18:02:18 <heckj> #startmeeting
18:02:19 <openstack> Meeting started Tue Feb 28 18:02:18 2012 UTC.  The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:20 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:02:32 <heckj> morning morning! (morning for me, anyway)
18:02:47 <heckj> agenda for today: http://wiki.openstack.org/Meetings/KeystoneMeeting
18:02:48 <ayoung> O/
18:03:12 <termie> o/
18:03:25 <heckj> so let's jump in. Status for the E4 drop today!
18:03:46 <heckj> #link https://launchpad.net/keystone/+milestone/essex-4
18:03:46 <termie> heckj: i think we could probably do it, all our big stuff landed
18:04:00 <termie> heckj: i'd like to get the config stuff in
18:04:06 <termie> heckj: even though i don't like it
18:04:24 <heckj> When does Theirry normally cut those branches?
18:04:31 <heckj> (can't spell, already...)
18:04:43 <termie> i heard "early" so i assume we're already past that
18:04:50 <termie> zns: how has it worked in the past?
18:05:16 <heckj> presumably we can cherry pick back? Or are those branches closed?
18:06:00 <zns> heckj: he's done it evening European time which has translated to around 10AM Central.
18:06:18 <zns> Is today the day to cut?
18:06:29 <heckj> yep
18:06:36 <zns> termie: ^
18:06:59 <heckj> so probably happened a couple of hours ago
18:07:00 <zns> Should have been done already then...
18:07:09 <zns> * going to see if there are tags in the repo *
18:07:37 <ayoung> Only ticket not tagged complete is 942247
18:08:05 <heckj> #link https://bugs.launchpad.net/keystone/+bug/942247 - under review right now https://review.openstack.org/#change,4634
18:08:07 <uvirtbot`> Launchpad bug 942247 in keystone "auth_token middleware should properly handle KeyError" [Critical,In progress]
18:08:21 <heckj> So we'll likely have a few pieces to cherry pick back - I'll assume we can and check with ttx later today
18:08:39 <zns> I don't see anything after E3.
18:09:05 <heckj> maybe he's sleeping in then - or waiting for the openstack meeting to check before he cuts
18:10:30 <heckj> termie: eyes on https://review.openstack.org/#change,4634 would be appreciated. I'd like to see logging, but am in general consensus that long term we'll likely want to shift this into openstack-common. What do you think for the middleware pieces?
18:11:43 <heckj> Anyone else have reviews pending that need immediate attention for the E4 cut?
18:11:45 <heckj> #link https://review.openstack.org/#q,status:open+keystone,n,z
18:11:46 <termie> heckj: no strong opinion on them, they are old code
18:12:06 <termie> heckj: ayoung has a small bugfix for the ldap branch that he is about to propose
18:12:25 <heckj> ayoung: https://review.openstack.org/4639?
18:12:28 <termie> heckj: but i assume from the way that the releases work, people file bugs and then we fix them and propose again
18:12:32 <ayoung> https://review.openstack.org/#change,4639
18:12:38 <ayoung> heckj, you're faster than I am
18:12:54 <heckj> ayoung: copy/paste from the email that just appeared :-)
18:13:14 <heckj> termie: I think that's the process too. Guess we'll learn as we go.
18:13:44 <ayoung> so without this fix,  in order to get the default schema to work,  you need to set the config file option.  I'd rather avoid posting a work-around
18:13:58 <heckj> Okay - for now, let's assume features are frozen with respect to Keystone for Essex, and we'll focus on bug fixes and starting to set up a release candidate. Any disagreements there?
18:14:47 <termie> heckj: nope, though definitions of feature and bug are still vague in my mind
18:14:53 <termie> i am used to loopholing
18:16:03 <heckj> #topic high priority bugs or issues?
18:16:35 <heckj> One popped in last night related to the legacy code in auth_token, dprince seems to be all over it right now.
18:16:47 <termie> i'd say config, and possibly nova policy.js copying are high on my mind
18:16:56 <zns> Agree with termie. There are many bugs in there that really are feature requests. I think that will be a topic at the meeting today as we discuss post-E4 work.
18:16:58 <termie> *policy.py
18:17:51 <heckj> the config doesn't seem to be changing any features per se, although the policy stuff is (to me)
18:18:24 <heckj> termie: I know you wanted to have some additional discussion around that - still your idea to work with a branch out there and discuss from there?
18:18:56 <termie> heckj: yeah generally, i mostly stabilized on not changing anything right now just implementing the same admin checks with a better backend
18:19:08 <termie> heckj: rather than trying to improve anything there
18:19:35 <heckj> termie: agreed. How would you like to proceed to move that forward in the next couple of weeks?
