18:00:50 <ayoung> #startmeeting keystone 18:00:51 <openstack> Meeting started Tue Dec 4 18:00:50 2012 UTC. The chair is ayoung. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:51 <dwchadwick> FYI we have just updated the attribute mapping blueprint 18:00:52 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:54 <openstack> The meeting name has been set to 'keystone' 18:01:16 <ayoung> #link http://wiki.openstack.org/Meetings/KeystoneMeeting 18:02:24 <dwchadwick> agenda is fine for me 18:02:26 <ayoung> Robot Rollcall 18:02:35 <ayoung> heckj, you in today? 18:02:38 <heckj> here!~ 18:02:41 <heckj> Sorry, was reading bugs 18:02:43 <heckj> :-) 18:02:51 <openstack> heckj: Error: Can't start another meeting, one is in progress. 18:02:54 <ayoung> That is one thing you never need apologise for 18:03:04 <ayoung> heckj, already started 18:03:05 <heckj> Oh - you already did it, sweet! 18:03:07 <dolphm> lol 18:03:12 <dwchadwick> You should apologise for creating bugs :-) 18:03:17 <heckj> heh 18:03:18 <ayoung> dwchadwick, that would be me 18:03:19 <heckj> never 18:03:28 * dolphm apologizes 18:03:29 <ayoung> and I don't mean logging them 18:03:48 <ayoung> #topic High priority bugs or immediate issues? 18:03:50 <heckj> felt bad after henrynash asked me about a triaged bug and realized I hadn't done anything to triage in weeks 18:04:02 <heckj> 8 bugs outstanding to be triaged - working on that today 18:04:25 <dolphm> heckj: aren't you supposed to be on holiday? 18:04:26 <heckj> Haven't made any progress on the memcache thing and repro work - not hard, just haven't been able to dedicate the time as yet 18:04:31 <heckj> Starting tomorrow 18:04:49 * heckj shuts up now and let's Adam run this 18:05:12 <ayoung> heckj, actually, since we were talking Bugs, anything on the new list that is burning? 18:05:22 <ayoung> Or recently triaged? 18:05:34 <heckj> just now going through them 18:05:42 <ayoung> auth_token failure if signing_dir not specified running under upstart.....not a bug 18:05:53 <ayoung> Length of user_name in database too short for X.509 DNs that is mine 18:06:00 <heckj> The only burning one is the periodic memcache failure due to eventlet race conditions and memcache clients at high concurrency 18:06:08 <heckj> (that I know of) 18:06:31 <ayoung> heckj, OK, so the long term solution for that one is the swift memcache ring, right? 18:06:33 <gyee> swift memcache ring impl seem pretty solid 18:06:56 <heckj> ayoung: yep - Alex Yang was getting that into openstack common - may need a "boost" to do so, then using it from there 18:07:01 <dolphm> heckj: who's working to get the solution into oslo? (i believe that's the blocker on a fix, no?) 18:07:10 <dolphm> heckj: (spoke too soon!) 18:07:21 <heckj> dolphm: fellow (that I don't really know) who commented on the bug 18:07:37 <heckj> dolphm: he opened a blueprint against oslo - looks like he made traction for a while, then disappeared or lost interest 18:08:02 <ayoung> heckj that is https://bugs.launchpad.net/keystone/+bug/1052674 right? 18:08:03 <uvirtbot> Launchpad bug 1052674 in keystone "Keystone auth_token middleware should support Swift global memcache" [High,Triaged] 18:08:09 <gyee> auth_token used to take env['swift.cache'] 18:08:19 <gyee> did I file that one? 18:08:39 <heckj> actaully, I think there's a separate bug there - this might be a dupe 18:09:03 <gyee> trivial fix 18:09:05 <gyee> I can do it 18:09:50 <ayoung> #link https://bugs.launchpad.net/keystone/+bug/1052674 18:09:52 <uvirtbot> Launchpad bug 1052674 in keystone "Keystone auth_token middleware should support Swift global memcache" [High,Triaged] 18:09:56 <heckj> #link https://bugs.launchpad.net/keystone/+bug/1020127 18:09:58 <uvirtbot> Launchpad bug 1020127 in keystone "proxy-server Error: Second simultaneous read or write detected" [High,In progress] 18:10:20 <heckj> same intent, different bugs 18:10:41 <ayoung> gyee, can you own this from the Keystone side? 18:10:49 <gyee> sure 18:11:11 <ayoung> OK, other big issues? 