17:58:24 #startmeeting keystone 17:58:25 Meeting started Tue Nov 8 17:58:24 2016 UTC and is due to finish in 60 minutes. The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:58:26 hello 17:58:27 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:58:28 lbragstad: yeah 17:58:29 The meeting name has been set to 'keystone' 17:58:36 o/ 17:59:01 o/ 17:59:10 to early! 17:59:13 stevemar we did that through a roll call over the course of a couple meetings the last time we pruned the list didn't we? 17:59:13 lbragstad: i'll trim the list soon 17:59:17 it's :59 17:59:23 breton: :O :O 17:59:48 breton: i wanted to give a few extra minutes to the people who will inevitably be caught by daylight savings time change 18:00:06 ok, we're good to go, it's :00 now 18:00:13 hi 18:00:14 o/ 18:00:16 o/ 18:00:17 dst is rough 18:00:28 o/ 18:00:28 lbragstad: i'll look at the logs, anyone who hasn't said anything in the last 4 meetings will be cut 18:00:45 Hello 18:01:08 alright, let's get the show on the road 18:01:13 hi all 18:01:15 #topic announcements 18:01:17 (hi) 18:01:26 New keystone/horizon meeting 18:01:32 o/ 18:02:05 stevemar: weekly meeting ? 18:02:08 theres a new meeting that'll take place (it's on tuesdays just after this one or an hour after) 18:02:17 nice 18:02:21 samueldmq: today is the kick starter 18:02:25 we'll see how it goes 18:02:39 * samueldmq nods 18:02:43 great! 18:02:51 but basically we want to form a squad to take down these long standing keystone/horizon integration issues 18:03:00 if you're interested, let me know 18:03:01 stevemar is that one proposed to the openstack meeting tracker? 18:03:08 lbragstad: probably 18:03:11 so that people can grab the .ics file? 18:03:11 lbragstad: link? 18:03:15 stevemar looking 18:03:26 what will be discussed is here: https://etherpad.openstack.org/p/ocata-keystone-horizon 18:03:33 nice 18:03:47 nice effort 18:04:18 it'll be nice to either a) get patches up for the issues, or b) create an undertstanding between the teams on things that can't be fixed 18:04:28 the whole thing is in the spirit of more cross team communication 18:04:44 that is a good time for the meeting 18:05:09 I think that's a real good idea. Is the first one right after this? 18:05:17 nice, so there's a keystone/horizon meeting today at 19:00 UTC? 18:05:23 stevemar, just noticing that's at the same time as the TC meeting, thinking may need to move the meeting time 18:05:51 david-lyle: i can live with it, meh 18:06:04 david-lyle: but we can bring that up at the kick off 18:06:11 stevemar, fair enough 18:06:29 dstanek: sounds like the first one is in an hour after keystone ends 18:06:35 where will it be? 18:06:45 keep an eye on the #openstack-meeting-cp channel 18:06:48 breton: ^ 18:06:53 ok 18:06:53 we should propose it here - https://github.com/openstack-infra/irc-meetings 18:07:16 if you're interested, add your name to the keystone meeting etherpad, i'll make sure you get pinged 18:07:48 so far it's just rderose :) 18:08:15 I like to be firs6t 18:08:17 *first 18:08:18 stevemar: nice. that will also help us in UX aspects 18:08:25 samueldmq: yep 18:08:33 ok, hold Horizon issues until that meeting. 18:08:46 second announcement is #What we agreed to do for Ocata-ish 18:09:07 i tried to recap all the items from the various work sessions 18:09:09 #link https://docs.google.com/document/d/1dCJyP2bfXIWoQK_wWALU83EF3G-2fJSMaFgNGCJsIhs/edit?usp=sharing 18:09:31 please comment on it, i'm trying to figure out a way to best represent and track the items 18:10:24 i can see folks are already commenting on it :) 18:10:45 i'm done announcements 18:10:53 we can switch gears to spec reviews 18:11:12 oh i guess on more announcement 18:11:20 i added the keystone specific dates to https://releases.openstack.org/ocata/schedule.html 18:11:36 the first one is "Keystone Spec Proposal Deadline" -- next week 18:11:59 the dates were decided at the summit 18:12:20 so if you want to propose a spec, get it up soon! 18:12:22 Regarding the Google doc: Cannot edit, vimperator conflicting with Google docs... :-/ 18:12:34 jgrassler: press insert 18:12:51 jgrassler: or shift-escape 18:13:15 jgrassler: breton you guys are too leet for me, i just use chrome 18:13:23 breton: Ah, the latter did the trick. Thanks :-) 18:13:23 jgrassler: turn it off for that site 18:13:26 that looks interesting 18:13:36 anyone have anything to propose that is not on the list yet? 18:13:47 breton: I'll have to try that for the Horizon console, too, one of these days 18:13:54 dstanek: did you want to propose the pysaml middleware for ocata? 