18:20:25 <termie> heckj: i'll probably just do the work and have it sit around and then try to convince people they should merge it
18:20:42 <termie> i think it is only a day of work, i've just been review/emailing continuously
18:20:55 <heckj> termie: sounds good - definitely been busy
18:22:16 <heckj> anything else for high priority issues or bugs?
18:23:12 <heckj> Okay - switching over to organizational stuff for a second...
18:23:18 <heckj> #topic blueprints and bugs
18:23:58 <heckj> I'm behind on categorizing bugs, although i did get all the older ones marked with legacy. This week I'll be going through and setting some initial priorities on the bugs outstanding that are listed as "undecided"
18:24:14 <termie> sounds awesomesauce
18:24:17 <heckj> Same plan as before, if you disagree with a prioritization, just holler and we'll work it out
18:24:49 <heckj> Right now, we have intentionally overloaded "to do" items into bugs (which if I get the whole LP thing should be "blueprints")...
18:25:27 <heckj> I've been going through the existing blueprints, and I'm about at the decision that almost nothing should be saved there - wipe them out, and start from scratch. I'd like to get something in place to discuss Domains with the HP folks and the need they're expressing.
18:25:36 <heckj> Is there any other blueprints that folks are really attached to?
18:25:42 <heckj> (sorry, "are there")
18:25:50 <heckj> grammar is going to shit too
18:26:24 <termie> quiet meeting
18:26:24 <ayoung> gyee is here.  He owns domains
18:26:36 <termie> we've been having a lot of domains discussion
18:26:45 <termie> i think we're progressing on that solidly
18:26:52 <heckj> yeah - going to represent it in a blueprint and continue that, it's going well
18:26:56 <ayoung> So maybe keep that one  for now,  but it needs to be updated?
18:26:57 <heckj> ^^ what termie said
18:26:58 <uvirtbot`> heckj: Error: "^" is not a valid command.
18:27:04 <gyee> what's domains?
18:27:05 <heckj> I hate you virtbot
18:27:05 <gyee> :)
18:27:24 <ayoung> gyee, it's an Active Directory thing afaict
18:27:29 <heckj> Okay - assume all the other blueprints are going to die in a fire shortly.
18:27:51 <gyee> two BPs HP can help
18:27:54 <gyee> domains and tempURL
18:27:55 <heckj> I'll then transfer some of the bugs that are obviously "we need to do…" and shift those into blueprints and link the bugs.
18:28:00 <heckj> (or should I just close the bugs?)
18:28:24 <termie> i'd leave the bugs open
18:28:27 <gyee> heckj, what about the serviceId filtering?
18:28:29 <termie> i don't like the domain system so much
18:28:30 <ayoung> rbac is going away, or the Blueprint needs to be rewritten?
18:28:41 <termie> gyee: we discussed that with you, i think jesse talked a bunch about it
18:28:52 <gyee> so we'll do it as core?
18:29:13 <heckj> gyee: I think more that we want to accommodate that need in a rewrite of the API
18:29:15 <termie> gyee: not exactly, it isn't necessary right now because permissions are more restrictive
18:29:31 <termie> gyee: for domains that is something we think should get into core
18:29:39 <gyee> rbac better stays, chris kemp mentioned it RSA yesterday :)
18:29:51 <joesavak> \o
18:29:55 <heckj> gyee: I happen to know that guy… :-)
18:29:55 <termie> ayoung: rbac stuff as proposed should be scrapped, but we have good stuff already in the works via nova and glance
18:30:04 <heckj> termie: ++
18:30:20 <heckj> gyee: plus it matches what was described at the essex design summit
18:30:40 <heckj> Hey joesavak - question, or just jump in?
18:31:02 <joesavak> jumping in - i heard "rbac is going away" and API is being re-written.
18:31:10 <termie> lulz
18:31:11 <gyee> what about tempURL support?
18:31:33 <termie> gyee: i don't know what that is, i don't recall it ever being brought up before
18:31:50 <gyee> to support swift
18:31:57 <heckj> joesavak: the blueprint is going away, and it's being done as the policy service. We're resetting for moving into the folsom design summit discussions
18:32:04 <termie> gyee: my guess is either it is still applicable for folsom or it is going away, but not happening for essex
18:32:26 <gyee> yeah, for folsom
18:32:26 <heckj> it's definitely not happening in essex, but we can absolutely discuss it for the folsom timeframe
18:32:35 <joesavak> the nova and glance handling of RBAC is middleware only, right? No API calls support RBAC that I know of (at least not capability or fine-grained access control)
18:32:48 <gyee> but serviceId is a must since it addresses a security vulnerability
18:32:56 <heckj> gyee: which of the blueprints on https://blueprints.launchpad.net/keystone is the tempURL thing?
