Tuesday, 2018-11-27

*** jesusaur has quit IRC		00:02
*** tetsuro has joined #openstack-meeting-alt		00:04
*** cloudrancher has quit IRC		00:08
*** cloudrancher has joined #openstack-meeting-alt		00:09
*** gouthamr has left #openstack-meeting-alt		00:14
*** gouthamr has joined #openstack-meeting-alt		00:14
*** slaweq has joined #openstack-meeting-alt		00:16
*** jesusaur has joined #openstack-meeting-alt		00:23
*** slaweq has quit IRC		00:24
*** ijw has quit IRC		00:28
*** ijw has joined #openstack-meeting-alt		00:29
*** armstrong has quit IRC		00:34
*** markstur has joined #openstack-meeting-alt		01:12
*** slaweq has joined #openstack-meeting-alt		01:16
*** markstur has quit IRC		01:17
*** slaweq has quit IRC		01:24
*** ijw has quit IRC		01:47
*** ijw has joined #openstack-meeting-alt		01:48
*** ijw has quit IRC		01:52
*** hongbin has joined #openstack-meeting-alt		01:55
*** slaweq has joined #openstack-meeting-alt		02:13
*** slaweq has quit IRC		02:24
*** cloudrancher has quit IRC		02:38
*** cloudrancher has joined #openstack-meeting-alt		02:39
*** yamahata has quit IRC		02:41
*** iyamahat_ has quit IRC		02:41
*** bhavikdbavishi has joined #openstack-meeting-alt		02:55
*** ijw has joined #openstack-meeting-alt		02:56
*** ijw has quit IRC		03:01
*** slaweq has joined #openstack-meeting-alt		03:16
*** slaweq has quit IRC		03:24
*** sridharg has joined #openstack-meeting-alt		03:33
*** ijw has joined #openstack-meeting-alt		03:34
*** ijw has quit IRC		03:39
*** diablo_rojo has quit IRC		03:42
*** hongbin has quit IRC		04:06
*** iyamahat has joined #openstack-meeting-alt		04:09
*** slaweq has joined #openstack-meeting-alt		04:11
*** slaweq has quit IRC		04:24
*** yamahata has joined #openstack-meeting-alt		04:27
*** janki has joined #openstack-meeting-alt		04:49
*** ijw has joined #openstack-meeting-alt		04:50
*** ijw has quit IRC		04:55
*** ijw has joined #openstack-meeting-alt		05:10
*** ijw has quit IRC		05:14
*** markstur has joined #openstack-meeting-alt		05:20
*** markstur has quit IRC		05:24
*** ijw has joined #openstack-meeting-alt		05:28
*** ijw has quit IRC		05:33
*** ijw has joined #openstack-meeting-alt		05:47
*** carthaca has joined #openstack-meeting-alt		05:50
*** ijw has quit IRC		05:51
*** ijw has joined #openstack-meeting-alt		06:06
*** chhagarw has joined #openstack-meeting-alt		06:10
*** ijw has quit IRC		06:10
*** slaweq has joined #openstack-meeting-alt		06:11
*** bhavikdbavishi has quit IRC		06:16
*** slaweq has quit IRC		06:24
*** ccamacho has quit IRC		06:30
*** bhavikdbavishi has joined #openstack-meeting-alt		06:35
*** dpawlik has joined #openstack-meeting-alt		06:47
*** dpawlik has quit IRC		06:54
*** rcernin has quit IRC		06:58
*** markstur has joined #openstack-meeting-alt		07:17
*** markstur has quit IRC		07:22
*** dpawlik has joined #openstack-meeting-alt		07:23
*** kopecmartin\|off is now known as kopecmartin		07:26
*** dpawlik has quit IRC		07:38
*** slaweq has joined #openstack-meeting-alt		07:42
*** dpawlik has joined #openstack-meeting-alt		07:44
*** ccamacho has joined #openstack-meeting-alt		07:56
*** tssurya has joined #openstack-meeting-alt		08:13
*** chhagarw has quit IRC		08:18
*** lpetrut has joined #openstack-meeting-alt		08:21
*** jtomasek has joined #openstack-meeting-alt		08:22
*** priteau has joined #openstack-meeting-alt		08:23
*** ijw has joined #openstack-meeting-alt		08:36
*** ijw has quit IRC		08:41
*** irclogbot_1 has quit IRC		08:44
*** irclogbot_1 has joined #openstack-meeting-alt		08:47
*** tssurya has quit IRC		08:49
*** irclogbot_1 has quit IRC		08:53
*** ijw has joined #openstack-meeting-alt		08:57
*** irclogbot_1 has joined #openstack-meeting-alt		08:57
priteau	#startmeeting blazar	09:00
openstack	Meeting started Tue Nov 27 09:00:38 2018 UTC and is due to finish in 60 minutes. The chair is priteau. Information about MeetBot at http://wiki.debian.org/MeetBot.	09:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	09:00
*** openstack changes topic to " (Meeting topic: blazar)"		09:00
openstack	The meeting name has been set to 'blazar'	09:00
priteau	#topic Rollcall	09:01
*** openstack changes topic to "Rollcall (Meeting topic: blazar)"		09:01
*** masahito has joined #openstack-meeting-alt		09:01
masahito	o/	09:01
*** bertys has joined #openstack-meeting-alt		09:01
*** tssurya has joined #openstack-meeting-alt		09:01
*** ijw has quit IRC		09:01
bertys	o/	09:01
priteau	Hi masahito and bertys	09:01
priteau	tetsuro: Are you here too?	09:02
tetsuro	o/	09:02
priteau	We decided that today we would do some code review	09:03
priteau	Let's do AOB first	09:03
priteau	#topic AOB	09:03
*** openstack changes topic to "AOB (Meeting topic: blazar)"		09:03
priteau	Anything to discuss before we start discussing reviews, which might take the full hour?	09:04
*** rossella_s has joined #openstack-meeting-alt		09:04
priteau	As mentioned last week, we will cancel next week's meeting due to travel of masahito and tetsuro	09:04
priteau	If nothing let's start with the reviews	09:06
