17:59:35 <dolphm> #startmeeting keystone 17:59:36 <openstack> Meeting started Tue Apr 29 17:59:35 2014 UTC and is due to finish in 60 minutes. The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:59:37 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:59:40 <openstack> The meeting name has been set to 'keystone' 17:59:47 <ayoung> \)/ 18:00:10 <dolphm> i expect this meeting to be mostly open discussion, following an improv session by our special guest stevemar 18:00:23 <dolphm> #topic Design summit schedule 18:00:25 <dolphm> #link http://junodesignsummit.sched.org/ 18:00:27 <ayoung> Compress3ed tokens....review it 18:00:28 <morganfainberg> dolphm, do we get interpretive dance too? 18:00:36 <dolphm> morganfainberg: oh i hope so! 18:00:38 <ayoung> https://review.openstack.org/#/c/71181/ 18:00:48 <ayoung> You know you want it 18:01:12 <dolphm> so most projects are starting to post their design summit schedules to http://junodesignsummit.sched.org/ 18:01:54 <dolphm> it'd be awesome if everyone took this time to look for obvious conflicts between sessions that keystoners should be attending 18:02:03 <ayoung> dolphm, ++ 18:02:38 <dolphm> don't forget to look through the new "cross-project workshops" track as well 18:02:57 <morganfainberg> there are a lot of cross project items that are going to be cool 18:03:04 <lbragstad> #link http://junodesignsummit.sched.org/overview/type/cross-project+workshops#.U1_pS1feRww 18:03:10 <gyee> is there a barbican track or it is rolled into keystone? 18:03:26 <ayoung> Not rolled in 18:03:51 <morganfainberg> this one is an important one for anyone interested in SQLAlchemy, Dogpile, Alembic, etc http://junodesignsummit.sched.org/event/0a0e3cb824a090773c42b67d6ed85d29 18:04:00 <ayoung> The'yll just all be sitting together in the devlounge 18:04:07 <dolphm> gyee: looks like they'll have their own track, but it's not published yet. keep an eye out for it 18:04:16 <dolphm> gyee: their sessions aren't even reviewed yet 18:04:29 <gyee> ayoung, dolphm, seem like there are some integration points we need to discuss 18:04:36 <gyee> keystone and barbican I mean 18:04:51 <ayoung> gyee, ++ 18:05:24 <morganfainberg> gyee, this is something we'll likely just need to catch up in the dev-lounge/podarea/whatever it is 18:05:40 <morganfainberg> gyee, for in-person 18:05:45 <joesavak> dolphm - the "Federation" 2:40p Weds design session is before the 9:50 a summit session "Federated Identity & Federated Service Provider support". I think the summit session would drive attendance to the design session. 18:05:49 <gyee> yes absolutely 18:05:56 <joesavak> summit-session being thurs 18:06:09 <nkinder> gyee: I'm curious about what integration points you have in mind 18:06:27 <gyee> nkinder, like credential management 18:06:45 <gyee> authorization 18:06:54 <nkinder> gyee: using it as the password store? 18:07:01 <stevemar> o/ late 18:07:09 <gyee> nkinder, no, not password store 18:07:19 <gyee> I mean access keys, certs, etc 18:07:21 <morganfainberg> nkinder, credentials, certs, etc 18:07:22 <morganfainberg> gyee, ++ 18:07:26 <dolphm> joesavak: looking... 18:07:28 <stevemar> joesavak, i agree, i was hoping we could switch things around 18:08:02 <dolphm> joesavak: where's the conference schedule? 18:08:02 <joesavak> dolpm - links: design: http://junodesignsummit.sched.org/event/ab0966f5ec41f78e929effd499e0286f#.U1_p4_ldUog summit session: http://openstacksummitmay2014atlanta.sched.org/event/e04ac68f0c98be95f9fcbf2812e44d5d#.U1_qf_ldUog 18:08:17 <joesavak> link: http://openstacksummitmay2014atlanta.sched.org/ 18:08:23 <dolphm> joesavak: thanks 18:10:20 <ayoung> gyee, you saw this: http://junodesignsummit.sched.org/event/9a6b59be11cdeaacfea70fef34328931 18:10:32 <dolphm> would swapping the Federation session with python-keystoneclient session resolve the conference conflict? 18:10:41 <ayoung> We'll need to figure out an identity scheme for the various Queue Sinks and sources 18:10:48 <gyee> ayoung, w00t! 18:10:52 <stevemar> dolphm, i think it would 18:11:18 <ayoung> what is the conflict? 