18:00:46 <stevemar> #startmeeting keystone
18:00:47 <openstack> Meeting started Tue Jan  3 18:00:46 2017 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:49 <gagehugo> o/
18:00:50 <openstack> The meeting name has been set to 'keystone'
18:00:52 <jaugustine> Happy 2017
18:00:57 <lamt> o/
18:00:57 <lbragstad> o/
18:00:59 <dstanek> o/
18:01:01 <gagehugo> Happy New Year!
18:01:08 <stevemar> happy new year all :)
18:01:28 <morgan> o/
18:01:34 * morgan yawns and needs coffee
18:01:44 <samueldmq> hi o/
18:02:21 <stevemar> looks like we have enough people to start :)
18:02:34 <morgan> stevemar: hah.
18:02:35 <stevemar> hopefully everyone is well rested and fully recharged !
18:02:46 <morgan> rested? nope, i could use another 2-3 weeks off :P
18:02:52 <gagehugo> ^
18:02:55 <lbragstad> morgan :)
18:03:00 <breton> it is still holidays in russia
18:03:04 <breton> for the next week
18:03:09 <dstanek> morgan: ++
18:03:12 <stevemar> no one went overboard on doing things over the holidays, so thanks for that
18:03:22 <stevemar> breton: thanks for the heads up, enjoy the time off :)
18:03:31 <stevemar> #topic announcements
18:03:40 <stevemar> time to Register for PTG !
18:03:45 <stevemar> #link https://www.eventbrite.com/e/project-teams-gathering-tickets-27549298694
18:03:47 <breton> stevemar: meh, time off is for the weak :p
18:04:09 <ayoung> thought that went up months ago?
18:04:12 <stevemar> breton: your tune will change eventually :)
18:04:21 <stevemar> ayoung: hmm?
18:04:31 <samueldmq> 186 tickets lef
18:04:33 <samueldmq> left
18:04:38 <stevemar> looks like 186 left
18:04:47 <stevemar> this is essentially replacing the midcycle
18:04:47 <lbragstad> fwiw - there is a refund process I believe
18:04:53 <breton> that's a lot
18:05:05 <lbragstad> so if you do register, and can't make it you can get your money back
18:05:10 <gagehugo> you can transfer tickets too I believe
18:05:13 <samueldmq> lbragstad: refund process for the PTG ticktes ?
18:05:16 <samueldmq> tickets*
18:05:19 <lbragstad> samueldmq yes
18:05:25 <breton> yes, PTG tickets are refundable
18:05:27 <stevemar> i put my travel request in for work, as soon as it's approved i'm buying
18:05:28 <samueldmq> oh that's nice
18:06:02 <stevemar> there should be an operator or two there, mfisch i think
18:06:49 <morgan> i already got my ticket.
18:06:55 <morgan> i need to do the hotel thing though
18:06:59 <stevemar> there are a few other hotels around, but try to book at the conference hotel
18:07:06 <gagehugo> morgan: same
18:07:20 <gagehugo> not sure what hotels are going to be
18:07:20 <morgan> gagehugo: annnnnd airfare.. but that can wait :P
18:07:27 <gagehugo> yup
18:07:55 <stevemar> hotel booking through foundation discounted price: https://www.starwoodmeeting.com/events/start.action?id=1609140999&key=381BF4AA
18:08:06 <morgan> oooh starwood.
18:08:28 <stevemar> alright, next sub topic
18:08:32 <stevemar> #topic What question should we ask our users in the next user survey
18:08:44 <stevemar> #link http://lists.openstack.org/pipermail/openstack-dev/2016-December/109500.html
18:09:13 <stevemar> any ideas on this? I think last time i asked about what kind of user store is used, sql / ldap / federation / mix
18:09:19 <morgan> something something distributed
18:09:25 <morgan> multi-az
18:09:34 <morgan> try and hammer down the story for that.
18:09:37 <ayoung> What federation protocols do they need support for?
