Thursday, 2016-11-17

« Wednesday, 2016-11-16 Index Friday, 2016-11-18 »
*** zhurong has joined #openstack-meeting-cp00:19
*** david-lyle_ is now known as david-lyle00:35
*** zhurong has quit IRC00:40
*** ameade has quit IRC00:57
*** ameade has joined #openstack-meeting-cp00:57
*** alij has joined #openstack-meeting-cp01:39
*** alij has quit IRC01:45
*** alij has joined #openstack-meeting-cp01:45
*** zhurong has joined #openstack-meeting-cp01:51
*** fredli has joined #openstack-meeting-cp02:29
*** mars has joined #openstack-meeting-cp02:35
*** alij has quit IRC02:40
*** diablo_rojo_phon has quit IRC03:08
*** coolsvap has joined #openstack-meeting-cp03:15
*** mrhillsman has joined #openstack-meeting-cp04:42
*** fredli has quit IRC05:15
*** prateek has joined #openstack-meeting-cp05:35
*** rarcea has joined #openstack-meeting-cp06:54
*** jroll has quit IRC08:27
*** jroll has joined #openstack-meeting-cp08:41
*** gouthamr has joined #openstack-meeting-cp08:45
*** skazi has left #openstack-meeting-cp08:57
*** gouthamr has quit IRC09:05
*** gouthamr has joined #openstack-meeting-cp09:15
*** zhurong has quit IRC09:20
*** zhurong has joined #openstack-meeting-cp09:21
*** zhurong has quit IRC10:02
*** gouthamr has quit IRC10:53
*** gema has left #openstack-meeting-cp11:21
*** gouthamr has joined #openstack-meeting-cp11:32
*** gouthamr has quit IRC11:47
*** gouthamr has joined #openstack-meeting-cp11:52
*** zhurong has joined #openstack-meeting-cp12:23
*** prateek has quit IRC12:41
*** markvoelker has quit IRC12:50
*** gouthamr has quit IRC12:52
*** mars has quit IRC12:59
*** lamt has joined #openstack-meeting-cp13:14
*** zhurong has quit IRC13:28
*** zhurong has joined #openstack-meeting-cp13:28
*** gouthamr has joined #openstack-meeting-cp13:30
*** zhurong has quit IRC13:43
*** zhurong has joined #openstack-meeting-cp13:45
*** markvoelker has joined #openstack-meeting-cp13:51
*** mrhillsman has quit IRC13:52
*** prateek has joined #openstack-meeting-cp13:55
*** markvoelker has quit IRC13:56
*** codebauss has joined #openstack-meeting-cp14:02
*** codebauss is now known as mrhillsman14:03
*** zhurong has quit IRC14:21
*** uxdanielle has joined #openstack-meeting-cp15:10
*** prateek has quit IRC15:19
*** markvoelker has joined #openstack-meeting-cp15:52
*** markvoelker has quit IRC15:57
*** gouthamr has quit IRC16:23
*** uxdanielle has quit IRC17:56
*** rarcea has quit IRC17:59
*** markvoelker has joined #openstack-meeting-cp18:07
*** coolsvap has quit IRC18:37
*** edtubill has joined #openstack-meeting-cp18:56
*** edtubill has quit IRC19:03
*** edtubill has joined #openstack-meeting-cp19:55
*** r1chardj0n3s has joined #openstack-meeting-cp19:58
r1chardj0n3sstevemar: would you like to chair this morning?19:59
* lbragstad strolls in20:00
*** tqtran has joined #openstack-meeting-cp20:00
rderoseo/20:01
r1chardj0n3sI think we're missing a stevemar20:01
dstanekhi20:01
r1chardj0n3soh well, let's kick off anyway20:01
rderoser1chardj0n3s: I think I heard stevemar is in jury duty this week20:02
r1chardj0n3smy brain ain't firing, just woke up ;-)20:02
r1chardj0n3sah ok rderose20:02
r1chardj0n3s#startmeeting keystone_horizon20:02
openstackMeeting started Thu Nov 17 20:02:11 2016 UTC and is due to finish in 60 minutes.  The chair is r1chardj0n3s. Information about MeetBot at http://wiki.debian.org/MeetBot.20:02
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.20:02
*** openstack changes topic to " (Meeting topic: keystone_horizon)"20:02
openstackThe meeting name has been set to 'keystone_horizon'20:02
r1chardj0n3s#link https://etherpad.openstack.org/p/ocata-keystone-horizon Meeting agenda/minutes/work items20:02
david-lyleo/20:02
dolphm\o20:02
edtubillo/20:02
tqtran[=_=]/20:03
rderoseo/20:03
