#openstack-meeting log

18:00:21 <stevemar> #startmeeting keystone
18:00:22 <openstack> Meeting started Tue Apr 12 18:00:21 2016 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:22 <roxanaghe> o/
18:00:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:25 <stevemar> hello!
18:00:26 <openstack> The meeting name has been set to 'keystone'
18:00:36 <stevemar> #link agenda: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Agenda_for_next_meeting
18:00:36 <crinkle> o/
18:00:36 <bknudson> hi
18:00:41 <knikolla> o/ hello
18:00:42 * ayoung-mobile in lunch mode still
18:00:43 <dstanek> o/
18:00:43 <gsilvis> hello
18:00:45 <breton> hi
18:00:46 <shaleh> \o
18:00:51 <gyee> \o
18:00:56 <raildo> \o/
18:01:03 <stevemar> they are testing the fire alarm right now in my building, fun times
18:01:06 <morgan> oh
18:01:12 <morgan> o/
18:01:17 <morgan> \o
18:01:28 <stevemar> amakarov: hope you're around, you're on the agenda!
18:01:39 <amakarov> Hi all
18:01:45 <samueldmq> oh I am here
18:01:52 <stevemar> #topic mitaka is out
18:01:52 <samueldmq> and I was waiting for a courtesy ping :B
18:01:57 <samueldmq> bye mitaka
18:01:59 <samueldmq> hello newton
18:02:02 <morgan> amakarov: i have things to talk to you about that caching btw...
18:02:04 <stevemar> i am off my game...
18:02:04 <morgan> oooooh
18:02:08 <stevemar> ping ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, jorge_munoz, knikolla, lbragstad, lhcheng, marekd, MaxPC, morganfainberg, nkinder, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tjcocozz, tsymanczyk, topol, vivekd, wanghong, xek
18:02:11 <morgan> yay Mitaka
18:02:16 <rodrigods> o/
18:02:19 <bknudson> we support mitaka for at least 12 months
18:02:20 <amakarov> Why don't we cache new tokens in kmw cache right after they were issued?
18:02:25 <lbragstad> o/
18:02:26 <ayoung-mobile> Sam you are supposed tobsay "here I am!". It goes with the name
18:02:29 <shaleh> queue horrible bug discovery in 3,2,....
18:02:32 <stevemar> MITAKA is out!
18:02:32 <jamielennox> o/
18:02:40 <stevemar> release notes! http://docs.openstack.org/releasenotes/keystone/mitaka.html
18:02:54 <samueldmq> here I am! <<< ayoung-mobile
18:02:55 <lhcheng> o/
18:03:04 <stevemar> just wanted to say thanks to everyone that contributed
18:03:05 <rderose> o/
18:03:14 <morgan> amakarov: hold up but yes.
18:03:15 <stevemar> and i hope we have an awesome newton
18:03:27 <stevemar> thats alL!
18:03:33 * morgan hides the microphone before ayoung-mobile gets it ;)
18:03:35 <samueldmq> we will ahve !! for sure
18:04:00 <stevemar> alright, lets give the microphone over
18:04:10 <raildo> stevemar, great job as  PTL on mitaka! congrats :)
18:04:15 <stevemar> #topic Pre-cache new tokens for 5 minutes in KMW cache
18:04:26 <morgan> raildo: ++ so glad it wasn't me :)
18:04:39 <raildo> morgan, haha
18:04:44 <bknudson> I assume this this auth_token middleware?
18:04:48 <breton> kmw == ksm?
18:04:52 <morgan> yeah
18:04:58 <morgan> keystonemiddleware
18:05:01 <samueldmq> nice, I was confused too
18:05:16 <amakarov> Well, I've ran into one stupid thing we do for every token: validate it right after it was issued
18:05:17 <morgan> can i make a recommendation - do not abbreviate "ks, ksm, ksa,..."
18:05:17 <gyee> damn acronyms
18:05:33 <ayoung-mobile> Doesn't a shared memcache work now
18:05:35 <amakarov> is it necessary?
18:05:44 <morgan> so there is a reason for this
18:05:46 <bknudson> how does auth_token know about the new token?
18:05:52 <samueldmq> bknudson: ++
18:05:55 <bknudson> send it over a message bus?
18:06:06 <amakarov> ayoung-mobile, yes, and we can cache new tokens there
18:06:09 <morgan> bknudson: he's saying puysh the validated totken to memcache
18:06:13 <morgan> directly from keystone
18:06:15 <morgan> on issuance
18:06:23 <amakarov> without validating them first
18:06:24 <ayoung-mobile> Amakarov so this is on issue?
18:06:32 <jamielennox> i don't think you could message bus it, keystone would have to go straight to memcache
18:06:33 <samueldmq> jsut a config thing not ?
18:06:35 <samueldmq> no*
18:06:46 <morgan> so hold up before we discuss how we get tokens out there
18:06:53 <ayoung-mobile> Nah right into memcache from keystone
18:06:56 <morgan> often endpoints are grouped logically
18:07:05 <morgan> and have some shared memcache but not all shared
18:07:12 <amakarov> I'd suggest do that on client side
18:07:15 <morgan> keystone would need to know what memcaches to push the token to.
