16:00:03 <lbragstad> #startmeeting keystone
16:00:04 <openstack> Meeting started Tue Jul 10 16:00:03 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:06 <lbragstad> ping ayoung, breton, cmurphy, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk
16:00:07 <openstack> The meeting name has been set to 'keystone'
16:00:13 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:00:14 <hrybacki> o/
16:00:15 <cmurphy> o/
16:00:15 <lbragstad> agenda ^
16:00:16 <knikolla> o/
16:00:17 <gagehugo> o/
16:00:31 * kmalloc goes back to sleep.
16:00:56 * hrybacki hugs kmalloc
16:01:00 * knikolla makes coffee for kmalloc
16:01:10 <kmalloc> knikolla: i'm on my second cup already
16:01:11 <kmalloc> :P
16:01:30 <wxy|_> o/
16:01:33 <knikolla> likewise
16:01:50 <knikolla> our cloud is down, it was a long night
16:01:58 <hrybacki> such a supportive group
16:02:06 * hrybacki hugs knikolla too
16:02:07 <lbragstad> we'll give it one more minute
16:03:15 <chason> o/
16:03:56 <lbragstad> #topic announcements: release status
16:04:04 <lbragstad> #info this week is feature freeze
16:04:17 <lbragstad> as noted in the release schedule
16:04:20 <lbragstad> #link https://releases.openstack.org/rocky/schedule.html
16:04:38 <lbragstad> there are a couple efforts that seems like they still need some help
16:05:27 <lbragstad> it sounds like mfa receipts is going to get pushed until Stein?
16:05:44 <lbragstad> adriant was talking about that a little bit last night
16:05:55 <lbragstad> s/last night/yesterday/
16:06:02 <kmalloc> correct
16:06:15 <ayoung> Museum of fine arts?
16:06:22 <kmalloc> mostly to ensure we're on the same page as the token model refactor
16:06:23 * ayoung ducks
16:06:40 <kmalloc> ayoung: that is master of fine arts... tyvm.
16:06:56 <kmalloc> ;)
16:07:07 * ayoung only got BofS and a commission
16:07:39 <lbragstad> the capability list work is still waiting another revision i think https://review.openstack.org/#/q/topic:bp/whitelist-extension-for-app-creds+(status:open+OR+status:merged)
16:07:42 <lbragstad> #link https://review.openstack.org/#/q/topic:bp/whitelist-extension-for-app-creds+(status:open+OR+status:merged)
16:07:42 <ayoung> seems like MFA, unscoped tokens, and Federation tokens are all doing sorta the same thing
16:07:56 <kmalloc> ayoung: and a lot will be easier to work with under the token model refactor
16:08:08 <kmalloc> so, mfa pushing makes a lot of sense.
16:08:34 * lbragstad feels bad that the token provider refactor contributed to that
16:08:44 <ayoung> lbragstad, token provider is a beast
16:08:50 <kmalloc> as much as landing the receipts soon would be good. landing it first thing stien or even put in all the scaffolding just no emitting of data in rocky is fine too
16:09:08 <ayoung> it needed to be taken out behind the woodshed and given the Ole Yeller treatment before anyone else got infected
16:09:14 <kmalloc> we might want to work with adriant to split apart the api affecting changes and land the non-api specific ones once the token model lands.
16:09:15 <lbragstad> but i'd hate for the mfa implementation to carry a bunch of the debt we've been trying to clean up for a long time
16:09:22 <kmalloc> so stien is just wiring up receipt emitting
16:09:31 <kmalloc> and have that land in S1
16:09:40 <lbragstad> that sounds good
16:09:43 <kmalloc> (not to be confused with S0i3 sleep mode)
16:10:04 <lbragstad> does anyone else have anything they want to raise regarding the release or timeline?
16:10:17 <lbragstad> we still need to work on the community goal for this release
16:10:23 <ayoung> lbragstad, do you have a doc describing what your endstate is for the refactor?
16:10:23 * hrybacki has been out for the past week
16:10:33 <kmalloc> hrybacki: i tried to be out for the last week.
16:10:34 <hrybacki> kmalloc: am I good to jump back into policy audit?
16:10:35 <kmalloc> i failed
16:10:50 <lbragstad> ayoung: a doc, no... an interface, yes
16:10:53 <hrybacki> kmalloc: gotta leave the cellphone tower range ;)
16:11:07 <kmalloc> hrybacki: hah. i wish i could have.
16:11:21 <kmalloc> hrybacki: yes jump back in, but flask stuff hasn't all landed and conversion has not started fyi
16:11:43 <ayoung> lbragstad, I have a feeling that you are being driven by the same deamons that got me a few years back on that.  Lets chat after this to see if we can get a vision doc together so others can understand
16:11:49 <hrybacki> kmalloc: seems like I should still wait in that case
16:11:50 <kmalloc> ayoung: the interface is fairly well defined atm.
