18:02:00 <dolphm> #startmeeting keystone 18:02:00 <openstack> Meeting started Tue Jul 22 18:02:00 2014 UTC and is due to finish in 60 minutes. The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:02:01 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:02:04 <openstack> The meeting name has been set to 'keystone' 18:02:17 <dolphm> #topic Juno milestone 2 18:02:56 <bknudson> anything that needs to get in for M2? 18:03:01 <dstanek> dolphm: i added a topic to the end - if we don't get to it i won't be heart broken 18:03:04 <dolphm> #info Ensure changes targeted at milestone-2 are gating TODAY 18:03:09 <bknudson> also, is there a keystoneclient release at M2 time? 18:03:12 <dolphm> dstanek: ack 18:03:30 <dolphm> bknudson: no; but i'd like to do a release of keystoneclient and keystonemiddleware both, by coincidence 18:04:13 <dolphm> if there's any reason to block either of those, target bugs/bp's to the next milestone of those projects and i'll follow up 18:04:18 <ayoung> Lets stagger the client changes after M2 18:04:24 <dolphm> keystoneclient 0.10.0 or keystonemiddleware 1.1.0 18:04:35 <dolphm> ayoung: why? 18:04:45 <morganfainberg> dolphm, ++ on the release of both of those 18:04:56 <ayoung> dolphm, one thing at a time...and I'm hoping to still get the revocation events in 18:05:15 <ayoung> I'd just suggest getting J2 cut first 18:05:31 <dolphm> ayoung: that'd be nice, but i'd also pull the trigger on 0.11.0 in a heartbeat to get that out if it was delayed beyond 0.10.0 18:05:40 <ayoung> dolphm, fair enough 18:05:47 <morganfainberg> ayoung, i'd argue that the moment rev. events land we can justify a rlease 18:05:47 <dolphm> ayoung: and yeah, j2 is a bigger deadline for us 18:06:04 <dolphm> lbragstad's api validation patch gated, but there are follow up patches to start utilizing that stuff 18:06:15 <morganfainberg> ayoung, this is the reason we split out the middleware :) 18:06:37 <dolphm> i'd like to have it marked as Implemented today though, so let's get as much as we can in, and then do the rest in j3 as follow up (wishlist bugs to add validation in different places?) 18:06:38 <lbragstad> the meat of the following on patches are in the catalog and assignment apis 18:06:47 <morganfainberg> dolphm, works for me. 18:07:15 <morganfainberg> this also means i can use it for validating the token format .. woo 18:07:19 <dstanek> i think lbragstad's patches will be easy to get into merging shape 18:07:30 <dolphm> lbragstad: last i looked, it appeared that you could do more parallelization among those patches (they don't need to be deps?) ... is that true? 18:07:37 <dolphm> dstanek: ++ 18:07:38 <lbragstad> yes 18:07:44 <lbragstad> they no longer need to be linear 18:07:59 <dolphm> lbragstad: can you get them split apart then? we should be able to merge more+faster that way 18:08:06 <lbragstad> so they can be working in parallel and I don't have to spam the channel every time I change the assignment validation patch :) 18:08:19 <lbragstad> dolphm: yep, I can do that 18:08:23 <morganfainberg> lbragstad, but... that was fun 18:08:25 <morganfainberg> :) 18:08:28 <dolphm> lbragstad: thanks :) 18:08:29 <dolphm> #topic Renaming the OpenStack Identity program to the OpenStack TripleA program 18:08:34 <lbragstad> thanks for all the review! 18:08:51 <dolphm> so, i've had smaller conversations on this topic, and i think it's time to bring this to a larger audience 18:08:55 <ayoung> AAA? Authentication, Authorization and Audit?\ 18:09:00 <morganfainberg> ayoung, yep. 18:09:01 <dolphm> ayoung: ++ 18:09:02 <dolphm> #link https://review.openstack.org/#/c/108739/ 18:09:15 <morganfainberg> ayoung, which also implies we push for policy (both the rules engine and otherwise) 18:09:15 <dolphm> this is a change to the openstack/governance repo to tweak our program's defintition ^ 18:09:29 <morganfainberg> ayoung, when / as they graduate. 18:09:44 <ayoung> 'Call AAA. We'll help when you crash." 18:09:56 <gyee> rather small A for authorization as it still done at the services 18:10:01 <dolphm> so there's two meaningful changes proposed there... 18:10:01 <topol> dolphm, all for it!!! 18:10:02 <bknudson> we're always the first thing to fail so that's how it works 18:10:08 <ayoung> gyee, nope, we'll own that too 18:10:13 <dolphm> one is renaming the program to TripleA (authentication + authorization + audit) 18:10:16 <ayoung> policy enforcement in keystonemiddleware 18:10:26 <dolphm> which i think better reflects the program's maturity and long term scope 18:10:37 <ayoung> Works for me 18:10:38 <dolphm> and then there's the move of pycadf from oslo to tripleA 18:10:55 <morganfainberg> good starting place. 