*** mhen_ is now known as mhen | 02:54 |
jovial | I'm trying to use Ironic's new secure rbac functionality. Previously, I used to be able to `openstack baremetal node list` with an application credential. Now I'm forced to use `openstack baremetal node list --os-system-scope=all`, but this doesn't work with app creds: `Error authenticating with application credential: Application credentials cannot request a scope. (HTTP 401) (Request-ID: req-5771aacd-7861-4ab3-8278-976551aade72)`. Is there any way to get this to work? | 12:18 |
TheJulia | jovial: I guess we need some application credential testing | 13:50 |
TheJulia | jovial: so, you're trying to see *everything* or just a limited scope? What version of ironic as well? | 13:51 |
jovial | TheJulia: This is 2024.1. I was trying to list all the baremetal nodes just to match the old behavior really; at present all of the nodes have the owner set to the admin project. I didn't really want to segregate them between projects, i.e. I just wanted one big pool of nodes. | 14:08 |
frickler | jovial: iiuc app creds carry the scope they were created with. can you create a dedicated app cred with system scope? | 14:21 |
jovial | frickler: Ahh, thanks. I will give that a try. | 14:24 |
TheJulia | jovial: if owner is set, it *should* just work, but we've not explicitly tested app credentials. I wonder if the role is intact. I guess a look at the webserver application log might help | 14:47 |
jovial | TheJulia, I think in this case the app cred is for a project that isn't the admin project (the one that owns the nodes) | 14:48 |
TheJulia | ahh, that would do it | 14:49 |
TheJulia | Admin in a project in ironic doesn't permit one to see everything across all projects. We're a bit strict about that because we had prior users doing some fancy policy stuffs to do filtered views | 14:50 |
TheJulia | Hey, someone recently mentioned a monthly review call. When is that? Is there an agenda? etc? | 14:55 |
jovial | TheJulia: Just upgraded from 2023.1 and am trying to work out how best to configure this stuff :) | 14:56 |
TheJulia | jovial: understood, you *can* consider custom policy, but yeah, we took a bit of a hard stance on the default srbac behavior | 14:58 |
d34dh0r53 | #startmeeting keystone | 15:05 |
opendevmeet | Meeting started Wed Oct 30 15:05:34 2024 UTC and is due to finish in 60 minutes. The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:05 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:05 |
opendevmeet | The meeting name has been set to 'keystone' | 15:05 |
d34dh0r53 | o/ | 15:06 |
xek | o/ | 15:06 |
d34dh0r53 | Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct | 15:06 |
d34dh0r53 | #link https://openinfra.dev/legal/code-of-conduct | 15:06 |
d34dh0r53 | v | 15:07 |
d34dh0r53 | #topic roll call | 15:07 |
d34dh0r53 | admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe | 15:07 |
cardoe | o/ | 15:08 |
gtema | O/ but on travel | 15:08 |
d34dh0r53 | #topic review past meeting work items | 15:09 |
d34dh0r53 | no action items from our previous meeting, last week was PTG so we didn't have a weekly meeting | 15:09 |
d34dh0r53 | Thanks everyone who attended and participated in the PTG, I felt like we had some very good sessions | 15:10 |
d34dh0r53 | #topic liaison updates | 15:10 |
d34dh0r53 | nothing from release or VMT at the moment | 15:11 |
d34dh0r53 | #topic specification OAuth 2.0 (hiromu) | 15:13 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext | 15:13 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability | 15:13 |
d34dh0r53 | External OAuth 2.0 Specification | 15:13 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) | 15:13 |
d34dh0r53 | OAuth 2.0 Implementation | 15:13 |
d34dh0r53 | #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls | 15:13 |
d34dh0r53 | OAuth 2.0 Documentation | 15:13 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) | 15:13 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) | 15:13 |
d34dh0r53 | no updates from me, I think I can allocate some time to rebase and resubmit the last remaining work for this one this week | 15:14 |
d34dh0r53 | 'v | 15:14 |
d34dh0r53 | #topic specification Secure RBAC (dmendiza[m]) | 15:14 |
d34dh0r53 | #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ | 15:14 |
d34dh0r53 | 2024.1 Release Timeline | 15:14 |
d34dh0r53 | Update oslo.policy in keystone to enforce_new_defaults=True | 15:14 |
d34dh0r53 | Update oslo.policy in keystone to enforce_scope=True | 15:14 |
d34dh0r53 | we need to clean up this section of the etherpad dmendiza | 15:14 |
d34dh0r53 | ok, moving on | 15:17 |
d34dh0r53 | #topic specification OpenAPI support (gtema) | 15:17 |
d34dh0r53 | #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone | 15:17 |
d34dh0r53 | https://review.opendev.org/c/openstack/keystone/+/925020 could now also land to ease api-ref work | 15:17 |
d34dh0r53 | gtema: api-ref work started | 15:17 |
gtema | Not many updates, but we need to decide whether OpenAPI or ruff should land first | 15:18 |
gtema | Because also I started wip work on pagination which conflicts a lot with ruff reformat | 15:18 |
d34dh0r53 | hmm, openapi then ruff is my thinking, but that's not based on much | 15:20 |
gtema | There are conflicts | 15:21 |
