18:01:49 <dolphm> #startmeeting keystone 18:01:50 <openstack> Meeting started Tue Apr 8 18:01:49 2014 UTC and is due to finish in 60 minutes. The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:51 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:53 <openstack> The meeting name has been set to 'keystone' 18:01:59 <topol> o/ 18:02:00 <dolphm> #topic Reminder: Design summit session proposals open until April 20th 18:02:11 <morganfainberg> o/ 18:02:28 <dolphm> so, we've got 21 proposed sessions the last i counted, and i'm aware of two more that are on their way to being proposed 18:02:36 <dolphm> we have 8 timeslots at the summit. 18:02:52 <bknudson> we need a longer summit 18:02:58 <dolphm> bknudson: i don't think we do :) 18:03:12 <dolphm> by my count, we should be able to fill those 8 nicely, by merging them 18:03:21 <dolphm> several proposals are near dupes, or closely related 18:03:22 <jamielennox> i haven't proposed anything related purely to keystoneclient (or seen anyone else do it) - i take it we are expecting one/ 18:03:34 <dolphm> jamielennox: please do! 18:03:52 <dolphm> jamielennox: i'm planning for *something* client side to be one of those 8 18:04:07 <morganfainberg> ooh we got 8 slots? 18:04:09 <jamielennox> dolphm: i have less that is related purely to keystoneclient rather than all clients, but i'll propose and people can add to it 18:04:21 <bknudson> is one of the slots for the deployer feedback? 18:04:29 <gyee> jamielennox, keystoneclient seems like a good fit for cross-project, from integration standpoint 18:04:35 <dolphm> we should also have some dedicated space in the dev-lounge type area, so we can take certain topics there as well for smaller discussions 18:04:48 <dolphm> bknudson: so far, yes 18:05:10 <dolphm> gyee: cross-project track deadline is this week 18:05:12 <dolphm> for proposals 18:05:13 <ayoung> client, tokens, Federation (and LDAP) , Hierarchy (to include Policy), 18:05:24 <jamielennox> gyee: i did one that was cross-project: http://summit.openstack.org/cfp/details/205 18:05:32 <ayoung> bascially, I made a bunch of proposals that were supposed to be buckets 18:05:44 <jamielennox> (i need to do a better job of wording it) 18:05:46 <ayoung> Didn't make a client one 18:06:13 <dolphm> if there's not actual items that need to be designed / discussed, it won't be worthy of a session 18:06:16 <ayoung> Tokenless Keystone Operations that one was for gyee 18:06:26 <gyee> client * middleware, especially middleware, auth_token is screaming out for refactoring 18:06:26 <dolphm> so a bucket alone isn't worth consideration without meaningful topics to fill it 18:06:46 <dolphm> gyee: "refactor" isn't something we need to fuss over at the summit, either 18:06:52 <bknudson> we were going to pull middleware to its own repo? 18:06:54 <jamielennox> gyee: oh there is plenty to do on the client - it's just what really needs discussing 18:07:04 <jamielennox> bknudson: that came up somewhere recently as well 18:07:19 <morganfainberg> bknudson, was goign to bring that up specifically at the end of the meeting today since we're early in a cycle we could do it. 18:07:22 <dolphm> bknudson: there's clearly some desire to - i'd be worried that we'd have to create a fourth repo as well, for things like cms 18:07:22 <ayoung> dolphm, right...those were the ones I knew we had something to talk about...feel free to close mine if there is a comparable other submission that is more explicit 18:07:26 <gyee> dolphm, jamielennox, I would like to see auth_token not putting stuff in the headers anymore 18:07:36 <gyee> should stash them into the environ 18:07:43 <dolphm> we'd end up with keystone, python-keystoneclient, keystonemiddleware, and keystonelib or something 18:07:48 <bknudson> dolphm: I don't think we've got a circular dependency 18:08:03 <morganfainberg> dolphm, that isn't a bad breakdown imo 18:08:07 <ayoung> python-keystoneclient, would be deprecated, as we are moving to unified cli? 18:08:09 <bknudson> ohh, I guess keystoneclient would import middleware until it's moved. 