18:09:46 <lbragstad> ayoung ++
18:09:57 <stevemar> we only get 1 question unfortunately
18:10:02 <lbragstad> that might give us some direction on the work dstanek is doing with native saml support
18:10:13 <dstanek> stevemar: 1 really/
18:10:30 <breton> how much policy files are changed
18:10:32 <ayoung> me, we know we need SAML and openidc
18:10:41 <ayoung> what roles do people want
18:10:58 <lbragstad> breton yeah - that would be a good one, too
18:11:15 <morgan> so 3 options imo
18:11:15 <lbragstad> can it be an essay question? ;)
18:11:20 <dstanek> what is keystone lacking?
18:11:32 <breton> nobody knows what keystone is lacking.
18:11:43 <dstanek> breton: then it's done!
18:11:44 <lbragstad> "In 500 words or less, what do we need to work on?"
18:11:45 <breton> i tried asking a lot and everyone wants it to "just work"
18:11:57 <morgan> 1) policy, 2) something something multi-az how many etc needed, 3) native saml?
18:12:12 <lbragstad> morgan ++
18:12:57 <stevemar> reply back to the ML if you can about your suggestion
18:13:03 <stevemar> otherwise i'll pick one of the ones here
18:13:04 <lbragstad> I think we could use some more feedback on policy - that kind of information is always hard to come by
18:13:06 <ayoung> morgan, what do you mean by multi az?
18:13:08 <morgan> 4) Write an Essay covering all aspects of keystone you are currently using and wish to have in the future. Use proper grammar, this essay will be graded on a 1-5 scale.
18:13:20 <morgan> must be 1000 words or more, no more than 15 pages
18:13:22 <samueldmq> I agree a great question would be something that will help us to set a long term goal starting/continuing in next cycle
18:13:47 <breton> nobody except us wants something in keystone
18:13:55 <breton> people want some concept
18:13:58 <breton> like "policy"
18:14:09 <morgan> ayoung: how many azs are folks really running single keystone in, how many are they trying to scale out to (single = single shared store), why single shared store/issues with it/latency/etc.
18:14:14 <stevemar> breton: yeah, i understand what you mean
18:14:18 <breton> (it's the one i heard a lot btw)
18:14:19 <morgan> ayoung: it's just a request we keep getting asked about.
18:14:23 <ayoung> what is an az?
18:14:29 <samueldmq> but if the public is using/testing, they know what keystone is abou
18:14:30 <samueldmq> about
18:15:01 <morgan> availability zone, datacenter, discrete cloud install, pick your poison
18:15:07 <ayoung> Ahhhh
18:15:23 <ayoung> I was reading it as authz....got it
18:15:24 <stevemar> let's go with the scaling question
18:15:26 <morgan> using "aws" terms since it is pretty universal :)
18:15:38 <breton> i am afraid that with the multi-az question we are going to be asking 5-7 people
18:15:50 <breton> because 90% of deployments are single-region
18:15:51 <ayoung> you'd be surprised breton
18:16:04 <morgan> i think we can refine the question and get needs/desires
18:16:10 <ayoung> many are single region due to constraints, would like to have more
18:16:15 <morgan> ayoung: ++
18:16:38 <stevemar> we could have it open ended and say "are you using multiple regions, and if not, what is stopping you"
18:16:45 <breton> ayoung: yes. But we are basically asking them to architect for us.
18:17:06 <ayoung> breton, many people are willing to architect it, so long as they don't have to implement it
18:17:13 <ayoung> we can then pick and choose
18:17:14 <morgan> stevemar: let's make it 2-way open ended
18:18:05 <stevemar> morgan: want to work with me on this?
18:18:22 <morgan> stevemar: Are you using multiple regions backed by a single shared keystone (replicated or otherwise)? If so, what are the shortcomings you are running against and how far are you trying to scale? If not, are you looking to move to multiple regions in a shared keystone backend and/or what is stopping you (limitations)?
18:18:28 <morgan> stevemar: something like that as a starting place.
