17:03:25 <thinrichs> #startmeeting CongressTeamMeeting
17:03:26 <openstack> Meeting started Tue May 27 17:03:25 2014 UTC and is due to finish in 60 minutes.  The chair is thinrichs. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:27 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:29 <openstack> The meeting name has been set to 'congressteammeeting'
17:03:49 <skn_> It’s weird.  I used launchpad to create the id
17:04:22 <thinrichs> skn_: I don’t know how to get your name to show up on review.openstack as a potential reviewer.
17:04:34 <thinrichs> If anyone knows a quick-fix, let us know.  Otherwise we’ll do that offline.
17:04:57 <skn_> Yup.  Let me know too.
17:05:15 <thinrichs> Let’s do our usual thing of going over action items from last week, briefly.
17:05:24 <thinrichs> sarob: are you here?
17:05:39 <iben> he's not signed on now
17:05:39 <thinrichs> Hmm.. doesn’t look like it.  Let’s hope he joins later.
17:05:57 <thinrichs> We had a couple of new use cases that were supposed to go up on the wiki.
17:06:04 <thinrichs> skn_: how’d you do with yours?
17:06:44 <skn_> I have some write up, but I’ll have to first figure out where to put
17:06:52 <banix> is there a link?
17:06:53 <skn_> where to put it, i mean
17:07:04 <thinrichs> https://wiki.openstack.org/wiki/Congress#Use_Cases
17:07:09 <skn_> Oh ok
17:07:19 <thinrichs> We have a list with brief descriptions at the URL.
17:07:19 <banix> thinrichs: thanks
17:07:29 <skn_> But these are like one liners
17:07:48 <thinrichs> banix (and all other newcomers): the wiki *should* have links to all the resources.  So that’s the one-stop shop.
17:07:50 <skn_> I thought we’d have a lil more descriptive
17:08:07 <thinrichs> skn_: We don’t yet have a doc with longer descriptions.  Want to start one?
17:08:19 <skn_> HI banix, what’s your name?
17:08:32 <skn_> I think so, we should have a doc
17:08:39 <banix> Mohammad Banikazemi
17:08:56 <banix> skn_: Hi ^^^
17:09:15 <thinrichs> skn: sounds good.  Can we use your writeup to seed that doc?
17:09:22 <thinrichs> pballand: where should we host the doc?
17:09:24 <skn_> Yes, I will
17:09:52 <pballand> thinrichs: doc for use cases?
17:09:53 <skn_> Hi Mohammad.  Are you from IBM, who presented the neutron group policy?
17:09:57 <thinrichs> pballand: yes
17:10:07 <banix> we use google docs
17:10:15 <banix> skn_: Yes that’s me :)
17:10:23 <pballand> I’d go with google docs, or in the repo
17:10:38 <sarob_> Halo
17:10:44 <skn_> Oh, cool.  This is Susanta from Symantec.  We chatted a lil bit after your talk at OpenStack, remember?
17:10:52 <skn_> Hey sarob
17:10:59 <pballand> if we don’t expect many comments, checking them in near the specs sounds good to me
17:11:08 <sarob_> Yup
17:11:08 <thinrichs> sarob: glad you could make it.
17:11:11 <banix> skn_: Ahhh yes. great to see you here :)
17:11:35 <skn_> Good to see all you guys made it today
17:11:40 <thinrichs> sarob: we were just discussing the use case writeups we talked about last week.
17:11:52 <sarob_> Board stuff bleeding over
17:11:56 <thinrichs> sarob: We’re going to either put them in the repo or on a google doc.  Sound good?
17:12:02 <sarob_> Got it
17:12:07 <sarob_> Yup
17:12:21 <skn_> So we create a google doc for the use cases and put it where?
17:12:27 <pballand> does anyone have any preference?
17:12:49 <thinrichs> A google doc might make it easier for non-coders to add use cases.
17:13:03 <thinrichs> I’m leaning toward a google doc.
17:13:13 <skn_> Maybe we can just link it from those one liners in Congress wiki
17:13:22 <thinrichs> skn: yep.
