18:00:35 <stevemar_> #startmeeting keystone
18:00:35 <openstack> Meeting started Tue Oct 6 18:00:35 2015 UTC and is due to finish in 60 minutes. The chair is stevemar_. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:36 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:39 <ayoung> Robot Rollcall!
18:00:39 <stevemar_> #link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
18:00:39 <openstack> The meeting name has been set to 'keystone'
18:00:45 <stevemar_> oops
18:00:55 <stevemar_> courtesy ping
18:00:56 <stevemar_> ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rharwood, rodrigods, roxanaghe, samueldmq, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub
18:01:03 <amakarov> o/
18:01:10 <browne> o/
18:01:16 <stevemar_> o\
18:01:18 * bknudson does something
18:01:19 <david8hu> \o
18:01:24 <topol> o/
18:01:28 <dstanek> o/
18:01:28 * stevemar_ high fives bknudson
18:01:30 <htruta> o/
18:01:35 * ayoung now has the MST3K theme song playing through his head
18:01:42 <raildo> \o
18:01:47 <henrynash> :-)
18:01:49 <lhcheng_> o/
18:01:50 <ayoung> henrynash, !
18:01:51 <stevemar_> i'd say we have enough folks
18:01:57 <stevemar_> henrynash: ayoung has been looking for you
18:02:07 <ayoung> henrynash, I threw an item on the end of the agenda...
18:02:07 <henrynash> (runs, hides)
18:02:14 <ayoung> Virtual Roles
18:02:20 <stevemar_> alright, good news to start
18:02:21 <henrynash> ah-ah!
18:02:26 <topol> run Forest run
18:02:28 <stevemar_> #topic RC status
18:02:35 <stevemar_> we've cut rc2!
18:02:40 <stevemar_> yayyyyy
18:02:41 <henrynash> hay!
18:02:46 <topol> CONGRATS
18:02:46 <marekd> nice
18:02:48 <lbragstad> o/
18:02:49 <ayoung> Any significant changes from RC1?
18:03:00 <stevemar_> unless there is an install / upgrade / crazy issue, this will be the last release for liberty
18:03:22 <stevemar_> ayoung: 3 bugs, and translation: https://launchpad.net/keystone/+milestone/liberty-rc2
18:03:25 <bknudson> #link http://git.openstack.org/cgit/openstack/keystone/log/?h=stable%2Fliberty
18:03:50 <ayoung> all good stuff
18:04:06 <stevemar_> around the same topic, we have also released ksc 1.7.2 and ksm 2.3.1 for liberty
18:04:13 <bknudson> I only see 2 bug fixes in the git log
18:04:56 <lbragstad> this is everything that merged in stable/liberty so far - https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:stable/liberty,n,z
18:04:57 <ayoung> 1) Skip rows with empty remote_ids 2) Show v3 endpoints in v2 endpoint list 3) Ensure token validation works irrespective of padding
18:05:06 <stevemar_> bknudson: 1) skip rows, 2) padding, 3) v3 endpoints
18:05:08 <ayoung> are those not all bugs?
18:05:09 <bknudson> oh, the top one is in there
18:05:21 * stevemar_ shakes fist at bknudson
18:05:22 <bknudson> so they're all there
18:05:25 <stevemar_> thanks ayoung :)
18:05:44 <ayoung> stevemar_, that scares me. It is the first time i ever saw bknudson overlook a detail
18:05:57 <stevemar_> regarding libs: so when we eventually release new stuff for mitaka, they'll be at 1.8.0 and 2.4.0 respectively
18:06:01 <topol> he's slippin'
18:06:08 <stevemar_> he's human after all
18:06:15 <marekd> stevemar_: who?
18:06:17 <marekd> !
18:06:18 <ayoung> Not sure about that
18:06:26 <stevemar_> marekd: bknudsonbot
18:06:31 <marekd> stevemar_: no way!
18:06:49 <stevemar_> gonna skip the 2nd topic for now (summit planning)
18:06:55 <ayoung> what is the version number for ksa?
18:07:00 <ayoung> nevermind
18:07:05 <stevemar_> ayoung: 1.0ish
18:07:09 <ayoung> ++
18:07:23 <stevemar_> ayoung: it was cut, but not too many things are using it
18:07:43 <ayoung> I saw the summit room breakdown email. Let me see if I can link it
18:07:50 <dolphm> is that why releases haven't appeared on pypi?
