16:00:21 <rakhmerov> #startmeeting Mistral
16:00:21 <openstack> Meeting started Mon Jan 25 16:00:21 2016 UTC and is due to finish in 60 minutes. The chair is rakhmerov. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:25 <openstack> The meeting name has been set to 'mistral'
16:00:27 <rakhmerov> hi Dmitri
16:00:31 <rakhmerov> how are you?
16:00:36 <dzimine> Ok now :) hi
16:00:48 <ddeja> hello
16:00:52 <dmowrer-> hi
16:00:53 <dzimine> Half asleep :)
16:01:19 <akuznetsova> hi there
16:01:30 <hparekh_> hi
16:01:34 <rakhmerov> hi all
16:01:46 <rakhmerov> let's start
16:02:45 <rakhmerov> #topic Review Action Items
16:02:53 <rakhmerov> 1. rakhmerov, hparekh_: discuss https://blueprints.launchpad.net/mistral/+spec/mistral-items-filtering
16:02:56 <rakhmerov> done
16:03:03 <rakhmerov> there's already a patch on review
16:03:11 <hparekh_> yeah
16:03:16 <rakhmerov> :)
16:03:21 <hparekh_> please let me know your view
16:03:37 <rakhmerov> #action rakhmerov: review patch about items filtering
16:03:38 <rakhmerov> :)
16:03:42 <rakhmerov> 2. rakhmerov: participate in [TripleO] Driving workflows with Mistral
16:03:45 <hparekh_> thanks
16:04:11 <rakhmerov> I was participating in this thread but it is still alive so I need to continue
16:04:31 <rakhmerov> #topic Current status (progress, issues, roadblocks, further plans)
16:04:58 <rakhmerov> my status: I was actually off work for 1.5 weeks
16:05:19 <rakhmerov> last week I made several reviews, that's it
16:05:41 <akuznetsova> my status: reviewed patches, planning to start thinking about tests for murano-dashboard repo
16:06:01 <hparekh_> my status: I have fixed some gate issue, fixed some tests which were failed periodically. submitted patch for items filtering.
16:06:07 <rakhmerov> akuznetsova: murano? :)
16:06:11 <m4dcoder> status: bug fixes, multiple patches stuck in review
16:06:19 <akuznetsova> rakhmerov, mistral)
16:06:22 <rakhmerov> ok
16:06:26 <akuznetsova> ohh
16:06:28 <akuznetsova> sorry
16:07:17 <akuznetsova> work on multiple projects has an effect
16:07:48 <rakhmerov> m4dcoder: yeah, sorry about that. It's such a period for us. Nikolay is on vacation, I've been on sick leave for a long time
16:07:56 <rakhmerov> akuznetsova: understandable
16:07:58 <rakhmerov> np
16:08:46 <^Gal^> I uploaded a patchset for Horizon, regarding the tooltip thing we need
16:08:51 <^Gal^> for cell to access another cell
16:09:09 <^Gal^> and I have some stuff for review
16:09:17 <rakhmerov> ^Gal^: ok
16:09:48 <m4dcoder> rakhmerov: are you feeling better? when is Nikolay back? i hope things get back to normal. the projects seems to move at a rather slow pace of late.
16:10:02 <rakhmerov> ^Gal^: I saw messages from lane_kong that some patches to dashboard don't have some necessary info required by release tools
16:10:19 <rakhmerov> something like "Merged XXX" where XXX should be a patch id or something
16:10:29 <rakhmerov> I didn't understand it on 100%
16:10:45 <rakhmerov> ^Gal^: are you aware of this? Did you talk to lane_kong?
16:11:07 <rakhmerov> m4dcoder: yes, thanks! I'm now almost ok, will be working full time since the middle of this week
16:11:22 <rakhmerov> m4dcoder: Nikolay will be back in a week
16:11:33 <m4dcoder> good good :)
16:12:31 <rakhmerov> ^Gal^: here?
