Thursday, 2016-02-04

*** sdake has joined #openstack-meeting-cp		00:36
*** sdake_ has joined #openstack-meeting-cp		00:50
*** sdake has quit IRC		00:54
*** nikhil has quit IRC		01:21
*** sdake_ has quit IRC		01:33
*** nikhil has joined #openstack-meeting-cp		01:35
*** angdraug has quit IRC		01:53
*** nikhil_k has joined #openstack-meeting-cp		02:24
*** nikhil has quit IRC		02:27
*** sdake has joined #openstack-meeting-cp		03:01
*** dims has joined #openstack-meeting-cp		03:37
*** sdake has quit IRC		03:45
*** sdake has joined #openstack-meeting-cp		03:53
*** dims has quit IRC		03:53
*** tpeoples has quit IRC		04:12
*** jroll has quit IRC		04:13
*** sdake has quit IRC		04:13
*** sdague has quit IRC		04:13
*** elmiko has quit IRC		04:13
*** elmiko has joined #openstack-meeting-cp		04:14
*** sdague has joined #openstack-meeting-cp		04:14
*** jroll has joined #openstack-meeting-cp		04:14
*** tpeoples has joined #openstack-meeting-cp		04:16
*** SergeyLukjanov has quit IRC		04:19
*** smcginnis has quit IRC		04:19
*** russellb has quit IRC		04:19
*** SergeyLukjanov has joined #openstack-meeting-cp		04:20
*** russellb has joined #openstack-meeting-cp		04:20
*** smcginnis has joined #openstack-meeting-cp		04:20
*** markvoelker_ has quit IRC		05:34
*** sdake has joined #openstack-meeting-cp		05:40
*** sdake_ has joined #openstack-meeting-cp		05:45
*** sdake has quit IRC		05:45
*** sdake_ has quit IRC		06:13
*** sdake has joined #openstack-meeting-cp		06:13
*** markvoelker has joined #openstack-meeting-cp		06:35
*** markvoelker has quit IRC		06:39
*** markvoelker has joined #openstack-meeting-cp		07:36
*** markvoelker has quit IRC		07:41
*** evgenyf has joined #openstack-meeting-cp		07:49
*** sdake has quit IRC		07:56
*** sdake has joined #openstack-meeting-cp		08:26
*** markvoelker has joined #openstack-meeting-cp		09:37
*** markvoelker has quit IRC		09:41
*** mugsie has quit IRC		10:39
*** mugsie has joined #openstack-meeting-cp		10:40
*** sdake has quit IRC		10:44
*** dims has joined #openstack-meeting-cp		11:12
*** markvoelker has joined #openstack-meeting-cp		11:38
*** markvoelker has quit IRC		11:43
*** markvoelker has joined #openstack-meeting-cp		12:53
*** markvoelker has quit IRC		12:58
*** markvoelker has joined #openstack-meeting-cp		13:11
*** david-lyle has quit IRC		13:38
*** sdake has joined #openstack-meeting-cp		13:50
*** NanosatC-BR1 has joined #openstack-meeting-cp		14:07
*** dims_ has joined #openstack-meeting-cp		14:10
*** dims has quit IRC		14:12
sdague	hey folks, who's around for service catalog?	15:01
bknudson_	me	15:01
sdague	ok, lets do it. Though no anne or chris	15:02
sdague	#startmeeting service-catalog-tng	15:02
openstack	Meeting started Thu Feb 4 15:02:57 2016 UTC and is due to finish in 60 minutes. The chair is sdague. Information about MeetBot at http://wiki.debian.org/MeetBot.	15:02
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	15:02
*** openstack changes topic to " (Meeting topic: service-catalog-tng)"		15:03
openstack	The meeting name has been set to 'service_catalog_tng'	15:03
bknudson_	they can check the logs later	15:03
sdague	Agenda is - https://wiki.openstack.org/wiki/Meetings/ServiceCatalogTNG#Next_Agenda	15:03
sdague	#topic Project Id Optionality in projects	15:03
*** openstack changes topic to "Project Id Optionality in projects (Meeting topic: service-catalog-tng)"		15:03
bknudson_	anne said there was some problem with optional project id.	15:03
sdague	#info nova patch to make project id optional has landed - https://review.openstack.org/#/c/233076	15:04
sdague	bknudson_: do you remember what that was?	15:04
bknudson_	she didn't say what it was.	15:04
bknudson_	I figured you'd know	15:04
sdague	I guess not	15:05
sdague	I have a patch up to make this default configuration in devstack, however there are Tempest tests blocking that	15:05
sdague	those are proposed for removal - https://review.openstack.org/#/c/271467/ - ETA TBD	15:06
bknudson_	the tempest change has a -2 so I guess that needs to be resolved	15:06
sdague	it has a procedural -2	15:06
sdague	because there is a tempest test removal process	15:06
sdague	I think it's resolvable	15:06
bknudson_	shouldn't be any objection to removing this one	15:07
sdague	agree	15:07
*** annegentle has joined #openstack-meeting-cp		15:07
annegentle	here! Sorry.	15:07
