18:00:17 <lbragstad> #startmeeting keystone 18:00:18 <openstack> Meeting started Tue Jan 9 18:00:17 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:21 <openstack> The meeting name has been set to 'keystone' 18:00:23 <lbragstad> ping ayoung, breton, cmurphy, dstanek, edmondsw, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rderose, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he 18:00:31 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting 18:00:35 <lbragstad> o/ 18:00:39 <rderose> o/ 18:00:40 <kmalloc> man, is it meeting time already? I just finished my coffee... 18:00:43 <kmalloc> i need more. 18:00:48 <kmalloc> moar! 18:00:49 <kmalloc> ;) 18:00:52 <lbragstad> better refill 18:01:07 <kmalloc> it will take like 6-10m to do so... so, i'll just wait. 18:01:33 <lamt`> o/ 18:01:39 <gagehugo> o/ 18:01:43 <lbragstad> we'll give folks a minute to join 18:02:13 <samueldmq> hi o/ 18:02:53 <spilla> o/ 18:04:22 <lbragstad> #topic announcements: PTG planning 18:04:35 <kmalloc> oh my ;) 18:04:43 <lbragstad> now that we're past the holidays - i've started prepping for the PTG 18:04:45 <lbragstad> #link https://etherpad.openstack.org/p/keystone-rocky-ptg 18:04:53 <samueldmq> PTG? When and where? 18:05:02 <lbragstad> last week of february 18:05:03 <lbragstad> in dublin 18:05:11 <samueldmq> Nice 18:05:18 <lbragstad> #link https://www.openstack.org/ptg 18:05:24 <cmurphy> o/ 18:05:25 <lbragstad> so - per our usual process 18:05:36 <lbragstad> please don't hesitate to throw topics on the etherpad 18:05:56 <lbragstad> i bootstrapped it with some content, but it certainly isn't full 18:06:11 <jdennis> dublin, sounds like a good venue for someone named Colleen Murphy :-) 18:06:26 <cmurphy> :) 18:06:45 <lbragstad> once we get closer to the PTG - we'll finalize a schedule 18:06:45 <cmurphy> they get confused by my accent there 18:07:17 <lbragstad> all in favor of cmurphy adopting an irish accent for the week? 18:07:19 <lbragstad> o/ 18:07:25 <cmurphy> >.< 18:07:56 <gagehugo> o/ 18:08:17 <lbragstad> i also have a list of attendance at the top 18:08:30 <lbragstad> if you're planning on being in dublin, please add your name 18:08:43 <lbragstad> I'd like to organize a team dinner of some kind prior to the PTG 18:09:07 <cmurphy> ++ 18:09:10 <lbragstad> no big rush there if you're still waiting on approval 18:09:31 <lbragstad> (also, if there is anything i can do to help you get approval, just DM me!) 18:10:04 <lbragstad> #topic announcement: reviews 18:10:33 <lbragstad> just a friendly reminder that feature freeze is in 16 days (not factoring in feature freeze exceptions) 18:11:00 <lbragstad> but given the rc window is only a couple week, i expect very little, if any time, for feature freeze exceptions 18:11:13 <lbragstad> we're going to have to be on the ball with feature work before that deadline 18:11:29 <lbragstad> #link https://releases.openstack.org/queens/schedule.html 18:11:46 <lbragstad> we have four big efforts underway 18:11:50 <lbragstad> unified limits 18:12:01 <lbragstad> #link https://review.openstack.org/#/q/topic:bp/unified-limits+status:open 18:12:09 <lbragstad> application credentials #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/application-credentials 18:12:22 <lbragstad> tons of work to reorganize our documentation 18:12:23 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:api-ref-reorganization 18:12:25 <lbragstad> and system scope work 18:12:30 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/system-scope 18:12:47 <cmurphy> does the docs reorg have the same feature freeze deadline? 18:13:00 <lbragstad> it doesn't, we can land that into the RC period 18:13:07 <lbragstad> good point cmurphy 18:13:16 <cmurphy> i guess it's mostly all done/easy reviews anyway 18:13:19 <lbragstad> i did add it to the list because of the volume of patches it generates 18:14:01 <lbragstad> the reorganization is the first box in this epic https://trello.com/c/5WCMxrLg/12-docs-goals-organization 18:14:22 <lbragstad> Suramya has been doing a good job tending to review feedback 18:15:05 <lbragstad> and thanks to samueldmq for the reorganization template 18:15:24 <samueldmq> glad it helped! 