18:11:00 * morganfainberg is in support. 18:11:09 <dolphm> is anyone here opposed to either of those changes? concerns? 18:11:12 * topol is also in huge support 18:11:14 <gyee> AaA sounds good 18:11:18 <ayoung> what about Congress? Are we going to break the news to them that they can't have policy? 18:11:22 <morganfainberg> gyee, will be TripleA 18:11:26 <gyee> :) 18:11:28 <dolphm> ayoung: does that still exist? 18:11:44 <morganfainberg> ayoung, if they get that far, i would make a move to pull them into TripleA 18:11:44 <topol> are they still in session??? 18:11:55 <dolphm> commit 6 days ago: https://github.com/stackforge/congress 18:11:57 <dolphm> i basically forgot about it 18:12:08 <topol> me too. congress has been quiet 18:12:14 <morganfainberg> ayoung, but afaict they are very very much off in the "figuring how things work" 18:12:49 <ayoung> morganfainberg, they are looking to do things outside of what we consider policy as well. I suspect they are looking to be a general "here's how you do Rules based stuff" project. Half of what we get from oslo, and half stealing from each of the other project; Firewall rules are policy to Congress as well. 18:13:03 <dolphm> it should go through a graduation process on it's own; if there's clear demand/support for it, i think it would fall under the tripleA umbrella. but it shouldn't be fast tracked or grandfathered into an 'integrated' status 18:13:13 <bknudson> if audit is part of keystone then congress can work on keystone 18:13:15 <morganfainberg> ayoung, that wouldn't be a good service/program on it's own. 18:13:18 <ayoung> Weekly on Tuesdays at 1700 UTC, e.g. Feb 25, 2014 18:13:34 <topol> so if someone needs pycadf but doesnt need all of keystone that is still possible correct? 18:13:42 <dolphm> ayoung: that's right after this 18:13:45 <morganfainberg> ayoung, but I still don't see it as being a huge blocker for them joining this program if they figure things out 18:13:45 <ayoung> topol, should be. 18:13:50 <morganfainberg> topol, correct, it would stay a separate lib 18:13:54 <dolphm> topol: pycadf would still stand on it's own 18:14:06 <dolphm> topol: it's core team would just change from oslo core to keystone core 18:14:14 <topol> thats would be the only issue folks might bring up 18:14:23 <dolphm> so we'd be adopting keystone-specs for pycadf, for example 18:14:35 <ayoung> actually, according to World Clock it is 1700 UTC right now, I think. 18:14:39 <ayoung> 1715 18:14:59 <celttechie> Just FYI: Congress just finished up a meeting and they were talking about joining with Tetris too. 18:15:16 <dolphm> ayoung: oh; i'm definitely wrong. but it's 1815utc according to google :P 18:15:22 <morganfainberg> celttechie, tetris? 18:15:27 <stevemar> theres going to be a good amount of confusion about the renaming 18:15:34 <dolphm> celttechie: tetris? 18:15:40 * jamielennox arrived late and has never heard of half these terms 18:15:52 <dolphm> stevemar: with tripleO? or just between identity/triplea 18:16:00 <morganfainberg> stevemar, probably not, rename wouldn't affect the code-name, just the program name: OpenStack Identity -> OpenStack Authn/Authz/Audit 18:16:01 <stevemar> dolphm, the latter 18:16:16 <stevemar> morganfainberg, ahhh OK 18:16:16 <morganfainberg> stevemar, and most people know the code name more than anything else 18:16:24 <bknudson> we'll have to change the identity API to tripleA API 18:16:30 <dolphm> stevemar: anywhere we can solve for? s/identity-api/triplea-api/ ? 18:16:50 <stevemar> morganfainberg, thought we were changing the codename to triplea 18:16:50 <ayoung> bknudson, I think we leave it as the identity API 18:16:55 <morganfainberg> stevemar, nah. 18:17:00 <stevemar> i caught up with the train now 18:17:01 <morganfainberg> stevemar, that would be silly 18:17:07 <stevemar> agreed 18:17:19 <gyee> AAAAPI 18:17:20 <ayoung> bknudson, we might want to cut it into smaller chunks in the future; each of the A's deserves its own API 18:17:22 <morganfainberg> ayoung, i'd 301 the references 18:17:33 <dolphm> ayoung: that just sounds terrible 18:17:45 <morganfainberg> ayoung, because we are more than just "Identity" api, but something to discuss 18:18:03 <dolphm> AAAAPI 18:18:03 <lbragstad> so, we would have and Identity API that is implemented in TripleA? 