18:01:25 <dstanek> #startmeeting keystone 18:01:26 <openstack> Meeting started Tue Mar 8 18:01:25 2016 UTC and is due to finish in 60 minutes. The chair is dstanek. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:27 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:29 <openstack> The meeting name has been set to 'keystone' 18:01:34 <dstanek> #topic there are no topics - any late topics that need discussion? 18:01:38 <henrynash> dstanek: I tried to add one thing to the agend (but couldn’t save)... 18:01:39 <dstanek> many of us are bug squashing today... 18:01:58 <dstanek> henrynash: what's the topic? 18:02:19 <henrynash> dstanek: just like clarification of the directory structure of unit tests… 18:02:30 <henrynash> dstanek: now that we are moving these all around 18:02:37 <dstanek> #topic just like clarification of the directory structure of unit tests 18:02:42 <dstanek> henrynash: fire away 18:02:49 <bknudson> the test file should be the same as the code file 18:03:06 <henrynash> bknudson: example? 18:03:28 <bknudson> so if the code is in keystone/resource/backends/sql.py then the test is keystone/tests/unit/resource/backends/test_sql.py 18:03:48 <bknudson> then it's easy to find what test file you need to change 18:04:05 <dstanek> bknudson: I agree that we should be moving that way for all unit tests 18:04:27 <henrynash> bknudson: and the test_backends.py file sists in the unit/resource dir in your example 18:04:28 <ayoung> bknudson, so we are not going to push for v2 vs v3 dir under test/unit? 18:04:32 <ayoung> I'm OK with that 18:04:39 <dstanek> i'm ok with small tests to get us there. like we have, i think, a keystone/tests/unit/assignment/test_backends.py or something like that 18:04:51 <ayoung> henrynash, judgement there 18:05:00 <bknudson> there are integration tests and there are component tests 18:05:01 <ayoung> henrynash, I'd say put it in keystone/tests/unit/resource/backends/ 18:05:06 <bknudson> most of our unit tests should be component tests 18:05:09 <ayoung> test_backend should not be named as such 18:05:33 <dstanek> ayoung: the old test_backends.py is now gone 18:05:41 <ayoung> er..wait, which is the actual executable test file? 18:05:55 <ayoung> test_sql, which calls into the common file, whatever that is now, right? 18:05:58 <bknudson> as in, the tests should test a single component and not cross component boundaries 18:06:13 <henrynash> bknudson: agreed 18:06:33 <dstanek> bknudson: ++ 18:06:36 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/identity/test_core.py right? 18:07:17 <ayoung> gonna make it a pain to refactor the fernet-default code, but still worth it. 18:07:23 <henrynash> bknudson, dstanek: but right now we have test_backends.py (split up it their single components tests) NOT in the , say, resource/backend dir…but i the one above 18:07:29 <bknudson> https://review.openstack.org/#/c/289058/ is my first stab at a component test for backends. 18:07:50 <bknudson> well, test_backends is really cross-component tests and not component tests, so it's wrong to begin with 18:07:51 <marekd> hi! 18:08:26 <henrynash> bknduson: even the split up vesions are wroung, iyho? 18:08:29 <bknudson> test_backends is really testing the manager and not the drivers 18:08:42 <henrynash> bknudson: ahh, different (and accurate) issue 18:08:48 <dstanek> henrynash: only in that they do too much in the tests 18:09:33 <ayoung> henrynash, all good? 18:09:38 <bknudson> so what I'd like to see is like https://review.openstack.org/#/c/289058/ where there's tests for the driver interface, and those run on all the drivers 18:09:47 <henrynash> dstanek: and many of the unit/component dirst have test_core.py as well 