20:00:00 <robcresswell> #startmeeting keystone_horizon 20:00:01 <openstack> Meeting started Thu Feb 16 20:00:00 2017 UTC and is due to finish in 60 minutes. The chair is robcresswell. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:00:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:00:04 <openstack> The meeting name has been set to 'keystone_horizon' 20:00:07 <lbragstad> o/ 20:00:14 <robcresswell> o/ 20:00:15 <david-lyle> o/ 20:00:36 <lbragstad> robcresswell wow - nice timing, you started the meeting exactly as my client hit 14:00:00 20:01:11 <robcresswell> lbragstad: I do my best 20:01:12 <lbragstad> agenda #link https://etherpad.openstack.org/p/ocata-keystone-horizon 20:01:21 <rdopiera> o/ 20:01:23 * lbragstad bets robcresswell is a fan of automation 20:01:43 <robcresswell> lbragstad: I actually just happened to be looking at my client :p 20:01:50 <robcresswell> Sorry to disappoint 20:01:56 <lbragstad> lol 20:02:21 <robcresswell> So I wanted to kick these off again and keep using the meeting slot; if we dont use the hour, thats obviously not a problem 20:02:46 <robcresswell> Last cycle was really, really helpful for Horizon in solving some key issues, and helpful for me personally in understanding how the **** domains work 20:03:07 <robcresswell> The first thing to do is probably review the etherpad and cross off work that is completed 20:03:34 <robcresswell> There are also some outstanding patches in Horizon that im not entirely sure of, so would be good to discuss now or in the future meetings. 20:03:36 <lbragstad> i spent some time trying to do that last week 20:04:26 <robcresswell> Ah nice, thanks 20:05:10 <robcresswell> Anything anyone would like to start with? 20:05:47 <robcresswell> Working through then... 20:05:56 <robcresswell> #link https://review.openstack.org/#/c/339487/ 20:06:20 <robcresswell> This got flagged again today as a potential solution to a problem someone was having in the horizon channel 20:06:50 <lbragstad> is cmurphy around? 20:06:58 <robcresswell> I've not looked at it yet, david-lyle, cmurphy, thoughts? 20:07:14 <david-lyle> i haven't reviewed that yet 20:07:35 <david-lyle> but not sure user 20:07:37 <david-lyle> s 20:07:40 <david-lyle> argh 20:07:41 <robcresswell> Ah you -1'd it a while back 20:07:54 <robcresswell> Just wondered if you'd seen it recently, but np 20:08:06 <david-lyle> not sure user's domain id is the right policy target even if one is warranted 20:08:32 <david-lyle> should be the domain I'm auth'd into 20:08:38 <david-lyle> I believe 20:08:57 <lbragstad> so the domain of the project you've scoped your token to, or the domain scope of your token? 20:09:01 <david-lyle> but our cross-domain user support is woefully inadequate in general 20:09:21 <david-lyle> domain scope for identity operations 20:10:43 <david-lyle> what we really need is to figure out the cross-openstack answer for what can I do 20:11:42 <david-lyle> because our policy implementation is limited to what we've seen, but you could add random required policy targets in your policy files and Horizon wouldn't handle them unless it's something we populate by default 20:11:59 <lbragstad> yeah 20:12:16 <robcresswell> capabilities API? 20:12:29 <lbragstad> thought be the ideal solution I would think 20:12:44 <lbragstad> that would be* 20:12:50 * lbragstad can't type 20:13:07 <david-lyle> but we have the several releases until we get that even being optimistic 20:13:13 <david-lyle> so we'll do what we can 20:13:17 <robcresswell> Yeah, I know Nova have mentioned it a few times too. 20:13:18 <robcresswell> Right 20:13:49 <lbragstad> fwiw - there is going to be a time slot dedicated to capabilities during the Arch WG sessions on tuesday 20:14:11 * robcresswell loses track of the WG's 20:14:25 <lbragstad> #link https://etherpad.openstack.org/p/ptg-architecture-workgroup 20:14:44 <lbragstad> I don't believe they have time slots allocated yet 20:14:49 <lbragstad> but it's in their list of topics 20:15:30 <robcresswell> Okay, lets keep an eye on that 20:15:46 <david-lyle> ah, I see that patch is targeting the sample v3 example policy, should still be scoped domain not user domain I think 20:16:32 <robcresswell> So, the domain of the project, is that? 20:16:47 <lbragstad> yeah - because technically there is nothing stopping a user in one domain from having role assignments on other domains 20:17:14 <lbragstad> well - that's tricky too because it