17:59:40 <stevemar> #startmeeting keystone
17:59:41 <openstack> Meeting started Tue Oct 4 17:59:40 2016 UTC and is due to finish in 60 minutes. The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:59:45 <openstack> The meeting name has been set to 'keystone'
17:59:48 <stevemar> o/
18:00:01 <dstanek> o/
18:00:05 <gagehugo> o/
18:00:06 <lamt> o/
18:00:06 <lbragstad> o/
18:00:18 <amakarov> _\m/
18:00:31 <knikolla> o/
18:00:33 <bknudson> hi
18:00:44 <ayoung__> Cannot connect via normal Chat client
18:00:49 <raildo> _o_
18:00:50 <ayoung__> using Webchat
18:01:00 <dstanek> ayoung__: ouch
18:01:07 <rodrigods> hey
18:01:16 <browne> o/
18:02:03 <ayoung__> http://adam.younglogic.com/2016/10/translating-between-rdorhos-and-upstream-releases-redux/
18:02:16 <stevemar> ayoung__: ¯\_(ツ)_/¯
18:02:40 <ayoung> And now I can!
18:02:40 <stevemar> let's get the show on the road!
18:02:49 <stevemar> hopefully this goes better than last week....
18:02:56 * stevemar glares at freenode
18:03:02 <rodrigods> stevemar, ++
18:03:13 <stevemar> ping ajayaa, amakarov, ayoung, breton, browne, crinkle, claudiub, davechen, david8hu, dolphm, dstanek, edmondsw, gagehugo, gyee, henrynash, hogepodge, htruta, jamielennox, jaugustine, joesavak, jorge_munoz, knikolla, lbragstad, MaxPC, morgan, nishaYadav, nkinder, notmorgan, raildo, rodrigods, rderose, roxanaghe, samleon, samueldmq, shaleh, stevemar, tsymanczyk, topol, vivekd, wanghong, xek
18:03:26 <stevemar> that's twice i've forgotten to do that
18:03:31 * morgan ducks out to head out to the airport
18:03:38 <stevemar> morgan: safe travels bug
18:03:41 <dolphm> stevemar: how rude
18:03:41 <stevemar> bud*
18:03:48 <stevemar> dolphm: sorry :(
18:04:03 <rderose> o/
18:04:06 <stevemar> dolphm: i would think you know the time of this meeting by now
18:04:17 <dolphm> stevemar: daylight savings time makes it hard
18:04:20 <stevemar> since you've been coming to it for 4 years and chaired it for 1.5
18:04:42 <stevemar> :)
18:04:49 <dstanek> stevemar: when i'm focused on working i often lose track of what time it is
18:04:58 <stevemar> dstanek: excuses, excuses
18:05:01 <ayoung> let's do this
18:05:08 <stevemar> agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting
18:05:11 <stevemar> ayoung: ++
18:05:19 <stevemar> #topic Newton status
18:05:32 <stevemar> expect a final release this week based on RC2
18:05:45 <stevemar> dhellmann will be released all the projects this week, i assume today or tomorrow
18:05:54 <stevemar> releasing*
18:06:27 <stevemar> i haven't heard of anything major, and we're pretty much out of time, so... yeah :)
18:06:50 <stevemar> #topic Fill in all the etherpads
18:07:03 <stevemar> another reminder for this, sorry
18:07:06 <stevemar> Retrospective https://etherpad.openstack.org/p/keystone-newton-retrospective
18:07:06 <stevemar> Summit discussion ideas: https://etherpad.openstack.org/p/keystone-ocata-summit-brainstorm
18:07:25 <topol> o/
18:07:46 <stevemar> i'll be making the design session schedule at EOW, so make sure you include something you want to talk about in the etherpad
18:07:57 * stevemar waves at topol
18:08:05 <stevemar> Now on to the fun stuff
18:08:09 <stevemar> #topic Triage bug 1630259
18:08:11 <openstack> bug 1630259 in OpenStack Identity (keystone) "Rolling upgrade does not work well in Newton release" [Undecided,New] https://launchpad.net/bugs/1630259
18:08:45 <stevemar> This appeared yesterday, its related to upgrading to newton, so kinda critical. Does anyone have time to triage / verify it?
