#openstack-meeting log

18:00:57 <stevemar> #startmeeting keystone
18:00:57 <openstack> Meeting started Tue May 17 18:00:57 2016 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:01 <openstack> The meeting name has been set to 'keystone'
18:01:05 <jaugustine> Woo!
18:01:07 <stevemar> courtesy ping for ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gyee, henrynash, hogepodge, htruta, jamielennox, joesavak, jorge_munoz, knikolla, lbragstad, lhcheng, marekd, MaxPC, morganfainberg, nkinder, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tjcocozz, tsymanczyk, topol, vivekd, wanghong, xek
18:01:14 <rodrigods> o/
18:01:17 <ayoung> Ayuh
18:01:18 <dstanek> o/
18:01:21 <stevemar> jaugustine: that's the kind of excitement we need to see!
18:01:23 <amakarov> o/
18:01:25 <gagehugo> _o/
18:01:26 <topol> o/
18:01:40 <crinkle> o/
18:01:42 <gyee> \o
18:02:09 <stevemar> critical mass achieved, let's start
18:02:15 <stevemar> #topci release update
18:02:18 <stevemar> #topic release update
18:02:30 <stevemar> #link http://releases.openstack.org/newton/schedule.html
18:02:49 <stevemar> we are currently in week R20, it counts down to the end of the release, so 20 weeks left
18:03:11 <ayoung> CODE FREEZE!
18:03:14 <ayoung> sorry
18:03:18 <stevemar> we should be cleaning up any old issues from mitaka and preparing for newton-1
18:03:19 <stevemar> hahaha
18:03:26 <stevemar> no where near that time yet :)
18:03:45 <stevemar> but the next deadline is R18, in 2 weeks
18:03:51 <stevemar> there are 2 things happening that week
18:03:54 <ayoung> M1?
18:03:56 <stevemar> newton-1 milestone driver
18:03:57 <stevemar> yep
18:03:58 <edtubill> o/
18:04:01 <ayoung> Er..N1?
18:04:11 <ayoung> did the M mean Milestone or Mitake?
18:04:12 <stevemar> and that's the spec *proposal* freeze week
18:04:13 <ayoung> Mitaka
18:04:31 <rderose> o/
18:04:35 <stevemar> ayoung: it's N1 this time around, the letter changes
18:04:47 <ayoung> Noice
18:04:51 <stevemar> so in 2 weeks: newton-1 driver, and spec *proposal* freeze
18:05:08 <stevemar> the latter meaning, if you want a spec for newton, propose it soon!
18:05:23 <stevemar> it doesn't have to merge in 2 weeks, just be proposed and a reviewable state
18:05:53 <stevemar> any questions about dates?
18:06:03 <dolphm> when is code freeze
18:06:16 <stevemar> dolphm: all dates are here: http://releases.openstack.org/newton/schedule.html
18:06:43 <stevemar> dolphm: keystone is following the general feature freeze, which is R5
18:06:48 <stevemar> in 15 weeks
18:07:34 <stevemar> dolphm: good?
18:07:48 * topol just rsvp'd for the midcycle..  dont forget
18:07:50 <dolphm> ++
18:07:55 <stevemar> if anyone has questions, bug me in -keystone
18:08:04 <stevemar> topol: on that note...
18:08:06 <stevemar> #topic midcycle update
18:08:12 <stevemar> notmorgan: ^
18:08:16 <ayoung> anyone want to got rockclimbing in Yosemite either before or after the midcycle?
18:08:19 <notmorgan> #link https://docs.google.com/forms/d/1To2qx90Am4hcYdgaqTkRosfNOzxr26M0GiahhiWgAJU/viewform?c=0&w=1
18:08:26 <notmorgan> RSVP Form ^
18:08:34 <topol> notmorgan is there a recommended hotel
18:08:36 <notmorgan> Sign up. we have 35 slots.
18:08:55 <notmorgan> topol: no, please feel free to update the wiki/ether pad if you have recommendations...
18:09:00 <notmorgan> topol: sec getting those links too
18:09:19 <samueldmq> hi all
18:09:19 <notmorgan> #link https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint
18:09:29 <notmorgan> #link https://etherpad.openstack.org/p/keystone-newton-midcycle
18:09:51 <notmorgan> the RSVP form will be used as the authoritative source of "who is coming" for planning purposes
18:10:22 <rderose> is this the official rsvp form:
18:10:24 <rderose> #link https://docs.google.com/forms/d/1To2qx90Am4hcYdgaqTkRosfNOzxr26M0GiahhiWgAJU/viewform?c=0&w=1
18:10:25 <rderose> ?
