18:00:05 #startmeeting keystone
18:00:06 Meeting started Tue Jun 27 18:00:05 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:07 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:08 ping ayoung, breton, cmurphy, dstanek, edmondsw, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, notmorgan, rderose, rodrigods, samueldmq, spilla, aselius
18:00:10 The meeting name has been set to 'keystone'
18:00:17 o/
18:00:26 hi all
18:00:28 o/
18:00:37 o/
18:00:40 s/notmorgan/morgan/
18:00:49 o/
18:00:58 o/
18:01:00 #link https://etherpad.openstack.org/p/keystone-weekly-meeting
18:01:02 agenda ^
18:01:09 o/
18:01:36 we have quite a bit to get through this week
18:01:46 #topic announcements
18:01:58 #info no meeting next week in observation of the 4th of July
18:02:13 we'll resume our normal meetings on the 11th
18:02:34 #info office hours have been moved from Friday to Tuesday 19:00 - 22:00 UTC
18:02:51 #link http://lists.openstack.org/pipermail/openstack-dev/2017-June/118921.html
18:03:02 this announcement on the mailing list can be found ^
18:03:23 the meeting time will be right after this meeting, which works out nicely
18:03:44 so - after this meeting, anyone interested in office hours or bug work, we can meet in #openstack-keystone
18:04:04 I was tinkering with the Meeting Bot this week and I think we will try to use that to log the whole session
18:04:23 o/
18:04:23 we can leverage the meeting bot tooling to track things and so on
18:04:42 I'll also try and send weekly updates after each office hour session
18:04:58 ideally shooting for something similar to what cdent does
18:05:02 o/
18:05:03 for the tc related things
18:05:25 #info we're two months away from release
18:05:40 #link https://blueprints.launchpad.net/keystone/pike
18:05:47 those are the specs that we're targeting for pike
18:06:13 we have quite a bit of work ahead of us for pike yet
18:06:29 o/ im down for office hours
18:06:35 gagehugo: good deal
18:06:51 I need to make a calendar event for this
18:06:52 lbragstad: how accurate is the delivery column?
18:07:03 gagehugo: I made one, I can add you if you'd like
18:07:09 sure!
18:07:13 preferred email?
18:07:53 hrybacki: that's a good question, i don't think it's accurate for the deprecated-as-of-pike or removed-as-of-pike specs
18:08:00 same one on the etherpad for office hours is fine
18:08:05 i need to update those since i kinda started working on that this week
18:08:18 a little late o/
18:08:41 lbragstad: ack, are any of those 'red'?
18:08:57 support for federated attributes could use a follow up/assessment
18:09:14 policy-docs is *almost* done, we merged a couple more patches for that recently
18:09:32 * hrybacki nods
18:09:35 For federated-attr as far as i remember, most patches were in good shape, but need a final push.
18:10:08 i remember there being a lot of discussion about the approach towards the end there
18:10:17 i need to follow back up on that discussion
18:10:40 lbragstad: I can probably take that over (federated attributes)
18:10:48 rderose: awesome - that'd be great
18:11:17 rderose: i thought dstanek had several comments/concerns with it, but i need to go dig those up
18:11:21 or follow up with him
18:11:30 lbragstad: cool
18:11:36 just so they don't get lost
18:12:10 #action rderose to assess and pick up the remaining federated attributes work
18:12:27 #action lbragstad to go through the deprecated-as-of-pike and removed-as-of-pike specs
18:12:35 #topic documentation migration
18:12:49 sjain: samueldmq have been making some great progress on this front
18:12:59 we've migrated the installation guide and the admin guide
18:13:07 #link https://review.openstack.org/#/c/469515/
18:13:11 #link https://review.openstack.org/#/c/474545/
18:13:28 we have a little work left to do for the configuration guide
18:13:30 #link https://review.openstack.org/#/c/474543/
18:13:51 for ^ we mainly want to make sure we're not maintaining a copy/pasted version of our configuration file
18:14:04 lbragstad and sjain have been doing all the awesome work, I am just reviewing :)
18:14:21 instead - dhellmann had a suggestion to use oslo.config to generate the configuration reference bits for us
18:14:37 we essentially just need to hook that up, and we're good to go
18:15:01 ++
18:15:05 the remaining documentation work is mostly shuffling bits around to the proper places and removing duplicate information between the guides (which there is a lot of)
18:15:26 lbragstad: ++
18:15:33 if anyone is interested in helping out there, let me know or feel free to start consolidating information from the Operator guide into the admin guide
18:15:44 please do also update the structure for all of the other repos, so that the new templated docs.o.o site will link to the right place
18:16:07 thanks dhellmann, we need to make sure that too
18:16:12 dhellmann: you mean the ones documented in the etherpad
18:16:13 according to the cp spec, correct?
