18:01:40 #startmeeting keystone 18:01:40 Meeting started Tue Sep 20 18:01:40 2016 UTC and is due to finish in 60 minutes. The chair is dstanek. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:41 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:44 The meeting name has been set to 'keystone' 18:01:49 #link https://etherpad.openstack.org/p/keystone-weekly-meeting 18:01:58 the first bunch or topics are really just announcements; let's get started 18:02:05 #topic RC status 18:02:14 RC1 was tagged on Thursday last week, we will be releasing RC2 this week or next 18:02:20 #link https://launchpad.net/keystone/+milestone/newton-rc2 18:02:28 Only bug has been backported so far: link https://bugs.launchpad.net/keystone/+bug/1621200 18:02:29 Launchpad bug 1621200 in OpenStack Identity (keystone) newton "password created_at does not honor timezones" [High,Fix committed] - Assigned to Ron De Rose (ronald-de-rose) 18:02:53 if you know of other bugs that need to be backported we should get on that 18:03:23 questions, comments or concerns? 18:03:41 other than this problem keystone is perfect. 18:03:54 ++ 18:04:09 moving along then 18:04:14 #topic newton retrospective 18:04:25 #link https://etherpad.openstack.org/p/keystone-newton-retrospective 18:04:39 has everyone seen this yet? 18:04:51 yup 18:04:53 new to me 18:05:13 started, but need to add more 18:05:14 it would be really great if everyone can help out and add some content 18:05:47 this way we can all improve and make sure as a project we are healthy 18:05:54 ++ 18:06:10 no reason to 'make keystone great again' if we never let it slip 18:06:39 :) 18:06:44 so please do take a few minutes to give some honest feedback 18:07:02 questions, comments or concerns? 18:07:20 * ayoung needs more time to work on Keystone 18:07:27 * bknudson too 18:08:08 wtb more time 18:08:12 maybe this cycle you'll get to focus more on it 18:08:24 #topic release stable/mitaka 18:08:34 we were waiting on https://review.openstack.org/#/c/369618/ but this is now merged 18:08:44 proposed to release 9.2.0 18:08:50 #link https://review.openstack.org/#/c/372771/ 18:09:03 Are there any other fixes that folks want in mitaka? it'll soon become the N-2 release -- only security and critical fixes are backport candidates 18:10:29 this is the part where you guys/gals give some feedback 18:10:54 hope the ksc functional tests issue is not related to keystone server 18:11:07 will talk more about when the topic arrives 18:11:59 I'm marginally paying attention 18:12:45 either everyone is sleeping or keystone/mitaka is perfect :-) either way i'll move on 18:12:56 #topic service provider filters [knikolla] 18:13:01 I was expecting Breton to have a few he wanted to back port:) 18:13:05 o/ 18:13:07 knikolla: are you around? 18:13:12 you have the floor 18:13:44 so i ran into that spec in the backlog. was interested in picking it up. what's the status? why was it sent back to the backlog? is there interest for me to pick it up? 18:13:52 stevemar_droid: i don't think i saw him at roll call 18:14:04 it's potentially useful for some of my projects 18:14:06 in the long term 18:14:15 knikolla, you can pick it up 18:14:24 #link https://review.openstack.org/#/c/371754/ 18:14:27 about the status... i'm not sure 18:14:34 think the better source is the bp 18:14:46 who created the spec? 18:14:47 I thought folks were on the fence about it since we couldn't decide if we wanted to improve OS-EP-FILTER or just create something new 18:14:53 lbragstad: ++ 18:14:59 I don't remember why it went to backlog. It involves creating a lot of new APIs :( 18:15:00 * rodrigods did 18:15:06 I was for creating a new, as sp has nothing to do with endpoints 18:15:17 The os-ep-fikter stuff has been buggy 18:15:26 samueldmq, it has everything to do with endpoints 18:15:31 ++ 18:15:35 not in our APIs 18:15:44 that's true 18:16:09 conceptually, they are just another region endpoint 18:16:20 is there more discussion needed about the actual proposal? 18:16:21 but was implemented/displayed differently 18:16:23 I think we should create something new rather than continuing with endpoint filtering 18:16:33 bknudson ++ 18:16:51 bknudson why is that? 18:16:57 bknudson: ++ 18:17:03 that's my opinion too 18:17:03 the catalog should be almost static 18:17:04 I just don't see how endpoint filtering can be efficient 18:17:28 changing based upon scope is just awful and will never be efficient 18:17:45 right, since the catalog is static there should be what are essentially named catalogs. 