18:00:35 #startmeeting keystone
18:00:35 Meeting started Tue Oct 6 18:00:35 2015 UTC and is due to finish in 60 minutes. The chair is stevemar_. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:36 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:39 Robot Rollcall!
18:00:39 #link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
18:00:39 The meeting name has been set to 'keystone'
18:00:45 oops
18:00:55 courtesy ping
18:00:56 ajayaa, amakarov, ayoung, breton, browne, davechen, david8hu, dolphm, dstanek, ericksonsantos, geoffarnold, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, lbragstad, lhcheng, marekd, morganfainberg, nkinder, raildo, rharwood, rodrigods, roxanaghe, samueldmq, stevemar, tsymanczyk, topol, vivekd, wanghong, claudiub
18:01:03 o/
18:01:10 o/
18:01:16 o\
18:01:18 * bknudson does something
18:01:19 \o
18:01:24 o/
18:01:28 o/
18:01:28 * stevemar_ high-fives bknudson
18:01:30 o/
18:01:35 * ayoung now has the MST3K theme song playing through his head
18:01:42 \o
18:01:47 :-)
18:01:49 o/
18:01:50 henrynash, !
18:01:51 i'd say we have enough folks
18:01:57 henrynash: ayoung has been looking for you
18:02:07 henrynash, I threw an item on the end of the agenda...
18:02:07 (runs, hides)
18:02:14 Virtual Roles
18:02:20 alright, good news to start
18:02:21 ah-ah!
18:02:26 run Forrest run
18:02:28 #topic RC status
18:02:35 we've cut rc2!
18:02:40 yayyyyy
18:02:41 hay!
18:02:46 CONGRATS
18:02:46 nice
18:02:48 o/
18:02:49 Any significant changes from RC1?
18:03:00 unless there is an install / upgrade / crazy issue, this will be the last release for liberty
18:03:22 ayoung: 3 bugs, and translation: https://launchpad.net/keystone/+milestone/liberty-rc2
18:03:25 #link http://git.openstack.org/cgit/openstack/keystone/log/?h=stable%2Fliberty
18:03:50 all good stuff
18:04:06 around the same topic, we have also released ksc 1.7.2 and ksm 2.3.1 for liberty
18:04:13 I only see 2 bug fixes in the git log
18:04:56 this is everything that merged in stable/liberty so far - https://review.openstack.org/#/q/status:merged+project:openstack/keystone+branch:stable/liberty,n,z
18:04:57 1) Skip rows with empty remote_ids 2) Show v3 endpoints in v2 endpoint list 3) Ensure token validation works irrespective of padding
18:05:06 bknudson: 1) skip rows, 2) padding, 3) v3 endpoints
18:05:08 are those not all bugs?
18:05:09 oh, the top one is in there
18:05:21 * stevemar_ shakes fist at bknudson
18:05:22 so they're all there
18:05:25 thanks ayoung :)
18:05:44 stevemar_, that scares me. It is the first time I ever saw bknudson overlook a detail
18:05:57 regarding libs: so when we eventually release new stuff for mitaka, they'll be at 1.8.0 and 2.4.0 respectively
18:06:01 he's slippin'
18:06:08 he's human after all
18:06:15 stevemar_: who?
18:06:17 !
18:06:18 Not sure about that
18:06:26 marekd: bknudsonbot
18:06:31 stevemar_: no way!
18:06:49 gonna skip the 2nd topic for now (summit planning)
18:06:55 what is the version number for ksa?
18:07:00 nevermind
18:07:05 ayoung: 1.0ish
18:07:09 ++
18:07:23 ayoung: it was cut, but not too many things are using it
18:07:43 I saw the summit room breakdown email. Let me see if I can link it
18:07:50 is that why releases haven't appeared on pypi?
18:08:03 dolphm: of keystoneauth?
18:08:08 stevemar_: yes
18:08:20 #link https://pypi.python.org/pypi/keystoneauth
18:08:22 says 0.2.0
18:08:29 that seems wrong
18:08:32 https://pypi.python.org/pypi/keystoneauth1
18:08:36 that's got 1.1.0
18:08:50 ah right, it's keystoneauth1
18:09:02 I thought we'd want keystoneauth on pypi
18:09:03 http://lists.openstack.org/pipermail/openstack-dev/2015-October/076000.html
18:09:06 oh, f
18:09:19 can we delete the old package? or update the README to point to the new one?
