#openstack-meeting log

18:00:33 <stevemar_> #startmeeting keystone
18:00:33 <openstack> Meeting started Tue Oct 13 18:00:33 2015 UTC and is due to finish in 60 minutes.  The chair is stevemar_. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:36 <breton> o/
18:00:38 <openstack> The meeting name has been set to 'keystone'
18:00:40 <lhcheng> o/
18:00:42 <stevemar_> #link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting
18:00:43 <dolphm> \o/
18:00:52 <stevemar_> #topic design summit
18:00:53 * morgan runs away and hides
18:01:02 <stevemar_> the schedule is out
18:01:09 <stevemar_> well, the keystone one anyway
18:01:11 <stevemar_> #link https://mitakadesignsummit.sched.org/overview/type/Keystone#.VhQoFBNVhBc
18:01:30 <dolphm> stevemar_: nice work
18:01:37 <stevemar_> i've created etherpads for all the sessions, and pre-populated them with content from our brain dump
18:01:46 <samueldmq> oi :)
18:01:56 <bknudson> we can take tuesday off
18:02:08 <dolphm> cross-project day
18:02:12 <morgan> bknudson: I heard we also get to take monday off
18:02:12 <stevemar_> bknudson: there are a few cross project sessions you should consider going to
18:02:30 <stevemar_> bknudson-bot does not take days off
18:02:31 <gyee> like what, service catalog? :)
18:02:34 <morgan> gyee: yes
18:02:39 <marekd> stevemar_: is the scedule for x-project ?
18:02:46 <morgan> but other general x-project
18:02:50 <topol> 0/
18:02:53 <marekd> is there a schedule out for x-project?
18:02:53 <morgan> marekd: there was a ML topic just sent out for feedback on it
18:03:02 <morgan> maybe an hour ago?
18:03:08 <stevemar_> #link https://etherpad.openstack.org/p/mitaka-cross-project-session-planning
18:03:19 <stevemar_> that's the current plan for x-project session
18:03:23 <stevemar_> there are A LOT
18:03:28 <stevemar_> theres even one for federation
18:03:33 <dstanek> o/
18:03:36 <marekd> stevemar_: can't be!
18:03:37 <stevemar_> at line 605ish,
18:03:39 <topol> what day is cross project/
18:03:43 <marekd> tuesday
18:03:46 <ayoung> there was some discussion from sdague and dhelman about the policu X=project
18:03:48 <topol> cool
18:03:49 <stevemar_> topol: it spans many days i think
18:03:58 <stevemar_> ayoung: there is one for policy too!
18:04:03 <ayoung> I think the focus will be on Bug 968696 issue
18:04:03 <openstack> bug 968696 in Keystone ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)
18:04:09 <bknudson> all the summit topics should be cross-project
18:04:17 <bknudson> we have a meetup for intra-project
18:04:22 <gyee> ayoung, yay, congress
18:04:27 <gyee> I mean policy
18:05:39 <stevemar_> so if folks want to add more context to the federation and policy x-project session that would be cool :)
18:06:04 <stevemar_> marekd: i think they want actionable items, even if it's just a call to action for more projects to be aware of it
18:06:09 <htruta> stevemar_: the HMT one is very raw too
18:06:12 <marekd> stevemar_: so this voting on the etherpad was for everybody or some super heroes?
18:06:26 <stevemar_> marekd: lol i think it's just for TC
18:06:34 <htruta> for what I've been seeing in liberty, we may have some other things to discuss there
18:06:37 <stevemar_> they are kinda like a justice league...
18:07:15 <marekd> stevemar_: that's what i meant
18:07:22 <stevemar_> any other questions about the design sessions :)
18:07:38 <stevemar_> requests / comments / don't throw tomatoes at me
18:07:55 <marekd> just kudos
18:08:03 <stevemar_> if the area is something you're interested in, please try to populate the etherpad, it's in the sched link
18:08:05 <gyee> stevemar_, so Friday meetups are going to be like last time at Vancouver?
18:08:16 <gyee> do whatever
18:08:18 <stevemar_> gyee: yep
18:08:19 <samueldmq> stevemar_: I think the sched looks good, nicely done :)
18:08:30 <stevemar_> i think bknudson wants us to all do code-reviews that day :)
18:08:38 <gyee> sure, that'll work
18:08:39 <raildo> stevemar_: can we create a hangout air in the design session for who are not attending the summit? :)
18:09:01 <lbragstad> just curious, but are we going to plan on leveraging monday for anything?
