*** yamamoto has joined #openstack-qa | 00:05 | |
*** tosky has quit IRC | 00:08 | |
*** hamalq has quit IRC | 00:15 | |
*** yamamoto has quit IRC | 00:27 | |
*** zenkuro has quit IRC | 00:30 | |
*** yamamoto has joined #openstack-qa | 00:51 | |
*** lseki has quit IRC | 02:29 | |
*** rpioso has quit IRC | 02:50 | |
*** lxkong has quit IRC | 02:50 | |
*** rpioso has joined #openstack-qa | 02:52 | |
*** lxkong has joined #openstack-qa | 02:52 | |
*** rfolco|bbl has quit IRC | 02:56 | |
*** yamamoto has quit IRC | 03:20 | |
*** ajitha has joined #openstack-qa | 03:32 | |
*** yamamoto has joined #openstack-qa | 04:15 | |
*** yamamoto has quit IRC | 04:21 | |
*** yamamoto has joined #openstack-qa | 04:22 | |
*** yamamoto has quit IRC | 04:45 | |
*** akahat|PTO is now known as akahat | 05:19 | |
*** yamamoto has joined #openstack-qa | 05:22 | |
*** yamamoto has quit IRC | 05:31 | |
*** evrardjp has quit IRC | 05:33 | |
*** evrardjp has joined #openstack-qa | 05:33 | |
*** gcheresh has joined #openstack-qa | 06:55 | |
*** yamamoto has joined #openstack-qa | 07:10 | |
*** slaweq has joined #openstack-qa | 07:56 | |
*** slaweq has quit IRC | 08:17 | |
*** ajitha has quit IRC | 09:32 | |
*** ramishra has quit IRC | 09:58 | |
*** slaweq has joined #openstack-qa | 11:02 | |
*** slaweq has quit IRC | 11:10 | |
*** slaweq has joined #openstack-qa | 11:12 | |
*** yamamoto has quit IRC | 11:15 | |
*** tosky has joined #openstack-qa | 11:23 | |
*** zenkuro has joined #openstack-qa | 11:25 | |
*** rfolco|bbl has joined #openstack-qa | 12:04 | |
*** yamamoto has joined #openstack-qa | 12:18 | |
*** rfolco|bbl is now known as rfolco | 12:25 | |
*** yamamoto has quit IRC | 12:35 | |
*** ccamposr__ has quit IRC | 13:04 | |
*** ccamposr has joined #openstack-qa | 13:05 | |
*** yamamoto has joined #openstack-qa | 13:45 | |
*** tosky_ has joined #openstack-qa | 13:50 | |
*** tosky is now known as Guest10516 | 13:52 | |
*** tosky_ is now known as tosky | 13:52 | |
*** yamamoto has quit IRC | 13:58 | |
*** zenkuro has quit IRC | 15:03 | |
*** zenkuro has joined #openstack-qa | 15:03 | |
*** chaconpiza has quit IRC | 15:46 | |
*** yamamoto has joined #openstack-qa | 15:55 | |
*** yamamoto has quit IRC | 16:09 | |
*** tosky has quit IRC | 16:12 | |
*** gcheresh has quit IRC | 17:31 | |
gmann | lbragstad: great. reviewing... | 18:07 |
*** elod has quit IRC | 18:27 | |
*** elod has joined #openstack-qa | 18:32 | |
lbragstad | gmann thanks - i'll take another poke at it next week, but i'm wondering if something like that will help | 18:57 |
lbragstad | at least getting people on the same page | 18:57 |
lbragstad | and writing uniform tests - writing all the tests manually in keystone was a pain (i'm not sure if you felt that way implementing it in nova) | 18:57 |
gmann | lbragstad: in nova we added unit tests only but for plugins this will be nice. | 18:58 |
lbragstad | i got https://review.opendev.org/#/c/686305/47 working locally and it's really nice | 18:59 |
gmann | and tempest tests we will slowly move existing tests towards scoped token as services move their policy | 18:59 |
gmann | lbragstad: ok. only concern i had with that approach (686305) was duplicating the tests. | 19:00 |
gmann | maybe making patrole more light weight can save time in that, we discussed it in PTG also - L138 - https://etherpad.opendev.org/p/qa-wallaby-ptg | 19:01 |
gmann | but for keystone we can run patrole as it is because keystone patrole tests do not take much time | 19:02 |
lbragstad | yeah - testing is going to take longer using tempest | 19:03 |
lbragstad | can you elaborate on your concern duplicating the tests? | 19:03 |
lbragstad | are you referencing the abstract base classes? | 19:03 |
gmann | i mean tests for all APIs already exist in tempest or plugins. and writing the same for scoped tokens again is kind of duplicate. | 19:04 |
lbragstad | oh - i see what you mean | 19:05 |
