#openstack-meeting log

18:02:00 <dolphm> #startmeeting keystone
18:02:00 <openstack> Meeting started Tue Jul 22 18:02:00 2014 UTC and is due to finish in 60 minutes.  The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:01 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:04 <openstack> The meeting name has been set to 'keystone'
18:02:17 <dolphm> #topic Juno milestone 2
18:02:56 <bknudson> anything that needs to get in for M2?
18:03:01 <dstanek> dolphm: i added a topic to the end - if we don't get to it i won't be heart broken
18:03:04 <dolphm> #info Ensure changes targeted at milestone-2 are gating TODAY
18:03:09 <bknudson> also, is there a keystoneclient release at M2 time?
18:03:12 <dolphm> dstanek: ack
18:03:30 <dolphm> bknudson: no; but i'd like to do a release of keystoneclient and keystonemiddleware both, by coincidence
18:04:13 <dolphm> if there's any reason to block either of those, target bugs/bp's to the next milestone of those projects and i'll follow up
18:04:18 <ayoung> Lets stagger the client changes after M2
18:04:24 <dolphm> keystoneclient 0.10.0 or keystonemiddleware 1.1.0
18:04:35 <dolphm> ayoung: why?
18:04:45 <morganfainberg> dolphm, ++ on the release of both of those
18:04:56 <ayoung> dolphm, one thing at a time...and I'm hoping to still get the revocation events in
18:05:15 <ayoung> I'd just suggest getting J2 cut first
18:05:31 <dolphm> ayoung: that'd be nice, but i'd also pull the trigger on 0.11.0 in a heartbeat to get that out if it was delayed beyond 0.10.0
18:05:40 <ayoung> dolphm, fair enough
18:05:47 <morganfainberg> ayoung, i'd argue that the moment rev. events land we can justify a rlease
18:05:47 <dolphm> ayoung: and yeah, j2 is a bigger deadline for us
18:06:04 <dolphm> lbragstad's api validation patch gated, but there are follow up patches to start utilizing that stuff
18:06:15 <morganfainberg> ayoung, this is the reason we split out the middleware :)
18:06:37 <dolphm> i'd like to have it marked as Implemented today though, so let's get as much as we can in, and then do the rest in j3 as follow up (wishlist bugs to add validation in different places?)
18:06:38 <lbragstad> the meat of the following on patches are in the catalog and assignment apis
18:06:47 <morganfainberg> dolphm, works for me.
18:07:15 <morganfainberg> this also means i can use it for validating the token format .. woo
18:07:19 <dstanek> i think lbragstad's patches will be easy to get into merging shape
18:07:30 <dolphm> lbragstad: last i looked, it appeared that you could do more parallelization among those patches (they don't need to be deps?) ... is that true?
18:07:37 <dolphm> dstanek: ++
18:07:38 <lbragstad> yes
18:07:44 <lbragstad> they no longer need to be linear
18:07:59 <dolphm> lbragstad: can you get them split apart then? we should be able to merge more+faster that way
18:08:06 <lbragstad> so they can be working in parallel and I don't have to spam the channel every time I change the assignment validation patch :)
18:08:19 <lbragstad> dolphm: yep, I can do that
18:08:23 <morganfainberg> lbragstad, but... that was fun
18:08:25 <morganfainberg> :)
18:08:28 <dolphm> lbragstad: thanks :)
18:08:29 <dolphm> #topic Renaming the OpenStack Identity program to the OpenStack TripleA program
18:08:34 <lbragstad> thanks for all the review!
18:08:51 <dolphm> so, i've had smaller conversations on this topic, and i think it's time to bring this to a larger audience
18:08:55 <ayoung> AAA?  Authentication, Authorization and Audit?\
18:09:00 <morganfainberg> ayoung, yep.
18:09:01 <dolphm> ayoung: ++
18:09:02 <dolphm> #link https://review.openstack.org/#/c/108739/
18:09:15 <morganfainberg> ayoung, which also implies we push for policy (both the rules engine and otherwise)
18:09:15 <dolphm> this is a change to the openstack/governance repo to tweak our program's defintition ^
18:09:29 <morganfainberg> ayoung, when / as they graduate.
18:09:44 <ayoung> 'Call AAA.  We'll help when you crash."
18:09:56 <gyee> rather small A for authorization as it still done at the services
18:10:01 <dolphm> so there's two meaningful changes proposed there...
18:10:01 <topol> dolphm, all for it!!!
