Thursday, 2019-08-15

*** dave-mccowan has quit IRC00:22
*** ricolin has joined #openstack-sdks01:03
openstackgerritMerged openstack/keystoneauth master: add support for auth_receipts and multi-method auth  https://review.opendev.org/67504901:44
adriantmordred, dtroyer: I assume the two of you are who I need to bug about MFA in the sdk and osc?02:04
adriantI'm thinking, if I can focus on Horizon, I can probably get that done before Train release (hopefully)02:06
adriantso I don't know if I can do the sdk and osc work, but I can review it02:06
*** bobh has joined #openstack-sdks02:55
*** altlogbot_3 has quit IRC03:16
*** altlogbot_1 has quit IRC03:16
*** altlogbot_2 has joined #openstack-sdks03:18
*** bobh has quit IRC03:47
*** gkadam has joined #openstack-sdks04:07
*** gkadam has quit IRC04:08
*** bobh has joined #openstack-sdks04:27
adriantdtroyer, mordred: I kind of am imagining we eventually do something like this:04:34
adrianthttp://paste.openstack.org/show/757171/04:34
adriantwhich maybe even generates and saves (based on an option) a clouds.yaml file with the values you enter04:34
adriantadditionally we may want to think about how we want to handle the MFA error from keystoneauth when it gets raised04:35
adriantand... lastly I don't think we have any SDK or CLI ways to enable MFA for a user and manage their auth rules?04:35
adriantbut I'm not 100% sure on that04:36
*** bobh has quit IRC05:00
*** bobh has joined #openstack-sdks05:02
*** bobh has quit IRC05:07
adriantyeah, doesn't look like the SDK supports user options as a value on the user object05:18
adriantbut user options lets you patch a dict so i think you can update them05:18
adrianthttps://github.com/openstack/openstacksdk/blob/master/openstack/identity/v3/_proxy.py#L67305:19
adriant^ I think. I'm not 100% sure if that will fail because options doesn't exist as an option on the user object05:19
*** ricolin_ has joined #openstack-sdks07:03
*** ricolin has quit IRC07:05
*** ricolin_ is now known as ricolin07:33
*** noama has joined #openstack-sdks07:34
*** e0ne has joined #openstack-sdks08:15
openstackgerritRabi Mishra proposed openstack/keystoneauth master: Allow initializing session with connection retries  https://review.opendev.org/67664808:43
*** cdent has joined #openstack-sdks08:52
*** bobh has joined #openstack-sdks09:06
*** ricolin has quit IRC09:07
*** bobh has quit IRC09:10
*** zbr|flu is now known as zbr09:33
*** jangutter has joined #openstack-sdks09:51
*** jangutter has quit IRC10:41
mordredadriant: yeah- I've actually wanted a login command for a while - I think if we do it right it could also be used to add a clouds.yaml entry - like from openrc values - or maybe like kubectl setcontext to set a "default" flag in the clouds.yaml (*waves hands*)10:45
*** jangutter has joined #openstack-sdks10:57
*** jangutter has quit IRC11:01
*** bobh has joined #openstack-sdks12:21
*** ricolin has joined #openstack-sdks12:37
openstackgerritMonty Taylor proposed openstack/openstacksdk master: Make block-storage work with proxies  https://review.opendev.org/67538212:37
mordredShrews, dtantsur|afk: ^^ I think that should work now - but we might need to squash it with the previous patch to make it all work happily. I figure reviewing separate before the squash would be friendlier12:38
*** bobh has quit IRC12:50
Shrewsmordred: okie dokie. will take a peek shortly12:53
mordredShrews: you're going to "love" it12:54
Shrewslike i "love" getting punched in the face?12:55
mordredShrews: yeah. pretty much just like that13:01
*** mriedem has joined #openstack-sdks13:18
*** bobh has joined #openstack-sdks13:25
*** bobh has quit IRC13:30
openstackgerritMonty Taylor proposed openstack/openstacksdk master: Make block-storage work with proxies  https://review.opendev.org/67538214:14
mordredstupid pep814:16
*** bobh has joined #openstack-sdks14:44
*** bobh has quit IRC14:51
Shrewsmordred: i left you a question/comment on that14:52
openstackgerritDavid Shrewsbury proposed openstack/openstacksdk master: Add header to auto-delete image upload objects  https://review.opendev.org/67671415:01
