andrewbogott_ | Just in case anyone has a quick fix... I have a sink plugin that relied on find_records to enumerate the IPs associated with the deleted VM. With the removal of the find_records call, can anyone suggest another way to answer that question w/out having to make a rest call to Nova? | 17:04 |
---|---|---|
gmann | johnsom: I replied on this, please check https://review.opendev.org/c/openstack/designate/+/925531 | 17:09 |
gmann | johnsom: this is blocking the new oslo.policy in u-c as designate job failing there (PS1, PS2 is with designate fix which pass the job)- https://review.opendev.org/c/openstack/requirements/+/925464 | 17:10 |
johnsom | gmann Ah, so this is back to the "enable scope" will break upgrades no matter what issue. I thought we agreed to not "enable scope" as it will force errors on users | 17:20 |
johnsom | oslo_policy.policy.InvalidScope: "all_tenants": "role:admin" requires a scope of ['project'], request was made with system scope. | 17:21 |
gmann | johnsom: it is not like it will break upgrade as everything is 'project scoped'. it is more of fixing the existing testing and make sure everything work well before we enable it by default | 17:21 |
gmann | johnsom: exactly, this error shows it is just usage error. system scope token should not be used for OpenStack services (except ironic) and project scoped token continue to work as it is | 17:22 |
johnsom | gmann by "fix testing" you mean remove all of the system scope tests to back out of the system scope functionality | 17:22 |
gmann | johnsom: yes, that is what policy default has done right. dropped the system scope support right | 17:22 |
gmann | johnsom: or designate has not dropped system scope yet? I think it was octavia did? I remember we discussed about it in rbac meeting | 17:24 |
johnsom | This has waffled (5th or 6th change to the plan now) so many times we stopped as config settings can disable the system scope stuff. | 17:25 |
gmann | though i cannot find the system scope in policies default but you know if that is still supported https://github.com/openstack/designate/tree/master/designate/common/policies | 17:25 |
gmann | other than alias name as SYSTEM-READER etc | 17:26 |
gmann | this was done for octavia https://review.opendev.org/c/openstack/octavia/+/875620 | 17:27 |
johnsom | Yeah, the same was done to Designate, but Octavia never tested system scope at the functional test level if I remember right | 17:27 |
gmann | I see | 17:28 |
johnsom | Octavia focused on tempest | 17:28 |
gmann | johnsom: one way is the fix I proposed (continue disable the new default) or other way is 'enable new defaults by default' I can try to fix the tests (use project scope token) and that way we can release designate this cycle with 'new defaults enable' | 17:29 |
gmann | I think we can merge this fix for now and i can work on later part so that we can unblock the use of latest oslo.policy in CI | 17:30 |
gmann | but let me know how you prefer | 17:31 |
johnsom | It's been years since I added system scope support, so I'm trying to dig and find where it is. If neutron has switched, we must get designate switched. | 17:31 |
gmann | johnsom: yes, neutron has switched in bobcat (2023.2) cycle | 17:33 |
johnsom | Hmm, I was told they were not going to do it then | 17:33 |
gmann | ohk | 17:33 |
gmann | https://github.com/openstack/neutron/blob/stable/2023.2/neutron/policy.py#L61 | 17:34 |
johnsom | So it's probably this line that is a problem: https://github.com/openstack/designate/blob/master/designate/context.py#L116 | 17:34 |
gmann | johnsom: yes, this need to be removed | 17:35 |
gmann | and we can cleanup these alias also to avoid confusion https://github.com/openstack/designate/blob/master/designate/common/policies/base.py#L30-L36 | 17:37 |
gmann | but they do not actually use system scope so it is more of cleanup | 17:37 |
johnsom | Give me 30 minutes to see if I can fix those tests for this latest change of leaving system scope true | 17:38 |
gmann | johnsom: thanks. sounds good. | 17:38 |
opendevreview | Michael Johnson proposed openstack/designate master: Update functional tests for new RBAC system scope https://review.opendev.org/c/openstack/designate/+/925623 | 18:08 |
johnsom | gmann This patch passes: https://review.opendev.org/c/openstack/designate/+/925623 | 18:09 |
johnsom | I'm not 100% sure I didn't break something with oslo.policy < 4.4, but will try that out now. | 18:09 |
gmann | johnsom: current testing in CI will be with oslo.policy <4.4 and in this requirement change it will be with 4.4 so both can be tested https://review.opendev.org/c/openstack/requirements/+/925464 | 18:10 |
johnsom | Yeah, but I'm going to run it local now just to make sure | 18:11 |
gmann | +! | 18:12 |
johnsom | Yeah, we are good on < 4.4. I will update the req depends on | 18:13 |
gmann | cool | 18:15 |
johnsom | gmann What was the requirement bump to 3.11 for? Do I need to move that over to my patch as well? | 18:21 |
johnsom | https://review.opendev.org/c/openstack/designate/+/925531/2/requirements.txt | 18:21 |
gmann | johnsom: that was for overriding the rbac flag default which is not done in your change so not needed in your change | 18:22 |
johnsom | ack | 18:22 |
gmann | johnsom: but we need to bump it to 4.4.0 once requirement change is done example https://review.opendev.org/c/openstack/octavia/+/925625 | 18:22 |
gmann | so that new default enable is reflected in oslo.policy required version also | 18:22 |
johnsom | Well, not technically, but should | 18:23 |
gmann | yeah, both work but just to tell clearly that new default are enabled and you can disable it explicitly in conf or use older oslo.policy | 18:23 |
gmann | enabling those in oslo.policy and version bump is to encourage operators to switch to new defaults as soon as they can | 18:24 |
johnsom | And feel the pain... lol | 18:24 |
gmann | :) | 18:25 |
johnsom | So, once the designate gates are done, if you give a positive review, I will merge that today | 18:25 |
opendevreview | Ghanshyam proposed openstack/designate master: Update oslo.policy version for new defaults https://review.opendev.org/c/openstack/designate/+/925627 | 18:26 |
gmann | sure | 18:26 |
gmann | johnsom: ^^ requirement bump but this need to wait until requirements change | 18:27 |
johnsom | Yep, thanks | 18:27 |
opendevreview | Merged openstack/designate master: Update functional tests for new RBAC system scope https://review.opendev.org/c/openstack/designate/+/925623 | 22:28 |