18:11:21 <joesavak> agreed 18:11:22 <gyee> ayoung, lets get certmonger in there, we need a realistic provisioning 18:11:31 <gyee> provisioning process 18:11:39 <ayoung> gyee, ++ 18:11:50 <morganfainberg> gyee, ++ 18:12:03 <dolphm> so python-keystoneclient Wednesday @ 2:40p and Federation Thursday @ 11:50a (with the Federated Identity conference session Thursday @ 9:50a) 18:12:16 <joesavak> dolphm +1 18:12:23 <ayoung> gyee, but certmonger only handles "Here are my certs" we need to figure out the mapping from X509 Cert name constraints to the endpoints and hypervisors etc... 18:12:34 <gyee> we are having the same issue with tripleO with cert provisioning 18:12:53 <dolphm> thursday will be 100% identity then 18:13:06 <gyee> we been told no self-signed certs, but we need a realistic solution, so I am pushing certmonger 18:13:10 <morganfainberg> dolphm, thats a good thing imo 18:13:21 <morganfainberg> dolphm, keeps general focus 18:13:23 <jamielennox> dolphm: do you know if it's possible to reword the session description now it's in? 18:13:34 <dolphm> morganfainberg: ++ and friday is sort of post-auth stuff 18:13:41 <dolphm> authorization & service catalog 18:14:05 <dolphm> err thursday 18:14:10 <ayoung> gyee, do you guys have an API for submitting and retrieving a Cert to a CA separate from the Dogtog one? 18:14:30 <dolphm> no i was right, the 16th is friday :P 18:14:33 <ayoung> If not...we can drive that in Barbican. I think they have a BP for it already 18:14:51 <gyee> ayoung, no, we don't have an agreed approach right now, that's the problem 18:14:57 <gyee> agreed upon 18:15:53 <gyee> ayoung, I am fine with Barbican, so as long as it is consistent 18:16:05 <ayoung> gyee, I'll be prepped to demo certmonger stuff, and we can discuss the wider CA story there. Barbican as a CA front works for me. 18:16:27 <morganfainberg> ayoung, ++ 18:16:28 <gyee> ayoung, ++ 18:16:29 <ayoung> And certmonger<->Baribican makes sense 18:17:06 <nkinder> ayoung: agreed 18:17:11 <dolphm> (assuming no one sees any further scheduling conflicts -- if any arise, ping me ASAP so we can try to resolve them) 18:17:26 <joesavak> thanks dolphm! 18:17:30 <dolphm> #topic Open discussion following improv and interpretive dance by stevemar 18:17:31 <dolphm> stevemar: o/ 18:17:35 <ayoung> gyee, also, I think we'll need to driver the cryptography.py work for CMS, which means accepting a 509, and verifying a signature. That will help both Keystone Client verification as well as the Messaging verification 18:17:51 <dstanek> go stevemar go 18:18:06 <stevemar> i've prepared a table flip 18:18:10 <stevemar> (╯°□°)╯ ┻━┻) 18:18:15 <stevemar> thats all i got 18:18:15 <dolphm> rofl 18:18:16 <gyee> heh 18:18:24 <morganfainberg> Nice. 18:18:26 <ayoung> ヽ(^o^)丿 18:18:45 <joesavak> lol 18:18:48 <dstanek> lol 18:18:50 <morganfainberg> ┬─┬ ノ( ^_^ノ) 18:18:52 <stevemar> serves me right for questioning the agenda 18:18:54 <ayoung> (~_~) 18:19:23 <dolphm> stevemar: damn straight 18:19:36 <dolphm> #link https://review.openstack.org/#/c/71181/ 18:19:50 <ayoung> Review compressed tokens. Please! 18:20:02 <gyee> on it 18:20:40 <ayoung> Compressed tokens will lead to being able to extract the singer info from the token prior to verification, and thus fetching the certs, allowing for multiple providers. 18:22:12 <ayoung> Oh...also, anyone have any real resistance to an addition to the mapping API that says "just pass through the groups as is, don't require an explicit enumeration of them?" 18:22:45 <ayoung> *allowing* explicit enumeration is a good thing, but requiring it leads to duplication of effort for places that don't want or need it. 18:22:50 <morganfainberg> ayoung, do we have the bug/bp to get testing of the examples handy? 18:23:12 <ayoung> morganfainberg, you mean PKI signed tokens? 18:23:27 <ayoung> compressed rather? 18:23:32 <bknudson> ayoung: https://review.openstack.org/#/c/90472/ has a -2 on it but there's no suggestion what to do differently. 18:23:50 <morganfainberg> ayoung, was that one where we wanted to test the example scripts? 18:24:23 <ayoung> bknudson, if the "server" switches from PKI to uuid tokens, the existing tokens that were revoked are still in memcache 18:24:25 <morganfainberg> ayoung, i know we had ~2-3 reviews we wanted to test the example scripts. 