18:09:54 <henrynash> what’s that mean to do? 18:10:01 <bknudson> and then test_backends becomes test_manager and tests the manager with a canonical backend (sql, I guess) 18:10:39 <ayoung> if the logic is 100% the same between backeds, it goes in core 18:10:59 <ayoung> test_sql etc just the one offs and setup code 18:11:11 <dstanek> henrynash: my ultimate fantasy would be a patter to map from code.py to test_code.py that always works 18:11:12 <amakarov_> We should use functional tests for backends 18:11:14 <bknudson> I should have said test_core not test_manager since the managers live in core.py 18:11:16 <henrynash> ayoung: ahh, so most of test_backends.py whould end up in test_core.py? 18:11:29 <ayoung> I'd expect so, yes 18:11:35 <henrynash> ayoung: right, got it 18:11:40 <henrynash> dstanek: yep, get it 18:12:08 <ayoung> so... let's talk Newton 18:12:15 <dstanek> henrynash: all good? 18:12:34 <shaleh> \o 18:13:07 <henrynash> dstanek: yep thx 18:13:14 <ayoung> dstanek, I didn't add to the agenda, but we really need to discuss post-mitaka plans 18:13:18 <dstanek> #topic {fig} newton 18:13:24 <ayoung> cool 18:13:26 <dstanek> ayoung: sounds good to me 18:13:42 <bknudson> are fig newtons cookies? 18:13:53 <ayoung> OK, so, between now and the start of N1 opening up, we need to prioritize the basis for the new features we want to land in Newton 18:14:02 <ayoung> If we wait until the Summit, it won;'t happen 18:14:25 <ayoung> this is based on what I have seen in all releases from Diablo on forward 18:14:35 <amakarov_> ayoung: +1 18:14:37 <gyee> ayoung, what's your hit list? 18:14:53 <ayoung> at this point, onus is on the spec owners to keep them up to date, address issues, and get the specs clean 18:15:04 <ayoung> for me, that means dynaimc RBAC policy 18:15:13 <ayoung> https://review.openstack.org/#/c/279379/ 18:15:38 <ayoung> there are a lot of details to work out in getting a policy framework that actually supports fine grained delegation 18:15:39 <bknudson> when does N1 open up? 18:15:39 <gyee> whatever happen to common policy scenarios 18:15:42 <shaleh> ayoung: maybe a list of specs should be gathered like we did when Mitaka started 18:15:46 <ayoung> gyee, that is right up there 18:15:54 <ayoung> I'll link 18:16:13 <ayoung> Common policy https://review.openstack.org/#/c/245629/ 18:16:19 <gyee> too many chef in the kitchen for that one I guess 18:16:19 <ayoung> #link https://review.openstack.org/#/c/245629/ 18:16:20 <samueldmq> hi, sorry I am late 18:16:21 <bknudson> looks like N1 will open up Apr 4-8 18:16:25 <ayoung> #link https://review.openstack.org/#/c/279379/ 18:16:38 <ayoung> gyee, well, I think I want to split common policy into two parts 18:16:49 <dstanek> ayoung: yes, we should be getting specs approved and ready to work on too 18:16:57 <ayoung> one is the top level roles, and the second is the fine grained permissions 18:17:05 <shaleh> ayoung: makes sense 18:17:21 <ayoung> also, I need to wake amakarov_ up, but unified delegation needs to start making progress, too, if we want it in 18:17:27 <ayoung> and they really are related 18:17:44 <amakarov_> I want to come up with something working to the end of March 18:18:23 <ayoung> gyee, I think those three, related efforts, are the burning platform. I'd like them in, if experimental, in Newton, so they can be supported in Ocata long term 18:18:45 <gyee> ayoung, agreed 18:19:07 <shaleh> plus we have the MFA ground work to lay 18:19:24 <ayoung> On the dynamic RBAC policy, we are going to need a way to store the policy in the Database. I am leaning towards storing it rule by rule as opposed to blob based 18:19:58 <ayoung> henrynash and I have a RBAC talk accepted at this summit. I'd like to be able to lay out the expected future of RBAC at the end of that talk 18:20:40 <ayoung> is there anything else that people see as major features desired for Newton or later? 