20:00:00 <robcresswell> #startmeeting keystone_horizon
20:00:01 <openstack> Meeting started Thu Feb 16 20:00:00 2017 UTC and is due to finish in 60 minutes. The chair is robcresswell. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:04 <openstack> The meeting name has been set to 'keystone_horizon'
20:00:07 <lbragstad> o/
20:00:14 <robcresswell> o/
20:00:15 <david-lyle> o/
20:00:36 <lbragstad> robcresswell wow - nice timing, you started the meeting exactly as my client hit 14:00:00
20:01:11 <robcresswell> lbragstad: I do my best
20:01:12 <lbragstad> agenda #link https://etherpad.openstack.org/p/ocata-keystone-horizon
20:01:21 <rdopiera> o/
20:01:23 * lbragstad bets robcresswell is a fan of automation
20:01:43 <robcresswell> lbragstad: I actually just happened to be looking at my client :p
20:01:50 <robcresswell> Sorry to disappoint
20:01:56 <lbragstad> lol
20:02:21 <robcresswell> So I wanted to kick these off again and keep using the meeting slot; if we don't use the hour, that's obviously not a problem
20:02:46 <robcresswell> Last cycle was really, really helpful for Horizon in solving some key issues, and helpful for me personally in understanding how the **** domains work
20:03:07 <robcresswell> The first thing to do is probably review the etherpad and cross off work that is completed
20:03:34 <robcresswell> There are also some outstanding patches in Horizon that I'm not entirely sure of, so would be good to discuss now or in the future meetings.
20:03:36 <lbragstad> i spent some time trying to do that last week
20:04:26 <robcresswell> Ah nice, thanks
20:05:10 <robcresswell> Anything anyone would like to start with?
20:05:47 <robcresswell> Working through then...
20:05:56 <robcresswell> #link https://review.openstack.org/#/c/339487/
20:06:20 <robcresswell> This got flagged again today as a potential solution to a problem someone was having in the horizon channel
20:06:50 <lbragstad> is cmurphy around?
20:06:58 <robcresswell> I've not looked at it yet, david-lyle, cmurphy, thoughts?
20:07:14 <david-lyle> i haven't reviewed that yet
20:07:35 <david-lyle> but not sure user
20:07:37 <david-lyle> s
20:07:40 <david-lyle> argh
20:07:41 <robcresswell> Ah you -1'd it a while back
20:07:54 <robcresswell> Just wondered if you'd seen it recently, but np
20:08:06 <david-lyle> not sure user's domain id is the right policy target even if one is warranted
20:08:32 <david-lyle> should be the domain I'm auth'd into
20:08:38 <david-lyle> I believe
20:08:57 <lbragstad> so the domain of the project you've scoped your token to, or the domain scope of your token?
20:09:01 <david-lyle> but our cross-domain user support is woefully inadequate in general
20:09:21 <david-lyle> domain scope for identity operations
20:10:43 <david-lyle> what we really need is to figure out the cross-openstack answer for what can I do
20:11:42 <david-lyle> because our policy implementation is limited to what we've seen, but you could add random required policy targets in your policy files and Horizon wouldn't handle them unless it's something we populate by default
20:11:59 <lbragstad> yeah
20:12:16 <robcresswell> capabilities API?
20:12:29 <lbragstad> thought be the ideal solution I would think
20:12:44 <lbragstad> that would be*
20:12:50 * lbragstad can't type
20:13:07 <david-lyle> but we have several releases until we get that even being optimistic
20:13:13 <david-lyle> so we'll do what we can
20:13:17 <robcresswell> Yeah, I know Nova have mentioned it a few times too.
20:13:18 <robcresswell> Right
20:13:49 <lbragstad> fwiw - there is going to be a time slot dedicated to capabilities during the Arch WG sessions on Tuesday
20:14:11 * robcresswell loses track of the WG's
20:14:25 <lbragstad> #link https://etherpad.openstack.org/p/ptg-architecture-workgroup
20:14:44 <lbragstad> I don't believe they have time slots allocated yet
20:14:49 <lbragstad> but it's in their list of topics
20:15:30 <robcresswell> Okay, lets keep an eye on that
20:15:46 <david-lyle> ah, I see that patch is targeting the sample v3 example policy, should still be scoped domain not user domain I think
20:16:32 <robcresswell> So, the domain of the project, is that?