16:12:14 <ayoung> is that the end state?  A a better interface?
16:12:49 <kmalloc> ayoung: consistent unified interface that no longer assumes the token providers implement it
16:12:49 <lbragstad> a better interface and cleaning up the token provider API to have sane boundaries
16:13:07 <kmalloc> token provider populates the data and "mints [generates an ID]"
16:13:09 <lbragstad> thus, making it a lot easier for people to implement new token providers
16:13:15 <ayoung> token provider and token model are related but separate, and the token issue process is a third thing
16:13:17 <kmalloc> erm, mints only*
16:13:20 <ayoung> we should lay that out
16:13:34 <kmalloc> the token model populates the data behind the scenes
16:13:37 <lbragstad> i can walk through it after the meeting if you want
16:13:44 <ayoung> yeah, that would be grroovy
16:13:44 <kmalloc> lbragstad: good plan.
16:14:00 <ayoung> have to make it tomorrow, tho
16:14:08 <ayoung> afternoon booked solid
16:14:09 <lbragstad> #action lbragstad and ayoung to work through the token provider refactor
16:14:14 <ayoung> ++
16:14:16 <lbragstad> wfm
16:14:24 <lbragstad> anything else for the release schedule?
16:14:50 <hrybacki> I'm not so sure we'll land the policy changes on my side before freeze
16:15:12 <lbragstad> hrybacki: i can help with the audit today, i have a couple cycles
16:15:25 <ayoung> what about that request to roll back the default roles?
16:15:27 <hrybacki> lbragstad: ack that works
16:15:31 <ayoung> did we ever addres that?
16:15:41 <lbragstad> we helped the projects that needs to adapt to it
16:15:48 <lbragstad> needed*
16:16:00 <lbragstad> so the revert shouldn't be needed (the last i heard about it)
16:16:04 <hrybacki> I'd need to re-read the revert patch comments. Did someone file a bug?
16:16:24 <ayoung> cool
16:16:57 <lbragstad> #link https://git.openstack.org/cgit/openstack/keystone/commit/?id=50fd6933e8ab5ccf4ef232837fbe582d90c5c913 fixed the gate for sahara
16:16:58 <ayoung> hrybacki, make sure you add me to the policy changes revies
16:17:04 <hrybacki> ack
16:17:22 <lbragstad> ok - moving on
16:17:38 <lbragstad> #topic announcement: team updates
16:17:54 <lbragstad> every release we go through and assess core involvement and discuss new cores
16:18:24 <lbragstad> after a long discussion, we'd like to officially welcome wxy|_ to the core team :)
16:18:33 <ayoung> Yay!
16:18:33 <kmalloc> yay!
16:18:37 <hrybacki> woo!
16:18:38 <kmalloc> great work wxy|_
16:18:43 <kmalloc> and welcome.
16:18:49 <wxy|_> thanks, all
16:18:50 <cmurphy> \o/ thanks wxy|_
16:18:55 <gagehugo> \o/
16:19:02 <knikolla> \o/ great work wxy|_
16:19:04 <wxy|_> :)
16:19:13 <lbragstad> wxy|_: has been doing a fantastic job helping out in a time zone we have *very* little coverage in, and that's been a huge help
16:19:54 <lbragstad> i'll get the ACL squared away after the meeting today and send a note to the mailing list
16:20:16 <lbragstad> nice work wxy|_!
16:20:38 <wxy|_> I still need to learn more from you guys. Really thanks for all your help.
16:20:51 <ayoung> wxy|_, we are all learning from you, too
16:21:05 <lbragstad> ++
16:21:20 <gagehugo> agreed
16:21:36 <ayoung> “I have learned much from my teachers. I have learned more from my colleagues than my teachers. But I have learned more from my students than from all of them.”
16:22:17 <lbragstad> if there isn't anything else for team updates, we can move on
16:22:40 <lbragstad> #topic keystone to keystone tests
16:22:43 <lbragstad> knikolla:
16:22:45 <lbragstad> o/
16:22:49 <wxy|_> ayoung: a new English quote I get
16:22:52 <knikolla> o/
16:23:06 <knikolla> i have been promising k2k tests for the last 2 years
16:23:09 <ayoung> Heh
16:23:12 <knikolla> better late than never
16:23:26 <knikolla> #link https://review.openstack.org/#/q/topic:federation-testing+OR+topic:bug/1780377
16:23:40 <lbragstad> sweet :)
16:23:40 <knikolla> there's a patch to the plugin that sets up k2k
16:23:45 <kmalloc> woot
16:23:48 <cmurphy> yay \o/
16:23:51 <knikolla> there's a patch to the tempest plugin
16:24:11 <knikolla> and there's a fix to keystone-manage not generating correct metadata under python3, discovered courtesy of the tests
16:24:29 <kmalloc> well then, that is good to have testing for!
