17:58:18 <heckj> #startmeeting Keystone
17:58:19 <openstack> Meeting started Tue Sep  4 17:58:18 2012 UTC.  The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:58:20 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:58:21 <openstack> The meeting name has been set to 'keystone'
17:58:43 <heckj> ola all
17:58:59 <heckj> Hope y'all had a good holiday weekend (if you're in the US)
17:59:14 <ayoung> O/
17:59:48 <ayoung> gyee, you want to come talk Domains?
17:59:58 <gyee> \o
18:00:25 <gyee> ayoung, I am going to stash the stuff in the v3 feature branch
18:00:27 <heckj> no other burning topics unless there's new hot and heavy bugs
18:00:58 <gyee> anyone familiar with swift filter?
18:01:06 <ayoung> heckj, I'm going to try and sqeak the DB revert in
18:01:17 <heckj> DB revert?
18:01:26 <heckj> (haven't looked at reviews since last thursday)
18:01:29 <ayoung> heckj, for tokens
18:01:37 <ayoung> nah just sent it to the mailing list
18:01:51 <ayoung> dropping the body of the PKI tokens from the backing store
18:02:00 <ayoung> id_hash becomes id once again
18:02:27 <dolphm> ayoung: i was hoping we could just delete the most recent migration file, but it looks like token revocation landed a migration after #2
18:02:55 <ayoung> dolphm, yeah...we''ll just do it as an addtional migration, and then compact in the grizzly timeframe
18:03:04 * heckj nods
18:03:12 <dolphm> compact?
18:03:24 <ayoung> dolphm, merge all of the migrations into one
18:03:45 <ayoung> that should read "piost grizzly timeframe" probably
18:03:46 <dolphm> that's not really what i was thinking (not sure why you'd want to do that?)
18:03:47 <ayoung> post
18:03:51 * ayoung can't type
18:04:08 <dolphm> i was just thinking if we created and reverted a migration within a milestone, we might as well not have it
18:04:16 <dolphm> i don't know if this counts
18:04:43 <ayoung> dolphm, well, it is more developer friendly to keep moving forward.  I'm OK with hacking it out.  We can make the migration into a no-op if you would prefer
18:04:54 <ayoung> heckj, any opinion
18:05:53 <heckj> I'm OK with it either way - my gut would be to leave it in, we'll acrue more migrations over time
18:05:53 <dolphm> migrations #2 and #3 both occurred within m3, correct?
18:08:06 <ayoung> dolphm, you mean that there would be no one with a v2 DB?  Yes, that is correct
18:09:15 <ayoung> Anyway...we can work out the detail on that in the review...I'll move forward with it.
18:09:24 <heckj> sounds good
18:09:26 <ayoung> gyee, you wanted to talk swift filter?
18:09:41 <heckj> #topic open discussion
18:09:53 <ayoung> is that due to https://review.openstack.org/#/c/12356/
18:09:55 <gyee> yeah, looking at the code, doesn't appear <tenantId>:<userId> is supported
18:09:59 <gyee> crossed-tenant
18:10:02 <dolphm> ayoung: i'm not too worried, i just know people's token tables can be huge... so rewriting the migration history doesn't seem like a horrible idea to me
18:11:01 <dolphm> (if we have a safe chance to do so)
18:12:13 <ayoung> gyee, never looked at swift
18:12:40 <gyee> that's fine, the code is the truth anyway :)
18:13:14 <ayoung> gyee, where are we WRT Domains?  And,  does it play well with the Kent proposal for Federation?
18:14:25 <gyee> I haven't look at the Federation proposal
18:15:29 <ayoung> gyee, If I understand it correctly, it should mean something along the lines of  "allow these domains"  and Keystone doesn't then track individual users
18:15:47 <ayoung> Complete delegation to, say, oauth or some other provider
18:16:37 <ayoung> I'd see a need for both a traditional Keystone and Federation working together, and I suspect the right dividing line would be along Domain boundaries
18:17:45 <ayoung> gyee, you were waiting on something from the V3  impl.  What was that?
18:17:57 <gyee> that pretty much means all resources must be contained in a domain :)
18:18:03 <gyee> I am all for it!
18:18:49 <ayoung> gyee, I am sure you are...the question is whether it works with the Federation proposal...I was hoping you could vett...
18:18:51 <gyee> ayoung, the RBAC code, I think Dolph took care of it
18:19:10 <ayoung> dolphm, is that in, or does it need review?
