18:01:10 <dolphm> #startmeeting keystone
18:01:11 <openstack> Meeting started Tue Jul 23 18:01:10 2013 UTC.  The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:14 <openstack> The meeting name has been set to 'keystone'
18:01:34 <dolphm> #topic Havana Milestone 3
18:01:38 <dolphm> congrats on m2 everyone :)
18:01:44 <ayoung> w00t
18:01:59 <jamielennox> yay
18:02:13 <dolphm> i think that was one of the smoothest milestone releases in terms of bugs, etc, since like folsom
18:02:30 <gyee> time for a vacation
18:02:35 <dolphm> exactly!
18:02:41 <dolphm> i'll be out beginning of next week lol
18:02:45 <dolphm> m-w
18:02:50 <ayoung> dolphm, that is cuz no other project was treating it as feature freeze and  battling us for the commit queue
18:03:01 <dolphm> and our new deadline is milestone-3 - september 4th
18:03:15 <stevemar> thought it was aug21?
18:03:18 <dolphm> at that point, feature freeze for havana kicks in and then it's bug fixing until summit
18:03:33 <dolphm> err
18:03:35 <dolphm> #link https://wiki.openstack.org/wiki/Havana_Release_Schedule
18:03:43 <dolphm> nothing is aug 21
18:03:58 <ayoung> Well, actually it is my folks anniversary
18:04:14 <henrynash> ayoung: congrats!
18:04:14 <dolphm> nothing steve cares about is aug 21
18:04:16 * ayoung ducks
18:04:19 <bknudson> that must be what stevemar was thinking of.
18:04:27 <stevemar> i might care about ayoung folks?!
18:04:32 <dolphm> i mean, i'll be there if there's food
18:04:40 <gyee> me 2
18:04:51 <stevemar> nvm, i was looking at the dev list, it was nova related
18:04:55 <stevemar> whoops
18:05:05 <bknudson> nova's got their own problems.
18:05:32 <dolphm> cool
18:05:34 <dolphm> #topic High priority bugs or immediate issues?
18:06:15 <henrynash> one thing - could someone send me some guidance on doing a stable/grizzly patch?
18:06:23 <dolphm> henrynash: sure, ping me after
18:06:24 <bknudson> git cherry-pick
18:06:42 <ayoung> bknudson, only if he's lucky
18:06:46 <henrynash> dolphm, bknudson: thx
18:06:51 <dolphm> i'm assuming there's no major public issues, bugs have been quiet
18:07:03 <ayoung> none that I am aware of
18:07:12 <bknudson> no security reports lately!
18:07:19 <dolphm> okay, so from the off-list mail thread...
18:07:21 <dolphm> #topic Identity API v3.1
18:07:30 <dolphm> is now final, as of havana-m2
18:07:52 <dolphm> which means any changes proposed against the core api should be marked v3.2, and implemented in icehouse
18:07:56 <bknudson> the docs just need to match the code
18:07:56 <dolphm> or, merged in icehouse
18:08:19 <ayoung> dolphm, I assume that means that the focus is going to change to extensions until then
18:08:29 <bknudson> what about 4.0?
18:08:34 <dolphm> ayoung: ideally, the focus should be on stability
18:08:35 <henrynash> bknudson: yep, we're getting there: https://review.openstack.org/#/c/37000/ (but not done yet)
18:08:52 <gyee> dolphm, and performance?
18:09:08 <dolphm> bknudson: if we have a reason to introduce major backwards incompatibilities to the api we'll have to bump to v4.0
18:09:19 <ayoung> dolphm, I meant that new features should get implemented as extensions, and they can become core later
18:09:30 <dolphm> bknudson: but other than fixing bad status codes and stuff, i don't see a viable reason to do a major version bump
18:09:43 <topol> yay stability
18:09:43 <ayoung> I think termie has already claimed 5.0 for himself
18:10:13 <dolphm> and then straight from the agenda- "API-impacting changes must be disabled by default (as optional middleware) or be limited to backwards-compatible bug fixes"
18:10:31 <ayoung> so, that should probably include SQL migrations
18:10:36 <dolphm> i know henrynash said he had some points he wanted clarified .. henrynash?