priteau	#topic Code review	09:06
*** openstack changes topic to "Code review (Meeting topic: blazar)"		09:06
priteau	In openstack/blazar, the two main patch series are resource-availability-api (resource allocation blueprint) and placement	09:07
masahito	sorry, I have to leave few mins. please start tetsuro's patches.	09:08
priteau	Otherwise we have various small fixes.	09:08
priteau	tetsuro has only one pending patch now, it's https://review.openstack.org/#/c/584744/	09:08
tetsuro	I saw your comments, priteau. Will submit another patch set.	09:09
priteau	I reviewed it yesterday, I think maybe a code path were we need to delete the inventory was missed, but I am not sure	09:09
tetsuro	Your point is fair.	09:09
tetsuro	Good catch. Thanks.	09:09
priteau	OK. While masahito is away, let's look at smaller patches.	09:11
masahito	I'm back :-)	09:11
priteau	Ah great.	09:11
priteau	We're looking at https://review.openstack.org/#/q/status:open+project:openstack/blazar+branch:master+topic:bp/resource-availability-api	09:11
priteau	I reviewed it yesterday and, while the code approach is good, I have concerns about the format of the API response	09:12
masahito	got it.	09:12
masahito	The sample response is this: http://logs.openstack.org/72/584272/8/check/build-openstack-api-ref/69d2e28/html/v1/index.html?expanded=list-allocations-detail#list-allocations	09:13
priteau	To summarize, the response looks like this: http://logs.openstack.org/72/584272/8/check/build-openstack-api-ref/69d2e28/html/v1/index.html?expanded=list-allocations-detail#list-allocations	09:13
priteau	I am thinking it would make more sense for it to look like this: http://paste.openstack.org/show/736064/	09:14
priteau	What changed: inverted "allocations" <-> "reservations", and changed the main "id" to "host_id"	09:15
priteau	With my proposed API response format, when you look at the "reservations" list, the "id" fields are actually reservation IDs, so I think it makes more sense	09:16
priteau	A more minor comment is that in the "Get Allocations" case (http://logs.openstack.org/72/584272/8/check/build-openstack-api-ref/69d2e28/html/v1/index.html?expanded=list-allocations-detail,get-allocations-detail#get-allocations), we do a GET /reservations (plural), but get back an object saying "reservation" (singular)	09:17
masahito	And your suggest is changing the URI to /v1/oshost/allocations, right?	09:17
priteau	Yes, change the endpoint name as well	09:18
priteau	What do you think?	09:18
masahito	Make sense to me.	09:19
priteau	Any though on the naming of the host ID field? Could be host_id or computehost_id. I don't know if we have any existing reference in the API already.	09:20
masahito	Ah, AFAIK you have proposed another allocation API for USER API at Denver PTG?	09:20
*** ccamacho has quit IRC		09:20
priteau	Are you talking about the https://blueprints.launchpad.net/blazar/+spec/query-reservation-candidates blueprint?	09:21
masahito	To match the host APIs, what about just "host" for the key?	09:21
priteau	"host" could work as well.	09:22
priteau	In the host API we never mention the "compute" part, so we shouldn't use "compute" actually.	09:23
masahito	No, this blueprint https://blueprints.launchpad.net/blazar/+spec/reservation-consumers-api	09:23
priteau	reservation-consumers would be under the lease API endpoint	09:24
masahito	This bp uses consumers not allocation. Never mind, it was my fault.	09:24
priteau	I need to spec it. I don't think it is related though.	09:25
priteau	If you're happy with the proposed change of API response, would you be OK updating your patches? The rest of the code looks good so I can approve quickly.	09:26
masahito	Of course.	09:26
priteau	tetsuro, bertys: any comment about this?	09:27
masahito	priteau: Now that I'm thinking about it, 'host' or 'host_id' is not better because it can't be applied to network resource.	09:28
priteau	Right. It's under /os-hosts though. But we can make it abstract enough so that the same client code can be used to parse the results.	09:29
priteau	resource_id?	09:29
masahito	Great idea!	09:29
*** ccamacho has joined #openstack-meeting-alt		09:30
priteau	With API documentation explaining that in this case, resource_id == host ID	09:30
masahito	It really make sense.	09:30
priteau	OK, I think we are in aggreement.	09:31
priteau	agreement	09:31
masahito	1. change the endpoint to allocations, 2. follow the response body to http://paste.openstack.org/show/736064/ except 'host_id', and 3. use resource_id instead of host_id in the body.	09:33
priteau	There's also the issue of "allocations" vs "allocation" in the "Get allocations on a host." case. I am unsure what is the best approach for this.	09:35
priteau	Maybe it's the endpoint that should be v1/os-hosts/{host_id}/allocation?	09:36
masahito	It looks like there is only one allocation on the host.	09:36
masahito	Another idea is removing 'resource_id' key from the response because host_id is already in the URI.	09:37