18:11:36 <ayoung> https://bugs.launchpad.net/keystone/+bugs?search=Search&field.status=New 18:12:20 <gyee> btw, I upgrade pep8 to 1.3.3 and it started to flag a bunch of new pep8 errors 18:12:24 <gyee> upgraded 18:12:40 <gyee> in both keystone and keystoneclient 18:12:53 <ayoung> gyee, open ticket. We'll either fix or we'll ignore 18:13:13 <gyee> question is which version is correct? :) 18:13:28 <gyee> no errors from older versions of pep8 18:13:35 <heckj> trying to figure out how to link https://bugs.launchpad.net/keystone/+bug/1082050 to the Ubuntu packagers crew 18:13:36 <uvirtbot> Launchpad bug 1082050 in keystone "Spelling errors reported on IRC" [Undecided,New] 18:13:50 <gyee> mostly choking on line continuation 18:14:40 <ayoung> OK, lets move on 18:14:55 <ayoung> lets keep open discussion for the end 18:15:03 <ayoung> #topic Groups vs. attribute mappings 18:15:31 <henrynash> ok, so last week we approved the groups bp….and so I am starting implmentation 18:15:45 <ayoung> dwchadwick, I'm guessing which side of this discussion you are going to take... 18:15:52 <henrynash> david & I have had some conversations and Kirsty and I need to have some more 18:15:54 <dwchadwick> Henry raised an issue that the attribute mapping blueprint did not mention tenants so that has been fixed now. A new version was published just before the meeting 18:16:33 <dwchadwick> Kristy is not starting the implementation. We plan to have the first version available by the end of the year 18:16:51 <ayoung> "not" should be "now" right? 18:17:00 <dwchadwick> If Henry makes the changes he needs to use this for groups it should make both our works easier 18:17:03 <henrynash> dwchadwick: so have been looking at that…perhaps the thing that is missing is what actually going to use the attributes to enforce permissions 18:17:34 <ayoung> soyeah, that is going to require buy in outside of Keystone 18:17:37 <henrynash> i.e. what changes are needed elsewhere in keystone 18:17:57 <ayoung> We want to use the policy engine to support ABAC 18:18:10 <ayoung> and policy engine is going to live in Oslo 18:18:14 <henrynash> I would think so 18:18:28 <dwchadwick> We also have an open source policy engine that we can use 18:18:29 <ayoung> So I think the right approach is like what we did for PKI 18:18:58 <ayoung> make it work, but disabled by default. Make is a "seamless change" and switch the default in the H timeframe 18:19:10 <henrynash> ayoung: +1 18:19:27 <ayoung> dwchadwick, is that engine in Python? It will be a non-starter if it isn't 18:19:38 <dwchadwick> no, its in java 18:19:42 <gyee> haha 18:19:52 <ayoung> dwchadwick, so was Keystone originally 18:19:57 <dwchadwick> but we have a python interface 18:20:01 <heckj> ayoung: excellent idea 18:20:04 <gyee> and it uses xml too? :) 18:20:08 <ayoung> heh 18:20:15 <dwchadwick> yea 18:20:23 * heckj hangs his head 18:20:26 <ayoung> dwchadwick, well, we can use it as the reference implementation, 18:20:40 <dwchadwick> exactly. but back to attribute mapping 18:20:41 <ayoung> same kind of thing was an issue when talking about using Dogtag for certificates 18:21:04 <dwchadwick> Henry, I did not follow your comment 18:21:30 <henrynash> ayoung: I do like the idea of getting the attribute implementation in there, finding where we need to do the hooks, but disabled by defualt 18:21:37 <ayoung> dwchadwick, you mean "what actually going to use the attributes to enforce permissions" 18:21:48 <henrynash> dwchadwick: sorry :-) which one? 18:22:02 <dwchadwick> henry. Ok, now I follow. You are talking about the PDP 18:22:21 <ayoung> dwchadwick, please expand your acronyms 18:22:30 <dwchadwick> But the attribute mapping design was specified so that it can work with the existing RBAC interface 18:22:54 <dwchadwick> I see the use of ABAC by services as independent of attribute mapping 18:23:47 <dwchadwick> PDP - policy decision point. The policy engine that is fed an RBAC or ABAC policy and returns a grant/deny decison 18:24:05 <henrynash> dwchadwick: yes 18:24:23 <dwchadwick> PDP is the term used by Internet RFCs and most published papers on authorisation 18:24:28 <ayoung> dwchadwick, yes, so Keystone doesn't own that. 18:25:07 <dwchadwick> Exactly. Thus attribute mapping is independent of how services make their authz decisions. It only effects how user attributes are converted into roles and tenants 18:26:08 <dwchadwick> Whilst groups do not help with the longer term strategy, attribute mappings do, and can provide most of the functionality that groups need 18:26:41 <ayoung> dwchadwick, so are you saying for V1, we make no changes to the current policy enforcement, and instead only focus on mapping an attribute to a role in a tenant? 18:26:50 <gyee> but adds more complexity? 