18:10:38 <bknudson> do 3.1 extensions turn into core 3.2?
18:10:46 <dolphm> bknudson: not necessarily
18:11:18 <dolphm> bknudson: if we see 100% of deployments enabling an extension and fussing over why it's not core, then it should become core
18:11:23 <henrynash> dolphm: it was the phrase "no new methods for core APIs"…or something like that in ayoung's proposed email
18:11:24 <ayoung> bknudson, I'd say it is more likely that nothing big can become core from here on out without being an extension first
18:11:54 <jamielennox> having more things as extensions permanently makes sense  to me
18:11:59 <topol> ayoung, why?
18:12:08 <henrynash> dolphm; are we saying we can't change the code inside a core API even if there is no API change?
18:12:19 <ayoung> henrynash, I was distinguishing between changing the params or input data for a URL/method  and adding a whole new URL  or method to an existing URL
18:12:21 <dolphm> the fundamental separation between core and extensions is intended to separate portable, required and expected functionality and optional, deployment-specific features
18:12:37 <dolphm> so, not everyone has a use case for domains, so domains could/should have been an extension
18:13:02 <gyee> dolphm, I did implement domains as extension once :)
18:13:08 <dolphm> ayoung: both of those can be accomplished via extensions
18:13:09 <gyee> in contrib
18:13:10 <jamielennox> quick question, now that the api is at v3.1, is that supposed to be reflected in GET / ?
18:13:22 <topol> intriguing, so dolphm you feel the common subset of what everyone needs has been reached???
18:13:24 <dolphm> gyee: yeah, i am glad it's a core concept though
18:13:26 <ayoung> dolphm, exactly.  That was what I was trying to convey in my email
18:13:43 <dolphm> topol: i can't imagine that's the case lol
18:13:59 <ayoung> topol, more like the intersection, which is effectively the empty set
18:14:02 <topol> dolphm, thats how I interpreted your statement
18:14:23 <dolphm> topol: there are like 3 resources in the v2.0 core spec, only because that's all we could agree on as 'required, expected functionality'
18:14:41 <dolphm> create token, list tenants, validate token
18:14:47 <gyee> :)
18:14:55 <ayoung> so, for extensions, we need to have separate migrations,  which is the driving force behind this diff:  https://review.openstack.org/#/c/36731/
18:15:11 <ayoung> and that one needs alembic, which I have a WIP for
18:15:20 <ayoung> https://review.openstack.org/#/c/38295/
18:15:36 <topol> so for example storing credentials. If you decide to do more in that space it would not be core additions?
18:15:39 <dolphm> jamielennox: yes... someone ran into a bug when they tried to change that though... i'll look around
18:15:43 <henrynash> ayoung: so I'll be pedantic…in my policy/protection bp, I am technically changing the parameters to a core function (it's just not visible or exposed via a url) - see identity/controller.py in https://review.openstack.org/#/c/38308/
18:16:14 <henrynash> ayoung: this is kind of what I was concerned about
18:16:25 <ayoung> henrynash, _check_protection?
18:16:35 <dolphm> henrynash: what's a core function?
18:16:56 <ayoung> dolphm, I think he means he is changing the policy enforcement for core functions
18:17:11 <dolphm> i'm still not sure what a core function is
18:17:13 <topol> do we have a picture that shows what is declared core and what are extensions?
18:17:21 <ayoung> so ones that would have succeeded in the past would now fail a policy check, or vice versa
18:17:36 <dolphm> topol: you mean like a diagram with pie charts and puppies?
18:17:37 <topol> when I see the 3.1 API I think all of that is core
18:17:44 <henrynash> ayoung, dolphm: and pass an extra parameter into, say, get_user() - see line 611
18:17:48 <ayoung> dolphm a core function is a function of a controller that maps to a public URL
18:18:05 <topol> dolphm, core list on the left, extensions on the right :-)
18:18:08 <dolphm> topol: this defines core https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md
18:18:11 <gyee> henrynash, you changing the query string filters?
