18:02:45 <zns> #startmeeting Keystone Team Meeting 18:02:46 <openstack> Meeting started Tue Jan 31 18:02:45 2012 UTC. The chair is zns. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:02:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic. 18:02:57 <zns> Hi - anyone here for the Keystone meeting? 18:03:02 <mtaylor> o/ 18:03:02 <gyee> \0 18:03:07 <gyee> \o 18:03:13 <mtaylor> gyee: is a cyclops 18:03:27 <zns> Cool! Hi. 18:03:30 <ayoung> \o/ 18:03:32 <zns> #topic status update 18:03:57 <zns> Has everyone seen & read the ksl announcement? 18:04:10 <gyee> zns: I am pretty deep into the keystone domains blueprint 18:04:12 <zns> The branch is now available in the repo. It's called "redux" 18:04:38 <zns> gyee: cool. Have you had a chance to post any part of it? Or the contracts? 18:05:07 <gyee> I sent out the wadl and xsd, not sure if you guys have a chance to review it yet 18:05:24 <ayoung> zns, what is the timeline for changing over to Keystone? 18:05:26 <ayoung> Light 18:05:26 <zns> gyee: by email or in a review? 18:05:35 <gyee> zns, by email 18:05:50 <zns> ayoung: E4 if we can get the gaps filled. 18:05:59 <zns> gyee: I'll go back and review... 18:06:05 <gyee> what does KSL mean for blueprints that are currently in-flight? 18:06:58 <gyee> will the existing branch be deprecated at some point? when? 18:07:26 * mtaylor thinks that in-flight blueprints should probably be developed on top of the redux branch at this point, no? 18:07:40 <zns> gyee: E3 was the cut-off fir any new features. So, ostensibly, there are no new features in flight. Until KSL gets merged in, the current master branch is the supported branch. Blueprints and bugs against that should continue ahead. 18:07:52 * mtaylor takes back what he said 18:07:56 <gyee> :) 18:08:01 <gyee> what about the F branch? 18:08:15 <gyee> so F is the master or a separate one? 18:08:26 <mtaylor> F will be the master once E is cut 18:08:40 <mtaylor> scuse me 18:08:44 <mtaylor> master will be F once E is cut 18:08:57 <ayoung> I'm guessing that we will want a branch off of redux for Fremont/Folsom/Francisco 18:08:58 <gyee> so I can't checkin new features till E5's done" 18:08:59 <gyee> ? 18:09:29 <zns> mtaylor: I don't disagree with what you said, but KSL is not ready yet. So testing might be a challenge. BUt I do agree that new work shoud focus on KSL. 18:09:29 <gyee> we decided on Folsom already right? 18:09:41 <mtaylor> yes. we did decide on folsom 18:09:43 <zns> gyee: correct. 18:09:45 <anotherjesse> apologies for being late - in a meeting :( 18:10:14 <mtaylor> the where-does-new-features work go with our "make things stable" model at the moment is a bit of an unanswered/unaddressed issue 18:10:31 <zns> mtaylor: do we have a folsom branch already in the repo? If not, we probably should base that on redux. 18:11:07 <gyee> so Folsom = redux? 18:11:10 <zns> mtaylor: yes. It's a gap. I think that's what's confusing for gyee. He's coding against master. 18:11:10 <mtaylor> no, we don't - we don't really have a model for opening a folsom before essex is released... I think I should circle up with ttx 18:11:22 <mtaylor> zns: indeed. I think it's a gap we need to solve :) 18:11:33 <gyee> I am really confused now 18:11:41 <zns> termie, anotherjessie: any thoughts on hwta Gyee should do? Code against master and port to KSL or code to KSL 18:11:52 <gyee> what's the emoticon for confused? (_?_) 18:11:55 <ayoung> We are going to have to decide :push path to redux and then merge to Folsom or the reverse. 18:12:01 <ayoung> patch 18:12:58 <zns> There are two challenges for gyee. One, he's building a new feature; so that should go in Ffolsom since we're feature frozen. Two, which branch should he be coding against given KSL is not baked yet. 18:13:33 <zns> ayoung, gyee: any preferences for which? My preference is to continue on master until KSL is ready. 18:13:43 <gyee> then do the porting? 18:14:01 <ayoung> zns, I think I am going to focus on getting KSL feature compatible with curent master regardless. 18:14:02 <gyee> I want to have some idea what the scope is 18:14:32 <ayoung> I'd say that we push changes to redux, and then merge them over to Folsom 18:14:35 <gyee> I can continue on master, but there will be porting effort right? 18:14:42 <gyee> master to KSL 18:15:16 <zns> ayoung: for new efforts, maybe that;s a good path. But gyee has already started on master, so maybe finish that and then we work on the porting? 18:15:31 <anotherjesse> zns: my view is that we want to replace master with KSL asap 18:15:46 <zns> gyee: correct. There will be work to port. But that applies to many of the features in master now that don't exist in redux (ksl) 18:16:06 <ayoung> zns, I suspect that gyee will have a lot of work to do to make his changes work weith KSL, 18:16:08 <ayoung> with 18:16:14 <gyee> is the KSL code available now? I can go read the code and figure out the porting effort 18:16:17 <anotherjesse> our team is 100% focused on KSL in essex 18:16:32 <anotherjesse> gyee: https://github.com/termie/keystonelight 18:16:42 <zns> anotherjessie: you're saying cut over before compatibility is reached? What about existing deployments? 