#openstack-meeting log

18:00:21 <heckj> #startmeeting keystone
18:00:22 <openstack> Meeting started Tue Nov 13 18:00:21 2012 UTC.  The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:23 <gyee> \o
18:00:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:24 <ayoung> /O/
18:00:25 <openstack> The meeting name has been set to 'keystone'
18:00:25 <heckj> Ola y'all
18:00:39 <dolphm> hola
18:00:46 <dwchadwick> hello
18:00:47 <heckj> Did I catch it correctly that we have a David Chadwick lurking here today?
18:00:50 <heckj> Yeah!!!!
18:00:54 <heckj> #link Agenda: http://wiki.openstack.org/Meetings/KeystoneMeeting
18:00:54 <ayoung> gyee,
18:00:59 <gyee> yo
18:01:00 <dwchadwick> for the first time, yes
18:01:07 <dolphm> dwchadwick: welcome!
18:01:09 <Kristy> hello
18:01:15 <heckj> dwchadwick: glad you could make it
18:01:19 <heckj> Kristy: awesome! Welcome!
18:01:30 <dwchadwick> the full monty today
18:02:12 <heckj> #topic Burning/Exploding/Supernova issues?
18:02:28 <heckj> So, let's get rolling - anything broken or severely on fire that needs immediate attention?
18:02:50 * dolphm readies a fire extenguisher
18:02:59 * dolphm and a crowbar
18:03:37 <heckj> I like the sound of that silence
18:04:13 <heckj> #topic keystoneclient - version, releasin', etc
18:04:36 <ayoung> All quiet on the Western front
18:04:36 <heckj> So we've *just* landed the auth_token bits into keystoneclient with henrynash' work
18:04:51 <heckj> The current released version of keystoneclient is 0.1.3
18:05:17 <heckj> We also dropped in the AccessInfo base pieces, to start allowing authorization to be cached, etc.
18:05:29 <heckj> It's time for a new release there, and a new number
18:05:41 <dolphm> 0.1.3 is ~3 months old!
18:05:44 <heckj> Any qualms with 0.2.0? I'm open to suggestions here
18:05:56 <gyee> keyring after that?
18:06:02 <dolphm> heckj: +1
18:06:20 <ayoung> sounds good
18:06:26 <heckj> gyee: sure - or if we can wrap it up in the next day or so, we can get it in with
18:06:45 <ayoung> keysring  in 2 would be a good feature
18:06:46 <gyee> k
18:06:54 <dolphm> cool
18:06:59 <heckj> ayoung: agreed, and it's close
18:07:05 <henrynash> oops. sorry, was sitting openstack-dev
18:07:29 <heckj> I'll plan on cutting a release of the keystoneclient end of this week (Thursday evening, Fri morning) with whatever we have in there now
18:07:32 <ayoung> henrynash,  we were just suggesting upping the version number in client,  due to your recent work landing there.  we are going to get the keysringh stuff in as well and go 2.0
18:07:45 <ayoung> henrynash, do you have any changes outstanding to get into client before 2.0?
18:07:45 <heckj> (also note that keystoneclient has initial V3 api support in there too)
18:07:54 <henrynash> yes, sounds like a good idea
18:08:10 <dolphm> heckj: keystoneclient vs openstack-manuals -- when can a new version be documented there?
18:08:11 <henrynash> no, client, I think, is done…..
18:08:19 * gyee is going to pull an all nighter on keyring after we agree on the interface
18:08:38 <ayoung> henrynash, did you get all of the cms changes that , for example ,vishy posted late last week?
18:08:44 <henrynash> (side question: just checking we don't need to move ec2, swift middleware to client?)
18:08:55 <henrynash> ayoung: yes
18:08:58 <annegentle_> dolphm: we have a stable/folsom branch cut for openstack-manuals now
18:08:58 <heckj> dolphm: good question - I believe after we release it, we should help get those docs updated
18:09:09 <dolphm> heckj: already documented in openstack manuals master: --os-token / --os-endpoint; pending docs: keyring / auth_token / bootstrap
18:09:30 <heckj> dolphm: then yeah - just after release
18:09:47 <heckj> ayoung: what's the state of the signing code? When are you planning on getting that into common or keystoneclient?
