18:01:52 #startmeeting keystone 18:01:52 Meeting started Tue Aug 26 18:01:52 2014 UTC and is due to finish in 60 minutes. The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:53 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:56 The meeting name has been set to 'keystone' 18:02:09 #topic Feature freeze September 4th 18:02:15 hi 18:02:17 so, that's NEXT WEEK! 18:02:18 bknudson is free to vacation as long as that means spending all his time on keystone instead of most of it 18:02:48 and we're now in our review window where new features cannot be proposed, and we have a fixed list of reviews to land 18:02:49 that would be nice 18:03:02 which looks like this: 18:03:04 #link https://review.openstack.org/#/q/starredby:dolph+is:open,n,z 18:03:13 NFL kick off on 9/4 18:03:26 that's 42 open review, 23 of which still require review/iteration 18:03:57 thanks for the link! 18:04:03 +1 18:04:15 otherwise I'd just use next-review 18:04:26 the validation stuff needs a little rework and some of the reviews will be abandoned today 18:04:42 yay, i'd love to shorten the list 18:04:47 even if it means cheating lol 18:04:59 dstanek: but there was some redundancy in that series? 18:04:59 a number of the non-persistent ones are gating 18:05:10 some patches have merged and others are no longer needed :-) 18:05:28 merged into other patches still under reivew... 18:05:44 dstanek: just proposed https://review.openstack.org/#/c/111620/ which is the first in line 18:05:59 alrighty, as soon as they're no longer open they'll be dropped from that list (either merged or abandoned) 18:06:02 and needed to do the rest of the testing on the different validation patches 18:06:30 dolphm, so they all need to be merged by 9/4 correct? 18:06:31 jsonhome and non-persistent are lookin real good! 18:06:41 dolphm: I have some patches about hierarchical projects that need to be reviewed 18:06:47 wait... sorry, wrong link https://review.openstack.org/#/c/116954/1 18:07:05 raildo: i'd like to get those into a feature for juno as well 18:07:30 dolphm, raildo: I’ll volunteer to give those a good review 18:07:45 while we're on the topic of pleading for reviews, can i get folks to look at the keystone2keystone stuff :) 18:07:47 are the hierarchical projects on https://review.openstack.org/#/q/starredby:dolph+is:open,n,z ? 18:07:51 henrynash: great, i will send for you 18:07:53 i'll be more than happy to walk people through 18:08:01 and k2k? 18:08:15 bknudson: no, they're not targeted to juno-3 18:08:16 dolphm: can you star those too? 18:08:23 juno-4 ?? 18:08:32 bknudson, it needs love, we finally got our requirements patch landed 18:08:39 bknudson, we get ajun-4??? 18:08:41 bknudson: dstanek: no, i'd like to land them in a feature branch rather than master 18:08:48 juno-4? 18:08:48 dolphm: ah, ok 18:08:53 henrynash: #link http://paste.openstack.org/raw/100590/ 18:09:07 dolphm, there are 2 more minor things to get in for FF if possible, in the non-persistent line, https://review.openstack.org/#/c/116961/ and https://review.openstack.org/#/c/116962/ mostly quality of life fixes no functional changes 18:09:27 raildo: the last time i looked i was pretty happy with how things were going 18:09:46 there's no keystoneclient in https://review.openstack.org/#/q/starredby:dolph+is:open,n,z ... 18:10:00 bknudson, ksc and middleware don't have FF in the same way 18:10:00 so I don't know if there's anything that we'd really like to have. 18:10:03 dstanek: thank you, the code is almost ready 18:10:12 bknudson: the client falls outside the named release cycle, so it's not under feature freeze, etc 18:10:16 bknudson, they are released independent of the named cycles 18:10:31 I realize it's not the same but I assume there'll be a release at about the time of juno 18:10:48 bknudson: usually aim for a last release closer to rc1 18:11:00 ok, can focus on those then 18:11:41 dolphm: the