r1chardj0n3sSo, unless anyone has a better idea, I'll work through the etherpad and see if there's any updates20:04
r1chardj0n3s#topic sort projects by name please!20:04
*** openstack changes topic to "sort projects by name please! (Meeting topic: keystone_horizon)"20:04
r1chardj0n3sI don't think there's been any movement on this one - is anyone aware of relevant work?20:04
r1chardj0n3sI'm gonna take that as a no :-)20:05
r1chardj0n3s#topic Proper Domain-admin support20:05
*** openstack changes topic to "Proper Domain-admin support (Meeting topic: keystone_horizon)"20:05
r1chardj0n3sLooks like there's a patch for this now20:06
r1chardj0n3s#link https://review.openstack.org/#/c/399157/20:06
rderosestarted this effort, first part is to require a domain_id when registering an idp20:06
dstanekr1chardj0n3s: i think that's something different20:06
rderosethen federated users will be mapped to real domains20:06
rderosemy part "removed hardcoded federated domain"20:07
r1chardj0n3sdstanek: I think there's a number of issues, but the federated users not being mapped to a real domain was one of them20:07
r1chardj0n3srderose: so this is the death of the ephemeral "Federated" domain?20:07
rderoseyes20:08
r1chardj0n3s\o/20:08
dstanekr1chardj0n3s: can you not have a federated user be in a domain admin group at all right now?20:08
david-lylequestion on requiring domain id20:08
r1chardj0n3sdstanek: no, at the moment federated users can't have domains at all20:08
david-lyleis that just generated?20:08
david-lyledoes a name have to be specified?20:09
rderosedavid-lyle: no, admins will be required to create the idp domain before registering the idp20:09
david-lyleand just pick one ?20:09
david-lylehopefully the correct one?20:09
david-lyle:)20:09
david-lyletrying to track future horizon work20:10
david-lyleyou can setup federation in Horizon20:10
rderosedavid-lyle: yeah, they have to associate the domain_id with the idp; could pick the wrong one20:10
dstanekdavid-lyle: ideally it'll be easy because domain admins will only have access to one domain20:10
rderosethe idp does have a description20:10
david-lyleso this would change the workflow20:10
david-lylenot a blocking issue, but we should capture the follow-on work20:10
* david-lyle goes to capture20:11
r1chardj0n3sthanks david-lyle20:11
dstanekr1chardj0n3s: i need to get the federation CLI stuff working so i can test that out20:11
rderosedavid-lyle: the docs do say create a domain as part of configuring federation20:11
r1chardj0n3sdavid-lyle: in the etherpad, ya?20:11
david-lyleyes20:11
r1chardj0n3sok, moving on (but waiting for david-lyle to stop typing as the next bit's his ;-)20:12
r1chardj0n3s#topic Roles20:12
*** openstack changes topic to "Roles (Meeting topic: keystone_horizon)"20:12
david-lyleI did not sign up for splitting the quota step out20:13
david-lyleso that's still a todo waiting for an owner20:13
david-lyleI did add some comments on the _member_ situation20:13
r1chardj0n3sI think that should be moved to be a separate item in the etherpad20:14
lbragstadlooks like david-lyle did the investigation20:14
david-lylethe choice is, do we want a default role? or force the user to select20:14
david-lyleof the two workflows one is easier to change to no defaults20:15
david-lylethe other is a bit of a hardcoded JS mess20:15
david-lylethe latter being update members on project20:15
david-lyleTheoretically all that lovely JS is going to be replace with even lovelier JS soon20:16
*** chrisplo has joined #openstack-meeting-cp20:17
david-lylebut I've been holding my breath for quite some time now and have gone through many shades of blue toward green now20:17
r1chardj0n3sdavid-lyle: yes, we have https://blueprints.launchpad.net/horizon/+spec/angularize-identity-projects20:17
