#openstack-meeting log

20:12:01 <jbryce> #startmeeting
20:12:02 <openstack> Meeting started Tue Aug 16 20:12:01 2011 UTC.  The chair is jbryce. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:12:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic.
20:12:15 <jbryce> agenda - http://wiki.openstack.org/Governance/PPB
20:12:33 <jbryce> is ziad present?
20:12:39 <zns> Yes
20:12:45 <zns> zns=ziad
20:12:54 <jbryce> #topic Keystone review
20:13:12 <jbryce> ziad said he'd like to have keystone considered for promotion to core during this cycle
20:13:43 <jbryce> this wiki page had some of the criteria we had previously laid out as the things we would want to evaluate new projects on: http://wiki.openstack.org/Governance/Approved/NewProjectProcess
20:13:43 <zns> Part of the exercise is to figure out what are the requirements for inclusion in core...
20:14:38 <jbryce> zns: i think an update of how you feel the project is maturing from a development and deployment standpoint is a start
20:14:59 <zns> Item #1. DONE. Code is out there.
20:15:05 <zns> Item #2 is to gather feedback.
20:15:15 <zns> I'd like your feedback. Status right now is...
20:15:33 <zns> We're finalizing the API and aim to get a stable release out by Diablo.
20:15:53 <zns> We have production deployments (although, I admit, I have not been part of setting them up!)
20:16:31 <zns> Integration with other projects is moving along well (I'd say Swift integration is the toughest and still needs work).
20:16:48 <jaypipes> zns: I've been impressed with Keystone devs learning the new Gerrit processes and working with Monty and Jim to integrate with the CI infrastructure.
20:16:49 <notmyname> zns: I've been able to get it to work (however, the docs are completely wrong)
20:17:05 <zns> We have interested parties outside Rackspace submitting code (LDAP backend is one example).
20:17:20 <zns> notmyname: yes, docs are bahind.
20:17:25 <jbryce> do people feel like finalizing the api is an important milestone for core promotion?
20:17:27 <zns> behind
20:17:41 <anotherjesse> jbryce: I'm torn - since it is a high bar
20:18:08 <anotherjesse> but when we know that the api *WILL* change soon, it feels like it should be finalized before promotion
20:18:12 <ttx> zns: when do you plan to move your issues to LP bugs ?
20:18:13 <jaypipes> zns: one thing I'd like to see, though, is a little more restraint on +2'ing code reviews... it seems there is a bit of a "just wing it" thing going on there :) I think working with mtaylor to set up a param builder for Keystone would help to alleviate some of the issues.
20:18:59 <zns> ttx: working with jay/monty and team on that. They have a script. We're ready to do that as soon as we get the api done (focusing on that this week).
20:19:09 * jaypipes doesn't think finalizing 2.0 API should be a requirement for core promotion...
20:19:17 <ttx> zns: cool
20:19:18 <zns> jaypipes: agreed.
20:19:36 <jaypipes> zns: on the API front or the code review comment? :)
20:19:43 <ttx> jaypipes: do we have Keystone ubuntu/debian packaging under control ?
20:19:45 <notmyname> I don't think a final API is key. using the same processes as the other projects (like issues moving to LP) and establishing community involvement seem the important things top me
20:19:48 <zns> In fairness, we need to get more aggressive on following the LP workflow (Blueprint, approval, code, etc…).
20:20:02 <jaypipes> ttx: one sec, checking blueprint.
20:20:05 <vishy> i am split as well.  I think we need auth in core ASAP, but keystone is still highly volatile, and it might be sending a bad message to promote it right now.
20:20:16 <zns> jaypipes: on the review part.
20:20:24 <ttx> vishy: it will be promoted for the next release.
20:20:26 <anotherjesse> jaypipes: as someone who helps with implementation, deployed it and consumed it - it is a *required* part of openstack
20:20:29 <ttx> i.e. be in core for Essex
20:20:41 <johnpur> agree that we need to have a core auth project
20:20:43 <anotherjesse> jaypipes: but we need to get API settled ?