18:26:56 <dwchadwick> The only thing missing is for the administrator to give the users some group memberships, and then for keystone middleware to pick these up and call the attribute mapping service 18:27:10 <dwchadwick> ayoung - exactly 18:27:48 <dwchadwick> Plus mapping is an optional feature that can switched on or off 18:27:56 <henrynash> what I had in mind was a having a reference groups implementation that is wholly contained withng "current keystone mechanisms", with a prototype that would talk to the attribute mapping component 18:27:59 <ayoung> dwchadwick, OK, so I think we still need groups. They are a n additional attribute for a user that will then map to multiple roles. 18:28:22 <henrynash> (sorry I menat prototype interface) 18:28:23 <ayoung> I don't think we have anything yet that can do that for us 18:29:11 <dwchadwick> ayoung. Yes you need something like groups to solve the use cases Henry specified in a non-federated world 18:29:30 <ayoung> dwchadwick, but not in a federated world? 18:29:41 <kwss> ayoung yes, what is missing from our service is the capability for administrators to assign organisational attributes internally 18:29:53 <dwchadwick> But what I am suggesting is a simpler implementation of groups for Henry because the service that deals with assigning tenants and roles to groups is done by the attribute mapping service 18:29:57 <henrynash> that way we can flesh out how the attribute mapping side works, what the admin interfaces for it are etc. etc. and know we can switch over groups to use it when we have those production ready 18:30:34 <dwchadwick> then when we migrate to federated access, the same attribute mapping service is used and the group assignment feature is no longer carried out in Keystone, but in the organisation that acts as the IDP 18:31:11 <henrynash> dchadwick: I'm less worried about typing that Henry has to do, but rather how we incrementally get to where we need to be and still ship production ready code at G and H 18:31:20 <ayoung> henrynash, do you understand what dwchadwick is proposing? 18:31:44 <dwchadwick> So to summarise. Users need to be assigned to groups or organisational attributes. This is done either in Keystone (centralised authn) or in the IDPs (federated login) 18:31:56 <ayoung> right 18:32:07 <henrynash> ayoung: only in part… 18:32:13 <dwchadwick> then these group attributes are mapped into keystone roles and tenants by the attribute mapping service 18:32:15 <gyee> so groups is a must, attribution is option, that right? 18:32:23 <gyee> attribute mapping I mean 18:32:53 <dwchadwick> gyee - groups on their own are useless. This is because services dont understand them 18:33:14 <gyee> they are useful in assigning roles 18:33:18 <henrynash> ayoung: I understand the parts do far proposed, but seems to me that there are still significant pieces to fill in 18:33:28 <dwchadwick> groups have to be mapped into tenants and roles. So we need the attribute mapping service for this (or something similar) 18:33:41 <ayoung> OK, lets say we have a groups table 18:33:51 <ayoung> then we add an attribute_mapping table 18:33:58 <dwchadwick> gyee - no groups are only useful in assigning roles if you have a service that can do this 18:34:09 <ayoung> and a group assignment table 18:34:40 <Alex-Shulman> just a small comment - groups are also useful for some access control models like ACLs - if someone will wish to plug this in at the storage level 18:34:44 <ayoung> one a user is assigned to a group via an entry in the group assignment table, we add an entry in the attribute_mapping table that would give them the role? 18:34:45 <gyee> dwchadwick, groups is only visible to Keystone 18:35:07 <dwchadwick> yes tables will do this, but if you look at the entity relationship diagram in our blueprint you will see that a simple table is not good enough in general to do many to many mapping 18:35:46 <dwchadwick> To do many to many mapping you need several tables (as per our diagram) 18:36:52 <dwchadwick> you need a group table, an OS set table (which links together tenants and roles) and and a mapping table 18:36:52 <henrynash> dwchadwick: agreed in general - but so far in keystone we have chased static assignments and hence the groups proposal is to extend that staid model….I agree a longer term goal of more flexibility is good 18:37:38 <henrynash> hmm, some words didn't come out right in that sentence :-) 18:37:54 <dwchadwick> henry - but you still have to deal