17:59:42 <stevemar> #startmeeting keystone
17:59:43 <openstack> Meeting started Tue Oct 11 17:59:42 2016 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:44 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:59:46 <stevemar> o/
17:59:47 <openstack> The meeting name has been set to 'keystone'
17:59:48 <knikolla> o/ hey everyone!
17:59:49 <browne> hi
17:59:50 <jaugustine> o/
17:59:55 <lamt> o/
18:00:21 <stevemar> heyooo
18:00:40 <nishaYadv_> hey
18:00:48 <stevemar> meeting agenda; https://etherpad.openstack.org/p/keystone-weekly-meeting
18:00:52 <stevemar> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:01:41 <stevemar> wait another minute til everyone shows up :)
18:01:54 <stevemar> henrynash mentioned he's on vacation this week
18:01:58 <stevemar> slacker
18:02:05 <bknudson> hi. I've got another meeting in 30 mins
18:02:14 <stevemar> bknudson: thanks for the heads up
18:02:17 <stevemar> #topic design sessions at summit
18:02:29 <ayoung> Congrats to stevemar on getting on the TC.  Well done
18:02:35 <lbragstad> ++
18:02:36 <crinkle> ++
18:02:36 <stevemar> ayoung: thanks boss!
18:02:40 <lbragstad> stevemar congrats! :)
18:02:50 <stevemar> i was pleasantly surprised :)
18:02:51 <ayoung> boss?  I think you misspelled topol
18:02:55 <bknudson> now we have to watch what we say about the TC.
18:02:55 <dolphm> ++
18:02:56 <stevemar> hehe
18:02:57 <gagehugo> Grats!
18:03:06 <lamt> grats!
18:03:12 <amakarov> Cool!
18:03:28 <ayoung> With morgan stepping down, they knew they needed someone to keep an eye on security type issues
18:03:33 <stevemar> thanks if you voted for me, not so thanks if you didn't -_-
18:03:40 <stevemar> :)
18:03:54 <bknudson> now you can jail your rivals.
18:03:59 <stevemar> lol
18:04:07 <ayoung> Not in Canada he can't.
18:04:16 <knikolla> stevemar, congrats!
18:04:28 <stevemar> thank you all for the congrats :D
18:05:29 <nishaYadv_> congrats stevemar :)
18:05:34 <stevemar> back to the topic on hand -- design sessions
18:05:47 <stevemar> i sent out a note to the ML about this
18:05:48 <stevemar> #link http://lists.openstack.org/pipermail/openstack-dev/2016-October/105239.html
18:06:08 <stevemar> each work session and fishbowl has an etherpad which i've primed with some content
18:06:49 <stevemar> the fishbowls are: retrospective, unconference, ocata priorities
18:06:57 <stevemar> we've got one more -- any suggestions?
18:07:08 <stevemar> or should i hand it back?
18:08:02 <stevemar> *crickets*
18:08:03 <breton> what should happen there?
18:08:10 <breton> in the fishbowl
18:08:16 <stevemar> any large group discussion
18:08:40 <breton> we could talk to folks from other projects about moving quota limits to keystone
18:08:44 <amakarov> Shall we drive any cross-project initiatives?
18:08:51 <ayoung> breton, we could, but we won't
18:08:53 <amakarov> breton: ++
18:09:19 <breton> ayoung: why :(
18:09:21 <stevemar> last time i had a "cross-project" fishbowl no one from another project showed up
18:09:34 <breton> ok
18:09:38 <nishaYadv_> :(
18:09:56 <stevemar> only lhcheng did, cause he was core on horizon and keystone
18:10:11 <ayoung> breton, because we had that discussion at several other summits, and when we do, we walk down the same path and the cinder and neutron and nova guys all agree it don't belong in Keystone
18:10:34 <dolphm> stevemar: was it on the cross-project track or the keystone track?
