18:00:49 #startmeeting keystone 18:00:50 Meeting started Tue Oct 30 18:00:49 2012 UTC. The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:51 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:52 The meeting name has been set to 'keystone' 18:01:38 Agenda for today at http://wiki.openstack.org/Meetings/KeystoneMeeting 18:01:47 ayoung? 18:01:50 dolphm? 18:02:13 #topic High priority bugs or immediate issues? 18:02:20 Anything new popping up? 18:02:45 There's been some ongoing conversation on PKI tokens with some of the the Horizon crew 18:02:58 (Running back to my desk) 18:03:10 dolphm: np - we'll give you a few 18:03:17 \)/ 18:03:36 that is me running in the room realizing I was late 18:03:46 tl;dr of horizon discussion - PKI as a default is causing havoc with current Horizon implementaiton in devstack - looking for potential solutions 18:03:52 heh 18:04:08 what problems? 18:04:10 heckj, simple fix is to A) key the PKI tokens by hash and B) store the hash in the cookie 18:04:16 but they don't want the simple fix 18:04:26 they want to push all state over to keystone so: 18:04:33 we still do ^^ 18:04:44 ayoung: I didn't read that actaully - I think they're fine with that concept, we just don't have a public API lookup by hash at this point 18:04:52 and then, if they don't want to run memcached, it will fall back to online checking 18:04:58 heckj, yes we do 18:05:05 it is the token validate call 18:05:17 it should respond to the HASH of to token 18:05:31 as that is the ID stored in the database 18:05:57 caveat 18:06:07 ayoung: wasn't clear to me - we ought to get that into email to gabriel so we can vet it out. If we have a lookup via hash, that should suffice for his immediate needs 18:06:08 I haven't tried it out. 18:06:21 also, I think that is only implemented for SQL 18:06:27 need to confirm 18:06:36 cool 18:06:47 ayoung: dolphm_: aware of any other hot topics hitting recently? 18:07:08 there's also a security bug oustanding related to validating SSL chains I think 18:07:15 heckj, well, I realized I dealt out all of the work last week, and made myself dependent on everyone else getting their stuff in 18:07:38 for example the above change would need to be duplicated with henrynash 's work on moving auth_token to client 18:07:49 (catching up) 18:08:01 heckj, yeah, SSL. I was just discussing with gyee. 18:08:25 We also need to clean up how we generate certificates for SSL in the dev case. 18:08:58 right now, the script he provided last week is good for CA and SSL certs. We need to extend it to generate signing certs for the PKI tokens, too 18:09:01 ayoung: sounds like you've got generally positive notes on all of that (pki setup) - no real responses from operators beyond self-signing that I've seen 18:09:41 also, we probably need it to use an existing CA cert if provided in order to just update a working deployment 18:10:07 heckj: user/project name uniqueness (global vs domain-scoped) 18:10:11 heckj, other than that...REMOTE_USER has some feedback that I wil be incorporating. 18:10:40 dolphm, I thought we had agreed: global to start, but scoped back to per domain. 18:10:59 ayoung -- what is the status of that REMOTE_USER review? is there something I need to follow up on? 18:11:05 boden, yea, feedback 18:11:08 ayoung: in general, we had - henrynash has been pushing for making that change more aggressively 18:11:11 +1 on global, for backward compatibility 18:11:12 ayoung: heckj wasn't aware of that conversation, i don't think 18:11:18 boden, https://review.openstack.org/#/c/14823/ 18:11:33 comment is in the wsgy.py file 18:11:40 I was going to address it 18:11:49 dolphm: it was primarily Gabriel writing to Ayoung directly - just happened to CC me in the path 18:11:50 ayoung -- ok that was the question... you or me :) 18:12:24 #topic Pluggable authN: Apache proxy vs pluggable python handlers -- which to support (or both) 18:12:31 boden, I'll post an updated change. The fix breaks the unit tests, so I need to tweak those first. Once I post, +1 if you like 18:12:35 I'll come back to the uniqueness and remote-user things in a sec 18:12:40 i don't see any gotchas if we make room for domain-scoped names in the spec, but stick with global-uniqueness in our implementation for now 18:12:49 boden, actually, why don't you make the fix, and that way I can approve. Heh 18:13:12 ayoung -- ok I can, although I didn't agree with the latest comments I saw from Paul 18:13:31 boden, that is fine. respond in the review then 18:13:53 ayoung -- I did directly respond to his comments 18:13:53 are we sure REMOTE_USER cannot be set by the client? 