18:08:54 <stevemar> this happened this morning*
18:09:19 <lbragstad> I can give it a shot
18:09:34 <stevemar> crinkle: it reminds me of the bug you fixed earlier, where domain_id was causing issues with the cache and upgrades
18:10:19 <stevemar> it definitely seems like a data model problem -- the good news is once all nodes were upgraded to newton the problem no longer appears
18:10:28 <stevemar> so it's definitely something we should backport
18:10:57 <stevemar> lbragstad: thanks for volunteering
18:11:30 <stevemar> if anyone else is interested in helping out, poke lbragstad
18:11:46 <stevemar> #topic Address skipped tests
18:11:54 <stevemar> 1493 out of 6500 tests are skipped, this seems high
18:12:00 <stevemar> like, really high
18:12:17 <dolphm> wow
18:12:19 <bknudson> these are typically because something isn't supported by LDAP
18:12:21 <stevemar> i know a bunch are LDAP related, but still...
18:12:25 <rodrigods> bknudson, ++
18:12:35 <stevemar> anyone want to do some sort of analysis here?
18:12:53 <knikolla> I'm in charge of removing ldap write support, so i'm already in the area for this thing
18:13:06 <knikolla> i'll look
18:13:15 <dolphm> do we know it's ldap related, or is that an assumption?
18:13:16 <stevemar> knikolla: makes sense to me
18:13:31 <dolphm> it could be (for example) all the "opportunistic" tests being skipped
18:13:45 <stevemar> dolphm: last time i looked at the backend tests for ldap there were many
18:13:48 <breton> some of the tests are skipped by design
18:13:57 <knikolla> i remember seeing a lot of ldap tests skipped, but i haven't looked in other areas
18:13:58 <breton> if caching is not enabled, for example
18:14:00 <dolphm> ++ but maybe mistakenly skipped suddenly
18:14:14 <knikolla> so can't compare
18:14:15 <stevemar> dolphm: i actually added skips since we removed write support for ldap
18:14:36 <bknudson> removing write support from ldap will likely lead to more skipped tests
18:14:53 <stevemar> yeah
18:15:13 <knikolla> skipped for a pretty good reason though.
18:15:14 <bknudson> could be refactored to have write tests in a separate class that's only run for sql backend
18:15:40 <stevemar> yes, thats what i was thinking. might be time to refactor the tests
18:15:56 <stevemar> knikolla: this is going to get nasty :)
18:16:08 <knikolla> hmmm.... yeah....
18:16:09 <stevemar> a preliminary analysis should reveal a lot
18:16:21 <knikolla> stevemar: i volunteered for the analysis only for now :P
18:16:44 <stevemar> if only half the ldap tests are revealed to be LDAP related, we're still not in good shape
18:16:58 <stevemar> knikolla: i'll add you to the agenda for next week then
18:17:09 <knikolla> stevemar: sounds good
18:17:47 <stevemar> any other comments?
18:18:04 <stevemar> #topic Devstack plugin for federation
18:18:06 <stevemar> knikolla: you're up
18:18:21 <knikolla> alright, so the devstack plugin is waiting for people to give it a spin and give reviews
18:18:30 <knikolla> #link https://review.openstack.org/#/c/320623/
18:18:49 <knikolla> it sets up federation using shibboleth
18:19:07 <knikolla> and also sets up k2k. i've tested it in ubuntu 14.04 and 16.04 and also fedora (a while ago though)
18:19:31 <knikolla> what i haven't tested is using generic IdP, instead of k2k
18:19:47 * rodrigods hides in the corner
18:19:55 <knikolla> in /devstack/README.rst theres documentation on how to set it up
18:19:56 <rodrigods> this has been on my todo list for a while :(
18:20:18 * breton ducks too
18:20:37 <jamielennox> nice, what's the id store behind shib?
