18:00:31 <henrynash> #startmeeting keystone 18:00:32 <openstack> Meeting started Tue Jul 2 18:00:31 2013 UTC. The chair is henrynash. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:33 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:35 <openstack> The meeting name has been set to 'keystone' 18:00:36 <henrynash> ahh! 18:00:57 <henrynash> dolphm is off, so is ayoung, I think 18:01:25 <topol> who's the commanding officer??? Ain't it you Henry? 18:01:34 <henrynash> I believe 'tis me 18:01:35 <gyee> is anyone know if Malini still working on key manager? 18:01:50 <henrynash> #link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Agenda_for_next_meeting 18:02:16 <henrynash> ( some of this is hang over from last time, not updated i expect) 18:02:17 <atiwari> gyee: I dropped her an email did not get any response 18:02:42 <henrynash> Reminder: Havana milestone 2 cut & API-level feature freeze July 16th 18:02:56 <henrynash> Reminder: Start using the SecurityImpact tag in gerrit 18:03:02 <bknudson> dolph seemed to indicate API freeze is only for core, not extensions 18:03:18 <stevemar> bknudson: yeah, i was under the same impression, saw that in his email 18:03:27 <gyee> bknudson, I thought he meant both 18:03:37 <gyee> at least from the last meeting 18:03:39 <henrynash> bknudson: so originally he told me that it DID include extensions, but recent email suggest that this is replaced 18:03:48 <bknudson> maybe he's finally resigned to reality. 18:04:04 <gyee> total recall 18:04:20 <henrynash> #topic High priority bugs or immediate issues? 18:04:27 <bknudson> he probably thinks he's involved in a plot on mars right now. 18:04:57 <henrynash> any burning issues? 18:05:19 <gyee> code review? I need to catch up on that too 18:05:45 <henrynash> #topic High priority code reviews - aimed at H2 18:06:23 <stevemar> its already on the list, but delegated_auth is ready for code review 18:06:41 <henrynash> so I have one for sure that I am trying to get in https://review.openstack.org/#/c/34611 18:06:43 <gyee> stevemar, that includes both keystone and keystone client right? 18:06:46 <stevemar> gyee ^ if you have free time 18:06:55 <topol> henrynash I will review it today 18:07:13 <henrynash> stevemar: it's an extension, right? 18:07:17 <stevemar> gyee: yeah, just search for stevemar as owner: or ping me and i'll give you links. 18:07:21 <stevemar> henrynash: yes 18:07:32 <gyee> k, will get on them 18:08:02 <fabio> catalog opt out: https://review.openstack.org/#/c/33188/ 18:08:02 <henrynash> steveamr: so great for H2 if we can, but would be allowed for H3 (according to latest guidance) 18:08:57 <stevemar> henrynash: yeah, hoping for H2 18:09:00 <henrynash> fabio: is there an api spec change that goes with that? 18:09:13 <henrynash> stevemar: H2 is always better than H3 1 18:09:15 <henrynash> ! 18:09:28 <fabio> spec changes: https://review.openstack.org/#/c/34478/ 18:09:46 <fabio> I also have done the spec change and code for the endpoint filtering bp 18:10:04 <fabio> specs: https://review.openstack.org/#/c/34489/ 18:10:21 <fabio> code: https://review.openstack.org/#/c/33118/ 18:10:35 <henrynash> fabio: we really need the api's agreed asap if this is going in to H2 18:10:47 <fabio> I agree 18:11:08 <fabio> so far I incorporated all the suggestions 18:11:09 <henrynash> fabio: I don't see a new version of the api posted after comments from Brant 18:11:24 <fabio> I will push them in the early aft 18:11:47 <fabio> are we ok in using the query string? 18:11:55 <fabio> for opting out of the catalog? 18:12:04 <henrynash> #action review new versions of https://review.openstack.org/#/c/34478/ and https://review.openstack.org/#/c/34489/ 18:12:29 <gyee> +1 for query string 18:12:33 <bknudson> seems weird to use a query string but I'm ok with whatever others want. 18:12:54 <gyee> for a GET function, query string is RESTi 18:13:04 <bknudson> it's not GET, it's POST 18:13:17 <gyee> oh 18:13:47 <bknudson> we've already got the body to provide all the options, so why spread them around to the query string. 