18:09:27 dolphm: i can look into that
18:09:35 delete keystoneauth and point everyone to keystoneauth1
18:09:39 right?
18:09:42 yes
18:09:46 +++
18:09:54 if deleting things on pypi is acceptable, not sure it is
18:09:55 or raise an exception in keystoneauth
18:10:23 saying "keystoneauth1"
18:10:24 there's a few things we can do, i'm sure there is a right answer though
18:10:38 #link https://docs.google.com/spreadsheets/d/1tpLN5emWhcMmSmkn8z_HuclcjnEPevP77BhdnFN9KCs/pubhtml?gid=5&single=true Here is our room breakdown
18:10:58 https://mitakadesignsummit.sched.org/overview/type/Keystone#.VhQOp7P-TMU and it's on sched.org already
18:11:13 ayoung: hehe, hold up.
18:11:26 any other q's on liberty or the surrounding libraries?
18:11:43 Give me liberty or give me RC3
18:12:02 #topic ops feedback for summit
18:12:22 hopefully the ops will show up this time.
18:12:25 Did we skip Design session planning?
18:12:33 ayoung: just for a minute
18:12:37 k
18:12:48 ayoung: that is gonna be a long discussion, get the easy stuff in first
18:12:53 #link https://etherpad.openstack.org/p/TYO-ops-feedback-into-PWG
18:12:59 add questions to that etherpad ^
18:13:03 #link https://mitakadesignsummit.sched.org/overview/type/Ops#.VhQPKLP-TMU
18:13:27 and if you're interested in going to the session: http://mitakadesignsummit.sched.org/event/1cdd373e1128b6c5f9536c00f461947a#.VhCyIhNVhBc
18:13:36 bknudson: i think it'll be more organized this time
18:13:48 yeah, last time it was 15 developers vs 2 ops
18:14:21 breton: yeah, i think they are doing a general session for all the ops to generate data on projects
18:14:29 and for the record, the devs won
18:14:30 so it's important to put questions on the etherpad
18:14:37 dolphm: we always win
18:14:46 we really put those operators in their place.
18:14:48 i'd like to see ops win for a change
18:14:51 so, if you know people in ops that don't necessarily hang out on irc, poke them!
18:14:57 lbragstad: ++
18:15:10 or at least pass them the info
18:15:33 also for those interested, there is also this link going around:
18:15:35 #link https://etherpad.openstack.org/p/operator-local-patches
18:15:44 a set of local patches that ops carry per project
18:15:58 we're actually pretty good :)
18:16:36 anyway, try to be engaged in these sessions, they are crazy important
18:16:51 "Strip catalog from PKI token"
18:17:12 bknudson: comment on the etherpad if you want
18:17:14 ?nocatalog#implemented
18:17:22 yep
18:17:24 it's the fernet?
18:17:28 isn't*
18:17:36 it's always the fernet
18:17:45 teh fehrnet
18:17:51 Delete PKI token format *shiftyeyes*
18:18:04 interface="furnet"
18:18:05 * lbragstad wanders off to learn to keyboard...
18:18:18 y'all using PKI wrong
18:18:20 dolphm: i am scared what a furnet is
18:18:37 alright alright :)
18:18:55 #topic release notes
18:19:04 edit the wiki directly
18:19:16 #link https://wiki.openstack.org/wiki/ReleaseNotes/Liberty#OpenStack_Identity_.28Keystone.29
18:19:22 review and edit please
18:19:36 dolphm i know you did a lot for this already
18:19:38 and thanks :D
18:19:55 samueldmq: you too!
18:20:08 ++
18:20:12 apparently this is a buzz kill of a topic
18:20:20 let's not make any changes to PKI tokens; let's just work on deprecating them
18:20:25 there are too many problems to fix
18:20:26 \o/ yay release notes
18:20:34 ayoung: ++
18:20:41 ayoung: ++
18:20:41 dolphm: thanks for trying :)
18:20:54 alright, on to the fun stuff!