18:08:19 <morganfainberg> bknudson, ++ 18:08:26 <dolphm> everything would depend on keystonelib in that breakdown 18:08:44 <dolphm> ayoung: not yet; it'd be deprecated by python-openstacksdk if anything 18:08:45 <jamielennox> dolphm: what would keystonelib be as seperate from client? 18:08:47 <ayoung> although I might suggest that keystonelib should be keystoneclient, if only to keep the git history 18:08:57 <dolphm> jamielennox: keystone.common.cms for example 18:09:01 <jamielennox> because if it's session and auth plugins then it's more generic that that 18:09:17 <stevemar> sounds like we're having the client design session now :) 18:09:22 <lbragstad> wouldn't python-keystone client still be required since it is used but the unified client? 18:09:27 <dolphm> pretty much - this is a worthwhile summit session :) 18:09:30 <gyee> stevemar, yes sir indeed 18:09:31 <ayoung> jamielennox, anything that is common between client and keystoneserver I would think 18:09:39 <morganfainberg> lbragstad, yes, but it wouldn't be the same as the CLI it currently is 18:09:45 <jamielennox> ok - i'll put up a summit session for client today 18:09:47 <dolphm> lbragstad: yes, if/until it's replaced by python-openstacksdk 18:09:52 <dolphm> jamielennox: thanks 18:10:04 <lbragstad> morganfainberg: dolphm ok, makes sense 18:10:10 <ayoung> We also have cross-project summit sessions, right? 18:10:15 <dolphm> ayoung: yes 18:10:36 <ayoung> http://summit.openstack.org/cfp/details/95 is Python OpenStack SDK. 18:10:55 <gyee> dolphm, who make the decision on x-project sessions? PTLs? 18:10:55 <ayoung> http://summit.openstack.org/cfp/details/205 is Jamies 18:11:05 <ayoung> python-*client standardization 18:11:06 <dolphm> gyee: good question, i'm not sure 18:11:14 <nkinder> ayoung: there's also the one that jamielennox already mentioned (http://summit.openstack.org/cfp/details/205) 18:11:28 <dolphm> gyee: i don't even have access to moderate keystone sessions yet - it's still too early 18:11:28 <ayoung> nkinder, beat ya too it 18:11:30 <jamielennox> I'm hoping/assuming that there will be plenty of -sdk talk, i still haven't figured out what they want to be 18:11:30 <ayoung> heh 18:11:55 <dolphm> gyee: probably, yes, though 18:11:59 <bknudson> jamielennox: from the latest discussion sounded like the current clients just in one lib 18:12:00 <gyee> dolphm, k, please update us if you have more info on that, I'll try to dig around too 18:12:17 <dolphm> jamielennox: i think "everything to everyone" is the answer :-/ 18:12:54 <ayoung> We might be able to punt on a Keystone specific talk in favor of "Hierarchical Multitenancy in Every Project" 18:13:00 <bknudson> openstacksdk has a loonnnggg ways to go 18:13:06 <dolphm> gyee: in the mean time, comment on sessions you're interested in, or not. feedback on summit.openstack.org (and the mailing list, etc) is really important for the whole selection process 18:13:14 <jamielennox> bknudson: yea i have been following but they are talking dolphm's everything approach and i don't think it's sustainable 18:13:32 <gyee> dolphm, thanks, will do that this week 18:14:17 <dolphm> that's also why it's too early to make too many guesses about what sessions will be accepted/merged/rejected -- there's not enough feedback yet for many sessions, and there are yet-to-be-proposed sessions to consider as well 18:14:49 <dolphm> on that note ... 18:14:51 <dolphm> moving on :) 18:14:54 <dolphm> #topic Reminder: Review Icehouse release notes 18:15:07 <dolphm> just a quick reminder to take a pass at: 18:15:08 <dolphm> #link https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse 18:15:21 <dolphm> there's been a few things added, and there's a few TODO's noted that need to be fleshed out 18:15:29 <dolphm> if you're familiar with those features, contributions very much welcome :) 18:15:40 <dolphm> most of them are in Upgrade Notes 18:15:46 <ayoung> dolphm, do contribution have to pass a bknudson code review? 