18:02:18 #startmeeting
18:02:19 Meeting started Tue Feb 28 18:02:18 2012 UTC. The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:20 Useful Commands: #action #agreed #help #info #idea #link #topic.
18:02:32 morning morning! (morning for me, anyway)
18:02:47 agenda for today: http://wiki.openstack.org/Meetings/KeystoneMeeting
18:02:48 O/
18:03:12 o/
18:03:25 so let's jump in. Status for the E4 drop today!
18:03:46 #link https://launchpad.net/keystone/+milestone/essex-4
18:03:46 heckj: i think we could probably do it, all our big stuff landed
18:04:00 heckj: i'd like to get the config stuff in
18:04:06 heckj: even though i don't like it
18:04:24 When does Theirry normally cut those branches?
18:04:31 (can't spell, already...)
18:04:43 i heard "early" so i assume we're already past that
18:04:50 zns: how has it worked in the past?
18:05:16 presumably we can cherry pick back? Or are those branches closed?
18:06:00 heckj: he's done it evening European time which has translated to around 10AM Central.
18:06:18 Is today the day to cut?
18:06:29 yep
18:06:36 termie: ^
18:06:59 so probably happened a couple of hours ago
18:07:00 Should have been done already then...
18:07:09 * going to see if there are tags in the repo *
18:07:37 Only ticket not tagged complete is 942247
18:08:05 #link https://bugs.launchpad.net/keystone/+bug/942247 - under review right now https://review.openstack.org/#change,4634
18:08:07 Launchpad bug 942247 in keystone "auth_token middleware should properly handle KeyError" [Critical,In progress]
18:08:21 So we'll likely have a few pieces to cherry pick back - I'll assume we can and check with ttx later today
18:08:39 I don't see anything after E3.
18:09:05 maybe he's sleeping in then - or waiting for the openstack meeting to check before he cuts
18:10:30 termie: eyes on https://review.openstack.org/#change,4634 would be appreciated. I'd like to see logging, but am in general consensus that long term we'll likely want to shift this into openstack-common. What do you think for the middleware pieces?
18:11:43 Anyone else have reviews pending that need immediate attention for the E4 cut?
18:11:45 #link https://review.openstack.org/#q,status:open+keystone,n,z
18:11:46 heckj: no strong opinion on them, they are old code
18:12:06 heckj: ayoung has a small bugfix for the ldap branch that he is about to propose
18:12:25 ayoung: https://review.openstack.org/4639?
18:12:28 heckj: but i assume from the way that the releases work, people file bugs and then we fix them and propose again
18:12:32 https://review.openstack.org/#change,4639
18:12:38 heckj, you're faster than I am
18:12:54 ayoung: copy/paste from the email that just appeared :-)
18:13:14 termie: I think that's the process too. Guess we'll learn as we go.
18:13:44 so without this fix, in order to get the default schema to work, you need to set the config file option. I'd rather avoid posting a work-around
18:13:58 Okay - for now, let's assume features are frozen with respect to Keystone for Essex, and we'll focus on bug fixes and starting to set up a release candidate. Any disagreements there?
18:14:47 heckj: nope, though definitions of feature and bug are still vague in my mind
18:14:53 i am used to loopholing
18:16:03 #topic high priority bugs or issues?
18:16:35 One popped in last night related to the legacy code in auth_token, dprince seems to be all over it right now.
18:16:47 i'd say config, and possibly nova policy.js copying are high on my mind
18:16:56 Agree with termie. There are many bugs in there that really are feature requests. I think that will be a topic at the meeting today as we discuss post-E4 work.
18:16:58 *policy.py
18:17:51 the config doesn't seem to be changing any features per se, although the policy stuff is (to me)
18:18:24 termie: I know you wanted to have some additional discussion around that - still your idea to work with a branch out there and discuss from there?
18:18:56 heckj: yeah generally, i mostly stabilized on not changing anything right now just implementing the same admin checks with a better backend
18:19:08 heckj: rather than trying to improve anything there
18:19:35 termie: agreed. How would you like to proceed to move that forward in the next couple of weeks?