18:18:31 <morgan> stevemar: sure.
18:18:34 <stevemar> rgr, let's move on
18:18:38 <stevemar> #topic Office hours starting this Friday [lbragstad]
18:18:57 * morgan locks the door(s) to the office so we can watch lbragstad try and pick the lock.
18:19:02 <lbragstad> alright - this is pretty self explanatory
18:19:03 <stevemar> lbragstad: ^
18:19:16 <dstanek> woot!
18:19:16 <ayoung> morgan, suspect lbragstad would resort to chainsaw
18:19:19 <lbragstad> last year dstanek was running office hours every friday
18:19:22 <morgan> ayoung: truth
18:19:27 <ayoung> or explosives
18:19:49 <lbragstad> ayoung both are acceptable
18:19:50 <stevemar> i'm super pumped about it
18:19:52 <lbragstad> or mjolnir
18:19:56 <ayoung> HA!
18:19:56 <lbragstad> but yet
18:20:15 <stevemar> we have a lot of little bugs to squash: https://docs.google.com/spreadsheets/d/156q820cXcEc8Y9YWQgoc_hyOm3AZ2jtMQM3zdDhwGFU/edit?usp=sharing
18:20:16 <lbragstad> we want to restore that meeting - and see if we can get it going again
18:20:22 <lbragstad> anyone have questions about the format?
18:20:56 <stevemar> lbragstad: we can adapt as we go, i think the way to make it succeed is to talk about it in the channel and communicate often
18:21:03 <lbragstad> stevemar ++
18:21:21 <samueldmq> just in the case someone is not looking at the etherpad
18:21:25 <stevemar> anyone else plan on attending? :)
18:21:26 <lbragstad> I'm totally open to finding new ways to keep the initiative afloat
18:21:28 <samueldmq> mailing list announcement
18:21:30 <samueldmq> #link http://lists.openstack.org/pipermail/openstack-dev/2016-December/109319.html
18:21:40 <samueldmq> etherpad
18:21:42 <samueldmq> #link https://etherpad.openstack.org/p/keystone-office-hours
18:21:45 <lbragstad> I for sure will be blocking off most of my day to it
18:21:50 <gagehugo> I'm definitely interested in it
18:22:03 <dstanek> I'll be around
18:22:16 <stevemar> 4 of us at least :)
18:22:28 <lbragstad> 16:00 - 23:00 UTC (9:00 - 17:00 CST)
18:22:35 <lbragstad> ^ that's my availability
18:22:38 <stevemar> alright, next topic ...
18:22:55 <stevemar> #topic bumped a bunch of blueprints [stevemar]
18:23:08 <stevemar> i bumped the following to Pike:
18:23:10 <stevemar> Native SAML in keystone
18:23:11 <stevemar> Extend user API to support federated attributes
18:23:11 <stevemar> Versioned federation mappings
18:23:12 <stevemar> Per-User Auth Plugin Requirements
18:23:14 <stevemar> Fernet Key Store
18:23:36 <stevemar> feature proposal freeze deadline was dec 31/16
18:23:44 <morgan> ++
18:23:54 <stevemar> native saml / versioned mapping / per-user auth had no code
18:24:00 <stevemar> fernet store had a -2
18:24:21 <stevemar> and federated attributes, it's going to be a 2-parter anyway, the work for Ocata can still go in
18:24:55 <morgan> per-user-auth will have some code up soon, just better to delay since this is a short cycle
18:25:14 <breton> good, i was struggling a little to get the fernet key store stuff into proper shape.
18:25:16 <stevemar> well folks can always ask for an exception
18:25:19 <morgan> if some leading refactoring lands, great, but I don't expect the bulk of the functional bits to land.