depends 20:17:15 <david-lyle> cross-domain user support should be added to the etherpad 20:17:39 <david-lyle> it blocked part of cmurphy's patch to doa 20:17:52 <lbragstad> as a user of keystone, i can explicitly ask for a token scoped to a specific domain that I have a role on, or I can ask for a token scoped to a project in some random domain 20:18:14 <david-lyle> but I only have permission based on the scope of my current token 20:18:25 <david-lyle> so it would be the domain I auth'd into to 20:18:44 <david-lyle> no? 20:19:04 * david-lyle reviews v3 sample policy again, crying softly 20:19:23 <lbragstad> right - would authenticating for a specific scope be considered just that? 20:20:10 <david-lyle> but the target is the project.domain_id, hmm 20:20:27 <david-lyle> I need more time to walk that through 20:20:28 <lbragstad> http://cdn.pasteraw.com/6badyzj32kns0bjhbbxk58zsc59hxrq 20:21:13 <lbragstad> ^ that would technically give me a token scoped to a domain 20:21:37 <david-lyle> the target will be the project.domain_id and then the horizon policy will match that in the credentials check 20:22:24 <david-lyle> so either cloud_admin, domain_admin for the target domain 20:22:44 <david-lyle> the patch may be right 20:25:42 <robcresswell> I need some time to get my round this :/ 20:26:20 <david-lyle> I think the logic is correct, we just didn't include the targets as specified in v3 sample policy 20:26:25 <lbragstad> do we think this is something we need more involvement in from other projects, too? 20:26:41 <david-lyle> lbragstad: which part? 20:26:50 <lbragstad> david-lyle the domain parts 20:26:58 <lbragstad> david-lyle or the *which* domains part 20:27:15 <robcresswell> This particular issue just seems like part of the underlying horizon-keystone domain confusion 20:27:23 <lbragstad> david-lyle because you also mentioned the "what can this use do across OpenStack" point of view 20:28:27 <david-lyle> so my understanding is... this really only effects keystone and horizon, the other projects' policies are completely project based 20:28:40 <lbragstad> ok 20:28:40 <david-lyle> so they only use the project scoped token 20:28:53 <david-lyle> domain token is only used for identity operations 20:28:59 <lbragstad> so this should be something we can whiteboard next week 20:29:03 <david-lyle> yes 20:29:21 <lbragstad> (pending everyone has time to digest the information) 20:29:36 <david-lyle> I think we just missed the target when we added support for the v3 sample 20:29:55 <david-lyle> and this bug will cover that, or the target was added later, I'm unsuer 20:29:58 <david-lyle> *unsure 20:31:23 <robcresswell> I'll take a look at it over the next week 20:31:32 <robcresswell> well, maybe the week after due to PTG, but before next meeting 20:31:54 <robcresswell> Assuming I can wrap my tiny UI brain around these lofty auth concepts :p 20:32:07 <david-lyle> I will draw pictures :P 20:32:16 <david-lyle> I lived domain hell for a long time 20:32:17 * lbragstad *loves* pictures 20:33:20 <robcresswell> Okay to move on for now? I see rdopiera has dropped a review on it too 20:33:27 <david-lyle> the other 2 patches in the first block still need review 20:33:33 <david-lyle> err 1 other 20:33:36 <david-lyle> 1 merged 20:33:41 <robcresswell> yep 20:34:41 <lbragstad> #link https://review.openstack.org/#/c/397332/2 this guy? 20:35:00 <david-lyle> yes, it looks fine, I just want to test to make sure 20:35:32 <david-lyle> no point in wasting the effort of trying to get a domain scoped token in a single domain env 20:35:59 <david-lyle> the base policy file will handle things 20:36:12 <david-lyle> without the domain scoped token 20:36:25 <robcresswell> Ah, yeah that looks a little more straightforward 20:38:10 <robcresswell> Would be nice to add a separate test for it I think 20:40:55 <david-lyle> so down to the PCI entry I think is done 20:41:25 <david-lyle> there are a couple of potentially unaddressed bugs in domain-admin support section 20:41:28 <lbragstad> yeah - that's what I spent a bunch of time on last week, trying to figure out what was left 20:41:48 <lbragstad> (PCI ^) 20:42:39 <david-lyle> did we figure out how to get the passwd strength regex to horizon? 20:43:03 <lbragstad> david-lyle into horizon? 20:43:07 <david-lyle> yes 20:43:14 <lbragstad> keystone now expose it through an api 20:43:29 <robcresswell> Side note, isn't the hard requirement on subsets of characters considered bad practice? 