18:07:32 <amakarov> morgan, that's not essential
18:07:33 <morgan> amakarov: wait is this a client thing or a middleware thing?
18:07:51 <amakarov> morgan, that's the client thing I think
18:08:07 <morgan> because lets draw the line in the sand, client is NOT trusted to put things in memcache that keystonemiddleware or keystone consumes
18:08:09 <amakarov> the client should cache new tokens for middleware to get it
18:08:17 <breton> so how is this different from our current flow in terms of performance?
18:08:19 <samueldmq> morgan: amakarov: client think -> keystone auth thing ?
18:08:20 <dstanek> morgan: +1000
18:08:29 <morgan> and client will never be trusted.
18:08:32 <morgan> to do so
18:08:53 <morgan> in fact, most deployments should lock down memcache more than they do... that is a different convo though
18:08:57 <samueldmq> oh wait, that's just for new issued tokens
18:09:00 <amakarov> samueldmq, by client I mean keystoneclient lib and everything it uses
18:09:00 <samueldmq> is it that important?
18:09:11 <bknudson> if the client can put tokens in the auth_token cache then there's no need for keystone at all
18:09:22 <samueldmq> I think the effort doesn't pay the improvement (1 request) ?
18:09:26 <amakarov> bknudson, hmm, right
18:09:29 <morgan> bknudson: and no security in openstack
18:09:37 <ayoung-mobile> Amakarov this is client as called from within middleware right?
18:09:37 <amakarov> let's move it to server side then
18:09:39 <bknudson> morgan: y, that too.
18:09:46 <morgan> ok, so server side
18:09:59 <morgan> you have keystone needing to know all the memcaches to push to
18:10:01 <amakarov> ayoung-mobile, I want to avoid this first-time validation
18:10:10 <morgan> i support shared memcache for endpoints
18:10:11 <jamielennox> so as of a review i have open keystone can/will be consuming keystonemiddleware
18:10:14 <bknudson> all the memcache clusters
18:10:17 <amakarov> so I assume we can trust keystone server then
18:10:22 <jamielennox> so where this code lives is not a big deal
18:10:22 <morgan> bknudson: correct
18:10:23 <amakarov> that token is valid
18:10:26 <dstanek> are we talking about keystone pushing to another service's memcache cluster?
18:10:33 <morgan> dstanek: possibly
18:10:33 <ayoung-mobile> Amakarov allinone deploys?
18:10:42 <dstanek> seems like bad architecture
18:10:51 <morgan> allinone deployes are not really something we enginerr for
18:10:59 <morgan> we get it for free most of the time :)
18:11:06 <samueldmq> dstanek: I don't like that too
18:11:06 <amakarov> ayoung-mobile, not exactly
18:11:21 <samueldmq> dstanek:  too much change for saving 1 validation request
18:11:29 <morgan> amakarov: i made this argument before
18:11:43 <morgan> and we explored it ( ayoung-mobile and i )
18:11:52 <bknudson> if keystone had a memcache where it could look up tokens quickly then the call from auth_token would be faster
18:11:54 <morgan> sharing a memcache cluster for endpoints is good
18:12:16 <morgan> however, keystone pushing to probably a separate cluster in big deploys
18:12:18 <morgan> is bad
18:12:29 <morgan> keystone as it is could pre-cache for itself making the validate faster
18:12:37 <dolphm> morgan: ++
18:12:39 <morgan> and i'd be happy to add that to the caching layer for tokens
18:12:42 <amakarov> anyway, if kmw uses another cache it will stil validate the token as usual
18:12:50 <dstanek> morgan: i think that's a good idea
18:12:53 <morgan> but i wouldn't want keystone to push to the cache in the keystonemiddleware way
18:13:00 <dolphm> morgan: ++
18:13:07 <morgan> keep keystonemiddleware in charge of keystonemiddleware semantics
18:13:23 <morgan> if the cluster happens to be shared and the semantics are the same
18:13:25 <morgan> sure
18:13:28 <dstanek> from an architecture POV a cache is within a service and not a part of the API.
18:13:33 <dolphm> keystonemiddleware can share the cache of other service's keystoenmiddlewares though, if that's convenient
18:13:36 <morgan> but i'd focus on keystone pre-caching for itself.
18:13:38 <samueldmq> dstanek: ++
18:13:51 <morgan> and i REALLY like recommending the various services sharing keystonemiddleware caches
18:13:59 <amakarov> morgan, do you suggest to cache tokens in keystone server very own jaust to validate it faster?
18:14:00 <morgan> regardless if keystone shares that or not.
18:14:14 <morgan> amakarov: it would be easy to on issuance to a pre-cache in keystone
18:14:14 <amakarov> s/jaust/just/
18:14:22 <morgan> and it would make validations faster
18:14:28 <morgan> for the window of cache
18:14:31 <amakarov> morgan, sounds like a compromise
18:14:33 <morgan> so ~300s by default
18:14:55 <morgan> once keystone uses keystonemiddleware
18:15:05 <morgan> and keystonemiddleware is on oslo.cache these pre-caches may look the same
18:15:07 <gyee> morgan, I presume we still invalid the cache of the token changes?