18:18:14 <dolphm> topol: the entire doc
18:18:17 <ayoung> henrynash, I don't think that is going to fly
18:18:17 <henrynash> gyee: no
18:18:19 <topol> dolphm, perfect
18:18:33 <gyee> so what API change are we talking about?
18:18:37 <henrynash> ayoung: why?
18:18:49 <ayoung> henrynash, is that going to change the public interface?
18:18:54 <topol> dolphm, and we wont ever add to that doc again??? Im guessing of course we will
18:18:58 <henrynash> ayoung: no
18:19:18 <ayoung> Oh, ok,  then the general approach is OK,
18:19:23 <dolphm> topol: we are -- we continued to add to it and maintain it after v3.0 -> v3.1
18:19:36 <dolphm> topol: we can do the same for v3.1 -> v3.2 so we don't have to maintain multiple docs
18:19:39 <topol> so ergo  core will keep expanding
18:19:47 <henrynash> ayoung: ok, I think so too.
18:19:56 <dolphm> topol: yes, but a client may only implement v3.1, and v3.2 has to be compatible with such clients, etc
18:20:07 <topol> dolphm, agreed
18:20:18 <dolphm> and vice versa, a client may understand v3.2, but the server only speaks v3.1, and that needs to work too
18:20:20 <topol> +100 on backward compatibility
18:20:23 <ayoung> henrynash, You are just trying to get the attributes down to where the decision needs to be made.  In general, that is OK.  Let's discuss the mechanism after the meeting
18:20:37 <henrynash> ayoung: correct, and agreed
18:21:05 <gyee> ayoung, henrynash, that would not be a core API change then
18:21:33 <bknudson> dolphm: do clients need to know if they're talking to v3.2 or v3.1?
18:21:36 <dolphm> henrynash: your change doesn't look like it affects the http api at all
18:21:36 <ayoung> as I was saying before, core devs, when reviewing extension changes, do not let in any more changes to the sql migrations from new extensions.
18:21:40 <dolphm> bknudson: yes
18:21:50 <dolphm> bknudson: well, they should
18:21:51 <ayoung> fixing old migrations is OK
18:21:52 <bknudson> dolphm: how do they know?
18:21:56 <dolphm> bknudson: GET /
18:22:01 <jamielennox> bknudson, i would say yes if they want to use a 3.2 feature
18:22:02 <dolphm> bknudson: or GET /v3/
18:22:05 <henrynash> ayoung, gyee: which is why I was trying to get clarification of exactly what the API was defined as (e.g. the one mapped to a url or the line of parameters in the controller function)
18:22:06 <ayoung> or extensions that already have migrations in the common
18:22:15 <ayoung> henrynash, the web API
18:22:21 <ayoung> URL/Method
18:22:25 <dolphm> henrynash: HTTP API
18:22:34 <ayoung> GET /v3/users
18:22:38 <henrynash> ayoung: Ok, fine.  total agreement :-)
18:22:45 <dolphm> henrynash: the internal implementation-specific api's are completely up to us
18:22:52 <ayoung> so if a current API doesn't have, say, HEAD right now, adding that is a new method
18:23:00 <dolphm> ayoung: +1
18:23:04 <topol> ayoung, whats the issue with new sql migrations?
18:23:09 <ayoung> topol, a couple things
18:23:20 <topol> cant those be done and stay backwards compatible?
18:23:24 <gyee> ayoung, not sure if I agree to no new migration for extensions
18:23:30 <ayoung> think along these lines:  we want to be able to take an extension and deploy it in its own server.
18:23:49 <gyee> most extensions require schema changes
18:23:55 <ayoung> gyee, exactly
18:23:56 <topol> gyee +1
18:23:57 <dolphm> gyee: should be schema additions
18:24:05 <dolphm> or, a new schema
18:24:06 <ayoung> gyee, and those should be in an extension specific repo
18:24:09 <ayoung> not in the common
18:24:21 <ayoung> that is the point of the first review I posted
18:24:26 <topol> so ayoung you are hiding the trash under the rug?
