15:03:24 #startmeeting service-catalog-tng 15:03:25 Meeting started Thu Dec 10 15:03:24 2015 UTC and is due to finish in 60 minutes. The chair is sdague. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:03:27 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:03:30 The meeting name has been set to 'service_catalog_tng' 15:04:00 #link Agenda - https://wiki.openstack.org/wiki/Meetings/ServiceCatalogTNG#Service_Catalog_TNG_Meeting 15:04:32 ok, this is sparse and missing anne, so I'll try to provide some summary kickoff 15:04:47 #topic overview 15:04:52 #link https://wiki.openstack.org/wiki/ServiceCatalogTNG 15:05:23 there is a service catalog main wiki page with what we are trying to do, which is mostly make the service catalog something that gets more used going forward 15:05:58 the cross project spec - https://review.openstack.org/#/c/181393/ has some of the background on weirdnesses we currently have 15:06:29 #topic Realistic Goals for Mitaka 15:06:53 anne and I were discussing this the other day, and trying to establish what those goals would be 15:07:16 https://wiki.openstack.org/wiki/ServiceCatalogTNG#Mitaka_Goals ? 15:07:39 (is it the case that, as usual, swift is special?) 15:07:39 yes, that's our current best guess of things 15:08:10 cdent: well, the project_id in swift is semantically meaningful 15:08:22 yeah 15:08:24 which is really not true for other projects 15:08:27 have we identified the projects? 15:08:49 that need the project_id removed 15:08:57 o/ sorry I'm late 15:09:26 MEETING PARTY CRASHER 15:09:32 Sorry 15:09:48 bknudson: I don't have the complete list, that would be a good thing to capture here. nova, and things that forked out from nova mostly 15:10:12 #action need to capture authoritative list of projects that use project_id 15:10:30 that could use a volunteer, if anyone wants to pitch in 15:10:53 sdague, notmorgan was doing a POC and identified the ones he tripped over 15:11:00 I think it might be a very short list 15:11:10 ayoung: yes, it's not huge 15:11:13 sdague: I think Thomas Goirand had one, I'll find it 15:11:18 agentle: great 15:11:20 it really is only an issue if project_id is in the service catalog itselfm, and not in the URL 15:11:44 ayoung: right, that's what I mean, if project_id is dynamically serviced by the service catalog 15:12:01 that we can tell by the SC generated by devstack 15:12:11 I only ever saw a problem with Nova 15:12:36 but I tend to do limited deployments... 15:13:10 ok, so agentle can I sign you up for having the athoritative list by next week? 15:13:16 or is there someone else that would like to volunteer for that? 15:13:24 it's probably about 2 hrs worth of work tops 15:14:03 sdague: Yep, by next week thurs. 15:14:11 agentle: sounds great 15:14:37 #action (annegentle) capture authoritative list of projects that use project_id in catalog entries 15:14:39 how definitive tdoes this need to be? Everything in the Big Tent? 15:14:56 ayoung: i'll use the list of service catalogs we gathered round the world 15:15:04 #link https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Service_Catalog 15:15:09 ayoung: as authoritative as we can get it 15:15:50 ok, given that the goals get somewhat duplicated in the next set of topics, lets go through the topics in order 15:15:57 #topic Service Catalog Spec 15:16:31 agentle: the update was on your plate, what additional things do you need before pushing the next update? 15:17:22 agentle: ? 15:17:27 sdague: I think we have a response for John er, notmyname, but I might update that vision section for the focus this release 15:17:32 sorry slow typing this morning :) 15:17:37 agentle: ok, no prob 15:18:11 sdague: I can't get the eavesdrop for the first part, is the focus: project id and? 15:18:11 agentle: ok, are you able to get things into shape by next meeting? 