18:01:25 #startmeeting keystone 18:01:26 Meeting started Tue Mar 8 18:01:25 2016 UTC and is due to finish in 60 minutes. The chair is dstanek. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:27 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:29 The meeting name has been set to 'keystone' 18:01:34 #topic there are no topics - any late topics that need discussion? 18:01:38 dstanek: I tried to add one thing to the agend (but couldn’t save)... 18:01:39 many of us are bug squashing today... 18:01:58 henrynash: what's the topic? 18:02:19 dstanek: just like clarification of the directory structure of unit tests… 18:02:30 dstanek: now that we are moving these all around 18:02:37 #topic just like clarification of the directory structure of unit tests 18:02:42 henrynash: fire away 18:02:49 the test file should be the same as the code file 18:03:06 bknudson: example? 18:03:28 so if the code is in keystone/resource/backends/sql.py then the test is keystone/tests/unit/resource/backends/test_sql.py 18:03:48 then it's easy to find what test file you need to change 18:04:05 bknudson: I agree that we should be moving that way for all unit tests 18:04:27 bknudson: and the test_backends.py file sists in the unit/resource dir in your example 18:04:28 bknudson, so we are not going to push for v2 vs v3 dir under test/unit? 18:04:32 I'm OK with that 18:04:39 i'm ok with small tests to get us there. like we have, i think, a keystone/tests/unit/assignment/test_backends.py or something like that 18:04:51 henrynash, judgement there 18:05:00 there are integration tests and there are component tests 18:05:01 henrynash, I'd say put it in keystone/tests/unit/resource/backends/ 18:05:06 most of our unit tests should be component tests 18:05:09 test_backend should not be named as such 18:05:33 ayoung: the old test_backends.py is now gone 18:05:41 er..wait, which is the actual executable test file? 18:05:55 test_sql, which calls into the common file, whatever that is now, right? 18:05:58 as in, the tests should test a single component and not cross component boundaries 18:06:13 bknudson: agreed 18:06:33 bknudson: ++ 18:06:36 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/identity/test_core.py right? 18:07:17 gonna make it a pain to refactor the fernet-default code, but still worth it. 18:07:23 bknudson, dstanek: but right now we have test_backends.py (split up it their single components tests) NOT in the , say, resource/backend dir…but i the one above 18:07:29 https://review.openstack.org/#/c/289058/ is my first stab at a component test for backends. 18:07:50 well, test_backends is really cross-component tests and not component tests, so it's wrong to begin with 18:07:51 hi! 18:08:26 bknduson: even the split up vesions are wroung, iyho? 18:08:29 test_backends is really testing the manager and not the drivers 18:08:42 bknudson: ahh, different (and accurate) issue 18:08:48 henrynash: only in that they do too much in the tests 18:09:33 henrynash, all good? 18:09:38 so what I'd like to see is like https://review.openstack.org/#/c/289058/ where there's tests for the driver interface, and those run on all the drivers 18:09:47 dstanek: and many of the unit/component dirst have test_core.py as well 18:09:54 what’s that mean to do? 18:10:01 and then test_backends becomes test_manager and tests the manager with a canonical backend (sql, I guess) 18:10:39 if the logic is 100% the same between backeds, it goes in core 18:10:59 test_sql etc just the one offs and setup code 18:11:11 henrynash: my ultimate fantasy would be a patter to map from code.py to test_code.py that always works 18:11:12 We should use functional tests for backends 18:11:14 I should have said test_core not test_manager since the managers live in core.py 18:11:16 ayoung: ahh, so most of test_backends.py whould end up in test_core.py? 18:11:29 I'd expect so, yes 18:11:35 ayoung: right, got it 18:11:40 dstanek: yep, get it 18:12:08 so... let's talk Newton 18:12:15 henrynash: all good? 18:12:34 \o 18:13:07 dstanek: yep thx 18:13:14 dstanek, I didn't add to the agenda, but we really need to discuss post-mitaka plans 18:13:18 #topic {fig} newton 18:13:24 cool 18:13:26 ayoung: sounds good to me 18:13:42 are fig newtons cookies? 