Wednesday, 2024-12-11

*** mhen_ is now known as mhen [03:01]
<opendevreview> OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/keystone/+/930663 [04:29]
<opendevreview> Stanislav Zaprudskiy proposed openstack/keystone-specs master: Include invalid password details in audit messages  https://review.opendev.org/c/openstack/keystone-specs/+/915482 [12:16]
<d34dh0r53> #startmeeting keystone [15:00]
<opendevmeet> Meeting started Wed Dec 11 15:00:51 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot. [15:00]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [15:00]
<opendevmeet> The meeting name has been set to 'keystone' [15:00]
<d34dh0r53> Reminder: This meeting takes place under the OpenInfra Foundation Code of Conduct [15:00]
<d34dh0r53> #link https://openinfra.dev/legal/code-of-conduct [15:00]
<d34dh0r53> #topic roll call [15:01]
<d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], dmendiza, mharley, jph, gtema, cardoe [15:01]
<d34dh0r53> o/ [15:01]
<xek> o/ [15:01]
<gtema> o/ [15:01]
<jph> o/ [15:01]
<d34dh0r53> Welcome, let's get started [15:02]
<d34dh0r53> #topic review past meeting work items [15:02]
<d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-12-04-15.04.html [15:02]
<d34dh0r53> reviewathon look at the Bad Password spec https://review.opendev.org/c/openstack/keystone-specs/+/915482 [15:02]
<d34dh0r53> that was the only action item, we reviewed it in the Reviewathon on Friday [15:03]
<d34dh0r53> next up [15:03]
<d34dh0r53> #topic liaison updates [15:03]
<d34dh0r53> nothing from Releases or VMT [15:04]
<d34dh0r53> #topic specification OAuth 2.0 (hiromu) [15:04]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext [15:04]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fenhance-oauth2-interoperability [15:04]
<d34dh0r53> External OAuth 2.0 Specification [15:04]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/861554 (merged) [15:04]
<d34dh0r53> OAuth 2.0 Implementation [15:04]
<d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Fsupport-oauth2-mtls [15:04]
<d34dh0r53> OAuth 2.0 Documentation [15:04]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/838108 (merged) [15:04]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystoneauth/+/838104 (merged) [15:04]
<d34dh0r53> no updates from me on this one, hopefully will be able to recheck and rebase on Friday to get the last couple of remaining patches out [15:05]
<d34dh0r53> #topic specification Secure RBAC (dmendiza[m]) [15:05]
<d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_ [15:05]
<d34dh0r53> 2024.1 Release Timeline [15:05]
<d34dh0r53> Update oslo.policy in keystone to enforce_new_defaults=True [15:05]
<d34dh0r53> Update oslo.policy in keystone to enforce_scope=True [15:05]
<d34dh0r53> guess dmendiza isn't around today [15:07]
<d34dh0r53> #topic specification OpenAPI support (gtema) [15:07]
<d34dh0r53> #link https://review.opendev.org/q/topic:%22openapi%22+project:openstack/keystone [15:07]
<gtema> I wasn't working on that this week so far, so no changes, but on Friday we can review next changes done by students [15:08]
<d34dh0r53> ack, thanks gtema (Artem Goncharov) [15:10]
<d34dh0r53> #topic specification domain manager (mhen) [15:10]
<d34dh0r53> still unmerged are: [15:10]
<d34dh0r53> 'v [15:10]
<d34dh0r53> documentation: https://review.opendev.org/c/openstack/keystone/+/928135 [15:10]
<d34dh0r53> tempest tests: https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/924222 [15:10]
<d34dh0r53> Grzegorz Grasza, dmendiza please review the domain manager patches [15:11]
<dmendiza[m]> 🙋‍♂️ [15:11]
<d34dh0r53> ohai dmendiza [15:11]
<d34dh0r53> any S-RBAC updates? [15:12]
<dmendiza[m]> Negative, no updates this week. 😅 [15:12]
<d34dh0r53> ack, thanks [15:13]
<d34dh0r53> #topic specification Include bad password details in audit messages (stanislav-z) [15:13]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/915482 [15:13]
<d34dh0r53> #link https://review.opendev.org/c/openstack/keystone/+/932423 [15:13]
<d34dh0r53> 11-Dec update: thanks for reviews, I've updated the spec according to comments, or otherwise raised my questions in Gerrit - would appreciate your feedback. [15:13]
<d34dh0r53> CI for keystone-spec is failing :/ [15:13]
<stanislav-z> Hi! Thanks for the review. I updated and responded in Gerrit [15:14]
<d34dh0r53> Thanks Stanislav Zaprudskiy ! [15:14]
<d34dh0r53> I thought we unblocked the docs gate but I guess not :/ [15:14]
<stanislav-z> And CI indeed is failing - also the build is failing locally. Would looking into it in a separate patch be a way to fix it? [15:14]
<gtema> in keystone but not in keystone-specs [15:15]
<d34dh0r53> ahh, thanks gtema (Artem Goncharov) [15:15]
<d34dh0r53> #topic open discussion [15:16]
<d34dh0r53> nothing from me [15:16]
<stanislav-z> I have a question [15:17]
<stanislav-z> there are 2 APIs that allow creation of ec2 credentials: [15:17]
