#openstack-meeting log

18:00:05 <lbragstad> #startmeeting keystone
18:00:06 <openstack> Meeting started Tue Jun 27 18:00:05 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:08 <lbragstad> ping ayoung, breton, cmurphy, dstanek, edmondsw, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, notmorgan, rderose, rodrigods, samueldmq, spilla, aselius
18:00:10 <openstack> The meeting name has been set to 'keystone'
18:00:17 <lbragstad> o/
18:00:26 <samueldmq> hi all
18:00:28 <rderose> o/
18:00:37 <knikolla> o/
18:00:40 <lbragstad> s/notmorgan/morgan/
18:00:49 <lamt> o/
18:00:58 <spilla> o/
18:01:00 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:01:02 <lbragstad> agenda ^
18:01:09 <gagehugo> o/
18:01:36 <lbragstad> we have quite a bit to get through this week
18:01:46 <lbragstad> #topic announcements
18:01:58 <lbragstad> #info no meeting next week in observation of the 4th of July
18:02:13 <lbragstad> we'll resume our normal meetings on the 11th
18:02:34 <lbragstad> #info office hours have been moved from Friday to Tuesday 19:00 - 22:00 UTC
18:02:51 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-dev/2017-June/118921.html
18:03:02 <lbragstad> this announcement on the mailing list can be found ^
18:03:23 <lbragstad> the meeting time will be right after this meeting, which works out nicely
18:03:44 <lbragstad> so - after this meeting, anyone interested in office hours or bug work, we can meeting in #openstack-keystone
18:04:04 <lbragstad> I was tinkering with the Meeting Bot this week and I think we will try to use that to log the whole session
18:04:23 <rodrigods> o/
18:04:23 <lbragstad> we can leverage the meeting bot tooling to track things and so on
18:04:42 <lbragstad> I'll also try and send weekly updates after each office hour session
18:04:58 <lbragstad> ideally shooting for something similar to what cdent does
18:05:02 <hrybacki> o/
18:05:03 <lbragstad> for the tc related things
18:05:25 <lbragstad> #info we're two months away from release
18:05:40 <lbragstad> #link https://blueprints.launchpad.net/keystone/pike
18:05:47 <lbragstad> those are the specs that we're targetting for pike
18:06:13 <lbragstad> we have quite a bit of work ahead of us for pike yet
18:06:29 <gagehugo> o/ im down for office ours
18:06:35 <lbragstad> gagehugo: good deal
18:06:51 <gagehugo> I need to make a calender event for this
18:06:52 <hrybacki> lbragstad: how accurate is the delivery column?
18:07:03 <hrybacki> gagehugo: I made one, I can add you if you'd like
18:07:09 <gagehugo> sure!
18:07:13 <hrybacki> preferred email?
18:07:53 <lbragstad> hrybacki: that's a good question, i don't think it's accurate for the deprecated-as-of-pike or removed-as-of-pike specs
18:08:00 <gagehugo> same one on the etherpad for office hours is fine
18:08:05 <lbragstad> i need to update those since i kinda started working on that this week
18:08:18 <raildo> a little late o/
18:08:41 <hrybacki> lbragstad: ack, are any of those 'red'?
18:08:57 <lbragstad> support for federated attributes could use a follow up/assessment
18:09:14 <lbragstad> policy-docs is *almost* done, we merged a couple more patches for that recently
18:09:32 * hrybacki nods
18:09:35 <knikolla> For federated-attr as far as i remember, most patches were in good shape, but needs a final push.