18:16:43 <gyee> anotherjesse, thanks 18:16:46 <mtaylor> gyee: https://github.com/openstack/keystone/tree/redux 18:16:48 <ayoung> anotherjesse, it is in the redux branch, too 18:17:22 <anotherjesse> zns: compatibility is within days of being finished - the missing list is: XML, pagination, token delete 18:17:44 <ayoung> anotherjesse, do we care about parity for keystone-manage? 18:18:04 <gyee> so token delete will be officially supported? 18:18:13 <anotherjesse> gyee: it is an extension I think 18:18:13 <gyee> that's the other issue I want to bring up 18:18:26 <anotherjesse> ayoung: the goal of other projects is to minimize the *-manage commands 18:18:31 <ayoung> also, does that include the LDAP backend? 18:18:33 <gyee> DELETE /v2.0/RAX/token/tokenId? 18:18:52 <zns> anotherjessie: what about LDAP, errors returned, URL normalization? 18:19:02 <anotherjesse> zns: url normalization? 18:19:16 <zns> anotherjessie: should we put all the gaps in blueprints/bugs? Maybe prefix the name with redux: ? 18:19:29 <anotherjesse> zns: yep - that is in progerss 18:19:32 <zns> .xml returns XML. .json reutnrs JSON. 18:20:58 <zns> OK. SOunds like we've got good momentum then for a switch to KSL soon? How do we validate that? What's the fallback for someone having problems? Use E3? 18:21:00 <anotherjesse> for LDAP the reason we haven't ported the existing LDAP code (that we originally wrote for nova) 18:21:29 <anotherjesse> is that KSL has the approach that tokens, users, tenants, members, roles each have their own backing system 18:21:40 <anotherjesse> since you might want to use users from company's LDAP for SSO 18:21:48 <mtaylor> well- the redux branch is tied in to gerrit now, so it will run all of the same tests that run against current keystone (or else new patches won't land) ... 18:21:54 <anotherjesse> but you don't have write access for role/membership management 18:22:04 <heckj> o/ (sorry for being late) 18:22:24 <gyee> just to clarify, new features WILL go into redux correct? 18:22:35 <mtaylor> so hopefully that should help with some of the validation 18:22:59 <ayoung> anotherjesse, then what is the right approach for LDAP in the new arch? 18:23:01 <anotherjesse> heckj: your team is focused on KSL right? 18:23:09 <heckj> yep 18:23:31 <zns> gyee: new features will go into redux in the folsom timeframe. 18:23:49 <heckj> anotherjesse: lately updating the docs in ksl and cleaning work on python-keystoneclient 18:23:53 <anotherjesse> zns: and that is because we are at feature freeze - regardless of ksl vs keystone? 18:24:04 <zns> anotherjesse: correct. 18:24:34 <gyee> zns: when can I start checking in domains code? 18:25:00 <zns> gyee: the only way we should get new features in for Essex is if they are totally optional extensions (no schema changes, etc). 18:26:15 <gyee> domains feature is an extension, though we are extending users, tenants, roles, and services 18:26:49 <zns> gyee: any time you are ready. As long as it is optional we can include it. But given we are in a feature freeze, we can't accept shcema or API changes. 18:27:11 <zns> gyee: does it come with schema changes? 18:27:23 <anotherjesse> gyee: you are referring to https://blueprints.launchpad.net/keystone/+spec/keystone-domains - correct? 18:27:32 <gyee> yes 18:27:44 <gyee> new domains APIs 18:28:03 <gyee> under /v2.0/HP-IDM/v1.0/domains 18:29:10 <zns> anotherjessie, termie: would it be easier to implement domains in KSL in a way that would not alter the schema? That might be a path forward for gyee (and a way to leverage the architecture of KSL). 18:29:25 <anotherjesse> zns: reading it now 18:29:35 <anotherjesse> gyee: are you around after the meeting to chat about it 18:29:47 <gyee> sure 18:29:53 <gyee> I can starting using KSL if you want 18:30:08 <gyee> ya know, clear the land mines for your guys :) 18:30:15 <anotherjesse> gyee: the major blocker would be XML support 18:30:18 <ayoung> gyee, how much code do you have in the domains effort thus far? 18:30:19 <anotherjesse> which we plan to land this week 18:30:36 <gyee> ayoung, quite a bit 18:30:42 <gyee> ~20 files 18:30:43 <heckj> gyee, anotherjesse: I'm trying to grok what its providing, not geting it from the blueprint description 18:31:52 <anotherjesse> gyee: my precursory read of the domain blueprint makes me wonder if it is accomplished with RBAC - having roles that allow "admin" api commands 18:32:11 * heckj was wondering the same thing 18:32:13 <zns> heckj: think of it as allowing multiple Admins, each managing their own slice of the Keystone pie without having access to each other's data. 18:32:30 <gyee> essentially domains are new containers for users, tenants, roles, and services 18:33:10 <heckj> a grouping around tenants - adding another level up to which we can apply policies, or is it one of those infinitely nested things? 