18:20:59 and the primary reason PKI tokens were even written is replaced by K2K and SAML.
18:20:59 ayoung: it's time
18:21:09 Summit planning time?
18:21:11 #topic design sessions
18:21:21 where is our etherpad?
18:21:36 #link https://etherpad.openstack.org/p/keystone-mitaka-summit-brainstorm
18:21:37 we had one here #Link https://etherpad.openstack.org/p/keystone-mitaka-summit-brainstorm
18:21:49 thanks
18:21:50 ayoung: so far i have the brain dump ... fineeee bknudson and lbragstad
18:22:18 Can we make one session that is KSA, KSM and KSC?
18:22:40 let's start thinking in buckets for these things. we have 14 top level topics
18:22:41 so before we start penciling in stuff
18:22:43 so a session dedicated to non-server related keystone libraries
18:22:50 who added bullet 14.3 ?
18:22:59 we have 7 fishbowl sessions
18:23:03 marekd, I did
18:23:06 these are the ones that are group discussion
18:23:19 stevemar_: hello, sorry I am late
18:23:22 stevemar_: no problem :)
18:23:29 4 workroom sessions
18:23:30 ayoung: ack
18:23:37 and 2 meetup sessions (same as last)
18:23:47 workrooms are the boardroom style ones
18:23:57 I feel like tokens and tokenless auth could be grouped
18:24:00 and fishbowls are the ones we've done for a while
18:24:10 marekd, probably we can mix that in with something else. Consumption of notifications needs to be addressed in a few places...it's really cross project type stuff
18:24:13 And fishbowl rooms are much larger
18:24:14 samueldmq: np, and hello
18:24:17 both goals for those two sessions are getting it to be the default in devstack
18:24:19 lbragstad, ++
18:24:20 ayoung: yes
18:24:26 lbragstad: true
18:24:27 Fyi in tokyo expect the work rooms to be small
18:24:32 Very small
18:24:40 how small?
18:25:01 also, you have to take your shoes off and sit on the floor.
18:25:07 I think the target was ~8-10 people
18:25:08 really?
18:25:19 topol: prison sized
18:25:21 gyee, really. but just you
18:25:24 bknudson, you ain't kidding
18:25:25 bknudson: and put on other shoes when going to the toilet (yes, really)
18:25:25 we're probably going to have to wander off to another area to work
18:25:39 http://i.dailymail.co.uk/i/pix/2013/07/02/article-2353514-1A9F4E55000005DC-736_634x436.jpg
18:25:59 wow
18:26:01 The only reason any work rooms were requested was to have some general purpose time
18:26:02 ayoung_: are we staying at the same hotel??
18:26:21 bknudson: 12.1 - what's incorrect right now?
18:26:22 Otherwise I would have requested only fishbowls
18:26:41 (Since I was the one who had to make the requests for room allocation)
18:26:43 could we address topic 5 in 8 (keystone server)?
18:27:09 lbragstad, ++
18:27:38 marekd: according to mtreinish the keystone functional tests should require checking something in the backend database.
18:27:51 lbragstad, yeah, if we are talking about server deprecations
18:27:51 not just be a test that uses devstack.
18:28:02 * breton doesn't see 5 in 8, sees only 3
18:28:06 so, the workrooms, anyone have a suggestion about one of the things from the etherpad that can be dumped there?
18:28:19 gyee: ++ yeah, we'll have to cover deprecations for the ksm, ksc, ksa bits, too
18:28:29 bknudson: what sort of checking?
18:28:30 bknudson: that's super odd
18:28:41 bknudson: so after adding an entity i should write code that queries the backend and checks if that's there?
18:28:59 i was thinking that testing could be a workroom session
18:29:00 dstanek: in the case of nova, it's like checking something in libvirt I would guess. In keystone it might be something like checking that the entry was created in ldap
18:29:03 i care about how the interface behaves, not what the interface does on the backend.
18:29:37 then why do we need func tests?
18:29:40 dolphm: that's how I interpreted functional tests at first, too, but mtreinish said that was incorrect.