18:10:38 <notmorgan> rderose: yes.
18:10:39 <dolphm> rderose: yes
18:10:45 <rderose> cool
18:10:58 <henrynash> done
18:11:03 <dstanek> notmorgan: we need a slot count down
18:11:20 <dolphm> 35?
18:11:22 <notmorgan> please take a second and thank Cisco for hosting us *and* cburgess for helping set that up
18:11:29 <notmorgan> dolphm: 35 spots.
18:11:31 <henrynash> ayoung: one way of reducing the attendee count….
18:11:31 <lbragstad> cburgess thanks!
18:11:44 <dolphm> dstanek: oh, you mean visibility into remaining number of slots?
18:11:47 <jamielennox> yea, also hotel recomentdation would be useful
18:12:00 <dstanek> dolphm: yes, exactly
18:12:03 <dolphm> there are ** 23 ** slots remaining for the midcycle
18:12:17 <notmorgan> since i know next to nothing about San Jose area... [sorry], I'm going to ask folks who are more familiar for hotel recommendations
18:12:36 <ayoung> Stay in San Francisco and take Caltrains?
18:12:47 <notmorgan> ayoung: long ride, but doable.
18:13:08 <dolphm> there's a couple hotels within a decent walking distance, but we'll probably need a few cars anyway, given it's san jose
18:13:15 <lbragstad> https://goo.gl/3gS8GQ
18:13:15 <notmorgan> dolphm: yes.
18:13:18 <gyee> you can take VTA
18:13:20 <lbragstad> nearby hotels ^
18:13:32 <gyee> I think VTA cover that area
18:13:37 <ijw> Earwigging, here, but I've done that ride and unless you like hours on the train it's not good
18:13:38 <stevemar> thanks lbragstad
18:14:02 <gyee> Caltrain is like an hour away from SF
18:14:04 <notmorgan> lbragstad: please add that to the wiki.
18:14:14 <lbragstad> notmorgan ok
18:14:42 <ijw> You can Caltrail to and VTA from Mountain View - it's not impossible - but that's another half an hour or so depending on here specifically you'll be
18:14:45 <gyee> Levi stadium is nearby so there are a bunch of hotels there
18:14:47 <roxanaghe_> ijw, I'm doing Caltrain everyday - it's not that bad :)
18:14:50 <stevemar> hyatt's are usually nice, and nearby there
18:15:08 <gyee> Aloft?
18:15:15 <dstanek> i think staying close would be much easier
18:15:15 <ayoung> Navy Lodge Moffett If you are DoD
18:15:25 <notmorgan> i added wiki link to the RSVP form
18:15:29 <ijw> There's a Hyatt House on First that comes recommended, the Crowne Plaza, and the Hilton Garnden Inn and Larkspur Landing, all in the reasonable vicinity
18:15:33 <henrynash> ayoung: The hanger at Moffet if you are NASA
18:15:49 <notmorgan> ayoung: doens't google also rent that out now? :P
18:15:52 <notmorgan> ok anyway
18:15:54 <notmorgan> thats the info
18:16:05 <ayoung> henrynash, there is an Armory Floor not too far away if you are Army National Guard.  I used to drill out of there.
18:16:23 <topol> I believe I stayed at the Santa Clara Marriott. Its nice
18:16:34 <stevemar> thanks ijw and notmorgan
18:16:41 <henrynash> topol: used to be next to Great America….
18:16:55 <ayoung> gyee, dibs on your couch.
18:16:58 <gyee> Casino M8trix :-)
18:16:59 <notmorgan> anyone have an issue with making the results of RSVP public?
18:17:00 <henrynash> (that was not a Trump reference)
18:17:04 <notmorgan> i can add it to the wiki as well.
18:17:12 <henrynash> notmorgan: fine by me
18:17:13 <stevemar> notmorgan: nope
18:17:16 <notmorgan> will do
18:17:28 <lbragstad> dstanek ++
18:19:11 <stevemar> bug notmorga if folks have questions :P
18:19:17 <notmorgan> #link https://docs.google.com/spreadsheets/d/1qTupqEyYwXnNnO-sW0kRhh-I9hvpPHA7QAuewXnw6AA/edit?usp=sharing
18:19:17 <stevemar> (fine fine, i'll be around too)
18:19:40 <stevemar> on to more contentious topics!