18:24:28 <bknudson> ayoung: does migration know what schema is being migrated?
18:24:29 <ayoung> No
18:24:38 <bknudson> is the extension passed in to keystone-migrate?
18:24:43 <ayoung> bknudson, yes
18:24:57 <ayoung> bknudson, the issue is that migrations do it differently than alembic
18:25:00 <ayoung> and I don'
18:25:08 <ayoung> t know alembic well enough yet
18:25:20 <ayoung> but for the current migration scheme, it goes into a separate row in the migrations table
18:25:25 <bknudson> ayoung: should extensions use alembic?
18:25:33 <dolphm> bknudson: i'd like them to
18:25:59 <gyee> dolphm, ayoung, I think that's a fair statement, schema addition is allowed
18:26:03 <ayoung> #link http://paste.openstack.org/show/41431/
18:26:06 <bknudson> ayoung: it would be good to have an example.
18:26:19 <gyee> as long as extension can superimpose the new schema on the existing one, we should be fine
18:26:19 <dolphm> bknudson: the community is generally leaning towards alembic, and i'm certainly on board myself... if we're going to make a transition from sqlalchemy-migrate to alembic, i'd rather do it on one migration repository than 10 (9 of which we don't have yet today)
18:26:37 <ayoung> bknudson, so I made it work for simo's kds code, but it was using the current migration scheme, not alembic
18:26:44 <ayoung> still learning alembic.
18:27:30 <topol> K, so the benefits of Alembic and the new migration scheme are???
18:27:40 <ayoung> gyee, so in the migrations table right now I have
18:27:56 <lbragstad> #link https://alembic.readthedocs.org/en/latest/ FYI on Alembic
18:28:03 <ayoung> keystone      | /opt/stack/keystone/keystone/common/sql/migrate_repo |      29
18:28:17 <ayoung> and to do an extension for kds it would be
18:28:31 <ayoung> kds      | /opt/stack/keystone/keystone/contrib/kds/sql/migrate_repo |      1
18:28:44 <topol> Im assuming it solves an issue we have...
18:28:51 <ayoung> alembic's system is more like git, in that it uses hashes, parents, etc
18:29:04 <ayoung> but I don't know if alembic will support multiple repos or not
18:29:04 <bknudson> topol: sqlalchemy-migrate is unsupported.
18:29:15 <topol> will the number of migration operations decrease???
18:29:29 <ayoung> topol, also, it does all of the migrations in a single commit
18:29:32 <henrynash> ayong: is an extension migration only run when it is enabled?
18:29:33 <topol> bknudson, THANKS for the explanation
18:29:45 <topol> unsupported -- bad
18:29:45 <henrynash> ayoung: is an extension migration only run when it is enabled?
18:29:48 <gyee> ayoung, in which order the migration happens, core first, then contrib?
18:29:50 <ayoung> henrynash, good question
18:29:57 <ayoung> gyee, should be irrelevant
18:30:00 <topol> single commit -- good. Im on board
18:30:26 <bknudson> ayoung: I thought you said you had to pass the extension to keystone db_sync
18:30:27 <ayoung> gyee, an extension should not know about core tables and vice versa.  They should only communicate via code
18:30:38 <dolphm> bknudson: topol: technically it's been unsupported, but it's now being run by our community
18:30:38 <gyee> ayoung, what if contrib have dependency on core schema?
18:30:38 <gyee> like foreign key or something
18:30:44 <ayoung> bknudson, that was dolphm 's suggestion, but we hadn't discussed it yet
18:31:03 <bknudson> ayoung: because otherwise how does db_sync know what extensions are enabled?
18:31:08 <dolphm> bknudson: the only catch with that is that db_sync already has an optional positional argument
18:31:08 <bknudson> parse the pipeline?
