<html><body><p>Hi, <br><br>Please see in-line comments!<br><br>Catherine Diep<br>RefStack PTL <br>IBM Silicon Valley Laboratory, San Jose, California 95141<br>cdiep@us.ibm.com, Tel: (408) 463-4352 T/L: 543-4352<br><font size="2" color="#800080">----- Forwarded by Catherine Cuong Diep/San Jose/IBM</font><font size="2" color="#800080"> on 02/19/2016 09:57 AM</font><font size="2" color="#800080"> -----</font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">Alexandre Levine <alexandrelevine@gmail.com></font><br><font size="2" color="#5F5F5F">To: </font><font size="2">Mark Voelker <mvoelker@vmware.com>, Chris Hoge <chris@openstack.org></font><br><font size="2" color="#5F5F5F">Cc: </font><font size="2">"defcore-committee@lists.openstack.org" <defcore-committee@lists.openstack.org></font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">02/19/2016 12:40 AM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">Re: [OpenStack-DefCore] RefStack development related questions</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><tt>Hi Mark,<br><br>Thanks a lot for the prompt response.<br>Your thoughts are very valid and reasonable, however:<br><br>1) I believe we'll expect Vendors registering with RefStack not being in <br>MarketPlace. Especially the external testing or small components owners <br>like EC2 API - definitely not in MarketPlace. So we can't use <br>MarketPlace link during registration. We need to collect some info. <br>Questions are still the same:<br>A) What is enough for DefCore to approve and store new Vendor's information?<br>B) What do we want to show about Vendor in details?<br><br>2) I understand according to your meeting minutes we still have to <br>create User Management UI with list of users for Foundation admins at <br>least. With some simple search obviously. Let's keep that in mind that <br>such an instrument we'll have anyways, so any other UI for other ways of <br>choosing users is extra development.</tt><br><br><tt><font color="#0000FF"><catherine> Supporting "User Management UI with list of users" for Foundation</font></tt><br><tt><font color="#0000FF">admin is in plan for RefStack. But, it MAY not be available in the Mitaka cycle.</font></tt><br><tt><font color="#0000FF">Implementation details will be discussed in RefStack team meetings.</catherine> </font></tt><br><tt><br><br>A) To be completely honest, I think that using openstackid as means for <br>pointing to a potential admin is not a good idea.<br>Why I say this - several reasons:<br>- openstackid is a very confused entity and I doubt majority of <br>vendors-to-be know theirs. I should be really ashamed of this but <br>personally dealing with openstack for more than a couple of years now <br>I've never ever used it explicitly before, so I tried to find my own id <br>after your response. For this I went to openstackid.org and tried to log <br>in. I was asked to use my openstackid to log in. That was nice but that <br>was what I came for. I somehow recalled that probably I should use my <br>email in login field. Problem is I tried with my smartphone and the <br>email I entered automatically brought trailing space which led me to <br>getting "username is of invalid format". Along with suggestion to use my <br>openstackid to log in it made me quite confused. Eventually after a <br>dozen of attempts and resetting my password I've figured everything out <br>but it took me some time. So at least the same thing should be used here <br>- email. Not the openstackid, to be in line and at least a little friendly.<br>- there can be a mistake in manually entering data, so we'll have to <br>still show all information about User and ask about confirmation.<br>- considering the previous one, having access to the Vendor's user <br>management interface (i.e. being an official Vendor) I'll have means to <br>find user's details having his/her openstackid. And openstackid is not a <br>private info - it can be easily acquired. So we're not achieving <br>anything by restricting Vendors from access to lists of users.</tt><br><br><tt><font color="#0000FF"><catherine> From RefStack point of view, either OpenID or email can be used</font></tt><br><tt><font color="#0000FF">as the user identification.</catherine> </font></tt><tt><br><br>B) It's a very good idea to display link to openstackid page, thus <br>allowing user to decide what to show. However I don't see how we can <br>show it user-friendly, especially in lists of other objects. Showing raw <br>openstackid in a column will look awful and long. Besides that it <br>contains user name in clear text. If we don't show it and show only some <br>anonymous link to openstackid page, user will go there and still see the <br>name in URL. Wouldn't it make sense to just show user's login or name <br>instead in our info if it seems not to be such a great secret after all?