18:00:58 <henrynash> #startmeeting keystone 18:00:59 <openstack> Meeting started Tue Jul 30 18:00:58 2013 UTC and is due to finish in 60 minutes. The chair is henrynash. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:02 <openstack> The meeting name has been set to 'keystone' 18:01:16 <bknudson> hi 18:01:23 <topol> Hi 18:01:37 <henrynash> ok, first off reminder that Havana m3 cut in Sept 4th 18:01:37 <ayoung> all present and accounted for 18:01:53 <henrynash> #info Havana m3 cut in Sept 4th 18:02:24 <henrynash> is anyone working on a bp that ISN't already tagged as heading for m3 ? 18:02:37 <ayoung> hmm , I may be 18:02:38 <henrynash> (i.e. they are expecting it to land for m3_ 18:02:39 <bknudson> henrynash: yes... 18:02:43 <ayoung> multi repos 18:02:43 <bknudson> https://blueprints.launchpad.net/openstack/?searchtext=user-locale-api 18:02:58 <ayoung> #link https://launchpad.net/keystone/+milestone/havana-3 18:03:19 <bknudson> #link https://blueprints.launchpad.net/keystone/+spec/user-locale-api 18:03:42 <ayoung> #link https://blueprints.launchpad.net/keystone/+spec/multiple-sql-migrate-repos 18:03:51 <henrynash> #action all to make sure any bps they are planning for m3 are tagge as such 18:04:06 <ayoung> henrynash, ^^ should be a prereq for any extensions going in that need sql schema updates\ 18:04:10 <henrynash> that way, we'll have a good picture as we burn down 18:04:11 <bknudson> henrynash: Is that something I do myself? 18:04:46 <henrynash> bknudson: as core, yes you can do that (Dolphm might change it…but you should set it) 18:05:19 <bknudson> henrynash: that was easy 18:05:33 <henrynash> ayoung: re we targeting the sql migrate at Havana…thought i saw a discussion about it going to iceHouse? 18:05:44 <henrynash> bknudson :-) 18:05:58 * topol sql migrate seems scary 18:06:02 <morganfainberg> ayoung / henrynash: I'm going to write up an updated BP based upon my conversations w/ dolph about caching layer instead of the revocation-list caching 18:06:20 <morganfainberg> henrynash / ayoung: this should be tagged for h3 18:06:46 <bknudson> caching revocation list makes sense since it doesn't change that much 18:07:14 <morganfainberg> bknudson: the revocation-list caching will be implementing the same way. 18:07:25 <henrynash> morganfainberg: Ok, but get it in their quick so you can get comment….as the clock ticks down we'll not want too many new Bps flowing in 18:07:35 <morganfainberg> henrynash: i'll write it up today. 18:07:43 <henrynash> ayoung: back to migrate, so you are planning this for m3? 18:07:47 <topol> morganfainberg, no API changes required for that? 18:07:53 <henrynash> morganfainberg: thx 18:08:10 <gyee> we should fix migrate in m3 18:08:22 <morganfainberg> topol: no. it'll be just caching on top of current driver/manager calls 18:08:38 <morganfainberg> topol: and config options to make it functional. 18:08:43 <topol> morganfainberg. cool. I look fwd to reading the BP 18:08:53 <morganfainberg> topol: nod. 18:08:56 <gyee> morganfainberg, you caching it at the driver level? 18:08:58 <ayoung> henrynash, yes 18:09:04 <ayoung> henrynash, migrtate should go in ASAP 18:09:07 <henrynash> gyee: fix, as in fix anything we have broken? 18:09:20 <ayoung> henrynash, the Alembic migration should wait until icehouse 18:09:25 <morganfainberg> gyee: there is a WIP that dolph put up as an example. it'll work a lot like that 18:09:28 <gyee> henrynash, we need to get migration straighten out ASAP 18:09:40 <ayoung> morganfainberg, you mean the one I did? 18:09:48 <topol> besides the Alembic migration what are you referring too? 18:09:52 <morganfainberg> ayoung: you did that and dolph posted it? 18:09:56 <henrynash> gyee: are you referring to young's patch, or just tables we have mucked up 18:10:04 <ayoung> topol, migrations for extensions in their own repos 18:10:10 <gyee> henrynash, sorry, I mean migration for the extensions 18:10:11 <ayoung> I'll post an example here in a second 18:10:19 <henrynash> guee: Ok 18:10:21 <morganfainberg> ayoung: https://review.openstack.org/#/c/38866/ 18:10:30 <morganfainberg> using dogpile.cache 18:10:34 <topol> ayoung, I remember you mentioning those. I thought they were tied to Alembic migration.. 18:10:46 <gyee> dogpile? w00t! 18:10:52 <morganfainberg> gyee: :) 18:11:08 <henrynash> ok, so let's get the meeting back to an agenda! 