15:04:26 <redrobot> #startmeeting keystone 15:04:26 <opendevmeet> Meeting started Tue Sep 28 15:04:26 2021 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:04:26 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:04:26 <opendevmeet> The meeting name has been set to 'keystone' 15:04:36 <redrobot> #topic Roll Call 15:04:38 <lbragstad> o/ 15:04:57 <redrobot> Courtesy ping for ayoung, bbobrov, crisloma, d34dh0r53, dpar, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, jdennis, ruan_he, wxy, sonuk, vishakha,Ajay, raildo, rafaelweingartner, redrobot, xek 15:05:03 <xek> o/ 15:05:08 <d34dh0r53> o/ 15:05:25 <ayoung> Can you add me to the courtesy ping list, please? 15:05:35 <redrobot> As usual the agenda can be found here: 15:05:46 <redrobot> #link https://etherpad.opendev.org/p/keystone-weekly-meeting 15:06:07 <redrobot> ayoung, already on the ping :) 15:06:34 <knikolla> o/ 15:06:34 <redrobot> Looks like we've got a few topics to cover so let's get started 15:06:36 <ayoung> Ah...cool 15:06:45 <redrobot> #topic Review Past Meeting Action Items 15:07:00 <redrobot> #link https://meetings.opendev.org/meetings/keystone/2021/keystone.2021-09-21-15.00.html 15:07:02 <h_asahina> o/ hello. it's the first time for me to attend this meeting. can i join? 15:07:08 <gagehugo> o/ 15:07:26 <redrobot> > redrobot to investigate who the Keystone liaisons are 15:07:44 <redrobot> I did not do this :( 15:07:48 * redrobot punts it to next week 15:07:51 <redrobot> #action redrobot to investigate who the Keystone liaisons are 15:07:59 <redrobot> That was the only action item 15:08:01 <redrobot> moving on ... 15:08:29 <redrobot> we'll skip the Liaison Update since we don't know who they are 15:08:46 <redrobot> #topic Suggestion for OAuth2.0 support from OpenStack Tacker team (h-asahina) 15:08:48 <knikolla> h_asahina: welcome :) 15:08:56 <h_asahina> thanks 15:09:03 <redrobot> h_asahina, floor is yours 15:09:10 <knikolla> redrobot: i think i'm most liasons, hah 15:09:55 <redrobot> knikolla, ack ... I'll circle back after this topic 15:10:49 <redrobot> Looks like the summary from h_asahina 's topic description in the etherpad is: 15:10:51 <redrobot> > we would like to propose OAuth2.0 support as an option of Keystone in the next PTG and implement it in Yoga. 15:11:23 <h_asahina> yes 15:11:50 <ayoung> Meaning you get SSO without Fedration? 15:12:12 <h_asahina> no. we want to support Oauth2 for API calls. 15:12:19 <knikolla> is there a spec discussing the proposal? 15:12:25 <h_asahina> like oauth1 extension. 15:12:40 <redrobot> h_asahina, the usual first step is to submit a Spec patch to our spec repo: 15:12:40 <h_asahina> > is there a spec discussing the proposal?. sorry not yet. 15:12:44 <redrobot> #link https://opendev.org/openstack/keystone-specs 15:12:54 <knikolla> ayoung: i think this is about having keystone as a oauth 2.0 identity provider 15:13:08 <knikolla> so that services can validate jwt tokens 15:13:09 <redrobot> ^^^ that's the impression I got too 15:14:01 <ayoung> So, reuse an existing library, or implement custom? 15:14:33 <h_asahina> we considering implementing a new custom extension 15:15:07 <h_asahina> we're also want to submit spec for next PTG. can we make it in time? 15:15:58 <knikolla> yeah, please propose a spec in the keystone-specs repository describing the API and some implementation details (choice of library, support in clients, etc) 15:16:30 <h_asahina> ok, when is the deadline for yoga 15:17:01 <knikolla> https://releases.openstack.org/yoga/schedule.html 15:17:42 <redrobot> h_asahina, feature freeze is the week of February 21 15:18:19 <h_asahina> got it. but i think we have to submit it before the next PTG, right? 