Tuesday, 2018-10-02

*** dtrainor_ has quit IRC		00:04
*** macza has quit IRC		00:04
*** jcoufal has joined #openstack-meeting-alt		00:05
*** jcoufal has quit IRC		00:11
*** slaweq has joined #openstack-meeting-alt		00:11
*** slaweq has quit IRC		00:15
*** rossella_s has quit IRC		00:18
*** rossella_s has joined #openstack-meeting-alt		00:19
*** tetsuro has joined #openstack-meeting-alt		00:21
*** rossella_s has quit IRC		00:36
*** rossella_s has joined #openstack-meeting-alt		00:37
*** dpawlik has joined #openstack-meeting-alt		00:45
*** dpawlik has quit IRC		00:50
*** rossella_s has quit IRC		00:54
*** rossella_s has joined #openstack-meeting-alt		00:54
*** dpawlik has joined #openstack-meeting-alt		01:01
*** rossella_s has quit IRC		01:03
*** rossella_s has joined #openstack-meeting-alt		01:04
*** dpawlik has quit IRC		01:05
*** efried has joined #openstack-meeting-alt		01:15
*** ijw has joined #openstack-meeting-alt		01:16
*** ijw has quit IRC		01:21
*** cloudrancher has quit IRC		01:22
*** hongbin has joined #openstack-meeting-alt		01:23
*** cloudrancher has joined #openstack-meeting-alt		01:23
*** Leo_m has joined #openstack-meeting-alt		01:29
*** Leo_m has quit IRC		01:29
*** rossella_s has quit IRC		01:30
*** rossella_s has joined #openstack-meeting-alt		01:30
*** yamahata has quit IRC		01:39
*** iyamahat has quit IRC		01:39
*** efried has quit IRC		02:10
*** efried1 has joined #openstack-meeting-alt		02:10
*** efried1 is now known as efried		02:12
*** rossella_s has quit IRC		02:14
*** rossella_s has joined #openstack-meeting-alt		02:14
*** rossella_s has quit IRC		02:25
*** rossella_s has joined #openstack-meeting-alt		02:26
*** yamamoto has quit IRC		02:32
*** yamamoto has joined #openstack-meeting-alt		02:33
*** yamamoto has quit IRC		02:37
*** rossella_s has quit IRC		02:52
*** rossella_s has joined #openstack-meeting-alt		02:52
*** dpawlik has joined #openstack-meeting-alt		03:02
*** yamamoto has joined #openstack-meeting-alt		03:05
*** dpawlik has quit IRC		03:06
*** dave-mccowan has quit IRC		03:07
*** yamamoto has quit IRC		03:12
*** hongbin has quit IRC		03:15
*** dpawlik has joined #openstack-meeting-alt		03:17
*** dpawlik has quit IRC		03:22
*** rossella_s has quit IRC		03:22
*** rossella_s has joined #openstack-meeting-alt		03:23
*** diablo_rojo has quit IRC		03:27
*** rossella_s has quit IRC		03:28
*** rossella_s has joined #openstack-meeting-alt		03:28
*** ijw has joined #openstack-meeting-alt		03:36
*** yamamoto has joined #openstack-meeting-alt		03:47
*** rossella_s has quit IRC		04:02
*** rossella_s has joined #openstack-meeting-alt		04:02
*** rossella_s has quit IRC		04:12
*** rossella_s has joined #openstack-meeting-alt		04:14
*** rossella_s has quit IRC		04:26
*** rossella_s has joined #openstack-meeting-alt		04:28
*** rossella_s has quit IRC		04:44
*** rossella_s has joined #openstack-meeting-alt		04:44
*** rossella_s has quit IRC		05:02
*** rossella_s has joined #openstack-meeting-alt		05:02
*** e0ne has joined #openstack-meeting-alt		05:06
*** e0ne has quit IRC		05:06
*** rossella_s has quit IRC		05:16
*** rossella_s has joined #openstack-meeting-alt		05:16
*** mtreinish has quit IRC		05:17
*** dpawlik has joined #openstack-meeting-alt		05:18
*** mtreinish has joined #openstack-meeting-alt		05:21
*** rossella_s has quit IRC		05:22
*** dpawlik has quit IRC		05:23
*** rossella_s has joined #openstack-meeting-alt		05:24
*** rossella_s has quit IRC		05:34
*** rossella_s has joined #openstack-meeting-alt		05:34
*** dpawlik has joined #openstack-meeting-alt		05:34
*** dpawlik has quit IRC		05:39
*** rossella_s has quit IRC		05:44
*** rossella_s has joined #openstack-meeting-alt		05:49
*** dpawlik has joined #openstack-meeting-alt		06:00
*** rossella_s has quit IRC		06:01
*** rossella_s has joined #openstack-meeting-alt		06:01
*** rossella_s has quit IRC		06:03
*** rossella_s has joined #openstack-meeting-alt		06:04
*** slaweq has joined #openstack-meeting-alt		06:11
*** slaweq has quit IRC		06:16
*** yamamoto has quit IRC		06:27
*** yamamoto has joined #openstack-meeting-alt		06:27
*** d0ugal has joined #openstack-meeting-alt		06:32
*** dims has quit IRC		06:38
*** dims has joined #openstack-meeting-alt		06:44
*** dims has quit IRC		06:48
*** dims has joined #openstack-meeting-alt		06:51
*** tetsuro has quit IRC		06:53
*** e0ne has joined #openstack-meeting-alt		07:00
*** rcernin has quit IRC		07:01
*** dpawlik has quit IRC		07:04
*** slaweq has joined #openstack-meeting-alt		07:07