18:18:11 <dolphm> gyee: i just understood your joke. 18:18:20 <lbragstad> I feel like that would be confusing 18:18:37 <bknudson> our meetings will get very noisy as we yell aaapi 18:18:53 <dolphm> lbragstad: well, it'd be the identity/tripleA API being implemented by Keystone 18:19:00 <stevemar> bknudson, you missed one aaaapi 18:19:07 <bknudson> aaargh 18:19:10 <dstanek> would it be too much if we did have a few different named APIs? identity-api, audit-api, etc 18:19:20 <lbragstad> that's an idea 18:19:25 <morganfainberg> dstanek, no wouldn't be a bad thing 18:19:30 <dolphm> authentication-authorization-audit-programming-interface 18:19:36 <dolphm> that works too 18:20:07 <ayoung> Dolph, if we split of the IdP, that would be the AuthN API. Current Keystone API would be AuthZ. Audit is its own thing. 18:20:21 <dolphm> so, i think we have a todo list of action items to produce (possibly renaming repos, etc), i'll start an etherpad... 18:20:23 <morganfainberg> ayoung, sounds right. 18:20:25 <bknudson> authentication-authorization-audit-roles-groups-hierarchy 18:20:31 <ayoung> current API minus the stuff that went to Idp, like user management 18:20:44 <morganfainberg> dolphm, repo renames are fairly easy. 18:20:53 <jamielennox> does this all happen within the standard v3 api? 18:21:02 <dstanek> a³pi 18:21:09 <ayoung> ThreePI 18:21:27 <dolphm> #link https://etherpad.openstack.org/p/Identity-to-TripleA 18:21:30 <morganfainberg> ayoung, c3po? 18:21:34 <ayoung> jamielennox, nah, I'd suggest we leave things along until we need to bump a version 18:22:24 <lbragstad> morganfainberg: yeah, that's how I saw it too 18:22:54 <ayoung> When we are ready to split IdP off into its own, we can deal with it then. I'd aregue that the whole thing stays in the identity API repo, just be 3 "core" apis. We can even version each of them 4.0 if we need to keep the number straight 18:23:16 <gyee> ayoung, yeah, we'll have a split repo by then 18:23:44 <morganfainberg> ayoung, lets not even talk about 4.0 here :P 18:23:57 <dolphm> alright... let's move on :P 18:24:12 <dolphm> i added a few things to the etherpad to get started; feel free to add things like repo renames 18:24:36 <ayoung> morganfainberg, its OK, termie started on 5 a while ago 18:24:49 <dolphm> uhh, there's just a couple blueprints & reviews on the agenda: jamielennox bknudson - did ya'll want those to be #topics? 18:25:22 <bknudson> For mine I just wanted to mention that it's making progress 18:25:25 <jamielennox> dolphm: don't mind, just want to get some discussion/general approval of ideas 18:25:39 <dolphm> jamielennox: bknudson: okay, then let's hit them in order 18:25:39 <bknudson> and if you want to see it in action check it out and curl -H "Accept: application/json-home" http://localhost:5000/v3 | python -mjson.tool 18:25:44 <dolphm> #topic Auth Specific Data 18:25:50 <dolphm> #link https://review.openstack.org/#/c/107325/ 18:26:08 <jamielennox> The main thing that's come up for this one is what to do about already scoped tokens 18:26:22 <bknudson> 2 specs for the price of 1 18:26:26 <gyee> jamielennox, horizon folks would love that 18:26:37 <jamielennox> i like the idea that if you are already project scoped you shouldn't receive a list of other projects that you can scope to 18:26:40 <gyee> right now they are parsing policy files on their own 18:26:47 <jamielennox> but i don't know if it's doable given default_project_ids 18:27:20 <jamielennox> related i cleaned up https://review.openstack.org/#/c/108071/ 18:27:31 <jamielennox> but i don't know if that's a viable alternative 18:27:34 <dolphm> jamielennox: side note, maybe we need a "scope": null or something in an auth request to explicitly request an unscoped token? 18:27:38 <dolphm> would be a separate bp 18:27:47 <ayoung> I wonder if we really need those. What if enumerating projects and domains could only be done with an unscoped token. Like, ever? 18:27:55 <dolphm> that'd also mean we need to support unscoped tokens forever 18:28:06 <dolphm> rather than having a higher level of explicit scope 18:28:10 <gyee> why does unscoped token need service catalog? 18:28:13 <ayoung> If the token is scoped to a project, then that scoped token can only see that project. 18:28:21 <gyee> you have the identity endpoint to begin with 18:28:24 <ayoung> Unscoped Tokens Forever! 