18:10:10 #startmeeting keystone
18:10:11 Meeting started Tue Nov 27 18:10:10 2012 UTC. The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:10:13 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:10:15 The meeting name has been set to 'keystone'
18:10:18 Folks still around?
18:10:30 ayoung, dolph, gyee, dwchadwick?
18:10:37 here
18:11:09 afraid I'm running very late and on no sleep
18:11:42 #topic agenda http://wiki.openstack.org/Meetings/KeystoneMeeting
18:11:57 hi
18:12:01 morning henrynash
18:12:05 (well, morning for me)
18:12:12 ;-)
18:12:21 Any high priority or burning issues?
18:12:48 so for me, it's the infamous groups vs attribute-role mapping
18:13:01 I need to take care of the keyring thingy for keystoneclient
18:13:10 kristy? dwchadwick - either of you around today?
18:13:31 gyee: I at least found the keyring issue for you - did you get those notes?
18:13:38 i just realized my cup is leaking quite rapidly onto my desk (not sure if that counts)
18:14:18 dolphm: that sounds rather important, I'd recommend dealing with it immediately
18:14:30 heckj: fine, brb
18:15:07 We have a bug that's been reported that happens under higher load - a path to get resolved, but not clear implementations
18:15:29 heckj, yeah, thanks, I am going to make the changes
18:15:32 bug: https://bugs.launchpad.net/keystone/+bug/1020127
18:15:33 Launchpad bug 1020127 in keystone "proxy-server Error: Second simultaneous read or write detected" [High,In progress]
18:15:43 we still on?
18:15:43 question is, should we disable keyring by default
18:15:58 or override it via env var in devstack
18:16:09 Alex Yang is supposedly working on moving the memcachering (eventlet safe memcache client) into openstack common, but it's biting some folks using keystone at a high velocity
18:16:42 henrynash: yeah, just getting back up to speed
18:17:09 ok, I'm on a rather flaky internet connection from Tunisia!
18:17:24 let's hit the attribute setup pieces in a second - sounds like the biggest topic
18:17:52 gyee: How are the other projects using it? i.e. how does novaclient do this (since it has keyring support)
18:18:42 heckj, good suggestion, we need to be consistent, I'll go find out
18:19:40 #topic attributes, role mapping, etc - ABAC and RBAC
18:19:45 ayoung: around?
18:20:26 henrynash: I haven't come up to speed with the role mapping concept - ABAC in itself seems pretty straightforward, but it's not at all what we have in V3 right now
18:20:47 agreed
18:21:07 I'm generally trying to figure out what's been requested for work - making V3 work cleanly or resetting this whole kit to an ABAC based system
18:21:14 I thought roles are nothing more than just a string, the services interpret/enforce the roles
18:22:07 gyee: yep - that's not a problem, and I like the concept of the ABAC system in general, but it's not at all what's in our policy engine and there's pending work to change the token API, present additional attributes, and pass them into the policy engine effectively.
18:22:08 I think the (short term) decision is whether we support groups/organisation roles via something like the user-group extensions to RBAC, or introduce attributes in some kind of "local mapping mode" to implement the same functionality
18:22:59 gyee, henrynash: do you have a preference for either implementation focus? Does using a local mapping mechanism get us closer to ABAC in the future?
18:23:18 dolphm: when you're back, would like your input on ^^
18:24:26 heckj: i'm back, but don't have much input (just interested in seeing where the communities long term preferences lie)
18:24:35 community's
18:24:40 * heckj nods
18:24:45 heckj: Not as currently defined - the current spec seems only half the story (as per my email)
18:25:17 henrynash: sorry, which is only half defined - the V3 RBAC setup, or the ABAC/extension pieces?
18:25:37 I think if we did implement what was needed in a local mode, then actually you would end up with exactly the same spec (albeit with a few more layers thrown in) as the user-group spec
18:26:14 ..maybe group membership is just another attribute to be taken into account when we finally implement ABAC
18:28:40 group is transparent in the RBAC model I think
18:29:35 gyee: transparent? not sure I understand you
18:30:27 RBAC authorize on roles, not group
18:30:30 groups
18:30:49
18:30:59 gyee: ah, yes - in that respect it is transparent
18:30:59 groups are there to make role assignment easier
18:31:11 gyee : =1
18:31:15 +1
18:32:09 so it seems like short term, implementing a groups REST API mechanism for managing sets of users to projects is the optimal path.
