18:01:39 #startmeeting keystone
18:01:40 Meeting started Tue Jan 24 18:01:39 2017 UTC and is due to finish in 60 minutes. The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:42 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:43 o/
18:01:43 ping ping agrebennikov, amakarov, annakoppad, antwash, ayoung, bknudson, breton, browne, chrisplo, crinkle, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, gyee, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nisha, nkinder, notmorgan, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, shaleh, spilla, srwilkers, StefanPaetowJisc,
18:01:43 stevemar, topol, portdirect, SamYaple
18:01:45 o/
18:01:45 The meeting name has been set to 'keystone'
18:01:45 o/
18:01:47 o/
18:01:49 \o/
18:01:51 Oyez
18:01:52 o/
18:01:53 \o
18:01:54 o/
18:01:55 o/
18:01:58 howdy
18:01:59 o/
18:02:00 hi
18:02:03 #agenda https://etherpad.openstack.org/p/keystone-weekly-meeting
18:02:06 #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:02:39 quickly do announcements i suppose
18:02:44 #topic announcements
18:02:59 today is the last week for ocata-3 and keystoneclient!
18:03:09 we'll be releasing both on thursday
18:03:30 o/
18:03:38 we've got a few major patches that need to get in
18:03:39 o/
18:03:43 https://review.openstack.org/#/c/409874/ (add domain_id to user table)
18:03:44 https://review.openstack.org/#/c/423705/ (refactor shadow user tests)
18:03:44 https://review.openstack.org/#/c/423708/ (set domain for federated users)
18:03:45 https://review.openstack.org/#/c/403916/ (PCI: force password reset) (has +2) (and a -1)
18:04:01 #link https://etherpad.openstack.org/p/keystone-sprint-to-ocata
18:04:05 https://review.openstack.org/#/c/424334/ (code defined resource specific options)
18:04:20 so it
18:04:29 so it's an all-hands on deck sort of week :)
18:04:41 i would like to ask to review one more -- https://review.openstack.org/#/c/415545/
18:05:05 or decide what we do with it, if https://review.openstack.org/#/c/423708/ doesn't go in
18:05:10 breton: add it to the etherpad
18:05:19 breton: federated user will belong to a domain soon
18:05:44 i will release keystoneclient soon, no necessary work there
18:05:52 rderose: replied to your comment(s)
18:06:00 (whoopse meant that to be in -keystone)
18:06:03 morgan: thanks
18:06:07 spilla had a patch that needed to go in keystoneclient for the password expires query stuff
18:06:21 https://review.openstack.org/#/c/423339/
18:06:23 lbragstad: add it to the etherpad too
18:06:28 i didn't see that one
18:06:42 thanks for the heads up
18:07:06 i'll postpone the ksc release until it's in then
18:07:08 ftr, i am very close to a -2 on the password expires on first use due to it lumping more functionality on a terrible config option.
18:07:21 spilla, +2 from me. Nice
18:07:26 morgan: yeah, i think that's the most bumpable from me
18:07:29 i have been working on a way to unwind it.
18:07:42 but it depends on if we want to land the code i've been working on and do the deprecation
18:07:55 i didn't -2 since it was possible to unwind it.
18:08:03 morgan, I can +2 that -2.
18:08:05 :)
18:08:13 but if we're not i'd like to hold until pike
18:08:29 ayoung: hehee
18:08:46 morgan: I'm happy to deprecate and use the new options list if we can get that in
18:09:06 rderose: sounds like a plan
18:09:12 yeah, lets see how we go on that front w/ dstanek and i'll solicit a review from ayoung too
18:09:23 morgan: happy to review
18:09:28 stevemar: i assumed you would :P
18:09:52 #topic ptg
18:09:54 rderose, when did you get the OK to go ahead with Triggers? I'm OK with it, in general, but I thought there was real pushback. Are we just ignoring that, or have we convinced the amorphous OTHERS that it is the only way
18:10:10 the okay or the force to use trigger?
18:10:11 :)
18:10:17 ayoung: didn't convince, we didn't -2 it
18:10:23 rderose, yes
18:10:25 ayoung: they went forward because not enough push back
18:10:32 morgan, you still against?
18:10:36 ayoung: oh well. not worth fighting it now
18:10:43 i am, but it's landed and has prior art in newton
18:10:48 this takes 2 seconds to review https://review.openstack.org/#/c/424704/ and was slipped in by my previous change
18:10:49 i'm not going to force the issue
18:10:55 ayoung: since triggers was the agreed upon approach for zero downtime, had to implement
18:11:09 morgan, rderose OK..then I can get behind that patch stack
18:11:12 triggers are still terrible imsho
18:11:24 imnsho*
18:11:38 knikolla, +2A
18:12:14 ayoung: thanks!