18:09:10 <marekd> lbragstad: there is no summit on monday
18:09:11 <stevemar_> raildo: hmm, i will try. at the minimum we'll be updating the etherpad as we go
18:09:11 <bknudson> I assume you're all doing code reviews all the time.
18:09:14 <lbragstad> right
18:09:24 <raildo> stevemar_: ok :)
18:09:32 <htruta> bknudson: we are :D
18:09:32 <stevemar_> lbragstad: monday is for touring tokyo
18:09:50 <lbragstad> i imagine that would be the "get into town and get acclimated" day
18:09:51 <dolphm> Mobile* code reviews
18:09:57 <stevemar_> yep
18:10:00 <lbragstad> ok, works for me
18:10:04 <stevemar_> alrighty, neeeeext
18:10:13 <gyee> I plan on hanging out with the ninjas
18:10:22 <stevemar_> jamielennox: you around?
18:10:25 <jamielennox> yea
18:10:30 <bknudson> if you can find the ninjas they're not very good ones.
18:10:36 <stevemar_> #topic auth plugins
18:11:01 <stevemar_> this was something that bknudson brought up in this review: https://review.openstack.org/#/c/177227/
18:11:32 <stevemar_> basically, should we be leveraging "extras" instead of creating new repos
18:11:38 <bknudson> we've got too many repos
18:11:42 <gyee> oh the package dependency thingy
18:12:01 <stevemar_> the justification for keystoneauth-saml2 was because we didn't want to force folks to carry lxml
18:12:10 <marekd> yes
18:12:17 <stevemar_> but with setuptools 'extras' we can specify it in setup.cfg
18:12:18 <jamielennox> similarly kerberos
18:12:24 <stevemar_> and it's not there by default
18:12:26 <stevemar_> jamielennox: yep
18:12:48 <bknudson> I think reviews will go faster if we have fewer repos
18:12:51 <stevemar_> so, is this something we want to set a precedent for?
18:12:54 <stevemar_> bknudson: agreed
18:13:11 <jamielennox> if we can squeeze them back into the repo then that would be easier
18:13:14 <bknudson> only trick might be that we have to do optional imports or something.
18:13:21 <jamielennox> bknudson: yep
18:13:21 <stevemar_> thats only 1 issue, packaging and consumability are others
18:13:27 <marekd> bknudson: how does that work?
18:13:44 <bknudson> try: import lxml except ImportError: lxml = None
18:13:50 <marekd> bknudson: oh lol
18:13:51 <marekd> this way
18:13:53 <bknudson> I think we have that in a few places already
18:13:57 <marekd> bknudson: yes
18:14:03 <marekd> i thought there was smarter way
18:14:18 <jamielennox> i'm still not sure how packaging is going to handle this - but i guess that's not a problem for here
18:14:23 <bknudson> there's probably something fancy with optional imports.
18:14:31 <gyee> silent failure is not good for supportability
18:14:35 <marekd> bknudson: a decorator or generator
18:14:46 <dstanek> stevemar_: yes, not sure how distro packaging would work unless they just included the kitchen sink
18:15:02 <stevemar_> dstanek: well that's an issue for keystone right now isn't it?
18:15:07 <bknudson> similar to http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/__init__.py
18:15:09 <jamielennox> gyee: it's not silent - they just don't raise the error until you actually try to use them
18:15:10 <marekd> bknudson: jamielennox bknudson: so how is it going to work...i pip install keystoneauth and need to install lxml by hand?
18:15:14 <stevemar_> we do this technique with ldap now
18:15:24 <bknudson> pip install keystonauth[saml]
18:15:26 <jamielennox> marekd: pip install keystoneauth[saml2]
18:15:26 <stevemar_> i think there's a specific keystone-ldap package
18:15:36 <stevemar_> jamielennox: bknudson not using pip though
18:15:40 <dstanek> stevemar_: yep, i hear the complaints. that's why i say that :-)
18:15:53 <bknudson> packagers can handle it however they want to.
18:16:07 <bknudson> if I was a packager I'd just put it all in keystoneauth
18:16:11 <marekd> jamielennox: bknudson: ok, any code that already does that so i can start working on squeezing saml2 coe into ksa ?