18:13:55 ah, see that you did 18:14:14 s/client/untrusted client/ 18:14:51 gyee: hold a sec on that thread 18:15:03 boden, yeah, I was more concerted with the comment in wsgi.py. The others indicate the need to refactor authenticate, but we do that after this patch 18:15:16 ayoung: dolphm: what's the current state of Pluggable authN: Apache proxy vs pluggable python handlers 18:15:23 Is that specific to the REMOTE_USER thing, or more generic? 18:15:32 ayoung: refactoring should generally happen before you make things worse, not "someday" 18:15:33 heckj, nothing has been done except REMOTE_USER 18:15:48 pluggable should follow a refactor of authenticate 18:16:03 ayoung -- ok can do... I have no problems with the wsgi comment 18:16:08 gyee, I know you had some work on authenticate you were going to do, but do you mind if I refactor authenticate first 18:16:38 ayoung, go ahead 18:16:51 gyee, actually, that would free you up to tackle the SSL client stuff, if you want it. 18:17:01 sounds good 18:17:39 heckj, Ok, so pluggable will follow on a refactor of authenticate, where we can just alyout what is supposed to happen in clean, readable Python first 18:18:07 then pluggable will be done by putting values into the authenticate chain based on values in the config file 18:18:30 ayoung: sounds like a good plan 18:18:53 gyee was going to tackle that, but it will likely take a little time to clean up authenticate first. 18:19:09 heckj, how come I can't assign bugs to gyee? 18:19:26 you can't? 18:20:01 heckj, nope 18:20:06 can you? 18:20:08 i don't mean to interrupt, but i think i have a high priority issue. please let me know when i can voice my concern. 18:20:09 ayoung: hmm - you're not a member of "keystone-bugs" group - ading you now 18:20:20 ayoung, you will use paste.deploy pipeline for the authn stuff right? 18:20:32 thought that was an explicit superset of keystone-core, guess not 18:20:57 ayoung: try now, you should be good to go 18:21:49 Okay - sounds like we're clear on pluggable AuthN, remote_user, and assorted plans - any further questions/issues there before I hit our last topic? 18:22:20 heckj: is devstack on the agenda? 18:22:40 mnewby: nope 18:22:48 mnewby, what about devstack? 18:23:08 by default keystone uses pki, which doesn't appear to be configured by default. 18:23:19 mnewby: feel free to add to agenda at http://wiki.openstack.org/Meetings/KeystoneMeeting prior to the meeting and it will be 18:23:28 mnewby, yes it is 18:23:45 mnewby, the change is in keystone/config.py 18:23:58 (referring to pki_setup?) 18:24:00 So long as no one modifies the default config file, they get pki tokens 18:24:21 ayoung: all i know is, i merged with upstream, ran devstack, and got a broken auth config. 18:24:53 ayoung: the concern is this breaks devstack for everyone by default. unless i'm doing something really wrong 18:25:41 ayoung: might be pebkac - just wanted to make sure it was brought to your attention. happy to work offline at resolving. 18:25:57 mnewby, there was a patch for running pki_setup as part of devstack. It is possible that it got removed due to poor patch management. 18:26:22 mnewby, 5119f6b8b75307e4f1fa764c0c56d3953a18e2ed 18:26:25 ayoung: if you could try running devstack as it exists in trunk and see if you can replicate the problem, i would appreciate it. 18:26:51 #topic feature-branch merging 18:27:15 dolphm: there's a few requests for small changes to one or two of the reviews, otherwise they're mostly all applied 18:27:41 mnewby, I tested a while ago, but willing to test again. 18:27:43 Once we have that in place, jeblair and mordred indicated this morning that we could do the feature-branch merge with ... 18:27:50 a merge commit 18:27:52 #link http://wiki.openstack.org/GerritJenkinsGithub#Merge_Commits 18:27:59 heckj: a single merge commit? 18:28:01 ayoung: yeah, it looks like i'm missing that, i'm guessing i pulled at just the wrong time. i'll let you know. 18:28:12 Apparently they gave me permissions (or maybe keystone-core folks) to set up and do a merge commit 18:28:31 dolphm: I believe so 18:28:34 mnewby, well, the change has since migrated into the devstack/lib/keystone file, but it is there for me 18:28:45 heckj: hmm alright -- there will be some conflicts to resolve 18:28:59 dolphm: yeah, expecting that 18:29:37 heckj: i'll work on fixing outstanding requests 18:29:45 dolphm: how's your week looking for this? Do you have time to do any final tweaks and then work with me on getting the relevant merge commits into place and ready to roll? 18:29:52 heckj: absolutely 18:30:15 dolphm: cool 18:30:46 heckj: it looks like the client's branch is totally merged -- is that correct? 