15:00:56 #startmeeting storyboard
15:00:57 Meeting started Wed Jun 15 15:00:56 2016 UTC and is due to finish in 60 minutes. The chair is SotK. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:58 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:00 The meeting name has been set to 'storyboard'
15:01:37 ah here you are
15:01:53 * ttx lurks but will have a call in a few
15:02:07 #link https://wiki.openstack.org/wiki/Meetings/StoryBoard#Agenda_for_next_meeting Agenda
15:02:32 I don't know of any announcements or urgent things this week
15:02:42 nope
15:02:44 the bug sprint
15:03:07 we announced it last week, but can do again
15:03:11 #link https://wiki.openstack.org/wiki/VirtualSprints#StoryBoard_Bug_Sprint
15:03:17 thanks
15:03:37 #info REMINDER: StoryBoard's Bug Sprint is next week, 22nd and 23rd June
15:04:05 #topic In Progress Work
15:04:24 I didn't get around to updating agenda here
15:04:27 I've finished up the timeline rework patch
15:04:35 yay!
15:04:39 #link https://review.openstack.org/#/c/327231/
15:04:52 Zara made a suggestion to improve it, which I'll implement after this meeting
15:05:26 :D
15:05:32 just to be pesky.
15:06:07 as for me, I'm still in review mode and not looking at the gerrit integration right now. I believe anteaya is looking at that.
15:06:14 I am so
15:06:50 so for gerrit integration with mountains of help from zaro answering my silly questions, I have a local gerrit instance with the storyboard plugin configured
15:06:58 \o/
15:07:07 it can find the storyboard-dev api and can successfully GET things
15:07:07 :D
15:07:15 however it can't PUT or POST
15:07:42 I just discovered that as of right now the storyboard api requires you to be authenticated to get authenticated
15:08:06 which may be why the storyboard plugin can't yet complete actions that it needs to be authenticated to do
15:08:21 (or redirects you to its configured openid provider's login page)
15:08:35 so I will do some gathering of thoughts on the best way to address how the storyboard plugin can become authenticated via the api
15:08:51 SotK: sorry, what do you mean?
15:09:35 storyboard redirects an api call that needs authentication to the openid provider's login page?
15:10:02 I'm uncertain of the value of that action in this workflow, but will follow up with others and see what to do next
15:10:36 I am hoping to have the storyboard plugin on the review-dev server configured to find the storyboard-dev server for next week's bug event
15:10:44 that's all I had
15:11:51 at this point even without having auth via the api figured out I have confirmed that the plugin can find the right storyboard instance which hopefully is enough to get it on review-dev
15:12:18 so the ways to get an access token are (1) create a new access token for your user, which requires you to already have a valid token, or (2) do a GET for `/v1/openid/authorize` with some parameters, which redirects to a provider's login page (for OpenStack that is currently launchpad) for you to provide credentials (the provider redirects back to storyboard and tells it to give you a token on succe
15:12:24 ss)
15:12:37 ah ha!
15:12:53 thank you, I will explore option (2)
15:13:38 if you can string together the requests required for launchpad's login process, you may be able to persuade the API to give you a token
15:13:41 but idk
15:14:03 well it is worth a shot, I will work in that direction to see what happens
15:14:05 thank you
15:15:13 I have no more on this item
15:15:19 any other in-progress work?
15:15:40 If I'm doing any, I've forgotten it
15:15:47 he he
15:17:01 then we're at open discussion already
15:17:07 #topic Open Discussion
15:17:11 goodness
15:17:33 wow
15:17:39 I have nothing to discuss.
15:17:47 well, thanks, sotk, for tidying up s.o.o today
15:17:57 I have been watching the emails pile up :)
15:18:00 I'm keen to start working on the api auth thing
15:18:10 and thanks SotK for tidying
15:18:21 yw
15:18:30 I tagged some things as low-hanging-fruit
15:18:36 I'm probably missing context, is there a reason it's impossible to login manually once and then get tokens after that?
