Wednesday, 2017-07-19

lbragstad: #startmeeting policy [16:00]
openstack: Meeting started Wed Jul 19 16:00:19 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. [16:00]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [16:00]
*** openstack changes topic to " (Meeting topic: policy)" [16:00]
openstack: The meeting name has been set to 'policy' [16:00]
lbragstad: ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson [16:00]
lbragstad: in case anyone is around [16:00]
*** diablo_rojo has quit IRC [16:00]
edmondsw: o/ [16:00]
lbragstad: #link https://etherpad.openstack.org/p/keystone-policy-meeting [16:01]
*** gagehugo has joined #openstack-meeting-cp [16:01]
lbragstad: agenda ^ [16:01]
gagehugo: o/ [16:01]
blancos: o/ [16:01]
lamt: o/ [16:01]
* morgan lurks [16:01]
*** diablo_rojo has joined #openstack-meeting-cp [16:01]
lbragstad: alright - let's go ahead and get started [16:01]
lbragstad: #topic open discussion [16:01]
*** openstack changes topic to "open discussion (Meeting topic: policy)" [16:01]
lbragstad: :) [16:01]
lbragstad: we don't have anything on the agenda - which i think is fine since a lot of folks are focused on finishing up feature work [16:01]
lbragstad: but we can certainly have open discussion [16:02]
edmondsw: I'm seeking another +2 on https://review.openstack.org/#/c/482359/ [16:02]
edmondsw: pretty bad bug we introduced in pike with our policy changes [16:03]
lbragstad: yeah - we should get that into pike for sure [16:03]
lbragstad: (no release note needed) [16:04]
edmondsw: right... it worked before, and it will work again once we get this change merged [16:04]
lbragstad: something else i wanted to run by the group before I start working on it [16:05]
lbragstad: #link https://review.openstack.org/#/c/464763/ [16:05]
lbragstad: ^ so that's the specification for global roles [16:05]
*** felipemonteiro has joined #openstack-meeting-cp [16:05]
lbragstad: which i have a wip implementation up for [16:05]
*** rarcea has quit IRC [16:05]
lbragstad: and this question is an implementation detail, but how do we want to denote global scope in the request for a token? [16:06]
lbragstad: anyone have ideas there? [16:06]
*** felipemonteiro_ has joined #openstack-meeting-cp [16:07]
lbragstad: cc morgan ^ [16:07]
edmondsw: "scope": {"global": True} ? [16:07]
morgan: hm [16:07]
morgan: i don't know if we need to do that [16:07]
lbragstad: edmondsw: yeah - that's what samueldmq said too https://review.openstack.org/#/c/464763/15/specs/keystone/backlog/global-roles.rst [16:07]
morgan: but i'm fine with it [16:07]
edmondsw: morgan why wouldn't we need to? [16:07]
morgan: do we explicitly say we will always have a scope block? [16:07]
morgan: if we don't, we could just omit the scope block [16:07]
edmondsw: morgan no, can't do that... there is a difference between globally-scoped and unscoped [16:08]
morgan: or empty scope = global [16:08]
morgan: no roles = unscoped [16:08]
edmondsw: ? [16:08]
lbragstad: no global roles == unscoped? [16:08]
edmondsw: you don't specify roles on a token request [16:08]
morgan: wait for in the request? [16:08]
morgan: oh wait i was thinking in the response [16:09]
lbragstad: morgan: yeah the request [16:09]
morgan: sure we can do global = true [16:09]
morgan: not a huge fan of it, but i can [16:09]
morgan: 't think of a better way [16:09]
edmondsw: same here [16:09]
lbragstad: yeah - i couldn't really either [16:09]
lbragstad: and samueldmq said the same thing [16:09]
lbragstad: it's also pretty consistent with scoping to a domain or project [16:10]
morgan: hm. [16:10]
morgan: i don't like it needing to be explicitly "true" [16:10]
lbragstad: morgan: would you prefer "scope": "global" ? [16:10]
morgan: what happens if you scope: {project: xxxxx, global: true} [16:10]
edmondsw: "scope": {"type": "global"} ? [16:10]
morgan: edmondsw: that would be better [16:10]
lbragstad: morgan: i would say that is a 4XX [16:11]
edmondsw: lbragstad +1 [16:11]
*** felipemonteiro has quit IRC [16:11]
morgan: actually that more accurately dictates what i want to implement in a more generic auth route [16:11]
lbragstad: that'd be like scoping to a project and a domain at the same time [16:11]
morgan: s/dictates/mirrors [16:11]
morgan: lbragstad: ^ what edmondsw suggested looks way better [16:11]
morgan: type: "global" [16:11]
lbragstad: morgan: ok - so how would we convert that to support projects and domain? [16:12]
lbragstad: you'd have to supply an ID with it [16:12]
morgan: we could support type: project, id: XXXX [16:12]
edmondsw: lbragstad I'm not following [16:12]
edmondsw: just leave projects and domains as they are [16:12]
morgan: but we wouldn't change anything for project/domain scoping today [16:12]