18:30:55 my week is going to be a bit insane, but I'm planning on pushing on this to try and get it nailed down end of this week or early next week 18:31:16 dolphm: I think so at this point - I review/approved them all in this morning - haven't looked to see if any had failures 18:31:51 #topic open discussion 18:31:53 heckj: if they're all in, we can try a merge commit there 18:31:55 Free for all 18:32:25 ok, so how about the infamous "user/project" name uniqueness issue 18:32:28 dolphm: I'll start there, and see how it works. I've not used the merge commit thing before, so this is all experiment. Will be pestering james and monty if things go awry 18:33:12 henrynash, so I wanted them unique from the get go. But starting off with globally unique as a more restrictive rule to start simplifies things 18:33:51 but agree that uniqe per domain is the right solution 18:33:52 henrynash: I want the simpler for where we are - we're making a lot of delta, and keeping things as simple as possible to start is a high priority for me 18:34:18 i don't want a pesky api constraint to hinder a decent domain-scoped implementation if we come up with one, but we do need to be clear that we're more restrictive than the api for immediate compatibility 18:34:21 we need to consider backward compatibility too 18:34:29 henrynash: I also *really* want feedback from Ryan Lane and/or Tim Bell related to the end user experience impact. For the browser based setup, it can really be hidden - but from a CLI point of view, it can't. 18:34:32 we need a way to pass the domain from the webUI 18:35:09 ayoung: CLI is a first class citizen here - it can't be ignored in this solution either 18:35:19 gyee: so backward compatibility with v2 is OK if you only use a single domain in v3 18:35:23 So lets start there. 2 options: keystone domain maps to hostname of the webserver or webserver has some way to multiplex domains. People are going to want both. Maybe at the same time. 18:35:43 heckj, CLI is trivial. We add another, optional, parameter 18:35:46 domains aren't hostnames 18:36:00 dolphm, didn't say they were 18:36:04 example: 18:36:11 ayoung: the change is trivial, but we're aksing for more information as a default basis to operate on the cloud - that's NOT trivial 18:36:14 say redhat gets hosting at keystone 18:36:23 er, rackspace 18:36:28 they hostname then would be 18:36:37 http://redhat.rackspace.com 18:36:38 ayoung: anytime anyone uses "hostname" or "email address" in the same sentence as "keystone domains" i'm going to jump on them 18:36:45 and that would map to the redhat domain 18:37:02 dolphm, yes, but I happen to know what I am talking about 18:37:06 what I want is to get some explicit feedback from the operator community or end-user basis with the gist of "yeah, I get it - let's do this!", then I'll be happy shepherding that change forward 18:37:06 dolphm, me too, and carry a pile of stones :) 18:37:18 ayoung: lurkers may not (/waves to posterity) 18:37:25 understood. 18:37:48 but what I was saying is that the webUI can be customized such that when a user logs in, they are already constrained to a domain 18:38:12 uh, using email as username? 18:38:17 heckj: that's fair….and actually this is my big concern that with domain-uniquness, a class of enterprise can't but hosted in an OS backed public cloud 18:38:42 henrynash: yeah - understood. 18:39:12 maybe we can reach out explicitly to Ryan and Tim (since there's a kind of lack of "user" committee to bounce this kind of thing off of so far) 18:39:21 gyee: so username is one item, but so is project name….having that be unique would be hard to explain to an enterprise 18:39:52 for the context of https://review.openstack.org/#/c/13400/ i'm going to back off on domain-scoped uniqueness, and revert to global-uniqueness (i.e. no change) ... it's a hot enough topic to deserve it's own review in gerrit 18:40:04 henrynash, project name can user the same technique right? 18:40:09 project@domain? 18:40:12 i'll also need to propose a revert for tenant name uniqueness 18:40:23 dolphm: +1 18:40:40 "what do you mean I can't create a project called "Test" 'cause some some other customer of my cloud provider already had one called that?" 18:40:44 gyee: that shorthand has somewhat already sailed in that we never set a convention 18:40:49 (i can hear the support call now) 18:41:14 well, are we going to change the public APIs? 18:41:41 right now, none of the other OS services are domain-aware 18:42:08 gyee: I think it's incumbent on us to encourage them all to become domain aware to allow us to change this. 18:42:21 dolphm: It just seems to me that the time to get this right is the point we introduce domains…i.e. now! 18:42:31 meaning we likely need to reach into the other projects, submit change requests, doc updates, etc. to support 18:43:12 heckj: agreed, my oft quote example is images….and wanting those domain wider as well as project wide 18:43:15 henrynash: we are, we're being as restrictive as we can to give ourselves room to get it right :) 18:43:19 * gyee sees a frankenstorm coming :) 18:43:43 revised https://review.openstack.org/#/c/13400/ to be globally-scoped user names 18:44:33 Okay - so getting there. 