15:00:56 <SotK> #startmeeting storyboard 15:00:57 <openstack> Meeting started Wed Jun 15 15:00:56 2016 UTC and is due to finish in 60 minutes. The chair is SotK. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:00 <openstack> The meeting name has been set to 'storyboard' 15:01:37 <anteaya> ah here you are 15:01:53 * ttx lurks but will have a call in a few 15:02:07 <SotK> #link https://wiki.openstack.org/wiki/Meetings/StoryBoard#Agenda_for_next_meeting Agenda 15:02:32 <SotK> I don't know of any announcements or urgent things this week 15:02:42 <Zara> nope 15:02:44 <anteaya> the bug sprint 15:03:07 <SotK> we announced it last week, but can do again 15:03:11 <anteaya> #link https://wiki.openstack.org/wiki/VirtualSprints#StoryBoard_Bug_Sprint 15:03:17 <anteaya> thanks 15:03:37 <SotK> #info REMINDER: StoryBoard's Bug Sprint is next week, 22nd and 23rd June 15:04:05 <SotK> #topic In Progress Work 15:04:24 <Zara> I didn't get around to updating agenda here 15:04:27 <SotK> I've finished up the timeline rework patch 15:04:35 <anteaya> yay! 15:04:39 <SotK> #link https://review.openstack.org/#/c/327231/ 15:04:52 <SotK> Zara made a suggestion to improve it, which I'll implement after this meeting 15:05:26 <Zara> :D 15:05:32 <Zara> just to be pesky. 15:06:07 <Zara> as for me, I'm still in review mode and not looking at the gerrit integration right now. I believe anteaya is looking at that. 15:06:14 <anteaya> I am so 15:06:50 <anteaya> so for gerrit integration with mountains of help from zaro answering my silly quesitons, I have a local gerrit instance with the storyboard plugin configured 15:06:58 <Zara> \o/ 15:07:07 <anteaya> it can find the storyboard-dev api and can successfully GET things 15:07:07 <SotK> :D 15:07:15 <anteaya> however it can't PUT or POST 15:07:42 <anteaya> I just discovered that as of right now the storyboard api requires you to be authenticated to get authenticated 15:08:06 <anteaya> which may be why the storyboard plugin can't yet complete actions that it needs to be authenticated to do 15:08:21 <SotK> (or redirects you to its configured openid provider's login page) 15:08:35 <anteaya> so I will do some gathering of thoughts on the best way to address how the storyboard plugin can become authenticated via the api 15:08:51 <anteaya> SotK: sorry, what to do you mean? 15:09:35 <anteaya> storyboard redirects an api call that needs authentication to the openid provider's login page? 15:10:02 <anteaya> I'm uncertain of the value of that action in this workflow, but will follow up with others and see what to do next 15:10:36 <anteaya> I am hoping to have the storyboard plugin on the review-dev server configured to find the storyboard-dev server for next week's bug event 15:10:44 <anteaya> that's all I had 15:11:51 <anteaya> at this point even without having auth via the api figured out I have confirmed taht the plugin can find the right storyboard instance which hopefully is enough to get it on review-dev 15:12:18 <SotK> so the ways to get an access token are (1) create a new access token for your user, which requires you to already have a valid token, or (2) do a GET for `/v1/openid/authorize` with some parameters, which redirects to a provider's login page (for OpenStack that is currently launchpad) for you to provide credentials (the provider redirects back to storyboard and tells it to give you a token on succe 15:12:24 <SotK> ss) 15:12:37 <anteaya> ah ha! 15:12:53 <anteaya> thank you, I will explore option (2) 15:13:38 <SotK> if you can string together the requests required for launchpad's login process, you may be able to persuade the API to give you a token 15:13:41 <SotK> but idk 15:14:03 <anteaya> well it is worth a shot, I will work in that direction to see what happens 15:14:05 <anteaya> thank you 15:15:13 <anteaya> I have no more on this item 15:15:19 <SotK> any other in-progress work? 15:15:40 <Zara> If I'm doing any, I've forgotten it 15:15:47 <anteaya> he he 15:17:01 <SotK> then we're at open discussion already 15:17:07 <SotK> #topic Open Discussion 15:17:11 <Zara> goodness 15:17:33 <anteaya> wow 15:17:39 <Zara> I have nothing to discuss. 