20:00:45 <r1chardj0n3s> #startmeeting keystone_horizon
20:00:45 <openstack> Meeting started Thu Dec  8 20:00:45 2016 UTC and is due to finish in 60 minutes.  The chair is r1chardj0n3s. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:46 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:49 <openstack> The meeting name has been set to 'keystone_horizon'
20:00:54 <r1chardj0n3s> good morning, folks!
20:00:57 <dolphm> \o/
20:01:08 * lbragstad high-fives r1chardj0n3s
20:01:09 <robcresswell> o/
20:01:11 <crinkle> o/
20:01:33 <david-lyle> o/
20:01:46 <r1chardj0n3s> so, what've folks been working on?
20:02:04 <lbragstad> well - we merged http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/pci-dss-password-requirements-api.html
20:02:20 <r1chardj0n3s> \o/
20:02:48 <r1chardj0n3s> are we any closer to an API for getting that info from Horizon?
20:02:55 <stevemar> o/
20:03:14 <stevemar> oh dolphm is here too, nice
20:03:28 <lbragstad> r1chardj0n3s getting that information from keystone? or horizon?
20:03:37 <rderose> o/
20:03:43 <dolphm> stevemar: =)
20:03:50 <r1chardj0n3s> lbragstad: getting the password strength information from keystone into horizon
20:04:04 <ducttape_> ideally horizon gets this info from keystone, shows it to user?   and i18n would be supported ?
20:04:22 <lbragstad> r1chardj0n3s yeah - we have a spec detailing an API for it, i plan to start working on it next week
20:04:23 <r1chardj0n3s> lbragstad: the human-readable version of the regex
20:04:28 <r1chardj0n3s> lbragstad: oh cool
20:04:45 <lbragstad> r1chardj0n3s the regex and the description for it will be available via the api
20:04:53 <r1chardj0n3s> \o/
20:05:21 <dolphm> lbragstad: in an error message or in advance?
20:05:54 <lbragstad> dolphm in an error message when a user tries to update their password, you mean?
20:05:58 <dolphm> lbragstad: yes
20:06:05 <stevemar> ducttape_: translation might be hard
20:06:08 <lbragstad> dolphm i believe we already do that
20:06:08 <dolphm> lbragstad: how/when is the description exposed
20:06:22 <david-lyle> we want it upfront
20:06:23 <dolphm> lbragstad: (i thought so) so it'll now be done in advance?
20:06:27 <dolphm> gotcha
20:06:30 <lbragstad> dolphm yeah
20:06:38 <dolphm> UX++
20:06:56 <lbragstad> dolphm it can be done in advance, but it's up to whoever implements it to use it wherever they want
20:07:22 <lbragstad> but - the horizon folks had some good reasons for wanting it in advance last week
20:09:10 <rderose> yeah, I don't know how you would do translation as this is a configurable item.
20:09:16 <r1chardj0n3s> looking forward to that new API spec. it would be great to be able to get a translated version if possible, but I get that that could be difficult. Is the configuration always created by deployers?
20:09:45 <rderose> r1chardj0n3s: currently, yes
20:10:20 <r1chardj0n3s> so they'd know whether they had any i18n requirements I guess, when they're setting password_regex_description
20:10:36 <rderose> true
20:10:42 <ducttape_> localization is probably low weight concern imo.   I'd think most deployments are ok with single default lang fwiw
20:10:48 <ducttape_> was just curious
20:11:32 <dolphm> you could always write the message in two different languages in config, but that doesn't scale if you really need to cater to a long list of languages
20:12:46 <r1chardj0n3s> ok, anyone else have anything they've been working on that needs discussion?
20:14:55 <r1chardj0n3s> y'all are quiet :-) stevemar, you got anything?
20:15:21 <robcresswell> We've scared off keystone
20:15:29 * dolphm boo.
20:15:38 * robcresswell jumps
20:15:40 <lbragstad> tough crowd lol
20:15:55 <r1chardj0n3s> well, I'll poke rderose to see how "fixing federation" is going :-)
20:16:10 <rderose> sure
20:16:23 <rderose> new patch: https://review.openstack.org/#/c/399684/
20:17:07 <rderose> Essentially it requires a domain_id when registering an IdP. If not provided, federated users will be put under a default federated domain.
20:17:22 <rderose> But all users will be under a concrete domain.
20:18:25 <rderose> More patches coming... :)
20:18:36 <r1chardj0n3s> ok, there's mention in the etherpad of Horizon impact too
20:19:29 <r1chardj0n3s> is that selection of domain id when configuring the idp in horizon, or at some other time?
20:20:15 <rderose> I don't think Horizon supports creating the IdP, right?
20:20:19 <rderose> or does it?
20:20:30 <david-lyle> rderose: yes
20:20:43 <rderose> ah, cool
20:20:57 <rderose> so that would be a change
20:20:59 <dolphm> it's just not entirely useful on its own without dstanek's work
20:21:08 <david-lyle> so we'll need a new field for domain_id
20:21:25 <rderose> david-lyle: yes
20:21:38 <robcresswell> How does keystone version these changes?
20:22:04 <r1chardj0n3s> robcresswell: are you having another microversion moment?
20:22:07 <rderose> david-lyle: it is backwards compatible in that, if you don't explicitly set the domain_id, we'll create one
20:22:19 <robcresswell> Ah phew
20:22:30 <david-lyle> ok
20:22:31 <r1chardj0n3s> \o/
20:22:31 <robcresswell> r1chardj0n3s: Yes I could feel my blood pressure rising
20:22:49 <dolphm> robcresswell: we haven't introduced a backwards incompatible API change since pre-diablo :)
20:23:13 <robcresswell> dolphm: You should teach Nova how to API
20:23:33 * robcresswell goes back to being a grumpy hermit
20:23:37 <dolphm> lol
20:23:43 <david-lyle> post PTL-syndrome
20:24:24 <r1chardj0n3s> dolphm: do you have a reference to the dstanek work you mentioned above?
20:25:14 <dolphm> r1chardj0n3s: http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/native-saml.html
20:25:58 <r1chardj0n3s> thx
20:26:35 <rderose> dolphm: true, but even without dstanek patch, we can remove the hardcoded 'Federated' domain
20:26:49 <david-lyle> so no dependency on apache for federation ?
20:26:54 <rderose> and migrate federated users to a concrete domain
20:27:10 <dolphm> rderose: right
20:27:37 <dolphm> rderose: i was just referring to the utility of the current horizon flow for setting up IdPs (you still have to configure shib et al)
20:27:52 <rderose> dolphm: gotcha
20:29:34 <lbragstad> david-lyle yep - specifically no dependency on mod_shib or mod_mellon
20:29:48 <david-lyle> nice
20:31:39 <r1chardj0n3s> any other issues to discuss?
20:32:22 <r1chardj0n3s> or, any patches we should look at as a priority?
20:34:14 <robcresswell> Nothing from me :)
20:34:26 <robcresswell> Can probably call the meeting early
20:35:06 <r1chardj0n3s> yep, if there's nothing either team needs from the other, I'll call it
20:35:33 <r1chardj0n3s> thanks everyone!
20:35:35 <lbragstad> o/
20:35:37 <r1chardj0n3s> #endmeeting