*** kopecmartin\|off is now known as kopecmartin\|ruck		07:17
*** dpawlik has joined #openstack-meeting-alt		07:24
*** mpiwowarczy has quit IRC		07:32
*** tetsuro has joined #openstack-meeting-alt		07:38
*** slaweq has quit IRC		07:39
*** slaweq has joined #openstack-meeting-alt		07:49
*** iyamahat has joined #openstack-meeting-alt		07:51
*** priteau has joined #openstack-meeting-alt		07:51
*** d0ugal has quit IRC		07:53
*** jtomasek has joined #openstack-meeting-alt		08:04
*** alexchadin has joined #openstack-meeting-alt		08:11
*** derekh has joined #openstack-meeting-alt		08:37
*** alexchadin has quit IRC		08:45
*** ttsiouts has joined #openstack-meeting-alt		08:51
*** masahito has joined #openstack-meeting-alt		08:58
*** bertys has joined #openstack-meeting-alt		08:59
*** alexchadin has joined #openstack-meeting-alt		08:59
priteau	#startmeeting blazar	09:00
openstack	Meeting started Tue Oct 2 09:00:17 2018 UTC and is due to finish in 60 minutes. The chair is priteau. Information about MeetBot at http://wiki.debian.org/MeetBot.	09:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	09:00
*** openstack changes topic to " (Meeting topic: blazar)"		09:00
openstack	The meeting name has been set to 'blazar'	09:00
*** ttsiouts has quit IRC		09:00
priteau	#topic Roll call	09:00
*** openstack changes topic to "Roll call (Meeting topic: blazar)"		09:00
masahito	o/	09:00
tetsuro	o/	09:00
bertys	o/	09:00
priteau	Hello everyone	09:01
priteau	I don't have a big agenda today	09:01
priteau	1. Project Update @ Berlin Summit	09:01
priteau	2. OpenStack-wide Goals	09:01
priteau	3. AOB	09:01
priteau	#topic Project Update @ Berlin Summit	09:01
*** openstack changes topic to "Project Update @ Berlin Summit (Meeting topic: blazar)"		09:01
priteau	I have registered for the summit and sent the proof to confirm our project update slot	09:02
*** ttsiouts has joined #openstack-meeting-alt		09:02
priteau	We are on the official schedule now	09:03
priteau	#link https://www.openstack.org/summit/berlin-2018/summit-schedule/events/22775/blazar-project-update	09:03
priteau	Tuesday, November 13, 11:25am-11:45am	09:03
bertys	priteau: Thanks, I have registered as well.	09:03
masahito	Thanks	09:04
priteau	Does this time work for you masahito and bertys?	09:04
priteau	This is at the beginning of the summit	09:04
masahito	No problem.	09:04
priteau	Almost right after the keynotes	09:04
bertys	works for me as well	09:04
priteau	bertys: Could you please update your speaker profile which shows up on the page?	09:05
priteau	You can put a picture and a little bio	09:05
priteau	It's manage within your OpenStack profile	09:06
priteau	managed	09:06
bertys	priteau: ok, will do, no problem	09:06
priteau	Unless you want to remain incognito ;-)	09:06
priteau	I am going to ask whether there is a specific slide deck template to follow, and if not use the previous one	09:07
priteau	Then I will circulate the slides so we can start contributing	09:08
priteau	I haven't yet looked closely at the summit schedule, anything interesting?	09:09
masahito	me neither.	09:09
priteau	We should see a draft forum schedule next week (October 10)	09:11
priteau	Moving on to the next topic	09:11
priteau	#topic OpenStack-wide Goals	09:11
*** openstack changes topic to "OpenStack-wide Goals (Meeting topic: blazar)"		09:11
priteau	On the ML there is already a discussion of goals for the T release	09:12
priteau	#link http://lists.openstack.org/pipermail/openstack-dev/2018-September/135097.html	09:13
priteau	Interestingly the discussion has focused around openstackclient support	09:13
priteau	We are planning to make progress on our own OSC plugin this cycle so it should give us a head start for the T cycle!	09:14
masahito	Nice	09:14
priteau	And for Stein, we need to start working on our upgrade checker	09:15
priteau	#link https://governance.openstack.org/tc/goals/stein/upgrade-checkers.html	09:15
masahito	We have less CLI commands. It's easy to migrate to OSC.	09:15
priteau	masahito: It's not hard work but we still need to take the time to do it :-)	09:16
bertys	priteau: I guess you already saw the feedback from Matt @ https://storyboard.openstack.org/#!/story/2003657, right ?	09:17
priteau	bertys: I had not, thanks for letting me know.	09:17
priteau	I see that there is now a oslo.upgradecheck library	09:18
*** slaweq has quit IRC		09:19
*** yamamoto has quit IRC		09:19
bertys	right, has been accepted https://github.com/openstack/oslo.upgradecheck & https://review.openstack.org/#/c/602483/	09:19