18:08:03 <stevemar_> dolphm: of keystoneauth?
18:08:08 <dolphm> stevemar_: yes
18:08:20 <bknudson> #link https://pypi.python.org/pypi/keystoneauth
18:08:22 <bknudson> says 0.2.0
18:08:29 <stevemar_> that seems wrong
18:08:32 <bknudson> https://pypi.python.org/pypi/keystoneauth1
18:08:36 <bknudson> that's got 1.1.0
18:08:50 <stevemar_> ah right, it's keystoneauth1
18:09:02 <bknudson> I thought we'd want keystoneauth on pypi
18:09:03 <ayoung> http://lists.openstack.org/pipermail/openstack-dev/2015-October/076000.html
18:09:06 <dolphm> oh, f
18:09:19 <dolphm> can we delete the old package? or update the README to point to the new one?
18:09:27 <stevemar_> dolphm: i can look into that
18:09:35 <lbragstad> delete keystoneauth and point everyone to keystoneauth1
18:09:39 <lbragstad> right?
18:09:42 <stevemar_> yes
18:09:46 <topol> +++
18:09:54 <dolphm> if deleting things on pypi is acceptable, not sure it is
18:09:55 <breton> or raise an exception in keystoneauth
18:10:23 <breton> saying "keystoneauth1"
18:10:24 <stevemar_> there's a few things we can do, i'm sure there is a right answer though
18:10:38 <ayoung> #link https://docs.google.com/spreadsheets/d/1tpLN5emWhcMmSmkn8z_HuclcjnEPevP77BhdnFN9KCs/pubhtml?gid=5&single=true Here is our room breakdown
18:10:58 <ayoung> https://mitakadesignsummit.sched.org/overview/type/Keystone#.VhQOp7P-TMU and it's on sched.org already
18:11:13 <stevemar_> ayoung: hehe, hold up.
18:11:26 <stevemar_> any other q's on liberty or the surrounding libraries?
18:11:43 <ayoung> Give me liberty or give me RC3
18:12:02 <stevemar_> #topic ops feedback for summit
18:12:22 <bknudson> hopefully the ops will show up this time.
18:12:25 <ayoung> Did we skip Design session planning?
18:12:33 <stevemar_> ayoung: just for a minute
18:12:37 <ayoung> k
18:12:48 <stevemar_> ayoung: that is gonna be a long discussion, get the easy stuff in first
18:12:53 <stevemar_> #link https://etherpad.openstack.org/p/TYO-ops-feedback-into-PWG
18:12:59 <stevemar_> add questions to that etherpad ^
18:13:03 <ayoung> #link https://mitakadesignsummit.sched.org/overview/type/Ops#.VhQPKLP-TMU
18:13:27 <stevemar_> and if you're interested in going to the session: http://mitakadesignsummit.sched.org/event/1cdd373e1128b6c5f9536c00f461947a#.VhCyIhNVhBc
18:13:36 <stevemar_> bknudson: i think it'll be more organized this time
18:13:48 <breton> yeah, last time it was 15 developers vs 2 ops
18:14:21 <stevemar_> breton: yeah, i think they are doing a general session for all the ops to generate data on projects
18:14:29 <dolphm> and for the record, the devs won
18:14:30 <stevemar_> so it's important to put questions on the etherpad
18:14:37 <stevemar_> dolphm: we always win
18:14:46 <bknudson> we really put those operators in their place.
18:14:48 <dolphm> i'd like to see ops win for a change
18:14:51 <lbragstad> so, if you know people in ops that don't necessarily hang out on irc, poke them!
18:14:57 <stevemar_> lbragstad: ++
18:15:10 <lbragstad> or at least pass them the info
18:15:33 <stevemar_> also for those interested, there is also this link going around:
18:15:35 <stevemar_> #link https://etherpad.openstack.org/p/operator-local-patches
18:15:44 <stevemar_> a set of local patches that ops carry per project
18:15:58 <stevemar_> we're actually pretty good :)
18:16:36 <stevemar_> anyway, try to be engaged in these sessions, they are crazy important
18:16:51 <bknudson> "Strip catalog from PKI token"
18:17:12 <stevemar_> bknudson: comment on the etherpad if you want
18:17:14 <dolphm> ?nocatalog#implemented
18:17:22 <stevemar_> yep
18:17:24 <lbragstad> it's the fernet?
