18:00:12 <ayoung> #startmeeting keystone 18:00:13 <openstack> Meeting started Tue Dec 11 18:00:12 2012 UTC. The chair is ayoung. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:17 <openstack> The meeting name has been set to 'keystone' 18:00:25 <gyee> o/ 18:00:40 <henrynash> hi 18:00:50 <kwss> hello 18:00:59 <ayoung> dolphm is going to away for most, but should be joining us at the end 18:01:25 <ayoung> And I don't see heckj around 18:02:17 <ayoung> #link http://wiki.openstack.org/Meetings/KeystoneMeeting 18:02:35 <henrynash> ayoung: I added the item of a reference implementation for groups to the agenda 18:02:52 <ayoung> Although we are going to move the discussion of Module Refactoring to the end, to hopefully get dolph's input 18:02:59 <ayoung> henrynash, sounds goodf 18:03:43 <ayoung> We should also probably start doing a review of previous minutes in these, to make sure old "todo" items are covered. But we had no #actions from last time 18:04:12 <dwchadwick> Did we cover all the items from last week? 18:04:31 <ayoung> dwchadwick, lets see... 18:04:49 <ayoung> #link http://eavesdrop.openstack.org/meetings/keystone/2012/keystone.2012-11-27-18.10.html 18:05:26 <ayoung> I'd have to dig out the revision history in the Wiki to see what the agenda was. 18:05:26 <dwchadwick> tunnel 18:06:09 <henrynash> dwchadwick: do you see the light at the end of the tunnel or is that a train going your way :-) 18:06:21 <ayoung> old agenda was 18:06:23 <ayoung> High priority bugs or immediate issues? 18:06:23 <ayoung> Open discussion 18:06:23 <ayoung> Groups vs. attribute mappings 18:06:23 <ayoung> Adding IDPs to service catalog 18:06:23 <ayoung> https://blueprints.launchpad.net/keystone/+spec/adding-idps-to-service-catalog 18:06:24 <ayoung> Delegation 18:06:26 <ayoung> http://wiki.openstack.org/keystone/Delegation 18:06:28 <ayoung> Status/Timeframe of Federation integration 18:06:30 <ayoung> http://wiki.openstack.org/Keystone/Federation/Blueprint 18:06:32 <ayoung> https://blueprints.launchpad.net/keystone/+spec/adding-idps-to-service-catalog 18:06:36 <ayoung> I think we covered all that. 18:06:44 <ayoung> OK. let start with 18:06:52 <ayoung> #topic High priority bugs or immediate issues 18:07:46 <ayoung> 2 new (untriaged) bugs, neither seem high priority: One is a test bug the other is https://bugs.launchpad.net/keystone/+bug/1087234 18:07:47 <uvirtbot> Launchpad bug 1087234 in keystone "It should be possible to delete a tenant by its name" [Undecided,New] 18:07:50 <ayoung> RFE 18:08:47 <ayoung> Looking at the high priority bugs: 18:09:05 <ayoung> 0 critical 18:09:15 <ayoung> #link https://bugs.launchpad.net/keystone/+bugs?search=Search&field.importance=Critical&field.status=New&field.status=Incomplete&field.status=Confirmed&field.status=Triaged&field.status=In+Progress&field.status=Fix+Committed 18:09:31 <ayoung> 15 High 18:09:34 <ayoung> https://bugs.launchpad.net/keystone/+bugs?search=Search&field.importance=High&field.status=New&field.status=Incomplete&field.status=Confirmed&field.status=Triaged&field.status=In+Progress&field.status=Fix+Committed 18:10:32 <henrynash> ayoung: targets for bug squashing on Thursday? 18:10:41 <ayoung> henrynash, good question 18:11:16 <henrynash> I'be got some IBMers coming up to speed on keystone…so could direct them at whatever we select 18:11:25 <ayoung> henrynash, none of the high look like something we can just "knock out." 18:11:59 <ayoung> henrynash, potentially this one https://bugs.launchpad.net/keystone/+bug/1040696 18:12:00 <uvirtbot> Launchpad bug 1040696 in keystone "invalid EC2 signature authentication for requests without a port" [High,Triaged] 18:12:40 <ayoung> OK, let me give a quick status on the refactoring and then we can table the rest of the discussion until dolph