15:31:35 #startmeeting CAIAPI coffee klatch / brainstorming / requirements gathering 15:31:35 Meeting started Thu Jul 26 15:31:35 2018 UTC. 15:31:35 This meeting is logged and archived in a public location. 15:31:35 The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:31:35 Useful Commands: #action #agreed #halp #info #idea #link #topic. 15:31:35 The meeting name has been set to 'caiapi_coffee_klatch_/_brainstorming_/_requirements_gathering' 15:31:38 .hello2 15:31:38 bowlofeggs: [hellomynameis bowlofeggs] 15:31:42 wut 15:31:43 Hey everyone. 15:31:48 hello3.7 15:31:53 haha 15:31:53 .hellomynameis iforgot 15:32:01 .hello bowlofwut 15:32:01 bowlofeggs: [hellomynameis bowlofwut] 15:32:02 zodbot has no fedora plugin loaded 15:32:04 hahah 15:32:07 oooh 15:32:11 due to pkgdb retirement, so that won't work 15:32:14 oooh 15:32:34 anyhow, lets get into it.... puiterwijk care to give a high level overview of CAIAPI? or want me to try? 15:32:42 nirik: go ahead 15:33:13 so the idea here is that we leverage IPA. We have it doing all the heavy lifting that we can (since we don't maintain it... hurray!) 15:33:24 but IPA by itself can't do everything fas2 does 15:33:50 so we want a thing that talks to IPA and provides a API 15:33:53 Also, it depends on applications directly accessing the LDAP directory, which we don't want to open up 15:34:01 yeah. that too. 15:34:26 so, CAIAPI will be that API, and then we will have a small app that talks to CAIAPI called "noggin" 15:34:43 (naming of "noggin" courtesy of ryanlerch - blame him) 15:34:44 cool 15:34:50 and noggin is like a ui? 15:34:53 yes 15:35:13 just one question most of our apps are getting the fas info via ipsilon ? 15:35:21 cverna: that will not change. 15:35:43 so for most use cases, our apps just keep on doing their thing like they have been doing 15:35:45 cverna: the differences are if they use the FAS API right now to get additional info about other users 15:35:54 ah yes 15:35:55 Or for users that are not currently in a login flow 15:35:55 so today I wanted to just talk about what we need from the api... we can stick things into a 1.0 or a 'future' milestones... I'd propose we want a minimal viable thing for 1.0 and then add extra stuff after that 15:36:08 i don't think bodhi does that, but i suppose i should double check 15:36:14 bowlofeggs: it doesn't 15:36:21 cool 15:36:37 yeah MVP is def the way 2 go 15:36:37 So, I had a few things I can toss out... 15:36:41 So for 99% of our applications, they will not notice a difference, other than possible if they use OpenID Connect with the data being more up-to-date 15:37:06 nirik: maybe I should explain one more core part of CAIAPI 15:37:15 Which is going to be the most impactful for anyone that needs to use it 15:37:36 please do 15:38:26 Specifically: when an application needs any information about a user, there will be two types of authentication going on - the application authenticating itself, *and* the application sending a user token to prove that it is currently processing a request for a user. Based on those two, a policy will be applied that determines what information about current or other users CAIAPI will be willing to 15:38:28 provide or modify 15:39:09 This means that applications will be restricted in what they can request to the specific pieces of information they need at the moment they need it. 15:39:32 * nirik nods. 15:40:05 Also, one of my core requirements (just so eople know it's on my radar) is 2fa based on u2f 15:40:19 yeah, that was one of the items I was going to ask about... 15:40:21 Okay, that's it from me. Now shoot at me 15:40:27 here's the next: 15:40:31 nirik: that's a core requirement from me 15:40:46 (and it will enforce it based on group membership and user settings) 15:41:02 FPCA/CLA handling. The way we do this in fas is to make them groups and have them as prereqs. This causes lots of confusion for people. I wonder if we shouldn't make it so when people make their account they just agree to the fpca / view the code of conduct? 