16:59:42 <tbachman> #startmeeting tws
16:59:42 <odl_meetbot> Meeting started Mon Oct 27 16:59:42 2014 UTC.  The chair is tbachman. Information about MeetBot at http://ci.openstack.org/meetbot.html.
16:59:42 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:42 <odl_meetbot> The meeting name has been set to 'tws'
16:59:46 <tbachman> #chair alagalah
16:59:46 <odl_meetbot> Current chairs: alagalah tbachman
17:00:31 <tbachman> anyone else want a chair? :)
17:01:56 <alagalah> #topic Agenda
17:01:59 <alagalah> #link https://wiki.opendaylight.org/view/Tech_Work_Stream:Main#Upcoming_Meeting_Agendas
17:02:12 <tbachman> alagalah: thx!
17:03:18 <alagalah> tbachman: Will make Liem presenter once we start recording
17:04:30 <tbachman> #topic AAA presentation
17:04:31 <liemmn> #link https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing
17:04:51 <tbachman> #undo
17:04:51 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Link object at 0x2640150>
17:05:05 <tbachman> #link : #link https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing Slides from powerpoint presentation
17:05:23 <tbachman> #undo
17:05:23 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Link object at 0x2640150>
17:05:37 <tbachman> #link https://drive.google.com/file/d/0B1KtwIIbDsZXVk53ZUhzWHFZRm8/view?usp=sharing  Slides for AAA presentation
17:06:28 <tbachman> #info Contributors are HP, Cisco, Red Hat, and Inocybe
17:07:35 <tbachman> #info Helium has token-based authentication, HTTP basic authentication, built-in IdMLight for managing users/roles/domains, federation with Linux SSSD, AuthZ policies data model + API + AuthZ Broker Infrastructure and configuration
17:08:03 <tbachman> #info Fully-functional MD-SAL AuthZ service, Federation with OpenStack Keystone, and application security didn’t make it into Helium release
17:11:21 <tbachman> #info token-based authentication supports direct authentication, where user presents credentials and receives an access token scoped to a set of resources, and uses that token to access those resources
17:11:44 <tbachman> #info The token is valid for 1hr by default, and is revokable
17:13:32 <tbachman> #info alagalah asks if there are any open source projects in use here
17:13:48 <tbachman> #info liemmn says that there are some (e.g. Apache open source project for authentication)
17:15:47 <tbachman> #info a domain is a grouping of resources for the purpose of access control
17:17:49 <tbachman> #info dbainbri asks if it’s a configuration to default to basic authentication
17:17:59 <tbachman> #info liemmn says it’s not a configuration item today
17:19:06 <tbachman> #info liemmn says you can disable the basic auth bundle
17:22:32 <tbachman> #info Federated authentication is where the authentication is delegated to an external identity provider (IdP)
17:23:02 <tbachman> #info This allows support of different authentication schemes (SSSD, LDAP, Radius, SAML, etc.) via plugins
17:27:05 <tbachman> #info alagalah asks what happens if the controller can’t talk to the IdP
17:27:13 <tbachman> #info liemmn says it depends on the case
17:27:36 <tbachman> #info if you’re using a UUID in OpenStack (e.g. keystone); if it can’t contact keystone, then the request will fail
17:28:06 <tbachman> #info There is a configuration for keystone that allows the controller to decrypt the token and perform authentication without involving keystone
17:33:20 <tbachman> #info CRUD operations are supported on domains, users, and roles
17:34:15 <tbachman> #info model allows for nested authorization policies
17:36:15 <tbachman> #info jmedved asks where liemmn sees enforcing these policies (e.g. on top of MD-SAL)?
17:36:48 <tbachman> #info liemmn says that they inject in an Auth-Z aware MD-SAL broker, which limits things right there
17:37:36 <tbachman> #info jmedved says there are multiple brokers — and asks if we’re planning to modify all of them (i.e. put in every broker)?
17:37:46 <tbachman> #info liemmn says there’s a plan for data brokers for all of them
17:39:25 <tbachman> #info dbainbri asks if there’s been thought about controlling access by devices contacting the controller, rather than the other way around (controller contacting devices)
17:39:29 <tbachman> dbainbri: did I get that right?
17:39:52 <tbachman> #info liemmn says AAA is focused just on the northbound for now
17:42:19 <dlenrow> dbainbri: Doesn't the scope of the ODL SNBI project cover what you asked about?
17:46:25 <tbachman> #info liemmn says they’d like to see more token-based authentication being used
17:48:26 <liemmn> #link https://wiki.opendaylight.org/view/AAA:Main
17:51:03 <tbachman> #info dlenrow points out that the SNBI and HP’s device drivers project may support dbainbri’s needs
17:52:24 <alagalah> https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd
17:52:28 <alagalah> #link https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd
17:52:42 <tbachman> #undo
17:52:42 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Link object at 0x23a2690>
17:52:51 <tbachman> #link https://wiki.opendaylight.org/view/Simultaneous_Release:DRAFT_Lithium_Release_Plan_ckd Draft Lithium Release plan
17:53:27 <tbachman> #info alagalah says that some of the pain points identified in helium have been addressed in the Draft Lithium Release Plan
17:53:33 <dbainbri> dlenrow: sorry, missed your comment on the chart, but i think we got it covered in the call
17:54:56 * icbts Something fun to monitor your Helium deploys with https://github.com/savoirtech/ktop/tree/k30x — it's a Thread top command for your console :)
17:55:04 <tbachman> #endmeeting