18:01:53 <dolphm> #startmeeting keystone
18:01:54 <openstack> Meeting started Tue Apr 22 18:01:53 2014 UTC and is due to finish in 60 minutes.  The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:55 <nkinder_> hi all
18:01:55 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:58 <openstack> The meeting name has been set to 'keystone'
18:02:34 <dolphm> alright, i was waiting on sched.org... but that looks like it's going to take more than a couple minutes...
18:02:39 <dolphm> anyway:
18:02:42 <dolphm> #topic Icehouse released!
18:02:49 <morganfainberg> w00t!
18:02:52 <ayoung> \(◎o◎)/
18:03:04 <stevemar> woot woot
18:03:18 <dolphm> #link http://lists.openstack.org/pipermail/openstack-announce/2014-April/000225.html
18:03:21 <topol> Great job! Congrats!!!
18:03:36 <topol> Lot of great stuff in icehouse
18:03:45 <nkinder_> woohoo!
18:03:52 <dolphm> "Thanks to the hundreds of people who contributed to this development cycle and helped in making this release great!" <-- i can't echo that enough!
18:04:32 <ayoung> Here's a special thank you to our own Atlas.  Three cheers for the PTL.  Well done, dolphm
18:04:39 <lbragstad> ++
18:04:40 <gyee> good stuff!
18:04:42 <topol> +++++
18:04:46 <stevemar> +++
18:04:49 <dolphm> it's been surprisingly quiet on the bug front, so i'm hesitantly excited about that too :P
18:04:52 <topol> Great job dolphm!!!
18:04:56 <morganfainberg> +++++
18:04:56 <dolphm> ayoung: danke
18:05:07 <atiwari> +++
18:05:38 <dstanek> ++
18:05:44 <jamielennox> ++
18:05:54 <dolphm> more fun stuff...
18:05:57 <dolphm> #topic Design summit schedule
18:06:06 <dolphm> #link http://junodesignsummit.sched.org/
18:06:30 <dolphm> i *just* pushed a tentative schedule to sched.org a few minutes ago, so the keystone track should appear there at some point ^
18:07:08 <dolphm> in the mean time, it looks something like this:
18:07:09 <dolphm> #link http://i.imgur.com/Mglw49y.png
18:07:36 <bknudson> 8 sessions?
18:07:48 <dolphm> this is very much a first draft: timeslots WILL be shuffled, etc
18:07:54 <dolphm> bknudson: yes
18:08:02 <dolphm> bknudson: one fewer than previous summits due to the cross-project tack
18:08:04 <dolphm> track*
18:08:22 <topol> dolphm, looks good
18:08:34 <nkinder_> more reason to schedule a mid-cycle hackfest
18:08:43 <dolphm> nkinder_: ++
18:08:51 <topol> in San Antonio. Bring the pace pciante salsa
18:08:59 <nkinder_> ..get a rope
18:09:00 <topol> ++
18:09:03 <dolphm> we should also be a bit more organized for topics outside of formal design sessions
18:09:23 <gyee> just look for dolphm at the developer's lounge
18:09:26 <morganfainberg> mid-cycle fun again!
18:09:28 <nkinder_> yeah, there are some topics that would be nice to discuss that aren't in the sessions
18:09:34 <dolphm> gyee: you should be able to look for a keystone flag or something :)
18:09:42 <dolphm> gyee: not sure how it's all going to work yet
18:09:44 <gyee> grease him with beer, money, or whatever
18:09:50 <morganfainberg> gyee, whiskey
18:09:52 <topol> those breakfast burritos were good.  I hope the lamb food truck is there this time
18:09:57 <bknudson> if we're going to discuss service catalog we should consider what we're going to do with templated catalog
18:10:05 <morganfainberg> bknudson, ++++
18:10:07 <bknudson> since it seems to be getting left behind
18:10:14 <gyee> morganfainberg ++
18:10:15 <ayoung> Leav it behind
18:10:21 <morganfainberg> bknudson, i'm kindof for making it disappear.
