19:01:16 <notmyname> #startmeeting swift 19:01:17 <openstack> Meeting started Wed Feb 20 19:01:16 2013 UTC. The chair is notmyname. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:01:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:01:20 <openstack> The meeting name has been set to 'swift' 19:01:35 <notmyname> I've got a short agenda for this week: 19:02:02 <notmyname> report from chmouel about what he has found about keystone and details of changes (if any) needed 19:02:05 <notmyname> summit talks 19:02:09 <notmyname> and any open questions 19:02:23 <notmyname> I've got to be done in 30 minutes 19:02:33 <notmyname> #topic keystone v3 changes? 19:02:40 <notmyname> chmouel: what do you have for us? 19:02:57 <chmouel> so henrynash was kind of enough to send a message resuming the problem 19:03:01 <chmouel> available here http://pastie.org/private/ndyxib6ire3y2bbxvqim4q 19:03:10 <chmouel> from the look of it i don't think this is going to cause problem 19:03:15 <chmouel> it only acls works 19:03:24 <chmouel> and that should be backward compatible 19:03:56 <notmyname> ok, so we may have some patches to the keystone middleware, but nothing beyond that? 19:04:06 <chmouel> that's correct AFAICS 19:04:18 <notmyname> great. I think that's the right answer anyway :-) 19:04:51 <notmyname> anyone have any questions/comments? 19:05:08 <davidha> chmouel: now thatther eare projectId and domainID in keystone - which will map to an account? 19:05:45 <chmouel> davidha: I believe the projectid would do since they are unique 19:05:47 <clayg> should still be tenant's (now called projects) 19:05:50 <dolphm> chmouel: +1 19:05:58 <clayg> ohai dolphm! 19:06:01 <dolphm> clayg: o/ 19:06:05 <chmouel> here is THE man speaking! 19:06:10 <clayg> lol 19:06:11 <davidha> +1 projectID == account 19:06:19 <davidha> is domain a reseller prefix? 19:06:39 <chmouel> that i am not totally sure since they have different use 19:06:41 <notmyname> no. the reseller prefix is swift-specific 19:06:42 <clayg> davidha: don't go involving swift terms like reseller prefix in keystone - it'll just get confusing :P 19:06:47 <notmyname> heh 19:07:07 <davidha> ther eis a concept pof domains in keystone v3 19:07:19 <davidha> differen tpepole think differently about it 19:07:21 <clayg> "pof"? 19:07:22 <chmouel> we could potentially have urls which include domains 19:07:32 <chmouel> and the default would be the same as now 19:07:41 <chmouel> (default being as well keystone domain default) 19:07:54 <clayg> chmouel: as long as the auth middleware is doing the remapping, the url of the data makes a difference to the ring, there's shoudln't be a data migration 19:08:13 <notmyname> keystone can map their users to swift endpoints however they want, but the important point is that it doesn't affect anything in swift 19:08:15 <davidha> Is the use pepole do with reseller prefix essentially different from whet domains will be in keystone? 19:08:33 <chmouel> clayg: well not for the domain specifics domains which woudl not need migration 19:08:35 <notmyname> davidha: ya. a reseller prefix is for swift deployments with more than one auth system 19:08:36 <chmouel> since introduced in v3 19:09:05 <chmouel> clayg: i mean domain specifics urls 19:09:07 <clayg> "doamin specifics domains"!? 19:09:16 <dolphm> i'm concerned that swift acl's wont be able to support two projects with the same name - yes it looks like it'll correctly detect that the second project is a mismatch, but that's not the same as supporting it 19:09:32 <davidha> notmyname: I am not saying anything should change in swift - but maybe the keystone middleware should have an option for mapping keystone domains to reseller prefix 19:09:40 <clayg> chmouel: oh... like *another* swift account for the domain globally instead of "just" a project? 