18:15:54 <dolphm> ayoung: yes? 18:16:01 <topol> only ayoungs... 18:16:10 <morganfainberg> topol, ++ :P 18:16:27 <bknudson> I will probably fix speling errors if I see them. 18:16:49 <dolphm> i'll fix wiki syntax :P 18:16:53 <gyee> bknudson, urban dictionary words ok? 18:16:57 <ayoung> any TODOs that are egregious? 18:17:03 <topol> so is there just a place toa dd comments on the wiki or we all have edit access? 18:18:10 <dolphm> ayoung: see for yourself? nothing crazy IMO 18:18:25 <ayoung> dolphm, yeah, nothing jumped out at me.... 18:18:26 <dolphm> topol: everyone should have edit access with an LP account 18:18:34 <dolphm> s/an/a/ 18:18:54 <dolphm> anyway, let's talk about something more exciting! 18:18:57 <dolphm> #topic Security review 18:18:57 <topol> dolphm, K 18:18:59 <dolphm> nkinder: o/ 18:19:32 <dolphm> nkinder: have a link to your mailing list discussion? i'm coming up empty handed 18:19:43 <nkinder> dolphm: sure... 18:20:13 <nkinder> http://lists.openstack.org/pipermail/openstack-dev/2014-April/032046.html 18:20:20 <dolphm> nkinder: thanks! 18:20:34 <dstanek> nkinder: i noticed that the wiki page was showing the source of algorithms as passlib. is that intentional? passlib actually uses the hashlib implementation if I remember correctly 18:20:35 <dolphm> hopefully everyone saw this, this is obviously a worthwhile effort :) 18:20:50 <ayoung> dstanek, that rings true 18:20:53 <nkinder> dstanek: PassLib does both 18:21:11 <nkinder> I read the code, and they implement their own rc4, etc. 18:21:18 <nkinder> ...but they do use hashlib too 18:21:23 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/utils.py#n26 18:21:36 <dstanek> i don't think they implement sha* though 18:21:46 <nkinder> dstanek: correct 18:21:52 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/utils.py#n110 18:22:03 <lbragstad> sha512 18:22:17 <bknudson> for the "Potential improvements" -- we're not planning to do those for icehouse? 18:22:18 <lbragstad> and http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/utils.py#n125 18:22:40 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/utils.py#n117 salted sha is ugly, but necessary for the LDAP simple bind approach. Ideally, that would be replaced, but I think the only viable alternative is Kerberos 18:22:48 <gyee> nkinkder, is this an OSS initiative? 18:22:58 <nkinder> dstanek: perhaps it's not clear, but I was trying to point out that sha1 is used by PassLib (not necessarily implemented by) 18:23:01 <ayoung> bknudson, we are plannign on imporvindg from Eventlet to Apache HTTPD 18:23:13 <nkinder> ok, let's talk about it at a high-level instead of specific crypto details 18:23:15 <dolphm> dstanek: passlib does use hashlib, for example https://code.google.com/p/passlib/source/browse/passlib/handlers/md5_crypt.py 18:23:42 <nkinder> I'm trying to get projects interested in gathering and maintaining this sort of info from release to release 18:24:05 <morganfainberg> nkinder, ++ 18:24:06 <lbragstad> nkinder: ++ oslo has a bunch of stuff too.. which may or may not get used in other projects 18:24:09 <nkinder> This is useful for OpenStack deployers of course, but it's also really good from a development standpoint 18:24:09 <dolphm> nkinder: is there any reason why this shouldn't be tracked in tree, and code reviewed along with the impacting changes? 18:24:09 <ayoung> ldap_hash_password ... I assume that was only called if you create a user via the LDAP backend, which is not someth8ing I would expect a real deployment to do, but I've been surprised before. 18:24:38 <nkinder> Instead of just saying "we should all do this", I audited Keystone myself first to show how I think it might look. 18:24:53 <bknudson> dolphm: in doc/source ? 18:25:06 <dolphm> bknudson: yes. nkinder: wiki sounds like a decent place to get these docs moving, but we can enforce their maintenance in gerrit 18:25:08 <nkinder> dolphm: in tree is fine too 18:25:17 <bknudson> I like that 18:25:24 <lbragstad> me too, 18:25:25 <nkinder> dolphm: so first I want to see if there is interest from each project. Sounds like there is for Keystone. 