18:13:53 OK, so, between now and the start of N1 opening up, we need to prioritize the basis for the new features we want to land in Newton 18:14:02 If we wait until the Summit, it won;'t happen 18:14:25 this is based on what I have seen in all releases from Diablo on forward 18:14:35 ayoung: +1 18:14:37 ayoung, what's your hit list? 18:14:53 at this point, onus is on the spec owners to keep them up to date, address issues, and get the specs clean 18:15:04 for me, that means dynaimc RBAC policy 18:15:13 https://review.openstack.org/#/c/279379/ 18:15:38 there are a lot of details to work out in getting a policy framework that actually supports fine grained delegation 18:15:39 when does N1 open up? 18:15:39 whatever happen to common policy scenarios 18:15:42 ayoung: maybe a list of specs should be gathered like we did when Mitaka started 18:15:46 gyee, that is right up there 18:15:54 I'll link 18:16:13 Common policy https://review.openstack.org/#/c/245629/ 18:16:19 too many chef in the kitchen for that one I guess 18:16:19 #link https://review.openstack.org/#/c/245629/ 18:16:20 hi, sorry I am late 18:16:21 looks like N1 will open up Apr 4-8 18:16:25 #link https://review.openstack.org/#/c/279379/ 18:16:38 gyee, well, I think I want to split common policy into two parts 18:16:49 ayoung: yes, we should be getting specs approved and ready to work on too 18:16:57 one is the top level roles, and the second is the fine grained permissions 18:17:05 ayoung: makes sense 18:17:21 also, I need to wake amakarov_ up, but unified delegation needs to start making progress, too, if we want it in 18:17:27 and they really are related 18:17:44 I want to come up with something working to the end of March 18:18:23 gyee, I think those three, related efforts, are the burning platform. I'd like them in, if experimental, in Newton, so they can be supported in Ocata long term 18:18:45 ayoung, agreed 18:19:07 plus we have the MFA ground work to lay 18:19:24 On the dynamic RBAC policy, we are going to need a way to store the policy in the Database. I am leaning towards storing it rule by rule as opposed to blob based 18:19:58 henrynash and I have a RBAC talk accepted at this summit. I'd like to be able to lay out the expected future of RBAC at the end of that talk 18:20:40 is there anything else that people see as major features desired for Newton or later? 18:20:58 what is th status of shadow users? 18:21:01 shadow ldap users 18:21:09 next 18:21:29 it would be great to have an ldap driver that works with python3 18:21:36 bknudson: ++++ 18:21:36 yeah, stablization, less moving stuff 18:21:37 we want to finish up shadow users, mfa and better DB upgrades this cycle 18:21:53 I’ll be working with ayoung on some of the RBAC stuff, but will also be (re)propsoing the reseller phase 2 stuff 18:21:56 dstanek: *this? 18:22:23 shaleh: N, i'm already in the future man 18:22:26 bknudson: i wouldn't mind helping with that 18:22:27 v2 retirement party 18:22:33 gyee: ++ 18:22:45 bknudson, is LDAP Py3 within our control to affect? 18:23:10 ayoung: morgan had ideas on a replacement library 18:23:11 versioned endpoints retirement party 18:23:29 ayoung: I guess we could always for ldappool? 