18:17:47 that idea came from reseller 18:17:48 * notmorgan gets on this soapbox again 18:17:59 and hide SPs based on domains 18:18:14 so if i'm inside a reselled cloud (aka a domain) 18:18:17 SPs should be removed from the catalog and under their own api 18:18:25 my seller won't be able to see my SPs 18:18:26 since they are much more limitedly used 18:18:38 catalog is used for a ton of things 18:18:44 to make the basic cloud work 18:18:53 notmorgan: ++ 18:18:59 notmorgan: ++ 18:19:10 it doens't make sense to have them there 18:19:14 SPs are used for federation and are use heavily when federated, but shouldn't be conflated with the catalog wich is the local cloud. 18:19:28 dstanek the service providers in the catalog you mean? 18:19:38 auth catalog ? 18:19:39 think our plugins rely on them being on the catalog 18:19:41 lbragstad: yes 18:19:44 * rodrigods needs to double check 18:19:56 plugins can be changed 18:20:00 rodrigods: somewhat, but that can be changes 18:20:08 samueldmq: no. call it service providers 18:20:15 don't overload the name catalog more ;) 18:20:53 i don;t know where catalog Tng work is 18:20:54 :) 18:20:55 isn't this an API change? 18:21:03 but with that work, SPs should not exist in the catalog 18:21:11 maybe catalog TNG work will get started back up in O. 18:21:24 I think I had a spec that matches "named catalogs" bknudson 18:21:32 catlog tng should also move catlog to /catalog 18:21:35 ayoung: yep, I've seen it. 18:21:44 which could then handle named catlogs 18:21:47 or whatever 18:21:52 notmorgan, yes 18:22:00 but again catalogs should be effectively static 18:22:03 catalog/default and catalog/all 18:22:05 named or not 18:22:32 make it a git repo and you can do git checkout catalog: 18:22:44 catalog fetch should be separate from the token anyway 18:22:55 ayoung: ++ 18:22:56 ayoung: yes 18:22:59 that would be glorious 18:23:07 Want to do it based on hash, actually, so we can tell if the default has changed 18:23:10 back to PKI! 18:23:11 (kidding) 18:23:32 rodrigods, that was where the idea came from, but it stands on its own even for uuid tokens 18:23:42 knikolla: so are you still interested in this topic? 18:23:55 after all this :-) 18:23:59 dstanek: yes, if you have a spec for me which also filters the service providers 18:24:03 (all this motivation) 18:24:18 dstanek: i'm ok with doing it the some other way, if the current spec is not the right way 18:24:24 at least any work that has been merged in this front should be reverted 18:24:34 knikolla: it sounds more like a new spec has to be created for this work 18:24:38 so - it sounds like instead of improving the current filter the general consensus is to move service providers to their own api 18:24:44 dstanek ++ 18:24:53 or we can try to rework the existing spec 18:25:09 if removed from catalog 18:25:23 filtering it is just matter of adding a domain_id field 18:25:31 just like we did for roles 18:25:41 o/ 18:26:06 i can do the implementation, for the spec we should have a longer discussion. 18:26:14 for now lets give the floor to the ksc gate 18:26:44 knikolla: ok, if you can start to drive that discussion in #openstack-keystone using what was said here as the base 18:26:57 you can give our a spec based off of those discussions 18:27:09 dstanek: sounds good. 18:27:31 #action knikolla to start driving discussions for a service provider api 18:27:35 #topic keystoneclient gate is busted 18:27:42 #link https://review.openstack.org/#/q/project:openstack/python-keystoneclient 18:27:45 * rodrigods did a bit of investigation 18:27:48 any volunteers to look at it? 18:27:59 rodrigods: what did you find out? 18:28:10 sometimes the tokens are not authorized 18:28:28 It started around 3 days ago 18:28:30 lots of unauthorized 18:28:51 have you been able to find clues as to why? 18:29:08 I like how the test output has the request ID : req-3b10a7e2-abe2-4e46-9809-d56456e21a79 ! 18:29:23 for example: http://paste.openstack.org/show/582301/ 18:29:28 I wondering if it's the same issue on the v3-only gates 18:29:31 Nice, didn't know that merged... bknudson 18:29:53 ksc functional tests uses the devstack user 18:29:57 then of course the keystone log is useless. 