15:18:31 <knikolla> though the spec would have to be approved before that, ideally shortly after the PTG. if there are needs for revising with feedback from the PTG. 15:18:34 <redrobot> h_asahina, yeah, it would be good to have a spec submitted before the PTG 15:18:40 <redrobot> #link https://etherpad.opendev.org/p/yoga-ptg-keystone 15:18:52 <redrobot> You can add it as a topic to be discussed during the PTG session 15:19:10 <h_asahina> ok, thanks. 15:20:02 <redrobot> h_asahina, thank you. looking forward to reviewing your spec. 15:20:12 <redrobot> OK, moving on ... 15:20:42 <redrobot> #topic PTG 15:20:50 <redrobot> Just a reminder to sign up for the PTG 15:21:16 <redrobot> Our session will be on Monday October 18 @ 1400-1600 UTC 15:21:30 <redrobot> you can add topics to the etherpad I linked above. 15:23:24 <redrobot> Moving on ... 15:23:59 <redrobot> #topic Migrations Backport 15:24:22 <redrobot> #link https://review.opendev.org/c/openstack/keystone/+/806381 15:24:35 <redrobot> I wanted to follow up on last week's discussion of xek's patch 15:24:43 <redrobot> I spent a little bit of time looking at it 15:25:03 <redrobot> and realized that Keystone uses an NIH migration library that hasn't been updated in years. 15:25:18 <redrobot> so forget everything I mentioned about Alembic because I had no idea what I was talking about. 15:25:24 <lbragstad> :) 15:25:29 <ayoung> SQL Alchemy? 15:25:33 <lbragstad> long live slqalchemy 15:25:49 <redrobot> ayoung, yeah, it's a custom lib that uses SQLAlchemy 15:25:53 <lbragstad> fwiw - we've had alembic on the backlog forever 15:25:56 <knikolla> sqlalchemy-migrate 15:25:58 <ayoung> I know it well 15:26:09 <ayoung> _member_ FTW 15:26:14 <redrobot> the outstanding question was whether it was safe to backport to Wallaby 15:26:27 <lbragstad> because we didn't merge the placeholders before the wallaby release 15:27:39 <redrobot> In my limited undestanding of sqlalchemy-migrate, I _think_ it should be OK, given that it's the only migration that landed 15:27:49 <redrobot> but I'll defer to someone with better understanding of the lib 15:28:12 <knikolla> ++, i have the same general feeling, given that there's nothing to mess up the ordering yet 15:28:18 <ayoung> So we are cool with the 256 character limit, right? 15:28:31 <ayoung> THis is just about the backportability of the patch? 15:28:48 <redrobot> ayoung, right ... the patch has already landed on master 15:29:38 <ayoung> And the migration in that patch is SQL alchemy. I assume that means that we've moved to Alembic since then? 15:29:50 <ayoung> And the question is whether a SQL A migration can still land? 15:29:53 <redrobot> ayoung, negative, no alembic support yet 15:30:10 * redrobot was confused about what migration strategy keystone uses 15:30:27 <ayoung> Its more of a tactic than a strategy 15:32:00 <ayoung> And...why is the actual work done in contract? 15:32:15 <ayoung> disregard 15:32:22 <ayoung> I read them in ABC order. All makes sense 15:33:28 <ayoung> OK, so this change is only going to adjust the size of the column in the database to a larger size. Why would there be an issue with the migration? Is there a Wallaby migration <079? 15:33:42 <ayoung> Er > thatn 079 15:33:46 <lbragstad> no 15:34:15 <lbragstad> we typically merge a series of placeholders before every release to allow for backporting migrations 15:34:18 <lbragstad> but - we didn't do that 15:34:28 <lbragstad> but we also haven't merged a migration in a long time 15:34:39 <ayoung> Yes, I recall that practice. 