18:16:16 <gyee> jamielennox, ok, that's fine then
18:16:26 <ayoung> I hate SAML
18:16:29 <marekd> ayoung: me too
18:16:44 <jamielennox> lxml is an easy dep to carry really, kerberos not so much
18:16:47 <stevemar_> zigo: you around?
18:17:05 <jamielennox> if i was packaging this i'd just rely on lxml
18:17:12 <ayoung> Kerberos really should be an optional dependency on the session, not on the auth plugin anyway
18:17:37 <gyee> ayoung, so is x.509
18:17:47 <bknudson> marekd: if you can take a look at it and propose the change and it looks good I think we should go with it.
18:17:53 <ayoung> gyee, X509 is part of the HTTP code base, though
18:17:58 <jamielennox> ayoung: x509 is both, kerberos not so much
18:18:00 <stevemar_> #action get input from packagers for handling optional libs
18:18:02 <bknudson> we never released keystoneauth-saml2?
18:18:07 <stevemar_> bknudson: correct
18:18:40 <edmondsw> I would certainly hope distros DON'T include everything as prereqs just because one extra does... leave it up to the operator/ansible/etc. to determine what they need and don't need for optional dependencies
18:18:43 <bknudson> we'll lose the git history unless we do something drastic
18:18:48 <edmondsw> they can do that easily enough by looking at the setup.cfg
18:19:40 <dstanek> edmondsw: do you see the setup.cfg when you install the package?
18:19:48 <edmondsw> no, but you see it in git :)
18:19:54 <jamielennox> edmondsw: who would be looking at setup.cfg though?
18:19:56 <stevemar_> meh, i'll poke around and ask zigo, i'll report my findings to the ML
18:20:06 <edmondsw> guys writing ansible/etc.
18:20:12 <marekd> bknudson: i can propose something, but i am not sure how i should structure the code so there is any distinction between pip install keystoneauth and pip install[saml2]
18:20:22 <edmondsw> and let's face it... operators who aren't using something like that already have to go to git
18:20:28 <marekd> pip install keystoneauth[saml2]
18:20:33 <jamielennox> stevemar_: i think it's one you should take to the list, lifeless will have an opinion and i'm sure the packagers will as well
18:20:37 <stevemar_> marekd: just gotta create entry points
18:20:43 <marekd> stevemar_: aha
18:20:45 <marekd> ok
18:20:46 <stevemar_> jamielennox: cool
18:20:48 <bknudson> marekd: http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg#n25
18:20:48 <dstanek> edmondsw: that's part of the complaining i hear
18:20:48 <jamielennox> marekd: have a look, keystone itself does it
18:20:56 <edmondsw> dstanek, what is?
18:20:58 <stevemar_> we already do this in keystone proper with our ldap support
18:21:00 <marekd> jamielennox: ok
18:21:01 <lifeless> jamielennox: stevemar_: context?
18:21:18 <jamielennox> lifeless: what's going to happen with packaging if we put lots of pip optional dependencies
18:21:24 <marekd> stevemar_: ok, so i am good
18:21:25 <dstanek> edmondsw: having to go to git to figure it out
18:21:27 <stevemar_> lifeless: impact to packagers when setuptools has 'extra' dependcies
18:21:27 <jamielennox> lifeless: keystoneauth[saml2]
18:21:37 <edmondsw> dstanek, that's unsolvable
18:21:38 <dstanek> edmondsw: and setup.cfg doesn't actually tell you what you need for a feature.
18:21:48 <edmondsw> dstanek, oh, but it does...
18:21:56 <lifeless> ah right - so they translate to recommended dependencies in the distro world typically
18:21:58 <edmondsw> that's exactly what the extras do
18:22:13 <lifeless> they can in principle be translated to helper packages that only express tings in the dependency graph
18:22:33 <stevemar_> lifeless: sounds like everything is packaged in
18:22:34 <dstanek> edmondsw: nope, between ubuntu and fedora they have different package names
18:22:44 <bknudson> lifeless: have you heard any complaints from distros about use of extras?
18:22:46 <lifeless> e.g. in Debian it might be python-keystoneauth-saml2 which is empty but has dependencies on the saml2 deps
18:22:50 <lifeless> bknudson: I have not
18:22:58 <lifeless> bknudson: but that is likely low use measurement bias
18:23:09 <dstanek> edmondsw: and then there have been times in the past where a python lib packaged for a dist also have a dep that you have to install
18:23:17 <dstanek> edmondsw: sometimes it's pretty hard
18:23:27 <jamielennox> lifeless: so i only know rpm and the recommended doesn't exist there, but do we need to structure this to ensure they are seperatable?