*** dave-mccowan has joined #openstack-sdks15:22
*** dave-mccowan has quit IRC15:30
mordredcorvus: ^^ might be the rare SDK patch you want to review15:30
corvusmordred, Shrews: ++15:33
openstackgerritMonty Taylor proposed openstack/openstacksdk master: Make block-storage work with proxies  https://review.opendev.org/67538215:33
mordredcorvus: I don't know why it took us so long to think of that :)15:33
*** efried has quit IRC15:46
*** efried has joined #openstack-sdks15:50
*** cdent has quit IRC15:53
openstackgerritDavid Shrewsbury proposed openstack/openstacksdk master: Avoid unnecessary object meta prefix in proxy  https://review.opendev.org/67672615:59
edleafeShout out to all the API-SIG Offcie Hour people! Take a number and queue politely!16:00
*** slaweq has joined #openstack-sdks16:00
* mriedem pushes and shoves16:06
edleafeok, mriedem, back of the line!16:06
*** slaweq has quit IRC16:14
*** ricolin has quit IRC16:17
*** e0ne has quit IRC16:28
*** slaweq has joined #openstack-sdks16:30
*** slaweq has quit IRC16:38
*** slaweq has joined #openstack-sdks16:48
*** cdent has joined #openstack-sdks17:10
mordredShrews: zomg. https://review.opendev.org/#/c/675382 worked17:11
*** cdent has quit IRC17:19
mordredShrews: there's also two patches before the fixture patch - https://review.opendev.org/#/c/675178 and https://review.opendev.org/#/c/675130 that are ready whenever17:20
*** bobh has joined #openstack-sdks17:39
*** e0ne has joined #openstack-sdks17:52
*** bobh has quit IRC17:55
openstackgerritMonty Taylor proposed openstack/openstacksdk master: Replace catalog-v3.json with keystoneauth fixture  https://review.opendev.org/67518718:10
mordredShrews: thanks! ^^ merged the block-storage patch into the catalog fixture patch18:11
mordred(which is still a net-reduction in LOC)18:11
*** e0ne has quit IRC18:36
efriedmordred: Still that first ironic-sdk-in-nova patch succeeds but the second one fails. Do you have a minute to help me debug?19:14
openstackgerritMerged openstack/openstacksdk master: Avoid unnecessary object meta prefix in proxy  https://review.opendev.org/67672619:24
openstackgerritMerged openstack/openstacksdk master: Add header to auto-delete image upload objects  https://review.opendev.org/67671419:24
*** camelCaser has quit IRC19:28
openstackgerritMerged openstack/openstacksdk master: Validate that connect_as connects as the project  https://review.opendev.org/67517819:36
*** noama has quit IRC19:40
*** gouthamr is now known as gouthamr|brb20:02
*** gouthamr|brb is now known as gouthamr20:30
*** camelCaser has joined #openstack-sdks20:38
*** slaweq has quit IRC20:50
mordredefried: poop - was AFK - can you point me at the failng patch?20:55
efriedhttps://zuul.opendev.org/t/openstack/build/fcf71dbb7bd743249b69c83c8f2ba72a/log/controller/logs/screen-n-cpu.txt.gz?severity=320:56
efriedmordred: From what I can tell, we're (correctly) getting a conn error while the service is still coming up20:56
efriedBUT20:56
efriedbecause allow_version_hack=True we're actually returning an adapter rather than raising an exception.20:56
mordredefried: cool thanks20:56
mordredoh20:56
mordredthat's ...20:57
efriedI noticed there's a few places we explicitly set allow_version_hack=True, but afaict that's the default in ksa anyway.20:57
mordredthis is really a behavior design issue that I think we're going to need to fix - and is an actual valid usecase for wanting the other behavior20:57
mordredsdk is assuming that an end-user is wanting to talk to a cloud, and that the cloud exists, so it does what it can to get them _something_20:58
mordredbut for nova - you want the inverse - you *want* an error when there is an issue with the remote servie20:58
mordredbeause you're more assured that you know what you're doing so if you get an error it's because there is an error20:58
efriedI don't think this is one of the sdk paths where we explicitly set allow_version_hack=True. I think we're not setting that, but getting True because that's the default.20:58
efriedthat being the case, a possible solution is to default allow_version_hack=False *except* in those cases where we set it explicitly.20:59