20:20:43 <ttx> it won't be part of "Diablo".
20:21:08 <ttx> so it needs to be stable in 6 months. Not now.
20:21:10 <anotherjesse> jaypipes: i'm concerned if it isn't, once it becomes core does it become harder to settle?
20:21:16 <mtaylor> ttx: I'm going to be attacking soren's keystone packaging work probably tomorrow (and zul's doing some work tonight_ so we should have it well under hand soon
20:21:22 <jbryce> ttx: that is a good point. we are talking about it being a core project for essex in ~7 months
20:21:31 <johnpur> there is a reality that core projects depend on it today and going forward
20:21:31 <anotherjesse> ttx: the problem with that statement is that nova is removing its user system to REQUIRE keystone
20:21:37 <jaypipes> anotherjesse: not sure. I don't feel that it becomes harder to settle, but that's an opinion, nothing more...
20:21:39 <anotherjesse> this milestone
20:22:13 <soren> anotherjesse: Wait, what?
20:22:18 <ttx> anotherjesse: I think that's a mistake.
20:22:25 <ttx> anotherjesse: I thought it was to be an option.
20:22:27 <anotherjesse> it is what was discussed at the last summit
20:22:36 <anotherjesse> and is what vishy has been talking about in blueprints, ...
20:22:36 <notmyname> anotherjesse: but that's not a big issue, is it? we all depend on other things (eg eventlet) that aren't in openstack core
20:22:55 <zns> If it helps, the API and implementation will be done by Diablo. Our goal is to have no changes after diablo feature freeze (9/6) and, in fact, have the API locked down this week (we're a few days behind our self-set deadline of 8/14).
20:22:59 <anotherjesse> notmyname: I am talking to the statement that stabliity of keystone api isn't important
20:23:04 <anotherjesse> notmyname: it is very important
20:23:21 <notmyname> anotherjesse: indeed. but is it a requirement for core inclusion?
20:23:32 <notmyname> anotherjesse: I tend to think not
20:23:37 <johnpur> what we need to do here is set a precedent/policy around the usage of keystone across projects.
20:23:39 <anotherjesse> notmyname: I wasn't sure
20:23:51 <jaypipes> anotherjesse: yes, agreed with notmyname. I don't think anyone is saying it's not important... just that it's not a blocker for core promotion.
20:23:57 <johnpur> i feel we are implicitly moving in the direction of "coreness"
20:24:04 <anotherjesse> johnpur: ya
20:24:23 <notmyname> johnpur: there are some important discussions around how/if it is integrated
20:24:26 <johnpur> shouldn't we make it official, and require the project follow the core project rules/guidelines?
20:24:50 <anotherjesse> johnpur: even if it isn't core, if dash, glance, nova all integrate with it
20:24:50 <anotherjesse> if in order to have a multi-tenant cloud you need keystone, then keystone is de-facto core ;)
20:25:02 <johnpur> anotherjesse: right
20:25:11 <jaypipes> anotherjesse: glance integrates with it, but doesn't *require* it...
20:25:19 <anotherjesse> jaypipes: right
20:25:21 <notmyname> johnpur: same with swift
20:25:33 <ttx> anotherjesse: ...and it is my opinion it should be the same for nova
20:25:35 <notmyname> err jaypipes:
20:25:44 <johnpur> i guess dash isn't core, but it requires it i believe
20:25:54 <jaypipes> notmyname: I got ya :)
20:25:58 <ohnoimdead> johnpur: yeah, dash requires keystone currently
20:25:58 <anotherjesse> notmyname: without keystone or swauth (both external auth to swift) then swift accepts any query right?
