#openstack-keystone log

15:04:26 <redrobot> #startmeeting keystone
15:04:26 <opendevmeet> Meeting started Tue Sep 28 15:04:26 2021 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04:26 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:04:26 <opendevmeet> The meeting name has been set to 'keystone'
15:04:36 <redrobot> #topic Roll Call
15:04:38 <lbragstad> o/
15:04:57 <redrobot> Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, jdennis, ruan_he, wxy, sonuk, vishakha,Ajay, raildo, rafaelweingartner, redrobot, xek
15:05:03 <xek> o/
15:05:08 <d34dh0r53> o/
15:05:25 <ayoung> Can you add me to the courtesy ping list, please?
15:05:35 <redrobot> As usual the agenda can be found here:
15:05:46 <redrobot> #link https://etherpad.opendev.org/p/keystone-weekly-meeting
15:06:07 <redrobot> ayoung, already on the ping :)
15:06:34 <knikolla> o/
15:06:34 <redrobot> Looks like we've got a few topics to cover so let's get started
15:06:36 <ayoung> Ah...cool
15:06:45 <redrobot> #topic Review Past Meeting Action Items
15:07:00 <redrobot> #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-09-21-15.00.html
15:07:02 <h_asahina> o/ hello. it's the first time for me to attend this meeting. can i join?
15:07:08 <gagehugo> o/
15:07:26 <redrobot> > redrobot to investigate who the Keystone liaisons are
15:07:44 <redrobot> I did not do this :(
15:07:48 * redrobot punts it to next week
15:07:51 <redrobot> #action redrobot to investigate who the Keystone liaisons are
15:07:59 <redrobot> That was the only action item
15:08:01 <redrobot> moving on ...
15:08:29 <redrobot> we'll skip the Liaison Update since we don't know who they are
15:08:46 <redrobot> #topic Suggestion for OAuth2.0 support from OpenStack Tacker team (h-asahina)
15:08:48 <knikolla> h_asahina: welcome :)
15:08:56 <h_asahina> thanks
15:09:03 <redrobot> h_asahina, floor is yours
15:09:10 <knikolla> redrobot: i think i'm most liasons, hah
15:09:55 <redrobot> knikolla, ack ... I'll circle back after this topic
15:10:49 <redrobot> Looks like the summary from h_asahina 's topic description in the etherpad is:
15:10:51 <redrobot> >  we would like to propose OAuth2.0 support as an option of Keystone in the next PTG and implement it in Yoga.
15:11:23 <h_asahina> yes
15:11:50 <ayoung> Meaning you get SSO without Fedration?
15:12:12 <h_asahina> no. we want to support Oauth2 for API calls.
15:12:19 <knikolla> is there a spec discussing the proposal?
15:12:25 <h_asahina> like oauth1 extension.
15:12:40 <redrobot> h_asahina, the usual first step is to submit a Spec patch to our spec repo:
15:12:40 <h_asahina> > is there a spec discussing the proposal?. sorry not yet.
15:12:44 <redrobot> #link https://opendev.org/openstack/keystone-specs
15:12:54 <knikolla> ayoung: i think this is about having keystone as a oauth 2.0 identity provider
15:13:08 <knikolla> so that services can validate jwt tokens
15:13:09 <redrobot> ^^^ that's the impression I got too
15:14:01 <ayoung> So, reuse an existing library, or implement custom?
15:14:33 <h_asahina> we considering implementing a new custom extension
15:15:07 <h_asahina> we're also want to submit spec for next PTG. can we make it in time?
15:15:58 <knikolla> yeah, please propose a spec in the keystone-specs repository describing the API and some implementation details (choice of library, support in clients, etc)
15:16:30 <h_asahina> ok, when is the deadline for yoga
15:17:01 <knikolla> https://releases.openstack.org/yoga/schedule.html
15:17:42 <redrobot> h_asahina, feature freeze is the week of February 21
15:18:19 <h_asahina> got it. but i think we have to submit it before the next PTG, right?
15:18:31 <knikolla> though the spec would have to be approved before that, ideally shortly after the PTG. if there are needs for revising with feedback from the PTG.