gtema | OpenAPI itself is huge amount of changes and not all are ready | 15:22 |
gtema | I would prefer landing ruff first | 15:22 |
d34dh0r53 | ok, if ruff is actually easier to land first I'm all for it, I thought that since openapi was already well in progress it would be easier to land | 15:23 |
gtema | I can't check patches now, am walking to the train | 15:24 |
d34dh0r53 | ok, no problem | 15:25 |
d34dh0r53 | we can look at the ruff stuff during the reviewathon | 15:25 |
d34dh0r53 | moving on | 15:26 |
d34dh0r53 | #topic specification domain manager (mhen) | 15:26 |
d34dh0r53 | still unmerged are: | 15:26 |
d34dh0r53 | documentation: https://review.opendev.org/c/openstack/keystone/+/928135 | 15:26 |
d34dh0r53 | tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 | 15:26 |
d34dh0r53 | no update from mhen_ | 15:29 |
d34dh0r53 | next up | 15:29 |
d34dh0r53 | #topic specification Type annotations (stephenfin) | 15:29 |
d34dh0r53 | #link https://review.opendev.org/q/project:openstack/keystoneauth+topic:typing | 15:29 |
d34dh0r53 | This is just pending reviews now. I will push the remaining patches as soon as a sufficient quantity of the current ones land. | 15:29 |
* d34dh0r53 needs to review these | 15:30 |
gtema | I'll try to review remaining from the train | 15:31 |
d34dh0r53 | thank you gtema (Artem Goncharov) | 15:32 |
d34dh0r53 | next up | 15:32 |
d34dh0r53 | #topic specification Include bad password details in audit messages (stanislav-z) | 15:32 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 | 15:32 |
d34dh0r53 | #link https://review.opendev.org/c/openstack/keystone/+/932423 | 15:32 |
d34dh0r53 | 30-Oct update: significant spec update including feedback during PTG. WIP implementation tests are WIP. | 15:32 |
d34dh0r53 | Thanks for the update Stanislav Zaprudskiy, I haven't yet had a chance to look it over but will | 15:33 |
d34dh0r53 | moving on | 15:36 |
d34dh0r53 | #topic open discussion | 15:36 |
gtema | You've seen first wip for pagination. Do we want spec first or just do it? | 15:37 |
gtema | Or not at all (but that would be rather bad ux) | 15:38 |
d34dh0r53 | I think we should just do it, it shouldn't need a spec | 15:38 |
d34dh0r53 | Not having it is really bad UX | 15:38 |
gtema | Ok, there I fix failing tests (because of changed functionality | 15:39 |
gtema | S/there/then | 15:39 |
d34dh0r53 | ack, thank you! | 15:40 |
d34dh0r53 | #topic bug review | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 | 15:41 |
d34dh0r53 | no new bugs for keystone | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 | 15:41 |
d34dh0r53 | python-keystoneclient is good | 15:41 |
d34dh0r53 | #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 | 15:41 |
d34dh0r53 | nothing new in keystoneauth either | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 | 15:42 |
d34dh0r53 | keystonemiddleware is good, there is some low-hanging-fruit in this repo if anyone would like to contribute | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 | 15:42 |
d34dh0r53 | pycadf has no new bugs | 15:42 |
d34dh0r53 | #link https://bugs.launchpad.net/ldappool/+bugs?ordterby=-id&start=0 | 15:43 |
d34dh0r53 | nor does ldappool | 15:43 |
d34dh0r53 | #topic conclusion | 15:43 |
d34dh0r53 | I don't have anything specific, thanks again for the PTG participation! | 15:43 |
d34dh0r53 | #endmeeting | 15:43 |
opendevmeet | Meeting ended Wed Oct 30 15:43:58 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:43 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-30-15.05.html | 15:43 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-30-15.05.txt | 15:43 |
opendevmeet | Log: https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-10-30-15.05.log.html | 15:43 |
cardoe | Was hoping to see the OIDC check job land https://review.opendev.org/c/openstack/keystone/+/931675 and my docs update https://review.opendev.org/c/openstack/keystone/+/929315 The former being more important. | 15:54 |
*** jjung_ is now known as jjung | 16:35 |
jovial | frickler, re system scoped app creds, I did this: https://paste.opendev.org/show/bltZXrw7M8mTbi5scGEm/, which seems to have no project ID set, but even with that I can't list the baremetal nodes. Am I doing something stupid? | 17:31 |
jovial | For anyone else, the context is: https://docs.openstack.org/ironic/latest/admin/secure-rbac.html and trying to create an app cred with system scope | 17:33 |
*** amorin_ is now known as amorin | 17:35 |
TheJulia | I feel curious what the debug log has in it | 17:41 |
frickler | jovial: yes, system scope has no project associated, that part is expected, see also https://docs.openstack.org/ironic/latest/admin/secure-rbac.html#system-scoped . not sure about the roles, do you use the baremetal_* roles when using "normal" auth? also as TheJulia says debug logs from both client and server might be helpful | 18:08 |
jovial | Getting late here. Will try and get some debug logs tomorrow | 18:27 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Ruff the code https://review.opendev.org/c/openstack/keystone/+/931959 | 19:11 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily at 20:30 utc (half an hour from now) to apply a configuration change | 20:02 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily to apply a configuration change | 20:31 |