18:20:58 <shaleh> what is th status of shadow users? 18:21:01 <rderose> shadow ldap users 18:21:09 <rderose> next 18:21:29 <bknudson> it would be great to have an ldap driver that works with python3 18:21:36 <shaleh> bknudson: ++++ 18:21:36 <gyee> yeah, stablization, less moving stuff 18:21:37 <dstanek> we want to finish up shadow users, mfa and better DB upgrades this cycle 18:21:53 <henrynash> I’ll be working with ayoung on some of the RBAC stuff, but will also be (re)propsoing the reseller phase 2 stuff 18:21:56 <shaleh> dstanek: *this? 18:22:23 <dstanek> shaleh: N, i'm already in the future man 18:22:26 <browne> bknudson: i wouldn't mind helping with that 18:22:27 <gyee> v2 retirement party 18:22:33 <shaleh> gyee: ++ 18:22:45 <ayoung> bknudson, is LDAP Py3 within our control to affect? 18:23:10 <dstanek> ayoung: morgan had ideas on a replacement library 18:23:11 <gyee> versioned endpoints retirement party 18:23:29 <bknudson> ayoung: I guess we could always for ldappool? 18:23:39 <bknudson> or we just start over with a new driver that uses ldap3 driver 18:23:42 <morgan> ldap3 has a pool built in 18:23:45 <tjcocozz_> https://pypi.python.org/pypi/ldap3 18:23:46 <ayoung> so we ahvea plan, just need to execute on it? 18:23:46 <morgan> fwiw 18:24:09 <shaleh> ldap3 always seemed like the logical choice 18:24:14 <morgan> i'd ideally ask we write an isolate read-only ldap3 driver 18:24:21 <morgan> and deprecate all the old ldap code 18:24:27 <morgan> not try and retrofit things in 18:24:36 <morgan> it's a lot of work to make the current stuff ldap3 working 18:24:38 <bknudson> do we want a spec for ldap3? 18:24:44 <shaleh> morgan: that does not sound too crazy actually 18:24:52 <ayoung> morgan, is an sssd based approach viable? 18:25:07 <bknudson> I think you can already do sssd? 18:25:12 <gyee> ayoung, last I checked, sssd wasn't ready for prime time 18:25:15 <morgan> ayoung: i think it could be separately, but no not as a replacement 18:25:34 <morgan> ayoung: we need to support ldap-current model, sssd would be a different/separate dirver 18:25:39 <bknudson> you could use federation for ldap 18:26:06 <morgan> we aren't deprecating direct ldap access [if we were it would be easier] 18:26:19 <morgan> then SSSD would be more viable. 18:26:38 <ayoung> morgan, did we deprecate writable LDAP ? 18:26:48 <morgan> ayoung: in .. liberty? this cycle? we did 18:26:52 <morgan> i remember we did. 18:27:07 <bknudson> this is where it would be nice to have unit tests for the driver interface 18:27:09 <morgan> it's got a run on it stil. also ldap3 is fully py3 compat 18:27:15 <gyee> SSSD is not read-only LDAP, just to be cleared 18:27:18 <ayoung> OK, so we can yank that in +2 from deprecation. At that point, yeah, we can pull a lot of the LDAP code out and toss it 18:27:46 <ayoung> gyee, right 18:27:50 <shaleh> ayoung: if we did most of the work now in N, marked it experimental it could go live in O 18:27:51 <morgan> i think ldap3 is the right choice fwiw. an sssd alternative would be good to have too long term 18:27:52 <ayoung> they are two different stages 18:28:12 <ayoung> morgan, SSSD works now, and several releases back 18:28:21 <morgan> some deployments are going to get grumpy if we prescribe "needing" binary SSSD to access ldap 18:28:29 <ayoung> http://adam.younglogic.com/2015/03/key-fed-lookup-redux/ 18:28:30 <morgan> since we have not gone on record for that. 18:28:57 <morgan> and have said we are maintaining the current model when we were previously