masahito	like this http://paste.openstack.org/show/736065/	09:39
*** derekh has joined #openstack-meeting-alt		09:40
priteau	It's a tricky one. The way you've originally proposed it, it looks similar to the lease and host APIs.	09:40
masahito	that's true...	09:41
priteau	I guess it could be considered as one allocation of a hosts to many reservations.	09:42
priteau	bertys: tetsuro: any thoughts on this API?	09:44
priteau	If you're happy to change the endpoint to v1/os-hosts/{host_id}/allocation (since it would return a single allocation dictionary), let's do that	09:46
priteau	Only 15 minutes left in the meeting so we should discuss other patches.	09:46
priteau	List of Blazar master patches that can be merged: https://review.openstack.org/#/q/project:openstack/blazar+is:open+label:verified+branch:master+is:mergeable	09:47
priteau	Easy one: https://review.openstack.org/#/c/620136/	09:48
priteau	Noticed it yesterday in logs, we've moved the option in config but not updated the DevStack plugin	09:48
masahito	Thank. LGTM. If others doesn't have objections, I merge it.	09:49
priteau	tetsuro: Is this something that you are implementing already? https://review.openstack.org/#/c/578641/	09:51
priteau	masahito: There's a +2 from bertys already, go ahead.	09:51
tetsuro	No I've not yet started this spec.	09:51
priteau	tetsuro: Is the spec still compatible with your approach, i.e. would you give it a +1?	09:52
priteau	I haven't looked at it in a long time	09:52
tetsuro	I'll give it a +1	09:52
tetsuro	this is compatible with what I'm doing now.	09:53
priteau	OK, great. I will give it another look as well	09:53
priteau	Mutable config patch: https://review.openstack.org/#/c/585847/	09:54
priteau	I tested it yesterday and found issues, but now realize that the issues already exist without the patch	09:54
priteau	blazar-manager doesn't like receiving SIGHUP. Maybe an eventlet issue?	09:55
priteau	I will open a Launchpad bug.	09:55
priteau	Another easy patch, just to clear the queue: https://review.openstack.org/#/c/619464/	09:56
masahito	I guess RPCServer in blazar.utils.service should need to have SIGHUP signal handler.	09:56
priteau	OK, thanks for the pointer. We will need to look into it. In the meantime I think we can merge the mutable config patch.	10:00
priteau	We're running out of time. I think most patches now have a -1 with action to update them, so we made good progress.	10:00
masahito	priteau: I'll update the floating ip spec in this week. please review it.	10:01
priteau	Thanks masahito	10:01
priteau	No meeting next week, then code review again the week after (December 11)	10:01
priteau	Thanks everyone!	10:01
priteau	Have a good trip	10:01
priteau	#endmeeting	10:01
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings/"		10:01
openstack	Meeting ended Tue Nov 27 10:01:57 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	10:02
openstack	Minutes: http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-11-27-09.00.html	10:02
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-11-27-09.00.txt	10:02
openstack	Log: http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-11-27-09.00.log.html	10:02
masahito	thanks, bye	10:02
*** bertys has quit IRC		10:04
*** masahito has quit IRC		10:13
*** bhavikdbavishi has quit IRC		10:22
*** erlon has joined #openstack-meeting-alt		10:26
*** jlvillal has joined #openstack-meeting-alt		10:58
*** markstur has joined #openstack-meeting-alt		11:07
*** markstur has quit IRC		11:11
*** bhavikdbavishi has joined #openstack-meeting-alt		11:19
*** dosaboy has quit IRC		11:24
*** dosaboy has joined #openstack-meeting-alt		11:31
*** sambetts_ is now known as sambetts\|afk		11:32
*** raildo has joined #openstack-meeting-alt		11:37
*** armstrong has joined #openstack-meeting-alt		11:43
*** rfolco is now known as rfolco_doctor		11:45
*** chhagarw has joined #openstack-meeting-alt		11:54
*** bhavikdbavishi has quit IRC		11:54
*** janki has quit IRC		11:59
*** ccamacho has quit IRC		12:12
*** tetsuro has quit IRC		12:13
*** yamamoto has quit IRC		12:16
*** yamamoto has joined #openstack-meeting-alt		12:16
*** ccamacho has joined #openstack-meeting-alt		12:41
*** erlon has quit IRC		12:48
*** vishalmanchanda has joined #openstack-meeting-alt		12:48
*** erlon has joined #openstack-meeting-alt		12:59
*** ccamacho has quit IRC		13:04
*** ccamacho has joined #openstack-meeting-alt		13:04
*** jhesketh_ has joined #openstack-meeting-alt		13:44
*** carthaca has left #openstack-meeting-alt		13:49
*** jhesketh has quit IRC		13:50
*** armstrong has quit IRC		13:53
*** pbourke has quit IRC		14:07
*** cloudrancher has quit IRC		14:15
*** cloudrancher has joined #openstack-meeting-alt		14:15
*** dustins has joined #openstack-meeting-alt		14:20
*** chhagarw has quit IRC		14:27
*** hongbin has joined #openstack-meeting-alt		14:41
*** chhagarw has joined #openstack-meeting-alt		14:51
*** rfolco_doctor is now known as rfolco		14:53
*** dpawlik has quit IRC		15:04
*** ianychoi_ is now known as ianychoi		15:06
*** chhagarw has quit IRC		15:07
*** lpetrut has quit IRC		15:18
*** lewo has joined #openstack-meeting-alt		15:27
*** bhavikdbavishi has joined #openstack-meeting-alt		15:31
*** wxy\| has joined #openstack-meeting-alt		15:36
*** pbourke has joined #openstack-meeting-alt		15:37
*** jcoufal has joined #openstack-meeting-alt		15:47
*** ayoung has joined #openstack-meeting-alt		15:48
*** jgrosso has joined #openstack-meeting-alt		15:49
*** dpawlik has joined #openstack-meeting-alt		15:50
*** dtrainor__ is now known as dtrainor		15:52
*** jcoufal has quit IRC		15:52
*** gagehugo has joined #openstack-meeting-alt		15:53
*** ttsiouts has joined #openstack-meeting-alt		15:58
lbragstad	#startmeeting keystone	16:00
