16:01:56 <lbragstad> #startmeeting keystone
16:01:56 <openstack> Meeting started Tue Jan 8 16:01:56 2019 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:59 <openstack> The meeting name has been set to 'keystone'
16:02:05 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:02:08 <lbragstad> agenda ^
16:03:17 <lbragstad> is anyone around?
16:03:29 <wxy|> o/
16:03:30 <vishakha> o/
16:03:38 <jdennis> o/
16:04:14 <knikolla> o/
16:04:42 * knikolla is fully back from the holiday break.
16:05:01 <lbragstad> good deal - we'll give folks another minute to join
16:06:09 <lbragstad> #topic Upcoming PTG Attendance
16:06:28 <lbragstad> the foundation usually sends out emails asking for rough estimates
16:06:48 <lbragstad> which helps them plan rooms and whatnot
16:06:53 <gagehugo> o/
16:06:58 <lbragstad> i know it's probably still a bit early for people
16:07:18 <lbragstad> but does anyone know if they're planning on going to the PTG in Denver?
16:07:41 <knikolla> I probably will be there.
16:08:02 <gagehugo> no idea yet
16:08:15 <wxy|> I won't. :(
16:08:20 <lbragstad> :(
16:08:45 <lbragstad> if you do plan on going, just ping me
16:08:47 <vishakha> I too have no idea
16:09:07 <lbragstad> in the meantime, i'm going to give the foundation a rough estimate
16:09:24 <lbragstad> #topic Previous Action Items
16:09:34 <cmurphy> o/
16:09:46 <lbragstad> the only thing we had from last meeting was to reach out to the nova team about unified limits
16:10:22 <lbragstad> now that people are back from holiday - we should be able to get a response
16:11:07 <lbragstad> i think we have an existing thread going for unified limit discussions, so i'll update that
16:11:25 <lbragstad> #topic Reviews
16:11:38 <lbragstad> does anyone have reviews that need eyes?
16:13:15 <wxy|> https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/domain-level-limit
16:13:23 <wxy|> for domain level limit
16:13:43 <lbragstad> ++
16:13:58 <lbragstad> i gave most of that series a once over, but I'll revisit it
16:14:09 <wxy|> thx
16:14:23 <lbragstad> does anyone else have reviews?
16:15:12 <lbragstad> any eyes on https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles would be great
16:15:49 <lbragstad> most of those are pretty cookie cutter patches, so if anyone is interested in picking some up and closing bugs, just let me know
16:15:53 <cmurphy> i have an easy one https://review.openstack.org/629115
16:16:37 <lbragstad> nice
16:17:00 <lbragstad> i'd also like to get some feedback on some configuration options needed for JWT
16:17:02 <lbragstad> #link https://review.openstack.org/#/c/628676/1
16:18:34 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1793374 would be good to review, too
16:18:37 <lbragstad> if anyone has time
16:19:10 <lbragstad> anything else review-wise?
16:19:58 <lbragstad> #topic Review Priority
16:20:04 <lbragstad> I've noticed a few other teams doing this
16:20:12 <lbragstad> and I'm wondering if people here have an opinion on it
16:20:15 <cmurphy> I had some thoughts about this
16:20:23 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-discuss/2018-December/001304.html
16:20:29 <lbragstad> context ^ if folks aren't aware
16:20:39 <cmurphy> I looked at our review queue and we have about 130 open patches open, about 100 of them are from 3 different authors and all high priority imo
16:20:51 <cmurphy> that was a few days ago when i looked
16:20:56 <lbragstad> yeah...
16:21:24 <cmurphy> (60+ of them were from lbragstad iirc :P)
16:21:38 <cmurphy> but because of that i'm not really sure it would help us right now
16:21:45 <lbragstad> right
16:21:54 <lbragstad> also - our team is pretty small
16:22:00 <cmurphy> right
16:22:09 <cmurphy> it makes more sense for huge teams like nova and cinder
16:22:17 <lbragstad> yeah
16:22:36 <lbragstad> does anyone (or new reviewers) think it would help them in finding reviews to look at?