asked 18:29:19 <ayoung> morgan, agreed. Just want to minimize the amount of effort needed for the existing LDAP code 18:29:37 <ayoung> IE..rewriting it to yank write access is minimal gain 18:29:54 <ayoung> but would be a lovely Masters Thesis project, IMHO 18:29:56 <morgan> existing ldap code can pretty much sit - ldap3 is py3 and isolating the ldap code 18:30:06 <bknudson> it's the tests that are the problem with converting to ldap3 18:30:09 <morgan> since ldap3 has pool capabilities etc 18:30:20 <morgan> and ldap3 is far far more pythonic 18:30:22 <bknudson> and probably config options are going to be different 18:30:32 <henrynash> ayoung: I’m expecting us to have problems trying to pull the writeable LDAP in +2 anyway….I think it will take longer 18:30:33 <morgan> also ldap3 is pure python 18:30:44 <morgan> which is a win 18:30:57 <dstanek> bknudson: we'll need a new fake! or a better way... 18:31:40 <ayoung> (driver selection based on [identity]/driver` option is deprecated and will be removed in the "O" release).'), 18:31:45 <bknudson> if we have real unit tests for identity drivers we don't need a fake ldap like we did, can get away with mock. 18:31:46 <browne> what about mockldap? 18:31:46 <ayoung> that is not the same as writable... 18:31:58 <gyee> I've got this funny feeling that if we are going for this full PCI thingy, writable LDAP may stick around :-) 18:32:11 <dstanek> browne: mockldap is pretty interesting 18:32:59 <bknudson> if mockldap works with ldap3 then that's fine. 18:33:25 <dstanek> who is going to spec this out? 18:33:37 <ayoung> Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release." 18:33:49 <tjcocozz_> mockldap looks like it works with python-ldap 18:34:12 <bknudson> maybe we'll wind up writing our own mockldap3 18:34:16 <gyee> why do we care about mockldap, isn't ldap all func tests? 18:34:25 <ayoung> #link http://git.openstack.org/cgit/openstack/keystone/commit/?id=99a427833b70164e974c0d17b093dfbce6952813 18:34:57 <shaleh> tjcocozz_: yeah, but either a) we help port it to the new lib or b) we come up with a similar layer for ldap3 18:35:14 <shaleh> tjcocozz_: either is better than the current fake we are maintaining 18:35:27 <bknudson> all reviews should be author stevemar, code-review +2 stevemar, workflow+1 stevemar 18:35:34 <tjcocozz_> shaleh, that would be an interesting way of going about it 18:36:03 <dstanek> there is also the real fakeldap project 18:36:21 <morgan> ayoung: i uh.. no. so we're deprecating SQL driver too? 18:36:26 <shaleh> like I said a few minutes ago, it sounds like what we need is an etherpad with viable specs for N 18:36:33 <morgan> ayoung: oh wit nvm. 18:36:35 <morgan> ayoung: i misread 18:36:36 <ayoung> Heh 18:36:38 <morgan> ayoung: nvm... 18:36:40 <morgan> sigh 18:36:47 <bknudson> fakeldap looks like python-ldap, too 18:37:07 <dstanek> bknudson: hmm... i though it was more of a generic server 18:37:15 <dstanek> maybe we'll have some work to do 18:37:28 <ayoung> this would be a great "Hey I want to get into Keystone" project for a new contributor 18:37:52 <dstanek> so do we have a spec or who will write it for ldap? 18:38:19 <bknudson> I wouldn't want to do the work to write up an ldap3 until we've got tests for the driver interface. 18:38:41 <bknudson> because the way the drivers are tested now is just going to mean all the tests run 20 times instead of 6 like they do now 18:39:12 <ayoung> bknudson, can you won the specs on that, and I'll help find coders? 