15:34:52 <lbragstad> so - we wanted to make sure we weren't screwing anything up by backporting a migration without a placeholder 15:35:10 <lbragstad> i think the saving grace in this case is that both wallaby and master would have the latest migration 15:35:12 <ayoung> Since the migration numbers would be consistant from Wallaby on forward, I would think there would be no risk. It would not break a future upgrade 15:35:44 <ayoung> So long as there is no compacting of migrations, you will always get 0179 on top of 078 15:36:01 <ayoung> (I'm sure you've missed my typos) 15:36:02 <lbragstad> i think it would be a problem if we implemented 79 and then xek's patch was 80 15:36:12 <lbragstad> then, we would have a problem 15:36:22 <lbragstad> because we would have to backport 79 and 80 15:36:27 <ayoung> Right. 15:37:31 <redrobot> So it sounds like we're clear to go ahead and merge? 15:37:42 <lbragstad> i think so? 15:38:23 <lbragstad> but we should probably 1.) make sure we do the placeholders or 2.) figure out if alembic makes the problem go away 3.) move to alembic anyway since sqlalchemy-migrate is on life-support 15:38:53 <lbragstad> i think we're one of the only projects still using -migrate 15:38:54 <ayoung> placeholders would make sense at the end of a release with a lot of database migrations 15:39:07 <redrobot> 2) Yes. Alembic uses uuid-like strings to identify changes, and they point to the parent, and it's smart enough to know when a patch has already been applied. 15:39:18 <lbragstad> nice 15:39:18 <redrobot> Alembic is also good about squashing migrations 15:39:35 <ayoung> it gives the option of backporting fixes prior to any real work 15:39:52 <ayoung> Alembic is like git for Databases. I liked it when we evaluated it years back 15:39:59 <lbragstad> yeah 15:40:22 <ayoung> But, moving from SQL A to Alembic should be done in a release before any migrations land 15:40:28 <lbragstad> regardless, we probably need to adopt something soon, we've been putting it off for a long time 15:40:32 <redrobot> It was nice enough to get merged into SQLAlchemy proper 15:40:53 <lbragstad> ok - so should we plan and stage that work for Z? 15:41:20 <ayoung> Actually, it would be a good plan to do it at the end of Y 15:41:27 <redrobot> lbragstad, we can always Upstream Friday the work. :) 15:41:27 <ayoung> instead of "the first thing" make it the last 15:41:46 <lbragstad> someone could PoC it, propose it for review, and we can merge it after plenty of time to play with it in review 15:41:58 <knikolla> reminds me of https://review.opendev.org/c/openstack/keystone/+/760678 15:42:42 <redrobot> oof 15:42:42 <ayoung> Hmm...now that I think of it, I don;t know that it needs to be first thing. Just needs to be an explicit cut over 15:42:58 <lbragstad> agreed - but i need more time to think about the migration 15:43:11 <lbragstad> the good thing is that we don't really have many migration in flight 15:43:23 <ayoung> I think we are OK so long as we agree that 00X is the last SQL A migration 15:43:33 <lbragstad> right 15:43:37 <redrobot> ayoung++ 15:43:38 <ayoung> and then DB sync does the right thing 15:43:43 <ayoung> (tm) 15:44:33 <redrobot> There's a few more patches in the agenda, so I want to move on from this, since it sounds like we have a plan. 15:45:51 <redrobot> lbragstad, ayoung, knikolla, please +1/+2 the migration backport patch when you get a chance. 15:45:58 <redrobot> moving on ... 15:46:04 <redrobot> #topic Review Requests 15:46:06 <lbragstad> i'd like to get some reviews on some trivial patches 15:46:09 <lbragstad> #link https://review.opendev.org/c/openstack/keystone/+/806243 15:46:16 <lbragstad> #link https://review.opendev.org/c/openstack/keystone/+/806205 15:46:22 <lbragstad> #link https://review.opendev.org/c/openstack/keystone/+/810324 15:46:29 <knikolla> i already pushed them through :) 15:46:38 <lbragstad> knikolla noice 15:46:40 <lbragstad> thanks! 