16:01:29 <schwicke> #startmeeting hierarchical_multitenancy
16:01:30 <openstack> Meeting started Fri Jul 17 16:01:29 2015 UTC and is due to finish in 60 minutes.  The chair is schwicke. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:31 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:32 <rodrigods> o/
16:01:33 <openstack> The meeting name has been set to 'hierarchical_multitenancy'
16:01:36 <raildo1> o/
16:01:38 <schwicke> Hi, all
16:01:40 <ericksonsantos> \o
16:01:58 <ericksonsantos> schwicke, hi :)
16:02:00 <vilobhmm> hello all
16:02:20 <schwicke> Raildo: thanks for running the meeting last Friday
16:02:28 <raildo1> schwicke: np :)
16:03:20 <schwicke> #topic random coordination stuff
16:03:41 <schwicke> vilobhmm: I have just sent you an invitation via skype
16:04:01 <schwicke> did you receive it ? I'd like to add you to the group chat
16:04:09 <schwicke> hope I got it right
16:04:31 <vilobhmm> I haven't
16:04:54 <ericksonsantos> vilobhmm, what is your skype id?
16:05:34 <vilobhmm> what id schwicke did you send it to
16:05:42 <schwicke> sent it to vilobh
16:05:44 <schwicke> not you?
16:05:49 <vilobhmm> meshramvilobh
16:05:56 <vilobhmm> no schwicke
16:06:00 <vilobhmm> it's "meshramvilobh"
16:06:05 <vilobhmm> please try again
16:06:43 <schwicke> just did
16:07:22 <schwicke> did you get it this time ?
16:07:35 <vilobhmm> yes
16:07:40 <vilobhmm> accepted :) thanks
16:08:26 <schwicke> ok, I just added you. So that's done :)
16:08:30 <vilobhmm> yes
16:09:13 <schwicke> On the same organisational topic: Sajeesh is sorry he cannot attend today. It is the first birthday of his sun.
16:09:29 <vilobhmm> oh okay
16:09:33 <ericksonsantos> np
16:09:39 <vilobhmm> let me start with cinder update then
16:09:40 <rodrigods> schwicke, np at all
16:09:41 <schwicke> son  I mean
16:09:45 <raildo_m> it's a good reason :)
16:09:52 <schwicke> yes, indeed :)
16:09:58 <schwicke> So let's try without him
16:10:06 <vilobhmm> sure
16:10:22 <schwicke> As far as I see beyond this meeting we have only one opportunity before the code freeze
16:10:26 <schwicke> which is next friday, right ?
16:10:36 <rodrigods> yes
16:10:38 <raildo_m> yes
16:10:42 <vilobhmm> for nova the code freeze is july 30th
16:10:43 <rodrigods> we need to get things moving forward
16:10:47 <schwicke> I'll be on holiday myself from Sunday on so unlikely that I will be able to share the meeting on Friday
16:11:05 <schwicke> There should be a meeting nevertheless.
16:11:09 <raildo_m> ++
16:11:25 <vilobhmm> raildo_m : do we have a common website for openstack which shares these details for deadlines for various projects
16:11:26 <schwicke> Yes. We need to avoid the code freeze exception exercise this time
16:12:21 <raildo_m> vilobhmm: I only know that: https://wiki.openstack.org/wiki/Liberty_Release_Schedule
16:13:04 <vilobhmm> alrite
16:13:19 <vilobhmm> so from cinder side ericksonsantos and myself we tried to move https://review.openstack.org/#/c/143645/ forward
16:13:25 <vilobhmm> by reviewing it
16:13:34 <schwicke> #topic review of action items
16:13:47 <vilobhmm> which in last meeting we thought would be beneficial for cinder nested quota
16:14:27 <vilobhmm> will continue doing that
16:14:46 <vilobhmm> apart from that someone from us needs to talk to keystone folks
16:14:46 <schwicke> ok
16:14:47 <ericksonsantos> what is missing in this patch in order to merge is test the keystoneclient instantiation
16:15:07 <vilobhmm> ericksonsantos : yes…if we can help here it will be nice
16:15:13 <ericksonsantos> vilobhmm, sure
16:15:49 <vilobhmm> someone from us needs to talk to keystone folks as we discussed in last meeting
16:16:01 <vilobhmm> as interaction with keystone is something common for cinder/nova
16:16:15 <vilobhmm> and hence don't want that to be a blocker moving ahead
16:16:36 <ericksonsantos> vilobhmm, I have found an existing bug which may impact on nested quota driver
16:16:38 <vilobhmm> as the policy.json changes that will be done in cinder and nova will depend on the logic exposed by keystone
16:16:38 <ericksonsantos> see https://review.openstack.org/#/c/139610/
16:17:29 <raildo_m> vilobhmm: due to the deadline, I think that we need to follow the current approach...