18:24:30 <dolphm> ayoung: why is this only Partial-Bug: 1255321 rather than Closes-Bug? 18:24:37 <ayoung> and they went from revoked to unrevoked 18:25:06 <ayoung> yeah, I need to resplit the example scripts...on my list for this week 18:25:59 <morganfainberg> ayoung, ah just want to tag related reviews for tracking on that bug/bp if possible :) that way we can say "no no we're planning on implementing tests" and see what we need to incorporate. that way we don't miss something 18:26:07 <stevemar> but we still don't have anything that tests the example scripts? 18:26:10 <ayoung> dolphm, hmm...good question 18:26:31 <bknudson> ayoung: seems like auth_token always worked that way -- cached tokens aren't checked if they're revoked 18:26:39 <ayoung> that bug is a Server bug, and it needs this patch in order to issue signed tokens 18:26:50 <morganfainberg> stevemar, the plan is to work on that specifically in Juno, tag it to J1 or such so we have a timeline but not require it before. 18:26:56 <morganfainberg> stevemar, that way it's on the radar we have a timeline, but we don't block work 18:27:21 <morganfainberg> and yes, i'll commit to getting that work done if we get down to the wire on it 18:27:52 <morganfainberg> but hopefully i can convince everyone to collaborate on it vs. just waiting till it gets done at the last minute 18:28:18 <ayoung> dolphm, so the client patch is partial, and the Compressed PKI provider would be the other half. I have not yet written it, as it won't pass check until the client is avaialb3e. It is a simple one line difference from the current PKI provider 18:28:58 <ayoung> bknudson, you are correct, but we have a patch going through right now that is attempting to rectify that: let me see if I can find the link 18:29:09 <gyee> bknudson, ayoung, didn't we have the same discussion last week about the other patch which does the same thing? 18:29:24 <ayoung> gyee, heh, yeah 18:29:28 <ayoung> from the other side 18:29:45 <bknudson> gyee: right, that patch merged and now uuid-only setup fails... because there's no revocation list 18:30:27 <bknudson> ayoung: could you post the keystone server changes for compressed tokens so I can try it/ 18:30:28 <gyee> bknudson, I thought that patch is token format independent 18:30:34 <ayoung> bknudson, wilco 18:30:50 <bknudson> gyee: I thought it was too 18:30:54 <stevemar> ayoung, i like the idea of supporting a bunch of group names in mapping, but probably needs to be thought out a bit more, perfect for a side session in the dev lounge 18:31:04 <ayoung> stevemar, ++ 18:31:22 <bknudson> gyee: but if you use uuid tokens you probably didn't pki_setup, so auth_token can't get the revocation list 18:31:36 <ayoung> stevemar, I think we can do ity without an API change, actually, just a change on the enforcement of the rules processing 18:31:41 <gyee> bknudson, ahhhh! I remember now 18:31:51 <bknudson> gyee: and with the change we check UUID tokens against the revocation list 18:31:59 <gyee> there's also a bug about requiring PKI setup even though token format is set to UUID 18:32:12 <stevemar> ayoung, agreed, it might just open a discussion about how to handle domains, and we should get others opinion on that too 18:32:20 <stevemar> s/might/will 18:32:23 <ayoung> bknudson, I('m OK with that. Lets make it as painful as possible for people to stay on UUID tokens! But seriously...I wonder what the right logic is? Maybe check_revocations needs to be configurable. 18:32:24 <bknudson> gyee: so my proposed fix is to allow auth_token to fail to fetch the revocation list 18:32:31 <gyee> stevemar, you mean hierarchical domains? :D 18:32:58 <dolphm> ayoung: it should be Closes-Bug in the client then, we'd track against keystone itself separately 18:33:07 <stevemar> gyee, the old fashioned normal one 18:33:12 <ayoung> dolphm, that makes sense...I'll change 18:33:28 <stevemar> gyee, not those crazy new fangled hierarchical ones 18:33:51 <morganfainberg> ayoung, the bug should be filed against server and client if it needs to be tracked in both places. 