18:02:35 #startmeeting
18:02:36 NP
18:02:36 Meeting started Tue Aug 21 18:02:35 2012 UTC. The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:37 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:50 #topic: bugs and rc
18:03:06 I spent some of this morning triaging bugs - have a few that I need to dig into a bit more
18:03:19 heckj, anything buring?
18:03:23 burning
18:03:38 there've been a number of bugs filed about making auth_token more standalone - primary driver to it being that folks don't want to have to install all of keystone to get the auth_token pieces
18:04:03 There's also a number of tracebacks and other quirks across various pieces - lots of recent bugs filed around using auth_token with swift
18:04:08 heckj, does it belong in openstackcommon?
18:04:23 seems like that's a weak spot - maybe more so with documentation than anything else, but a weak spot none the less
18:04:47 ayoung: At some point, yes - I don't think we're ready to shift it over there quite yet though.
18:04:50 heckj, well, I am partially to blame. PKI pulls in some deps
18:05:15 It doesn't feel like that API is really stable at this point with the additions of what we're doing with the PKI token pieces, but I think we'll be able to shift that within another release
18:05:38 So could we somehow generate a library for it?
18:05:59 auth_token *should* be dependent on keystoneclient
18:06:01 keystone/common and keystone/middleware/auth_token
18:06:06 a library, or a more limited package set of some form I think - I think that would solve most of the desires there
18:06:18 new home? keystoneclient.middleware.auth_token
18:06:35 dolphm, isn't keystone client the CLI?
18:06:48 ayoung: the CLI runs on top of a full python library
18:06:49 if we're going to do that, I'd rather just move it into openstack-common
18:07:01 heckj: that's more intuitive
18:07:35 On top of that, I think the clients need to be doing more to converge - the sort of inadvertent separation that occurred over the past two release cycles is a bad place to be in
18:07:59 dtroyer was starting something about an "openstack" client - don't know current state, but I'd like to support that explicitly
18:08:04 I'm not ready to surrender control of auth_token yet
18:08:12 ayoung: that's my sense as well
18:08:35 I also think a CLI is a very different thing from a web integration piece
18:08:51 heckj: https://launchpad.net/python-openstackclient
18:08:51 I think we'll also need to make some changes in auth_token when we get into supporting V3 API as well, so having it in a separate repo will be a pain point for making progress there
18:08:54 auth_token is really an extension to HTTProtocol
18:09:10 and could, in theory, be implemented in multiple languages
18:09:12 #link https://launchpad.net/python-openstackclient
18:09:18 (thanks dolphm ^^)
18:09:58 it would make sense to me that the python library be implemented in keystoneclient, and python-openstackclient uses that to implement the CLI (as the stated goal of openstackclient is a common shell across openstack)
18:10:15 there's also a "security" bug reported, although I don't think it's really a security issue
18:10:18 sec for the link
18:10:19 heckj: it's not
18:10:26 heckj: bout to mark it invalid
18:10:51 dolphm: +1 - it's a complaint that the API wasn't documented, but is intended
18:11:12 heckj: it's documented, just not where the user expected
18:11:21 dolphm: didn't mean to throw that on your shoulders this morning - added you as subscriber so you could see it
18:11:58 why didn't https://review.openstack.org/#/c/10579/ get re smokestacked?
18:12:05 heckj: no worries
18:12:36 ayoung: dunno there, maybe ping mtaylor or jeblair for insight?
18:13:00 aroo?
18:13:08 heckj: we don't run smokestack
18:13:19 Ah - well, you're not gunna help there then :-)
18:13:22 mtaylor: who does?
18:13:25 mtaylor, is there an equivalent to recheck for smokestack?
18:13:36 for gerrit
18:14:29 ayoung: nope. we have no control over it
18:14:32 it's all dprince
18:14:38 thanks
18:15:12 we look like we're keeping up well on reviews
18:15:19 heckj, dolphm so that is the only thing I think I have in my pipeline that was submitted by someone else that should go through
18:15:34 which brings me to my next topic...
18:15:46 #topic OCF scripts
18:15:50 mnewby: ?
18:16:00 ayoung: who's the someone else
18:16:03 dolphm: hi
18:16:07 apevec
18:16:18 * dolphm waves at mnewby -- didn't mean to summon you
18:16:19 dolphm: the specific review that ayoung posted above
18:16:25 agh
18:16:27 ah*
18:16:54 dolphm, I mean that 10579 (submitted by apevec) is something I am shepherding through
18:17:01 OCF?
