*** ministry is now known as __ministry | 00:54 | |
*** mhen_ is now known as mhen | 01:45 | |
opendevreview | Douglas Mendizábal proposed openstack/keystone master: Add keystone-manage reset_last_active command https://review.opendev.org/c/openstack/keystone/+/924892 | 02:46 |
opendevreview | Takashi Kajinami proposed openstack/keystone master: Remove templated catalog driver https://review.opendev.org/c/openstack/keystone/+/917923 | 10:39 |
MikeCTZA | I upgraded our openstack a few weeks back (from Yoga to Zed to Antelope) using Kolla-Ansible, since then I've not had keystone tokens working nicely (I see errors in the logs), anyone here familiar with that, I've tried all sorts like recreating the fernet-tokens but nothing has helped. I'm not sure if it's causing the error I'm seeing in horizon when viewing my hypervisors (suspect so) | 12:03 |
gtema | In situations like that you should eliminate all side factors. I mean here if you want to check - check keystone and not use horizon | 12:05 |
MikeCTZA | on my 1 node I have keystone working perfectly fine, on the others I am getting "exception.TokenNotFound(e) keystone.exception.TokenNotFound: Could not recognize Fernet token" type errors | 12:08 |
MikeCTZA | agreed that horizon is just feeling at a knock on (I suspect) | 12:08 |
MikeCTZA | I've checked and the tokens which I believe are what's in play here in /var/lib/docker/volumes/keystone_fernet_tokens/_data are the same on all 3 nodes | 12:09 |
MikeCTZA | this all started when we had our upgrade fail due to a network disconnect, but we think we recovered OK and reran the upgrade, a few other small mistakes were made thereafter but I think we're OK - VMs and the cloud is working as expected (mostly) | 12:11 |
MikeCTZA | I shut down keystone on the 2 "bad" nodes, I still can't do the admin (project), admin, compute, hypervisors (I get this Error: Unable to retrieve providers information. 'MEMORY_MB') ... I'm wondering, possibly I should ask in main openstack channel as could be something not keystone, although I do have errors with that | 12:13 |
*** tkajinam is now known as Guest2415 | 12:52 | |
*** tkajinam is now known as Guest2416 | 13:00 | |
*** ministry is now known as __ministry | 13:55 | |
*** whoami-rajat_ is now known as whoami-rajat | 13:56 | |
mnaser | MikeCTZA: try flushing memcache out | 14:46 |
tafkamax | I am looking at the docs for users: https://docs.openstack.org/keystone/2024.1/admin/cli-manage-projects-users-and-roles.html | 14:59 |
tafkamax | I found that some examples have 'user' and some have 'username' | 14:59 |
tafkamax | In my DB there is no username entry. Is it still relevant or a deprecated thing? | 14:59 |
tafkamax | I am asking this because of skyline 'Real Name' value that would Firstname Lastname | 15:00 |
tafkamax | * that would be Firstname Lastname | 15:00 |
d34dh0r53 | #startmeeting keystone | 15:03 |
opendevmeet | Meeting started Wed Aug 7 15:03:17 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:03 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:03 |
opendevmeet | The meeting name has been set to 'keystone' | 15:03 |
d34dh0r53 | #topic roll call | 15:03 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema | 15:03 |
gtema | o/ | 15:03 |
d34dh0r53 | o/ | 15:03 |
mharley[m] | o/ | 15:03 |
jph | o/ | 15:04 |
dmendiza[m] | 🙋♂️ | 15:06 |
d34dh0r53 | sorry, was grabbing coffee | 15:08 |
d34dh0r53 | #topic review past meeting work items | 15:08 |
d34dh0r53 | #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-07-24-15.00.html | 15:08 |
d34dh0r53 | first up | 15:08 |
d34dh0r53 | reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132 | 15:09 |
d34dh0r53 | We spoke about this one on Friday, dmendiza was going to do some testing to ensure that the roles were working correctly | 15:09 |
dmendiza[m] | Yeah, I did a first-pass review and left some comments. Looks like it's been updated so I'll look again this week. | 15:10 |
d34dh0r53 | awesome, thanks dmendiza | 15:11 |
d34dh0r53 | I'll re-add it to the actions items for the reviewathon | 15:11 |
d34dh0r53 | #action reviewathon look at https://review.opendev.org/c/openstack/keystone/+/924132 | 15:11 |
d34dh0r53 | next up | 15:11 |