r1chardj0n3sbut I think we need to fix the current interface also20:17
david-lyleI'm glad you volunteered r1chardj0n3s20:18
david-lyle:)20:18
r1chardj0n3swait what20:18
r1chardj0n3sIf nothing else it would be good to capture the two broken interfaces in bugs please20:18
r1chardj0n3sThen hopefully someone will pick it up20:19
r1chardj0n3s#topic Roles and Quotas20:20
*** openstack changes topic to "Roles and Quotas (Meeting topic: keystone_horizon)"20:20
r1chardj0n3sthere's no names at all against this one :-(20:20
david-lyleseparating shouldn't be overly difficult TBH20:21
r1chardj0n3sthe colour of the Action line looks like lbragstad so I guess that's ownership, right? ;-)20:21
david-lylejust moving a step to a new form20:21
lbragstadhah - not anymore!20:21
*** robcresswell has joined #openstack-meeting-cp20:21
r1chardj0n3sdavid-lyle: agreed20:21
r1chardj0n3s#topic K2K support20:22
*** openstack changes topic to "K2K support (Meeting topic: keystone_horizon)"20:22
r1chardj0n3sedtubill: update?20:22
edtubillhey, I think the items need to be reviewed still20:22
* david-lyle has failed to review20:22
edtubillbut I've started to look into the blueprint option and writing code to see what changes we need for it.20:23
dstanekthese on my list of things i need to look at20:23
david-lylewhich is the bp option?20:23
david-lylenew dropdown?20:23
edtubillthe new drop down and 'lazy' k2k sign on20:23
edtubillyup20:23
david-lyleand why not reuse regions?20:24
david-lylenevermind, I'll push it back up to the top of my review list20:24
edtubillok20:24
edtubillI don't like reusing regions because I think you would have to sign into all the providers20:25
edtubillupon inital log in.20:25
david-lyleyou would only make the request to the endpoint you selected from regions20:25
edtubilland keep large session space for all the tokens and20:26
david-lylebut it requires a hardcoded list20:26
edtubillhmm20:26
david-lylethere is actually a matching region dropdown once you're logged in that can be enabled to20:26
david-lylebut it sends you back to the log in page20:26
edtubillYeah I think I saw that code, I wasn't sure what that did. There seems to be two region dropdowns in the code.20:27
david-lyleyes, yes there are, you're welcome20:27
david-lyle:P20:27
edtubill:)20:27
r1chardj0n3sok moving on?20:28
david-lylethe hidden one is for different endpoints, not regions in the traditional sense20:28
david-lylewell the keystone sense20:28
david-lylesure20:28
edtubillok20:28
r1chardj0n3s#topic Password about to expire info20:28
*** openstack changes topic to "Password about to expire info (Meeting topic: keystone_horizon)"20:28
r1chardj0n3swe have two patches for this, which I've added to our priority review list20:29
r1chardj0n3sI think that's probably all to say on this one20:29
r1chardj0n3sI'm going to skip to the new biggie at the end20:29
rderosewe also need to handle password strength requirements20:29
r1chardj0n3srderose: ok, that sounds like a separate issue we need to note then20:30
rderosecool20:30
r1chardj0n3s#topic #topic Retire django-openstack-auth-kerberos in favor of django_openstack_auth[kerberos]?20:30
*** openstack changes topic to "#topic Retire django-openstack-auth-kerberos in favor of django_openstack_auth[kerberos]? (Meeting topic: keystone_horizon)"20:30
r1chardj0n3stopic topic20:30
r1chardj0n3shttps://bugs.launchpad.net/django-openstack-auth/+bug/158443220:30
openstackLaunchpad bug 1584432 in django-openstack-auth-kerberos "deprecate doa-kerberos by using setuptools optional dependencies" [Undecided,In progress] - Assigned to Steve Martinelli (stevemar)20:30
david-lylerderose: https://github.com/openstack/horizon/blob/master/doc/source/topics/settings.rst#password_validator20:31
david-lylerules are optional20:31