endpoint-policy extenion is in godo shape…but queued up behind getting the endpoint/region/region_id fix in 18:11:43 dstanek: henrynash We divided into several patches to facilitate the review,because the change is a little big 18:12:09 henrynash: that's what i've heard :) the Region ID fix looks pretty close last i checked as well 18:12:38 raildo: yes, i've been reviewing them periodically for a week or so 18:12:38 dolphm: indeed…I’ll working with KanagarajM to get that in (https://review.openstack.org/#/c/113183/21) 18:12:43 raildo: and impactful :) we'll need to work together later to get those same patches propoposed to a new branch instead of master 18:13:51 dolphm: Ok, I think we can talk about this after the meeting :) 18:14:01 we also have two outstanding work items on https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-juno that were "assigned" to ayoung and jamielennox, but they appear to be out 18:14:06 oh jamielennox is back! 18:14:11 i stand corrected 18:14:20 sorry VPN issues 18:14:25 got here eventually 18:14:49 jamielennox: no worries 18:14:50 dolphm, i'll be working on the auth plugin test bits 18:14:58 dolphm, it's just refactoring some tests nothing more 18:14:59 the /auth endpoints are merged in keystone 18:15:06 the identity-api review is still up 18:15:06 morganfainberg: test bits? 18:15:17 jamielennox: oh we missed the api review?! 18:15:24 dolphm, yeah the support for loading auth_plugins by class name is the one from ayoung 18:15:38 #link https://review.openstack.org/#/c/115423/ 18:15:45 morganfainberg: ++ it has a deprecation message, but doesn't say anything more than 'deprecated.' what's the state of tests? 18:16:12 jamielennox: damn, thanks 18:16:21 dolphm: the identity-api part is mostly formality as the response format will be the same as existing responses 18:16:27 dolphm, i have a few reviews to move some specs to Kilo 18:16:29 dolphm, just need to do a little bit of work to register some config options and de-register them 18:16:30 so yes we missed it, but not a big deal here 18:16:32 jamielennox: still, we need docs :) 18:17:24 dolphm, it's just stopping using the plugins=',' and going back to the (in my opinion awful), plugins = "name, name name", and separate options for each class 18:18:16 but there was a use case that the deprecated option didn't easily support - using the same plugin under multiple names 18:18:19 dolphm, since the class-name loading was not documented people went down the path of assuming it wasn't used and developed whole processes around plungins not "knowing" their method. 18:18:31 dolphm, yep. 18:18:50 You'd think we'd use stevedore for plugins 18:19:06 dolphm: did we ever mark the kvs backends for idenity and assignent as deprecated? If so, could we kill them? 18:19:11 dolphm, which is why i was willing to let that deprecated option go, and why i'll fix the tests to not use that method (the class-name-method was never documented) 18:19:28 henrynash: good question, not sure? 18:19:42 henrynash, no i don't think they've been marked as deprecated 18:19:46 bknudson, can't, plugins are deployment-specific, unless we shipt the plugins in separate package 18:19:47 dolphm: I’m looking, but can’t see them marked 18:19:54 down with kvs backends! 18:20:09 henrynash: happy to deprecate them this cycle 18:20:17 dolphm: agreed 18:20:25 dolphm, henrynash, the initial thought was to do dogpile for them, but honestly, i don't see a big benefit 18:20:35 except morganfainberg's token backend? (morganfainberg?) 18:20:44 dolphm, please don't deprecate the tokne one :) 18:20:52 dolphm, morganfainberg: I’d swear I’ve seen logs saying their deprecate, but maybe in my dreams 18:21:02 henrynash: fantasies* 18:21:06 henrynash, the token kvs one will report deprecated 18:21:20 morganfainberg: ah, right…I think that was it 18:21:21 henrynash, i'll fix that by making a "test" one that doesn't log that 18:21:22 morganfainberg: but it shouldn't? 18:21:37 the one kvs backend we want to keep is deprecated? 