18:15:42 <lbragstad> #topic announcement: office hours bugs 18:16:01 <lbragstad> i went through a bunch of bugs and reworked the office-hours list 18:16:06 <lbragstad> #link https://goo.gl/PTd8bp 18:16:25 <lbragstad> feel free to check ^ out if you're interested in picking something up for office hours 18:16:44 <lbragstad> #topic questions about scope_types 18:17:27 <lbragstad> alright - if you haven't noticed, i've been spamming our review queue with a slew of patches that add scope_types to each keystone resource 18:17:38 <lbragstad> this is essentially the other half of the equation for system-scope 18:18:02 <lbragstad> but as i worked through them, i started coming up with more questions and fixmes 18:18:09 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:add-scope-types 18:18:11 <lbragstad> ^ reviews 18:18:18 <lbragstad> #link https://review.openstack.org/#/c/526159/3/keystone/common/policies/project.py@32 18:18:28 <lbragstad> ^ that is an example of a question i have concerning both scopes 18:18:33 * lbragstad gives folks a minute to read 18:20:11 <cmurphy> oof hard questions 18:20:17 <lbragstad> yes... 18:20:33 <lbragstad> which is why i'd like to discuss/get advice from you smart people :) 18:20:50 <lbragstad> ideally - keystone is going to have to start doing "scope" checks of its own 18:20:58 <lbragstad> most likely in code 18:21:07 <cmurphy> what does "relevant to that project's position in the hierarchy" mean? 18:21:34 <lbragstad> cmurphy: for example; if A is a project and has a child B which has a child C 18:21:52 <lbragstad> A -> B -> C 18:22:00 <lbragstad> and you're an administrator on project B 18:22:24 <lbragstad> what should happen when you call identity:list_projects with a token scoped to project B? 18:22:55 <gagehugo> would you just see B and C? 18:22:59 <cmurphy> I don't think you can assume the user has a role assignment on C 18:23:31 <lbragstad> ^ that begs another question, but you'll have to check for role inheritance 18:24:56 <lbragstad> if we don't assume a user who is admin on project B has a role on project C, then does that make identity:list_projects a system-only policy? 18:25:45 <cmurphy> I think it is 18:26:18 <cmurphy> if you want just your own projects you use /v3/auth/projects 18:26:24 <lbragstad> if you're a member of a project though, should you be able to get a project? 18:26:36 <lbragstad> that's true 18:26:41 <gagehugo> ah 18:26:51 <lbragstad> so - we have a similar relationship elsewhere 18:26:54 <lbragstad> and that is the service catalog 18:27:22 <lbragstad> (the /v3/endpoint API is system-only but users can still get service catalog information via their token or GET /auth/catalog) 18:28:20 <cmurphy> you can get /v3/projects/{project_id} on your own project 18:28:38 <cmurphy> you just can't get /v3/projects?project_id={project_id} 18:29:07 <lbragstad> so scope_types for GET /v3/projects/{project_id} is going to have to ['system', 'project'] 18:29:35 <gagehugo> that makes sense 18:30:21 <lbragstad> if we want to refactor scope checks out of the policy definition (or check_str) and into code, then we'll have to encode that check into keystone 18:32:02 <gagehugo> so keystone would be responsible for that check then? 18:32:22 <kmalloc> fwiw, back to the would you see b+c bit, we never claimed heirarchy is private info 18:32:26 <kmalloc> don't try and make it so. 18:32:35 <kmalloc> it is a big big big headache to do so 18:33:29 <kmalloc> in the a->b->c, you'd see a,b,c 18:33:40 <kmalloc> it just has to be the way it works the current implementation and behaviors 18:33:41 <lbragstad> if you're an admin on A? 18:33:50 <kmalloc> if you're an admin on b, you still see it 18:33:58 <kmalloc> if you're and admin on a you see everything below you 18:34:09 <kmalloc> you can't obscure that without breaking api behavior 18:34:41 <gagehugo> so if you're admin on B you'll see A? or am I misreading this 18:34:42 <kmalloc> we at one point planned to implement it, but that was set aside due to the volume of headaches and issues with name being unique within a tree, etc 18:34:55 <kmalloc> gagehugo: the hierarchy above/below you is not priviledged info 18:35:02 <kmalloc> so you would see A. 18:35:02 <gagehugo> ah ok 18:35:13 <kmalloc> and C 18:36:08 <lbragstad> hmm 18:36:16 <lbragstad> so - what about identity:get_project 18:36:25 <lbragstad> the policy just above that one 18:36:34 <kmalloc> i think we have a mis-match in behaviors between list and get 18:36:36 <kmalloc> but... 18:36:42 <kmalloc> list has historically been admin 18:36:43 <kmalloc> so.... 18:37:01 <lbragstad> if you call it with a system-scoped token and you're an admin, you can get any project 18:37:03 <lbragstad> which makes sense 18:37:16 <kmalloc> that being said, i'd be ok with anyone in the hierarchy being avble to get any project within it (as a project/domain admin) 18:37:19 <lbragstad> but if you're a member of a project and call it with a project-scoped token, what happens? 18:37:24 <kmalloc> system scope is *anything* 18:37:28 <kmalloc> and everything 18:38:06 <kmalloc> if its in your hierarchy, it should work, there is no reason to treat the project structure as priv data if it's above or directly below you. 18:38:23 <kmalloc> mostly likely if you're a project admin anything below you is game for you to see anyway 18:38:38 <kmalloc> and the way the heierarchy works for auth etc, it is important for folks to know where in the tree they are 18:38:46 <kmalloc> i'd let get_project fly in those casesd. 