18:12:22 okay, back to ptg
18:12:23 So...I am not going to the PTG.
18:12:30 anyone else not going?
18:12:39 i need to book a plane ticket
18:12:42 I got approval to go so plan to be there
18:12:53 i'll be there
18:12:55 * breton waiting for visa
18:12:58 looks like it's in the same place where lbragstad got stabbed.
18:13:05 bknudson ack
18:13:07 ayoung: that sucks
18:13:11 bknudson: really?
that's surprising to hear :)
18:13:13 i'm going
18:13:23 bknudson: (about the approval, not lbragstad's stabbing)
18:13:24 the flashbacks have already started
18:13:29 wait lbragstad was stabbed? wut did I miss?
18:13:32 * rodrigods not going
18:13:38 he actually didn't
18:13:40 morgan it was terrible
18:13:40 rodrigods: :(
18:13:43 lol
18:13:59 ayoung was supposed to go
18:14:13 sounds like we'll have more people at ptg than the last summit
18:14:20 rodrigods, yeah, was hoping to hand on my ticket, too
18:14:21 ++
18:14:29 I have approval and my trip is booked, so i'll be there
18:14:57 #topic Pike PTG etherpad
18:15:00 lbragstad: you're up
18:15:09 ok - this has been around for a few weeks
18:15:21 #link https://etherpad.openstack.org/p/keystone-pike-ptg
18:15:23 link?
18:15:28 ayoung ^
18:15:41 yeah, I'm either too fast or too slow
18:15:52 want to make sure people have had the chance to absorb it before we start grouping things into buckets and start planning
18:16:08 * stevemar has to dial into org meeting, apparently there are 150 on the call
18:16:14 Hello is this the scientific-wg meeting?
18:16:20 armstrong, not yet
18:16:24 armstrong, keystone
18:16:26 armstrong: nope, keystone time
18:16:26 armstrong nope - this is the keystone team meeting
18:16:38 ok thanks
18:16:59 lbragstad: i was going to wait until after this week to start adding to the etherpad
18:17:03 so that's all I really have for that, just a reminder for folks to look into the etherpad and make sure we have everything we want to talk about on there
18:17:16 stevemar cool
18:17:26 stevemar that's it for me then
18:17:42 I've added something about having a pool of ideas for outreachy/gsoc programs
18:17:53 it'd be nice to have internships going from time to time :)
18:18:16 samueldmq, oh, that's nice
18:18:24 lbragstad: there was https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm from last summit
18:18:30 nishaYadav: :)
18:18:36 we could also look at the existing backlog
18:18:57 stevemar ++
18:19:18 lbragstad: done on this topic?
18:19:24 stevemar I can take an action item to parse that and add backlogged topics from the last summit
18:19:25 stevemar yeah
18:19:45 #topic Should we move to storyboard
18:19:51 lbragstad: your item again
18:19:58 whoo!
18:20:17 ++ to storyboard
18:20:22 please note fungi and my comment
18:20:23 diablo_rojo pinged me with a bunch of information about story board
18:20:35 it is highly recommended we do not move until the minimum VMT requirements are met
18:20:39 since keystone is VMT managed
18:20:42 morgan sure - that's valid
18:20:56 i am a huge fan of storyboard over LP provided the VMT minimums are met
18:21:01 for keystone
18:21:11 yeah, i believe the point of diablo_rojo's questions was to ferret out whether there are any additional blockers the keystone team might have above and beyond other already identified blockers
18:21:14 the main thing diablo_rojo was asking in his note was if there was anything else we could think of that needs to be added to storyboard
18:21:20 It would be awesome if you all could take a look to see if there is anything else that keystone needs besides VMT support :)
18:21:23 fungi ++
18:21:26 what is VMT ?
18:21:32 vulnerability management team
18:21:33 vulnerability management team
18:21:37 (ah!)
18:21:38 thanks
18:21:44 o/
18:22:01 so - i spent a bunch of time playing with it last week
18:22:10 i encourage others to do the same
18:22:19 diablo_rojo: iow, i personally don't see anything needed for keystone besides the features the VMT requires, but i'll defer to other cores
18:22:29 also there is a bunch of good resources in the etherpad
18:22:29 lbragstad: link ?
