Wednesday, 2024-10-02

*** mhen_ is now known as mhen  [01:08]
*** mhen_ is now known as mhen  [02:05]
<opendevreview> Ghanshyam proposed openstack/oslo.policy master: Drop python 3.8 support  https://review.opendev.org/c/openstack/oslo.policy/+/931112  [02:36]
<opendevreview> OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/keystone/+/930663  [04:22]
<opendevreview> OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/keystonemiddleware/+/931127  [05:06]
<opendevreview> Takashi Kajinami proposed openstack/keystonemiddleware master: Replace deprecated constant_time_compare  https://review.opendev.org/c/openstack/keystonemiddleware/+/931148  [09:30]
<greatgatsby> Good day.  Is it possible to issue an auth token with a specific duration?  I'd like to create, say, a token that's only valid for 30 minutes.  [12:19]
<gtema> greatgatsby - no, only whatever is default on a provider level  [12:19]
<gtema> it is possible to revoke token though  [12:19]
<greatgatsby> gtema: thanks for the quick answer.  So it's possible to change the default?  Sorry for the basic questions, just started trying to figure this out.  [12:20]
<greatgatsby> oh I think I found something, I'll do some more googling, thanks a lot!  [12:21]
<gtema> https://docs.openstack.org/keystone/latest/configuration/config-options.html#token  [12:22]
<greatgatsby> ah I see, so this is the same token as clients logging in to horizon, for example.  Ok, I'll have to give this more thought.  Thanks again, appreciate it.  [12:24]
<gtema> welcome  [12:25]
<d34dh0r53> #startmeeting keystone  [15:00]
<opendevmeet> Meeting started Wed Oct  2 15:00:43 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.  [15:00]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.  [15:00]
<opendevmeet> The meeting name has been set to 'keystone'  [15:00]
<d34dh0r53> #topic roll call  [15:01]
<d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema, cardoe  [15:01]
<d34dh0r53> o/  [15:01]
<gtema> o/  [15:01]
<d34dh0r53> #topic review past meeting work items  [15:03]
<d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-09-25-15.01.html  [15:03]
<d34dh0r53> no action items from the last meeting  [15:03]
<d34dh0r53> #topic liaison updates  [15:03]
<d34dh0r53> Thanks for replying to that email gtema (Artem Goncharov)  [15:04]
<d34dh0r53> that one had fallen off of my radar :/  [15:04]
<gtema> wlcm  [15:04]
<d34dh0r53> that's it from VMT, nothing from release management  [15:04]
<d34dh0r53> #topic specification OAuth 2.0 (hiromu)  [15:05]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext  [15:05]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability  [15:05]
<d34dh0r53> External OAuth 2.0 Specification  [15:06]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged)  [15:06]
<d34dh0r53> OAuth 2.0 Implementation  [15:06]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls  [15:06]
<d34dh0r53> OAuth 2.0 Documentation  [15:06]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged)  [15:06]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged)  [15:06]
<d34dh0r53> I saw hiromu pushed an update to the docs  [15:06]
<d34dh0r53> which is awesome  [15:07]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/860928  [15:08]
<d34dh0r53> next up  [15:08]
<d34dh0r53> #topic specification Secure RBAC (dmendiza[m])  [15:08]
<d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_  [15:09]
<d34dh0r53> 2024.1 Release Timeline  [15:09]
<d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True  [15:09]
<d34dh0r53> Update oslo.policy in keystone to enforce_scope=True  [15:09]
<TheJulia> ... Hasn't 2024.1 already released.... like  *ages* ago?  [15:10]
<d34dh0r53> not sure if dmendiza is around  [15:10]
<d34dh0r53> yeah, I just noticed that, need to clean up the meeting doc  [15:10]
<dmendiza[m]> 👋  [15:10]
<TheJulia> Yeah, I think some active management of topics is definitely needed  [15:10]
<d34dh0r53> ohai dmendiza  [15:10]
<dmendiza[m]> Hello!  [15:11]
* dmendiza[m] catches up  [15:11]
<dmendiza[m]> Right, so, I think we've branched 2025.1 now?  [15:11]
<dmendiza[m]> that is to say, master is now tracking 2025.1  [15:11]
<dmendiza[m]> and branched off stable/2024.2  [15:12]
<gtema> dmendiza: fyi: in the roll-call there is your xxx[m] nick, maybe because of that you miss the notification  [15:12]
<dmendiza[m]> I'm on a Matrix client (element) which adds (or added? 🤔) the [m] when bridging to IRC  [15:12]
<dmendiza[m]> it's there so folks from IRC can ping me. 🤷  [15:12]
<gtema> then add both to the roll-call in the agenda  [15:13]
<dmendiza[m]> that's why you make the big bucks. 😜  [15:13]
<d34dh0r53> I just added it  [15:13]
<dmendiza[m]> Anyway, yeah, I think that now that we're at the beginning of a new cycle we should make sure we default to enable_new_defaults=True and enforce_scope=True  [15:14]