16:24:35 <cmurphy> i love it when that happens
16:24:39 <kmalloc> score1 for tests!
16:24:46 * kmalloc makes hashmark in the air.
16:25:13 <lbragstad> knikolla: so this all looks good to go then, huh?
16:25:21 <lbragstad> just need some eyes on the reviews?
16:25:29 <knikolla> yeah, reviews
16:25:36 <ayoung> Question....can we create a "keystone-reviewers" group that people can sign up for if they want to be included on reviews, and then people can add keystone-reviewers to a review instead of selecting people?
16:25:44 <ayoung> I tend to add keystone-core
16:25:51 <ayoung> but that misses non-core that want to contribute
16:26:06 <ayoung> and knikolla could use some more people on his reviews, I see
16:26:26 <kmalloc> ayoung: really, trello and/or gerrit project-page is what should be used for that, i don't think an additional gerrit group is going to help.
16:26:36 <ayoung> maybe treat keystone-reviewers as an intern project
16:26:41 <lbragstad> knikolla: i'll review these today
16:27:07 <knikolla> cool, not to distract from reviewing the huge features we want to push in before freeze
16:27:21 <knikolla> i just really wanted to burn through my backlog while in a good mood
16:27:25 <lbragstad> i usually only add people to reviews upon request... just because i know there are some people that use the email notification system to do reviews and adding people directly generates a lot of noise
16:28:35 <lbragstad> knikolla: anything else on the k2k testing stuff?
16:28:49 <lbragstad> we should send a note to the mailing list for this, too...
16:29:04 <lbragstad> i know some of the deployment projects will probably be interested in digging into it
16:29:38 <knikolla> when u have time review. the tempest-plugin i haven't spent too much time making look nice
16:30:05 <knikolla> but was focused on minimal code and making it work. and everything does work together.
16:30:15 <lbragstad> awesome
16:30:15 <knikolla> that's all i have.
16:30:24 <lbragstad> thanks knikolla this is awesome
16:30:29 <ayoung> ++
16:30:40 <lbragstad> #topic open discussion
16:30:44 <kmalloc> o/
16:31:07 <kmalloc> so, since we have a few cores here. flask work is proposed up to the point of being ready to move APIs over.
16:31:24 <kmalloc> i am hesitant to move apis because this stack is ~13 deep
16:31:36 <kmalloc> and i am already treading carefully to avoid rebase hell
16:31:59 <kmalloc> for the most part it is +2 all the way through *except* the keystone_flask +keystone_flask testing patch
16:32:06 <knikolla> ++ mutable config also depends on flask for the before_request hook
16:32:16 <kmalloc> #link https://review.openstack.org/#/c/578190/
16:32:39 <lbragstad> getting the flask stuff in is going to help hrybacki with the policy stuff, too
16:32:46 <kmalloc> once some of these patches land i can start moving APIs over to flask.
16:33:05 <kmalloc> it's been a lot of work, but we are well on our way.
16:33:22 <cmurphy> I started going through it a bit but it's pretty dense :/
16:33:31 <kmalloc> yeah, i tried to break it up as much as I could.
16:33:41 <kmalloc> unfortunately some of the things really are 500 LOC + 500 lines of tests
16:34:00 <cmurphy> I also don't know flask so understanding it is going to involve some research
16:34:24 <kmalloc> for the most part, the goal is to provide a clear move from webob to flask with minimal test/no test changes
16:34:38 <kmalloc> which is what a lot of this scaffolding is intended to do.
16:34:53 <ayoung> so...if we push that patch trhough, the rest will land?
16:34:55 <knikolla> i will review, though i'm not sure how much time i can spare today
16:34:56 <kmalloc> it's dense because it's covering a lot of ground. i'm around to answer questions.
16:35:09 <kmalloc> ayoung: well, some other +2s on earlier patches are needed
16:35:25 <kmalloc> ayoung: that patch is the last massive one that builds the structure for moving apis over
16:35:43 <ayoung> anything surprising in it?
16:35:43 <kmalloc> ayoung: but the other patches mostly already have a +2/previously had +2s and lost them in rebases.
16:36:01 <kmalloc> ayoung: shouldn't be, but i mean, you need to look at the code to see if you're surprised
16:36:15 <kmalloc> i try to not make it "SURPRISE" when writing code.
16:36:19 <kmalloc> keystone should be boring.
16:36:22 <ayoung> I'm going to propose that we be aggresive in pushing these through, and then aggresive in opening bugs
16:36:53 <ayoung> this is a hill we need to get over, and its easier to get up hills with momentum
16:36:55 <kmalloc> if i need to make large changes to the test suite to move an API to flask, i screwed up and you'll see a fix to the flask side.
16:37:16 <kmalloc> the ultimate goal is fix keystone then fix/retrofit tests to be better.