18:16:14 #link https://etherpad.openstack.org/p/doc-migration-tracking
18:16:30 lbragstad : yes (assuming I built the full list :-)
18:16:45 samueldmq : yes
18:16:56 dhellmann: nice, thanks
18:17:01 i see the keystone specific repos at line 205 and they look correct
18:17:17 also at line 467 for the independent libraries
18:17:20 \o/
18:17:52 so - fwiw, we've been focused on the keystone specific docs but we'll need to make sure we do the same for all the repos listed in that etherpad
18:18:16 lbragstad: all the repos under the umbrella of keystone team, correct?
18:18:22 samueldmq: yes
18:18:25 keystoneauth, python-keystoneclient, and so on
18:18:36 even openstack/ldappool
18:18:47 and openstack/python-keystoneclient-kerberos
18:18:58 kk I may get one of those and do that
18:19:07 while you and sjain fight keystone itself
18:19:29 i don't think migrating will be much of a task if any, most of those projects are pretty light when it comes to documentation
18:19:37 ah, I didn't know keystoneclient-kerberos was a thing yet :(
18:19:39 it's more or less making sure we do it and it's consistent with the spec
18:19:55 gotcha
18:20:14 the majority of the documentation migration work is certainly going to be in keystone
18:20:40 which leads nicely into our next topic
18:20:54 #topic PKI certificate cruft
18:21:16 after we merged the admin-guide into keystone, i noticed we have *tons* of duplicate documentation between the admin-guide and the operator guide
18:21:25 #link https://docs.openstack.org/developer/keystone/
18:22:02 one of the things that was documented heavily was the use of certificates for PKI
18:22:09 (which isn't supported by keystone anymore)
18:22:36 as a result, we have a bunch of configuration options in our config file for certificates
18:22:43 since keystone doesn't support PKI anymore
18:23:00 and the /OS-PKI/ API effectively returns an empty list
18:23:16 I'm wondering if we can remove that documentation and complexity from our configuration
18:23:20 #link https://review.openstack.org/#/c/476688/1
18:23:27 I've proposed it here ^
18:23:34 lbragstad: yes from me
18:23:55 and we just document those APIs in the api-ref, saying they return empty lists (or whatever) since it's not supported anymore
18:24:09 i think if we can assess the usage of those options in keystone and come to the conclusion that they are not needed or used, then we should remove them
18:24:41 +1 for trimming the fat
18:25:01 is anyone interested in picking apart where those options are used?
18:25:20 within keystone that is?
18:25:31 No spare cycles right now on my end =/
18:25:43 no worries - i have to ask :)
18:26:22 I can help but I would need to read a bit about this before
18:26:35 sjain: that'd be great
18:26:40 sjain: that makes sense
18:27:12 sjain: we can push it to the back burner too, with respect to the rest of the documentation work
18:27:21 currently I'm not very familiar with this but can surely spend some time on this
18:27:35 sjain: cool - let me know if/when you need help
18:27:42 and we can work through it
18:27:44 sure :)
18:27:55 that's awesome, thanks for volunteering sjain
18:28:06 no problem :)
18:28:12 #action lbragstad and sjain to go through the certification configuration options and assess them
18:28:48 sjain: do you have anything else docs-wise you'd like to share?
18:29:17 no not much, the openstack manuals you have already discussed
18:29:32 I was also working on improving the devdocs
18:29:51 sjain: yeah - that's another piece that needs to get reworked
18:30:02 I am getting reviews on those so it would be fine
18:30:13 sjain: i'll make a note to review those soon
18:30:33 sure, thanks
18:30:45 ok - moving on
18:30:48 #topic Cleaning up deprecated functionality/removals of Pike
18:31:18 i was going through and double checking that we'd either deprecated or removed everything we needed to for Pike
18:31:36 and stumbled across a few remaining bits
18:31:39 lbragstad: dumb question -- how do you do that?
18:31:49 hrybacki: we use a library
18:32:02 hrybacki: https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L26
18:32:04 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L26
18:32:20 which allows us to do stuff like this
18:32:22 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L1097-L1101
18:32:50 ohh
18:32:57 so - wherever that library is used, a message will be logged saying that specific thing is going away in a certain timeframe
18:33:04 and possibly what you should use instead
18:33:08 lbragstad: I have something to add to that list
18:33:10 #link https://github.com/openstack/keystone/blob/af4e98c770d771144463e6dd49cb4b559d48c403/keystone/auth/core.py#L38-L59
18:33:37 samueldmq: ah - i saw that too
18:33:43 i have that on line 41 in our agenda :)
18:35:01 hrybacki: i make a point every release to grep through the code base for the library and see what we're planning on removing
18:35:09 * hrybacki nods
18:35:26 the ones listed in the agenda are the remaining bits we said we are going to remove in pike but haven't yet
18:35:40 I must have missed a few on my flight back from atlanta
18:35:46 i think once all of those are addressed, we'll be done with the removed-as-of-pike blueprint
18:36:15 the first one on the list is the usage of domain_config_upload
18:36:21 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/cmd/cli.py#L1097-L1101
18:36:27 i can propose a patch to remove that one
18:36:38 #action lbragstad to remove domain_config_upload option
18:36:56 fwiw - we'll need to include release notes for each of these i think
18:37:03 second
18:37:05 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/auth/core.py#L52-L57
18:37:09 There's a removed as of pike release note
18:37:10 was support for domain config files dropped?