18:29:42 dolphm, yeah...this sounds like a lead-in to fragile tests
18:29:56 bknudson: if the test is to create something then we'll probably check for it. other than that i don't see what we'd be doing.
18:29:58 if tests are dependent on true implementation details, then they need to be rewritten in order to do refactors, which means the tests are fragile and completely useless.
18:30:00 ayoung_: ++
18:30:02 functional tests exercise the backend, but do not check for implementation details
18:30:07 definitely not hitting the DB directly
18:30:18 dstanek: ++
18:30:35 dolphm: ayoung_: ++
18:30:56 dolphm: dstanek ayoung_ i think we're all in agreement on that
18:30:57 i want the same tests to run against any backend (with the exceptions i noted in my documentation)
18:31:10 Now, having two distinct servers running that talk to the same backend is a viable test setup, but it would be expensive.
18:31:10 I suggest you bring this up with the -qa team and figure out what the alternative is.
18:31:11 ++
18:31:31 Etherpad on mobile has gotten bad :(
18:31:35 morgan: :(
18:31:41 the alternative is not writing "unit" tests against the database and calling it "functional"
18:31:56 So stevemar_ what are we looking for here: big buckets for big rooms and small buckets for small rooms?
18:31:56 this has gone way off topic :\
18:32:00 bknudson: where was this discussed?
18:32:22 dstanek: they have had summit sessions on it that I wasn't able to attend, so I got learned on irc.
18:32:24 ayoung_: yes, big topic for fishbowl rooms and smaller topics for workrooms
18:32:39 stevemar_: do you want to have things consolidated yet?
18:32:52 maybe for the workrooms we find some things that a few of us want to work on.
18:33:05 for example, I'd be interested in test refactoring
18:33:17 maybe documentation for the libs
18:33:19 lbragstad: i can easily consolidate and pick things, i wanted to give the core team a chance to say "I want this topic to be a fishbowl"
18:33:30 or "I want this topic to be a workroom"
18:33:35 oh, I'd love to see test refactoring.
18:34:10 I think anything that touches another project should not be a workroom, since that's hard to schedule
18:34:10 5 fishbowl room sessions 5 Work room sessions ?
18:34:15 Do I have that right
18:34:25 7 fishbowl for us, 4 workroom
18:34:29 ayoung_: no, 7 fish, 4 work
18:34:31 the whole policy/roles direction would be another
18:34:31 catalog standardization has been a theme in the last couple summits
18:34:43 that'd probably benefit from being a fishbowl
18:34:48 lbragstad: that's gonna be a X-project one
18:34:57 so don't even count it on here
18:35:02 cool
18:35:29 Roles and Policy need to be cross project attended
18:35:48 ayoung_, ++
18:35:53 We need buy in, especially from Nova, if we are going to make any progress
18:35:59 yep
18:36:13 i think "things to deprecate and remove" and "testing" can be working rooms?
18:36:16 ayoung_: ++
18:36:18 federation as its own fishbowl i assume
18:36:20 anyone disagree?
18:36:21 ++
18:36:36 there is a *lot* of stuff under those
18:36:43 actually... deprecation... we might need input from others
18:36:50 The times were 40 mins right?
18:36:54 is federation even that much of a hot topic anymore? It's kind of implemented. There are details like making the mapping easier to work with...openid connect.
18:37:00 OK..yeah, that is fishbowl
18:37:02 We didn't get much done in the 40 min sessions last time.
18:37:17 stevemar_: i would agree since i think those are more likely topics that we'll work on and not just discuss
18:37:20 basically the contentious ones, I want to make fishbowls
18:37:22 ayoung_: it should be more of a cross-project topic this time around. horizon + keystone + openstackclient + etc
18:37:32 dolphm: yep
18:37:37 dolphm, ah, good.
18:37:38 I'd agree with that
18:37:54 stevemar_: is there room for that in the cross-project schedule at this point?