18:31:10 <gyee> ayoung, amen brother!
18:31:12 <dolphm> (migration number)
18:31:51 <ayoung> dolphm, we could do a separate CLI param for extensions if needs be
18:31:55 <ayoung> db_sync_ext
18:31:57 <bknudson> use --extension
18:32:03 <ayoung> or something less horrible
18:32:05 <bknudson> or --extensions
18:32:09 <ayoung> bknudson, =1
18:32:10 <ayoung> +1
18:32:19 <dolphm> there's a lot of tooling today that's already calling db_sync and expecting everything to be done
18:32:43 <gyee> ayoung, I think performance may such a little, but its a price worth paying in exchange for sanity :)
18:32:44 <ayoung> dolphm, so I would not mind it being done based on active extensions
18:32:47 <bknudson> maybe there's some paste.ini magic.
18:32:54 <jamielennox> why would we do a separate call? if it's in db_sync there is no problem running db_sync if the rest of the db is up to date
18:33:06 <dolphm> ayoung: keystone-manage has no idea what the deployment pipeline will look like
18:33:20 <ayoung> jamielennox, lets assume we want to deploy just kds.  We should only get the KDS schema on that system
18:33:54 <dolphm> bknudson: you can have more than one paste file
18:33:55 <jamielennox> ayoung, i'd suggest the cost of a number of empty tables that aren't accessed is pretty low
18:33:56 <ayoung> dolphm, would it be that wrong for manage to use the paste config?
18:34:22 <jamielennox> not optimal, but easier for configurers
18:34:32 <dolphm> ayoung: if you can answer "which paste config" then perhaps not
18:34:48 <ayoung> dolphm, there is a function in keystone/config which sorts that out IIRC
18:35:08 <ayoung> https://github.com/openstack/keystone/blob/master/keystone/config.py#L39
18:35:16 <dolphm> ayoung: you have no guarantee that's the only pipeline that the backend is supporting
18:35:38 <ayoung> dolphm, how about adding the pipeline to db_sync?
18:35:45 <dolphm> what does that mean
18:35:47 <ayoung> extensions could have their own pipeline
18:35:55 * dolphm facepalm
18:35:58 <ayoung> heh
18:36:05 * ayoung 's work here is done
18:36:12 <dolphm> #topic Havana milestone 3 blueprints
18:36:15 <dolphm> #link https://launchpad.net/keystone/+milestone/havana-3
18:36:29 <ayoung> #action ayoung to sort out the db_sync strategy for extensions
18:36:30 <dolphm> between now and next week, we need to revise this list
18:36:49 <dolphm> so if there are blueprints you plan on working during m3 which are not on this list, speak up!
18:36:52 <dolphm> register them
18:36:55 <dolphm> whatever
18:37:05 <henrynash> dolphm: there was the pagination one…let me find it
18:37:13 <bknudson> how do we request a blueprint goes into h3?
18:37:17 <dolphm> there's also a few blueprints on here we might want to untarget from m3 (like bp notifications)
18:37:22 <ayoung> dolphm, should I add the SQL migration thing as a blueprint?  I was doing it as a prereq, but it seems to have grown in scope
18:37:22 <gyee> dolphm, I think fabio is working on the endpoint filtering bp
18:37:22 <lbragstad> https://blueprints.launchpad.net/keystone/+spec/notifications
18:37:41 <henrynash> #link https://blueprints.launchpad.net/keystone/+spec/pagination-backend-support
18:37:42 <lbragstad> yeah, wondering how we are going to go about then since it is blocked by rpc-api-review work in oslo
18:37:42 <gyee> fabio, please confirm
18:37:52 <dolphm> bknudson: poke me about it, if nothing else, i'm not sure what permissions people have on launchpad, but i can definitely help
18:38:16 <bknudson> dolphm: ok. I've been requested to implement some kind of translation blueprint.
