#openstack-meeting log

18:00:01 <lbragstad> #startmeeting keystone
18:00:02 <openstack> Meeting started Tue Jan 17 18:00:01 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:05 <openstack> The meeting name has been set to 'keystone'
18:00:16 <lbragstad> ping agrebennikov, amakarov, annakoppad, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc, stevemar, topol, portdirect, SamYaple
18:00:24 <jaugustine> o/
18:00:24 <gagehugo> o/
18:00:26 <stevemar> o/
18:00:26 <raildo> o/
18:00:29 <spilla> o/
18:00:30 <rderose> o/
18:00:42 <samueldmq> Hey o/
18:00:48 <knikolla> o/
18:01:09 <rodrigods> o/
18:01:28 <lamt> o/
18:01:38 <lbragstad> let's give it a minute for folks to trickle in
18:03:01 <lbragstad> ok - cool
18:03:02 <lbragstad> #topic announcements
18:03:06 <lbragstad> we are in R-5 and this is the final week for non-client library releases
18:03:13 <lbragstad> only 5 weeks left until we release
18:03:27 <morgan> o/
18:03:35 <lbragstad> also this week is non-client library freeze
18:03:36 <lbragstad> we will be releasing new versions of KSA and KSC this week
18:03:47 <lbragstad> I know rodrigods has a last minute patch up to KSA to add some tests
18:03:59 <stevemar> and jdennis had a nice fix for ksa
18:04:00 <rodrigods> lbragstad, ++
18:04:00 <SamYaple> o/
18:04:06 <morgan> mordred: ^ we wont get the KSA context manager in if we don't have an example, it will take me longer to generate it than you
18:04:08 <lbragstad> but that's the only thing i think we are waiting on for KSA
18:04:23 <morgan> if you have an example today, i'll get us to land the new context manager
18:04:27 <morgan> before the release
18:04:35 <lbragstad> morgan ++
18:04:42 <lbragstad> stevemar I assume we have until friday?
18:05:00 <morgan> we should, but lets not delay unless there is a damn good reason to
18:05:01 <stevemar> lbragstad: wednesday/thursday
18:05:07 <stevemar> the release team doesn't like releasing on friday
18:05:13 <lbragstad> ack
18:05:17 <morgan> commit it and quit :P
18:05:20 <morgan> >.>
18:05:38 <gagehugo> ah
18:05:44 <lbragstad> morgan cool - so we have a day or two to land the context manager
18:05:49 <stevemar> theres one more for KSA: https://review.openstack.org/#/c/421319/
18:05:56 <samueldmq> Nice! Let's get it done
18:05:58 <morgan> yeah i can make that happen
18:06:04 <morgan> but i need an example to work from
18:06:16 <morgan> which i expect will take a day or so to shore up
18:06:22 * stevemar puts his +2 on 421319
18:06:24 <lbragstad> morgan I can follow up with you later too on that - i just want to have tabs on it
18:06:41 <morgan> lbragstad: it's more just needing a concrete example and confirming the design is sane
18:06:48 <lbragstad> morgan ++
18:06:51 <lbragstad> makes sense
18:06:57 <morgan> i don't want to land that in KSA (since ksa is very strict in contract) w/o the concrete test(s)
18:06:59 <stevemar> morgan: and docs ;)
18:07:02 <morgan> (not unit/functional)
18:07:10 <morgan> stevemar: the example will be for doc generation too
18:07:16 <stevemar> cool
18:07:24 <morgan> worst case, it lands in Pike
18:07:35 <lbragstad> morgan how much does it need to be in this next release?
