16:59:42 <tbachman> #startmeeting tws
16:59:42 <odl_meetbot> Meeting started Mon Oct 27 16:59:42 2014 UTC. The chair is tbachman. Information about MeetBot at http://ci.openstack.org/meetbot.html.
16:59:42 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:42 <odl_meetbot> The meeting name has been set to 'tws'
16:59:46 <tbachman> #chair alagalah
16:59:46 <odl_meetbot> Current chairs: alagalah tbachman
17:00:31 <tbachman> anyone else want a chair? :)
17:01:56 <alagalah> #topic Agenda
17:01:59 <alagalah> #link https://wiki.opendaylight.org/view/Tech_Work_Stream:Main#Upcoming_Meeting_Agendas
17:02:12 <tbachman> alagalah: thx!
17:03:18 <alagalah> tbachman: Will make Liem presenter once we start recording
17:04:30 <tbachman> #topic AAA presentation
17:04:31 <liemmn> #link https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing
17:04:51 <tbachman> #undo
17:04:51 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Link object at 0x2640150>
17:05:05 <tbachman> #link : #link https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing Slides from powerpoint presentation
17:05:23 <tbachman> #undo
17:05:23 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Link object at 0x2640150>
17:05:37 <tbachman> #link https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing Slides for AAA presentation
17:06:28 <tbachman> #info Contributors are HP, Cisco, Red Hat, and Inocybe
17:07:35 <tbachman> #info Helium has token-based authentication, HTTP basic authentication, built-in IdMLight for managing users/roles/domains, federation with Linux SSSD, AuthZ policies data model + API + AuthZ Broker Infrastructure and configuration
17:08:03 <tbachman> #info Fully-functional MD-SAL AuthZ service, Federation with OpenStack Keystone, and application security didn’t make it into Helium release
17:11:21 <tbachman> #info token-based authentication supports direct authentication, where user presents credentials and receives an access token scoped to a set of resources, and uses that token to access those resources
17:11:44 <tbachman> #info The token is valid for 1hr by default, and is revokable
17:13:32 <tbachman> #info alagalah asks if there are any open source projects in use here
17:13:48 <tbachman> #info liemmn says that there are some (e.g. Apache open source project for authentication)
17:15:47 <tbachman> #info a domain is a grouping of resources for the purpose of access control
17:17:49 <tbachman> #info dbainbri asks if it’s a configuration to default to basic authentication
17:17:59 <tbachman> #info liemmn says it’s not a configuration item today
17:19:06 <tbachman> #info liemmn says you can disable the basic auth bundle
17:22:32 <tbachman> #info Federated authentication is where the authentication is delegated to an external identity provider (IdP)
17:23:02 <tbachman> #info This allows support of different authentication schemes (SSSD, LDAP, Radius, SAML, etc.) via plugins
17:27:05 <tbachman> #info alagalah asks what happens if the controller can’t talk to the IdP
17:27:13 <tbachman> #info liemmn says it depends on the case
17:27:36 <tbachman> #info if you’re using a UUID in OpenStack (e.g. keystone); if it can’t contact keystone, then the request will fail
17:28:06 <tbachman> #info There is a configuration for keystone that allows the controller to decrypt the token and perform authentication without involving keystone
17:33:20 <tbachman> #info CRUD operations are supported on domains, users, and roles
17:34:15 <tbachman> #info model allows for nested authorization policies
17:36:15 <tbachman> #info jmedved asks where liemmn sees enforcing these policies (e.g. on top of MD-SAL)?
17:36:48 <tbachman> #info liemmn says that they inject in an Auth-Z aware MD-SAL broker, which limits things right there
17:37:36 <tbachman> #info jmedved says there are multiple brokers — and asks if we’re planning to modify all of them (i.e. put in every broker)?
17:37:46 <tbachman> #info liemmn says there’s a plan for data brokers for all of them
17:39:25 <tbachman> #info dbainbri asks if there’s been thought about controlling access by devices contacting the controller, rather than the other way around (controller contacting devices)
17:39:29 <tbachman> dbainbri: did I get that right?
17:39:52 <tbachman> #info liemmn says AAA is focused just on the northbound for now
17:42:19 <dlenrow> dbainbri: Doesn't the scope of the ODL SNBI project cover what you asked about?
17:46:25 <tbachman> #info liemmn says they’d like to see more token-based authentication being used
17:48:26 <liemmn> #link https://wiki.opendaylight.org/view/AAA:Main
17:51:03 <tbachman> #info dlenrow points out that the SNBI and HP’s device drivers project may support dbainbri’s needs
17:52:24 <alagalah> https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd
17:52:28 <alagalah> #link https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd
17:52:42 <tbachman> #undo
17:52:42 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Link object at 0x23a2690>
17:52:51 <tbachman> #link https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd Draft Lithium Release plan
17:53:27 <tbachman> #info alagalah says that some of the pain points identified in helium have been addressed in the Draft Lithium Release Plan
17:53:33 <dbainbri> dlenrow: sorry, missed your comment on the chart, but i think we got it covered in the call
17:54:56 * icbts Something fun to monitor your Helium deploys with https://github.com/savoirtech/ktop/tree/k30x — it's a Thread top command for your console :)
17:55:04 <tbachman> #endmeeting