18:28:25 <jamielennox> dolphm: see review https://review.openstack.org/#/c/108071/ 18:28:28 <dolphm> gyee: that's the next agenda item; hold up 18:28:45 <dolphm> jamielennox: ha 18:28:59 <jamielennox> unscoped tokens are kind of necessary given that we currently say a token has only one scope 18:29:12 <jamielennox> i don't know how far we can get away from that with PKI tokens 18:29:25 <ayoung> dolphm, we can replcae "unscoped" with "scoped to Keystone" so long as it is considered the root scope, and can only be used with Keystone. 18:29:48 <ayoung> Just that we call them unscoped today. Session tokens are another possibility, and we could lump all of the concepts together 18:29:49 <jamielennox> ayoung: right, this came up before that an unscoped token was really a keystone scoped token 18:30:05 <jamielennox> and the next blueprint about adding a service catalog is really just a cheap way of handling thta 18:30:17 <ayoung> A token granting Token, if you will..... 18:30:39 <gyee> kerberolize Keystone 18:30:48 <dolphm> ayoung: less lumping please 18:31:22 <morganfainberg> dolphm, i like my token texture creamy, not lumpy 18:31:33 <gyee> heh 18:31:44 <ayoung> dolphm, I'm willing to discuss the issues separately, but it might be that we want to have both concepts linked in the same new token format. Mostly this is to support Horizon and comparable use cases 18:32:12 <jamielennox> so if we can get ?unscoped=true into /auth/tokens then it might make sense that /auth/projects will only response to unscoped tokens? 18:32:26 <dolphm> ayoung: i'd rather have a gradual evolution than a "new format" 18:32:34 <jamielennox> 1st step on the path to getting rid of default_project_id 18:32:58 <bknudson> I'd think the token would have "scope": null 18:33:03 <bknudson> or "scope": {} 18:33:06 <bknudson> the auth request 18:33:08 <dolphm> bknudson: ++ 18:33:24 <jamielennox> ok 18:33:37 <dolphm> let's save that for an identity-api discussion; jamielennox / ayoung: cut the API details from the spec :) 18:33:46 <dolphm> i'm +A on the direction though 18:34:04 <dolphm> #topic Unscoped catalog 18:34:09 <ayoung> bknudson, yeah, that sounds right. And in the future, we could make that scope: {"endpoint": <keystone> } 18:34:11 <bknudson> the problem description makes sense... if you really want an unscoped token you can't get one 18:34:19 <dolphm> #link https://review.openstack.org/#/c/107333/ 18:34:25 <ayoung> so I think the unscoped catalog does not need to be in nthe token itslef, just in the response to getting the token 18:34:56 <ayoung> the client will use the result, but only Keystone should be able to validate/accept the token 18:34:56 <gyee> why catalog for unscoped token? use case? 18:35:04 <bknudson> seems odd that we were able to survive all this time without a catalog in an unscoped token 18:35:16 <dolphm> ayoung: why not just return a catalog in response to an unscoped token + GET /v3/catalog ? 18:35:26 <jamielennox> gyee: essentially the point is to make the flow the same as regular tokens 18:35:37 <topol> good plan 18:35:45 <dolphm> bknudson: yeah, i'd like to better understand the use case here.. 18:35:45 <jamielennox> gyee: at the moment you have to mangle unscoped URLs so that they include the auth_url 18:36:16 <gyee> auth_url is the same regardless 18:36:32 <jamielennox> that becomes somewhat harder with auth plugins where they don't need to provide you the auth_url in the same way 18:36:33 * gyee still confused 18:36:36 <bknudson> clients are going to have to handle tokens without catalogs anyways since they have to support old versions of keystone 18:36:47 <jamielennox> bknudson: right 18:37:09 <dolphm> jamielennox: so you basically just want to return the auth_url in something that looks like a catalog because it's too hard to use the auth_url that was originally requested, which you'll have to continue doing anyway for backwards compatibility? 18:37:49 <gyee> there's only one auth_url right? 18:37:52 <jamielennox> dolphm: ideally i'd return the identity endpoints and let the client do the same discovery on them that it would do for a scoped token talking to keystone 18:37:58 <gyee> one that client need to know anyway 18:38:31 <jamielennox> but essentially yes, it's kind of housekeeping in that it's something that i've always found has broken the flow of working with tokens 18:39:16 <dolphm> jamielennox: but you'll still need to support both flows... forever 18:39:22 <dolphm> jamielennox: so you're adding complexity for zero gain 18:39:46 <gyee> sound like a "zero" gain for me 18:40:32 <jamielennox> dolphm: you'd still have to support it, i guess it's just a better feeling workflow 18:40:37 <bknudson> For the server, it sounds like it's easy to implement. 