18:10:43 <topol> how do we know there arent folks relying on it?
18:10:45 <ayoung> it can easily be supported by SQL, or a KVS impl, so why keep a readonly, hard coded version?
18:10:46 <morganfainberg> bknudson, its suboptimal on many fronts.
18:10:46 <gyee> bknudson, catalog is a big elephant we need to tackle
18:10:48 <dstanek> morganfainberg, bknudson: does anyone use it?
18:10:57 <morganfainberg> dstanek, unfortunately we do
18:11:12 * ayoung is visualizing gyee tackling an elephant.  It is quite entertaining.
18:11:23 <morganfainberg> dstanek, but it caused us major issues so we will move off it as soon as possible
18:11:27 <ayoung> dstanek, we deprecate, and see if anyone shouts
18:11:28 <dolphm> topol: lack of bug reports, for starters. we're aware of issues that our users don't seem to care about
18:11:29 <bknudson> you can't get a v3 token using the templated catalog now
18:11:47 <gyee> ayoung, I mean elephant in the room, american thing, you don't want me to translate into other language
18:12:03 <dolphm> i'd be happy to fix it if there are users
18:12:06 <ayoung> WE NEED V2 /V3 INTEROP OR WE WILL NEVER GET PEOPLE TO V3
18:12:28 <morganfainberg> this sounds like a ML topic to me
18:12:31 <dolphm> ayoung: i suspect that will be a significant topic for the client session
18:12:33 <ayoung> ++
18:12:34 <morganfainberg> probably x-posted to operators
18:12:53 <ayoung> dolphm, wasn't there a miniscule patch that did the "chop v.20" off the endpoints?
18:13:02 <dolphm> ayoung: that landed
18:13:10 <dolphm> ayoung: i think it's in 0.7.0
18:13:13 <jamielennox> ayoung: it got merged - it doesn't really cover everything though
18:13:15 <ayoung> Ah...I was looking for it.  Good.
18:13:16 <morganfainberg> preferably I'd like that mail to be out there before we hit the summit so we have some information
18:13:17 <morganfainberg> if needed i can write that email up.
18:13:24 <ayoung> jamielennox, I realize, but its a start
18:13:55 <ayoung> jamielennox, what critical is missing?
18:14:00 <dolphm> morganfainberg: i'd like to tackle that v2 deprecation bp in the next coupld weeks
18:14:15 <ayoung> I mean, aside from support for other services....anything specific to Keystone>
18:14:16 <ayoung> ?
18:14:22 <jamielennox> https://review.openstack.org/#/c/81146/
18:14:23 <morganfainberg> dolphm, yeah good plan
18:14:33 <topol> dolphm in any of the federated sessions can we discuss audit support for federated environments?
18:14:50 <morganfainberg> topol, i thiink the answer is "we should emit audit for it"
18:15:03 <dolphm> topol: i think it's a given that we'll need to emit the appropriate audit notifications -- what is there to discuss?
18:15:05 <morganfainberg> topol, and anyone who complains about it is probably wrong
18:15:07 <jamielennox> ah, it's been a while - i can't find the dependant one
18:15:22 <topol> OK, so handle the details via blueprints. Thats cool
18:15:25 <stevemar> dolphm, there are a bunch of sessions marked as unreviewed, should those be considered rejected?
18:15:46 <morganfainberg> topol, yep, it would be silly not to do audit
18:15:57 <dolphm> stevemar: likely, yes - unless i meant to merge something and didn't. i updated the statuses of as few as possible in a flurry right before this meeting
18:15:59 <ayoung> jamielennox, starrring that one...
18:16:13 <stevemar> dolphm, cool
18:16:30 <jamielennox> ayoung: there are a couple in my client list to do with discovery, version-less auth etc
18:16:40 <jamielennox> the one i can't find is version-less endpoints in the catalog
18:16:44 <jamielennox> it should dep on that one
18:16:57 <nkinder_> As an aside, has using gerrit for blueprints been previously discussed at all? (nova started doing this recently)
18:17:13 <lbragstad> I think that led into a discussion about storyboard
18:17:24 <sjcazzol_> I was creating an specification to add quotas for users/projects by domain in the blueprint tenants-users-quotas
18:18:32 <sjcazzol_> what do you think about this blueprint?