16:13:58 <rakhmerov> ^Gal^: ok, let me know once you're back or we can talk offline
16:14:42 <rakhmerov> we were actually supposed to release M-2 last week (on Jan 21st) but I didn't have a chance to talk to Lingxian yet
16:14:50 <rakhmerov> who is our release liaison now
16:15:07 <rakhmerov> #action rakhmerov: check how M-2 release goes
16:15:59 <rakhmerov> we also need to have a planning session for M-3 asap so I'd like to ask you to come up with your preferences
16:16:38 <rakhmerov> #topic Mistral Security
16:17:17 <rakhmerov> anybody from ALU is here now?
16:17:55 <rakhmerov> a little bit of background: we now still have a big issue with using sensitive information in Mistral workflows
16:18:27 <rakhmerov> the issue is: we can't hardcode any passwords in workflows themselves and we can't pass them as input params
16:18:49 <rakhmerov> because Mistral stores them unencrypted in DB and puts into logs
16:18:56 <rakhmerov> so it is not protected
16:19:07 <rakhmerov> for example, it is related to ssh actions
16:19:52 <rakhmerov> from user perspective, it's also not feasible to have required ssh keys on executors
16:20:01 <rakhmerov> they have to be pre-configured
16:20:29 <rakhmerov> we had a couple of attempts to address this problem but it's still not solved properly
16:20:57 <rakhmerov> Moshe suggests we implement actions for using Barbican
16:20:59 <rakhmerov> https://blueprints.launchpad.net/mistral/+spec/support-barbican-actions
16:21:18 * redrobot pokes head in
16:21:45 <redrobot> rakhmerov is there a spec I could review for that?
16:21:58 <akuznetsova> we have only bug for it https://bugs.launchpad.net/mistral/+bug/1337268
16:22:00 <openstack> Launchpad bug 1337268 in Mistral mitaka "Security issue: user secure info is not protected properly (logs, API, DB)" [Critical,New] - Assigned to Lingxian Kong (kong)
16:22:09 <rakhmerov> yes
16:22:14 <rakhmerov> redrobot: no spec yet
16:22:20 <akuznetsova> we need to transform it to bp first
16:22:32 <rakhmerov> yes
16:22:48 <rakhmerov> so we need to create a spec I guess, this is correct
16:23:01 <m4dcoder> i'm unsure how this actually works. the action will return the secret and it still needs to be passed to the other action that needs it as input param.
16:23:08 <akuznetsova> we already have a few suggestions of how it can be implemented (in bug's comments)
16:23:43 <akuznetsova> rakhmerov, yes, we need spec, but afaik spec requires link to bp
16:23:53 <rakhmerov> m4dcoder: yes, I don't know either
16:24:13 <rakhmerov> akuznetsova: true, I agree
16:24:45 <rakhmerov> #action rakhmerov: convert https://bugs.launchpad.net/mistral/+bug/1337268 into BP
16:24:47 <openstack> Launchpad bug 1337268 in Mistral mitaka "Security issue: user secure info is not protected properly (logs, API, DB)" [Critical,New] - Assigned to Lingxian Kong (kong)
16:24:53 <dzimine> We can consider borrowing the solution from StackStorm
16:25:27 <dzimine> Where we mark secret parameters and mask them in API and logs.
16:25:29 <rakhmerov> dzimine: could you describe briefly the essence of it?
16:25:38 <rakhmerov> dzimine: makes sense
16:25:58 <rakhmerov> I suggested long time ago that we should use a special data type
16:26:14 <rakhmerov> and make all our layers explicitly aware of it
16:26:15 <m4dcoder> this requires mistral to define a type of schema for action inputs. to be consistent and not just for input with secret.
16:26:23 <dzimine> DB is ok, at most encode the secret but it's admin duty to protect it.
16:26:33 <rakhmerov> so that if we print into log, for example, we replace it with *****
16:26:43 <rakhmerov> when we store it in DB we apply encryption
16:26:43 <dzimine> I'll fish out a PR with impl and share it in the BP
16:26:50 <rakhmerov> dzimine: yes
16:27:06 <rakhmerov> dzimine: that would be great
16:27:21 <dzimine> Ok.
