether to merge that patch to tempest-plugin with the test for that endpoint | 15:58 |
| dmendiza[m] | IIRC, the test that is there now only tests on the domain for the user making the request and that patch has a cross-domain test ... | 15:58 |
| dmendiza[m] | I don't have a preference either way | 15:58 |
| d34dh0r53 | I think we should merge 900545 then | 16:00 |
| d34dh0r53 | and I think the only two remaining on the last point are whether or not https://review.opendev.org/c/openstack/keystone/+/916707 needs backports and https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/919405 needs reviews from dmendiza and Grzegorz Grasza. | 16:01 |
| d34dh0r53 | Let's quickly go through bug review | 16:01 |
| d34dh0r53 | #topic bug review | 16:01 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 16:01 |
| d34dh0r53 | no new bugs for keystone | 16:02 |
| d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 16:02 |
| d34dh0r53 | python-keystoneclient is good | 16:02 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 16:03 |
| d34dh0r53 | nothing new in keystoneauth | 16:03 |
| d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 16:03 |
| d34dh0r53 | keystonemiddleware is also good | 16:03 |
| d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 16:03 |
| d34dh0r53 | no new bugs in pycadf | 16:03 |
| d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 16:04 |
| d34dh0r53 | and ldappool is also clean | 16:04 |
| d34dh0r53 | #topic conclusion | 16:04 |
| d34dh0r53 | nothing from me, thanks all, apologies for the late start and missing messages :/ | 16:04 |
| d34dh0r53 | #endmeeting | 16:04 |
| opendevmeet | Meeting ended Wed Jun 5 16:04:52 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:04 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-05-15.08.html | 16:04 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-05-15.08.txt | 16:04 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-05-15.08.log.html | 16:04 |
| bbobrov | i would like to point out an issue with element: the minutes are a little broken with it - https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-15-15.01.html | 16:12 |
| bbobrov | all the #link commands end up in the text messages on matrix.org | 16:12 |
| dmendiza[m] | bbobrov: not sure I understand the issue? 🤔 The plaintext log looks fine to me: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-05-15.08.log.txt | 16:21 |
| dmendiza[m] | the pretty log looks fine too: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-05-15.08.log.html | 16:21 |
| dmendiza[m] | bbobrov: Is there something missing from the meeting summary that you were expecting? 🤔 | 16:22 |
| bbobrov | dmendiza[m]: the summary does not look nice: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-06-05-15.08.html and there are those matrix.org links in the logs that one has to click a lot | 16:49 |
| d34dh0r53 | bbobrov: thanks for pointing that out, I see what you're saying | 18:25 |
| d34dh0r53 | I believe it's the way I'm copy/pasting | 18:26 |
| *** dasm is now known as Guest8716 | 20:46 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!