lbragstad: morgan: yeah - project would require another field in the request for the id [16:12]
edmondsw: i.e., type isn't required for them [16:12]
morgan: edmondsw: ++ [16:12]
lbragstad: right [16:12]
morgan: if we do an iteration on auth to move it to /auth (See backlog) we can make type required there [16:13]
lbragstad: it would be a little weird to have the inconsistency - but i do see the reason for it [16:13]
edmondsw: oh, are we talking about the response now? [16:13]
lbragstad: i'm still focused on the request [16:13]
morgan: lbragstad: we could support both mechanisms [16:13]
morgan: and i'd just support it [16:13]
edmondsw: so yeah, no changes to project or domain-scoped requests, I think [16:13]
morgan: type: "project", id: XXX [16:13]
morgan: would be trivial to add it [16:13]
morgan: but not needed [16:13]
* lbragstad grabs an etherpad [16:14]
morgan: we would continue to support "project: id-xxxxx" [16:14]
lbragstad: #link https://etherpad.openstack.org/p/keystone-global-roles-scratchpaper [16:14]
edmondsw: if you did want to support type: "project" on /auth, you'd still need a project: {} block, not just an id, so it could be a name and domain name, etc. [16:14]
edmondsw: as it is today [16:14]
morgan: lbragstad: so, i think we always accept type [16:16]
morgan: but it's optional for project/domain, [16:16]
morgan: ? [16:16]
morgan: *shrug* [16:16]
edmondsw: yep [16:16]
lbragstad: ok - so the top three are already implemented [16:17]
lbragstad: and we have to support those [16:17]
morgan: really? we support "scoped": "unscoped"?! [16:18]
morgan: *sigh* [16:18]
lbragstad: yeah.... [16:18]
morgan: wow that is terrible [16:18]
edmondsw: ugh [16:18]
morgan: what the hell. [16:18]
edmondsw: I thought unscoped was just not specifying the scope block [16:18]
morgan: when did that creep in? [16:18]
lbragstad: a long time ago [16:18]
lbragstad: i spent a day trying to figure it out [16:18]
edmondsw: can you also just not specify the scope block? [16:18]
lbragstad: edmondsw: right [16:18]
edmondsw: ok, I didn't imagine that, at least [16:19]
morgan: ok so we could do "scope": "global" [16:19]
lbragstad: edmondsw: but not if the user has a default project and a role on that default project [16:19]
morgan: *sobs" [16:19]
edmondsw: oh, default projects... ugh... [16:19]
edmondsw: that's a v2 thing, right? So we can get rid of it soon? [16:19]
morgan: yeah default projects should have died [16:19]
morgan: no [16:19]
morgan: it's also in v3 [16:19]
edmondsw: boo [16:19]
lbragstad: well - kind of [16:19]
morgan: yeah.. let's just... pretend it isn't [16:19]
morgan: for now [16:19]
lbragstad: it's in v3 enough to be a pain [16:19]
edmondsw: lol [16:19]
lbragstad: it's kinda there but not really... [16:19]
lbragstad: it certainly wasn't a clean break [16:20]
edmondsw: keystone v4! with new auth! ;) [16:20]
morgan: edmondsw: actually [16:20]
morgan: v4, no auth in /v4 [16:20]
lbragstad: let's do it [16:20]
edmondsw: morgan that was just to get your reaction :P [16:20]
morgan: and i'm being serious [16:20]
lbragstad: edmondsw: we're already sold on it [16:20]
edmondsw: yeah, I know [16:21]
lbragstad: morgan: i have a post it on my monitor to try and write up what we discussed in atlanta [16:21]
morgan: yeah [16:21]
edmondsw: I guess default projects aren't really part of the auth API, so they could go away in v4? [16:21]
morgan: edmondsw: no, they could be removed in a new auth version [16:22]
* edmondsw thinks this is more like a keystone meeting than a policy meeting [16:22]
morgan: anyway [16:22]
morgan: there isn't much in policy atm to talk about [16:22]
morgan: anyway [16:22]
lbragstad: since it's a major revision - it could go away [16:22]
lbragstad: yeah - this is helpful, i mostly wanted to try and figure out what it would look like for requesting a global token [16:22]
morgan: so let's *not* do scope: global [16:23]
morgan: let's do scope { type: global } [16:23]
morgan: it is *more* consistent [16:23]
lbragstad: if we went the type route eventually - we would need to port the existing project and domain scoping to it [16:23]
morgan: trivial to do so [16:24]
morgan: type supersedes non-specified project block [16:24]
edmondsw: if we have "scope": "unscoped" should we just have "scope": "global" instead of "scope": {"type": "global"} ? [16:24]
morgan: allowing scope { type: project, project: {id: xxx}, domain: {id: yyy}} [16:24]
morgan: and we would support type: unscoped [16:25]
morgan: oh fff. [16:25]
morgan: this is not discoverable [16:25]
morgan: *sigh* [16:25]
morgan: edmondsw: i would prefer to add support for type: unscoped [16:25]
