20:02:02 <stevemar> #startmeeting horizon-keystone
20:02:03 <openstack> Meeting started Thu Dec 15 20:02:02 2016 UTC and is due to finish in 60 minutes. The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:02:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:02:07 <openstack> The meeting name has been set to 'horizon_keystone'
20:02:12 <r1chardj0n3s> stevemar: I cutnpaste the line from eavesdrop to keep it consistent ;-)
20:02:23 <stevemar> r1chardj0n3s: that's what i did!
20:02:29 <r1chardj0n3s> \o/
20:02:37 <stevemar> #agenda https://etherpad.openstack.org/p/ocata-keystone-horizon
20:02:39 <stevemar> not really an agenda
20:02:43 <stevemar> #link https://etherpad.openstack.org/p/ocata-keystone-horizon
20:03:09 <stevemar> r1chardj0n3s: mind if i skip your thing til the end?
20:03:47 <stevemar> (silence means yes in my book!)
20:04:05 <stevemar> crinkle: you're around, lets talk about your stuff first
20:04:27 <stevemar> crinkle: i think you had the TODO to re-work https://review.openstack.org/#/c/389337/
20:04:40 <r1chardj0n3s> stevemar: yes, please do that thing
20:04:47 <rderose> o/
20:04:57 <stevemar> crinkle: are there any things we should look out for when reviewing it?
20:05:37 <stevemar> crinkle: looks like a lot of cut-n-paste of the project support
20:05:38 <crinkle> stevemar: well one thing is that it looks a little messy because i was trying to avoid duplicating code, so looking for feedback on how best to do that
20:05:51 <stevemar> (not saying thats a bad thing)
20:06:40 <stevemar> crinkle: is there any UI work needed in the horizon side? i think a drop down no?
20:07:01 <crinkle> stevemar: yes, i meant to work on that too but didn't get to it yet
20:07:10 <stevemar> crinkle: s'all good
20:07:23 <stevemar> no rel note, but it looks like doa doesn't do that
20:07:32 <stevemar> *throws shade at david-lyle*
20:07:49 <david-lyle> we put it all in horizon
20:08:17 <stevemar> documentation is kinda minimal too: http://docs.openstack.org/developer/django_openstack_auth/
20:08:22 <david-lyle> the feature add in horizon is the only way it will be visible anyway
20:08:26 <stevemar> crinkle: looks good to me at a first glance
20:08:29 <stevemar> david-lyle: ah cool
20:08:49 * stevemar tosses a +1 to crinkle
20:09:00 <david-lyle> heck stevemar most people don't even know that library exists
20:09:13 <david-lyle> I will walk through the updated patch
20:09:33 <crinkle> thanks guys
20:09:36 <david-lyle> the domain listing seems reasonable
20:09:49 <david-lyle> backend.py I want to dig into more
20:10:02 <stevemar> yeah, utils change looks good
20:10:17 <stevemar> user.py looks like its just calling utils
20:10:36 <stevemar> i'll let david-lyle assess the backend.py bits
20:10:54 <david-lyle> yup, it changing the logic around domain scoping changes that I want to be sure about
20:11:04 <stevemar> crinkle: you tried this out i assume?
20:11:08 <stevemar> you typically do
20:11:09 <crinkle> stevemar: yes
20:11:19 <david-lyle> only federated or both?
20:11:31 <stevemar> crinkle: cool, did you have to modify horizon?
20:11:45 <crinkle> david-lyle: both
20:11:50 <crinkle> stevemar: yes it requires horizon changes
20:12:02 <david-lyle> crinkle: great, just checking, thanks
20:12:26 <stevemar> crinkle: cool
20:12:40 <stevemar> sounds like that is moving along nicely, thanks colleen
20:12:57 * stevemar forgot to use topic, noob
20:12:58 <crinkle> np thanks for reviewing
20:13:04 <stevemar> #topic k2k
20:13:07 <stevemar> edtubill: yo
20:13:13 <edtubill> hey
20:13:20 <edtubill> so I have these two patches: https://review.openstack.org/#/c/408435/1 (horizon) https://review.openstack.org/#/c/408450/1 (django_openstack_auth)
20:13:27 <edtubill> They need tests...
20:13:50 <stevemar> i think you have: https://review.openstack.org/#/q/topic:bp/k2k-horizon
20:13:59 <edtubill> but it would be cool if david-lyle or stevemar would be able to see if the approach taken (at a high level) is okay to do.
20:14:20 <edtubill> Those two patches are for that bp.
20:14:23 <stevemar> edtubill: do you need guidance working on how to create more tests? i remember having trouble with that for doa and lhcheng helped me out
20:15:20 <edtubill> Sure
20:15:37 <stevemar> david-lyle: do you have time to help edtubill out with the tests?
20:15:45 <david-lyle> I should
20:15:55 <stevemar> edtubill: meet your new best friend
20:15:58 <david-lyle> I'll review the patches this afternoon
20:16:02 <edtubill> cool :)
20:16:08 <david-lyle> and we can look at adding tests
20:16:15 <stevemar> should we go over the patches here like we did with crinkle's?