18:11:20 <ayoung> henrynash, I am referring to https://review.openstack.org/#/c/36731/ 18:11:22 <morganfainberg> yeah sorry. didn't mean to derail. 18:11:31 <henrynash> we'll pick up discussion on the migrate items under high priority code reviews 18:11:33 <ayoung> the comments say it needs documentation 18:11:36 <morganfainberg> thought i was jumpin in ontime for h3 ... 18:11:53 <bknudson> ayoung: I'd like docs too, but can go in a separate commit. 18:12:08 <henrynash> #topic HIgh priority bugs or immediate issues? 18:12:30 <henrynash> anything hot? 18:12:47 <ayoung> No bugs marked as Critical 18:12:58 <bknudson> builds were broken by a dependency over the weekend but that's fixed. 18:13:02 <ayoung> can we change that Agenda item to "Critical Priority bugs" in the future? 18:13:04 <henrynash> ayoung: agreed…think we are Ok shape 18:13:23 * topol maybe we can all go on that hawaii vacation for m3 like I suggested before... 18:13:31 <henrynash> #action henrynash to change item to "Critical Priority bugs" 18:13:51 <henrynash> topol: there's a plan... 18:14:10 <henrynash> #topic Reducing the default token duration in support of abandoning token revocation 18:14:31 <bknudson> what do we need to cache token revocations for if we have this? 18:14:42 <henrynash> who's item is this? 18:14:52 <topol> dolphm, I believe 18:15:04 <henrynash> topol: I had a feeling someone would say that 18:15:17 <gyee> to 1 hour? 18:15:21 <topol> He wanted to start stress testing the idea of tokens expiring to see what breaks 18:15:36 <henrynash> #link https://review.openstack.org/#/c/38672/ 18:15:38 <topol> I put a comment in that said, did you inform the other PTLs??? 18:16:20 <ayoung> henrynash, I want to do that, but it is not in H3 time frame 18:16:22 <morganfainberg> bknudson: we still need to cache, people can ask for longer tokens. 18:16:42 <morganfainberg> and limiting the backend impact… is good. 18:16:46 <henrynash> do we expect it to break (I know if we set it to minutes it definitely breaks) 18:17:02 <topol> morganfainberg, but when you change the default and folks find out by surprise.... 18:17:10 <ayoung> any work flow that lasts longer than the token duration will break. 18:17:25 <henrynash> ayoung: yep 18:17:27 <morganfainberg> topol: right. don't surprise people ; 18:17:29 <bknudson> assuming you can't get another token 18:17:37 <ayoung> But a 1 hour token duration was too long to avoid the need for revocation, according to backlash from the community 18:17:42 <topol> ayoung, I thought folks were supposed to code such that they reauthenticate if the token expires... Not true??? 18:17:58 <ayoung> we need something like this 18:17:59 <gyee> ayoung, that's where to pluggable token providers come in handy, you can customize expiration base on account :) 18:18:01 <morganfainberg> topol: that was my understanding 18:18:01 <gyee> just saying 18:18:17 <ayoung> #link https://blueprints.launchpad.net/keystone/+spec/delegation-workplans 18:18:40 <henrynash> Ok, sounds like need to circle back with dolphm on this one….to see how he plans to "experiment" with this. 18:18:43 <topol> gyee, no. its a matter of correct expectations... Either we are allowed to assume folks can code properly to this or we need to back it out 18:18:48 <ayoung> that way, you can say "use this trust or oauth request token to get the token you need whne you need it" 18:19:38 <bknudson> clients need to be able to handle tokens becoming invalid for other reasons already 18:19:45 <brich1> topol: if you code such that you can re-authenticate, you risk leaving the "secret" (password) out in the clear where bad things can happen... 18:19:51 <gyee> topol, client behaves the same way, regardless of expiration policy 18:19:55 <topol> if he other projects arent ready to handle this I need to change my vote... 18:20:14 <ayoung> brich1, that is why we have ecure delgation mechanisms now 18:20:15 <gyee> if token expires, get a new one 18:20:23 <ayoung> ecure -> secure 18:20:46 <topol> ugg... forcing folks to adopt something new by changing a default that nows screws them is not how we should do this.. 18:20:56 <henrynash> #action dolphm to explain approach to rolling this out and discussion with other projects 18:21:00 <ayoung> topol, they will just change it back in the puppet module anyway 18:21:09 * topol need to go change my vote 18:21:26 <henrynash> #topic High priority code reviews 18:21:35 <gyee> topol, if client code is so depended on the default expiration, something is fundamentally wrong 18:21:38 <ayoung> Client reviews! 