18:23:39 or we just start over with a new driver that uses ldap3 driver 18:23:42 ldap3 has a pool built in 18:23:45 https://pypi.python.org/pypi/ldap3 18:23:46 so we ahvea plan, just need to execute on it? 18:23:46 fwiw 18:24:09 ldap3 always seemed like the logical choice 18:24:14 i'd ideally ask we write an isolate read-only ldap3 driver 18:24:21 and deprecate all the old ldap code 18:24:27 not try and retrofit things in 18:24:36 it's a lot of work to make the current stuff ldap3 working 18:24:38 do we want a spec for ldap3? 18:24:44 morgan: that does not sound too crazy actually 18:24:52 morgan, is an sssd based approach viable? 18:25:07 I think you can already do sssd? 18:25:12 ayoung, last I checked, sssd wasn't ready for prime time 18:25:15 ayoung: i think it could be separately, but no not as a replacement 18:25:34 ayoung: we need to support ldap-current model, sssd would be a different/separate dirver 18:25:39 you could use federation for ldap 18:26:06 we aren't deprecating direct ldap access [if we were it would be easier] 18:26:19 then SSSD would be more viable. 18:26:38 morgan, did we deprecate writable LDAP ? 18:26:48 ayoung: in .. liberty? this cycle? we did 18:26:52 i remember we did. 18:27:07 this is where it would be nice to have unit tests for the driver interface 18:27:09 it's got a run on it stil. also ldap3 is fully py3 compat 18:27:15 SSSD is not read-only LDAP, just to be cleared 18:27:18 OK, so we can yank that in +2 from deprecation. At that point, yeah, we can pull a lot of the LDAP code out and toss it 18:27:46 gyee, right 18:27:50 ayoung: if we did most of the work now in N, marked it experimental it could go live in O 18:27:51 i think ldap3 is the right choice fwiw. an sssd alternative would be good to have too long term 18:27:52 they are two different stages 18:28:12 morgan, SSSD works now, and several releases back 18:28:21 some deployments are going to get grumpy if we prescribe "needing" binary SSSD to access ldap 18:28:29 http://adam.younglogic.com/2015/03/key-fed-lookup-redux/ 18:28:30 since we have not gone on record for that. 18:28:57 and have said we are maintaining the current model when we were previously asked 18:29:19 morgan, agreed. Just want to minimize the amount of effort needed for the existing LDAP code 18:29:37 IE..rewriting it to yank write access is minimal gain 18:29:54 but would be a lovely Masters Thesis project, IMHO 18:29:56 existing ldap code can pretty much sit - ldap3 is py3 and isolating the ldap code 18:30:06 it's the tests that are the problem with converting to ldap3 18:30:09 since ldap3 has pool capabilities etc 18:30:20 and ldap3 is far far more pythonic 18:30:22 and probably config options are going to be different 18:30:32 ayoung: I’m expecting us to have problems trying to pull the writeable LDAP in +2 anyway….I think it will take longer 18:30:33 also ldap3 is pure python 18:30:44 which is a win 18:30:57 bknudson: we'll need a new fake! or a better way... 18:31:40 (driver selection based on [identity]/driver` option is deprecated and will be removed in the "O" release).'), 18:31:45 if we have real unit tests for identity drivers we don't need a fake ldap like we did, can get away with mock. 18:31:46 what about mockldap? 18:31:46 that is not the same as writable... 18:31:58 I've got this funny feeling that if we are going for this full PCI thingy, writable LDAP may stick around :-) 18:32:11 browne: mockldap is pretty interesting 18:32:59 if mockldap works with ldap3 then that's fine. 18:33:25 who is going to spec this out? 18:33:37 Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release." 18:33:49 mockldap looks like it works with python-ldap 18:34:12 maybe we'll wind up writing our own mockldap3 18:34:16 why do we care about mockldap, isn't ldap all func tests? 