18:25:39 <samueldmq> stevemar: that's nice. we have a few weeks for 3 features (in progress) and some bugs
18:25:43 <samueldmq> sounds reasonable
18:25:57 <stevemar> samueldmq: right, this significantly reduces the amount of new stuff landing in o-3
18:26:15 <stevemar> with shadow mapping and role check being the big ones
18:26:16 <morgan> proposal: never make a freeze happen on new years again
18:26:23 <ayoung> Heh
18:26:28 <lbragstad> lol
18:26:33 <morgan> either hit that freeze before the break or after
18:26:35 <morgan> not on.
18:26:44 <breton> why?
18:26:53 <stevemar> morgan: it was agreed upon at the summit, to give folks who really wanted to code on the holiday a chance to do a PoC
18:26:59 <morgan> it's still silly
18:27:01 <ayoung> heh
18:27:26 <morgan> i would have pushed for 1st day back
18:27:30 <stevemar> with the change in cycle dates i don't think it'll be an issue
18:27:34 <morgan> anyway
18:27:37 <morgan> not a big deal
18:27:40 <stevemar> yah
18:27:54 <stevemar> noted for next time (whoever runs the show after me :) )
18:28:18 <stevemar> looks like no questions there, will jump to next topic
18:28:19 <samueldmq> freeze on the 1st and you'll need 3 cycles to recover
18:28:38 * samueldmq 's kidding
18:28:47 <stevemar> #topic a single policy file
18:29:27 <ayoung> Ha!
18:29:35 <stevemar> i was looking at using oslo.policy's in-code defaults, but then realized we have 2 policy files
18:29:44 <lbragstad> stevemar mhmm
18:29:48 <ayoung> stevemar, ah, you mean just for Keystone?
18:29:54 <ayoung> cloudsample should die
18:30:06 <stevemar> ayoung: yes, just the sample keystone provides
18:30:12 <lbragstad> for historical context - how come we have two policy files?
18:30:13 <ayoung> I thought you meant one policy for all OpenStack
18:30:16 <stevemar> nah
18:30:16 <ayoung> opensmack
18:30:39 <samueldmq> I think we could transfer some checks from cloudsample to the main one if needed
18:30:42 <stevemar> lbragstad: i lack the historical context :)
18:30:43 <samueldmq> and then kill cloudsample
18:30:48 <ayoung> OK, so, a lot of the issues that cloudsample exposed went into the rbac middleware design
18:30:50 <dstanek> cloud sample is the one I use all the time
18:31:14 <stevemar> cloud sample is more "domain-aware"
18:31:25 <lbragstad> (this actually leads into a topic i have for the policy meeting tomorrow so I'm super curious about this history of this)
18:31:25 <samueldmq> stevemar: ++ let's make the main one domain-aware too
18:31:28 <ayoung> can't change the default without breaking a lot of people
18:31:29 <samueldmq> and kill the cloud sample
18:31:41 <stevemar> i assumed what samueldmq said, move some checks over to policy.json and delete cloud sample after
18:31:45 <ayoung> let's kill domains
18:31:45 <lbragstad> ayoung is that because v2.0 isn't domain aware?
18:32:04 <ayoung> lbragstad, it's because people do domain operations with admin tokens scoped to projects
18:32:15 <lbragstad> oh
18:32:26 <ayoung> you break workflow.  Horizon only recently grew domain awareness
18:32:58 <breton> "domain operations" sounds weird
18:33:00 <ayoung> a lot of Henry's rule writing was way too complicated to follow in cloud sample, too.  Matching the scope....
18:33:11 <rodrigods> isn't the main policy file the one with the global admin issues?
18:33:13 <samueldmq> migrate and deprecate the cloud sample
18:33:16 <ayoung> breton, "operations on domains" sound better?
18:33:18 <samueldmq> put a notice on the top of it
18:33:25 <ayoung> rodrigods, they both have that
18:33:29 <samueldmq> people using it should at least open the file (and see the notice ) :)
18:33:30 <breton> domains sounds to me just like containers for projects and users
18:33:35 <ayoung> it was easier to fix in cloudsample
18:33:43 <rodrigods> but the main one just checks "role:admin"
18:33:46 <breton> ayoung: nah, i'm talking about the meaning of it
18:33:59 <rodrigods> the cloudsample at least have the cloud_admin
18:34:08 <breton> what purpose do domains serve today?