18:10:08 <lbragstad> i remember there being a lot of discussion about the approach towards the end there
18:10:17 <lbragstad> i need to follow back up on that discussion
18:10:40 <rderose> lbragstad: I can probably take that over (federated attributes)
18:10:48 <lbragstad> rderose: awesome - that'd be great
18:11:17 <lbragstad> rderose: i thought dstanek had several comments/concerns with it, but i need to go dig those up
18:11:21 <lbragstad> or follow up with him
18:11:30 <rderose> lbragstad: cool
18:11:36 <lbragstad> just so they don't get lost
18:12:10 <lbragstad> #action rderose to assess and pick up the remaining federated attributes work
18:12:27 <lbragstad> #action lbragstad to go through the deprecated-as-of-pike and removed-as-of-pike specs
18:12:35 <lbragstad> #topic documentation migration
18:12:49 <lbragstad> sjain: samueldmq have been making some great progress on this front
18:12:59 <lbragstad> we've migrated the installation guide and the admin guide
18:13:07 <lbragstad> #link https://review.openstack.org/#/c/469515/
18:13:11 <lbragstad> #link https://review.openstack.org/#/c/474545/
18:13:28 <lbragstad> we have a little work left to do for the configuration guide
18:13:30 <lbragstad> #link https://review.openstack.org/#/c/474543/
18:13:51 <lbragstad> for ^ we mainly want to make sure we're not maintaining a copy/pasted version of our configuration file
18:14:04 <samueldmq> lbragstad and sjain have been doing all the awesome work, I am just reviewing :)
18:14:21 <lbragstad> instead - dhellmann had a suggestion to use oslo.config to generate the configuration reference bits for us
18:14:37 <lbragstad> we essentially just need to hook that up, and we're good to go
18:15:01 <sjain> ++
18:15:05 <lbragstad> the remaining documentation work is mostly shuffling bits around to the proper places and removing duplicate information between the guides (which there is a lot of)
18:15:26 <samueldmq> lbragstad: ++
18:15:33 <lbragstad> if anyone is interested in helping out there, let me know or feel free to start consolidating information from the Operator guide into the admin guide
18:15:44 <dhellmann> please do also update the structure for all of the other repos, so that the new templated docs.o.o site will link to the right place
18:16:07 <samueldmq> thanks dhellmann, we need to make sure that too
18:16:12 <lbragstad> dhellmann: you mean the ones documented in the etherpad
18:16:13 <samueldmq> according to the cp spec, correct?
18:16:14 <lbragstad> #link https://etherpad.openstack.org/p/doc-migration-tracking
18:16:30 <dhellmann> lbragstad : yes (assuming I built the full list :-)
18:16:45 <dhellmann> samueldmq : yes
18:16:56 <samueldmq> dhellmann: nice, thanks
18:17:01 <lbragstad> i see the keystone specific repos at line 205 and they look correct
18:17:17 <lbragstad> also at line 467 for the independent libraries
18:17:20 <dhellmann> \o/
18:17:52 <lbragstad> so - fwiw, we've been focused on the keystone specific docs but we'll need to make sure we do the same for all the repos listed in that etherpad
18:18:16 <samueldmq> lbragstad: all the repos under the umbrella of keystone team, correct?
18:18:22 <lbragstad> samueldmq: yes
18:18:25 <samueldmq> keystoneauth, python-keystoneclient, and so on
18:18:36 <lbragstad> even openstack/ldappool
18:18:47 <lbragstad> and openstack/python-keystoneclient-kerberos
18:18:58 <samueldmq> kk I may get one of those and do that
18:19:07 <samueldmq> while you and sjain fight keystone itself
18:19:29 <lbragstad> i don't think migrating will be much of a task if any, most of those projects are pretty light when it comes to documentation
18:19:37 <samueldmq> ah, I didn't know keystoneclient-kerberos was a thing yet :(
18:19:39 <lbragstad> it's more of less making sure we do it and it's consistent with the spec
18:19:55 <samueldmq> gotcha
18:20:14 <lbragstad> the majority of the documentation migration work is certainly going to be in keystone
18:20:40 <lbragstad> which leads nicely into our next topic
18:20:54 <lbragstad> #topic PKI certificate cruft
18:21:16 <lbragstad> after we merged the admin-guide into keystone, i noticied we have *tons* of duplicate documentation between the admin-guide and the operator guide
18:21:25 <lbragstad> #link https://docs.openstack.org/developer/keystone/
18:22:02 <lbragstad> one of the things that was documented heavily was the use of certificates for PKI
18:22:09 <lbragstad> (which isn't supported by keystone anymore)
18:22:36 <lbragstad> as a result, we have a bunch of configuration options in our config file for certificates
18:22:43 <lbragstad> since keystone doesn't support PKI anymore
18:23:00 <lbragstad> and the /OS-PKI/ API effectively returns an empty list
18:23:16 <lbragstad> I'm wondering if we can remove that documentation and complexity from our configuration
18:23:20 <lbragstad> #link https://review.openstack.org/#/c/476688/1
18:23:27 <lbragstad> I've proposed it here ^
18:23:34 <samueldmq> lbragstad: yes from me
18:23:55 <samueldmq> and we just document those APIs in the api-ref, saying they return empty lists (or whatever) since it's not supported anymore
18:24:09 <lbragstad> i think if we can assess the usage of those options in keystone and come to the conclusion that they are not needed or used, then we should remove them
18:24:41 <hrybacki> +1 for trimming the fat
18:25:01 <lbragstad> is anyone interested in picking apart where those options are used?
18:25:20 <lbragstad> within keystone that is?