16:28:01 <rakhmerov> as far as the API I thought it could be something like: when we pass input parameters we have a simple mechanism to explicitly mark it somehow
16:28:26 <rakhmerov> so that from that point on all layers take care of them as of sensitive data
16:28:45 <rakhmerov> but ok, I'm eager to see your idea
16:30:14 <rakhmerov> #action dzimine: File a BP with description of how we can approach the issue with security data
16:30:57 <rakhmerov> so let's continue with this
16:31:15 <rakhmerov> ALU folks also want to backport it to Liberty once it's implemented
16:31:21 <rakhmerov> we need to see if it's possible
16:31:42 <rakhmerov> #topic Open Discussion
16:32:10 <rakhmerov> so other than that I don't have topics to discuss for now
16:32:38 <hparekh_> rakhmerov: hi i have sent you mail regarding Austin summit did you check it ?
16:32:42 <rakhmerov> dzimine: please let me know if there's anything specific from StackStorm side for M-3
16:32:57 <rakhmerov> hparekh_: replied to you today
16:32:58 <rakhmerov> yes
16:33:08 <hparekh_> oh will check
16:33:21 <rakhmerov> hparekh_: I'd ask you to share your plan, if possible
16:33:30 <m4dcoder> for M3, i'm still fighting for time to spec the task priority scheduler
16:33:44 <rakhmerov> as far as my participation: I would like to be there but it's not confirmed yet
16:33:48 <rakhmerov> I might not be there
16:34:01 <hparekh_> rakhmerov:yeah sure I will share
16:34:13 <rakhmerov> m4dcoder: did you have a chance to discuss that with ALU?
16:34:29 <rakhmerov> they had a strong opinion on that topic
16:35:01 <m4dcoder> not directly. i just plan to have the spec and then discuss. it won't impact them if they don't want to change.
16:35:14 <rakhmerov> they were against it
16:35:27 <rakhmerov> but yes, I guess as long as it's configurable it won't harm them
16:35:30 <m4dcoder> my proposal is to have a plugin for how it is scheduled. they can use the plugin that uses the same algorithm.
16:36:31 <rakhmerov> m4dcoder: yeah, makes sense
16:37:09 <rakhmerov> m4dcoder: plugin arch is clear to me, I'm rather thinking how this algo would work at all
16:37:15 <rakhmerov> I don't see a clear picture now
16:37:34 <m4dcoder> i'll try to paint it clearly in the spec
16:37:43 <rakhmerov> the issue is that we use MQ and I'm not sure how we can implement this kind of scheduling on top of it
16:37:59 <rakhmerov> m4dcoder: ok, then I'll be waiting for a spec
16:38:12 <m4dcoder> cool
16:38:19 <rakhmerov> when do you think you'd be able to draft it?
16:38:58 <m4dcoder> i hope soon. i'm fighting for time to do this.
16:39:16 <rakhmerov> ok )
16:39:19 <rakhmerov> understood
16:39:59 <rakhmerov> alright
16:40:06 <rakhmerov> anything else to discuss?
16:40:33 <rakhmerov> as usual, I'll count to 10 and end the meeting
16:40:35 <rakhmerov> 1
16:40:36 <rakhmerov> 2
16:40:37 <rakhmerov> 3
16:40:38 <rakhmerov> 4
16:40:39 <rakhmerov> 5
16:40:41 <rakhmerov> 6
16:40:43 <rakhmerov> 7
16:40:45 <rakhmerov> 8
16:40:47 <rakhmerov> 9
16:40:49 <rakhmerov> 10
16:40:54 <akuznetsova> bye
16:41:01 <m4dcoder> bye. thx!
16:41:01 <rakhmerov> ok, thanks for joining! Bye everyone
16:41:11 <rakhmerov> #endmeeting