18:02:18 #startmeeting keystone 18:02:19 Meeting started Tue Mar 1 18:02:18 2016 UTC and is due to finish in 60 minutes. The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:02:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:02:24 The meeting name has been set to 'keystone' 18:02:25 #link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting#Main_Agenda 18:02:25 just using teh ammunition he’s givin’ us 18:02:41 not much on the agenda today! 18:02:42 o/ 18:02:46 \o 18:02:52 Evening :-) 18:02:55 #topic mitaka-3 release countdown 18:02:56 bknudson: actually we’re pretty much all in a state of disbelief 18:03:00 welcome StefanPaetowJi-1 :) 18:03:04 o/ 18:03:11 hi! 18:03:15 bknudson: we think it's down right hilarious 18:03:23 anyyywho 18:03:41 mitaka-3 is in good shape!!! https://launchpad.net/keystone/+milestone/mitaka-3 18:03:44 \o 18:03:52 just wait til we build that wall 18:03:55 shadow users and reseller landed yesterday 18:04:15 stevemar: yay \o/ 18:04:22 o/ 18:04:24 and we bumped cascade project detele/update since we couldn't decide on authorization for it 18:04:33 stevemar: as indicated on irc, it would be nice to let https://review.openstack.org/#/c/286452/1 merge (51 mins away) 18:04:56 huge thanks to everyone involved :) 18:05:04 * topol looking fwd to those renegotiated trade deals with Canada and Great Britain... 18:05:20 i know i've been pestering everyone about reviewing, but i think it paid off 18:05:30 both features look solid 18:05:36 henrynash: yep, that'll go in 18:05:44 excellent!!! 18:05:58 great job by all 18:06:10 i'm waiting til bug 1549705 is fixed/merged 18:06:10 bug 1549705 in OpenStack Identity (keystone) "migrate DB failed due to password cannot be null" [High,In progress] https://launchpad.net/bugs/1549705 - Assigned to Dave Chen (wei-d-chen) 18:06:14 everybody happy :) 18:06:42 happy on Super Tuesday! 18:06:53 (does dance in clogs of the seven army blankets) 18:06:55 henrynash: 286452 should merge soon, and i'll tag keystone when 285152 merges :) 18:06:58 gyee: lets leave politics out of this today :P 18:07:19 morgan, they started it :-) 18:07:23 stevemar: excellent 18:07:47 gyee: oh, “politics”, that’s what it is…. 18:07:57 #topic mitaka-rc1 18:08:07 #link https://launchpad.net/keystone/+milestone/mitaka-rc1 18:08:19 do we get a stable branch? 18:08:21 stevemar: when is mitaka-rc1 due date? 18:08:46 samueldmq: http://releases.openstack.org/mitaka/schedule.html 18:08:49 henrynash: maybe get is_domain in the token in mitaka rc-1? 18:08:52 samueldmq: Mar 14-18 18:08:58 henrynash: well, discuss here with others ? :) 18:09:04 bknudson: a stable for mitaka? 18:09:13 stevemar: thx 18:09:16 stevemar: yes, a stable branch for mitaka 18:09:23 samueldmq: not sure we want to add anything to the token after m3 18:09:24 so we can merge N features. 18:09:46 bknudson: not yet, i assume those aren't created until after mitaka-3 is tagged, or rc1 18:09:50 dhellmann: ^ 18:10:03 you going to -2 reviews that propose new features? 18:10:23 bknudson: yep, all cores are welcomed to -2 new features that are proposed 18:10:37 this should strictly be bug fixing 18:10:37 stevemar: ++ 18:10:48 stevemar: I’m working on a fix for https://bugs.launchpad.net/keystone/+bug/1517038, but it would need a driver interface change (i.e. moving yo a V9 interface for the domain_config)……although it is debatable as to whether an experimental driver interface is frozen or not 18:10:48 Launchpad bug 1517038 in OpenStack Identity (keystone) "API-based Domain config method could temporarily show partial update" [Medium,New] 18:11:56 henrynash: hmm 18:12:13 o/ late 18:12:23 henrynash: i would say not 18:12:57 now is a great time to go through the bug list if anyone has spare cycles and try to fix minor bugs during the rc1 period 18:13:26 quit 18:13:36 stevemar: we have label it V8 (when they all got labled)….but the whole domain_config feature is marked as experimental still 18:13:49 stevemar: just added another topic to agenda 18:13:51 also - keeping up on the newly opened bugs will be important too 18:14:00 if we are cool with keeping it at V8, then that maxes teh fix easier! 