18:17:28 <lbragstad> isn't*
18:17:36 <dolphm> it's always the fernet
18:17:45 <stevemar_> teh fehrnet
18:17:51 <morgan> Delete PKI token format *shiftyeyes*
18:18:04 <dolphm> interface="furnet"
18:18:05 * lbragstad wanders off to learn to keyboard...
18:18:18 <gyee> y'all using PKI wrong
18:18:20 <morgan> dolphm: i am scared what a furnet is
18:18:37 <stevemar_> alright alright :)
18:18:55 <stevemar_> #topic release notes
18:19:04 <stevemar_> edit the wiki directly
18:19:16 <stevemar_> #link https://wiki.openstack.org/wiki/ReleaseNotes/Liberty#OpenStack_Identity_.28Keystone.29
18:19:22 <stevemar_> review and edit please
18:19:36 <stevemar_> dolphm i know you did a lot for this already
18:19:38 <stevemar_> and thanks :D
18:19:55 <stevemar_> samueldmq: you too!
18:20:08 <dolphm> ++
18:20:12 <stevemar_> apparently this is a buzz kill of a topic
18:20:20 <ayoung> let's not make any changes to PKI tokens; let's just work on deprecating them
18:20:25 <ayoung> there are too many problems to fix
18:20:26 <dolphm> \o/ yay release notes
18:20:34 <stevemar_> ayoung: ++
18:20:41 <dstanek> ayoung: ++
18:20:41 <stevemar_> dolphm: thanks for trying :)
18:20:54 <stevemar_> alright, on to the fun stuff!
18:20:59 <ayoung> and the primary reason PKI tokens were even written is replaced by K2K and SAML.
18:20:59 <stevemar_> ayoung: it's time
18:21:09 <ayoung> Summit planning time?
18:21:11 <stevemar_> #topic design sessions
18:21:21 <ayoung> where is our etherpad?
18:21:36 <bknudson> #link https://etherpad.openstack.org/p/keystone-mitaka-summit-brainstorm
18:21:37 <lbragstad> we had one here #Link https://etherpad.openstack.org/p/keystone-mitaka-summit-brainstorm
18:21:49 <ayoung> thanks
18:21:50 <stevemar_> ayoung: so far i have the brain dump ... fineeee bknudson and lbragstad
18:22:18 <ayoung> Can we make one session that is KSA, KSM and KSC?
18:22:40 <ayoung> let's start thinking in buckets for these things. we have 14 top level topics
18:22:41 <stevemar_> so before we start penciling in stuff
18:22:43 <lbragstad> so a session dedicated to non-server related keystone libraries
18:22:50 <marekd> who added bullet 14.3 ?
18:22:59 <stevemar_> we have 7 fishbowl sessions
18:23:03 <ayoung> marekd, I did
18:23:06 <stevemar_> these are the ones that are group discussion
18:23:19 <samueldmq> stevemar_: hello, sorry I am late
18:23:22 <samueldmq> stevemar_: no problem :)
18:23:29 <stevemar_> 4 workroom sessions
18:23:30 <marekd> ayoung: ack
18:23:37 <stevemar_> and 2 meetup sessions (same as last)
18:23:47 <stevemar_> workrooms are the boardroom style ones
18:23:57 <lbragstad> I feel like tokens and tokenless auth could be grouped
18:24:00 <stevemar_> and fishbowls are the ones we've done for a while
18:24:10 <ayoung> marekd, probably we can mix that in with something else. Consumption of notifications needs to be addressed in a few places...it's really cross project type stuff
18:24:13 <morgan> And fishbowl rooms are much larger
18:24:14 <stevemar_> samueldmq: np, and hello
18:24:17 <lbragstad> both goals for those two sessions are getting it to be the default in devstack
18:24:19 <ayoung> lbragstad, ++
18:24:20 <marekd> ayoung: yes
18:24:26 <stevemar_> lbragstad: true
18:24:27 <morgan> Fyi in tokyo expect the work rooms to be small
18:24:32 <morgan> Very small
18:24:40 <topol> how small?
18:25:01 <bknudson> also, you have to take your shoes off and sit on the floor.
18:25:07 <morgan> I think the target was ~8-10 people
18:25:08 <gyee> really?