18:25:31 <hrybacki> No spare cycles right now on my end =/
18:25:43 <lbragstad> no worries - i have to ask :)
18:26:22 <sjain> I can help but I would need to read a bit about this before
18:26:35 <lbragstad> sjain: that'd be great
18:26:40 <lbragstad> sjain: that makes sense
18:27:12 <lbragstad> sjain: we can push it to the back burner too, with respect to the rest of the documentation work
18:27:21 <sjain> currently I'm not very familiar with this but can surely spend some time on this
18:27:35 <lbragstad> sjain: cool - let me know if/when you need help
18:27:42 <lbragstad> and we can work through it
18:27:44 <sjain> sure :)
18:27:55 <samueldmq> that's awesome, thanks for volunteering sjain
18:28:06 <sjain> no problem :)
18:28:12 <lbragstad> #action lbragstad and sjain to go through the certification configuration options and assess them
18:28:48 <lbragstad> sjain: do you have anything else docs-wise you'd like to share?
18:29:17 <sjain> no not much, the openstack manuals you have already discussed
18:29:32 <sjain> I was also working on improving the devdocs
18:29:51 <lbragstad> sjain: yeah - that's another piece that needs to get reworked
18:30:02 <sjain> I am getting reviews on those so it would be fine
18:30:13 <lbragstad> sjain: i'll make a note to review those soon
18:30:33 <sjain> sure, thanks
18:30:45 <lbragstad> ok - moving on
18:30:48 <lbragstad> #topic Cleaning up deprecated functionality/removals of Pike
18:31:18 <lbragstad> i was going through and double checking that we'd either deprecated or removed everything we needed to for Pike
18:31:36 <lbragstad> and stumbled across a few remaining bits
18:31:39 <hrybacki> lbragstad: dumb question -- how do you do that?
18:31:49 <lbragstad> hrybacki: we use a library
18:32:02 <lbragstad> hrybacki: https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L26
18:32:04 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L26
18:32:20 <lbragstad> which allows us to do stuff like this
18:32:22 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L1097-L1101
18:32:50 <hrybacki> ohh
18:32:57 <lbragstad> so - wherever that library is used, a message will be logged saying that specific thing is going away in a certain timeframe
18:33:04 <lbragstad> and possible what you should use instead
18:33:08 <samueldmq> lbragstad: I have something to add to that list
18:33:10 <samueldmq> #link https://github.com/openstack/keystone/blob/af4e98c770d771144463e6dd49cb4b559d48c403/keystone/auth/core.py#L38-L59
18:33:37 <lbragstad> samueldmq: ah - i saw that too
18:33:43 <lbragstad> i have that on line 41 in our agenda :)
18:35:01 <lbragstad> hrybacki: i make a point every release to grep through the code base for the library and see what we're planning on removing
18:35:09 * hrybacki nods
18:35:26 <lbragstad> the ones listed in the agenda are the remaining bits we said we are going to remove in pike but haven't yet
18:35:40 <knikolla> I must have missed a few on my flight back from atlanta
18:35:46 <lbragstad> i think once all of those are addressed, we'll be done with the removed-as-of-pike blueprint
18:36:15 <lbragstad> the first one on the list is the usage of domain_config_upload
18:36:21 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L1097-L1101
18:36:27 <lbragstad> i can propose a patch to remove that one
18:36:38 <lbragstad> #action lbragstad to remove domain_config_upload option
18:36:56 <lbragstad> fwiw - we'll need to include release notes for each of these i think
18:37:03 <lbragstad> second
18:37:05 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/auth/core.py#L52-L57
18:37:09 <knikolla> There's a removed as of pike release note
18:37:10 <bknudson> was support for domain config files dropped?
18:37:16 <knikolla> Add them there
18:37:27 <lbragstad> bknudson: no, just the ability to upload a domain config using keystone-manage
18:37:31 <lbragstad> knikolla: ++
18:37:47 <lbragstad> bknudson: the functionality is still supported via the API
18:38:06 <bknudson> seems strange to remove the upload function if somebody might want to do it
18:38:39 <lbragstad> #link https://github.com/openstack/keystone/commit/a5c5f5bce812fad3c6c88a23203bd6c00451e7b3
18:38:54 <lbragstad> looks like topol did it when the domain configuration api became stable
18:40:06 <lbragstad> i can send a note to the operator list
18:40:10 <bknudson> might at least want to put a warning if using domain config files that says we don't provide a way to switch from files to database
18:40:40 <lbragstad> yeah
18:40:57 <lbragstad> #action lbragstad to send a note to the operator list about removing domain config upload functionality
18:41:05 <lbragstad> worst case we bump it and keep it deprecated
18:41:06 <bknudson> but I'd prefer getting rid of files before removing the utility
18:41:26 <lbragstad> bknudson: oh - like removing support for domain config files instead?