15:46:44 <lbragstad> nevermind then :) 15:46:50 <redrobot> that was fast! 15:47:04 <lbragstad> we should back port those to the train release if possible 15:47:12 <lbragstad> or as far back as possible 15:47:23 <redrobot> I'll keep an eye out for cherry-picks 15:47:25 <lbragstad> because the default sample doesn't make sense and is misleading 15:49:23 <ayoung> submit them for backport and tag reviewers 15:49:37 <redrobot> ^^^ 15:49:46 <redrobot> OK, last topic for today 15:49:52 <redrobot> #topic Bug Review 15:49:59 <ayoung> NOt quite last...I added one 15:50:03 <ayoung> :) 15:50:10 <redrobot> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0 15:50:40 <redrobot> Looks like no new keystone bugs in the last week 15:50:52 <lbragstad> lot of untraiged bugs 15:51:11 <ayoung> The region thing came up years ago 15:51:19 <redrobot> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0 15:51:28 <redrobot> And no new bugs in python-barbicanclient 15:51:38 <redrobot> lbragstad, yeah, we've got a topic for PTG to try to triage some of those 15:51:53 <redrobot> Although there is a lot 15:52:07 <redrobot> so maybe we should set up a recurring triage meeting until those are all triaged 15:52:17 <redrobot> something to think about for PTG anyway 15:52:35 <redrobot> And a last minute topic 15:52:48 <redrobot> #topic ayoung requests core again 15:52:48 <ayoung> Just add the bugs to the end of the Keystone meeting that we want to triage and we get through as many of them as we can until the meetingruns out of time 15:53:00 <ayoung> Yeah, so I'm back in an OpenStack world. 15:53:00 <redrobot> ayoung, that's also a good suggestion 15:53:08 <redrobot> ayoung, Welcome back! 15:53:11 <lbragstad> ++ 15:53:12 <ayoung> And I am happy to help move patches along again. 15:53:21 <lbragstad> ack - i think we've only had to do this one other time 15:53:25 <lbragstad> and that was with gyee 15:53:26 <redrobot> (lord knows we need it) 15:53:34 <ayoung> And I know where most of the bodies are buried 15:53:47 <ayoung> including gyee's 15:53:55 <ayoung> I mean, he's alive, I mean the bodies that he buried 15:55:11 <knikolla> lol 15:55:17 <redrobot> #link https://review.opendev.org/admin/groups/036b9e3b26007375b712b2fa8565e63f652fa3e9,members 15:55:18 <lbragstad> ayoung how familiar are you with the current code? i know we've changed quite a bit with the flask migration, policy stuff, application credentials, token provider refactor 15:55:44 <ayoung> I was there for flask migrations and app creds 15:55:48 <lbragstad> but i can't remember where we were with all that when you stepped away 15:55:49 <lbragstad> ok 15:55:50 <lbragstad> cool 15:55:52 <ayoung> token provider refactor needed to happen 15:55:57 * redrobot moves aside and lets ayoung cut in line to core 15:56:14 <ayoung> policy stuff...I've been keepingtrack of, and It started before I left 15:56:40 <ayoung> its not a queue, redrobot 15:56:57 <ayoung> and I am pretty sure Keystone has no quota on core 15:57:22 <redrobot> I only know enough Keystone to be dangerous 😁 15:58:24 <ayoung> THat goes for all of us 15:58:31 <ayoung> Keystone IS dangerous 15:58:57 <redrobot> Almost at the top of the hour 15:59:05 <redrobot> so we may need to let ayoung's request marinate 15:59:16 <ayoung> Yeah, that is fine 15:59:28 <ayoung> this is just the point where I let you know I am willing 15:59:37 <redrobot> much appreciated, ayoung 15:59:42 <lbragstad> agreed 15:59:47 <ayoung> tag me on reviews, please 16:00:01 <redrobot> #info tag ayoung on all reviews 16:00:07 <lbragstad> fwiw - i think gyee reviewed for a few weeks until he was comfortable with the code again 16:00:11 <redrobot> that should keep you busy for a while 16:00:22 <ayoung> ++ 16:00:26 <lbragstad> and then cmurphy reinstated him 16:00:49 <redrobot> we'll revisit next week 16:00:54 <lbragstad> but - we can work through that - ayoung let me know if there is an area of code you have questions about 16:01:00 <knikolla> ++ 16:01:13 <redrobot> thanks for joining, everyone! 16:01:25 <redrobot> #endmeeting