18:17:14 the only other change I have in my pipeline is mine for PKI...we can hold off on that until after OCF
18:17:14 Yeah - ocf scripts
18:17:47 Isn't that Oracle Cluster File? no wait, that has an S
18:17:50 what is OCF?
18:17:51 The OCF scripts are scripts that can be used with pacemaker to manage resources. I originally thought it would be fine to include a set in our repo to make them easily available
18:18:15 something i'm not qualified to review, for sure
18:18:51 bcwaldon brought up a really good point - his opinion is that anything in our repo should be fully supported - and we just don't have a lot of background or detail to be able to support, review, etc. OCF scripts - plus it's specific to actually ANOTHER project (pacemaker), so perhaps it wasn't actually appropriate to put into our repo
18:19:14 heckj, I concur with that analysis
18:19:31 I couldn't review it. I don't even know what OCF expands to.
18:19:35 heh
18:19:41 satellite project? http://osdir.com/ml/openstack-cloud-computing/2012-02/msg00883.html
18:20:02 dolphm: I think that's where it really belongs
18:20:25 I thought that was the general consensus from the IRC discussion
18:20:28 heckj: did anyone ever setup a directory of satellite projects? last i heard it would be through sourceforge?
18:20:33 but i've never seen one
18:20:38 There was some talk of a site that would list these things, including people's github repos and such, so that related projects could be found, but support/stability/etc attestation wasn't coming from core openstack projects
18:21:17 there was a site planned called stackforge, but no end-user facing setup was created - mtaylor did some great work to expand where we can apply gerrit and CI tools, but that's where it ended
18:21:41 I'm talking with some other folks to try and re-invigorate that effort to get something up and running
18:22:10 sounds like solid consensus on that commit though, so I'll follow it up with email and relevant review comments
18:22:22 #action heckj to follow up on moving OCF scripts elsewhere
18:22:27 cool
18:22:31 ++
18:22:36 ayoung: you said you had another review item?
18:22:42 #topic ayoungs review thing
18:22:42 we have a stackforge github org that things can go in pretty easily
18:22:44 and stuff
18:22:51 mtaylor: ++
18:22:56 heckj, PKI revocation.
18:22:57 (and get hooked in to gerrit, should that be a useful thing)
18:23:11 #topic PKI revocation
18:23:16 take it away
18:23:31 I just reposted for review...assuming we get it through in the next day or so, does it get merged over to the Folsom branch somehow, or are we going to cut RC1 from master?
18:23:50 master i believe
18:24:17 ttx will cut RC1 from master
18:24:21 OK.
So I am set with that...so here is what I found
18:24:29 the Vary Header gets set, but only for JSON
18:24:37 I was doing the Revocation list as straight text
18:24:42 I haven't pestered mtaylor in detail with email about enabling a feature branch - which I thought we'd do for dolph's V3 api implementation work
18:24:52 ayoung: is there a reason why it's not / can't be in JSON?
18:24:57 but...it is a signed document, which means that it should be done via some standard or other, and sure enough
18:25:10 #link http://tools.ietf.org/html/rfc1847
18:25:22 oh boy...
18:25:32 Now, I just found out today how to generate that format from openssl. It is not too bad
18:25:54 But...I am not going to do that, not yet
18:26:09 I am going to return the revocation list in a JSON document.
18:26:11 ayoung: does the client need to specify Accept: multipart/signed ?
18:26:13 ayoung: just thinking that doing this right is more complex than I'd like for the timeframe we're in around release
18:26:19 need / should
18:26:48 dolphm, good question. I don't know. I don't think we/eventlet checks that....
18:26:59 ayoung: keystone checks accept headers today
18:27:12 OK
18:27:30 ayoung: although i think application/json is assumed if one is not provided
18:27:47 otherwise application/xml is mildly supported
18:28:01 heckj: which reminds me of a v3 issue ^ actually
18:28:08 dolphm, yeah...
18:28:13 yeah
18:28:20 I'd love it if we could hit keystone from a web browser directly
18:28:26 but that would mean to default to HTML
18:28:37 heckj: the {'entity': {...}} conversation we had about the entity containers ...
18:28:38 we can do that in V3...but it might break things on the landing page
18:28:43 heckj: sort of needed for easy xml support
18:28:50 dolphm: AHHH!!