18:25:30 <topol> nkinder++ that is an important initiative youa re driving 18:25:40 <nkinder> Second is what form should the info be kept in (in git, wiki, etc.) 18:25:43 <bknudson> people are always asking for this info 18:25:50 <dolphm> nkinder: absolutely, it sucks not being able to refer people to docs like these :-/ (until now!) 18:25:56 <stevemar> wiki seems good enough for now 18:25:58 <nkinder> anyone can screw with the wiki, so it's not the best place for authoritative info 18:26:04 <nkinder> yeah, good for now though 18:26:09 <dstanek> tree is good for some stuff - but if you continue down this track we'll have a while bunch of attack vectors we need to document 18:26:27 <dolphm> dstanek: that's an interesting point... 18:26:31 <bknudson> there's another effort for the threat analysis 18:26:39 <ayoung> Security bugs got in Launchpad until we have a fix, obviously 18:26:49 <nkinder> yeah, this is more of a high-level instead of a full threat analysis 18:26:54 <dolphm> this effectively becomes a release deliverable if it's in-tree, rather than a best-effort community thing 18:27:07 <dstanek> so far this is really just code level implementation, but i can see whating to document lots of other stuff too 18:27:08 <nkinder> dolphm: well, I'd like to make it a release deliverable 18:27:09 <lbragstad> I think it would be important to keep it simple right off the bat, description of why we need the encryption, names of the hashes used, maximum key length/strength, is it end user configurable? 18:27:12 <stevemar> dolphm, good point 18:27:16 <ayoung> "go in" man my typing is worse than usual today 18:27:23 <nkinder> lbragstad: +1 18:27:30 <lbragstad> something in a chart form 18:27:34 <bknudson> it'll be available here if in doc/source -- http://docs.openstack.org/developer/keystone/ 18:27:37 <nkinder> Keep it simple so we can actually acheive the goals 18:27:44 <dstanek> lbragstad ++ 18:27:45 <ayoung> It would be nice if we had ethercalc for charts 18:27:48 <lbragstad> someone can look up if pycrypto is used, and if an end-user can bump up the key strength 18:27:57 <dolphm> lbragstad: keeping it simple in the long run is important for maintainability :) 18:28:09 <topol> nkinder do we have any provenance information on what crypto libraries are used and who dveeloped them? 18:28:13 <nkinder> The tables shoudl really say what is used, and why (by what feature) 18:28:17 <stevemar> dstanek, even if it's in tree, it's not like we don't neglect the docs :( 18:28:30 <dstanek> stevemar: :-) 18:28:49 <nkinder> topol: all we really have is what I've collected on that page so far 18:28:55 <topol> nkinder, K 18:28:57 <ayoung> what about something under Anne Gentle's team instead of under keystone? Seems like a cross product doc effort? 18:29:11 <nkinder> ayoung: for publishing, that would likely work 18:29:15 <bknudson> there's a security guide... 18:29:18 <dstanek> in-tree would probably be fine, but i can definitely see things that audit logs and other artifacts out of tree 18:29:24 <dstanek> s/that/like/ 18:29:24 <dolphm> ayoung: they're already responsible for publishing keystone/docs 18:29:35 <nkinder> ayoung: but each project should own the info on their own project and keep it up to date as code changes are made 18:29:37 <bknudson> http://docs.openstack.org/security-guide/content/ 18:29:44 <ayoung> then lets do it in tree 18:29:44 <dolphm> nkinder: ++ 18:29:47 <lbragstad> nkinder: right, 18:30:04 <nkinder> We can then use that info to populate the Security Guide if we want to provide an overview of used crypto 18:30:21 <nkinder> ok, so in tree it is. Any suggestions on format? 18:30:30 <dolphm> does anyone have any criticism of what's available on https://wiki.openstack.org/wiki/Security/Icehouse/Keystone currently? 