20:26:10 <ttx> dash requiring it is not an issue -- it's not in core
20:26:19 <notmyname> anotherjesse: yes, but we include a tempauth stub to do simple stuff
20:26:31 <johnpur> for folks that rae integrating authn/authz systems it is pretty important to have a consistent framework to hang openstack off of
20:26:51 <anotherjesse> notmyname: which is saying that "an auth system" needs to be added - even if simple
20:26:51 <ttx> vishy: do we *have to* rip out the current auth from nova ?
20:27:05 <alekibango> hmm so if i understand it correctly,  without auth  it will be possible to anonymously upload whatever images into glance for next 6 months ?    or i missed something...
20:27:06 <anotherjesse> ttx: and so that is what we have been talking about for nova
20:27:13 <johnpur> ttx: separate discussion
20:27:17 <anotherjesse> ttx: remove auth from inside nova to being external
20:27:19 <jbryce> so the questions that have been raised so far are around api stability, merge acceptance process, bug tracker and rate of change of the codebase. is there anything distinct for keystone specifically?
20:27:22 <anotherjesse> provided by a component
20:27:42 <anotherjesse> jbryce: what is the level of stability that we require
20:27:48 <anotherjesse> I want it to be core
20:28:00 <johnpur> anotherjesse +1
20:28:15 <anotherjesse> but I want it to have some level of stability by being in core
20:28:26 <anotherjesse> currently the mutation rate is HIGH
20:28:29 <creiht> Is there any level of scalability that is required (of any core project added)?
20:28:36 <notmyname> jbryce: zns: how does it handle scale? that is one of the core openstack principles. (just making sure it's on the list too)
20:28:51 <johnpur> notmyname: good q
20:28:55 <jbryce> it will be core for the essex cycle, so not official until next april. so i would say a level of stability and a trajectory that we feel comfortable it can be solid and production ready, deployable, not out-of-control by the essex timeframe
20:29:07 <ttx> jbryce: +1
20:29:09 <jbryce> it will be core for essex if approved now, i mean
20:29:18 <notmyname> anotherjesse: I may be wrong, but isn't nova's codebase pretty volatile too? (or at lest it used to be)
20:29:21 <vishy> ttx: My plan is to rip out unused parts, to deprecate the core stuff in diablo, and pull it out in essex
20:29:38 <zns> notmyname: we have not tested at scale. We support LDAP and MySQL as backends for more *scalable* deployment, but we still need to validate load-balancing multiple nodes.
20:29:38 <anotherjesse> notmyname: there is a difference between external volatility and internal
20:29:40 <ttx> vishy: ok
20:29:42 <vishy> ttx: so you should be able to configure nova to use old auth, but it will not be the default
20:29:45 <johnpur> jbryce: by being a core component, what do we say is the "policy" around required use by core/inubated/associated projects?
20:29:58 <notmyname> anotherjesse: ok. that's true. but one leads to the other, no?
20:30:00 <vishy> ttx: my plan is default: no multitenant auth
20:30:17 <anotherjesse> notmyname: right - hence i was asking if the api settling down would be a good thing to happen first
20:30:18 <jbryce> Integration Each project should use as many of the others' features as possible and provide the requested integration points
20:30:25 <jbryce> http://wiki.openstack.org/ProjectTypes
20:30:30 <vishy> ttx: with options for keystone or old auth, with keystone heavily favored
20:30:47 <anotherjesse> so - reason for this concenr: when keystone is added to core - other projects should work hard to make sure we all play well together
20:30:49 <notmyname> nd if keystone isn't accepted today, it can still be accepted up to halfway throught he essex cycle, right?
20:30:52 <ttx> anotherjesse: I think you need less mutation because of the integration with components, not because it will be in core for Essex
20:30:59 <ttx> notmyname: no
20:31:07 <ttx> notmyname: we need it in core before the design summit
20:31:12 <notmyname> ttx: ah
20:31:14 <anotherjesse> if the api is still in flux, then swift+nova+glance saying we all play with keystone
20:31:17 <johnpur> ttx: agree
20:31:30 <anotherjesse> will be complicated - since it changes daily due to being actively reworked
20:31:32 <ttx> notmyname: so that we can have the PTL involved in prep and give it the place it deserves in the summit
20:31:33 <vishy> can we reeval in a few weeks then?