18:25:19 <stevemar_> topol: prison sized
18:25:21 <ayoung_> gyee, really. but just you
18:25:24 <gyee> bknudson, you ain't kidding
18:25:25 <marekd> bknudson: and put on another shoes when going to toilet (yes, really)
18:25:25 <bknudson> we're probably going to have to wander off to another area to work
18:25:39 <ayoung_> http://i.dailymail.co.uk/i/pix/2013/07/02/article-2353514-1A9F4E55000005DC-736_634x436.jpg
18:25:59 <gyee> wow
18:26:01 <morgan> The only reason any work rooms were requested was to have some general purpose time
18:26:02 <dolphm> ayoung_: are we staying at the same hotel??
18:26:21 <marekd> bknudson: 12.1 - what's incorrect right now?
18:26:22 <morgan> Otherwise I would have requested only fishbowls
18:26:41 <morgan> (Since I was the one who had to make the requests for room allocation)
18:26:43 <lbragstad> could we address topic 5 in 8 (keystone server)?
18:27:09 <ayoung_> lbragstad, ++
18:27:38 <bknudson> marekd: according to mtreinish the keystone functional tests should require checking something in the backend database.
18:27:51 <gyee> lbragstad, yeah, if we are talking about server deprecations
18:27:51 <bknudson> not just be a test that uses devstack.
18:28:02 * breton doesn't see 5 in 8, sees only 3
18:28:06 <stevemar_> so, the workrooms, anyone have a suggestion about one of the things from the etherpad that can be dumped there?
18:28:19 <lbragstad> gyee: ++ yeah, we'll have to cover deprecations for the ksm, ksc, ksa bits, too
18:28:29 <dstanek> bknudson: what sort of checking?
18:28:30 <dolphm> bknudson: that's super odd
18:28:41 <marekd> bknudson: so after adding entity i should write a code that queries backend and checks if that's there?
18:28:59 <stevemar_> i was thinking that testing could be a workroom session
18:29:00 <bknudson> dstanek: in the case of nova, it's like checking something in libvirt I would guess. In keystone it might be something like checking that the entry was created in ldap
18:29:03 <dolphm> i care about how the interface behaves, not what the interface does on the backend.
18:29:37 <gyee> then why do we need func tests?
18:29:40 <bknudson> dolphm: that's how I interpreted functional tests at first, too, but mtreinish said that was incorrect.
18:29:42 <ayoung_> dolphm, yeah...this sounds like a lead in to fragile tests
18:29:56 <dstanek> bknudson: if the test is to create something then we'll probably check for it. other than that i don't see what we'd be doing.
18:29:58 <dolphm> if tests are dependent on true implementation details, then they need to be rewritten in order to do refactors, which means the tests are fragile and completely useless.
18:30:00 <dolphm> ayoung_: ++
18:30:02 <ayoung_> functional tests exercise the backend, but do not check for implementation details
18:30:07 <dstanek> definitely not hitting the DB directly
18:30:18 <dolphm> dstanek: ++
18:30:35 <dstanek> dolphm: ayoung_: ++
18:30:56 <stevemar_> dolphm: dstanek ayoung_ i think we're all in agreement on that
18:30:57 <dstanek> i want the same tests to run against any backend (with the exceptions i noted in my documentation)
18:31:10 <ayoung_> Now, having two distinct servers running that talk to the same backend is a viable test setup, but it would be expensive.
18:31:10 <bknudson> I suggest you bring this up with the -qa team and figure out what the alternative is.
18:31:11 <dolphm> ++
18:31:31 <morgan> Etherpad on mobile has gotten bad :(
18:31:35 <stevemar_> morgan: :(
18:31:41 <dolphm> the alternative is not writing "unit" tests against the database and calling it "functional"
18:31:56 <ayoung_> So stevemar_ what are we looking for here: big buckets for big rooms and small buckets for small rooms?
18:31:56 <stevemar_> this has gone way off topic :\
18:32:00 <dstanek> bknudson: where was this discussed?
18:32:22 <bknudson> dstanek: they have had summit sessions on it that I wasn't able to attend, so I got learned on irc.
18:32:24 <stevemar_> ayoung_: yes, big topic for fishbowl rooms and smaller topics for workrooms
18:32:39 <lbragstad> stevemar_: do you want to have things consolidated yet?
18:32:52 <bknudson> maybe for the workrooms we find some things that a few of us want to work on.
18:33:05 <bknudson> for example, I'd be interested in test refactoring
18:33:17 <bknudson> maybe documentation for the libs
18:33:19 <stevemar_> lbragstad: i can easily consolidate and pick things, i wanted to give the core team a chance to say "I want this topic to be a fishbowl"
18:33:30 <stevemar_> or "I want this topic to be a workroom"
18:33:35 <breton> oh, I'd love to see test refactoring.