18:18:36 <gyee> jamielennox, is the discovery mechanism a standard or something we came up with
18:19:05 <jamielennox> gyee: it's something that is close to standard (which is possibly worse)
18:19:24 <jamielennox> gyee: we forked it from nova - and made changes, other projects either did the same or came up with there own
18:19:43 <gyee> jamielennox, I think TC should take on this one
18:19:49 <sjcazzol_> this blueprint is in the path to get parity on quota management with AWS
18:19:52 <dolphm> nkinder_: yes
18:19:53 <gyee> as it has wider impact
18:20:08 <jamielennox> gyee: i did a spec a while ago https://wiki.openstack.org/wiki/VersionDiscovery
18:20:23 <dolphm> gyee: ++
18:20:32 <jamielennox> gyee: publicised as much as i could and was well received - but who knows if people look at it
18:20:53 <jamielennox> gyee: the problem is no one will change because they all need backwards compat
18:21:12 <dolphm> jamielennox: the only opposition i recall is that there's an IETF draft of something similar?
18:21:21 <jamielennox> or at the very least we need to support older versions pre-changed because we can't afford  to wait for them all to standardize
18:21:28 <morganfainberg> dolphm, really an IETF draft?
18:21:47 <jamielennox> dolphm: not an IETF thing - there's a json-home spec which one of the new projects is using
18:21:51 <dolphm> morganfainberg: well there's a few, but one actually has some traction IIRC
18:21:54 <morganfainberg> ah.
18:22:03 <dstanek> dolphm: url?
18:22:08 <dolphm> #link http://tools.ietf.org/html/draft-nottingham-json-home-02
18:22:13 <dolphm> not sure if that's the latest
18:22:17 <jamielennox> AFAIK no-one is actually converting anything though
18:22:26 <dolphm> jamielennox: thanks, i couldn't remember the name
18:22:51 <dolphm> #link https://github.com/otto-de/jsonhome
18:22:54 <morganfainberg> this is something the TC should weigh in on and specify a direction to take since it needs to be consistent across projects
18:23:04 <dolphm> draft 3!
18:23:05 <dolphm> #link http://tools.ietf.org/html/draft-nottingham-json-home-03
18:23:13 <jamielennox> morganfainberg: i don't disagree - but we can't wait for that
18:23:46 <morganfainberg> jamielennox, we may not be able to wait, but we can at least get that up for consideration with the new TC convening soon
18:23:51 <gyee> jamielennox, wait for a consistent approach, or go alone and risk retrofit later? :)
18:23:52 <ayoung> ++
18:24:15 <morganfainberg> jamielennox, if we have a clear direction, we can figure out where we're headed and how to best get there
18:24:16 <ayoung> gyee, or make keystoneclient own the service catalog and just solve it for everyone
18:24:18 <jamielennox> gyee: this is client side, we are always going to have to support older versions
18:24:25 <gyee> retrofitting protocol is much difficult
18:24:32 <morganfainberg> ayoung, ++
18:24:41 <jamielennox> ayoung: that is the plan
18:24:46 <morganfainberg> ayoung, we should absolutely own the SC in either case
18:24:51 <ayoung> and policy
18:25:11 <jamielennox> if anything this means that at least all discovery should come from one place so it should be easier to convert people later
18:25:11 <dolphm> ayoung lost me -- this doesn't have much to do with the catalog...
18:25:15 <morganfainberg> ayoung, that is a slightly different topic...but don't disagree.