18:41:04 <dolphm> bknudson: it's easy on both sides... but there's no payoff 18:41:25 <jamielennox> especially because for unscoped tokens the fallback looks like: https://review.openstack.org/#/c/104771/9/keystoneclient/v2_0/tokens.py 18:41:58 <bknudson> there's really only a few things you can realistically do with an unscoped token 18:42:04 <bknudson> how about have an "unscoped" client? 18:42:06 <jamielennox> essentially let's try to perform this operation in the normal way and if that didn't work it must be because we have an unscoped token so try again with the auth_url 18:42:17 <dolphm> jamielennox: i don't think your auth.AUTH_INTERFACE is going anywhere healthy either 18:42:18 <bknudson> rather than trying to support unscoped tokens in the regular client lib 18:42:47 <jamielennox> bknudson: i think that might be what generic was originally for 18:43:12 <ayoung> jamielennox, the logic could also be "if there is no service catalog, generate one from the auth url" 18:43:24 <dolphm> jamielennox: it seems the auth plugin should be able to work with an auth_url to generate an unscoped token; it never needs any other endpoint. similarly the session never needs the auth_url, just scoped catalogs 18:43:25 <jamielennox> ayoung: that's what the AUTH_INTERFACE is 18:43:32 <ayoung> with auth_url becoming an implicit admin interface 18:43:42 <dolphm> something is crossing boundaries here, but i'm lost as to what it is 18:43:46 <ayoung> jamielennox, I know, I've been using that ccode for the last ...well since you wrote it 18:43:57 <dolphm> ayoung: auth_url is NOT an "admin" interface. at all. 18:44:11 <ayoung> dolphm, once you have an unscoped token, where can you use it? 18:44:16 <dolphm> ayoung: the auth_url 18:44:48 <dolphm> ayoung: you haven't finished the full authN/Z flow yet - so you're still confined to the auth_url. 18:44:49 <jamielennox> dolphm: the only way i can see that working is that auth plugins should be different for scoped and unscoped tokens 18:45:35 <jamielennox> as in all tokens that accept a credential should only be scoped and then there is only 1 way to rescope 18:45:49 <jamielennox> only be unscoped 18:45:52 <dolphm> jamielennox: let me back track on myself; i do think the session should be aware of the auth_url so that it can handle rescoping as necessary - agree? 18:46:18 <jamielennox> dolphm: no, why would the session want to know auth_url - that's plugin specific 18:46:33 <jamielennox> you can have 1:M session:plugin 18:46:40 <dolphm> jamielennox: i see the circle we're in now :) 18:48:05 <dolphm> jamielennox: can we pick this up after the meeting? 18:48:11 <jamielennox> dolphm: sure 18:48:34 <dolphm> #topic JSON-Home progress 18:48:35 <dolphm> bknudson: o/ 18:48:40 <dolphm> #link https://review.openstack.org/#/c/103983/ 18:48:48 <bknudson> just wanted to mention that it essentially works, for v3 18:48:53 <bknudson> so if you want to try it 18:48:54 <dolphm> bknudson: this must be your biggest patch ever? 18:49:04 <bknudson> curl -H "Accept: application/json-home" http://localhost:5000/v3 | python -mjson.tool 18:49:15 <bknudson> it's mostly data 18:49:26 <bknudson> also, there's a lot of duplication 18:49:40 <bknudson> removing the duplication will be quite a bit of work 18:49:55 <bknudson> because it will essentially mean going up a level of abstraction in the routers... 18:50:05 <dolphm> if anyone is interested, i just checked it out and called it: http://pasteraw.com/4ozb5otuj2bjf9tcvok9q8uolqa2qhh 18:50:14 * topol pretty sure bknudson can handle refactoring :-) 18:50:40 <bknudson> where the routers are doing mapping.add_route they should be doing some kind of self._add_resource() that has more info. 18:50:53 <bknudson> so, that was about it. 18:51:00 <bknudson> thinking about how to rewrite the clients to use it... 18:51:08 <dolphm> bknudson: COOL. 18:51:11 <jamielennox> bknudson: yea that's tough 18:51:15 <morganfainberg> thats cool to see 18:51:25 <bknudson> essentially the client would have to fetch the json-home doc, then they'd be able to get the URL from JSON-Home 18:51:29 <bknudson> rather than building the URL themselves 18:51:42 <dolphm> bknudson: i see a couple bugs :P 18:51:44 <morganfainberg> bknudson, that makes sense from a workflow 18:51:57 <morganfainberg> but yeah it's got some oddities 18:52:25 <bknudson> ok. early feedback would be nice. 18:52:36 <jamielennox> bknudson: can json-home handle the standard /v2 or /v3 discovery we do now? 18:52:42 <bknudson> jamielennox: yes... 18:52:51 <bknudson> I've only got it for /v3 18:52:51 <dolphm> is /v3/role_assignments/{role_assignment_id} actually a thing ?! 