18:23:30 <stevemar_> lifeless: so in keystone you can do pip install keystone[ldap], does that mean there's a keystone-ldap package?
18:23:54 <jamielennox> lifeless: like obviously having things that might be split be in an __all__ is going to cause problems there
18:23:55 <lifeless> stevemar_: there's a couple different ways it could be translated; thats one of them yes
18:24:05 <edmondsw> dstanek, setup.cfg will tell you what you need in python terms... yes, the distro might name their rpm/deb a little differently, but it shouldn't be hard to find
18:24:12 <lifeless> jamielennox: so stuff in __all__ has to be defined always (but could be None)
18:24:27 <lifeless> and we can certainly make recommendations in pbr's docs for redistributors
18:24:34 <lifeless> so I think yeah, a list thread is a good idea
18:24:39 <jamielennox> stevemar_: i think keystone itself is less of a concern because it really doesn't matter if you have some extra packages there, keystoneauth on the other hand will be installed everywhere
18:24:50 <bknudson> jamielennox: marekd: it can't be imported by default, so check out the lazy importer we use in ksc -- http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/__init__.py#n52
18:25:00 <lifeless> I don't see any reason why it should make packagers grumpy (other than it being churn vs the status quo)
18:25:29 <lifeless> It should be trivially handlable in deb/rpm/arch etc
18:25:35 <jamielennox> bknudson: that got us around a very specific problem, i don't think we should intend to use that always
18:25:41 <lifeless> (since the minimum mechanical transform is an empty dep-only package)
18:25:49 <lifeless> and every system can do tht
18:26:22 <jamielennox> lifeless: oh, not actually split the code out into new packages, just the deps
18:26:59 <jamielennox> lifeless: makes more sense, not sure what i was thinking
18:27:00 <lifeless> jamielennox: yeah, extras do not imply code split out at all
18:27:20 <jamielennox> i guess because we have/can do a clean split between deps
18:27:22 <stevemar_> (gonna switch topics in 3 minutes to make sure we have enough time)
18:27:36 <jamielennox> stevemar_: do it, resolve to get packager input on list
18:27:37 <bknudson> would it be better to split out the code? if so let's keep separate repos. it's not that big of a deal
18:27:43 <stevemar_> jamielennox: rgr
18:27:53 <lifeless> bknudson: that can have high friction costs
18:27:54 <stevemar_> to the mailing list!
18:28:07 <stevemar_> #topic functional tests in keystone
18:28:12 <lifeless> bknudson: I really think its worth keeping dev easy and low-friction if the externalities are tolerable
18:28:13 <jamielennox> bknudson: lets see what packagers say, if it's a problem we keep the repos beause we have them anyway
18:28:24 <stevemar_> marekd dstanek the floor is yours
18:28:37 <ayoung> So...looking in to getting IPA up and working for Functional testing...does it have to be Ubuntu 14.04?
18:28:44 <edmondsw> keystone is carrying several optional dependencies in requirements.txt that should really be extras in setup.cfg... passlib, oauthlib, pysaml2
18:28:53 <stevemar_> mtreinish: fyi ^
18:29:10 <stevemar_> edmondsw: file a bug :P
18:29:15 <edmondsw> yeah :)
18:29:16 <lifeless> ayoung: we have centos slaves
18:29:26 <marekd> dstanek: here?
18:29:29 <lifeless> ayoung: I'm not sure if there are fedora slaves offhand
18:29:31 <bknudson> centos for python 2.6?
18:29:44 <dstanek> stevemar_: i think marekd was just worried about the path we are taking
18:29:44 <ayoung> lifeless, centos?  Ubuntu Later than 14.04?
18:29:53 <ayoung> Centos 7?
18:29:53 <dstanek> and if it jives with everyone else
18:30:05 <marekd> so we basically had a discussion about functional tests and whether things like that: https://review.openstack.org/#/c/203258/ is fine
18:30:35 <bknudson> before we go adding a bunch of functional tests there should be a gate job that at least verifies it works.