18:19:45 <ayoung> https://review.openstack.org/#/c/12184/
18:21:02 <heckj> I think it still needs approvals to get merged into the feature branch
18:21:12 <dolphm> ayoung: gyee: it's proposed, but the review itself is dependent on a sequence
18:21:44 <ayoung> dolphm, should we do a deliberate walkthrough of the sequence at some point?
18:21:59 <ayoung> I have to admit I have only vague notions as far as the details of the V2 api
18:21:59 <heckj> dolphm: I haven't reviewed the dependent ones - will work on that today
18:22:08 <gyee> same here
18:22:16 <dolphm> https://review.openstack.org/#/c/12058/ <-- it all starts here
18:22:26 <dolphm> and i agree 100% with jay's points -- plan on addressing them today
18:22:47 <dolphm> although, we have no i18n, so can't do much about that
18:24:42 <gyee> i18n would be awesome to have in OpenStack common
18:25:24 <ayoung> gyee, be careful what you wish for.
18:25:30 <gyee> ayoung, there was also a Federation proposal by someone in UK, using SAML
18:25:37 <gyee> we are not talking about that one right?
18:25:41 <ayoung> gyee, yeah, that is the kent proposal
18:25:49 <gyee> oh ok
18:25:49 <ayoung> University of Kent,  ac.uk
18:26:11 <dolphm> heckj: P.S. thanks for continuing to PTL
18:26:11 <gyee> that one lacks details
18:26:13 <ayoung> They have put a lot of effort in to it
18:26:23 <ayoung> dolphm, +1 heckj as PTL
18:26:49 <dolphm> heckj: (your lack of a candidacy email up until now was starting to stress me out)
18:27:29 <ayoung> gyee, agreed.  They are sponsoring a conference this week, but they will have some one attend this meeting in the future.  We'll pick their brains then
18:27:56 <gyee> dolphm, you want to do some eastwooding? :)
18:29:20 <dolphm> gyee: after some quick googling, i'm now caught up on what "eastwooding" is
18:29:39 <dolphm> i'll have to watch the video later :)
18:29:52 <ayoung> Prefer the Betty White version
18:31:17 <ayoung> Anything else burning, or are we done?
18:32:19 <dolphm> oh, i wanted to ask here before i tackled it...
18:32:36 <dolphm> there's a transient unit test failure that's checking for token expiration preservation or something
18:32:44 <heckj> dolphm: ayoung thanks re: PTL - was VERY unplugged this weekend
18:32:45 <ayoung> yeah...off by 1 second
18:32:47 <dolphm> i didn't see a bug / anyone already have a fix?
18:32:59 <heckj> rafting down the rogue river in southern oregon - freakin' fantastic
18:33:09 <dolphm> heckj: /jealous
18:33:32 <ayoung> dolphm, I tried at some point...I think the test needs to chop off the seconds or round up or something
18:33:40 <ayoung> but, no bug
18:34:05 <dolphm> ayoung: i was tempted to cheat too... but that just decreases the likelihood of a failure
18:34:18 <ayoung> nah, the test is broken
18:34:31 <ayoung> the ticket gets issued one second, tested the next
18:34:35 <heckj> might need to override time and have it return known values for that setup
18:34:51 <ayoung> a multi second granularity is safe
18:35:12 <dolphm> if it's the same time or +1 second? type thing?
18:36:32 <ayoung> either that, or grab the time prior to testing to make sure it is the same.   But that will require changing more places.
18:36:37 <ayoung> dolphm, open a ticket for it.
18:37:03 <dolphm> ayoung: will do
18:38:52 <ayoung> Are we good on bug triage?
18:40:53 <dolphm> https://bugs.launchpad.net/keystone/+bug/1045962
18:40:54 <uvirtbot> Launchpad bug 1045962 in keystone "Transient test failure: test_token_expiry_maintained" [Low,Confirmed]
18:41:28 <ayoung> dolphm, I took it.
18:41:31 <dolphm> just one new bug https://bugs.launchpad.net/keystone/+bug/1044032
18:41:32 <uvirtbot> Launchpad bug 1044032 in keystone "Trying to auth with a bad request reply with a KeyError" [Undecided,New]
18:41:40 <dolphm> ayoung: awesome, thanks
18:42:19 <ayoung> dolphm, that last one sounds familiar, too.
18:42:35 <ayoung> I wonder if that was in F3?
18:42:56 <ayoung> RAX-KSKEY
18:43:23 <ayoung> OK...I can take that one, too
18:48:07 <heckj> I think we're pretty wrapped for today - anything else, or should I formally close this out?
18:50:22 <heckj> #endmeeting