18:53:13 <bknudson> but essentially GET / would return all v2 and v3 resources 18:53:19 <dolphm> that's totally not documented if so, and role_assignments should not have IDs 18:53:19 <ayoung> bknudson, V3ExtensionRouter(ExtensionRouter): should be in keystone/routers, not in common/wsgi.py 18:53:31 <bknudson> v3 resources are like http://docs.openstack.org/identity/rel/v3/users 18:53:45 <bknudson> and v2 resources would be like http://docs.openstack.org/identity/rel/v2.0/users 18:53:45 <dolphm> bknudson: i don't know that we'd get much payoff from adding this to v2 18:54:09 <ayoung> Or is every router now becoming an V3ExtensionRouter.... 18:54:11 <jamielennox> dolphm: it's so we would have to do vereion discovery lookup and then json-home lookup as well 18:54:11 <bknudson> dolphm: y, I think the payoff would be if we wanted to use this for "version discovery" 18:54:12 <dolphm> ayoung: V3ExtensionRouter belongs in wsgi imo 18:54:23 <dolphm> ayoung: it's wsgi framework code 18:54:38 <jamielennox> s/would/wouldn't 18:55:06 <ayoung> I think all of the lookup/discovery stuff is starting to call for some sort of caching/bookmark story 18:55:07 <dolphm> bknudson: +1 for responding to json-home on / but do you need to provide *every* v2 resource there? 18:55:15 <jamielennox> it means is it a change to discovery or a change to client 18:55:20 <dolphm> are we going to bother revving the v2 client to acknowledge all that data? 18:55:44 <morganfainberg> dolphm, do we need the v2 client to? 18:55:57 <jamielennox> ayoung: discovery caches on the session and on the auth plugin 18:56:10 <bknudson> at least for the public interface there aren't many v2 resources 18:56:14 <morganfainberg> can we let the v2 client just kind of... do it's thing? 18:56:42 <ayoung> jamielennox, I'm not certain that will work for CLI and Horizon use cases, unless we have "persist and restore session to keyring" 18:56:45 <jamielennox> yea, i don't mind if json-home doesn't say anything at all about v2 resources 18:56:57 <jamielennox> just if /v2 and/or /v3 exist 18:57:07 <bknudson> well, it sounds like v2 isn't that interesting to people so I'll focus my time on cleaning up the current change 18:57:16 <dolphm> morganfainberg: IncompletePreposition: 'to' (i don't know what you're asking) 18:57:21 <gyee> bknudson, does it work with extensions? 18:57:32 <gyee> nm, I see it 18:57:33 <bknudson> gyee: yes, it works with extensions (the v3 work does) 18:57:36 <jamielennox> ayoung: yea CLI is a problem, serializing the session and auth plugins is something i've known about but haven't been asked for yet 18:57:47 <morganfainberg> dolphm, bother acknowledging the json-home stuff 18:57:52 <dolphm> bknudson: +++ 18:58:34 <bknudson> ok, thanks for the feedback. 18:58:58 <ayoung> jamielennox, I think I am going to be hitting that in Horizon here shortly. People are using the tokenid as the session persistance. But if there is discovery that went on, we'll want that remembered, too. And not every Horizon session should have to do the full discovery dance 18:59:31 <dolphm> hrm we're out of time with two things left on the agenda 18:59:52 <gyee> continue in #openstack-keystone 19:00:15 <dolphm> actually, is there an infra meeting today? or can we run long? jeblair? mordred? 19:00:59 <morganfainberg> dolphm, there is also OSCON stuff going on 19:01:38 <jeblair> dolphm: go for it 19:01:40 <topol> do we stay here or hop? 19:01:55 <dolphm> jeblair: are you having a meeting today? 19:01:57 <topol> alright. stay until we get bumped and glared at :-) 19:02:06 <gyee> k :) 19:02:20 <dolphm> jeblair: if we run long it'll be like 20 minutes 19:02:33 <dolphm> jeblair: or we can just switch to -keystone 19:02:36 <bknudson> gyee: would X.509 client cert auth benefit from a mapping? 19:02:41 <topol> we have our own channel... why grovel for breadcrumbs?? 