20:16:15 <edtubill> please let me know if the approach should be taken a different way.
20:16:43 <edtubill> I put some comments in the commit message
20:16:50 <stevemar> we can start with the horizon one, https://review.openstack.org/#/c/408435/1 is much smaller :P
20:17:09 <david-lyle> I also worry about crinkle and your d-o-a patches stomping on each other
20:17:27 <edtubill> I'm willing to rebase..
20:17:34 <crinkle> me too
20:17:35 <david-lyle> backend.py is heavily redone in both
20:17:58 <david-lyle> but we can cross that
20:19:37 <david-lyle> the horizon patch seems reasonable
20:19:41 <stevemar> ah i see the "support / current / available" section is like regions: https://review.openstack.org/#/c/408435/1/openstack_dashboard/context_processors.py
20:20:22 <david-lyle> yes
20:20:46 <edtubill> I took inspiration from that yes :p
20:20:58 <stevemar> edtubill: use "depends-on"
20:21:14 <david-lyle> my only concern is that context_processors is executed on every request, don't want to prematurely optimize, but minimizing logic in there is desirable
20:21:48 <stevemar> david-lyle: edtubill can you check a config option before executing that code?
20:22:31 <edtubill> I can add a flag or is there another place that I could potentially put that logic that doesn't run every time?
20:23:16 <david-lyle> I don't know that we have a k2k setting to check, and dynamically is better
20:23:23 <david-lyle> let me look at it more closely
20:23:46 <stevemar> any way to check the token in context_processors?
20:23:46 <edtubill> I could also just look at the available_providers from the session variable and just skip the rest if its an empty list.
20:23:54 <stevemar> see if service_providers is empty or not
20:23:58 <david-lyle> you're reading a value from the session and then short-circuiting most of the logic if there aren't multiple keystones
20:24:08 <david-lyle> token is on the session
20:24:15 <stevemar> david-lyle: rgr
20:24:32 <stevemar> david-lyle: maybe just "if not available_providers: break"
20:24:49 <stevemar> or actually "if available_providers" then go into your logic
20:24:54 <stevemar> skip it otherwise
20:24:56 <david-lyle> but the provider list is already taken from the session in doa and put separately as a convenience
20:25:42 <david-lyle> stevemar: yeah something like that
20:26:16 <stevemar> edtubill: commented
20:26:24 <stevemar> david-lyle: are you expecting tests for that patch?
20:26:30 <edtubill> cool thx
20:26:42 <stevemar> david-lyle: and a release note?
20:27:44 <david-lyle> release note yes, testing that is difficult
20:28:07 <stevemar> edtubill: know how to create a release note, yes?
20:28:14 <stevemar> david-lyle: understood
20:28:24 <edtubill> not really..
20:28:33 <edtubill> is there some doc I can read?
20:28:43 <stevemar> edtubill: http://docs.openstack.org/developer/keystone/developing.html#release-notes
20:29:02 <stevemar> edtubill: just run... $ tox -e venv -- reno new bp-k2k-horizon
20:29:03 <david-lyle> we have one similar since lhcheng added it to both
20:29:24 <edtubill> ok
20:29:35 <stevemar> you'll see a new file show up in horizon/releasenotes/notes, edit that file
20:29:48 <stevemar> try to think of it from a consumer perspective
20:30:06 <stevemar> if you were to use it, what would you want to know, etc
20:30:17 <stevemar> now... https://review.openstack.org/#/c/408450/2
20:30:31 <stevemar> +386, yowza!
20:30:58 <r1chardj0n3s> needs more code deletion
20:31:07 <stevemar> edtubill: are you trying to squeeze in a refactor?
20:31:30 <edtubill> yeah.. I didn't want to rewrite scoping code...
20:31:39 <stevemar> edtubill: thats totally fair
20:31:49 <stevemar> edtubill: can i ask that you break the patch up?
20:31:49 <edtubill> I can undo it if it makes it easier to review and do refactoring later.
20:31:53 <edtubill> sure.
20:32:15 <stevemar> one patch to do the split, some stuff from backend.py into base.py (that can land first)
20:32:28 <stevemar> as long as it's a pure refactor it should be easy to approve and need no tests
20:32:52 <stevemar> then it'll just be the k2k code to review
20:33:06 <edtubill> Sure, are you guys okay with the approach of making a new Auth plugin even though it doesn't really get used at Log in time? (although it might in the future)
20:33:21 <edtubill> The other plugins get used only at log in time.
20:34:35 <stevemar> i don't think there are any negative impacts there
20:34:53 <r1chardj0n3s> yep
20:35:06 <david-lyle> I don't have a reason against right now
20:35:24 <stevemar> edtubill: need a hand with breaking things up?
20:35:57 <edtubill> I think I remember how to break things up.
20:36:07 <stevemar> edtubill: ping me if you need a hand
20:36:13 <edtubill> okay will do.
20:36:43 <stevemar> alright, next topic
20:36:52 <stevemar> #topic v3 policy is terribad
20:36:59 <edtubill> Also a quick note, last time I used federation I get errors at viewing instances... am I the only one seeing this error?