18:38:17 <ayoung> dolphm, guessing that heckj is not going to have time to work on  https://blueprints.launchpad.net/keystone/+spec/keystone-performance-benchmark
18:38:17 <dolphm> lbragstad: it's been on my wishlist all of havana, but i think we need to retarget to 'next'
18:38:33 <fabio> yes I am working on the ep-filter
18:38:41 <dolphm> ayoung: agree, although we've had some activity around benchmarking recently... we might be able to rubberstamp it as completed out of band
18:38:51 <ayoung> dolphm, cool
18:38:52 <gyee> dolphm, can you please add the endpoint filtering to the m3 list?
18:39:22 * topol who keeps filtering endpoint filtering out of the m3 list??? :-)
18:39:46 <ayoung> dolphm, so all of the extension blueprints should depend on https://blueprints.launchpad.net/keystone/+spec/multiple-sql-migrate-repos
18:39:51 <lbragstad> dolphm: should we think about an implementation using the existing rpc stuff in oslo?
18:39:54 <gyee> topol, we are not getting into my filter is bigger than your filter war are we?
18:40:09 <ayoung> that is KDS, endpoint filtering, OAuth,
18:40:09 <ayoung> Domain Quotas
18:40:14 <topol> lol. no I always lose those
18:40:29 <dolphm> lbragstad: i'm pretty sure someone did, and that got blocked too?
18:40:46 <gyee> who's working on domain quota?
18:40:47 <bknudson> I thought the problem with notifications is we don't want to require eventlet?
18:41:05 <ayoung> Tiago Everton Ferraz Martins gyee
18:41:11 <ayoung> https://blueprints.launchpad.net/keystone/+spec/domain-quota-management-and-enforcement
18:41:12 <dolphm> there's two quota bp's in progress
18:41:16 <dolphm> they'll have to resolve their differences
18:41:22 <lbragstad> dolphm: I think it is blocked because there are dependencies on eventlet in the rpc module of oslo. That's another thing I am working on in oslo for unified logging
18:41:25 <gyee> one's from HP I think
18:41:39 <dolphm> lbragstad: ++
18:42:32 <dolphm> this is the other one https://review.openstack.org/#/c/37545/
18:42:37 <dolphm> quota storage
18:42:39 <lbragstad> So I'm wondering if we should implement notifications on the current rpc stuff at least until the rpc api review has landed. Not sure when that is going to go in...
18:43:20 <bknudson> lbragstad: what's the current rpc stuff? is that different than oslo rpc?
18:43:21 <topol> lbragstad, what is "the current rpc stuff"??
18:43:35 <topol> jinx
18:43:43 <dolphm> lbragstad: considering we're late to the notifications party already, i would think it'd be best to wait, but if you want to pursue it...
18:43:50 <lbragstad> topol: bknudson sorry, right the current implementation of the rpc module in Oslo-incubator
18:43:52 <lbragstad> getting link
18:44:08 <lbragstad> #link https://github.com/openstack/oslo-incubator/tree/master/openstack/common/rpc
18:44:16 <ayoung> dolphm, can we set aside a few minutes to talk client issues
18:44:22 <lbragstad> #link https://github.com/openstack/oslo-incubator/tree/master/openstack/common/notifier
18:44:22 <ayoung> at the end
18:44:38 <dolphm> ayoung: sure
18:45:38 <ayoung> my issue with the notifications stuff was that it was inherently eventlet specific.  I'm OK with us taking on some event deps so long as Keystone in Apache will continue to work in a non greenthread manner
18:46:07 <ayoung> entend dpes = "new eventlet dependencies"
18:46:11 <ayoung> ugh
18:46:19 <ayoung> event deps = "new eventlet dependencies"
18:46:28 <bknudson> ayoung: how do we show that?
18:46:30 <bknudson> try it?
18:46:38 <ayoung> bknudson, yes
18:46:58 <ayoung> bknudson, there is an open review for devstack support for Keystone running in HTTPD
18:47:05 <ayoung> that should take away some of the pain
18:47:14 <bknudson> lbragstad: so I think we know what we need to do? try it.