18:29:02 dolphm: I wondered why we were doing that
18:29:30 {'this': {'attr': 'value'}} becomes
18:29:47 dolphm: yep, makes sense when you think about translation
18:30:06 We're veering off from ayoung's topic though -
18:30:16 heckj, not necessarily
18:30:20 and now back to our regularly scheduled program
18:30:24 I think we need to put a focus on proper rest for Grizzly
18:30:37 Ok… wasn't sure what you needed, or if you got it with the checking vary-headers in the client
18:30:44 and that means we should support multiple content types.
18:31:03 So, I am not sure if the multipart/signed is right long term...I can investigate that
18:31:07 ayoung: I agree, although I don't know how far down the HATEOAS road I really want to go with this
18:31:53 heckj, this is how far I want to go
18:31:58 ayoung: we can get into some hellacious complexity with using mime headers and such for versioning and request types - I would MUCH prefer to keep that simple
18:32:07 hit the landing page, use basic auth (or cert or kerberos in the future)
18:32:21 get a page with a link for everything that I can do
18:32:33 heckj: i'm definitely not a fan of using mime types of versions - ick
18:32:34 be able to do it all from a browser using a sparse HTML UI
18:33:10 ayoung: doesn't that overlap pretty heavily with what's happening in horizon?
18:33:18 heckj, dolphm that is fine. Let's make the design decisions explicit
18:33:27 heckj, not really. This is for our use
18:33:33 and for the Keystone administrator
18:33:44 so they can diagnose with Horizon out of the picture
18:33:53 also for the end user scripting/integrating with Keystone
18:33:59 nothing is stopping a browser-side javascript-keystoneclient from existing, either
18:34:16 dolphm, well..not quite true
18:34:27 same origin policy is still in the way
18:34:37 ayoung: I love it as a dev tool - not so sure about building up a user experience for keystone admins with it though...
18:34:57 right, but nothing is stopping someone from deploying keystone on the same domain as a JS client
18:34:57 ayoung, dolphm : related: CORS support blueprint to enable that
18:35:00 heckj, Keystone is the rich tool. This is a debugging and testing tool
18:35:08 heckj, right....doesn't exist yet
18:35:09 ayoung: yep - agreed
18:35:12 CORS that is
18:35:21 yeah
18:36:19 But also, I think, if we were to build it that way, the Javascript client would consume pieces of it that don't yet exist: figuring out what data to put together for a form should be driven off a query from the server
18:36:39 so...I'd like to make HTML a 1st class marshalling format for Grizzly
18:36:49 * dolphm runs
18:37:13 ayoung, catches up with dolphm trips him, and drags him back to the meeting
18:37:14 uh, well - wow
18:37:27 heckj, simple, simple HTML:
18:37:45 * dolphm distracts ayoung with the xml middleware and makes another break for it
18:37:51 results come back in a
... form
18:38:56 ayoung: have you seen our application/xml support implementation?
18:39:05 ayoung: keystone.middleware.core.XmlBodyMiddleware
18:39:09 heckj, the same rules that go for XML should work for HTML, and then the whole thing should be browser friendly. Otherwise, we are not doing REST, we are just doing another SOAP
18:39:35 ayoung: Oh sure… throw out the "I'll beat you with a brick of SOAP" card…
18:39:36 dolphm, right
18:40:07 ayoung: WTF, let's give it a shot, see how it rolls. It'll be useful for us doing dev at least
18:40:18 Somewhat side note:
18:40:26 httplib2 broke my heart yesterday
18:40:35 (novaclient and us… built on it)
18:40:54 in the case of a timeout, with the current "release" of it, it automatically retries the connect...
18:41:14 meaning that if you were running through a proxy, and the request timed out, it would double it...
18:41:37 ayoung: how do incoming HTML requests look? are they just multipart/form-data encoded?
18:41:40 that's been made configurable in master of httplib2 development tree, but not yet released.
18:41:44 heckj: i saw your tweet lol
18:42:05 heckj: double the expected block time, i imagine?
18:42:34 dolphm: we're repackaging httplib2 with the fix ourselves short term
18:42:43 dolphm, you mean from a browser? What kind of requests? POST or GET?
18:42:47 ayoung: POST
18:42:52 ayoung: and PATCH
18:43:03 haven't looked at patch yet.