15:41:31 nirik: right. For that, we should ask spot probably. 15:41:51 though I believe I've heard they might want to change it up anyway. So let's talk to Tom about that 15:42:05 ok. Does anyone know a use case for 'I want a fas account, but no fpca' ? 15:42:10 sure, we should. 15:42:24 nirik: Pagure is the big case I've heard 15:42:41 We got rid of it requiring FPCA 15:42:53 ah, ok. 15:43:03 nirik: i can't think of anything, but i also wouldn't know :) 15:43:10 github.create -- codeblock created a new tag "0.4" at fedora-infra/supybot-fedora https://github.com/fedora-infra/supybot-fedora 15:43:12 I just want to try and kill the 'cla* + 1' thing, because new people don't get it. 15:43:15 puiterwijk: arrfab already covered the requirements from the centos side about this right? 15:43:41 Evolution: I am going to meet up with him later about his requirements 15:43:46 centos doesn't require an *pca either. 15:43:58 Right. So if it's in htere, it'll certainly be an option 15:44:04 puiterwijk: I would like to ask for federation/namespacing as well. 15:44:06 Just like all the email and texts will be templatized... :) 15:44:13 I had hard to get the cla+1 thing at the beginning :) 15:44:28 that way we can run one account system for everything and share. 15:44:39 Evolution: right. the idea for that was to do that on the IPA level 15:44:41 fedora and cent on the same instace(s). 15:44:44 okay good. 15:44:53 And have a CAIAPI for Fedora and CentOS pointing at their respective realms 15:45:39 puiterwijk: will that allow us to share auth/cred across domains? (have fabian admin a fedora thing, or have you admin a centos thing?) 15:45:44 puiterwijk: so can I kill that infra issue about renaming cla_done / fpca and stick it on caiapi's tracker and cc tom on it? 15:45:55 nirik: yes, please do 15:46:04 can do after the meeting. 15:46:23 Evolution: possibly, yes 15:46:50 ok, another thing: can we add bugzilla email/account... that would kill our stupid overrides 15:46:58 puiterwijk: I would like to use that as a use case if we can. a "community" cloud that both fedora and centos share. 15:47:07 Evolution: okay 15:47:28 tl;dr, the next iteration of the new cloud, I'd like to be combined. 15:47:29 nirik: right. Those are going to be fun anyway with RHBZ5. I'll need to talk with the people there how to deal with it 15:47:56 I can file an issue on that as well if you like to track it. 15:47:58 Evolution: note that it's certainly possible for one realm to auth to the other by tying the Ipsilon's together already 15:48:03 nirik: please do 15:48:35 puiterwijk: oh, interesting. okay. 15:49:41 Oh, for anyone that dind't know yet: 15:49:46 #link https://pagure.io/caiapi/ 15:49:50 That's the project URL 15:50:07 another one: migrating to this from fas2. I was wondering if we could drop a bunch of the dead/inactive/not used accounts... I had a idea for what we could do: 15:51:13 I first thought about dropping inactive or not logged in in a specified time, but then I thought... hey, why don't we just drop all the fas2 accounts where they haven't logged in and synced to IPA yet? Or is that too big a chunk? 15:51:21 nirik: so, one thing to note there is that IPA has "preserved users" - which means they're in the system, useranems are reserved, but they can't login 15:51:44 So what we could do is migrate them, but add them to preserved. 15:51:55 And then later on delete users from there 15:52:07 pagure.pull-request.flag.added -- jenkins #18 flagged releng/fedora-module-defaults#16 with "Build successful (commit: 907334c8)" https://pagure.io/releng/fedora-module-defaults/pull-request/16 15:52:24 thats a thought... although I think some are sure not useful. 15:52:33 like spamcheck_* ones 15:52:38 Sure. But then we can take chunks out from there 15:53:05 it might be nice to have old users for history, but not sure what level/amount of those... 