20:43:31 <david-lyle> ok, I was trying to read through the patches 20:44:27 <lbragstad> implemented here - #link https://review.openstack.org/#/q/topic:bp/pci-dss-password-requirements-api 20:44:50 <lbragstad> docs #link https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-domain-group-option-configuration-detail#domain-configuration 20:46:05 <lbragstad> GET /v3/domains/default/config/security_compliance/password_regex 20:46:46 * david-lyle can 20:47:18 <david-lyle> I may regret asking this, keystone doesn't support microversions, correct? 20:47:30 <lbragstad> david-lyle correct 20:47:37 <robcresswell> :D 20:47:43 <lbragstad> david-lyle it's actually one of the *first* things we talk about next week 20:47:49 <robcresswell> please no 20:47:57 <robcresswell> :) 20:47:58 <lbragstad> no what? 20:47:59 <david-lyle> so in an older v3 install, I just get a 404? 20:48:04 <robcresswell> please no microversions 20:48:29 <lbragstad> david-lyle correct - we had to be careful with that 20:48:29 <robcresswell> I'm not a fan, though I can explain why separately. 20:48:47 <lbragstad> david-lyle because it exposes config over the api 20:49:00 <lbragstad> robcresswell i'd be interested in hearing your view point 20:49:02 <david-lyle> ok, so for a while horizon will have to check, but if 404 use our internal setting 20:49:26 <lbragstad> david-lyle I believe so - but let me double check the logic 20:49:35 <robcresswell> lbragstad: I'll message after the meeting if you like, or I can drop in on your PTG session. 20:49:57 <lbragstad> robcresswell first thing wednesday morning - https://etherpad.openstack.org/p/pike-ptg-keystone-ocata-carry-over 20:50:02 <robcresswell> david-lyle: Yeah, I suppose so 20:50:10 <robcresswell> lbragstad: Got it 20:50:33 <david-lyle> robcresswell: grab me before you go, as I will forget :P 20:50:48 <robcresswell> david-lyle: Ha will do 20:50:56 <lbragstad> robcresswell i'd still be interested in hearing the gist of it prior to the PTG though 20:51:05 <robcresswell> sure 20:51:32 <david-lyle> robcresswell: do we have a microversion support group session as part of horizon's time at the PTG? 20:52:07 <lbragstad> david-lyle https://github.com/openstack/keystone/blob/master/keystone/resource/core.py#L1115 20:52:13 <robcresswell> david-lyle: Whatever bar I end up in on Tuesday night 20:52:30 <lbragstad> it should be either a 404 or a 403 if the option is not set 20:52:45 <david-lyle> ok, we can handle that 20:53:06 <lbragstad> and it should be something that you can get with a valid token 20:53:24 <lbragstad> (as opposed to other things in the domain config - which typically require admin) 20:53:27 <david-lyle> right the policy was default 20:53:33 <david-lyle> err "" 20:53:54 <cmurphy> hi - sorry this meeting slipped my mind, i'll have a look at 339487 20:54:23 <lbragstad> david-lyle yeah - we shimmied that in here and beat with a hammer until it worked - https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L188-L197 20:58:08 <david-lyle> seems like time is low 20:58:27 <david-lyle> anything pressing to hit in the last couple of minutes? 20:59:20 <david-lyle> we can talk more about "Looking Forward" next week 20:59:25 <robcresswell> Nothing else from me 20:59:39 <lbragstad> not that i know of - if there is something we need to add to the agenda next week let me know 20:59:40 <robcresswell> Thanks for attending; I'll keep sending out the email reminders etc 20:59:42 <lbragstad> or add it 20:59:47 <lbragstad> https://etherpad.openstack.org/p/pike-ptg-keystone-horizon 20:59:49 <lbragstad> #link https://etherpad.openstack.org/p/pike-ptg-keystone-horizon 21:00:02 <robcresswell> lbragstad: If you could give the weekly meeting a shout out during the PTG that would be much appreciated 21:00:22 <david-lyle> horizon folks will be loitering the second half of the week so pull us in as needed 21:00:39 <lbragstad> robcresswell will do - to get more keystone devs involved? 21:00:43 <lbragstad> I assume? 21:00:50 * david-lyle may be speaking for himself only 21:00:58 <robcresswell> lbragstad: Just so people are aware its ongoing 21:01:04 <lbragstad> ++ 21:01:07 <lbragstad> will do 21:01:16 <david-lyle> oh they're aware, that's why they're not here now 21:01:19 <robcresswell> I've not intention of bullying people into attending :) 21:01:21 <robcresswell> haha 21:01:43 <robcresswell> thanks all 21:01:46 <robcresswell> #endmeeting