18:33:26 <termie> joesavak: yes, we're just saying the existing blueprint should be scrapped, we have a different api we should write
18:33:42 <heckj> gyee: I won't burn down the "service-endpoint-location" - that's the associated blueprint for serviceID, right?
18:33:48 <termie> gyee: the security vuln does not exist since we have less options for what you can do
18:33:50 <joesavak> @heckj: https://blueprints.launchpad.net/keystone/+spec/keystone-timed-access
18:34:19 <termie> gyee: so when we increase the scope of what somebody can do something like serviceId will need to happen
18:34:33 <termie> gyee: but we aren't having the problem it tries to solve right now
18:34:35 <gyee> heckj, https://blueprints.launchpad.net/keystone/+spec/keystone-timed-access
18:34:51 <heckj> joesavak, gyee: thank you
18:35:08 <gyee> service-endpoint-location is different from serviceId
18:35:11 <termie> gyee: haven't you been in discussions and emails with jesse about this?
18:35:14 <gyee> endpoint location is meta data
18:36:10 <gyee> termie, without the serviceId filter, users may get leaked permission
18:36:32 <termie> gyee: users have no permissions
18:36:42 <joesavak> heckj: regarding API re-write: we are still supporting core and existing extension APIs, right? It's just proposed APIs that will be rewritten in new bps (like RBAC)?
18:37:21 <ayoung> zns1, did https://review.openstack.org/#change,2889  survive the Keystone Light Merge?  That is the only approved Blueprint in the list
18:37:26 <gyee> termie, not sure if I understand what you mean
18:37:27 <heckj> joesavak: we're supporting the core through the functional tests, that's how this was born. Or are you asking something else?
18:37:36 <gyee> roles won't be returning as part of token validation?
18:37:41 <dolphm> ayoung: no
18:37:46 <termie> joesavak: we're just saying the api described in the blueprint for rbac is not the one we want
18:37:56 <joesavak> termie: ok cool
18:38:24 <joesavak> termie: any doc on the api you do want?
18:38:26 <gyee> we need RBAC! don't make chris kemp look bad now :)
18:38:46 <termie> gyee: they do, but there are no longer any ways for anybody but the system admin to change them
18:39:06 <termie> gyee: there are no permissions to leak since nobody is allowed to do anything
18:39:14 <termie> gyee: except for the admin
18:39:36 <termie> gyee: re rbac, we will have rbac, we are just talking about the proposed api
18:39:45 <zns> heckj: I don't think it was ported over. AFAIK only OS-KSCATALOG and OS-KSADMIN were worked on?
18:40:15 <zns> heckj: The middleware had support for it too. Not sure that was moved into KSL.
18:41:42 <termie> zns: was not moved into ksl
18:41:56 <zns> ayoung, heckj: I intended those last two comments in response to ayoung.
18:42:21 <gyee> termie, have you looked at https://bugs.launchpad.net/keystone/+bug/890411?
18:42:22 <uvirtbot`> Launchpad bug 890411 in keystone "Tenant role conflicts/overlaps can be a security issue" [Medium,Fix released]
18:42:34 <gyee> you mean the stuff described there is no longer applicable in KSL?
18:42:34 <heckj> Okay - so the two blueprints that I will keep in the list are: "keystone-timed-access" and "keystone-domains". I'm assigning gyee to be the drafter, with the idea that gyee will take the lead on explaining what's desired by those items. Are there any others that someone wants to raise a hand and protect from the flames?
18:42:53 <ayoung> zns, looks like the answer is no,  but the blueprint is tagged for Folsom.  That blueprint should stay around.
18:43:00 <termie> gyee: this is what we've been discussing
18:43:01 <gyee> keckj, these are for folsom correct?
18:43:04 <heckj> ayoung: which one?
18:43:11 <joesavak> heckj: when does the flame thrower ignite? Can we have until end-of-day?
18:43:12 <gyee> s/keckj/heckj/
18:43:16 <termie> gyee: please take this offline if you have further questions, we've already gone over this multiple times from what i am aware of
18:43:17 <heckj> gyee: correct - for discussion for folsom
18:43:26 <ayoung> heckj, IDs in the Tokens
18:43:52 <heckj> ayoung - which blueprint?
18:43:55 <gyee> we can also do endpoint locations
18:43:55 <ayoung> https://blueprints.launchpad.net/keystone/+spec/stop-ids-in-uris
18:44:03 <heckj> "stop-ids-in-uris"?
18:44:30 <heckj> sorry, I don't know what many of these mean - hence the flames. Trying to reset a bit and get it straight
18:44:49 <heckj> ayoung: got it. It's safe, and now assigned to you as drafter
18:44:59 <termie> i don't think this is the proper way to talk about these blueprints, too many people trying to talk at once
18:45:17 <heckj> It is immensely confusing.