18:37:16 Add them there
18:37:27 bknudson: no, just the ability to upload a domain config using keystone-manage
18:37:31 knikolla: ++
18:37:47 bknudson: the functionality is still supported via the API
18:38:06 seems strange to remove the upload function if somebody might want to do it
18:38:39 #link https://github.com/openstack/keystone/commit/a5c5f5bce812fad3c6c88a23203bd6c00451e7b3
18:38:54 looks like topol did it when the domain configuration api became stable
18:40:06 i can send a note to the operator list
18:40:10 might at least want to put a warning if using domain config files that says we don't provide a way to switch from files to database
18:40:40 yeah
18:40:57 #action lbragstad to send a note to the operator list about removing domain config upload functionality
18:41:05 worst case we bump it and keep it deprecated
18:41:06 but I'd prefer getting rid of files before removing the utility
18:41:26 bknudson: oh - like removing support for domain config files instead?
18:41:30 yes
18:41:47 ah - yeah... i agree
18:42:04 I assume the plan was to stop supporting files at some point?
18:42:22 bknudson: i think so - by the sounds of the commit message topol wrote
18:42:40 it sounds like the idea was to at least provide some way to migrate domain configs into the database
18:43:32 so maybe we mark domain config file support as deprecated then
18:43:44 pending operator feedback
18:44:26 and then plan to remove domain config upload and domain config file support at the same time?
18:45:33 i can send something to the mailing list
18:45:48 next
18:45:49 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/auth/core.py#L52-L57
18:45:52 samueldmq: ^
18:46:11 so, the text there is pretty self-explanatory
18:46:40 yeah - we were also going to remove it almost a year ago
18:46:50 I am working on a patch for it right now
18:47:04 will submit in a bit, so this will be one thing less to keep our eyes on
18:47:07 samueldmq: awesome
18:47:28 #action samueldmq to propose patch for removing direct imports of auth plugins
18:47:39 next
18:47:42 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/conf/eventlet_server.py
18:47:52 eventlet support has been deprecated *forever*
18:47:58 well - since Kilo, but still
18:48:22 wow
18:48:25 yeah, I don't think people use it still
18:48:31 or at least shouldn't
18:48:35 but we never put a remove_in date on eventlet support
18:48:52 * lbragstad feels like morgan has context on this topic
18:48:55 lbragstad: we might want to check with morgan?
18:48:56 I think the problem was that some of these options may still possibly be used
18:48:59 lbragstad: ++
18:49:21 for example, one could put %(public_bind_host)s in their config file
18:49:30 or in the service catalog
18:49:34 bknudson: ah
18:50:06 maybe that's deprecated and can be removed, too?
18:50:19 bknudson: that's a good question
18:50:47 it'd be nice to remove it, but the fact there isn't a removal date on the deprecation tells me it's there for backwards compat of some kind
18:51:39 i can follow up here
18:51:57 next
18:52:17 we updated the hash algorithm to be more secure
18:52:35 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/conf/identity.py#L170
18:53:10 this one is minor, i was just going to propose a formal removal of that instead of having it in a comment
18:53:21 * lbragstad isn't really sure why he put this one on the agenda
18:53:32 Secure SSL proxy
18:53:33 #link https://github.com/openstack/keystone/blob/9070172084fe31c9564de38886662fb198de68cb/keystone/conf/default.py#L162-L171
18:53:44 this one has been deprecated for about a year
18:54:22 any objections to removing this and if so when should we do it?
18:54:46 we should have a date on that if possible to let operators know when it's going away
18:55:50 * hrybacki doesn't have enough historical context to answer
18:56:08 i'll come up with a removal proposal and we'll do it in another release
18:56:27 #action lbragstad to propose removal date for secure ssl proxy configuration
18:56:32 whew
18:56:33 and i'm done
18:56:38 #topic open discussion
18:57:00 \o/ remove everything!
18:57:01 Office hours are a go! woot
18:57:33 sweet - break for a few minutes and then start office hours in #openstack-keystone
18:57:37 I still have a total negative line count on my keystone contribs, haha
18:57:40 ++
18:57:47 knikolla: you are living the dream
18:57:49 knikolla: that's a good thing
18:58:15 reminds me of the oslo.incubator days
18:58:21 * hrybacki fetches mas cafe
18:58:41 agreed - going to make some coffee quick and we'll get started with office hours
18:58:45 thanks for the great meeting!
18:58:47 #endmeeting