15:18:16 sdague: ayup 15:18:41 #action (annegentle) update service catalog cross project spec by next meeting 15:18:50 * agentle gets all the actions today 15:18:56 well, so far :) 15:18:59 heh 15:19:17 #topic Project Id Optionality in projects 15:19:29 ok, so we have the action for anne about building the complete list of services 15:20:07 next step is to get the projects to support no project id 15:20:14 we've got a nova functional patch up https://review.openstack.org/#/c/233076/ that's mostly waiting on some refactoring of our in tree testing to get it landable 15:20:44 #action check in on nova patch for next week's meeting 15:20:48 that his a lot of files 15:20:58 I'm hopeful that is ready to go next week 15:21:25 it's router changes in 3 files, and microversion bumps 15:21:54 a microversion bump changes a constant in about 6 places in the tree, it's pretty small change really 15:22:14 looks pretty easy 15:22:18 devstack change, too? 15:22:29 there is a devstack change to set the catalog as well 15:22:48 sdague: and I wonder what docs will need updating 15:23:03 #link https://review.openstack.org/#/c/233079/ 15:23:16 that's the devstack change, it works with that nova change 15:23:24 there's a novaclient change, too? 15:23:36 bknudson: yes, it's already landed 15:23:43 it was mostly about discovery 15:23:50 I wonder if this is going to be a problem with Policy enforcement. If the projectID is dropped from the URL, is it possible that a check will also be dropped? 15:23:59 kind of scary, but whatever 15:24:21 ayoung: do you have an example of where such a policy enforcement check is today? 15:24:37 sdague, I can show you nova's 15:24:43 ayoung: are you worried the project ID won't be in the context? 15:24:45 ayoung: yeh, link would be great 15:24:53 so...not sure, but 15:24:55 the project_id is still in the context 15:25:17 the token has a proj id that is used to generate the url...the url then has a project Id that needs to match that of the resource 15:25:24 say...and image or a vm 15:25:27 the code in nova litterally only cared about project_id in url for 10 lines of code 15:25:45 where it did a project_id == context.project_id or die 15:25:59 and the url was fully ignored beyond that 15:25:59 death++ 15:26:17 right. that is important, though. Still need a check like that, but it is not sufficient 15:26:17 interesting 15:26:43 ayoung: it's not though, because the acl is enforced on the uuid of the server as well 15:26:45 I need to think this through...I'll come back 15:26:59 you can't just find someone else's uuid of server, put it under your project id, and delete it 15:27:15 sdague, meaning context.project_iod == server.proejct_id or die? 15:27:48 so, I'd recommend looking at the nova patch directly if there are concerns there 15:27:57 because I'm pretty sure things are fully covered 15:28:09 ok, lets move on to next topic 15:28:11 I suspect it is fine, but we should be testing 15:28:18 presumably there is test coverage for this sort of thing already? 15:29:15 cdent: there is, we had to change a tempest test though because it was no longer possible to ask for servers by wrong project id when project_id is not in the url 15:29:36 ✔ 15:29:52 we could determine if there is another test that's appropriate here 15:30:15 cdent: anything you might want to look at? :) 15:30:21 given you are diving into nova now 15:30:37 sdague, the token.project_id should be different from the one requested. Suspect that is already tested 15:30:50 ayoung: yes, already tested 15:30:50 I'm hesitant to make any commitments just yet because I don't know the lay of the land, but this is definitely an area where I'm very interested 15:31:20 So I'm trying to get myself oriented so I can safely say "yupppers, I'm on that" 15:31:24 ok, no prob 15:32:00 #action nova functional test to ensure we don't loose any safety in removing project_id from url 15:32:08 we'll see who ends up with that 15:32:14 ok, really next topic 15:32:21 #topic What URLs are needed 15:32:35 this is part of coming up with a draft schema for the service catalog 15:32:41 I found the mailing list thread on this topic challenging to parse. 15:32:52 today, we have 3 things: publicURL, adminURL, internalURL 15:33:19 sdague: and unfortunately it's different dependint on the catalog version 15:33:22 do we have defintions of what is meant by those? 