15:18:43 they are of variable low-ness in their hanging
15:18:54 but all fairly low
15:20:23 oh, and pedro's suggested approach to auth for gerrity things was to give storyboard the ability to have a user whose token never expired
15:20:28 and use that for automated things
15:20:29 Zara: it is a plugin
15:20:59 that would be reasonable, then the token could be stored somewhere on configuration
15:21:14 either in puppet hiera or in gerrit config
15:21:18 fungi: ^^
15:21:34 that would seem sensible to me
15:21:42 discussing gerrit storyboard plugin auth issue
15:22:02 you could login manually once to get a token, then use the API to request a token with an extreme length
15:22:02 would a token that could only be expired manually be safe to use?
15:22:33 so to restate, making sure i've got the proposal correct, we would have a storyboard account for gerrit with a non-expiring token
15:22:50 that is to say, an account in storyboard for gerrit to use
15:23:04 either non-expiring or very long lived
15:23:19 is this storyboard or just storyboard-dev at this point?
15:23:50 and the reason for that is the gerrit plugin to connect to storyboard doesn't know how to reauthenticate api calls?
15:24:14 at this point storyboard-dev, but if we are making a design decision it would affect storyboard eventually
15:24:35 fungi: so far, that is my conclusion, however we could check with zaro to confirm that
15:25:01 as in it "stops working" after a short while?
15:25:17 well reauthenticate or authenticate in the first place with openid
15:25:32 no, it can't perform any PUT or POST actions, only GET actions
15:25:42 oh, the api authentication relies on openid somehow?
15:25:48 and so I am concluding that auth is an issue preventing PUT or POST
15:25:53 yes it does
15:25:56 i will admit i haven't played with storyboard's api yet
15:26:08 fair enough, I'm learning myself
15:26:37 but SotK believes that I can call out to openid via the storyboard api, but it doesn't sound like he has experience doing so himself
15:27:00 and is uncertain of the results
15:27:01 i suppose implementing openid authentication in the plugin is potentially less work than building digest or shared secret auth support into sb?
15:27:12 so the discussion moved to long lived token so I pinged you
15:27:13 I did a curl request to get the redirect URL once, but didn't try to chase any further down the rabbit hole
15:27:43 let me spend some time investigating and will return next week with more facts
15:27:50 then we can revisit the discussion?
15:27:52 or _was_ less work i guess (sounds like it's implemented now)
15:27:53 is that fair?
15:28:07 I don't know yet what is more or less work
15:28:15 sounds reasonable
15:28:21 great thank you
15:28:32 thanks for popping in with no notice fungi
15:28:40 but just to confirm, sb currently only supports openid auth
15:29:09 yes
15:29:10 so any reauthentication the plugin might need to do will have to be new openid callouts
15:29:23 makes sense then, thanks
15:29:36 fungi: the plugin can get a new token if the old token hasn't expired yet
15:29:39 fungi: it could create itself a new access token whilst it still had a valid one
15:29:56 but it has to call out to openid to start the process or if the current token has expired
15:30:03 Yes.
15:30:05 and what's our token expiration set for currently?
15:30:24 (sorry if i'm asking things explained earlier)
15:30:27 in the gui it is one hour, I'm not sure if there is a default for api token creation
15:30:37 there is
15:30:38 fungi: not to worry, thanks for being involved
15:30:44 it's in the puppet manifest, one sec
15:31:12 SotK: but we can configure the api token default expiration to be whatever we want?
15:31:21 storyboard doesn't specify a default?
15:31:53 the default in the puppet manifest is 1 hour (s.o.o uses the default)
15:32:12 storyboard doesn't specify a default, is defined in the configuration file
15:32:20 but we could change that via the puppet manifest it sounds like
15:32:25 oh awesome, thank you
15:33:00 does the plugin currently support openid, or are you having to authenticate with your browser and then stick something into the plugin config?