18:10:25 <heckj> (or did all that we need  come in with henrynash's changes?)
18:10:49 <ayoung> heckj, good question.  I haven't started on that yet.  the cms piece should be there, but nothing uses it
18:11:17 <ayoung> I've been in SQL land
18:11:24 <heckj> ayoung: Ok - so maybe a point release after 0.2.0 or something to add in that functionality, assuming it won't break any existing methods
18:11:27 <henrynash_> (sorry, lost connection for sec)
18:11:55 <heckj> #topic V3 Keystone API
18:11:58 <ayoung> heckj, should not break anything.  It will just be additional functionality as far as I can see for now
18:12:05 <heckj> ayoung: cool
18:12:19 <heckj> V3 API pieces are still landing policies is pending review
18:12:39 <heckj> dolphm: saw a note about skipped tests in there that I think can be removed and those tests run on the last review
18:12:42 <dwchadwick> what is the planned date for v3 api release
18:12:42 <ayoung> heckj, BTW, we are going to start deprecating KVS, to start with not including it in the policy
18:13:15 <ayoung> We can always get KVS like behavior using the SQL backends and SQLite in-memory
18:13:23 <dolphm> heckj: on your question regarding test_policy_crud in test_keystoneclient ... that was actually written against the client-side policy implementation when policies was implemented on v2... so i'm thinking create a whole new test_keystoneclient_v3 suite that runs against keystoneclient.v3?
18:13:30 <gyee> when can I start on the stop-token-in-uris bp?
18:13:51 <heckj> dwchadwick: initial "tech preview" as soon as we can get all the changes merged in
18:14:20 <heckj> dolphm: setting up the new tests sounds good
18:14:31 <dolphm> heckj: so remove for now, setup new test suite asap?
18:15:04 <heckj> dolphm: sounds good. Need help putting this into place? (can it be parallelized at all?)
18:15:28 <dolphm> gyee: are you happy with the identity api v3 spec for auth? (everything on /v3/tokens)
18:16:09 <dolphm> heckj: gyee's help implementing /tokens stuff would be a pre-req for a true v3 test suite
18:16:15 <gyee> dolphm, we would like to make more changes, like service/endpoint scoping
18:16:23 <dolphm> gyee: propose asap?
18:16:27 <heckj> dolphm: based on the emails recently, I think we might need to tweak up tokens to allow user-scoped (called "unscoped" previously) tokens as well as tenant-scoped
18:16:28 <gyee> but I am not sure about the timing
18:16:51 <dolphm> heckj: #todo catch up on mailing list :)
18:16:56 <heckj> gyee: your additional scope restriction to endpoints would be great to land in there at the same time
18:17:22 <gyee> we have a bp on service/endpoint scoping and service role delegation
18:17:31 <gyee> not sure if everyone have a chance to read up on it yet
18:17:35 <ayoung> gyee, yep. its on the agenda
18:17:37 <ayoung> https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-delegation
18:17:43 <heckj> heh - nice segway
18:17:49 <dolphm> heckj: i might be able to get rolling on a test framework in the mean time, although i doubt it'll be able to test much without auth
18:17:52 <gyee> I am sure david have more stuff to add :)
18:18:00 <heckj> gyee: any chance you can help dolph with some of the token implemenation bits?