18:13:52 <gyee> wait, that authenticate or validate? 18:14:11 <bknudson> there's no validate... https://blueprints.launchpad.net/keystone/+spec/catalog-optional 18:14:49 <bknudson> unless we were discussing another use of query options something else? 18:15:11 <gyee> bknudson, yeah, I am ok with having it in the request body 18:15:29 <atiwari> gyee: +1 18:16:00 <topol> +1 on request body 18:16:05 <henrynash> #action fabio: wok with bknudson and gyee to update api 18:16:19 <henrynash> #action fabio: work with bknudson and gyee to update api 18:16:50 <henrynash> ok, any other key H2 api changing reviews needed? 18:17:09 <atiwari> any thought about https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition 18:17:17 <atiwari> for H2 18:17:42 <gyee> I like the service-role relationship 18:18:00 <henrynash> atiwari: so if it is going to be accepted for H, it must be in for H2… 18:18:21 <atiwari> ok 18:18:22 <bknudson> unless we provide it an extension in H? 18:18:30 <bknudson> "it as an extension" 18:18:32 <henrynash> bknudson: agreed! 18:18:44 <gyee> I am fine with extension 18:18:45 <atiwari> no, I am looking for core 18:18:54 <bknudson> It can be core in I 18:18:54 <atiwari> please see my comments in etherpad 18:19:36 <henrynash> atiwari: link? 18:19:45 <gyee> #link https://blueprints.launchpad.net/keystone/+spec/serviceid-binding-with-role-definition 18:19:59 <atiwari> #link https://etherpad.openstack.org/serviceid-binding-with-role-definition 18:20:46 <henrynash> atiwari: what about the comment about: How is this exposed to auth_token (and similar clients)? 18:21:29 <atiwari> auth_token or auth middle ware ? 18:21:42 <atiwari> I added my response over there 18:21:44 <henrynash> atiwari: both 18:21:44 <gyee> service_id is in the roles 18:22:12 <atiwari> and the token with have the service_id: role info 18:22:14 <henrynash> ok, so right now we return a list of role_names in a token 18:22:24 <atiwari> correct 18:22:39 <atiwari> later it will be ({service_id:"Swift","role":"Admin"} 18:22:57 <atiwari> Swift === 1234 18:23:03 <henrynash> atiwari: so every project will have to change how it process tokens to pass them to their policy engines? 18:23:30 <gyee> henrynash, no, policy engines only knows role names 18:23:31 <atiwari> no 18:23:40 <gyee> service ID is a filtering mechanism 18:23:52 <atiwari> there will abosolutly no change for service 18:24:06 <gyee> auth_token -> filtered by service ID -> RBAC 18:24:19 <henrynash> gyee: any who does the filtering? 18:24:29 <gyee> henrynash, middleware/client 18:24:44 <atiwari> service will consume roles the way they do it right now 18:25:37 <henrynash> gyee, antiwar: so I am just nervous about changing our token format 18:25:54 <gyee> define nervous :) 18:26:04 <henrynash> (antiwar->atiwari !) 18:26:16 <topol> nervous = people coming after us with torches and pitchforks 18:26:39 <atiwari> may be we can un touch the token for H time frame 18:26:49 <gyee> topol, in that case, all you have to do is change your username, like lopot :) 18:27:01 <atiwari> lets make it in core and in I time we will change token 18:27:11 <topol> yeah, that'll keep me safe. no one will see thru that 18:27:16 <henrynash> gyee: so I'll admit I don't have the history to fully understand how all the projects extract info from the token 18:27:20 <gyee> unless you username is bob 18:27:25 <bknudson> people around here know how to find topol 18:27:57 <gyee> henrynash, service ID used to be part of role definition, prior to KSL 18:27:59 <henrynash> gyee: udneratnd how auth middleware works, sure 18:28:18 <henrynash> gyee: KSL? 18:28:27 <gyee> Keystone Light 18:28:28 <henrynash> ahh, keystone liygt 18:29:20 <bknudson> still not sure why this can't be an extension for H 18:29:34 <atiwari> henrynash: auth middle ware will filter only those roles which are need to the service which middle ware is serving to 18:29:38 <henrynash> bknudson: I'd certainly lean that way 18:30:08 <gyee> atiwari, any reason why it can't be an extension to start with? 18:30:28 <gyee> it would certainly make henrynash feel less nervous 18:30:45 <henrynash> gyee: and I always appreciate that :-) 18:30:59 <atiwari> I don't see any side effect of having it in core 18:31:10 <atiwari> as it is backward compatible 18:31:37 <atiwari> what I am saying is in first phase let s not touch our token 18:32:11 <gyee> atiwari, but can it be an extension, rather than it must be core 18:32:11 <bknudson> how do we not change the token? 