18:21:39 <henrynash> ok, so what's in most need of pushing ahead 18:21:40 <topol> ayoung, yeah after getting pissed off at us 18:21:56 <ayoung> As jamielennox's daytime voice, I need to push people to do more client reviews 18:22:00 <ayoung> fear not the client 18:22:05 <bknudson> those client reviews are always so scary because everybody seems to want to rewrite it. 18:22:09 <ayoung> heh 18:22:38 <henrynash> ayoung: ok, so migration, 18:22:43 <ayoung> I have a WIP to show 18:22:51 <ayoung> #link https://review.openstack.org/#/c/39351/ 18:22:57 <ayoung> this is based on simo' 18:23:00 <ayoung> s kds patch 18:23:10 <topol> gyee, either we have a plan for success for our stakeholders for using shorter token expiration or we dont. sounds like we dont 18:23:21 <ayoung> topol, Icehouse 18:23:52 <topol> ayoung, K. then change default *in icehouse* 18:24:03 <gyee> topol, I am more worried on other issues, like performance 18:24:04 <ayoung> on migrations, the question is whether I should contineu on with the sql migrations as is, or wshould we do the alembic move before we split out the extension repos 18:24:17 <ayoung> I think that Alembic support is going to require some thinking 18:24:19 <henrynash> topol, gyee: have set action for dolphm to come back with the plan….let's move on 18:24:21 <morganfainberg> ayoung: i am for doing the migration work now. 18:24:26 <ayoung> and I don't really want to force that through 18:24:26 <henrynash> ayoung: agred 18:24:31 <ayoung> morganfainberg, I do to 18:24:37 <topol> ayoung, avoid death or glory. go crawl walk run 18:24:38 <morganfainberg> and hit alembric in Icehouce 18:24:48 <topol> morganfainberg +1 18:25:02 <ayoung> dolph had the objection, so if we drive on, we have to be ready to convince him when he comes back. Do we have unanimous support for it? 18:25:21 <topol> support for doing it in stages??? 18:25:26 <bknudson> I think his problem was that we now have to do alembic on multiple repos 18:25:26 <henrynash> ayoung: I'd just like clarification of how a "complex" extension work work with a separate repo? 18:25:34 <ayoung> topol, for doign the migrations per extension in the existing technology 18:25:42 <ayoung> henrynash, see the above link 18:26:15 <topol> ayoung, yes that to me means stages. Unless thatmakes alembic 10 times harder later... 18:26:15 <ayoung> henrynash, the short of it is you need a migrate_repo subdir, a versions subdir under that, a config file, and a couple empty __init__.puy files 18:26:21 <gyee> ayoung, is alembic required for separating out the extension migration? 18:26:21 <henrynash> ayoung: so I posted a question on patch 11 to this end 18:26:30 <bknudson> if we have multiple repos and have alembic, we have to decide how we're going to do the sqlalchemy -> alembic change. 18:26:53 <ayoung> henrynash, yep,. just got to the point that I had one to show, and I will convert that to documentation in both the commit message and in the doc dir 18:27:19 <ayoung> bknudson, we need to do that anyway, and I think the migration will be no more complex with or without the split 18:27:30 <ayoung> gyee, alembic is not required 18:28:00 <gyee> ayoung, I would vote for getting the extension migration done first 18:28:01 <bknudson> ayoung: ok, I don't know how the sqlalchemy -> alembic migration works. Other projects always have a point where they consolidate migrations 18:28:04 <henrynash> ayoung: my question is much more fundamental…my initial reaction is that complex extensions will no long rbe possible since we won't have the DB changes sequenced with core…any sometimes I think you need to….so I am yet to be convinced over the whole approach 18:28:07 <ayoung> gyee, doing alembic support after the split means that we will have to deal with multiple migrate repos in the conversion, but that should be only slightly more complex than what we are doing now 18:28:12 <bknudson> but keystone hasn't done that (consolidation) 18:28:32 <ayoung> henrynash, if an extension needs to talk to the db, and change the core schema, it can still do that in common 18:28:44 <ayoung> we just should not allow that in a review with out serious justification 18:28:44 <henrynash> ayoung: I'd suggest we need a better BP that explains what will and won't be possible…like before we start coding it 18:30:03 <ayoung> henrynash, extension , by definition, are defined to be split out from the main keystone server. I don't want any more extesnions going in until we resolve this 18:30:15 <morganfainberg> ayoung: +1 18:30:25 <ayoung> henrynash, credentials should have had its own repo, hell, Identity and token stuff should be in their own repos 18:30:39 <ayoung> catalog and policy should certainly be in their own repos, too 18:30:50 <gyee> ayoung, amen brother 18:31:40 <ayoung> So, henrynash do you really think an extension should be allowed to communicate with the underlying sql schema? 18:32:02 <henrynash> ayoung: so i get those suggestions….I thought the primary point of an extension was to allow API changes that we are not necessarily committing to support long ter, 18:32:11 <gyee> ayoung, you sure you didn't work on OSGi before? 18:33:09 <gyee> henrynash, having sql-specific schema dependencies is pretty messy 18:33:27 <gyee> especially we are supporting different backend drivers 18:33:36 <ayoung> gyee, I've worked on everything before 18:33:56 <henrynash> ayoung: I (think what I ) am advocating is that often an extension might need to change a core schema. The schema change might be done in core (and not part of the extension) as long as it is benign….but "private" sql extension changes would be in their own repo 18:34:01 <morganfainberg> gyee: yes, it makes sense especially with the pluggable nature/mutiple backends. 18:34:45 <ayoung> henrynash, I would argue that if you are modifying a set of tables, all the changes to those should be in a single repo. Extensions *can* and *should* have their own sql repos, but because some extensions are already munged into the common repo, we can't make that a *must* at least not yet 18:34:45 <henrynash> ayoung: otherwise I don't see how our dependencies will work, we'll break extensions at the drop of a hat 18:35:31 <ayoung> henrynash, so, the rule is "no new extension that requires a new sql schema goes into the common repo" 18:35:33 <bknudson> henrynash: we should have unit tests to ensure extensions work 18:35:55 <gyee> bknudson, at the minimal 18:35:59 <ayoung> bknudson, and those will be part of the sql upgrade test with that extensions patch 18:36:24 <bknudson> and we need a real sql in the gate 18:36:28 <henrynash> ayoung: so I'm not arguing that should not be able to have a repo….I'm just skeptical it is the right solution for all extension (in the future) to be wholly contained within their repo 18:36:47 <morganfainberg> yes, real SQL in gate (or something that emulates it cleanly) is important. 18:37:30 <ayoung> henrynash, it is a code standard, but one that we can address when the time comes. For example, the ec2 extensions are currently based on code in the common repo. THat won't be broken by this 18:37:37 <topol> do we expect to have enough extensions in the future to merit supporting multiple repos? 18:37:42 <ayoung> henrynash, it just provides a missing mechanism 18:37:44 <ayoung> topol, yes 18:37:49 <ayoung> topol, 3 have 3 right now 18:37:51 <ayoung> kds 18:37:53 <ayoung> mapping 18:38:03 <ayoung> oauth 18:38:11 <topol> everybody loves adding to our database... 18:38:20 <gyee> ayoung, don't forget endpoint filtering 18:38:26 <henrynash> ayoung: and that's my point, I don't see where we have planned out how different types of extensions will work….I really want to see it described how the dependencies will work, be obvious to those working on core etc. 18:38:27 <bknudson> so today an extension can't really count on the identity sql, since identity could be ldap. 18:38:29 <ayoung> gyee, make that four 18:38:34 <ayoung> bknudson, right 18:38:36 <gyee> pho for pho! 18:39:08 <henrynash> ayoung: you probably have it all worked out….I just need to be able read it and think through how it would work in practice 18:39:17 <ayoung> henrynash, fair enough. 18:39:38 <ayoung> #action ayoung to properly document split repos as part of the patch 18:39:43 <henrynash> ayoung: if you could do that, it would be great 18:39:49 <henrynash> thx 18:39:56 <henrynash> Ok, other high priority code reviews 18:40:08 <bknudson> one thing we might need is a more extensible way to notify extensions of events. 