17:03:25 <thinrichs> #startmeeting CongressTeamMeeting
17:03:26 <openstack> Meeting started Tue May 27 17:03:25 2014 UTC and is due to finish in 60 minutes. The chair is thinrichs. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:27 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:29 <openstack> The meeting name has been set to 'congressteammeeting'
17:03:49 <skn_> It's weird. I used launchpad to create the id
17:04:22 <thinrichs> skn_: I don’t know how to get your name to show up on review.openstack as a potential reviewer.
17:04:34 <thinrichs> If anyone knows a quick-fix, let us know. Otherwise we’ll do that offline.
17:04:57 <skn_> Yup. Let me know too.
17:05:15 <thinrichs> Let’s do our usual thing of going over action items from last week, briefly.
17:05:24 <thinrichs> sarob: are you here?
17:05:39 <iben> he's not signed on now
17:05:39 <thinrichs> Hmm.. doesn’t look like it. Let’s hope he joins later.
17:05:57 <thinrichs> We had a couple of new use cases that were supposed to go up on the wiki.
17:06:04 <thinrichs> skn_: how’d you do with yours?
17:06:44 <skn_> I have some write up, but I’ll have to first figure out where to put
17:06:52 <banix> is there a link?
17:06:53 <skn_> where to put it, i mean
17:07:04 <thinrichs> https://wiki.openstack.org/wiki/Congress#Use_Cases
17:07:09 <skn_> Oh ok
17:07:19 <thinrichs> We have a list with brief descriptions at the URL.
17:07:19 <banix> thinrichs: thanks
17:07:29 <skn_> But these are like one liners
17:07:48 <thinrichs> banix (and all other newcomers): the wiki *should* have links to all the resources. So that’s the one-stop shop.
17:07:50 <skn_> I thought we’d have a lil more descriptive
17:08:07 <thinrichs> skn_: We don’t yet have a doc with longer descriptions. Want to start one?
17:08:19 <skn_> Hi banix, what’s your name?
17:08:32 <skn_> I think so, we should have a doc
17:08:39 <banix> Mohammad Banikazemi
17:08:56 <banix> skn_: Hi ^^^
17:09:15 <thinrichs> skn: sounds good. Can we use your writeup to seed that doc?
17:09:22 <thinrichs> pballand: where should we host the doc?
17:09:24 <skn_> Yes, I will
17:09:52 <pballand> thinrichs: doc for use cases?
17:09:53 <skn_> Hi Mohammad. Are you from IBM, who presented the neutron group policy?
17:09:57 <thinrichs> pballand: yes
17:10:07 <banix> we use google docs
17:10:15 <banix> skn_: Yes that’s me :)
17:10:23 <pballand> I’d go with google docs, or in the repo
17:10:38 <sarob_> Halo
17:10:44 <skn_> Oh, cool. This is Susanta from Symantec. We chatted a lil bit after your talk at OpenStack, remember?
17:10:52 <skn_> Hey sarob
17:10:59 <pballand> if we don’t expect many comments, checking them in near the specs sounds good to me
17:11:08 <sarob_> Yup
17:11:08 <thinrichs> sarob: glad you could make it.
17:11:11 <banix> skn_: Ahhh yes. great to see you here :)
17:11:35 <skn_> Good to see all you guys made it today
17:11:40 <thinrichs> sarob: we were just discussing the use case writeups we talked about last week.
17:11:52 <sarob_> Board stuff bleeding over
17:11:56 <thinrichs> sarob: We’re going to either put them in the repo or on a google doc. Sound good?
17:12:02 <sarob_> Got it
17:12:07 <sarob_> Yup
17:12:21 <skn_> So we create a google doc for the use cases and put it where?
17:12:27 <pballand> does anyone have any preference?
17:12:49 <thinrichs> A google doc might make it easier for non-coders to add use cases.
17:13:03 <thinrichs> I’m leaning toward a google doc.
17:13:13 <skn_> Maybe we can just link it from those one liners in Congress wiki
17:13:22 <thinrichs> skn: yep.