17:13:33 <pballand> https://docs.google.com/document/d/1ExDmT06vDZjzOPePYBqojMRfXodvsk0R8nRkX-zrkSw/edit?usp=sharing
17:13:34 <sarob_> Gdoc will be easier for the non git gerrit people
17:13:40 <rajdeep> google docs is easier unless the doc becomes large
17:13:49 <rajdeep> or we need to maintain history
17:14:00 <pballand> I’ll link from the wiki
17:14:04 <thinrichs> pballand: no need for even an action item for that, it seems.  Nice.  :)
17:14:49 <skn_> Thanks pballand
17:15:00 <thinrichs> skn_: when you copy your description in there, let us all know so we can take a look.
17:15:10 <thinrichs> sarob: any progress on your use case?
17:15:18 <skn_> We should have at least one paragraph for each of the use cases
17:15:48 <skn_> sarob: I have something written,  I’ll try to clean it up and put it in the doc today or tomorrow when I get time
17:16:11 <sarob_> No sorry. I was slammed last week
17:16:28 <sarob_> I have some time today
17:16:39 <thinrichs> sarob: no worries.  Let us know if we can help.
17:17:03 <sarob_> I'll post to the gdoc for collaboration and such
17:17:17 <thinrichs> sarob: sounds good.
17:17:50 <thinrichs> Especially for you newcomers, if you have use cases you’re interested in, put them in the doc and drop us a note so we can take a look.
17:17:57 <skn_> pballand: is the gdoc open to edit for everyone?
17:18:22 <pballand> it should be editable by anyone with the link
17:18:30 <thinrichs> I just edited it.
17:18:35 <sjcazzol> good, we are developing some new scenarios that could be addressed
17:18:37 <pballand> I can lock it down to emails I have
17:18:51 <thinrichs> sjcazzol: great!  Love to see them.
17:18:57 <thinrichs> pballand: let’s leave it open to the world.
17:19:18 <iben> How many use cases are we shooting for to start with?
17:19:30 <iben> will they be prioritized based on effort?
17:19:35 <banix> yeah open to the world will be better
17:19:36 <thinrichs> iben: I think we want to know what people are interested in and then yes, prioritized.
17:20:04 <iben> would security be one <— as an example?
17:20:08 <thinrichs> iben: meant to say we’ll prioritize them
17:20:22 <thinrichs> iben: I think we’d want something more specific than “security”.
17:20:25 <skn_> iben: Yes, I am working on a security use case
17:20:35 <skn_> IDS use case
17:20:35 <thinrichs> What data sources are needed?  What’s the concrete policy?  Etc.
17:20:46 <iben> sure - of course - but as a general category - okay - gotcha!
17:21:04 <pballand> iben: we would like to highlight cross-component uses
17:22:25 <skn_> I think we’ll need some discussion on the policy caching etc, after we make some progress with the use cases
17:23:13 <thinrichs> There’s for sure lots to discuss.
17:23:25 <sarob_> Acls being applied as set will be critical
17:23:42 <thinrichs> We are hoping to get an alpha release out in the next couple of weeks.  People are starting to ask for it.
17:24:27 <skn_> Can’t folks just download from the stackforge?
17:24:30 <thinrichs> sarob: good to know.  Let’s get it up on that google doc so we can start prioritizing dev effort.
17:24:43 <thinrichs> skn: They can get the code, but they won’t be able to do much with it right now.
17:24:55 <thinrichs> The policy engine and data sources don’t talk to each other.
17:25:16 <thinrichs> I’m working on that currently.  I’m hoping to have significant time this week to devote.
17:25:22 <thinrichs> But I’ve also got jury duty.  Fun.
17:25:26 <skn_> thinrichs: Oh, ok, got it.  Do we have a readme there?
17:25:54 <thinrichs> The file is there, but I doubt it says anything interesting since the code isn’t yet functional.
17:26:02 <skn_> I see
17:26:29 <thinrichs> I forgot to record action items for sarob and skn_.
17:26:45 <thinrichs> #action sarob, skn_ will put their use cases on the use case google doc linked from the wiki
17:26:56 <sjcazzol> thinrichs: which are the main features that are missing for the alpha?
17:27:03 <thinrichs> #action thinrichs will continue working on policy/datasource integration
17:27:06 <skn_> Is it already linked from wiki?