18:15:10 <amakarov> morgan, under our loads the majority of tokens are short living
18:15:11 <morgan> so it accelerates everything
18:15:13 <gyee> i.e. role changes in fernet
18:15:32 <morgan> gyee: we would need to be smart about where we cache the data.
18:15:43 <amakarov> gyee, there may be a trade-off
18:15:51 <morgan> gyee: but we cache for 300s by default
18:16:03 <morgan> gyee: which we've always said is within our acceptible clock skew
18:16:03 <amakarov> 5 min cache is ok to wait for
18:16:05 <jamielennox> morgan: so at least under current design we don't inherit the caching part of keystonemiddleware in keystone
18:16:13 <morgan> jamielennox: and we shouldn't
18:16:19 <stevemar> amakarov: are you satisfied with this discussion, is there still a need for the blueprint? https://blueprints.launchpad.net/keystone/+spec/pre-cache-tokens
18:16:21 <jamielennox> right
18:16:21 <gyee> behavior is a bit different though, middleware versus keystone
18:16:28 <gyee> middleware cache validation results only
18:16:29 <morgan> jamielennox: i'd like to see keystonemiddleware move to oslo.cache and we can see if they align
18:16:36 <morgan> jamielennox: but i don't expect it to in the near term
18:16:50 <amakarov> stevemar, I'm ok with current agreement
18:17:04 <morgan> gyee: again, known window of validation we accept as tokens being valid for
18:17:12 <jamielennox> morgan: gah, i got it so close, but the edge cases are hard
18:17:20 <shaleh> stevemar: might make sense to document the agreement in a bp
18:17:22 <morgan> gyee: known risk and within what we consider clock-skew
18:17:28 <gyee> morgan, sure, options and tradeoffs as always
18:17:34 <shaleh> stevemar: people might want to know what we were thinking 6 months from now
18:17:47 <gyee> just saying we need to doc the difference
18:17:52 <stevemar> shaleh: that's what i'm doing :)
18:17:53 <morgan> this is a relatively low bar (yay!) to hit for newton
18:18:17 <morgan> i'm happy to sign up for helping on this front as long as someone else is willing to take a first stab at docs
18:18:25 <amakarov> shaleh, modified the bp
18:18:28 <morgan> and/or someone is willing to at least co-author so we have more cache knowledge :)
18:18:53 <morgan> or take a stab and i'll review
18:18:54 <morgan> ;)
18:19:04 <stevemar> amakarov: i may have overridden your changes, launchpad :(
18:19:12 <morgan> lets continue the impl details offline btw
18:19:12 <amakarov> morgan, :)
18:19:29 <bknudson> I'd like to know more about token validation performance since I'm sure our cloud folks will ask about it.
18:19:36 <morgan> bknudson: sounds good! :)
18:19:47 <morgan> bknudson: actually i think we have a lot of ways to improve that this cycle
18:19:53 <lbragstad> ++
18:19:59 <bknudson> how about we split token validation to another service?
18:20:04 <bknudson> ;)
18:20:08 <gyee> say what?!
18:20:13 * stevemar throws a rotten tomato at bknudson
18:20:28 * morgan borrows a wet emu from mordred to throw at bknudson
18:20:34 <ayoung> Lets go tokenless everywhere
18:20:40 <morgan> ayoung: good plan!
18:20:42 <stevemar> next topic :)
18:20:46 <stevemar> #topic OSProfiler integration
18:21:03 <stevemar> amakarov: morgan ^
18:21:13 <amakarov> ok, what's holding us from accepting that thing? )
18:21:30 <amakarov> https://review.openstack.org/#/c/294535
18:21:30 <morgan> amakarov: was working through the last bits (such as https://review.openstack.org/#/q/I4857cfe1e62d54c3c89a0206ffc895c4cf681ce5,n,z ) with DinaBelova
18:21:44 <stevemar> amakarov: i don't want config options for it (not sure if this is still an issue_
18:21:59 <morgan> making sure we weren't doing something weird with either side
18:22:05 <amakarov> morgan, yes, and I was fixing that job failures ))
18:22:17 <morgan> stevemar: all options are [iirc] in osprofiler now
18:22:24 <morgan> we have an external default set
18:22:28 <morgan> to default it to off
18:22:31 <stevemar> ++
18:22:32 <morgan> and a couple other things
18:22:46 <morgan> i'll confirm, but the code is almost there and looks pretty good
18:23:14 <morgan> we should aim to land it early this cycle and i plan on opening a convo with DinaBelova at the summit about better ways to desgin for profiling going forward across openstack
18:23:17 <amakarov> morgan, it has just passed jenkins tests
18:23:28 <morgan> but we shouldn't wait since that'll be a few cycles out
18:23:34 <morgan> this is a good starting place
18:23:46 <morgan> so in short, review it.