17:13:33 <pballand> https://docs.google.com/document/d/1ExDmT06vDZjzOPePYBqojMRfXodvsk0R8nRkX-zrkSw/edit?usp=sharing
17:13:34 <sarob_> Gdoc will be easier for the non git gerrit people
17:13:40 <rajdeep> google docs is easier unless the doc becomes large
17:13:49 <rajdeep> or we need to maintain history
17:14:00 <pballand> I’ll link from the wiki
17:14:04 <thinrichs> pballand: no need for even an action item for that, it seems. Nice. :)
17:14:49 <skn_> Thanks pballand
17:15:00 <thinrichs> skn_: when you copy your description in there, let us all know so we can take a look.
17:15:10 <thinrichs> sarob: any progress on your use case?
17:15:18 <skn_> We should have at least one paragraph for each of the use cases
17:15:48 <skn_> sarob: I have something written, I’ll try to clean it up and put it in the doc today or tomorrow when I get time
17:16:11 <sarob_> No sorry. I was slammed last week
17:16:28 <sarob_> I have some time today
17:16:39 <thinrichs> sarob: no worries. Let us know if we can help.
17:17:03 <sarob_> I'll post to the gdoc for collaboration and such
17:17:17 <thinrichs> sarob: sounds good.
17:17:50 <thinrichs> Especially for you newcomers, if you have use cases you’re interested in, put them in the doc and drop us a note so we can take a look.
17:17:57 <skn_> pballand: is the gdoc open to edit for everyone?
17:18:22 <pballand> it should be editable by anyone with the link
17:18:30 <thinrichs> I just edited it.
17:18:35 <sjcazzol> good, we are developing some new scenarios that could be addressed
17:18:37 <pballand> I can lock it down to emails I have
17:18:51 <thinrichs> sjcazzol: great! Love to see them.
17:18:57 <thinrichs> pballand: let’s leave it open to the world.
17:19:18 <iben> How many use cases are we shooting for to start with?
17:19:30 <iben> will they be prioritized based on effort?
17:19:35 <banix> yeah open to the world will be better
17:19:36 <thinrichs> iben: I think we want to know what people are interested in and then yes, prioritized.
17:20:04 <iben> would security be one <— as an example?
17:20:08 <thinrichs> iben: meant to say we’ll prioritize them
17:20:22 <thinrichs> iben: I think we’d want something more specific than “security”.
17:20:25 <skn_> iben: Yes, I am working on a security use case
17:20:35 <skn_> IDS use case
17:20:35 <thinrichs> What data sources are needed? What’s the concrete policy? Etc.
17:20:46 <iben> sure - of course - but as a general category - okay - gotcha!
17:21:04 <pballand> iben: we would like to highlight cross-component uses
17:22:25 <skn_> I think we’ll need some discussion on the policy caching etc, after we make some progress with the use cases
17:23:13 <thinrichs> There’s for sure lots to discuss.
17:23:25 <sarob_> Acls being applied as set will be critical
17:23:42 <thinrichs> We are hoping to get an alpha release out in the next couple of weeks. People are starting to ask for it.
17:24:27 <skn_> Can't folks just download from the stackforge?
17:24:30 <thinrichs> sarob: good to know. Let’s get it up on that google doc so we can start prioritizing dev effort.
17:24:43 <thinrichs> skn: They can get the code, but they won’t be able to do much with it right now.
17:24:55 <thinrichs> The policy engine and data sources don’t talk to each other.
17:25:16 <thinrichs> I’m working on that currently. I’m hoping to have significant time this week to devote.
17:25:22 <thinrichs> But I’ve also got jury duty. Fun.
17:25:26 <skn_> thinrichs: Oh, ok, got it. Do we have a readme there?
17:25:54 <thinrichs> The file is there, but I doubt it says anything interesting since the code isn’t yet functional.
17:26:02 <skn_> I see
17:26:29 <thinrichs> I forgot to record action items for sarob and skn_.
17:26:45 <thinrichs> #action sarob, skn_ will put their use cases on the use case google doc linked from the wiki
17:26:56 <sjcazzol> thinrichs: which are the main features that are missing for the alpha?
17:27:03 <thinrichs> #action thinrichs will continue working on policy/datasource integration
17:27:06 <skn_> Is it already linked from wiki?