gmann | other issue is complete runtime, for keystone it is fine but for nova and other service running complete API operation for RBAC checks is long time like patrole tests | 19:05 |
lbragstad | yeah | 19:06 |
lbragstad | i'm not really sure how to get around that | 19:06 |
*** tosky has joined #openstack-qa | 19:07 | |
lbragstad | unless we reconsider writing everything as a unit test and simulate scopes using context objects | 19:07 |
gmann | I will think on policy engine flag (like osprofiler) approach if we can do (L147 - https://etherpad.opendev.org/p/qa-wallaby-ptg) but main challenge in that if all services are ok to do that | 19:08 |
lbragstad | i know some people have asked for a set of tests they can use to verify RBAC in their deployment | 19:08 |
gmann | yeah, in nova i did that which took almost 70% of the work for new policy | 19:08 |
lbragstad | right - either way, the majority of this work is in writing tests | 19:08 |
gmann | yeah | 19:09 |
lbragstad | even the unit test approach takes a significant amount of time to run | 19:09 |
lbragstad | we noticed that before colleen ported all our protection unit tests to tempest | 19:09 |
lbragstad | we drastically increased the run time of our unit tests | 19:10 |
gmann | ok, in nova i did with mock which did not increase much time | 19:10 |
lbragstad | i guess our tests was pretty much a functional api test | 19:11 |
lbragstad | test* | 19:11 |
gmann | i see | 19:11 |
*** ccamposr has quit IRC | 19:11 | |
lbragstad | we didn't mock anything | 19:11 |
lbragstad | and we let keystone translate request objects to oslo.context objects - instead of simulating them | 19:12 |
gmann | but did you move your existing functional tests to new policy or adding new one? | 19:12 |
*** ccamposr has joined #openstack-qa | 19:12 | |
lbragstad | we add a new suite of protection tests that were exhaustive | 19:12 |
gmann | ok | 19:12 |
lbragstad | then we refactored and removed existing tests if they were redundant or irrelevant | 19:13 |
lbragstad | and those stuck out as we implemented the feature, because they usually broke | 19:13 |
gmann | for nova, my is to make existing functional tests to run with actual policy (currently we mock policy rules in fun tests) and starting scoped token there | 19:13 |
lbragstad | you're talking about existing tests in tempest? | 19:14 |
lbragstad | or the tests you implemented in nova? | 19:14 |
gmann | no, nova functional tests. | 19:14 |
lbragstad | ok - that makes sense | 19:14 |
lbragstad | so - you just leveraging the existing tests and filling in the gaps as you find them | 19:15 |
gmann | tempest tests also same way but it is branchless so we need some flag to keep testing stable branch on old policy | 19:15 |
lbragstad | right - we added a flag for that in tempest | 19:15 |
lbragstad | and we set it in the plugin | 19:15 |
gmann | example - https://review.opendev.org/#/c/740122/4 | 19:15 |
gmann | ok | 19:15 |
*** rfolco has quit IRC | 19:16 | |
lbragstad | yeah - we do exactly the same thing | 19:16 |
lbragstad | but since all the rbac tests are new - we short-circuit the entire suite if enforce_scope is false | 19:16 |
lbragstad | https://review.opendev.org/#/c/686305/47/keystone_tempest_plugin/tests/rbac/v3/base.py,unified@27 | 19:17 |
gmann | ok, for tempest i am thinking to switch it to old scope (projects scope) if enforce_scope is false. but need to try that how it will work | 19:18 |
lbragstad | sure - that makes sense | 19:18 |
lbragstad | if we can find a better way to re-use the existing tempest tests for various situations, i'm all for it | 19:19 |
lbragstad | i think having a separate suite dedicated to RBAC is cleaner and much easier to use to validate deployments, but run time might be a problem | 19:19 |
gmann | yeah for all other services like nova, cinder it is very high and that is main reason we are not able to add patrole in their gate. but for keystone it makes sense | 19:20 |
