17:59:42 #startmeeting keystone
17:59:43 Meeting started Tue Oct 11 17:59:42 2016 UTC and is due to finish in 60 minutes. The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:44 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:59:46 o/
17:59:47 The meeting name has been set to 'keystone'
17:59:48 o/ hey everyone!
17:59:49 hi
17:59:50 o/
17:59:55 o/
18:00:21 heyooo
18:00:40 hey
18:00:48 meeting agenda; https://etherpad.openstack.org/p/keystone-weekly-meeting
18:00:52 #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:01:41 wait another minute til everyone shows up :)
18:01:54 henrynash mentioned he's on vacation this week
18:01:58 slacker
18:02:05 hi. I've got another meeting in 30 mins
18:02:14 bknudson: thanks for the heads up
18:02:17 #topic design sessions at summit
18:02:29 Congrats to stevemar on getting on the TC. Well done
18:02:35 ++
18:02:36 ++
18:02:36 ayoung: thanks boss!
18:02:40 stevemar congrats! :)
18:02:50 i was pleasantly surprised :)
18:02:51 boss? I think you misspelled topol
18:02:55 now we have to watch what we say about the TC.
18:02:55 ++
18:02:56 hehe
18:02:57 Grats!
18:03:06 grats!
18:03:12 Cool!
18:03:28 With morgan stepping down, they knew they needed someone to keep an eye on security type issues
18:03:33 thanks if you voted for me, not so thanks if you didn't -_-
18:03:40 :)
18:03:54 now you can jail your rivals.
18:03:59 lol
18:04:07 Not in Canada he can't.
18:04:16 stevemar, congrats!
18:04:28 thank you all for the congrats :D
18:05:29 congrats stevemar :)
18:05:34 back to the topic on hand -- design sessions
18:05:47 i sent out a note to the ML about this
18:05:48 #link http://lists.openstack.org/pipermail/openstack-dev/2016-October/105239.html
18:06:08 each work session and fishbowl has an etherpad which i've primed with some content
18:06:49 the fishbowls are: retrospective, unconference, ocata priorities
18:06:57 we've got one more -- any suggestions?
18:07:08 or should i hand it back?
18:08:02 *crickets*
18:08:03 what should happen there?
18:08:10 in the fishbowl
18:08:16 any large group discussion
18:08:40 we could talk to folks from other projects about moving quota limits to keystone
18:08:44 Shall we drive any cross-project initiatives?
18:08:51 breton, we could, but we won't
18:08:53 breton: ++
18:09:19 ayoung: why :(
18:09:21 last time i had a "cross-project" fishbowl no one from another project showed up
18:09:34 ok
18:09:38 :(
18:09:56 only lhcheng did, cause he was core on horizon and keystone
18:10:11 breton, because we had that discussion at several other summits, and when we do, we walk down the same path and the cinder and neutron and nova guys all agree it don't belong in Keystone
18:10:34 stevemar: was it on the cross-project track or the keystone track?
18:10:52 dolphm: this was before CP tracks were a thing
18:10:52 ayoung: so it's carved in stone then?
18:10:58 ayoung: breton: i personally think it belongs in a standalone service
18:11:12 breton: it'll be hard to push the quota stuff forward with just keystone folks in the room
18:11:17 dolphm ++
18:11:17 dolphm: agreed
18:11:26 amakarov, no, it is not carved in stone. It just is like a glitch in the matrix...deja vu all over again
18:11:46 breton: just from a logistics point of view, the fishbowl will be 90% keystone devs
18:12:00 then i shall have to go to their sessions
18:12:03 stevemar: got it
18:12:15 breton: there was a cross-project track did you propose it there?
18:12:15 amakarov, the easy part is saying "sure, put it in Keystone" the hard part is figuring out what "it" is.
18:12:24 breton: https://etherpad.openstack.org/p/ocata-cross-project-sessions
18:12:37 stevemar: thanks, will do now
18:12:42 ayoung: quota limits
18:12:46 ayoung: that'd be good to establish some better cross-project communications, I think. Is there some people responsible?
18:12:56 I'm willing to entertain the discussion, but we have danced that dance at a few Balls before.
18:12:56 breton: the schedule for cross project has been decided :(
18:13:26 stevemar: > by turn of day Oct 1st if possible
18:13:33 stevemar: yeah, that's bad
18:14:59 breton: there is a list of all the decided CP workshops: https://www.openstack.org/summit/barcelona-2016/summit-schedule/global-search?t=Cross+Project+workshops
18:15:39 so if no one has any other ideas for the fishbowl i'll give it back (provided i don't think of something)
18:16:24 we could talk about the spec process? if bugs are triaged well enough? are we fixing the important issues? etc...
