18:03:06 #startmeeting keystone 18:03:07 Meeting started Tue Jun 30 18:03:06 2015 UTC and is due to finish in 60 minutes. The chair is morganfainberg. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:03:08 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:03:10 The meeting name has been set to 'keystone' 18:03:19 so ... lbragstad you here? 18:03:30 can come back to tht 18:03:31 morganfainberg: yes sir 18:03:35 o/ 18:03:36 oh bug report then 18:03:42 #topic Keystone Bug Report 18:03:44 lbragstad: o/ 18:03:52 http://keystone-weekly-bug-report.tempusfrangit.org/weekly-bug-reports/keystone-weekly-bug-report.html 18:03:54 Here now 18:04:06 most everything on list weeks list looks to be triaged 18:04:21 so, that's a plus! 18:04:48 I think there are only a couple that haven't been triaged, but I can go through those 18:05:08 other than that, bugs looks pretty tame this week 18:05:29 is oslo.policy included in the list? 18:05:29 great 18:05:33 bknudson: no 18:05:35 bknudson: it can be 18:05:37 and other oslo libs that we support 18:05:38 oslo.policy is an oslo project 18:05:44 but it probably should be in our list 18:05:49 we're the ones who mostly look at it 18:05:57 bknudson: like oslo.cache 18:06:02 I'll take the action item to add it to our bug report 18:06:14 so we have it on our radar (for people who use that report) 18:06:25 #action lbragstad to add oslo.policy and oslo.cache to keystone bug report 18:06:48 yay for relatively under control bugs 18:07:04 #topic Making devstack v3 friendly 18:07:08 jamielennox: o/ 18:07:24 hello 18:07:52 oh - right, umm there is a chain of reviews up for devstack that move everything over to v3 CRUD then v3 auth 18:08:12 awesome 18:08:19 jamielennox: link please 18:08:26 starting https://review.openstack.org/#/c/186681/8 18:08:42 it's got -1 18:08:46 damn, first one has a -1 i thought that was like 4 patches in 18:09:06 oh - wait 18:09:16 that's cause the first couple got merged :) 18:09:56 so was starting https://review.openstack.org/#/c/186678/4 18:10:20 jamielennox: https://review.openstack.org/#/q/status:open+branch:master+topic:keystonev3,n,z 18:10:26 I've got some changes up for using clouds.yaml -- https://review.openstack.org/#/c/195786/ -- might make this a little easier 18:10:42 there is a fix for glance -> swift to use v3 https://review.openstack.org/#/c/193422/ 18:10:59 and i think when those two things happen we can get devstack to run with v2 disabled 18:11:23 so not a tempest run, but at least get to the point where our v3 only gate job can start telling us things 18:11:35 jamielennox: ++ 18:11:42 jamielennox: building devstack with v3 only apis 18:11:44 is a huge setp 18:11:46 step* 18:12:08 if we are at least that far - then we're not going to have to fight too hard on the tempest side really 18:12:14 Gonna be typing slowly 18:13:05 morganfainberg: right, i figure we can find and fix real tempest bugs quickly, just hopefully it doesn't uncover too many mistakes in services 18:13:13 yeah 18:14:01 I thought samueldmq is done with migrating tempest to keystone v3? :) 18:14:49 david8hu: no, I created a devstack gate job with v2 disabled, which is something jamielennox is using :) 18:15:11 samueldmq, cool. I see. 18:15:15 david8hu: and will be used to detect issues with services using v3 once devstack can properly set up resources and tempest can run 18:15:15 samueldmq: devstack-gate job runs tempest? 18:15:34 bknudson: it will, once devstack can set up its own resources using v3 only 18:15:43 bknudson: which is the step jamielennox's right now 18:16:00 bknudson: after that step we will be able to check for individual issues on services/clients 18:16:03 bknudson: there is an experimental job on devstack, and on tempest from memory for devstack gate to run with v2 disabled 18:16:09 jamielennox: correct me if I am wrong :) 18:17:01 yeah, for example http://logs.openstack.org/84/186684/4/experimental/check-tempest-dsvm-neutron-identity-v3-only-full/ca5f300/ 18:18:16 bknudson: so in addiition to clouds.yaml i need to figure out how to fix the accrc files, i had some work done that way but i don't know if i posted it for review 18:18:39 accrc? how many files do we need? 18:18:43 or know if it would be acceptable just to switch everything over to v3 like that 18:19:27 bknudson: i don't know, at the moment the way accrc files are generated it loops over every project and creates a file for every user with a role in that project 18:19:40 yikes 18:19:45 scary 18:19:50 i expect if i suddenly make those files v3 it will break people 18:20:01 delete those files 18:20:09 would love to 18:20:34 i expect for the last patch in that chain where we actually turn over to v3 by default we will break some people anyway 18:20:39 may need an announcement 18:20:47 i'll figure that out with the devstack folks 18:21:14 anyway - i think that's all 18:21:32 (not sure how this topic got in the meeting points) 18:21:42 I wonder how many ppl rely on the accrc file 18:21:42 ++bkudson, delete them 18:22:11 these are openrc files so you source them and use devstack? 