16:17:45 <ericksonsantos> when doing a cinder quota-defaults <tenant_id>, this tenant_id is being ignored by cinder
16:18:04 <raildo_m> vilobhmm: liberty-2 is really closer to try change something in the keystone side now...
16:18:13 <vilobhmm> raildo_m : ok
16:18:21 <vilobhmm> so what do you propose raildo_m
16:18:47 <schwicke> maybe comment on this patch ?
16:19:09 <ericksonsantos> schwicke, will do
16:19:13 <vilobhmm> ericksonsantos : thanks…will check it out!
16:19:35 <schwicke> #action ericksonsantos will comment on https://review.openstack.org/#/c/139610/
16:19:36 <raildo_m> I think that we can keep following this approach, that sajeesh is doing here: https://review.openstack.org/#/c/182522/
16:19:47 <raildo_m> vilobhmm: ^
16:20:48 <vilobhmm> ok but if such role or user are not created in keystone will it still work ?
16:20:53 <vilobhmm> raildo_m : ^^
16:21:23 <ericksonsantos> I think it will work fine if we just let policy.json as it is now
16:21:46 <raildo_m> vilobhmm: unfortunately, we need to handle this problem :(
16:21:49 <vilobhmm> schwicke, all : sorry going in lots of details since this is something important and we need to get this resolved
16:22:01 <raildo_m> vilobhmm: writing in the docs, or something like that
16:22:07 <schwicke> that's ok
16:22:27 <vilobhmm> raildo_m, ericksonsantos : ok
16:23:21 <schwicke> so what is the conclusion?
16:23:25 <vilobhmm> then for liberty-2 lets keep it the way https://review.openstack.org/#/c/182522/ for both cinder/nova respectively and have some DocImpact section updated ….going ahead we can start the conversation with keystone folks
16:23:34 <vilobhmm> schwicke : ^^
16:23:42 <raildo_m> vilobhmm: ++
16:23:51 <schwicke> ok
16:24:06 <schwicke> #agreed for liberty-2 lets keep it the way https://review.openstack.org/#/c/182522/ for both cinder/nova respectively and have some DocImpact section updated ….going ahead we can start the conversation with keystone folk
16:24:14 <vilobhmm> +1
16:24:28 <schwicke> so who is going to contact the keystone folks ?
16:24:39 <schwicke> should be done asap as well
16:25:38 <ericksonsantos> schwicke, I'm not getting the point, what do we want from them?
16:25:59 <raildo_m> keystone folks are in the keystone midcycle today... I think that I can contact us on monday
16:27:39 <vilobhmm> raildo_m : sure…
16:27:54 <ericksonsantos> in the policy.json, I think if we have a rule like: "role:admin and project_id:%(project_id)s"
16:28:00 <ericksonsantos> it will work, right?
16:29:27 <schwicke> raildo_m: what are the basic questions we need to get answered by the keystone folks ?