18:34:25 #link http://git.openstack.org/cgit/openstack/keystone/commit/?id=99a427833b70164e974c0d17b093dfbce6952813 18:34:57 tjcocozz_: yeah, but either a) we help port it to the new lib or b) we come up with a similar layer for ldap3 18:35:14 tjcocozz_: either is better than the current fake we are maintaining 18:35:27 all reviews should be author stevemar, code-review +2 stevemar, workflow+1 stevemar 18:35:34 shaleh, that would be an interesting way of going about it 18:36:03 there is also the real fakeldap project 18:36:21 ayoung: i uh.. no. so we're deprecating SQL driver too? 18:36:26 like I said a few minutes ago, it sounds like what we need is an etherpad with viable specs for N 18:36:33 ayoung: oh wit nvm. 18:36:35 ayoung: i misread 18:36:36 Heh 18:36:38 ayoung: nvm... 18:36:40 sigh 18:36:47 fakeldap looks like python-ldap, too 18:37:07 bknudson: hmm... i though it was more of a generic server 18:37:15 maybe we'll have some work to do 18:37:28 this would be a great "Hey I want to get into Keystone" project for a new contributor 18:37:52 so do we have a spec or who will write it for ldap? 18:38:19 I wouldn't want to do the work to write up an ldap3 until we've got tests for the driver interface. 18:38:41 because the way the drivers are tested now is just going to mean all the tests run 20 times instead of 6 like they do now 18:39:12 bknudson, can you won the specs on that, and I'll help find coders? 18:39:31 won->own 18:39:37 I can write up a spec 18:40:08 #action bknudson to write up a spec for ldap! 18:40:20 cool. So, any other long term plans for Keystone that we should all be aware of? 18:41:08 ayoung, small things, like revocation event optimization 18:41:16 gyee, ah, good point 18:41:19 Fernet default 18:41:48 I had working code for "liveness" checks replacing many of the revocation events 18:42:07 ayoung patch? 18:42:08 better logging to make it easier to monitor 18:42:17 gyee: I was typing that as you were 18:42:19 IE. instead of revoke by project, just chekc at token validation time if the project exists and is active 18:42:24 lbragstad, sure 18:42:32 make INFO actually usable for operators 18:42:38 What about adding missing federation features to the os-cli? Is this job done already? 18:42:53 #link https://review.openstack.org/#/c/285134/ Remove unneeded revocation events 18:43:11 amakarov_: all of the pieces exist now. Someone just needs to synthesize an interface 18:43:21 amakarov_, I think it is in the CLI, just not in Puppet 18:43:25 amakarov_: it was on my plan but I am not hacking on federation currently 18:43:36 what is missing from CLI? 18:43:45 ayoung: --use-this-SP 18:43:59 ayoung: --with-this-type-of-auth 18:44:01 shaleh, K2K is not Federation 18:44:05 Heh 18:44:10 ayoung, shaleh: couple of months ago there was no way to register a service provider for ex. 18:44:22 is ksa merged into osc? 18:44:28 OK, so please tag that stuff as K2K, as calling it Federation is really confusing. 18:44:39 ayoung: got it 18:44:52 ayoung, what do you call K2K? 18:45:18 gyee, using Keystone token in one Keystone via SAML to get a Keystone token in another 18:45:25 gyee: it's when IdP is a Keystone in another cloud 18:45:27 SP is only there for that case, not basic K2K 18:45:40 right, what he said bettern I did 18:46:23 huh? 18:46:30 amakarov_: for K2K, the only bit outside of Keystone API is setting up the SAML bits inside shibboleth or whatever. 18:46:31 gyee, forget it 18:46:46 shaleh: ack, thank you 18:47:14 #action dstanek to summarize the list of things people mentioned as need in N 18:47:17 So any other major items we need for Newton ? 18:47:21 do we have any other topics? 18:47:46 dstanek, that's a bucket-full already! 18:47:55 gyee: overflowing 18:48:03 what else is new? 18:48:16 looks like we can skip the summit since we've got it all taken care of 18:48:31 bknudson: ++ 18:48:31 we'll be out by the pool 18:48:33 bknudson: nah, we need to sit together and argue some more. 18:48:33 hehe 18:48:46 bknudson: come to an agreement. Then have morgan change his mind and derail things. 