18:10:02 <bknudson> we're always the first thing to fail so that's how it works
18:10:08 <ayoung> gyee, nope, we'll own that too
18:10:13 <dolphm> one is renaming the program to TripleA (authentication + authorization + audit)
18:10:16 <ayoung> policy enforcement in keystonemiddleware
18:10:26 <dolphm> which i think better reflects the program's maturity and long term scope
18:10:37 <ayoung> Works for me
18:10:38 <dolphm> and then there's the move of pycadf from oslo to tripleA
18:10:55 <morganfainberg> good starting place.
18:11:00 * morganfainberg is in support.
18:11:09 <dolphm> is anyone here opposed to either of those changes? concerns?
18:11:12 * topol is also in huge support
18:11:14 <gyee> AaA sounds good
18:11:18 <ayoung> what about Congress?  Are we going to break the news to them that they can't have policy?
18:11:22 <morganfainberg> gyee, will be TripleA
18:11:26 <gyee> :)
18:11:28 <dolphm> ayoung: does that still exist?
18:11:44 <morganfainberg> ayoung, if they get that far, i would make a move to pull them into TripleA
18:11:44 <topol> are they still in session???
18:11:55 <dolphm> commit 6 days ago: https://github.com/stackforge/congress
18:11:57 <dolphm> i basically forgot about it
18:12:08 <topol> me too. congress has been quiet
18:12:14 <morganfainberg> ayoung, but afaict they are very very much off in the "figuring how things work"
18:12:49 <ayoung> morganfainberg, they are looking to do things outside of what we consider policy as well.  I suspect they are looking to be a general "here's how you do Rules based stuff" project.  Half of what we get from oslo, and half stealing from each of the other project;  Firewall rules are policy to Congress as well.
18:13:03 <dolphm> it should go through a graduation process on it's own; if there's clear demand/support for it, i think it would fall under the tripleA umbrella. but it shouldn't be fast tracked or grandfathered into an 'integrated' status
18:13:13 <bknudson> if audit is part of keystone then congress can work on keystone
18:13:15 <morganfainberg> ayoung, that wouldn't be a good service/program on it's own.
18:13:18 <ayoung> Weekly on Tuesdays at 1700 UTC, e.g. Feb 25, 2014
18:13:34 <topol> so if someone needs pycadf but doesnt need all of keystone that is still possible correct?
18:13:42 <dolphm> ayoung: that's right after this
18:13:45 <morganfainberg> ayoung, but I still don't see it as being a huge blocker for them joining this program if they figure things out
18:13:45 <ayoung> topol, should be.
18:13:50 <morganfainberg> topol, correct, it would stay a separate lib
18:13:54 <dolphm> topol: pycadf would still stand on it's own
18:14:06 <dolphm> topol: it's core team would just change from oslo core to keystone core
18:14:14 <topol> thats would be the only issue folks might bring up
18:14:23 <dolphm> so we'd be adopting keystone-specs for pycadf, for example
18:14:35 <ayoung> actually, according to World Clock it is 1700 UTC right now, I think.
18:14:39 <ayoung> 1715
18:14:59 <celttechie> Just FYI:  Congress just finished up a meeting and they were talking about joining with Tetris too.
18:15:16 <dolphm> ayoung: oh; i'm definitely wrong. but it's 1815utc according to google :P
18:15:22 <morganfainberg> celttechie, tetris?
18:15:27 <stevemar> theres going to be a good amount of confusion about the renaming
18:15:34 <dolphm> celttechie: tetris?
18:15:40 * jamielennox arrived late and has never heard of half these terms
18:15:52 <dolphm> stevemar: with tripleO? or just between identity/triplea
18:16:00 <morganfainberg> stevemar, probably not, rename wouldn't affect the code-name, just the program name: OpenStack Identity -> OpenStack Authn/Authz/Audit
18:16:01 <stevemar> dolphm, the latter
18:16:16 <stevemar> morganfainberg, ahhh OK
18:16:16 <morganfainberg> stevemar, and most people know the code name more than anything else
18:16:24 <bknudson> we'll have to change the identity API to tripleA API
18:16:30 <dolphm> stevemar: anywhere we can solve for? s/identity-api/triplea-api/ ?
18:16:50 <stevemar> morganfainberg, thought we were changing the codename to triplea
18:16:50 <ayoung> bknudson, I think we leave it as the identity API
18:16:55 <morganfainberg> stevemar, nah.
18:17:00 <stevemar> i caught up with the train now
18:17:01 <morganfainberg> stevemar, that would be silly
18:17:07 <stevemar> agreed
18:17:19 <gyee> AAAAPI
18:17:20 <ayoung> bknudson, we might want to cut it into smaller chunks in the future;  each of the A's deserves its own API
18:17:22 <morganfainberg> ayoung, i'd 301 the references
18:17:33 <dolphm> ayoung: that just sounds terrible
18:17:45 <morganfainberg> ayoung, because we are more than just "Identity" api, but something to discuss
18:18:03 <dolphm> AAAAPI
18:18:03 <lbragstad> so, we would have and Identity API that is implemented in TripleA?
