00:00:51 <ekcs> #startmeeting congressteammeeting 00:00:52 <openstack> Meeting started Thu May 11 00:00:51 2017 UTC and is due to finish in 60 minutes. The chair is ekcs. Information about MeetBot at http://wiki.debian.org/MeetBot. 00:00:53 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 00:00:56 <openstack> The meeting name has been set to 'congressteammeeting' 00:01:03 <ramineni_> ekcs: hi 00:01:27 <ekcs> hi all! welcome back to another meeting. collaborative list of topics are kept here as usual: https://etherpad.openstack.org/p/congress-meeting-topics 00:01:30 <ekcs> hi ramineni_ 00:02:50 <ramineni_> ekcs: howz the summit going on? 00:04:40 <ekcs> it’s going well. got to participate in some interesting discussions around rbac, hierarchical quotas, api microversioning, deprecating postgres, etc. 00:06:18 <ramineni_> ekcs: ohk, great 00:06:41 <ekcs> ok let’s move along then =) 00:06:51 <ekcs> #topic gate failure 00:07:21 <ekcs> looks like you’ve resolved/worked around the two main issues, devstack and keystone v2? 00:07:46 <ramineni_> ekcs: yes, but still one issue is pending 00:07:55 <ekcs> thanks a ton! 00:08:00 <ekcs> what’s the pending issues ramineni_ ? 00:08:17 <ekcs> dealing with the remaining keystone v2 stuff? 00:08:23 <ramineni_> ekcs: HA tests and keystone v2 tests are disabled as of now 00:09:20 <ramineni_> ekcs: yes , with the removal of v2 v3 in the auth_url, v3 is working staright forward , but still need to figure out identifying v2 00:09:46 <ramineni_> HA test problem is also we are using idnetity v2 clients for creation of replica 00:10:26 <ekcs> ah I didn’t notice the HA stuff. so is that just a matter of changing to v3 in the way replicas are created? 00:10:37 <ramineni_> ekcs: and also, you remember making the local copy of manager file which used to be in tempest? 00:10:48 <ekcs> yes 00:11:27 <ramineni_> ekcs: any idea, if can remove this and use directly 00:11:29 <ramineni_> https://github.com/openstack/congress/blob/master/congress_tempest_tests/tests/scenario/manager.py 00:13:17 <ramineni_> ekcs: this part is failing in HA , https://github.com/openstack/congress/blob/master/congress_tempest_tests/tests/scenario/congress_ha/test_ha.py#L45 00:13:53 <ramineni_> ekcs: taking v2 here , have to use right client here and test it ..ill get to that this week 00:14:28 <ekcs> thanks so much for figuring stuff out! 00:14:58 <ekcs> ok ramineni_ said: “any idea, if can remove this and use directly https://github.com/openstack/congress/blob/master/congress_tempest_tests/tests/scenario/manager.py” 00:15:18 <ekcs> I’m confused what “this” refers to. what are you proposing to remove? 00:15:48 <ramineni_> ekcs: local copy, the link i mentioned 00:17:19 <ramineni_> can we remove this https://github.com/openstack/congress/blob/master/congress_tempest_tests/tests/scenario/manager.py” 00:17:21 <ramineni_> ? 00:17:25 <ekcs> ok yea mean remove the local copy you linked and use tempest library directly. 00:17:31 <ramineni_> ekcs: yes 00:18:15 <ekcs> I would think no because the idea is tempest team is going to take some time to refactor things and create stable interfaces. 00:18:32 <ekcs> when they’re done we’ll rework things to use their new interfaces. 00:18:42 <ramineni_> ekcs: ok 00:18:50 <ekcs> in the mean time, if we use their library directly, things will break as they make changes. 00:19:05 <ekcs> unless they’re already done, but i haven’t seen any notice on ML. 00:19:24 <ekcs> just did a search again to be sure. nothing on ML. 00:19:38 <ramineni_> ekcs: ok, got it. 00:19:41 <ekcs> does it help us/you to remove? 00:20:24 <ramineni_> ekcs: no 00:20:51 <ekcs> oh ok. well i’ll monitor the ML and when i hear update from tempest team I’ll let people know. 00:20:54 <ramineni_> ekcs: I better not create new failures by touching that file :) 00:21:00 <ekcs> hehe. 00:21:12 <ramineni_> ekcs: great, thanks 00:21:31 <ramineni_> ekcs: In the meanwhile , can we merge to resolve the gate failure as of now.. ? 00:21:56 <ekcs> ok one last thing. in what you’ve looked at so far, do you know if keystone v2 is supposed to work (we just use it wrong) or not supposed to work at all? 00:22:03 <ramineni_> ekcs: local devstack failing because of the issues, so we need that patch to be merged asap 00:22:21 <ekcs> yup I think we should merge it. I already +1ed. 00:22:38 <ekcs> you can go ahead and +2/+1 00:22:58 <ramineni_> ekcs: i couldnt get anything, i have checked the keystone latest commits, nothing of deprecation related 00:23:23 <ramineni_> ekcs: change in auth_url , may be we have to change the way we are detetcting its v2 00:23:47 <ekcs> ok hmm. maybe i’ll ask one of the keystone folks at the summit hehe. ok thanks! 