18:25:34 <morganfainberg> ayoung, lets table the policy bit from this convo, it's not directly relevant
18:26:26 <ayoung> sure
18:26:31 <jamielennox> for comparison dtroyer has a similar discovery mechanism in OSC and (i think it's new again) in -SDK
18:26:50 <jamielennox> anything that expects to work across projects is going to have a really bastardized/hacky discovery mechanism
18:27:16 <morganfainberg> jamielennox, ok so i come back to we need the TC to set the direciton then work to get from here to there -- however hacky it is.
18:27:35 <morganfainberg> jamielennox, but making another standard.....
18:27:36 <gyee> morganfainberg, amen, brother
18:27:46 <morganfainberg> jamielennox, wait isn't there an XKCD about standards.
18:27:53 <jamielennox> morganfainberg: right - but that's a future direction. we don't get to wait for interop until the TC makes all projects convert to a standard
18:28:16 <gyee> jamielennox, then what is TC for?
18:28:24 <nkinder_> can't we do both?  Start consulting with the TC, but let them know we need to forge ahead?
18:28:30 <gyee> ceremonial?
18:28:32 <morganfainberg> nkinder_, ++
18:28:34 <nkinder_> we might get at least some early guidance
18:28:36 <jamielennox> i honestly couldn't care less what the format is, we need to get people moving to v3 and that doesn't happen until we can do discovery
18:28:43 <ayoung> lets provide them with a solution
18:28:46 <morganfainberg> nkinder_, i think we can get an answer on where we are doing and work towards it without interop
18:29:07 <nkinder_> yes, we might serve as the model for the standard if we start working with the TC from the outset
18:29:11 <jamielennox> the wiki i linked earlier was the most common elements of nova/keystone/glance etc the older projects
18:29:25 <jamielennox> the projects that were going to find it most difficult to change
18:29:30 <ayoung> I think what jamielennox was driving towards works for the majority of the services. The ones it doesn't work for are one-offs anyway
18:29:41 <ayoung> and will require specific fixes that are not generalizable
18:29:46 <morganfainberg> nkinder_, we should get the TC involved before we get too deep into the impl so we don't end up with yet-another-standard
18:29:57 <dolphm> i suspect nottingham's proposal was at least in part a result of his time spent working in/around openstack
18:30:05 <jamielennox> morganfainberg: this is not creating a standard - it's reacting to existing standards
18:30:38 <ayoung> jamielennox, please make sure the relevant reviews have keystone-core +nkinder set as reviewers
18:30:40 <jamielennox> dolphm: i didn't think he had anything to do with openstack
18:30:55 <morganfainberg> jamielennox, and if we go create an implementation to solve that... without clear direction that this is the way going forward, we have created another "standard" that the new system needs to support
18:31:15 <jamielennox> dolphm: the way i read it it was related to the json-api stuff, but it's been a while
18:31:18 <dolphm> jamielennox: http://www.mnot.net/personal/resume.html
18:31:24 <morganfainberg> jamielennox, i'm not saying don't do the work, i'm saying concurrently involve the TC so we know where we need to eventually land and we don't write ourselves into a corner reacting to the current situation
18:31:25 <topol> would it be worth an email on the mailing list to see if anyone still uses the templated catalog?
18:31:42 <topol> just to do a little cya for us if we pull it?
18:31:45 <morganfainberg> topol, yes. x-posted to operators list as well
18:31:58 <topol> morganfainberg will you handle that?
18:32:17 <morganfainberg> topol, yeah was planning on it once the meeting was done since no one responded to my earlier question
18:32:24 <topol> cool
18:32:31 <dstanek> json-home appears to be a document format - what does that have to do with discovery?
18:32:37 <ayoung> So...we should make a concerted push on all client issues in the lull between now and the summit
18:32:43 <dolphm> morganfainberg: awesome
18:32:45 <morganfainberg> topol, just going to ask for metrics on use not indicate we're trying to remove it.
