16:00:21 #startmeeting Mistral
16:00:21 Meeting started Mon Jan 25 16:00:21 2016 UTC and is due to finish in 60 minutes. The chair is rakhmerov. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:23 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:25 The meeting name has been set to 'mistral'
16:00:27 hi Dmitri
16:00:31 how are you?
16:00:36 Ok now :) hi
16:00:48 hello
16:00:52 hi
16:00:53 Half asleep :)
16:01:19 hi there
16:01:30 hi
16:01:34 hi all
16:01:46 let's start
16:02:45 #topic Review Action Items
16:02:53 1. rakhmerov, hparekh_: discuss https://blueprints.launchpad.net/mistral/+spec/mistral-items-filtering
16:02:56 done
16:03:03 there's already a patch on review
16:03:11 yeah
16:03:16 :)
16:03:21 please let me know your view
16:03:37 #action rakhmerov: review patch about items filtering
16:03:38 :)
16:03:42 2. rakhmerov: participate in [TripleO] Driving workflows with Mistral
16:03:45 thanks
16:04:11 I was participating in this thread but it is still alive so I need to continue
16:04:31 #topic Current status (progress, issues, roadblocks, further plans)
16:04:58 my status: I was actually off work for 1.5 weeks
16:05:19 last week I made several reviews, that's it
16:05:41 my status: reviewed patches, planning to start thinking about tests for murano-dashboard repo
16:06:01 my status: I have fixed some gate issue, fixed some tests which were failed periodically. submitted patch for items filtering.
16:06:07 akuznetsova: murano? :)
16:06:11 status: bug fixes, multiple patches stuck in review
16:06:19 rakhmerov, mistral)
16:06:22 ok
16:06:26 ohh
16:06:28 sorry
16:07:17 work on multiple projects has an effect
16:07:48 m4dcoder: yeah, sorry about that. It's such a period for us. Nikolay is on vacation, I've been on sick leave for a long time
16:07:56 akuznetsova: understandable
16:07:58 np
16:08:46 <^Gal^> I uploaded a patchset for Horizon, regarding the tooltip thing we need
16:08:51 <^Gal^> for cell to access another cell
16:09:09 <^Gal^> and I have some stuff for review
16:09:17 ^Gal^: ok
16:09:48 rakhmerov: are you feeling better? when is Nikolay back? i hope things get back to normal. the projects seems to move at a rather slow pace of late.
16:10:02 ^Gal^: I saw messages from lane_kong that some patches to dashboard don't have some necessary info required by release tools
16:10:19 something like "Merged XXX" where XXX should be a patch id or something
16:10:29 I didn't understand it on 100%
16:10:45 ^Gal^: are you aware of this? Did you talk to lane_kong?
16:11:07 m4dcoder: yes, thanks! I'm now almost ok, will be working full time since the middle of this week
16:11:22 m4dcoder: Nikolay will be back in a week
16:11:33 good good :)
16:12:31 ^Gal^: here?
16:13:58 ^Gal^: ok, let me know once you're back or we can talk offline
16:14:42 we were actually supposed to release M-2 last week (on Jan 21st) but I didn't have a chance to talk to Lingxian yet
16:14:50 who is our release liaison now
16:15:07 #action rakhmerov: check how M-2 release go
16:15:59 we also need to have a planning session for M-3 asap so I'd like to ask you to come up with your preferences
16:16:38 #topic Mistral Security
16:17:17 anybody from ALU is here now?
16:17:55 a little bit of background: we now still have a big issue with using sensitive information in Mistral workflows
16:18:27 the issue is: we can't hardcode any passwords in workflows themselves and we can't pass them as input params
16:18:49 because Mistral stores them unencrypted in DB and puts into logs
16:18:56 so it is not protected
16:19:07 for example, it is related to ssh actions
16:19:52 from user perspective, it's also not feasible to have required ssh keys on executors
16:20:01 they have to be pre-configured
16:20:29 we had a couple of attempts to address this problem but it's still not solved properly
16:20:57 Moshe suggests we implement actions for using Barbican
16:20:59 https://blueprints.launchpad.net/mistral/+spec/support-barbican-actions
16:21:18 * redrobot pokes head in
16:21:45 rakhmerov is there a spec I could review for that?
