16:01:56 #startmeeting keystone
16:01:56 Meeting started Tue Jan 8 16:01:56 2019 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:57 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:59 The meeting name has been set to 'keystone'
16:02:05 #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:02:08 agenda ^
16:03:17 is anyone around?
16:03:29 o/
16:03:30 o/
16:03:38 o/
16:04:14 o/
16:04:42 * knikolla is fully back from the holiday break.
16:05:01 good deal - we'll give folks another minute to join
16:06:09 #topic Upcoming PTG Attendance
16:06:28 the foundation usually sends out emails asking for rough estimates
16:06:48 which helps them plan rooms and whatnot
16:06:53 o/
16:06:58 i know it's probably still a bit early for people
16:07:18 but does anyone know if they're planning on going to the PTG in Denver?
16:07:41 I probably will be there.
16:08:02 no idea yet
16:08:15 I won't. :(
16:08:20 :(
16:08:45 if you do plan on going, just ping me
16:08:47 I too have no idea
16:09:07 in the meantime, i'm going to give the foundation a rough estimate
16:09:24 #topic Previous Action Items
16:09:34 o/
16:09:46 the only thing we had from last meeting was to reach out to the nova team about unified limits
16:10:22 now that people are back from holiday - we should be able to get a response
16:11:07 i think we have an existing thread going for unified limit discussions, so i'll update that
16:11:25 #topic Reviews
16:11:38 does anyone have reviews that need eyes?
16:13:15 https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/domain-level-limit
16:13:23 for domain level limit
16:13:43 ++
16:13:58 i gave most of that series a once over, but I'll revisit it
16:14:09 thx
16:14:23 does anyone else have reviews?
16:15:12 any eyes on https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles would be great
16:15:49 most of those are pretty cookie cutter patches, so if anyone is interested in picking some up and closing bugs, just let me know
16:15:53 i have an easy one https://review.openstack.org/629115
16:16:37 nice
16:17:00 i'd also like to get some feedback on some configuration options needed for JWT
16:17:02 #link https://review.openstack.org/#/c/628676/1
16:18:34 #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1793374 would be good to review, too
16:18:37 if anyone has time
16:19:10 anything else review-wise?
16:19:58 #topic Review Priority
16:20:04 I've noticed a few other teams doing this
16:20:12 and I'm wondering if people here have an opinion on it
16:20:15 I had some thoughts about this
16:20:23 #link http://lists.openstack.org/pipermail/openstack-discuss/2018-December/001304.html
16:20:29 context ^ if folks aren't aware
16:20:39 I looked at our review queue and we have about 130 open patches open, about 100 of them are from 3 different authors and all high priority imo
16:20:51 that was a few days ago when i looked
16:20:56 yeah...
16:21:24 (60+ of them were from lbragstad iirc :P)
16:21:38 but because of that i'm not really sure it would help us right now
16:21:45 right
16:21:54 also - our team is pretty small
16:22:00 right
16:22:09 it makes more sense for huge teams like nova and cinder
16:22:17 yeah
16:22:36 does anyone (or new reviewers) think it would help them in finding reviews to look at?
16:23:38 I agree with cmurphy's reasons
16:24:08 sounds good
16:24:25 we can move on - i appreciate the feedback
16:24:41 #topic Technical Vision Self Evaluation
16:24:49 #link http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001417.html
16:25:12 in case you aren't aware, the TC recently came up with a technical vision for OpenStack
16:25:21 this helps us, as a whole, on a number of fronts
16:25:50 from a project-perspective, it should help us realize how we fit into the OpenStack project
16:25:55 (as keystone)
16:26:18 the document is meant to be a living thing, that has the ability to evolve over time
16:26:36 TheJulia has asked that we take a look at it from a keystone perspective
16:26:53 and we should approach the TC if we find anything we'd like to change or work on improving
16:27:04 really interesting
16:27:13 (her note explains this better than what I'm doing right now)
16:27:36 I'd like it if we could take an action item as a team to give a quick look over the next couple weeks
16:27:49 then we can talk about anything, if we come up with stuff, in a subsequent meeting
16:27:56 sounds good to me
16:28:06 * cmurphy adds to list
16:28:15 other openstack projects are doing a similar exercise
16:29:00 let me know if you have questions and this is obviously an activity open to everyone
16:29:28 #action keystone team to look over Technical Vision document from the TC
16:29:44 we'll circle back on this next week
16:29:50 ok
16:29:56 does anyone have questions right now?
16:30:48 alright - moving on
16:30:51 #topic Athenz update
16:31:04 there hasn't been any movement on this since Berlin
16:31:18 but it sounds like James is going to be attending the edge meeting next week
16:32:05 iirc - the only thing we have to do between now and then is possibly review how keystone currently implements x.509 support
16:32:26 and see if there are any parallels to the approach Athenz takes with auto-provisioning
16:33:10 so - if that sounds like a lot of fun to you, let me know
16:33:26 i have it on my list, but it's not near the top
16:33:26 i was gonna take a look at that, it kept sliding down my list since the summit
16:33:36 yeah - i hear ya...
16:33:46 i can try to move it up
16:33:55 awesome
16:34:34 if you get into it and find ways to break up the research into smaller bits, i'll probably be more useful
16:34:44 ok
16:35:01 thanks cmurphy
16:35:10 any questions on this?
16:35:56 #topic open discussion
16:36:08 floor is open if folks have anything they'd like to talk about
16:36:39 #info we're about 7 weeks away from feature proposal freeze
16:37:06 just something to keep in mind - we have a lot of things in flight
16:37:21 Yeah I have some queries regarding federation. Can we have more than one federation protocol for IDP?
16:37:56 federation protocol with different mapping files
16:38:37 vishakha: yes you can
16:39:28 cmurphy: When an IDP will send response to SP, so which federation protocol it will go for?
16:41:06 Different protocols are essentially treated as different IdPs. When you start the authentication process you select IdP and protocol.
16:41:48 So the protocol used will be the one which you requested when starting the authentication process in keystone.
16:44:30 knikolla: When I test my K2K federation through CLI, I just pass the remote project and the name of SP.
So I am a little confused that if I have created multiple protocols with same IDP name that I created on SP but with different mappings
16:45:28 So my user will be mapped to which mapping file
16:45:32 ?
16:45:51 vishakha: when you registered the auth_url it has the protocol in the path.
16:46:02 like `http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth`
16:46:12 is idp `myidp` and protocol `mapped`
16:47:53 knikolla: if both protocols are saml2?
16:48:29 you can't create two protocols both named saml2 for the same idp
16:48:52 you also don't necessarily need to call it saml2, or mapped. you can alias the plugin.
16:49:21 cmurphy: knikolla. ok I got it thanks
16:49:24 :)
16:50:03 still, i don't see it that useful to use two mappings, for essentially the same protocol and the same idp.
16:50:11 i think we removed the ability to alias the plugin
16:50:13 you can't force users to use one over the other, so things are going to get ugly.
16:51:18 well, you can... with blacklists... but you can also use blacklists and whitelists in a single mapping to get the same result probably.
16:51:54 Just some random cases I was looking into. Thanks for taking up the queries
16:52:13 thanks for poking all the corner cases :)
16:53:01 anything else for open discussion?
16:54:05 well - thanks for the time everyone
16:54:14 reminder that we have office hours in a few minutes
16:54:23 otherwise, have a great day
16:54:30 #endmeeting