18:44:44 so, we've decided neither username and project name need to be globally unique? 18:45:07 gyee: right now, we're asserting they need to be globally unique 18:45:13 heckj: +1 18:45:20 (for the moment) 18:45:28 gyee: the question is how can we step forward to get us to the place (hopefully quickly) where they don't need to be for compatibility 18:45:44 so its still up in the air then 18:46:21 I think we really need to measure the impact of such change 18:46:28 gyee: what's up in the air? It's globally unique now - (I think) we'd all like to get to a place where it doesn't need to be. Do you disagree there? 18:46:45 gyee: not opposed - how would you propose to do so? 18:46:57 in a perfect world yes 18:47:19 all I am saying is we need to be careful, given the impact of such change 18:47:37 gyee: continuing with global uniqueness is the careful approach, no? 18:47:40 gyee: sorry, does that mean you do or don't want to get to an endgame of not requireing global uniqueness? 18:47:44 I think the current model is good enough to satisfy the use case 18:47:55 gyee: and we're sticking with it 18:48:01 good 18:48:04 so we should first decide if in order to make this change we need a) more evidence that it is needed, or b) a comprehensive bp that describes who we would do this and describes all the impacts 18:48:07 +2 for global uniqueness 18:48:19 -1 for global uniquness 18:48:36 gyee: Okay - so starting with global uniqueness, do you want to be able to transition to a place where it's NOT required? 18:48:38 henrynash, that's still a +1 sum :) 18:48:46 s 18:48:57 revert project names to be globally unique: https://review.openstack.org/#/c/15051/ 18:49:07 heckj, as long as we have a smooth transition 18:49:07 +1 party ^ don't be left out 18:50:07 dolphm +1 18:51:14 so would it help to build a full bp of the impact of the change to domian-uniquness? 18:51:35 henrynash: absolutely 18:51:43 henrynash, +1 18:51:43 henrynash: I don't want to set up makework, but I think that would be valuable 18:52:08 I think the key question behind this all is how to "migrate to" a world where it's not globally unique and do so smoothly 18:52:28 i feel very strongly that we need this for OS to be successful, so am OK with putting the time in 18:52:47 henrynash: combine that with some explicit feedback from Tim and Ryan (any anyone else who wants to step up from the user community) and we should have the makings of a reasonable plan 18:53:15 ok, sounds good 18:53:57 gyee, since you are going to be tackling some other client issues, can I fob keyring support off on you? https://bugs.launchpad.net/keystone/+bug/1040361 18:53:58 Launchpad bug 1040361 in keystone "Use Keyring to store Tokens" [Medium,Triaged] 18:54:16 ayoung, now you are pushing it 18:54:45 gyee, It looks like support for it is in some of the clients already, just not the keystone client 18:55:04 sure 18:55:05 I have been suggesting it for a while, as it limits the amount of calls that go to keystone 18:55:46 would be nice - 18:55:51 I think nova has some of that support too 18:55:54 on the subject of https://bugs.launchpad.net/keystone/+bug/1039567 (which we assigned to me)…I'm still up for this, but slight delay in IBM getting my fu*%&! CLA signed, should happen this week or early next... 18:55:55 Launchpad bug 1039567 in keystone "auth_token middleware should be stand alone" [High,Triaged] 18:56:00 (i.e. you can steal idaes/code setup from that client I think) 18:56:12 heckj, yeah 18:56:16 …..I know others are dependant on the, so wanted to make sure this is still OK 18:56:24 ayoung: ^^? 18:56:54 with merging in the feature branches, I think we can work with the delay, but checking on you since some bugs are on your plate and impacted by this 18:57:08 henrynash, I understand your pain, I've been there :) 18:57:14 heckj, yeah, I'm ok with it. The only issue is that we might need to make a fix to the keystone auth_token for Horizon. That will need to get synced up, too. I'll ping henrynash on it 18:57:23 ok 18:57:52 sounds good 18:57:54 henrynash, should be a clear change to port. Just keying memcached off the hash as opposed to the whole token. 18:58:01 Means I need hash in the client as well, 18:58:07 I->we 18:58:22 more the merrier 18:58:24 * heckj nods 18:58:36 (not really) 18:59:10 Okay - going to wrap this up for now 18:59:16 #endmeeting