18:32:52 <ayoung> aside from discovery....thkns for the help thus far on comporessed tokens
18:32:53 <morganfainberg> topol, don't want to induce panic
18:32:58 <jamielennox> morganfainberg: sure, that's what i tried to do with that wiki page - but client still claims compatability with like essex clouds so we are going to have to react to the current
18:33:09 <ayoung> https://review.openstack.org/#/q/status:open+project:openstack/python-keystoneclient,n,z    quite a few there still
18:33:14 <dstanek> it's more about navigating hypermedia to navigate the API - similar to what html provides
18:33:26 <morganfainberg> jamielennox, and thats fine. lets get this on the agenda for the TC first thing and start the work now.
18:33:51 <morganfainberg> jamielennox, we can put some compat stuff in as needed for the old deployments
18:34:23 <ayoung> https://review.openstack.org/#/c/81166/  revocation API needs to be in the client before it is usable.
18:34:34 <dolphm> ayoung: ++
18:34:45 <morganfainberg> ayoung, +++++
18:35:20 <nkinder_> one other topic that would be nice to discuss at the design summit is keystone scalability/performance
18:35:28 <topol> morganfainberg, nice. good to not induce panic.
18:35:40 <ayoung> jamielennox's client patches  https://review.openstack.org/#/q/status:open+project:openstack/python-keystoneclient+owner:jamielennox,n,z
18:35:42 <stevemar> nkinder_, it doesn't do either well atm :(
18:35:42 <dolphm> nkinder_: absolutely, and i'm sure we will
18:35:45 <morganfainberg> nkinder_, that is plan for the POD/Dev Lounge
18:35:46 <nkinder_> I was talking with someone last week who has a large delpoyment, and keystone is the performance bottleneck
18:36:06 <ayoung> https://review.openstack.org/#/c/74599/  that was the heart of the discussion, right?
18:36:07 <jamielennox> ayoung: on the up side that list is the shortest it's been in a while
18:36:07 <nkinder_> Ok, great.  I know the ephemeral token work is a part of it, but it would be good to outline a plan for other areas too
18:36:19 <stevemar> nkinder_, <sarcasm tell them to flush tokens />
18:36:28 <morganfainberg> nkinder_, yep, and expanding caching, working on improving SQL performance etc
18:36:46 <morganfainberg> nkinder_, lots of things to do
18:36:48 <nkinder_> stevemar: that was my first response, followed by reducing the token validity period :)
18:37:01 <bknudson> a rally person was in openstack-keystone the other day discussing how they can post their results for perf tests
18:37:13 <ayoung> nkinder_, do they have any profiling data?
18:37:21 <nkinder_> ayoung: we can get some I'm sure
18:37:27 <ayoung> and are they on anything modern, or is this an essex setup?
18:37:37 <nkinder_> once thing mentioned was scaling across cores (not just for keystone)
18:37:37 <ayoung> (RHOS 4 I assume)
18:37:41 <nkinder_> ayoung: havana
18:37:45 <morganfainberg> bknudson, yeah i want to sync up w/ the rally guys and get that info going in (probably on the checks)
18:38:31 <ayoung> nkinder_, so, is the bottleneck calling Keystone from Horizon (list users etc) or token request and verification?  Are they using UUID tokens?
18:38:37 <ayoung> Or PKI
18:38:57 <ayoung> RHOS4 == Havana for the rest of the team
18:39:15 <morganfainberg> ayoung, ah yes.
18:39:22 <ayoung> 5 will be Icehouse and so on
18:39:40 <nkinder_> ayoung: spinning up hundreds/thousands of new instances at once
18:39:49 <ayoung> interesting....
18:39:50 <sjcazzol_> I would discuss a bp to add quotas for the # of projects/users created by domain
18:39:53 <nkinder_> ayoung: this was >1000 pyhsical systems
18:39:56 <dolphm> #topic open discussion
18:39:58 <morganfainberg> nkinder_, that is not exclusively a keystone issue but it's def related.
18:40:11 <ayoung> scripted?  Are they reusing tokens or getting a new one for each op?
