| *** tosky has quit IRC | 00:09 | |
| *** yamamoto has quit IRC | 00:15 | |
| *** yamamoto_ has joined #openstack-qa | 00:15 | |
| *** yamamoto has joined #openstack-qa | 01:07 | |
| *** yamamoto_ has quit IRC | 01:10 | |
| *** jhesketh has joined #openstack-qa | 02:34 | |
| *** rcernin has quit IRC | 02:42 | |
| *** rcernin has joined #openstack-qa | 02:54 | |
| johnsom | lxkong: we already have a full set of tests as part of our tempest API suite. | 03:52 |
|---|---|---|
| johnsom | I just want to adapt our existing tests to work with the new-ish “secure RBAC” roles. However all of the tempest credentials always have the “member” role, even when not requested. | 03:57 |
| johnsom | New users via the CLI don’t have this role automatically. | 03:59 |
| johnsom | My first dig in the code indicated that tempest creds with defined roles should not get this “member” role automatically, only those with roles undefined. | 04:00 |
| *** vishalmanchanda has joined #openstack-qa | 04:22 | |
| *** rcernin has quit IRC | 04:51 | |
| *** rcernin has joined #openstack-qa | 04:56 | |
| *** dpaterson has quit IRC | 04:58 | |
| *** vdrok has quit IRC | 04:58 | |
| *** johnsom has quit IRC | 04:58 | |
| *** flaviof has quit IRC | 04:58 | |
| *** TheJulia has quit IRC | 04:58 | |
| *** jamespage has quit IRC | 04:58 | |
| *** masayukig has quit IRC | 04:58 | |
| *** vdrok has joined #openstack-qa | 04:58 | |
| *** dpaterson has joined #openstack-qa | 04:58 | |
| *** flaviof has joined #openstack-qa | 04:58 | |
| *** TheJulia has joined #openstack-qa | 04:58 | |
| *** masayukig has joined #openstack-qa | 04:58 | |
| *** johnsom has joined #openstack-qa | 04:59 | |
| *** jamespage has joined #openstack-qa | 04:59 | |
| lxkong | > My first dig in the code indicated that tempest creds with defined roles should not get this “member” role automatically, only those with roles undefined. | 05:11 |
| lxkong | That also what I read from the code | 05:11 |
| openstackgerrit | Soniya Murlidhar Vyas proposed openstack/tempest master: Implementation of create_subnet() varies in manila-tempest-plugin https://review.opendev.org/c/openstack/tempest/+/766472 | 05:12 |
| *** psahoo has joined #openstack-qa | 05:27 | |
| *** whoami-rajat__ has joined #openstack-qa | 05:32 | |
| *** gcheresh has joined #openstack-qa | 06:12 | |
| *** psahoo has quit IRC | 06:18 | |
| *** psahoo has joined #openstack-qa | 06:33 | |
| *** rcernin has quit IRC | 07:16 | |
| *** rcernin has joined #openstack-qa | 07:19 | |
| *** ccamposr has joined #openstack-qa | 07:21 | |
| *** ralonsoh has joined #openstack-qa | 07:22 | |
| *** rcernin has quit IRC | 07:23 | |
| *** rcernin has joined #openstack-qa | 07:36 | |
| frickler | johnsom: IIUC auth.tempest_roles=member is what makes this always being set, c.f. https://opendev.org/openstack/tempest/src/branch/master/tempest/lib/common/dynamic_creds.py#L238 | 07:40 |
| *** sboyron_ has joined #openstack-qa | 07:40 | |
| *** eolivare has joined #openstack-qa | 07:41 | |
| *** jpena|off is now known as jpena | 08:31 | |
| *** rcernin has quit IRC | 08:32 | |
| *** dmellado has quit IRC | 08:32 | |
| *** dmellado has joined #openstack-qa | 08:33 | |
| *** lucasagomes has joined #openstack-qa | 09:00 | |
| *** arxcruz|ruck is now known as arxcruz|rover | 09:03 | |
| *** rpittau|afk is now known as rpittau | 09:03 | |
| *** jparker has quit IRC | 09:18 | |
| *** jparker has joined #openstack-qa | 09:19 | |
| *** rakhmerov has quit IRC | 09:20 | |
| *** mtreinish has quit IRC | 09:20 | |