15:53:11 I think I would go for the aggressive strategy :P 15:53:31 nirik: right. So, my main reason is that I do not want to make the immediate migration of data much harder with the clearing of users at the same time 15:53:33 puiterwijk || nirik I'd like to put milestones and due dates on the caiapi development to make sure we hit things on something like a schedule please. 15:53:42 In my mind, that's just *begging* for users to disappear incorrectly 15:54:09 but if you remove my spam accounts how will i advertise freenode staff blogs on the wiki? 15:54:11 nirik: I want to be able to just do a count(*) on FAS and a count on IPA and have that match to know everyone's over 15:54:12 puiterwijk: valid point 15:54:12 puiterwijk: fair enough, but it's also a good point to drop things since we have a LOT LOT LOT of spam users. 15:54:27 nirik: sure. I'm not opposed to that. Just not at the initial migration 15:54:32 So I want to detach it from the migration 15:54:41 Evolution: sounds good to me... 15:54:51 Evolution: ack. 15:54:57 separation_of_concerns++ 15:55:01 could we delete the spam accounts in fas2 before the migration ? 15:55:36 I suppose we could... 15:56:26 +1 15:56:41 I'd say that that depends on the schedule. 15:56:49 which brings up another item: basset 15:57:19 nirik: in what way? Since, obviously, I have that in mind. 15:57:57 well, do we add support for basset here or do we think it's not needed or is it build more into caiapi itself? 15:58:30 CAIAPI won't need basset support. basset gets CAIAPI support and noggin submits to Basset 15:58:45 I think it would be nice also for CAIAPI development not to be a one person job, so the knowledge of the application is spread over the team :) 15:58:57 ah, makes sense. 15:59:53 i can help maintain it 15:59:56 (caipai) 16:00:06 bowlofeggs: ack, thanks 16:00:24 Also, I've had discussions with some upstream people that might be willing t pick it up if we get it working. 16:01:05 Yeah I would be happy to help also with the development 16:01:15 is ryan making noggin? or just doing help with design, etc? 16:01:32 nirik: he's doing a lot of it, yeah 16:01:59 would be good to have more folks on that too so it's not one lone superman. ;) 16:02:17 nirik: yeah, I'm oging to do the final integration on it I was thinking 16:02:37 "final"... 16:02:43 so once we switch this fasClient is replaced by ? sssd ? ipaclinent? 16:02:54 apologies for out of topic question, but if i switch branch while 'bdiff-cover' is already running in Bodhi, will it continue with files loaded from old branch or the new one? 16:03:09 vgolwala: any chance you can ask that after the meeting? 16:03:20 nirik: ipaclient, together with fssh for ssh 16:03:22 puiterwijk: sure, my bad! 16:03:52 nirik: but basically, ipaClient 16:03:55 * nirik tries to think of anything else he had. 16:04:22 fssh? 16:04:33 pagure.issue.comment.edited -- mprahl edited a comment on ticket fm-orchestrator#974: "Tag into koji based on runtime requires" https://pagure.io/fm-orchestrator/issue/974#comment-523723 16:04:47 bstinson: I'll sync up later about that with you. But basically, u2f enhanced ssh stuff 16:04:54 oh, and totpcgi replaced also with ipaclient? 16:05:01 * nirik needs to read up on it. 16:05:02 pagure.issue.assigned.reset -- mprahl reset the assignee of ticket fm-orchestrator#974 https://pagure.io/fm-orchestrator/issue/974 16:05:03 nirik: no. fssh. 16:05:28 That's a different, related, topic. I'll explain that later. 16:06:31 so back to Evolution's question... whats our timeframe for all this? :) it's just in design now, no code yet right? 16:07:12 nirik: if I can get time to focus on this without a fried brain, I'd say 2-3 weeks for staging. 