openstack	Meeting started Tue Nov 27 16:00:29 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	16:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	16:00
*** openstack changes topic to " (Meeting topic: keystone)"		16:00
openstack	The meeting name has been set to 'keystone'	16:00
lbragstad	#link https://etherpad.openstack.org/p/keystone-weekly-meeting	16:00
lbragstad	agenda ^	16:00
wxy\|	o/	16:00
gagehugo	o/	16:01
lbragstad	we can give folks a couple minutes	16:01
*** dansmith has quit IRC		16:02
*** dansmith has joined #openstack-meeting-alt		16:02
*** diablo_rojo has joined #openstack-meeting-alt		16:02
knikolla	o/	16:02
jdennis	jdennis: o/	16:02
lbragstad	alright - let's go ahead and get started	16:03
lbragstad	#topic announcements	16:03
*** openstack changes topic to "announcements (Meeting topic: keystone)"		16:03
lbragstad	#info we're just over a month away from milestone-2	16:04
lbragstad	reminder that milestone-2 is going to mark specification freeze	16:04
lbragstad	and feature proposal freeze is only a couple weeks after that	16:04
lbragstad	there are still several specifications up for review that we're planning on implementing this release	16:04
lbragstad	please take a look if you have time	16:04
*** cloudrancher has quit IRC		16:04
lbragstad	#link https://review.openstack.org/#/c/599491/	16:05
lbragstad	#link https://review.openstack.org/#/c/541903/	16:05
*** cloudrancher has joined #openstack-meeting-alt		16:05
lbragstad	and a bunch of those ones for the edge/multi-region/federated use cases we talked about in Berlin	16:05
lbragstad	also	16:06
lbragstad	#info keystoneclient-devstack-functional is failing	16:06
lbragstad	frickler brought this to us this morning	16:06
lbragstad	it's been failing consistently for some time	16:06
gagehugo	mysql password incorrect?	16:06
*** munimeha1 has joined #openstack-meeting-alt		16:07
lbragstad	#link http://logs.openstack.org/39/605539/24/check/keystoneclient-devstack-functional/9fff540/job-output.txt.gz#_2018-11-27_04_39_26_939041	16:07
lbragstad	yeah - it's strange	16:07
lbragstad	I noticed other projects have similar scripts, nearly identical actually	16:07
lbragstad	but they their functional jobs aren't failing	16:07
lbragstad	but their*	16:07
lbragstad	so it might be something with zuul + how we set things up in keystone	16:08
lbragstad	anyway - wanted to plug it here in case it piqued anyone'	16:08
lbragstad	anyone's interest*	16:08
lbragstad	#topic Keystone as an IdP	16:09
*** openstack changes topic to "Keystone as an IdP (Meeting topic: keystone)"		16:09
lbragstad	i'm not sure kmalloc is around	16:09
lbragstad	but the plan is to go through all the bits for this in more detail, since it was discussed at length in Berlin	16:09
lbragstad	and there are more than a handful of new specs related to it	16:10
lbragstad	we'll circle back if kmalloc hops on	16:10
lbragstad	#topic default roles and system-scope progress	16:10
*** openstack changes topic to "default roles and system-scope progress (Meeting topic: keystone)"		16:10
lbragstad	this is one of the bigger initiatives we're tackling this release	16:10
lbragstad	i apologize for all the IRC bot and bug spam recently	16:10
lbragstad	but I broke everything out into smaller bug reports, hoping that it will help enable people to pick things up	16:11
kmalloc	O/	16:11
lbragstad	so they don't feel pressured into committing to a whole pile of work	16:11
lbragstad	they can just pick up a couple things here or there if they have time, but would still be a huge help	16:11
*** markstur has joined #openstack-meeting-alt		16:11
lbragstad	ultimately, i created bugs for all keystone policies/apis that aren't currently using the defaults roles work hrybacki did in rocky	16:12
lbragstad	#link https://bugs.launchpad.net/keystone/+bugs?field.tag=default-roles	16:12
kmalloc	here.	16:12
kmalloc	sorry	16:12
lbragstad	no worries - i'll wrap up my topic quick and hand the floor over	16:12
ayoung	works for me	16:13
kmalloc	no arch diagram that will be next week.	16:13
lbragstad	here is what an example fix for the default role bugs looks like	16:13
kmalloc	but we can go over stuff otherwise.	16:13
lbragstad	#link https://review.openstack.org/#/c/620156/1	16:13