15:33:25 #link http://lists.openstack.org/pipermail/openstack-operators/2015-December/009061.html 15:33:33 I think adminURL was only there for for keystone since we have admin and public APIs 15:33:39 so really we have 6 iirc. :( 15:33:40 (in v2) 15:33:41 there is an openstack operators thread on this 15:33:53 notmorgan: ok, sure, well really we have N 15:34:03 because that's all convention, and not enforced anywhere 15:34:08 OK. I know what they are supposed to mean in Keystone. 15:34:23 and as such gets used wildly inconsistently 15:34:45 I think operators like internalURL and publicURL for services. I want my internal users to use internalURL and outside users only have publicURL 15:34:47 as can been seen by some of the responses there 15:34:58 THey are not such horrible ideas, but we should probably taylor the SC to return the right ones 15:35:01 maybe there's a better way to do internal/public access 15:35:16 bknudson: honestly, it sounded like from that thread a lot of operators don't like the current split 15:35:29 bknudson, different hostnames is really the best option. 15:35:29 bluebox uses hosts overrides 15:35:41 THat way you can have different interfaces on the same machine handle them 15:35:46 its a firewall issue 15:35:47 to always get internal users to the right address 15:35:56 for instance 15:36:10 I would recommend everyone read and comment on the operator thread 15:36:10 different ports was always sketchy, but that was an impl detail we could work around 15:36:14 y, putting the knowledge in the network makes sense 15:36:29 since otherwise apps have to provide config options or know where they're running somehow 15:36:32 #action (sdague) revisit operator thread try to reexpress current common themes 15:37:04 So, here is what they are supposed to mean, and this is not Keystone specific: 15:37:06 I think the one thing that did arrise that was new was the desire that services have dedicated urls for them to talk to each other 15:37:08 so I can say the HP Public Cloud (RIP) used adminURL for nova at least 15:37:17 Public is what users outside the firewall get for normal useage 15:37:27 admin is the same, but an higher level of control and security 15:37:41 yes david-lyle same for Rackspace also 15:37:45 certain extensions were only enabled when going through adminURL rather than public 15:37:46 some deployments want to put that inside dfirewall 15:37:59 internal is service to service 15:38:19 if HPE and RAX both find this useful/necessary then seems like we'd keep it? 15:38:21 We don't Need them per-se, as there are other ways to do the same thing, but this was not a horrible approach 15:38:35 david-lyle: for keystone only, right? 15:38:49 no for nova 15:38:51 However...we could also deduce which one to return based on the caller 15:39:04 david-lyle: hmmm... it doesn't appear in the catalog that was captured 15:39:11 https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Service_Catalog#HP 15:39:20 IE, the nova service user gets the right Keystone URL, and the right Glance url, both internal 15:39:20 sdague: that catalog is the public one not the "I'm a cloud admin" one 15:39:39 ah, ok, so you only get an adminURL if you are an admin? 15:39:54 sdague: I'm not an admin on any cloud to test that theory :) 15:40:02 that catalog is not from sufficiently empowered I think 15:40:11 sdague, so, I'm not certain about that. It is more likely that is supposed to be location aware 15:40:35 that's the end user view 15:40:35 if you are inside the firewall, and a regular user, I don't know which you would get 15:40:53 so, maybe we really should step back and describe the personas here 15:41:05 perhaps that's the next step 15:41:07 sdague: ++ 15:41:27 that's a good idea 15:41:31 The idea is that you want to do more than just Token securet (heh) if you are, say, adding a user. You only want that done from inside the firewall. Good concept, don't think the SC is the right way to enforce it 15:41:44 m,ayeb add user is a bad example, tho9ugh 15:41:54 more like adding a service or endpoint 15:41:56 I get the sense that there are some conflicts between the technical goals and the user stories... 