18:23:50 <shaleh> morgan: ++
18:23:53 <morgan> please don't bikeshed it
18:24:15 <morgan> and if there are minor concerns lets stack the changes on top where possible
18:24:34 <morgan> i am happy where this has moved to and think it can land soon as long as it's reviewed.
18:25:06 <dstanek> morgan: we should take some hints from how things like newrelic are implemented
18:25:13 <morgan> dstanek: that is the plan.
18:25:39 <morgan> dstanek: and setting clear hook points in the projects so anything (not just osprofiler) can hool in
18:25:39 <dstanek> morgan: i have some ideas, but no time :-(
18:25:41 <morgan> hook*
18:25:45 <jamielennox> question though, why doesn't that live in oslo.db?
18:26:05 <morgan> jamielennox: it isn't db only
18:26:25 <jamielennox> no, but i know i put a review on the oslo.cache one the other day that it should be in oslo.cache
18:26:29 <dstanek> jamielennox: there should be support in oslo.db, but also in other things
18:26:42 <jamielennox> as is you are going to be _wrap_session-ing in every project, why not just control it from oslo.db?
18:26:50 <morgan> jamielennox: that is part of the larger conversation / x-project spec i want to work with DinaBelova on
18:26:53 <shaleh> so start with it here in Keystone and move it down to oslo.db?
18:26:59 <bknudson> maybe we can move it to oslo.db once we prove it out
18:27:04 <amakarov> shaleh, ++
18:27:14 <stevemar> its in all the pipelines too
18:27:17 <amakarov> let's have something up and running first
18:27:20 <dstanek> isn't this already in other projects?
18:27:24 <morgan> dstanek: it is
18:27:27 <morgan> we're one of the last
18:27:28 <jamielennox> that's ok - we can do it that way i'm just wondering why we'd do this particular case this way
18:27:29 <morgan> iirc
18:27:44 <morgan> jamielennox: version 1, i think is the answer
18:27:47 <dstanek> it that's the case why prove it again? just put it where it belongs
18:27:50 <jamielennox> k
18:28:15 <morgan> dstanek: i think the architecture isn't there.
18:28:26 <morgan> and having profiling hooks in keystone is a good thing (tm)
18:28:34 <morgan> even if they are suboptimal for the moment
18:28:51 <morgan> once it is in oslo.db we move the stuff out of keystone, it's a pattern we've done before
18:29:00 <stevemar> true
18:29:19 <morgan> and should be pretty lightweight to do so as it improves.
18:29:44 <morgan> but if we;re adding changes to oslo, and othe rthings i think we should look at the design to be not just osprofiler specific
18:29:47 <morgan> let anyone hook in
18:29:49 <stevemar> alright, lets review it then
18:29:57 <morgan> but in short,lets review it.
18:30:01 <stevemar> any new issues we can leave as comments
18:30:12 <morgan> critical concerns please highlight right away
18:30:18 <morgan> minor concerns can be addon patches
18:30:26 <morgan> bikeshedding... leave at the door ;)
18:30:45 <ayoung> I'd rather not think of it as generic hooks, but rather profiling that can be 0 cost disabled
18:30:47 * morgan steps off the soapbox
18:30:58 <stevemar> next topic
18:31:02 <shaleh> ayoung: you mean 0 cost enabled right?
18:31:11 <morgan> ayoung: join us at the summit and we will work on that :)
18:31:14 <ayoung> shaleh, nah, meaning you don't pay for it if it is disabled
18:31:16 <morgan> ayoung: please join us for that convo.
18:31:24 <morgan> ayoung: that is the goal btw.
18:31:27 <ayoung> morgan, speaking of summit....
18:31:32 <ayoung> is that next?
18:31:48 <stevemar> ayoung: next is federation functional tests
18:31:50 <dstanek> shaleh: unfortunately profiling always has a cost. that's why i was advocating for defaulting to of
18:31:52 <dstanek> off
18:31:56 <stevemar> ayoung: what did you have in mind?
18:32:09 <morgan> dstanek: and why i -2d it up and down until it was default off
18:32:34 <ayoung> stevemar, on Profiling?  Nothing, just avoiding a general "hooks" approach.
18:32:37 <shaleh> dstanek: fair anough
18:32:39 <ayoung> Lets do Federation
18:32:52 <stevemar> #topic Keystone federation integration/functional tests
18:33:12 <rodrigods> knikolla around?
18:33:18 <knikolla> rodrigods, yeah
18:33:21 <shaleh> ayoung: we talking k2k here?
18:33:23 <ayoung> So...dumb Idea....
18:33:30 <gsilvis> shaleh: yup
18:33:35 <knikolla> so, current CI gates do not do functional/integration testing for federation
18:33:37 <ayoung> what if we made Keystone act as its own Federated IdP?
18:33:39 <bknudson> devstack should be able to spin up 2 keystone instances so you can do k2k on 1 system.
18:33:54 <ayoung> Like...you get an url under OS-FEDERATION
18:33:59 <ayoung> and it is protected with basic auth
18:33:59 <rodrigods> ayoung, interesting
18:34:01 <gsilvis> ayoung: I feel like testing something closer to a real setup would be a more reassuring test
18:34:12 <shaleh> bkero: yeah, plausible.