<dmendiza[m]> IIRC we had to override the oslo change  [15:14]
<dmendiza[m]> so now we can remove that override and just consume the default True from oslo.policy  [15:14]
<dmendiza[m]> I'll work on a patch for that.  [15:14]
* dmendiza[m] puts his Red Hat on  [15:14]
<dmendiza[m]> Looks like domain-manager is moving up in priority at RH.  Expect to see me propose changes to domain-manager  [15:15]
<dmendiza[m]> That's all I've got for now  [15:15]
<d34dh0r53> ack, ty dmendiza  [15:16]
<d34dh0r53> #topic specification OpenAPI support (gtema)  [15:16]
<d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone  [15:16]
<d34dh0r53> gtema: changes awaiting review - please please please  [15:16]
<gtema> yupp - dmendiza left a nit comment on one of the changes (credentials)  [15:17]
<gtema> I updated that (and needed to rebase), but still - changes are there for review and finally a go  [15:17]
<d34dh0r53> ack, any particular order to review thingsf/  [15:17]
<d34dh0r53> *things?  [15:17]
<gtema> not anymore, mine are independent  [15:18]
<gtema> ones from Antonia are with some relations (app_creds and next on access rules)  [15:18]
<gtema> but otherwise - whatever is passing  [15:18]
<d34dh0r53> ack  [15:19]
<d34dh0r53> thanks gtema (Artem Goncharov)  [15:19]
<d34dh0r53> #topic specification domain manager (mhen)  [15:19]
<d34dh0r53> #link https://review.opendev.org/q/topic:%22domain-manager%22  [15:19]
<d34dh0r53> tempest core lib patch has been merged, only keystone-tempest-plugin left  [15:19]
<d34dh0r53> created a patchset for documentation: https://review.opendev.org/c/openstack/keystone/+/928135  [15:19]
<d34dh0r53> guess mhen_ isn't around  [15:23]
<d34dh0r53> or maybe no ping because nick changed  [15:23]
<gtema> yeah, maybe  [15:24]
<d34dh0r53> ok, moving on  [15:25]
<d34dh0r53> #topic specification Type annotations (stephenfin)  [15:25]
<d34dh0r53> #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing  [15:25]
<d34dh0r53> This came about from adding type hints to openstacksdk. Since we're based on/heavily use keystoneauth, we need these annotations to be able to type things correctly. After much blood and tears, I now have the thing fully typed (except for tests and fixtures) but have refrained from pushing the full ~50 patch series to avoid overloading CI/humans :)  [15:25]
<d34dh0r53> How do we want to review these? They are generally non-functional changes, though I have reworked some logic (to avoid use of try-except pattern that mypy doesn't like) and added lots of asserts to narrow types (which I will eventually convert to proper exceptions). Can I just let gtema review them and rely on CI?  [15:26]
<d34dh0r53> You'll see I've used ruff and ruff-format. I realise this might be somewhat controversial, but it removes significant friction (from having to manually rewrap stuff) when adding annotations at minimal inconvenience to others  [15:26]
<d34dh0r53> was a patch added for ruff-format?  [15:26]
<gtema> Steven pushed new series which I have not had time to review yet  [15:26]
<stephenfin> ummm, I think so  [15:26]
<stephenfin> if I did it's merged  [15:27]
<d34dh0r53> it's been added to keystoneauth, I was wondering about keystone  [15:27]
<gtema> that is not there yet as we discussed  [15:27]
<stephenfin> Ah, no, not for keystone. I think gtema was handling that?  [15:27]
<d34dh0r53> I thought it may have been mentioned last week  [15:27]
<d34dh0r53> ack  [15:27]
<gtema> I wanted that we proceed with openapi changes pending long and afterwards I will do that  [15:27]
<stephenfin> we did discuss last week. cardoe and yourself were onboard (from reading the scrollback)  [15:28]
<d34dh0r53> that's right  [15:28]
<d34dh0r53> waiting for openapi changes  [15:28]
* d34dh0r53 slaps himself with a trout  [15:28]
<gtema> what's with passlib changes?  [15:29]
<stephenfin> but yeah, for keystoneauth all of the "groundwork" patches are merged and mypy is now running in non-strict mode. The patches that are waiting for review constitute roughly half of the total queue. Once everything is merged, we should be 100% typed (except for tests and fixtures)  [15:29]
<d34dh0r53> sweet  [15:29]
<stephenfin> *half of the total remaining patches (I have not pushed the other half to prevent swamping the CI)  [15:29]
<stephenfin> s/prevent/avoid/  [15:29]
<d34dh0r53> 👍️  [15:31]
<d34dh0r53> I'll review those this week as I'm able  [15:31]
<d34dh0r53> #topic open discussion  [15:31]
<d34dh0r53> farewell passlib #link https://review.opendev.org/q/topic:%22passlib%22  [15:31]
<TheJulia> Question, where is the meeting agenda kept?  [15:32]
<d34dh0r53> Is this ready gtema (Artem Goncharov) ?  [15:32]
<gtema> yes Dave Wilde (d34dh0r53) ready  [15:32]
<d34dh0r53> TheJulia: https://etherpad.opendev.org/p/keystone-weekly-meeting  [15:32]