16:23:38 <vishakha> I agree with cmurphy reasons
16:24:08 <lbragstad> sounds good
16:24:25 <lbragstad> we can move on - i appreciate the feedback
16:24:41 <lbragstad> #topic Technical Vision Self Evaluation
16:24:49 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001417.html
16:25:12 <lbragstad> in case you aren't aware, the TC recently came up with a technical vision for OpenStack
16:25:21 <lbragstad> this helps us, as a whole, on a number of fronts
16:25:50 <lbragstad> from a project-perspective, it should help us realize how we fit into the OpenStack project
16:25:55 <lbragstad> (as keystone)
16:26:18 <lbragstad> the document is meant to be a living thing, that has the ability to evolve over time
16:26:36 <lbragstad> TheJulia has asked that we take a look at it from a keystone perspective
16:26:53 <lbragstad> and we should approach the TC if we find anything we'd like to change or work on improving
16:27:04 <knikolla> really interesting
16:27:13 <lbragstad> (her note explains this better than what I'm doing right now)
16:27:36 <lbragstad> I'd like it if we could take an action item as a team to give a quick look over the next couple weeks
16:27:49 <lbragstad> then we can talk about anything, if we come up with stuff, in a subsequent meeting
16:27:56 <knikolla> sounds good to me
16:28:06 * cmurphy adds to list
16:28:15 <lbragstad> other openstack projects are doing a similar exercise
16:29:00 <lbragstad> let me know if you have questions and this is obviously an activity open to everyone
16:29:28 <lbragstad> #action keystone team to look over Technical Vision document from the TC
16:29:44 <lbragstad> we'll circle back on this next week
16:29:50 <gagehugo> ok
16:29:56 <lbragstad> does anyone have questions right now?
16:30:48 <lbragstad> alright - moving on
16:30:51 <lbragstad> #topic Athenz update
16:31:04 <lbragstad> there hasn't been any movement on this since Berlin
16:31:18 <lbragstad> but it sounds like James is going to be attending the edge meeting next week
16:32:05 <lbragstad> iirc - the only thing we have to do between now and then is possibly review how keystone currently implements x.509 support
16:32:26 <lbragstad> and see if there are any parallels to the approach Athenz takes with auto-provisioning
16:33:10 <lbragstad> so - if that sounds like a lot of fun to you, let me know
16:33:26 <lbragstad> i have it on my list, but it's not near the top
16:33:26 <cmurphy> i was gonna take a look at that, it kept sliding down my list since the summit
16:33:36 <lbragstad> yeah - i hear ya...
16:33:46 <cmurphy> i can try to move it up
16:33:55 <lbragstad> awesome
16:34:34 <lbragstad> if you get into it and find ways to break up the research into smaller bits, i'll probably be more useful
16:34:44 <cmurphy> ok
16:35:01 <lbragstad> thanks cmurphy
16:35:10 <lbragstad> any questions on this?
16:35:56 <lbragstad> #topic open discussion
16:36:08 <lbragstad> floor is open if folks have anything they'd like to talk about
16:36:39 <lbragstad> #info we're about 7 weeks away from feature proposal freeze
16:37:06 <lbragstad> just something to keep in mind - we have a lot of things in flight
16:37:21 <vishakha> Yeah I have some queries regarding federation. Can we have more than one federation protocol for IDP?
16:37:56 <vishakha> federation protocol with different mapping files
16:38:37 <cmurphy> vishakha: yes you can
16:39:28 <vishakha> cmurphy: When an IDP will send response to SP, so which federation protocol it will go for?
16:41:06 <knikolla> Different protocols are essentially treated as different IdPs. When you start the authentication process you select IdP and protocol.
16:41:48 <knikolla> So the protocol used will be the one which you requested when starting the authentication process in keystone.
16:44:30 <vishakha> knikolla: When I test my K2K federation through CLI, I just pass the remote project and the name of SP. So I am little confused that if I have created multiple protocols with same IDP name that I created on SP but with different mappings
16:45:28 <vishakha> So my user will be mapped to which mapping file
16:45:32 <vishakha> ?
16:45:51 <knikolla> vishakha: when you registered the auth_url it has the protocol in the path.
16:46:02 <knikolla> like `http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth`
16:46:12 <knikolla> is idp `myidp` and protocol `mapped`
16:47:53 <vishakha> knikolla: if both protocols are saml2?
16:48:29 <cmurphy> you can't create two protocols both named saml2 for the same idp
16:48:52 <knikolla> you also don't necessarily need to call it saml2, or mapped. you can alias the plugin.
16:49:21 <vishakha> cmurphy: knikolla. ok I got it thanks
16:49:24 <vishakha> :)
16:50:03 <knikolla> still, i don't see it that useful to use two mappings, for essentially the same protocol and the same idp.
16:50:11 <cmurphy> i think we removed the ability to alias the plugin
16:50:13 <knikolla> you can't force users to use one over the other, so things are going to get ugly.
16:51:18 <knikolla> well, you can... with blacklists... but you can also use blacklists and whitelists in a single mapping to get the same result probably.
16:51:54 <vishakha> Just some random cases I was looking it too. Thanks for taking up the queries
16:52:13 <cmurphy> thanks for poking all the corner cases :)
16:53:01 <lbragstad> anything else for open discussion?
16:54:05 <lbragstad> well - thanks for the time everyone
16:54:14 <lbragstad> reminder that we have office hours in a few minutes
16:54:23 <lbragstad> otherwise, have a great day
16:54:30 <lbragstad> #endmeeting