18:19:43 <stevemar> #topic Specify ID for Project or domain creation
18:19:53 <stevemar> amakarov ^
18:19:58 <stevemar> agrebennikov is missing :(
18:20:06 <amakarov> Thanks
18:20:33 <amakarov> The question is: why do we unconditionally overwrite project ID on creation?
18:20:51 <amakarov> Is there some reason behind it or is it a bug?
18:21:09 <lbragstad> amakarov as in you can't create a project with a project ID that you pass in?
18:21:17 <samueldmq> I think that's what we do everywhere else ?
18:21:30 <jamielennox> change question -why should you ever specify an id up front?
18:21:36 <samueldmq> jamielennox: ++
18:21:39 <dstanek> jamielennox: ++
18:21:46 <gyee> I think the argument was IDs are supposed to be globally unique
18:21:48 <rderose> ++
18:21:59 <amakarov> jamielennox: the actual case: multiDC env
18:22:01 <rderose> gyee: yeah, and we want to control that
18:22:01 <dstanek> i don't like that we can do that in some places
18:22:04 <samueldmq> gyee: good point
18:22:10 <dolphm> amakarov: to guarantee that project IDs are globally unique and immutable, we don't accept user input for them. project names are mutable, not globally unique, and user-defined
18:22:22 <notmorgan> so, i dislike specifying it - if we are doing this it can be ADMIN only
18:22:33 <amakarov> if we create projects and roles with the same ID - the tokens are valid across DC
18:22:35 <notmorgan> and it still must conform to automatic such as uuid
18:22:54 <gyee> to play the devil's advocate, we've already allowed "shadow" users, why not shadow other things?
18:23:04 <notmorgan> so there is one other reason this is important
18:23:06 <dolphm> if we all understand the consequences on federation and whatnot, i'm open to breaking that convention
18:23:07 <jamielennox> gyee: shadow users doen't let you pick the user's id
18:23:16 <lbragstad> but shadow users doesn't allow a user to specify the id of their user
18:23:19 <samueldmq> notmorgan: so no big advantage besides knowing it ahead of time (and it stil can fail at cretion time!)
18:23:19 <notmorgan> in some cases you need to restore a project after deletion
18:23:20 <amakarov> notmorgan: we still ok with that in v2
18:23:23 <gyee> jamielennox, at least to agree on a global ID
18:23:38 <notmorgan> amakarov: default domain is special, and i always treat it as such
18:23:40 <jamielennox> gyee: no, it creates an id for you as does project
18:23:46 <lbragstad> amakarov what's the use case for specifying an ID for a project?
18:23:51 <gyee> right, with a specific algorithm
18:23:55 <notmorgan> lbragstad: ^ 2 reasons
18:23:57 <rderose> lbragstad: ++
18:24:00 <jamielennox> gyee: no, uuid
18:24:01 <notmorgan> lbragstad: 1) restore a deleted project
18:24:01 <ayoung> this is going to be like Nova hooks isn't it, where someone brings up an old feature and the core immediately deprecates it?
18:24:04 <notmorgan> and maintain the id.
18:24:16 <ayoung> well, excpet V2 is already deprecated
18:24:20 <notmorgan> 2) same id across deployments (keystones)
18:24:38 <notmorgan> i would not make it a "normal" action anyone can do.
18:24:43 <notmorgan> in either case.
18:24:45 <amakarov> lbragstad: if you need to authZ in different clouds with a single token
18:24:45 <lbragstad> in order for 2 to work you'd have to have the identity backend shared anyway
18:24:45 <ayoung> notmorgan ++
18:24:50 <raildo> ayoung: v2 is deprecated
18:24:55 <dstanek> notmorgan: if you did then it may be a security issue
18:25:04 <ayoung> raildo, doesn't change the fact that Nova core hates me.
18:25:07 <raildo> I think we have good use cases to make this happen
18:25:12 <notmorgan> dstanek: exactly, it, if anyting is an Admin-only thing
18:25:16 <raildo> ayoung: I know :(
18:25:18 <ayoung> I have an abandonded spec
18:25:18 <rderose> notmorgan: why do you need the same id across deployments?