20:37:06 <stevemar> o_O
20:37:11 <edtubill> I'll wait to ask this question later :p
20:37:17 <stevemar> probably gonna need more data than that :)
20:37:36 <stevemar> this topic relates to line 47 on https://etherpad.openstack.org/p/ocata-keystone-horizon
20:37:53 <stevemar> i have a feeling this will involve keystone fixing something
20:38:05 <stevemar> does anyone have any background on https://bugs.launchpad.net/oslo.policy/+bug/1547684 ?
20:38:07 <openstack> Launchpad bug 1547684 in oslo.policy "Attribute error on Token object when using domain scoped token" [Undecided,New]
20:38:48 <stevemar> ayoung had a comment: that had https://review.openstack.org/#/c/165908/ merged, everything would be good
20:39:28 <r1chardj0n3s> no further background from me beyond that error, I'm afraid
20:39:31 <stevemar> looks like policy is just terrible: https://launchpadlibrarian.net/242578504/policy_token.py
20:40:41 <stevemar> i can look into this, if no one else has any insight
20:41:13 <stevemar> removing token.is_admin_project:True seems to solve the issue
20:41:45 <stevemar> looking at: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
20:42:06 <stevemar> i love how you publish something that is unusable
20:42:10 <stevemar> we*
20:42:24 <r1chardj0n3s> :-)
20:42:44 <stevemar> i think "token.is_admin_project:True" is just wrong
20:43:04 <stevemar> should it be "target.token.is_admin_project:True" ?
20:43:22 <stevemar> let me go talk to some people
20:43:27 <stevemar> next topic
20:43:41 <stevemar> #topic Visualisation of policy / role
20:43:45 <stevemar> r1chardj0n3s: ^
20:43:48 <r1chardj0n3s> ohai
20:43:53 <stevemar> r1chardj0n3s: did you rub the sleep out of your eyes yet?
20:44:26 <r1chardj0n3s> so this came up earlier this week that some way of visualising policy and RBAC controls would be super helpful, especially in the face of ... rather opaque at times policy files :-)
20:44:50 <r1chardj0n3s> I was wondering whether there'd been any prior art on this?
20:45:09 <stevemar> r1chardj0n3s: kinda like how network topologies are visualized?
20:45:22 <david-lyle> visualize what aspect?
20:45:42 <r1chardj0n3s> I guess so, kinda. Being able to say "hey, what exactly can this role do, based on policy?"
20:45:46 <stevemar> it also stinks that policy is file based
20:46:18 <stevemar> hmm
20:47:07 <stevemar> get the roles from the token, and try enforcing all entries in all policies?
20:47:36 <david-lyle> yeah but targets come into play too
20:47:52 <r1chardj0n3s> possibly just one role at a time, but yeah, some sensible way of dealing with targets too
20:47:52 <stevemar> r1chardj0n3s: you'd get back something like "identity:create_region" passes and another thing doesn't
20:48:00 <r1chardj0n3s> yeah
20:48:26 <stevemar> yeah, its not easy, but it sounds do-able
20:48:37 <david-lyle> without attaching to resources I'm not sure how useful it will be
20:48:45 <stevemar> was there some desire to see this from an operator?
20:48:54 <david-lyle> or is this a tool for operators who are defining policy?
20:49:08 <r1chardj0n3s> yeah, this is something coming from operators
20:49:20 <david-lyle> what was the specific ask?
20:49:26 <r1chardj0n3s> I don't have any more on the specifics, sorry
20:49:31 <stevemar> r1chardj0n3s: unfortunately, editing the policy won't be easy :)
20:49:48 <r1chardj0n3s> I was mostly wondering whether anyone had done any sort of visualisation like this before
20:49:50 <david-lyle> if only policy was centralized ...
20:50:03 * stevemar throws a fish at david-lyle
20:50:24 * david-lyle claps like a seal
20:50:28 <stevemar> lol
20:50:39 <stevemar> r1chardj0n3s: okay, get back a bit more data i guess?
20:50:44 <stevemar> sounds a bit hand-wavey right now
20:51:07 <david-lyle> tough to know of prior art without understanding the type of visualization
20:51:12 <r1chardj0n3s> yep, given the answer to my question seems to be "no... we think" then I'll go back for more detail on what's actually desired
20:51:26 <stevemar> cool
20:51:35 <stevemar> sounds like we're all wrapped up for this week
20:51:41 <stevemar> #topic open discussion
20:51:48 <stevemar> cancel next week obvs
20:52:05 <r1chardj0n3s> yep, and week after, probably
20:52:05 <stevemar> i mean, i like you people, but not that much
20:52:17 <stevemar> r1chardj0n3s: yes
20:52:35 <r1chardj0n3s> coolo
20:52:36 <stevemar> any last qs?
20:53:12 <stevemar> thanks everyone!
20:53:15 <r1chardj0n3s> narf
20:53:21 <stevemar> have a great weekend, do that last minute shopping
20:53:24 <r1chardj0n3s> thanks stevemar
20:53:25 <david-lyle> thanks
20:53:25 <stevemar> #endmeeting