18:34:09 <ayoung> morganfainberg, it is 18:34:14 <jamielennox> bknudson: i haven't been following - but that doesn't sound right - why would you need them to fail to fetch the list? 18:34:15 <ayoung> just listed as "affects" 18:34:20 <morganfainberg> ayoung, ah easy then 18:34:21 <morganfainberg> ayoung, yep see it 18:34:22 <jamielennox> bknudson: you can still revoke a UUID token 18:34:31 <gyee> stevemar, I am hungry for a hierarchical in-and-out burger, maybe I'll get one after the meeting 18:34:49 <bknudson> jamielennox: fetching the revocation list fails because there's no PKI certs. 18:35:20 <jamielennox> bknudson: why? all it should need is the CA cert from the server 18:35:47 <bknudson> jamielennox: the server doesn't have a CA cert... if you're using UUID tokens why do you need CA cert? 18:35:58 <bknudson> deployments didn't need it before this change. 18:36:31 <jamielennox> did we not allow UUID token revocations before this then? i was under the impression that we did 18:36:48 <gyee> jamielennox, for UUID, validation is over the network 18:36:57 <bknudson> jamielennox: we did allow it. But we never checked the revocation list for UUID tokens. 18:36:58 <jamielennox> gyee: but we would always allow cachig 18:37:16 <gyee> jamielennox, right, caching is a security tradeoff 18:37:25 <jamielennox> gyee: the revocation list was just a way to remove the UUID token from memcache before it expired 18:37:29 <gyee> security-performance tradeoff 18:38:06 <gyee> jamielennox, if we really want to do it right, have a lightweight process to listening on the events and update the cache accordingly 18:38:23 <dolphm> gyee: i think caching should be a given, but how long you cache for is the trade off! 18:38:36 <jamielennox> gyee: yea, you mentioned that and i've no idea how you architect it 18:38:51 <jamielennox> gyee: really we should have all the auth_tokens listening for notifications from keystone 18:38:54 <gyee> dolphm, absolutely! but that's a decision customer needs to make 18:39:05 <jamielennox> but you can't really do something like that in middleware 18:39:42 <dolphm> jamielennox: why not? 18:39:47 <gyee> jamielennox, what is caching for anyway, if what you wanted is real time validation 18:40:22 <dstanek> i'd be worried if we only listened for revocation events and didn't have a list or something to catchup the process (or validate that is has what it needs) 18:40:28 <jamielennox> dolphm: well it 18:40:43 <dolphm> dstanek: ++ the list is critical, which is why we started there 18:41:01 <jamielennox> dolphm: well it's python you can do almost anything - but would you need to spawn a subprocess or something? because you need a server that can respond to notifications and middleware can't do that 18:41:29 <jamielennox> gyee: i was just under the impression that we used to allow that - i guess we must never have 18:42:13 <dolphm> jamielennox: oh i didn't read "lightweight process" as "subprocess" - i just read that as message listener 18:42:35 <gyee> jamielennox, security and performance is one of those things that will need constant calibrations 18:42:43 <gyee> its not a one size fits all 18:43:05 <gyee> what we can offer is flexibility, really 18:43:10 <jamielennox> dolphm: right - but middleware is only triggered on an incoming request as a wrapper. if we wanted to actually have a listener then that would require a new thread of control that could sit and listen somehow 18:43:37 <bknudson> it could gobble up all the messages when it woke up 18:43:58 <gyee> bknudson, there's no wake up 18:44:07 <bknudson> and if it got too far behind then it'd get the full list 18:44:07 <jamielennox> gyee: there is - per request 18:44:21 <gyee> its a separate process which always listening on the revocation events 18:44:31 <bknudson> amqp? 18:44:44 <dolphm> jamielennox: you should be able to create a listening on __init__, no? 18:44:44 <jamielennox> bknudson: do the queue implementations support that - what if it's getting a request/day 18:44:47 <dolphm> listener* 18:45:04 <gyee> ampq doesn't support pushing? 18:45:13 <dstanek> if you register a callback from a notification won't that callback be executed as the notification arrives and not need a request? 18:45:14 <jamielennox> dolphm: sure - but it still needs to be a thread/subprocess 18:45:20 <gyee> or it is strictly a pull model 18:45:22 <gyee> ? 