18:30:00 could it be an artifact of Fernet and things happening too fast? 18:30:04 so it should be authorized 18:30:07 http://logs.openstack.org/69/369469/1/check/gate-keystoneclient-dsvm-functional-ubuntu-xenial/da5db08/logs/apache/keystone.txt.gz#_2016-09-20_11_57_17_784 18:30:08 Raildo, probably not. The devstack one looks glance related 18:30:39 ayoung, fernet isn't merged yet 18:30:51 afaik the only fernet related patches were the consistent handling of datetimes 18:30:52 "Invalid user token" - what causes that? 18:31:08 it looks like it's saying there's no token in the request. 18:31:09 the error is also reproducible in my local devstack 18:31:12 revocation. expired 18:31:36 rodrigods: oh, cool. that makes it much easier to actually debug. 18:31:44 dstanek: += 18:31:46 ++ 18:32:00 just put LOGs everywhere and narrow it down 18:32:21 dstanek: The "Invalid user token" was a different request. 18:32:39 we modified the token expiration to always round down - https://review.openstack.org/#/c/368244/2/keystone/token/provider.py,unified 18:32:52 but that shouldn't have any impact on this 18:32:57 there's 3 logs for the req-3b10a7e2-abe2-4e46-9809-d56456e21a79 request 18:33:28 bknudson: yeah, i was that. i don't remember seeing that in my logs, but with 100k lines per request i may have just missed it 18:33:52 rodrigods: ok, are you going to continue on this bug? 18:33:55 100k lines per request! 18:34:07 bknudson: i may be rounding down :-P 18:34:07 yes, but i might be preempted soon 18:34:23 so more volunteers can help a lot 18:34:39 rodrigods: ok, when you feel like that time is coming if you help my get my devstack in this state i can help pick it up 18:34:46 ok 18:34:50 dstanek, sounds good 18:35:06 keystone still needs better logging. 18:35:28 #action rodrigods to continue debugging the ksc gate issue 18:35:36 bknudson: are you volunteering? 18:35:45 It's been on my plate for a long time. 18:36:11 bknudson: i'd love to review that! 18:36:17 ... moving on 18:36:24 #topic identity v3 job for devstack (non-voting) broken 18:36:39 was mentioned last meeting 18:36:41 the job is: gate-tempest-dsvm-neutron-identity-v3-only-full-ubuntu-xenial-nv 18:36:43 any update on this? 18:36:47 raildo: ^ 18:36:51 Looks like someone posted https://review.openstack.org/#/c/369675/ to partially fix it 18:36:59 so about this issue, I investigated and talk with jamielennox earlier, we saw that glance could not find the switf endpoint using keystone v3. 18:37:12 as you can see here: http://paste.openstack.org/show/582302/ 18:37:43 is the call using ?nocatalog for some reason? 18:37:46 in addition, this commit had changed this code: https://github.com/openstack/glance_store/commit/fb77cb73c5daa9f78dbf13d9c943c91f92ba0298 not sure how this change impact this problem. 18:38:07 ^ just throwing out guesses 18:38:36 https://review.openstack.org/#/c/369675/ passes v3 18:39:08 * ayoung suggests getting rid of glance 18:39:09 that's a change in devstack 18:39:17 finally I have a patch https://review.openstack.org/#/c/324100/6 to add keystoneauth sessions support on glance, so this patch may fix this v2-v3 issues on glance. 18:39:25 raildo, Nice 18:40:16 but we have to go deeper on this glance-swift issue... 18:40:43 since, this jobs didn't changed anything about that 18:40:54 have a breif thing for the end of the meeting dstanek 18:41:00 like ~2m if tht is ok 18:41:08 raildo: is this something you are going to continue to work through? 18:41:12 notmorgan: shore 18:41:51 dstanek, I'll continue working on the keystoneauth support on glance, and on this glance-swift issue 18:41:58 if https://review.openstack.org/#/c/369675/ is merged is that going to cause problems getting a better fix in place? 18:42:08 because it looks like https://review.openstack.org/#/c/369675/ gets it working again. 18:43:31 bknudson, I think we have to fix it when we solve this bug: https://bugs.launchpad.net/glance-store/+bug/1620999 18:43:33 Launchpad bug 1620999 in glance_store "swift driver ignores user_domain_name and project_domain_name settings" [High,Triaged] 18:45:05 raildo: please ask if you need help 18:45:15 ... moving along 18:45:27 #topic Cannot list flavors using a v3 token 18:45:30 Nova team is asking for help with a bug 18:45:33 #link https://bugs.launchpad.net/nova/+bug/1593573 18:45:35 Launchpad bug 1593573 in OpenStack Compute (nova) "flavor image listing failed while calling Nova API with token from http://[host-ip]/identity/v3 " [Undecided,Incomplete] - Assigned to viswesuwara nathan (viswesn) 18:45:35 dstanek, sure, I think jamielennox will work with me on it 18:45:46 raildo: great 18:46:02 does anyone have any bandwith to help with this one? 18:46:50 dstanek: stevemar posted on it 18:46:56 it looks to be working now? 18:47:11 shaleh: yes, he's also looking for help on it :-) 18:48:02 ok, sounds like a no 18:48:10 i can poke at it 18:48:11 dstanek: I mean he posted on the bug itself. It appears to be ok now. 18:48:25 it may just need another validation. 