efriedThree of them, I believe.20:59
efriedefried@efried-ThinkPad-W520:~/openstack/openstacksdk$ git grep -n allow_version_hack20:59
efriedopenstack/service_description.py:109:                allow_version_hack=True,20:59
efriedopenstack/service_description.py:205:            allow_version_hack=True,20:59
efriedopenstack/service_description.py:229:                allow_version_hack=True,20:59
mordredyeah - but regardless of that setting, sdk is going to, as it currently stands, try REALLY hard to not throw an exception for you20:59
*** mriedem has quit IRC21:00
efriedmm. Then yeah, I need a way to pass an option that says "throw an exception unless what you give me is really working"21:00
mordredI kind of think we need a connection flag "raise_on_missing_service" or something named better than that21:00
mordredyeah21:00
mordredbecause contrary to an end-user who may be trying to use a weird cloud, or one that's configured weirdly and may not know all the ins and outs - it is *expected* that an admin will have told nova about anyhting weird in their cloud21:01
mordredand it is much better to get a hard logged error so the admin can investigate the misconfig21:01
efriedfor sure.21:01
mordredefried: I have a thought ... let me see if I can make a patch21:01
efriedfwiw, the same sequence with ironicclient looks like this: https://zuul.opendev.org/t/openstack/build/402a73a9238643c2b893d53b37a6ce27/log/controller/logs/screen-n-cpu.txt.gz?severity=321:02
efriedwait, sorry, that's not right.21:02
mordredefried: you get "virtdriver not ready" when the service pointed to by the catalog is not there, yes?21:02
efriedVirtDriverNotReady is raised by the Ironic driver itself when it encounters an error trying to get the client (in whatever form)21:04
efriedThis is from the previous patch, which still uses sdk, but doesn't *rely* on it really early on, for node_list:21:04
efriedhttps://zuul.opendev.org/t/openstack/build/402a73a9238643c2b893d53b37a6ce27/log/controller/logs/screen-n-cpu.txt.gz?severity=321:04
efriedYou can see it's getting the same error, but eventually it succeeds.21:04
efriedactually, I think we're seeing that error for baremetal while we're building conn for a different service21:06
efriedHere's a "normal" one, from before attempting to use sdk for ironic: https://zuul.opendev.org/t/openstack/build/cbe668cd674747168ac05759e9e147f3/log/controller/logs/screen-n-cpu.txt.gz?severity=321:06
efriedThat StrictVersion exception, which I think comes from ironicclient when the service isn't ready, is the one we're translating to VirtDriverNotReady.21:07
mordredyeah - makes sense - you're asking what version the service is and you're getting nothing because there is no service21:08
efriedOkay, so that gels - that's raising an exception and nova is set up to deal with that and retry; but the sdk path isn't raising, so we thing things are fine and actually (probably) bounce trying to access the real thing.21:09
mordredyeah- and what's worse, we're never going to re-try version discovery beacuse teh proxy will already be constructed21:10
*** slaweq has joined #openstack-sdks21:11
mordredI think I've got a good handle on what we want the behavior to be21:11
mordrednow if I can just translate that into python words21:11
*** slaweq has quit IRC21:17
efriedmordred: FWIW, I think I'm going to want to use this option universally from nova.21:31
efriedI just did some local twiddling with a placement service21:31
efriedand (as expected, I think) I get a Proxy both times.21:31
efriedhere's the diff in the logs (< is service down) http://paste.openstack.org/raw/757499/21:32
efriedI tried setting allow_version_hack=False but it still returns the proxy21:36
openstackgerritMonty Taylor proposed openstack/openstacksdk master: WIP Add a strict_proxies option for services  https://review.opendev.org/67682921:36
mordredefried: ^^ how about something liek this21:36
efriedmordred: does it need to be on top of those other patches?21:37
mordredefried: no - that's just my local working state - that's a very unclean patch21:39