16:30:26 <schwicke> #action Raildo will contact the keystone folks and report in the skype group chat about the outcome
16:30:28 <raildo_m> schwicke: I think that the main question is if we can use the "nova service role" to get the subprojects
16:30:30 <schwicke> :)
16:30:40 <schwicke> Ah
16:30:52 <raildo_m> if we can do this, we don't need new roles in the nova/cinder side
16:31:21 <ericksonsantos> raildo_m, hmm.. I see
16:31:23 <vilobhmm> +1
16:31:43 <schwicke> just wonder if there are any security related issues if we do that
16:32:34 <schwicke> maybe you can discuss with them if they can see any issues with that
16:32:48 <raildo_m> ok
16:32:48 <ericksonsantos> schwicke, ++
16:33:12 <vilobhmm> yes…I guess we can find many new things once we start discussing with keystone folks
16:33:28 <vilobhmm> sure
16:33:40 <vilobhmm> lets move on …
16:33:45 <schwicke> yes.
16:34:10 <schwicke> we had:  vilobhmm and ericksonsantos will make sure this patch
16:34:10 <schwicke> https://review.openstack.org/#/c/143645/ proceeds and gets merged
16:34:20 <schwicke> it's not yet merged as far as I can see
16:34:31 <vilobhmm> +1
16:34:57 <vilobhmm> for cinder nested quota driver changes (final changes as i have 2 patches merged already) should be done by next week…this week was caught up with unit test and some work internally
16:34:59 <ericksonsantos> no, it's not. This patch needs at least one more test.
16:35:21 <schwicke> ok
16:35:51 <schwicke> let's review next week
16:35:56 <vilobhmm> alrite
16:36:11 <schwicke> #action vilobhmm and ericksonsantos will make sure this patch
16:36:11 <schwicke> https://review.openstack.org/#/c/143645/ proceeds and gets merged
16:36:22 <vilobhmm> sure
16:36:26 <vilobhmm> will do
16:36:27 <schwicke> we had: raildo will keep working to fix the #link
16:36:27 <schwicke> https://review.openstack.org/#/c/182140/
16:36:55 <rodrigods> this is a tricky one
16:37:15 <rodrigods> I'm debugging this to check what is the actual difference from the keypair and security group APIs
16:37:34 <rodrigods> that is making the policy enforcement to be done in the project_id of the context
16:37:41 <rodrigods> not on the project_id of the URL
16:38:33 <raildo_m> ++
16:39:54 <raildo_m> I answered the last sajeesh email with the two possible solutions for this
16:40:08 <schwicke> he's very much in favor of a different solution
16:40:32 <rodrigods> the issue of his solution
16:40:42 <rodrigods> is that each nova API call would trigger a keystone API call
16:40:44 <ericksonsantos> I think we don't need to remove that checking
16:41:09 <rodrigods> and we also would require that the user has the role in keystone to perform a get_project()
16:41:12 <ericksonsantos> vilobhmm, we have the same checking on the cinder side
16:41:17 <rodrigods> what can not be the case
16:42:31 <schwicke> the second solution is the one that Sajeesh started to implement, right ?
16:43:29 <vilobhmm> ericksonsantos : I am not sure this time
16:43:32 <schwicke> the user needs to have the right to do the get_project on which of the projects ? On the parent ?
16:43:59 <rodrigods> in the target project
16:44:06 <ericksonsantos> vilobhmm, https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1003-L1007
16:45:35 <schwicke> in which situation would the user not have the rights on the target project ?
16:46:02 <rodrigods> schwicke, it is not common
16:46:02 <rodrigods> but can happen
16:46:14 <vilobhmm> usually parent should have the right to get/update the target project ; target being the child project
16:46:16 <schwicke> needs careful thinking
16:46:20 <vilobhmm> schwicke : ^^
16:46:53 <schwicke> stupid question : what is the problem with the other solution ?
16:46:53 <rodrigods> if in keystone's policy file we have that the Member role is authorized to perform get_project()
16:47:10 <rodrigods> and in nova the user updating the quota has the _member_ role
16:47:21 <rodrigods> it is a possible situation
16:47:32 <schwicke> yes
16:49:12 <schwicke> Sajeesh said in the group chat that he'd upload the code on Sunday when he's back in Mumbai
16:50:04 <janonymous_> o/
16:50:15 <schwicke> I suggest we wait for what he has done and continue to evaluate the solution proposed by rodrigods
16:50:38 <schwicke> is that an option ?