d34dh0r53 | reviewathon https://review.opendev.org/c/openstack/keystone/+/923067 and https://review.opendev.org/c/openstack/keystone/+/923324 | 15:12 |
d34dh0r53 | We talked about these as well, I think they're ready for review now that the codebase has been reformatted | 15:13 |
gtema | yupp, correct | 15:13 |
d34dh0r53 | sweet | 15:14 |
d34dh0r53 | thanks gtema (Artem Goncharov) | 15:14 |
d34dh0r53 | I'll review those today | 15:14 |
d34dh0r53 | That does it for the past meeting work items | 15:15 |
d34dh0r53 | #topic liaison updates | 15:15 |
d34dh0r53 | nothing from VMT | 15:15 |
d34dh0r53 | we're coming up on dalmatian-3 near the end of the month | 15:16 |
d34dh0r53 | other than that I've got nothing | 15:16 |
d34dh0r53 | moving on | 15:16 |
d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:16 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ABBUvkDlfXLRJEgqLawTZbEN>) | 15:17 |
d34dh0r53 | no updates from me | 15:17 |
d34dh0r53 | next up | 15:17 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:18 |
d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/wUsSZyvccxRMDwapARTwQYLL>) | 15:18 |
dmendiza[m] | No updates other than reviewing domain-manager | 15:20 |
d34dh0r53 | ack, thanks dmendiza | 15:20 |
d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:21 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/910584 (merged) | 15:21 |
d34dh0r53 | #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone | 15:21 |
d34dh0r53 | gtema: changes awaiting review | 15:21 |
gtema | nothing else than reviewing ;-) | 15:21 |
d34dh0r53 | ack, thanks gtema (Artem Goncharov) | 15:21 |
d34dh0r53 | next up | 15:22 |
d34dh0r53 | #topic specification domain manager (mhen) | 15:22 |
d34dh0r53 | #link https://review.opendev.org/q/topic:%22domain-manager%22... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ZYtGtQuOofpGnjLvLjCnzwOy>) | 15:22 |
gtema | long names should not be a problem with reformatted code (at least with the black in the game) | 15:23 |
gtema | but still we may want to shorten them | 15:23 |
gtema | wrt release notes I will explain to mhen offline (I have a shorter link to him) | 15:24 |
d34dh0r53 | ack, thank you | 15:24 |
d34dh0r53 | moving on to open discussion | 15:25 |
mharley[m] | But Python has no limit for variables names. Is it just because of legibility / aesthetics that Black is recommending reducing them? | 15:26 |
gtema | mharley - not the black on its own. There is "OpenStack" guide with the limit | 15:27 |
mharley[m] | Hmm, gotcha. | 15:27 |
gtema | wrt renovation: there is py312 fix change ready for review | 15:27 |
gtema | and the one I mentioned on the etherpad in pycadf | 15:27 |
gtema | those 2 are fixing pretty much all sort of unittesting locally failing with py312 | 15:28 |
d34dh0r53 | codebase renovation (gtema)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/koTieTclPIBbnzusrWvbMQuu>) | 15:28 |
gtema | right, those 2 | 15:28 |
jph | Have an issue with SAML integration with Keystone when using Chrome. I have managed to resolve it locally with `SetEnv MELLON_DISABLE_SAMESITE 1` in `/etc/apache2/mods-enabled/auth_mellon.conf` I will open a bug report but wondered if anyone else has encountered this in Zed onwards? | 15:30 |
d34dh0r53 | jph: we don't use SAML so I'm not much help. | 15:32 |
d34dh0r53 | jph: is this for the open discussion section of the meeting? | 15:32 |
jph | Yeah for open discussion. | 15:33 |
d34dh0r53 | unless anyone here uses SAML I would file a bug report | 15:34 |
jph | Sure I don't think SAML gets all that much use. Will open bug report only just found temporary solution. Thanks. | 15:35 |
d34dh0r53 | jph: thank you! | 15:36 |
d34dh0r53 | next up | 15:36 |
d34dh0r53 | deprecate EC2 and S3 code in keystone, keystoneauth, and keystone middleware (d34dh0r53) | 15:36 |
d34dh0r53 | the top level ec2-api project has been retired, there are some security issues in the code we have floating around our codebase. | 15:36 |
d34dh0r53 | ec2-api has been retired upstream, any objections to me deprecating the keystone code? | 15:36 |
gtema | it depends | 15:37 |
gtema | I know for sure there are some places where people use ec2 credentials to access ceph (rados gw) | 15:37 |
d34dh0r53 | specifically S3 | 15:37 |
gtema | so people create ec2 creds and use them to access rgw in S3 style | 15:38 |