18:30:31 <nkinder> markdown? something else? 18:30:44 <nkinder> dolphm: I do :) 18:30:46 <dolphm> nkinder: docs/ uses RST already 18:30:55 <nkinder> dolphm: some things are missing or need to be filled in more 18:31:30 <nkinder> dolphm: but we can discuss those on IRC outside of this meeting 18:31:44 <dolphm> nkinder: i'd like to see Potential Improvements filed as Wishlist bugs and tagged with 'security' 18:31:55 <lbragstad> nkinder: when do we plan to have a format up? 18:32:14 <dstanek> dolphm: great idea - i'll start posting those after this meeting 18:32:16 <dolphm> nkinder: you can then link this doc to https://bugs.launchpad.net/keystone/+bugs?field.tag=security - rather than duplicating those in the doc 18:32:21 <nkinder> So the other thought is that we can use the security-impact keyword to flag when a code change requires an update 18:32:32 <dstanek> idea are flooding in :-) 18:32:46 <nkinder> dolphm: +1 on filing the improvements. Those were just items that I had ideas on, so feel free to chime in with others. 18:33:03 <dolphm> nkinder: i'd rather the code change include the doc update AND include SecurityImpact ;) 18:33:07 <nkinder> lbragstad: I can work on a format, though I'm not familiar with RST 18:33:24 <nkinder> dolphm: yes, both in one patch would be ideal 18:33:32 <bknudson> nkinder: here's the link I use -- http://docutils.sourceforge.net/rst.html#user-documentation 18:33:34 <lbragstad> nkinder: ok, cool. I can help out with that too. 18:33:36 <nkinder> dolphm: then we can -1 changes that skipped updating the doc. 18:33:44 <dolphm> nkinder: ++ 18:33:48 <nkinder> lbragstad: that would be much appreciated 18:34:15 <nkinder> did most of my audit look accurate to everyone? Is there anything important that I missed? 18:34:22 <bknudson> lbragstad: we've got scans for the other projects, too? 18:34:42 <nkinder> bknudson: not yet. I need to go around and evangelize that... 18:35:01 <dstanek> nkinder: only thing confusing to me where what implementation was used for algorithms 18:35:12 <dstanek> other than that i thought it was great 18:35:19 <nkinder> bknudson: I'm really hoping to get buy-in from everyone such that this can be a part of our normal release process 18:35:29 <dolphm> hrm, i also just realized this encompasses both keystone and keystoneclient (and some of this would be moved to keystonelib if that existed) 18:35:30 <topol> nkinder++ 18:35:35 <nkinder> dstanek: any suggestions on how it could be represented to be more clear? 18:35:41 <ayoung> nkinder, as I mentioned before, the "Self signed certificates" approach needs to die 18:35:52 <nkinder> dolphm: yeah, they are kindof wrapped together 18:36:21 <dstanek> nkinder: i can't tell if we are using three different sha1 implementations or if there are three different wrappers to the same implemenation 18:36:27 <stevemar> dolphm, whys that an issue? 18:36:31 <dolphm> nkinder: this one wiki page should be split into python-keystoneclient/docs and keystone/docs then -- and probably cross-linked to each other since they're so closely related 18:36:41 <ayoung> stevemar, auditability 18:36:42 <nkinder> dstanek: ah, yeah. The wiki table made that odd. 18:36:46 <dolphm> stevemar: because a client change shouldn't require docs in the keystone/ repo to be updated, for example 18:36:59 <ayoung> you want to make sure that, if there is an known issue in an implementation, you've updated the vulnerability 18:37:00 <nkinder> dstanek: it's all just sha1 (hashlib), but it was for threee different usages 18:37:07 <stevemar> we'll probably have a lot of duplication 18:37:12 <ayoung> updated beyond the vulnerability 18:37:28 <nkinder> stevemar: in what regards? between projects? 18:37:57 <stevemar> if we split the wiki contents to keystone/docs and keystoneclient/docs 18:38:18 <nkinder> stevemar: yeah, that's why I avoided it and just called out the source files. 18:38:49 <nkinder> ...but it's going to have to be split if we keep the docs in tree 18:39:04 <stevemar> i guess so :) 18:39:19 <bknudson> can we backport doc updates? 18:39:27 <nkinder> ok, well next steps seem to be to work on the formatting, then we can decide how to organize it between repos. 