18:34:12 <breton> bknudson: why not use the same keystone as IdP and SP?
18:34:16 <ayoung> gsilvis, this is testing the Federation code itself.
18:34:17 <shaleh> bknudson: plausible
18:34:23 <shaleh> stupid auto nick
18:34:32 <ayoung> THis is not K2K
18:34:33 <breton> ayoung: ++
18:34:36 <knikolla> ayoung, a real gate with 2 devstack would allow to test features that are enabled by k2k.
18:34:43 <bknudson> http://lists.openstack.org/pipermail/openstack-dev/2016-March/091055.html says k2k
18:34:46 <shaleh> knikolla: agreed
18:34:56 <gsilvis> ayoung: we had intended it to be a test of K2K
18:35:06 <ayoung> this is just for getting rid of Password in the token request, and doing basic auth like the  web Spec
18:35:07 <rodrigods> i'd also like to see "regular" federation besides k2k
18:35:20 <gsilvis> rodrigods: sure
18:35:24 <ayoung> gsilvis, I care far more about regular federation
18:35:30 <breton> rodrigods: i am actually working on this
18:35:31 <ayoung> but, if this is K2K, go on.
18:35:36 <rodrigods> breton, wow
18:35:38 <gyee> what is "regular"?
18:35:44 <breton> rodrigods: there are patches by dstanek that i'm reviving
18:35:48 <rodrigods> so... let's focus our efforts
18:35:52 <ayoung> gyee, SAML, OpenIDC,  Federation with "2K"
18:35:55 <rodrigods> breton, our idea is to use tempest instead
18:35:57 <ayoung> without 2K
18:35:57 <gsilvis> ayoung: yup, I can understand that
18:35:58 <knikolla> ayoung, K2K includes the regular federation bits.
18:36:00 <rodrigods> and run the tests using dvms
18:36:03 <dstanek> is there different code paths between the SP in k2k vs "regular" federation?
18:36:14 <rodrigods> dstanek, just for the idp
18:36:23 <rodrigods> actually...
18:36:30 <rodrigods> no?
18:36:45 <rodrigods> it should be the same
18:36:53 <breton> rodrigods: you still need to set up federation bits like mod_shib. Does tempest do that?
18:37:03 <rodrigods> breton, we setup it up in devstack
18:37:05 <gyee> dstanek, no difference as far as I know
18:37:09 <rodrigods> since it is FOSS software
18:37:12 <dstanek> breton: not yet. that what my patches do, setup tempest
18:37:15 <dstanek> rodrigods: ^
18:37:21 <breton> dstanek: https://review.openstack.org/#/c/151310/9 these ones?
18:37:32 <jamielennox> have we asked devstack about this? it would be a huge change to make two devstacks parallelably installable
18:37:46 <morgan> jamielennox: infra supports multi-node
18:37:47 <shaleh> when i was testing this I used some ansible to manipulate the N devstacks once they were up into being federated
18:37:49 <ayoung> So....theoretically, could an application running in a VM inside of Nova accpet the SAML assertion from Keystone?
18:37:52 <dstanek> breton: yep
18:37:52 <morgan> we could hook into the muiltinode thing
18:37:57 <morgan> if we wanted
18:37:59 <shaleh> bknudson's suggestion lets it all live in devstack
18:38:03 <breton> dstanek: cool. Hope you don't mind me tackling them.
18:38:10 <rodrigods> ayoung, yes
18:38:11 <ayoung> Damnit we built an IdP.
18:38:12 <dstanek> breton: nope, not at all
18:38:24 <gsilvis> ayoung: yup.
18:38:24 <jamielennox> i think for functional testing it would be easy to have a 2 keystone only env, but i like the idea of being able to test beyond just the keystone effects and proper resource federation
18:38:25 <ayoung> I knew this was a mistake
18:38:29 <morgan> jamielennox: ++
18:38:32 <bknudson> shaleh: it makes more sense to do 2 devstack vms if you want to expand this beyond keystone (e.g. image federation)
18:38:42 <dstanek> i would rather, but get it all setup in devstack as it would be much easier and i think hits all the code paths
18:38:44 <breton> i still don't understand why we want 2 keystones
18:38:46 <shaleh> bknudson: tree
18:38:48 <shaleh> true
18:38:49 <breton> why not use the same keystone?
18:38:49 <shaleh> bah
18:39:15 <shaleh> breton: better insurance we are not lying to ourselves, right?
18:39:15 <dstanek> the only reason not to do that would be to test against a specific IdP.
18:39:16 <gsilvis> bknudson: exactly---we want to build resource federation tests on top of this
18:39:18 <ayoung> breton, the second Keystone consumes the SAML generated by the first.  We need to test that code path
18:39:21 <shaleh> Functional should be a pretty real test
18:39:27 <rodrigods> breton, like bknudson just said
18:39:34 <jamielennox> you could loop it, but it's not a realistic functional test
18:39:36 <rodrigods> the idp can be keytone... or not
18:39:58 <breton> Keystones don't consume SAML. Apache does.