with tenants and roles dont you? 18:38:03 <henrynash> (chosen status assignments……extend static model) 18:38:18 <henrynash> dwchadwick: sure 18:39:06 <dwchadwick> Our model has five new tables I think 18:39:36 <ayoung> dwchadwick, OK, I think we need to go back and review to that design. Let me see if I can get it up on line 18:39:38 <henrynash> we don't use the sets model of course in leystone today 18:39:40 <dwchadwick> So this is what we are talking about. Providing a set of APIs for setting, getting and deleting the table entries 18:40:03 <dwchadwick> https://docs.google.com/a/kent.ac.uk/document/d/1cObK3P_ic9XSTwJRFsmimG94LDnFbsPbvx_H1aM1FPI/edit# 18:41:56 <dwchadwick> Should we move to the next topic now and continue detailed discussions about attribute mapping via email, as time is running out 18:42:45 <ayoung> Well, I think we covered everything but trusts 18:42:50 <ayoung> #topic Trusts 18:43:06 <ayoung> http://wiki.openstack.org/Keystone/Trusts 18:43:24 <dwchadwick> this seems to be progressing nicely 18:43:43 <dwchadwick> I think some more work is still needed for recursive delegation 18:43:44 <ayoung> I feel pretty good about this spec. There was one outstanding issue about whether we should allow administrative acces to the trusts. 18:44:02 <ayoung> dwchadwick, agreed, but I think I want to punt on recursive for phase 1 18:44:19 <dwchadwick> You will need either backdoor or front door API access for administrators 18:44:23 <ayoung> Since that is encapsulated inside of Keystone, we can phase it in 18:44:37 <ayoung> dwchadwick, yeah, and I guess there is no harm there, either 18:44:45 <ayoung> it will be either GET or DELETE 18:45:02 <dwchadwick> Yes, you can default delegation depth to zero in the first implementation. Also default validity time to infinity 18:45:54 <ayoung> I don't think I want to allow admins to create Trusts, and no one should be able to modify them 18:46:04 <heckj> ayoung: I like where it's going - want to get vishy input on it too, as it'll impact a number of pieces in core nova as well 18:46:10 <dwchadwick> You can also omit most other policy fields in the first implementation so that delegation is based primarily on the tenant and roles 18:46:12 <heckj> (any notmyname and bcwaldon) 18:46:35 <notmyname> ? 18:46:39 <dwchadwick> ayoung agreed. Admin should only read and delete 18:47:01 <ayoung> heckj, yes, but i suspect that, like most things, they won't pay attention until it is implemented and they try to use it. 18:47:12 * ayoung is slightly jaded from PKI 18:47:29 <dwchadwick> I have to go in five mins. sorry 18:47:31 <heckj> ayoung: fair enough, I'm pushing them to look, read and think about it here 18:47:55 <ayoung> heckj, as well we should. 18:48:07 <ayoung> #topic open discussion 18:48:16 <dwchadwick> once they start to use it, then they will be hooked and you will have plenty of demand for new features :-) 18:48:28 <ayoung> Can you all chime in with who is working on what, if it has not come up in the meeting yet? 18:48:35 <dwchadwick> What about adding IDPs to service catalog 18:48:50 <ayoung> aah, right 18:48:51 <dwchadwick> Kristy has nearly finished this implementation now 18:49:31 <dwchadwick> It wont be needed until federation, but it would be nice to include the code to make sure it is bug free 18:49:33 <ayoung> I don;t see anything contraversial there. 18:49:45 <kwss> yes, i should have a rough implementation finished by the end of tomorrow. 18:49:53 <dwchadwick> excellent 18:50:13 <henrynash> (separate topic): I think we need more clarity on what we mean when we talk about a "tenant" in v3 and beyond 18:50:15 <dwchadwick> but make sure it is smooth before it is sent for QA :-) 18:50:32 <ayoung> kwss, great. don't be daunted by the thoroughness of dolph's code reviews. 