18:30:37 <stevemar_> marekd: dstanek i think it's good to make sure everyone else knows whats up
18:30:40 <bknudson> or we need to come up with some way to verify
18:30:51 <marekd> i remember last week there was a concern that functional tests should validate backend (mysql, postgres) not just API responses
18:30:57 <dstanek> the new question is where do the tests go? in keystone or in tempest
18:31:14 <stevemar_> dstanek: i'd definitely say keystone
18:31:23 <marekd> ^^ yes, then the convo earlier on evolved into something like that :-)
18:31:33 <jamielennox> i'm guessing it depends what you want the tests for
18:31:37 <stevemar_> we can review the tests ourselves
18:31:51 <marekd> jamielennox: i personally want to be automatize real workflows
18:31:55 <jamielennox> if you want them as part of the gate then keystone, if you want them as part of like a validation suite then tempest
18:31:57 <bknudson> we can review changes to tempest, too
18:31:59 <marekd> real interaction between keystone and idp
18:32:09 <bknudson> and maybe they're faster at doing reviews than we are
18:32:10 <marekd> real interaction between ksa/ksc and some server (when testing clients)
18:32:12 <marekd> without any mocks
18:32:27 <jamielennox> marekd: that sounds like testing, so i'd say keystone/ksa
18:32:30 <mordred> ayoung: we have centos7, fedora22 and ubuntu-trusty available
18:32:45 <marekd> jamielennox: yes
18:32:50 <ayoung> mordred, OK, Centos7 is trivial, as is F22
18:33:16 <marekd> jamielennox: you know, every change we do with federation i have to build my own env, setup, and run some code to make sure it works...
18:33:20 <dstanek> bknudson: are they faster?
18:33:21 <mordred> marekd: fwiw, we have functional tests in the shade repo that consume ksa and ksc to do things
18:33:46 <marekd> mordred: great, we now need to have something for both federations for instance :-)
18:33:47 <mordred> marekd: I know that does not solve your immediate concern - but just to let you know there are some consume non-mocked tests running currently
18:34:24 <mordred> marekd: I have nothing configured to test any auth plugins other than v2password and v3password :)
18:34:40 <jamielennox> marekd: completely agree
18:34:40 <dstanek> bknudson: my concern is i don't have any clarity for what they will accept and what they won't
18:34:41 <marekd> mordred: clients was just a part of the 'problem' i think and my understanding federation (as it needs 3rd party peer) is  in the greaest need
18:34:42 <bknudson> there's some review stats on http://russellbryant.net/openstack-stats/keystone-openreviews.html vs http://russellbryant.net/openstack-stats/tempest-openreviews.html
18:34:46 <lifeless> mordred: why is nodepool openstck config in system-config? or perhaps I just don't understand the split
18:34:51 <mordred> marekd: ah! gotcha
18:35:16 <marekd> mordred: we first need to be able to automatically build federation setup and be able to test server, than we can proceed to clients.
18:35:17 <bknudson> dstanek: I don't know if they have specs or blueprints? probably.
18:35:28 <mordred> lifeless: because it's templated via puppet because there are things we need to put into via config - project-config is all static files
18:35:55 <mordred> marekd: this makes sense to me. I will be looking forward to copying and abusing your work once it's done...
18:36:03 <jamielennox> marekd: do we care about multi-machine setups here?
18:36:03 <bknudson> dstanek: we do have a qa liaison...
18:36:06 <lifeless> mordred: ah, I thought project-config was 'things for openstack' vs system-config of 'things for folk to reuse'
18:36:11 <stevemar_> bknudson: dstanek let's keep the functional tests in house for now
18:36:15 <mordred> as I want to test that federation works from my side too, but I have no idea how to set it up
18:36:29 <ayoung> mordred, I can help
18:36:32 <marekd> jamielennox: we will need two keystones for k2k, but i think we agreed that we will try with single machine at the moment.
18:36:33 <bknudson> can we get a gate job that runs the functional tests?
18:36:34 <jamielennox> marekd: is it enough to run the IDP on the keystone box and assume we didn't fake anything or do you want to do proper multiple machines
18:36:45 <marekd> jamielennox: idp like pysaml2 - agreed
18:36:46 <bknudson> (the functional tests that we have now)
18:36:53 <mordred> bknudson: that would be awesome
18:36:53 <dstanek> bknudson: yes, i'll work on getting one up
18:37:13 <stevemar_> dstanek: bknudson: that would be great
18:37:27 <bknudson> stevemar_: only great?
18:37:28 <dstanek> bknudson: i'll add you to the review so i can get your +1 :-)
18:37:37 <stevemar_> bknudson: fantabulous?
