16:00:33 <cmurphy> #startmeeting keystone 16:00:34 <openstack> Meeting started Tue Aug 13 16:00:33 2019 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:37 <openstack> The meeting name has been set to 'keystone' 16:00:44 <cmurphy> #link https://etherpad.openstack.org/p/keystone-weekly-meeting agenda 16:00:48 <cmurphy> o/ 16:00:49 <vishakha> o/ 16:01:15 <bnemec> o/ 16:01:43 <kmalloc> o/ 16:01:59 <gagehugo> o/ 16:02:58 <cmurphy> hi everyone 16:03:02 <cmurphy> #topic Shanghai Forum/PTG 16:03:28 <cmurphy> I went ahead and responded to the foundation survey saying we don't need ptg space 16:03:46 <kmalloc> basically no one showing up? 16:03:49 <kmalloc> =/ 16:03:51 <cmurphy> basically 16:03:54 <gagehugo> :( 16:03:57 <cmurphy> i am still moreorless planning on being there barring the usual uncertainty so can be around for ad hoc discussions 16:04:06 <bnemec> So no onboarding then? 16:04:32 <cmurphy> no i was still planning on doing the onboarding 16:04:38 <cmurphy> i guess i should clarify with them 16:04:45 <bnemec> I think those moved to the PTG this time. 16:05:04 <bnemec> I guess I don't know if they were going to be scheduled separately though. 16:05:05 <cmurphy> maybe i can just request an hour for the onboarding 16:05:16 <cmurphy> they didn't really mention the onboarding part in the survey email 16:06:16 <cmurphy> regardless, i will still propose a session or two for the forum 16:06:22 <cmurphy> and would like help coming up with topics 16:06:36 <cmurphy> #link https://etherpad.openstack.org/p/keystone-shanghai-ptg ptg/forum etherpad 16:07:44 <cmurphy> will also start planning the pre- and post- virtual ptgs soon 16:08:40 <cmurphy> any questions or concerns? 16:08:46 <cmurphy> or ideas? :) 16:10:22 <cmurphy> #topic Feature proposal freeze this week 16:10:34 <cmurphy> #link https://releases.openstack.org/train/schedule.html cycle schedule 16:10:58 <cmurphy> we're still missing a few implementation proposals that are due this week 16:11:08 <cmurphy> #link http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/expiring-group-memberships.html refreshable group membership 16:11:14 <cmurphy> #link http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/resource-options-for-all.html resource options for all 16:11:22 <cmurphy> #link http://specs.openstack.org/openstack/keystone-specs/specs/keystone/train/support-federated-attr.html federated attributes 16:12:18 <gyee> expiring group membership is not intend for LDAP groups right? 16:12:33 <cmurphy> gyee: correct, just federated users 16:12:38 <gyee> k 16:12:51 <cmurphy> unfortunately knikolla isn't here to discuss two of those 16:13:01 <cmurphy> kmalloc: any update on resource options? 16:14:53 <kmalloc> it's slow going 16:15:00 <kmalloc> because i've had a lot of other things on my plate. 16:15:16 <kmalloc> i am carving some time out to land the migrations here soon 16:15:28 <kmalloc> and the rest of the code shuffle is getting easier. 16:15:59 <kmalloc> i think the approach i'm going to do is implement the new table and setup the scaffolding and *then* migrate user options 16:16:11 <kmalloc> so we have the support for everything independant of the user options 16:16:20 <kmalloc> which ahs been the hard(est) part to put together 16:16:28 <cmurphy> that sounds reasonable 16:17:15 <cmurphy> would a 1-week extension give enough breathing room to help you with that? 16:17:23 <kmalloc> possibly. 16:21:02 <cmurphy> if we went forward with resource options just for roles as in https://review.opendev.org/666739 would that get seriously in the way of the migration work? 16:24:50 <cmurphy> kmalloc: ^ 16:27:30 <cmurphy> okay, well wrt expiring group membership and federated attributes, i will sync up with knikolla but my initial proposal is 1) drop federated attributes till next cycle 2) propose an extension for refreshable group membership 16:27:38 <cmurphy> if needed 16:27:43 <kmalloc> yeah it probably would 16:28:01 <cmurphy> kmalloc: yeah i figured :/ 16:28:17 <kmalloc> i can take on the resource options for roles if i get the other support done it should really be minimal code. 16:28:30 <kmalloc> then adding immutable should be a very small patch. 16:28:44 <kmalloc> ;i'll do waht i can to get something up this week. 16:29:12 <cmurphy> alright, thanks kmalloc 16:30:48 <cmurphy> I will sync up with people by the end of the week and send an email if we need to propose to drop or extend things 16:31:27 <cmurphy> #topic Noisy policy deprecation warnings 16:31:52 <cmurphy> so we landed the fix to get these out of the unit tests which is nice 16:31:57 <cmurphy> #link https://review.opendev.org/673933 16:32:06 <cmurphy> it didn't really help with the ci like i had hoped 16:32:29 <bnemec> :-( 16:32:52 <cmurphy> i suspect we need to revisit https://review.opendev.org/663065 and actually get the efficiency of our protection tests under control 16:33:43 <cmurphy> but with regard to the operator-facing issues I proposed kind of a cop-out https://review.opendev.org/674940 16:33:59 <cmurphy> wondering if there are any concerns about that approach? 