18:10:52 <stevemar> dolphm: this was before CP tracks were a thing
18:10:52 <amakarov> ayoung: so it's carved in stone then?
18:10:58 <dolphm> ayoung: breton: i personally think it belongs in a standalone service
18:11:12 <stevemar> breton: it'll be hard to push the quota stuff forward with just keystone folks in the room
18:11:17 <lbragstad> dolphm ++
18:11:17 <amakarov> dolphm: agreed
18:11:26 <ayoung> amakarov, no, it is not carved in stone.  It just is like a glitch in the matrix...deja vu all over again
18:11:46 <stevemar> breton: just from a logistics point of view, the fishbowl will be 90% keystone devs
18:12:00 <breton> then i shall have to go to their sessions
18:12:03 <breton> stevemar: got it
18:12:15 <stevemar> breton: there was a cross-project track did you propose it there?
18:12:15 <ayoung> amakarov, the easy part is saying "sure, put it in Keystone" the hard part is figuring out what "it" is.
18:12:24 <stevemar> breton: https://etherpad.openstack.org/p/ocata-cross-project-sessions
18:12:37 <breton> stevemar: thanks, will do now
18:12:42 <breton> ayoung: quota limits
18:12:46 <amakarov> ayoung: that'd be good to establish some better cross-project communications, I think. Is there some people responsible?
18:12:56 <ayoung> I'm willing to entertain the discussion, but we have danced that dance at a few Balls before.
18:12:56 <stevemar> breton: the schedule for cross project has been decided :(
18:13:26 <breton> stevemar: > by turn of day Oct 1st if possible
18:13:33 <breton> stevemar: yeah, that's bad
18:14:59 <stevemar> breton: there is a list of all the decided CP workshops: https://www.openstack.org/summit/barcelona-2016/summit-schedule/global-search?t=Cross+Project+workshops
18:15:39 <stevemar> so if no one has any other ideas for the fishbowl i'll give it back (provided i don't think of something)
18:16:24 <stevemar> we could talk about the spec process? if bugs are triaged well enough? are we fixing the important issues? etc...
18:16:42 <stevemar> maybe the liaison roles?
18:17:15 <stevemar> there's also an "unconference" session: https://etherpad.openstack.org/p/ocata-keystone-unconference
18:17:49 <stevemar> in the etherpad that listed the stuff folks wanted to talk about, there were some that didn't really fit into a specific category, so i created this one to lump things into
18:18:13 <stevemar> amakarov and ayoung your stuff is here (redis hashes and novajoin)
18:18:26 <amakarov> stevemar: ack
18:18:36 <ayoung> stevemar, ++
18:18:39 <dolphm> there was definitely another project on the mailing list asking for a session slot
18:18:53 <rderose> off the top of my head, it would be nice to have more collaboration with Horizon, so that when we add new features; they get added to Horizon in a timely manner
18:19:16 <dolphm> including basic domain-admin use cases :)
18:19:27 <stevemar> rderose: not like the lingering k2k auth :(
18:19:35 <rderose> exactly
18:19:36 <rderose> :)
18:19:42 <stevemar> rderose: and your PCI stuff
18:19:54 <rderose> yeah
18:20:10 <topol> o/
18:20:22 <stevemar> let me ping richjones and see what he says
18:20:41 <stevemar> i'm down for it though
18:20:56 <jamielennox> i have a spec i'm hoping to write up between now and then, but i can just bring that up in some of the work sessions
18:21:10 <stevemar> jamielennox: sounds good to me
18:21:20 <stevemar> jamielennox: there should be one you can logically add it to
18:21:42 <stevemar> #topic Add 2 tests to tempest
18:22:07 <nishaYadv_> I would like to write the tests :)
18:22:17 <samueldmq> nishaYadv_: ++
18:22:18 <stevemar> nishaYadv_: works for me :)
18:22:20 <jamielennox> wow - that was easy, excellent
18:22:25 <stevemar> haha
18:22:29 <samueldmq> that also solves next topic
18:22:32 <stevemar> can't everything be that easy !
