14:01:17 <csatari> #startmeeting review_of_dublin_edge_notes
14:01:18 <openstack> Meeting started Thu Jun 28 14:01:17 2018 UTC and is due to finish in 60 minutes.  The chair is csatari. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:21 <openstack> The meeting name has been set to 'review_of_dublin_edge_notes'
14:01:27 <csatari> #topic Roll Call
14:01:38 <csatari> #info Gergely Csatari
14:02:19 <Arkady_Kanevsky> hello again
14:02:38 <csatari> #link https://wiki.openstack.org/wiki/OpenStack_Edge_Discussions_Dublin_PTG
14:02:52 <Arkady_Kanevsky> i will have to drop in 15 min
14:03:05 <csatari> Hah, better to hurry , then :)
14:03:13 <Arkady_Kanevsky> +1
14:03:16 <csatari> #topic Housekeeping
14:03:31 <Arkady_Kanevsky> I did had one concern on federation.
14:03:42 <csatari> #info We continue from User management data receiver side
14:03:51 <Arkady_Kanevsky> say we have edge/core that is vmware based, say VIO
14:03:56 <csatari> Okay, What is it?
14:04:02 <dpaterson> o/
14:04:10 <Arkady_Kanevsky> And and far edge is openstack on baremetal.
14:04:33 <Arkady_Kanevsky> how does keystone fderation worrk?
14:05:29 <csatari> The VIO OpenStack should be configured to be an Identity provider
14:05:55 <csatari> While the far edge Keystone should be configured to use the remote Identity providesr.
14:06:14 <Arkady_Kanevsky> VIO will use vSsphere for platform and its identity management. Keystone is just a shim on top of it.
14:06:51 <csatari> Aham. We should ask this from Ketstone guys.
14:07:05 <csatari> #topic Keystone architectures
14:07:10 <Arkady_Kanevsky> if kesyotone can use remote ID provider then it will work. probably with local cache for disconnect periods.
14:07:18 <Arkady_Kanevsky> thanks
14:07:44 <csatari> #info VIO Keystone is only a shim layer on top of vSphere. Is it possible to configure this as an Identity provider?
14:08:02 <Arkady_Kanevsky> I will ask vmware folks
14:08:15 <csatari> I will add this as a question to https://wiki.openstack.org/wiki/Keystone_edge_architectures
14:08:22 <csatari> Okay, please report back the result.
14:08:54 <csatari> #action csatari to add this question to  https://wiki.openstack.org/wiki/Keystone_edge_architectures#Several_keystone_instances_with_federation_and_API_synchronsation
14:09:41 <csatari> #topic Review of User management data receiver side
14:10:19 <csatari> #link https://wiki.openstack.org/wiki/OpenStack_Edge_Discussions_Dublin_PTG#User_management_data_receiver_side
14:11:18 <csatari> I think we should add the option to create shadow users here as it is done with K2K federation.
14:11:44 <csatari> #action csatari Add the possibility to use shadow users.
14:12:32 <dpaterson> csatari: Does all ACL associated with user come along with shadow user?
14:12:52 <csatari> I think not.
14:13:21 <csatari> Shadow user is created by rules defined on the far side.
14:13:30 <dpaterson> So things like object store permissions etc could be an issue at the edge node?
14:14:06 <csatari> According to my understanding these can be set using these rules.
14:14:53 <csatari> Mapping rules:  https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#mapping-combinations
14:14:57 <dpaterson> So master keystone has to create mappings that will be used for creating shadow users?  Something along those lines?
14:15:19 <dpaterson> csatari: tx
14:15:21 <csatari> Nope, the mapping is done in the edge Keystones
14:15:52 <Arkady_Kanevsky> need to drop
14:16:08 <csatari> But the best is to ask it on the DL (any of them) from Keystone guys.
14:16:10 <csatari> Okay
14:16:13 <csatari> See you.
14:17:17 <csatari> Any more comments to ?
14:17:55 <csatari> #topic Review of User management data receiver side
14:18:04 <csatari> #link https://wiki.openstack.org/wiki/OpenStack_Edge_Discussions_Dublin_PTG#User_management_data_receiver_side
14:18:34 <csatari> Here we should also mention the sahdow users case.
14:19:16 <csatari> Hah! we just discussed this.
14:19:41 <csatari> #topic Review of RBAC data source side
14:21:26 <csatari> #info Can we totally rely on K2K federation here or do we still need to synchronise data?
14:22:34 <csatari> I will ask in mail.
14:24:19 <csatari> #topic Review of RBAC data receiver side
14:24:46 <csatari> #info Same goes to here as for
14:26:07 <csatari> I just saw esarault -s mail.
14:26:32 <csatari> Am I doing a lonely review here?
14:30:30 <csatari> I think I've lost quorum, so I stop here with the review.
14:30:38 <csatari> #topic End meeting
14:31:07 <csatari> #info We will continue from VM images source side
14:32:03 <csatari> #info Next meeting is on 2018.07.05 16:00 CET on #edge-computing-group
14:32:15 <csatari> #endmeeting