18:16:42 maybe the liaison roles?
18:17:15 there's also an "unconference" session: https://etherpad.openstack.org/p/ocata-keystone-unconference
18:17:49 in the etherpad that listed the stuff folks wanted to talk about, there were some that didn't really fit into a specific category, so i created this one to lump things into
18:18:13 amakarov and ayoung your stuff is here (redis hashes and novajoin)
18:18:26 stevemar: ack
18:18:36 stevemar, ++
18:18:39 there was definitely another project on the mailing list asking for a session slot
18:18:53 off the top of my head, it would be nice to have more collaboration with Horizon, so that when we add new features; they get added to Horizon in a timely manner
18:19:16 including basic domain-admin use cases :)
18:19:27 rderose: not like the lingering k2k auth :(
18:19:35 exactly
18:19:36 :)
18:19:42 rderose: and your PCI stuff
18:19:54 yeah
18:20:10 o/
18:20:22 let me ping richjones and see what he says
18:20:41 i'm down for it though
18:20:56 i have a spec i'm hoping to write up between now and then, but i can just bring that up in some of the work sessions
18:21:10 jamielennox: sounds good to me
18:21:20 jamielennox: there should be one you can logically add it to
18:21:42 #topic Add 2 tests to tempest
18:22:07 I would like to write the tests :)
18:22:17 nishaYadv_: ++
18:22:18 nishaYadv_: works for me :)
18:22:20 wow - that was easy, excellent
18:22:25 haha
18:22:29 that also solves next topic
18:22:32 can't everything be that easy !
18:22:34 which was nishaYadv_ looking for work to do
18:22:36 :D yup
18:23:11 well, i don't think this fits the ~10 days?
18:23:12 defcore tests for keystone are pretty narrow in scope right now, mostly because they only test non-admin function
18:23:24 hurray! I would take some help from the community channel
18:23:30 knikolla: eh, things can take a while to merge for tempest
18:23:32 stevemar i see someone posted questions about the defcore tests
18:23:43 lbragstad: yeah, getting to that
18:23:43 SO, I will start working on the tests and continue working on them even after 10 days :)
18:23:44 defcore is GET /v3 and POST /v3/auth/tokens as far as I can tell
18:23:51 bknudson: correct
18:24:06 I just, want few patches out for review by 10 days :)
18:24:12 nishaYadv_: is it acceptable for your college project that you have patches submitted and under review ?
18:24:13 bknudson: pretty much
18:24:17 https://refstack.openstack.org/api/v1/guidelines/2016.08/tests
18:24:35 samueldmq, yeah, it would be okay, would have been better if they get merged too.
18:24:40 got*
18:24:48 also https://refstack.openstack.org/#/guidelines
18:24:56 btw, is there also any deadline for the tempest tests?
18:24:59 nishaYadv_: kk, just making sure it'd work the other way too
18:25:25 nishaYadv_: no deadline
18:25:27 nishaYadv_: I don't think so, just the normal review process
18:25:28 Considering we have Summit week( my very first), I might not be able to contribute during that time :(
18:25:33 if you harass some of the tempest people and tell them why you'll probably get it merged there
18:25:36 stevemar, great
18:25:46 jamielennox: ++
18:25:58 they live in openstack-qa
18:26:08 thanks jamielennox , samueldmq
18:26:38 nishaYadv_: mtreinish is core there and can help you review your patches (you can add me too)
18:26:48 does anyone have any issues with adding tests?
18:27:01 *cough* dolphm *cough*
18:27:18 stevemar, noted ++
18:27:29 i mean, i'm never opposed to more test coverage
18:27:45 but i was trying to figure out the use case for the /groups call
18:27:50 i realize this may put more work for some folks that actually run public and private clouds
18:27:58 dolphm: i didn't even know we had that API!
18:28:11 same, and i don't know *why* we have that API either
18:28:25 dolphm: i'd be OK with not including it
18:29:21 so, it's:
18:29:26 GET /v3/users/{authenticated_user_id}
18:29:31 POST /v3/users/{authenticated_user_id}/password
18:29:39 GET /v3/users/{authenticated_user_id}/projects
18:29:51 so, 3 tests?
18:30:15 not even -- 2 is done here: https://github.com/openstack/tempest/blob/master/tempest/api/identity/v3/test_users.py#L35-L77 and 3 is done here: https://github.com/openstack/tempest/blob/master/tempest/api/identity/v3/test_projects.py#L26-L58
18:30:24 it's just one test (if we don't include the group one)
18:30:47 nishaYadv_: that may not be enough :(
18:32:07 nishaYadv_: actually, you can add the 2 tests
18:32:27 stevemar, so I have one or two tests to write?