18:18:11 <dolphm> gyee: i just understood your joke.
18:18:20 <lbragstad> I feel like that would be confusing
18:18:37 <bknudson> our meetings will get very noisy as we yell aaapi
18:18:53 <dolphm> lbragstad: well, it'd be the identity/tripleA API being implemented by Keystone
18:19:00 <stevemar> bknudson, you missed one aaaapi
18:19:07 <bknudson> aaargh
18:19:10 <dstanek> would it be too much if we did have a few different named APIs? identity-api, audit-api, etc
18:19:20 <lbragstad> that's an idea
18:19:25 <morganfainberg> dstanek, no wouldn't be a bad thing
18:19:30 <dolphm> authentication-authorization-audit-programming-interface
18:19:36 <dolphm> that works too
18:20:07 <ayoung> Dolph, if we split of the IdP, that would be the AuthN  API.  Current Keystone API would be AuthZ.  Audit is its own thing.
18:20:21 <dolphm> so, i think we have a todo list of action items to produce (possibly renaming repos, etc), i'll start an etherpad...
18:20:23 <morganfainberg> ayoung, sounds right.
18:20:25 <bknudson> authentication-authorization-audit-roles-groups-hierarchy
18:20:31 <ayoung> current API minus the stuff that went to Idp, like user management
18:20:44 <morganfainberg> dolphm, repo renames are fairly easy.
18:20:53 <jamielennox> does this all happen within the standard v3 api?
18:21:02 <dstanek> a³pi
18:21:09 <ayoung> ThreePI
18:21:27 <dolphm> #link https://etherpad.openstack.org/p/Identity-to-TripleA
18:21:30 <morganfainberg> ayoung, c3po?
18:21:34 <ayoung> jamielennox, nah, I'd suggest we leave things along until we need to bump a version
18:22:24 <lbragstad> morganfainberg: yeah, that's how I saw it too
18:22:54 <ayoung> When we are ready to split IdP off into its own, we can deal with it then.  I'd aregue that the whole thing stays in the identity API repo, just be 3 "core" apis.  We can even version each of them 4.0  if we need to keep the number straight
18:23:16 <gyee> ayoung, yeah, we'll have a split repo by then
18:23:44 <morganfainberg> ayoung, lets not even talk about 4.0 here :P
18:23:57 <dolphm> alright... let's move on :P
18:24:12 <dolphm> i added a few things to the etherpad to get started; feel free to add things like repo renames
18:24:36 <ayoung> morganfainberg, its OK,  termie started on 5 a while ago
18:24:49 <dolphm> uhh, there's just a couple blueprints & reviews on the agenda: jamielennox bknudson - did ya'll want those to be #topics?
18:25:22 <bknudson> For mine I just wanted to mention that it's making progress
18:25:25 <jamielennox> dolphm: don't mind, just want to get some discussion/general approval of ideas
18:25:39 <dolphm> jamielennox: bknudson: okay, then let's hit them in order
18:25:39 <bknudson> and if you want to see it in action check it out and curl -H "Accept: application/json-home" http://localhost:5000/v3 | python -mjson.tool
18:25:44 <dolphm> #topic Auth Specific Data
18:25:50 <dolphm> #link https://review.openstack.org/#/c/107325/
18:26:08 <jamielennox> The main thing that's come up for this one is what to do about already scoped tokens
18:26:22 <bknudson> 2 specs for the price of 1
18:26:26 <gyee> jamielennox, horizon folks would love that
18:26:37 <jamielennox> i like the idea that if you are already project scoped you shouldn't receive a list of other projects that you can scope to
18:26:40 <gyee> right now they are parsing policy files on their own
18:26:47 <jamielennox> but i don't know if it's doable given default_project_ids
18:27:20 <jamielennox> related i cleaned up https://review.openstack.org/#/c/108071/
18:27:31 <jamielennox> but i don't know if that's a viable alternative
18:27:34 <dolphm> jamielennox: side note, maybe we need a "scope": null or something in an auth request to explicitly request an unscoped token?
18:27:38 <dolphm> would be a separate bp
18:27:47 <ayoung> I wonder if we really need  those.  What if enumerating projects and domains could only be done with an unscoped token. Like, ever?
18:27:55 <dolphm> that'd also mean we need to support unscoped tokens forever
18:28:06 <dolphm> rather than having a higher level of explicit scope
18:28:10 <gyee> why does unscoped token need service catalog?
18:28:13 <ayoung> If the token is scoped to a project, then that scoped token can only see that project.