18:22:34 <samueldmq> which was nishaYadv_  looking for work to do
18:22:36 <nishaYadv_> :D yup
18:23:11 <knikolla> well, i don't think this fits the ~10 days?
18:23:12 <stevemar> defcore tests for keystone are pretty narrow in scope right now, mostly because they only test non-admin function
18:23:24 <nishaYadv_> hurray! I would take some help from the community channel
18:23:30 <stevemar> knikolla: eh, things can take a while to merge for tempest
18:23:32 <lbragstad> stevemar i see someone posted questions about the defcore tests
18:23:43 <stevemar> lbragstad: yeah, getting to that
18:23:43 <nishaYadv_> SO, I will start working on the tests and continue working on them even after 10 days :)
18:23:44 <bknudson> defcore is GET /v3 and POST /v3/auth/tokens as far as I can tell
18:23:51 <stevemar> bknudson: correct
18:24:06 <nishaYadv_> I just, want few patches out for review by 10 days :)
18:24:12 <samueldmq> nishaYadv_: is it acceptable for your college project that you have patches submitted and under review ?
18:24:13 <dolphm> bknudson: pretty much
18:24:17 <bknudson> https://refstack.openstack.org/api/v1/guidelines/2016.08/tests
18:24:35 <nishaYadv_> samueldmq, yeah, it would be okay, would have been better if they get merged too.
18:24:40 <nishaYadv_> got*
18:24:48 <bknudson> also https://refstack.openstack.org/#/guidelines
18:24:56 <nishaYadv_> btw, is there also any deadline for the tempest tests?
18:24:59 <samueldmq> nishaYadv_: kk, just making sure it'd work the other way too
18:25:25 <stevemar> nishaYadv_: no deadline
18:25:27 <samueldmq> nishaYadv_: I don't think so, just the normal review process
18:25:28 <nishaYadv_> Considering we have Summit week( my very first), I might not be able to contribute during that time :(
18:25:33 <jamielennox> if you harass some of the tempest people and tell them why you'll probably get it merged there
18:25:36 <nishaYadv_> stevemar, great
18:25:46 <samueldmq> jamielennox: ++
18:25:58 <knikolla> they live in openstack-qa
18:26:08 <nishaYadv_> thanks jamielennox , samueldmq
18:26:38 <stevemar> nishaYadv_: mtreinish is core there and can help you review your patches (you can add me too)
18:26:48 <stevemar> does anyone have any issues with adding tests?
18:27:01 <stevemar> *cough* dolphm *cough*
18:27:18 <nishaYadv_> stevemar, noted ++
18:27:29 <dolphm> i mean, i'm never opposed to more test coverage
18:27:45 <dolphm> but i was trying to figure out the use case for the /groups call
18:27:50 <stevemar> i realize this may put more work for some folks that actually run public and private clouds
18:27:58 <stevemar> dolphm: i didn't even know we had that API!
18:28:11 <dolphm> same, and i don't know *why* we have that API either
18:28:25 <stevemar> dolphm: i'd be OK with not including it
18:29:21 <dolphm> so, it's:
18:29:26 <dolphm> GET /v3/users/{authenticated_user_id}
18:29:31 <dolphm> POST /v3/users/{authenticated_user_id}/password
18:29:39 <dolphm> GET /v3/users/{authenticated_user_id}/projects
18:29:51 <dolphm> so, 3 tests?
18:30:15 <stevemar> not even -- 2 is done here: https://github.com/openstack/tempest/blob/master/tempest/api/identity/v3/test_users.py#L35-L77 and 3 is done here: https://github.com/openstack/tempest/blob/master/tempest/api/identity/v3/test_projects.py#L26-L58
18:30:24 <stevemar> it's just one test (if we don't include the group one)
18:30:47 <stevemar> nishaYadv_: that may not be enough :(
18:32:07 <stevemar> nishaYadv_: actually, you can add the 2 tests
18:32:27 <nishaYadv_> stevemar, so I have one or two tests to write?