18:40:15 <morganfainberg> nkinder_, we have had similar complaints (smaller hypervisor counts)
18:40:17 <bknudson> I was wondering if we could discuss https://bugs.launchpad.net/python-keystoneclient/+bug/1287301
18:40:19 <uvirtbot> Launchpad bug 1287301 in python-keystoneclient "Keystone client token cache doesn't respect revoked tokens" [Medium,In progress]
18:40:24 <nkinder_> morganfainberg: sure, other areas are problems too (nova scaling across cpus, etc.)
18:40:29 <morganfainberg> nkinder_, yep
18:40:38 <jamielennox> bknudson: looking
18:41:05 <morganfainberg> nkinder_, they were scripted against the API directly but similar issues, adding neutron in causes more pain (due to token issuance insanity)
18:41:07 <ayoung> gyee is gone...he's the one that held up https://bugs.launchpad.net/python-keystoneclient/+bug/1287301
18:41:17 <bknudson> so the proposed fix was, I think, to check both the token cache AND the revocation list
18:41:20 <ayoung> I still don't understand his concern
18:41:25 <ayoung> I think he's wrong
18:41:28 <bknudson> whereas before it was checking only the token cache
18:41:45 <morganfainberg> bknudson, that was my understanding
18:41:55 <jamielennox> bknudson: i was under the impression that became a non-issue
18:41:57 <bknudson> which doesn't seem like a terrible thing to do
18:42:09 <sjcazzol_> I would discuss a bp to add quotas for the # of projects/users created by domain in https://blueprints.launchpad.net/keystone/+spec/tenants-users-quotas
18:42:22 <bknudson> well, the revocation cache and the token cache were changed to have the same timeout
18:42:43 <bknudson> so maybe it is a non-issue?
18:43:17 <jamielennox> sjcazzol_: i think this or something similar has been raised before
18:43:17 <morganfainberg> bknudson, i think it is worth revisiting.
18:43:20 <ayoung> bknudson, yeah, his concern seems ill-=placed.  I PMed him and his response still puzzles me
18:43:29 <dolphm> sjcazzol_: it's open discussion, feel free
18:43:50 <morganfainberg> sjcazzol_, i know there is demand from my company's customers for something like that (when we move to domains)
18:44:13 <ayoung> "If you really want to do it right, get rid of revocation_cache_time and come
18:44:13 <ayoung> up with a lightweight daemon process to listen on the revocation events and update the cache accordingly. Similar to how Certmonger monitoring the certificate status and perform automatic renewal."
18:44:16 <morganfainberg> sjcazzol_, so please :) lets discuss it!
18:44:43 <jamielennox> sjcazzol_: and from memory there are two problems 1 there is no standard quotaing method in keystone or openstack 2. why? users are cheap
18:44:51 <ayoung> sjcazzol_, how are you going to distribute global quotas, and how are you going to enforce?
18:44:51 <bknudson> ayoung: I can see the desire to have some kind of notification... maybe revocation events makes it a non-issue
18:45:00 <morganfainberg> jamielennox, it's project quotas
18:45:03 <ayoung> bknudson, regardless...he's wrong
18:45:03 <morganfainberg> jamielennox, not users.
18:45:14 <jamielennox> morganfainberg: users per project
18:45:22 <morganfainberg> jamielennox, oh wait did i misread it?
18:45:28 <morganfainberg> jamielennox, ah
18:45:32 <jamielennox> users per domain, users per project
18:45:45 <morganfainberg> sjcazzol_, i'm in support of working on a quota of projects per domain
18:45:50 <morganfainberg> sjcazzol, but i don't see a value to users per domain?
18:46:02 <ayoung> bknudson, cache is to keep from doing a validation again, but a revocation event timeout (or revocation list) still needs to be checked.  It doesn't render the cache useless.
18:46:03 <jamielennox> morganfainberg: is it just a billing thing?
18:46:20 <morganfainberg> jamielennox, less billing more they allow anyone to create projects on demand
18:46:25 <nkinder_> I suppose you could prevent someone from adding 1M users that way
18:46:29 <morganfainberg> jamielennox, they would like to limit it because a project can consume a network
18:46:34 <morganfainberg> jamielennox, etc.
