18:00:02 <lbragstad> #startmeeting keystone 18:00:03 <openstack> Meeting started Tue Mar 28 18:00:02 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:06 <openstack> The meeting name has been set to 'keystone' 18:00:10 <lbragstad> ping agrebennikov, amakarov, annakoppad, antwash, ayoung, bknudson, breton, browne, chrisplo, cmurphy, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nishaYadav, nkinder, notmorgan, portdirect, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, SamYaple, shaleh, spilla, srwilkers, 18:00:11 <lbragstad> StefanPaetowJisc, stevemar, topol, shardy, ricolin 18:00:20 <samueldmq> hi all 18:00:27 <hrybacki> o/ 18:00:27 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting 18:00:32 <lbragstad> o/ 18:00:34 <notmorgan> o/ 18:00:37 <gagehugo> o/ 18:00:43 <cmurphy> o/ 18:00:46 <notmorgan> lbragstad: turns out my schedule conflict is starting at 11:30 not 11 18:00:54 <ravelar> o/ 18:01:02 <knikolla> o/ 18:01:07 <dstanek> ehlo 18:01:20 <spilla> o/ 18:01:49 <rodrigods> o/ 18:01:52 <lbragstad> notmorgan sweet - so we get you for a half an hour! 18:02:59 <lbragstad> our attendee list is getting a little large, and my client is showing me most of the folks aren't in the room 18:03:09 <lbragstad> figured its time for a roll call 18:03:18 <lbragstad> #topic roll call 18:03:37 <lbragstad> I've already recorded those who've already raised their hands 18:03:57 <antwash> o/ 18:04:06 <lbragstad> is anyone else here that wants a pre-meeting ping who hasn't raised their hand yet? 18:04:26 <lbragstad> we'll be doing this next week, too 18:04:41 <lbragstad> i'll aggregate the list together in a couple weeks 18:05:42 <lbragstad> alright - moving on 18:05:50 <lbragstad> #topic Boston Forum Brainstorming 18:05:58 <lbragstad> #link https://etherpad.openstack.org/p/BOS-Keystone-brainstorming 18:06:13 <lbragstad> I've started a list to see who is going to be at the forum for sure 18:06:19 <lbragstad> and who is still tentative 18:06:23 <knikolla> that's a sad attendance list 18:06:32 <rderose> o/ 18:06:52 <dstanek> knikolla: ++ 18:07:03 <lbragstad> is anyone else planning on being in Boston at this point? 18:07:15 <gagehugo> I will most likely be there* 18:07:15 <rodrigods> i am 18:07:28 <lbragstad> i understand a lot of this is based on corporate approval, i'm trying to get an early feel of who is going to be there 18:07:30 <spilla> also most likely there 18:07:40 <samueldmq> lbragstad: I'll be there 18:08:39 <lbragstad> is there anything we specifically want to request sessions for? 18:09:12 <lbragstad> (the whole concept of the proposal for projects bits is confusing to me, so i'm just kinda going with the flow based on what other projects are doing) 18:10:18 <lbragstad> it sounds like nova is only proposing 3 sessions that are pretty cross-project oriented, which makes me think we should do the same if there is anything cross project wise we need from other folks 18:10:40 <samueldmq> lbragstad: are those sessions like in the PTG ? 18:10:49 <samueldmq> lbragstad: or user/deployer focused ? 18:10:56 <lbragstad> samueldmq i have no idea 18:11:09 <lbragstad> this is the information i have 18:11:10 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-dev/2017-March/114456.html 18:11:56 <rodrigods> we will always have something to discuss 18:12:01 <rodrigods> :) 18:12:05 <samueldmq> lbragstad: looks like more general 18:12:14 <samueldmq> topics to discuss with ops, with users, with the community-at-large 18:12:25 <lbragstad> true - i'm more wondering what we need to know now so that we can propose sessions by April 1st 18:12:55 <samueldmq> lbragstad: cool, so we need to brainstorm there, right ? 18:12:57 <lbragstad> one of the big ones that keeps popping up for me is the policy work 18:13:01 <lbragstad> samueldmq yeah 18:13:14 <dstanek> lbragstad: can we just get a room for some amount of time and decide how to use it later? 