lbragstad	it's mostly tests that showcase the behaviors for each scope	16:13
ayoung	there are some subtlties on the implied roles one, I added a comment. Lets us keep a place for those convos, so, I like the smaller bug reports	16:13
lbragstad	++	16:13
lbragstad	i also have other reports dedicated to system-scope gaps	16:14
lbragstad	#link https://bugs.launchpad.net/keystone/+bugs?field.tag=system-scope	16:14
lbragstad	ideally - they go hand-in-hand	16:14
lbragstad	but depending on the API, there isn't a dependency between those two bugs if they affect the same API	16:15
lbragstad	just trying to make sure we track how much work it takes to fix all this	16:15
lbragstad	does anyone have comments, questions, or concerns about system-scope or default roles work?	16:15
lbragstad	or wants to jump in and pick up one or two?	16:16
lbragstad	;)	16:16
ayoung	lbragstad, we are ok with breaking people with these, right?	16:16
lbragstad	break people how?	16:16
ayoung	changing roles for APIs will not match the old policies.	16:17
lbragstad	yeah - so we have tooling in oslo.policy to handle that for us	16:17
lbragstad	and make it graceful for operators	16:17
ayoung	Hopefully in a "it not longer works" way as oppposed to "oops we let something else in" way	16:17
lbragstad	my goal is to be explicit with the former	16:18
kmalloc	as long as we support the model of: [override-new] > [override-old] > (DEFAULT NEW \|\| DEFAULT OLD)	16:18
kmalloc	we should be 100% ok	16:18
lbragstad	so it's really clear what we support by default from an authorization perspective upstream	16:18
kmalloc	and not letting random stuff fall through	16:18
kmalloc	just adding additional permissions that operators can opt into	16:19
kmalloc	(for transition)	16:19
lbragstad	#link https://review.openstack.org/#/c/614195/ should help with that	16:19
kmalloc	and then it becomes Override NEw > Default New (eventually)	16:19
lbragstad	same with #link https://review.openstack.org/#/c/613635/	16:19
kmalloc	once transition is done	16:19
kmalloc	long view.	16:19
lbragstad	we'll also need #link https://review.openstack.org/#/c/611443/	16:20
lbragstad	kmalloc those cases might be addressed in https://review.openstack.org/#/c/614195/5/oslo_policy/tests/test_policy.py	16:21
kmalloc	lbragstad: i'll check	16:22
lbragstad	thanks	16:22
kmalloc	i want to be sure	16:22
kmalloc	:)	16:22
lbragstad	ultimately, everything under keystone.tests.unit.protection.v3 should explicitly test each scope against each default role	16:22
kmalloc	i need to leave as soon as the meeting is over btw.	16:22
lbragstad	ok - that's about all i had for this	16:23
lbragstad	feel free to ping me if you'd like to chip in on a couple of those bugs, or have questions	16:23
lbragstad	otherwise, i have fixes for several of them up (i need to update the branch)	16:23
lbragstad	#link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1788415	16:23
lbragstad	and they are all dependent on #link https://review.openstack.org/#/c/605539/	16:24
lbragstad	once ^ merges, I'll rebase them	16:24
lbragstad	any other questions?	16:24
kmalloc	... "lance, where do users come from?" :P	16:25
ayoung	Are we going to go into this detail for the other services?	16:25
lbragstad	HTTP 403	16:25
lbragstad	ayoung how do you mean?	16:25
ayoung	Nova	16:25
kmalloc	ayoung: we will provide help as we did for in-code policy	16:25
lbragstad	like helping them consume these changes?	16:25
ayoung	Neutron and so on. Bug reports for the APIS?	16:26
lbragstad	i'll likely leave that to each project	16:26
ayoung	a way to have the convos about what scope a given API should really have?	16:26
kmalloc	the plan is to support and make it a community goal	16:26
kmalloc	similar to how we did policy-in-code	16:26
lbragstad	right	16:26
ayoung	Yeah...and GLance will get around to it.	16:26
kmalloc	glance needs help	16:26
kmalloc	it is probably a place we need to explicitly step up	16:26
lbragstad	before we can do that we'll need to have it working in keystone first	16:26
kmalloc	=/	16:26
kmalloc	but i think the order is Keystone, Nova, Community Goal... and supporting glance	16:27
lbragstad	jokke and i had a conversation about how policy-in-code works	16:27
lbragstad	i think he's up to speed now	16:27
kmalloc	glance will get there	16:27
lbragstad	he told me a couple days ago that he's going to poke with the changes locally	16:27
ayoung	https://review.openstack.org/#/c/501360/ Still -1. I'll rework that	16:27
kmalloc	they might get policy-in-code and new defaults in short succession	16:27
*** jcoufal has joined #openstack-meeting-alt		16:28
*** apetrich has quit IRC		16:28
ayoung	Cool. This really needs to be in across the board to be usable	16:28
kmalloc	that is the plan.	16:29
lbragstad	i agree	16:29
ayoung	We need a banana test in Tempest	16:29
ayoung	create a "banana" role and assign it. It should not be able to do anything	16:29
lbragstad	gmann is working on the system-scope stuff from the tempest side	16:29
kmalloc	ayoung: sorryk, but our new super-admin role is named banana	16:30