priteau	Seems like the agreement is to have a noop checker if there is nothing to watch out for upgrade	09:20
*** yamamoto has joined #openstack-meeting-alt		09:20
priteau	That's from the Week R-29 Update	09:20
*** slaweq has joined #openstack-meeting-alt		09:21
priteau	#link https://review.openstack.org/#/c/603465/	09:21
priteau	Monasca's noop upgrade checker	09:21
masahito	priteau: do you have a list of issues you hit while you upgrade the Chameleon Cloud?	09:21
masahito	If there is, backporting from the list is nice.	09:22
priteau	masahito: Most issues were linked to all our local changes, including DB schema changes. I don't recall if there was an issue with upstream code.	09:22
priteau	But I will check.	09:22
masahito	Of course, noop checker is nice, too. because Blazar is operator friendly project :-)	09:22
priteau	It may be required for all projects to have a checker, even if noop, by the end of the cycle	09:24
*** yamamoto has quit IRC		09:24
priteau	If I can find some time during the week I can try to push an initial patch	09:25
*** rdopiera has joined #openstack-meeting-alt		09:26
priteau	Anything else to discuss on this topic?	09:26
masahito	nothing from my side	09:26
priteau	#topic AOB	09:27
*** openstack changes topic to "AOB (Meeting topic: blazar)"		09:27
priteau	I see there's been some discussion on the approach to use for placement client in https://review.openstack.org/#/c/584625/	09:27
masahito	priteau: Thanks for putting it on the table	09:28
priteau	For what it's worth, my opinion is that we should move forward with tetsuro's code. We can always change it to use a common library if one is created	09:28
tetsuro	Agreed.	09:29
masahito	+1	09:29
priteau	bertys: ?	09:30
bertys	priteau: My original intention was to review tetsuro's patches once https://review.openstack.org/#/c/527728/ is merged	09:31
priteau	But do you agree with the approach of writing our own client code for now, so we can make rapid progress?	09:32
priteau	Creating a common library that can be used by multiple projects is going to require time	09:34
bertys	I do not want to block making progress on blazar side so I will provide some feedback this week	09:34
priteau	Thanks	09:35
tetsuro	bertys: Thanks	09:35
priteau	Any other AOB topics?	09:36
masahito	I have few updates.	09:36
masahito	1. pushed scenario tests for the instance reservations. The scenario comes basically from host reservation's one.	09:36
masahito	https://review.openstack.org/#/q/topic:bug/1714438+(status:open+OR+status:merged)	09:37
masahito	2. Updated patches for resource-availability-api	09:37
masahito	That's from my side.	09:37
priteau	Thank you masahito. I started to review the instance reservation patches earlier this morning :-)	09:38
masahito	thanks	09:39
tetsuro	Ah, great work on instance scenario tests, thank you so much.	09:39
priteau	tetsuro: Anything new on your side?	09:40
tetsuro	Since I was a bit worried about moving on Placement related changes without instance scenario tests	09:40
tetsuro	Not really new from me this week, sorry.	09:41
masahito	tetsuro: I'm planning to add more scenario once we've added a new tag to the tempest plugin for stable/queens.	09:42
priteau	My AOB is that Chameleon needs network resource reservation, so I am going to work on prototyping an approach	09:42
*** yamamoto has joined #openstack-meeting-alt		09:42
masahito	priteau: I'm testing our ideas of floating IP reservation in the PTG in my local to find out pros/cons.	09:43
masahito	priteau: Which are you working on floatingIP or VLAN?	09:44
priteau	That's great. I am going to focus more on the VLAN side of things.	09:44
masahito	Great. We can work for it in parallel :-)	09:45
priteau	Please keep me updated as you make progress	09:46
masahito	sure	09:46
priteau	Anything else for AOB? If not we can end the meeting early and go back to work!	09:47
masahito	ah, just fyi	09:49
masahito	I noticed tetsuro became officially placement-core.	09:49
masahito	congrats!!	09:49
tetsuro	Yes, that happened last Thursday. Thanks.	09:50
priteau	Congratulations tetsuro!	09:50
bertys	tetsuro: congrats and keep up the good work!	09:50
tetsuro	Yup, thanks. Never let you down.	09:51
priteau	I don't hear anything else. Let's end early.	09:53
priteau	Have a good week everyone, thanks for joining.	09:53
priteau	#endmeeting	09:53
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings/"		09:53
openstack	Meeting ended Tue Oct 2 09:53:13 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	09:53