18:21:44 oh oh wait 18:22:01 I think some kind of kvs backend is deprecated 18:22:12 like a base kvs backend or something. 18:22:35 we should have a centralized list of everything that's deprecated, sorted by when it'll be removed :( 18:22:40 the base key-value-store is deprecated 18:22:59 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/kvs/legacy.py#n49 18:23:06 remove in J 18:23:15 https://github.com/openstack/keystone/blob/master/keystone/common/kvs/legacy.py#L48 18:23:19 yes 18:23:32 but the KVS identity backend, and assignment backend were not explicitly marked 18:23:44 as the initial thought was to re-implement with dogpile 18:24:15 the token backend is the only one i'd appreciate having a kvs option for 18:24:27 dogpile or not, but preferrably dogpile 18:24:29 dolphm, and that one uses dogpile 18:24:59 so using a KVS assignment driver **doesn't** log a deprecation warning for example, correct? 18:25:20 dolphm, it would log a deprecation message that keystone.common.kvs.KeyValueStore is deprecated 18:25:28 dolphm, not that assignment.kvs was 18:25:44 erm 18:25:48 keystone.common.kvs.Base 18:25:52 is deprecated 18:25:54 sory 18:26:23 hmm... and was that a +1 or +2 release deprecation? 18:26:27 probably not strong enough to remove assignment/identity kvs stores 18:26:34 it was a +1, deprecated in icehouse 18:26:36 dolphm: ICEHOUSE+1 18:26:59 maybe we should bump that to icehouse+2 and deprecate the actual drivers? 18:27:06 dolphm, sure 18:27:12 so for juno, it'll just be a stronger warning 18:27:14 dolphm, i'm on board with that 18:27:20 dolphm: me too 18:27:34 dolphm : and then we get to kill identity and assignment in Kilo 18:27:37 and K1 they can disappear... and lighten a ton of code out of our codebase (and tests) 18:28:00 henrynash: \o/ 18:28:09 dolphm: excellent!!! 18:28:21 and that's like next week or something assuming we have no bugs 18:28:31 we can spend more time keeping the ldap backend up with sql 18:28:35 dolphm: sign me up that one! 18:28:57 henrynash: sign up for tweaking the deprecation now, or removing it in kilo? 18:29:24 dolphm: removing in Kilo…but happy to do the dpreciation now too 18:30:34 henrynash: done https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-juno 18:31:03 morganfainberg: so, on the auth plugin naming thing - are you going to improve the current warning message, or something else? 18:31:30 dolphm, i'll improve the message but that method of loading plugins wasn't documented 18:31:48 dolphm, more importantly i'll fix the tests to not use that method of loading plugins (without going back to config files) 18:31:52 morganfainberg: the deprecated way wasn't documented? 18:31:56 nope 18:32:01 but all the tests used it 18:32:05 ah, gotcha 18:32:26 i'm not too worried about someone using that method. 18:33:04 morganfainberg, but we can support both :) 18:33:38 gyee, no, we can't. if someone uses the plugins multuple times, with different names, you can't mix/match 18:33:55 gyee, so we'll just remove the load-by-classname support in K? L? 18:34:03 and go back to the old way. 18:34:30 I'd just write a plugin and have it report a different name. 18:34:35 so, i hope this isn't lofty with 23 remaining reviews (plus these little patches to improve deprecations), but my goal this week to have all juno-3 things approved and gating by CoB friday so we can have a few days to fight the gate 18:34:55 why would I have plugins multiple times with different names? 18:35:09 so *please* *please* *please* pitch in on reviews 18:35:20 bknudson: your solution was my solution as well 18:35:21 bknudson, mapped can be used for SAML, OpenID, K2K, etc 18:35:27 bknudson, my solution would be yours 18:35:31 bknudson, difference is dynamic versus static 18:35:40 bknudson: which is why i think i re-prioritized a high/critical bug by ayoung to a wishlist 18:35:43 bknudson, but i gave up on the argument. 