18:20:25 heckj: i'll probably just do the work and have it sit around and then try to convince people they should merge it
18:20:42 i think it is only a day of work, i've just been review/emailing continuously
18:20:55 termie: sounds good - definitely been busy
18:22:16 anything else for high priority issues or bugs?
18:23:12 Okay - switching over to organizational stuff for a second...
18:23:18 #topic blueprints and bugs
18:23:58 I'm behind on categorizing bugs, although i did get all the older ones marked with legacy. This week I'll be going through and setting some initial priorities on the bugs outstanding that are listed as "undecided"
18:24:14 sounds awesomesauce
18:24:17 Same plan as before, if you disagree with a prioritization, just holler and we'll work it out
18:24:49 Right now, we have intentionally overloaded "to do" items into bugs (which if I get the whole LP thing should be "blueprints")...
18:25:27 I've been going through the existing blueprints, and I'm about at the decision that almost nothing should be saved there - wipe them out, and start from scratch. I'd like to get something in place to discuss Domains with the HP folks and the need they're expressing.
18:25:36 Is there any other blueprints that folks are really attached to?
18:25:42 (sorry, "are there")
18:25:50 grammar is going to shit too
18:26:24 quiet meeting
18:26:24 gyee is here. He owns domains
18:26:36 we've been having a lot of domains discussion
18:26:45 i think we're progressing on that solidly
18:26:52 yeah - going to represent it in a blueprint and continue that, it's going well
18:26:56 So maybe keep that one for now, but it needs to be updated?
18:26:57 ^^ what termie said
18:26:58 heckj: Error: "^" is not a valid command.
18:27:04 what's domains?
18:27:05 I hate you virtbot
18:27:05 :)
18:27:24 gyee, it's an Active Directory thing afaict
18:27:29 Okay - assume all the other blueprints are going to die in a fire shortly.
18:27:51 two BPs HP can help
18:27:54 domains and tempURL
18:27:55 I'll then transfer some of the bugs that are obviously "we need to do…" and shift those into blueprints and link the bugs.
18:28:00 (or should I just close the bugs?)
18:28:24 i'd leave the bugs open
18:28:27 heckj, what about the serviceId filtering?
18:28:29 i don't like the domain system so much
18:28:30 rbac is going away, or the Blueprint needs to be rewritten?
18:28:41 gyee: we discussed that with you, i think jesse talked a bunch about it
18:28:52 so we'll do it as core?
18:29:13 gyee: I think more that we want to accommodate that need in a rewrite of the API
18:29:15 gyee: not exactly, it isn't necessary right now because permissions are more restrictive
18:29:31 gyee: for domains that is something we think should get into core
18:29:39 rbac better stays, chris kemp mentioned it at RSA yesterday :)
18:29:51 \o
18:29:55 gyee: I happen to know that guy… :-)
18:29:55 ayoung: rbac stuff as proposed should be scrapped, but we have good stuff already in the works via nova and glance
18:30:04 termie: ++
18:30:20 gyee: plus it matches what was described at the essex design summit
18:30:40 Hey joesavak - question, or just jump in?
18:31:02 jumping in - i heard "rbac is going away" and API is being re-written.
18:31:10 lulz
18:31:11 what about tempURL support?
18:31:33 gyee: i don't know what that is, i don't recall it ever being brought up before
18:31:50 to support swift
18:31:57 joesavak: the blueprint is going away, and it's being done as the policy service. We're resetting for moving into the folsom design summit discussions
18:32:04 gyee: my guess is either it is still applicable for folsom or it is going away, but not happening for essex
18:32:26 yeah, for folsom
18:32:26 it's definitely not happening in essex, but we can absolutely discuss it for the folsom timeframe
18:32:35 the nova and glance handling of RBAC is middleware only, right? No API calls support RBAC that I know of (at least not capability or fine-grained access control)
18:32:48 but serviceId is a must since it addresses a security vulnerability
18:32:56 gyee: which of the blueprints on https://blueprints.launchpad.net/keystone is the tempURL thing?