openstack	Minutes: http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-10-02-09.00.html	09:53
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-10-02-09.00.txt	09:53
openstack	Log: http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-10-02-09.00.log.html	09:53
masahito	Thanks. bye	09:53
tetsuro	thanks!	09:53
*** bertys has quit IRC		09:55
*** ttsiouts has quit IRC		10:01
*** ttsiouts has joined #openstack-meeting-alt		10:03
*** masahito has quit IRC		10:13
*** dpawlik has quit IRC		10:16
*** dpawlik has joined #openstack-meeting-alt		10:17
*** yamamoto has quit IRC		10:40
*** yamamoto has joined #openstack-meeting-alt		10:40
*** d0ugal has joined #openstack-meeting-alt		11:01
*** dave-mccowan has joined #openstack-meeting-alt		11:02
*** ttsiouts has quit IRC		11:03
*** ttsiouts has joined #openstack-meeting-alt		11:03
*** ttsiouts has quit IRC		11:08
*** e0ne has quit IRC		11:10
*** ttsiouts has joined #openstack-meeting-alt		11:13
*** jtomasek has quit IRC		11:16
*** jtomasek has joined #openstack-meeting-alt		11:16
*** tetsuro has quit IRC		11:18
*** jtomasek has joined #openstack-meeting-alt		11:18
*** alexchadin has quit IRC		11:21
*** ganso has joined #openstack-meeting-alt		11:24
*** ttsiouts has quit IRC		11:25
*** tbarron has joined #openstack-meeting-alt		11:25
*** ganso has left #openstack-meeting-alt		11:25
*** e0ne has joined #openstack-meeting-alt		11:50
*** dtrainor has joined #openstack-meeting-alt		11:54
*** yamamoto has quit IRC		12:07
*** yamamoto has joined #openstack-meeting-alt		12:08
*** ttsiouts has joined #openstack-meeting-alt		12:10
*** yamamoto has quit IRC		12:12
*** beagle is now known as beagles		12:16
*** haleyb has quit IRC		12:23
*** haleyb has joined #openstack-meeting-alt		12:27
*** _pewp_ has quit IRC		12:30
*** _pewp_ has joined #openstack-meeting-alt		12:31
*** rossella_s has quit IRC		12:32
*** raildo has joined #openstack-meeting-alt		12:32
*** jcoufal has joined #openstack-meeting-alt		12:32
*** markvoelker has joined #openstack-meeting-alt		12:32
*** rossella_s has joined #openstack-meeting-alt		12:33
*** raildo_ has joined #openstack-meeting-alt		12:34
*** raildo has quit IRC		12:37
*** yamamoto has joined #openstack-meeting-alt		12:51
*** tssurya has joined #openstack-meeting-alt		12:53
*** d0ugal has quit IRC		13:00
*** d0ugal has joined #openstack-meeting-alt		13:21
*** ttsiouts has quit IRC		13:23
*** dustins has joined #openstack-meeting-alt		13:27
*** rossella_s has quit IRC		13:30
*** e0ne has quit IRC		13:32
*** ttsiouts has joined #openstack-meeting-alt		13:33
*** rossella_s has joined #openstack-meeting-alt		13:33
*** dangtrinhnt_x has joined #openstack-meeting-alt		13:34
*** d0ugal has quit IRC		13:36
*** tpsilva has joined #openstack-meeting-alt		13:39
*** raildo_ is now known as raildo		13:39
*** d0ugal has joined #openstack-meeting-alt		13:54
*** hongbin has joined #openstack-meeting-alt		13:57
*** dustins has quit IRC		13:58
*** ttsiouts has quit IRC		13:58
*** dustins has joined #openstack-meeting-alt		14:01
*** e0ne has joined #openstack-meeting-alt		14:02
*** amotoki_ is now known as amotoki		14:04
*** cloudrancher has quit IRC		14:07
*** cloudrancher has joined #openstack-meeting-alt		14:08
*** ttsiouts has joined #openstack-meeting-alt		14:12
*** munimeha1 has joined #openstack-meeting-alt		14:24
*** liuyulong has joined #openstack-meeting-alt		14:29
*** liuyulong has quit IRC		14:42
*** ttsiouts has quit IRC		14:46
*** dangtrinhnt_x has quit IRC		14:56
*** ttsiouts has joined #openstack-meeting-alt		15:00
*** toabctl has joined #openstack-meeting-alt		15:03
*** gagehugo has joined #openstack-meeting-alt		15:04
*** yamamoto has quit IRC		15:10
*** yamamoto has joined #openstack-meeting-alt		15:10
*** d0ugal has quit IRC		15:12
*** d0ugal has joined #openstack-meeting-alt		15:12
*** Leo_m has joined #openstack-meeting-alt		15:15
*** e0ne has quit IRC		15:19
*** dpawlik has quit IRC		15:22
*** ircuser-1 has joined #openstack-meeting-alt		15:25
*** dave-mccowan has quit IRC		15:27
*** ttsiouts has quit IRC		15:42
*** macza has joined #openstack-meeting-alt		15:43
*** macza_ has joined #openstack-meeting-alt		15:47
*** gyee has joined #openstack-meeting-alt		15:49
*** macza has quit IRC		15:51
*** jcoufal has quit IRC		15:59
*** jgrassler has joined #openstack-meeting-alt		15:59
cmurphy	#startmeeting keystone	16:00
openstack	Meeting started Tue Oct 2 16:00:11 2018 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot.	16:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	16:00