| *** mtreinish has joined #openstack-qa | 09:20 | |
| *** zenkuro has joined #openstack-qa | 09:21 | |
| *** tosky has joined #openstack-qa | 09:24 | |
| *** rcernin has joined #openstack-qa | 09:28 | |
| *** gfidente has joined #openstack-qa | 09:29 | |
| *** dtantsur|afk is now known as dtantsur | 09:36 | |
| lxkong | johnsom, hmm, that was merged recently https://review.opendev.org/c/openstack/tempest/+/686306. | 09:41 |
| * lxkong just updated his tempest repo | 09:42 | |
| *** yamamoto has quit IRC | 09:56 | |
| *** yamamoto has joined #openstack-qa | 09:57 | |
| *** yamamoto has quit IRC | 09:57 | |
| *** chaconpiza has joined #openstack-qa | 09:57 | |
| *** rcernin has quit IRC | 10:02 | |
| *** hemanth_n has joined #openstack-qa | 10:12 | |
| openstackgerrit | Lee Yarwood proposed openstack/devstack master: nova: Default NOVA_USE_SERVICE_TOKEN to True https://review.opendev.org/c/openstack/devstack/+/775573 | 10:32 |
| *** yamamoto has joined #openstack-qa | 10:36 | |
| *** yamamoto has quit IRC | 10:48 | |
| *** dviroel has joined #openstack-qa | 11:07 | |
| *** zenkuro has quit IRC | 11:09 | |
| *** zenkuro has joined #openstack-qa | 11:09 | |
| *** yamamoto has joined #openstack-qa | 12:20 | |
| *** yamamoto has quit IRC | 12:22 | |
| *** zenkuro has quit IRC | 12:22 | |
| *** zenkuro has joined #openstack-qa | 12:23 | |
| *** jpena is now known as jpena|lunch | 12:32 | |
| *** Luzi has joined #openstack-qa | 12:55 | |
| *** yamamoto has joined #openstack-qa | 12:57 | |
| *** yamamoto has quit IRC | 13:13 | |
| soniya29 | gmann, kopecmartin, we have got all patched merged regarding scenario manager except - https://review.opendev.org/c/openstack/tempest/+/766472, So scenario manager effort is ready for stable release, right? | 13:19 |
| *** jpena|lunch is now known as jpena | 13:23 | |
| *** artom has joined #openstack-qa | 13:23 | |
| *** hemanth_n has quit IRC | 13:29 | |
| openstackgerrit | Lee Yarwood proposed openstack/tempest master: compute: Add [compute-feature-enabled]ide_bus flag https://review.opendev.org/c/openstack/tempest/+/775630 | 13:46 |
| *** zenkuro has quit IRC | 14:14 | |
| *** zenkuro has joined #openstack-qa | 14:14 | |
| *** nweinber has joined #openstack-qa | 14:17 | |
| kopecmartin | soniya29: more or less, there is still some work needed, see at the bottom of https://etherpad.opendev.org/p/tempest-scenario-manager | 14:27 |
| soniya29 | kopecmartin, ohh yes, I wasn't aware of it :) | 14:30 |
| soniya29 | kopecmartin, thanks for hinting me | 14:30 |
| *** Luzi has quit IRC | 14:34 | |
| kopecmartin | soniya29: it was added just lately | 14:45 |
| soniya29 | kopecmartin, okay | 14:46 |
| *** tosky has quit IRC | 14:55 | |
| *** zenkuro has quit IRC | 14:56 | |
| *** zenkuro has joined #openstack-qa | 14:56 | |
| gmann | soniya29: yeah, that is few things I found we should fix. | 15:00 |
| gmann | after that I will audit again but I think those are last bits | 15:00 |
| *** psahoo has quit IRC | 15:11 | |
| *** vishalmanchanda has quit IRC | 15:22 | |
| dansmith | gmann: kopecmartin: I've had this sitting for a while, hoping for validation of the service catalog approach: https://review.opendev.org/c/openstack/tempest/+/770520 | 15:27 |
| dansmith | I realize just now it might be getting ignored because of the WIP, but I had that there until you guys could tell me what I was doing was okay. maybe should have been RFC :) | 15:28 |
| dansmith | gmann: also the linked devstack patch I would need as well, so appreciate a review of that also. | 15:29 |
