18:02:18 <stevemar> #startmeeting keystone
18:02:19 <openstack> Meeting started Tue Mar  1 18:02:18 2016 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:24 <openstack> The meeting name has been set to 'keystone'
18:02:25 <stevemar> #link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda
18:02:25 <henrynash> just using the ammunition he’s givin’ us
18:02:41 <stevemar> not much on the agenda today!
18:02:42 <dstanek> o/
18:02:46 <roxanaghe> \o
18:02:52 <StefanPaetowJi-1> Evening :-)
18:02:55 <stevemar> #topic mitaka-3 release countdown
18:02:56 <henrynash> bknudson: actually we’re pretty much all in a state of disbelief
18:03:00 <stevemar> welcome StefanPaetowJi-1 :)
18:03:04 <breton> o/
18:03:11 <amakarov> hi!
18:03:15 <stevemar> bknudson: we think it's down right hilarious
18:03:23 <stevemar> anyyywho
18:03:41 <stevemar> mitaka-3 is in good shape!!! https://launchpad.net/keystone/+milestone/mitaka-3
18:03:44 <gyee> \o
18:03:52 <bknudson> just wait til we build that wall
18:03:55 <stevemar> shadow users and reseller landed yesterday
18:04:15 <raildo> stevemar: yay \o/
18:04:22 <rderose> o/
18:04:24 <stevemar> and we bumped cascade project delete/update since we couldn't decide on authorization for it
18:04:33 <henrynash> stevemar: as indicated on irc, it would be nice to let https://review.openstack.org/#/c/286452/1 merge (51 mins away)
18:04:56 <stevemar> huge thanks to everyone involved :)
18:05:04 * topol looking fwd to those renegotiated trade deals with Canada and Great Britain...
18:05:20 <stevemar> i know i've been pestering everyone about reviewing, but i think it paid off
18:05:30 <stevemar> both features look solid
18:05:36 <stevemar> henrynash: yep, that'll go in
18:05:44 <topol> excellent!!!
18:05:58 <henrynash> great job by all
18:06:10 <stevemar> i'm waiting til bug 1549705 is fixed/merged
18:06:10 <openstack> bug 1549705 in OpenStack Identity (keystone) "migrate DB failed due to password cannot be null" [High,In progress] https://launchpad.net/bugs/1549705 - Assigned to Dave Chen (wei-d-chen)
18:06:14 <samueldmq> everybody happy :)
18:06:42 <gyee> happy on Super Tuesday!
18:06:53 <henrynash> (does dance in clogs of the seven army blankets)
18:06:55 <stevemar> henrynash: 286452 should merge soon, and i'll tag keystone when 285152 merges :)
18:06:58 <morgan> gyee: lets leave politics out of this today :P
18:07:19 <gyee> morgan, they started it :-)
18:07:23 <henrynash> stevemar: excellent
18:07:47 <henrynash> gyee: oh, “politics”, that’s what it is….
18:07:57 <stevemar> #topic mitaka-rc1
18:08:07 <stevemar> #link https://launchpad.net/keystone/+milestone/mitaka-rc1
18:08:19 <bknudson> do we get a stable branch?
18:08:21 <samueldmq> stevemar: when is mitaka-rc1 due date?
18:08:46 <stevemar> samueldmq: http://releases.openstack.org/mitaka/schedule.html
18:08:49 <samueldmq> henrynash: maybe get is_domain in the token in mitaka rc-1?
18:08:52 <stevemar> samueldmq: Mar 14-18
18:08:58 <samueldmq> henrynash: well, discuss here with others ? :)
18:09:04 <stevemar> bknudson: a stable for mitaka?
18:09:13 <samueldmq> stevemar: thx
18:09:16 <bknudson> stevemar: yes, a stable branch for mitaka
18:09:23 <henrynash> samueldmq: not sure we want to add anything to the token after m3
18:09:24 <bknudson> so we can merge N features.
18:09:46 <stevemar> bknudson: not yet, i assume those aren't created until after mitaka-3 is tagged, or rc1
18:09:50 <stevemar> dhellmann: ^
18:10:03 <bknudson> you going to -2 reviews that propose new features?