*** openstack changes topic to " (Meeting topic: keystone)"		16:00
openstack	The meeting name has been set to 'keystone'	16:00
gagehugo	o/	16:00
jgrassler	o/	16:00
cmurphy	#link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda	16:00
cmurphy	lbragstad is starting his 18-year indentured servitute so i am standing in	16:00
cmurphy	please add things to the agenda	16:01
knikolla	o/	16:01
cmurphy	#topic Outreachy project submissions	16:02
*** openstack changes topic to "Outreachy project submissions (Meeting topic: keystone)"		16:02
cmurphy	#link https://etherpad.openstack.org/p/keystone-outreachy-proposals keystone outreachy proposals	16:02
cmurphy	I started an etherpad to draft outreachy project submissions, it's a little more structured than the brainstorming etherpad	16:03
hrybacki	o/	16:03
*** jcoufal has joined #openstack-meeting-alt		16:03
cmurphy	there's one draft there, feel free to give me feedback on it	16:03
cmurphy	and placeholders for kmalloc's ideas	16:04
cmurphy	and if you plan to propose other projects feel free to add them there	16:04
cmurphy	any thoughts on that topic?	16:04
*** ayoung has joined #openstack-meeting-alt		16:05
ayoung	What is the time frame for submissions?	16:05
cmurphy	ayoung: deadline is Oct 16 I think	16:06
cmurphy	but they start accepting them and letting applicants apply for them before that iirc so it's good to get them in asap	16:06
knikolla	i like the tasks in there	16:06
cmurphy	ayoung: interesting, would be good to have a spec for that idea before submitting it as a project i think	16:07
gagehugo	heh "REALLY motivated"	16:07
ayoung	cmurphy, I'll work on it	16:08
cmurphy	okay thanks ayoung	16:08
ayoung	we've discussed it a bunch, so I think we should be able to come up with something clear fairly quickly on the keystone side	16:08
ayoung	client might take more work, but that would probably be follow on	16:09
cmurphy	okay, let's move on, we can come back to this in open discussion if we like	16:10
cmurphy	#topic Application credentials fine grained access control spec	16:10
*** openstack changes topic to "Application credentials fine grained access control spec (Meeting topic: keystone)"		16:10
cmurphy	#link http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/capabilities-app-creds.html spec	16:10
jgrassler	Yeah, that one...	16:10
cmurphy	so jgrassler has let me know that he has a bit too much on his plate to make this feasible for him to accomplish	16:11
ayoung	Outreachy!	16:11
cmurphy	:) i worry this is a little too involved for an outreachy project	16:11
ayoung	Heh. You Think?	16:11
jgrassler	I wouldn't have phrased it quite so diplomatically ("I fear I have to flake out on this"), but yes, that's the gist of it.	16:11
cmurphy	i wanted to ask if anyone was clamoring for a new project or would want to split up the work with me	16:11
ayoung	cmurphy, I'll help	16:12
jgrassler	ayoung: yeah...the thought had crossed my mind, too during the previous agenda item :-)	16:12
cmurphy	ayoung: awesome, thanks	16:12
ayoung	the fine grained stuff was kindof something I wanted	16:12
cmurphy	also i wanted to thanks jgrassler for getting the spec in shape, that was no small effort	16:12
ayoung	cmurphy, should I update this spec to support it: https://review.openstack.org/#/c/456974/	16:13
ayoung	Role check on body key	16:13
jgrassler	Thanks :-) I'd meant to write the code at some stage, though...	16:13
ayoung	that was originally for the policy-in-rbac,	16:13
cmurphy	ayoung: i'd rather we stick to the spec we agreed to on this iteration	16:13
ayoung	cmurphy, agreed. I meant as a mitigation for things that spec couldn't cover, I could rewrite this spec to be "here's how we do that in the future"	16:14
ayoung	things like the actions api in nova that might not map perfectly to URL+Verb along	16:14
ayoung	alone	16:14
ayoung	Or are we confident we can get away without the body checks. I'm ok deferring it	16:15
cmurphy	i think this iteration doesn't drastically need it because we're still doing the policy checks as well which cover the different policies for different bodies	16:16
ayoung	++	16:16
cmurphy	anyways, thanks jgrassler and ayoung	16:17
ayoung	I'll keep it in mind. Anyway, I can tackley the SQL and API changes	16:17
cmurphy	++	16:17
cmurphy	#topic Shared-Nothing Keystone for Multisite	16:17
*** openstack changes topic to "Shared-Nothing Keystone for Multisite (Meeting topic: keystone)"		16:17
cmurphy	ayoung: i'm guessing this is you	16:17