18:21:09 <stevemar> jamielennox: probably nothing fancy :P
18:21:42 <knikolla> it can setup the sp or idp separately depending on configuration.
18:21:49 <breton> it sets up shibboleth for the sp side
18:22:00 <knikolla> so id store depends on your idp. i've tested k2k.
18:22:10 <stevemar> knikolla: reviewing it and trying it has been on my todo list for a while
18:22:32 <stevemar> knikolla: is there a check job that runs the setup?
18:22:33 <breton> it would be great to write more tests using this set up
18:22:40 <knikolla> feel free to ping me at anytime in the regular room if you have issues or questions
18:22:42 <knikolla> stevemar: not yet
18:22:49 <breton> stevemar: how do we do that?
18:22:55 <stevemar> breton: that's my next question, are there any tests that we run with this setup
18:23:05 <stevemar> breton: there are a few ways we could tackle that
18:23:12 <knikolla> stevemar: rodrigo has a few patches with tests
18:23:20 <breton> stevemar: there are some tests by rodrigods afaik. But we need more.
18:23:49 <rodrigods> ++
18:23:56 <stevemar> we could create a dsvm job and create a post_hook.sh file that calls knikolla's setup
18:23:58 <rodrigods> we need tests for k2k
18:24:07 <stevemar> best bet would be to talk to the infra team
18:24:15 <dolphm> could we run against testshib.org in tests for the non-k2k case?
18:24:19 <dolphm> (in the gate)
18:24:39 <stevemar> dolphm: probably
18:24:53 <dolphm> i have no idea how reliable it is, or if we could run our own in the gate, etc
18:25:26 <knikolla> it'll be nonvoting for a while, so we can test the reliability. if its good enough
18:25:27 <stevemar> registering seems like the hardest part, and can be automated; http://www.testshib.org/register.html
18:25:34 <stevemar> knikolla: YEP
18:25:36 <stevemar> oops, yep
18:26:36 <jamielennox> does a project only get one plugin and then provide flags within it?
18:26:49 <knikolla> jamielennox: yes
18:27:08 <stevemar> looks like you have to upload the metadata, manually :(
18:27:17 <knikolla> jamielennox: but plugins can either live inside devstack (like ldap) or in separate plugin repos, or in the project repo
18:27:26 <ayoung> Should do LDAP the same way, but I was holding out for FreeIPA and Zuul 3
18:27:39 <stevemar> "Upload your uniquely named metadata file using the form below."
18:27:46 <hrybacki> o/
18:27:57 <stevemar> hrybacki: long time no see
18:28:11 <ayoung> hrybacki, just talking functional testing...thought you might be interested
18:28:14 <hrybacki> aye stevemar agreed. Hope all has been well :)
18:28:15 <jamielennox> knikolla: that's ok, i was just looking at how we would extend this if we wanted to, whether this would be a k2k plugin or if it's the keystone plugin that can do multiple tasks
18:28:28 * hrybacki listens in
18:28:37 <knikolla> jamielennox: it's pretty easy to extend via flags
18:28:56 <jamielennox> for example, shib -> ldap locally would probably be easier than testshib - though hard to setup users
18:28:56 <stevemar> knikolla: i'll bug the infra team with you about creating a job after the meeting
18:29:15 <ayoung> Can shib be backed to LDAP?
18:29:22 <stevemar> ayoung: fo sho
18:29:45 <ayoung> stevemar, if we do that, we could add tasks to ensure that userids from one can match the other ...
18:30:16 <ayoung> have users in LDAP that are also exposed as Federated users via SAML
18:30:28 <stevemar> ayoung: i can dig it
18:30:31 <jamielennox> ayoung: ya, reading https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
18:30:52 <stevemar> ayoung: that'll test the shadow user bits
18:31:01 <ayoung> right
18:31:09 <stevemar> these are all good ideas, but we should review the patch and get a non-voting job for now
18:31:19 <jamielennox> yep
18:31:35 <stevemar> knikolla: be sure to bug dstanek -- he promised me he would look at testing this cycle :)
18:31:43 <rodrigods> stevemar, knikolla for reference in creating a job https://review.openstack.org/#/c/298696/
18:31:53 <knikolla> stevemar: roger
18:32:16 <stevemar> any other questions or comments?