is present 18:12:47 <ayoung> #topic Module Refactoring 18:12:48 <henrynash> and https://bugs.launchpad.net/keystone/+bug/1061738 18:12:49 <uvirtbot> Launchpad bug 1061738 in keystone "create_service() returns 500 Internal Server Error when bad keyword arg (XML only)" [High,Triaged] 18:13:08 <ayoung> henrynash, yeah, that would be a good one to look at, too 18:13:17 <ayoung> Ok, the service.py file was too fat 18:13:34 <henrynash> :-) 18:13:51 <ayoung> and, it was not quite possible to move the TokenController into the token module package (keysteon/token) due to a circular dependency 18:14:01 <gyee> ayoung, looks like you are doing massive refactoring, should I start on the token work now or wait for you? 18:14:03 <ayoung> so I've been shuffling files around 18:14:16 <gyee> otherwise, one of us well be busy rebasing 18:14:21 <gyee> will 18:14:24 <ayoung> gyee, I think we all need to focus on understanding this refactoring before doing any more work on modules 18:14:33 <gyee> k 18:14:40 <ayoung> review is this one 18:14:51 <ayoung> #link https://review.openstack.org/#/c/17782/ 18:15:15 <gyee> I see a cross from dolph 18:15:17 <henrynash> ayoung: agreed (although I have just about completed the changes for a reference implementation of groups on the server side - so refactoring, I gotta do! 18:15:30 <ayoung> gyee, right, which is why we need him here to discuss 18:16:07 <ayoung> henrynash, if you push your changes as a WIP review, I can give you guidance how to reshuffle based on the refactoring 18:16:25 <henrynash> ayoung: great, thx 18:16:48 <ayoung> OK, keeping that in mind, let's table the rest of the discussion on the refactoring, and move on. 18:16:54 <henrynash> ayoung: you mean a git review -D ? 18:17:10 <ayoung> henrynash, yes 18:17:15 <ayoung> get review -w 18:17:30 <henrynash> ayoung: ok, thx 18:17:36 <ayoung> it will show up as a WIP. We'll be able to see it, but it won't be in danger of getting merged 18:18:10 <ayoung> #topic Groups/Attributes 18:18:15 <henrynash> (assuming we want the defence design in…but that's another topic) 18:18:25 <henrynash> ahh, I mean, this topic :-) 18:18:40 <ayoung> #action henrynash submites WIP review of reference impl thus far 18:18:59 <ayoung> henrynash, the floor is yours. What are the issues? 18:19:43 <henrynash> so the fundamental question is whether it is in our best interest to start with a defence design based on current RBAC capabilities 18:19:57 <henrynash> (sorry, I meant a "reference" design) 18:20:30 <henrynash> …and then start plugging in the attribute capabilities and cut out the bits of the reference design no lover needed 18:20:40 <henrynash> (longer) 18:20:54 <ayoung> henrynash, your typos are getting freudian 18:21:04 <henrynash> I aim to amuse :-) 18:21:52 <henrynash> current state is that the keystone client reference design is already up for review at https://review.openstack.org/#/c/17693/ 18:22:06 <ayoung> #link https://review.openstack.org/#/c/17693/ 18:22:20 <henrynash> …and the server side will be ready for review (WIP as necessary) later this week 18:22:46 <dwchad2> Henry, if you have spare development cycles, why not work with Kristy on attribute mapping 18:22:49 <ayoung> henrynash, I think we need to see that. 18:23:24 <gyee> ayoung, should we wait for henrynash's keystone impl before review the client changes? 