sdague	annegentle: bknudson_ said you had said there was a problem with optional project id	15:08
sdague	before we move on I wanted to figure out what that issue was	15:08
annegentle	sdague: yes I might just be behind	15:08
annegentle	sdague: I read your note to the mailing list	15:08
*** nikhil_k is now known as nikhil		15:08
annegentle	sdague: so maybe I misunderstood	15:08
sdague	annegentle: ah, right, about routing overlap	15:08
bknudson_	might be nice to be able to test the same thing somehow, but then the test would have to build the URL itself.	15:08
annegentle	right	15:08
sdague	which we solved with specifying a project id regex	15:09
annegentle	sdague: did you find a workournd?	15:09
annegentle	sdague: ah ok	15:09
sdague	yes, the nova solution is a default project id regex which is [0-9a-f]+	15:09
bknudson_	since I assume a user with a token in one project won't even see an instance in another project	15:09
sdague	bknudson_: right, all decisions in nova are based on the context value of project_id	15:09
annegentle	bknudson_: well, some providers can set up projects as billing dividers	15:10
annegentle	bknudson_: so a scientist might have two projects	15:10
sdague	annegentle: sure, but they have to specify which project they are acting in when they get the token	15:10
annegentle	bknudson_: but, the token would not be scoped for only two projects.	15:10
annegentle	sdague: yeah, is there still a super-admin token?	15:10
annegentle	sdague: those calls might require indicating which project	15:10
bknudson_	keystone doesn't support getting a token scoped to 2 projects.	15:10
sdague	annegentle: I'm not sure I know what that means?	15:10
bknudson_	in order to operate in nova you need a token scoped to a project	15:11
annegentle	bknudson_: sdague: just a sec I'll find the super token ref I'm thinking of	15:11
sdague	bknudson_: right	15:11
annegentle	bknudson_: as a cloud provider sometimes you need to shut down someone else's server. Is that a scoped project token an admin gets?	15:12
sdague	and admistrative commands that operate on resources either take the resource id, and admin is allowed to do things because they have the admin role	15:12
sdague	or there is an all_tenants param for display on list things	15:12
sdague	which again, requires admin role	15:12
sdague	without which the user would just get their own tenant	15:13
annegentle	bknudson_: ah, I'm thinking of a domain scoped token, http://docs.openstack.org/developer/keystone/configuration.html#keystone-api-protection-with-role-based-access-control-rbac	15:13
bknudson_	is there an example api? I'm not familiar enough with the nova apis	15:13
sdague	bknudson_: for which?	15:13
bknudson_	sdague: an admin shutting down a compute in a different project	15:14
annegentle	http://developer.openstack.org/api-ref-compute-v2.1.html#os-admin-actions-v2.1	15:14
annegentle	specifically, http://developer.openstack.org/api-ref-compute-v2.1.html#resetState	15:14
sdague	yeh, but DELETE is also admin_or_owner in policy	15:15
bknudson_	so in the case of these admin actions the new project ID is in the URL.	15:15
sdague	the project_id in the url is never actionable	15:16
annegentle	ok	15:16
sdague	if there is something specifically about a new project_id, it's passed as a query param	15:16
bknudson_	the old request would be POST http://openstack/compute/{tenant_id_1}/v2.1/{tenant_id}/servers/{server_id}/action	15:16
sdague	not quite	15:16
bknudson_	and the new one is POST http://openstack/compute/v2.1/{tenant_id}/servers/{server_id}/action	15:16
sdague	http://openstack/compute/v2.1/{tenant_id_1}/servers/{server_id}/action	15:16
sdague	and new one is	15:17
sdague	http://openstack/compute/v2.1/servers/{server_id}/action	15:17
bknudson_	oh, the first tenant_id was in the catalog?	15:17
sdague	the catalog entry returned today is	15:17
annegentle	right	15:17
sdague	http://openstack/compute/v2.1/{tenant_id_1}	15:17
bknudson_	I assume the server_id is unique across projects	15:18
sdague	server_id is globally unique	15:18
bknudson_	so nova doesn't look in the project to find the server	15:18
sdague	correct	15:18
bknudson_	is that only for the admin actions?	15:18
sdague	no, for everything	15:18
sdague	this is part of why removing project id was pretty sensible and easy, it's not really a first order construct in our resources	15:19