00:24:04 <ekcs> do you have the keystone patch handy that changed the auth_url expected? 00:25:51 <ramineni_> ekcs: you meant this one https://review.openstack.org/#/c/458449/ 00:25:52 <patchbot> patch 458449 - openstack-dev/devstack - try to use unversioned keystone endpoints everywhere (MERGED) 00:27:22 <ekcs> hmm ok. yea I see that devstack patch, was wondering if we know the keystone patch that made this necessary. 00:27:52 <ekcs> from there we may be able to figure things out. 00:28:13 <ekcs> there must have been a change on keystone that made the versioned auth_url not work. 00:28:35 <ramineni_> ekcs: yes, ok, couldnt find it as of now 00:28:37 <ekcs> not necessarily easy to track down tho. 00:28:41 <ekcs> yea. ok. great 00:28:54 <ekcs> if i get hold of a keystone guy i’ll ask =) 00:29:14 <ramineni_> ekcs: great :) 00:29:59 <ekcs> ok well lets move on then? 00:30:45 <ramineni_> yes 00:32:03 <ekcs> #topic policy library 00:32:28 <ekcs> ok too bad no thinrichs and masahito, but let’s see what we can do. 00:32:33 <ekcs> thanks for the comments. 00:32:43 <ekcs> on #link https://review.openstack.org/#/c/457880/6/specs/pike/policy-library.rst@96 00:32:44 <patchbot> patch 457880 - congress-specs - policy library spec 00:33:15 <ramineni_> ekcs: yep, i was just wondering if we have explored that option ? 00:34:28 <ramineni_> ekcs: and still couldnt get why we need to store template policies in DB ? and if we want to store, can u update inthe spec, what all details we are storing? 00:34:44 <ramineni_> ekcs: is it just the id, or all details? 00:35:11 <ekcs> ok so there are two things. 00:36:17 <ekcs> for whether to go actual templates instead of plain policy that can be editted: thinrichs came up with that design. I think the idea is we may not have time this cycle to figure out all the details needed to deal with templates (what syntax, would it interfere with existing rule syntax? do we need new parser grammer?, what gui, etc) 00:36:32 <ekcs> so we can get almost all the benefit without explicitly doing placeholders. 00:36:49 <ekcs> just use normal variables/constants, and choose names that make it clear users can edit them. 00:37:47 <ekcs> do you see a major benefit of using templates instead of actual policies users can edit? 00:38:26 <thinrichs> Hi all. Sorry I'm late—got caught up (again) 00:38:41 <ramineni_> thinrichs: hi 00:38:57 <ekcs> ah you’re here just in time for the pol lib discussion. 00:39:28 <ekcs> we’re talking about ramineni_ ’s comment here: https://review.openstack.org/#/c/457880/6/specs/pike/policy-library.rst@96 00:39:28 <patchbot> patch 457880 - congress-specs - policy library spec 00:40:02 <ramineni_> ekcs: hmm , i saw using jinja2 is easier , so proposed that option , but may be for next cycle as you mentioned 00:40:18 <ekcs> ekcs: for whether to go actual templates instead of plain policy that can be editted: thinrichs came up with that design. I think the idea is we may not have time this cycle to figure out all the details needed to deal with templates (what syntax, would it interfere with existing rule syntax? do we need new parser grammer?, what gui, etc) 00:40:18 <ekcs> [5:36pm] ekcs: so we can get almost all the benefit without explicitly doing placeholders. 00:40:35 <ekcs> that’s what I said. anything correction/addition thinrichs ? 00:42:06 <thinrichs> ekcs: nope—that was the thought. That a template is a lot of work, and people will want to modify things more than a template provides (eventually) anyway. 00:42:40 <thinrichs> There's nothing stopping us from adding the functionality of templates later 00:42:47 <ramineni_> thinrichs: ya, ok 00:43:45 <ekcs> ok the other issue is why do we persist the policy library in DB. 00:44:56 <ekcs> what model do you have in mind ramineni_ ? 00:45:01 <thinrichs> My thought there was if we store them in the DB then it's easy to make them accessible via the API 00:45:21 <thinrichs> which we'd need to do, esp for Horizon 00:45:50 <ramineni_> thinrichs: after modifying or before modfying? 