18:22:26 use clouds.yaml instead 18:22:30 marekd: not really openrc 18:22:44 but when you finish devstack you get like accrc/admin/admin that you can source 18:22:46 Marked yes 18:23:29 so it sounds like we have some cleanup to do 18:23:33 on devstack and some research 18:23:40 but the work is moving forward 18:24:03 jamielennox: maybe we need to make v3 versions of those files to start with 18:24:07 as crappy as that is 18:24:17 we should bug the devstack folks on that front 18:24:37 i guess the issue is no-one really knows who relies on current behaviour 18:24:56 so lets plan to make v3 versions of those 18:24:58 does devstack say they have a stable API? 18:25:09 bknudson: no 18:25:10 it's supposed to be opionated 18:25:11 given that we wont actually turn v2 off in devstack for quite a while i was thinking i could just add some domain properties to those files 18:25:14 opinionated 18:25:28 bknudson: we could just make v3 versions 18:25:28 it won't affect us running v3 only gate jobs for quite a while 18:25:29 so if it's our opinion that you don't use accrc files then don't make them 18:25:34 or make v2 versions? 18:25:36 If someone aside from infra relies on devstack they are going to have a bad time 18:25:38 if v2 is enabled 18:25:58 anyway. jamielennox check w/ dtroyer and ianw and the other devstack folks 18:26:13 but i'd opt for just making them v3 rc files 18:26:15 peronsally 18:26:16 Steve_droid: right - we are already at the point with plugins where i'm not sure if the changes i've made so far are going to end up breaking people 18:26:18 if we can get away with it 18:26:57 use clouds.yaml instead 18:27:06 the v3 rc file could just set OS_CLOUD 18:27:47 it'll be easier to just set OS_CLOUD than source an rc file 18:28:13 ++ 18:28:31 bknudson: sure, i'm not too worried about this at the moment the first goal is to get tempest running with v3 only and we worry about devstack users later 18:28:47 i'd be happy to consider all the accrc files deprecated 18:30:11 #action jamielennox to look into depecating accrc files and alternatives 18:30:14 ok moving on 18:30:25 i think there is some external work to do 18:30:34 but we have some direction 18:30:39 #topic Progress on keystoneauth & other repos 18:30:45 jamielennox: o/ any updates? 18:31:25 morganfainberg: i am still waiting with this to be aproved - it's on a list of projec to be renamed when they schedule gerrit downtime. (https://review.openstack.org/#/c/190631/) 18:31:33 umm, keystoneauth is moving along, i'm still trying to figure out the split loading from the plugins themselves 18:31:39 marekd: ok 18:31:48 there is an issue with the gate job for ksc that relies on ksa 18:31:55 morganfainberg: one more thing - why do we hav enow keystonauth1 ? 18:32:01 jamielennox: possibly because of the namespace change? 18:32:12 what shall i put in the code? from keystoneauth or keystoneauth1 ? 18:32:13 marekd: because we're supporting side-by-side major versions 18:32:21 keystoneauth1 is the first release of keystoneauth 18:32:27 next major release will be keystoneauth2 18:32:28 morganfainberg: yes - i didn't think it would matter because it's supposed to be pulling keystoneauth from git 18:32:42 does keystoneauth-saml2 also need 1 on the package? 18:32:43 jamielennox: except the whole namespace changes now. 18:32:50 when will be next major release? and who will be supposed to use keystoneauth2 ? 18:32:54 but for whatever reason it's getting the pypi version instead and that's still on the old namespace 18:33:04 marekd: hopefully never 18:33:05 marekd: no plans for major release #2 18:33:10 but this is future proofing 18:33:12 morganfainberg: ok. 18:33:24 jamielennox: morganfainberg so for now shall i start importing from keystoneauth1 ? 18:33:29 so for example https://review.openstack.org/#/c/196479/1 is failing 18:34:21 i got as far as determining why they are failing but not yet determining why it's not pulling from git as expected 18:34:27 because i'm sure it used to 18:34:35 where does that branch get its keystoneauth from/ 18:34:36 ? 