david-lyler1chardj0n3s: we're just going to retire the repo20:31
david-lyleread the line I added at the end20:31
r1chardj0n3sthat sounds like a solid plan!20:31
rderosedavid-lyle: looks like we have some duplication in keystone's config20:31
david-lylethey're addressing the problem at different points20:32
david-lylebut it would be nice to have a shared source, but openstack20:33
rderosedavid-lyle: http://docs.openstack.org/developer/keystone/security_compliance.html20:33
rderosepassword strength requirements20:33
david-lylesure, can we get that via API of an end user?20:34
david-lyles/of/by/20:34
rderosedavid-lyle: no, but the strength description is returned if the user fails password strength20:35
rderoseduring auth20:35
david-lylefor a UI that's a roundtrip to the server, where we can do it live on the page20:35
dstanekrderose: during auth or user create?20:36
rderosedstanke: right, sorry not during auth20:36
rderosebut anytime your are creating a password20:36
rderose*dstanek20:36
dstanekdavid-lyle: having it discoverable makes total sense to me20:36
david-lylediscoverable is the answer to most of Horizon's duplicate settings problems, so I'm all for discoverability20:38
r1chardj0n3s+120:38
r1chardj0n3splease add a new thing to the etherpad: keystone to make it all discoverable :-)20:38
r1chardj0n3s(let's just add that password strength info, yes)20:39
rderosehave it under PCI20:39
r1chardj0n3s#topic Support for browsing LDAP users20:40
*** openstack changes topic to "Support for browsing LDAP users (Meeting topic: keystone_horizon)"20:40
r1chardj0n3sAny updates here?20:41
r1chardj0n3slooks like some patches to fix https://bugs.launchpad.net/keystone/+bug/1582585 went in, fixing the speed issue at least20:42
openstackLaunchpad bug 1582585 in OpenStack Identity (keystone) "the speed of query user from ldap server is very slow" [Wishlist,Fix released] - Assigned to Andrew Liu (andrew-lhj)20:42
r1chardj0n3sso I think the search-instead angle just needs more investigation20:43
r1chardj0n3s*crickets* :-)20:44
rderoseso it will speed things up, but how does horizon handle pagination?20:44
rderosebecause will still return all records, unless filtered20:45
r1chardj0n3srderose: we paginate using service APIs where possible, and we paginate large lists on the client if necessary20:45
rderosebut it's probably not happening with the user list20:46
r1chardj0n3sno server side pagination20:46
rderoseaction item for keystone?20:46
r1chardj0n3sas I understand it, you can't paginate for LDAP20:47
bretonno updates from my side, sorry20:47
r1chardj0n3sso we need to implement filtering (filter-first) in our UIs20:47
* stevemar lurks in late20:47
dstanekr1chardj0n3s: that's correct on pagination20:47
rderosedstanek: is that true20:47
rderose:)20:47
stevemaron the LDAP topic?20:48
r1chardj0n3syep20:48
dstanekthere's no way to query is and say 'start at record XYZ'20:48
stevemarfor pagination you need to setup keystone to use an LDAP admin account: https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L1071-L107720:49
stevemarwhich for most enterprises, will tell you to buzz off :)20:49
robcresswellthe filter_first stuff is implemented in half a dozen views already. I'd imagine someone could copy paste the existing implementations20:49
*** kbyrne has quit IRC20:49
r1chardj0n3srobcresswell: the UI just gets a bit tricky though20:49
stevemarrobcresswell: whats an example of the filter_first stuff?20:50
robcresswellr1chardj0n3s: How so?20:50
david-lyleerror codes and notices to the user20:50
david-lylere: overflow20:50
r1chardj0n3srobcresswell: adding users to projects, IIRC, the UI is ... unique20:50
robcresswellAh20:50
robcresswellI was thinking of the overall views.20:50
robcresswellindex views etc.20:50
r1chardj0n3syeah, those are easy20:51