16:21:58 we have only bug for it https://bugs.launchpad.net/mistral/+bug/1337268
16:22:00 Launchpad bug 1337268 in Mistral mitaka "Security issue: user secure info is not protected properly (logs, API, DB)" [Critical,New] - Assigned to Lingxian Kong (kong)
16:22:09 yes
16:22:14 redrobot: no spec yet
16:22:20 we need to transform it to bp first
16:22:32 yes
16:22:48 so we need to create a spec I guess, this is correct
16:23:01 i'm unsure how this actually works. the action will return the secret and it still needs to be passed to the other action that needs it as input param.
16:23:08 we already have a few suggestion of how it can be implemented (in bug's comments)
16:23:43 rakhmerov, yes, we need spec, but afaik spec require link to bp
16:23:53 m4dcoder: yes, I don't know either
16:24:13 akuznetsova: true, I agree
16:24:45 #action rakhmerov: convert https://bugs.launchpad.net/mistral/+bug/1337268 into BP
16:24:47 Launchpad bug 1337268 in Mistral mitaka "Security issue: user secure info is not protected properly (logs, API, DB)" [Critical,New] - Assigned to Lingxian Kong (kong)
16:24:53 We can consider borrowing the solution from StackStorm
16:25:27 Where we mark secret parameters and mask them in API and logs.
16:25:29 dzimine: could you describe briefly the essence of it?
16:25:38 dzimine: makes sense
16:25:58 I suggested long time ago that we should use a special data type
16:26:14 and make all our layers explicitly aware of it
16:26:15 this requires mistral to define a type of schema for action inputs. to be consistent and not just for input with secret.
16:26:23 DB is ok, at most encode the secret but it's admin duty to protect it.
16:26:33 so that if we print into log, for example, we replace it with *****
16:26:43 when we store it in DB we apply encryption
16:26:43 I'll fish out a PR with impl and share it in the BP
16:26:50 dzimine: yes
16:27:06 dzimine: that would be great
16:27:21 Ok.
16:28:01 as far as the API I thought it could be something like: when we pass input parameters we have a simple mechanism to explicitly mark it somehow
16:28:26 so that from that point on all layers take care of them as of sensitive data
16:28:45 but ok, I'm eager to see your idea
16:30:14 #action dzimine: File a BP with description of how we can approach the issue with security data
16:30:57 so let's continue with this
16:31:15 ALU folks also want to backport it to Liberty once it's implemented
16:31:21 we need to see if it's possible
16:31:42 #topic Open Discussion
16:32:10 so other than that I don't have topics to discuss for now
16:32:38 rakhmerov: hi i have sent you mail regarding Austin summit did you check it ?
16:32:42 dzimine: please let me know if there's anything specific from StackStorm side for M-3
16:32:57 hparekh_: replied to you today
16:32:58 yes
16:33:08 oh will check
16:33:21 hparekh_: I'd ask you to share your plan, if possible
16:33:30 for M3, i'm still fighting for time to spec the task priority scheduler
16:33:44 as far as my participation: I would like to be there but it's not confirmed yet
16:33:48 I might not be there
16:34:01 rakhmerov:yeah sure I will share
16:34:13 m4dcoder: did you have a chance to discuss that with ALU?
16:34:29 they had a strong opinion on that topic
16:35:01 not directly. i just plan to have the spec and then discuss. it won't impact them if they don't want to change.
16:35:14 they were against it
16:35:27 but yes, I guess as long as it's configurable it won't harm them
16:35:30 my proposal is to have a plugin for how it is scheduled. they can use the plugin that uses the same algorithm.
16:36:31 m4dcoder: yeah, makes sense
16:37:09 m4dcoder: plugin arch is clear to me, I'm rather thinking how this algo would work at all
16:37:15 I don't see a clear picture now
16:37:34 i'll try to paint it clearly in the spec
16:37:43 the issue is that we use MQ and I'm not sure how we can implement this kind of scheduling on top of it
16:37:59 m4dcoder: ok, then I'll be waiting for a spec
16:38:12 cool
16:38:19 when do you think you'd be able to draft it?
16:38:58 i hope soon. i'm fighting for time to do this.
16:39:16 ok )
16:39:19 understood
16:39:59 alright
16:40:06 anything else to discuss?
16:40:33 as usually, I'll count to 10 and end the meeting
16:40:35 1
16:40:36 2
16:40:37 3
16:40:38 4
16:40:39 5
16:40:41 6
16:40:43 7
16:40:45 8
16:40:47 9
16:40:49 10
16:40:54 bye
16:41:01 bye. thx!
16:41:01 ok, thanks for joining! Bye everyone
16:41:11 #endmeeting