18:46:09 <jamielennox> dstanek: all this stuff is controlled by an event loop somewhere, we *could* try to get access to that from middleware but that's crossign boundaries 18:47:05 <bknudson> btw -- the way nova works with the default setup is that there's a separate in-memory cache for each "thread" 18:47:32 <dolphm> gyee: both/either 18:47:33 <bknudson> so one thread could have the token cached and it works and another doesn't have the token cached and it fails 18:48:08 <gyee> dolphm, both/either sounds good :-) 18:48:15 <jamielennox> bknudson: is nova handling this differently? 18:48:45 <gyee> bknudson, they have the *option* to use a distributed cache no? 18:48:49 <dolphm> jamielennox: i think he's just referring to auth_token's default in-memory token cache 18:48:58 <dolphm> there's nothing specific about nova in the example 18:49:07 <bknudson> gyee: I'm guessing if they use memcache they'd have consistent results. 18:49:41 <bknudson> memcache for token caching seems like overkill 18:49:57 <morganfainberg> bknudson, heh 18:50:05 <jamielennox> so, does anyone know how the other projects support integrating the HTTP listener event loop with the AMQP event loop? 18:50:12 <jamielennox> i haven't done that 18:50:34 <morganfainberg> jamielennox, not sure. 18:50:40 <jamielennox> does it 'just work' because of socket.select()? 18:50:54 <morganfainberg> jamielennox, it might "just work" 18:51:42 <jamielennox> because in that case we might be able to spawn a listener in __init__ 18:51:51 <bknudson> what project would be listening for amqp events? 18:51:56 <dolphm> bknudson: auth_token 18:52:05 <jamielennox> although then we would have a listener per worker process which is not ideal 18:52:27 <jamielennox> bknudson: ceilometer is the main one i think 18:52:27 <gyee> jamielennox, make it configurable, per process or shared 18:52:59 <morganfainberg> jamielennox, the way the fan-out queues work that would be most correct if auth_token itself was meant to listen for that for a thread-local cache 18:53:21 <morganfainberg> jamielennox, /for a/with a 18:53:27 <ayoung> bknudson, make revocation checking a configurable option is, I think the only solution. 18:53:42 <ayoung> And, no, we are not spawing a separate thread for it. 18:53:53 <jamielennox> morganfainberg: yea because it will be a lot of extra work for a memcache setup to have every listener try to remove a token from the cache 18:53:59 <bknudson> ayoung: ok, I'll take a look at that as a solution 18:55:02 <ayoung> bknudson, the issue is that the server doesn't know if the token format is PKI or UUID, and it doesn't know if it should be looking for revocation events. With PKI, revocation (events or list) is a must have, with UUID, it is a nice-to-have....but with caching, it really should be required 18:55:04 <morganfainberg> jamielennox, depending on the number of workers 18:55:06 <bknudson> ayoung: I might have an option to check revocation list for UUID tokens? 18:55:20 <ayoung> bknudson, there is no way to distinguish 18:55:35 <ayoung> it might have been issued as PKI, but thne the MD5/SHA256 submitted as the token itself 18:55:37 <morganfainberg> 5 minutes 18:55:58 <ayoung> it will be treated as a Keystone lookup....but by the time it gets put in memcahced, that detail is forgotten 18:56:00 <dolphm> morganfainberg: 2? 18:56:08 <bknudson> ayoung: if auth_token gets a MD5 hash of PKI token it typically goes to the server 18:56:28 <morganfainberg> dolphm, maybe the clock here is off then \ 18:56:30 <dolphm> bknudson: why do you need the revocation list for UUID tokens? 18:56:36 <morganfainberg> dolphm, here = my computer 18:56:46 <dolphm> bknudson: you need to validate them online to populate headers anyway 18:56:50 <morganfainberg> dolphm, caching. 18:57:10 <morganfainberg> dolphm, if auth)_token is caching, you don't ask keystone for token validity 18:57:22 <dolphm> morganfainberg: because you already have, and trust that cached data for some duration 18:57:32 <dolphm> morganfainberg: what does that have to do with the revocation list? 18:57:38 <gyee> :-) 18:57:47 <dolphm> (time) 18:57:51 <morganfainberg> dolphm, you could use the revocation list to know if you should trust that token (uuid or not) 18:57:51 <bknudson> the revocation list is cached on a different schedule 18:58:00 <dolphm> #endmeeting