18:48:52 now we finally have time to wait for Franklin BBQ 18:48:55 * shaleh hugs morgan 18:48:58 #open open discussion 18:49:01 shaleh: i've removed my -2s btw 18:49:10 shaleh: but whatever :P 18:49:16 morgan: for now :-) 18:49:17 shaleh: even told gyee 18:49:20 shaleh: forever. 18:49:21 morgan: put them back 18:49:25 dstanek: nope. 18:49:38 if there's no real work conversation we can call the meeting early 18:49:44 dstanek: mostly cause i can't login to launchpad :P 18:49:46 morgan and I are tag teaming to add up to 1 termie 18:49:49 i have a question 18:49:50 morgan: but, I need your disapproval to give me a reason to keep hacking. 18:49:56 He -2s and I derail conversations in IRC 18:50:08 thoughts on the validity of https://bugs.launchpad.net/keystone/+bug/1552795 ? 18:50:08 Launchpad bug 1552795 in OpenStack Identity (keystone) "enhance notification for user events with user name" [Wishlist,In progress] - Assigned to Lance Bragstad (lbragstad) 18:50:38 lbragstad, username is not worldly unique 18:50:41 do we still have 2 kinds of notifications? 18:50:57 cadf and whatever else they're called? 18:50:59 bknudson yes - kinda 18:51:11 bknudson you can either have 'basic' or 'cadf' notifications 18:51:20 does cadf have a field for user name? 18:51:29 but I am also working on https://bugs.launchpad.net/keystone/+bug/1537963 18:51:29 Launchpad bug 1537963 in OpenStack Identity (keystone) "notification not generated for authentication failure with invalid user name" [Wishlist,In progress] - Assigned to Guang Yee (guang-yee) 18:51:39 cadf notifications just include information about the initiator i believe? 18:51:43 BTW, Audit events from Keystone are totally spoofable 18:51:51 as are any other messages on the bus 18:52:01 you better protect your bus 18:52:10 Does anyone protect the bus? 18:52:19 bknudon, non-repudiation is what we need 18:52:25 not about the transport 18:52:28 gyee, wrong 18:52:32 it is about the transport, too 18:52:34 if I could spoof messages I'd start booting instances, too 18:52:36 where's Keanu when you need him 18:52:39 what we need is access control 18:53:03 http://adam.younglogic.com/2016/03/what-can-talk-to-what-on-the-openstack-message-broker/ 18:53:17 ideally, only Keystone would be able to write to the keystone topic 18:53:45 but writing that as a regex would be frightening 18:54:38 we should at a minimun have a keystone rabbit user on localhost 18:54:42 ayoung, still can run into man-in-the-middle 18:54:57 and set up the acl that only the Keystone user can write to the keystone topic 18:55:02 i'm going to put the patch I was working on for adding usernames to notifications on hold then (and review other bug fixes instead) 18:55:04 there's also message signing 18:55:04 gyee, nah, not if we configure the broker right 18:55:32 broker can enforce that keystone is local and is the only writer, or we need to set up TLS for distrbituted, and use X509 for client auth 18:56:01 gyee, simplest case: keystone is a localhost user, only keystone user can write to the keystone topic 18:56:05 lbragstad: that sounds like a plan; i want to read over that bug 18:56:10 everything else extends from there 18:56:19 dstanek i'd be curious to know what your thoughts are 18:56:36 lbragstad: that makes two of us 18:56:50 [{rabbit, [{loopback_users, [guest, keystone]}]}] 18:56:55 dstanek seems like it would be easy to bloat the notification 18:57:28 lbragstad: yeah, without reading that bug, i'd wonder why that is needed if we have the actual id 18:57:45 Dmitri has some justifications for it 18:57:58 2 mins left 18:58:10 but we also run into cases where usernames are mutable 18:58:14 etc... 18:58:22 ok, i'm going to call it in a min and we can take it to our channel 18:58:23 * morgan spoofs ayoung on the bus. 18:58:43 morgan, if only the Keystone user can write to the topic, no spoofs 18:59:06 #endmeeting