18:36:42 gyee, i think the dynamic is really sloppy in this case, but it is what people are using and it works. - there are more important arguments to be had 18:36:56 mapped is generic by nature 18:37:25 gyee, the argument is i want to use "password" but call it "CoolPassword" instead but not break people using "Password" 18:37:37 (bad example, but it's really waht people are asking for) 18:37:57 so instead of subclassing and making a new "CoolPassword" plugin, just use the plugin twice with a different name 18:38:35 same argument for anything that uses mapped, might be a different name, but mapped is the core plugin code 18:38:59 there's only *one* plugin to handle a given auth payload 18:39:21 gyee, right but if you want to use the same plugin for different auth payloads 18:39:37 the plugin doesn't care, it's just handed a payload 18:39:43 we could use a fancy format like class:plugin_name 18:39:54 morganfainberg: are all your patches in the check queue? 18:40:02 dolphm, yes. 18:40:05 can I pass options to the plugin? 18:40:18 dolphm, the rest of non-persistent will be a Kilo target :( 18:40:42 btw - were we going to make UUID tokens the default? 18:40:50 dolphm, too many roadblocks fixing revocation events etc to land the refactor of issuance/validate 18:40:57 morganfainberg: understood. i'm going to keep the bp on the juno-3 list until what made FF is merged - plus those two tiny patches 18:41:06 bknudson, that was -2'd by ayoung. 18:41:46 bknudson, there is a lot of detail on the discussion on that front in the IRC logs and on that patch 18:41:57 dolphm, ++ 18:42:40 if you'd like to vote for/against changing the default token provider from PKI to UUID https://review.openstack.org/#/c/110488/ 18:43:10 oh on that topic 18:43:40 results to the survey on token provider usage 18:43:42 #link https://www.surveymonkey.com/results/SM-LX589JF8/ 18:44:07 30% are able to use PKI. 18:44:32 morganfainberg: i wish you could correlate the comments with responses 18:44:43 morganfainberg: do you need to sanitize the long form answers before publishing that 18:44:46 you can 18:44:46 https://www.surveymonkey.com/results/SM-LX589JF8/browse/ 18:45:00 dolphm: click the 'individual responses' link 18:45:10 jamielennox, eh, i don't think so. 18:45:22 they use PKI for security? 18:45:23 jameiooh thanks 18:45:25 morganfainberg: thanks 18:45:35 bknudson: that's the one i was wondering about actually. 18:45:45 PKI provides a completely false sense of additional security 18:45:48 PKI token doesn't offer any more security 18:46:02 I thought the main argument was performance 18:46:09 gyee, arguably in grizzly it provided LESS security 18:46:14 gyee: that is true 18:46:20 gyee: pretty sure our docs say that as well 18:46:28 morganfainberg: in ...every... release 18:46:31 dolphm, but people like "OMG CRYPTO" 18:46:34 3 so far 18:47:00 dolphm, I am fine with default it back to UUID 18:47:11 this one: We have a black box appliance that act likes a WAF but it only understands UUID token 18:47:24 morganfainberg, crypto != security 18:47:26 meaning... it probably only understands v2 uuid. 18:47:38 gyee: tell our users that :( 18:47:44 gyee, what dolphm said 18:47:55 yeah, +2 18:48:19 it's sort of silly that our default option is historically unstable and less secure even after 3 releases (and about to be 4)... and still not a realistic option in production 18:48:24 this one is interesting: 18:48:26 1) PKI token -- Not user friendly ( Too dificult to use with CURL) 18:48:26 2) Horizon by default converts PKI to UDDI internally ( this will not work, if someone change default hashing algorithim) 18:48:26 3) Revoke token logic is not that reliable. We don't have system bus to collect revocation event. It is easy to say, use event, but it is difficult to setup and manage that infrastructure just for revocation events 18:48:42 i think that sums up the general view on PKI 18:48:48 that i've heard 18:49:20 * morganfainberg wonders if that was gyee 's response >.