18:32:28 <jamielennox> looks good - i'll try and give it a go today
18:32:49 <stevemar> i'll try soon, weekend if i can't get to it this week
18:33:11 <stevemar> #topic midcycle fallout
18:33:22 <dstanek> fallout?
18:33:30 <stevemar> eh, couldn't think of the right word
18:34:02 <stevemar> basically, we had a list of TODOs at the midcycle, with names attached and i'm calling people out now (buhahaha)
18:34:24 <stevemar> not really meant to be mean, just wanted to know if the TODOs are still applicable
18:34:35 <stevemar> #link http://lists.openstack.org/pipermail/openstack-dev/2016-July/100299.html
18:34:51 <stevemar> ayoung: Modify policy files of each project so they can use “is_admin_project” and document how to upgrade
18:34:51 <stevemar> henrynash: Write up a reseller spec using sub domains including the auth URL idea
18:34:51 <stevemar> henrynash: Change federation shadow mapping to use the existing ID mapping (LDAP already uses it)
18:34:53 <stevemar> bknudson: Propose patches to oslo.policy for improvements to external authorization
18:34:54 <ayoung> - Modify policy files of each project so they can use “is_admin_project”
18:34:54 <ayoung> and document how to upgrade
18:34:55 <stevemar> lamt: Create a spec for notifications for PCI events
18:35:10 <ayoung> yeah, we are just now at the point where we can make use of that. Its on the list for early next cycle
18:35:16 <stevemar> henrynash being the biggest culprit this time around
18:35:32 <amakarov> stevemar, btw, there is no my RBAC service + middleware PoC there
18:35:35 <stevemar> ayoung: cool - i figured as much, i know you've been working that topic in bursts when you have time
18:35:54 <stevemar> amakarov: i will happily add it
18:35:58 <bknudson> stevemar: regarding "Propose patches to oslo.policy for improvements to external authorization" -- with change in strategy I don't know if this is a requirement for us or anybody else anymore
18:36:01 <ayoung> stevemar, its been jamielennox doing the heavy lifting. But needed to happen first.
18:36:04 <jamielennox> so keystone is about the only project that doesn't do is_admin_project in some way or another: https://review.openstack.org/#/c/371856/
18:36:11 <stevemar> bknudson: also something i assumed...
18:36:23 <stevemar> bknudson: thanks for letting me know, i'll update my notes
18:36:28 <lamt> stevemar: A spec for the pci notifications was checked in yesterday.
18:36:34 <stevemar> lamt: yes it was!
18:36:46 <stevemar> lamt: thanks for that, i have it open in a tab, will review soon
18:36:57 <lamt> stevemar: thanks
18:37:13 <stevemar> so henrynash is the troublemaker? :)
18:37:21 <stevemar> topol: ^
18:37:36 <topol> stevemar, how so?
18:37:44 <stevemar> topol: just kidding :)
18:37:55 <stevemar> i'll follow up with henrynash when i get a chance
18:37:57 <topol> henrynash is a good egg
18:38:25 <stevemar> thanks for the updated bknudson, ayoung, amakarov and lamt
18:38:39 <stevemar> i've made notes accordingly
18:38:45 <stevemar> #topic open discussion
18:38:59 <stevemar> who's coming to barcelona? who's already booked? who's presenting?
18:39:00 <topol> open TODOs?
18:39:03 <topol> just kidding
18:39:03 <dolphm> lamt: link?