18:14:20 henrynash: yeah, let's milk the experimental status for all it's worth :) 18:14:33 stevemar: spoken like a true leader 18:14:43 gyee: raildo lbragstad i'm assuming you all have a handle on bug 1376937 and bug 1541621 18:14:43 bug 1376937 in OpenStack Identity (keystone) "No way to prevent duplicates in endpoints" [Medium,In progress] https://launchpad.net/bugs/1376937 - Assigned to Raildo Mascena de Sousa Filho (raildo) 18:14:44 bug 1541621 in OpenStack Identity (keystone) "Invalid fernet X-Subject-Token token should result in 404 instead of 401" [Medium,In progress] https://launchpad.net/bugs/1541621 - Assigned to Guang Yee (guang-yee) 18:14:50 stevemar, working on it 18:14:54 gyee: thank you 18:15:20 stevemar: working on it too 18:15:32 samueldmq: your topic is not showing up, what is it? 18:16:00 stevemar: looks like I should press 'Save PAge' 18:16:07 stevemar: * Add is_domain in the token for rc1 henrynash, samueldmq 18:16:25 #topic Add is_domain in the token for rc1 18:16:32 henrynash samueldmq go for it 18:16:49 samueldmq: I’ll let you argue this one 18:16:55 henrynash: k 18:17:06 also, if editing the wiki page, it looks like there is a new security measure -- they have a "question" before saving the page, this is due to the spam attacks 18:17:13 so, projects now can act as domains 18:17:15 stevemar: yep 18:17:39 what we buy from it is to make it easier for other projs to adopt domain scoped tokens 18:17:45 samueldmq, can you point to the changes? middleware, client and keystone 18:18:03 that are project scoped tokens + is_domain flag 18:18:03 rodrigods: https://review.openstack.org/#/c/197331/ 18:18:11 since no other projects are going to pick up a new feature now I don't see the need to put this in keystone in M. 18:18:25 raildo: thanks 18:18:30 raildo, thx 18:18:48 raildo, is that all? 18:19:00 bknudson: is this considered new feature? I mean, the feature is there, we have merged the API 18:19:07 it's just about making our change more complete 18:19:09 rodrigods: no, the topic will be better to get all patches 18:19:12 #link https://review.openstack.org/#/q/topic:bp/add-isdomain-to-token 18:19:23 samueldmq: for another project to use this would be a new feature for them. 18:19:42 thanks raildo 18:19:54 morgan, I think removing the cache exposed some leak over between tests 18:19:56 bknudson, not really... 18:20:05 it should be just a tweak in the policy file 18:20:16 rodrigods: is any other project waiting on this for M? 18:20:17 bknudson, samuedlmq: so no new project will use this in their M release, the only reason to cnsider this is to allow early work on N for other projects 18:20:22 morgan, if I rebase my patch on top of master a bunch of the cache tests fail in setup 18:20:31 RROR: InvocationError: '/usr/bin/bash tools/pretty_tox.sh keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation.test_delete_unscoped_token' 18:20:39 keystone.exception.ProjectNotFound: Could not find project: 91078ffd3935441f8fc0e7d3674472f1 18:20:40 henrynash: ++ 18:20:53 we can merge it when N opens 18:21:03 and iirc we have told hrizon guys about this feature 18:21:16 henrynash, bknudson, deployers can use the feature by only changing the policy file 18:21:18 right? 18:21:25 if it lands in middleware 18:21:35 for other projects 18:21:35 bknudson: yes, I got your point; we may work together with them in our side + their side to merge all in a single cycle 18:21:59 horizon's not going to take advantage in M even if it's there 18:22:08 rodrigods: interesting; but in the case of horizon what bknudson is saying makes sense 18:22:32 and maybe changing token format is risky this late 18:22:33 david-lyle, let's be hones,t Horizon won't take advantage of it in 'S' if it is there in 'M' 18:22:34 stevemar: ^ 18:22:41 smaueldmq: I’ve had a look at the changes needs this morning, and while teh basic fucntionality is pretty straightforward, there are (in my mind) still some question about auth requests etc. (e.g. can you use project name + domain_id=None ?) 