18:34:39 pypi? 18:34:57 bknudson: git 18:35:02 directly 18:35:08 so it's supposed to be git https://github.com/openstack/python-keystoneclient/blob/feature/keystoneauth_integration/requirements.txt#L9 18:35:08 http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/requirements.txt?h=feature/keystoneauth_integration 18:35:09 ah 18:35:37 but it appears to be from pypi 18:35:38 http://logs.openstack.org/79/196479/1/check/gate-tempest-dsvm-neutron-src-python-keystoneclient/b1d809b/logs/devstacklog.txt.gz#_2015-06-28_23_16_19_032 18:36:09 weird 18:36:24 something to chase down 18:37:02 i would like to start getting those ksc on ksa patches merged as i don't want to consider keystoneauth stable until we know we can offload most of ksc to it 18:37:21 jamielennox: sure. 18:38:18 so we need eyes on those reviews 18:38:37 #action please review keystoneauth integration patches 18:38:43 #undo 18:38:44 Removing item from minutes: 18:38:59 #action keystone developers please review keystoneauth integration patches 18:39:07 #topic Review policy update 18:39:11 bknudson: o/ 18:39:47 morganfainberg: I've got a couple of reviews out that hope to clarify that some things can be left up to the developer 18:39:58 https://review.openstack.org/#/c/194906/ -- Document update sample config up to developer 18:40:18 the only reason i don't want the sample config to be *in* the same review as code changes is because we've had massive rebase issues in the past 18:40:25 https://review.openstack.org/#/c/195335/ -- Document use of wip up to developer 18:40:32 I'm still hoping to automate that via a job 18:40:33 we had one review that had rebase issues. 18:40:39 if everyone else would rather make it up to the dev, i'll just abstain and not really care 18:40:50 bknudson: this was at the end of last cycle 18:40:54 y, so this is just to clarify whether it's up to the developer or not 18:41:11 we had a bunch of them. but like i said, i'll happliy defer to the rest of the team here. 18:41:16 on both counts 18:41:23 i don't feel strongly on WIP either 18:41:25 if cores don't think it should be up to the developer then I'll change the reviews to say it's not up to the developer instead 18:41:47 cores- please vote those 18:41:52 I think updating the sample config should be up to teh developer 18:41:55 bknudson: whatever it is - just let's be verbose and make sure readed knows exactly what is the intention. 18:41:58 I think if people don't feel strongly one way or the other then let's leave it up to the developer 18:42:25 and reviews should -1 if a config file change is being put in with a sample updated (basically…the way it used to be) 18:42:29 I am struggling with the wip decorator 18:42:33 here's an example, https://review.openstack.org/#/c/187899/9/keystone/tests/unit/test_v3_protection.py 18:42:38 line 994 18:42:55 the API hasn't been developed yet so the code may not be correct 18:43:26 so its essentially dead code at the moment 18:43:34 I would rather not have them for now 18:43:40 i liked wip too 18:43:50 sometimes wip is useful, other times I think it is more clear to really show the actual point in the test method where a failure is expected 18:44:17 so wip is replacing TODO or FIXME? 18:44:34 ok so, i think we should be voting on those patches. if you want it to be more open - +1/+2 them 18:44:53 if you want ot be more restrictive -1 them. please let bknudson +A once we've let people vode 18:45:12 bknudson: feel free to +A at the end of the week provided enough +2s are there and outweigh the -1s 18:45:31 * morganfainberg is fine with it going either way 18:46:03 henrynash +++ 18:46:06 gyee: wip is different; it's really for replacing a skip 18:46:32 so wip is for tests only? 18:46:50 gyee: that's my understanding 18:47:05 dstanek: …or an explict assertRaises() with a comment as to “here is the bug I am going to fix in the next patch" 18:47:07 How does wip know the bug is fixed or develper has to going in and remove wip? 18:47:36 david8hu: wip passes if the test fail, and fail if the test passes 18:47:55 henrynash: right, if otherwise the test should pass by just removing the wip 18:48:17 gyee: tests it's a testing tool from the TDD/BDD world 18:48:27 s/tests/yes,/ 18:48:49 alrighty then 18:49:09 * gyee vote for +0 instead of -0 18:49:17 ok anyway 18:49:33 #action keystone-core vote on the reviews for policy (sample config and WIP) 18:49:38 #topic Dynamic Policies - Current Status and Scope for Liberty 18:49:54 hi 18:49:58 hello 18:50:03 htruta: sorry we'll likely need to defer your topic for next week