18:28:21 <gyee> you have the identity endpoint to begin with
18:28:24 <ayoung> Unscoped Tokens Forever!
18:28:25 <jamielennox> dolphm: see review https://review.openstack.org/#/c/108071/
18:28:28 <dolphm> gyee: that's the next agenda item; hold up
18:28:45 <dolphm> jamielennox: ha
18:28:59 <jamielennox> unscoped tokens are kind of necessary given that we currently say a token has only one scope
18:29:12 <jamielennox> i don't know how far we can get away from that with PKI tokens
18:29:25 <ayoung> dolphm, we can replcae "unscoped"  with "scoped to Keystone"  so long as it is considered the root scope, and can only be used with Keystone.
18:29:48 <ayoung> Just that we call them unscoped today.  Session tokens are another possibility, and we could lump all of the concepts together
18:29:49 <jamielennox> ayoung: right, this came up before that an unscoped token was really a keystone scoped token
18:30:05 <jamielennox> and the next blueprint about adding a service catalog is really just a cheap way of handling thta
18:30:17 <ayoung> A token granting Token, if you will.....
18:30:39 <gyee> kerberolize Keystone
18:30:48 <dolphm> ayoung: less lumping please
18:31:22 <morganfainberg> dolphm, i like my token texture creamy, not lumpy
18:31:33 <gyee> heh
18:31:44 <ayoung> dolphm, I'm willing to discuss the issues separately, but it might be that we want to have both concepts linked in the same new token format.  Mostly this is to support Horizon and comparable use cases
18:32:12 <jamielennox> so if we can get ?unscoped=true into /auth/tokens then it might make sense that /auth/projects will only response to unscoped tokens?
18:32:26 <dolphm> ayoung: i'd rather have a gradual evolution than a "new format"
18:32:34 <jamielennox> 1st step on the path to getting rid of default_project_id
18:32:58 <bknudson> I'd think the token would have "scope": null
18:33:03 <bknudson> or "scope": {}
18:33:06 <bknudson> the auth request
18:33:08 <dolphm> bknudson: ++
18:33:24 <jamielennox> ok
18:33:37 <dolphm> let's save that for an identity-api discussion; jamielennox / ayoung: cut the API details from the spec :)
18:33:46 <dolphm> i'm +A on the direction though
18:34:04 <dolphm> #topic Unscoped catalog
18:34:09 <ayoung> bknudson, yeah, that sounds right.  And in the future, we could make that scope: {"endpoint": <keystone> }
18:34:11 <bknudson> the problem description makes sense... if you really want an unscoped token you can't get one
18:34:19 <dolphm> #link https://review.openstack.org/#/c/107333/
18:34:25 <ayoung> so I think the unscoped catalog does not need to be in nthe token itslef, just in the response to getting the token
18:34:56 <ayoung> the client will use the result, but only Keystone should be able to validate/accept the token
18:34:56 <gyee> why catalog for unscoped token? use case?
18:35:04 <bknudson> seems odd that we were able to survive all this time without a catalog in an unscoped token
18:35:16 <dolphm> ayoung: why not just return a catalog in response to an unscoped token + GET /v3/catalog ?
18:35:26 <jamielennox> gyee: essentially the point is to make the flow the same as regular tokens
18:35:37 <topol> good plan
18:35:45 <dolphm> bknudson: yeah, i'd like to better understand the use case here..
18:35:45 <jamielennox> gyee: at the moment you  have to mangle unscoped URLs so that they include the auth_url
18:36:16 <gyee> auth_url is the same regardless
18:36:32 <jamielennox> that becomes somewhat harder with auth plugins where they don't need to provide you the auth_url in the same way
18:36:33 * gyee still confused
18:36:36 <bknudson> clients are going to have to handle tokens without catalogs anyways since they have to support old versions of keystone
18:36:47 <jamielennox> bknudson: right
18:37:09 <dolphm> jamielennox: so you basically just want to return the auth_url in something that looks like a catalog because it's too hard to use the auth_url that was originally requested, which you'll have to continue doing anyway for backwards compatibility?
18:37:49 <gyee> there's only one auth_url right?
18:37:52 <jamielennox> dolphm: ideally i'd return the identity endpoints and let the client do the same discovery on them that it would do for a scoped token talking to keystone
18:37:58 <gyee> one that client need to know anyway
18:38:31 <jamielennox> but essentially yes, it's kind of housekeeping in that it's something that i've always found has broken the flow of working with tokens
18:39:16 <dolphm> jamielennox: but you'll still need to support both flows... forever
18:39:22 <dolphm> jamielennox: so you're adding complexity for zero gain
18:39:46 <gyee> sound like a "zero" gain for me
18:40:32 <jamielennox> dolphm: you'd still have to support it, i guess it's just a better feeling workflow
18:40:37 <bknudson> For the server, it sounds like it's easy to implement.