<stanislav-z> 1) https://docs.openstack.org/api-ref/identity/v3/#credentials [15:17]
<stanislav-z> and 2. https://github.com/openstack/keystone/commit/afd897f9122cdee925376a1c25994a515082963f#diff-c626451fb39f390fb94dcd5e75446540e9dad2df619eec121d57d5284def37e0R434 [15:17]
<stanislav-z> they both have a similar set of functionality - creation of ec2 credentials. I'm wondering, why both are kept? [15:19]
<stanislav-z> btw, the second - /ec2tokens - is not mentioned in documentation [15:19]
<gtema> ec2creds are normal creds of the EC2 type [15:19]
<gtema> there is a separate API (I think for backwards compatibility reasons) [15:19]
<d34dh0r53> AFAIK that API has been retired [15:20]
<stanislav-z> /credentials also allows creation of ec2 credentials - the difference is, that /ec2tokens auto-generates access key/secret, while /credentials requires caller to submit the desired access key/value [15:21]
<stanislav-z> the follow-up question - why does the /credentials API not auto-generates the values for users? in other words, it allows users to create insecure credentials like admin/password. Just in case someone could know ... [15:23]
<stanislav-z>  * the follow-up question - why does the /credentials API not auto-generate the values for users? in other words, it allows users to create insecure credentials like admin/password. Just in case someone could know ... [15:23]
<stanislav-z>  * the follow-up question - why does the /credentials API not auto-generate the values for users? in other words, it allows users to create insecure credentials like admin/password. Just in case someone could know the historical background [15:23]
<d34dh0r53> I have no idea about the history of EC2 in Keystone, we should deprecate it IMHO as no one is able to maintain it and the EC2-API project has been retired. [15:24]
<stanislav-z> I would image that Swift S3 emulation might use/rely on it. But got your answer, thanks for the clarification [15:25]
<stanislav-z> s/image/imagine/ [15:26]
<gtema> Dave Wilde (d34dh0r53): yes, swift and rados GW still rely heavily on the ec2 creds [15:26]
<gtema> we can't drop it [15:26]
<d34dh0r53> ahh, yeah [15:27]
<d34dh0r53> that's a bummer [15:29]
<d34dh0r53> oh well [15:29]
<d34dh0r53> Sorry I can't be of more help with those questions Stanislav Zaprudskiy [15:30]
<d34dh0r53> anything else for open discussion? [15:30]
<d34dh0r53> cool, moving on [15:31]
<d34dh0r53> #topic bug review [15:31]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 [15:31]
<d34dh0r53> one new bug for keystone [15:31]
<d34dh0r53> #link https://bugs.launchpad.net/keystone/+bug/2091317 [15:31]
<cardoe> That's my bug. [15:34]
<cardoe> So I got it to work now by setting default_authorization_ttl [15:35]
<cardoe> So I was going to close it. [15:35]
<d34dh0r53> We need to dig into default_authorization_ttl I think [15:36]
<d34dh0r53> IIRC there are several bugs surrounding it, or the confusion as to what it actually does [15:36]
<d34dh0r53> ok [15:39]
<d34dh0r53> that does it for keystone [15:39]
<d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 [15:39]
<d34dh0r53> no new bugs in python-keystoneclient [15:40]
<d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0 [15:40]
<d34dh0r53> keystoneauth is good [15:40]
<d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0 [15:40]
<d34dh0r53> no new bugs in keystonemiddleware [15:41]
<d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0 [15:41]
<d34dh0r53> pycadf is good [15:41]
<d34dh0r53> so is ldappool [15:41]
<d34dh0r53> #topic conclusion [15:41]
<d34dh0r53> nothing else from me, thanks folks! [15:41]
<d34dh0r53> #endmeeting [15:42]
<opendevmeet> Meeting ended Wed Dec 11 15:42:02 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [15:42]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-12-11-15.00.html [15:42]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-12-11-15.00.txt [15:42]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-12-11-15.00.log.html [15:42]
<cardoe> d34dh0r53: I was going to ask about doc updates. So the mapping docs don't match up with what the JSON schema requires / enforces. So I wanted to update them. But not sure if that's an area that's gonna change so you're not wanting updates to those docs? [16:06]
<cardoe> Like https://review.opendev.org/c/openstack/keystone/+/929315 I understand is going to change so that's why no docs merge. [16:06]
<frickler> d34dh0r53: just a reminder that https://review.opendev.org/c/openstack/releases/+/936261 is still waiting for an update [17:50]
-opendevstatus- NOTICE: Gerrit will undergo a short restart to pick up some bugfixes for the 3.10 release that we upgraded to. [19:25]
<opendevreview> Oria Weng proposed openstack/keystone master: Add JSON schema and validation for `implied role`  https://review.opendev.org/c/openstack/keystone/+/937572 [22:48]