18:25:23 <samueldmq> lbragstad: ++
18:25:30 <dstanek> notmorgan: cloud admin?
18:25:31 <gyee> jamielennox, I see, but they are still using their native ID for auth, no?
18:25:36 <amakarov> rderose: ^^ my answer to lbragstad
18:25:39 <ayoung> #link https://review.openstack.org/#/c/203852/
18:25:40 <notmorgan> rderose: a lot of deployers want the same project id in multiple AZs that are managed by different keystones
18:25:52 <notmorgan> rderose: not my choice/reasoning, just echoing the reasoning
18:26:03 <rderose> notmorgan: ++
18:26:04 <notmorgan> rderose: the "restore a project" reason is why i support it
18:26:05 <jamielennox> i wouldn't even say this is an admin only thing, if your use case is restoring a deleted project then at best it's a keystone-manage feature
18:26:07 <dstanek> amakarov: can't you do that in a more federated approach?
18:26:13 <notmorgan> rderose: and that is a break-glass scenario
18:26:25 <notmorgan> but should be doable via the API not DB manipulation
18:26:32 <amakarov> dstanek: no, as federation is currently in demo state :)
18:26:44 <gyee> demo state!?
18:26:48 <notmorgan> dstanek: i'd make it a cloud-admin thing for sure.
18:26:49 <dstanek> amakarov: ?
18:26:57 <notmorgan> dstanek: if i was implementing it. not a domain admin thing
18:27:04 <notmorgan> vvtletuvnjejfltljiigeubducbbkiitevfbdhkgnedg
18:27:05 <raildo> notmorgan: via API ++
18:27:07 <rderose> notmorgan: but if you create a project, get the id, then you can do the restore use case?  right?  why would you need to specify the project id in that case?
18:27:13 <stevemar> notmorgan: lol
18:27:15 <ayoung> notmorgan, Ubikey failuer\\re?
18:27:17 <amakarov> gyee, dstanek: it lacks, for example, grops shadowing
18:27:20 <stevemar> ayoung: yes
18:27:34 * ayoung imagines Q-Bert
18:27:40 <samueldmq> but please don't say it's demo state, people worked hard on it
18:27:53 <samueldmq> and still do
18:27:59 <dstanek> amakarov: i think it would be better to make federation fit this, rather than do this one-off thing
18:28:08 <lbragstad> dstanek ++
18:28:13 <stevemar> `make federation great again`
18:28:16 <amakarov> unfortunately agrebennikov is away, but he exposed it very clear on design session
18:28:17 <notmorgan> ayoung: yes. i need to fix that
18:28:22 <lbragstad> stevemar --
18:28:28 <notmorgan> ayoung: i keep bumping the OTP button.
18:28:34 <notmorgan> when i move the laptop
18:28:37 <ayoung> Heh
18:28:39 <jamielennox> agreed, i can see the break-glass case of restore a project via -manage, but for cross DC you are needing to do some sort of federation
18:29:01 <ayoung> notmorgan, 3 more of those and Ithink I'll be able to crack the seed.
18:29:19 <dstanek> amakarov: can you get together a list of things the current federation implemenation is missing?
18:29:33 <lbragstad> yeah - each kesytone across DCs is going to require access to the same identity backend (which naturally fits the federation story)
18:30:00 <rderose> lbragstad: agree, but is there a big demand for this?
18:30:11 <rderose> I mean, do we want to give this a priority now?
18:30:12 <amakarov> dstanek: I agree about that approach in theory, though we can solve many problems easily and I don't see why we can't do that right away
18:30:13 <notmorgan> ayoung: good thing i don't use that OTP for anything
18:30:20 <amakarov> What will it break?
18:30:45 <dstanek> amakarov: the wrong solution right away isn't necessarily good
18:30:52 <lbragstad> i think it's more of losing control
18:30:55 <amakarov> dstanek: why is it wrong?
18:31:14 <dstanek> amakarov: i dislike specifying ids
18:31:21 <rderose> ++
18:31:38 <dstanek> i would be -2 if users could do it, but i'm still -1 for cloud admins
18:31:52 <dstanek> i like jamielennox's idea of a manage command if that is actually needed
18:32:16 <notmorgan> dstanek: sure.
18:32:29 <amakarov> dstanek: ok, what is the suggested way to create/use projects based on LDAP groups?