17:27:14 <pballand> skn_: yes
17:27:17 <thinrichs> sjcazzol: mainly the integration I mentioned and the API implementation
17:27:28 <thinrichs> pballand is working on the API
17:27:47 <thinrichs> I’m hoping to have something in review by end of week.
17:27:47 <sjcazzol> thinrichs: ok, nice
17:27:48 <skn_> pballand: where is the link in the wiki?
17:28:13 <thinrichs> pballand: an eta on the API?
17:28:22 <thinrichs> skn: refresh your web page and you’ll see it at the top.
17:28:29 <pballand> skn_: search for “use cases"
17:29:15 <skn_> pballand: https://wiki.openstack.org/wiki/Congress#Use_Cases is where I am looking at, but I don’t see the link
17:29:16 <pballand> thinrichs: I keep hoping for some serious time to devote - at the risk of sounding like a broken record, I think this week is reasonable
17:29:52 <thinrichs> kudva, who I don’t see here today, is also working on adding builtins to the policy language.
17:30:09 <thinrichs> Builtins are things like addition, subtraction, string manipulation.
17:30:34 <thinrichs> Builtins aren’t strictly necessary for the alpha, but it would be nice to have them.
17:31:31 <thinrichs> rajdeep: are you still here?  I saw you signed off.
17:31:36 <rajdeep_> yes
17:31:38 <pballand> skn_: I had linked at the top, but added a link to that section as well
17:31:42 <rajdeep_> i am there
17:31:59 <thinrichs> I saw your unit tests for Nova were merged.
17:32:05 <skn_> pballand: Thanks!  Now I see it :)
17:32:18 <rajdeep_> thanks - those were first set of test cases
17:32:33 <thinrichs> Newcomers: rajdeep has been working on writing thin wrappers around Nova/Neutron so that we can write policy over the data they expose.
17:32:36 <rajdeep_> which test conversion of dictionary into tuples
17:33:10 <banix> rajdeep_: nice
17:33:35 <kudva> Hi Kudva joining, sorry for the delay
17:33:36 <rajdeep_> it will be great to take a look at the drivers for neutron and nova and provide feedback on amount of data coming in
17:33:41 <sjcazzol> rajdeep_: great
17:34:01 <thinrichs> kudva: glad you could join us.
17:34:11 <sjcazzol> rajdeep_: are you targeting other components too?
17:34:31 <rajdeep_> yes once i have the unit tests completed
17:34:40 <rajdeep_> nova and neutron were critical which are done
17:34:47 <rajdeep_> next is cinder and keystone
17:35:00 <thinrichs> sjcazzol: any components you’re specifically interested in?
17:35:03 <rajdeep_> - we should prioritize
17:35:12 <thinrichs> We were focused on integrating those necessary for one of our use cases.
17:35:18 <sjcazzol> thinrichs: for now just nova
17:35:40 <skn_> thinrichs, rajdeep: is the wrapper for enforcement of the policies?
17:35:46 <sjcazzol> thinrichs: but we are waiting for new scenarios
17:35:49 <skn_> or both?
17:36:17 <rajdeep_> enforcement is the next step ..
17:36:19 <thinrichs> sjcazzol, rajdeep: Maybe you and rajdeep should connect offline to check that we have enough Nova support to handle what you need.  I don’t believe we have full Nova integration.
17:36:50 <sjcazzol> thinrichs: perfect
17:37:00 <rajdeep_> sjcazzol you can send me email at rajdeepd at vmware.com
17:37:15 <thinrichs> skn: I didn’t understand your question
17:37:15 <sjcazzol> rajdeep_: ok, I'll do
17:37:50 <skn_> thinrichs: the nova/neutron wrapper is meant to enforce the policy?
17:38:16 <iben> i would expect a policy wrapper to be like able to log or enforce
17:38:31 <iben> there should be a learning mode option
17:38:35 <iben> and an enforcement option
17:38:40 <thinrichs> The datasource wrapper just makes Nova/Neutron data look like it’s represented as tables.
17:38:51 <thinrichs> Eventually the datasource wrapper will also execute API calls on Nova/Neutron.