18:32:15 <henrynash> atiwari: I also see the issue that as core you have 14 days to get it all agreed, implemented, merged with all the other high priority items hitting in the next 14 days 18:32:28 <topol> +1 on starting as an extension 18:32:48 <atiwari> yes, that is the real challenge 18:32:58 <bknudson> auth_token isn't going to know what to do if there's nothing new in the token. 18:33:38 <atiwari> let's take it for ext 18:33:51 <atiwari> how about that ? 18:33:55 <henrynash> ok, I think tha's the best approach 18:33:56 <gyee> +1 18:34:22 <atiwari> good 18:34:31 <henrynash> #action antiwar to re-propose serviced role extensions as an extension for H 18:35:39 <henrynash> fyi on other H2 items, I do plan to try and get the OS-INHERIT extension in, but if it slips to H3 then so be it 18:35:59 <henrynash> anything else on H2? 18:36:40 <henrynash> #topic client unification and identity v3 support 18:37:03 <henrynash> this is ensuring we have support for our v3 apis in other cli clients 18:37:25 <henrynash> the keystone client v3 auth stuff is all in now 18:37:35 <bknudson> do the other clients have the same policy to use unified cli as keystone? 18:37:57 <henrynash> bknudson: you mean use openstackclient? 18:37:59 <bknudson> I tried using openstack cli the other day and couldn't figure it out. 18:38:13 <bknudson> henrynash: yes, the openstackclient. 18:38:31 <bknudson> I should have said the other projects (nova, glance, etc) 18:38:41 <gyee> bknudson, but what about at the lib level 18:38:50 <henrynash> bknudson: so I'd hope so….but have to admit I don't see much action in that direction 18:38:57 <bknudson> are we talking about the lib or the clis ? 18:39:20 <gyee> both I suppose 18:39:26 <bknudson> we're probably going to need the libs to use keystoneclient auth first... 18:39:26 <gyee> have to be consistent 18:39:29 <henrynash> bknudson: so we need clis that support v3 (which means we wan them to use our v3 libs, of coriuse) 18:39:55 <bknudson> the libs seems like the place to start. 18:40:07 <gyee> yes 18:40:15 <henrynash> bknudson:…and I think our libs are in good shape now, no? 18:40:45 <gyee> is keystoneclient fully implemented the V3 API set? 18:41:04 <bknudson> seems like this is something the core members of keystone should know... 18:41:08 <bknudson> but I don't. 18:41:14 <henrynash> gyee: I believe so…we pushed a bit change in a week or tow ago 18:41:28 <henrynash> ..pushed a big change... 18:41:41 <bknudson> support for v3 auth was the recent change. 18:41:48 <bknudson> seems important for keystone 18:42:14 <bknudson> but this is what the other client APIs would need to use. 18:42:23 <gyee> lets comb through the keystoneclient code to see if we have all the core APIs at least 18:42:28 <henrynash> bknudson: exactly 18:43:18 <henrynash> bknuson: there was some uncertainly last time I raised this as to whether the other clis (nova, dance) etc, use our client libs….I was told they did 18:43:48 <bknudson> my understanding is that they don't, but I didn't look into it. 18:44:03 <topol> wasnt there an email that did an inventory of this? 18:44:04 <henrynash> …in which case the task for them is sot switch to the v3 client libs and update the cli options so users can specify things like domains 18:44:10 <topol> they were like all different 18:44:52 <bknudson> the clis should also all use the same "library" for the auth options. 