17:27:14 <pballand> skn_: yes
17:27:17 <thinrichs> sjcazzol: mainly the integration I mentioned and the API implementation
17:27:28 <thinrichs> pballand is working on the API
17:27:47 <thinrichs> I’m hoping to have something in review by end of week.
17:27:47 <sjcazzol> thinrichs: ok, nice
17:27:48 <skn_> pballand: where is the link in the wiki?
17:28:13 <thinrichs> pballand: an eta on the API?
17:28:22 <thinrichs> skn: refresh your web page and you’ll see it at the top.
17:28:29 <pballand> skn_: search for “use cases”
17:29:15 <skn_> pballand: https://wiki.openstack.org/wiki/Congress#Use_Cases is where I am looking at, but I don't see the link
17:29:16 <pballand> thinrichs: I keep hoping for some serious time to devote - at the risk of sounding like a broken record, I think this week is reasonable
17:29:52 <thinrichs> kudva, who I don’t see here today, is also working on adding builtins to the policy language.
17:30:09 <thinrichs> Builtins are things like addition, subtraction, string manipulation.
17:30:34 <thinrichs> Builtins aren’t strictly necessary for the alpha, but it would be nice to have them.
17:31:31 <thinrichs> rajdeep: are you still here? I saw you signed off.
17:31:36 <rajdeep_> yes
17:31:38 <pballand> skn_: I had linked at the top, but added a link to that section as well
17:31:42 <rajdeep_> i am there
17:31:59 <thinrichs> I saw your unit tests for Nova were merged.
17:32:05 <skn_> pballand: Thanks! Now I see it :)
17:32:18 <rajdeep_> thanks - those were first set of test cases
17:32:33 <thinrichs> Newcomers: rajdeep has been working on writing thin wrappers around Nova/Neutron so that we can write policy over the data they expose.
17:32:36 <rajdeep_> which test conversion of dictionary into tuples
17:33:10 <banix> rajdeep_: nice
17:33:35 <kudva> Hi Kudva joining, sorry for the delay
17:33:36 <rajdeep_> it will be great to take a look at the drivers for neutron and nova and provide feedback on amount of data coming in
17:33:41 <sjcazzol> rajdeep_: great
17:34:01 <thinrichs> kudva: glad you could join us.
17:34:11 <sjcazzol> rajdeep_: are you targeting other components too?
17:34:31 <rajdeep_> yes once i have the unit tests completed
17:34:40 <rajdeep_> nova and neutron were critical which are done
17:34:47 <rajdeep_> next is cinder and keystone
17:35:00 <thinrichs> sjcazzol: any components you’re specifically interested in?
17:35:03 <rajdeep_> - we should prioritize
17:35:12 <thinrichs> We were focused on integrating those necessary for one of our use cases.
17:35:18 <sjcazzol> thinrichs: for now just nova
17:35:40 <skn_> thinrichs, rajdeep: is the wrapper for enforcement of the policies?
17:35:46 <sjcazzol> thinrichs: but we are waiting for new scenarios
17:35:49 <skn_> or both?
17:36:17 <rajdeep_> enforcement is the next step ..
17:36:19 <thinrichs> sjcazzol, rajdeep: Maybe you and rajdeep should connect offline to check that we have enough Nova support to handle what you need. I don’t believe we have full Nova integration.
17:36:50 <sjcazzol> thinrichs: perfect
17:37:00 <rajdeep_> sjcazzol you can send me email at rajdeepd at vmware.com
17:37:15 <thinrichs> skn: I didn’t understand your question
17:37:15 <sjcazzol> rajdeep_: ok, I'll do
17:37:50 <skn_> thinrichs: the nova/neutron wrapper is meant to enforce the policy?
17:38:16 <iben> i would expect a policy wrapper to be like able to log or enforce
17:38:31 <iben> there should be a learning mode option
17:38:35 <iben> and an enforcement option
17:38:40 <thinrichs> The datasource wrapper just makes Nova/Neutron data look like it’s represented as tables.
17:38:51 <thinrichs> Eventually the datasource wrapper will also execute API calls on Nova/Neutron.
17:39:17 <thinrichs> But the policy engine is responsible for monitoring policy and choosing which API calls to execute (i.e. how to enforce policy).