18:39:31 <ayoung> won->own 18:39:37 <bknudson> I can write up a spec 18:40:08 <dstanek> #action bknudson to write up a spec for ldap! 18:40:20 <ayoung> cool. So, any other long term plans for Keystone that we should all be aware of? 18:41:08 <gyee> ayoung, small things, like revocation event optimization 18:41:16 <ayoung> gyee, ah, good point 18:41:19 <ayoung> Fernet default 18:41:48 <ayoung> I had working code for "liveness" checks replacing many of the revocation events 18:42:07 <lbragstad> ayoung patch? 18:42:08 <gyee> better logging to make it easier to monitor 18:42:17 <shaleh> gyee: I was typing that as you were 18:42:19 <ayoung> IE. instead of revoke by project, just chekc at token validation time if the project exists and is active 18:42:24 <ayoung> lbragstad, sure 18:42:32 <shaleh> make INFO actually usable for operators 18:42:38 <amakarov_> What about adding missing federation features to the os-cli? Is this job done already? 18:42:53 <ayoung> #link https://review.openstack.org/#/c/285134/ Remove unneeded revocation events 18:43:11 <shaleh> amakarov_: all of the pieces exist now. Someone just needs to synthesize an interface 18:43:21 <ayoung> amakarov_, I think it is in the CLI, just not in Puppet 18:43:25 <shaleh> amakarov_: it was on my plan but I am not hacking on federation currently 18:43:36 <ayoung> what is missing from CLI? 18:43:45 <shaleh> ayoung: --use-this-SP 18:43:59 <shaleh> ayoung: --with-this-type-of-auth 18:44:01 <ayoung> shaleh, K2K is not Federation 18:44:05 <ayoung> Heh 18:44:10 <amakarov_> ayoung, shaleh: couple of months ago there was no way to register a service provider for ex. 18:44:22 <marekd> is ksa merged into osc? 18:44:28 <ayoung> OK, so please tag that stuff as K2K, as calling it Federation is really confusing. 18:44:39 <amakarov_> ayoung: got it 18:44:52 <gyee> ayoung, what do you call K2K? 18:45:18 <ayoung> gyee, using Keystone token in one Keystone via SAML to get a Keystone token in another 18:45:25 <amakarov_> gyee: it's when IdP is a Keystone in another cloud 18:45:27 <ayoung> SP is only there for that case, not basic K2K 18:45:40 <ayoung> right, what he said bettern I did 18:46:23 <gyee> huh? 18:46:30 <shaleh> amakarov_: for K2K, the only bit outside of Keystone API is setting up the SAML bits inside shibboleth or whatever. 18:46:31 <ayoung> gyee, forget it 18:46:46 <amakarov_> shaleh: ack, thank you 18:47:14 <dstanek> #action dstanek to summarize the list of things people mentioned as need in N 18:47:17 <ayoung> So any other major items we need for Newton ? 18:47:21 <dstanek> do we have any other topics? 18:47:46 <gyee> dstanek, that's a bucket-full already! 18:47:55 <dstanek> gyee: overflowing 18:48:03 <dstanek> what else is new? 18:48:16 <bknudson> looks like we can skip the summit since we've got it all taken care of 18:48:31 <dstanek> bknudson: ++ 18:48:31 <bknudson> we'll be out by the pool 18:48:33 <shaleh> bknudson: nah, we need to sit together and argue some more. 18:48:33 <samueldmq> hehe 18:48:46 <shaleh> bknudson: come to an agreement. Then have morgan change his mind and derail things. 18:48:52 <gyee> now we finally have time to wait for Franklin BBQ 18:48:55 * shaleh hugs morgan 18:48:58 <dstanek> #open open discussion 18:49:01 <morgan> shaleh: i've removed my -2s btw 18:49:10 <morgan> shaleh: but whatever :P 18:49:16 <shaleh> morgan: for now :-) 18:49:17 <morgan> shaleh: even told gyee 18:49:20 <morgan> shaleh: forever. 18:49:21 <dstanek> morgan: put them back 18:49:25 <morgan> dstanek: nope. 18:49:38 <dstanek> if there's no real work conversation we can call the meeting early 18:49:44 <morgan> dstanek: mostly cause i can't login to launchpad :P 18:49:46 <ayoung> morgan and I are tag teaming to add up to 1 termie 18:49:49 <lbragstad> i have a question 18:49:50 <shaleh> morgan: but, I need your disapproval to give me a reason to keep hacking. 