bknudson_	all these docs will have to change!	15:19
sdague	bknudson_: yep	15:19
sdague	but, they will be massively less confusing	15:19
sdague	swift is really the only project where tenant_id is really a container	15:20
bknudson_	hopefully nova has some code to verify that the user access to the server	15:20
annegentle	bknudson_: it's funny, WADL has a wrapper, so the docs aren't too hard to change	15:20
sdague	yes, admin_or_owner policy enforcement	15:20
sdague	https://github.com/openstack/nova/blob/master/nova/db/sqlalchemy/models.py#L253	15:21
annegentle	good	15:21
sdague	ok, we good with all that and can move on?	15:22
bknudson_	yes, thanks for the explanation	15:22
sdague	it was a good summary of some of where we stand	15:22
sdague	yep	15:22
sdague	annegentle: lastly, were you building the list of projects that would also need this?	15:22
annegentle	sdague: I only got so far	15:22
annegentle	sdague:thinking, just a se	15:23
annegentle	sec	15:23
sdague	well, if we start from oldest projects first and move forward we can hopefully at least reset expectations a bit, I still expect that to be a Newton thing at this point	15:23
annegentle	sdague: yeah, this is the list that is not investigated https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Service_Catalog#Projects_that_I_couldn.27t_find_in_a_service_catalog_and_will_need_to_investigate_further	15:24
sdague	ok, great!	15:24
annegentle	sdague: so does anything need to happen with this list? https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Service_Catalog#These_projects_have_a_TENANT_ID_in_one_of_the_example_service_catalogs	15:25
sdague	I think for Mitaka we are probably out of runway, but we should come up with a Newton push plan. We can wait until M3 for that	15:25
bknudson_	we can put nova in a new category -- projects that have tenant_id in the catalog but it's optional	15:26
sdague	#action around M3 revisit how we'll push for project_id optionality in projects for Newton	15:26
sdague	bknudson_: yep	15:26
annegentle	bknudson_: ok, that's for mitaka right?	15:26
sdague	annegentle: yes, we've landed the code	15:26
annegentle	sdague: ok	15:26
sdague	ok, moving on....	15:26
bknudson_	I'll make that change in the wiki	15:26
annegentle	bknudson_: sounds goo	15:26
annegentle	good even	15:26
sdague	#topic Service Common Names	15:27
*** openstack changes topic to "Service Common Names (Meeting topic: service-catalog-tng)"		15:27
sdague	I kicked this one off on the list this morning, it's been bubbling about recently quite a bit	15:27
sdague	http://lists.openstack.org/pipermail/openstack-dev/2016-February/085748.html	15:27
sdague	I think we can mostly drive the discussion there and let people settle on the fact that we need to do this thing	15:28
sdague	which is the way the wind is blowing now	15:28
sdague	I think there is just a mechanics issue of where the registry actually is	15:28
annegentle	sdague: do you think there's pushback on where?	15:28
annegentle	sdague: or "who will do the work and be responsible?" <-- that's more my take	15:29
bknudson_	I always thought the name registry should be in projects.yaml or some TC repo, not keystone.	15:29
sdague	I think the question seemed to be whether etowes was ok with it being part of API-WG repo	15:29
bknudson_	keystone just stores whatever you put in it.	15:29
sdague	bknudson_: right, definitely agree with that	15:29
sdague	it's just whether the TC does this directly, or basically gives API WG authority to do it	15:30
sdague	I figured I'd let that one just simmer a bit	15:30
sdague	personally, mostly don't care, as long as we get vague concensus	15:30
bknudson_	it'll be interesting to see how keystone gets at the info if we think we need keystone to enforce it.	15:31
sdague	bknudson_: I don't think keystone should enforce it	15:31
sdague	I'm ok with keystone being dumb store for what people say	15:31
*** angdraug has joined #openstack-meeting-cp		15:31
bknudson_	works for me	15:32
sdague	ok, that was mostly an FYI, please get onto the thread and we'll drive discussion there	15:32
sdague	#topic JSON Schema for SC	15:32
*** openstack changes topic to "JSON Schema for SC (Meeting topic: service-catalog-tng)"		15:32
sdague	bknudson_: I think 2 weeks ago you said you'd take a first swipe at such a thing	15:32
sdague	any progress so far?	15:32
bknudson_	y, I didn't get this done.	15:33