18:23:26 <henrynash> dwchad2: so have made comments to the attribute mapping api proposals 18:23:38 <ayoung> henrynash, link? 18:24:09 <dwchad2> henry: been in london at a meeting all day so not had chance to see them yet 18:24:11 <kwss> henrynash: I got an email but can't see the comments in google docs 18:24:51 <henrynash> kwss: sometimes they are in the comments button at the top - and could you post the link to your doc in this IRC? 18:24:56 <dwchad2> what is the advantage of putting in groups now, if they are going to modified in a few weeks time? 18:25:31 <ayoung> #link https://docs.google.com/a/kent.ac.uk/document/d/1cObK3P_ic9XSTwJRFsmimG94LDnFbsPbvx_H1aM1FPI/edit# 18:25:43 <ayoung> Is that still the current doc? 18:26:15 <kwss> yes 18:26:20 <kwss> ayoung: yes 18:26:28 <henrynash> dwchad2: I think we have to consider any attribute based implementation experimental until we get through all the details (which I have no doubt we will in the end)….but the RBAC solution is pretty simple, straightforward and we know will work 18:27:18 <henrynash> kwss: so on my copy, my comments come up if you click the comments box at the top…. 18:27:27 <dwchad2> but your use of attribute mapping wont be experimental since it will map groups into roles and tenants. So there are no "attributes" involved (except that they are all attributes!) 18:28:15 <kwss> henrynash: I see them now, I'll respond after the meeting :) 18:28:25 <henrynash> kwss: no problem, thx 18:28:35 <dwchad2> attribute mapping is another way of implementing groups that can be made invisible to end users, and it a step on the way to federation, whereas groups on its own is not 18:29:05 <ayoung> henrynash, I am going to kind of leave it up to you for now. If you think you can get the groups impl working on top of attributes, and do so in the Grizzly time frame, I think that would be the best approach, but I can see that might be too tight a dependency 18:29:45 <henrynash> dwchad2: agreed….and hence the proposal of the reference design that we then start using the attribute mapper to store the relationships... 18:29:50 <ayoung> I'd almost like to do attributes like we did PKI: get it in and usable in Grizzly, and then, in H, make it the default for all the things that are going to use them 18:30:49 <henrynash> ayoung: I'm happy to put the work in on top of the basic reference implementation so that we start exploring how we sue attributes for this 18:30:51 <ayoung> I think once we have Attributes etc, retrofitting APIs to use them will be fairly straightforward, so we should hold things up waiting for them for fear of future work. 18:31:03 <henrynash> ayoung: agreed 18:31:26 <ayoung> dwchad2, kwss, does that pass the sanity test? 18:32:30 <dwchad2> ayoung: did you mean not 18:33:09 <ayoung> dwchad2, yes "we should *not* hold things up..." 18:33:30 <kwss> makes sense to me 18:34:02 <ayoung> #agreed Groups goes forward ontop of RBAC, gets retrofitted in H release 18:34:16 <dwchad2> If Henry has spare dev cycles I would rather he works with Kristy on attributes now and they will have it finished in half the time 18:34:44 <ayoung> dwchad2, yes, but then we still need to do the Groups implementation on top of it 18:34:57 <ayoung> Which will likely push it out of the Griz release 18:35:05 <dwchad2> Since there are many many things to do in Keystone, creating extra work is a big issue to me 18:35:10 <ayoung> understood 18:35:38 <ayoung> but we need to balance the demand from the other projects with the need to set things up for the long term....hard line to walk 18:36:07 <dwchad2> The groups work is the easiest bit once you have attribute mapping since all Henry needs to do is add roles to the backend and pull them out. No other API changes are needed 18:36:31 <henrynash> dwchad2: I'll happily work with Kristy to add support for attributes once we have the reference design - I really think this is at the safer route 18:36:43 <dwchad2> With Henry's current plan there is a lot of changes needed to the APIs 18:36:49 <ayoung> dwchad2 I am not sure I agree. I think we are going to need a deliberate group api to give off to the other projects. 