18:40:04 * topol o/ better late than never
18:40:09 <dstanek> breton: .... for  now ...
18:40:19 <breton> dstanek: oh gawd
18:40:28 <dstanek> ;-)
18:40:28 <lbragstad> lol
18:40:32 <rodrigods> i think we need to sync the efforts
18:40:36 <amakarov> dstanek, are there plans to implement own shibboleth or something?
18:40:42 <knikolla> as gsilvis said, this would allow as to test resource federation using k2k between two different devstack.
18:40:44 <rodrigods> https://etherpad.openstack.org/p/Keystone-Federation-Testing
18:40:53 <knikolla> us*
18:41:06 <dstanek> amakarov: i am working on a POC to have keystone deal with the SAML bits
18:41:12 <gyee> can we call "k2k" irregular federation?
18:41:18 <gyee> :-)
18:41:20 <breton> dstanek: but why?
18:41:21 <stevemar> gyee: not so much :)
18:41:25 <dstanek> amakarov: to support dynamic configuration among other things
18:41:59 <lbragstad> it would make federation easier for ops
18:42:05 <jamielennox> i would agree - the point here was to not build a full SAML parser into keystone
18:42:15 <gyee> dstanek, yeah, PKI tokens :-)
18:42:16 <amakarov> dstanek, cool. why have you chosen saml then? Just a preference or you compared it with oidc for ex. ?
18:42:25 <gsilvis> dstanek: hm, the dynamic configuration is an interesting point
18:42:46 <amakarov> jamielennox, ++
18:42:49 <ayoung> we should actually test both
18:42:55 <dstanek> amakarov: i believe that it fits the Rackspace usecase
18:42:57 <gsilvis> dstanek: though I definitely agree with jamielennox here too
18:43:01 <ayoung> But K2K can't produce OpenIDC
18:43:05 <ayoung> only SAML now
18:43:12 <morgan> correct
18:43:13 <amakarov> jamielennox, we need an army to implement all of its bells and whistles!
18:43:21 <bknudson> so was the plan to have a job in keystone for the multinode k2k test run?
18:43:26 <jamielennox> also mod_shib is crazy in what it will do without an apache reboot
18:43:28 <ayoung> gyee, PKI tokens were written with this in mind, but let's let that go.
18:43:29 <gsilvis> bknudson: yes
18:43:31 <dstanek> gsilvis: jamielennox: fair point, but i'm actually not building the SAML parsing myself - it already exists
18:43:40 <bknudson> gsilvis: no complaints from me.
18:43:50 <ayoung> jamielennox, craazy in a good or bad wy?
18:43:52 <gyee> ayoung, oh I agree, PKI token is a "signed document" like SAML2
18:44:00 <ayoung> gyee, "was"
18:44:07 <ayoung> lets put itin the past tense.
18:44:12 <gsilvis> gyee: has anyone ever suggested saml2 tokens
18:44:13 <stevemar> dstanek: why not just use the plugins?
18:44:14 <jamielennox> ayoung: i'm undecided - but crazy
18:44:16 <morgan> ayoung: it can do interesting things if configured right w/o a restart
18:44:24 <amakarov> ayoung, gyee necromancy, hm? ;)
18:44:25 <dstanek> stevemar: like mod_shib?
18:44:29 <stevemar> dstanek: y
18:44:39 <dstanek> stevemar: you have to restart apache for most changes
18:44:40 <gyee> amakarov, I am being fair here
18:44:50 <lbragstad> every time you add an idp you have to kick apache
18:44:55 <dstanek> stevemar: and you have to manage config files instead or using an API
18:45:00 <morgan> dstanek: restart... graceful...
18:45:01 <ayoung> I think that Apache can do a kill -1 type thing, and reread its config, no need to dump sessions
18:45:08 <morgan> dstanek: potato potato
18:45:36 <jamielennox> so are we still talking k2k here? how many times are we adding this?
18:45:38 <breton> how often does one add idps?
18:45:43 <morgan> ayoung: graceful - process current requests, new requests go to new workers with new things
18:45:45 <stevemar> dstanek: you're not wrong
18:45:48 <dstanek> my vision is to build it as something that can sit outside of keystone's core code - so even if nobody else liked it we could still doit
18:45:51 <gsilvis> jamielennox: well I'd like to...
18:45:52 <lbragstad> breton depends on who you are
18:46:26 <ayoung> Have a related conversation on hold with #puppet-openstack about setting up Federation
18:46:30 <jamielennox> dstanek: and it's crypto so you want it to be fast - so an apache plugin?
18:46:46 <morgan> jamielennox: or something not pure cpython
18:46:47 <amakarov> morgan, restarting apache... as for me is like buing a new car once it out of fuel
18:46:56 <breton> lbragstad: i don't know. The guy who usually adds idp.