20:16:47 <lbragstad> yeah - because technically there is nothing stopping a user in one domain from having role assignments on other domains
20:17:14 <lbragstad> well - that's tricky too because it depends
20:17:15 <david-lyle> cross-domain user support should be added to the etherpad
20:17:39 <david-lyle> it blocked part of cmurphy's patch to doa
20:17:52 <lbragstad> as a user of keystone, i can explicitly ask for a token scoped to a specific domain that I have a role on, or I can ask for a token scoped to a project in some random domain
20:18:14 <david-lyle> but I only have permission based on the scope of my current token
20:18:25 <david-lyle> so it would be the domain I auth'd into to
20:18:44 <david-lyle> no?
20:19:04 * david-lyle reviews v3 sample policy again, crying softly
20:19:23 <lbragstad> right - would authenticating for a specific scope be considered just that?
20:20:10 <david-lyle> but the target is the project.domain_id, hmm
20:20:27 <david-lyle> I need more time to walk that through
20:20:28 <lbragstad> http://cdn.pasteraw.com/6badyzj32kns0bjhbbxk58zsc59hxrq
20:21:13 <lbragstad> ^ that would technically give me a token scoped to a domain
20:21:37 <david-lyle> the target will be the project.domain_id and then the horizon policy will match that in the credentials check
20:22:24 <david-lyle> so either cloud_admin, domain_admin for the target domain
20:22:44 <david-lyle> the patch may be right
20:25:42 <robcresswell> I need some time to get my head round this :/
20:26:20 <david-lyle> I think the logic is correct, we just didn't include the targets as specified in v3 sample policy
20:26:25 <lbragstad> do we think this is something we need more involvement in from other projects, too?
20:26:41 <david-lyle> lbragstad: which part?
20:26:50 <lbragstad> david-lyle the domain parts
20:26:58 <lbragstad> david-lyle or the *which* domains part
20:27:15 <robcresswell> This particular issue just seems like part of the underlying horizon-keystone domain confusion
20:27:23 <lbragstad> david-lyle because you also mentioned the "what can this user do across OpenStack" point of view
20:28:27 <david-lyle> so my understanding is... this really only affects keystone and horizon, the other projects' policies are completely project based
20:28:40 <lbragstad> ok
20:28:40 <david-lyle> so they only use the project scoped token
20:28:53 <david-lyle> domain token is only used for identity operations
20:28:59 <lbragstad> so this should be something we can whiteboard next week
20:29:03 <david-lyle> yes
20:29:21 <lbragstad> (pending everyone has time to digest the information)
20:29:36 <david-lyle> I think we just missed the target when we added support for the v3 sample
20:29:55 <david-lyle> and this bug will cover that, or the target was added later, I'm unsuer
20:29:58 <david-lyle> *unsure
20:31:23 <robcresswell> I'll take a look at it over the next week
20:31:32 <robcresswell> well, maybe the week after due to PTG, but before next meeting
20:31:54 <robcresswell> Assuming I can wrap my tiny UI brain around these lofty auth concepts :p
20:32:07 <david-lyle> I will draw pictures :P
20:32:16 <david-lyle> I lived domain hell for a long time
20:32:17 * lbragstad *loves* pictures
20:33:20 <robcresswell> Okay to move on for now? I see rdopiera has dropped a review on it too
20:33:27 <david-lyle> the other 2 patches in the first block still need review
20:33:33 <david-lyle> err 1 other
20:33:36 <david-lyle> 1 merged
20:33:41 <robcresswell> yep
20:34:41 <lbragstad> #link https://review.openstack.org/#/c/397332/2 this guy?
20:35:00 <david-lyle> yes, it looks fine, I just want to test to make sure
20:35:32 <david-lyle> no point in wasting the effort of trying to get a domain scoped token in a single domain env
20:35:59 <david-lyle> the base policy file will handle things
20:36:12 <david-lyle> without the domain scoped token
20:36:25 <robcresswell> Ah, yeah that looks a little more straightforward
20:38:10 <robcresswell> Would be nice to add a separate test for it I think
20:40:55 <david-lyle> so down to the PCI entry I think is done
20:41:25 <david-lyle> there are a couple of potentially unaddressed bugs in domain-admin support section
20:41:28 <lbragstad> yeah - that's what I spent a bunch of time on last week, trying to figure out what was left
20:41:48 <lbragstad> (PCI ^)
20:42:39 <david-lyle> did we figure out how to get the passwd strength regex to horizon?
20:43:03 <lbragstad> david-lyle into horizon?
20:43:07 <david-lyle> yes
20:43:14 <lbragstad> keystone now exposes it through an api
20:43:29 <robcresswell> Side note, isn't the hard requirement on subsets of characters considered bad practice?