morgan: than more non-dict forms of the scope-key [16:25]
edmondsw: morgan fine by me [16:25]
edmondsw: yeah [16:26]
* morgan notes we need to make this discoverable [16:26]
morgan: but that is a separate issue. [16:26]
edmondsw: morgan now you have me concerned about how we make this discoverable... [16:26]
lbragstad: morgan: which part specifically isn't discoverable? [16:26]
edmondsw: lbragstad that keystone supports global scoping [16:27]
morgan: ^^ [16:27]
lbragstad: bah [16:27]
lbragstad: we need a GET /auth/scopes [16:27]
lbragstad: endpoint [16:27]
* morgan grabs laptop to wire up /auth as soon as tests for new-filesystem catalog are done [16:27]
morgan: lbragstad: /auth/ having info for this is probably a good place to start. [16:28]
lbragstad: the first step for making this discoverable would be allowing keystone to answer "what scopes do you support?" [16:29]
lbragstad: right? [16:29]
morgan: yeah [16:29]
morgan: and i don't want to add that to /v3/auth if that makes sense [16:29]
morgan: i mean we can... but i think /v3/auth doesn't actually do anything interesting with a GET right now [16:30]
morgan: and no token [16:30]
morgan: so, i don't want to change that behavior [16:30]
*** blancos_ has joined #openstack-meeting-cp [16:31]
lbragstad: yeah - that's fine [16:31]
lbragstad: this feels like something we could do with versionless auth [16:32]
lbragstad: or at least start fresh with [16:32]
morgan: yeah [16:32]
lbragstad: morgan: https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/auth/core.py#L231-L244 [16:32]
morgan: yeah. [16:32]
lbragstad: morgan: some of the `unscoped` bits bled into https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/auth/schema.py#L56-L61 [16:33]
morgan: yep [16:34]
lbragstad: but - that issue pre-existed our jsonschema validation [16:34]
*** david-lyle has quit IRC [16:34]
lbragstad: which was done in 2014 [16:34]
lbragstad: it's been there a while [16:34]
morgan: yah [16:34]
morgan: anyway [16:34]
lbragstad: ok - so in summary [16:35]
lbragstad: it sounds like if we do global roles and want to scope globally [16:36]
lbragstad: we can do so with "scope": {"type": "global"} [16:36]
lbragstad: which would be inconsistent with the rest of how scope is done [16:36]
lbragstad: but it would be consistent if/when we do versionless auth [16:36]
lbragstad: or - we could do "scope": {"global": "true"} to be more consistent with project and domain scoping [16:38]
*** zhipeng has quit IRC [16:39]
*** zhipeng has joined #openstack-meeting-cp [16:39]
morgan: sure. but i don't think a different key matters [16:40]
morgan: in this case [16:40]
morgan: most consistent with current would be "scope": "global" [16:40]
morgan: as much as i hate it [16:40]
lbragstad: ok - so [16:40]
lbragstad: 1.) "scope": {"type": "global"} [16:40]
morgan: and that is just because of prior art for unscoped [16:41]
*** blancos_ has quit IRC [16:41]
lbragstad: 2.) "scope": {"global": "true"} [16:41]
*** zhipeng has quit IRC [16:41]
lbragstad: 3.) "scope": "global" [16:41]
*** blancos_ has joined #openstack-meeting-cp [16:41]
lbragstad: 3 would be the most consistent given the warts with "unscoped" [16:41]
morgan: 4<snark>.) "scope": {"global": {"yes_really": True}} [16:41]
lbragstad: ++ [16:42]
morgan: correct, 3 is most consistent with v3 auth [16:42]
morgan: 2. is most consistent with other "scoped" operations [16:42]
lbragstad: 2 isn't as bad and still offers consistency with project and domain scoping [16:42]
morgan: 1 is the best overall option, but is most inconsistent with v3 auth [16:42]
lbragstad: but the "global": "true" part doesn't really make much sense [16:42]
morgan: so, i vote either 1 or 3 [16:43]
morgan: i don't like 2 at all [16:43]
*** blancos_ has quit IRC [16:43]
lbragstad: ok [16:43]
* lbragstad votes for #4 [16:43]
lbragstad: i can detail both options in the spec [16:43]
*** blancos_ has joined #openstack-meeting-cp [16:43]
morgan: wfm [16:43]
lbragstad: cool - i think that's all I had for open discussion [16:44]
lbragstad: anyone have anything else? [16:44]
lbragstad: alright - looks like we'll get some time back [16:45]
lbragstad: thanks all [16:45]
lbragstad: #endmeeting [16:45]
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings" [16:45]
openstack: Meeting ended Wed Jul 19 16:45:58 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [16:46]
openstack: Minutes:        http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-07-19-16.00.html [16:46]
openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-07-19-16.00.txt [16:46]
*** blancos_ has quit IRC [16:46]
openstack: Log:            http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-07-19-16.00.log.html [16:46]