d34dh0r53 | Does that still work? | 15:38 |
gtema | yes, sadly | 15:38 |
gtema | because it is not OpenStack itself | 15:38 |
jph | Yeah it does just deployed it yesterday. | 15:38 |
gtema | but ceph has integration with keystone and that works | 15:39 |
gtema | basically ec2 creds are just a "proxy" to regular credentials | 15:39 |
jrosser | you still need an ec2 style credential to use the s3 api | 15:39 |
gtema | just with a specific type | 15:39 |
d34dh0r53 | Ok, I think that means we're going to need to update the code as our SAST tooling has found some issues in those functions. But if it's still in use...it's still in use :) | 15:42 |
d34dh0r53 | next up | 15:42 |
d34dh0r53 | SAML issue with Google Chrome due to SAMESITE cookies (jph) | 15:42 |
d34dh0r53 | Will open bug report with findings | 15:42 |
d34dh0r53 | jph: thanks for this | 15:42 |
gtema | in the renovation there is still one more interesting change: adding mypy | 15:42 |
gtema | in the long run I think it would be very useful | 15:43 |
d34dh0r53 | do you have a link to the review handy gtema (Artem Goncharov) ? | 15:43 |
gtema | https://review.opendev.org/c/openstack/keystone/+/924085 | 15:43 |
d34dh0r53 | #action reviewathon https://review.opendev.org/c/openstack/keystone/+/924085 | 15:44 |
d34dh0r53 | thanks gtema (Artem Goncharov) | 15:44 |
d34dh0r53 | moving on to bug review | 15:44 |
d34dh0r53 | #topic bug review | 15:44 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:44 |
d34dh0r53 | looks like three new bugs | 15:45 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2075349 | 15:45 |
d34dh0r53 | Jadon is working on this and has a patch up, reviews appreciated | 15:45 |
gtema | it is a sort of doc/deployment bug and not the code | 15:46 |
gtema | ah no, sorry, wrong bug | 15:46 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2075723 | 15:46 |
d34dh0r53 | yeah, this looks like a doc bug | 15:46 |
gtema | revoke no - it is the thing I mentioned | 15:46 |
d34dh0r53 | oops, yeah | 15:47 |
d34dh0r53 | finally | 15:48 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/+bug/2074045 | 15:48 |
d34dh0r53 | dineshk: it would be awesome if you can take this | 15:49 |
d34dh0r53 | That doc definitely needs some TLC | 15:50 |
gtema | wrt this | 15:50 |
gtema | I have already a change updating setup guide | 15:50 |
d34dh0r53 | ack, maybe you can add that bug to the commit message | 15:51 |
gtema | bug was created afterwards | 15:51 |
gtema | so not technically correct, but ok, will do so | 15:51 |
gtema | #link https://review.opendev.org/c/openstack/keystone/+/925010 | 15:51 |
d34dh0r53 | yeah, slightly out of order | 15:52 |
d34dh0r53 | thanks gtema (Artem Goncharov) | 15:52 |
d34dh0r53 | next up | 15:52 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:52 |
d34dh0r53 | nothing new for python-keystoneclient | 15:52 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:52 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Update development setup doc https://review.opendev.org/c/openstack/keystone/+/925010 | 15:52 |
d34dh0r53 | nor keystoneauth | 15:53 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:53 |
d34dh0r53 | keystonemiddleware is good | 15:53 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:53 |
d34dh0r53 | pycadf is good as well | 15:53 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0 | 15:53 |
d34dh0r53 | no new bugs for ldappool | 15:54 |
d34dh0r53 | #topic conclusion | 15:54 |
d34dh0r53 | I don't have anything, reviewaton on Friday | 15:54 |
d34dh0r53 | *reviewathon | 15:54 |
d34dh0r53 | Thanks all! | 15:54 |
d34dh0r53 | #endmeeting | 15:54 |
opendevmeet | Meeting ended Wed Aug 7 15:54:53 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:54 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-08-07-15.03.html | 15:54 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-08-07-15.03.txt | 15:54 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-08-07-15.03.log.html | 15:54 |
gtema | thks everybody | 15:55 |
opendevreview | Merged openstack/keystone master: Add keystone-manage reset_last_active command https://review.opendev.org/c/openstack/keystone/+/924892 | 16:36 |
*** ministry is now known as __ministry | 20:06 |