19:09:41 <dolphm> (i'm reading the link above) 19:10:14 <chmouel> well no, but the way I sees it it's by default we have: 19:10:20 <clayg> davidha: I think that would overload what swift currently does with reseller prefix, and cause problems for people using more than one authorizer to their swift cluster 19:10:26 <chmouel> http://url/AUTH_tenantid 19:10:29 <clayg> ... but may there's room in the middle 19:10:32 <chmouel> and if we are getting from auth_token a domain 19:10:33 <notmyname> dolphm: the ACLs are opaque to swift and only matter to the auth middleware. if that needs to change to better match keystone v3, that's ok 19:10:42 <dolphm> notmyname: cool 19:10:45 <chmouel> we can have instead http://url/AUTH_tenantid@domain 19:10:53 <chmouel> or whatever url 19:11:07 <davidha> chmouel: are you sure that projectID is unqie between ketstone domains? 19:11:10 <notmyname> dolphm: the only concern (and mostly on the keystone side rather than swift) is that there is a migration path 19:11:13 <dolphm> davidha: yes 19:11:20 <chmouel> it's uuid 19:11:32 <davidha> such that we do not have domain1-project_jack and domain2-project-jack 19:11:44 <clayg> chmouel: how would the @doamin disambiguate the globally unique teantid? AUTH_tenantid@a_different_domain wouldn't make any sense to me? 19:11:52 <davidha> chmouel: well there is a project name and ther eis a uuid 19:12:01 <davidha> the project name I think is not unique 19:12:09 <chmouel> davidha: it's not using project_name but only project_id 19:12:20 <clayg> chmouel: +1 19:12:37 <clayg> that's KEY 19:12:37 <davidha> Maybe the middleware should ofer more than option for mapping to solve different use cases 19:12:38 <dolphm> names are user-defined in keystone, and now may conflict across domains; ID's are UUID's provided by keystone and therefore safe to use unencoded in URL's and stuff 19:12:38 <clayg> ;) 19:13:06 <chmouel> yep using the tenantid would ensure uniqueness and no conflict 19:13:21 <clayg> davidha: enumerate the use cases, if there's something missed there's probably time to fill the gaps 19:13:21 <davidha> if account = project uuid - we loose this nice swift charactaristic that users can define their URLs 19:13:38 <chmouel> davidha: well it never was able with keystoneauth 19:13:44 <caitlin-nexenta> UUIDs might be unique, but no user is going to want to enter them in an ACL. 19:14:06 <chmouel> because keystone could not give have endpoint url wiht %(tenant_name) 19:14:12 <dolphm> caitlin-nexenta: i'd personally like to make the default ID length configurable to ease that 19:14:13 <chmouel> only tenant_id 19:14:31 <davidha> AUTH_TEST/y387437434632643648736487326487364/mycontainer/myfile is not as good as AUTH_TEST/myaccount/mycontainer/myfile 19:14:32 <chmouel> dolphm: +1 19:14:52 <chmouel> davidha: well i think there is the keystone side to fix first if we wanted that 19:15:18 <chmouel> but i think we may work on that further when the v3 imp is stable 19:15:35 <notmyname> dolphm: so it sounds like there are a few things to discuss, but those will probably come up in patches to the keystone middleware. correct? 19:15:37 <davidha> chmouel: unless we use domain = prefix , such that the project ud becomes unique within that prefix - this still can allow using adifferent prefix to direct to a different auth system 19:15:55 <dolphm> notmyname: i think so 19:16:02 <davidha> (or that we have a configuration option for the middleware mapping - both are fine) 19:16:06 <dolphm> notmyname: auth_token isn't consuming v3 yet anyway 19:16:18 <chmouel> davidha: yes but prefix has not been designed to do that 19:16:28 <notmyname> ok. I think that would be our timeframe 19:16:42 <notmyname> dolphm: is that anticipated before girzzly or in H? 19:17:17 <davidha> notmyname: I also think it is all solvable in the middleware 19:17:30 <dolphm> notmyname: H 19:17:36 <notmyname> dolphm: ok. 19:17:38 <chmouel> davidha: +1 19:17:39 <notmyname> let's move on then 19:17:47 <notmyname> #topic summit talks 19:18:06 <notmyname> submissions for talks in the swift track (and all the others) are open at http://summit.openstack.org 19:18:24 <davidha> This will probably my first visit to portland :) 19:18:33 <notmyname> if you have something to talk about (code, designs, other technical content), please submit a talk 19:18:41 <chmouel> done! 19:18:49 <cschwede> is this still open? 19:18:50 <notmyname> the goal is not for presentations (lectures) but for conversations 19:19:07 <davidha> notmyname: deadline for submitting items? 