17:39:17 <thinrichs> But the policy engine is responsible for monitoring policy and choosing which API calls to execute (i.e. how to enforce policy).
17:39:29 <banix> sorry if this question is not relevant; ignore if that is the case: Is a policy like “all passwords in servers of this group need to be at least this long” something being considered?
17:39:35 <skn_> thinrichs: that’s what i wanted to know.  So, currently it’s only about modifying the data so that can be ingested by Congress data source
17:39:47 <thinrichs> skn: yes.
17:39:53 <skn_> Got it, thanks.
17:40:09 <thinrichs> banix: that’s possible to express/enforce IF there are datasources that allow Congress to do it.
17:40:29 <thinrichs> Say we have an ActiveDirectory integration that exposes the min-length for passwords.
17:40:46 <thinrichs> Then we could write policy in Congress saying what the min-length must be.
17:41:02 <banix> thinrichs: sure. makes sense.
17:41:44 <thinrichs> iben: what did you mean by “learning mode"
17:41:46 <thinrichs> ?
17:41:58 <skn_> thinrichs: So this wrapper will eventually be responsible for making API calls into Nova/Neutron?
17:42:00 <iben> never mind - you guys answered it
17:42:12 <thinrichs> Great.
17:42:13 <iben> the existing functions will need to be wrapped
17:42:27 <iben> this wrapped data goes into a policy engine
17:42:34 <iben> where rules can be run
17:42:43 <iben> these rules can do various things
17:42:59 <thinrichs> iben: sounds like we’re on the same page.
17:43:02 <iben> learning or analytics is one of the actions
17:43:09 <pballand> Congress needs to both get data from the components in a standard form (tables) _and_ can work with the components to enforce policy.  We are focused on the first part (which enables monitoring/logging) initially
17:43:14 <iben> but of course policy enforcement would be possible too
17:43:58 <skn_> iben: by learning you mean monitoring?
17:44:30 <thinrichs> We’re planning to look into pushing policy down to other policy-aware components (like Neutron’s GBP) so that enforcement is done more proactively.
17:44:32 <sjcazzol> pballand: do you plan to add policies enforcement for the beta?
17:45:18 <iben> i'm just thinking of a simple firewall use case - it's important not to disrupt existing traffic patterns so many vendors offer a learning mode or discover period where the sample initial rule sets get created
17:45:33 <iben> then you can decide to enable these auto generated rules (or policies)
17:46:02 <pballand> sjcazzol: I don’t know when we will tag ‘beta’, but I do envision some enforcement support coming shortly after monitoring is working
17:46:04 <skn_> iben: got it
17:46:04 <iben> the rules can be enabled in blocking (enforcing) mode or in logging only - watching
17:46:29 <thinrichs> iben: we’re definitely not aiming to auto-generate policy.
17:46:31 <sjcazzol> pballand: ok, thanks
17:46:38 <thinrichs> logging-only makes sense for sure.
17:46:40 <iben> this allows us to experiment and see the results of any policy changes without impacting production traffic.
17:46:51 <banix> iben: well i guess that could happen in parallel with what congress does
17:47:03 <banix> what thinrichs said
17:47:15 <thinrichs> But no auto-gen b/c unlike a firewall Congress doesn’t know much about the services it is monitoring.
17:47:20 <iben> coolio!  this is really great.
17:47:24 <pballand> iben: your example makes sense, but in some cases monitoring (logging) will be the final desired action (not a compromise)
17:48:00 <thinrichs> We’re sensitive to customers not trusting basically anything for a while, and trying to slowly earn their trust over time.
17:48:20 <thinrichs> Before we run out of time, let’s get to an update from kudva too.
17:48:25 <thinrichs> kudva: how are the builtins progressing?
17:48:26 <rajdeep_> you could write a driver for firewall - which could convert congress actions into firewall configuration
17:48:47 <kudva> I tried to push into gerrit.
17:49:07 <thinrichs> Did it work?
17:49:14 <thinrichs> I didn’t see a request for review for me.
17:49:24 <kudva> seems to have. I created a new branch. I have tested the builtin directory code itself. That is working fine
17:49:43 <kudva> Let me try again then. I pushed on saturday, and got an email saying jenkins test failed.