18:07:36 <lbragstad> morgan ok - that answers my question
18:07:36 <mordred> morgan: yes. sorry. I will do this
18:07:56 <morgan> lbragstad: ideally this release
18:07:59 <morgan> we want to lean on it
18:08:01 <morgan> asap
18:08:18 <morgan> it cleans up  our code in shade/zuul/nodeppool
18:08:21 <lbragstad> if there is anything else that we need in those libraries, please speak up so that we can prioritize accordingly
18:08:22 <morgan> and sooner is very much better
18:08:25 <stevemar> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:08:28 <stevemar> agenda ^
18:08:32 <lbragstad> thanks stevemar
18:08:41 <morgan> but worst case we can lag on it, i just don't wnat to drag too much if we can avoid it
18:08:55 <lbragstad> morgan makes sense - let me know when you need some reviews
18:09:03 <lbragstad> Pike PTG in ATL is just around the corner, be sure to check out the etherpad
18:09:11 <lbragstad> #link https://etherpad.openstack.org/p/keystone-pike-ptg
18:09:13 <morgan> if mordred doesn't get it today i'll take on the example work, but it will def be in Pike timeframe instead
18:09:18 <lbragstad> it makes it a lot easier as we go through and start planning things
18:09:31 * morgan needs to book a flight
18:09:34 <lbragstad> morgan makes sense
18:09:37 * stevemar wonders if anyone added anything to the ptg etherpad
18:09:40 <stevemar> *nope*
18:09:44 <samueldmq> Samuel has got Green status to go to Atlanta
18:09:50 <lbragstad> final few things to review
18:09:50 <stevemar> nice
18:09:58 <morgan> fwiw, i'll be missing day 1 of the PTG, family things to do that weekend in Los Angeles
18:09:59 <stevemar> i bought my ticket
18:10:00 <lbragstad> review #link https://review.openstack.org/#/c/403898
18:10:04 <morgan> but i'll be there for the rest of the time
18:10:04 <lbragstad> review #link https://review.openstack.org/#/c/409874
18:10:09 <lbragstad> review #link https://review.openstack.org/#/c/415895
18:10:14 <stevemar> lbragstad: use #topic!
18:10:16 <stevemar> :)
18:10:35 <knikolla> is the first one not WIP anymore?
18:10:36 <morgan> stevemar: ++
18:10:39 <lbragstad> stevemar i'm still in the announcements sections :)
18:11:00 <stevemar> knikolla: doesn't look like it :O
18:11:01 <lbragstad> #topic final things to review for ocata
18:11:23 <stevemar> o/
18:11:30 <stevemar> mind if i chime in here lbragstad ?
18:11:35 <lbragstad> stevemar sure
18:12:03 <stevemar> we've got maybe 1-2 weeks left for features
18:12:15 <stevemar> I've identified the following as critical patches
18:12:17 <stevemar> https://review.openstack.org/#/c/403898/
18:12:18 <stevemar> https://review.openstack.org/#/c/409874/
18:12:18 <stevemar> https://review.openstack.org/#/c/415895/
18:12:33 <stevemar> the next few are nice to have:
18:12:36 <stevemar> https://review.openstack.org/#/c/387161/
18:12:36 <stevemar> https://review.openstack.org/#/c/403916/
18:12:36 <stevemar> https://review.openstack.org/#/c/404022/
18:12:38 <stevemar> https://review.openstack.org/#/q/topic:bp/per-user-auth-plugin-reqs
18:12:53 <stevemar> so please... everyone knows what i'm gonna ask :)
18:12:56 <stevemar> reviewwwww
18:13:10 <knikolla> roger
18:13:24 <gagehugo> sure
18:13:35 <lbragstad> I have a new patch up for #link https://review.openstack.org/#/c/415895/
18:13:36 <lbragstad> I'm going to spend today working on docs
18:13:41 <stevemar> lamt: rderose samueldmq rodrigods spilla gagehugo all of you :P
18:13:44 <lbragstad> so I'll have something up before 5
18:13:51 <rderose> will do
18:13:54 <gagehugo> I shall pickup the pace
18:14:03 <stevemar> pull down the patch, play with the new functionality
18:14:07 <spilla> ay ay captain
18:14:12 <stevemar> if you have questions let me know on irc
18:14:15 * samueldmq noda
18:14:15 <lamt> will do
18:14:21 <samueldmq> Nods, not noda
18:14:29 <samueldmq> :)
18:14:31 <lbragstad> #topic announcement: prepare for bug mode!