18:23:21 henrynash: yes, so looks like there are others questions and corner cases to be thought 18:23:29 N is safer 18:23:31 imo 18:23:35 i don't see the harm in adding it in M to keystone, but there is no rush 18:24:03 samueldmq: agreed… I think this deserves extra thought 18:24:08 if it is the case, where it lands in M 18:24:19 and in the beginning of N everyone notices the design is wrong 18:24:35 its better to not rush than imo 18:24:41 stevemar: yes; my single point was that now, is_domain projects is just an alternate API to domains one 18:24:50 have been a while that i don't look the changes 18:24:56 stevemar: but that's okay, it's a step anyways 18:25:08 ayoung ? 18:25:08 samueldmq: it’s a huge step! 18:25:31 one small step for samueldmq, a giant leap for henrynash 18:25:42 henrynash: yes, I am not saying it wassn't something great 18:25:46 henrynash: sorry didn't mean that :) 18:25:52 the basics of is_domain in token was tested a few weeks ago. But I do agree that we might be more careful on that 18:25:53 bknudson: I can’r keep up with the real men…. 18:26:25 I think it's a good idea discuss this topic with the phase 2 from reseller in a design session 18:26:29 henrynash: bknudson I meant it'd be still better, but not that it alone isn't good already :( 18:26:49 samueldmq: we know…we’re just ribbing you 18:27:09 henrynash: :'( 18:27:19 Awwwww 18:27:27 david-lyle, for examplem, Horizon really needs to only use password to get an unscoped token, then use that to get a scoped token, and then Keystone should defautl on the "unscoped to scoped only" rule 18:27:35 stevemar: cool, so looks like we have an agreement, let's discuss more at the summit :) 18:27:40 and get this in N 18:27:41 that has been there a few releases now. 18:27:43 samueldmq: yep 18:27:53 samueldmq: good call 18:28:00 we have an explicit_unscoped flag 18:28:01 no need to rush 18:28:11 let's allow the storm that was mitaka-3 settle a little bit ;) 18:28:18 stevemar: ++ just would like to get more agreement and eyes on it :) 18:28:31 stevemar: cascade operations is also punted to N, right? 18:28:34 stevemar: yes it ws, but we won 18:28:51 htruta: yep; as anounced earlier by stevemar 18:28:53 htruta: yep - couldn't come up with a good policy / authz for it 18:29:13 htruta: all the work is there, just not the route 18:29:35 htruta: it wasn't gating as of monday, so it didn't make the cut :( 18:29:41 ayoung, david-lyle, yeah the least privilege design came up a few times at yesterdays CSA Summit 18:29:46 stevemar: probably stupid q; when does N open? 18:29:47 stevemar: cool. That might be fast in N 18:29:56 is there any FFE ? 18:30:01 htruta: and safer, and better :) 18:30:13 StefanPaetowJisc: should be soon! i don't have the exact day/time, but any week now 18:30:13 samueldmq: ++ 18:30:19 gyee, have you hunted down nkinder yet? He's there 18:30:24 Ok, ta 18:30:41 StefanPaetowJisc: i think it's just after milestone-3 or just after rc-1, i always forget 18:30:44 ayoung, no, too many people there yesterday, room was full 18:31:03 StefanPaetowJisc: the release managers do that for us :) 18:31:40 #topic open discussion 18:31:50 Ok, will keep an eye on that re: my *ahem* request ;-) 18:32:00 what do you think about test refactoring during this rc phase? 18:32:02 commit e8ac71f0360b88772044ac2638d161aa00ec5b55 18:32:02 Author: Adam Young 18:32:02 Date: Wed Dec 17 12:40:54 2014 -0500 18:32:02 stevemar, bknudson, https://review.openstack.org/#/c/277436, should I backout the v2 changes? 18:32:06 wow 18:32:13 bknudson: please do so! 18:32:32 I think samueldmq had some test refactoring lined up. 18:32:34 stevemar, bknudson, I thought correcting the return code is allowed, no? 18:32:38 bknudson: i think samueldmq had some major test refactoring ready 18:32:44 bknudson: yep.. 18:32:46 http://git.openstack.org/cgit/openstack/keystone/commit/?id=e8ac71f0360b88772044ac2638d161aa00ec5b55 david-lyle 18:32:47 gyee: correcting return codes is not allowed. 