15:33:12 I don't know
15:33:33 oh, so you haven't tested it out successfully yet i guess
15:33:34 in the plugin config I entered my ubuntuone username (email) and password
15:33:52 and that worked (at least for an hour)?
15:33:56 I can't tell if that was useful or not since that isn't required for GET actions
15:34:06 which is all I can confirm it can do at the moment
15:34:11 i see. thanks
15:34:22 then I moved to figuring out the api myself for PUT and POST
15:34:27 hmm, what happens with PUTs and POSTs then?
15:34:43 I don't know
15:34:44 if it turns out that the plugin does work for post operations as well with that configured, then it's presumably already doing an openid dance itself
15:34:59 I haven't yet figured out how to do a PUT myself yet
15:35:11 possibly?
15:35:45 in which case it may simply be sufficient to convince zaro or someone to add reauthentication support into that plugin
15:35:54 if I can figure out the correct curl commands myself then I can feel armed with the knowledge to look at log files or request them from the storyboard-dev server
15:36:06 sounds good
15:36:07 yes, that might be the route forward
15:36:12 thanks
15:36:25 anteaya: is there a way you can see the response the server gives the plugin?
15:36:31 I don't know
15:36:45 I don't know what to look for yet so I don't know where to look
15:36:53 I haven't looked to find where to look for that yet
15:36:58 on my local gerrit
15:37:24 if there's no debugging for that (perhaps in the gerrit log files?) then you might have to set up your test deployment to be http-only and use tcpdump to capture the packets for that exchange
15:37:24 figuring out the api for myself seemed like my first step
15:37:53 oh okay I might follow up with you on how to do that after I get an actual api PUT to work for me
15:38:02 happy to help, sure
15:38:07 that sounds exciting
15:38:09 thank you
15:38:16 packet sniffers are always exciting
15:38:20 woooo
15:38:29 (for some definitions of always and exciting at least)
15:38:34 ha ha ha
15:39:13 I'm out of things to say here
15:39:15 I'd imagine POSTs will be easier than PUTs to test auth things
15:39:27 oh okay fair enough
15:39:45 shows you how much I know about api things
15:39:57 * SotK wonders if there has been any progress with identifying blocking issues for migration
15:40:58 well since I consider gerrit storyboard integration very important
15:41:09 I haven't gone shopping for many opinions until this is in place
15:41:34 since once it is in place folks might decide that they are happy and their nits are minor instead of critical
15:41:54 like when dinner tastes so much better when the waiter keeps your drinks filled
15:43:05 I do think having expanded docs on the api will be helpful
15:43:22 like telling folks where in the gui to find their tokens, that isn't discoverable
15:43:42 and an example of how to use their token in a curl command
15:43:54 and how to auth with openid to get a token
15:44:13 I think these points would be helpful to have in the api docs
15:44:32 but that is my personal opinion
15:45:42 I also think the utc timestamps thing is important for us to be able to set for infra instances
15:45:59 Jim was very clear that he wanted that
15:46:59 also dhellmann's point about how he wants to use the api
15:47:27 if his usecase is covered I think that should be added to the api docs
15:47:35 seems fair, I imagine gerrit integration will make things much better
15:47:40 now I can't yet figure out how to edit the api docs
15:47:48 thanks, that is my hope too
15:48:12 so I hope that the api docs can in fact contain the information we would like it to contain
15:48:23 I haven't figured out yet how they are generated
15:49:18 so like I said I hope to have the storyboard gerrit integration in place on test servers by next week's bug event and hope to get some initial feedback on it from sprint participants
15:49:32 then address the obvious things then take it wider
15:51:11 but if we can work on utc timestamps and expanding the api docs in the meantime I think that will be time well spent
15:51:43 * SotK expects so too, I was hoping to look at the timestamp stuff at some point in my pile of timeline reworking
15:54:16 any other points to discuss?
15:54:30 awesome thank you
15:54:38 I'm happy
15:56:55 I don't have anything right now
16:00:07 SotK: end meeting? :)
16:00:09 #endmeeting