18:14:17 i will cough up a spec that details the overall plans for the devstack plugin and how it ties with integration/functional tests 18:14:38 knikolla: cool 18:15:02 stevemar: unless there is a tangible reason not to finish, I'm going to finish anyway. better that it's tracked 18:16:23 dstanek: eh? i'm asking for a spec for it. do you already have a patch proposed? 18:16:53 dstanek: did you name it something funny like "nteresting idea" or "do not review me" 18:17:45 * stevemar pokes dstanek 18:17:56 stevemar: mostly written but not submitted. I wanted to hear if it was talked about at summit and what the response was... 18:18:02 stevemar i found an open time slot and a room for the cross project horizon/keystone meeting https://review.openstack.org/#/c/395106/ 18:18:36 dstanek: oh, it was talked about, and the ops in the room think it'll be nice to not have to restart apache 18:19:10 stevemar: then I shall button up my draft and submit 18:19:31 \o/ 18:19:48 lbragstad: thanks! 18:20:08 alright 18:20:11 #topic spec discussion 18:20:17 this should take up the bulk of the meeting 18:20:44 PCI-DSS Reason in Notifications 18:20:49 https://review.openstack.org/#/c/381302/ 18:20:51 #link https://review.openstack.org/#/c/381302/ 18:20:53 yes 18:21:05 it's got 2x +2s 18:21:19 anyone against it? 18:21:41 has anyone not been given enough time to review it...? 18:21:58 push it on ahead 18:22:05 looks good to me 18:22:10 and makes total sense 18:22:24 I'll +2...one sec 18:22:24 do we have versioning of notifications? 18:22:27 yeah, the notification ones are rarely contentious 18:22:31 bknudson: no 18:23:17 do we have 2 people that have the bandwidth to review it? 18:23:29 i can probably do it, but need one other person 18:23:34 which one? 18:23:54 just +2A https://review.openstack.org/#/c/381302/ 18:23:55 ayoung +2/+A-ed 18:24:18 Next 18:24:37 ayoung: i'm assuming you will help me review it then :) thanks for volunteering :) 18:24:55 next 18:24:58 PCI-DSS Expired Password Users 18:25:04 #link https://review.openstack.org/#/c/383832 18:25:12 this one is a bit weird 18:25:17 yeah 18:25:35 i keep mixing the terms enabled/disabled and expired 18:25:41 yeah it is confusing 18:25:54 but expired users can still be enabled and should be allowed to reset their password 18:26:14 user has a new attribute? 18:26:30 password_expires_at 18:26:45 what this spec does it allow an admin to get a list of users who have expired passwords 18:26:50 although unlikely, somebody could be using that already 18:27:48 the other funny funny about this is the query string 18:28:04 the ewwwwww comment? 18:28:04 "password_expires_at=gt:2016-10-14T15:30:22Z" 18:28:09 :) 18:28:21 gagehugo: its better now! 18:28:36 yes, much better 18:28:37 it's not clear if every user now has a new attribute. 18:28:37 yeah, that would be weird 18:28:49 most likely on greater than, less than 18:29:06 bknudson: that spec doesnt add a new attribute 18:29:12 if that's what you mean 18:29:25 bknudson: every user now already has the password_expires_at attribute 18:29:25 it says that when you list users you get back a new attribute 18:29:32 ok 18:29:51 I thought we already supported querying by attribute values 18:30:03 bknudson: me too 18:30:16 bknudson: I think it is only partially implemented 18:30:19 bknudson: it'll be a little different since it's a timestamp 18:31:02 I don't think it allows for inequality match 18:31:30 i see more value to this being a relative timestamp. like 'expires_in=1d' 18:31:42 no, the gt,inequality,etc needs to be done 18:31:52 dstanek: ++ 18:32:15 We don't need a generla puproe comparator language 18:32:29 make it part of the URL: all_after etc 18:32:31 I thought we already had a general purpose comparator language 18:32:34 api-wg defined one 18:32:34 sounds like no one is really against it. do we have people who are willing to review the code ? 18:32:43 password_expires_after 18:33:04 ayoung: ++ 18:33:36 i think the use case is "i want to list all users that are expired as of now" 18:33:38 I will review 18:33:50 dstanek: thanks, anyone else? 18:34:00 stevemar: for that case is it not enough a expired=True? 18:34:06 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/driver_hints.py#n85 18:34:09 stevemar: I've already reviewed it 18:34:22 no because a user can be expired but their enabled field does not change 18:34:26 rderose: i mean, someone who is willing to review the implementation :) 18:34:29 * rodrigods can review 18:34:36 good enough for me 18:34:39 knikolla: nope. I need to notify users that expire in 7 days 18:34:45 ah 18:35:06 bknudson you want to use hints to get that information? 