18:37:58 (federation)
18:38:29 dolphm: i don't think it's finalized yet
18:38:47 I could ask for it
18:38:50 stevemar_: ++
18:39:11 I think cross project schedule is on today's tc meeting agenda
18:39:12 i'll throw this out as a general OpenStack criticism - the x-project initiatives need an x-project team otherwise they'll either never get done or take forever
18:39:20 anteaya: awesome, thanks
18:39:39 dstanek, so true :)
18:39:42 dstanek: that's (unfortunately?) true
18:39:52 dolphm: confirmed
18:40:03 our first round of cross project sessions was a lot of tossing responsibilities over the fence
18:40:16 I think growing folks to do cross project work is part of what ttx is trying to get the tc to do
18:40:21 some number of summits ago
18:40:34 anteaya: nice
18:40:40 that would be cool to see
18:40:45 but the electorate has to elect folks who aren't currently booked with ptl duties to do so
18:40:53 so far, that hasn't happened a lot
18:40:58 here's hoping
18:41:02 hey, we made v3 available, it's their own fault if they don't use it.
18:41:08 we really need OpenStack initiatives and construct a team of the right people - not a project saying we are doing this x-project thing so listen up
18:41:26 * anteaya agrees, having come into the middle of the conversation
18:42:52 ayoung_: dolphm dstanek -- everyone>> my current picks: http://paste.openstack.org/show/475509/
18:42:57 so, almost everything either has 'fishbowl' or 'workroom' next to it
18:43:03 lbragstad: ^
18:43:22 is paste.o.o slow for anyone else today?
18:43:27 dstanek: ++ that looks to have happened to dynamic policies too, when ayoung_ had sessions, and it seemed that people from other projects just didn't appear
18:43:28 yep
18:43:33 lbragstad: yes
18:43:49 i think we got everything on the paste
18:43:54 stevemar_: you want federation to be a x-project fishbowl if we have the time, right?
18:44:11 lbragstad: i'd prefer that
18:44:18 but just in case, i can use one of ours
18:44:20 lbragstad: yes, takes a long time to load
18:44:33 stevemar_: ok, marked it as such in the etherpad
18:45:06 stevemar_, and audit?
18:45:16 it's a small A of the AAA after all
18:45:21 lbragstad: if anything i would like to have another random cross-project fishbowl session
18:45:23 stevemar_, so Policy can be policy and roles...and with that, I'd like to ask for the last 10 minutes of this meeting to be about roles stuff
18:45:52 gyee: we are more IAM + audit than AAA now
18:45:54 stevemar_: so, should we put an action item under Federation to check on the status of getting a x-project slot for that?
18:45:56 ayoung_: that's fine with me, still 5 minutes left
18:46:00 err 15
18:46:04 ++
18:46:08 lbragstad: yep
18:46:27 stevemar_: i'm happy with that list so far
18:46:36 i'll be doing that as i look to make sure the service catalog is coming out of x-project fishbowl and not ours
18:46:46 ++
18:46:47 gyee: audit might be a working room
18:46:59 would love to move the service catalog to DNS
18:47:04 i'd prefer to have the last fishbowl for general crossproject stuff
18:47:22 so no red flags here right?
18:47:24 ayoung_: i started a little project to test that out
18:47:30 no one is feeling short changed?
18:47:41 everything is groovy
18:47:51 Performing
18:48:03 and with that, let the battle begin, ayoung_ and henrynash lace up
18:48:12 Heh
18:48:13 #topic roles
18:48:17 * dstanek grabs some popcorn and a beer
18:48:20 (I think not much of a battle, actually!)
18:48:25 henrynash, so...aside from naming, I think we are on the same page
18:48:41 * lbragstad grabs a seat next to dstanek
18:48:48 http://cdn.meme.am/instances/400x/59486625.jpg
18:48:50 gyee, role groups ayoung_ implied roles henrynash virtual roles
18:48:59 but I think we all want roughly the same thing:
18:49:03 assing one role, get many...
18:49:14 that is the subset of henrynash 's blueprint
18:49:20 is assing a word?
18:49:26 it is now
18:49:27 gyee: it's the subset
18:49:35 yes, but only halfway
18:49:37 hahahah
18:49:45 I guess I half-assigned that
18:49:56 * gyee learns something new today
18:50:01 anyway
18:50:14 henrynash, you also have the domain specific roles part, which is, I think, 2 parts:
18:50:18 1. namespacing of roles
18:50:22 yes
18:50:30 2. certain roles don't go in tokens
18:50:48 so..if we do implied roles first (expanded in the tokens) can we build the other things on top of it?