18:40:22 <bknudson> more comprehensive might be a better word 18:40:47 <gyee> bknudson, can you translate that in plain english? 18:40:49 <henrynash> bknudson: do we ahem any way implemented today? I didn't think so? 18:41:11 <ayoung> bknudson, that statement scares me 18:41:35 <bknudson> more of a thought, but you use foreign keys for example to delete rows from a table when the user goes away. 18:41:37 * topol plz be thinkijng of something lightweight :-) 18:41:43 <bknudson> and now we don't have foreign keys for that. 18:41:59 <bknudson> so some way to tell an extension that the user has gone away and it should clean up. 18:42:04 <ayoung> bknudson, LDAP does not notify anyway 18:42:10 <ayoung> users never "go away" 18:42:23 <ayoung> now, projects, OTOH, 18:42:27 <bknudson> users was an example... not sure if there's another one. 18:42:36 <ayoung> roles get removed, and tokens get revoked 18:42:51 <ayoung> integration happens at the component to component level 18:43:21 <topol> does openstack have a common event listening mechanism? 18:43:36 <bknudson> we've got a discussion of notifications later on the agenda already. 18:43:38 <gyee> bknudson, you thinking of an internal message queue or something? 18:43:41 <ayoung> wirth extensions, we should try to keep integration to a minimum. Ideally, different extensjhions should be able to run on different servers, and Keystone can then just act as a n incubatoer for new services with them all living in a single server 18:44:10 <bknudson> gyee: yes, it could be through an internal mechanism to register for events. 18:44:40 <henrynash> bknudson: Ok, think we need to table that topic, to make sure we get through the agent - maybe add it to next week? 18:44:45 <topol> anyway we can avoid not invented here and rolling our own for this??? 18:44:57 <henrynash> any other high priority reviews? 18:45:16 <henrynash> probably a bit early in the cycle 18:45:16 <ayoung> Implement apiclient library 18:45:21 <henrynash> ayoung: ahh! 18:45:26 <ayoung> https://review.openstack.org/#/c/28043/ 18:45:30 <henrynash> ayoung: indeed 18:45:38 <ayoung> we need to solve the common authentication mechanism problem 18:45:48 <bknudson> it's only 3000 lines 18:45:57 <ayoung> heh 18:46:03 <bknudson> seems like common authentication mech wouldn't take 3k loc 18:46:04 <topol> with lots of -1s to boot 18:46:21 <ayoung> agreed, so what do we do about moving this ahead? 18:46:26 <ayoung> I think we need to work with him 18:46:42 <ayoung> but scope down this into multiple, independent blueprints 18:46:50 <ayoung> with auth being the highest priority 18:46:54 <morganfainberg> ayoung: +1 18:46:57 <bknudson> ayoung: +1 18:46:58 <gyee> ayoung +1 18:47:07 <henrynash> ayoung: are any clients "signed up" to use such a think…or is it that if build (we hope) they shall come? 18:47:18 <topol> does ti have stakeholders lined up? Will folks jump to this once its avail or say, what I have works... leave me alone? 18:47:27 <bknudson> so novaclient already has this plugin mechanism 18:47:28 <ayoung> henrynash, I think cinder already pullins the keystone client 18:47:35 <ayoung> I know at least one client does, 18:47:45 <henrynash> ayoung:I think that is true, yes 18:48:40 <ayoung> henrynash, it is in cinder's pip-requires but not in python-cinderclient 18:49:09 <ayoung> glance has it , though 18:49:13 <henrynash> ayoung: ahh. that might be just that it wants the middleware 18:49:36 <ayoung> https://github.com/openstack/python-glanceclient/blob/master/requirements.txt#L6 18:50:14 <bknudson> all the clients will need keystoneclient to get a token 18:50:26 <ayoung> bknudson, they do direct calls right now 18:50:57 <topol> the safe thing to do would be to confirm what the stakeholders really need in this space, that they are willing to move to the new code base and to make sure the 3000 lines are trimmed down to deliver only what the stakeholders need. could waste a lot of time if not real agile dvelopment is used on this one 18:51:03 <bknudson> ayoung: oh, so we've got some work ahead of us! 18:51:09 <ayoung> bknudson, so we want them to consume the python-keystoneclient in order to manage how the authenticate both when they get a token and when they pass that token to aremote service, assuming the remote services can handle SPNEGO or CLient certs. Down the road of course 18:51:52 <henrynash> #action cores (at least) to take some the to work on this issue this week….. 