18:32:22 heckj : +1
18:32:25 +1
18:32:36 With an idea to keeping that API to present the same interface back to customers, but converting the underpinning to ABAC in the long term
18:33:08 henrynash: Have you made updates to your proposed spec based on feedback received?
18:34:12 I'm happy to have the bp assigned to me for implementation
18:34:50 henrynash: K - we'll go with that and start rolling there
18:35:19 dolphm: you'd opened some bugs and noted some issues with the initial V3 API in the past two weeks - any tags or notes related to that you can share?
18:36:47 heckj: just that the service+endpoint spec has evolved far beyond the current implementation... migrating the sql driver to the new model and supporting both v2 CRUD and v3 CRUD will be tricky (the service catalog response will be trivial in either case)
18:37:26 heckj, ah...got the time wrong
18:37:29 heckj: for example, each current endpoint will suddenly have 3 ID's in the v3 spec, but still need to be accessible via the original ID in the v2 spec
18:37:33 ayoung: heh
18:37:42 for v3, token APIs are still /v2.0?
18:37:59 gyee: no, there's just no v3 implementation yet
18:38:05 k
18:38:12 gyee: and i think the v3 spec on that topic needs some attention
18:38:18 oic
18:38:31 same goes for middleware then?
18:38:44 gyee: what about middleware? (auth_token?)
18:39:00 yes, it's not using /v3 at the moment
18:39:29 gyee: most of that API remained the same and during the original V3 development work was directly compatible
18:39:31 gyee: right
18:39:50 dolphm: where are you focused at the moment?
18:39:57 gyee: the auth_token contract with the underlying service won't change (although we could expose X-Domain-Id / X-Domain-Name if we want to)
18:40:22 heckj: v2 vs v3 catalog driver
18:40:29 heckj: trying to figure out how to support both
18:40:29 dolphm: cool
18:41:01 dolphm, nah, domain need not be exposed to the services at the moment
18:41:04 dolphm: did you ever port the token changes from your development/feature branch into master for Token?
18:41:21 (i.e. is there anything more that needs to get moved over)?
18:41:23 heckj, what changes?
18:41:44 gyee: agree, but i expect metering & billing projects to want that data
18:41:56 ayoung: the V3 implementation of the token API in the V3 feature branch
18:41:57 heckj: no, i never made any
18:42:10 heckj: there is no v3 token impl
18:42:15 Okay - so V3 token implementation is still pending
18:43:04 heckj, isn't that basically the gyee work on getting the tokenid out of the URL anyway?
18:43:09 heckj, yeah, we need to figure out the auth plugins
18:43:21 ayoung, and that too :)
18:43:23 ayoung: yep -
18:43:26 heckj: long term, are we okay with deprecating & removing all non-auth related v2 calls & extensions? (i think we need to maintain full support for /v2.0/tokens for quite a while)
18:43:35 dolphm, +1
18:43:43 dolphm: yes, definitely
18:43:49 +1
18:44:05 so I do the stop-token-in-uri thingy on /v2.0 for now?
18:44:05 dolphm: we just need to be very clear about deprecation and what's available/supported and when
18:44:08 dolphm, but we probably need a way to turn off the token ID in the URL
18:44:31 ayoung: i think the answer to that is to use v3, and make v2 support a deployment option
18:44:37 gyee: I think you want to do that in a /v3 API mapping, using most of what's already there for token support
18:44:37 dolphm, agreed
18:44:49 ayoung: i.e. remove v2 support from the pipeline if you think it's a security issue in your deployment
18:45:14 ayoung: token ID in the URL is intrinsic to the API - the only way we get away from it is to deprecate the V2 API
18:45:16 dolphm, yes. gyee can you factor that into your approach?
18:46:12 heckj, well, we want to deprecate it, but a security conscious deployment should be able to avoid it altogether. Part of that is disabling it at keystone so you know that other services can't use it without you knowing
18:46:13 ayoung: how are you envisioning making v2 API support optional?
18:46:30 heckj, config option?
18:46:30 ayoung: like the idea to make it optional
18:46:43 config option or asking customers to change their paste.ini?
18:46:50 yes, defaults V2_Tokens=True
18:47:14 but setting to False shuts down accepting them
18:47:14 ayoung: heckj: it's already sort of optional (there's just nothing to replace it)
18:47:38 dolphm, there is also no way to yank it yet
18:47:57 dolphm: I'm just missing it this morning
18:48:07 ayoung: sure there is, remove it from your keystone.conf (v2 is isolated from v3 there)
18:48:17 gyee: are you good to move forward with what dolphm and ayoung are suggesting?