16:50:41 <rodrigods> will write an email explaining my solution
16:50:47 <rodrigods> actually, abrito's solution
16:50:47 <vilobhmm> sure
16:50:55 <rodrigods> see if you all agree
16:50:55 <schwicke> ah, sorry
16:51:22 <vilobhmm> rodrigods : If you can document both the approaches and the problem they will solve with an example as we discussed here
16:51:47 <rodrigods> vilobhmm, absolutely
16:51:49 <vilobhmm> we can discuss and have a conclusion over email by monday
16:51:59 <vilobhmm> or if needed get on a skype call
16:52:07 <rodrigods> ++
16:52:09 <vilobhmm> thanks
16:52:11 <schwicke> #action review Sajeesh's code for  https://review.openstack.org/#/c/182140/ and continue to evaluate alternative solution by Abrito
16:52:33 <schwicke> good idea
16:53:22 <schwicke> #action document and discuss implications of both solutions by Monday
16:53:48 <schwicke> Sajeesh asked me to action item him
16:53:54 <schwicke> #action Rectifying the context checking of https://review.openstack.org/#/c/182140.
16:54:10 <schwicke> that's for Sajeesh :)
16:55:04 <schwicke> he asks for help on implementing more test cases
16:55:21 <schwicke> I wonder if there are some synergies between nova and cinder, something that can be re-used ?
16:55:43 <schwicke> #action (all)  Adding more test cases for nested quota.
16:56:25 <schwicke> are there any free resources to help on this ?
16:56:53 <schwicke> time is running out
16:57:13 <rodrigods> I think ericksonsantos is writing tests for Cinder
16:57:13 <ericksonsantos> schwicke, I think the steps in order to get it done are almost the same. So, sure, code can be re-used.
16:57:17 <rodrigods> some of them can be reused
16:57:34 <rodrigods> but let's not create too many tests
16:57:37 <vilobhmm> schwicke : agree with ericksonsantos
16:57:50 <rodrigods> repeating the same thing
16:58:02 <rodrigods> in HMT in Keystone we had just a few tests that covered all situations
16:58:08 <vilobhmm> lets just focus on basic get/update/delete use cases
16:58:09 <ericksonsantos> rodrigods, sure
16:58:16 <schwicke> ok
16:58:28 <vilobhmm> sure
16:58:43 <rodrigods> ++
16:58:47 <schwicke> #agreed focus on the basic get/update/delete use cases for tests
16:59:13 <schwicke> still, it should be reviewed what is missing for nova and already there for cinder and then copy and paste if needed
16:59:31 <rodrigods> ++
16:59:33 <rodrigods> and vice versa
16:59:34 <schwicke> can discuss this over skype
16:59:37 <raildo_m> ++
16:59:40 <schwicke> exactly
17:00:03 <schwicke> #action (all) import and exchange missing tests for cinder and nova
17:00:23 <schwicke> the last thing are the still failing tests after monkey patching
17:00:31 <vilobhmm> and jump on to all the reviews posted by our team irrespective of nova or cinder :)
17:00:42 <schwicke> #action sajeesh will check the 3 still failing tests after monkey patching
17:01:03 <schwicke> let's follow up on skype and/or email
17:01:09 <schwicke> we have to leave the room
17:01:15 <vilobhmm> alrite
17:01:16 <vilobhmm> sure
17:01:17 <rodrigods> yep
17:01:17 <ericksonsantos> sure
17:01:19 <rodrigods> bye guys
17:01:20 <rodrigods> p/
17:01:22 <ericksonsantos> see you
17:01:22 <rodrigods> o/
17:01:24 <ericksonsantos> :)
17:01:26 <raildo_m> bye
17:01:28 <schwicke> #endmeeting