19:02:53 <gyee> bknudson, it could 19:02:54 <morganfainberg> lol 19:03:05 <gyee> but we don't have the plumbing in place for that kind of stuff yet 19:03:14 <gyee> ideally, everyting should go through mapping 19:03:16 <bknudson> I like federation then 19:03:18 <topol> keystone is no longer living in a van by the river 19:03:29 <morganfainberg> topol, shhh don't tell anyone 19:03:30 <dolphm> #topic X.509 SSL Client Certificate Authn 19:03:31 <morganfainberg> :P 19:03:43 <gyee> we'll need to make significant changes to the federation plumbing to make that happen 19:03:53 <gyee> right now it only works for saml2 19:03:55 <jamielennox> significant? 19:03:59 <gyee> yes 19:04:01 <bknudson> hopefully those changes to the plumbing will make it more flexible 19:04:16 <bknudson> I think this is what we wanted from the beginning. 19:04:18 <jamielennox> how does it change from the current 'map this httpd header to this attribute' 19:04:34 <jamielennox> and i agree anything it doesn't currently cover it should 19:05:08 <dstanek> gyee: i think it will be less work than you think and there is already movement toward making it more generic 19:05:40 <gyee> yes, I think we can make it generic 19:05:50 <gyee> only question is time and effort 19:05:56 <kwss> I'd like to know what is happening towards this :) 19:06:13 <bknudson> gyee: btw the spec looks great 19:06:17 <gyee> 1) change federation plugin to make it generic 19:06:23 <gyee> https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L242 19:06:34 <jamielennox> so i guess the interesting part of this would be how does it fit in with /identity_providers/{idp}/protocols/{protocol} ? 19:06:37 <gyee> 2) change the saml2 plugin to make it generic 19:06:45 <gyee> 3) make token issuance a pipeline 19:07:17 <gyee> jamielennox, it would be an x.509 provider 19:07:18 <dstanek> there is a code review somewhere to rename saml2 to something else - it really isn't saml2 specific IIRC 19:07:32 <bknudson> if federation was used then would you have to use an apache module? 19:07:48 <gyee> bknudson, yes 19:07:50 <kwss> https://review.openstack.org/#/c/104301/ 19:07:51 <jamielennox> gyee: but it doesn't map to an idp id was my though 19:08:06 <gyee> you still need apache to do the heavy lifting in validating and parsing the cert 19:08:06 <dstanek> bknudson: you wouldn't have to because the vars are pulled from the environment 19:08:46 <bknudson> does it work through an SSL terminator? 19:08:48 <dolphm> kwss: can you take the term 'reegineered' out of that spec? it scares people and it's so vague that any spec could be prefixed by 'reegineered-*' 19:08:50 <jamielennox> dstanek: apache is still needed to populate those environments though 19:09:15 <kwss> dolphm, sure, what do you think it should be changed to? 19:09:36 <dstanek> jamielennox: using federation does not require it though - you may need an apache module for a specific protocol though 19:09:42 <dolphm> kwss: something specific and succinct that describes the problem 19:09:45 <morganfainberg> bknudson, i don't think it would work through an SSL terminator 19:09:59 <gyee> bknudson, SSL has to be terminated at Apache 19:10:23 <kwss> dolphm, something like generic-federation-plugin? 19:10:38 <dolphm> kwss: that's a step better 19:10:50 <jamielennox> standard-mapping 19:11:02 <gyee> so we all agree to kill the x.509 cert auth plugin in favor of a generic federation layer? 19:11:18 <gyee> or do the plugin now and then work on generic federation? 19:11:45 <bknudson> gyee: I prefer federation 19:12:07 <dstanek> gyee: i think that's the right path 19:12:08 <gyee> with federation, we can get rid all the remote user auth plugins too 19:12:28 <gyee> external auth can also use the same framework 19:12:32 <kwss> bknudson, I agree, as it then ties in with adding keystone-to-keystone, open idc etc 19:13:13 <bknudson> gyee: so is there still a "support X.509" or is it just "make federation more generic" 19:13:24 <dolphm> bknudson: ++ 19:13:54 <gyee> bknudson, we still need x.509 19:14:17 <bknudson> ok, just wondering if x.509 needed something in addition to generic federation 19:14:19 <gyee> but now it has a dependency on making federation more generic 19:14:41 <gyee> instead of a standalone plugin 19:15:09 <dolphm> gyee: i'm lost on how x509 support is not a plugin either way? 19:15:30 <gyee> dolphm, with generic federation, it would become an identity provider 19:15:56 <gyee> saml2 auth plugin will be part of the token pipeline 19:16:53 <gyee> only problem is making generic federation work, we are probably looking at K and beyond 19:17:17 <dstanek> gyee: do you know what doesn't work? 19:17:22 <gyee> since the changes are quite significant 19:17:27 <bknudson> we seem to have a lot of people interested