18:50:52 correct (maybe “management roles” would be a better name for those)
18:51:22 henrynash, I was thinking virtual roles would be "roles that imply other roles but that never end up in tokens themselves:
18:51:23 "
18:51:41 all I am asking is usability
18:51:45 dumb question...does this concept already exist in some other product?
18:51:52 dstanek, all over the place
18:51:58 ayoung_: sure, that’s what I meant by them too….but most people don’t like virtual roles (and I’m not sure I do either)
18:52:06 dstanek, the reason gyee keeps using the term role groups is that is what MS calls it (at least)
18:52:25 and the very first bp I wrote called them role-groups!
18:52:31 henrynash, fair enough. I'll defer on the naming.
18:52:35 and I’m OK with that name too
18:52:44 Role-groups is pretty descriptive
18:52:49 And not overloaded
18:52:51 Fwiw
18:53:06 Descriptive and not overloaded = good option
18:53:21 so implied roles…..just means expand this role-group and put all the roles in the token?
18:54:14 I would err to the side of something that people are familiar with. If MS uses "role groups" that is a pretty good option imo
18:54:26 henrynash: i think that is an implementation detail
18:54:28 henrynash, well, I was thinking that a role is either in the token or not. an implied role means "If I get this role I get this other one too"
18:54:28 morgan: and I’m fine with that
18:54:35 so I had them as two dimensions on the role object
18:54:37 Either way it could work regardless of the name
18:54:49 So either you expand or you don't. I don't think it matters
18:54:49 a role group could be "a role that does not go into a token"
18:55:03 ayoung_: agreed
18:55:03 5 minutes remaining
18:55:04 openstackbot info: 5 mins left
18:55:08 lbragstad: o/
18:55:09 so if we give someone "admin" they get "member" and both go into the token
18:55:16 how are role groups inherited in hierarchical multitenancy?
18:55:19 we just need something that is "easy" to explain to average users, "easy" for doc people, "easy" to use
18:55:20 * dolphm sorry.
18:55:20 ayoung_: yeah. I think you're spot on, let's defer impl details like expansion for now, not in this meeting
18:55:25 but if we give someone "IBM-DISTINGUISHED_ENGINEER" that is a role group and it does not go in the token
18:55:35 gyee: absolutely +++++
18:55:35 morgan, I think we are good
18:55:44 ayoung_: yah agreed :)
18:56:13 ayoung_: ok, so namespacing
18:56:22 OK...we can battle out the rest of the details at the summit, but I want a goal of having the spec approved before we leave Japan
18:56:32 ayoung_: agreed
18:56:38 namespacing...yeah, that is tricky.
18:57:02 can we do it in this order:
18:57:06 collect everyone's passport until spec is approved
18:57:06 ayoung_: I think that’s the hardest bit, I agree….if you namespace a role that goes in a token…what does that mean?
18:57:21 henrynash, right, one of two things
18:57:29 bknudson: i think that is mordred's plan for some other sessions :P
18:57:35 1. namespace to a domain, don't put it in the token. 2. Namespace to a service...
18:57:40 bknudson: haha
18:57:48 what did I do?
18:57:52 so nova:admin is different from swift:admin
18:57:58 and that should be expanded later?
18:58:02 ayoung_: namespacing a role_group to a domain (say) makes a lot of sense (to me)…..and doesn’t affect the types of role that end up in the token
18:58:29 so the related spec (we don't have time for) is this one
18:58:45 henrynash: yes because role-groups never go in the token
18:58:46 https://review.openstack.org/#/c/228477/
18:58:53 I see you -1'd it. have not looked yet
18:59:16 henrynash, so get a sketch of your approach up
18:59:17 ayoung_: I only -1’d since I am going to post an alternative so we can compare
18:59:27 will do
18:59:30 and with that, I cede the floor
18:59:31 and we're up
18:59:37 excellent timing
18:59:40 #endmeeting