18:39:36 <dstanek> nkinder: yeah, something like that works 18:39:40 <dolphm> bknudson: yes 18:39:53 <dolphm> bknudson: not sure if they'd be consumed that way though 18:40:11 <ayoung> dolphm, rc2 window is closed, right? 18:40:15 <topol> dolphm, whats the criteria for backporting doc updates? Just critical; stuff? 18:40:21 <morganfainberg> ayoung, yes 18:40:23 <dolphm> ayoung: yes 18:40:33 <nkinder> we can use wiki for Icehouse, and in-tree for Juno 18:40:35 <ayoung> dolphm, when do we expect rc2 announced, then? 18:40:49 <nkinder> Icehouse will largely be going back and reviewing what we've already done anyway 18:40:55 <bknudson> I don't know if we can get to havana keystone developer docs. 18:40:59 <dolphm> topol: there's no precedence in keystone, afaik - but i'd happily propose doc corrections & additions to stable-maintenance 18:41:19 <dolphm> ayoung: it was released this morning 18:41:23 <bknudson> http://docs.openstack.org/havana/ just links to http://docs.openstack.org/developer/keystone/ 18:41:27 <ayoung> Ah... 18:41:31 <ayoung> need to catch up on email 18:41:32 <dolphm> ayoung: i meant to mention it at the beginning of the meeting, but forgot to put it on the agenda 18:41:44 <annegentle> bknudson: mostly the keystone docs are common and embedded 18:41:44 <dolphm> ayoung: http://lists.openstack.org/pipermail/openstack/2014-April/006468.html 18:42:00 <stevemar> bknudson, then no need to backport! 18:42:15 <annegentle> bknudson: http://docs.openstack.org/admin-guide-cloud/content/ch-identity-mgmt-config.html 18:42:17 <ayoung> So....that is probably Icehouse.... 18:42:32 <annegentle> bknudson: oh sorry you're talking about dev docs 18:42:45 <dolphm> annegentle: ++ 18:43:01 <bknudson> annegentle: well, we had discussed whether to put the security notes in dev docs or other docs. 18:43:19 <nkinder> annegentle: yeah, this is security guide related as well. 18:43:27 <dolphm> annegentle: we're discussing backports for openstack/keystone/docs to stable/ branches, for the purpose of documenting security-relevant topics 18:43:42 <nkinder> annegentle: we're talking about having some security info from each project feed into the Security Guide. 18:43:47 <dolphm> annegentle: (for docs that don't exist in-tree yet, just on the wiki) 18:43:47 <annegentle> ah you won't get point-in-time publishing of dev docs 18:43:59 <annegentle> nkinder: cool, great. 18:44:17 <dolphm> annegentle: are you aware of any distros or anyone doing anything with stable/ dev docs? 18:44:35 <annegentle> dolphm: the only stable/relname docs are in openstack-manuals and it's just the install guide and the config ref. We could add the security guide though, just a matter of deciding on it 18:44:45 <nkinder> annegentle: I can chat with you offline about the idea to get your recommendations on the best way to do that from a format perspective (it's sort of the same thing we need to figure out for OSSNs). 18:44:54 <annegentle> nkinder: sure 18:45:20 <nkinder> annegentle: ok, I'll shoot you an e-mail on it. 18:45:20 <bknudson> I like the dev docs because it's easy to update with the code. 18:45:27 <bknudson> also, we can look at them on github 18:45:29 <stevemar> ++ 18:45:35 <nkinder> bknudson: +1. It will help to keep it in sync 18:45:39 <annegentle> bknudson: but security affects all of openstack and is more of an integrated project set of issues 18:45:45 <dolphm> bknudson: ++ 18:46:03 <annegentle> bknudson: nkinder: prioritization and discipline around it keeps it in sync 18:46:06 <nkinder> I do want to see what other projects think as well, as they may have different ideas 18:46:40 <bknudson> annegentle: well, I also like the security guide because it's going to be consumed outside of developers 18:46:50 <dolphm> nkinder: if they have better ideas, please share :) 18:46:57 <dolphm> nkinder: definitely bring this up at the barbican meeting as well :D 18:47:01 <ayoung> ++ 18:47:02 <nkinder> dolphm: will do! 18:47:21 <nkinder> I'm happy to see all of the interest in it! 18:47:37 <dolphm> sounds like we have some agreement here for now, and there's nothing left on the agenda for today, so: 18:47:43 <dolphm> #topic open discussion 18:48:02 <dolphm> 12 free minutes 18:48:03 <morganfainberg> Quick plug 18:48:17 <morganfainberg> sql collapse: https://review.openstack.org/#/c/78169/ this needs some feedback on the fk/constraint/index naming etc 18:48:52 <bknudson> +395, -4758 18:48:58 <dolphm> morganfainberg: i wanted to run db_sync 36 with and without that patch on mysql & postgres prior to +2'ing -- have you done either of those and compared sqldumps? 