18:10:23 <stevemar> bknudson: yep, all cores are welcomed to -2 new features that are proposed
18:10:37 <stevemar> this should strictly be bug fixing
18:10:37 <samueldmq> stevemar: ++
18:10:48 <henrynash> stevemar: I’m working on a fix for https://bugs.launchpad.net/keystone/+bug/1517038, but it would need a driver interface change (i.e. moving to a V9 interface for the domain_config)……although it is debatable as to whether an experimental driver interface is frozen or not
18:10:48 <openstack> Launchpad bug 1517038 in OpenStack Identity (keystone) "API-based Domain config method could temporarily show partial update" [Medium,New]
18:11:56 <stevemar> henrynash: hmm
18:12:13 <rodrigods> o/ late
18:12:23 <stevemar> henrynash: i would say not
18:12:57 <stevemar> now is a great time to go through the bug list if anyone has spare cycles and try to fix minor bugs during the rc1 period
18:13:26 <sheeprine> quit
18:13:36 <henrynash> stevemar: we have labeled it V8 (when they all got labeled)….but the whole domain_config feature is marked as experimental still
18:13:49 <samueldmq> stevemar: just added another topic to agenda
18:13:51 <lbragstad> also - keeping up on the newly opened bugs will be important too
18:14:00 <henrynash> if we are cool with keeping it at V8, then that makes the fix easier!
18:14:20 <stevemar> henrynash: yeah, let's milk the experimental status for all it's worth :)
18:14:33 <henrynash> stevemar: spoken like a true leader
18:14:43 <stevemar> gyee: raildo lbragstad i'm assuming you all have a handle on bug 1376937 and bug 1541621
18:14:43 <openstack> bug 1376937 in OpenStack Identity (keystone) "No way to prevent duplicates in endpoints" [Medium,In progress] https://launchpad.net/bugs/1376937 - Assigned to Raildo Mascena de Sousa Filho (raildo)
18:14:44 <openstack> bug 1541621 in OpenStack Identity (keystone) "Invalid fernet X-Subject-Token token should result in 404 instead of 401" [Medium,In progress] https://launchpad.net/bugs/1541621 - Assigned to Guang Yee (guang-yee)
18:14:50 <gyee> stevemar, working on it
18:14:54 <stevemar> gyee: thank you
18:15:20 <raildo> stevemar: working on it too
18:15:32 <stevemar> samueldmq: your topic is not showing up, what is it?
18:16:00 <samueldmq> stevemar: looks like I should press 'Save Page'
18:16:07 <samueldmq> stevemar: * Add is_domain in the token for rc1 <code>henrynash, samueldmq</code>
18:16:25 <stevemar> #topic Add is_domain in the token for rc1
18:16:32 <stevemar> henrynash  samueldmq go for it
18:16:49 <henrynash> samueldmq: I’ll let you argue this one
18:16:55 <samueldmq> henrynash: k
18:17:06 <stevemar> also, if editing the wiki page, it looks like there is a new security measure -- they have a "question" before saving the page, this is due to the spam attacks
18:17:13 <samueldmq> so, projects now can act as domains
18:17:15 <samueldmq> stevemar: yep
18:17:39 <samueldmq> what we buy from it is to make it easier for other projs to adopt domain scoped tokens
18:17:45 <rodrigods> samueldmq, can you point to the changes? middleware, client and keystone
18:18:03 <samueldmq> that are project scoped tokens + is_domain flag
18:18:03 <raildo> rodrigods: https://review.openstack.org/#/c/197331/
18:18:11 <bknudson> since no other projects are going to pick up a new feature now I don't see the need to put this in keystone in M.
18:18:25 <samueldmq> raildo: thanks
18:18:30 <rodrigods> raildo, thx
18:18:48 <rodrigods> raildo, is that all?
18:19:00 <samueldmq> bknudson: is this considered new feature? I mean, the feature is there, we have merged the API
18:19:07 <samueldmq> it's just about making our change more complete
18:19:09 <raildo> rodrigods: no, the topic will be better to get all patches
18:19:12 <raildo> #link https://review.openstack.org/#/q/topic:bp/add-isdomain-to-token
18:19:23 <bknudson> samueldmq: for another project to use this would be a new feature for them.