<br>In regard to launchpad similarity - emails and names of responsible <br>people are shown so that other users can contact them if required. <br>Wouldn't we want to have the same for our Vendors? That's why it must be <br>good to show this at least to regular users, not Guests.<br>And in regard to showing lists of users to Guests or regular Users - as <br>I said, the reason is better be asked of the Foundation - why does it <br>allow lists of attendees during the summits to be seen to everybody? <br>Probably, bonding the community or not considering it secret enough <br>information to hide. I feel that RefStack site is as public venue as <br>OpenStack summits are. And I'd expect the same policies to apply.</tt><br><br><tt><br><br>Best regards,<br> Alex Levine<br><br><br>On 2/19/16 1:59 AM, Mark Voelker wrote:<br>> Hi Alex,<br>><br>> Thanks for writing this up! Some thoughts inline...<br>><br>>> On Feb 18, 2016, at 9:59 AM, Alexandre Levine <alexandrelevine@gmail.com> wrote:<br>>><br>>> Hi,<br>>><br>>> After several recent DevCore meetings some of the questions regarding development decisions for RefStack were answered however some still remain. And during yesterday's meeting some more had arisen.<br>>> Catherine suggested to write to this list in order to speed up the process and not wait for the next DefCore meeting so here it is:<br>>><br>>> 1. Vendors registration information<br>>><br>>> There was a decision made that Vendor registration will be implemented in RefStack with subsequent approval by Foundation admins in corresponding admin interface in RefStack.<br>>> During this registration new Vendor-to-be will have to enter some information related to his/her Organization. In the OpenStack Marketplace (example: </tt><tt><a href="https://www.openstack.org/marketplace/hosted-private-clouds/unitedstack/uos-managed-private-cloud">https://www.openstack.org/marketplace/hosted-private-clouds/unitedstack/uos-managed-private-cloud</a></tt><tt>) we can see that each Vendor besides the name has at least "about" and "commitment" filled in. I think some other hidden fields might be of interest for DefCore as well.<br>>><br>>> Hence a couple of questions:<br>>> A) Would it be possible that RefStack will be used as a source or one of the sources for new Vendors who want to register?<br>>> B) What information about Vendor should RefStack show on Vendor details page?<br>>><br>>> Options:<br>>> A) The first question (if the answer is potentially yes) means that we'll have to collect all of the required information for DefCore in regard to new registering Vendor. We'll need to know what is it then.<br>> I think in an ideal world it would be nice to not have information duplicated between the MarketPlace and RefStack (so conceivably the answer is yes). But given that today information about vendors is housed in the MarketPlace, might we have the opposite situation where a vendor registers with the Marketplace and RefStack uses that data, rather than the reverse? I’m not sure how realistic that is today—Chris Hoge might know better or at least be able to point to the right folks on the Marketplace team, so I’ll leave him to comment.<br>><br>>> If the answer is no then see the second question.<br>>><br>>> B) The second one - we'll have to show something besides the name and I think information might as well correspond to what's in Marketplace because we speak about the same Vendors here. What is it exactly (which fields) and where to get them - ask user during registration I guess?<br>> Here again, it feels like we want to not duplicate information when possible…if we can get the MarketPlace data, great. If not, maybe just a link to the vendor’s MarketPlace entry would suffice.<br>><br>>> 2. Visibility of users registered in RefStack<br>>><br>>> We understand that the idea is to limit exposure of information.<br>>> However, there is a couple of use-cases which we'll have to implement:<br>>><br>>> Questions:<br>>> A) Vendor admin wants to add another admin for the Vendor. How do we allow him/her to find who to add?<br>>> B) Various data we show (Vendors, Clouds, Software, test resuts... etc) have owners and admins, people responsible for it. The question is how do we show it if we do?<br>>><br>>> Options:<br>>> A) We've got users in various roles in this regard: Guest, regular User, officially registered Vendor admin, Foundation admin.