18:18:14 <gyee> heckj, absolutely
18:18:18 <gyee> love to help
18:18:18 <dwchadwick> I think we need to agree on the design as we are now doing via email before finalising the implementation
18:18:26 <dolphm> gyee: thanks
18:18:51 <dolphm> dwchadwick: +1, and agree on hard spec changes as well
18:19:05 <dwchadwick> I would like to agree the concepts first
18:19:18 <gyee> yeah, lets create an etherpad on the bp
18:19:18 <dwchadwick> then proceed to the api and coding
18:19:25 <heckj> gyee: +1
18:19:58 <dwchadwick> Sorry but can you explain etherpad and bp to a newbie
18:19:59 <heckj> gyee: set one up now? I'll link into meeting notes
18:20:11 <gyee> gimme a min
18:20:23 <heckj> dwchadwick: etherpad is a collaborative text editor - see "http://etherpad.openstack.org"
18:20:28 <dolphm> dwchadwick: agree, although it's worth pointing out that if the implementation is do & easy to read, the openstack community will generally provide feedback much more readily
18:20:32 <dwchadwick> ok thanks
18:20:36 <heckj> dwchadwick: great for writing together, sharing notes, highly, highly editable
18:20:38 <dolphm> implementation is easy to do & easy to read*
18:20:46 <heckj> dwchadwick: bp is shorthand for a blueprint in launchpad
18:21:09 <heckj> much less editable, kind of a pain in the butt, but what we have as a mechanism to talk about about prioritize feature work
18:21:33 <gyee> https://etherpad.openstack.org/service-endpoint-isolation-role-delegation
18:21:34 <heckj> dolphm: 100% agree - makes a HUGE difference
18:21:44 <heckj> #link https://etherpad.openstack.org/service-endpoint-isolation-role-delegation
18:21:50 <dwchadwick> so we work on a document in etherpad then publish the agreed one as bp
18:22:53 <dwchadwick> I have quite a lot of comments to make on the current delegation bp that was published today
18:23:17 <gyee> dwchadwick, let have all your comments in the etherpad
18:23:41 <heckj> dwchadwick: you can just leave the etherpad up as a blueprint link, it's handy - but the place we'll need to publish the final spec is in the github repo identity-api - the spec is documented there and effectively published
18:23:53 <heckj> let's definitely start out on the etherpad though
18:24:01 <dolphm> general etherpad advice to EVERYONE: mark your comments/feedback in etherpad with your name! e.g. (dolph): my comment
18:24:14 <dwchadwick> I have just opened up the link but the current bp is not there. its more or less a blank page
18:24:41 <heckj> dwchadwick: refresh or re-open https://etherpad.openstack.org/service-endpoint-isolation-role-delegation
18:24:48 <heckj> I just put in some text, you should see it
18:24:57 <dwchadwick> I expected to see the current bp in etherpad so that it could be edited or commented on
18:25:10 <heckj> I see 7 collaborators connected right now there
18:25:32 <heckj> Nobody has added it yet :-) If you ahve the link handy, put it in there at the top
18:25:59 <heckj> blueprint https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-delegation pasted in there - see it?
18:26:02 <heckj> dwchadwick: ^^
18:26:24 <heckj> guessing so - the whole content of the blueprint just appeared! :-)
18:26:31 <gyee> nice
18:26:40 <heckj> Okay - let's head to that topic
18:26:45 <marek_> Without pictures
18:26:51 <heckj> #topic: https://blueprints.launchpad.net/keystone/+spec/service-isolation-and-roles-delegation
18:26:54 <heckj> marek_: ?
18:27:06 <heckj> gyee - take it away!
18:27:18 <gyee> hey everybody, marek_'s the author of the bp
18:27:22 <ayoung> so, the problem with the name service isolation is that we really want endpoint isolation
18:27:31 <ayoung> service is the Kerberos name for endpoint
18:27:54 <ayoung> so we have effectively chose the *best* name to rain confusion down upon our own users head
18:27:55 <ayoung> s
18:28:16 <gyee> we need to be able to scope it down to services and endpoints so that your token can not be reuse/abuse if the intended service happened to be compromised
18:29:04 <ayoung> gyee, does it really make sense to limit it to services?  Or is that required for when you don't know what service will be ultimately used?