ayoung	Is App Creds Flaskified yet?	16:17
cmurphy	not yet	16:17
ayoung	OK, so SHared nothing is another way to say "different databases"	16:18
ayoung	i.e. we put a keystone server at a region, and it handles only requests for that reqion	16:18
ayoung	and I have a couple reviews outstanding in support of this approach. I'd really appreciate getting any battles about them out of the way soonish	16:18
ayoung	I have a spec, too, that I am resurrecting, based on the Federated ID changes, that should help multis-site	16:19
*** toabctl has quit IRC		16:19
ayoung	basically, the Fed Query APIs let a user ask "what would Keystone do about this REMOTE_USER/REMOTE_GROUPS set of variables	16:19
ayoung	it will support pre-population of values, and it will support using the Keystone data from an Application as well	16:20
ayoung	i.e. Identity as a Service?	16:20
ayoung	or something like that	16:20
ayoung	So, please look at them, and tell me what you don't like	16:20
cmurphy	ayoung: we have pushed back really hard on allowing user-set IDs and I don't fully understand the reasoning this is needed now, why was the predictable ID not sufficient?	16:20
cmurphy	i think kmalloc had strong objections too	16:21
ayoung	cmurphy, user-set IDs for Domain is to give us a top-level division between regions	16:21
ayoung	it is expected that only the domain_id will be user-set,	16:21
ayoung	not the userids, or project ids	16:21
ayoung	so, I am kindof sticking with kmalloc 's reasoning on the majority	16:21
ayoung	domains are a little different, in that the domain_id is used to generate the user-id in LDAP and, with the other path, Federation	16:22
ayoung	it also lets us say "this domain is at this regions, that domain is at that region" in a central server, and have the rest of the data be local to the regional keystone servers	16:23
ayoung	kmalloc, has since given his approval, at least in IRC, to this approach	16:23
ayoung	IdPs are also (iirc) allowed to have user-set Identifiers, which will let us have a unified approach to identity across the multi-sites	16:24
ayoung	cmurphy, any real objection, or just wondering "why now?"	16:24
cmurphy	ayoung: mostly wondering why	16:24
ayoung	cmurphy, cool.	16:25
cmurphy	ayoung: i will read the spec and ask you more questions	16:25
ayoung	++	16:25
ayoung	cmurphy, we have at least 2 customers that are tackling this problem and I would like to set them up for success	16:26
ayoung	I'm willing to listen to any and all wisdom on how to handle multi-site when you can't scale galera to all of the nodes	16:26
ayoung	according to what I've heard, galera will cover ~ 9 nodes, which, if you HA at a site with 3 msql instances, lets you get up to a 3 site cluster	16:27
ayoung	but, if galera goes down, you've lost the the whole cluster	16:27
ayoung	and that is a non-rare occurrence	16:27
ayoung	So the thought experiement is: what if we have a hub-and-spoke model, and try to minimize the amount of data to keep in sync between them	16:28
ayoung	at the hub, we would have keystone and the minimal service catalog with the regional keystone only	16:28
ayoung	hub would also have a domain-to-region mapping...	16:29
ayoung	and I don;'t have a good answer on how to do that today	16:29
cmurphy	i think i'm missing why you need a domain to region mapping, one domain per region doesn't fit most use cases	16:30
ayoung	Anyway, that is the goal, and I am looking for input on how to acheive it, or smart alternatives that are not just "completely separate openstack deployments"	16:30
ayoung	cmurphy, so, the domain-to-region does not need to be one-to-one	16:31
cmurphy	ah	16:31
ayoung	instead, it is a way of saying "if this domain is linked to this region, this regional keystone owns the data in it"	16:31
cmurphy	so kind of like a catalog for your regions	16:32
ayoung	I think the Federated domain, where the users are mapped, would still be owned by the central	16:32
ayoung	cmurphy, exactly, yes	16:32
ayoung	cmurphy, I would only put the identity servers into the central catalog, though	16:32
ayoung	if you want to see what is really supported there (nova, sahara, whatever) go to that Keystone server and look at the catalog	16:33
ayoung	So...I'm done	16:35
cmurphy	anyone have questions for ayoung ?	16:36
cmurphy	#topic open discussion	16:36
*** openstack changes topic to "open discussion (Meeting topic: keystone)"		16:36
cmurphy	fyi i won't be at office hours	16:36
kmalloc	O/	16:37
cmurphy	kmalloc we were talking about ayoung's explicit_domain_id plan	16:37