16:07:43 does noggin have a pagure project yet? 16:07:47 puiterwijk: +1 week for finishing up repospammer 16:07:50 er, spanner 16:07:55 With a fried brian, I'm going for ∞ weeks 16:07:56 it does 16:08:07 https://pagure.io/noggin 16:08:22 Evolution: yeah. that's why the "just this" 16:08:36 With that included, I'm going for the 4-5, since I'd like to not rush that deployment 16:08:46 pagure.issue.comment.added -- mprahl commented on ticket fm-orchestrator#974: "Tag into koji based on runtime requires" https://pagure.io/fm-orchestrator/issue/974#comment-523738 16:08:58 github.pull_request.synchronize -- vismay-golwala synchronized pull request #2494 on fedora-infra/bodhi https://github.com/fedora-infra/bodhi/pull/2494 16:09:09 oh, whats CAIAPI going to be written in? python? python3? 16:09:18 nirik: python3 flask 16:09:20 and what editor will you use? emacs? 16:09:26 vscode, probably 16:09:33 do we know what is the scope of the MVP ? before we give a timeline ? 16:09:43 cverna++ 16:09:45 puiterwijk: let's switch to rust nightly 16:09:48 * bowlofeggs runs 16:09:57 * relrod feels the emacs hate and cowers in a corner :( 16:10:00 bowlofeggs: don't temp me to go Go. 16:10:01 hahaha 16:10:15 relrod: i've been running vim for over 20 years… i can't figure out how to exit it 16:10:20 relrod: I... don't think there's hate against it.. 16:10:25 relrod: if you use emacs, we may have to discuss what your performance plan is going to look like..... 16:10:27 cverna: yes, pretty much 16:10:37 Evolution: haha 16:10:50 (as in, yes, I know what the MVP is, unless anyone is going to add anything big at this moment in time) 16:11:00 I think it would be nice to fill the pagure project with issues and use the milestone feature 16:11:04 cverna: I'd say something that can replace fas2... but then thats kinda vuage, because we don't want something that does all fas2 did, we want to simplify 16:11:08 Which is what this meeting was for. If people think there are more critical stuff, tell me now 16:11:25 puiterwijk: please work with cverna to document the mvp for milestone/schedule then? 16:11:42 so it is easy to track progress and it is also easy for me to know how I can give a hand :) 16:11:45 yes, we should do a 1.0 MVP and push wishlist things out after that. ;) 16:12:12 actual measureable goal/deliverables please. 16:12:13 cverna: so, I know what you can help me with - maintain all the tickets then? :P 16:12:17 * nirik is happy to file issues and make up milestones unless someone else wants to. 16:12:25 puiterwijk: sure :) 16:12:42 nirik: I can help you with that 16:12:48 nirik: if you do, please get input from cverna, given his scrum/agile background. 16:12:55 sure thing. 16:13:08 RFE: the ability to disable puiterwijk's account for days he *should* be on vacation but isn't 16:13:13 I don't care who does it, as long as it's done. ;) we can start by filing tickets on things. 16:13:29 bowlofeggs++ 16:14:20 Anyonw has anything else for this moment? 16:14:34 I think thats it from me for now at least 16:14:34 also we can't roll out CAIAPI without noggin ? or can we ? 16:14:46 well, we can, but not sure how useful it would be. 16:14:46 cverna: technically, yes, practically, no 16:14:54 Well, actually.... 16:15:42 So, one thing we need is an overview of any applications that use the FAS API right now. 16:16:11 do we need to do the same milestone and feature needed for noggin ? 16:16:12 If we find anything big there that is going to take a while to migrate, we can make CAIAPI support FAS as backend, so we can start migrating those applications 16:16:48 cverna: I'd say yes 16:17:03 puiterwijk: let's make sure what we do simplifies things overall. 16:17:36 cverna: if you're going to do stuff for nogging, manage it as if it's part of caiapi please. I really do not want to end up spending 50% of the time trackin gdown on which end a ticket is and updating/maintaining 20 ticket for a single thing 16:17:42 puiterwijk: in theory this *should* be project neutral and it would be nice for some of it to be picked up by the IPA devs. 16:18:16 puiterwijk: I agree we need to consider these 2 projects together 16:18:19 Evolution: yes, but I meant as a migration step so as to not require everything to switch on the exact same day. And that is what I had planned myself 16:18:58 puiterwijk: perfect. 