18:32:29 <ayoung> dstanek, its an RBAC thing regardless
18:32:34 <samueldmq> what guarantee keystone will accept the ID the user passes ?
18:32:34 <notmorgan> dstanek: a break glass method that isn't "edit the DB" is what i look for in solving the "restore" a project/domain
18:32:38 <notmorgan> dstanek: i'd support that.
18:32:55 <henrynash> dtsanek, jamielennx: ++ agree on the keystone manager cmd
18:33:00 <ayoung> Nope
18:33:05 <ayoung> that is the wrong security model
18:33:12 <ayoung> that means people who have access to the machine
18:33:23 <ayoung> you don't want to push people to do that in the course of manageing the applicaiton
18:33:36 <lbragstad> rderose i think we'd need to see a list of short comings in the federation implementation in order to prioritize
18:33:48 <jamielennox> ayoung: if we're restricting the operation to the cloud-admin they they have access to the machine
18:33:51 <stevemar> lbragstad: yep
18:33:51 <rderose> lbragstad: good point
18:34:08 <jamielennox> if you need to do this operation often enough that logging onto the machine is a problem you are doing management wrong
18:34:19 <ayoung> jamielennox, we are doing management wrong.  Its called Keystone
18:34:33 <gyee> lmao
18:34:33 <ayoung> we delete a project and all of the resources out there are orphaned
18:34:38 <samueldmq> I think we need a well described use case, and how we would support it via federation (waht's missing as lbragstad said)
18:34:42 <amakarov> ayoung: ++
18:34:57 <lbragstad> we emit notifications on resource changes
18:35:06 <jamielennox> ayoung: so we need to have a look at keystone's delete project?
18:35:12 <jamielennox> deprecate in favour of disable?
18:35:15 <amakarov> more to say, looks nobody even dare to touch this topic publicly :)
18:35:17 <ayoung> lbragstad, and we have no standard workflow engine so that is not sufficient
18:35:20 <jamielennox> soft-delete?
18:35:26 <notmorgan> jamielennox: no soft deletes.
18:35:34 <ayoung> jamielennox, gyee has  been saying that for years
18:35:35 <notmorgan> jamielennox: i'm ok with "never remove from the db"
18:35:37 <jamielennox> but a full on restore the db entry is also a bad idea
18:35:59 <gyee> resource life-cycle management
18:36:03 <notmorgan> jamielennox: soft-delete implies "could be hard-deleted"
18:36:04 <ayoung> I'm just afraid it is closing the barn door after the horse is long gone
18:36:07 <jamielennox> notmorgan: meh, we have an enabled flag on projects, it's essentially a soft delete
18:36:08 <gyee> that's production operation stuff
18:36:10 <stevemar> i think we're mixing things up here, amakarov doesn't necessarily care about the 'restore a project' if deleted case
18:36:15 <gyee> something we don't use often enough :-)
18:36:16 <notmorgan> i'm 100% ok with nevre removing it as a delete instead.
18:36:23 <dstanek> we should do event sourcing
18:36:24 <amakarov> stevemar: yes
18:36:33 <ayoung> anyway,  keep it as a restricted operation.  We can make it wider exposed later so long as it is RBAC managed
18:36:43 <samueldmq> stevemar: ++
18:36:44 <notmorgan> ok lets set "restore" to the side
18:36:45 <stevemar> so let's put the whole manage command, and soft delete discussion to the side
18:36:52 <notmorgan> i'll propose something separate for that
18:37:11 <notmorgan> i have an idea and i think it'll work just fine.
18:37:14 <ayoung> You guys are missing the fact that notifications are currently a disaster, so we can't notify untrusted services
18:37:43 <samueldmq> ayoung: let's fix it, but it's still part of the other conversation :)
18:37:49 <amakarov> well, let me put it this way: how can I provide a customer the UX when he auth in 1 cloud (in horizon) and then works with resources from the other cloud without re-login?
18:37:51 <raildo> ayoung: ++ we have a huge problem with nova quota when we delete a project =/
18:37:51 <ayoung> and we don';t even know all of the services that would need the notification
18:37:52 <samueldmq> amakarov: to do that via federation, what would we need ?
18:38:03 <stevemar> amakarov wants to specify an ID only for create, and he is using this in a multi-dc environment. if federation is stinky for this, we should fix it.
18:38:04 <samueldmq> amakarov: does that mean 'federated resources' ?