kmalloc	Reading backlog	16:38
kmalloc	Gimme a sec	16:38
kmalloc	i fall back to the oath model	16:39
ayoung	Oaf?	16:39
kmalloc	and predictable ids, meaning it's not "supplied" but it is something we predictably generate	16:39
kmalloc	domains being the separate case	16:40
kmalloc	meaning we need to allow some level of autoprovisioning or mechanism to supply a known domain id.	16:40
kmalloc	oath - yahoo folks doing the federation	16:40
kmalloc	the domain-to-region mapping is the key that way	16:40
kmalloc	i don't see an issue with ayoung's approach architecturally within keystone	16:41
kmalloc	and i am willing to cede a minimal level of keystone-auto-id-owning to make the model work	16:42
ayoung	#link http://superuser.openstack.org/articles/massive-hyperscale-insfrastructure-openstack/	16:42
kmalloc	it is a real concern in the direction everything is taking	16:42
cmurphy	cool, i'll look closer at it soon	16:42
ayoung	looking for design docs	16:43
kmalloc	i am also ok if a local keystone generates a local "id" that is combined with a specific local domain to generate the ultimate user-id.	16:43
kmalloc	and the "generated local-id" then is transmitted to the remote keystones, meaning the id, pending the domain-id being in sync, would be consistent between deployments	16:44
ayoung	so...sync is a problem	16:44
kmalloc	that is assuming a single keystone is the sole owner of a user resource though... so no a->b->a->c->a	16:44
ayoung	right now, what we could do is have a listener	16:44
kmalloc	just a->c, a->b....	16:44
ayoung	that would try and talk to a remote server, but if that server is down, we need to hold on to the changes	16:45
kmalloc	i am ok with a "domains must be made and configured when a federated source of id is configured"	16:45
ayoung	or, have some way to "requery all since X" when the remote site comes back up	16:45
kmalloc	there is work to do to trust a source of id, one step may be making a domain.	16:45
ayoung	so, I am really trying to avoid data sync. THus, limiting it to domains, and the rest be "provisioned on demand with predicatble IDS"	16:45
ayoung	keeping Federated configuration (IDP etc) in sync is a low risk	16:46
ayoung	users and project assignements are much more likely to be dropped	16:46
kmalloc	the goal is to avoid needing to sync everything. i don't want to sync domains, i am inclined to say operationally, make domain X, and configure IDP as trusted and linked to domain x	16:46
kmalloc	it is part of the setup.	16:46
ayoung	so, the other part is "if we need info from Region X to work with Region Y, use K2K"	16:47
ayoung	and now we have some modicum of a framework to keep the assignements we need in sync	16:48
kmalloc	that is largely what we've been driving at. or "central IDP" and locally assignments are derived from IDP info (on demand) or concretely set.	16:48
ayoung	like, DomainXY maps to Domain Y	16:48
kmalloc	the central idp may be keystone, may be something else with advanced mapping in the region-local keystones	16:48
ayoung	I'm thinking specifically of knikolla 's use cases where the Cinder Server is owned by one Keystone, and the Nova server by another	16:49
kmalloc	nothing says you still can't have a central source of ID	16:49
kmalloc	which in knikolla's case, right now is a keycloak.	16:50
kmalloc	the proxy/k2k bits for service federation is separate from strict id federation	16:50
kmalloc	don't try to over engineer a single solution	16:50
ayoung	cmurphy, does this make sense?	16:50
kmalloc	it is likely they are related (lean on similar tech) but are setup with some separation.	16:51
kmalloc	since the concerns are slightly different	16:51
kmalloc	autoprovision, consistent/predictable ids is part of it	16:51
cmurphy	ayoung: so far yes, though I'm still not 100% on why plain k2k isn't sufficient	16:51
kmalloc	but you have to look at user->service interaction and service->service interactions	16:51
kmalloc	so, k2k can fill s->s (on behalf of the user)	16:52
kmalloc	but typically users will go idp->[auth through keystone]->Nova (or similar) and not have to bounce through k2k	16:52
ayoung	One thing we can't do today is tell a user "you can only use this region's servers"	16:53
kmalloc	realistically, we're talking about changing k2k to more of "it isn't specifically a keystone you're talking to, it is any form of ID"	16:53
ayoung	however, if the regional keystone is the only thing that can supply tokens for those servers, you now have an auth-point for limiting access	16:53