18:13:15 <lbragstad> i can follow up with the nova folks to see if they'd be interested in a policy session? 18:13:28 <samueldmq> lbragstad: sounds good to me 18:13:30 <lbragstad> dstanek it doesn't sound like that's is the flow, we have to use proposals 18:14:02 <dstanek> topic1 - 1 hour, topic2 - 1 hour, etc. 18:14:29 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-dev/2017-March/114399.html 18:14:44 <notmorgan> i will definitely not be at the forum 18:14:48 <lbragstad> #link http://lists.openstack.org/pipermail/user-committee/2017-March/001856.html 18:15:03 <lbragstad> that ^ note specifically requires abstracts 18:15:58 <lbragstad> "We are looking for a good mix of project-specific, cross-project or 18:15:58 <lbragstad> strategic/whole-of-community discussions, and *sessions that emphasize 18:15:59 <lbragstad> collaboration between users and developers are most welcome!*" 18:17:51 <lbragstad> is there anything other than policy that folks think we need a specific session for? 18:18:29 <henrynash> anything keystone-horizon-ish? 18:19:05 <lbragstad> like domain-admin configuration? 18:19:16 <lbragstad> and the support in horizon for it? 18:19:51 <henrynash> yeah, as well as adminness in general (e.g. recognizing is_admin_project) 18:20:24 <lbragstad> henrynash would the intended direction be that developers from horizon and keystone are there describing it to operators? 18:20:41 <lbragstad> henrynash which sounds more informative, or do we want feedback? 18:20:50 <henrynash> horizon as the classic example of how to interprest these things 18:21:00 <henrynash> yes, that’s probably true, howver 18:21:45 <lbragstad> i can follow up with robcresswell to see what his thoughts are on a cross-project proposal 18:22:01 <lbragstad> #action lbragstad to follow up with nova on a cross-project proposal for RBAC/policy 18:22:29 <lbragstad> #action lbragstad to follow up with horizon on a cross-project proposal for Boston 18:22:38 <dstanek> lbragstad: limits maybe? 18:22:44 <lbragstad> dstanek oo 18:23:03 <lbragstad> yeah - that'd be another good cross-project one 18:23:56 <lbragstad> #action lbragstad to follow up on limits session 18:24:11 <samueldmq> nice 18:24:11 <lbragstad> i assume we'll need nova, cinder, neutron, etc... in there too 18:24:26 <dstanek> yeah 18:24:39 <lbragstad> dstanek good suggestion, 18:24:46 <lbragstad> can anything think of anything else? 18:25:02 <lbragstad> rderose and samueldmq are doing talks on PCI, so i feel like that will be pretty well covered 18:25:31 <rderose> just samueldmq as I didn't get approval to go :( 18:25:32 <samueldmq> lbragstad: ++ rderose won't be able to make it though 18:25:38 <samueldmq> ^ :( 18:25:47 <lbragstad> rderose ah! :( 18:25:52 <lbragstad> samueldmq rderose thanks for the update 18:26:04 <dstanek> what about a "beat up keystone" session? or some sort of feedback thing 18:26:25 <lbragstad> dstanek yeah - have that documented in the etherpad, but I don't know if that is something that we need a proposal for? 18:26:34 <lbragstad> i can check with mrhillsman though 18:26:46 <lbragstad> something tells me he'd be the guy to ask 18:27:34 <lbragstad> #action lbragstad to check and see if operator feedback sessions need proposals 18:27:44 <lbragstad> ok - sounds like i have some work to do 18:28:09 <lbragstad> if anyone has additional ideas that fit the criteria, please ping me in -keystone 18:28:12 <dstanek> a PTLs job is never done 18:28:24 <lbragstad> since we'll have to get things proposed this week 18:28:30 <lbragstad> dstanek you're telling me 18:28:34 <samueldmq> dstanek: ++ 18:28:45 <lbragstad> alrighty - i think we're good to move on 18:28:51 <lbragstad> #topic pike specs 18:29:08 <lbragstad> #info 2.5 weeks until Spec Proposal Freeze 18:29:17 <lbragstad> #info 10 weeks until Spec Freeze 18:29:31 <lbragstad> we have several specs up for review and several of them are pretty indepth 18:29:58 <lbragstad> #topic pike specs: persistent group