15:18:34 <redrobot> h_asahina, yeah, it would be good to have a spec submitted before the PTG
15:18:40 <redrobot> #link https://etherpad.opendev.org/p/yoga-ptg-keystone
15:18:52 <redrobot> You can add it as a topic to be discussed during the PTG session
15:19:10 <h_asahina> ok, thanks.
15:20:02 <redrobot> h_asahina, thank you.  looking forward to reviewing your spec.
15:20:12 <redrobot> OK, moving on ...
15:20:42 <redrobot> #topic PTG
15:20:50 <redrobot> Just a reminder to sign up for the PTG
15:21:16 <redrobot> Our session will be on Monday October 18 @ 1400-1600 UTC
15:21:30 <redrobot> you can add topics to the etherpad I linked above.
15:23:24 <redrobot> Moving on ...
15:23:59 <redrobot> #topic Migrations Backport
15:24:22 <redrobot> #link https://review.opendev.org/c/openstack/keystone/+/806381
15:24:35 <redrobot> I wanted to follow up on last week's discussion of xek's patch
15:24:43 <redrobot> I spent a little bit of time looking at it
15:25:03 <redrobot> and realized that Keystone uses an NIH migration library that hasn't been updated in years.
15:25:18 <redrobot> so forget everything I mentioned about Alembic because I had no idea what I was talking about.
15:25:24 <lbragstad> :)
15:25:29 <ayoung> SQL Alchemy?
15:25:33 <lbragstad> long live slqalchemy
15:25:49 <redrobot> ayoung, yeah, it's a custom lib that uses SQLAlchemy
15:25:53 <lbragstad> fwiw - we've had alembic on the backlog forever
15:25:56 <knikolla> sqlalchemy-migrate
15:25:58 <ayoung> I know it well
15:26:09 <ayoung> _member_ FTW
15:26:14 <redrobot> the outstanding question was whether it was safe to backport to Wallaby
15:26:27 <lbragstad> because we didn't merge the placeholders before the wallaby release
15:27:39 <redrobot> In my limited undestanding of sqlalchemy-migrate, I _think_ it should be OK, given that it's the only migration that landed
15:27:49 <redrobot> but I'll defer to someone with better understanding of the lib
15:28:12 <knikolla> ++, i have the same general feeling, given that there's nothing to mess up the ordering yet
15:28:18 <ayoung> So we are cool with the 256 character limit, right?
15:28:31 <ayoung> THis is just about the backportability of the patch?
15:28:48 <redrobot> ayoung, right ... the patch has already landed on master
15:29:38 <ayoung> And the migration in that patch is SQL alchemy.  I assume that means that we've moved to Alembic since then?
15:29:50 <ayoung> And the question is whether a SQL A migration can still land?
15:29:53 <redrobot> ayoung, negative, no alembic support yet
15:30:10 * redrobot was confused about what migration strategy keystone uses
15:30:27 <ayoung> Its more of a tactic than a strategy
15:32:00 <ayoung> And...why is the actual work done in contract?
15:32:15 <ayoung> disregard
15:32:22 <ayoung> I read them in ABC order. All makes sense
15:33:28 <ayoung> OK, so this change is only going to adjust the size of the column in the database to a larger size.  Why would there be an issue with the migration?  Is there a Wallaby migration <079?
15:33:42 <ayoung> Er > thatn 079
15:33:46 <lbragstad> no
15:34:15 <lbragstad> we typically merge a series of placeholders before every release to allow for backporting migrations
15:34:18 <lbragstad> but - we didn't do that
15:34:28 <lbragstad> but we also haven't merged a migration in a long time
15:34:39 <ayoung> Yes, I recall that practice.