18:41:04 <dolphm> bknudson: it's easy on both sides... but there's no payoff
18:41:25 <jamielennox> especially because for unscoped tokens the fallback looks like: https://review.openstack.org/#/c/104771/9/keystoneclient/v2_0/tokens.py
18:41:58 <bknudson> there's really only a few things you can realistically do with an unscoped token
18:42:04 <bknudson> how about have an "unscoped" client?
18:42:06 <jamielennox> essentially let's try to perform this operation in the normal way and if that didn't work it must be because we have an unscoped token so try again with the auth_url
18:42:17 <dolphm> jamielennox: i don't think your auth.AUTH_INTERFACE is going anywhere healthy either
18:42:18 <bknudson> rather than trying to support unscoped tokens in the regular client lib
18:42:47 <jamielennox> bknudson: i think that might be what generic was originally for
18:43:12 <ayoung> jamielennox, the logic could also be "if there is no service catalog, generate one from the auth url"
18:43:24 <dolphm> jamielennox: it seems the auth plugin should be able to work with an auth_url to generate an unscoped token; it never needs any other endpoint. similarly the session never needs the auth_url, just scoped catalogs
18:43:25 <jamielennox> ayoung: that's what the AUTH_INTERFACE is
18:43:32 <ayoung> with auth_url becoming an implicit admin interface
18:43:42 <dolphm> something is crossing boundaries here, but i'm lost as to what it is
18:43:46 <ayoung> jamielennox, I know, I've been using that ccode for the last ...well since you wrote it
18:43:57 <dolphm> ayoung: auth_url is NOT an "admin" interface. at all.
18:44:11 <ayoung> dolphm, once you have an unscoped token, where can you use it?
18:44:16 <dolphm> ayoung: the auth_url
18:44:48 <dolphm> ayoung: you haven't finished the full authN/Z flow yet - so you're still confined to the auth_url.
18:44:49 <jamielennox> dolphm: the only way i can see that working is that auth plugins should be different for scoped and unscoped tokens
18:45:35 <jamielennox> as in all tokens that accept a credential should only be scoped and then there is only 1 way to rescope
18:45:49 <jamielennox> only be unscoped
18:45:52 <dolphm> jamielennox: let me back track on myself; i do think the session should be aware of the auth_url so that it can handle rescoping as necessary - agree?
18:46:18 <jamielennox> dolphm: no, why would the session want to know auth_url - that's plugin specific
18:46:33 <jamielennox> you can have 1:M session:plugin
18:46:40 <dolphm> jamielennox: i see the circle we're in now :)
18:48:05 <dolphm> jamielennox: can we pick this up after the meeting?
18:48:11 <jamielennox> dolphm: sure
18:48:34 <dolphm> #topic JSON-Home progress
18:48:35 <dolphm> bknudson: o/
18:48:40 <dolphm> #link https://review.openstack.org/#/c/103983/
18:48:48 <bknudson> just wanted to mention that it essentially works, for v3
18:48:53 <bknudson> so if you want to try it
18:48:54 <dolphm> bknudson: this must be your biggest patch ever?
18:49:04 <bknudson> curl -H "Accept: application/json-home" http://localhost:5000/v3 | python -mjson.tool
18:49:15 <bknudson> it's mostly data
18:49:26 <bknudson> also, there's a lot of duplication
18:49:40 <bknudson> removing the duplication will be quite a bit of work
18:49:55 <bknudson> because it will essentially mean going up a level of abstraction in the routers...
18:50:05 <dolphm> if anyone is interested, i just checked it out and called it: http://pasteraw.com/4ozb5otuj2bjf9tcvok9q8uolqa2qhh
18:50:14 * topol pretty sure bknudson can handle refactoring :-)
18:50:40 <bknudson> where the routers are doing mapping.add_route they should be doing some kind of self._add_resource() that has more info.
18:50:53 <bknudson> so, that was about it.
18:51:00 <bknudson> thinking about how to rewrite the clients to use it...
18:51:08 <dolphm> bknudson: COOL.
18:51:11 <jamielennox> bknudson: yea that's tough
18:51:15 <morganfainberg> thats cool to see
18:51:25 <bknudson> essentially the client would have to fetch the json-home doc, then they'd be able to get the URL from JSON-Home
18:51:29 <bknudson> rather than building the URL themselves
18:51:42 <dolphm> bknudson: i see a couple bugs :P
18:51:44 <morganfainberg> bknudson, that makes sense from a workflow
18:51:57 <morganfainberg> but yeah it's got some oddities
18:52:25 <bknudson> ok. early feedback would be nice.