18:33:26 joesavak: yes, we're just saying the existing blueprint should be scrapped, we have a different api we should write
18:33:42 gyee: I won't burn down the "service-endpoint-location" - that's the associated blueprint for serviceID, right?
18:33:48 gyee: the security vuln does not exist since we have less options for what you can do
18:33:50 @heckj: https://blueprints.launchpad.net/keystone/+spec/keystone-timed-access
18:34:19 gyee: so when we increase the scope of what somebody can do something like serviceId will need to happen
18:34:33 gyee: but we aren't having the problem it tries to solve right now
18:34:35 heckj, https://blueprints.launchpad.net/keystone/+spec/keystone-timed-access
18:34:51 joesavak, gyee: thank you
18:35:08 service-endpoint-location is different from serviceId
18:35:11 gyee: haven't you been in discussions and emails with jesse about this?
18:35:14 endpoint location is metadata
18:36:10 termie, without the serviceId filter, users may get leaked permission
18:36:32 gyee: users have no permissions
18:36:42 heckj: regarding API re-write: we are still supporting core and existing extension APIs, right? It's just proposed APIs that will be rewritten in new bps (like RBAC)?
18:37:21 zns1, did https://review.openstack.org/#change,2889 survive the Keystone Light Merge? That is the only approved Blueprint in the list
18:37:26 termie, not sure if I understand what you mean
18:37:27 joesavak: we're supporting the core through the functional tests, that's how this was born. Or are you asking something else?
18:37:36 roles won't be returning as part of token validation?
18:37:41 ayoung: no
18:37:46 joesavak: we're just saying the api described in the blueprint for rbac is not the one we want
18:37:56 termie: ok cool
18:38:24 termie: any doc on the api you do want?
18:38:26 we need RBAC! don't make chris kemp look bad now :)
18:38:46 gyee: they do, but there are no longer any ways for anybody but the system admin to change them
18:39:06 gyee: there are no permissions to leak since nobody is allowed to do anything
18:39:14 gyee: except for the admin
18:39:36 gyee: re rbac, we will have rbac, we are just talking about the proposed api
18:39:45 heckj: I don't think it was ported over. AFAIK only OS-KSCATALOG and OS-KSADMIN were worked on?
18:40:15 heckj: The middleware had support for it too. Not sure that was moved into KSL.
18:41:42 zns: was not moved into ksl
18:41:56 ayoung, heckj: I intended those last two comments in response to ayoung.
18:42:21 termie, have you looked at https://bugs.launchpad.net/keystone/+bug/890411?
18:42:22 Launchpad bug 890411 in keystone "Tenant role conflicts/overlaps can be a security issue" [Medium,Fix released]
18:42:34 you mean the stuff described there is no longer applicable in KSL?
18:42:34 Okay - so the two blueprints that I will keep in the list are: "keystone-timed-access" and "keystone-domains". I'm assigning gyee to be the drafter, with the idea that gyee will take the lead on explaining what's desired by those items. Are there any others that someone wants to raise a hand and protect from the flames?
18:42:53 zns, looks like the answer is no, but the blueprint is tagged for Folsom. That blueprint should stay around.
18:43:00 gyee: this is what we've been discussing
18:43:01 keckj, these are for folsom correct?
18:43:04 ayoung: which one?
18:43:11 heckj: when does the flame thrower ignite? Can we have until end-of-day?
18:43:12 s/keckj/heckj/
18:43:16 gyee: please take this offline if you have further questions, we've already gone over this multiple times from what i am aware of
18:43:17 gyee: correct - for discussion for folsom
18:43:26 heckj, IDs in the Tokens
18:43:52 ayoung - which blueprint?
18:43:55 we can also do endpoint locations
18:43:55 https://blueprints.launchpad.net/keystone/+spec/stop-ids-in-uris
18:44:03 "stop-ids-in-uris"?
