17:02:52 <lbragstad> #startmeeting keystone-office-hours
17:02:53 <openstack> Meeting started Tue May  1 17:02:52 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:56 <openstack> The meeting name has been set to 'keystone_office_hours'
17:03:25 <ayoung> kmalloc, UTC 12:00 right
17:03:28 <lbragstad> that's the second time the meeting bot has failed to stop office hours
17:03:51 <lbragstad> http://eavesdrop.openstack.org/#Keystone_Team_Meeting
17:04:16 <ayoung> What is the goal of office hours anyway?  Answering questions from community members?
17:04:46 <lbragstad> yeah, that, closing bugs, working on specs
17:05:02 <lbragstad> it's really just time set aside each week to ensure other people are around
17:16:30 <ayoung> lbragstad, so...what do you think of the idea of optional time-outs on group assignments?
17:16:53 <ayoung> A user comes in via Federation, gets a group assignment and it will last for a configurable amount of time, set in the mapping
17:17:24 <ayoung> once the time is up, the group assignment is no longer valid, and role assignments based on that group are also kaput
17:17:32 <ayoung> log in again, bump the time forward.
17:17:51 <ayoung> an admin can come in and set the time out to "never" to make it permanent.
17:18:24 <lbragstad> i need to think about that a bit more
17:18:29 <lbragstad> it's interesting though
17:18:43 <ayoung> lbragstad, do we have an appropriate forum at the summit for that?
17:19:04 <lbragstad> not really, we have one for unified limits, default roles, and operator feedback
17:19:13 <lbragstad> s/one/three
17:20:27 <kmalloc> ayoung: yeah UTC (-0 offset)
17:23:20 <knikolla> there is a forum session on federation stuff, but it will probably be extremely high level
17:23:21 <knikolla> https://www.openstack.org/summit/vancouver-2018/summit-schedule/events/21786/supporting-general-federation-for-large-scale-collaborations
17:56:29 <ayoung> knikolla, it might be worth discussing there, as I think this is one of the critical topics
17:59:36 <breton> ayoung: that's nice
17:59:43 <breton> ayoung: re: timeout for groups
17:59:47 <ayoung> breton, you like the idea?
17:59:53 <ayoung> What about it appeals to you?
18:02:20 <breton> ayoung: when we were talking about adding users to groups, users being in the group forever was the biggest concern. And i see you bumped https://review.openstack.org/#/c/415545/ already.
18:02:47 <ayoung> breton, yeah, it was a simple bump, but that was before the Time-out discussion happened
18:03:14 <ayoung> I think I like the idea of timeouts for everything.  Optional, but the norm for Federation
18:04:28 <breton> timeout equal to token ttl maybe?
18:05:34 <breton> i wonder if something like ?allow_expired will be needed
18:11:55 <openstackgerrit> Merged openstack/keystone master: Add configuration option for enforcement models  https://review.openstack.org/562713
18:12:02 <ayoung> token TTL should be much shorter
18:12:09 <ayoung> breton, thing trusts.
18:12:13 <ayoung> think
18:13:48 <ayoung> breton, allowed_expired would be way too long a time for these calls.
19:46:26 <mordred> lbragstad, cmurphy: if you are bored and want an easy +3 ... https://review.openstack.org/#/c/564495/
20:59:51 <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Add scenarios to strict hierarchy enforcement model  https://review.openstack.org/565412
21:01:02 <lbragstad> johnthetubaguy: yankcrime ^
21:01:19 <lbragstad> i think i got most of what we talked about out of my head and on paper
21:02:52 <lbragstad> the main bits are the "model behaviors" section and the "enforcement diagrams"
21:03:02 <lbragstad> #endmeeting