18:37:41 <bknudson> that's better
18:37:54 <stevemar_> dstanek: make it non-voting initially
18:38:00 <stevemar_> or do an experimental job
18:38:01 <dstanek> i agree with Tony the Tiger - it's greeeeeaaaat
18:38:05 <marekd> anyway, guys, please have a look at https://review.openstack.org/#/c/203258/ and up
18:38:31 <stevemar_> #action review marek's functional test patches and staneks new gate job
18:38:42 <stevemar_> #action review all the things
18:38:50 <stevemar_> #undo
18:38:52 <openstack> Removing item from minutes: <ircmeeting.items.Action object at 0x95b52d0>
18:38:57 <marekd> i will be adding more and proceed to something more fancy - authentication.
18:39:04 <bknudson> JFDI
18:39:04 <stevemar_> alright
18:39:04 <marekd> stevemar_: he he
18:39:06 <mordred> jamielennox: fwiw, we do have mulit-node testing available should you decide you need it
18:39:19 <marekd> mordred:  oh, great
18:39:22 <marekd> we might need one
18:39:26 <marekd> at some point  for k2k
18:39:28 <stevemar_> bknudson: you have the right attitide there
18:39:29 <dstanek> mordred: decided. we need ot
18:39:33 <dstanek> errr. it
18:39:38 <mordred> cool. we use it to test live migrations currently
18:39:40 <marekd> uness we can run two keystones on one VM
18:39:48 <jamielennox> mordred: sweet, they managed to get that going
18:39:52 <mordred> oh yah
18:40:04 <bknudson> just use docker.
18:40:05 <mordred> clarkb is your man who actually fully understands it
18:40:19 <marekd> noted
18:40:24 <mordred> bknudson: let's not just use docker - we have absolutely no pre-caching infrastructure for docker in the gate
18:40:40 <clarkb> you could just run two keystones
18:40:48 <clarkb> without extra containers or dockers
18:40:49 <mordred> which isn't to say we shouldn't grow some - but I believe you'll find getting that solid to be more work than not using it in this particular case
18:41:42 <jamielennox> right, we should always be able to run this on different ports or set it up to work
18:41:51 <bknudson> we'll need multiple dbs
18:42:01 <dstanek> yes, backends are the issue
18:42:05 <jamielennox> right - devstack is not going to handle this
18:42:07 <marekd> bknudson: yeah, that's the concern
18:42:22 <bknudson> all it takes is to pass a different db name.
18:42:27 <stevemar_> we still need a bunch of devstack plugins, like the ones dstanek was making
18:42:27 <marekd> stanek was proposing devstack booting a VM with a keystone configured there :D
18:42:32 <lbragstad> what about a different table?
18:42:34 <jamielennox> it's just multiple config files
18:42:41 <ayoung> lbragstad, nope
18:42:44 <lbragstad> nvm
18:42:57 <gyee> can we also have multiple instances of shibd on a same node?
18:42:59 * lbragstad tries to get the words to come back
18:43:06 <marekd> gyee: which part?
18:43:08 <stevemar_> lbragstad: one day
18:43:09 <ayoung> Can a Keystone K2K with itself?
18:43:18 <gyee> marekd, for k2k we need shibd
18:43:27 <marekd> ayoung: it should
18:43:27 <jamielennox> ayoung: lol, umm.... i don't know
18:43:36 <gyee> ayoung, it can
18:43:41 <ayoung> Make that work
18:43:52 <marekd> ayoung: such config is so ridiculous i've never tried that but....
18:43:54 <jamielennox> i'm not sure we should consider that a successful functional test
18:44:01 <marekd> jamielennox: exactly
18:44:05 <stevemar_> meh, this is all getting a bit off topic, there are other functional configurations, not just k2k
18:44:12 <gyee> marekd, we tried it and it works fine
18:44:27 * marekd k2k is still far away in the  functioal tests island
18:44:33 <stevemar_> ++
18:44:45 <stevemar_> lets give ayoung some time to chat about admin-ness
18:44:47 <marekd> gyee: aha, good to know stuff i helped to make works :-)
18:44:53 <ayoung> Yay
18:45:09 <stevemar_> #topic Supressing admin role for non-admin projects
18:45:14 <stevemar_> ayoung: ^
18:45:35 <ayoung> so, the fix is to only allow the admin role on the admin proejct
18:45:37 <ayoung> why?