18:41:30 <bknudson> yes
18:41:47 <lbragstad> ah - yeah... i agree
18:42:04 <bknudson> I assume that was the plan was to stop supporting files at some point?
18:42:22 <lbragstad> bknudson: i think so - by the sounds of the commit message topol wrote
18:42:40 <lbragstad> it sounds like the idea was to at least provide some way to migrate domain configs into the database
18:43:32 <lbragstad> so maybe we mark domain config file support as deprecated then
18:43:44 <lbragstad> pending operator feedback
18:44:26 <lbragstad> and then plan to remove domain config upload and domain config file support at the same time?
18:45:33 <lbragstad> i can send something to the mailing list
18:45:48 <lbragstad> next
18:45:49 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/auth/core.py#L52-L57
18:45:52 <lbragstad> samueldmq: ^
18:46:11 <samueldmq> so, the text there is pretty self-explanatory
18:46:40 <lbragstad> yeah - we were also going to remove it almost a year ago
18:46:50 <samueldmq> I am working on a patch for it right now
18:47:04 <samueldmq> will submit in a bit, so this will be one thing less to keep our eyes on
18:47:07 <lbragstad> samueldmq: awesome
18:47:28 <lbragstad> #action samueldmq to propose patch for removing direct imports of auth plugins
18:47:39 <lbragstad> next
18:47:42 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/conf/eventlet_server.py
18:47:52 <lbragstad> eventlet support has been deprecated *forever*
18:47:58 <lbragstad> well - since Kilo, but still
18:48:22 <hrybacki> wow
18:48:25 <samueldmq> yeah, I dont think people use it still
18:48:31 <samueldmq> or at least shoudnt
18:48:35 <lbragstad> but we never put a remove_in date on eventlet support
18:48:52 * lbragstad feels like morgan has context on this topic
18:48:55 <samueldmq> lbragstad: we might want to check with morgan?
18:48:56 <bknudson> I think the problem was that some of these options may still possibly be used
18:48:59 <samueldmq> lbragstad: ++
18:49:21 <bknudson> for example, one could put %(public_bind_host)s in their config file
18:49:30 <bknudson> or in the service catalog
18:49:34 <lbragstad> bknudson: ah
18:50:06 <bknudson> maybe that's deprecated and can be removed, too?
18:50:19 <lbragstad> bknudson: that's a good question
18:50:47 <lbragstad> i'd be nice to remove it, but the fact there isn't a removal date on the deprecation tells me its there for backwards compat of some kind
18:51:39 <lbragstad> i can follow up here
18:51:57 <lbragstad> next
18:52:17 <lbragstad> we updated the hash algorithm to be more secure
18:52:35 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/conf/identity.py#L170
18:53:10 <lbragstad> this one is minor, i was just going to propose a formal removal of that instead of having it in a comment
18:53:21 * lbragstad isn't really sure why he put this one on the agenda
18:53:32 <lbragstad> Secure SSL proxy
18:53:33 <lbragstad> #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/conf/default.py#L162-L171
18:53:44 <lbragstad> this one has been deprecate for about a year
18:54:22 <lbragstad> any objections to removing this and if so when should we do it?
18:54:46 <lbragstad> we should have a date on that if possible to let operators know when it's going away
18:55:50 * hrybacki doesn't have enough historical context to answer
18:56:08 <lbragstad> i'll come up with a removal proposal and we'll do it in another release
18:56:27 <lbragstad> #action lbragstad to propose removal date for secure ssl proxy configuration
18:56:32 <lbragstad> whew
18:56:33 <lbragstad> and i'm done
18:56:38 <lbragstad> #topic open discussion
18:57:00 <knikolla> \o/ remove everything!
18:57:01 <hrybacki> Office hours are a go! woot
18:57:33 <lbragstad> sweet - break for a few minutes and then start office hours in #openstack-keystone
18:57:37 <knikolla> I still have a total negative line count on my keystone contribs, haha
18:57:40 <hrybacki> ++
18:57:47 <hrybacki> knikolla: you are living the dream
18:57:49 <lbragstad> knikolla: that's a good thing
18:58:15 <lbragstad> reminds me of the oslo.incubator days
18:58:21 * hrybacki fetches mas cafe
18:58:41 <lbragstad> agreed - going to make some coffee quick and we'll get start with office hours
18:58:45 <lbragstad> thanks for the great meeting!
18:58:47 <lbragstad> #endmeeting