18:39:20 <lbragstad> should a user be able to get /v3/projects/{project_id} if they aren't a member of that project? 18:39:27 <lbragstad> or don't have a role assignment on it? 18:39:38 <kmalloc> if it is above/below the project they're in. 18:39:57 <lbragstad> what if we're talking about flat structures 18:40:06 <kmalloc> peers are not covered 18:40:09 <kmalloc> so, flat is no. 18:40:15 <kmalloc> basically a->b a->q 18:40:19 <kmalloc> b can't see q 18:40:26 <kmalloc> q cant get b 18:40:29 <lbragstad> (all of this is going to have to be coded into keystone somewhere) 18:40:32 <kmalloc> but a can get ba and q 18:40:33 <kmalloc> yes. 18:40:51 <lbragstad> so getting back to my original question, where do we want this type of stuff to live 18:40:52 <lbragstad> ? 18:41:06 <kmalloc> so. 18:41:20 <kmalloc> you're going to have to add the logic into the resource manager 18:41:25 <kmalloc> or we'd break behavior(s) 18:41:39 <kmalloc> because mving to systemscope, you still have to support the current mode of operations 18:41:41 <lbragstad> because it's business logic? 18:41:42 <kmalloc> yeah 18:41:52 <kmalloc> and because it's business logic 18:41:53 <lbragstad> ok - that makes sense 18:42:07 <kmalloc> it's not driver and it's not REQ<->SerializedOutput 18:42:34 <lbragstad> so - that means we're going to need some level of request information in the manager 18:42:44 <lbragstad> and the policy operation, too 18:42:47 <kmalloc> which is doable via the threadlocal request data 18:42:54 <lbragstad> so the managers can reason about it, right? 18:42:56 <kmalloc> or should be if we're using oslo.context correctly 18:42:58 <kmalloc> yeah. 18:43:21 <lbragstad> ok 18:43:25 <kmalloc> this is why it's important to break apart the @protected decorator 18:43:46 <lbragstad> and do policy enforcement inline 18:43:57 <kmalloc> because there are more Policy Enforcement Points because of the system scope and added business logic 18:44:11 <kmalloc> yeah, you need to do some of this in-line. the callback system, etc wont cover it 18:44:23 <kmalloc> but managers can/should be able to look at thread local data 18:44:32 <lbragstad> right - which either bloats the @protected decorator or creates more business logic in the manager 18:44:48 <kmalloc> noooow. we also need to make sure to handle cases where thread local data isn't populated 18:44:53 <kmalloc> aka, keystone-manage bootstrap 18:45:09 <kmalloc> but in 99% of the cases context should be populated from a request 18:45:16 <kmalloc> 99.9 18:45:51 <lbragstad> hmm 18:46:30 <kmalloc> it's a simple edge cased, and the thread local could be populated by keystone-manage bootstrap with something like is_bootstrap=True 18:46:43 <lbragstad> yeah 18:46:49 <kmalloc> so we can dodge it w/o breaking the security model by just passing if context isn't populated sanely 18:47:21 <lbragstad> so - i imagine most reviews in the scope_types topic to generate some discussion like this 18:47:37 <lbragstad> (i've highlighted the bits i see with FIXMEs) 18:47:56 <lbragstad> but this is going to be a pretty significant amount of work 18:48:04 <lbragstad> thoughts on how we should track it? 18:48:19 <lbragstad> bug per FIXME? bug per a resource's FIXMEs? 18:48:34 <kmalloc> either works 18:48:37 <kmalloc> as long as we're tracking it 18:48:49 <kmalloc> i like fewer bugs, but wouldn't argue for per fixme 18:48:58 <lbragstad> ++ 18:49:10 <kmalloc> argue against* 18:49:35 <lbragstad> so something like "correct system scope and project scope for the project resource": 18:49:55 <lbragstad> and the fix for it will correct all FIXMEs in https://review.openstack.org/#/c/526159/3/keystone/common/policies/project.py 18:52:47 <kmalloc> i like that 18:53:15 <lbragstad> ok - so it sounds like we can discuss the intended behavior of the each resource in review 18:53:20 <lbragstad> document the outcome in FIXMEs 18:53:41 <lbragstad> and then i'll open bugs when they merge pointing to the FIXMEs so that we can track the work 18:54:46 <lbragstad> i think this gives me enough to get started 18:54:57 <lbragstad> #topic open discussion 18:55:18 <lbragstad> floor is open if anyone has anything 18:56:14 <kmalloc> yeah i have a question 18:56:22 <kmalloc> what if you get scared half to death twice? 18:56:33 <kmalloc> *shiftyeyes* 18:56:48 <gagehugo> would you be scared to 3/4th death then total? 18:56:50 <lbragstad> kmalloc: you're not factoring in health regen 18:57:09 <kmalloc> ok ok... 18:57:15 <lbragstad> because gagehugo's factors that in 18:57:16 <lbragstad> :) 18:57:23 <kmalloc> if one syncronised swimmer drowns... do they all follow in suit? 18:57:52 <kmalloc> ok ok i'm done 18:58:16 <lbragstad> alright - time to refill your beverage before office hours! 18:58:22 <lbragstad> thanks for the time folks 18:58:26 <lbragstad> #endmeeting