18:22:33 #link https://storyboard-blog.sotk.co.uk/why-storyboard-for-openstack.html
18:22:36 same opinion morgan
18:22:58 i generally like new shiny toys
18:23:09 morgan, noted :)
18:23:14 #link sandbox https://storyboard-dev.openstack.org/#!/board/list
18:23:28 yeah, we need people getting familiar with it.
for projects like keystone i expect the main determining factor will be that you share quite a few lp bugs with other teams (nova, oslo, cinder, whatever) and will need to wait until you're all ready to migrate together
18:23:33 fungi diablo_rojo would keystone be migrated to the existing deployment here - https://storyboard.openstack.org/#!/story/2000814 ?
18:23:40 lbragstad: yes
18:23:48 fungi cool
18:24:09 fungi, beat me to it :)
18:24:18 other more tangential/ancillary teams are free to start migrating sooner since they have less overlap
18:24:31 if anyone decides to play with it and has feedback - feel free to pass it along to me and I can aggregate the notes
18:24:32 Just do it
18:24:46 we are never going to close 968696 anyway
18:24:48 infra migrated a couple years ago and have been dogfooding it for some time already, to increasing levels of success
18:24:50 lbragstad, will try
18:25:01 fungi: unrelated question. is it available for non-big-tent teams?
18:25:06 knikolla: yes
18:25:31 lbragstad, that would be a huge help if you wanna be my point of contact :)
18:25:36 fwiw - i think the concept of worklists is going to be super nice
18:25:55 so the idea is that we partially migrate for next cycle ?
18:26:06 (a worklist for a release for example)
18:26:07 keeping VMT related bugs in LP ?
18:26:23 diablo_rojo yeah - i can do that
18:26:30 what is the relationship going to be between Specs and Storyboard?
18:27:00 samueldmq, I would think you would want to wait so that you aren't using two tools at once, but I would think that would be okay. fungi?
18:27:14 ayoung: hopefully stories can encompass specs
18:27:25 but i am unsure if that is really the case
18:27:33 yeah, how to migrate private lp bugs is still up in the air since the migration tool isn't able to query them. sb does support creating private stories already for quite some time
18:27:33 morgan, so we are not going to submit them via Gerrit once we migrate?
18:27:36 I believe we will create a story in storyboard for a feature, but the description can still link to the detailed specification in the keystone-specs repo (I could be corrected by fungi or diablo_rojo though)
18:27:45 i would hope that would be the case ayoung
18:27:50 diablo_rojo: that makes sense. is there support for it upstream ? (is it just anything to be enabled in OpenStack's storyboard)
18:27:56 or does it need to be implemented yet ?
18:27:58 long term i would like to see the gerrit reviews drop
18:28:02 and just use stories
18:28:10 but there will be transition regardless
18:28:16 lbragstad: yep, and for infra specs we create a specs repo task in the story as the first task
18:28:19 Gah...can't we use one tool. lbragstad lets lock the git repo, and just use storyboard. Gerrit is tough way to edit what should be collaborative documents
18:28:35 blueprints die, too
18:28:39 fungi: i would like to just work so there is no longer a keystone-specs repo
18:28:41 fungi: tbh
18:28:49 fungi do you break stories across worklists then (per release, backlog, accepted, etc..)?
18:28:51 fungi: it would be nice if stories could fill that need
18:29:04 diablo_rojo: ^ i can talk with you on specifics for that
18:29:16 * morgan has always hated needing multiple (3?) methods of documenting work
18:29:20 right, infra's "feature" stories are very hollow. they just link to/from a spec and then gerrit auto-updates the tasks in the story as they're implemented for tracking purposes
18:29:28 fungi: ah cool
18:29:51 OK...close out Ocata with existing toolchain, all Pike+ work on storyboard? We ready for it?
18:29:52 we'd have to have some way to denote state in a story for "accepted" or "bumped" specs
18:30:16 infra's use of worklists and boards has been fairly ad-hoc so far. they're getting used more heavily for the zuul v3/nodepool v1 implementation work for example
18:30:18 fungi: i'd like to see that inverted personally. i really dislike the specs-repo.
gerrit is a bad tool for that.. but SB can grow to fill that need eventually
18:30:19 lbragstad, I think you could just move the story to a different worklist
18:30:32 fungi: is there tooling to move existing bugs and bps to storyboard?
18:30:35 diablo_rojo oh - good point (that reminds me of trello)
18:30:38 morgan, definitely a direction it could take.