00:46:27 <thinrichs> Both. The policy "library" has its own API and policies contained within it are not active. (Eventually these could be raw policies or templates.) 00:47:08 <ramineni_> thinrichs: if user wants to use only 2/3 policies of it? still we load all the policies into DB 00:47:17 <thinrichs> Then the user wants to apply/instantiate a policy from the library and make it active. 00:47:48 <thinrichs> The library DB tables would be completely separate from the current Policy/Rule tables. 00:48:17 <thinrichs> The library DB tables have their own CRUD operations to add new policies, look at the ones that exist, update, and delete. 00:48:33 <thinrichs> All those operations would be completely independent of our current CRUD operations on Policies/Rules. 00:48:59 <ramineni_> thinrichs: what details are we storing in DB for policy libraries? same as policy table? 00:49:29 <thinrichs> I believe so. Not sure if there are any extra fields we'd want. The spec might cover that. 00:49:54 <ekcs> ramineni_: https://review.openstack.org/#/c/457880/6/specs/pike/policy-library.rst@96 00:49:55 <patchbot> patch 457880 - congress-specs - policy library spec 00:50:13 <ekcs> here is the table I propose in the spec 00:50:23 <ekcs> ugh nvm 00:50:24 <ekcs> wrong link 00:50:27 <thinrichs> The difference is most obvious with execute[] rules. The execute[] rules in the Library tables would never fire; but the execute[] rules in the Policy/Rules tables would fire. 00:50:58 <thinrichs> Said another way, the Policy Engine would never see any of the Library policies (until they were inserted into the Policy/Rules tables). 00:51:04 <ekcs> https://review.openstack.org/#/c/457880/6/specs/pike/policy-library.rst@209 00:51:05 <patchbot> patch 457880 - congress-specs - policy library spec 00:51:27 <ramineni_> thinrichs: hmm, so user would edit the polciies in files or using API? 00:52:18 <ramineni_> thinrichs: sample policies** 00:52:38 <ekcs> the API is how congress server sees it. 00:52:50 <ekcs> but CLI would support referencing a file. 00:53:07 <ekcs> and passing it along to server using API. 00:53:19 <ekcs> horizon would have edit box. but again pass it along to server using API. 00:53:55 <ekcs> in the current spec proposal anyway. 00:54:16 <thinrichs> Looking at the sample policies, I'd think most of the time people will want to edit them before instantiating them (templating might make that easier). 00:54:29 <thinrichs> In Horizon, that editing could be done in an edit box, as ekcs suggests. 00:54:54 <thinrichs> From the CLI it's unclear to me, but I'd imagine pulling the policy into a file, having the user edit it, and uploading the file. 00:55:14 <thinrichs> The CLI could also stitch together the download + upload APIs into a single command 00:55:30 <thinrichs> for those cases when the user doesn't want to edit 00:56:41 <thinrichs> When we support templates, I'd imagine the user would want to instantiate the template with given parameters. 00:56:49 <ekcs> in either `policy create` or `library policy create` the CLI can accept either the policy with all rules in json/yaml as well as path to file. 00:57:27 <ekcs> in `policy create`, an additional option is to create directly from a policy stored in the library, by referencing it’s name. 00:57:50 <ekcs> a deployer may have already edited that policy in the library to be suitable for the particular setup. then an admin can simply activate it this way. 00:58:25 <thinrichs> So the CLI would be something like "openstack congress library install <policy name> <values>", which would under the hood (a) pull down the template, (b) run the template, (c) upload the instantiated policy. (We could move some/all of that to the server too) 00:58:46 <thinrichs> (The above was for the templated case.) 00:58:53 <thinrichs> down the road 00:59:00 <ramineni_> thinrichs: yes, thats what i had in mind 00:59:00 <ekcs> Here’s the proposed API for activating directly from library without editing. https://review.openstack.org/#/c/457880/6/specs/pike/policy-library.rst@609 00:59:01 <patchbot> patch 457880 - congress-specs - policy library spec 00:59:37 <ekcs> well we’re out of time. let’s continue on gerrit =) 01:00:08 <ramineni_> ekcs: ok 01:00:15 <thinrichs> Ok 01:00:25 <ekcs> or we could contine on #congress if interested. 01:00:34 <ekcs> anyway i’ll be on congress. 01:00:38 <ekcs> see you next time! 01:00:41 <ekcs> #endmeeting