16:37:32 <kmalloc> since we can lean on the cool: "with self.test_client() as c:" mechanism
16:37:34 <ayoung> this is stand alone, right?> https://review.openstack.org/#/c/574736/
16:37:42 <cmurphy> are there features we're trying to land this week that this will conflict with?
16:37:50 <ayoung> and a prereq for a lot of others, if I read gerrit correcly
16:38:01 <kmalloc> cmurphy: i have been surgical, this should conflict with almost nothing
16:38:08 <lbragstad> the token provider refactor can wait until after feature freeze imo
16:38:13 <kmalloc> and i wont move any APIs that are touched by in-flight things.
16:38:29 <kmalloc> or moving apis can wait till post ff if they are in conflict
16:39:04 <kmalloc> we have a large surface area, i am sure i can work without breaking the ff-sensitive stuff :)
16:39:24 <kmalloc> lbragstad: and i think we only have 1 minor conflict between token refactor and flask as it sits.
16:39:43 <lbragstad> and it should be the controller/policy bit in middleware i htink
16:39:45 <lbragstad> think*
16:39:53 <kmalloc> ayoung: and yes that is the bottom of the stack
16:40:08 <kmalloc> lbragstad: yeah, it's the enforcer bit that leans on keystonetokenmodel
16:40:19 <lbragstad> right - ok
16:40:27 <kmalloc> i think it's one added line/2 added lines to fix.
16:40:39 <kmalloc> very minor.
16:41:45 <kmalloc> ayoung: that patch you referenced is the first actual move to flask, it moves our discovery stuff over. and that is very special because it can't be flask-restful-ized (due to the way it works)
16:41:45 <lbragstad> anything else we want to go through for open discussion?
16:41:51 <kmalloc> anyway ...
16:41:51 <ayoung> Yeah
16:41:57 <ayoung> so...edge
16:41:58 * kmalloc steps out and hands over the mic.
16:42:12 <ayoung> I want to put in a talk about Keystone and Edge, and wonder if anyone wants to join
16:42:17 <ayoung> Tentative title:
16:42:22 <ayoung> Pushing Keystone over the Edge
16:42:31 <knikolla> lol
16:42:39 <ayoung> hrybacki, and I are already on a policy talk together
16:42:40 <lbragstad> i don't understand enough about edge to be useful in a talk like that :)
16:42:52 <ayoung> this, I think, would be better if it is a multi-company speaker list
16:42:52 <knikolla> i'd be interested if i know more about what u're trying to do
16:42:55 <hrybacki> just push lbragstad :P
16:43:15 <ayoung> anyone interested, I'll talk with you off line.
16:43:28 <ayoung> but, the core thing is something jamielennox proposed a while back
16:43:39 <ayoung> which is putting a mini service catalog in unscoped tokens
16:43:44 <ayoung> and federtation tokens, too
16:43:47 <kmalloc> ayoung: love it
16:44:01 <kmalloc> ayoung: i'd offer to talk... but... uh
16:44:14 <kmalloc> ayoung: multi-company thing doesn't fly w/ just me and you
16:44:14 <ayoung> the general idea is that there is some centralized stuff, and you get that with an unscoped token, and then you go to the region
16:44:22 <ayoung> and we can use K2K to sync between regions
16:44:34 <kmalloc> k2k, and auto-refresh app-cred
16:44:41 <ayoung> still a little hazy, want to hash it out before the summit, but would ratjher work with other cores on it
16:44:50 <ayoung> knikolla, this might be right up your alley
16:44:55 <knikolla> ++ i'm interested
16:45:06 <kmalloc> yeah it plays right into OCX stuff
16:45:12 <ayoung> cool.  Deadline is approaching, lets talk tonight or tomorrow
16:45:14 <kmalloc> just without mix=match
16:45:23 <hrybacki> CFP closes next Tuesday IIRC
16:45:29 <ayoung> we'll run the general apporach past the rest of the core team prior to summit so it is unsurprising
16:45:45 <knikolla> sounds good
16:45:47 <kmalloc> ayoung: you are welcome to add me as well.
16:45:51 <kmalloc> i'm happy to join
16:46:04 <kmalloc> if you want. but i think you and knikolla would make a solid presenting team
16:46:05 <ayoung> excellent
16:46:16 * kmalloc will consult on the talk in either case.
16:46:35 <ayoung> thats all I got
16:46:43 <lbragstad> cool - anything else?
16:46:59 <lbragstad> otherwise we can get some time back before office hours
16:47:05 <kmalloc> not keystone related, but i found a puppy tooth on the floor yesterday. yay puppy teething!
16:47:19 * kmalloc hands ice to said pupper to chew on.
16:47:35 <cmurphy> ^.^
16:48:16 <lbragstad> thanks for coming everyone
16:48:21 <lbragstad> #endmeeting