18:14:38 <stevemar> secondly we need a few folks to look at the undecided and high bugs
18:14:38 <lbragstad> last announcement
18:14:43 <stevemar> lbragstad: take it away
18:14:48 <lbragstad> we will need to start going to bugs and getting into bug mode in order to have a productive RC period
18:14:50 <morgan> stevemar: i'll triage bugs today
18:14:53 <lbragstad> there are bunch of things that aren't triaged yet
18:15:03 <lbragstad> is anyone able to pick up a couple? this is also something we can try and get through during office hours, too
18:15:09 <lbragstad> thanks morgan
18:15:16 <stevemar> morgan: awesome, breton / lbragstad / myself have been doing a pretty good job of it this release
18:15:19 <topol> o/
18:15:34 <lbragstad> I don't want to ask someone to do *all* the work, but if someone even has time to do one, that's a big help
18:15:36 <morgan> wont commit to code, but i'll do a sweep for the high prio ones and make sure nothing is lingering/close out dead bugs if I see them
18:15:43 <stevemar> morgan: ++
18:15:51 <stevemar> thats all i was asking for
18:15:55 <morgan> but i'll be sure to hit the highs that looks relevant for ocata
18:16:19 <knikolla> lbragstad: i can work on that
18:16:24 <lbragstad> knikolla awesome
18:17:09 <lbragstad> if in the process of triaging, you find one that makes a good candidate for office hours - write it down
18:17:13 <lbragstad> or vocalize it
18:17:34 <lbragstad> it's always nice to have easy ones stashed away for folks to work on
18:17:45 <lbragstad> (I wonder if we should make an office-hours bug tag)
18:17:54 <knikolla> i'll put them on the office hours etherpad
18:18:44 <lbragstad> knikolla cool - thanks!
18:18:49 <lbragstad> moving on
18:18:55 <lbragstad> #topic Owning the Docker image
18:19:01 <lbragstad> SamYaple o/
18:20:13 <lbragstad> do we have a SamYaple ?
18:20:42 <lbragstad> we  can circle back after gagehugo's topic
18:20:49 <lbragstad> #topic Finishing up doc build stacktraces bug
18:20:50 <stevemar> lbragstad: he chimed in earlier
18:20:56 <gagehugo> o/
18:20:58 <lbragstad> gagehugo o/
18:21:18 <stevemar> gagehugo: hmm, i remember bknudson tackled this early on, looks like we created more errors since then :)
18:21:23 <gagehugo> so this bug is almost done
18:21:28 <stevemar> but he's a good resource for this stuff
18:21:43 <gagehugo> https://bugs.launchpad.net/keystone/+bug/1602422/
18:21:43 <openstack> Launchpad bug 1602422 in OpenStack Identity (keystone) "Many tracebacks building keystone docs" [Low,In progress] - Assigned to Gage Hugo (gagehugo)
18:21:44 <stevemar> #lnk https://bugs.launchpad.net/keystone/+bug/1602422/
18:21:45 <morgan> i don't wnat to convert away from @hybrid_property unless really needed
18:21:50 <gagehugo> ^
18:21:55 <morgan> it seems super useful to keep that
18:22:04 <gagehugo> the other option is to just ignore the sql_model file
18:22:07 <bknudson> we used to have an option to fail docs if there were warnings but that hasn't worked for a while now
18:22:07 <rderose> morgan: ++
18:22:10 <gagehugo> when autodoc'ing
18:22:10 <morgan> we can skip the file in autodoc for now and work to make that functional down the road
18:22:12 <rderose> we have other hybrid properties (domain_id), are any of those failing?
18:22:26 <gagehugo> I think it's something to do with value that aren't in the same table
18:22:27 <morgan> short term, skip with a todo
18:22:28 <morgan> imo
18:22:32 <stevemar> hmm
18:22:37 <rderose> hmm
18:22:41 <gagehugo> because User has name/enabled/domain_id and they are fine
18:22:44 <gagehugo> in sql_model
18:22:52 <morgan> yeah
18:23:03 <gagehugo> it's just the password stuff
18:23:20 <rderose> yeah, I am okay with skipping
18:23:21 <morgan> if you can't fix it w/o moving away from hybrid_property, just skip that autodoc bit and we can circle back on it
18:23:38 <gagehugo> http://paste.openstack.org/show/595256/
18:23:43 <gagehugo> ok, that works
18:23:45 <stevemar> gagehugo: looks like zzzeek is aware of it http://stackoverflow.com/questions/6859182/sphinx-autodoc-integrate-decorated-properties :)
18:23:53 <gagehugo> oh cool
18:24:02 <morgan> sounds like future sql-a will fix
18:24:03 <morgan> then
18:24:11 <lbragstad> that'd be nice
18:24:13 <gagehugo> 5 years ago :/
18:24:17 <ayoung> Heh
18:24:25 <morgan> well lets bug zzzeek again
18:24:26 <morgan> :)
18:24:30 <morgan> it should be fixable
18:24:49 <morgan> and zzzeek works on openstakc now, he didn't 5yrs ago
18:24:55 <stevemar> https://github.com/zzzeek/sqlalchemy/pull/238
18:24:56 <morgan> so he is more reachable for us
18:24:59 <gagehugo> also: https://review.openstack.org/#/c/420171/ for the same bug
18:25:09 <gagehugo> oh nice
18:25:49 <gagehugo> I'm good then if we wanna move on
18:25:53 <lbragstad> cool
18:25:55 <stevemar> gagehugo: maybe check if zzzeek is available in -keystone and bug him?