16:35:27 <cmurphy> we tend to cargocult that warning message to every other policy so want to be sure we agree on it 16:36:24 <kmalloc> cmurphy: maybe we make the warning the generic one 16:36:32 <kmalloc> and debug run through each rule? 16:36:46 <kmalloc> and make sure the policy checker CLI emits verbose warnings 16:37:09 <kmalloc> doesn't address CI things but addresses operator impact 16:37:09 <gyee> how did it impact ci? we can't handle large log files? 16:37:31 <kmalloc> hard to read logs, stupid large logs, and slow because emitting tons of lines 16:37:35 <cmurphy> kmalloc: not sure what you mean by debug run 16:37:42 <cmurphy> gyee: the logs were around 150MB 16:37:55 <cmurphy> the ci was sometimes choking on uploading them to the log server 16:38:08 <gyee> maybe we can setup a filter to optionally filter them out? 16:38:09 <kmalloc> cmurphy: emit the warning for each policy when in debug 16:38:14 <cmurphy> and trying to load them in a browser caused the browser to crash 16:38:30 <cmurphy> gyee: we tried that, there are so many it's even more inefficinet 16:38:32 <kmalloc> cmurphy: emit only a generic "hey, we noticed some things, use X command to see more details" when in not-debug mode 16:38:59 <cmurphy> kmalloc: would we need to add a new thing to oslo.policy? 16:39:00 <kmalloc> cmurphy: and make sure the policy checker tool can emit full output of each rule 16:39:14 <kmalloc> cmurphy: we would need to adjust olso.policy 16:39:41 <kmalloc> cmurphy: for logging purposes, and for CI we would need to keep the "don't emit deprecation warnings" flag. 16:40:14 <kmalloc> this feels like a debug level message vs a warning message to follow up on 16:40:18 <cmurphy> okay, i can play around with that 16:40:26 <kmalloc> and the oslo policy checker tool can be very verbose., 16:40:39 <kmalloc> and likely should be 16:40:39 <bnemec> The only thing is that debugging is probably when the log spam is most annoying. 16:40:58 <bnemec> Maybe we should expose a verbose_deprecations option or something to make it explicit. 16:41:08 <kmalloc> or we crater this to trace level logging 16:41:15 <kmalloc> but hard -2 on "verbose_deprecations" 16:41:24 <bnemec> I thought we were trying to kill off trace? 16:41:30 <kmalloc> are we? 16:41:42 <cmurphy> yeah i don't think we use trace any more 16:41:46 <kmalloc> or just make it a policy checker tool 16:41:55 <kmalloc> but really -2 on verbose_deprecations. 16:42:32 <kmalloc> warn that some policys are wonky (1 line) and make the checker tool emit verbose information 16:42:47 <kmalloc> and indicate the checker tool shgould be used to know what policys are in this state. 16:42:53 <kmalloc> policy-rules* 16:42:55 <bnemec> Yeah, I like that. 16:42:55 <gyee> I am kinda surprised that a log filter didn't work. I thought that's what its for. 16:43:04 <kmalloc> gyee: too many lines to parse 16:43:19 <kmalloc> gyee: it works, it makes CI runs 2-3x longer 16:43:49 <gyee> oh wow 16:43:54 <kmalloc> gyee: and that is a bigger issue than filtering is. 16:44:17 <cmurphy> so one WARN that indicates something is wrong, a one-line DEBUG for each policy, and a detailed message in the policy checker? 16:44:28 <kmalloc> one warn that says use the policy checker tool 16:44:36 <kmalloc> and policy checker tool more verbose 16:44:41 <kmalloc> no debug for each policy 16:44:56 <bnemec> +1 16:45:02 <cmurphy> okay 16:45:08 <kmalloc> we can escalate that one warn up to error/critical as we move closer to finalizing the move 16:45:13 <cmurphy> sounds good to me 16:46:13 <cmurphy> #topic review requests 16:46:19 <cmurphy> any other reviews to highlight? 16:47:41 <cmurphy> guessing this one is a hard no? https://review.opendev.org/675303 16:48:01 <vishakha> System scope for endpoint group policies https://review.opendev.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1818734 16:48:17 <cmurphy> thanks for working on those vishakha 16:49:16 <gyee> 675303 is interesting 16:49:32 <gyee> that would mess up the API contract 16:50:58 <gyee> oh hey, they will be conveyed via "extras", kmalloc's favorite :-) 16:51:28 <kmalloc> don't do that 16:51:29 <kmalloc> please 16:53:10 <kmalloc> -2, request for more information 16:53:31 <kmalloc> i want to know the use case and what is being solved rather than a "hey this is a thing" 16:53:38 <cmurphy> ++ 16:54:00 <gyee> yeah, I agree 16:54:16 <cmurphy> i'm also hoping someone not-me can reproduce the issues in https://review.opendev.org/674782 and https://review.opendev.org/674139 and help verify the fixes 16:54:59 <gyee> I'll take a look at 674782 16:55:09 <cmurphy> thanks gyee 16:55:39 <cmurphy> relevant ml post on that one http://lists.openstack.org/pipermail/openstack-discuss/2019-August/008210.html 16:55:53 <cmurphy> #topic open floor 16:56:00 <cmurphy> 5 minutes for any other topics? 16:56:13 <cmurphy> no office hours after this 16:57:34 <gyee> 674139 is a good one. I've seen that error before. But didn't have the time to investigate how bad of leak that was. 16:58:26 <cmurphy> it seems to make sense but i first couldn't verify the fix and now for some reason can't reproduce the bug 16:58:52 <cmurphy> so just wanted someone to sanity check it 16:59:24 <gyee> yeah, a unit test would be nice 16:59:34 <cmurphy> ++ 16:59:36 <cmurphy> time's about up, thanks everyone 16:59:39 <cmurphy> #endmeeting