18:43:23 ayoung: looks just like POST, except the resource isn't a collection
18:43:49 dolphm, I have to admit, I have been doing AJAX for so long that I am not sure.
18:43:55 ayoung: i believe the PUT operations in V3 don't require a request/response body
18:44:01 I had libraries managing it for me last project.
18:44:06 ayoung, dolphm Any word from David Chadwick? Said he'd be on IRC, but I don't know what his nick would be...
18:44:17 he's on the wrong IRC server
18:44:28 ah
18:44:30 heckj: (who's david chadwick?)
18:45:24 dolphm: he's the guy that's been talking about federation and the use cases they need
18:45:29 ah cool
18:45:33 dolphm, wrote a Federated Keystone proof of concept
18:45:38 d.w.chadwick@kent.ac.uk
18:45:44 oh yeah
18:45:46 i remember him
18:46:06 Sent him the URL for Freenode
18:46:21 ayoung: thanks
18:46:31 attribute based authz?
18:46:53 dolphm, those links from last week?
18:47:06 http://etherpad.openstack.org/GrizzlyKeystoneSessions
18:47:08 ayoung: i'm thinking back to the essex conference, hadn't heard from him since
18:48:08 heckj, dolphm so the thing I wanted to make sure was that for the V3 API, we weren't assuming JSON by default. I think that will not allow the browsers to do HTML.
18:48:27 And instead, require an Accepts header.
18:48:51 ayoung: we can make it required, the clients i've seen are good about specifying it
18:48:54 ayoung: that seems quite reasonable
18:49:08 ayoung: i know i'm lazy when it comes to curl/etc, but that's my fault :)
18:49:24 dolphm, it's easy if you just cut/paste....
18:49:50 sounds like we should make some quick doc notes in our dev docs with relevant cut/paste usefulness :-)
18:50:00 yep
18:50:41 can we #action that?
18:50:55 or decision or whatnot?
18:51:08 require appropriate accept headers?
18:51:14 dolphm, yes, that
18:51:23 and require appropriate content-type while we're at it?
18:52:00 #action ayoung to scribble up some cut and paste URL examples with appropriate accept headers for dev docs
18:52:09 (we might already require appropriate content-type)
18:52:18 #action: V3 API (all of us to implement) will require accept headers
18:52:33 good ^ ?
18:53:21 so, i've got a giant chunk of v3 implemented
18:53:34 i haven't touched /tokens yet, though
18:53:39 good
18:53:48 nice
18:54:04 dolphm, I can take a look once I've knocked out revocation.
18:54:32 ayoung: heckj: let me know when y'all want to take a peek -- otherwise i'll keep chugging away offline
18:54:55 dolphm, OK...will do
18:55:21 dolphm: I'll find out the feature branch idea that monty had and start that thread in email
18:55:21 ayoung: heckj: majorish change from my last review on policy -- i'm implementing a single router deployed to both :5000 and :35357 by default -- not making any distinction between APIs whatsoever
18:55:35 dolphm, I like that!
18:55:58 dolphm: I think that's a good way to go.
18:55:59 I would really really really like to be able to deploy on a single port.
18:56:01 ayoung: heckj: to compensate, i'd like to write some whitelist middleware for people that want it, which would only allow "public"-friendly calls to make it through ... but i wouldn't include it in keystone.conf.sample by default
18:56:26 dolphm: seems reasonable - toss up a relevant blueprint on that, will you?
18:56:32 heckj: sure
18:56:47 ayoung: related - IANA declined our request for another port # - so "35357" is our official port, and will stay that way
18:57:10 IMO, splitting up the API across multiple ports is a deployment concern, with MUCH better solutions on that side of the fence than what we're "enforcing" today
18:57:16 heckj, as well they should....but personally, I want to be able to deploy on 443....
18:57:18 heckj: cool
18:57:24 I think if we get policy implemented in our own API, we can and should drop this to a single port
18:57:35 ayoung: word
18:58:08 OK, that is 15:00. We now turn into pumpkins
18:58:15 * dolphm runs from mtaylor
18:58:26 er..I guess the chat room turns into a pumpkin, and we turn back into mice.
18:58:26 ayoung, dolphm - can one of you stand in for me in the release meeting today?
18:58:36 * mtaylor ties up dolphm and feeds him to jenkins
18:58:48 '#endmeeting
18:58:53 #endmeeting