18:46:03 <stevemar_> ayoung: please tell us
18:46:04 <ayoung> becasue so mnuch is hard coded to only check the admin role.  THis, essentially, communicates which project is "admin"
18:46:31 <ayoung> Ok,. lets start with Henrynashs suggestion
18:46:34 <bknudson> you don't want admin project to be able to boot instances and stuff, right?
18:46:39 <gyee> admin should be by choice no accident :)
18:46:51 <ayoung> bknudson,  don't care if the ydo, not what it is there for though
18:47:02 <ayoung> "make people update policy"
18:47:14 <ayoung> we can't./..most people don't touch policy
18:47:34 <ayoung> and, even if we were, we would have no way to clear;y communicate "this is the admin project"
18:47:56 <ayoung> we'd have to templatize all of the policy files in glance neutron nova etc
18:48:01 <ayoung> and fill in the project id
18:48:11 <jamielennox> we don't because "this is the admin project" is never something we've tried to communicate
18:48:11 <ayoung> and, we don't control the distribution mechanism
18:48:12 <samueldmq> ayoung: also, can we have a chained-k2K ? that means a keystone as SP, that needs another keystone SP to provide auth :p nvm
18:48:24 <haneef__> stevemar: what is non-admin project?   project name is just a name. How do you define it?
18:48:39 <ayoung> haneef__, there are certain operations not scoped to a proejct
18:49:31 <ayoung> if we don't restrict where the "admin" role comes from, it means that anyone that can assign a role can assign the admin role, and thus compromise security
18:49:50 <ayoung> so, effectively, we have said "only sysadmins can assign roles"
18:49:53 <david8hu> ayoung, we needs to make people update policy or provide a way to make policy changes less painful.
18:49:53 <bknudson> put that in the commit message
18:49:59 <ayoung> which , of course, does not scale too well
18:50:06 <ayoung> david8hu, I tried that route
18:50:10 <gyee> what's the point of assigning a role if you can only get it under some conditions?
18:50:19 <ayoung> gyee, all the other roles...
18:50:22 <stevemar_> aren't policies updated every upgrade?
18:50:31 <ayoung> most important, you can add someone to your own project, or remove them
18:50:44 <ayoung> stevemar_, that is outside the scope of what openstack upstream can control
18:50:53 <ayoung> is it puppte, ansible, chef, or bash?
18:51:29 <ayoung> Dynamic policy was, effectivly, an internalized config management tool to solve this.  But, its not going to hap[p[en quickly
18:51:50 <ayoung> so, lets lay off on dynamic policy and just fix the problem first
18:51:50 <amakarov> ayoung, if keystone can store policies for entire openstack, it can modify it too, no? All we have to do is to convince others to use stored policies instead of local files
18:52:01 <ayoung> amakarov, tried.  failed
18:52:06 <stevemar_> amakarov: same argument
18:52:11 <ayoung> and, we still have the tokenizeation problem
18:52:24 <ayoung> Keystone not only needs to store, it would need to modify
18:52:24 <amakarov> ayoung, what kan be done if we negotiate Horizon team to make a convenient tool to edit them :)
18:52:33 <ayoung> so...lets change what we can control:  what goes in the token
18:52:34 <stevemar_> ayoung: so i think it's worth asking, how much of a hole are we going to dig ourselves into?
18:52:37 <david8hu> ayoung, Operator still need a way to modify and validate policy even with the dynamic policy route.
18:52:44 <ayoung> stevemar_, none
18:52:46 <stevemar_> if we assume admin roles and admin projects are always there
18:52:52 <ayoung> we are already in the hole
18:53:01 <ayoung> were just fuinally deciding to make iourselves dcomfortable
18:53:06 <stevemar_> i guess if they don't want this, they just don't set the config option?
18:53:10 <ayoung> right
18:53:17 <ayoung> config option is off by defualt, too
18:53:20 <ayoung> to avoid breaking people
18:53:21 <stevemar_> bknudson: dolphm mordred thoughts?
18:53:24 <ayoung> we'll activate it in devstack
18:53:28 <stevemar_> err morgan: not mordred
18:53:53 <amakarov> stevemar_, the bottom of a bowl usually contains the sweetest pieces!