lbragstad | i'll have to think about it a bit more | 19:21 |
lbragstad | i gotta run - but i'll try and catch up with you early next week | 19:21 |
gmann | I feel if 1. each service write (or move existing) unit tests or functional tests with real policy (new) enforcement then we will be good and 2. start tempest to move towards new policy as default 3. think on patrole to make it faster | 19:22 |
gmann | sure, I am going to spend next week on these and reviewing existing patches also | 19:23 |
lbragstad | ++ | 19:24 |
gmann | and we can also catch up on call for that after some finding which is quicker than chat :) | 19:24 |
*** ccamposr__ has joined #openstack-qa | 19:37 | |
*** ccamposr has quit IRC | 19:40 | |
*** yamamoto has joined #openstack-qa | 20:09 | |
*** yamamoto has quit IRC | 20:13 | |
*** zenkuro has quit IRC | 20:23 | |
*** zenkuro has joined #openstack-qa | 20:23 | |
*** whoami-rajat__ has quit IRC | 20:24 | |
openstackgerrit | Ghanshyam Mann proposed openstack/tempest master: Add system scope for admin auth https://review.opendev.org/686073 | 20:25 |
openstackgerrit | Ghanshyam Mann proposed openstack/tempest master: Add client methods and tests for system grants https://review.opendev.org/743865 | 20:25 |
openstackgerrit | Ghanshyam Mann proposed openstack/tempest master: Add default RBAC personas to dynamic credentials https://review.opendev.org/686306 | 20:25 |
openstackgerrit | Ghanshyam Mann proposed openstack/tempest master: Add default RBAC personas to pre-provisioned creds https://review.opendev.org/698397 | 20:26 |
openstackgerrit | Ghanshyam Mann proposed openstack/tempest master: Add system scoped request for compute hypervisor tests https://review.opendev.org/740122 | 20:32 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: Add system_scope setting support for Nova & Tempest https://review.opendev.org/613251 | 20:32 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-3 https://review.opendev.org/614486 | 20:32 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-2 https://review.opendev.org/616416 | 20:32 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-2 https://review.opendev.org/616416 | 20:33 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-1 https://review.opendev.org/616415 | 20:33 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: Add system_scope setting support for Nova & Tempest https://review.opendev.org/613251 | 20:48 |
openstackgerrit | Ghanshyam Mann proposed openstack/tempest master: Add new job for system scope testing https://review.opendev.org/614484 | 20:50 |
*** paras333 has quit IRC | 20:56 | |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-1 https://review.opendev.org/616415 | 21:00 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-2 https://review.opendev.org/616416 | 21:04 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-3 https://review.opendev.org/614486 | 21:06 |
openstackgerrit | Ghanshyam Mann proposed openstack/devstack master: DNM: Testing system-scope scenario-4 https://review.opendev.org/760697 | 21:09 |
gmann | kopecmartin: this is good to go now, testing passing with nova's depends-on patch - https://review.opendev.org/#/c/742546/ | 21:15 |
*** gcheresh has joined #openstack-qa | 21:50 | |
*** yamamoto has joined #openstack-qa | 22:11 | |
*** yamamoto has quit IRC | 22:13 | |
*** yamamoto has joined #openstack-qa | 22:13 | |
*** gcheresh has quit IRC | 22:14 | |
*** ccamposr__ has quit IRC | 22:45 | |
*** yamamoto has quit IRC | 22:48 | |
*** yamamoto has joined #openstack-qa | 22:52 | |
*** early has quit IRC | 23:02 | |
*** yamamoto has quit IRC | 23:03 | |
*** yamamoto has joined #openstack-qa | 23:05 | |
*** early has joined #openstack-qa | 23:06 | |
*** yamamoto has quit IRC | 23:38 | |
*** yamamoto has joined #openstack-qa | 23:42 | |
*** slaweq_ has joined #openstack-qa | 23:55 | |
*** slaweq has quit IRC | 23:57 |