18:47:00 <amakarov> s/buing/buying/
18:47:06 <morgan> amakarov: graceful reload, it's what it's there for
18:47:19 <lbragstad> breton well - public clouds might add idps a lot more than a private deployment
18:47:22 <dstanek> jamielennox: if your using separate processes in apache then crypto is find in Python since it's in C anyway. it's when you use threading that it's a problem.
18:47:39 <gsilvis> lbragstad: I could definitely imagine adding idps all the time in our usecase
18:47:47 <amakarov> morgan, not long ago wa had an issue with mod_wsgi desagree with graceful reloads
18:47:47 <shaleh> lbragstad: resource federation also opens up the possibility of a much more dynamic setup
18:48:14 <morgan> amakarov: use uwsgi and mod_proxy_uwsgi ;) [actually a better setup for that reason]
18:48:19 <dstanek> i think i side tracked us too much.
18:48:23 <morgan> amakarov: separate convo though
18:48:25 <bknudson> tornado drill... I should work from home.
18:48:34 <morgan> amakarov: stay on federatio
18:48:43 <amakarov> ack
18:48:50 <morgan> amakarov: :)
18:49:07 <rodrigods> so... who is interested in having a CI for federation
18:49:13 <rodrigods> join the etherpad
18:49:20 <morgan> rodrigods: i think everyone is interested ;)
18:49:32 <rodrigods> morgan, awesome
18:49:40 <stevemar> rodrigods: link?
18:49:43 <ayoung> rodrigods, would K2K be sufficient for SAML?
18:49:47 * morgan waits for open discussion has something.
18:49:48 <ayoung> testing, that is?
18:49:49 <rodrigods> https://etherpad.openstack.org/p/Keystone-Federation-Testing
18:49:51 <morgan> ayoung: it should be.
18:50:00 <rodrigods> ayoung, it would
18:50:00 <stevemar> ty
18:50:08 <amakarov> rodrigods, I'd start with testing on a single keystone and split it afterwards when you have tests to run in the new environment
18:50:24 <stevemar> morgan: how many minutes you need?
18:50:27 <gsilvis> can someone link the etherpad in the meeting summary?  (I don't know how that sort of thing works)
18:50:32 <morgan> stevemar: 5 ish
18:50:40 <stevemar> #link https://etherpad.openstack.org/p/Keystone-Federation-Testing
18:50:40 <morgan> stevemar: will be quick.
18:50:42 <rodrigods> amakarov, put that idea there
18:50:59 <gsilvis> stevemar: thanks
18:51:00 <rodrigods> so we can discuss and vote, also i'm not complete aware of all the needed steps
18:51:09 <stevemar> next topic for now, edit the etherpad for federation functional tests
18:51:10 <rodrigods> where to send changes to have this kind of deployment and so on
18:51:18 <rodrigods> stevemar, ++
18:51:23 <gyee> vote for who?
18:51:28 <ayoung> Pedro
18:51:31 <stevemar> #topic morgan wanted 5 minutes
18:51:33 <ayoung> Vote for PEDRO!
18:51:36 <stevemar> lol nice one ayoung
18:51:38 <rodrigods> lol
18:51:42 <morgan> Keystone Midcyle
18:51:53 <ayoung> PLease say Boston
18:51:57 <morgan> i'm volunteering to help chase down venue in the bay area
18:52:00 <morgan> sorry ayoung
18:52:06 <ayoung> Dagnabit
18:52:19 <shaleh> we already did Boston :-)
18:52:24 <gyee> bay area sounds great
18:52:32 <morgan> this is to change up the venue to a location we haven't been and switch coasts
18:52:41 <gsilvis> shaleh: is once really enough, when it's boston?
18:52:41 <morgan> also summer in the bay is kindof awesome
18:52:42 <shaleh> gyee: he means Vancouver Bay right?
18:52:55 <morgan> shaleh: lol
18:52:56 <ayoung> I vote for the Hotel Formerly named the Ahawannee
18:53:03 <lbragstad> those lobster rolls were top notch btw...
18:53:07 <gyee> shaleh, love that one too
18:53:11 <shaleh> ayoung: not exactly Bay Area but close
18:53:17 <morgan> anyway, i'll start working on some details for it this week so we can roll into the summit with planning
18:53:25 <ayoung> shaleh, If I'm flying to California....
18:53:38 <shaleh> ayoung: 2 hour drive when there is no traffic
18:53:41 <morgan> i figure it's not a hard sell to get people to fly to California / SF [everyone has offices in that area]
18:53:47 <ayoung> shaleh, thre 3.5
18:53:50 <ayoung> ttry
18:53:51 <ayoung> try
18:53:57 <shaleh> ayoung: maybe how you drive :-)
18:54:05 <amakarov> morgan, if you change coasts it can be Vladivostok :)
18:54:06 <dstanek> lbragstad: ++
18:54:07 <ayoung> shaleh, I did it most weekends for a decade
18:54:09 <morgan> ayoung: i would have voted for yosemite
18:54:16 <morgan> ayoung: but.. i think nothing would get done
18:54:23 <jamielennox> amakarov: i offer sydney each time, nothign...