18:19:42 <rodrigods> thanks raildo
18:19:54 <ayoung> morgan, I think removing the cache exposed some leak over between tests
18:19:56 <rodrigods> bknudson, not really...
18:20:05 <rodrigods> it should be just a tweak in the policy file
18:20:16 <bknudson> rodrigods: is any other project waiting on this for M?
18:20:17 <henrynash> bknudson, samueldmq: so no new project will use this in their M release, the only reason to consider this is to allow early work on N for other projects
18:20:22 <ayoung> morgan, if I rebase my patch on top of master a bunch of the cache tests fail in setup
18:20:31 <ayoung> RROR: InvocationError: '/usr/bin/bash tools/pretty_tox.sh keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token'
18:20:39 <ayoung> keystone.exception.ProjectNotFound: Could not find project: 91078ffd3935441f8fc0e7d3674472f1
18:20:40 <samueldmq> henrynash: ++
18:20:53 <bknudson> we can merge it when N opens
18:21:03 <samueldmq> and iirc we have told horizon guys about this feature
18:21:16 <rodrigods> henrynash, bknudson, deployers can use the feature by only changing the policy file
18:21:18 <rodrigods> right?
18:21:25 <rodrigods> if it lands in middleware
18:21:35 <rodrigods> for other projects
18:21:35 <samueldmq> bknudson: yes, I got your point; we may work together with them in our side + their side to merge all in a single cycle
18:21:59 <david-lyle> horizon's not going to take advantage in M even if it's there
18:22:08 <samueldmq> rodrigods: interesting; but in the case of horizon what bknudson is saying makes sense
18:22:32 <samueldmq> and maybe changing token format is risky this late
18:22:33 <ayoung> david-lyle, let's be honest, Horizon won't take advantage of it in 'S' if it is there in 'M'
18:22:34 <samueldmq> stevemar: ^
18:22:41 <henrynash> samueldmq: I’ve had a look at the changes needed this morning, and while the basic functionality is pretty straightforward, there are (in my mind) still some questions about auth requests etc. (e.g. can you use project name + domain_id=None ?)
18:23:21 <samueldmq> henrynash: yes, so looks like there are other questions and corner cases to be thought
18:23:29 <samueldmq> N is safer
18:23:31 <samueldmq> imo
18:23:35 <stevemar> i don't see the harm in adding it in M to keystone, but there is no rush
18:24:03 <henrynash> samueldmq: agreed… I think this deserves extra thought
18:24:08 <rodrigods> if it is the case, where it lands in M
18:24:19 <rodrigods> and in the beginning of N everyone notices the design is wrong
18:24:35 <rodrigods> it's better to not rush then imo
18:24:41 <samueldmq> stevemar: yes; my single point was that now, is_domain projects is just an alternate API to domains one
18:24:50 <rodrigods> have been a while that i don't look the changes
18:24:56 <samueldmq> stevemar: but that's okay, it's a step anyways
18:25:08 <david-lyle> ayoung ?
18:25:08 <henrynash> samueldmq: it’s a huge step!
18:25:31 <bknudson> one small step for samueldmq, a giant leap for henrynash
18:25:42 <samueldmq> henrynash: yes, I am not saying it wasn't something great
18:25:46 <samueldmq> henrynash: sorry didn't mean that :)
18:25:52 <htruta> the basics of is_domain in token was tested a few weeks ago. But I do agree that we might be more careful on that
18:25:53 <henrynash> bknudson: I can’t keep up with the real men….
18:26:25 <raildo> I think it's a good idea discuss this topic with the phase 2 from reseller in a design session
18:26:29 <samueldmq> henrynash: bknudson I meant it'd be still better, but not that it alone isn't good already :(
18:26:49 <henrynash> samueldmq: we know…we’re just ribbing you
18:27:09 <samueldmq> henrynash: :'(
18:27:19 <StefanPaetowJisc> Awwwww
18:27:27 <ayoung> david-lyle, for example, Horizon really needs to only use password to get an unscoped token, then use that to get a scoped token, and then Keystone should default on the "unscoped to scoped only" rule
18:27:35 <samueldmq> stevemar: cool, so looks like we have an agreement, let's discuss more at the summit :)
18:27:40 <samueldmq> and get this in N
18:27:41 <ayoung> that has been there a few releases now.