18:44:30 sorry, I don't know what many of these mean - hence the flames. Trying to reset a bit and get it straight
18:44:49 ayoung: got it. It's safe, and now assigned to you as drafter
18:44:59 i don't think this is the proper way to talk about these blueprints, too many people trying to talk at once
18:45:17 It is immensely confusing.
18:45:37 if only blueprints had some way to comment on them...
18:45:40 * termie hates launchpad
18:45:49 I don't want to discuss them in detail, but just get a quick list of what we need to save… (yeah, agreed)
18:45:56 whiteboard?
18:46:13 whiteboards are terrible, that is not a discussion
18:46:26 commenting is a discussion
18:46:42 I think the theory is that the meat of the thing and discussion would be on a wiki or some other thing that isn't the blueprint
18:46:48 and the blueprint is just a pointer to that
18:46:49 mtaylor: fanboy
18:46:53 * mtaylor thinks it's crap too
18:47:09 How about we plan to discuss them on IRC (or as a pull request in gerrit)?
18:47:31 next week we can queue up a few and discuss one at a time
18:47:45 We can schedule them up and knock them down - keystone meeting is (I think) a reasonable time -
18:47:50 aye
18:47:59 #action - heckj to schedule up blueprints for discussion next week
18:48:03 Unassign everyone. Provide a date for the flamethrower & communicate to mailing list - any that don't have an assignee on that date get burned
18:48:22 #action - heckj to bring the purifying flames to existing blueprints
18:48:27 joesavak: yep, will do
18:48:43 joesavak: i still think they need discussion, people seem to treat them as if they are all good ideas
18:49:01 joesavak: (because they are their ideas)
18:49:02 termie: at least we'll know by the assignee who wants to be the advocate
18:49:07 sure
18:49:15 (that makes sense)
18:49:57 http://www.quickmeme.com/meme/36cvj6/
18:49:59 it'll clear out the ones that have no advocate or owner anymore
18:50:04 Okay - that's good for now
18:50:13 lol
18:50:17 heh
18:50:25 #topic: Open Discussion
18:50:26 heckj for president
18:50:32 oh dear god
18:51:03 i was thinking if we get him on the ppb then our project has two votes
18:51:20 fighting above our weight, etc
18:51:39 you should get me on too ... my vote can be bought ;)
18:51:57 what's your price mtaylor? Are you a scotch man? Tequila?
18:52:04 yes
18:52:30 vodka, cachaça, tequila, scotch - you know, whatever
18:52:38 heckj, so the service endpoint location BP is still on the radar?
18:52:38 anyone seen chmouel around?
18:52:48 mtaylor: http://distilleryimage0.instagram.com/4aa1341661b211e19e4a12313813ffc0_7.jpg
18:52:56 mtaylor: think we've got you covered
18:53:12 heckj: i'm here
18:53:13 mtaylor: (i went shopping yesterday)
18:53:16 gyee: anything *can* be on the radar - all you need to do is step up to advocate for the work and explain/defend why it's needed
18:53:16 termie: nice
18:53:22 mtaylor: Poitín it is so.. really shouldn't have said "whatever" ;)
18:53:39 * mtaylor does not accept finnish black vodka...
18:53:53 Poitín is an Irish drink ;)
18:53:55 chmouel: you've got three blueprints in keystone - I'm going to remove you as assignee for right now. If you want them to stay and advocate for that functionality, please just reassign yourself.
18:53:56 salmiakki
18:54:04 60-95% alcohol ;)
18:54:20 chmouel: I'm trying to clear out the dead wood, so anything unassigned in a day or two is going to get nuked from the list
18:54:37 heckj: cool, i'll do that does are for folsom
18:54:44 s/does/those/
18:54:51 chmouel: thanks man!
18:55:28 heckj, I'll tell the lobbyist to get busy then :)
18:55:51 gyee: you're already listed as a lobbyist on two right now
18:55:52 :-)
18:56:01 We've got 3 minutes until the next meeting barges in....
18:56:08 termie: what a set!
18:56:17 (re: link above)
18:56:22 Okay - anything else?
18:56:46 thanks all!
18:56:47 KEEP IT REAL
18:56:51 #endmeeting