18:30:45 to begin with best bet is going to be move bugs/work -> SB
18:30:49 lbragstad, I <3 trello :)
18:30:50 and keep specs repo for now
18:30:52 stevemar: yes, we have an import script for lp bugs, though not for blueprints i don't think
18:31:02 diablo_rojo so does dstanek!
18:31:08 fungi: bps can die in keystone
18:31:14 :-)
18:31:16 as long as we do the switch at a release marker
18:31:28 i'm ok with bps being left behind
18:31:38 (we tend to close non-active ones now)
18:31:45 morgan: some BPs are actually good ideas
18:31:48 and use them just as a "hey X patch is associated to them"
18:32:06 we would need to vet each of the open BPs (there are about 75 i think)
18:32:07 stevemar: manual resubmission (those are far and few w/o a spec already)
18:32:19 storyboard's boards feature is fairly basic trello-like kanban, with the addition that you can have cards automatically transition between columns as the story tasks change state (usually triggered automatically by changes being proposed to or merging in gerrit)
18:32:30 if that's of interest
18:32:42 fungi I like that
18:32:59 A much nicer organization and flow than lp
18:33:47 ooh
18:33:52 the subteam in infra working on zuul v3 have been doing more and more with automatic worklists and boards, so they can probably provide some better evaluations of what it's like for real-world use. i haven't done much but skim them so far
18:34:58 is the api documented somewhere?
18:35:19 well OK, sounds like we can move to LP maybe during the PTG timeframe (before ideally)
18:35:22 i know various folks here have their own tools for pulling info from launchpad, so those would need to be rewritten to talk to storyboard
18:35:48 will LP be open for people to report bugs? like users and operator?
18:36:00 LP or storyboard?
18:36:06 i can't imagine this change will go over well with them :)
18:36:06 stevemar, they will be able to report them in SB
18:36:10 stevemar: lbragstad perhaps we could use one of the Fridays/sprints for bugs for the initial migration ?
18:36:11 or are you talking about after the migration?
18:36:11 lbragstad: it is documented, will get link now (hi!)
18:36:20 Zara thanks!
18:36:25 lbragstad: talking about after
18:36:32 stevemar ah - good question
18:36:33 lbragstad: http://docs.openstack.org/infra/storyboard/webapi/v1.html
18:36:39 Zara, the queen of storyboard :)
18:37:27 diablo_rojo: have you received feedback from ops and users about the SB move?
18:37:34 will it require a new id?
18:37:40 diablo_rojo: hah, I only know where the docs are
18:37:52 right now it bases auth on Ubuntu One
18:38:02 stevemar, Not a whole lot yet, that's another thing that's on my todo list :)
18:38:09 but it sounds like we can switch that to the OpenStackID auth system
18:38:13 doesn't even use keystone for authentication.
18:38:16 stevemar, it should be the same id
18:38:25 diablo_rojo: okay cool
18:38:29 bknudson ++
18:38:35 bknudson good?
18:38:38 ;)
18:38:40 lbragstad, yep OpenStackID will rule all
18:38:48 i just don't want our consumers thinking this is yet-another-openstack-tooling-change :P
18:38:58 unless there's a large benefit
18:39:09 diablo_rojo, has it been reimplemented in a reasonable IdP yet?
18:39:12 right, auth will initially be openid via lp because we need to keep account parity when we're importing bugs, but after the import is done the plan is to switch it to openstackid.org authentication
18:39:26 stevemar, understandable. I think this change has been a long time coming. There are a lot of things that SB sets out to fix that LP struggled with.
18:39:29 i think ttx does a good job explaining that in #link https://storyboard-blog.sotk.co.uk/why-storyboard-for-openstack.html
18:39:43 ayoung, IdP ?
18:39:52 fungi: nice, makes sense
18:39:56 my worry is that folks will bail on filing a bug because they don't want to do a bit of extra work
18:40:03 diablo_rojo, openstackid was using some proprietary 3rd party hard to work with implementation
18:40:10 we already have a hard time getting feedback from users and operators
18:40:10 lbragstad, stevemar yes, I plan on pointing out that article.
18:40:11 IdP is Identity Provider
18:40:32 stevemar, I want to do a talk on storyboard at the summit and then again at the ops meetup
18:40:46 diablo_rojo: okie :)
18:40:50 diablo_rojo: ayoung: there is a separate but related effort to reimplement the openid provider piece of openstackid with ipsilon, though that effort is currently stalling for available interested devs
18:41:32 fungi, Yay!