18:48:35 i'll see if I can recreate it on a fresh devstack 18:48:43 lbragstad: ++ 18:48:50 shaleh: that would be great if it now just works! 18:49:25 lbragstad: thx, maybe there's not much to do here. you can also reach out to the nova crew and see if they are still seeing the issue 18:49:40 #action lbragstad to look into helping on https://bugs.launchpad.net/nova/+bug/1593573 18:49:41 Launchpad bug 1593573 in OpenStack Compute (nova) "flavor image listing failed while calling Nova API with token from http://[host-ip]/identity/v3 " [Undecided,Incomplete] - Assigned to viswesuwara nathan (viswesn) 18:49:52 dstanek agreed, I'll see if they are still seeing and updated the meeting agenda with the action item 18:50:10 ok notmorgan 18:50:12 #topic a brief topic from notmorgan 18:50:34 o/ 18:50:36 so 18:50:56 keystone, keystonemiddlwarew, keystoneauth, pycadf need some security love 18:51:07 we need to get a pblic threat analysis done on them 18:51:23 a couple of these projects are not covered by the VMT 18:51:32 notably, keystonemiddleware and keystoneauth 18:51:46 (KSC needs it too, but less important since it[s ust the client software) 18:51:57 how do we get them covered? 18:52:14 you need to go through the process to get them covered 18:52:24 VMT? 18:52:32 with starts with a threat analysis that is accepted by the ossg 18:52:34 vulnerability maangement team? 18:52:37 shaleh: vuln. management team 18:52:44 ah 18:52:46 thx 18:52:51 notmorgan: is there a link for the process? 18:52:58 dstanek: looking for it sec. 18:53:44 #link https://governance.openstack.org/reference/tags/vulnerability_managed.html 18:53:49 see the Tag application process 18:53:52 subsection 18:54:06 and requirements 18:54:28 number 5 for the requirements is what we need 18:54:35 keystone and ksc are covered atm 18:54:38 is this just because we broken authtoken out of keystoneclient? 18:54:48 and auth out of keystoneclient? 18:54:51 ksm was never covered after the breakout 18:54:53 same with ksa 18:55:11 an oversight, but it is where we are today 18:55:13 notmorgan: how do we get a third party audit 18:55:14 ? 18:55:33 dstanek: someone (rax, RH, etc) can volunteer to have a security audit 18:55:49 maybe something to get done during the summit? 18:55:55 or a group that does it normally (some company/individual that is capable) 18:56:13 this should be something not done at the summit but as a general task 18:56:26 a TA is not usually summit timeline type thing 18:56:26 ok, running out of time.... 18:56:33 but in short 18:56:53 i'll take the task of figuring out our nexts steps here and working with stevemar_droid to make it happen 18:56:55 keystone is covered, but we (the VMT) are going to start requiring refreshes of threat analysis / security review long term 18:57:04 so we should lead here as keystone 18:57:14 and get all our repos covered *and* evaluated 18:57:15 :) 18:57:26 especially ksa and ksm 18:57:29 notmorgan: is #openstack-security a good resource for questions i have on the docs? 18:57:49 yes. also you can ask fungi, tristanc, myself, gmurphy 18:57:54 (the VMT) 18:58:02 but openstack-security is where i'd start 18:58:14 #action dstanek to take the task of figuring out our nexts steps here and working with stevemar_droid to make it happen 18:58:25 * fungi is thrilled to see this starting 18:58:31 2 mins..... 18:58:33 you might want to make tht action more descriptive ;) 18:58:38 dstanek... makin' it happen 18:58:44 #topic open discussion 18:58:46 because you're making "what" happen 18:58:56 fungi: ;) 19:00:01 #action dstanek to be project manager for getting identity team repos under VMT 19:00:07 there we go 19:00:12 lol 19:00:14 * dstanek will make it rain 19:00:21 \o/ 19:00:26 dstanek: i... uh 19:00:41 * notmorgan goes back to lurking under a rock 19:00:45 that's time 19:00:46 'um yeah - we're gonna have to have you come in on Saturday' 19:00:47 #endmeeting