18:27:43 <henrynash> samueldmq: yep
18:27:53 <stevemar> samueldmq: good call
18:28:00 <ayoung> we have an explicit_unscoped  flag
18:28:01 <stevemar> no need to rush
18:28:11 <stevemar> let's allow the storm that was mitaka-3 settle a little bit ;)
18:28:18 <samueldmq> stevemar: ++ just would like to get more agreement and eyes on it :)
18:28:31 <htruta> stevemar: cascade operations is also punted to N, right?
18:28:34 <samueldmq> stevemar: yes it was, but we won
18:28:51 <samueldmq> htruta: yep; as announced earlier by stevemar
18:28:53 <stevemar> htruta: yep - couldn't come up with a good policy / authz for it
18:29:13 <stevemar> htruta: all the work is there, just not the route
18:29:35 <stevemar> htruta: it wasn't gating as of monday, so it didn't make the cut :(
18:29:41 <gyee> ayoung, david-lyle, yeah the least privilege design came up a few times at yesterdays CSA Summit
18:29:46 <StefanPaetowJisc> stevemar: probably stupid q; when does N open?
18:29:47 <htruta> stevemar: cool. That might be fast in N
18:29:56 <htruta> is there any FFE ?
18:30:01 <samueldmq> htruta: and safer, and better :)
18:30:13 <stevemar> StefanPaetowJisc: should be soon! i don't have the exact day/time, but any week now
18:30:13 <htruta> samueldmq: ++
18:30:19 <ayoung> gyee, have you hunted down nkinder yet?  He's there
18:30:24 <StefanPaetowJisc> Ok, ta
18:30:41 <stevemar> StefanPaetowJisc: i think it's just after milestone-3 or just after rc-1, i always forget
18:30:44 <gyee> ayoung, no, too many people there yesterday, room was full
18:31:03 <stevemar> StefanPaetowJisc: the release managers do that for us :)
18:31:40 <stevemar> #topic open discussion
18:31:50 <StefanPaetowJisc> Ok, will keep an eye on that re: my *ahem* request ;-)
18:32:00 <bknudson> what do you think about test refactoring during this rc phase?
18:32:02 <ayoung> commit e8ac71f0360b88772044ac2638d161aa00ec5b55
18:32:02 <ayoung> Author: Adam Young <ayoung@redhat.com>
18:32:02 <ayoung> Date:   Wed Dec 17 12:40:54 2014 -0500
18:32:02 <gyee> stevemar, bknudson, https://review.openstack.org/#/c/277436, should I backout the v2 changes?
18:32:06 <ayoung> wow
18:32:13 <stevemar> bknudson: please do so!
18:32:32 <bknudson> I think samueldmq had some test refactoring lined up.
18:32:34 <gyee> stevemar, bknudson, I thought correcting the return code is allowed, no?
18:32:38 <stevemar> bknudson: i think samueldmq had some major test refactoring ready
18:32:44 <stevemar> bknudson: yep..
18:32:46 <ayoung> http://git.openstack.org/cgit/openstack/keystone/commit/?id=e8ac71f0360b88772044ac2638d161aa00ec5b55  david-lyle
18:32:47 <bknudson> gyee: correcting return codes is not allowed.
18:32:57 <bknudson> gyee: unless it was a 500 error
18:33:05 <samueldmq> stevemar: bknudson yes, just need to rebase
18:33:12 <gyee> alrighty then, I'll back out the v2 changes
18:33:16 <samueldmq> it's the split of the huge test_backend.py
18:33:23 <samueldmq> which now has up to 7k lines iirc
18:33:27 <stevemar> samueldmq: nice :)
18:33:32 <stevemar> looking forward to it
18:33:54 <stevemar> we also released a new keystoneclient version: https://pypi.python.org/pypi/python-keystoneclient/2.3.1 , this should be the last one for M
18:33:54 <bknudson> samueldmq: I've also got https://review.openstack.org/#/c/283822/ so maybe there's some overlap
18:33:57 <samueldmq> stevemar: bknudson: I will rebase all that still this week
18:34:32 <stevemar> bknudson: there is likely some overlap with samueldmq's work
18:34:59 <samueldmq> bknudson: nice, I will look at that too, and see if we're going through the same approach
18:35:24 <stevemar> the rackers are quiet today :)
18:35:26 <bknudson> the test_backend_* should be testing the driver and not the manager.