18:26:01 <gagehugo> stevemar: sure
18:26:02 <stevemar> hes great for anything sql related
18:26:18 <lbragstad> #topic open discussion
18:26:25 <SamYaple> lbragstad: apologies, kids were screaming
18:26:29 <bknudson> there should be some way for us to catch errors in the doc builds
18:26:31 <lbragstad> SamYaple cool!
18:26:35 <lbragstad> #topic Owning the Docker image
18:26:40 <lbragstad> SamYaple o/
18:27:16 <ayoung> This is based on the pattern of functional tests and devstack moving to the projects
18:27:18 <stevemar> bknudson: fail on warnings :D
18:27:18 * topol On irc, no one can hear your kids scream.  Thank goodness. That saved me many a time
18:27:19 <ayoung> Heh...
18:27:36 <ayoung> moving from a central project to the to corresponding remote projects
18:27:40 <SamYaple> hello all. short summary, id like to see keystone repo have a Dockerfile and maintain that for keystone
18:27:58 <SamYaple> To that effect, we have this
18:28:00 <SamYaple> #link https://github.com/yaodu/docker-keystone/tree/master/dockerfiles
18:28:04 <ayoung> it allows the Keystone team to control the defaults for containerization.
18:28:33 <SamYaple> up until recently we havent been able to effectively build openstack images ina a manner that CI/CD likes
18:28:41 <SamYaple> this was a major pain point in the Kolla project
18:29:00 <ayoung> I was thinking this could go under a separate git repo under the Identity program
18:29:05 <SamYaple> where kolla solved this with many layers (a base layer, and openstack-base layer, a keystone-base layer, etc)
18:29:12 <SamYaple> this is solved with a single Dockerfile
18:29:31 <SamYaple> making it much more reasonable to get into a keystone-owned repo
18:29:40 <SamYaple> since there are no linkages to external tooling and complicated layering system
18:29:43 <dstanek> SamYaple: and the identity team should manage it?
18:29:49 <morgan> ayoung: i would agree a separate repo would be good.
18:29:57 <SamYaple> dstanek: i would like to see that yes
18:30:24 <dstanek> morgan: ++ on separate repo - that way i don't need to see it :-)
18:30:27 <SamYaple> for a quick look at how easy it would be to build images _with_ patches, https://github.com/yaodu/docker-keystone/blob/master/README.md
18:30:44 * morgan wants to avoid encoding special things for packaging (outside of like bindep) in the main repo
18:30:45 <SamYaple> single command can build an image with a ref patch
18:31:27 <morgan> SamYaple: as a point, is it possible to CI this with zuul?
18:31:35 <SamYaple> morgan: yes! thats the goal!
18:31:39 <breton> && pip install --no-cache-dir --no-index --no-compile --find-links /tmp/packages --constraint /tmp/packages/upper-constraints.txt \
18:31:40 <lbragstad> SamYaple have other projects already started maintaining their own docker files?
18:31:42 <morgan> because i don't want to be responsible for something that isn't tested
18:31:46 <stevemar> nothing wrong with keeping it in the repo
18:31:49 <breton> why does it install upper-constraints.txt?
18:31:52 <SamYaple> lbragstad: no. starting with keystone
18:31:59 <morgan> if it isn't tested it is broken (in proper openstack fashion)
18:32:03 <stevemar> we keep uwsgi and mod_wsgi stuff in the repo
18:32:14 <morgan> stevemar: that is not really deployment stuff like docker is
18:32:15 <SamYaple> breton: its not installing upper-constraints, its constraining to upper-constraints
18:32:22 <morgan> stevemar: docker is more like deb or rpm spec imo
18:32:28 <SamYaple> morgan: ++
18:32:35 <SamYaple> morgan: and thats the goal here
18:32:38 <stevemar> as long as it's tested it is OK with me
18:32:41 <morgan> and i would -2 deb control files AND rpm specs
18:32:42 <breton> SamYaple: oh ok, sorry
18:32:53 <morgan> so, i am inclined to say no to a dockerfile in keystone as well
18:32:58 <SamYaple> to produce a binary-like thing that can be plugged into a deployment tool/script/devstack
18:33:19 <morgan> this feels like part of the deployment tools that covers .deb and rpm building
18:33:34 <lbragstad> SamYaple have you talked to other projects about whether or not they want a docker file in project source?