18:47:25 <dolphm> ayoung: have you ever thought about standing up apache as a reverse proxy to keystone?
18:47:28 <lbragstad> bknudson: ok
18:47:42 <lbragstad> that will require us to sync oslo to keystone
18:47:55 <bknudson> lbragstad: try it in a sandbox
18:48:05 <bknudson> (on your own system)
18:48:13 <lbragstad> bknudson: yep
18:48:28 <ayoung> dolphm, "reverse" proxy  meaning do SSL termination and stuff in httpd, and run keystone in eventlet?
18:48:37 <jamielennox> dolphm, it has been done, there are some weird hacks around REMOTE_USER but it works
18:48:38 <dolphm> ayoung: yes to the first part
18:48:50 <dolphm> ayoung: and run keystone somewhere-else-it-doesnt-matter
18:49:17 <topol> why is that better than running keystone in HTTPD?
18:49:20 <bknudson> dolphm: what's the concern? run keystone-all by itself and have apache forward requests to it?
18:49:32 <dolphm> bknudson: i didn't say keystone-all, but sure
18:49:34 <jamielennox> but it is better to just have it managed in the one place
18:49:41 <dolphm> i poked at running keystone in gunicorn yesterday
18:49:43 <bknudson> I thought the problem was keystone-all is problematic.
18:49:54 <dolphm> bknudson: i wasn't using keystone-all
18:50:03 <topol> don't you still have the security holes when running in reverse proxy mode?
18:50:17 <jamielennox> topol, holes?
18:50:20 <bknudson> topol: do you know about some security holes?
18:50:25 <dolphm> topol: donuts?
18:50:58 <topol> so if keystone runs in apache we get all the benefits that Apache provides (SSl, etc)
18:50:59 <dolphm> #topic open discussion
18:51:00 <gyee> haha
18:51:16 <topol> don't some of those go away in the other config?
18:51:17 <dolphm> topol: behind* apache is all that matters, i think
18:51:17 <henrynash> i wanted to raise the support of vw in non-keystone clients
18:51:32 <bknudson> v3?
18:51:36 <ayoung> vw?
18:51:48 <dolphm> topol: whether it's actually running via mod_wsgi, keystone-all, nginx+gunicorn, etc doesn't matter
18:51:49 <ayoung> Volkswagen?
18:51:50 <henrynash> bknudson: yes, v3 support in things like novaclient
18:51:51 <lbragstad> so if the sandbox notifications work should we remove the bp that is a prereq for notification?
18:52:00 <topol> dolphm, need to verify that with the paranoid security folks
18:52:52 <gyee> you guys aware of the KC changes to support pluggable auth?
18:53:10 <henrynash> dolphm: do we know the plan for getting v3 support in novaclient etc.?
18:53:12 <gyee> like passing an auth object to the client
18:53:13 <dolphm> gyee: i haven't seen a review yet
18:53:50 <ayoung> dolphm, I've thought about it.  The short of it is that I think eventlet is a mismatch for Keystone, and working around it has proven problematic.    I want to be able to remove eventlet from the equation.  I think the Apache benefits are, as you point out, mostly in doing better HTTP handling like SSL and Authentication.
18:53:57 <dolphm> henrynash: i'm not sure there's a hard plan anywhere :-/ getting v3 auth into keystone was a major step
18:54:01 <jamielennox> yea, i like the strategy - my concern is we made him bring the auth plugins into keystone (where they belong), but how do we get the other clients to update keystone to the point where they can use those plugins?
18:54:20 <dolphm> henrynash: i think the next step is having keystoneclient own the options it wants other client to specify
18:54:24 <jamielennox> we will need to do a global kc version bump to something not released yet
18:54:34 <dolphm> --os-user-domain-id, etc
18:54:44 <ayoung> so what are the steps
18:54:45 <gyee> dolphm, https://review.openstack.org/#/c/36427
18:54:53 <ayoung> 1.  Make keystone client CLI work with the auth review
18:54:59 <bknudson> gyee: abandoned?