membership in federation 18:30:02 <lbragstad> breton o/ 18:30:14 <lbragstad> breton you've been wanting to talk about this for a long time 18:30:26 <breton> yep 18:30:34 <lbragstad> #link https://review.openstack.org/#/c/437533/ 18:30:44 <breton> so at the PTG we talked about federation 18:30:51 <breton> and that group membership was not persistent 18:31:06 <breton> we decided that we are just going to document it 18:31:11 <lbragstad> yup - iirc the idea was to provide better documentation for operators to handle that case 18:31:27 <breton> but then at the next session i suggested to add an ability to make group membership persistent 18:31:38 <breton> by adding an option to a mapping 18:31:43 <breton> and we didn't really discuss it 18:31:48 <breton> so i wanted to get some feedback on the spec 18:32:09 <lbragstad> breton does the latest version of the spec include the details about using mapping? 18:32:17 <lbragstad> about using the mapping?* 18:32:38 <lbragstad> looks like the last upload was Feb 23 18:32:42 <breton> lbragstad: not sure what you mean 18:32:47 <breton> persistent_membership is what i suggest there 18:33:20 <dstanek> breton: was there already a patch submitted for the doc update? 18:33:37 <breton> dstanek: no 18:33:51 <dstanek> although i thought i was relatively clear on the nature of groups when i overhauled that doc 18:34:16 <lbragstad> this is the relevant bug report 18:34:18 * lbragstad #link https://bugs.launchpad.net/keystone/+bug/1589993 18:34:18 <openstack> Launchpad bug 1589993 in OpenStack Identity (keystone) "cannot use trusts with federated users" [High,In progress] - Assigned to Boris Bobrov (bbobrov) 18:34:22 <breton> i really want to have persistent membership because role assignments from https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html#auto-provisioning _are persistent_ 18:35:36 <knikolla> i thought they were not persistent, just the project was created. :/ 18:35:54 <lbragstad> knikolla it depends on the mapping 18:36:11 <lbragstad> if the mapping specifies a project *in* the mapping, the project reference must contain a role 18:36:29 <lbragstad> which is then assigned directly from the shadow user to the project 18:38:00 <lbragstad> breton in your approach - would the mapping change in order for keystone to make memberships persistent? 18:38:18 <breton> lbragstad: yes 18:39:08 <lbragstad> it wouldn't be the default behavior? 18:39:14 <dstanek> ++ it has too for backward compatibility 18:39:34 <breton> it wouldn't be the default behavior 18:39:41 <dstanek> i'm 'o' happy, it seems 18:40:05 <knikolla> lbragstad: did a quick check in the code. you are right about the role assignment. 18:40:33 <dstanek> lbragstad: if you changed the default behavior then you break the expectations of existing mappings 18:40:39 <lbragstad> knikolla if i wasn't right about it i would be worried since i wrote it ;) 18:40:54 <lbragstad> dstanek right - that's one of my main concerns 18:40:59 <dstanek> #action dstanek to check the mapping documentation to make sure the ephemeral nature of the groups is clear 18:41:26 <knikolla> lbragstad: i forgot that :p 18:41:29 <lbragstad> i can also see how operators would have a *ton* of stuff to clean up if they started using this feature 18:42:20 <lbragstad> since groups is batch processing for users 18:42:30 <dstanek> lbragstad: it would be nice to know if people would use it rather than the default behavior 18:43:05 <lbragstad> true 18:43:26 <lbragstad> projects like heat would probably like it because it would require less things in order for them to consume federation 18:43:52 <dstanek> lbragstad: how so? 18:44:12 <lbragstad> right now we are suggesting the operators place federated users in groups manually 18:44:20 <knikolla> also trusts 18:44:32 <lbragstad> before they can use heat which uses trusts 18:44:46 <lbragstad> which don't work with ephemeral group memberships 18:45:57 <dstanek> lbragstad: ah i see. it also adds effort to their user provising systems that they have to consider 18:46:06 <lbragstad> right 18:46:18 <lbragstad> they also have to clean things up manually 18:46:39 <lbragstad> regardless, of if the mapping engine makes the group membership persistent or if they do 18:46:48 <dstanek> yeah, anytime a group change in AD (or whatever) they need to "manually" make that change 18:47:04 <lbragstad> (which is totally another thing we need to document if we haven't already) 18:47:21 <dstanek> lbragstad: that's why it would be nice to just fix trusts so they don't have to do it at all 18:47:24 <lbragstad> ok - so random tangent question, would this be a problem if heat used something like oauth? 18:47:35 <lbragstad> instead of trusts 18:47:43 <dstanek> i suggested in the case of a federated trust that we don't do a group lookup, but i'm not sure it that feasible 18:48:17 <dstanek> lbragstad: i think with a little work on our side that would be entirely possible 18:48:35 <lbragstad> is it a more appropriate solution? 18:48:37 <dstanek> ...or api keys? 18:48:54 <lbragstad> i can ask the same question about api keys, too :) 18:49:03 <knikolla> i thought the underlying issue is that we can't know if the user still has that kind of group permissions. so everything persistent is sketchy 18:49:40 <dstanek> we'd still need to understand the tolerance for the risk of a user no longer being in a group 18:49:54 <lbragstad> ok - so oauth might not help us here? 18:50:02 * lbragstad totally thought it might for some reason 18:50:20 <dstanek> knikolla: that's exactly the problem. until they auth again we won't know 18:50:46 <dstanek> lbragstad: it totally could. we just have to understand the tolerance for group membership changes 18:50:48 <lbragstad> otherwise its a bunch of duplicated state across identity systems 18:51:23 <lbragstad> so if heat wanted to use oauth for federated users, what would that look like? 18:52:17 <dstanek> lbragstad: i assume the user would auth and give heat a token. that token would then have roles back on groups that we can no longer verify 18:54:02 <lbragstad> hmm 18:54:05 <lbragstad> breton thoughts? 18:55:10 <knikolla> does an oauth idp have an api to check group mempership? 18:55:19 <dstanek> no matter what we run into the same problem. the question is what side is best for the solution or can we just assme the change-group risk for some period of time 18:55:48 <lbragstad> dstanek i feel like that has to be a question answered by the deployer 18:56:00 <lbragstad> if we provide both in keystone 18:56:16 <rderose> I thought we talked about making concrete role assignments to solve this 18:56:42 <dstanek> rderose: that doesn't solve group membership changes 18:56:45 <lbragstad> rderose i think this is more related to concrete role assignments 18:57:08 <lbragstad> s/role assignment/group membership/ 18:57:32 <rderose> dstanek: right, but it's about the roles 18:57:49 <knikolla> until create user with federated attributes is merged, users have to auth once before they can be assigned concrete roles. with the mapping that is automatic. 18:57:59 <knikolla> but not concrete 18:58:13 <knikolla> if i understand correctly, breton wants an option in the mapping to make it concrete 18:58:16 <rderose> knikolla: right 18:58:22 <dstanek> rderose: right, that causes the issue of the operator needing to cleanup 18:58:41 <lbragstad> information sprawl across identity systems 18:58:53 <lbragstad> i think we need more input from operators on this 18:59:33 <dstanek> i'd really just like trusts to 'trust' the group membership (epheral groups) and make the operator responsible for kicking keystone when that changes 18:59:35 <dstanek> lbragstad: ++ 18:59:57 <knikolla> we probably can have it as an option and let ops decide. it's their tradeoff to decide. 19:00:14 <lbragstad> alright - we can take this to -keystone 19:00:25 <lbragstad> #endmeeting