18:34:10 <stevemar_> I think anything that touches another project should not be a workroom, since that's hard to schedule
18:34:10 <ayoung_> 5 fishbowl room sessions 5 Work room sessions ?
18:34:15 <ayoung_> Do I have that right
18:34:25 <morgan> 7 fishbowl for us, 4 workroom
18:34:29 <stevemar_> ayoung_: no, 7 fish, 4 work
18:34:31 <henrynash> the whole policy/roles direction would be another
18:34:31 <lbragstad> catalog standardization has been a theme in the last couple summits
18:34:43 <lbragstad> that'd probably benefit from being a fishbowl
18:34:48 <stevemar_> lbragstad: that's gonna be a X-project one
18:34:57 <stevemar_> so don't even count it on here
18:35:02 <lbragstad> cool
18:35:29 <ayoung_> Roles and Policy need to be cross project attended
18:35:48 <gyee> ayoung_, ++
18:35:53 <ayoung_> We need buy in, especially from Nova, if we are going to make any progress
18:35:59 <stevemar_> yep
18:36:13 <stevemar_> i think "things to deprecate and remove" and "testing" can be working rooms?
18:36:16 <samueldmq> ayoung_: ++
18:36:18 <lbragstad> federation as its own fishbowl i assume
18:36:20 <stevemar_> anyone disagree?
18:36:21 <ayoung_> ++
18:36:36 <lbragstad> there is a *lot* of stuff under those
18:36:43 <stevemar_> actually... deprecation... we might need input from others
18:36:50 <bknudson> The times were 40 mins right?
18:36:54 <ayoung_> is federation even that much a hot topic anymore? It's kind of implemented. There are details like making the mapping easier to work with...openid connect.
18:37:00 <ayoung_> OK..yeah, that is fishbowl
18:37:02 <bknudson> We didn't get much done in the 40 min sessions last time.
18:37:17 <dstanek> stevemar_: i would agree since i think those are more likely topics that we'll work on and not just discuss
18:37:20 <stevemar_> basically the contentious ones, I want to make fishbowls
18:37:22 <dolphm> ayoung_: it should be more of a cross-project topic this time around. horizon + keystone + openstackclient + etc
18:37:32 <stevemar_> dolphm: yep
18:37:37 <ayoung_> dolphm, ah, good.
18:37:38 <lbragstad> I'd agree with that
18:37:54 <dolphm> stevemar_: is there room for that in the cross-project schedule at this point?
18:37:58 <dolphm> (federation)
18:38:29 <stevemar_> dolphm: i don't think it's finalized yet
18:38:47 <stevemar_> I could ask for it
18:38:50 <dolphm> stevemar_: ++
18:39:11 <anteaya> I think cross project schedule is on today's tc meeting agenda
18:39:12 <dstanek> i'll throw this out as a general OpenStack criticism - the x-project initiatives need an x-project team otherwise they'll either never get done or take forever
18:39:20 <dolphm> anteaya: awesome, thanks
18:39:39 <gyee> dstanek, so true :)
18:39:42 <dolphm> dstanek: that's (unfortunately?) true
18:39:52 <anteaya> dolphm: confirmed
18:40:03 <dolphm> our first round of cross project sessions was a lot of tossing responsibilities over the fence
18:40:16 <anteaya> I think growing folks to do cross project work is part of what ttx is trying to get the tc to do
18:40:21 <dolphm> some number of summits ago
18:40:34 <dstanek> anteaya: nice
18:40:40 <stevemar_> that would be cool to see
18:40:45 <anteaya> but the electorate has to elect folks who aren't currently booked with ptl duties to do so
18:40:53 <anteaya> so far, that hasn't happened a lot
18:40:58 <anteaya> here's hoping
18:41:02 <bknudson> hey, we made v3 available it's their own fault if they don't use it.
18:41:08 <dstanek> we really need OpenStack initiatives and construct a team of the right people - not a project saying we are doing this x-project thing so listen up
18:41:26 * anteaya agrees, having come into the middle of the conversation
18:42:52 <stevemar_> ayoung_: dolphm dstanek -- everyone>> my current picks: http://paste.openstack.org/show/475509/
18:42:57 <lbragstad> so, almost everything either has 'fishbowl' or 'workroom' next to it
18:43:03 <stevemar_> lbragstad: ^
18:43:22 <lbragstad> is paste.o.o slow for anyone else today?