efriedmordred: Okay.21:39
efriedSo right off the bat: I just tried allow_version_hack=False locally and it still returns the proxy.21:39
mordredefried: (wanted to get the first stab down so I didn't lose thinking context during dinner)21:39
efriedso I think that path should still have a check and raise, maybe on that get_endpoint()21:40
mordredefried: yeah - I think there are some other code paths in there that will return you something21:40
efriedno, this was for placement, which doesn't have a shim, so it should be hitting that code path.21:40
efriedwhich is actually confirmed by the logging - I don't see that "Fallback" message, which is only emitted when allow_version_hack=True.21:40
mordredah - gotit. so maybe check that get_endpoint() actually returns something?21:41
efriedyeah, exactly21:42
mordredwhat if ...21:42
mordredif self._strict_proxies - we do temp_client.get_endpoint_data() instead of get_endpoint() - and check to make sure endpoint_data has a version?21:42
efrieddo all services have a version?21:43
mordredeverything except swift I think21:45
mordredbut I'm not 100% sure if that's the right thing to test21:45
openstackgerritMonty Taylor proposed openstack/openstacksdk master: WIP Add a strict_proxies option for services  https://review.opendev.org/67682921:46
mordredefried: ^^ shotgun to see if we can get one of the things to trigger :)21:46
mordredand then figure out which one is the RIGHT one to trigger on when the brain has more available brainjuice21:46
efriedmordred: What's weird is, I'm making sure that get_endpoint[_data] should fail, but the proxy is still returning.21:46
efriedis there a try/except somewhere up above?21:47
mordredthere shouldn't be21:47
mordredand that is weird21:47
efriedI'm not getting an actual exception until I try to use the thing.21:47
mordredyou don't have that patch that added a placement service_description in do you?21:47
mordredefried: (I'm probably going to want to construct a bunch of weird tests for this one so we can be sure we've got this covered)21:48
efriedmordred: Well, yes, I have the commit that added placement service_description, but that only happens in a test fixture, when you setUp the fixture, which I'm not doing locally.21:49
mordredweird21:50
mordredefried: I unfortunately have to adjourn to the dinner - if you find anything, let me know - otherwise I'll pick it up first thing in the morning and see if I can't construct some catalogs/request_mock tests we can use21:51
efriedmordred: Thank you sir. I'll noodle with it for a few more minutes before I, too, have to run (and choke some people)21:52
efriedmordred: a couple of typos notwithstanding, strict_proxies is a success.21:59
mordredefried: yes? SWEET22:00
mordredefried: then in the morning I'll work on tests and cleaning it up22:01
efriedmordred: Sweet, then we'll need 0.35.0 pretty quick.22:01
efriedI'll mark up the typos (at least the ones I saw), least I can do :P22:01
efriedmordred: It works for placement... I'm not sure it'll work for ironic. I need to dig more.22:03
*** slaweq has joined #openstack-sdks22:11
*** slaweq has quit IRC22:16
*** goldyfruit has quit IRC22:35
*** goldyfruit has joined #openstack-sdks22:38
adriantmordred: how/when do we want to do the MFA work?22:54
*** goldyfruit has quit IRC22:56
*** goldyfruit has joined #openstack-sdks22:56
openstackgerritEric Fried proposed openstack/openstacksdk master: WIP: Connection(strict_proxies)  https://review.opendev.org/67683723:01
efriedmordred: there's my spin on it ^23:01
adriantI don't know your timetable, but wanna organise a meeting time and I can stay up late so we can discuss and plan?23:02
adriantmordred: ^23:02
openstackgerritEric Fried proposed openstack/openstacksdk master: WIP: Connection(strict_proxies)  https://review.opendev.org/67683723:09
*** slaweq has joined #openstack-sdks23:11
*** slaweq has quit IRC23:16
openstackgerritEric Fried proposed openstack/openstacksdk master: WIP: Connection(strict_proxies)  https://review.opendev.org/67683723:16

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!