| *** iurygregory_ has joined #openstack-qa | 15:29 | |
| *** iurygregory has quit IRC | 15:30 | |
| *** iurygregory_ is now known as iurygregory | 15:30 | |
| gmann | dansmith: sure, will check after my internal meeting. i remember to keep that open in tab but somehow it got closed :) | 15:47 |
| dansmith | gmann: heh, thanks | 15:47 |
| *** tosky has joined #openstack-qa | 16:01 | |
| *** ysirndjuro has joined #openstack-qa | 16:09 | |
| *** ralonsoh has quit IRC | 16:44 | |
| *** ralonsoh has joined #openstack-qa | 16:44 | |
| openstackgerrit | Dan Smith proposed openstack/tempest master: Add image task validation https://review.opendev.org/c/openstack/tempest/+/775679 | 16:47 |
| johnsom | Ok, so confirmed that patch broke our ability to negative test RBAC: | 16:55 |
| johnsom | https://bugs.launchpad.net/tempest/+bug/1915740 | 16:55 |
| openstack | Launchpad bug 1915740 in tempest "All dynamic credentials are forced into "member" role now causing negative test failures" [Undecided,New] | 16:55 |
| johnsom | Thanks lxkong for pointing out that patch. | 16:55 |
| gmann | johnsom: let me check which creds those test are using | 16:58 |
| johnsom | gmann We use this: https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/test_base.py#L52 | 16:59 |
| johnsom | That patch means "lb_member2" will get our roles, plus the "member" role magically added. | 17:00 |
| *** lucasagomes has quit IRC | 17:05 | |
| gmann | johnsom: 'member' role was added previously where devstack used to set the CONF.auth.tempest_roles to 'member' | 17:07 |
| johnsom | gmann Wasn't that only if a specific set of roles were not provided? | 17:07 |
| gmann | devstack still set that which i am removing https://review.opendev.org/c/openstack/devstack/+/774524 | 17:07 |
| gmann | johnsom: yes but with devstack setting it get added as it set CONF.auth.tempest_roles to 'member' | 17:09 |
| johnsom | gmann Yeah, it seems like we are hitting the same problem. | 17:09 |
| gmann | johnsom: can you point me the failure? | 17:10 |
| johnsom | Personally I would lean towards going a step farther and not pulling in CONF.auth.tempest_roles at all if the test suite defines the roles list. But I think with your change it will at least let the tests work | 17:10 |
| *** yamamoto has joined #openstack-qa | 17:10 | |
| gmann | johnsom: because i see no change in behavior by https://review.opendev.org/c/openstack/tempest/+/686306 | 17:10 |
| gmann | johnsom: yeah for new RBAC role like reader tests also we need to remove setting of CONF.auth.tempest_roles | 17:11 |
| gmann | but why test failing now is not clear to me yet. | 17:11 |
| johnsom | gmann This is new test code I'm working on. | 17:13 |
| johnsom | Yeah, I see where the old code was also pulling in that config setting. | 17:13 |
| gmann | johnsom: ok and what that exactly do? with these role? - https://github.com/openstack/octavia-tempest-plugin/blob/master/octavia_tempest_plugin/tests/test_base.py#L52 | 17:13 |
| gmann | johnsom: yeah, it was same way previously also | 17:14 |
| gmann | johnsom: can you test it with (depends-on can be great) https://review.opendev.org/c/openstack/devstack/+/774524 ? | 17:14 |
| gmann | we can see if any other hiding place assigning 'member' | 17:15 |
| *** jpena is now known as jpena|brb | 17:15 | |
| *** yamamoto has quit IRC | 17:15 | |
| johnsom | Sure, NP. I added a chunk of code to our setup_credentials to dump the roles to the log after I had the negative tests blow up. | 17:16 |
