)]}'
{"id":"openstack%2Fkeystone~984640","triplet_id":"openstack%2Fkeystone~master~I3447c792a1d380853e812661339325aa13c2c0eb","project":"openstack/keystone","branch":"master","topic":"k8s-token-auth","attention_set":{"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2026-04-21 10:39:40.000000000","reason":"\u003cGERRIT_ACCOUNT_28619\u003e replied on the change","reason_account":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}}},"removed_from_attention_set":{"27900":{"account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"last_update":"2026-04-21 19:20:50.000000000","reason":"\u003cGERRIT_ACCOUNT_27900\u003e replied on the change","reason_account":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}}},"hashtags":[],"change_id":"I3447c792a1d380853e812661339325aa13c2c0eb","subject":"Add Kubernetes token auth middleware for OCP federation","status":"NEW","created":"2026-04-14 20:47:09.000000000","updated":"2026-04-21 19:20:50.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":5,"unresolved_comment_count":1,"work_in_progress":true,"has_review_started":true,"meta_rev_id":"370b84d52cb5bf7405d18157bcea5d886e6a1740","_number":984640,"virtual_id_number":984640,"owner":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"actions":{},"labels":{"Verified":{"disliked":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"tag":"autogenerated:zuul:check","value":-1,"date":"2026-04-14 22:02:18.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":-1,"default_value":0,"optional":true},"Code-Review":{"all":[{"value":0,"date":"2026-04-21 19:20:50.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"CC":[{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}],"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"pending_reviewers":{"CC":[{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}],"REVIEWER":[{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"}]},"reviewer_updates":[{"updated":"2026-04-14 22:02:18.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-04-15 06:58:12.000000000","updated_by":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"reviewer":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"state":"REVIEWER"},{"updated":"2026-04-21 10:39:40.000000000","updated_by":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"reviewer":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"state":"CC"}],"messages":[{"id":"bdf90c1cd10c8e2ba8f01ac74fe4a293f71eb4ab","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-14 20:47:09.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"a5d8d17b6afa04aa02d11373bc521c4d014e4686","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-14 22:02:18.000000000","message":"Patch Set 1: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/c9a3cbc5e3224f8eaeefc6550cfd771b\n\n- test-release-openstack https://zuul.opendev.org/t/openstack/build/2632ca905da0402a810edfabf39310da : SUCCESS in 2m 16s\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/ca428eaa723a460b9415b21749846a64 : SUCCESS in 13m 41s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/e020c3c742aa4fd2b280b01919b5b272 : FAILURE in 3m 26s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/8e0f1c326ae24501b14d22479cd5e835 : SUCCESS in 9m 18s\n- openstack-tox-py313 https://zuul.opendev.org/t/openstack/build/bb9917d8fbfc47db82a34630af31cc37 : SUCCESS in 15m 05s\n- openstack-tox-py314 https://zuul.opendev.org/t/openstack/build/a52ce5c0a80f4dacb440a59bcbe59b73 : SUCCESS in 16m 06s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/4d67403208c443ec9b4ee854669984c4 : SUCCESS in 13m 55s\n- requirements-check https://zuul.opendev.org/t/openstack/build/ae3dcadf28e7486fb2792f4a08636292 : SUCCESS in 3m 10s\n- grenade https://zuul.opendev.org/t/openstack/build/b5c6a4a1fa7c4d56a807c6ac5729770e : SUCCESS in 1h 08m 48s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/55013914977f4eccbbed31fc5125259e : SUCCESS in 55m 52s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/3621320254004ece907c5f7deee56812 : SUCCESS in 7m 59s (non-voting)\n- keystone-tempest https://zuul.opendev.org/t/openstack/build/d97d85c73865413ba9d9c126d4f0b38c : SUCCESS in 16m 06s\n- keystone-tempest-fips https://zuul.opendev.org/t/openstack/build/5e3839fc65cb4363b79aceb70ad4359d : FAILURE in 11m 28s (non-voting)\n- keystone-tempest-federation https://zuul.opendev.org/t/openstack/build/468a828398ec49faaff84e48959d37bd : FAILURE in 25m 40s (non-voting)\n- keystone-tempest-federation-k2k https://zuul.opendev.org/t/openstack/build/9cbcfb790bc2447588d00fa37051d225 : SUCCESS in 17m 41s\n- keystone-tempest-oidc-federation https://zuul.opendev.org/t/openstack/build/74e639591c3247f5970c0c811cd0982c : SUCCESS in 25m 55s\n- keystone-tempest-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/710b83c453034bddb2b6205808a28831 : SUCCESS in 18m 29s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/3346fad374244f5591df5f34988fde64 : SUCCESS in 1h 00m 51s\n- keystone-protection-functional https://zuul.opendev.org/t/openstack/build/5dc8ded8fbca4c0c98da8aead65669aa : FAILURE in 28m 20s (non-voting)\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/beaee8fd52ec45d7a987e55c2f28c7af : SUCCESS in 3m 30s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"feb79a5b64a115e2202df80c47209985b73c27f0","tag":"autogenerated:gerrit:setWorkInProgress","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-14 22:45:14.000000000","message":"Set Work In Progress","accounts_in_message":[],"_revision_number":1},{"id":"c4bc0aae85ff66f70d1322b6f856470108655392","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-15 02:04:16.000000000","message":"Patch Set 1:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/2a1aab0264a94fa59cdff5361edace09\n\n- openstack-tox-py310-arm64 https://zuul.opendev.org/t/openstack/build/57fc6e55e35f4407ae450c7b7fd15e4e : SUCCESS in 23m 21s (non-voting)\n- openstack-tox-py313-arm64 https://zuul.opendev.org/t/openstack/build/a1b405e92fcb42b0af68b2a77af7b90b : SUCCESS in 15m 39s (non-voting)\n- openstack-tox-py314-arm64 https://zuul.opendev.org/t/openstack/build/e4a22e3f943b4be2a73b7c9f7d94cb8e : SUCCESS in 24m 23s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"650e59e7c51773a3f40d83d576642d39ac450b86","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-04-15 06:58:12.000000000","message":"Patch Set 1: Code-Review-2\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"99e3ea813cd05311846f00e8a2223c076a450a13","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-20 11:13:30.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"032821bd8004446c0613b790a6a0575c210c352b","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2026-04-20 11:15:26.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"4cb376ce07379a74a1a72e6d563594b562b8e5f3","author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"date":"2026-04-21 10:39:40.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"370b84d52cb5bf7405d18157bcea5d886e6a1740","author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"date":"2026-04-21 19:20:50.000000000","message":"Patch Set 1: -Code-Review\n\n(1 comment)","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"b42547956017d5c04b62c77cbc1b8395986299a3","revisions":{"b42547956017d5c04b62c77cbc1b8395986299a3":{"kind":"REWORK","_number":1,"created":"2026-04-14 20:47:09.000000000","uploader":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"ref":"refs/changes/40/984640/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/40/984640/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/40/984640/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/40/984640/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/40/984640/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/40/984640/1"}}},"commit":{"parents":[{"commit":"80d5b7bf50448073223723cf1f6001a367695e80","subject":"Merge \"Fix pagination next link duplicating URL prefix\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/80d5b7bf50448073223723cf1f6001a367695e80"}]}],"author":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-04-14 20:46:47.000000000","tz":120},"committer":{"name":"Grzegorz Grasza","email":"xek@redhat.com","date":"2026-04-14 20:46:47.000000000","tz":120},"subject":"Add Kubernetes token auth middleware for OCP federation","message":"Add Kubernetes token auth middleware for OCP federation\n\nWhen Keystone is deployed on OpenShift, service accounts have\nJWT tokens that can be validated via the cluster JWKS, but human\nusers get opaque OAuth tokens (sha256~...) that mod_auth_openidc\ncannot validate. This middleware bridges the gap by validating\nboth token types and populating the WSGI environment with\nstandard OIDC-style claims for Keystone\u0027s federation mapped\nauth plugin.\n\nThree auth paths are supported:\n\n  1. API bearer auth with k8s SA JWT tokens — validated locally\n     via the cluster JWKS endpoint, equivalent to mod_auth_openidc\n     with AuthType oauth20.\n\n  2. API bearer auth with opaque OCP OAuth tokens — validated\n     via the Kubernetes TokenReview API, which mod_auth_openidc\n     cannot do.\n\n  3. Browser-based websso — implements the OAuth2 authorization\n     code flow against OCP\u0027s built-in OAuth server, exchanging\n     the code for an opaque token, then validating via\n     TokenReview. No external IdP (Keycloak/Dex) required.\n\nThe middleware sets REMOTE_USER and HTTP_OIDC_* environ variables\nso existing federation mapping rules work without modification.\nIt is gated behind [k8s_auth] enabled \u003d true (default: false)\nand can coexist with mod_auth_openidc on different protocol\npaths.\n\nAll three paths have been validated end-to-end on CRC (OCP 4.21)\nwith a real RHOSO deployment via install_yamls.\n\nAssisted-by: Claude Opus 4 (Anthropic)\nChange-Id: I3447c792a1d380853e812661339325aa13c2c0eb\nSigned-off-by: Grzegorz Grasza \u003cxek@redhat.com\u003e\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b42547956017d5c04b62c77cbc1b8395986299a3"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/b42547956017d5c04b62c77cbc1b8395986299a3"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY"},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}