18:38:10 <amakarov> considering existing LDAP
18:38:11 <ayoung> amakarov, that sounds like K2K
18:38:24 <ayoung> But...
18:38:36 <ayoung> that is the whole pre-sync between two clouds
18:38:41 <notmorgan> amakarov: "other cloud" - same owner different deployment (like AZ)?
18:38:42 <dstanek> amakarov: one horizon for all DCs right?
18:38:43 <ayoung> which is a good midcycle topic
18:38:50 <amakarov> dstanek: ++
18:38:51 <notmorgan> amakarov: or totally different cloud totally different dpeloyer?
18:38:57 <ayoung> lets have a "larger workflows" track at the midcycle?
18:39:03 <lbragstad> notmorgan good question
18:39:16 <notmorgan> lbragstad: because the answer to that dictates my view.
18:39:38 <raildo> amakarov: it sounds like the Mercador idea... https://wiki.openstack.org/wiki/Mercador
18:39:40 <dstanek> notmorgan: wouldn't solving for different owners essentially solve for both?
18:39:42 <amakarov> notmorgan: no. clouds may be thought about as "replicated"
18:39:54 <notmorgan> amakarov: so "same deployer"
18:40:02 <notmorgan> dstanek: not really but hold on.
18:40:15 <amakarov> notmorgan: same deployer
18:40:31 <notmorgan> amakarov: cool. then i think it's not unreasonable
18:40:56 <jamielennox> why do 2 clouds from the same deployer wanting to share projects between them not use the same keystone?
18:40:59 <stevemar> we have to move on, there are other topics on the agenda
18:41:01 <notmorgan> dstanek: different deployers/owners is the same reason we assume keystone for the local cloud is authoritative.
18:41:10 <samueldmq> jamielennox: ++
18:41:12 <stevemar> i'll give this another minute to wrap up
18:41:19 <notmorgan> jamielennox: my point was they could also solve this via replicating keystone
18:41:32 <amakarov> jamielennox: it may be a big project distributed geographically
18:41:34 <notmorgan> jamielennox: which is where i was going, and why it was "reasonable" to want that kind of replication
18:41:41 <jamielennox> amakarov: keystone will support that
18:41:43 <notmorgan> not that the API driven one was the right answer. i'm abstaining there
18:41:45 <lbragstad> jamielennox same keystone or just point to the same backend (which is essentially the same thing?)
18:41:46 <gyee> replicating gets expensive when you have more than a few DCs
18:41:48 <samueldmq> jamielennox: looks like we're trying to fix something that should be fixed with right deployment choice and/or federation
18:42:08 <dstanek> amakarov: write up a detailed usecase so we can discuss further
18:42:14 <jamielennox> you can horizontally scale keystone and you can put endpoints in different regions
18:42:20 <jamielennox> fernet was a huge win for that
18:42:47 <samueldmq> dstanek: ++ amakarov please do what dstanek said ^
18:42:51 <amakarov> jamielennox: right, if the project id's are the same
18:42:52 <lbragstad> fwiw - we did testing of that across three globally distributed datacenters
18:42:59 <amakarov> samueldmq, dstanek: ack
18:43:02 <amakarov> will do
18:43:08 <jamielennox> amakarov: if they are the same keystone the project ids are unique within it
18:43:13 <dstanek> stevemar: let's get this show on the road!
18:43:39 <stevemar> dstanek: alright!
18:43:45 <stevemar> switching gears
18:43:48 <stevemar> #topic Service Token provides user permissions spec
18:43:51 <stevemar> jamielennox: ^
18:44:12 <stevemar> (i haven't read it yet)
18:44:15 <jamielennox> ok, so we discussed this spec in tokyo and then i never got around to doing it in the last cycle
18:44:15 <amakarov> jamielennox: different keystones
18:44:17 <stevemar> #link https://review.openstack.org/#/c/317266/1/specs/keystone/newton/service-user-permissions.rst
18:45:06 <jamielennox> the intent is that we should validate users only on the first service they hit in openstack, from then on in service to service communication we should trust the user permisssions provided by the last service
18:45:07 <samueldmq> jamielennox: so a token only get validate once per openstack workflow ?