18:39:15 <stevemar> dolphm: https://review.openstack.org/#/c/381302/
18:39:30 <dstanek> i'll won't be there
18:39:36 <lbragstad> ditto
18:39:42 <stevemar> :sadface:
18:39:56 <topol> I will be in attendance. Presenting interoperability challenge results
18:39:56 * rodrigods has https://www.openstack.org/summit/barcelona-2016/summit-schedule/events/15560/pushing-your-qa-upstream
18:39:59 <rodrigods> please don't go
18:40:00 <rodrigods> :)
18:40:00 <jamielennox> ayoung, dolphm: i put up a spec with the fetching expired token stuff: https://review.openstack.org/#/c/381361/ - i didn't reuse an existing one
18:40:05 <ayoung> I'm coming. Splitting my time between Keystone and Tripleo
18:40:09 <jamielennox> dstanek, lbragstad: :(
18:40:12 <breton> i will be and already booked
18:40:13 <ayoung> jamielennox, OK.
18:40:16 <dolphm> stevemar: lamt: awesome, thanks
18:40:19 <stevemar> rodrigods: i'll be there in the front seat
18:40:20 <browne> i'll be there
18:40:22 <breton> have to miss GSoC summit because of it :(
18:40:22 <jamielennox> i'm coming
18:40:27 <rodrigods> stevemar, nooo
18:40:28 <dolphm> jamielennox: oooh
18:40:42 <hrybacki> I'd like to take a LHF bug off of launchpad and walk through the replication/patch/ci process using oooq if anyone can recommend something they think would be a good fit for this?
18:40:44 <knikolla> already booked
18:40:47 <hrybacki> also, have fun in Barcelona y'all :(
18:41:07 <ayoung> oooq being Tripleo-Quickstart....
18:41:11 <knikolla> and have a vbrownbag talk
18:41:16 <rderose> I'll be there
18:41:23 <stevemar> knikolla: what about?
18:41:37 <hrybacki> ayoung: yes ty, tune to your audience
18:41:41 <ayoung> ++
18:41:49 <knikolla> stevemar: the usual "Resource Federation in a Multi-Landlord Cloud"
18:42:21 <stevemar> knikolla: nice. anyone else presenting?
18:42:22 <hrybacki> basically my goal is to make TripleO-Quickstart a better tool for developers -- and this seems like a good way to help Keystone in tandem
18:42:34 <knikolla> it's 6 minutes of presentation time :P
18:42:48 <knikolla> or was it 12 :P
18:42:51 <stevemar> hrybacki: you can use the tag to find LHF, but i'm not sure we have anything atm
18:43:09 <stevemar> knikolla: so i'm hearing a "no" :)
18:43:14 <ayoung> WTF is LHF
18:43:21 <stevemar> low-hanging-fruit
18:43:23 <rodrigods> low hanging fruit
18:43:24 <hrybacki> stevemar: aye. I see a few. ayoung low hanging fruit :P
18:43:32 <knikolla> stevemar: gsilvis is also presenting with me
18:43:32 <stevemar> it took me a while to guess what hrybacki was talking about :)
18:44:12 * rodrigods hunted LHF bugs when entering the openstack world
18:44:20 <stevemar> i know it's hard to organize, but i'll try to find a day for all of us to get together
18:44:45 <stevemar> for dinner of course
18:44:46 <hrybacki> great I'll review these -- is there someone in particular I can use as a point person for questions?
18:44:56 <stevemar> summits are harder than midcycles though :\
18:44:57 <ayoung> Sour grapse
18:44:58 <rodrigods> stevemar, for beer of course
18:45:01 <ayoung> grapes even
18:45:05 <hrybacki> rodrigods: I did too! For keystone actually
18:46:30 <rodrigods> hrybacki, ++
18:46:46 <dstanek> hrybacki: the keystone channel :-)
18:46:59 <stevemar> sounds like it'll be a good crowd going :)
18:47:09 <stevemar> with some folks sorely missed :(
18:47:38 <lbragstad> stevemar take good notes ;)
18:47:43 <stevemar> lbragstad: will do sir
18:47:58 <ayoung> We done?
18:48:07 <stevemar> lbragstad / dstanek / others that aren't going... let me know in advance if you want to discuss something
18:48:08 <stevemar> ayoung: yep
18:48:15 <stevemar> thanks for the time everyone
18:48:18 <stevemar> o\
18:48:31 <stevemar> #endmeeting