18:45:37 <termie> if only blueprints had some way to comment on them...
18:45:40 * termie hates launchpad
18:45:49 <heckj> I don't want to discuss them in detail, but just get a quick list of what we need to save… (yeah, agreed)
18:45:56 <joesavak> whiteboard?
18:46:13 <termie> whiteboards are terrible, that is not a discussion
18:46:26 <termie> commenting is a discussion
18:46:42 <mtaylor> I think the theory is that the meat of the thing and discussion would be on a wiki or some other thing that isn't the blueprint
18:46:48 <mtaylor> and the blueprint is just a pointer to that
18:46:49 <termie> mtaylor: fanboy
18:46:53 * mtaylor thinks it's crap too
18:47:09 <heckj> How about we plan to discuss them on IRC (or as a pull request in gerrit)?
18:47:31 <termie> next week we can queue up a few and discuss one at a time
18:47:40 <termie> </idea>
18:47:45 <heckj> We can schedule them up and knock them down - keystone meeting is (I think) a reasonable time -
18:47:50 <termie> aye
18:47:59 <heckj> #action - heckj to schedule up blueprints for discussion next week
18:48:03 <joesavak> Unassign everyone. provide a date for the flamethrower & communicate to mailing list - any that don't have an assignee on that date gets burned
18:48:22 <heckj> #action - heckj to bring the purifying flames to existing blueprints
18:48:27 <heckj> joesavak: yep, will do
18:48:43 <termie> joesavak: i still think they need discussion, people seem to treat them as if they are all good ideas
18:49:01 <termie> joesavak: (because they are their ideas)
18:49:02 <joesavak> termie: at least we'll know by the assignee who wants to be the advocate
18:49:07 <termie> sure
18:49:15 <termie> (that makes sense)
18:49:57 <termie> http://www.quickmeme.com/meme/36cvj6/
18:49:59 <joesavak> it'll clear out the ones that have no advocate or owner anymore
18:50:04 <heckj> Okay - that's good for now
18:50:13 <joesavak> lol
18:50:17 <heckj> heh
18:50:25 <heckj> #topic: Open Discussion
18:50:26 <joesavak> heckj for president
18:50:32 <heckj> oh dear god
18:51:03 <termie> i was thinking if we get him on the ppb then our project has two votes
18:51:20 <termie> fighting above our weight, etc
18:51:39 <mtaylor> you should get me on too ... my vote can be bought ;)
18:51:57 <heckj> what's your price mtaylor? Are you a scotch man? Tequila?
18:52:04 <mtaylor> yes
18:52:30 <mtaylor> vodka, cachaça, tequila, scotch - you know, whatever
18:52:38 <gyee> heckj, so the service endpoint location BP is still on the radar?
18:52:38 <heckj> anyone seen chmouel around?
18:52:48 <termie> mtaylor: http://distilleryimage0.instagram.com/4aa1341661b211e19e4a12313813ffc0_7.jpg
18:52:56 <termie> mtaylor: think we've got you covered
18:53:12 <chmouel> heckj: i'm here
18:53:13 <termie> mtaylor: (i went shopping yesterday)
18:53:16 <heckj> gyee: anything *can* be on the radar - all you need to do is step up to advocate for the work and explain/defend why it's needed
18:53:16 <mtaylor> termie: nice
18:53:22 <Kiall> mtaylor: Poitín it is so.. really shouldn't have said "whatever" ;)
18:53:39 * mtaylor does not accept finnish black vodka...
18:53:53 <Kiall> Poitín is an Irish drink ;)
18:53:55 <heckj> chmouel: you've got three blueprints in keystone - I'm going to remove you as assignee for right now. If you want them to stay and advocate for that functionality, please just reassign yourself.
18:53:56 <termie> salmiakki
18:54:04 <Kiall> 60-95% alcohol ;)
18:54:20 <heckj> chmouel: I'm trying to clear out the dead wood, so anything unassigned in a day or two is going to get nuked from the list
18:54:37 <chmouel> heckj: cool, i'll do that does are for folsom
18:54:44 <chmouel> s/does/those/
18:54:51 <heckj> chmouel: thanks man!
18:55:28 <gyee> heckj, I'll tell the lobbyist to get busy then :)
18:55:51 <heckj> gyee: you're already listed as a lobbyist on two right now
18:55:52 <heckj> :-)
18:56:01 <ayoung> We've got 3 minutes until the next meeting barges in....
18:56:08 <heckj> termie: what a set!
18:56:17 <heckj> (re: link above)
18:56:22 <heckj> Okay - anything else?
18:56:46 <heckj> thanks all!
18:56:47 <termie> KEEP IT REAL
18:56:51 <heckj> #endmeeting