18:45:10 <bknudson> (provided by python-keystoneclient, maybe) 18:45:24 <tiamar> glanceclient implements keystoneclients, the others dont 18:45:25 <henrynash> #action cores: to do a quick check of the keystoneclient lib…see if you can spot anything missing 18:45:33 <gyee> bknudson, looking at novaclient code, they seem to support auth plugins 18:46:26 <henrynash> gyee, timar: i would think nova and glance would be our #1 and #2 targtes 18:46:36 <gyee> henrynash, make sense 18:47:09 <henrynash> tiamar: do you work with the glance client? 18:47:46 <bknudson> At the end of this, we would expect to be able to do something like "nova --user-domain=mydomain --user=bknudson --password=mypassword list" , for example 18:47:48 <henrynash> tiamar: as in familiar with the code and contributors 18:47:58 <henrynash> bknudson: yep 18:48:13 <tiamar> henrynash, we did an internal job to the clients authenticate using keystone v3 18:48:16 <gyee> that bakes a question, why keystoneclient not part of oslo then? 18:48:29 <gyee> if that's a common integration point 18:48:37 <topol> gyee +1 18:48:40 <tiamar> henrynash, : i'm not familiar 18:49:33 <henrynash> gyee: interesting 18:49:56 <bknudson> python-keystoneclient is already a library... not sure why it needs to be an oslo libarary? 18:50:23 <gyee> bknudson, what is oslo then? 18:50:38 <bknudson> https://pypi.python.org/pypi/python-keystoneclient 18:50:55 <bknudson> https://pypi.python.org/pypi/oslo.config/1.1.1 18:51:12 <gyee> I mean functionally 18:51:23 <bknudson> oslo provides their common libraries, and then there's oslo-incubator 18:51:33 <gyee> "common" 18:51:47 <bknudson> like oslo.config is a common library 18:51:48 <henrynash> so pretty sure for H, we won't change this 18:51:57 <henrynash> the path we were on was: 18:52:23 <henrynash> 1) we would release new version of python-keystone client that contained the new v3 auth 18:52:49 <henrynash> 2) we would work with the other project clis to use the client lib 18:52:57 <henrynash> £ 18:53:17 <bknudson> join the euro-zone already 18:53:26 <topol> :-) 18:53:29 <henrynash> #action henry-nash to follow up on status of this and discuss with other cli leads 18:53:43 <henrynash> (oops, not sure where the money came from!) 18:53:44 <gyee> so just the v3 auth apis, not the whole shebang 18:54:07 <topol> I could use some sterling guvnah 18:54:11 <henrynash> gyee: well would the other apis ever get used by another cli? 18:54:27 <gyee> probably not 18:54:37 <bknudson> the openstack cli uses the libs 18:54:40 <gyee> so does it make sense for v3 auth to be in oslo? 18:55:02 <topol> gyee, why wouldnt it? 18:55:16 <topol> its common right? Or we want it to be common 18:55:23 <gyee> topol, it should 18:55:36 <gyee> the common crypto stuff is already there 18:55:46 <henrynash> gyee: that would makes some sense, just the v3 auth part 18:56:01 <gyee> https://review.openstack.org/#/c/28471 18:56:05 <gyee> auth should be there as well 18:56:57 <henrynash> anyone have a reason why v3 auth shouldn't be in oslo 18:57:04 <bknudson> that's a good candidate for the SecurityImpact tag. 18:57:31 <bknudson> I don't see what we gain by putting it in oslo... they can already access it in python-keystoneclient. 18:57:53 <bknudson> are we saying oslo-incubator ? 18:58:17 <bknudson> If we put it in oslo-incubator, now we have to go through the work of importing it into all the other projects 18:58:18 <gyee> openstack.common.auth 18:58:41 <gyee> consistency, common integration point, stable interface (hopefully) 18:58:50 <henrynash> gyee: hmm, so that's different 18:58:55 <henrynash> OK, 2 mins to go 18:59:04 <bknudson> There's probably other keystoneclient function that should go in a common location... 18:59:09 <bknudson> service catalog handling 18:59:14 <henrynash> #topic open discussion (!) 18:59:20 <gyee> bknudson, sure 18:59:30 <gyee> I think catalog should be there as well 18:59:35 <gyee> catalog parsing 19:00:19 <henrynash> I think we'll have to continue that discussion elsewhere 19:00:24 <henrynash> #endmeeting