18:35:19 lbragstad: isn't that what it's for? 18:35:31 approved it 18:35:33 knikolla: just like your employer probably does for your corporate account 18:35:52 the implementation detail can change while we review the impl. 18:36:03 yeah we can fine tune it 18:36:07 bknudson yeah - we'd have to enrich the hints functionality though - it has bugs 18:36:16 gagehugo: do you mind if we review https://review.openstack.org/#/c/345113/ before the project/props one? 18:36:21 that sounds like a useful thing to do anyways 18:36:29 stevemar: yeah go for it 18:36:34 Next spec is https://review.openstack.org/#/c/345113/ 18:36:51 good ol MFA 18:37:14 it's a good idea 18:37:21 i like it 18:37:34 and adriant already has the impl. up 18:37:51 it just didn't make the cut off last cycle, but i think it's good to go 18:38:12 there are limitations (won't be enforced in v2 only deployments), but i'm still OK with it 18:38:38 there will be some issues with the client side work too, but we'll need to work that out separately 18:39:19 stevemar: I thought client side was a non-issue 18:39:41 i thought i remember that, too 18:39:55 wasn't the client just going to concatenate the code and password together? 18:40:03 dstanek: the issue there was that the user would need to get a new token every time and keep retyping their passcode 18:40:10 you just combine the code and password 18:40:21 since passcodes are only good for a few seconds 18:40:26 but code expires, and user will have to resource the rc file 18:40:29 Ah, I see 18:40:44 we need to do a better job of caching tokens and getting new ones on the client side 18:40:48 user could get an oauth token or something 18:40:51 ah - so this is a different usability issue 18:40:57 looks like we need client side token caching 18:41:03 yeah 18:41:15 you can cache the token but it's going to expire 18:41:15 dstanek: which has been an osc issue for a while 18:41:19 ++ that would be good overall 18:41:53 given that limitation, i think we're still OK for approving it on the server side 18:41:55 stevemar: I wanna discuss that offline with you... If I can remember 18:42:08 dstanek: sure, pull in jamielennox too 18:42:26 sure 18:42:50 dstanek: lbragstad bknudson i'll let you guys approve it if you agree to review the impl. 18:43:28 already been! 18:43:29 stevemar, better job caching tokens where? 18:43:39 client side 18:43:43 ayoung: on the client side 18:43:45 openstackclient doesn't cache tokens 18:43:46 I'm gonna mess that up 18:44:00 ayoung: ? 18:44:15 if we merge role validation into the token validation, caching is not going to be worth much 18:44:27 same token, different call, will have to be reauthenticated 18:44:42 that definitely messes things up 18:44:48 client will still be able to use the same token more than once right? 18:44:57 dstanek maybe, maybe not 18:45:04 depends on the call the user is making 18:45:09 it was just getting the token that required the code 18:45:40 a token might be valid for one call and invalid for another depending on the operation 18:45:40 heh 18:45:46 glad I could derail this 18:45:56 yeah lets put the train back on the tracks 18:46:00 so we wouldn't support OS_TOKEN anymore? 18:46:02 comment on the spec if need be 18:46:05 so..yeah, its going to wreak total havoc with caching 18:46:28 ayoung: the fallout from your spec is independent of this new one 18:46:36 heh 18:46:45 it'll break caching everywhere 18:46:58 so reviewers: do not treat the two as related... 18:47:01 we probably need to set aside time to talk about that one again 18:47:07 ayoung: which spec is that? 18:47:15 ayoung: I think it'll depend on if the server returns a 401 or 403 error 18:47:16 but if you are talking about having the client reuse tokens, that is different, and yes, we should do that 18:47:25 not having role should return 403 18:47:37 https://review.openstack.org/#/c/391624/ 18:47:40 invalid token should return 401 18:47:40 #link https://review.openstack.org/#/c/391624/ 18:47:42 dstanek: https://review.openstack.org/#/c/391624/ 18:47:59 :) thx all 18:48:02 ayoung: you added everyone to that review 18:48:22 stever, well, not EVERYONE, but yeah 18:48:30 if OS_TOKEN stops work than my personal automation will stop working :-( 18:48:54 dstanek: a lot of automation would stop working 18:49:02 dstanek loves the admin token 18:49:12 bknudson: different than admin token 18:49:13 yeah, but i'm mostly worried about mine 18:49:30 OS_TOKEN should and will die 18:49:34 die die die die 18:50:13 10 minutes left, lets jump to the last spec 18:50:18 Projects and properties! 