*** lpetrut has joined #openstack-meeting-alt		16:30
kmalloc	/s	16:30
ayoung	https://lh3.googleusercontent.com/-CjxR7w-1iHA/UvfAaZCCr6I/AAAAAAAAJtk/G-Knih6Ze7M/s400/We%2520Are%2520in%2520a%2520Book%2520Mo%2520Willems%25202.jpg	16:31
ayoung	You guys don't know Elephant and Piggy. yet.	16:31
lbragstad	anything else before we move on?	16:31
lbragstad	#topic Keystone as an IdP Proxy	16:32
*** openstack changes topic to "Keystone as an IdP Proxy (Meeting topic: keystone)"		16:32
lbragstad	kmalloc you're up	16:32
kmalloc	ok	16:32
kmalloc	quick note: I am working on an architecture diagrame	16:32
knikolla	awesome	16:33
kmalloc	it should be done for the next meeting. but with holiday/travel/other things... it's a bit delayed	16:33
lbragstad	cc ildikov ^	16:33
kmalloc	it will cover the forward looking goals I see for Keystone, specifically how it works as an IDP and an IDP Proxy	16:33
ayoung	Why do we call it a Proxy?	16:33
kmalloc	officially that is the wrong term	16:34
knikolla	broker?	16:34
kmalloc	i am trying to reword that to be Broker	16:34
kmalloc	yes	16:34
lbragstad	because the idea was to shuffle identities between formats	16:34
*** chhagarw has joined #openstack-meeting-alt		16:34
ayoung	And not just IdP?	16:34
ayoung	Ah	16:34
kmalloc	it's some rewiring in my head to keep saying Identity Broker	16:34
lbragstad	so if you have a google user	16:34
kmalloc	we will be a full featured IDP but also have the ability to broker from one form to another	16:34
kmalloc	IDP[s] -> Keystone -> SP[s]	16:35
ayoung	Translation from SAML to OIDC and so on?	16:35
lbragstad	you can use keystone to convert whatever google gives you to prove your identity, to something else	16:35
kmalloc	yes	16:35
kmalloc	ayoung: the SPs will consume whatever they consume, keystone will broker from one form to that form for the SP.	16:35
kmalloc	or the best form for the SP in the case it supports many	16:35
knikolla	right now we already do that but with SAML ECP.	16:35
ayoung	Adapter	16:35
knikolla	for the k2k pieces.	16:35
kmalloc	the industry(ish) term is broker for this	16:36
lbragstad	well - we do have a great track record for naming things	16:36
ayoung	https://en.wikipedia.org/wiki/Adapter_pattern	16:36
kmalloc	it is an adapter pattern	16:36
ayoung	But...Broker is right	16:36
kmalloc	yep.	16:36
kmalloc	100%	16:36
ayoung	because we are not making an Adapter, we are converting one to the other	16:36
kmalloc	so, the core bits we need from today.	16:36
kmalloc	1) Auth will be split from CRUD (backlogged SPEC)	16:37
kmalloc	this is so our well-defined endpoints for auth are located at /auth/XXXX	16:37
kmalloc	/v3/auth will reamin	16:37
kmalloc	remain*	16:37
kmalloc	no one will be broken on that front	16:37
ayoung	But...we are going to add additional auth attributes in addition to the original assertion. Specifically, we add the Keystone role assignment data. THey can ignore it, but they can consume it, too, right?	16:37
kmalloc	the goal is here 2 fold: let us iterate on crud independant of auth and auth can be exposed in isolation from crud for auth to the SPs	16:38
kmalloc	ayoung: correct. we will pass through but also allow for applying keystone permissions directly	16:38
kmalloc	ayoung: that is the "virtual organization" parts.	16:38
ayoung	Cool. This is going to explode on us, but, I think, in a good way	16:39
kmalloc	the second bit we need (2)	16:39
kmalloc	is the principal object	16:39
kmalloc	this is to replace shadow users.	16:39
kmalloc	and be fully featured	16:39
lbragstad	hopefully we can just extend shadow users	16:40
kmalloc	keystone will maintain a single consistent user object that many AuthN sources can hook onto	16:40
kmalloc	it is either "extend and fix shadow users" or "replace shadow users and drop shadow users"	16:40
kmalloc	it looks to be about the same amount of work	16:40
lbragstad	yeah - i just hope its the first and not the second :)	16:40
kmalloc	and i worry how deep / odd shadow users is due to where it left off	16:40
kmalloc	Key bits: Users are principals	16:41
kmalloc	Groups are groupings of principals	16:41
kmalloc	app creds are principals	16:41
kmalloc	projects are most likely a group of principals	16:41
*** tpsilva has joined #openstack-meeting-alt		16:41
ayoung	app creds contain a principal and a delegation	16:41
kmalloc	ayoung: ++	16:41
lbragstad	i think the next step in that work is to grok the current state of things	16:42
kmalloc	the key is normalizing the data structure and making sure we have a clear object that AuthN hooks into, a source of AuthN will be the SQL (password) backend or LDAP backend	16:42
lbragstad	and see if we can trace steps that rderose and dstanek were workings towards	16:42
kmalloc	these will not implement the entire identity driver anymore, they will be a source of Auth hooked onto the user principal	16:42
*** apetrich has joined #openstack-meeting-alt		16:42
kmalloc	any questions so far? I can keep moving on the rest of the bits needed	16:43