18:53:53 <bknudson> put more info in the commit message so it can be documented properly
18:53:54 <jamielennox> so my problem is that if you know enough to set the config option, then you presumably know enough to not spray admin around
18:54:05 <bknudson> and as I mentioned before there are service users that need admin
18:54:09 <samueldmq> I have thought about a tool to support customizing policies + something to validate the policy changes, something like: my admin does this and that, and then the tool would run against a live cloud and test it
18:54:11 <samueldmq> gyee: cc ^
18:54:17 <bknudson> and they're scoped to service not admin
18:54:25 <samueldmq> gyee: I think I have told you about that idea
18:54:26 <jamielennox> bknudson: service users need admin because of bad policies in other services
18:54:29 <edmondsw> if you trust someone to assign roles, you should trust them to assign roles... someone can setup a role specifically for the purpose of being able to assign roles, if they want to really lock that down
18:54:39 <edmondsw> (and should)
18:54:57 <gyee> smueldmq, tool or API?
18:54:59 <ayoung> so service users indicate we probalby needto make it a list and not a single project
18:55:08 <ayoung> I'm working on updating the patch for that
18:55:27 <jamielennox> i know it doesn't exist, but i'd love to see a list of places where services treat "admin" as not scoped to the project in the token - cause they're just bugs
18:55:28 <lhcheng> amakarov: I think Timur(tsufiev) have started looking at the policy editor in horizon, but holding that off for now.
18:55:29 <amakarov> samueldmq, I have Horizon guys who wolunteered to code the editor if we provide the data format
18:55:31 <ayoung> edmondsw, admin role is just different from other roles
18:55:45 <edmondsw> ayoung, in which sense do you mean?
18:55:55 <ayoung> edmondsw, it is hard coded everywhere, and with no scope check
18:56:01 <david8hu> Let's get x509 going for service users, so we don't need to worry about it no more ;)
18:56:04 <edmondsw> yeah... it's a mess we need to fix
18:56:06 <ayoung> this is just acceptance of the state of things
18:56:16 <ayoung> david8hu, orthogonal
18:56:19 <edmondsw> I should be able to say joe is an admin on project A, bob is an admin on project B, etc.
18:56:25 <ayoung> david8hu, don't confuse authentication with authorization
18:56:37 <ayoung> edmondsw, we'll call it soemthig other than admin
18:56:39 <ayoung> call it manager
18:56:40 <edmondsw> and I'm an admin on project C, which is a parent to both of those, so I'm effectively an admin on A and B as well
18:56:53 <edmondsw> make it heirarchical
18:56:56 <ayoung> edmondsw, nothing checks "admin on project"
18:57:02 <edmondsw> IT SHOULD, though
18:57:05 <edmondsw> we need to fix that
18:57:06 <ayoung> edmondsw, things check "on proejct" or "admin"
18:57:11 <ayoung> edmondsw, forget should...
18:57:13 <edmondsw> that's the problem
18:57:20 <ayoung> so much of this should have been done diffeerntly
18:57:26 <ayoung> we are in a world of legacy
18:57:34 <edmondsw> so we punt?
18:57:44 <samueldmq> gyee: well, some CLI that uses the oepnstack APIs to validate what users can do what
18:57:47 <ayoung> on admin, sure...but
18:57:49 <amakarov> edmondsw, I think "admin" term should dissolve when we enable better role assignment management
18:57:51 <david8hu> ayoung, let's help move it out of legacy
18:57:52 <ayoung> here is the best part:
18:58:00 <ayoung> it lets us focus on splitting policuy into two parts
18:58:14 <ayoung> let the proejct keep what they have: effectivly checking the scope of hte porject
18:58:19 <ayoung> match the tokn e
18:58:28 <ayoung> we can then do dynamic policy in middleware
18:58:29 <gyee> so we have a distinction betwee project admin and admin project admin?
18:58:34 <stevemar_> ayoung: i think you've got something here
18:58:50 <stevemar_> it just needs to be baked a bit longer, add some docs and such like bknudson asked
18:58:58 <ayoung> see, checking to see what the scope of the resource \requires a database lookup for most things
18:59:03 <ayoung> we don;t want that in dyanmic poluicy
18:59:05 <bknudson> it can't break anything if it's optional
18:59:06 <ayoung> changing it breaks things
18:59:11 <ayoung> we only want to do the role check
18:59:15 <stevemar_> bknudson: yep
18:59:26 <stevemar_> alright, lets' not creep onto infra time
18:59:28 <ayoung> so...this lets us plan on doing that in the future
18:59:35 <stevemar_> #endmeeting