18:32:28 dolphm: when I propose the defcore tests, i'll exclude the group one
18:32:29 so we're missing coverage for GET /v3/users/{authenticated_user_id}
18:32:46 yes
18:32:55 stevemar: sounds good ; if there's a use case for exposing it on its own to end users, i'd be eager to hear it
18:33:04 nishaYadv_: two please!
18:33:14 stevemar, sure
18:33:25 stevemar: what's the second test?
18:33:35 besides GET /v3/users/{authenticated_user_id}
18:33:41 dolphm: /v3/users/{authenticated_user_id} and /v3/users/{authenticated_user_id}/groups
18:33:52 stevemar: oh so you want to test it, but not submit it for defcore
18:33:56 stevemar, can I add some documentation regarding them too? Or are there any other easy patches/tests required?
18:33:57 dolphm: correct
18:34:16 nishaYadv_: let's switch topics for that
18:34:19 #topic Looking for easy task/features related to keystone that can be implemented
18:34:26 stevemar: reasonable, it should be tested if it's accessible
18:34:29 anyone have suggestions here?
18:34:35 dolphm: right, that's what i figure
18:34:41 Unified Delegation?
18:34:48 lol
18:34:52 stevemar: to be fair, everything that we think is easy ends up being like a year of work
18:34:53 Dynamic Policy?
18:35:01 ayoung: all easy suggestions
18:35:02 ++
18:35:12 year of work :o
18:35:22 ayoung: i think nishaYadv_ is looking for something in the 10day range :P
18:35:34 stevemar, ++
18:35:37 bug fix?
18:35:40 that's why I think those tests are doable
18:35:45 Such a thing does not exist
18:35:50 dolphm: yes, or a bug fix
18:35:52 docs?
18:35:59 Getting a typo fixed requires at least 2 releases
18:36:13 adding filtering for credentials based on type/
18:36:15 ++ have to deprecate the old spelling
18:36:22 and include a release note so people can find the new spelling
18:36:26 ayoung, So, shall I just go through documentation to find typos ?
18:37:06 nishaYadv_: oh maybe https://bugs.launchpad.net/keystone/+bug/1523369 ?
18:37:06 Launchpad bug 1523369 in OpenStack Identity (keystone) "clean a user's default project if the project has been deleted" [Wishlist,Triaged]
18:37:17 nishaYadv_: someone proposed a patch and abandoned it
18:37:32 or - https://bugs.launchpad.net/bugs/1460492
18:37:32 Launchpad bug 1460492 in python-openstackclient "List credentials by type" [Wishlist,Triaged]
18:37:33 nishaYadv_: How about redis hash driver for dogpile.cache? ))
18:37:58 dogpile already supports redis, no?
18:37:58 amakarov, stevemar dolphm I don't really know what would be most suitable for me
18:38:15 amakarov: that doesn't sound easy at all
18:38:21 As an Outreachy OpenStack intern (May-Aug '16) I wrote functional tests for the keystone client library and improved docs for v3. But I don't have much knowledge beyond that.
18:38:28 nishaYadv_: it's a frequent question, and it's hard to answer because those types of tasks get handled quickly
18:38:33 dolphm: it does, but not as it should be used
18:39:00 nishaYadv_: i think https://bugs.launchpad.net/keystone/+bug/1523369 and https://bugs.launchpad.net/bugs/1460492 are good candidates
18:39:00 Launchpad bug 1523369 in OpenStack Identity (keystone) "clean a user's default project if the project has been deleted" [Wishlist,Triaged]
18:39:00 nishaYadv_: i believe i remember those tests :)
18:39:02 Launchpad bug 1460492 in python-openstackclient "List credentials by type" [Wishlist,Triaged]
18:39:12 stevemar: I have already started that - tests are needed
18:40:14 nishaYadv_: take a look at the bugs i mentioned, read through them and get back to me after the meeting?
18:40:21 That's not a rocket science - we just need to compare performance. That can be done locally
18:40:30 amakarov, which tests are you talking about here?
18:40:45 stevemar, sure, I can do that. Thanks
18:41:13 nishaYadv_: https://review.openstack.org/#/c/382576/
18:41:32 those, that are yet to be written :)
18:41:49 oh and pep8 of course
18:42:05 amakarov, alright ;)
18:42:37 and pep257
18:42:37 nishaYadv_: take a look at them, see judge for yourself, feel free to ask me questions in -keystone
18:42:44 actual backend is ready, tests are needed and configuration settings
18:43:03 stevemar, sure, looking, thanks
18:43:24 #topic Mailing list post
18:43:33 Anyone want to chime in on [Magnum][Kuryr][Keystone] Securing services in container orchestration ?