18:33:33 <gyee> just one level, we don't support nested domains right now 18:33:41 <zns> heckj: one level, no nesting. 18:34:13 <heckj> that sure sounds like it needs schema changes in the basic (a SQL) setup 18:34:15 <gyee> just a way to segregate resources for easier management 18:34:33 <anotherjesse> gyee: do services like nova/glance get the domain from the token validation? 18:34:39 <heckj> You'd be able to apply that nicely in KSL using the policy engine setup and base components that are already in there 18:35:11 <gyee> domain ID will be returned if hpdom extension is enabled 18:35:13 <heckj> or is the domain even exposed to the services? 18:35:33 <gyee> you can lookup services for a given domain 18:36:10 <ayoung> gyee, Is there any reason to call it a Domain as opposed to Nested Tenants? 18:36:15 <gyee> if hpdom extension is disabled, you can only operate on resources that is in the Keystone default system domain 18:36:17 <anotherjesse> gyee: I ask because if a user has an admin role in a domain - nova/glance would need to make it so admin-ness was scoped to only tenants within that domain 18:36:37 <gyee> anotherjesse, that 18:36:39 <gyee> s correct 18:36:51 <gyee> domain admin can only manage resource in his own domain 18:37:10 <gyee> but he can assign roles in his own domain to users from another domain 18:37:15 <anotherjesse> gyee: I'm concerned about adding it in the essex timeframe primarily due to changes required in other projects 18:37:35 <anotherjesse> since nova doesn't have those concepts yet 18:37:45 <gyee> anotherjesse, it's extension 18:37:49 <anotherjesse> I like the idea a lot though - what are your thoughts 18:38:17 <anotherjesse> gyee: but an extension in keystone that doesn't work with other open projects, perhaps we should time it for F1 (april)? 18:38:18 <gyee> fully backward compatible 18:38:20 <heckj> Thats a pretty fundamental and far-reaching component - I think we might be better served by lining it up for a folsom-1 introduction rather than this late in the release cycle 18:38:34 <heckj> er, yeah - what anotherjesse said... 18:39:10 <gyee> I am fine with Folsom 18:39:23 <gyee> just let me know when it is ready so I can push codes for review 18:39:26 <anotherjesse> gyee: it would be good for us to add to blueprint 18:39:28 <zns> so that would mean gyee should port it to a folsom branch of ksl? Are we opening that branch? 18:39:48 <heckj> zns: I think that would make a great deal of sense 18:40:11 <zns> WHen would the right time for that be? Now, in a week, or on E4? 18:41:02 <zns> zns: proposing we open up the branch next week when KSL has reached compatibility. Seconds? 18:41:18 <heckj> I think we could make the ksl branch available at any time - right now, but we wouldn't want it as default yet 18:41:34 <anotherjesse> heckj - it is https://github.com/openstack/keystone/tree/redux 18:41:57 <heckj> eh, teach me to be late to the meeting 18:42:04 <anotherjesse> zns: the general project stance is that you don't open folsom until it is read 18:42:14 <anotherjesse> so as to prioritize community working on current branches 18:42:14 <zns> We'd be creating a new one off of that; folsom branch (based on redux). 18:42:44 <anotherjesse> so if you want to work ahead you would create a local branch against KSL and merge prop once open 18:42:54 <anotherjesse> this happens in nova as well (when a team is working ahead due to internal deadlines) 18:43:56 <zns> OK. SO gyee should work on a local branch of redux and wait for folsom to open up? 18:43:56 <ayoung> gyee, I'd just be aware that there are going to be many changes go in to redux between now and Folsom, so if you are going to work off a branch from redux, we will all want to make sure that it keeps up with all commits 18:44:20 <ayoung> so rebase early and rebase often 18:44:34 <gyee> or pushing code often :) 18:44:41 <zns> #info New features should go in local branches and wait for folsom 18:45:03 <heckj> #info based on the redux branch in keystone now 18:45:13 <ayoung> gyee, well, if you had somewhere to push to, I'd agree.... 18:45:20 <zns> #info redux branch should be ready for merge by next week 18:45:30 <gyee> wait, so redux is NOT open for writing right now? 18:45:35 <anotherjesse> it is open for writing 18:45:40 <anotherjesse> you use git-review against redux 18:45:48 <zns> I have one last quick question... 18:45:48 <anotherjesse> goal is to be ready to merge into master asap 18:46:02 <ayoung> gyee, are you going to be pushing Domains changes into redux? I thought we just agreed it would wait until Folsom? 18:46:04 <zns> anotherjessie: should we prefix bugs and blueprints with "redux:" to separate them from master? 18:46:44 <zns> or any other thoughts on how to separate them? 18:46:58 <anotherjesse> zns: use tags? 18:47:08 <zns> tags works! 18:47:27 <zns> #info: tag bugs/blueprints with "redux" to identify the branch 18:47:36 <zns> Thanks everyone! 18:47:37 <zns> #endmeeting