18:50:28 Mazes and Monsters! 18:50:31 #link https://review.openstack.org/#/c/388886/ 18:50:41 i posted this to the mailing list 18:50:43 Mailing List Discussion: http://lists.openstack.org/pipermail/openstack-dev/2016-November/106806.html 18:50:47 Yeah, this is a bad idea 18:50:52 There was good discussion on the mailing list 18:51:07 the response on the mailing list was that we hate quotas 18:51:14 i thought we got some good feedback from other developers 18:51:37 Youthought HMT was hard to solve... 18:51:49 anyone care to summarizethe feedback? 18:52:03 ayoung: ops are for it 18:52:18 nova folks are saying to watch out for a few things 18:52:29 make sure you use a strict set of valid keys 18:52:38 there's an extra metadata call for projects? 18:52:44 #link http://lists.openstack.org/pipermail/openstack-dev/2016-November/106822.html 18:52:56 jaypipes said to use tags 18:53:08 i'm definitely not a fan of this yet 18:53:23 horizon already has panels for editing metadata 18:53:37 bknudson: keystone metadata? 18:53:47 well.. extras? 18:53:49 no, volume and instance 18:53:57 here is one way to think of it 18:53:57 s/metadata/properties 18:54:05 so should be copy/paste for keystone projects :D 18:54:06 from a Keystone perspective, no service is special 18:54:08 I don't know what it has for projects 18:54:16 Nova is no more special than Neutron 18:54:26 and that goes out into the things floating around the big tent 18:54:32 and off into the sunset 18:54:58 dstanek: why are you against it? 18:55:06 we are not making a clearing house of project specific information, because if the project can't figure out how to deal with the type of info, ofbbing it off on Keystone will not solve the problem 18:55:15 it will exacerbate it 18:55:29 if we need a sound approach to quotas, solve quotas 18:55:45 don't solve it in a project specific manner, but make sure the solution works for cinder and neutron 18:55:53 lets not talk quota yet 18:55:53 stevemar: well, i think it's an interesting usecase, but in implementing it we open a can of worms 18:55:57 project properties is not for quotas 18:56:02 breton: ++ this isn't for quotas 18:56:02 breton, this is all about quotas 18:56:10 it is the same damn thing 18:56:18 ayoung: no it isn't, and it is different :) 18:56:24 quota is a specific instnace of a type of data specific to nova, neutron 18:56:26 for instance, i commented on the spec that it was broken because it allowed people with the ability to create projects to edit the metadata 18:56:27 this sounds like extras v2 18:56:34 ayoung: read adriant's use case: http://lists.openstack.org/pipermail/openstack-dev/2016-November/106839.html 18:56:38 and the billing info tags etc 18:56:40 lbragstad: yes, more or less 18:56:51 that makes sense unless you real the usecase which is really wanting only the cloud admin to edit 18:57:10 which is what we want 18:57:18 so does this mean we are opening ourselves to have multple levels or metadata controlled by permissions? 18:57:40 so - i know everyone here pretty much hates the idea of extras and we've been trying to get rid of it for a while... if we move forward with properties we need to make sure we don't reimplement the things we hate about extras 18:57:41 we already have to support "extras", may as well make a decent API for it 18:57:50 we have not even solved basic RBAC. We can't do what they want. 18:57:58 lbragstad: it is formalizing extras in a way, but their usecase limits who should have the ability to modify the metadata 18:58:05 (at least some of the metadata) 18:58:24 stevemar, we make NO guarnatees about that data. AAnd if people realized just how easy it was for that data to be something other than what they want it to be, they will freak 18:58:30 stevemar: this isn't an api for metadata. 18:59:01 dstanek: eh? 18:59:02 the original spec made it seem that way, but i was not aligned with the usecase 18:59:27 metadata might be an overloaded term - it is more storing properties (or tags) and associate it with keystone entities 18:59:41 right now the user table's stores emails in the extra column 18:59:56 i dunno, i can't believe we're arguing over what seems like a basic use case 19:00:11 times up 19:00:13 #endmeeting