17:50:01 <thinrichs> Don’t worry about the Jenkins test for now.
17:50:11 <skn_> rajdeep_: agreed.  That’s the right way, because Congress should not try to understand the concepts like firewalling, or for that matter anything else
17:50:25 <kudva> The runtime.py with Tim's recommended changes was also pushed, but all my code was commented out. I need some feedback on that section
17:50:25 <thinrichs> Add at least me as a reviewer (Tim Hinrichs), and we can iterate.
17:51:16 <kudva> okay, will do that. The builtin directory that manages the objects for the builtin are testing. The hook to runtime.py is about 10-20 lines of code which I need some help with since
17:51:27 <kudva> I am not completely clear on the TopDownTheory data structure
17:51:37 <kudva> So, I will push again
17:51:47 <thinrichs> kudva: I’ll definitely help out.
17:51:50 <kudva> Wondering how I can have review on the runtime.py code
17:51:52 <kudva> irc?
17:51:55 <banix> kudva: do you have a link from your push?
17:52:33 <kudva> http://logs.openstack.org/40/95340/1/check/gate-congress-pep8/178c99b
17:52:47 <kudva> http://logs.openstack.org/40/95340/1/check/gate-congress-python27/7a3e74c
17:53:21 <banix> #link https://review.openstack.org/#/c/95340/
17:53:23 <kudva> the first link says failure, the second one says success
17:53:51 <thinrichs> kudva: there’s probably just some formatting that needs fixing.
17:53:56 <rajdeep_> you need to fix the pep warnings
17:54:01 <banix> kudva: no worries; mainly white space you need to clean up.
17:54:05 <rajdeep_> white spaces etc
17:54:20 <thinrichs> You can add me as a reviewer by typing in Tim Hinrichs next to the button “Add Reviewer”
17:54:24 <banix> kudva: https://review.openstack.org/#/c/95340/1/congress/builtin/congressbuiltin.py
17:55:12 <kudva> got it, will clean up and push again
17:55:17 <thinrichs> I’ll write comments, and you should get an email saying that I’ve posted those comments.
17:55:33 <thinrichs> I think that covers all our action items from last week.
17:55:40 <thinrichs> Let’s open it up for discussion.
17:55:43 <kudva> okay, great thanks
17:55:45 <thinrichs> #topic open discussion
17:56:41 <thinrichs> If no one has anything specific, maybe the newcomers can tell us why they’re interested in Congress.
17:57:01 <sjcazzol> thinrichs: ok
17:57:28 <banix> Let me say a few words: The Neutron group policy is getting to a point that we may have some code merged this cycle
17:57:28 <skn_> BTW, it would be nice if the newcomers can tell their names too
17:57:28 <sjcazzol> we are working on a POC to add SLA to openstack
17:57:46 <sjcazzol> Sergio Cazzolato
17:57:56 <banix> would be great to see how it can get used by other policy engines like Congress
17:57:56 <sjcazzol> I work at Intel
17:58:08 <skn_> sjcazzol: Awesome
17:58:30 <iben> I've heard a lot about the need for policy to enable standard security practices across a disparate infrastructure. <— Iben Rodriguez - cloud security architect - leveraging my background in vmware environments to bring openstack to the enterprise
17:58:34 <skn_> SLA for availability or performance?
17:58:47 <thinrichs> banix: That’s been on our agenda for a long while.
17:58:57 <sjcazzol> SLA for both
17:59:13 <sjcazzol> also we are considering other scenarios
17:59:25 <thinrichs> sjcazzol: SLAs sound interesting.  I’m looking forward to the details for your use cases.
17:59:26 <banix> thinrichs: yes looks like we may be getting closer to the goal :)
17:59:27 <skn_> Got to leave, running out of time.  Thanks folks
17:59:37 <thinrichs> skn: thanks!
17:59:46 <iben> bye everyone!
17:59:47 <sjcazzol> thanks folks
17:59:49 <thinrichs> iben: cool—glad to have you.
18:00:13 <thinrichs> And yes it seems we’re out of time.  Follow up to the ML if it can’t wait til next week!
18:00:19 <thinrichs> Thanks all!
18:00:19 <banix> bye everybody
18:00:22 <thinrichs> #endmeeting