unless this goes quickly 18:50:13 htruta: my apologies 18:50:17 last week I had a couple of conversations with morgan and adam about the scope for L 18:50:22 morganfainberg: trying to be quick 18:50:26 morganfainberg: it'd be quick 18:50:37 but we can discuss in openstack-keytone later 18:50:38 htruta: depends on samueldmq 18:50:40 aye 18:50:42 so, basically, we're adding the capability of dynamic fetching of policies in endpoints 18:50:43 samueldmq: go 18:50:45 wip 18:50:49 * samueldmq runs 18:51:02 so, i)policy overrides occur at keystone 18:51:10 ii) middleware fetches and cache the policy 18:51:21 iii) using the oslo.policy libreary to overlay the local policy file 18:51:24 auth_token middleware? 18:51:25 there are 3 respective specs 18:51:39 oslo.policy doing the policy overlay 18:51:40 #link https://review.openstack.org/#/c/196753/ 18:51:42 ksmiddleware doing fetch and cache 18:51:44 #link https://review.openstack.org/#/c/134655/ 18:51:45 or middleware after auth_token? 18:51:46 keystone server associating and delivering policies by url 18:51:48 #link https://review.openstack.org/#/c/192422/ 18:52:02 bknudson, before auth_token as endpoint constraint depends on it 18:52:15 bknudson: I think it will be a separate middleware filter, as suggested by morgan, need to visit this point 18:52:38 I've updated the oslo and ksmiddleware specs, I will be addressing the keystone one until tomorrow 18:52:39 Na 18:52:39 and then.... 18:52:49 sending the FFE request to the ML 18:52:52 while separate would be cleaner...harder to deploy 18:52:59 I think that's all 18:53:01 samueldmq, for policy by url, we need to consider additional cases that I commented on yesterday and today. 18:53:13 so, much as it pains me to drive toward it, its probably going to end up in auth_token 18:53:16 sounds like it might as well just be part of auth_token 18:53:22 david8hu: sure, I 'll take a look at then 18:53:26 bknudson: makes sense 18:53:35 thx 18:53:36 so please review and leave comments :) 18:53:45 auth_token is way overloaded already 18:53:51 and for an overview reference 18:53:52 see https://wiki.openstack.org/wiki/DynamicPolicies 18:54:06 auth_token might need some refactoring 18:54:24 morganfainberg: I'd like to have more time, but I think I covered what I wanted .. letting people know about it .. we can move on 18:54:28 gyee, agreed, but we are cleaning up the architecture. I could see an approach that says there is a generic python middleware that lumps it all together 18:54:36 i think this should be it's own middleware 18:54:38 but the sperate pieces could be deployed stnad alone as well 18:54:42 * morganfainberg is a fan of not making auth_token do everything 18:54:53 jamielennox, *should* only from a code cleanliness standpoint 18:54:55 morganfainberg: so different middlewares? 18:54:57 it's no harder to deploy than any other middleware we've added and there have been a few 18:55:05 ayoung: mainly sure 18:55:08 lets treat auth_token as a facade for multiple middlewares 18:55:09 jamielennox, exactly 18:55:11 if its its own middleware then it'll need to get the auth config again 18:55:15 marekd: thats my choice, but it's just from a separation of concern aspect 18:55:27 bknudson: auth config? 18:55:34 it would be paste.ini 18:55:37 jamielennox: config for how to talk to keystone 18:55:42 oh - right 18:55:54 * morganfainberg avoids making a bad joke. 18:55:55 although we've been talking already about some middleware for that too 18:56:02 morganfainberg: so one day it woud go for instance auth_token -> kmw-dynamic-policy - ksm-k2k for instance? 18:56:06 since nobody wants to use global CONF 18:56:25 marekd: possibly 18:56:28 bknudson: so we need a way to pass down the plugin that auth_token middleware creates? 18:56:50 jamielennox: we can't pass it down since the policy middleware needs to be first 18:57:09 maybe we need another middleware that generates the plugin that's before both of them 18:57:25 why does policy need to be first? 18:57:38 (01:52:02 PM) gyee: bknudson, before auth_token as endpoint constraint depends on it 18:57:42 jamielennox, because we need it to enforce endpoint constraint 18:57:53 2m left 18:58:21 why don't we make endpoint constraint enforcement part of the policy middleware then 18:58:40 * jamielennox was arguing for it being seperate from auth_token anyway 18:58:42 jamielennox, that is where it belongs 18:58:50 1m 18:58:57 jamielennox, ayoung, no argument here 18:59:05 ++ 18:59:13 30 seconds 18:59:21 jamielennox, I just want to avoid the deployment issues 18:59:21 #endmeeting