18:32:28 <stevemar> dolphm: when I propose the defcore tests, i'll  exclude the group one
18:32:29 <dolphm> so we're missing coverage for GET /v3/users/{authenticated_user_id}
18:32:46 <stevemar> yes
18:32:55 <dolphm> stevemar: sounds good; if there's a use case for exposing it on its own to end users, i'd be eager to hear it
18:33:04 <stevemar> nishaYadv_: two please!
18:33:14 <nishaYadv_> stevemar, sure
18:33:25 <dolphm> stevemar: what's the second test?
18:33:35 <dolphm> besides GET /v3/users/{authenticated_user_id}
18:33:41 <stevemar> dolphm: /v3/users/{authenticated_user_id} and /v3/users/{authenticated_user_id}/groups
18:33:52 <dolphm> stevemar: oh so you want to test it, but not submit it for defcore
18:33:56 <nishaYadv_> stevemar, can I add some documentation regarding them too? Or are there any other easy patches/tests required?
18:33:57 <stevemar> dolphm: correct
18:34:16 <stevemar> nishaYadv_: let's switch topics for that
18:34:19 <stevemar> #topic Looking for easy task/features related to keystone that can be implemented
18:34:26 <dolphm> stevemar: reasonable, it should be tested if it's accessible
18:34:29 <stevemar> anyone have suggestions here?
18:34:35 <stevemar> dolphm: right, thats what i figure
18:34:41 <ayoung> Unified Delegation?
18:34:48 <samueldmq> lol
18:34:52 <dolphm> stevemar: to be fair, everything that we think is easy ends up being like a year of work
18:34:53 <ayoung> Dynamic Policy?
18:35:01 <samueldmq> ayoung: all easy suggestions
18:35:02 <samueldmq> ++
18:35:12 <nishaYadv_> year of work :o
18:35:22 <stevemar> ayoung: i think nishaYadv_ is looking for something in the 10day range :P
18:35:34 <nishaYadv_> stevemar, ++
18:35:37 <dolphm> bug fix?
18:35:40 <samueldmq> that's why I think those tests are doable
18:35:45 <ayoung> Such a thing does not exist
18:35:50 <samueldmq> dolphm: yes, or a bug fix
18:35:52 <dolphm> docs?
18:35:59 <ayoung> Getting a typo fixed requires at least 2 releases
18:36:13 <lbragstad> adding filtering for credentials based on type/
18:36:15 <dolphm> ++ have to deprecate the old spelling
18:36:22 <dolphm> and include a release note so people can find the new spelling
18:36:26 <nishaYadv_> ayoung, So, shall I just go through documentation to find typos ?
18:37:06 <stevemar> nishaYadv_: oh maybe https://bugs.launchpad.net/keystone/+bug/1523369 ?
18:37:06 <openstack> Launchpad bug 1523369 in OpenStack Identity (keystone) "clean a user's default project if the project has been deleted" [Wishlist,Triaged]
18:37:17 <stevemar> nishaYadv_: someone proposed a patch and abandoned it
18:37:32 <lbragstad> or - https://bugs.launchpad.net/bugs/1460492
18:37:32 <openstack> Launchpad bug 1460492 in python-openstackclient "List credentials by type" [Wishlist,Triaged]
18:37:33 <amakarov> nishaYadv_: How about redis hash driver for dogpile.cache? ))
18:37:58 <dolphm> dogpile already supports redis, no?
18:37:58 <nishaYadv_> amakarov, stevemar dolphm I don't really know what would be most suitable for me
18:38:15 <stevemar> amakarov: that doesn't sound easy at all
18:38:21 <nishaYadv_> As an Outreachy OpenStack intern (May-Aug '16) I wrote functional tests for the keystone client library and improved docs for v3. But I don't have much knowledge beyond that.