18:37:17 <ayoung> dwchad2, that is fine, lets get them in the review. I think the focus should be nailing down the APIs for groups 18:37:26 <dwchad2> The group API you need is to add groups to users and retrieve groups from users 18:37:55 <dwchad2> then the AM maps the groups into roles and tenants and domains and whatever else you need 18:38:01 <gyee> also, assigning roles to them 18:38:17 <ayoung> gyee, dwchad2 this is where things get gray 18:38:25 <ayoung> we can treat everything as an attribute internally 18:38:35 <dwchad2> gyee: no, since you already have the apis for adding roles to users 18:38:40 <ayoung> but we need to export APIs to the end users that speak their language. 18:39:06 <ayoung> dwchad2, but we don't have the API for adding roles to groups 18:39:13 <gyee> whole point of doing groups is we don't have to directly assigning roles to users 18:39:28 <dwchad2> You dont add roles to groups. You set up attribute mappings for this 18:39:29 <ayoung> I understand that we could do that with the mapping API, but I think it will be too low level 18:40:05 <gyee> how does attribute map API works? 18:40:10 <ayoung> dwchad2, gyee hold on 18:40:20 <ayoung> lets not get into a design discussion right now 18:40:24 <ayoung> here is the chase 18:40:47 <ayoung> we need to expose an API that people will understand. Educating them on ABAC and Attribute mapping will take time 18:40:51 <dwchad2> we already have a published design, so we should discuss this after the meeting 18:41:01 <ayoung> dwchad2, +1 18:41:21 <dwchad2> ayoung: +1 18:41:59 <ayoung> dwchad2, so I think we have an Education task as far as ABAC etc. First thing is to get ABAC into the code base. We can then show how we use it to do things that were more "hard coded" in the past. and then replace the hard coded implementations with ABAC 18:42:41 <dwchad2> clearly having working code you can demonstrate is far better to end users than a blueprint :-=) 18:42:55 <dwchad2> Just like it was with federation 18:43:02 <ayoung> However, that does not mean we hold off on new features until ABAC is in. While I know you have a good grasp on the implementation details, I still think it is going to take longer than you think to get to the point where we can depend on it 18:43:20 <dwchad2> actually we are not adding ABAC initially 18:43:27 <dwchad2> we are only adding AM 18:43:39 <dwchad2> the authz is still RBAC using existing roles 18:43:40 <ayoung> dwchad2, I am lumping attribute mapping into ABAC. I realize I am being imprecise. 18:44:19 <dwchad2> yes, its a multi step process. And AM is one way of implementing groups and RBAC which is an intercept strategy for ABAC and federation 18:44:33 <henrynash> dwchad2: but the underpinning is the same entities (sets, mappings etc.) and the api to go with it - it will be important for us to really get that right…since once it is in there, we will depend on it for a longtime 18:44:39 <dwchad2> So you dont waste any time and coding 18:45:10 <ayoung> OK, We need to make sure we talk about the Keyring thing. I'm going to move us along.... 18:45:11 <dwchad2> the api we have designed is fully generic and extensible 18:45:39 <ayoung> #topic Keyring 18:45:40 <dwchad2> so adding domains becomes very easy 18:45:48 <henrynash> ayoung: I need to ask if the action you stated a while back still stands on this 18:45:54 <henrynash> (to close it out) 18:46:13 <ayoung> henrynash, well, understand I am not PTL, so it is just my call, not an official project call 18:46:36 <henrynash> ayoung: OK, understood 18:47:21 <ayoung> I'd take it as a suggestion for now, and drive forward with the groups work as is, especially since you already have the code nearly done. We'll take it up again post code review? 