18:41:49 there is a poc ipsilon server up with some minimal glue to query the openstackid backend, and an emerging puppet module for deploying it, but that's as far as it's gotten
18:42:15 ayoung, so if you are interested in a little bit of work on the side we would love you to get involved ;)
18:42:17 so many bookmarks will be deleted :|
18:42:32 the idea there being that we would do a seamless transition for the openid provider interface when the time comes, so that effort can proceed in parallel
18:43:12 diablo_rojo, ask nkinder.
18:44:18 ayoung, ha ha okay :)
18:45:24 alright, i think we can move to open discussion
18:45:30 #topic open discussion
18:45:35 please welcome antwash_ (anthony), he was recently added to our team from qa (intel). he'll now be 100% on keystone.
18:45:48 whoop
18:45:51 ohhh just when i thought we were going to end early
18:45:55 hi antwash_ !
18:45:58 any good hazing ideas?
18:46:03 :)
18:46:16 rderose: nice!
18:46:20 i could come up with a few
18:46:21 haha -- thanks for the intro ron! Hey everyone -- very happy to be a part of the team :)
18:46:23 antwash_: welcome aboard!
18:46:27 antwash_: it's customary to buy the incoming and outgoing ptl a beer at the ptg/summit -- just saying
18:46:28 i want to discuss https://pp.vk.me/c837734/v837734937/1d76a/ZYkP7Ez5HpU.jpg
18:46:32 oh wow
18:46:34 not this
18:46:40 lol
18:46:41 https://review.openstack.org/#/c/415545/
18:46:43 this
18:46:57 (don't pin that visa photo for darts)
18:47:05 :)
18:47:10 breton: you look more aerodynamic
18:47:11 breton: nice!
18:47:14 stevemar : haha I got you a nice cold one promise
18:47:49 breton: what happened!
18:47:56 breton: if rderose's patch merges, it'll add domain id to federated users, do we still need yours?
18:48:05 breton: how much did you pay for that haircut?
18:48:14 rderose: he clearly lost a bet
18:48:22 stevemar: yes. Federated users still need to be in the groups
18:48:28 stevemar: "breton: you look more aerodynamic" this is the best comment ever possible :-)
18:48:37 rderose: $10 :p
18:48:46 haha you paid too much
18:48:48 Trusts for Federated users should be solved by rderose 's current efforts
18:48:49 $free.99
18:49:11 breton, is there anything you need beyond that?
18:49:42 you are adding groups to the identity via mapped...I think that is OK
18:49:44 ayoung: no, only add federated users to groups when they authenticate
18:50:11 breton, you might need to be forgiving there:
18:50:21 if groups don't exist...I know that has come up
18:50:35 breton: got it, that makes sense
18:50:42 i would rebase the patch on rderose's, but i am not sure that it will get in
18:50:51 I think https://review.openstack.org/#/c/415545/2/keystone/identity/core.py will be superseded by rderose work
18:50:55 you will always have a domain
18:51:15 i agree
18:51:24 breton: i will release ocata with rderose's patch
18:51:25 i just want the patch to get merged in Ocata
18:51:26 breton, so rebase on his changes, please
18:51:41 breton: we won't release ocata without rderose's patch
18:51:47 (and backport it to newton)
18:52:02 ok, sounds good. Will rebase.
18:52:05 breton: backporting won't happen since it depends on a migration :9
18:52:07 ++
18:52:26 stevemar: can we backport with https://review.openstack.org/#/c/415545/2/keystone/identity/core.py ?
18:52:52 the patch actually works even for Mitaka
18:52:58 breton, oh
18:53:33 people are now testing it for a customer who ran into the issue
18:53:39 breton: eh... you're going to be doing that same check all over the place
18:53:45 even in clients
18:54:54 i don't think it's a good backport candidate
18:54:54 ok, i am good with what we have decided for the main patch. I will rebase and then will propose a backport and we'll talk about it
18:55:06 okay with me
18:55:27 (and sorry for the photo. stupid ctrl+v)
18:55:36 :)
18:55:40 :)
18:55:41 (aerodynamics is cool indeed)
18:55:42 it gave us some lulz
18:55:42 hilarious
18:55:59 only because we were not expecting it :)
18:56:30 anyone else?
18:56:49 antwash_: it's also customary that the outgoing ptl's beer be served in a pitcher
18:57:17 ok ok, enough with the jokes stevemar
18:57:24 lets wrap up ocata and ship it!
18:57:40 thanks for coming everyone !
and for your hard work that will happen this week :)
18:57:44 ++
18:57:49 \o/
18:57:51 #endmeeting