sdague	ok, no prob	15:33
bknudson_	didn't happen at the keystone meetup	15:33
bknudson_	I'll throw it at the top of my work queue	15:33
sdague	I'll keep it as standing item on the agenda so we don't forget	15:33
annegentle	sounds good	15:33
sdague	#topic Open Discussion	15:33
*** openstack changes topic to "Open Discussion (Meeting topic: service-catalog-tng)"		15:33
annegentle	I got nuthin'	15:33
bknudson_	I'm actually pretty familiar with the JSONSchema spec now since I was reviewing some changes.	15:34
annegentle	I can talk to Everett etowes this morning	15:34
sdague	the only thing there is I've been bad advertising this meeting. So if anyone knows anyone that wants to help step up as meeting promoter for this, let me know. I'll put a call out to a few folks as well.	15:34
annegentle	sdague: I think some of the discussion also is in https://review.openstack.org/#/c/273158/	15:34
sdague	annegentle: yeh, the experimental APIs one	15:35
annegentle	sdague: as far as differentiation at the resource level	15:35
annegentle	sdague: I'm not sure we should offer experimental at all	15:36
sdague	annegentle: I mostly agree	15:36
annegentle	sdague: most API designs have to be fully baked to be competitive in the market	15:36
sdague	but if people want to, it shouldn't be in the same API	15:36
bknudson_	keystone as JSONHome and that's where we specify experimental.	15:36
annegentle	it's a trust thing	15:36
annegentle	sdague: yeah we need to be precise -- API or endpoint?	15:36
sdague	endpoint	15:36
annegentle	sdague: I'm all for a second experimental endpoint, I think.	15:36
annegentle	sdague: ok yeah	15:36
annegentle	and the API is the GET /blah/resources right? In that spec ^^	15:37
bknudson_	we also called some APIs extensions and they could be disabled	15:37
annegentle	sdague: I need to write a review there	15:37
sdague	yeh, I'll go pile on a bit later on that	15:37
annegentle	bknudson_: ugh those are the worst to document and use tho	15:37
annegentle	sdague: ok	15:37
annegentle	"If you're going to experiment, put it on a separate endpoint"	15:37
bknudson_	I agree that it's not fun to have optional apis.	15:37
sdague	ok, anything else from folks?	15:37
annegentle	nopety	15:37
sdague	great, thanks folks	15:38
annegentle	heh a nope and a thank you combo	15:38
sdague	#endmeeting	15:38
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings"		15:38
openstack	Meeting ended Thu Feb 4 15:38:07 2016 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	15:38
openstack	Minutes: http://eavesdrop.openstack.org/meetings/service_catalog_tng/2016/service_catalog_tng.2016-02-04-15.02.html	15:38
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/service_catalog_tng/2016/service_catalog_tng.2016-02-04-15.02.txt	15:38
openstack	Log: http://eavesdrop.openstack.org/meetings/service_catalog_tng/2016/service_catalog_tng.2016-02-04-15.02.log.html	15:38
*** annegentle has quit IRC		15:46
*** david-lyle has joined #openstack-meeting-cp		16:24
*** sdake has quit IRC		16:51
*** sdake has joined #openstack-meeting-cp		16:52
*** evgenyf has quit IRC		17:05
*** NanosatC-BR1 has quit IRC		17:09
*** sdake has quit IRC		18:12
*** sdake has joined #openstack-meeting-cp		19:05
*** david-lyle has quit IRC		19:11
*** nikhil_k has joined #openstack-meeting-cp		19:52
*** nikhil has quit IRC		19:55
*** stevemar has quit IRC		19:56
*** sdake_ has joined #openstack-meeting-cp		20:02
*** sdake has quit IRC		20:03
*** sdake has joined #openstack-meeting-cp		20:04
*** sdake_ has quit IRC		20:08
*** russellb_ has joined #openstack-meeting-cp		20:40
*** angdraug has quit IRC		20:47
*** russellb has quit IRC		20:47
*** bswartz has quit IRC		20:47
*** ttx has quit IRC		20:47
*** angdraug has joined #openstack-meeting-cp		20:49
*** ttx has joined #openstack-meeting-cp		20:49
*** angdraug has quit IRC		20:50
*** bswartz has joined #openstack-meeting-cp		20:51
*** sdake has quit IRC		21:49
*** russellb_ is now known as russellb		21:57
*** russellb has joined #openstack-meeting-cp		21:57
*** sdake has joined #openstack-meeting-cp		22:41
*** david-lyle has joined #openstack-meeting-cp		22:48
*** david-lyle has quit IRC		22:52
*** angdraug has joined #openstack-meeting-cp		23:21
*** dims_ has quit IRC		23:31
*** dims has joined #openstack-meeting-cp		23:32

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!