18:48:30 I mean, you could yank the whole v2 API...I was just thinking the tokenID in the URL piece (tokens)
18:48:55 but I guess going V3 pure would be a viable solution
18:49:23 so I am going to impl the v3 token APIs?
18:49:28 ayoung: would be less work than partially disabling V2 APIs
18:49:48 gyee: yes - and include the stop-id work in there
18:49:53 k
18:50:02 but leave the v2 APIs alone for now
18:50:26 yep - we'll plan to deprecate them, at least the token part - but ideally the whole V2 API set
18:50:27 OK, that should work...it means that it would be Grizzly only, and not something independently back portable, but so be it
18:50:37 heckj: +1
18:50:42 ayoung: never expected it to be back-portable
18:50:59 not backportable since the auth content is different
18:51:25 only a few minutes left
18:51:28 #topic open discussion
18:51:35 henrynash you good? (if you're still with us)
18:51:42 heckj, can I get a final blessing on the normalize patch?
18:51:46 yes, been in and out!
18:51:49 https://review.openstack.org/#/c/16322/
18:51:50 ayoung: where are you focused? How's identity coming along?
18:52:04 heckj, I am working on preauth..now renamed to trusts
18:52:28 ayoung: trusts huh? Did you update the blueprint or is that an internal convention naming thing?
18:52:32 I like the name trust. A trust has a truster and a trustee
18:52:42 https://blueprints.launchpad.net/keystone/+spec/trusts
18:53:00 cool
18:53:18 I've done a lot of vetting of names. All names have some limitation. This had the least
18:53:21 it maps to intention
18:53:28 ayoung: will do the identity review today
18:53:51 ayoung: sounds good - isn't this predicated on passing in auth/authN refactor? - where's that sitting?
18:53:57 the word 'trusts' is used in Kerberos, but it is a slightly different level: cross domain trusts. There are user to user trusts
18:54:11 heckj, a good chunk of the refactor was done.
18:54:31 ayoung: more outstanding while you work on trusts?
18:54:40 I think I will weave the additional refactoring work in to the trusts...I don't want to shut down dev on service.py if I don't need to
18:54:41 ayoung: or is someone else tracking on that work?
18:54:55 cool
18:55:23 heckj, I like the current refactor state, as it is at least readable/maintainable. I can foresee doing much more in the future, but under the guise of other features
18:55:43 ayoung: sounds good
18:55:56 trusts by themselves should add an additional set of functions to the Authenticate code path, but they should be isolated from the authenticate function itseld
18:55:58 f
18:56:24 I'm going to focus on that bug I mentioned at the top of the discussion - not sure how much traction I'll get between now and next week, but I'll at least try and get a repro running for it
18:57:06 ie... there will be an additional conditional that we are dealing with a trust request, and that will call a function that will prevent calling REMOTE_USER etc. I'll shout when I get closer to that, right now I am working over the SQL schema and unit tests for the back end
18:57:33 heckj, are you referring to the swift thing?
18:57:40 ayoung: yeah
18:57:50 I think the right solution there is to stop using memcached as the cache
18:58:18 memcached and eventlet don't play nice. I hate being a playground referee
18:58:20 ayoung: and use what instead? memcachering was proposed - sounded OK to me with a move into openstack common
18:58:29 yes, that is the solution
18:58:48 ayoung: is that what you mean by "stop using memcache"?
18:58:58 assuming memcache ring doesn't have any baggage of its own...
18:59:06 dolphm, we don't want to make a blocking call to cache
18:59:13 so, KVS
18:59:30 something that times out like memcached, but that is purely in memory
18:59:36 I got burned with blocking calls in middleware once :)
18:59:50 dolphm, only for auth_token users that are running in eventlet
18:59:54 say they are running in apache under prefork mode, they should use memcached
19:00:10 ayoung: right now, we don't even have any means of reproducing the issue and verifying that it's resolved - so focusing on that first
19:00:17 so memcache ring is, I think, an abstraction that lets us swap one or the other in
19:00:19 But I want that confirmed
19:00:57 ayoung: read the code - it's not a complete memcache replacement, but it's darned close - does what's needed, and there's equiv art elsewhere in use
19:01:12 ayoung: I noted as such in the blueprint to push that into openstack-common
19:01:15 heckj, can we ask them to run with a hacked auth_token that uses kvs and see if the problem goes away?
19:01:49 ayoung: the guy asking/reporting the bug isn't in to hacking code or he'd already have this solved
19:02:03 I've got to run to another meeting
19:02:06 #endmeeting