16:01:07 #startmeeting keystone 16:01:08 Meeting started Tue Aug 27 16:01:07 2019 UTC and is due to finish in 60 minutes. The chair is kmalloc. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:01:09 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:01:11 The meeting name has been set to 'keystone' 16:01:16 o/ 16:01:42 o/ 16:01:50 i'll give a couple minutes for people to arrive. 16:02:02 it is probably going to be a short meeting. 16:02:05 o/ 16:02:10 or short on planned agenda at least 16:02:36 o/ 16:03:28 o/ 16:07:02 ok 16:07:05 lets get started 16:07:40 #topic Request for Review 16:07:57 KSM v2 removals 16:08:06 gagehugo: o/ 16:08:10 o/ that's me 16:08:20 #link https://review.opendev.org/#/c/678386/ 16:08:27 #link https://review.opendev.org/#/c/669706/ 16:08:35 those two for now 16:08:44 the other links? 16:08:54 https://review.opendev.org/#/c/677585/ and https://review.opendev.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1805409 ? 16:08:56 I mean for ksmv2 16:09:04 idk about the other links 16:09:08 0/ 16:09:40 in short we're working to remove the v2 support from keystonemiddleware, gagehugo has been working on getting things passing 16:09:46 and looks like vishakha is too :) 16:10:05 link https://review.opendev.org/#/c/677585/ , this is colleen's patch for client support app creds. open for review 16:10:13 vishakha: ahhh 16:10:18 there we go 16:10:35 if its good to go we can propose build of keystomeclient so that it is available for openstackclient 16:10:54 anyway, keystonemiddleware dropping v2 support will ease up the codebase for further cleanup 16:10:58 ask gagehugo questions 16:11:13 #link https://review.opendev.org/#/c/677585/ 16:11:34 needs eyes, it's app-cred related 16:11:50 thanks kmalloc 16:11:52 while cmurphy is on vacation, please feel free to review/comment/approve, etc 16:12:00 vishakha thanks 16:12:04 if you have questions both vishakha and I are available to help :) 16:12:20 and finally 16:12:23 #link https://review.opendev.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/1805409 16:12:44 lots of policy related work, help to get them passing gate and get these landed would be appreciated 16:12:47 this is few left in policy API in system scopes 16:12:59 * kmalloc nods. 16:13:28 vishakha: want to continue with the other changes you have in flight? 16:13:41 * kmalloc noticed more review requests by vishakha on the agenda :) 16:13:59 Thats all for policy and association API 16:14:21 but there is also oauthlib and pdf docs. 16:14:21 i did review a whole bunch yesterday, will be happy to keep reviewing 16:14:43 thanks kmalloc knikolla 16:14:55 yay knikolla reviews! 16:15:45 for oauthlib I can many test cases failing but I am still digging the reason of failure 16:15:56 * kmalloc nods. 16:16:15 Help will be appreciated :) 16:16:21 looks like an unfortunate case of the lib changed pretty drastically in weird ways. 16:16:28 s/weird/subtle 16:17:21 Also for the pdf docs we came across with the errors none of the other project ran into. Also asked the docs team to look inti 16:17:30 * kmalloc nods. 16:17:30 s/inti/into 16:17:47 that is a bit weird of an error 16:18:14 kmalloc: yes it is 16:20:20 that's it from my side 16:20:29 ok i think we're on for lbragstad 16:20:32 lbragstad: o/ 16:20:38 o; 16:20:39 o/ 16:21:01 vishakha, what's the weird error. Out of memory? 16:21:01 ok - so cmurphy|afk kmalloc and i were looking at the test run times for unit tests 16:21:30 I know others had hit that error recently, especially with large docs 16:21:41 and the obvious culprit for increased run times is all the protection testing we've been doing 16:22:05 gyee: matrix file missing. 16:22:14 i wanted to throw this on the agenda so that we could discuss additional ideas for how to keep testing policy but in ways that don't take forever or spool out of control 16:22:16 gyee: https://zuul.opendev.org/t/openstack/build/ec6d51585a3c4b31b42aebe928c73e35/log/job-output.txt#5395 16:22:34 k, that's different one then 16:23:17 initially - we were thinking that reusing some of the common resources would help out - and it certainly would 16:23:30 but we're ultimately making a lot of API requests, period 16:23:47 i'm sure that re-using fernet / cred repos would help a lot 16:24:03 that is both random/urandom and filesystem access 16:24:06 and some of the bootstrap resources - but the testresources work has kinda hit a wall 16:24:27 (i'm also not convinced its possible to do what we want with testresources) 16:24:38 integrating that into our tests has been painful 16:25:02 but that's the recommended approach over using native structures like setUpClass or setUpModule 16:25:58 i'm wondering how people feel about graduating the protection tests to formal functional tests... 