18:55:01 <gyee> its trying to use the same mechanism as novaclient
18:55:16 <bknudson> ran out of time or decided not a good idea?
18:55:28 <ayoung> 2.  look at another client that already works with keystoneclient and make it auth clean.
18:55:31 <bknudson> the plugin should be common.
18:55:35 <henrynash> dolphm: when you mean own, you mean somehow do the parsing for those parameters?
18:55:41 <gyee> bknudson, I was trying to figure out if its fundamentally different from the direction ayoung's going
18:55:42 <ayoung> jamielennox, is already working on making the auth_token middleware use requests
18:55:52 <jamielennox> i think should be considered deprecated in favour of https://review.openstack.org/#/c/28043/
18:56:18 <bknudson> jamielennox: that's a lot of code!
18:56:30 <jamielennox> yea, but most of it is from oslo (or at least proposed)
18:56:46 <dolphm> henrynash: i'd like openstackclient, for example, to pass keystone a argparse parser, and have keystoneclient populate it with whatever options it expects
18:56:51 <gyee> bknudson, no shit!
18:56:52 <ayoung> gyee, take a look at the review that jamielennox posted.  I think it handles the same things as your review.  Alessio Ababilov's put a lot of effort into it, just submitted it to oslo first
18:57:00 <jamielennox> but yes, and i think both subtly change how the client gets initiated
18:57:06 <topol> gyee +1
18:57:06 <dolphm> henrynash: i'm not sure that's the *best* way for keystoneclient to own that stuff, but it's an easy one
18:57:21 <henrynash> dolphm: understand your point
18:57:36 <topol> lets draw straws on who gets to review that
18:57:52 <dolphm> henrynash: if we can boil down the process to like 3 lines of boilerplate that other projects can include, we win
18:58:11 <gyee> topol, I am going to be like termie, start that review with a -2 :)
18:58:15 <henrynash> dolphm: agreed….
18:58:19 <ayoung> gyee, no you are not
18:59:21 <topol> I know termie is still alive because he "liked" one of my daughter's instagram photos.  1st time ever
18:59:25 <ayoung> gyee, work with Alessio on getting that sorted out.
18:59:36 <jamielennox> i've had a look through, the code is pretty good as it has been through a dozen rounds of oslo already. It's just hard to say that it's doing everything the same and trying to figure out if it prevents us doing anything new
18:59:37 <ayoung> I think that you guys are headed in the same general direction
19:00:10 <ayoung> OK, times up
19:00:11 <gyee> ayoung, I was half joking, just need to spend some time on it
19:00:30 * topol half joking... half
19:00:32 <ayoung> dolphm, you want to send out the feature freeze message?
19:01:07 <dolphm> http://paste.openstack.org/raw/41437/
19:01:13 <dolphm> henrynash: ^
19:01:46 <ayoung> dolphm, +1
19:01:49 <henrynash> dolphm: get the idea
19:02:00 <jamielennox> https://blueprints.launchpad.net/python-keystoneclient/+spec/consolidate-cli-auth
19:02:02 <bknudson> dolphm: does it need the version?
19:02:10 <bknudson> oh, probably not
19:02:22 <ayoung> bknudson, probably at the packaging level, not here
19:02:33 <dolphm> bknudson: it would be up to keystoneclient to reach out to the auth url and find out what versions are available
19:02:34 <jamielennox> for cli options, append anything to ^
19:02:42 <dolphm> bknudson: and abstract that all away from both end users and other clients
19:03:12 <topol> how much code change in all the clients?
19:03:13 <dolphm> the goal being: never maintain auth code in other clients, own it in one client
19:03:22 <dolphm> topol: hopefully a lot of deletes
19:03:41 <ayoung> we're about to get kicked out
19:03:43 <bknudson> swift is always the oddball
19:03:44 <dolphm> ah
19:03:46 <topol> how good are we at getting them to update their client per our desires?
19:03:48 <dolphm> sorry guys!
19:03:50 <dolphm> #endmeeting