18:29:11 <dwchadwick> If a token is targeted then it cannot be reused anywhere else (unless the accepting party does not care)
18:29:18 <ayoung> er..what endpoint will be ultimately used
18:29:47 <gyee> any endpoint
18:30:10 <dwchadwick> On Ethterpad one of my comments isIt is always a bad idea to give a capability token to anyone you do not trust.
18:30:10 <gyee> if your token is scoped to an endpoint, it cannot be used anywhere other than that endpoint
18:30:13 <ayoung> gyee, I am almost prone to say that tokens should be scoped to endpoints
18:30:23 <ayoung> gyee, yep
18:30:28 <dwchadwick> agreed
18:30:43 <gyee> but service should be an option as well
18:30:52 <dwchadwick> and confidentiality is separate to targeting
18:31:05 <gyee> right
18:31:16 <gyee> using PKI, we can issue a cert for that endpoint
18:31:17 <dwchadwick> So encryption is not the solution to targeting
18:31:19 <ayoung> gyee, why service?  Are there cases where we know that it can be scoped to a service, but don'
18:31:21 <ayoung> t
18:31:27 <gyee> and encrypt the token for that endpoint only
18:31:32 <ayoung> know what endpoint it will ultimately be used on?
18:31:41 <dwchadwick> No because you can still have surreptitious forwarding
18:32:16 <gyee> forwarding?
18:32:17 <heckj> ayoung: for service targeting - if your endpoints are all round-robin to a single service, it would be relevant
18:32:18 <ayoung> If an endpoint is compromised, we want to make sure no tokens from there can be reused
18:32:23 <ayoung> heckj, OK
18:32:32 <gyee> heckj, exactly
18:32:48 <marek_> A service might have a few endpoints in different zones  and you would like to have a single token that can be used for all its endpoints
18:33:00 <ayoung> heckj, that seems to call for some abstraction between service and endpoint,  or, probably more correctly, a token scoped to a set of endpoints
18:33:08 <dwchadwick> if the signed token is not targeted but only encrypted for the service, then the service can decrypt it and re-encrypt it for another service
18:33:13 <heckj> we've got a little blind spot in the service/endpoint setup - unclear relations between endpoints and how they're used by implementations, means the solution gets more complicated to cover the generalized cases
18:33:58 <marek_> It can be scoped to a service or one with higher granularity to one or more endpoints of this service
18:34:00 <ayoung> I think I would prefer to state "tokens can be scoped to one or more endpoints"  unless we are forced to go "service wide"
18:34:05 <dwchadwick> this is why we need a clear conceptual specification first :-)
18:34:41 <dwchadwick> Why not have the targeting at service level plus optional endpoints
18:34:42 <gyee> a service is one or more endpoints right?
18:35:05 <dwchadwick> if there are no endpoints specified it means all endpoints of this service
18:35:06 <ayoung> gyee, more correct to say a service is a powertype of an endpoint
18:35:11 <heckj> gyee: I think more appropriately a service has one or more endpoints, but technically a servcice can have no endpoints according to the current spec
18:35:12 <gyee> dwchadwick, yes, we need the flexibility for both services and endpoints
18:35:20 <heckj> ayoung: WTF is a powertype?
18:35:30 <ayoung> heckj, I'll find a link
18:35:31 <dolphm> ... powertype?
18:35:32 <dwchadwick> black and decker?
18:35:38 <dolphm> dwchadwick: +1
18:35:43 <heckj> I see chainsaws coming next...
18:35:45 <gyee> nice
18:35:47 <ayoung> http://en.wikipedia.org/wiki/Powertype_%28UML%29
18:35:48 <marek_> That is proposed in BP, service scoping with option to scope to endpoint
18:36:15 <ayoung> heckj, its like a baseclass, but the term is better used in the cases of databases and things like this
18:36:27 <heckj> #link this is a powertype: http://en.wikipedia.org/wiki/Powertype_%28UML%29
18:36:50 <dwchadwick> So its a superclass?