in it 19:17:38 <dolphm> gyee: ^ does a spec exist that describes the gaps your looking at? 19:17:46 <dolphm> you're* 19:18:03 <gyee> dolphm, I think David and kwss have a spec 19:18:11 <gyee> kwss, you have the url? 19:18:42 <kwss> It's this one, but I think it still needs work https://review.openstack.org/#/c/104301/ 19:19:31 <kwss> Can I rename a spec or do I need to make a fresh one? 19:19:40 <dolphm> kwss: iterate on this one 19:19:49 <dstanek> when we talked about this at the hackathon i got the impression that it really wasn't that bad 19:20:16 <gyee> dstanek, you mean the refactoring part? 19:20:23 <dolphm> dstanek: kwss's spec is fairly straight forward 19:20:38 <dstanek> gyee: making the mechanism more generic 19:20:45 <kwss> dstanek, I thought it was just a case of renaming the saml2 plugin to something generic and calling the correct code to manage extraction of assertion data 19:20:55 <dolphm> kwss: gyee: but that doesn't describe the relationship between x509, the mythical token pipeline that we've mutilated, and federation 19:21:04 <dstanek> the real work would be in whatever other identity providers you have to make 19:21:22 <gyee> dolphm, lemme work off kwss's spec 19:21:38 <gyee> a diagram or two probably will make things better 19:21:44 <dolphm> gyee: keeps specs narrow and focused! 19:22:00 <gyee> but its a "generic" spec :) 19:22:09 <dolphm> so anyway 19:22:09 <dolphm> #topic Python 3 temporary solutions 19:22:12 <dolphm> dstanek: o/ 19:22:18 <dolphm> #link https://review.openstack.org/#/c/95827/11/test-requirements-py3.txt 19:22:35 <dstanek> so i just wanted to get some feedback on what i was hacking on 19:22:54 <dstanek> we all know that we can't product a real py3 version any time soon 19:23:17 <dstanek> but i really want to get something usable so i can start testing in a real environment and not just unit tests 19:23:35 <bknudson> jenkins likes it 19:23:47 <dstanek> so one of the compromises i decided to make was "temporarily" depend on third party packages that are not approved 19:24:06 <bknudson> I think packagers are going to freak out 19:24:17 <dolphm> bknudson: but no one is packaging for py3 either 19:24:22 <dstanek> for example i wanted to hook it into my ldap setup so i needed a version of ldap that actually works in py3 19:24:34 <dstanek> bknudson: they can't package it yet 19:24:39 <bknudson> gate-keystone-python33 SUCCESS in 6m 21s (non-voting) 19:24:49 <dstanek> up until today or yesterday we have py3 syntax errors 19:24:59 <bknudson> if it allows us to turn on gating for py3 then it's probably worth it 19:25:27 <dolphm> the patch linked about is also like tenth in a chain of patches 19:25:27 <dstanek> yes, i would very much like to get that going much faster than it is now 19:25:49 <dstanek> dolphm: yes, but the only one where i admit to using questionable methods 19:26:23 <bknudson> well, the blueprint isn't approved so nobody's going to review it 19:26:26 <dstanek> this also gives us a list of things that need to be fixed before we can have a real release 19:26:41 <dolphm> bknudson: dstanek: isn't it targeted to ongoing anyway? 19:27:08 <dolphm> fixed* 19:27:15 <stevemar> shouldn't we be in -keystone and not in -meeting 19:27:29 <dstanek> dolphm: yes, but i should probably make a spec anyway? there have already been a tons of patches attributes to py3 and that bp 19:27:31 <morganfainberg> stevemar, no infra meeting, we're occupying the channel 19:27:45 <morganfainberg> stevemar had a couple extra topics to cover 19:27:56 <bknudson> I don't see the need for a spec 19:27:59 <dolphm> dstanek: sure, i imagine it'd be short 19:28:57 <dstanek> if there are no major issues with the dependencies i'll continue down that path 19:31:08 <dolphm> i see the -py3 requirements file as being documentation 19:31:34 <dolphm> first and foremost ^ so i don't have a problem with documenting what it takes to run on py3 19:32:35 <dolphm> bknudson: i saw you reviewed the first patch in the series; fwiw, the first few in the series look really simple 19:33:13 <bknudson> dolphm: y, should be able to approve the others once jenkins oks 19:33:26 <bknudson> dstanek: https://review.openstack.org/#/c/102737/ has comments 19:33:40 <dolphm> i just +2'd that one regardless 19:33:45 <jamielennox> dolphm: keystoneclient release? (when conversation slows) 19:34:02 <dolphm> jamielennox: i'll prepare one now 19:34:09 <dolphm> let's switch back to -keystone 19:34:13 <dolphm> #endmeeting