17:39:29 <banix> sorry if this question is not relevant; ignore if that is the case: Is a policy like “all passwords in servers of this group need to be at least this long” something being considered?
17:39:35 <skn_> thinrichs: that’s what i wanted to know. So, currently it's only about modifying the data so that can be ingested by Congress data source
17:39:47 <thinrichs> skn: yes.
17:39:53 <skn_> Got it, thanks.
17:40:09 <thinrichs> banix: that’s possible to express/enforce IF there are datasources that allow Congress to do it.
17:40:29 <thinrichs> Say we have an ActiveDirectory integration that exposes the min-length for passwords.
17:40:46 <thinrichs> Then we could write policy in Congress saying what the min-length must be.
17:41:02 <banix> thinrichs: sure. makes sense.
17:41:44 <thinrichs> iben: what did you mean by “learning mode”
17:41:46 <thinrichs> ?
17:41:58 <skn_> thinrichs: So this wrapper will eventually be responsible for making API calls into Nova/Neutron?
17:42:00 <iben> never mind - you guys answered it
17:42:12 <thinrichs> Great.
17:42:13 <iben> the existing functions will need to be wrapped
17:42:27 <iben> this wrapped data goes into a policy engine
17:42:34 <iben> where rules can be run
17:42:43 <iben> these rules can do various things
17:42:59 <thinrichs> iben: sounds like we’re on the same page.
17:43:02 <iben> learning or analytics is one of the actions
17:43:09 <pballand> Congress needs to both get data from the components in a standard form (tables) _and_ can work with the components to enforce policy. We are focused on the first part (which enables monitoring/logging) initially
17:43:14 <iben> but of course policy enforcement would be possible too
17:43:58 <skn_> iben: by learning you mean monitoring?
17:44:30 <thinrichs> We’re planning to look into pushing policy down to other policy-aware components (like Neutron’s GBP) so that enforcement is done more proactively.
17:44:32 <sjcazzol> pballand: do you plan to add policies enforcement for the beta?
17:45:18 <iben> i'm just thinking of a simple firewall use case - it's important not to disrupt existing traffic patterns so many vendors offer a learning mode or discover period where the sample initial rule sets get created
17:45:33 <iben> then you can decide to enable these auto generated rules (or policies)
17:46:02 <pballand> sjcazzol: I don’t know when we will tag ‘beta’, but I do envision some enforcement support coming shortly after monitoring is working
17:46:04 <skn_> iben: got it
17:46:04 <iben> the rules can be enabled in blocking (enforcing) mode or in logging only - watching
17:46:29 <thinrichs> iben: we’re definitely not aiming to auto-generate policy.
17:46:31 <sjcazzol> pballand: ok, thanks
17:46:38 <thinrichs> logging-only makes sense for sure.
17:46:40 <iben> this allows us to experiment and see the results of any policy changes without impacting production traffic.
17:46:51 <banix> iben: well i guess that could happen in parallel with what congress does
17:47:03 <banix> what thinrichs said
17:47:15 <thinrichs> But no auto-gen b/c unlike a firewall Congress doesn’t know much about the services it is monitoring.
17:47:20 <iben> coolio! this is really great.
17:47:24 <pballand> iben: your example makes sense, but in some cases monitoring (logging) will be the final desired action (not a compromise)
17:48:00 <thinrichs> We’re sensitive to customers not trusting basically anything for a while, and trying to slowly earn their trust over time.
17:48:20 <thinrichs> Before we run out of time, let’s get to an update from kudva too.
17:48:25 <thinrichs> kudva: how are the builtins progressing?
17:48:26 <rajdeep_> you could write a driver for firewall - which could convert congress actions into firewall configuration
17:48:47 <kudva> I tried to push into gerrit.
17:49:07 <thinrichs> Did it work?
17:49:14 <thinrichs> I didn’t see a request for review for me.
17:49:24 <kudva> seems to have. I created a new branch. I have tested the builtin directory code itself. That is working fine
17:49:43 <kudva> Let me try again then. I pushed on Saturday, and got an email saying jenkins test failed.
17:50:01 <thinrichs> Don’t worry about the Jenkins test for now.