18:32:57 gyee: unless it was a 500 error 18:33:05 stevemar: bknudson yes, just need to rebase 18:33:12 alrighty then, I'll back out the v2 changes 18:33:16 it's the split of the huge test_backend.py 18:33:23 which now has up to 7k lines iirc 18:33:27 samueldmq: nice :) 18:33:32 looking forward to it 18:33:54 we also released a new keystoneclient version: https://pypi.python.org/pypi/python-keystoneclient/2.3.1 , this should be the last one for M 18:33:54 samueldmq: I've also got https://review.openstack.org/#/c/283822/ so maybe there's some overlap 18:33:57 stevemar: bknudson: I will rebase all that still this week 18:34:32 bknudson: there is likely some overlap with samueldmq's work 18:34:59 bknudson: nice, I will look at that too, and see if we're going through the same approach 18:35:24 the rackers are quiet today :) 18:35:26 the test_backend_* should be testing the driver and not the manager. 18:36:09 dstanek: henrynash and I also discussed about where to put the new tests, we decided to put in (e.g) resource/test_backends.py 18:36:22 stevemar: lbragstad ayoung I believe that we can find a way to finish the fernet default token provider (https://review.openstack.org/#/c/258650/) on mitaka, we only have 8 failed tests, right now... 18:36:33 bknudson: i'll go through a lot of the open changes today and -2 a bunch 18:36:36 bknudson: hmm, but yes that makes sense too, backends should test the drivers, tests for manager should have another name, I agree 18:36:53 bknudson: we can discuss more details in -keystone later :) 18:37:00 raildo, raildo need the trust patch, too 18:37:11 raildo: i'm in no rush to push, it's a default, a deployer can change what they don't want to use 18:37:12 raildo, and..I need to get back to that...let's see 18:37:37 raildo: bugs only, and tests for the remainder of mitaka 18:37:57 stevemar: hum.. got it, thanks :) 18:38:00 stevemar: will there be any release for ksclient yet ? 18:38:22 samueldmq: we just had one yesterday :) 18:38:26 samueldmq: https://pypi.python.org/pypi/python-keystoneclient/2.3.1 18:38:42 stevemar: oh, I will try to get some functional tests in 18:38:43 ayoung: if you want, I can help you :D 18:38:43 the libraries are finalized at this point 18:38:54 stevemar: but that can easily come in the next cycle 18:38:57 raildo, let me see if I can repro on my machine: 18:39:02 samueldmq: go ahead, tests are more than welcomed, and encouraged at this point of the cycle 18:39:15 stevemar: we're already benefiting from it if it's on master anyways 18:39:22 samueldmq: yep 18:39:29 Switching devices... 18:39:47 tests and bug fixes should be the only things merging in all our repos for the next little while, until N opens 18:40:05 * samueldmq still has a ton of work to do; he's commited to do a bunch of things this cycle :p 18:40:07 raildo, for example: tox -e py34 -- keystone.tests.unit.test_auth.FernetAuthWithTrust.test_delete_trust_revokes_token 18:40:25 stevemar: nice, thanks for clarifying 18:40:35 ayoung: running 18:40:37 running testr 18:40:37 db type could not be determined 18:40:40 hmmm 18:40:48 any other things to discuss? i think we're rambling on at this point :) 18:40:52 ayoung: rm -r .testrepository 18:41:02 bknudson, ah 18:41:08 not just rebuild venv 18:41:09 bknudson: =+ 18:41:12 bknudson: ++ 18:41:36 ayoung: yeah, if you run py27 before py34, there's a weird issue and you have to remove .testrepository 18:41:55 I had a problem running py34 after py27 last time I tried 18:42:10 gdbm wasn't installed or something 18:42:22 if no one else has anything i think i'll stop the meeting here 18:42:58 I totally forgot we were having a meeting 18:43:10 ayoung: i'm just that memorable :) 18:43:31 alright, let's go back to our home in -keystone 18:43:34 stevemar, just getting work done... 18:43:35 #endmeeting