18:36:09 <samueldmq> dstanek: henrynash and I also discussed about where to put the new tests, we decided to put in (e.g) resource/test_backends.py
18:36:22 <raildo> stevemar: lbragstad ayoung I believe that we can find a way to finish the fernet default token provider (https://review.openstack.org/#/c/258650/) on mitaka, we only have 8 failed tests, right now...
18:36:33 <stevemar> bknudson: i'll go through a lot of the open changes today and -2 a bunch
18:36:36 <samueldmq> bknudson: hmm, but yes that makes sense too, backends should test the drivers, tests for manager should have another name, I agree
18:36:53 <samueldmq> bknudson: we can discuss more details in -keystone later :)
18:37:00 <ayoung> raildo, raildo need the trust patch, too
18:37:11 <stevemar> raildo: i'm in no rush to push, it's a default, a deployer can change what they don't want to use
18:37:12 <ayoung> raildo, and..I need to get back to that...let's see
18:37:37 <stevemar> raildo: bugs only, and tests for the remainder of mitaka
18:37:57 <raildo> stevemar: hum.. got it, thanks :)
18:38:00 <samueldmq> stevemar: will there be any release for ksclient yet ?
18:38:22 <stevemar> samueldmq: we just had one yesterday :)
18:38:26 <stevemar> samueldmq: https://pypi.python.org/pypi/python-keystoneclient/2.3.1
18:38:42 <samueldmq> stevemar: oh, I will try to get some functional tests in
18:38:43 <raildo> ayoung: if you want, I can help you :D
18:38:43 <stevemar> the libraries are finalized at this point
18:38:54 <samueldmq> stevemar: but that can easily come in the next cycle
18:38:57 <ayoung> raildo, let me see if I can repro on my machine:
18:39:02 <stevemar> samueldmq: go ahead, tests are more than welcomed, and encouraged at this point of the cycle
18:39:15 <samueldmq> stevemar: we're already benefiting from it if it's on master anyways
18:39:22 <stevemar> samueldmq: yep
18:39:29 <StefanPaetowJisc> Switching devices...
18:39:47 <stevemar> tests and bug fixes should be the only things merging in all our repos for the next little while, until N opens
18:40:05 * samueldmq still has a ton of work to do; he's committed to do a bunch of things this cycle :p
18:40:07 <ayoung> raildo, for example: tox -e py34 -- keystone.tests.unit.test_auth.FernetAuthWithTrust.test_delete_trust_revokes_token
18:40:25 <samueldmq> stevemar: nice, thanks for clarifying
18:40:35 <raildo> ayoung: running
18:40:37 <ayoung> running testr
18:40:37 <ayoung> db type could not be determined
18:40:40 <ayoung> hmmm
18:40:48 <stevemar> any other things to discuss? i think we're rambling on at this point :)
18:40:52 <bknudson> ayoung: rm -r .testrepository
18:41:02 <ayoung> bknudson, ah
18:41:08 <ayoung> not just rebuild venv
18:41:09 <stevemar> bknudson: =+
18:41:12 <stevemar> bknudson: ++
18:41:36 <stevemar> ayoung: yeah, if you run py27 before py34, there's a weird issue and you have to remove .testrepository
18:41:55 <bknudson> I had a problem running py34 after py27 last time I tried
18:42:10 <bknudson> gdbm wasn't installed or something
18:42:22 <stevemar> if no one else has anything i think i'll stop the meeting here
18:42:58 <ayoung> I totally forgot we were having a meeting
18:43:10 <stevemar> ayoung: i'm just that memorable :)
18:43:31 <stevemar> alright, let's go back to our home in -keystone
18:43:34 <ayoung> stevemar, just getting work done...
18:43:35 <stevemar> #endmeeting