> 18:49:21 also we keep having needs to put more stuff in the token (or auth response) and it's just not going to work with PKI 18:49:33 lots of problems in there for PKI header size 18:49:41 morganfainberg: ++ 18:49:46 morganfainberg, 4) all of the above 18:49:52 I know for sure, it is not from gyee 18:49:57 gyee: that was all in one response lol 18:50:02 Haneef, haha ok :) 18:50:25 jamielennox: as much as i'd hate to agree with adding more stuff to the token... ++ 18:50:38 dolphm, i think we can make uuid tokens *way* better 18:50:50 dolphm: well the 'adding more stuff to the token' issue is primarily only a problem because of PKI 18:50:51 morganfainberg: me too 18:51:16 morganfainberg: ++ 18:51:30 jamielennox: it's also a problem for us when we try to parse apart the token, and there's always new attributes etc... i wish we could simplify all that 18:52:03 we need to figure out at the summit how to get tokens to work... it shouldn't be this difficult. 18:52:07 dolphm: right but our lack of good token format that people abuse is not a problem about the size and 'official' content in there 18:52:47 jamielennox, are you advocating xml token? :) 18:53:01 bknudson, i think we can make tokens better, and if we focus on making uuid tokens better we could also move towards signed requests instead of x-auth-token (long term) 18:53:25 gyee: i think you can get a token response as XML with UUID ? 18:53:29 bknudson, i've floated some ideas on the token improvements, but i know some people are against it. 18:53:37 morganfainberg: so just switch to oauth? 18:53:47 open id connect :D 18:53:49 jamielennox: yes you can 18:54:02 it seems like we shouldn't be inventing something when there must be an existing solution. 18:54:22 bknudson, i actually was thinking the EC2 model is pretty nice. 18:54:46 morganfainberg: I looked at it a little bit and it looks better than what we've got. 18:54:52 morganfainberg: how is it different from oauth? 18:55:11 real ec2, not our shared secret hack 18:55:30 dolphm, keypair and HMAC sign your request, then the endpoint does some backend lookup for extra auth 18:55:32 morganfainberg, ++ 18:55:57 dolphm, they use a distributed fast store that the endpoints can lookup the data from afaict 18:56:04 xacml, yay 18:56:17 morganfainberg: i said "different" from oauth? 18:56:23 dolphm, LOL 18:56:28 wait, endpoint policy is sorta like xacml 18:56:28 dolphm, well oauth1 sucks :P 18:56:37 dolphm, oauth2 is closer to that 18:56:46 dolphm, i was thinking different than *out* oauth 18:56:50 our* 18:57:13 dolphm, morganfainberg fwiw, cloud foundry uses oauth2 and openid connect for their authZ, authN ... https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst 18:57:18 just tossing that one out there 18:57:56 that's the format of oauth requests, but given that we don't want all the delegation stuff why would we call it oauth2 18:58:00 part of our issue is the keystone internal idp isn't a full featured idp and a lot of people use it 18:58:03 um yeah, that does kind of work and seems so standard :-) 18:58:24 we can steal their rest api 18:58:25 big corporate = standard 18:58:26 dolphm, 2min left 18:58:46 gyee, you STARTUP guy :-) 18:59:01 i think we should plan to do a "fix the tokens... no really" summit session 18:59:23 fix the tokens .. no really we mean it this time 18:59:28 * lbragstad plans to attend 18:59:50 and be willing to assume uuid and PKI are off the table. 18:59:59 in their current forms 19:00:03 pretty sure i just dropped for a bit - just switched from wifi to not 19:00:23 we're at time 19:00:47 thanks! 19:00:50 * dolphm REVIEWS PLZ! https://review.openstack.org/#/q/starredby:dolph+is:open,n,z 19:00:52 #endmeeting