18:36:51 <gyee> WTF's UML? :)
18:37:00 <heckj> gyee: +1 :-)
18:37:20 <ayoung> Its an organization for Mixed Martial Arts, I think
18:37:24 <dwchadwick> So you can scope a token to a service type, and the type of service forms a class hierarchy
18:37:47 <gyee> not service type, just service
18:37:56 <dolphm> by service id?
18:37:58 <dwchadwick> eg. I scope a token for banking service and it can be used at BoA, Citibank, Barclays etc
18:38:00 <heckj> dwchadwick: except nothing is really inherited here, so that metaphor breaks down a bit
18:38:05 <ayoung> right
18:38:06 <marek_> We need the ability to scope to a service instance not a type
18:38:34 <dwchadwick> How many endpoints does a service instance have?
18:38:42 <ayoung> marek_, the phrase "a service instance not a type" does not compute
18:38:49 <marek_> 0...*
18:39:19 <dolphm> marek_: 0? not 1-3?
18:39:47 <dwchadwick> These are fine details that should be in the conceptual document
18:39:48 <gyee> let just call it service
18:39:52 <gyee> plain and simple
18:40:07 <ayoung> again, I'm not convince that  "all endpoints of a service" is a safe abstraction for tokens
18:40:20 <ayoung> I would much rather say "this set of endpoints"
18:40:25 <marek_> A service has a t least 1 endpoint. But there is no upper limit.
18:40:47 <dwchadwick> a service (type) has many service instances
18:40:54 <dolphm> marek_: okay, yeah (i think the current client will choke on an additional set of endpoints, but that's not an API issue)
18:40:56 <dwchadwick> a service instance has one or many endpoint
18:41:20 <marek_> correct
18:41:44 <dwchadwick> So we could agree to scope a token to a service type, service instance or set of endpoints
18:41:52 <heckj> ayoung: I'm good with asserting sets of endpoints - makes it very explicit
18:41:57 <dwchadwick> That is the full range of flexibility
18:42:12 <marek_> I do not see a benefit of scoping to service type
18:42:13 <heckj> ayoung: trick will be asserting that and coordinating that with the endpoint itself, which currently doesn't know or much care about it's endpoint ID
18:42:27 <dwchadwick> However, regardless of the scoping of the token, it has to be sent to an actual endpoint
18:43:09 <ayoung> heckj, that will need to be solved anyway
18:43:10 <dwchadwick> So each endpoint can send the token to Keystone and it can validate whether the token is valid at that endpoint or not
18:43:19 <marek_> The user may choose to scope to a service level or narrow down to a particular endpoint of this service
18:43:25 <heckj> ayoung: yep, just calling it out as an issue to be solved
18:43:25 <ayoung> dwchadwick, that is my understanding as well
18:43:36 <dwchadwick> Hence each endpoint must know its lineage (service type, service instance)
18:43:49 <ayoung> dwchadwick, just service
18:44:09 <heckj> dwchadwick: once the endpoint is correlated with it's relevant endpoint ID, lineage is explorable
18:44:11 <ayoung> there is no "service type" or , "service instance" abstraction in our dictionary
18:44:27 <gyee> just service
18:44:55 <dwchadwick> there must be the concept of service type and instance since you can have multiple copies of one service running in the cloud
18:45:03 <marek_> There is no need for adding service type, unless you want to add common  roles per service  type
18:45:37 <dwchadwick> And you have already said that a service instance can have one or many endpoints
18:46:23 <dwchadwick> Presumably there will be a service factory that can spawn instances of the service on demand
18:46:49 <heckj> dwchadwick: I think the translation that's reasonable close: service_type ==> what we're calling 'service', service_instance => what we're calling 'endpoint'
18:46:54 <dwchadwick> the scope of roles is another issue to be discussed
18:47:05 <marek_> We already  have service types like Nova, Swift. Do you mean  another type classification?