<gtema> TheJulia: agenda link is present in the room description  [15:33]
<TheJulia> And has there been a review of the keystone-coresec group membership? Can that be taken care of in advance of next week's meeting  [15:33]
<TheJulia> gtema: ahh, didn't even see it there! Thanks!  [15:33]
<d34dh0r53> I will take care of that review this week TheJulia,  [15:33]
<TheJulia> Okay, thanks.  [15:34]
<gtema> back to passlib: as discussed last friday: it is ready, is a big "kill-switch", no other way exists, is tested to be backwards compatible  [15:36]
<d34dh0r53> Ok, time for the bandaid rip, I propose that we devote some time in the reviewathon on Friday to do that  [15:37]
<gtema> oki  [15:37]
<d34dh0r53> #action reviewathon discuss and hopefully perform the removal of passlib https://review.opendev.org/q/topic:%22passlib%22  [15:38]
<d34dh0r53> cool, moving on, thanks gtema (Artem Goncharov)  [15:38]
<d34dh0r53> #topic bug review  [15:38]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0  [15:38]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2083004  [15:39]
<d34dh0r53> Looks like a wishlist item to me, the solution is to set the cache timeout to a reasonable value for your use case  [15:42]
<d34dh0r53> next up  [15:42]
<gtema> he, what?  [15:42]
<gtema> I mean the above bug  [15:42]
<d34dh0r53> ? what about it?  [15:43]
<gtema> assignments in Keycloak are not immediately visible in Keystone  [15:43]
<gtema> that is what disturbs me  [15:43]
<d34dh0r53> is that not true in your case?  [15:44]
<gtema> well, this is a big confusion people have about federation: when they do changes in IdP they expect immediately to see changes reflected on SP  [15:45]
<TheJulia> Further question for some point during open discussion: Is there a PTG etherpad yet? The linked one in the agenda is for Antelope  [15:45]
<gtema> in the oidc/oauth2 this will never happen unless user re-logs in  [15:45]
<d34dh0r53> TheJulia: yes, I'll fix that link  [15:46]
<gtema> there are few things you can do here, but it will not happen magically  [15:46]
<d34dh0r53> TheJulia: https://etherpad.opendev.org/p/oct2024-ptg-keystone  [15:46]
<gtema> Dave Wilde (d34dh0r53): since we have federation topic for PTG let's postpone this bug till then  [15:47]
<d34dh0r53> ack  [15:48]
<d34dh0r53> I agree gtema (Artem Goncharov)  [15:48]
<d34dh0r53> that's it for keystone  [15:48]
<TheJulia> Can it wait 2.5 weeks?  [15:48]
<d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0  [15:48]
<d34dh0r53> TheJulia: we can add a response to that bug but it's essentially working as designed for now  [15:51]
<TheJulia> d34dh0r53: that would be ideal since there is no guarantee the subscribers can attend the ptg. Thanks again!  [15:52]
<d34dh0r53> 👍️  [15:52]
<d34dh0r53> no new bugs for python-keystoneclient  [15:52]
<d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0  [15:52]
<d34dh0r53> nor keystoneauth  [15:53]
<d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0  [15:53]
<d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bug/2081732  [15:53]
<d34dh0r53> work is done, cores please review the patch that has been proposed to keystonemiddleware  [15:54]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystonemiddleware/+/931148  [15:54]
<d34dh0r53> that does it for keystonemiddleware  [15:55]
<d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0  [15:55]
<d34dh0r53> no new bugs for pycadf  [15:55]
<d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=0  [15:55]
<d34dh0r53> and ldappool also has no new bugs  [15:55]
<d34dh0r53> #topic conclusion  [15:55]
<d34dh0r53> please add to the PTG agenda  [15:56]
<d34dh0r53> #link https://etherpad.opendev.org/p/oct2024-ptg-keystone  [15:56]
<d34dh0r53> that's it from me, thanks everyone!  [15:56]
<gtema> thanks  [15:57]
<d34dh0r53> #endmeeting  [15:57]
<opendevmeet> Meeting ended Wed Oct  2 15:57:20 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)  [15:57]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-02-15.00.html  [15:57]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-02-15.00.txt  [15:57]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-02-15.00.log.html  [15:57]
<opendevreview> Artem Goncharov proposed openstack/keystone master: Enable JsonSchema validation for `project`  https://review.opendev.org/c/openstack/keystone/+/923181  [16:20]
<opendevreview> Dmitriy Rabotyagov proposed openstack/keystone master: Fix DB migrations after alembic integration  https://review.opendev.org/c/openstack/keystone/+/930589  [16:48]
<opendevreview> Takashi Kajinami proposed openstack/keystonemiddleware master: Get rid of pkg_resources  https://review.opendev.org/c/openstack/keystonemiddleware/+/931211  [17:15]
<opendevreview> Ghanshyam proposed openstack/oslo.policy master: Drop python 3.8 support  https://review.opendev.org/c/openstack/oslo.policy/+/931112  [18:16]