18:52:00 <ayoung> bknudson, yeah, I would say so, and it is going to take some joint engagement. Thus, the first challenge to the core devs is to get comfortable with the client code, and get a common vision of how it should look and work. 18:52:19 <henrynash> we need to make progress or we still won't have a v3 nova client by Havana ship 18:52:25 <henrynash> v3 auth 18:52:49 <gyee> henrynash, who's working on this? 18:52:50 <ayoung> We need to work with the other projects to up the minimum version, too 18:53:04 <gyee> ayoung, what kind of help you need from on this front? 18:53:06 <ayoung> we should be able to use the latest keystone client in all projects 18:53:27 <topol> ayoung, +1 and if not to understand why not 18:53:28 <ayoung> gyee, jamielennox has been working on it 18:53:37 <henrynash> young, guee: so I raised this at the project meetinga few weeks ago (when deputising for Dolphm) and the reaction was…use the mailing list! 18:53:57 <ayoung> henrynash, or submit patches 18:54:02 <gyee> henrynash, yup 18:54:02 <henrynash> ayoung: always better 18:54:07 <gyee> just do it 18:54:32 <henrynash> young, gyee: ..and I coming round to thinking that this is what we must do 18:54:48 <gyee> henrynash, yes, we'll have to write the code 18:55:16 <henrynash> gyee, ayoung, bknudson: let's chat after the meeting on this one 18:55:24 <bknudson> henrynash: ok 18:55:34 <henrynash> #topic Oslo unified logging patch landing soon? (https://review.openstack.org/#/c/34834/) 18:55:41 <lbragstad> #link https://review.openstack.org/#/c/34834/ 18:55:48 <topol> gyee, plz find a stakeholder from each project that needs to adopt. My rule of thumb would be if you cant get a stakeholder its a recipe for a waste of time.. 18:56:00 <ayoung> henrynash, I'll OK the approach once we are certain it doens't mess up apache 18:56:15 <lbragstad> hoping that this lands soon, and this change was purposed for keystone a while ago to implement a unified logging solution but concerns were raised about eventlet 18:56:34 <gyee> topol, sure, make sense 18:56:44 <lbragstad> just wanted to give everyone a heads up on this, and once it lands in Oslo I'll plan to implement the unified logging solution to keystone 18:56:52 <bknudson> so do we want to wait for the oslo change before we get notifications or stick with where we were before? 18:57:11 <ayoung> bknudson, does it require changes to the config file? 18:57:27 <henrynash> lbragstad: and the question of apache? 18:57:36 <ayoung> If so, that breaks the feature freeze rule. Otherwise, I am OK with it going in to H3. 18:57:37 <lbragstad> jsut about to test it in apache. 18:57:41 <lbragstad> henrynash: ^ 18:57:49 <bknudson> ayoung: do notifications require changes to the config file? I'm sure there's config options to tell it what notifier to use. 18:57:57 <lbragstad> yes 18:58:01 <ayoung> lbragstad, can you file that as an Agenda item for next week, then, to make sure we close it on out? 18:58:02 <lbragstad> ayoung: bknudson^ 18:58:11 <ayoung> bknudson, optional changes are OK 18:58:11 <lbragstad> #link http://docs.openstack.org/trunk/openstack-network/admin/content/ch_adv_notification_overview.html 18:58:18 <ayoung> bknudson, required changes are not 18:58:19 <henrynash> ayoung: I didn't think changes to config file where verboten…just that we can't break anything that is in there already 18:58:36 <bknudson> right, it has to have a sensible default. 18:59:05 <ayoung> henrynash, think of it as an integration problem. API's are fixed to keep from breaking iother apps. Config files are fixed to keep from breaking the puppet modules and installers 18:59:44 <bknudson> people are going to think we're on vaca in Hawaii if we don't make work by breaking other apps. 18:59:50 <ayoung> 1 minute remaining 18:59:54 <fabiog> henrynash, endpoint filter is ready for review 19:00:04 <ayoung> fabiog, add me to the review, please 19:00:04 <henrynash> ayoung: hmm, agree we can't change existing values…take offline 19:00:08 <fabiog> #link https://review.openstack.org/#/c/33118/ 19:00:20 <henrynash> #topoc open discussion ! 19:00:31 <fabiog> ayoung, added 19:00:34 <henrynash> but we are out of time! 19:00:36 <topol> fabiog, dolph has a red x on it. why would we review??? 19:00:47 <henrynash> #stopmeeting 19:00:54 <henrynash> #endmeeting