| johnsom | https://www.irccloud.com/pastebin/mHBzl1qq/ | 17:16 |
| gmann | johnsom: nice, +1. probably we should log that from tempest itself | 17:17 |
| johnsom | I expected this rule to not have access in the test "rule:load-balancer:write and role:member", but it did and our "should not have access" test failed. | 17:19 |
| gmann | johnsom: agree. if your test pass with 774524 then i can update the cmt message with ^^ scenario too | 17:20 |
| johnsom | gmann Yep, that lets the tests run as expected: Details: {'faultcode': 'Client', 'faultstring': 'Policy does not allow this request to be performed.', 'debuginfo': None} | 17:26 |
| johnsom | Do you want to link to my bug or should I close it? | 17:26 |
| openstackgerrit | Dan Smith proposed openstack/tempest master: Test glance distributed import https://review.opendev.org/c/openstack/tempest/+/770520 | 17:26 |
| gmann | johnsom: great, I will use that bug i commented there. let me update my commit msg | 17:27 |
| johnsom | +1 the patch too | 17:28 |
| openstackgerrit | Ghanshyam proposed openstack/devstack master: Stop configure 'member' role in tempest_roles https://review.opendev.org/c/openstack/devstack/+/774524 | 17:34 |
| gmann | johnsom: ^^ added bug link | 17:35 |
| johnsom | Yep, +1 | 17:35 |
| *** jpena|brb is now known as jpena | 17:35 | |
| *** gfidente is now known as gfidente|afk | 17:44 | |
| *** rpittau is now known as rpittau|afk | 17:47 | |
| *** eolivare has quit IRC | 17:47 | |
| gmann | frickler: can you check this, unblock the neutron gate https://review.opendev.org/c/openstack/devstack/+/774103 | 17:49 |
| *** jpena is now known as jpena|off | 17:51 | |
| *** rcernin has joined #openstack-qa | 17:59 | |
| *** dpaterson has quit IRC | 18:01 | |
| *** johnsom has quit IRC | 18:01 | |
| *** rpittau|afk has quit IRC | 18:01 | |
| *** dpaterson has joined #openstack-qa | 18:02 | |
| *** johnsom has joined #openstack-qa | 18:02 | |
| *** rpittau|afk has joined #openstack-qa | 18:04 | |
| *** rcernin has quit IRC | 18:04 | |
| *** gcheresh has quit IRC | 18:21 | |
| *** dtantsur is now known as dtantsur|afk | 18:32 | |
| *** openstackgerrit has quit IRC | 18:38 | |
| *** rcernin has joined #openstack-qa | 18:59 | |
| *** sboyron_ has quit IRC | 19:10 | |
| *** rcernin has quit IRC | 19:12 | |
| *** rcernin has joined #openstack-qa | 19:48 | |
| *** rcernin has quit IRC | 20:05 | |
| *** rcernin has joined #openstack-qa | 20:21 | |
| *** whoami-rajat__ has quit IRC | 20:22 | |
| *** rh-jelabarre has quit IRC | 20:55 | |
| *** rcernin has quit IRC | 20:57 | |
| *** rh-jelabarre has joined #openstack-qa | 21:01 | |
| *** rh-jelabarre has quit IRC | 21:01 | |
| *** rh-jelabarre has joined #openstack-qa | 21:02 | |
| *** hamalq has joined #openstack-qa | 21:22 | |
| *** rcernin has joined #openstack-qa | 21:23 | |
| *** rcernin has quit IRC | 21:38 | |
| *** rcernin has joined #openstack-qa | 21:38 | |
| *** yamamoto has joined #openstack-qa | 22:15 | |
| *** slaweq has quit IRC | 22:18 | |
| *** yamamoto has quit IRC | 22:39 | |
| *** yamamoto has joined #openstack-qa | 22:40 | |
| *** clarkb has quit IRC | 22:42 | |
| *** nweinber has quit IRC | 23:03 | |
| *** gfidente|afk has quit IRC | 23:21 | |
| *** openstackgerrit has joined #openstack-qa | 23:30 | |
| openstackgerrit | James Parker proposed openstack/whitebox-tempest-plugin master: Added emulator thread pinning tests https://review.opendev.org/c/openstack/whitebox-tempest-plugin/+/687643 | 23:30 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!