19:19:27 <cschwede> @notmyname: ah, ok. 19:19:38 <notmyname> I don't know the deadline, but it should be after the PTL elections, I'd imagine (since the PTLs set the schedules) 19:19:53 <notmyname> so I'd guess you have a few weeks 19:20:30 <notmyname> any other questions about the summit? 19:20:59 <notmyname> #topic open discussion 19:21:18 <notmyname> any other issues that need addressing? patches that need discussion that can't happen in gerrit? 19:21:36 <davidha> I would need some assistance and guiding reg doubling the ring 19:22:24 <davidha> any volenteers? 19:22:56 <torgomatic> davidha: I should have some time to start looking at patches again soon 19:23:09 <davidha> torgomatic: Thanks 19:23:24 <notmyname> I'd like to see if your latest patch set addresses the concerns gholt has (his -2 is still there) 19:23:25 <torgomatic> I've been quite busy with other, non-Swift stuff, but that should be slowing down soonish 19:23:41 <notmyname> torgomatic: not slower, just refocused on swift things :-) 19:24:10 <davidha> notmyname: gholt indicted later that he think the ideas in the patch seem to address teh main isues 19:24:22 <davidha> but it is not a done deal yet 19:24:29 <notmyname> davidha: ya, I remember seeing something like that 19:24:59 <notmyname> he's not in here, so someone who sits near him at RAX should ask him if his -2 still stands 19:25:23 <clayg> davidha: gholt's last comment seemed to just be "please set this to work in progress" - which is a neat trick for patches you're still making changes too 19:25:27 <notmyname> davidha: if your patch is still a work in progress, cna you please mark it as such 19:25:37 <notmyname> ya. what clayg said :-) 19:25:46 <redbo> I think he meant gholt's comments on the blueprint 19:25:53 <clayg> oh yeah those! 19:26:09 <clayg> for the love of god just link an etherpad.openstack.org and get off that horrid thing 19:26:10 <davidha> yes on the blueprint 19:26:58 <notmyname> any other things to bring up today? 19:27:17 <cschwede> I'd like to know if someone is interested in a shared container approach (ie you see shared containers from other users and access them with your own storage URL). I have a working draft and would appreciate any comments 19:27:38 <chmouel> would be nice if we can get https://review.openstack.org/#/c/21563/ reviewed 19:27:52 <notmyname> cschwede: interesting. as something different than ACLs? 19:27:52 <chmouel> cschwede: what would be different to ACLs ? 19:28:13 <caitlin-nexenta> Who would control access to a shared container? 19:28:14 <cschwede> no, using current acls. We will use it as an internal dropbox for large data sets 19:28:47 <notmyname> cschwede: have you published your draft anywhere? 19:29:10 <davidha> cschwede: what does it add beyond what can be done today with ACLs 19:29:12 <davidha> ? 19:29:18 <cschwede> @chmouel: you see shared containers in your container listing, without need for the storage url from other users 19:29:51 <cschwede> @notnmyname: https://github.com/cschwede/swift-containerlist 19:29:52 <chmouel> cschwede: so is that .rlistings on ACLs ? 19:30:16 <clayg> chmouel: can you set .rlisting on your account 19:30:24 <chmouel> clayg: oh correct 19:30:26 <cschwede> @davidha: easier to use for your users 19:30:58 <chmouel> but isn't that something that can be extended in auth middlewares/acl.parse_acl? 19:31:29 <clayg> cschwede: I think it's as least an interesting idea as allowing keystone domain & project names in the url instead of tenant_id's 19:32:18 <cschwede> sorry, I meant containers from other accounts, not other users 19:32:28 <notmyname> unfortunately, I've got to run now. there's nothign scheduled in here for the next 30 minutes, so please keep discussing if you'd like 19:32:45 <clayg> I've acctually noted that not having a way to enumerate a users's permissions is sort of a hassle from a design perspective 19:32:49 <notmyname> cschwede: I'd also suggest getting feedback from devs in #openstack-swift or comments on the mailing list 19:33:06 <chmouel> clayg: +1 19:33:13 <notmyname> next meeting in two weeks 19:33:15 <notmyname> #endmeeting