18:50:39 <dwchadwick> tenant is an entity in the ISO standard for clouds 18:51:12 <dwchadwick> It is equivalent to account holder so I am led to believe 18:51:13 <ayoung> henrynash, yes. The thing is, we misused tenant in Keystone in the past 18:51:30 <henrynash> ayoung: agreed 18:51:31 * heckj is tired of tilting at that windmill 18:51:41 <ayoung> which is why we want to get everyone saying project for a while before we reintroduce the term in its correct meaning 18:51:50 * vishy has something to add to the meeting when there is a moment 18:51:55 <heckj> we (the project) blew that earlier I'm afraid, makes it difficult to reset to what is reasonable 18:51:58 <henrynash> ayoung: lol 18:52:06 <ayoung> vishy, you have the conch 18:53:11 <dwchadwick> seeing as vishy seems to have dissappeared, what about the release shedule for federation 18:53:49 <dwchadwick> If we can get attribute mapping and idp service in first, then it makes the rest that much less work 18:54:14 <ayoung> dwchadwick, so it really is a question of having it ready for review 18:54:24 <ayoung> IDPs will be G2 18:54:26 <dwchadwick> BTW, there is an OpenStack meeting in London tomorrow, where I am giving a talk about federated Keystone 18:54:51 <ayoung> dwchadwick, where is attribute mapping? Almost done? Month or two away? 18:55:12 <heckj> vishy: jump in whenever 18:55:15 <dwchadwick> Ok, so once Kristy has finished IDP service it will go for review, then next will be attribute mapping, and then finally the revised federation making use of the new service APIs. 18:55:41 <dwchadwick> Sorry but I must go now. Take care everyone 18:55:58 <ayoung> dwchadwick, agreed. So I would guess that G3 is likely, but like PKI, a tech preivew for Grizzly? 18:56:11 <kwss> ayoung, we hope to have an attribute mapping implementation ready by the end of the year 18:56:46 <ayoung> kwss, I would warn you that things slow down in December, but I promise to keep on top of any code reviews 18:57:08 <kwss> ayoung, understood 18:57:16 <ayoung> But that should stil be a go for G2 18:57:54 <ayoung> But even if it isn't It really matters how far between that and the full Federated impl 18:58:23 <vishy> heckj: sorry, missed the notification 18:58:46 <ayoung> and that is likely to be completed shortly before the end of the Grizzly cycle. We'll have to decide based on how close and how hard it is to test whether it goes in, and if so, if we caveat it with "something new and shiny, please test." 18:58:49 <vishy> heckj: so we were discussing having a way to map tenant_ids to tenant_names 18:59:10 <vishy> is there an easy way to do it a) for one tenant and b) in bulk for a group of tenants? 18:59:32 <ayoung> vishy, tenant ID generation defaults to uuid, but it doesn't need to be 18:59:50 <ayoung> tenant ID just needs to be unique, so the two could potentially be the same 19:00:17 <ayoung> let me peek at the create_tenant API, 19:00:58 <heckj> vishy: today, no - but we could make an extension API to single or bulk lookup 19:00:59 <Alex-Shulman> also tenants are created by name, but deleted by tenant_id - this is very inconvenient. Can this be changed? 19:01:09 <ayoung> tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex) 19:01:28 <ayoung> so you should be able to create a tenant with a specified ID that you pass it in 19:01:41 <ayoung> TenantController.create_tenant 19:02:01 <Alex-Shulman> can we allow delete by tenant name as well (and implement the look up inside)? 19:02:02 <ayoung> You can't modify the id once it is created 19:02:26 <Alex-Shulman> working with names is easier ... 19:02:34 <vishy> i get push back about making them the same 19:02:49 <vishy> becuase then project names can't change 19:03:02 <vishy> i just need a way to map one to the other for user display 19:03:05 <ayoung> Alex-Shulman, I think we can make that extension. It is not changing previous behaviour. It would also entail a CLI change 19:03:07 <vishy> horizon needs it too 19:03:30 <Alex-Shulman> this will be great, thanks 19:04:02 <ayoung> Alex-Shulman, file it as a ticket in track 19:04:11 <Alex-Shulman> ok 19:04:23 <ayoung> er, launchpad 19:04:30 <heckj> ayoung: heh 19:04:49 <ayoung> vishy, by mapping, do you mean just an API to enumerate all the tenants, names and ids? 19:04:49 <heckj> vishy: I'll create a quick BP to make an extension or something for the lookup - will that work to get it started? 19:05:07 <heckj> ayoung: lit "give me a name for this UUID" 19:05:15 <heckj> ayoung: for projects and users I think 19:05:26 * heckj bets cielometer would love that too 19:05:35 * mordred would love it 19:05:43 * mordred loves UUIDs 19:05:48 <ayoung> heckj GET works for userid 19:06:15 <jeblair> mordred: i think the whole infra team loves uuids. ;) 19:07:20 <kwss> I have to leave. Take care :) 19:07:21 * mordred hands jeblair a UUID, asks what its name is 19:07:35 <henrynash> cheers, everyone 19:09:57 <jeblair> mordred: it's name is "#endmeeting" 19:10:42 <clarkb> ayoung: care toe #endmeeting for us? 19:10:45 <ayoung> #endmeeting