20:31:45 <ttx> vishy: deadline is Sep5
20:31:55 <jbryce> anotherjesse: it sounds like zns is saying the api will be done very soon
20:31:56 <ttx> (based on a recent PPB decision)
20:31:59 <johnpur> vishy: what will you leatn in a couple of weeks?
20:32:07 <johnpur> learn
20:32:13 <anotherjesse> jbryce: yes - they were locked in a room all day friday and are working on it
20:32:22 <alekibango> vishy:  +1
20:32:23 <jaypipes> sounds like fun
20:32:24 <jbryce> we have 3 weeks basically to approve it
20:32:27 <zns> johnpur: API stable. That's big for integration and *comfort* around integration.
20:32:30 <anotherjesse> I'd rather that finish, not focus on integration into core (whatever that entails)
20:32:51 <jbryce> so what if we defer for now and get another update next week
20:32:51 <vishy> johnpur: I'm convinced it should go in, but I think it sends a better message to wait for stability before promoting
20:32:57 <johnpur> zns: will it be done by then?
20:33:02 <anotherjesse> vishy: ++
20:33:05 <alekibango> vishy: ++
20:33:08 <johnpur> vishy: i get it
20:33:13 <johnpur> and agree
20:33:17 <heckj> vishy++
20:33:37 <jaypipes> vishy: ++
20:33:37 <zns> johnpur: Sept5 or next week? Yes to Next week=API documented. Sept 5th implemented.
20:33:37 <jbryce> johnpur: if not, we can defer until the week after. we have 3 weeks (minus a day) before the deadline.
20:33:54 <jaypipes> remember, next week we have to review quantum for incubation...
20:34:07 <johnpur> i am hearing that (assuming the right level of work) that Keysone will be core for Essex, just a matter of timing?
20:34:35 <zns> vishy: I agree with the message to set the bar high. I would like to be clear on what the bar is so we can work towards that...
20:34:42 <notmyname> johnpur: well, the timing is depending on the level of work :-)
20:34:48 <johnpur> and we can have a lot of discussion at the DS :)
20:35:02 <jbryce> zns: i think the main component is api definition stable. correct me if i'm wrong, anyone
20:35:24 <johnpur> zns: who is giving input on the api dfn?
20:35:44 <jbryce> so that integrating projects will not have to worry about a moving target and we are establishing a precedent of external stability before core promotion
20:35:59 <zns> johnpur: many inputs from mailing list, blueprints, etc...
20:36:03 <jaypipes> jbryce: correct
20:36:28 <johnpur> zns: how are you arbitrating the inputs?
20:36:39 <jbryce> i propose we defer decision on keystone promotion until next week. review again with the primary focus for the team to be api stability. thoughts?
20:37:07 <jaypipes> jbryce: #agreed
20:37:08 <zns> johnpur: right now, the bar has been easy given our first goal: support existing Nova, swift, Rackspace use cases.
20:37:15 <anotherjesse> johnpur: I think they are focusing on making the core api as small as possible, until friday core was 2 api calls
20:37:43 <johnpur> ah, ok
20:38:09 <anotherjesse> johnpur: authenticate(user, pass, optional tenant) -> token, catalog
20:38:21 <anotherjesse> johnpur: validate(token) -> user/tenant/role info
20:38:40 <johnpur> it is critical that not only are the api calls stable and defined, but that all of the concepts are consistent, right? tenancy, project, user, account, etc.
20:38:43 <anotherjesse> there are extensions about how users/tenants/roles can be managemed
20:39:01 <johnpur> across projects
20:39:12 <vishy> * and get_tenants no?
20:39:19 <anotherjesse> vishy: oh ya ;)
20:39:25 <anotherjesse> johnpur: ++ - it is critical that the concepts of tenant (projects in nova, accoutns at rax), user, roles
20:39:35 <anotherjesse> and what the response from validate (the roles, ...)