18:45:20 <samueldmq> nice
18:45:25 <notmorgan> samueldmq: yep
18:45:42 <jamielennox> samueldmq: if you pass an X-Service-Token then the service token is validated to say that we should be able to trust this information
18:45:48 <samueldmq> notmorgan: looks like what we had a discussion a couple of months ago .. that could be implemented as a ksa plugin etc
18:45:49 <notmorgan> this is something i've been advocating for a bit.
18:45:58 <ayoung> so...what if we do :X-Service-Token + user_id + project_id + role_id
18:46:00 <jamielennox> so this is a fairly large change in the way we handle tokens in openstack
18:46:00 <notmorgan> samueldmq: same thing, slightly different mechanism
18:46:12 <jamielennox> but it sovles the mid-operation token expiry which has plagued us forever
18:46:16 <samueldmq> but the service token still needs to be validated, right ?
18:46:23 <samueldmq> so no gain in terms of performance?
18:46:25 <ayoung> so the remote side can still confirm that the resource is within the permissions boundary
18:46:26 <notmorgan> samueldmq: yes, but that isn't long term
18:46:30 <gyee> jamielennox, it will be an explicitly opt-in feature right?
18:46:31 <ayoung> and we don't have an elevation of privs
18:46:36 <jamielennox> the spec is not completely polished up and given the conceptual size of the change i just want to make sure people are on board first
18:46:37 <raildo> jamielennox: is this a overcome for the nova/keystone design session, right?
18:46:40 <notmorgan> samueldmq: actually one less validation- you don't need to validate twice
18:46:58 <ayoung> pass along the list of roles in the token that the user was originally validated
18:47:03 <notmorgan> ayoung: i still think that we're wrong on that front, but we can expand the discussion *after*
18:47:19 <notmorgan> ayoung: its a different topic that builds on jamielennox's proposal
18:47:25 <jamielennox> raildo: well i'm pushing it now because it all came up again at summit and this was our solution that never got proposed
18:47:32 <amakarov> samueldmq: if we figure smth out to trust some services - we don't have to validate tokens EVERY time
18:47:49 <ayoung> notmorgan, just the role-list?
18:47:50 <raildo> jamielennox: ++ nice
18:47:52 <jamielennox> so there are a bunch of security questions about how we trust those headers
18:47:59 <samueldmq> notmorgan: long-term is use certs for that and don't validate service token at all ? (and user token only once at the beggining of workflow)
18:48:08 <notmorgan> ayoung: like i said, something to discuss later - once we land this i don't want to derail
18:48:19 <notmorgan> samueldmq: that will also be an option
18:48:27 <notmorgan> but service tokens are easy to refresh
18:48:28 <ayoung> service token == user with service role _ is_admin_project
18:48:28 <jamielennox> samueldmq: certs would be cool
18:48:36 <ayoung> er that _  should be +
18:48:39 <notmorgan> ayoung: or whatever the definition is.
18:48:42 <samueldmq> amakarov: yes, that could be done using certificates, for example; but is a separate conversation, maybe long term :)
18:48:44 <notmorgan> ayoung: that is an implementation detail
18:48:58 <jamielennox> yea, don't need is_admin_project, however you define service is fine
18:49:16 <notmorgan> can be whatever KSM is configured for
18:49:34 <jamielennox> so there's a question in there about whether we should trust all the attributes passed as headers or whether we should take only the core user_id project_id etc and reconstruct it like we do fernet
18:49:42 <samueldmq> notmorgan: jamielennox: nice so this definitely opens the door for other long term improvements (like that using certs)
18:49:46 <samueldmq> works for me
18:49:49 <jamielennox> that i'd like people to have a look at as well
18:49:52 <stevemar> jamielennox: i think nova will no longer hate us if we get this in
18:50:09 <jamielennox> stevemar: yep, and all those stupid trust hacks that glance did recently can go away
18:50:16 <gyee> turn hate into love
18:50:16 <ayoung> So the idea is that we pre-validate at the boundaries, and then trusted services can talk to each other.  This is fine for, say, Nova to Glance, but I don't want it for *aaS like Sahara and Trove
18:50:16 <jamielennox> glance as an example
18:50:22 <stevemar> jamielennox: yep
18:50:29 <samueldmq> gyee: ++
18:50:47 <jamielennox> ayoung: right, these are the concerns that i want out on the spec
18:50:48 <ayoung> Yeah...this is not going to scale
18:50:52 <samueldmq> jamielennox: is it any worst/better in terms of security to trust all the headers ?