15:34:52 <lbragstad> so - we wanted to make sure we weren't screwing anything up by backporting a migration without a placeholder
15:35:10 <lbragstad> i think the saving grace in this case is that both wallaby and master would have the latest migration
15:35:12 <ayoung> Since the migration numbers would be consistant from Wallaby on forward, I would think there would be no risk.  It would not break a future upgrade
15:35:44 <ayoung> So long as there is no compacting of migrations, you will always get 0179 on top of 078
15:36:01 <ayoung> (I'm sure you've missed my typos)
15:36:02 <lbragstad> i think it would be a problem if we implemented 79 and then xek's patch was 80
15:36:12 <lbragstad> then, we would have a problem
15:36:22 <lbragstad> because we would have to backport 79 and 80
15:36:27 <ayoung> Right.
15:37:31 <redrobot> So it sounds like we're clear to go ahead and merge?
15:37:42 <lbragstad> i think so?
15:38:23 <lbragstad> but we should probably 1.) make sure we do the placeholders or 2.) figure out if alembic makes the problem go away 3.) move to alembic anyway since sqlalchemy-migrate is on life-support
15:38:53 <lbragstad> i think we're one of the only projects still using -migrate
15:38:54 <ayoung> placeholders would make sense at the end of a release with a lot of database migrations
15:39:07 <redrobot> 2) Yes.  Alembic uses uuid-like strings to identify changes, and they point to the parent, and it's smart enough to know when a patch has already been applied.
15:39:18 <lbragstad> nice
15:39:18 <redrobot> Alembic is also good about squashing migrations
15:39:35 <ayoung> it gives the option of backporting fixes prior to any real work
15:39:52 <ayoung> Alembic is like git for Databases.  I liked it when we evaluated it years back
15:39:59 <lbragstad> yeah
15:40:22 <ayoung> But, moving from SQL A to Alembic should be done in a release before any migrations land
15:40:28 <lbragstad> regardless, we probably need to adopt something soon, we've been putting it off for a long time
15:40:32 <redrobot> It was nice enough to get merged into SQLAlchemy proper
15:40:53 <lbragstad> ok - so should we plan and stage that work for Z?
15:41:20 <ayoung> Actually, it would be a good plan to do it at the end of Y
15:41:27 <redrobot> lbragstad, we can always Upstream Friday the work. :)
15:41:27 <ayoung> instead of "the first thing" make it the last
15:41:46 <lbragstad> someone could PoC it, propose it for review, and we can merge it after plenty of time to play with it in review
15:41:58 <knikolla> reminds me of https://review.opendev.org/c/openstack/keystone/+/760678
15:42:42 <redrobot> oof
15:42:42 <ayoung> Hmm...now that I think of it, I don;t know that it needs to be first thing.  Just needs to be an explicit cut over
15:42:58 <lbragstad> agreed - but i need more time to think about the migration
15:43:11 <lbragstad> the good thing is that we don't really have many migration in flight
15:43:23 <ayoung> I think we are OK so long as we agree that 00X is the last SQL A migration
15:43:33 <lbragstad> right
15:43:37 <redrobot> ayoung++
15:43:38 <ayoung> and then DB sync does the right thing
15:43:43 <ayoung> (tm)
15:44:33 <redrobot> There's a few more patches in the agenda, so I want to move on from this, since it sounds like we have a plan.
15:45:51 <redrobot> lbragstad, ayoung, knikolla, please +1/+2 the migration backport patch when you get a chance.
15:45:58 <redrobot> moving on ...
15:46:04 <redrobot> #topic Review Requests
15:46:06 <lbragstad> i'd like to get some reviews on some trivial patches
15:46:09 <lbragstad> #link https://review.opendev.org/c/openstack/keystone/+/806243
15:46:16 <lbragstad> #link https://review.opendev.org/c/openstack/keystone/+/806205
15:46:22 <lbragstad> #link https://review.opendev.org/c/openstack/keystone/+/810324
15:46:29 <knikolla> i already pushed them through :)
15:46:38 <lbragstad> knikolla noice
15:46:40 <lbragstad> thanks!
15:46:44 <lbragstad> nevermind then :)
15:46:50 <redrobot> that was fast!