18:49:01 <morganfainberg> i'd like to implement consistent naming across the board, which requires a migration to sync all prodiuction deployments, but i want to get it right in that review as the base 18:49:04 <dolphm> bknudson: auto +2 18:49:16 <morganfainberg> dolphm, i did that when developing this. 18:49:31 <morganfainberg> dolphm, but... the FK / constraint / etc names are difference 18:49:41 <morganfainberg> and with SQLA and postgres there are oddities that require explicit naming 18:49:45 <dolphm> morganfainberg: if you have a diff handy, could you paste one? 18:50:01 <morganfainberg> dolphm, i'll need to re-run it, the diff came pre icehouse 18:50:06 <morganfainberg> dolphm, so i'll re-run and post the diffs 18:50:16 <jamielennox> i have a request for some client reviews please - they are stagnating again, we are back to the point where there are a few difficult ones to process so come find me if you are unsure of any reasoning 18:50:22 <topol> morganfainberg, whats the magic that allows you to compress so much??? 18:50:36 <dolphm> topol: dropping support 18:50:37 <jamielennox> re-reading that it was way to gentle: do client reviews! 18:50:48 <morganfainberg> jamielennox, i expected less gentle this time :P 18:50:50 <ayoung> morganfainberg, did you run that against livetests for both mysql and postgresql? bknudson can one of you IBMers confrim the DBishness of that smooshing? 18:50:51 <dolphm> topol: for essex and folsom 18:51:06 <topol> dolphm, thats awesome. so much less code to look at 18:51:13 <dolphm> topol: and less to maintain! 18:51:14 <morganfainberg> ayoung, i had no issues with the migrations working under mysql and postgres, that seems like all the _live_tests do 18:51:21 <gyee> jamielennox, I'll take a look 18:51:33 <topol> dolphm, I may actually look in that folder now :-) 18:51:35 <gyee> I also commented on the configurable hash algorithm review https://review.openstack.org/#/c/80401/ 18:51:35 <dolphm> topol: this also means faster tox run times :) 18:51:38 <morganfainberg> ayoung, but before i went too much further i wanted to snag people for the FK / ix / ixu naming 18:51:40 <dolphm> topol: ha 18:51:48 <ayoung> morganfainberg, yeah....need to take another look at getting out sql unit tests running against the real databases again 18:51:49 <gyee> we need to embed the algorithm into token data 18:51:56 <bknudson> ayoung: I'll try it out with my db2 setup. 18:52:05 <dstanek> has anyone run the unit tests against mysql? i was having a bunch or problems with it 18:52:05 <morganfainberg> dolphm, not much faster. we don't migrate for most tests now we use sqlite reflection in memory 18:52:09 <ayoung> morganfainberg, FK naming should be in a DBMS specific manner, I think 18:52:19 <ayoung> dstanek, I have not tried in over a year 18:52:21 <bknudson> gyee: I'll take a look at embedding the algorithm. 18:52:29 <bknudson> gyee: why is that necessary? 18:52:31 <morganfainberg> ayoung, except that we can't use reflection if needed to interact with it then 18:52:36 <topol> we need to keep a record of the patch that replaces a huge chunk of code with a smaller replacement. And that person gets a prize every release 18:52:41 <nkinder> jamielennox: you need more of a mean-streak... ;) 18:52:44 <morganfainberg> ayoung, mysql would be _ibfkXX posgres is _fkey, etc 18:52:49 <gyee> bknudson, otherwise, it will break rolling upgrade 18:52:50 <dolphm> bknudson: you don't seem to be impacting /v3/OS-REVOKE/ ? 