15:17:47 <Zara> well, thanks, sotk, for tidying up s.o.o today 15:17:57 <Zara> I have been watching the emails pile up :) 15:18:00 <anteaya> I'm keen to start working on the api auth thing 15:18:10 <anteaya> an thanks SotK for tidying 15:18:21 <SotK> yw 15:18:30 <SotK> I tagged some things as low-hanging-fruit 15:18:36 <Zara> I'm probably missing context, is there a reason it's impossible to login manually once and then get tokens after that? 15:18:43 <SotK> they are of variable low-ness in their hanging 15:18:54 <SotK> but all fairly low 15:20:23 <Zara> oh, and pedro's suggested approach to auth for gerrity things was to give storyboard the ability to have a user whose token never expired 15:20:28 <Zara> and use that for automated things 15:20:29 <anteaya> Zara: it is a plugin 15:20:59 <anteaya> that would be reasonable, then the token could be stored somewhere on configuration 15:21:14 <anteaya> either in puppet heira or in gerrit config 15:21:18 <anteaya> fungi: ^^ 15:21:34 <SotK> that would seem sensible to me 15:21:42 <anteaya> discussing gerrit storyboard plugin auth issue 15:22:02 <SotK> you could login manually once to get a token, then use the API to request a token with an extreme length 15:22:02 <anteaya> would a token that could only be expired manually be safe to use? 15:22:33 <fungi> so to restate, making sure i've got the proposal correct, we would have a storyboard account for gerrit with a non-expiring token 15:22:50 <fungi> that is to say, an account in storyboard for gerrit to use 15:23:04 <SotK> either non-expiring on very long lived 15:23:19 <Zara> is this storyboard or just storyboard-dev at this point? 15:23:50 <fungi> and the reason for that is the gerrit plugin to connect to storyboard doesn't know how to reauthenticate api calls? 15:24:14 <anteaya> at this point storyboad-dev, but if we are making a design decision it would affect storyboard eventually 15:24:35 <anteaya> fungi: so far, that is my conclusion, however we could check with zaro to confirm that 15:25:01 <fungi> as in it "stops working" after a short while? 15:25:17 <anteaya> well reauthenticiate or authenticate in the first place with openid 15:25:32 <anteaya> no, it can't perform any PUT or POST actions, only GET actions 15:25:42 <fungi> oh, the api authentication relies on openid somehow? 15:25:48 <anteaya> and so I am concluding that auth is an issue preventing PUT or POST 15:25:53 <anteaya> yes it does 15:25:56 <fungi> i will admit i haven't played with storyboard's api yet 15:26:08 <anteaya> fair enough, I'm learning myself 15:26:37 <anteaya> but SotK believes that I can call out to openid via the storyboard api, but it doesn't sound like he has experience doing so himself 15:27:00 <anteaya> and is uncertain of the results 15:27:01 <fungi> i suppose implementing openid authentication in the plugin is potentially less work than building digest or shared secret auth support into sb? 15:27:12 <anteaya> so the discussion moved to long lived token so I pinged you 15:27:13 <SotK> I did a curl request to get the redirect URL once, but didn't try to chase any further down the rabbit hole 15:27:43 <anteaya> let me spend some time investigating and will return next week with more facts 15:27:50 <anteaya> then we can revisit the discussion? 15:27:52 <fungi> or _was_ less work i guess (sounds like it's implemented now) 15:27:53 <anteaya> is that fair? 15:28:07 <anteaya> I don't know yet what is more or less work 15:28:15 <fungi> sounds reasonable 15:28:21 <anteaya> great thank you 15:28:32 <anteaya> thanks for popping in with no notice fungi 15:28:40 <fungi> but just to confirm, sb currently only supports openid auth 15:29:09 <SotK> yes 15:29:10 <fungi> so any reauthentication the plugin might need to do will have to be new openid callouts 15:29:23 <fungi> makes sense then, thanks 15:29:36 <anteaya> fungi: the plugin can get a new token if the old token hasnt' expired yet 15:29:39 <SotK> fungi: it could create itself a new access token whilst it still had a valid one 15:29:56 <anteaya> but it has to call out to openid to start the process or if the current token has expired 15:30:03 <persia> Yes. 15:30:05 <fungi> and what's our token expiration set for currently? 15:30:24 <fungi> (sorry if i'm asking things explained earlier) 15:30:27 <anteaya> in the gui it is one hour, I'm not sure if there is a default for api token creation 15:30:37 <SotK> there is 15:30:38 <anteaya> fungi: not to worry, thanks for being involved 15:30:44 <SotK> its in the puppet manifest, one sec 15:31:12 <anteaya> SotK: but we can configure the api token default expiration to be whatever we want? 15:31:21 <anteaya> storyboard doesn't specify a default? 15:31:53 <SotK> the default in the puppet manifest is 1 hour (s.o.o uses the default) 15:32:12 <SotK> storyboard doesn't specify a default, is defined in the configuration file 15:32:20 <anteaya> but we could change that via the puppet manifest it sounds like 15:32:25 <anteaya> oh awesome, thank you 15:33:00 <fungi> does the plugin currently support openid, or are you having to authenticate with your browser and then stick something into the plugin config? 15:33:12 <anteaya> I don't know 15:33:33 <fungi> oh, so you haven't tested it out successfully yet i guess 15:33:34 <anteaya> in the plugin config I entered my ubuntuone username (email) and password 15:33:52 <fungi> and that worked (at least for an hour)? 