17:50:11 <skn_> rajdeep_: agreed. That’s the right way, because Congress should not try to understand the concepts like firewalling, or for that matter anything else
17:50:25 <kudva> The runtime.py with Tim's recommended changes was also pushed, but all my code was commented out. I need some feedback on that section
17:50:25 <thinrichs> Add at least me as a reviewer (Tim Hinrichs), and we can iterate.
17:51:16 <kudva> okay, will do that. The builtin directory that manages the objects for the builtin are testing. The hook to runtime.py is about 10-20 lines of code which I need some help with since
17:51:27 <kudva> I am not completely clear on the TopDownTheory data structure
17:51:37 <kudva> So, I will push again
17:51:47 <thinrichs> kudva: I’ll definitely help out.
17:51:50 <kudva> Wondering how I can have review on the runtime.py code
17:51:52 <kudva> irc?
17:51:55 <banix> kudva: do you have a link from your push?
17:52:33 <kudva> http://logs.openstack.org/40/95340/1/check/gate-congress-pep8/178c99b
17:52:47 <kudva> http://logs.openstack.org/40/95340/1/check/gate-congress-python27/7a3e74c
17:53:21 <banix> #link https://review.openstack.org/#/c/95340/
17:53:23 <kudva> the first link says failure, the second one says success
17:53:51 <thinrichs> kudva: there’s probably just some formatting that needs fixing.
17:53:56 <rajdeep_> you need to fix the pep warnings
17:54:01 <banix> kudva: no worries; mainly white space you need to clean up.
17:54:05 <rajdeep_> white spaces etc
17:54:20 <thinrichs> You can add me as a reviewer by typing in Tim Hinrichs next to the button “Add Reviewer”
17:54:24 <banix> kudva: https://review.openstack.org/#/c/95340/1/congress/builtin/congressbuiltin.py
17:55:12 <kudva> got it, will clean up and push again
17:55:17 <thinrichs> I’ll write comments, and you should get an email saying that I’ve posted those comments.
17:55:33 <thinrichs> I think that covers all our action items from last week.
17:55:40 <thinrichs> Let’s open it up for discussion.
17:55:43 <kudva> okay, great thanks
17:55:45 <thinrichs> #topic open discussion
17:56:41 <thinrichs> If no one has anything specific, maybe the newcomers can tell us why they’re interested in Congress.
17:57:01 <sjcazzol> thinrichs: ok
17:57:28 <banix> Let me say a few words: The Neutron group policy is getting to a point that we may have some code merged this cycle
17:57:28 <skn_> BTW, it would be nice if the newcomers can tell their names too
17:57:28 <sjcazzol> we are working on a POC to add SLA to openstack
17:57:46 <sjcazzol> Sergio Cazzolato
17:57:56 <banix> would be great to see how it can get used by other policy engines like Congress
17:57:56 <sjcazzol> I work at Intel
17:58:08 <skn_> sjcazzol: Awesome
17:58:30 <iben> I've heard a lot about the need for policy to enable standard security practices across a disparate infrastructure. <— Iben Rodriguez - cloud security architect - leveraging my background in vmware environments to bring openstack to the enterprise
17:58:34 <skn_> SLA for availability or performance?
17:58:47 <thinrichs> banix: That’s been on our agenda for a long while.
17:58:57 <sjcazzol> SLA for both
17:59:13 <sjcazzol> also we are considering other scenarios
17:59:25 <thinrichs> sjcazzol: SLAs sound interesting. I’m looking forward to the details for your use cases.
17:59:26 <banix> thinrichs: yes looks like we may be getting closer to the goal :)
17:59:27 <skn_> Got to leave, running out of time. Thanks folks
17:59:37 <thinrichs> skn: thanks!
17:59:46 <iben> bye everyone!
17:59:47 <sjcazzol> thanks folks
17:59:49 <thinrichs> iben: cool—glad to have you.
18:00:13 <thinrichs> And yes it seems we’re out of time. Follow up to the ML if it can’t wait til next week!
18:00:19 <thinrichs> Thanks all!
18:00:19 <banix> bye everybody
18:00:22 <thinrichs> #endmeeting