18:33:48 <SamYaple> lbragstad: not in an official capcity, no
18:33:58 <stevemar> its to help kolla right?
18:33:58 * morgan doesn't wnat to block this though
18:34:10 <SamYaple> there are people around that are interested in it, but this is the first official project meeting
18:34:14 <morgan> but just voicing the opinion of where i see this fitting
18:34:17 <dstanek> it's no help to them if we don't use it and it just rots
18:34:32 <stevemar> dstanek: testing would be a requirement
18:34:47 <stevemar> dstanek: we've had other stuff bitrot before for less
18:34:47 <SamYaple> stevemar: this is unrelated to Kolla. Kolla needs external tooling to build and isn't CI/CD friendly
18:34:53 <lbragstad> SamYaple I'd be curious to see what a note the mailing list brings up
18:35:03 <SamYaple> lbragstad: can do.
18:35:11 <lbragstad> SamYaple I only worry about having a split conventions between the different projects
18:35:31 <SamYaple> lbragstad: to be clear, i am hoping for a cross-openstack effort here, not something keystone specific
18:35:35 <lbragstad> (some projects keeping in tree, some keeping it in a separate repo under the project, some projects keeping is somewhere else)
18:35:41 <lbragstad> SamYaple ++
18:35:45 <SamYaple> so what you suggest is reasonable. this is jsut the first conversation on the road
18:35:53 <stevemar> SamYaple: apply for a new community goal?
18:36:02 * SamYaple adds to list
18:36:26 <stevemar> SamYaple: like this? https://review.openstack.org/#/c/419706/
18:36:31 <ayoung> What I want to avboid is having people that know nothing about Keystone make decisions that are then inherited .  Containers are the main way people are going to be deployiong software here on in.  Seems we should take it that far
18:36:41 <SamYaple> for those that are interested, it takes ~1 minute to build this keystone image with a ref patch
18:36:41 <lbragstad> I just wouldn't want to have a conversation with another project as to why we keep it in tree when they have a strong reason not to, and now we have different projects doing different things
18:37:18 <stevemar> lets see what reasoning SamYaple brings up in the mailing list :D
18:37:34 <lbragstad> ++
18:37:42 <SamYaple> just as a quick poll, is there interest in this from the keystone team?
18:37:52 <ayoung> And, unlike most of OpenStack, Keystone can be deployed without any other OpenStack services running.  This is a reasonable tool for development, as well as comunicating live setup standards
18:38:17 <ayoung> SamYaple, probably too soon.  people need time to consider it, I think
18:38:24 <dstanek> i don't use docker so i likely wouldn't look at it
18:38:30 <ayoung> dstanek, *yet*
18:38:36 <SamYaple> heh
18:38:42 <dstanek> ayoung: hopefully ever
18:38:50 <morgan> ayoung: again, i am going to refer to current state. -2 for control files and rpmspecs, i view dockerfile the same
18:38:51 <SamYaple> ok fair enough. I will hit up the mailing list with all of this
18:38:58 <ayoung> dstanek, docker is like venvs for everything else
18:39:01 <lbragstad> SamYaple awesome - thanks!
18:39:03 <stevemar> SamYaple: sounds like a good initiative, needs x-project talk thogh
18:39:04 <morgan> i'd like us to have a clear this is how it works in openstack model
18:39:19 <morgan> if that is in tree, i'll conceed, but right now i'd say no based on prior art
18:39:29 <SamYaple> right morgan. and i don't have a good answer for that at the moment
18:39:30 <morgan> for in-tree, and ask for it to be like other packaging
18:39:32 <morgan> :)
18:39:34 <lbragstad> yeah - that would probably help in figuring out if people want to use it
18:39:35 <morgan> SamYaple: yep!
18:39:37 <stevemar> SamYaple: I'm OK as long as it's tested
18:39:42 <SamYaple> morgan: i will say it is a _bit_ different than an RPM
18:39:47 <morgan> oh for sure
18:39:49 <SamYaple> but im with you in your concerns
18:39:54 <dstanek> ayoung: i tried docker, but went back to lxc
18:40:02 <SamYaple> dstanek: you can use these images with LXC!