15:33:56 <anteaya> I cant' tell if that was useful or not since that isn't required for GET actions 15:34:06 <anteaya> which is all I can confirm it can do at the moment 15:34:11 <fungi> i see. thanks 15:34:22 <anteaya> then I moved to figuring out the api myself for PUT and POST 15:34:27 <SotK> hmm, what happens with PUTs and POSTs then? 15:34:43 <anteaya> I don't know 15:34:44 <fungi> if it turns out that the plugin does work for post operations as well with that configured, then it's presumably already doing an openid dance itself 15:34:59 <anteaya> I haven't yet figured out how to do a PUT myself yet 15:35:11 <anteaya> possibly? 15:35:45 <fungi> in which case it may simply be sufficient to convince zaro or someone to add reauthentication support into that plugin 15:35:54 <anteaya> if I can figure out the correct curl commands myself then I can feel armed with the knowledge to look at log files or request them from the storyboard-dev server 15:36:06 <fungi> sounds good 15:36:07 <anteaya> yes, that might be the route forward 15:36:12 <anteaya> thanks 15:36:25 <SotK> anteaya: is there a way you can see the response the server gives the plugin? 15:36:31 <anteaya> I don't know 15:36:45 <anteaya> I don't know what to look for yet so I don't know where to look 15:36:53 <anteaya> I haven't looked to find where to look for that yet 15:36:58 <anteaya> on my local gerrit 15:37:24 <fungi> if there's no debugging for that (perhaps in the gerrit log files?) then you might have to set up your test deployment to be http-only and use tcpdump to capture the packets for that exchange 15:37:24 <anteaya> figuring out the api for myself seemed like my first step 15:37:53 <anteaya> oh okay I might follow up with you on how to do that after I get an actual api PUT to work for me 15:38:02 <fungi> happy to help, sure 15:38:07 <anteaya> that sounds exciting 15:38:09 <anteaya> thank you 15:38:16 <fungi> packet sniffers are always exciting 15:38:20 <anteaya> woooo 15:38:29 <fungi> (for some definitions of always and exciting at least) 15:38:34 <anteaya> ha ha ha 15:39:13 <anteaya> I'm out of things to say here 15:39:15 <Zara> I'd imagine POSTs will be easier than PUTs to test auth things 15:39:27 <anteaya> oh okay fair enough 15:39:45 <anteaya> shows you how much I know about api things 15:39:57 * SotK wonders if there has been any progress with identifying blocking issues for migration 15:40:58 <anteaya> well since I consider gerrit storyboard integration very important 15:41:09 <anteaya> I haven't gone shopping for many opinions until this is in place 15:41:34 <anteaya> since once it is in place folks might decide that they are happy and their nits are minor instead of critical 15:41:54 <anteaya> like when dinner tastes so much better when the waiter keeps your drinks filled 15:43:05 <anteaya> I do think having expanded docs on the api will be helpful 15:43:22 <anteaya> like telling folks where in the gui to find their tokens, that isn't discoverable 15:43:42 <anteaya> and an example of how to use their token in a curl command 15:43:54 <anteaya> and how to auth with openid to get a token 15:44:13 <anteaya> I think these points would be helpful to have in teh api docs 15:44:32 <anteaya> but that is my personal opinion 15:45:42 <anteaya> I also think the utc timestamps thing is important for us to be able to set for infra instances 15:45:59 <anteaya> Jim was very clear that he wanted that 15:46:59 <anteaya> also dhellmann's point about how he wants to use the api 15:47:27 <anteaya> if his usecase is covered I think that should be added to the api docs 15:47:35 <SotK> seems fair, I imagine gerrit integration will make things much better 15:47:40 <anteaya> now I can't yet figure out how to edit the api docs 15:47:48 <anteaya> thanks, that is my hope too 15:48:12 <anteaya> so I hope that the api docs can in fact contain the information we would like it to contain 15:48:23 <anteaya> I haven't figured out yet how they are generated 15:49:18 <anteaya> so like I said I hope to have the storybroard gerrit integration in place on test servers by next week's bug event and hope to get some initial feedback on it from sprinit participants 15:49:32 <anteaya> then address the obvious things then take it wider 15:51:11 <anteaya> but if we can work on utc timestamps and expanding the api docs in the meantime I think that will be time well spent 15:51:43 * SotK expects so too, I was hoping to look at the timestamp stuff at some point in my pile of timeline reworking 15:54:16 <SotK> any other points to discuss? 15:54:30 <anteaya> awesome thank you 15:54:38 <anteaya> I'm happy 15:56:55 <Zara> I don't have anything right now 16:00:07 <smcginnis> SotK: end meeting? :) 16:00:09 <SotK> #endmeeting