16:26:15 i'd be ok with that 16:26:25 same 16:26:31 however, i don't think it's going to reduce local testing load 16:26:34 i haven't planned things out in detail yet 16:26:42 because we're going to need to run these locally as well as unit tests 16:27:02 yeah - we'd definitely keep gating on them 16:27:04 we might be able to at least isolate the protection tests into testresources 16:27:15 esp. if we're putting them into their own test-run 16:27:17 but they wouldn't be invoked by ``tox -re py37`` 16:27:42 because we have less concern about API correctness and more of policy behavior 16:27:43 instead, we could exercise that suite using something like ``tox -e functional`` or ``tox -e protection`` 16:27:52 we can't mock the target part? 16:28:18 i'd opt for -e protection, and i would opt for trying to use testresources or similar in the protection-only tests 16:28:32 we can re-merge them to -epy37 if we want later or keep them isolated 16:28:32 sure - i think we should still vet that 16:28:45 we are going to have to rebuild a chunk of them in either case. 16:28:57 since -eprotection isn't going to be fast 16:29:05 but this would allow us to slim down the unit test times while we figure out what the deal is with testresources 16:29:17 but it's not trying to retrofit our entire test suite 16:29:23 in one go. 16:29:51 keep in mind it will only add concurrency to gating, it wont, in fact fix test runtimes overall or resource consumption 16:30:08 unless we also do testresources or more streamlined setup work 16:30:16 somehow 16:30:32 at this point - i'd be happy if we could get testresources to handle bootstrap 16:30:36 and share those resources 16:30:54 if we can get that done, i'd say we can take the next step and look at other optimizations in how we set things up 16:31:24 or we look at that now if testresources doesn't actually work for what we're trying to do with it 16:31:25 ++ 16:31:54 * lbragstad thought it was going to be more straight forward to integrate that into keystone's protection tests 16:32:21 we might need to really just isolate and build a new core test structure up that does testresources from the get go 16:32:40 it's a big chunk of work, but might be easier than retrofitting it into the current mess 16:32:43 and history 16:32:47 yeah... 16:32:58 kinda damned if you do and damned if you don't... 16:33:04 yup 16:33:06 *shrug* 16:33:09 either way it's going to be a huge refactor 16:33:13 unfortunately 16:34:02 anything else? 16:34:13 do we have general consensus on the approach? 16:34:19 does anyone see red flags with this? 16:34:23 anyone want to volunteer (gyee ?) to toss some help over to lbragstad ? 16:34:38 i don't see any red flags besides "it's a lot of work" 16:34:42 and that is expected 16:34:45 again - i'd just be happy to get things isolated this release 16:35:13 we can have another gate job that exercises protection testing - running it in parallel with our existing unit tests 16:35:19 (which might help gate run times) 16:35:51 which is at least a start 16:35:51 but we're also not forcing people to testing thousands of protection tests if they're not modifying the api layer or policies directly 16:35:51 kmalloc, sure, yeah, it'll be a lot of work 16:36:06 ok 16:36:18 moving on, resource options (this is me/cmurphy) 16:36:28 thanks kmalloc and gyee 16:36:36 some code is posted to add resource options to roles and projects (+domains) 16:36:45 #link https://review.opendev.org/#/c/678322/ 16:36:48 core addition of code 16:36:54 #link https://review.opendev.org/#/c/666739/ 16:36:58 immutable option 16:37:06 #link https://review.opendev.org/#/c/678379/ 16:37:11 tempest change to disable a test 16:37:18 #link https://review.opendev.org/#/c/678380/ 16:37:25 tempest change to re-enable and fix the test 16:37:27 eyes would be welcome 16:37:32 some tests are not 100% done 16:37:44 and i know there are some issues with gate passing, that is related to LDAP and tempest tests 16:37:50 i should have these fixed shortly 16:37:57 but, please review general approach 16:38:20 due to some complexity with the ORM, we opted to just create new tables for project_options and role_options 16:38:47 a couple key things, an immutable project cannot have tags created/updated/deleted on it as well as cannot be updated or deletedc 16:39:19 immutable works similar to chattr command, you can change immutable options and other options in one go, but you may not, for example 16:39:28 change the project name and the immutable option at the same time 16:39:56 there is not a lot else to say here, feel free to reach out to me if you have questions 16:40:35 final topic: 16:40:47 #topic meeting 2019-09-3 16:41:27 Unless someone has a critical need, I am planning on skipping the meeting (for everyone). The day before is labor day (US Holiday), this will give us a bit more heads-down time to just keep plugging on items 16:41:38 s/skipping/cancelling 16:41:46 i wont send the cancel email until friday 16:42:04 please let me know if you have a critical item for the next meeting between now and friday 16:42:13 #topic open discussion 16:42:22 anyone have anything else? 16:42:43 * gagehugo does not 16:43:25 ok 16:43:29 #endmeeting