18:50:58 <ayoung> this is why I want unified delegation
18:51:18 <jamielennox> so i don't expect everyone to have opinions on it now, but i'll put it on the agenda for next week as well and i'd like to hash it out on the spec until then
18:51:25 <ayoung> but this is the right approach
18:51:42 <stevemar> jamielennox: i don't anticipate much push back
18:51:46 <jamielennox> samueldmq: it's an open question
18:51:53 <ayoung> we distinguish betwee "this is a long running operation, but treat it all as a unit" versus "do something for me later"
18:52:00 <jamielennox> stevemar: this is a giant security model change - it needs to be pushed back on
18:52:11 <ayoung> this has the potential to be a disaster.
18:52:16 <jamielennox> ayoung: ++
18:52:28 <jamielennox> ayoung: but there's no other reasonable way i can see to solve it
18:52:29 <rderose> ++
18:53:02 <stevemar> well, currently things just time out, or token expirations are set stupidly high, so... this is an improvement to me
18:53:07 <jamielennox> i expect to have to expand the security implications bit to an essay
18:53:11 <samueldmq> it would be cool if polcies were configured per openstack workflow (create instance and all its involved API calls) rather than separate API operations
18:53:19 <ayoung> samueldmq, ++
18:53:28 <ayoung> and to do that we need to know what perms you need for the workflow
18:53:34 <samueldmq> that means, reflect this work in the policy bits
18:53:46 <jamielennox> yep - and if we're in the process of designing openstack 2.0 then i have other ideas as well
18:54:00 <ayoung> which leads to dynamic policy and all the heresy I've been spewing these past few years
18:54:03 <samueldmq> cool, I like it
18:54:20 <topol> jamielennox, what level of confidence do we have that this does not open some big unforseen security hole?
18:54:36 <topol> how do we vet/
18:54:39 <topol> ?
18:54:42 <amakarov> ayoung: we can do that btw ))
18:54:47 <ayoung> topol, 100% that it does.
18:54:56 <jamielennox> topol: it's certainly risky, it escalates the service user from something that is not particularly interesting to something that can emulate everyone
18:54:58 <notmorgan> topol: it is not a lot worse than we have now.
18:55:08 <ayoung> topol, because we are not going to be able to limit this to services in the service catalog
18:55:10 <jamielennox> nova tells me that there is no service user on the compute nodes
18:55:20 <ayoung> because they don't even know their own identity
18:55:23 <jamielennox> but it makes the service users a much jucier target
18:55:34 <gyee> if service is sharing the same memcached, any service could potentially modify the token validation results
18:55:39 <gyee> just saying :-)
18:56:10 <ayoung> Why did we split OpenStack into microservices again?
18:56:22 <jamielennox> ayoung: ++
18:57:12 <samueldmq> how does a service know its creds to auth against keystone ?
18:57:13 <stevemar> henrynash: i'm assuming 3 minutes isn't enough time for you?
18:57:17 <jamielennox> anyway - not much time left, but these questions are why i would like to debate it a lot oon the spec
18:57:21 <henrynash> probably not
18:57:24 <ayoung> notmorgan, want to float"signed requests" again?
18:57:36 <jamielennox> samueldmq: same as now, they all have it
18:57:42 <notmorgan> oauth
18:57:47 <ayoung> samueldmq, they are autogenerated and stuck in the config file by Puppet etc
18:57:48 <stevemar> henrynash: we can chat in -keystone, cc ayoung
18:57:49 <samueldmq> jamielennox: config files ?
18:57:56 <samueldmq> oh
18:57:56 <ayoung> samueldmq, ye
18:58:01 <jamielennox> i spent a bunch of time looking at oauth, it's not going to work for us
18:58:02 <henrynash> stevemar: yep
18:58:16 <samueldmq> ayoung: isn't that dangerous ?
18:58:35 <ayoung> samueldmq, yes
18:59:02 <samueldmq> jamielennox: if we're going to certs in the future, let's look at the effort with going with it now vs 2-step
18:59:14 <ayoung> samueldmq, the old saying about laws and sausages goes double for software and treble for security
18:59:32 <samueldmq> jamielennox: (not agaisnt at all, just want to put all the options on the table)
18:59:36 <jamielennox> samueldmq: certs is never something we are going to be able to enforce globally
18:59:46 <stevemar> lets roll out
18:59:48 <gyee> say what?
18:59:54 <stevemar> #endmeeting