18:52:36 <jamielennox> bknudson: can json-home handle the standard /v2 or /v3 discovery we do now?
18:52:42 <bknudson> jamielennox: yes...
18:52:51 <bknudson> I've only got it for /v3
18:52:51 <dolphm> is /v3/role_assignments/{role_assignment_id}  actually a thing ?!
18:53:13 <bknudson> but essentially GET / would return all v2 and v3 resources
18:53:19 <dolphm> that's totally not documented if so, and role_assignments should not have IDs
18:53:19 <ayoung> bknudson,  V3ExtensionRouter(ExtensionRouter):  should be in keystone/routers, not in common/wsgi.py
18:53:31 <bknudson> v3 resources are like http://docs.openstack.org/identity/rel/v3/users
18:53:45 <bknudson> and v2 resources would be like http://docs.openstack.org/identity/rel/v2.0/users
18:53:45 <dolphm> bknudson: i don't know that we'd get much payoff from adding this to v2
18:54:09 <ayoung> Or is every router now becoming an V3ExtensionRouter....
18:54:11 <jamielennox> dolphm: it's so we would have to do vereion discovery lookup and then json-home lookup as well
18:54:11 <bknudson> dolphm: y, I think the payoff would be if we wanted to use this for "version discovery"
18:54:12 <dolphm> ayoung: V3ExtensionRouter belongs in wsgi imo
18:54:23 <dolphm> ayoung: it's wsgi framework code
18:54:38 <jamielennox> s/would/wouldn't
18:55:06 <ayoung> I think all of the lookup/discovery stuff is starting to call for some sort of caching/bookmark story
18:55:07 <dolphm> bknudson: +1 for responding to json-home on / but do you need to provide *every* v2 resource there?
18:55:15 <jamielennox> it means is it a change to discovery or a change to client
18:55:20 <dolphm> are we going to bother revving the v2 client to acknowledge all that data?
18:55:44 <morganfainberg> dolphm, do we need the v2 client to?
18:55:57 <jamielennox> ayoung: discovery caches on the session and on the auth plugin
18:56:10 <bknudson> at least for the public interface there aren't many v2 resources
18:56:14 <morganfainberg> can we let the v2 client just kind of... do it's thing?
18:56:42 <ayoung> jamielennox, I'm not certain that will work for CLI and Horizon use cases, unless we have "persist and restore session to keyring"
18:56:45 <jamielennox> yea, i don't mind if json-home doesn't say anything at all about v2 resources
18:56:57 <jamielennox> just if /v2 and/or /v3 exist
18:57:07 <bknudson> well, it sounds like v2 isn't that interesting to people so I'll focus my time on cleaning up the current change
18:57:16 <dolphm> morganfainberg: IncompletePreposition: 'to' (i don't know what you're asking)
18:57:21 <gyee> bknudson, does it work with extensions?
18:57:32 <gyee> nm, I see it
18:57:33 <bknudson> gyee: yes, it works with extensions (the v3 work does)
18:57:36 <jamielennox> ayoung: yea CLI is a problem, serializing the session and auth plugins is something i've known about but haven't been asked for yet
18:57:47 <morganfainberg> dolphm, bother acknowledging the json-home stuff
18:57:52 <dolphm> bknudson: +++
18:58:34 <bknudson> ok, thanks for the feedback.
18:58:58 <ayoung> jamielennox, I think I am going to be hitting that in Horizon here shortly.  People are using the tokenid as the session persistance.  But if there is discovery that went on, we'll want that remembered, too.  And not every Horizon session should have to do the full discovery dance
18:59:31 <dolphm> hrm we're out of time with two things left on the agenda
18:59:52 <gyee> continue in #openstack-keystone
19:00:15 <dolphm> actually, is there an infra meeting today? or can we run long? jeblair? mordred?
19:00:59 <morganfainberg> dolphm, there is also OSCON stuff going on
19:01:38 <jeblair> dolphm: go for it
19:01:40 <topol> do we stay here or hop?
19:01:55 <dolphm> jeblair: are you having a meeting today?
19:01:57 <topol> alright. stay until we get bumped and glared at :-)
19:02:06 <gyee> k :)
19:02:20 <dolphm> jeblair: if we run long it'll be like 20 minutes
19:02:33 <dolphm> jeblair: or we can just switch to -keystone
19:02:36 <bknudson> gyee: would X.509 client cert auth benefit from a mapping?
19:02:41 <topol> we have our own channel... why grovel for breadcrumbs??