ayoung	can't do that solely with K2k	16:53
ayoung	but K2K would be useful for then saying "OK, now allow user U2 to use this nova as well"	16:54
cmurphy	ayoung: we could give them a mapping that only maps to the domains in one region	16:54
cmurphy	but i guess you're saying the user can't discover that	16:54
kmalloc	cmurphy: correct.	16:54
ayoung	Service catalog is not used to enforce, either	16:55
kmalloc	and should not be used to enforce*	16:56
ayoung	so a user can use an endpoint not in their catalog if the token is still valid	16:56
ayoung	So, say we have 3 tiers (Gold, Silvern Bronze)	16:56
cmurphy	3 minutes left	16:57
ayoung	do it as 3 regions, each with their own keystone, each with a distinct service catalog	16:57
kmalloc	the enforcement should not be predicated on the SC, the SC may communicate what is really enforced (I worry about shipping the SC around as auth[z] data)	16:57
ayoung	the only time you need to do K2K is to set up an arraingement that cuts horizontally, and that should be owned by one of the regions	16:57
kmalloc	all of this is enhancements to how keystone does federation and how sources of IDentity are handled.	16:58
cmurphy	times up	17:00
kmalloc	the end goal is: source of identity -> keystone, and keystone is locally independant/not synchronized.	17:00
cmurphy	#endmeeting	17:00
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings/"		17:00
openstack	Meeting ended Tue Oct 2 17:00:09 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	17:00
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-10-02-16.00.html	17:00
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-10-02-16.00.txt	17:00
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-10-02-16.00.log.html	17:00
kmalloc	thanks for chairing the meeting cmurphy	17:00
cmurphy	yw	17:00
*** iyamahat has quit IRC		17:01
*** gagehugo has left #openstack-meeting-alt		17:02
*** derekh has quit IRC		17:03
*** rossella_s has quit IRC		17:12
*** rossella_s has joined #openstack-meeting-alt		17:12
*** cloudrancher has quit IRC		17:24
*** cloudrancher has joined #openstack-meeting-alt		17:25
*** iyamahat has joined #openstack-meeting-alt		17:26
*** rdopiera has quit IRC		17:29
*** rossella_s has quit IRC		17:30
*** rossella_s has joined #openstack-meeting-alt		17:34
*** munimeha1 has quit IRC		17:47
*** priteau has quit IRC		17:47
*** dpawlik has joined #openstack-meeting-alt		17:48
*** diablo_rojo has joined #openstack-meeting-alt		17:48
*** tssurya has quit IRC		17:52
*** dpawlik has quit IRC		17:53
*** dpawlik has joined #openstack-meeting-alt		18:09
*** dpawlik has quit IRC		18:14
*** smyers has quit IRC		18:41
*** smyers has joined #openstack-meeting-alt		18:49
*** Swami has joined #openstack-meeting-alt		19:03
*** e0ne has joined #openstack-meeting-alt		19:32
*** diablo_rojo has quit IRC		20:00
*** dave-mccowan has joined #openstack-meeting-alt		20:09
*** dustins has quit IRC		20:16
*** dave-mccowan has quit IRC		20:30
*** dave-mccowan has joined #openstack-meeting-alt		20:31
*** dave-mccowan has quit IRC		20:36
*** cloudrancher has quit IRC		20:41
*** ttsiouts has joined #openstack-meeting-alt		20:55
*** raildo has quit IRC		20:58
*** cloudrancher has joined #openstack-meeting-alt		20:59
*** e0ne has quit IRC		21:02
*** ttsiouts has quit IRC		21:10
*** ttsiouts has joined #openstack-meeting-alt		21:11
*** cloudrancher has quit IRC		21:12
*** diablo_rojo has joined #openstack-meeting-alt		21:22
*** ttsiouts has quit IRC		21:27
*** ttsiouts has joined #openstack-meeting-alt		21:28
*** Leo_m has quit IRC		21:40
*** ijw has quit IRC		21:57
*** ttsiouts has quit IRC		22:04
*** jesusaur has quit IRC		22:06
*** jesusaur has joined #openstack-meeting-alt		22:11
*** jcoufal has quit IRC		22:36
*** tpsilva has quit IRC		22:55
*** pbourke has quit IRC		23:02
*** pbourke has joined #openstack-meeting-alt		23:02
*** hongbin has quit IRC		23:02
*** yamamoto has quit IRC		23:21
*** yamamoto has joined #openstack-meeting-alt		23:22
*** yamamoto has quit IRC		23:24
*** yamamoto has joined #openstack-meeting-alt		23:24
*** yamamoto has quit IRC		23:29
*** yamamoto has joined #openstack-meeting-alt		23:30
*** yamamoto has quit IRC		23:34
*** erlon has joined #openstack-meeting-alt		23:36
*** macza_ has quit IRC		23:37
*** macza has joined #openstack-meeting-alt		23:37
*** macza has quit IRC		23:42
*** Swami has quit IRC		23:42
*** rcernin has joined #openstack-meeting-alt		23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!