20:39:47 <johnpur> right
20:40:01 <anotherjesse> zns: I think having a document with just core would be helpful to send to the list
20:40:14 <anotherjesse> zns: the user/tenant management is extensions
20:40:23 <zns> anotherjesse: working on that… will send out this week.
20:40:44 <anotherjesse> zns: i wouldn't mind help etherpading the core doc
20:40:46 <anotherjesse> if you have time
20:40:50 <zns> anotherjesse: yes, non-core is either OS extensions or RAX extensions.
20:40:51 <anotherjesse> moving to sidechannel
20:41:00 <jbryce> ok. so, defer until next week?
20:41:07 <ttx> jbryce: sure
20:41:07 <anotherjesse> heh - ya - sorry
20:41:20 <notmyname> jbryce: +1
20:41:33 <jbryce> #info defer promotion decision 1 week. keystone team to focus on external api stability and definition.
20:41:49 <jbryce> http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
20:41:49 <jbryce> #topic security group proposal
20:41:54 <johnpur> anotherjesse, zns: let me know if there are discussions/etherpadding, etc.
20:42:14 <jbryce> we've had a fair amount of discussion on this already on the mailing list
20:42:41 <jbryce> how does everyone feel about the state of the proposal currently?
20:42:53 <notmyname> jbryce: my thoughts are that this proposal seems...ponderous. a defined process to submit bugs and alert the right dev teams seems all we need
20:44:09 <notmyname> I don't think there needs to be a separate group responsible for "Security". If we all arent' aware of it while we're writing/reviewing the code we're going to end up in a world of hurt.
20:44:27 <ttx> I share Soren's concern on the group size
20:44:34 <zns> johnpur: will do
20:44:41 <johnpur> thx
20:44:54 <notmyname> ttx: as do i
20:44:59 <ttx> notmyname: yes -- we need nothing like something of the size of MSG
20:45:01 <dendrobates> ttx: me too
20:45:19 <soren> I'm thinking 2 people. Maybe 3.
20:45:33 <jaypipes> I think having a group focused on testing OpenStack (the entire project, not just a subproject) for security vulnerabilities is a worthy goal.
20:45:35 <ttx> I mean, I've yet to see a serious vulnerability that would have neede embargo.
20:45:46 <johnpur> jbryce: i would like to see the proposal broken into 2 pieces: 1) process for setting up openstack working groups, and 2) the specific around a security wg
20:45:47 <soren> jaypipes: That's not what this is, though.
20:45:50 <notmyname> soren: agreed. and those people IMO really only need to be responsible for getting the bug reports to the right people
20:45:53 <ttx> jaypipes: that's an auditor group -- that's different
20:45:55 <soren> jaypipes: At least, that's not what I read into it all.
20:46:07 <creiht> perhaps another way of stating notmyname's position (which I share) is it would be better to start small and expand as the need requires rather than create a huge bureaucracy to start with
20:46:24 <jaypipes> creiht: ++
20:46:25 <ttx> creiht: +1
20:46:34 <johnpur> i think there are at least 2 working groups we could initiate, besides the security group
20:46:50 <letterj> jaypipes: are any of the current tests focused on security?
20:46:51 <termie> wgwg
20:47:00 <vishy> I think there are six or seven working groups here :)
20:47:09 <johnpur> termie: lol!
20:47:10 <termie> seconded
20:47:29 <anotherjesse> termie: pbb = wgwg
20:47:31 <jaypipes> letterj: not that I know of.. what about for swift?
20:47:38 <johnpur> my 2 are 1) legal and 2) strategy
20:48:33 <notmyname> johnpur: that's getting a little off topic, isn't it? ;-)
20:48:46 <notmyname> it's not like we have a lot of time here
20:48:48 <letterj> jaypipes: Not specific security tests I know of not related to auth
20:48:48 <ttx> letterj: I'm adding some security-related tests together with my new privsep stuff
20:48:54 <anotherjesse> johnpur: both groups need to talked about but ping jbryce about those?