18:49:56 <ayoung> He -2s and I derail conversations in IRC 18:50:08 <lbragstad> thoughts on the validity of https://bugs.launchpad.net/keystone/+bug/1552795 ? 18:50:08 <openstack> Launchpad bug 1552795 in OpenStack Identity (keystone) "enhance notification for user events with user name" [Wishlist,In progress] - Assigned to Lance Bragstad (lbragstad) 18:50:38 <gyee> lbragstad, username is not worldly unique 18:50:41 <bknudson> do we still have 2 kinds of notifications? 18:50:57 <bknudson> cadf and whatever else they're called? 18:50:59 <lbragstad> bknudson yes - kinda 18:51:11 <lbragstad> bknudson you can either have 'basic' or 'cadf' notifications 18:51:20 <bknudson> does cadf have a field for user name? 18:51:29 <gyee> but I am also working on https://bugs.launchpad.net/keystone/+bug/1537963 18:51:29 <openstack> Launchpad bug 1537963 in OpenStack Identity (keystone) "notification not generated for authentication failure with invalid user name" [Wishlist,In progress] - Assigned to Guang Yee (guang-yee) 18:51:39 <lbragstad> cadf notifications just include information about the initiator i believe? 18:51:43 <ayoung> BTW, Audit events from Keystone are totally spoofable 18:51:51 <ayoung> as are any other messages on the bus 18:52:01 <bknudson> you better protect your bus 18:52:10 <ayoung> Does anyone protect the bus? 18:52:19 <gyee> bknudon, non-repudiation is what we need 18:52:25 <gyee> not about the transport 18:52:28 <ayoung> gyee, wrong 18:52:32 <ayoung> it is about the transport, too 18:52:34 <bknudson> if I could spoof messages I'd start booting instances, too 18:52:36 <dstanek> where's Keanu when you need him 18:52:39 <ayoung> what we need is access control 18:53:03 <ayoung> http://adam.younglogic.com/2016/03/what-can-talk-to-what-on-the-openstack-message-broker/ 18:53:17 <ayoung> ideally, only Keystone would be able to write to the keystone topic 18:53:45 <ayoung> but writing that as a regex would be frightening 18:54:38 <ayoung> we should at a minimun have a keystone rabbit user on localhost 18:54:42 <gyee> ayoung, still can run into man-in-the-middle 18:54:57 <ayoung> and set up the acl that only the Keystone user can write to the keystone topic 18:55:02 <lbragstad> i'm going to put the patch I was working on for adding usernames to notifications on hold then (and review other bug fixes instead) 18:55:04 <dstanek> there's also message signing 18:55:04 <ayoung> gyee, nah, not if we configure the broker right 18:55:32 <ayoung> broker can enforce that keystone is local and is the only writer, or we need to set up TLS for distrbituted, and use X509 for client auth 18:56:01 <ayoung> gyee, simplest case: keystone is a localhost user, only keystone user can write to the keystone topic 18:56:05 <dstanek> lbragstad: that sounds like a plan; i want to read over that bug 18:56:10 <ayoung> everything else extends from there 18:56:19 <lbragstad> dstanek i'd be curious to know what your thoughts are 18:56:36 <dstanek> lbragstad: that makes two of us 18:56:50 <ayoung> [{rabbit, [{loopback_users, [guest, keystone]}]}] 18:56:55 <lbragstad> dstanek seems like it would be easy to bloat the notification 18:57:28 <dstanek> lbragstad: yeah, without reading that bug, i'd wonder why that is needed if we have the actual id 18:57:45 <lbragstad> Dmitri has some justifications for it 18:57:58 <samueldmq> 2 mins left 18:58:10 <lbragstad> but we also run into cases where usernames are mutable 18:58:14 <lbragstad> etc... 18:58:22 <dstanek> ok, i'm going to call it in a min and we can take it to our channel 18:58:23 * morgan spoofs ayoung on the bus. 18:58:43 <ayoung> morgan, if only the Keystone user can write to the topic, no spoofs 18:59:06 <dstanek> #endmeeting