<br>>> Usual way of choosing something you need to select is to show list with ability to search through it. That's what I suggest here, obviously.<br>> At the risk of turning this into a UX discussion: I wonder if searching and pick lists are actually necessary? E.g. if I go off the assumptions (please shout if you think these aren’t valid) that:<br>><br>> 1.) A vendor admin and another employee of the company who wants to become a vendor admin presumably have an easy way to exchange information outside of RefStack (phone, email, face-to-face in some cases, etc) and likely regularly do so anyway as part of normal company operations. They could easily exchange, for example, OpenStackID’s.<br>><br>> 2.) Entering one or more OpenStackID’s into a text field wouldn’t be prohibitively difficult. I could see this being a bit of a pain if we expected a single vendor to have hundreds of vendor admins or if new vendor admins needed to be added en masse very frequently, but I think that’s unlikely to be the case in reality.<br>><br>> If these are true, then I wonder if the simplest thing to do is simply give the vendor admin a text field into which he/she can type one or more OpenStackID’s rather than needing to search/find other users. Thinking about how I’d use this feature with my vendor hat on, this seems like it would be fast and easy to me and it’s something I do with other tools anyway. By way of example: if I want to add Bill to my organization on GitHub I phone/email/IM him to get his GitHub ID and type it into a text box in the GitHub UI. I’m no UI designer though, so feel free to take that as just another opinion. =)<br>><br>><br>>> Who to show it to?<br>>> Possibility of adding other users as admins to Vendors is open for official Vendors admins only (for now). So we can limit access to lists of all users and search to official Vendors admins and to Foundation admins.<br>>><br>>> However, there might be another reason to allow showing registered users even to Guests. The same one which caused showing OpenStack summit attendees to anyone in the OpenStack site. At least the login name is displayed, however user can allow more information to be shown.<br>>> I'm not sure what reason was there to disclose this information but I think it can be as good for RefStack. In which case lists of users should be available to even Guests. Or we can limit it to regular Users.<br>> We discussed disclosure at the DefCore meeting this week and the general agreement was to err on the side of keeping information private unless there’s a good reason not to, as you alluded to earlier. So with that in mind: is there a use case for anonymous Guests to be able to see this information?<br>><br>>> B) Information about the team managing particular project in launchpad, or about people responsible for something in OpenStack is usually open and available. I believe we might want to display something of the kind for our data, especially official stuff - Vendors, Clouds, Software. What should it be? What can be shown? Wouldn't it make not listing users to anyone useless if we show it?<br>> I’d probably invoke the mantra of “what information is actually useful” again here as a general rule, and then tackle individual use cases. For example: if I’m looking at a test result, it’s useful for me to see what vendor and product it belongs to. If I’m looking at information that involves and individual, most systems (including OpenStackID and Launchpad) allow users to restrict what information is shown about them, so I would think linking to OpenStackID pages (e.g. </tt><tt><a href="https://openstackid.org/mark.voelker">https://openstackid.org/mark.voelker</a></tt><tt> for example, or pulling data from OpenStackID and displaying it) would be a valid way of presenting that which allows users to a degree of control over information disclosure. Make sense?<br>><br>>> Hope the above is clear enough for discussion and getting some answers as soon as possible.<br>>><br>>> Best regards,<br>>> Alex Levine<br>> Thanks again Alex!<br>><br>> At Your Service,<br>><br>> Mark T. Voelker<br>><br>><br>>><br>>><br>>><br>>><br>>> _______________________________________________<br>>> Defcore-committee mailing list<br>>> Defcore-committee@lists.openstack.org<br>>> </tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee">http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee</a></tt><tt><br><br><br>_______________________________________________<br>Defcore-committee mailing list<br>Defcore-committee@lists.openstack.org<br></tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee">http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee</a></tt><tt><br></tt><br><BR>
</body></html>