20:49:09 <johnpur> notmyname: probably, but if we have a process to define the groups, then the security group is just one of some
20:49:30 <johnpur> i'll table it now
20:49:48 <jbryce> johnpur: we can follow up on it later
20:49:54 <johnpur> jbryce: ok
20:50:02 <jaypipes> all I was saying was that having a team looking at security testing/validation for openstack as a whole would be a laudable effort, nothing more.
20:50:16 <jbryce> so on this it sounds like most people are in favor of a small group to start with to handle vulnerability identification and handoff
20:50:28 <letterj> Is there a list floating around somewhere of what specific sercurity tests people have in mind?
20:50:30 <jaypipes> and if Jarret is already offering to lead such an effort, that might be a good start...
20:50:44 <jbryce> separate from that possible a testing/validation group for all of openstack
20:50:57 <jaypipes> letterj: I'm thinking that an app security person like Jarret would probably have some ideas on that :)
20:50:58 <ttx> jaypipes: I can work with Jarret.
20:51:04 <johnpur> we need an escalation as well for when a problem is found inthe community, an escalation of a bug report
20:51:24 <notmyname> johnpur: I think that's all that's needed now
20:51:29 <letterj> jaypipes: What about a test enviornment?
20:51:34 <johnpur> many folks are doing security, penetration, etc. testing
20:51:38 <creiht> it just needs to be well defined, and published
20:51:47 <creiht> I don't think most people know about the feature in launchpad
20:51:50 <heckj> creiht: published ++
20:52:02 <letterj> jaypipes: I didn't know if a list of proposed tests or things to look for had been proposed
20:52:16 <jaypipes> letterj: ya, no worries :)
20:52:30 <ttx> creiht: yes + publish a couple individual email addresses with GPG keys, in case someone wants to send an encrypted report
20:52:57 <creiht> ttx: certainly, or at least publish those for all the PTLs and publish the fact that they are the main points of contact
20:52:59 <ttx> that's all we urgently need. Doc on how to submit a security vulnerability
20:53:05 <creiht> agreed
20:53:08 <notmyname> ttx: ++
20:53:35 <anotherjesse> ttx: I think there should be page on openstack.org and it linked at the footer of every community page
20:54:05 <jbryce> so we are rejecting the larger proposal for now and setting up a small team to route reports, plus publishing the process for submitting security reports
20:54:12 <ttx> anotherjesse: that's part of what Jarret proposes -- maybe we should skip the "security group" setup for now, and concentrate on doc ?
20:54:50 <creiht> If you have the security process well established, then it makes it easy for multiple groups to do their testing
20:54:52 <johnpur> jbryce: having Jarret be a point of contact seems like a good thing... we can point people to him?
20:55:30 <letterj> Is there a blueprint started on security tests yet?
20:56:03 <jbryce> we've got 4 minutes left so i'd like to get at least some resolution on this one before we run out of time
20:56:03 <ttx> jbryce: i can take the action of discussing a bit more with Jarret and come up with a proposed security.openstack.org page contents.
20:56:12 <jbryce> ttx: +1
20:56:21 <jaypipes> letterj: not that I know of. please feel free to create one.
20:56:34 <jaypipes> letterj: in the openstack-ci project maybe?
20:57:06 <jbryce> anyone opposed to ttx's proposal?
20:57:18 <jaypipes> nope, sounds good to me.
20:57:24 <jbryce> ok
20:57:25 <notmyname> jbryce: +1 to rejecting the larger proposal and publishing the security reports process
20:57:44 <jbryce> #action ttx to discuss more with jarret and come up with the content to publish a process for security reporting
20:58:15 <jbryce> anything else?
20:58:51 <jbryce> thanks everyone
20:58:58 <jaypipes> ty jbryce
20:59:02 <jbryce> #endmeeting