18:47:40 <henrynash> ayoung: ok, agreed 18:47:44 <ayoung> #action revisit Groups once Attribute Mapping and Groups reviews are both posted 18:47:52 <ayoung> OK, Keysring 18:48:04 <gyee> keyring 18:48:09 <ayoung> gyee, here is my understanding 18:48:30 <ayoung> we want keyring as a long term tool, but we need to be sneaky about it. And we got caught 18:49:08 <dwchad2> what is keyring. Do you have a URL 18:49:21 <ayoung> There are many issues around credentials caching, probably most significantly when the user is an automated daemon 18:49:38 <gyee> ayoung, disabling keyring by default means on one will use it, ever :) 18:49:41 <ayoung> gyee, can you summarize Keysring support 18:49:48 <ayoung> gyee, understood 18:49:58 <ayoung> but we need to do that initially 18:50:01 <ayoung> like PKI tokens 18:50:14 <ayoung> get it in, but disabled 18:50:14 <gyee> we added keyring support in keystoneclient so we can cache tokens in keyring 18:50:41 <gyee> advantage #1 no need to keep requesting tokens 18:50:41 <ayoung> then work out the issues with explicitly enabling it in Devstack. 18:50:50 <ayoung> gyee, to be specific 18:50:56 <gyee> #2 no need to have passwords in env var 18:51:19 <ayoung> if we cache the unscoped tokens, we only need to request a new one when they are about to time out, and we can continue to use them to request scoped tokens 18:51:31 <gyee> yes 18:51:33 <ayoung> gyee, so there is the rub...#2 18:52:13 <ayoung> for an automated daemon, we need to be able to deal with initializing keyring without user interaction, much like a kerberos Keytab 18:52:28 <gyee> problem is there are two usage of python-keystoneclient, interactively and non-interactive 18:52:59 <ayoung> gyee, right, so we need to keep it disabled by default until we clear up how to solve the non-interactive use cases 18:53:40 <gyee> ayoung, I'll need to do some code diving 18:53:47 <gyee> I mean looking at the keyring impl 18:53:56 <ayoung> dwchad2, I think I have a link to the upstream package we are pulling in for Keyring, but basically it is a python front end to things like nss databases, openssh keys, etc. A (hopefully secure) credential cache 18:55:56 <ayoung> #link http://bitbucket.org/kang/python-keyring-lib 18:55:57 <gyee> if your login password is the same as your keyring password, ubuntu won't prompt for keyring password 18:56:01 <ayoung> That is from 18:56:08 <ayoung> /usr/lib/python2.7/site-packages/keyring-0.9.2-py2.7.egg-info/PKG-INFO 18:57:24 <ayoung> gyee, there is also the question about whether tokens should get shared between applications that are all using keystone client. My thought is "of course" but I suspect some people will object. Also, we need to figure out what to do if keyring is installed on a machine that is running horizon 18:57:40 <ayoung> tokens should not get cached the same way from HTTPD.... 18:57:50 <gyee> that's what keyring is for 18:58:27 <gyee> think of keyring as your browser cookie jar 18:58:39 <ayoung> gyee, can I ask you to write up what the overall strategy is for implementing keyring, and covere those 3 uses: automates, HTTPD, CLI? 18:59:04 <ayoung> I think we need to be able to point people at that doc when we try to educate them about the usage. 18:59:23 <gyee> sure 19:00:45 <ayoung> #action gyee to write up strategy is for implementing keyring, covering (at least) 3 uses: automated , HTTPD, CLI 19:01:08 <ayoung> OK, that is 2PM. No dolphm so we are going to have to table the discussion on the refactoring. 19:01:16 <ayoung> Any last points before we get kicked out? 19:01:33 <ayoung> #topic Test Coverage 19:01:44 <ayoung> #link http://admiyo.fedorapeople.org/openstack/covhtml/ 19:02:21 <ayoung> I'll update that post refactoring, but please take a look at the pieces you are working on, and try and expand the unit test coverage. That is all. 19:02:40 <ayoung> #endmeeting