18:46:46 <morganfainberg> jamielennox, so you can give them a domain and they get X projects to play with
18:47:10 <gyee> ayoung, you have a question for me, sorry I have a shitty connection here
18:47:15 <morganfainberg> jamielennox, dev, stage, prod, prod2, etc but not 1000 projects
18:47:16 <ayoung> gyee, yeah
18:47:26 <morganfainberg> jamielennox, you can make a policy saying "no don't do that" or you can enforce "you get X projects"
18:47:40 <ayoung> gyee, can you please unblock  https://bugs.launchpad.net/python-keystoneclient/+bug/1287301
18:47:46 <uvirtbot> Launchpad bug 1287301 in python-keystoneclient "Keystone client token cache doesn't respect revoked tokens" [Medium,In progress]
18:47:49 <bknudson> gyee: https://review.openstack.org/#/c/78241/
18:47:53 <ayoung> I think you are wrong in that it does not invalidate the value of the cache
18:48:00 <jamielennox> morganfainberg: fair enough, it'd be nice if this stuff was a bit more generic across openstack
18:48:05 <morganfainberg> jamielennox, yeah
18:48:23 <ayoung> cache in this case will prevent a popen openssl cms call
18:48:25 <jamielennox> morganfainberg: i wouldn't prefer not to have a whole quotaing system within keystone
18:48:27 <gyee> that one doesn't *fix* the problem completely
18:48:31 <bknudson> since https://review.openstack.org/#/c/78241/ is abandoned, may not be able to re-do
18:48:41 <ayoung> and you still want to check that the token is not revoked separate from cached timeout
18:48:51 <morganfainberg> jamielennox, ++ consistent quota system would be nice. but i don't think we have anything like that yet*
18:48:51 <dolphm> jamielennox: is that a +1 for a standalone quota service? :D
18:48:56 <ayoung> we can resubmit in a different reviewid if needs be
18:49:06 <jamielennox> dolphm: i think i +1ed that a while ago
18:49:09 <dolphm> morganfainberg: there is actually an abandoned standalone quota service
18:49:11 <sjcazzol_> morganfainberg, what about to have quotas for user but per project instead of domain?
18:49:13 <dolphm> jamielennox: probably so
18:49:22 <morganfainberg> bknudson we can have infra restore a review
18:49:23 <gyee> ayoung, best we can do is reverse the order between revocation cache and token cache
18:49:31 <ayoung> ?
18:49:36 <dolphm> gyee: reverse the check?
18:49:41 <dolphm> order of checks*
18:49:42 <gyee> dolphm, yes
18:49:44 <ayoung> gyee, that makes no sense
18:49:46 <morganfainberg> sjcazzol_, i don't see a value to limiting the number of users in that regard, what is the value / usecase?
18:49:47 <morganfainberg> sjcazzol_, users are cheap.
18:49:56 <gyee> right now token_cache_time have priority over revocation_cache_time
18:50:05 <ayoung> we pull the token out of memcached first, check against the revocation list second
18:50:10 <gyee> that patch, if implemented correct, will reverse the order
18:50:24 <bknudson> currently we're not checking revocation list if it's in the cache
18:50:25 <gyee> and that's it, but its still not real time
18:50:28 <morganfainberg> gyee, if we hit the cache, no popen call
18:50:45 <morganfainberg> gyee, avoiding popen would be good?
18:50:49 <morganfainberg> gyee, doesn't mean we shouldn't also check revocation list
18:51:24 <gyee> morganfainberg, yes, it's only helpful if token_cache_time is much greater than revocation_cache_time
18:51:32 <morganfainberg> gyee, oh i see, no popen is needed if we check TRL first
18:51:35 <gyee> right now they are both default at 300 seconds
18:51:45 <bknudson> both those cache times are configurable.