19:02:53 <gyee> bknudson, it could
19:02:54 <morganfainberg> lol
19:03:05 <gyee> but we don't have the plumbing in place for that kind of stuff yet
19:03:14 <gyee> ideally, everyting should go through mapping
19:03:16 <bknudson> I like federation then
19:03:18 <topol> keystone is no longer living in a van by the river
19:03:29 <morganfainberg> topol, shhh don't tell anyone
19:03:30 <dolphm> #topic X.509 SSL Client Certificate Authn
19:03:31 <morganfainberg> :P
19:03:43 <gyee> we'll need to make significant changes to the federation plumbing to make that happen
19:03:53 <gyee> right now it only works for saml2
19:03:55 <jamielennox> significant?
19:03:59 <gyee> yes
19:04:01 <bknudson> hopefully those changes to the plumbing will make it more flexible
19:04:16 <bknudson> I think this is what we wanted from the beginning.
19:04:18 <jamielennox> how does it change from the current 'map this httpd header to this attribute'
19:04:34 <jamielennox> and i agree anything it doesn't currently cover it should
19:05:08 <dstanek> gyee: i think it will be less work than you think and there is already movement toward making it more generic
19:05:40 <gyee> yes, I think we can make it generic
19:05:50 <gyee> only question is time and effort
19:05:56 <kwss> I'd like to know what is happening towards this :)
19:06:13 <bknudson> gyee: btw the spec looks great
19:06:17 <gyee> 1) change federation plugin to make it generic
19:06:23 <gyee> https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L242
19:06:34 <jamielennox> so i guess the interesting part of this would be how does it fit in with /identity_providers/{idp}/protocols/{protocol} ?
19:06:37 <gyee> 2) change the saml2 plugin to make it generic
19:06:45 <gyee> 3) make token issuance a pipeline
19:07:17 <gyee> jamielennox, it would be an x.509 provider
19:07:18 <dstanek> there is a code review somewhere to rename saml2 to something else - it really isn't saml2 specific IIRC
19:07:32 <bknudson> if federation was used then would you have to use an apache module?
19:07:48 <gyee> bknudson, yes
19:07:50 <kwss> https://review.openstack.org/#/c/104301/
19:07:51 <jamielennox> gyee: but it doesn't map to an idp id was my though
19:08:06 <gyee> you still need apache to do the heavy lifting in validating and parsing the cert
19:08:06 <dstanek> bknudson: you wouldn't have to because the vars are pulled from the environment
19:08:46 <bknudson> does it work through an SSL terminator?
19:08:48 <dolphm> kwss: can you take the term 'reegineered' out of that spec? it scares people and it's so vague that any spec could be prefixed by 'reegineered-*'
19:08:50 <jamielennox> dstanek: apache is still needed to populate those environments though
19:09:15 <kwss> dolphm, sure, what do you think it should be changed to?
19:09:36 <dstanek> jamielennox: using federation does not require it though - you may need an apache module for a specific protocol though
19:09:42 <dolphm> kwss: something specific and succinct that describes the problem
19:09:45 <morganfainberg> bknudson, i don't think it would work through an SSL terminator
19:09:59 <gyee> bknudson, SSL has to be terminated at Apache
19:10:23 <kwss> dolphm, something like generic-federation-plugin?
19:10:38 <dolphm> kwss: that's a step better
19:10:50 <jamielennox> standard-mapping
19:11:02 <gyee> so we all agree to kill the x.509 cert auth plugin in favor of a generic federation layer?
19:11:18 <gyee> or do the plugin now and then work on generic federation?
19:11:45 <bknudson> gyee: I prefer federation
19:12:07 <dstanek> gyee: i think that's the right path
19:12:08 <gyee> with federation, we can get rid all the remote user auth plugins too
19:12:28 <gyee> external auth can also use the same framework
19:12:32 <kwss> bknudson, I agree, as it then ties in with adding keystone-to-keystone, open idc etc
19:13:13 <bknudson> gyee: so is there still a "support X.509" or is it just "make federation more generic"
19:13:24 <dolphm> bknudson: ++
19:13:54 <gyee> bknudson, we still need x.509
19:14:17 <bknudson> ok, just wondering if x.509 needed something in addition to generic federation
19:14:19 <gyee> but now it has a dependency on making federation more generic
19:14:41 <gyee> instead of a standalone plugin
19:15:09 <dolphm> gyee: i'm lost on how x509 support is not a plugin either way?
19:15:30 <gyee> dolphm, with generic federation, it would become an identity provider
19:15:56 <gyee> saml2 auth plugin will be part of the token pipeline
19:16:53 <gyee> only problem is making generic federation work, we are probably looking at K and beyond
19:17:17 <dstanek> gyee: do you know what doesn't work?
19:17:22 <gyee> since the changes are quite significant
19:17:27 <bknudson> we seem to have a lot of people interested in it
19:17:38 <dolphm> gyee: ^ does a spec exist that describes the gaps your looking at?