18:54:24 <ayoung> morgan, lots would get done
18:54:29 <morgan> ayoung: just not code.
18:54:35 <ayoung> Priorities
18:54:37 <anteaya> jamielennox: sydney!
18:54:41 <stevemar> jamielennox: hehe
18:54:42 <lbragstad> ayoung ++
18:54:45 <shaleh> samueldmq: wanted it down his way. But you know, Olympics.....
18:54:50 <anteaya> Toronto
18:54:54 <ayoung> Push for Summit in Sydney afte Barthelona
18:54:55 <samueldmq> shaleh: :-(
18:54:57 <stevemar> anteaya ++
18:54:59 <amakarov> btw, why not Sidney?
18:54:59 <samueldmq> shaleh: maybe next year
18:55:06 <topol> what dates were we looking at for the midcycle?
18:55:08 <morgan> as a fallback would be Tronto if the bay area can't happen this time around
18:55:13 <ayoung> Boston
18:55:14 <morgan> topol: haven't looked at the scheudle
18:55:24 <shaleh> late June right?
18:55:29 <morgan> topol: will know more later this week, but it'll prob be june
18:55:34 <samueldmq> FYI 5 mins left
18:55:35 <ayoung> Late July I think
18:55:36 <stevemar> topol: releases.openstack.org/newton/schedule.html late june or early july
18:55:36 <jamielennox> amakarov: because enough people couldn't justify the flight to come
18:55:37 <morgan> shaleh: typically.
18:55:40 <topol> morgan so its gonna be city by the bay? Awesome
18:55:48 <morgan> topol: that is what i want :)
18:55:49 <gsilvis> ayoung: if only the midcycle were in a month with good weather in boston
18:56:05 <ayoung> gsilvis, is there such a month?
18:56:16 <lbragstad> 4 minutes
18:56:24 <morgan> i'll send ML emails and such later this week
18:56:25 <knikolla> ayoung, we can lie and say they all are.
18:56:27 * morgan is done.
18:56:28 <gsilvis> ayoung: ... well there's a week, sometimes, does that count?
18:56:29 <topol> legal seafood in boston or fishermans warf in SF. Its a win win
18:56:31 <stevemar> gsilvis: thats why i'm gunning for rochestor and toronto :P
18:56:41 <ayoung> topol, not.even.close.
18:56:52 <jamielennox> topol: where is this illegal seafood you eat?
18:56:58 <ayoung> But there is much good food in SF
18:57:01 <morgan> topol: sourdough is better in SF though.
18:57:03 <stevemar> jamielennox: his fish tank
18:57:07 <morgan> ayoung: ++ tons of fantastic food
18:57:10 <jamielennox> stevemar: that... ugh..
18:57:22 <ayoung> morgan, are you looking for in SF proper?
18:57:23 <topol> ayoung. well maybe if you took me to the good seafood restaurant in boston I could agree
18:57:23 <jamielennox> not so much illegal as unhygenic
18:57:28 <gyee> topol ate nemo?
18:57:32 <ayoung> Cuz South Bay is not worth the trip.
18:57:40 <shaleh> ayoung: nah, let's do something horrible like milptas
18:57:42 <stevemar> gyee: and dory
18:57:45 <ayoung> Vacaville
18:57:48 <breton> lets do in Europe
18:57:50 * gyee cries
18:57:54 <breton> UK?
18:57:55 <shaleh> ayoung: eeewww in June :-)
18:58:03 <ayoung> Fremont!
18:58:15 <shaleh> ayoung: Fremont is just Milpitas north
18:58:16 <morgan> brazil!
18:58:22 <amakarov> breton, spb? :)
18:58:24 <jamielennox> we are getting to the point where we have a decent contingent of non-US people who would attend\
18:58:27 <morgan> we can all visit samueldmq
18:58:32 <ayoung> Dublin.  Lunch at Gyee's
18:58:47 <stevemar> i imagine we'll hash this all out at the summit
18:58:48 <shaleh> ayoung: sounds good. His Dad rocks the kitchen.
18:58:57 <gyee> ayoung, sounds good
18:59:02 <morgan> jamielennox: i think midcycles are going to be a different thing post austin.
18:59:06 <ayoung> shaleh, and we would be ahead of the City traffic headed out 120 to Yose
18:59:08 <stevemar> whoever is willing to organize it has my vote
18:59:08 <amakarov> ayoung, good idea!
18:59:10 <morgan> jamielennox: and it'll make it easier [i hope]
18:59:13 <anteaya> post barcelona
18:59:15 <jamielennox> morgan: waiting to see how that one plays out
18:59:18 <shaleh> ayoung: ++++++++....
18:59:19 <morgan> anteaya: ++
18:59:19 <ayoung> I mean Dublin, CA
18:59:31 <lbragstad> oh... I was totally fore ireland
18:59:32 <morgan> anyway, i'll start organizing this for this cycle.
18:59:33 <stevemar> lets give infra time to assemble
18:59:35 <amakarov> ayoung, LOL
18:59:36 <morgan> cheers.
18:59:37 <stevemar> #endmeeting