15:47:04 <lbragstad> we should back port those to the train release if possible
15:47:12 <lbragstad> or as far back as possible
15:47:23 <redrobot> I'll keep an eye out for cherry-picks
15:47:25 <lbragstad> because the default sample doesn't make sense and is misleading
15:49:23 <ayoung> submit them for backport and tag reviewers
15:49:37 <redrobot> ^^^
15:49:46 <redrobot> OK, last topic for today
15:49:52 <redrobot> #topic Bug Review
15:49:59 <ayoung> NOt quite last...I added one
15:50:03 <ayoung> :)
15:50:10 <redrobot> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:50:40 <redrobot> Looks like no new keystone bugs in the last week
15:50:52 <lbragstad> lot of untraiged bugs
15:51:11 <ayoung> The region thing came up years ago
15:51:19 <redrobot> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:51:28 <redrobot> And no new bugs in python-barbicanclient
15:51:38 <redrobot> lbragstad, yeah, we've got a topic for PTG to try to triage some of those
15:51:53 <redrobot> Although there is a lot
15:52:07 <redrobot> so maybe we should set up a recurring triage meeting until those are all triaged
15:52:17 <redrobot> something to think about for PTG anyway
15:52:35 <redrobot> And a last minute topic
15:52:48 <redrobot> #topic ayoung requests core again
15:52:48 <ayoung> Just add the bugs to the end of the Keystone meeting that we want to triage and we get through as many of them as we can until the meetingruns out of time
15:53:00 <ayoung> Yeah, so I'm back in an OpenStack world.
15:53:00 <redrobot> ayoung, that's also a good suggestion
15:53:08 <redrobot> ayoung, Welcome back!
15:53:11 <lbragstad> ++
15:53:12 <ayoung> And I am happy to help move patches along again.
15:53:21 <lbragstad> ack - i think we've only had to do this one other time
15:53:25 <lbragstad> and that was with gyee
15:53:26 <redrobot> (lord knows we need it)
15:53:34 <ayoung> And I know where most of the bodies are buried
15:53:47 <ayoung> including gyee's
15:53:55 <ayoung> I mean, he's alive, I mean the bodies that he buried
15:55:11 <knikolla> lol
15:55:17 <redrobot> #link https://review.opendev.org/admin/groups/036b9e3b26007375b712b2fa8565e63f652fa3e9,members
15:55:18 <lbragstad> ayoung how familiar are you with the current code? i know we've changed quite a bit with the flask migration, policy stuff, application credentials, token provider refactor
15:55:44 <ayoung> I was there for flask migrations and app creds
15:55:48 <lbragstad> but i can't remember where we were with all that when you stepped away
15:55:49 <lbragstad> ok
15:55:50 <lbragstad> cool
15:55:52 <ayoung> token provider refactor needed to happen
15:55:57 * redrobot moves aside and lets ayoung cut in line to core
15:56:14 <ayoung> policy stuff...I've been keepingtrack of, and It started before I left
15:56:40 <ayoung> its not a queue, redrobot
15:56:57 <ayoung> and I am pretty sure Keystone has no quota on core
15:57:22 <redrobot> I only know enough Keystone to be dangerous 😁
15:58:24 <ayoung> THat goes for all of us
15:58:31 <ayoung> Keystone IS dangerous
15:58:57 <redrobot> Almost at the top of the hour
15:59:05 <redrobot> so we may need to let ayoung's request marinate
15:59:16 <ayoung> Yeah, that is fine
15:59:28 <ayoung> this is just the point where I let you know I am willing
15:59:37 <redrobot> much appreciated, ayoung
15:59:42 <lbragstad> agreed
15:59:47 <ayoung> tag me on reviews, please
16:00:01 <redrobot> #info tag ayoung on all reviews
16:00:07 <lbragstad> fwiw - i think gyee reviewed for a few weeks until he was comfortable with the code again
16:00:11 <redrobot> that should keep you busy for a while
16:00:22 <ayoung> ++
16:00:26 <lbragstad> and then cmurphy reinstated him
16:00:49 <redrobot> we'll revisit next week
16:00:54 <lbragstad> but - we can work through that - ayoung let me know if there is an area of code you have questions about
16:01:00 <knikolla> ++
16:01:13 <redrobot> thanks for joining, everyone!
16:01:25 <redrobot> #endmeeting