18:38:28 <dolphm> nishaYadv_: it's a frequent question, and it's hard to answer because those types of tasks get handled quickly
18:38:33 <amakarov> dolphm: it does, but not as it should be used
18:39:00 <stevemar> nishaYadv_: i think https://bugs.launchpad.net/keystone/+bug/1523369 and https://bugs.launchpad.net/bugs/1460492 are good candidates
18:39:00 <openstack> Launchpad bug 1523369 in OpenStack Identity (keystone) "clean a user's default project if the project has been deleted" [Wishlist,Triaged]
18:39:00 <dolphm> nishaYadv_: i believe i remember those tests :)
18:39:02 <openstack> Launchpad bug 1460492 in python-openstackclient "List credentials by type" [Wishlist,Triaged]
18:39:12 <amakarov> stevemar: I have already started that - tests are needed
18:40:14 <stevemar> nishaYadv_: take a look at the bugs i mentioned, read through them and get back to me after the meeting?
18:40:21 <amakarov> That's not a rocket science - we just need to compare performance. That can be done locally
18:40:30 <nishaYadv_> amakarov, which tests are you talking about here?
18:40:45 <nishaYadv_> stevemar, sure, I can do that. Thanks
18:41:13 <amakarov> nishaYadv_: https://review.openstack.org/#/c/382576/
18:41:32 <amakarov> those, that are yet to be written :)
18:41:49 <amakarov> oh and pep8 of course
18:42:05 <nishaYadv_> amakarov, alright ;)
18:42:37 <dolphm> and pep257
18:42:37 <stevemar> nishaYadv_: take a look at them, judge for yourself, feel free to ask me questions in -keystone
18:42:44 <amakarov> actual backend is ready, tests are needed and configuration settings
18:43:03 <nishaYadv_> stevemar, sure, looking, thanks
18:43:24 <stevemar> #topic Mailing list post
18:43:33 <stevemar> Anyone want to chime in on [Magnum][Kuryr][Keystone] Securing services in container orchestration ?
18:43:33 <stevemar> Kubernetes and Swarm knowledge is recommended
18:43:33 <stevemar> http://lists.openstack.org/pipermail/openstack-dev/2016-October/105304.html
18:43:42 <stevemar> my kubernetes game is weak
18:44:11 <ayoung> stevemar, I have in the past.  I keep telling them not to do it.
18:44:49 <jamielennox> oh, huh, this might dovetail into my spec
18:44:58 <ayoung> jamielennox, which?
18:45:53 <jamielennox> ayoung: one i briefly discussed last summit, got dissuaded, and want to write up in full for BCN
18:46:02 <jamielennox> then again, probably not
18:46:41 <jamielennox> so - oauth?
18:47:04 <ayoung> I can talk with the folks at the summit about Keystone and Kubernetes.
18:47:27 <jamielennox> could the individual kube deploys be registered as oauth services?
18:47:32 <stevemar> jamielennox: oauth is possible here i think
18:47:33 <ayoung> oauth probably as good a mechanism to standardize on as any
18:48:25 <stevemar> we should get back to them anyway, anyone want to pick this up?
18:48:26 <amakarov> ayoung: and oauth2 is even better - one can declare almost everything as oauth2 compliant ))
18:48:46 <stevemar> amakarov: ha
18:49:26 <ayoung> actually, I hate OAUTH, but then, I hate everything
18:49:32 <jamielennox> I can follow this up i guess
18:49:51 <stevemar> jamielennox: thanks, let me know if you want to bounce ideas
18:49:58 <jamielennox> meh, oauth is fine, and better than them storing creds on the vms
18:49:59 <stevemar> #topic open discussion
18:50:15 <lbragstad> I have a pile of reviews that clean up the token provider - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:cleanup-token-provider
18:50:15 <amakarov> jamielennox: ++
18:50:23 <lbragstad> in case anyone is interested in reviewing those
18:50:31 <knikolla> stevemar, you "skipped" the skipped tests
18:50:35 <stevemar> knikolla: :O
18:50:41 <lbragstad> I also have reviews across several projects to make fernet default - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:make-fernet-default
18:50:57 <stevemar> knikolla: talk in -keystone?