david-lylethose would still need work20:51
robcresswellRight20:51
robcresswellThey still aren't done though20:51
*** kbyrne has joined #openstack-meeting-cp20:52
r1chardj0n3sOK, moving on20:52
r1chardj0n3s#topic v3 policy is not parseable using oslo.policy20:52
*** openstack changes topic to "v3 policy is not parseable using oslo.policy (Meeting topic: keystone_horizon)"20:52
stevemarthis one is long and convoluted20:52
r1chardj0n3s\o/20:52
r1chardj0n3sok, just quickly, PCI?20:54
r1chardj0n3srderose, this is you?20:55
stevemarprobably better to cover that one20:55
stevemari need to read up on the policy bug20:55
r1chardj0n3sack20:55
rderoseyeah, we sort of covered it20:55
rderoseI moved "Password about to expire info" under PCI20:56
rderosePCI stuff is growing20:56
r1chardj0n3sok20:56
rderoseThe last one will require users to changed their password if an admin created it for them20:57
rderoseWork being done in Ocata20:57
stevemarusers should be able to change passwords in horizon i think20:57
r1chardj0n3sah, cool, I see the comment added about the password strength discoverability20:57
stevemarhmm, we could expose that via an API20:58
r1chardj0n3syes, please :-)20:58
david-lylestevemar we currently have duplicate settings20:58
david-lyleat least for that20:58
stevemarlink?20:58
david-lyleonce line above20:58
david-lylethe not about discoverable20:58
david-lyle*note20:58
david-lyle*one20:58
robcresswellhttp://docs.openstack.org/developer/horizon/topics/settings.html#password-validator ?20:59
stevemarrgr20:59
stevemaroh20:59
stevemarthats interesting...20:59
stevemaryou guys had it before we did :)20:59
rderose:)20:59
r1chardj0n3s:-)20:59
r1chardj0n3sok folks, we're out of time, thanks again!21:00
stevemarnp21:00
r1chardj0n3s#endmeeting21:00
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings"21:00
openstackMeeting ended Thu Nov 17 21:00:05 2016 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)21:00
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_horizon/2016/keystone_horizon.2016-11-17-20.02.html21:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_horizon/2016/keystone_horizon.2016-11-17-20.02.txt21:00
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_horizon/2016/keystone_horizon.2016-11-17-20.02.log.html21:00
*** edtubill has quit IRC21:00
*** r1chardj0n3s has left #openstack-meeting-cp21:00
david-lylestevemar: only be 3 years21:01
david-lyle*by21:01
stevemardavid-lyle: :)21:01
* david-lyle gives up on typing today21:01
stevemardavid-lyle: was the decision to retire the doa-kerb repo?21:01
david-lyleyes21:01
stevemarrgr21:01
stevemarany other outcomes?21:01
robcresswellstevemar: ahem. read the logs :p21:02
david-lylehorizon has work to do to get rid of _member_21:02
david-lyleand k2k bp still needs reviews21:02
stevemarrobcresswell: yeah, i could :)21:03
stevemarbut david-lyle is right here!21:03
*** uxdanielle has joined #openstack-meeting-cp21:03
stevemardavid-lyle: did we decide on what route to go down for k2k, pre or post log in?21:03
david-lyleno21:03
robcresswellstevemar: Ha, very true21:03
robcresswellI think k2k got bumped because nobody has really looked yet21:04
david-lyleI pointed out some constructs already in Horizon that could be reussed, but really I owe some reviews21:04
robcresswellI'd offer to help but I imagine I might be more burden than value.21:04
stevemardavid-lyle: robcresswell anything would be good at this point :)21:06
david-lyleI bumped it on my priority list21:06
stevemar\o/21:09
*** rarcea has joined #openstack-meeting-cp21:54
*** rarcea has joined #openstack-meeting-cp21:54
*** rarcea has quit IRC22:15
*** uxdanielle has quit IRC23:02
*** lamt has quit IRC23:37
« Wednesday, 2016-11-16 Index Friday, 2016-11-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!