ayoung	Are we going to support a basi-cauyth mechansim under /auth?	16:43
ayoung	basic-auth	16:44
kmalloc	ayoung: the plan would be to be more fully featured on that front	16:44
kmalloc	and implement as much as we can directly in python	16:44
kmalloc	we may offload to a web server/module	16:44
lbragstad	ayoung like #link https://en.wikipedia.org/wiki/Basic_access_authentication ?	16:44
kmalloc	but we should implement the functionality 100% in python where possible	16:44
ayoung	Yeah, basic auth would have to be Python	16:44
kmalloc	lbragstad: yeah, both basic and digest mode.	16:45
ayoung	and work based on a GET	16:45
kmalloc	part of that deal is there will be a UI added to keystone.	16:45
kmalloc	we are a standalone IDP, deployers need a way to interact with keystone	16:45
kmalloc	in isolation of horizon etc	16:45
kmalloc	we will continue support for horizon (of course)	16:46
ayoung	"All My plans are coming together"	16:46
kmalloc	BASIC AUTH, SAML, OIDC, Digest+Basic will work	16:46
kmalloc	we will also implement support for U2F/FIDO in the ui for Multi-factor Auth	16:46
kmalloc	the UI will be something akin to React based (may change the framework)	16:47
kmalloc	the goal is to strictly reference the API not be a layer inbetween with more python (e.g. django)	16:47
*** markstur_ has joined #openstack-meeting-alt		16:48
ayoung	Do we have an HTML renderer for Flask?	16:48
kmalloc	there will be discussions about a V4 crud api along the way for supporting the UI because we may want to restructure how the API works for this (breaking changes, but mostly cruft cleanup/re-homing)	16:48
kmalloc	ayoung: flask easily supports it	16:48
kmalloc	ayoung: we already use it in a couple places, notably in 404 errors	16:48
kmalloc	unrouted-404 errors	16:49
kmalloc	and some other cases (ec2)	16:49
kmalloc	the V4 CRUD api will be discussed one the core bits of Keystone are worked through	16:49
kmalloc	once*	16:50
kmalloc	that would be in support of the UI. restructuring the API under flask is much faster if we decide to do this.	16:50
kmalloc	a couple additional security bits will be needed	16:50
ayoung	Excellent	16:50
kmalloc	JWT (for full OIDC support)	16:50
kmalloc	yes i classify that as security	16:50
*** markstur has quit IRC		16:51
lbragstad	<shameless-plug>The jwt stuff is up for review along with the specification</shameless-plug>	16:51
kmalloc	i want to fully support the timestamp protocol as well for signing when things occur (creation/cadf/tokens) as well	16:51
kmalloc	we will need to look at the at-rest data storage in SQL and ensure we are being good at PII, and can support PCI-DSS/NIST recommendations as well as cover GDPR concerns	16:52
lbragstad	time check - 7 minutes left	16:52
kmalloc	thanks	16:52
knikolla	this, adjutant, and athenz makes me so happy.	16:53
ayoung	kmalloc, you do all your keystone development in containers, right? Do you have a document contributors can follow? Should we get that into keystone/doc/source?	16:53
kmalloc	we will finally need to add much much much better autoprovisioning	16:53
kmalloc	ayoung: i plan to get that codified into git (the dev docs)	16:54
ayoung	++	16:54
kmalloc	and yes, i use containers for everything	16:54
* lbragstad has ideas for that based on what penick was talking about		16:54
kmalloc	lbragstad: exactly	16:54
ayoung	I'll revisit. Its been a year	16:54
ayoung	or more	16:54
kmalloc	so, in Stein: I want these things to land	16:54
kmalloc	1) Auth support at /auth	16:54
lbragstad	fwiw - i was going to wait for recordings to get posted for posting by summary	16:54
knikolla	with the above things aligning with what i need to get done for the MOC, y'all get 60% of my time.	16:55
lbragstad	but that's going to be a bit, so i'll just publish today and update later	16:55
kmalloc	2) principal work (shadow users rework)	16:55
knikolla	up from 20%	16:55
kmalloc	3) Federation support (brokering) changes	16:55
kmalloc	4) JWT	16:55
kmalloc	(no particular order)	16:55
kmalloc	autoprovisioning becomes a #5 if we can	16:56
kmalloc	v4 API, UI, Timestamp protocol, those will likely be post Stein	16:56
kmalloc	we will also need a LOT of cleanup on our internal SQL store.	16:56
kmalloc	oh one last bit we need to clearly work out	16:57
kmalloc	E-Tag/Cache-Control	16:57
ayoung	Videos are slow to land this summit. Something is not working right in the process. Used to be up during the week of.	16:57
kmalloc	which comes post UI	16:57
kmalloc	so i see 3-4 specs in Stein.	16:57
kmalloc	still to do.	16:58
kmalloc	JWT is almost done, so that is easy	16:58
*** vishalmanchanda has quit IRC		16:58
* kmalloc hands the mic back to lbragstad		16:58
knikolla	kmalloc: i can take on some of that during office hours. together with polishing the renewable app creds specs.	16:58
kmalloc	cool.	16:58
knikolla	so let's sync up	16:58
lbragstad	#topic open discussion	16:58
*** openstack changes topic to "open discussion (Meeting topic: keystone)"		16:58
kmalloc	oh yeah refreshable app creds needed too	16:58