18:47:06 <ayoung> dwchadwick, "instances of the service" are endpoints
18:47:31 <dwchadwick> heckj -> I dont think so since a service can have multiple endpoints
18:47:58 <heckj> dwchadwick: you're assuming more and deeper structure in your definitions than we have in reality
18:48:08 <dwchadwick> Maybe
18:48:21 <dwchadwick> But say a service has an admin endpoint and a user endpoint
18:48:27 <heckj> they aren't today classes and instances, they're a composition of REST objects with attributes on them that we can manipulate
18:48:57 <heckj> there's no factory, only API's to create services or create endpoints at the moment
18:49:06 <dwchadwick> Are these different services in your world view? Because ultimately they should be the same object
18:49:56 <ayoung> dwchadwick, they are the same endpoint.
18:49:59 <heckj> dwchadwick: today, and with the current API, they're treated as 3 separate objects - a service and two endpoints with a relation between them from the endpoint pointing to the service to which they're related
18:50:16 <heckj> ayoung: more correct
18:50:18 <ayoung> heckj, do we put admin and public as 2 endpoints in keystone?
18:50:45 <heckj> ayoung: no, we shimmed in some attributes on the endpoint so we could differentiate "public", "internal", and "admin"
18:50:46 <gyee> ayoung, we have the 'facing' attr
18:51:04 <dolphm> an endpoint is a pointer to an instance of a service, two endpoints may point to the same instance, a service is useless without at least one endpoint because you can't use it :P
18:51:46 <dwchadwick> agreed that zero endpoints makes no sense. But what about multiple endpoints
18:52:00 <marek_> Well, you can still use the service with hidden/private/disabled endpoints to assigne roles and status of service
18:52:25 <dwchadwick> like an admin endpoint for the service
18:53:08 <dwchadwick> Sorry guys but I have to go now. I really enjoyed my first meeting with you via IRC
18:53:22 <dwchadwick> I can continue on the Etherpad later tonight or tomorrow
18:53:32 <heckj> dwchadwick: thanks for joining us
18:53:38 <heckj> Kristy: thanks for being here as well
18:53:49 <marek_> You can define a Nova service in Keystone and use it as target for roles grants. Then later on you add /enable/ or just publish  or more endpoints  of this service
18:54:08 <heckj> FYI: We've seven more minutes
18:54:21 <Kristy> Thanks :)
18:54:40 <heckj> gyee: what's your schedule today? I've got another meeting right after this that just smacked me
18:54:43 <henrynash> are we ready for aob?
18:54:48 <heckj> aob?
18:54:56 <henrynash> any Other Business
18:55:03 <heckj> #topic open discussion
18:55:09 <gyee> heckj, how about I ping you later in the afternoon?
18:55:22 <heckj> gyee: sounds good - I'll be offline for a while, but back in within a few hours
18:55:24 <dolphm> marek_: when you say enable the endpoint -- are you referring to the v3 definition of enable/disabling endpoints?
18:55:32 <gyee> I just need to know what are we going to do with the authenticate() interface for keyrig stuff
18:55:34 <henrynash> so wanted to let you know that I will complete the bp for groups of suers tonight
18:55:43 <henrynash> https://blueprints.launchpad.net/keystone/+spec/user-groups
18:55:55 <heckj> henrynash: sounds good - looking forward to readin git
18:56:02 <gyee> henrynash, I plan on commenting on your bp later today as well
18:56:03 <henrynash> will hook up the api design doc for it later tonight
18:56:08 <ayoung> gyee, continue the "authenticate()" discussion in #openstack-dev after the meeting.
18:56:14 <marek_> dolphm: yes
18:56:27 <gyee> ayoung, sure
18:56:39 <heckj> ayoung: wo'nt work for me- I need to run to other meetings, but will be back in a few hours
18:56:46 <henrynash> I also plan to complete the bp for private name spaces this week: https://blueprints.launchpad.net/keystone/+spec/domain-name-spaces
18:57:21 <ayoung> heckj, that is OK,  we'll have a solution for you by the time you are done
18:57:28 <heckj> ayoung: yeah, good luck with that
18:57:43 <gyee> :)
18:59:53 <heckj> Wrapping up for now
18:59:56 <heckj> #endmeeting