19:17:46 <dolphm> you're*
19:18:03 <gyee> dolphm, I think David and kwss have a spec
19:18:11 <gyee> kwss, you have the url?
19:18:42 <kwss> It's this one, but I think it still needs work https://review.openstack.org/#/c/104301/
19:19:31 <kwss> Can I rename a spec or do I need to make a fresh one?
19:19:40 <dolphm> kwss: iterate on this one
19:19:49 <dstanek> when we talked about this at the hackathon i got the impression that it really wasn't that bad
19:20:16 <gyee> dstanek, you mean the refactoring part?
19:20:23 <dolphm> dstanek: kwss's spec is fairly straight forward
19:20:38 <dstanek> gyee: making the mechanism more generic
19:20:45 <kwss> dstanek, I thought it was just a case of renaming the saml2 plugin to something generic and calling the correct code to manage extraction of assertion data
19:20:55 <dolphm> kwss: gyee: but that doesn't describe the relationship between x509, the mythical token pipeline that we've mutilated, and federation
19:21:04 <dstanek> the real work would be in whatever other identity providers you have to make
19:21:22 <gyee> dolphm, lemme work off kwss's spec
19:21:38 <gyee> a diagram or two probably will make things better
19:21:44 <dolphm> gyee: keeps specs narrow and focused!
19:22:00 <gyee> but its a "generic" spec :)
19:22:09 <dolphm> so anyway
19:22:09 <dolphm> #topic Python 3 temporary solutions
19:22:12 <dolphm> dstanek: o/
19:22:18 <dolphm> #link https://review.openstack.org/#/c/95827/11/test-requirements-py3.txt
19:22:35 <dstanek> so i just wanted to get some feedback on what i was hacking on
19:22:54 <dstanek> we all know that we can't product a real py3 version any time soon
19:23:17 <dstanek> but i really want to get something usable so i can start testing in a real environment and not just unit tests
19:23:35 <bknudson> jenkins likes it
19:23:47 <dstanek> so one of the compromises i decided to make was "temporarily" depend on third party packages that are not approved
19:24:06 <bknudson> I think packagers are going to freak out
19:24:17 <dolphm> bknudson: but no one is packaging for py3 either
19:24:22 <dstanek> for example i wanted to hook it into my ldap setup so i needed a version of ldap that actually works in py3
19:24:34 <dstanek> bknudson: they can't package it yet
19:24:39 <bknudson> gate-keystone-python33 SUCCESS in 6m 21s (non-voting)
19:24:49 <dstanek> up until today or yesterday we have py3 syntax errors
19:24:59 <bknudson> if it allows us to turn on gating for py3 then it's probably worth it
19:25:27 <dolphm> the patch linked about is also like tenth in a chain of patches
19:25:27 <dstanek> yes, i would very much like to get that going much faster than it is now
19:25:49 <dstanek> dolphm: yes, but the only one where i admit to using questionable methods
19:26:23 <bknudson> well, the blueprint isn't approved so nobody's going to review it
19:26:26 <dstanek> this also gives us a list of things that need to be fixed before we can have a real release
19:26:41 <dolphm> bknudson: dstanek: isn't it targeted to ongoing anyway?
19:27:08 <dolphm> fixed*
19:27:15 <stevemar> shouldn't we be in -keystone and not in -meeting
19:27:29 <dstanek> dolphm: yes, but i should probably make a spec anyway? there have already been a tons of patches attributes to py3 and that bp
19:27:31 <morganfainberg> stevemar, no infra meeting, we're occupying the channel
19:27:45 <morganfainberg> stevemar had a couple extra topics to cover
19:27:56 <bknudson> I don't see the need for a spec
19:27:59 <dolphm> dstanek: sure, i imagine it'd be short
19:28:57 <dstanek> if there are no major issues with the dependencies i'll continue down that path
19:31:08 <dolphm> i see the -py3 requirements file as being documentation
19:31:34 <dolphm> first and foremost ^ so i don't have a problem with documenting what it takes to run on py3
19:32:35 <dolphm> bknudson: i saw you reviewed the first patch in the series; fwiw, the first few in the series look really simple
19:33:13 <bknudson> dolphm: y, should be able to approve the others once jenkins oks
19:33:26 <bknudson> dstanek: https://review.openstack.org/#/c/102737/ has comments
19:33:40 <dolphm> i just +2'd that one regardless
19:33:45 <jamielennox> dolphm: keystoneclient release? (when conversation slows)
19:34:02 <dolphm> jamielennox: i'll prepare one now
19:34:09 <dolphm> let's switch back to -keystone
19:34:13 <dolphm> #endmeeting