18:40:02 <morgan> it's why i wouldn't hard -2 it on principle
18:40:09 <morgan> just want to make sure we're not doing wacky things
18:40:17 <ayoung> dstanek, ah...so jsut the docker piece...
18:40:31 <SamYaple> cool. well this when as well as I could have expected. thats all from me
18:40:34 <dstanek> ayoung: all my dev is currently in containers
18:40:47 <lbragstad> SamYaple thanks for the info - i'll keep tabs on the mailing list
18:40:48 <SamYaple> if you want more info on any of this, hit me up. and we have a working channel for this stuff in #yaodu
18:41:14 <lbragstad> #topic open discussion (round 2!)
18:41:34 <lbragstad> reminder that we have the policy meeting tomorrow for those who are interested (#link http://eavesdrop.openstack.org/#Keystone_Policy_Meeting)
18:42:46 <morgan> *cough*U
18:42:48 <spilla> I have something (hopefully) quick if there's nothing else
18:42:50 <morgan> lbragstad: you missed my topic
18:42:55 <spilla> do that ^
18:43:09 <lbragstad> morgan ah - im sorry
18:43:14 <lbragstad> #topic *** VERY IMPORTANT *** VMT coverage / Threat Analysis Requirements
18:43:35 <lbragstad> morgan fungi o/
18:43:39 * morgan securely puts on the VMT hat
18:43:59 <morgan> ok, so keystone should be leading here. We are heavily invested in security for obvious reasons
18:44:11 <morgan> the issue is we are not fully covered by the VMT
18:44:20 <morgan> keystone server and client are grandfathered in
18:44:35 <morgan> keystone auth and middleware are not (arguably should be, but different story)
18:44:45 <morgan> we really need to move on getting these covered by the VMT
18:44:49 <morgan> especially middleware and auth
18:45:04 <morgan> this requires a security analysis that can be publically published to be completed
18:45:18 <stevemar> is there a guide that we can follow?
18:45:31 <stevemar> should i be bugging ibm's security teams?
18:45:32 <lbragstad> morgan is the security analysis manual?
18:45:34 <morgan> in the middleterm we need to do the same for keystone and keystoneclient (as the VMT will require grandfathered in projects to do the same thing to maintain the tag)
18:45:39 <morgan> there is a template
18:45:42 <morgan> one sec, getting the link
18:45:53 <lbragstad> stevemar yes - you should ;)
18:45:57 <fungi> #link http://git.openstack.org/cgit/openstack/security-analysis/
18:46:03 <morgan> thanks fungi !
18:46:16 * fungi broke radio silence
18:46:22 <browne> so i did work on this much, but i know the OSSG has been work on threat analysis of various projects
18:46:25 <morgan> but in short, it needs to be a reputable external party (meaning, not the VMT members)
18:46:43 * fungi is glad not to be reputable
18:46:43 <morgan> OSSG can commit to doing this, but we are not requiring them to do so
18:47:06 <lbragstad> this almost sounds liaison related
18:47:11 <browne> morgan:  yeah, best if the project cores did it
18:47:14 <morgan> it might be faster to not try and ask the OSSG if we can source from one of the contributors (red hat, rackspace, etc)
18:47:25 <fungi> i believe the one or two the ossg were getting hands-on with were to dry run the analysis process and templates
18:47:27 <morgan> and the project cores collaborate with them on it
18:47:40 <fungi> but the idea is that they wouldn't be directly involved beyond reviewing future analyses
18:47:45 <browne> but if you want templates or help in how to do it OSSG can be useful reference
18:48:00 <morgan> fungi: ++
18:48:36 <morgan> i really want to get us moving on this. it is *** important ***
18:48:55 <morgan> keystone should not lag behind on this. if we do, we risk a lot.
18:49:06 <fungi> that said, i don't speak for the security team. the vmt asked if they wanted to help us come up with a process for this piece and they volunteered, but their involvement is their own
18:49:07 <morgan> and we have a ton of new things that need to be looked at with a critical eye
18:49:12 <browne> i thought maybe bknudson had already done some work in this area
18:49:26 <stevemar> browne: he's been busy with a bunch of things
18:49:31 <morgan> browne: i believe so, but iirc most of the work done was not directly publishable
18:49:37 <browne> ah
18:49:46 <morgan> browne: as most of the threat-analysis done to this point has not been
18:49:56 <morgan> the key is this version must be something we can publish publically
18:50:34 <morgan> so. i am revisiting this and trying to get this done for the ocata code.