16:19:04 which project owns the workflow engine? is noggin just the frontend, or is it the process management piece as well? 16:19:14 is there a way to gather apps that use fas api now? (by looking at fas logs or something?) 16:19:24 bstinson: process management stuff is IPA itself primarily 16:19:39 puiterwijk: including sponsorship workflows? 16:19:45 bstinson: yes 16:20:07 bstinson: the one thing CAIAPI will know how to do is how to exactly set up the IPA permissions to enforce our sponsorship flows 16:20:22 Since technically IPA can do it, but it requires a lot of manual fiddling. And that'll be in CAIAPI 16:20:30 But all the actual enforcement etc will be IPA 16:20:34 so caiapi will hold the rule definitions 16:20:51 Yes 16:21:15 But enforcement is IPA 16:21:20 but if i'm an admin on a group, what is my interface to provide sponsorship to someone else? is that part of noggin? 16:21:37 Do you use the API or clickety clickety? 16:21:42 Former - CAIAPI, latter - noggin 16:21:51 Noggin is literally just a frontend directly talking to CAIAPI 16:21:57 got it 16:22:27 so for down the road it might be nice to have a command line util as well... but not for 1.0 16:22:40 nirik: I'm leaving that to $someone_else to do 16:22:47 just a question any reason we choose to go with 2 different projects ? 16:23:05 as long as the process logic is in one place that sort of thing gets easier 16:23:13 cverna: as I said before, the plan was to do CAIAPI first backed by FAS so hubs could start using it 16:23:36 cverna: but now that hubs is no longer a concern, it's more a strict separation of concerns 16:25:01 puiterwijk: ok, I was just thinking that since it is "just" the UI it might be easier to manage one project rather than 2. same latter with people filling bugs or trying to know if the issue is in noggin or CAIAPI 16:25:43 cverna: because it is a different problem set from CAIAPI 16:25:59 Since noggin will also need things like templating and translation. 16:26:20 oh I have another question :) 16:26:32 will these apps run in openshift ? 16:26:41 Yes 16:26:55 can we use s2i ? :D 16:27:22 Did anyone build a license-enforcing s2i image yet? 16:27:23 It would be very nice to have some sort of continuous delivery :) 16:27:32 pagure.pull-request.comment.added -- mprahl commented on PR #973 on fm-orchestrator https://pagure.io/fm-orchestrator/pull-request/973#comment-59170 16:27:43 that could be part of CAIAPI MVP 16:27:48 It is not. 16:28:05 and that would save a lot of time in application release and deployment 16:28:19 openshift++ 16:28:19 just saying :P 16:28:30 pagure.pull-request.comment.added -- mprahl commented on PR #973 on fm-orchestrator https://pagure.io/fm-orchestrator/pull-request/973#comment-59171 16:28:32 thats a deployment detail tho. ;) 16:28:34 I do not think I fully agree with that 16:28:43 i think that's a separate concern 16:28:46 but we'll see 16:28:51 probably should emphasize the M in MVP 16:29:01 because that doesn't sound like an easy problem ot solve 16:29:01 Yep 16:29:06 though it would be a good problem to solve in general 16:29:18 Oh, I don't disagree on that. Just not as part of CAIAPI 16:29:28 yeah that's what i'm getting at 16:29:49 so, we are up on an hour here... does anyone have further items? or shall we close out and go file tickets. ;) 16:29:56 Okay, it's time. Anyone else has any critical things remaining? 16:30:00 Yeah, what Kevin says 16:30:06 I think automated deployment would save us quite some time and also enable us to deliver feature much faster. But I agree that another topic 16:30:19 cverna: I do not think I agree with that either. 16:30:43 Because I believe that what we have right now is already significantly what we'd need/want 16:30:48 puiterwijk: happy to discuss it at flock :) 16:31:11 cverna: come to my and bowlofeggs' talk and see what you think then :) 16:31:26 So, sure, flock 16:32:08 thanks for coming everyone! 16:32:10 Okay, if nothing else, let's call it an end. Any thing else you can ping me on IRC or file tickets 16:32:14 #endmeeting