18:52:57 <ayoung> morganfainberg, yes, and its ug-ga-lee.... 18:53:01 <morganfainberg> ayoung, a consistent naming convention would be good. 18:53:02 <topol> Sort of like the hourly high poker hand at the card room 18:53:15 <bknudson> dolphm: I haven't looked at OS-REVOKE... will do 18:53:17 <morganfainberg> ayoung, and there are times reflection use is important (notably in some migrations) 18:53:17 <dolphm> err, that's not where the revocation *list* lives... 18:53:30 <bknudson> dolphm: does it have token hashes? 18:53:37 <ayoung> morganfainberg, I'm ok with reflection use, I was not the one that protested it. 18:53:44 <morganfainberg> ayoung, i know. 18:53:50 <dolphm> bknudson: /v2.0/tokens/revoked is completely undocumented - ayoung: do we expose the token revocation *list* on v3? 18:53:57 <dolphm> ayoung: or just events? 18:53:58 <ayoung> BTW...if we change the token hash algorithm...all old tokens should be revoked.... 18:54:06 <bknudson> there's no revocation list on v3... we've got the certs 18:54:13 <ayoung> dolphm, I thought just v2....let me confirm 18:54:31 <morganfainberg> ayoung, but anyway, i want something we can programatically interact with / validate if we choose. anyway topic to be continued on gerrit review post meeting 18:54:46 <dolphm> bknudson: if there's no existing docs to update, go ahead and +A the client-side review 18:54:53 <ayoung> dolphm, V3 as well: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/controllers.py#n457 18:55:09 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/routers.py#n37 18:55:19 <bknudson> dolphm: I'm going to look into the hash algorithm in the tokens... does the middleware care? 18:55:29 <bknudson> it tries to hash the token right away to see if it's in the cache 18:55:30 <ayoung> bknudson, yes it cares 18:55:47 <gyee> bknudson, ^^ what he says 18:55:48 <bknudson> but this is before it's even validated it. 18:55:49 <ayoung> bknudson, might not be a real issue 18:56:05 <bknudson> this is before auth_token has validated the pki token 18:56:32 <bknudson> the revocation list will have the hash algorithm 18:56:36 <ayoung> if the middleware hashes the token...it would be wierd for anything other than a local memcached look up. In theory, middleware could skip PKI validation and do a remote verification 18:57:15 <gyee> bknudson, middleware should get the algorithm from token data, not configurable 18:57:24 <ayoung> that would take an explicit setting of a config value. So if it hashed to MD5, but the serve was doing sha256, token validation would fail 18:57:27 <dstanek> ayoung: just ran against mysql and had over 2200 failures (can't create federation tables and unicode won't work) 18:57:27 <bknudson> ok, middleware gets a token hash -- it doesn't know what algorithm was used. 18:57:56 <ayoung> dstanek, ran what against mysql? morganfainberg 's patch? 18:58:15 <dstanek> ayoung: the unit tests on master 18:58:18 <gyee> bknudson, you can tell be the length 18:58:21 <nkinder> ayoung: the hash algo. mismatch would be solved if we do what gyee suggests though, right? 18:58:38 <ayoung> ah...that might be as expected, dstanek but good to know....starting point for Juno cleanup 18:58:46 <ayoung> nkinder, yep 18:58:52 <nkinder> gyee: you could, though that's a bit hackish 18:58:54 <bknudson> if middleware gets a token hash it validates against the server. 18:58:55 <ayoung> nkinder, except that it would never fetch the revoc ation list 18:59:02 <bknudson> I don't think it cares about the hash then? 18:59:03 <ayoung> that is only done for PKI validation 18:59:08 <dolphm> time's up! 18:59:23 <bknudson> thanks! 18:59:26 <gyee> nkinder, if we only have to hash string, that's best we can do :) 18:59:27 <nkinder> thanks alL! 18:59:32 <dolphm> ayoung: https://bugs.launchpad.net/openstack-api-site/+bug/1304606 18:59:33 <gyee> s/to/the/ 18:59:34 <uvirtbot> Launchpad bug 1304606 in openstack-api-site "Identity API v3 OS-PKI extension is undocumented" [High,Triaged] 18:59:34 <dolphm> #endmeeting