18:34:09 <rodrigods> and the concept of domain_admins
18:34:13 <ayoung> rodrigods, someone needs to carry forward the 968696 work.  I've been pulled off it
18:34:17 <breton> 1. Source of users
18:34:22 <breton> 2. ???
18:34:23 <samueldmq> so we're saying we can't make the policy better because it'll break people ? :(
18:34:31 <stevemar> yeah, i like the "cloud_admin" and "domain_admin" difference that is in cloud sample
18:34:32 <ayoung> breton, a namespace for projects
18:34:35 <rodrigods> breton, think it is a clear separation in the cloud
18:34:45 <rodrigods> at least, the reseller idea was going to push that way
18:34:52 <breton> ayoung: why do we need that?
18:34:56 <ayoung> stevemar, we can't force roles on people either without breaking it
18:35:16 <ayoung> breton, without it, project names are global
18:35:22 <ayoung> consider the implications.
18:35:48 <breton> ayoung: ok, so 2. namespace for projects
18:36:04 <stevemar> looks like we need more investigation here
18:36:06 <breton> 3?
18:36:12 <ayoung> breton, that is it
18:36:14 <ayoung> just the 2
18:36:32 <stevemar> i thought it was just created to better show the domain operations available in v3
18:36:38 <rodrigods> i always thought the cloudsample was going to be the main one
18:36:47 <ayoung> rodrigods, that was one opinion
18:36:49 <rodrigods> the only issue was the "domain_id" checking for the cloud_admin
18:36:58 <stevemar> rodrigods: yep
18:37:00 <rodrigods> but we have the admin project now, so...
18:37:12 <ayoung> rope Henrynash in to any discussion on this, please
18:37:21 <ayoung> it's his bailiwick
18:37:22 <stevemar> ayoung: i was just going to do that offline :)
18:37:27 <lbragstad> ^ that sounds like an action item
18:37:30 <samueldmq> I also would like to hear henrynash's opinion, he's the one who originally wrote it iirc
18:37:37 <stevemar> i'll take that as an action item
18:37:54 <ayoung> IMNSHO the rules in cloudsample are way too hard to follow
18:38:14 <rodrigods> ayoung, yeah... but that's our fault
18:38:18 <ayoung> but they are a better "scope" check than the base policy file
18:38:27 <rodrigods> if we want to be detailed in the rules, it needs to be written like that
18:38:40 <stevemar> looks like it went in here: https://github.com/openstack/keystone/commit/c7a5c6cf27a80ca50db9f1a1a74e8795eeefd9d1
18:38:51 <stevemar> back in havana :)
18:39:29 <ayoung> think in terms of rbac in middleware and you will see that they should be mostly scope checks
18:39:40 <ayoung> admin in there for the rare api
18:40:03 <ayoung> otherwise, the domain ops rules should be allowed for anyone with the appropriate role on the domain
18:40:53 <stevemar> i'll talk with henry about it, it was just something i was mulling over
18:41:02 <stevemar> #topic open discussion
18:41:27 <lbragstad> stevemar if you get henry in -keystone, i'd be happy to hop in that discussion, too
18:42:00 <lbragstad> stevemar i'd like to start thinking about proposing a project tag for rbac support and assess using keystone as an example for other projects to follow
18:42:20 <lbragstad> and consolidating our policy files sounds like a good first step
18:42:50 <samueldmq> lbragstad: ++
18:43:09 <stevemar> yeah, it's going to be a whole thing
18:43:31 <stevemar> if no one has anything else we can end it early
18:45:02 * stevemar is assuming quiet for 2 minutes means he can end the meeting
18:45:07 <stevemar> thanks for coming all :)
18:45:11 <stevemar> welcome back
18:45:16 <breton> yey.
18:45:16 <stevemar> #endmeeting