18:50:43 <morgan> especially for ksa and ksm
18:50:51 <lbragstad> morgan what's the deadline?
18:50:59 <fungi> yea, i _believe_ the compromise there is that the analysis itself doesn't need to be performed in public (and in fact may turn up risks which the team doing the analysis want to bring to the project in private), but that the eventual _final_ document produced as an outcome of the analysis should be something the project can publish documenting its securit model and design
18:50:59 <morgan> no real hard deadline yet
18:51:14 <morgan> yes.
18:51:21 <morgan> as long as the doc (final) can be published
18:51:36 <lbragstad> ah - so it's technically doable so long as we support ocata code
18:51:37 <morgan> i'm happy to work with whatever team is doing the analysis (as a member of keystone-core-sec)
18:51:51 <morgan> lbragstad: i am targeting ocata because we are almost done with it
18:52:00 <lbragstad> morgan that makes sense
18:52:04 <morgan> lbragstad: barbican did their s-a for vmt tag on newton
18:52:10 <stevemar> morgan: maybe bug the security related folks at rh, rax and ibm ?
18:52:18 <fungi> lbragstad: right, the vmt provides coverage of stable branches starting with the release following acquisition of the vulnerability:managed tag
18:52:21 <morgan> but since we haven't started, no reason to target ocata
18:52:38 <lbragstad> morgan i have some time available tomorrow and Thursday
18:52:40 <morgan> erm s/to/not to/
18:52:47 <lbragstad> morgan if you want to work on it together?
18:52:49 <fungi> so if you can get it done before ocata is released, we can cover stable/ocata onward. or if it's done before the pike release then would be stable/pike onward
18:52:51 <morgan> lbragstad: if you wouldn't mind collaborating and working with me to liason
18:53:05 <morgan> i just want to make sure i'm not the bottleneck as i have a ton on my plate
18:53:11 <lbragstad> fungi got it - that makes sense
18:53:31 <morgan> and... i want someone not on the VMT to be ultimately a interested party within the project
18:54:01 <morgan> the only requirement i ask for whom is involved is a member of of keystone-core (and if you're not on coresec you might get added to it for this)
18:54:04 <lbragstad> morgan cool - I'd like to help, ping me when you have time and I'll get up to speed
18:54:10 <morgan> lbragstad: lets talk tomorrow
18:54:13 <morgan> then
18:54:22 <lbragstad> morgan cool - tomorrow is pretty open for me
18:54:37 <morgan> #action lbragstad to help wrangle security analysis (with help from morgan) for keystone projects
18:54:59 <morgan> i have a table being delivered but that is about it ;)
18:55:26 <lbragstad> morgan cool - ping me when you're sitting at your new table
18:55:29 <morgan> ok thats it for me.
18:55:31 <morgan> thnx
18:55:42 <morgan> fungi: thanks for the input as well
18:55:43 <lbragstad> alright - we have 5 minutes left
18:55:53 <lbragstad> anything else we want to cover?
18:56:06 <lbragstad> #topic open discussion (round 3!)
18:56:08 <fungi> morgan: always glad to help
18:56:20 <knikolla> spilla wanted to discuss something i think
18:56:51 <spilla> So sorta a heat/keystone issue, if its a thing at all anymore
18:57:26 <spilla> so when using the ResourceType keystone_role_assigments.py
18:57:59 <spilla> if there is a user associated with a non-existing role, Heat will error out and lock the Stack in a fail state
18:58:26 <spilla> Would anyone know about this/if its fixed?
18:58:50 <spilla> I was planning on ping the heat irc too, wasn't sure how involved anyone in keystone was with this
18:58:55 <spilla> pinging*
18:59:57 <stevemar> spilla: catch the roleNotFound error and make heat smarter?
19:00:20 <lbragstad> spilla stevemar want to head over to -keystone?
19:00:28 <lbragstad> we're about out of time
19:00:41 <stevemar> oh yeah
19:00:41 <lbragstad> thanks for coming, everyone!
19:00:42 <spilla> that'll work
19:00:46 <lbragstad> #endmeeting keystone