18:43:27 <samueldmq> dstanek: ++ that looks to have happened to dynamic policies too, when ayoung_ had sessions, and it seemed that people from other projects just didn't appear
18:43:28 <ayoung_> yep
18:43:33 <marekd> lbragstad: yes
18:43:49 <stevemar_> i think we got everything on the paste
18:43:54 <lbragstad> stevemar_: you want federation to be a x-project fishbowl if we have the time, right?
18:44:11 <stevemar_> lbragstad: i'd prefer that
18:44:18 <stevemar_> but in case, i can use one of ours
18:44:20 <dstanek> lbragstad: yes, takes a long time to load
18:44:33 <lbragstad> stevemar_: ok, marked it as such in the etherpad
18:45:06 <gyee> stevemar_, and audit?
18:45:16 <gyee> it's a small A of the AAA after all
18:45:21 <stevemar_> lbragstad: if anything i would like to have another random cross-project fishbowl session
18:45:23 <ayoung_> stevemar_, so Policy can be policy and roles...and with that, I'd like to ask for the last 10 minutes of this meeting to be about roles stuff
18:45:52 <morgan> gyee: we are more IAM + audit than AAA now
18:45:54 <lbragstad> stevemar_: so, should we put an action item under Federation to check on the status of getting a x-project slot for that?
18:45:56 <stevemar_> ayoung_: that's fine with me, still 5 minutes left
18:46:00 <stevemar_> err 15
18:46:04 <ayoung_> ++
18:46:08 <stevemar_> lbragstad: yep
18:46:27 <dstanek> stevemar_: i'm happy with that list so far
18:46:36 <stevemar_> i'll be doing that as i look to make sure the service catalog is coming out of x-project fishbowl and not ours
18:46:46 <ayoung_> ++
18:46:47 <stevemar_> gyee: audit might be a working room
18:46:59 <ayoung_> would love to move the service catalog to DNS
18:47:04 <stevemar_> i'd prefer to have the last fishbowl for general crossproject stuff
18:47:22 <stevemar_> so no red flags here right?
18:47:24 <dstanek> ayoung_: i started a little project to test that out
18:47:30 <stevemar_> no one is feeling short changed?
18:47:41 <stevemar_> everything is groovy
18:47:51 <ayoung_> Performing
18:48:03 <stevemar_> and with that, let the battle begin, ayoung_ and henrynash lace up
18:48:12 <ayoung_> Heh
18:48:13 <stevemar_> #topic roles
18:48:17 * dstanek grabs some popcorn and a beer
18:48:20 <henrynash> (I think not much of a battle, actually!)
18:48:25 <ayoung_> henrynash, so...aside from naming, I think we are on the same page
18:48:41 * lbragstad grabs a seat next to dstanek
18:48:48 <stevemar_> http://cdn.meme.am/instances/400x/59486625.jpg
18:48:50 <ayoung_> gyee, role groups ayoung_ implied roles henrynash virtual roles
18:48:59 <ayoung_> but I think we all want roughly the same thing:
18:49:03 <ayoung_> assing one role, get many...
18:49:14 <ayoung_> that is the subset of henrynash's blueprint
18:49:20 <gyee> is assing a word?
18:49:26 <lbragstad> it is now
18:49:27 <dolphm> gyee: it's the subset
18:49:35 <ayoung_> yes, but only halfway
18:49:37 <gyee> hahahah
18:49:45 <ayoung_> I guess I half-assigned that
18:49:56 * gyee learns something new today
18:50:01 <ayoung_> anyway
18:50:14 <ayoung_> henrynash, you also have the domain specific roles part, which is, I think 2 parts:
18:50:18 <ayoung_> 1 namespacing of roles
18:50:22 <henrynash> yes
18:50:30 <ayoung_> 2. certain roles don't go in tokens
18:50:48 <ayoung_> so..if we do implied roles first (expanded in the tokens) can we build the other things on top of it?
18:50:52 <henrynash> correct (maybe “management roles” would be a better name for those)
18:51:22 <ayoung_> henrynash, I was thinking virtual roles would be "roles that imply other roles but that never end up in tokens themselves:
18:51:23 <ayoung_> "
18:51:41 <gyee> all I am asking is usability
18:51:45 <dstanek> dumb question...does this concept already exist in some other product?