20:43:31 <david-lyle> ok, I was trying to read through the patches
20:44:27 <lbragstad> implemented here - #link https://review.openstack.org/#/q/topic:bp/pci-dss-password-requirements-api
20:44:50 <lbragstad> docs #link https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-domain-group-option-configuration-detail#domain-configuration
20:46:05 <lbragstad> GET /v3/domains/default/config/security_compliance/password_regex
20:46:46 * david-lyle can
20:47:18 <david-lyle> I may regret asking this, keystone doesn't support microversions, correct?
20:47:30 <lbragstad> david-lyle correct
20:47:37 <robcresswell> :D
20:47:43 <lbragstad> david-lyle it's actually one of the *first* things we talk about next week
20:47:49 <robcresswell> please no
20:47:57 <robcresswell> :)
20:47:58 <lbragstad> no what?
20:47:59 <david-lyle> so in an older v3 install, I just get a 404?
20:48:04 <robcresswell> please no microversions
20:48:29 <lbragstad> david-lyle correct - we had to be careful with that
20:48:29 <robcresswell> I'm not a fan, though I can explain why separately.
20:48:47 <lbragstad> david-lyle because it exposes config over the api
20:49:00 <lbragstad> robcresswell i'd be interested in hearing your view point
20:49:02 <david-lyle> ok, so for a while horizon will have to check, but if 404 use our internal setting
20:49:26 <lbragstad> david-lyle I believe so - but let me double check the logic
20:49:35 <robcresswell> lbragstad: I'll message after the meeting if you like, or I can drop in on your PTG session.
20:49:57 <lbragstad> robcresswell first thing wednesday morning - https://etherpad.openstack.org/p/pike-ptg-keystone-ocata-carry-over
20:50:02 <robcresswell> david-lyle: Yeah, I suppose so
20:50:10 <robcresswell> lbragstad: Got it
20:50:33 <david-lyle> robcresswell: grab me before you go, as I will forget :P
20:50:48 <robcresswell> david-lyle: Ha will do
20:50:56 <lbragstad> robcresswell i'd still be interested in hearing the gist of it prior to the PTG though
20:51:05 <robcresswell> sure
20:51:32 <david-lyle> robcresswell: do we have a microversion support group session as part of horizon's time at the PTG?
20:52:07 <lbragstad> david-lyle https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L1115
20:52:13 <robcresswell> david-lyle: Whatever bar I end up in on Tuesday night
20:52:30 <lbragstad> it should be either a 404 or a 403 if the option is not set
20:52:45 <david-lyle> ok, we can handle that
20:53:06 <lbragstad> and it should be something that you can get with a valid token
20:53:24 <lbragstad> (as opposed to other things in the domain config - which typically require admin)
20:53:27 <david-lyle> right the policy was default
20:53:33 <david-lyle> err ""
20:53:54 <cmurphy> hi - sorry this meeting slipped my mind, i'll have a look at 339487
20:54:23 <lbragstad> david-lyle yeah - we shimmied that in here and beat with a hammer until it worked - https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L188-L197
20:58:08 <david-lyle> seems like time is low
20:58:27 <david-lyle> anything pressing to hit in the last couple of minutes?
20:59:20 <david-lyle> we can talk more about "Looking Forward" next week
20:59:25 <robcresswell> Nothing else from me
20:59:39 <lbragstad> not that i know of - if there is something we need to add to the agenda next week let me know
20:59:40 <robcresswell> Thanks for attending; I'll keep sending out the email reminders etc
20:59:42 <lbragstad> or add it
20:59:47 <lbragstad> https://etherpad.openstack.org/p/pike-ptg-keystone-horizon
20:59:49 <lbragstad> #link https://etherpad.openstack.org/p/pike-ptg-keystone-horizon
21:00:02 <robcresswell> lbragstad: If you could give the weekly meeting a shout out during the PTG that would be much appreciated
21:00:22 <david-lyle> horizon folks will be loitering the second half of the week so pull us in as needed
21:00:39 <lbragstad> robcresswell will do - to get more keystone devs involved?
21:00:43 <lbragstad> I assume?
21:00:50 * david-lyle may be speaking for himself only
21:00:58 <robcresswell> lbragstad: Just so people are aware it's ongoing
21:01:04 <lbragstad> ++
21:01:07 <lbragstad> will do
21:01:16 <david-lyle> oh they're aware, that's why they're not here now
21:01:19 <robcresswell> I've no intention of bullying people into attending :)
21:01:21 <robcresswell> haha
21:01:43 <robcresswell> thanks all
21:01:46 <robcresswell> #endmeeting