15:41:58 ok, anyone interested in starting to hack out the personas? That seems like an etherpad activity. 15:42:04 cdent: yeh 15:42:05 ayoung: I think david-lyle says it's not inside/outside firewall at all, but the user's auth. 15:42:15 bknudson, I said that 15:42:24 bknudson, it is a case of userauth + more security 15:42:30 at least, that was the concept 15:42:42 we could do it with just user auth, but that is not sufficient for some people 15:42:53 they want to reduce their attack surface 15:43:04 ask gyee, this is his kind of thing 2FA and all that 15:43:05 yeh, the "more security" seems weird though. If you don't trust keystone to enforce security correctly on 1 url, I'm not sure why 2 makes it better :) 15:43:25 sdague, cuz tokens suck 15:43:55 you want to make it if an admin user loses a token in the wild, the server can't even be reached and it is not attackable for the sensitive operations 15:44:08 #info we need a personas document to really determine what data / urls will be needed in a new catalog 15:44:34 I think we'll need more operator feedback into personas 15:44:37 this is just the rationalization I have been able to piece together over the years. I was not there for the initial discussion 15:44:49 ayoung: i also don't think most operators actually do that. 15:44:58 ayoung: HP is one of the few. 15:44:59 notmorgan, Heh, neither do I 15:45:09 ayoung: i also think it's a false set of security. 15:45:21 ok, I'm going to move us to open discussion 15:45:27 #topic Open Discussion 15:45:33 so, a few things quick 15:45:50 notmorgan, I'm guessing you would argue "if you need to be inside the firewall, use a CLI with direct access to the machine" is the right approach? 15:45:50 1) volutneers wanted / needed if we are going to make real progress here 15:46:34 ayoung: that is my general view - if it's something that really is *that* sensitive, you probably shouldn't be exposing it via a REST API and it should be CMS 15:46:38 the idea is this meeting becomes more of a status check in. less discussion. disucssion should go to the lists. 15:46:51 sdague, got iot 15:46:53 it 15:47:20 stand up :) 15:47:21 sdague: keep after me to be an active part of this 15:47:30 thanks cdent 15:47:43 I posted a related change to devstack, removing /v2.0 from the identity entry in the catalog: https://review.openstack.org/#/c/255294/ 15:47:43 related, notmorgan and I have been working towards having nova know how to talk to glance via service catalog entries 15:47:59 notmorgan, I think that makes sense. 15:47:59 as it's the last service nova talks to with hardcoded values only 15:48:14 sdague, the MOC guys are working on that too. 15:48:16 link https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:glance_image_config,n,z 15:48:17 sdague: actually... i think neutron needs work. 15:48:20 which version of the service catalog are you using? 15:48:25 also, which endpoint? 15:48:26 I'll ask them to comment and contriubte 15:48:35 ayoung: MOC? 15:49:04 Mass Open Cloud. Resourece Federation 15:49:06 notmorgan: ok, cool, I thought we had base infrastructure for that 15:49:09 ayoung: ah great 15:49:14 say glance and Nova are owned by two different orgs 15:49:26 sdague: ran into this with my POC 15:49:31 ok, any other related work from people to highlight that we should keep an eye on things? 15:49:36 sdague, add gsilvis to any reviews you have along those lines 15:49:56 ayoung: ok, will do 15:50:23 ok, anything else, or time to end meeting? 15:50:36 next week we'll start with outstanding actions from this week 15:50:45 then a 2 week hiatus re:holidays 15:50:55 then back with a furry in 2016 15:51:13 what kind of furry? a teddy bear? reindeer? kitty cat? ;) 15:51:22 cat bus 15:51:26 YES 15:51:29 new year's resolution will be to fix the service catalog 15:51:29 \o/ 15:51:32 I brought one back for my daughter 15:51:37 it's awesome 15:51:50 ok, thanks for showing up to our kickoff, see you all next week 15:51:54 #endmeeting