18:51:17 <stevemar> lots of LDAP tests being skipped :(
18:51:23 <jamielennox> so my only plug is that i have most of what seems to be required for fetching expired tokens in this topic: https://review.openstack.org/#/q/status:open+topic:bp/allow-expired it's not done but it seems to work for me and it would be good if people can have a play before BCN
18:51:40 <dolphm> jamielennox: awesome
18:51:41 <jamielennox> lots of qualifiers in that statement
18:51:47 <stevemar> jamielennox: hehe
18:51:53 <stevemar> lbragstad: if you review https://review.openstack.org/#/c/379334/ i'll review your stuff
18:51:54 <ayoung> lbragstad, glad to look at them
18:52:08 <stevemar> jamielennox: the earlier the better for that stuff, land it soon
18:52:09 <lbragstad> stevemar sure thing
18:52:10 <knikolla> stevemar, i need to get lunch after this meeting.
18:52:11 <ayoung> jamielennox, great
18:52:15 <lbragstad> ayoung thanks
18:52:29 <jamielennox> i have to clean up some lbragstad comments in the spec
18:52:51 <jamielennox> also i dislike the raw ?allow_expired without an =value, but i guess we have used it in the past
18:53:01 <stevemar> rderose / lbragstad do you guys have a blueprint for the mapping engine work?
18:53:34 <jamielennox> i have to manually construct the requests from auth_token then because requests and others don't recognize ?X without the = as params
18:53:39 <lbragstad> stevemar nope - https://blueprints.launchpad.net/keystone/+spec/shadow-mapping
18:53:48 <lbragstad> unless rderose has it somewhere
18:54:45 <stevemar> lbragstad: I'll create it and target Ocata-1 :)
18:55:01 <knikolla> also https://review.openstack.org/#/c/320623/ is still waiting for some love.
18:55:03 <lbragstad> stevemar awesome - thanks
18:55:34 <stevemar> knikolla: dammit, i said i would look at that
18:55:37 <jamielennox> knikolla: ah, i did run that and realized you need an existing IDP to point it at?
18:55:45 <stevemar> knikolla: the amount of tabs i have open is not going down
18:55:47 <jamielennox> it doesn't construct anything for you
18:56:05 <knikolla> jamielennox, you can tell it to set up a k2k idp.
18:56:22 <jamielennox> knikolla: and map back onto itself?
18:56:23 <knikolla> stevemar, i installed a plugin to limit my open tabs to 6. has done me wonders.
18:56:52 <knikolla> jamielennox, you tell it the url of the service provider, so it can be itself, or it can be another devstack running the plugin.
18:57:09 <knikolla> jamielennox, there's /devstack/README.rst with information
18:57:14 <stevemar> knikolla: wasn't there something that setup an idp for you?
18:57:14 <jamielennox> ok, i can give that a go
18:57:26 <stevemar> knikolla: i guess i could point it to testshib
18:57:29 <jamielennox> stevemar: we discussed doing that but it wasn't part of this patch
18:57:53 <jamielennox> stevemar: there's already LDAP in devstack, so we were discussing extending it to LDAP+shib as an IDP
18:58:11 <stevemar> that makes sense to me
18:58:17 <jamielennox> which i think would be the most interesting usage here, but it can be a follow up patch
18:58:46 <stevemar> i gotta get an LDAP functional test setup dang it
18:59:14 <stevemar> alright, one more meeting until summit?
18:59:26 <knikolla> yup
18:59:28 <stevemar> PM me if you have questions
18:59:34 <stevemar> thanks for coming all
18:59:35 <stevemar> #endmeeting