18:51:52 <ayoung_> dstanek, all over the place
18:51:58 <henrynash> ayoung_: sure, that’s what I meant by them too….but most people don’t like virtual roles (and I’m not sure I do either)
18:52:06 <ayoung_> dstanek, the reason gyee keeps using the term role groups is that is what MS calls it (at least)
18:52:25 <henrynash> and the very first bp I wrote called them role-groups!
18:52:31 <ayoung_> henrynash, fair enough. I'll defer on the naming.
18:52:35 <henrynash> and I’m Ok with that name too
18:52:44 <morgan> Role-groups is pretty descriptive
18:52:49 <morgan> And not overloaded
18:52:51 <morgan> Fwiw
18:53:06 <morgan> Descriptive and not overloaded = good option
18:53:21 <henrynash> so implied roles…..just means expand this role-group and put all the roles in the token?
18:54:14 <morgan> I would err to the side of something that people are familiar with. If MS uses "role groups" that is a pretty good option imo
18:54:26 <morgan> henrynash: i think that is an implementation detail
18:54:28 <ayoung_> henrynash, well, I was thinking that a role is either in the token or not. an implied role means "If I get this role I get this other one too"
18:54:28 <henrynash> morgan: and I’m fine with that
18:54:35 <ayoung_> so I had them as two dimensions on the role object
18:54:37 <morgan> Either way it could work regardless of the name
18:54:49 <morgan> So either you expand or you don't. I don't think it matters
18:54:49 <ayoung_> a role group could be "a role that does not go into a token"
18:55:03 <henrynash> ayoung_: agreed
18:55:03 <lbragstad> 5 minutes remaining
18:55:04 <samueldmq> openstackbot info: 5 mins left
18:55:08 <samueldmq> lbragstad: o/
18:55:09 <ayoung_> so if we give someone "admin" they get "member" and both go into the token
18:55:16 <dolphm> how are role groups inherited in hierarchical multitenancy?
18:55:19 <gyee> we just need something that is "easy" to explain to average users, "easy" for doc people, "easy" to use
18:55:20 * dolphm sorry.
18:55:20 <morgan> ayoung_: yeah. I think you're spot on let's defer impl details like expansion for not in this meeting
18:55:25 <ayoung_> but if we give someone "IBM-DISTINGUISHED_ENGINEER" that is a role group and it does not go in the token
18:55:35 <henrynash> gyee: absolutely +++++
18:55:35 <ayoung_> morgan, I think we are good
18:55:44 <morgan> ayoung_: yah agreed :)
18:56:13 <henrynash> ayoung_: ok, so namespacing
18:56:22 <ayoung_> OK...we can battle out the rest of the details at the summit, but I want a goal of having the spec approved before we leave Japan
18:56:32 <henrynash> ayoung_: agreed
18:56:38 <ayoung_> namespacing...yeah, that is tricky.
18:57:02 <ayoung_> can we do it in this order:
18:57:06 <bknudson> collect everyone's passport until spec is approved
18:57:06 <henrynash> ayoung_: I think that’s the hardest bit, I agree….if you namespace a role that goes in a token…what does that mean?
18:57:21 <ayoung_> henrynash, right, one of two things
18:57:29 <morgan> bknudson: i think that is mordred's plan for some other sessions :P
18:57:35 <ayoung_> 1. namespace to a domain, don't put it in the token. 2. Namespace to a service...
18:57:40 <stevemar_> bknudson: haha
18:57:48 <mordred> what did I do?
18:57:52 <ayoung_> so nova:admin is different from swift:admin
18:57:58 <ayoung_> and that should be expanded later?
18:58:02 <henrynash> ayoung_: namespacing a role_group to a domain (say) makes a lot of sense (to me)…..and doesn’t affect the types of role that end up in the token
18:58:29 <ayoung_> so the related spec (we don't have time for) is this one
18:58:45 <samueldmq> henrynash: yes because role-groups never go in the token
18:58:46 <ayoung_> https://review.openstack.org/#/c/228477/
18:58:53 <ayoung_> I see you -1'ed it. have not looked yet
18:59:16 <ayoung_> henrynash, so get a sketch of your approach up
18:59:17 <henrynash> ayoung_: I only -1’d since I am going to post an alternative so we can compare
18:59:27 <henrynash> will do
18:59:30 <ayoung_> and with that, I cede the floor
18:59:31 <stevemar_> and we're up
18:59:37 <stevemar_> excellent timing
18:59:40 <stevemar_> #endmeeting