kmalloc	haha	16:59
lbragstad	one minute left if anyone has anything	16:59
kmalloc	i am AFK for a few hours post meeting	16:59
kmalloc	fyi (knikolla)	16:59
kmalloc	not IDP related	16:59
kmalloc	we should explore gabbi for functional tests	16:59
kmalloc	cdent has done a good chunk of work on it.	16:59
kmalloc	it's awesome.	16:59
*** gyee has joined #openstack-meeting-alt		16:59
kmalloc	gyee: you're off by an hour :P DST!	16:59
lbragstad	alright - let's wrap up	16:59
lbragstad	thanks for coming, all	17:00
lbragstad	reminder office hours in -keystone	17:00
lbragstad	#endmeeting	17:00
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings/"		17:00
openstack	Meeting ended Tue Nov 27 17:00:22 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	17:00
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-11-27-16.00.html	17:00
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-11-27-16.00.txt	17:00
*** jdennis has left #openstack-meeting-alt		17:00
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-11-27-16.00.log.html	17:00
*** lpetrut has quit IRC		17:01
*** gagehugo has left #openstack-meeting-alt		17:02
*** wxy\| has quit IRC		17:04
*** ttsiouts has quit IRC		17:06
*** ttsiouts has joined #openstack-meeting-alt		17:07
*** lpetrut has joined #openstack-meeting-alt		17:10
*** ttsiouts has quit IRC		17:11
*** dpawlik has quit IRC		17:13
*** dpawlik has joined #openstack-meeting-alt		17:14
*** dpawlik has quit IRC		17:18
*** diablo_rojo has quit IRC		17:19
*** derekh has quit IRC		17:23
*** dpawlik has joined #openstack-meeting-alt		17:29
*** apetrich has quit IRC		17:30
*** jcoufal has quit IRC		17:31
*** dpawlik has quit IRC		17:34
*** diablo_rojo has joined #openstack-meeting-alt		17:35
*** apetrich has joined #openstack-meeting-alt		17:50
*** ijw has joined #openstack-meeting-alt		17:56
*** yamahata has quit IRC		17:58
*** iyamahat has quit IRC		17:58
*** ijw has quit IRC		18:02
*** bnemec has quit IRC		18:06
*** jcoufal has joined #openstack-meeting-alt		18:06
*** bnemec has joined #openstack-meeting-alt		18:06
*** bhavikdbavishi has quit IRC		18:08
*** sridharg has quit IRC		18:09
*** jtomasek has quit IRC		18:12
*** kopecmartin is now known as kopecmartin\|off		18:16
*** iyamahat has joined #openstack-meeting-alt		18:18
*** lpetrut has quit IRC		18:33
*** jgrosso has quit IRC		18:35
*** tsmith_ has joined #openstack-meeting-alt		18:37
*** yamahata has joined #openstack-meeting-alt		18:37
*** dpawlik has joined #openstack-meeting-alt		18:37
*** tsmith2 has quit IRC		18:40
*** tsmith_ is now known as tsmith2		18:40
*** dpawlik has quit IRC		18:42
*** tssurya has quit IRC		18:50
*** dpawlik has joined #openstack-meeting-alt		18:53
*** Ablu has quit IRC		18:54
*** dpawlik has quit IRC		18:57
*** jlvillal has left #openstack-meeting-alt		19:11
*** Ablu has joined #openstack-meeting-alt		19:13
*** erlon has quit IRC		19:17
*** chhagarw has quit IRC		19:28
*** dpawlik has joined #openstack-meeting-alt		19:38
*** cloudrancher has quit IRC		19:39
*** cloudrancher has joined #openstack-meeting-alt		19:40
*** cloudrancher has quit IRC		19:40
*** cloudrancher has joined #openstack-meeting-alt		19:41
*** ayoung has quit IRC		19:51
*** Ablu has quit IRC		19:56
*** cloudrancher has quit IRC		20:00
*** cloudrancher has joined #openstack-meeting-alt		20:01
*** Ablu has joined #openstack-meeting-alt		20:04
*** dustins has quit IRC		20:06
*** jcoufal has quit IRC		20:09
*** jtomasek has joined #openstack-meeting-alt		20:17
*** slaweq_ has joined #openstack-meeting-alt		20:44
*** jtomasek has quit IRC		20:45
*** rossella_s has quit IRC		20:57
*** slaweq_ has quit IRC		21:03
*** raildo has quit IRC		21:14
*** jcoufal has joined #openstack-meeting-alt		21:28
*** yamamoto has quit IRC		21:29
*** tpsilva has quit IRC		21:31
*** priteau has quit IRC		21:47
*** dpawlik has quit IRC		21:54
*** dpawlik has joined #openstack-meeting-alt		21:55
*** dpawlik has quit IRC		22:00
*** slaweq has quit IRC		22:03
*** yamamoto has joined #openstack-meeting-alt		22:07
*** yamamoto has quit IRC		22:18
*** slaweq has joined #openstack-meeting-alt		22:19
*** slaweq has quit IRC		22:24
*** munimeha1 has quit IRC		22:45
*** rossella_s has joined #openstack-meeting-alt		22:45
*** iyamahat_ has joined #openstack-meeting-alt		22:53
*** priteau has joined #openstack-meeting-alt		22:54
*** jcoufal has quit IRC		22:56
*** iyamahat has quit IRC		22:56
*** radeks has quit IRC		22:57
*** rcernin has joined #openstack-meeting-alt		22:57
*** iyamahat_ has quit IRC		22:58
*** iyamahat has joined #openstack-meeting-alt		22:58
*** priteau has quit IRC		22:58
*** rossella_s has quit IRC		23:23
*** slaweq has joined #openstack-meeting-alt		23:29
*** slaweq has quit IRC		23:33
*** yamamoto has joined #openstack-meeting-alt		23:34
*** jhesketh_ is now known as jhesketh		23:51
*** iyamahat has quit IRC		23:54
*** diablo_rojo has quit IRC		23:57
*** hongbin has quit IRC		23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!