18:43:33 Kubernetes and Swarm knowledge is recommended
18:43:33 http://lists.openstack.org/pipermail/openstack-dev/2016-October/105304.html
18:43:42 my kubernetes game is weak
18:44:11 stevemar, I have in the past. I keep telling them not to do it.
18:44:49 oh, huh, this might dovetail into my spec
18:44:58 jamielennox, which?
18:45:53 ayoung: one i briefly discussed last summit, got dissuaded, and want to write up in full for BCN
18:46:02 then again, probably not
18:46:41 so - oauth?
18:47:04 I can talk with the folks at the summit about Keystone and Kubernetes.
18:47:27 could the individual kube deploys be registered as oauth services?
18:47:32 jamielennox: oauth is possible here i think
18:47:33 oauth probably as good a mechanism to standardize on as any
18:48:25 we should get back to them anyway, anyone want to pick this up?
18:48:26 ayoung: and oauth2 is even better - one can declare almost everything as oauth2 compliant ))
18:48:46 amakarov: ha
18:49:26 actually, I hate OAUTH, but then, I hate everything
18:49:32 I can follow this up i guess
18:49:51 jamielennox: thanks, let me know if you want to bounce ideas
18:49:58 meh, oauth is fine, and better than them storing creds on the vms
18:49:59 #topic open discussion
18:50:15 I have a pile of reviews that clean up the token provider - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:cleanup-token-provider
18:50:15 jamielennox: ++
18:50:23 in case anyone is interested in reviewing those
18:50:31 stevemar, you "skipped" the skipped tests
18:50:35 knikolla: :O
18:50:41 I also have reviews across several projects to make fernet default - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:make-fernet-default
18:50:57 knikolla: talk in -keystone?
18:51:17 lots of LDAP tests being skipped :(
18:51:23 so my only plug is that i have most of what seems to be required for fetching expired tokens in this topic: https://review.openstack.org/#/q/status:open+topic:bp/allow-expired it's not done but it seems to work for me and it would be good if people can have a play before BCN
18:51:40 jamielennox: awesome
18:51:41 lots of qualifiers in that statement
18:51:47 jamielennox: hehe
18:51:53 lbragstad: if you review https://review.openstack.org/#/c/379334/ i'll review your stuff
18:51:54 lbragstad, glad to look at them
18:52:08 jamielennox: the earlier the better for that stuff, land it soon
18:52:09 stevemar sure thing
18:52:10 stevemar, i need to get lunch after this meeting.
18:52:11 jamielennox, great
18:52:15 ayoung thanks
18:52:29 i have to clean up some lbragstad comments in the spec
18:52:51 also i dislike the raw ?allow_expired without an =value, but i guess we have used it in the past
18:53:01 rderose / lbragstad do you guys have a blueprint for the mapping engine work?
18:53:34 i have to manually construct the requests from auth_token then because requests and others don't recognize ?X without the = as params
18:53:39 stevemar nope - https://blueprints.launchpad.net/keystone/+spec/shadow-mapping
18:53:48 unless rderose has it somewhere
18:54:45 lbragstad: I'll create it and target Ocata-1 :)
18:55:01 also https://review.openstack.org/#/c/320623/ is still waiting for some love.
18:55:03 stevemar awesome - thanks
18:55:34 knikolla: dammit, i said i would look at that
18:55:37 knikolla: ah, i did run that and realized you need an existing IDP to point it at?
18:55:45 knikolla: the amount of tabs i have open is not going down
18:55:47 it doesn't construct anything for you
18:56:05 jamielennox, you can tell it to set up a k2k idp.
18:56:22 knikolla: and map back onto itself?
18:56:23 stevemar, i installed a plugin to limit my open tabs to 6. has done me wonders.
18:56:52 jamielennox, you tell it the url of the service provider, so it can be itself, or it can be another devstack running the plugin.
18:57:09 jamielennox, there's /devstack/README.rst with information
18:57:14 knikolla: wasn't there something that setup an idp for you?
18:57:14 ok, i can give that a go
18:57:26 knikolla: i guess i could point it to testshib
18:57:29 stevemar: we discussed doing that but it wasn't part of this patch
18:57:53 stevemar: there's already LDAP in devstack, so we were discussing extending it to LDAP+shib as an IDP
18:58:11 that makes sense to me
18:58:17 which i think would be the most interesting usage here, but it can be a follow up patch
18:58:46 i gotta get an LDAP functional test setup dang it
18:59:14 alright, one more meeting until summit?
18:59:26 yup
18:59:28 PM me if you have questions
18:59:34 thanks for coming all
18:59:35 #endmeeting