18:51:56 <gyee> lemme unblock, but that's just an half-ass solution
18:52:05 <sjcazzol_> morganfainberg, I think it should be to avoid performance issues
18:52:30 <morganfainberg> sjcazzol_, i would argue that limitation is premature optimisation
18:52:40 <gyee> if you want real time check, implement a lightweight process to listen on revocation events and update the cache
18:52:59 <gyee> similar to certmonger
18:53:30 <sjcazzol_> morganfainberg, yes
18:53:31 <morganfainberg> gyee, sure. better solution, but we should make things incrementally better if we can as well.
18:53:53 <jamielennox> gyee: also a standalone service on every machine with auth_token is a big ask
18:54:13 <gyee> jamielennox, no
18:54:22 <ayoung> gyee, you mean thread, right?
18:54:29 <gyee> memcached is usually running in a ring
18:54:32 <morganfainberg> ayoung, thread/process same thing right?
18:54:34 <gyee> you just need one process
18:54:35 <dolphm> jamielennox: on every machine?
18:54:45 <morganfainberg> ayoung, when you involve external (memcache) kvs for the cache
18:54:46 <morganfainberg> ayoung, this isn't in-mem
18:54:47 <sjcazzol_> morganfainberg, also it could be used to charge extra money in case a domain is requesting more users/projects
18:55:01 <ayoung> its like token_flush.
18:55:08 <jamielennox> dolphm: i guess it depends on where memcache is
18:55:22 <jamielennox> but i'm guessing for auth_token it's largely just on the same machine
18:55:24 <gyee> ayoung, can't unblock, patch is abandon
18:55:32 <ayoung> revoation list fetch could easily be done external to the flow, but it would not make a difference.
18:55:33 <gyee> author needs to restore it first I guess
18:55:36 <nkinder_> I'd like to briefly discuss the keystone security info wiki pages while we still have a few minutes (or we can take it to #openstack-keystone afterwards)
18:55:49 <ayoung> gyee, NP.  so long as you agree in principal to the direction, we can create a new review if necessary
18:56:13 <nkinder_> I've added a new security info page for keystone in Juno now that Icehouse has been released
18:56:20 <gyee> ayoung, I don't agree with the current impl, but its some improvement nevertheless
18:56:23 <morganfainberg> sjcazzol_, sure, lets work on figuring out quota stuff and we can implement as many/few quota implements then (argue about the individual ones)
18:56:40 <dolphm> jamielennox: ah, i thought you were referring to another web service
18:56:46 <morganfainberg> nkinder_, awesome!
18:56:49 <nkinder_> I added a new section at the bottom to cover security items that have changed since the previous release
18:56:54 <bknudson> I asked on -infra if https://review.openstack.org/#/c/78241/ could be restored.
18:57:03 <dolphm> gyee: leave a comment that you'll unblock when the author restores?
18:57:04 <nkinder_> https://wiki.openstack.org/wiki/Security/Juno/Keystone#Notable_changes_since_Icehouse
18:57:12 <gyee> dolphm, sure
18:57:35 <nkinder_> We have a few things in progress that I called out there (and the LDAP hashing patch that landed)
18:57:49 <morganfainberg> i hear we might have a new gerrit soon™, and i think cores will be able to restore patches for their project from abandoned
18:57:53 <bknudson> gyee: https://review.openstack.org/#/c/78241/ is restored now
18:57:53 <ayoung> gyee, I think you are caluclating wrong
18:57:59 <dolphm> this showed up at some point:
18:58:00 <dolphm> #link http://junodesignsummit.sched.org/overview/type/keystone
18:58:04 <dolphm> design summit schedule ^
18:58:12 <dolphm> (TENTATIVE)
18:58:24 <ayoung> cache time of 300 starts when token is validated.  Revocation cache time is every 300 regardless.  They do not necessarily align
18:58:25 <dolphm> also, time's up
18:58:28 <bknudson> looks like I don't have to show up until wed
18:58:34 <morganfainberg> bknudson, hehe
18:58:42 <dolphm> bknudson: cross-project tracks tuesday
18:58:45 <morganfainberg> bknudsonm there are cross project things on tuesday
18:58:55 <dolphm> #endmeeting