19:00:23 <lbragstad> #startmeeting keystone-office-hours
19:00:24 <openstack> Meeting started Tue Jan 23 19:00:23 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:00:27 <openstack> The meeting name has been set to 'keystone_office_hours'
19:00:36 <knikolla> o/
19:03:16 <hrybacki> lbragstad: bluejeans.com/u/hrybacki ?
19:15:21 <kmalloc> lbragstad: not sure why it's doing that
19:15:30 <kmalloc> the notifications not working that is
19:17:00 <cmurphy> maybe samueldmq remembers
19:25:26 <lbragstad> hrybacki: https://github.com/openstack/keystone/blob/master/keystone/common/sql/contract_repo/versions/036_contract_rename_application_credential_restriction_column.py#L30-L32
19:25:52 <cmurphy> so https://review.openstack.org/#/c/536869/ passes in the gate but i'd like to double-check with hwoarang and evrardjp in the europe morning that it solves the issue they were seeing
19:27:29 <cmurphy> oh nm hwoarang +1'd it
19:28:37 <lbragstad> cmurphy: you recreated this using mariadb 10.2
19:28:51 <cmurphy> lbragstad: yes
19:29:17 <lbragstad> cool
19:29:43 <lbragstad> so your fix is designed to work from a top down run and isolating that migration specifically
19:30:46 <lbragstad> (e.g. as operator should get the fix if they run keystone-manage db_sync or if they target migration 036 again)
19:30:58 <lbragstad> s/as/an/
19:31:53 <cmurphy> yes if an operator ran into this they would have expand and migrate on version 36 and contract stuck on 35
19:32:05 <cmurphy> so this would get them unstuck from that state
19:32:13 <lbragstad> got it
19:51:50 <ayoung> lbragstad, cmurphy I was in another meeting during the Keystone one...is there anything I can help move along?
19:52:02 <knikolla> lbragstad: besides a few minor questions on https://review.openstack.org/#/c/525687/ i kicked through the other ones for keystone server.
19:52:22 <ayoung> for example: https://review.openstack.org/#/c/536869/
19:53:38 <cmurphy> ayoung: yes please review that one, makes me nervous since i introduced the bug in the first place
19:53:56 <ayoung> cmurphy, you have not really arrived until you've generated a CVE
19:54:02 <cmurphy> :)
19:55:40 <ayoung> cmurphy, walk me through it, please
19:55:58 <ayoung> what is 'restricted'?
19:56:59 <cmurphy> ayoung: unrestricted is the new name for the application credential property that was called allow_application_credential_creation in http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/application-credentials.html#limitations-imposed
19:57:01 <ayoung> er...unrestricted.  I see it is a column that got dropped from the table
19:58:03 <cmurphy> the reason for renaming it is in the commit message here https://review.openstack.org/#/c/536347/
19:59:30 <ayoung> cmurphy, this is bringing up memories of unified delegation
19:59:57 <ayoung> "can be used to delete other application credentials and whether it can create and delete trusts"
20:00:25 <cmurphy> it is hacky
20:01:04 <ayoung> cmurphy, so this is why I wanted us to reuse the user/trust mechanism for application credentials.  You are going to become an expert on a new auth mechanism, and only you are really going to grok it fully
20:01:16 <ayoung> There are lots of gotchas like this...
20:01:39 <ayoung> but the change you made seems ok.  For the positive thread, this will be a non issue
20:01:52 <ayoung> we see that in check
20:01:53 <cmurphy> ayoung: the majority of my earlier patchsets had this entirely built on trusts, but there were issues with reusing them
20:02:15 <ayoung> cmurphy, no silver bullet...I'm aware
20:02:25 <ayoung> this seems ok
20:02:43 <ayoung> cmurphy, is this column a key or something?
20:02:48 <ayoung> it's not, right?
20:02:53 <cmurphy> ayoung: no it's not
20:03:40 <ayoung> we should stop supporting sqlite
20:04:04 <ayoung> there was a move to run mysql with a ramdisk data store at one point...would deal with the speed issues
20:04:38 <cmurphy> sqlite has been making me very sad the last few days :(
20:04:52 <ayoung> cmurphy, +2 from me.  I think this patch is OK.  As you say, there is no data yet
20:05:02 <cmurphy> thanks ayoung
20:05:31 <cmurphy> ayoung: lbragstad made a dashboard for other priority reviews https://goo.gl/NWdAH7
20:06:01 <ayoung> dstanek, !
20:06:23 <ayoung> He has not really been working on that one, tho, has he
20:06:40 <cmurphy> he showed up today and said he'd take a look
20:24:14 <lbragstad> cmurphy: i'm having a hell of a time getting mariadb 10.2 set up
20:24:32 <lbragstad> apparently upgrading from mysql to maria is problematic
20:24:55 <cmurphy> lbragstad: heh
20:25:25 <cmurphy> lbragstad: so what i did was created an opensuse tumbleweed vm
20:25:36 <cmurphy> which has mariadb 10.2
20:25:42 <lbragstad> that's easy
20:25:49 <ayoung> cmurphy, why workflow -1 on https://review.openstack.org/#/c/524423/39
20:26:12 <cmurphy> ayoung: i wanted the db bugfix to make it in first
20:26:18 <ayoung> k
20:26:32 <ayoung> gagehugo, Care to pull the trigger on that?
20:26:46 <ayoung> https://review.openstack.org/#/c/536869/1
20:27:04 <cmurphy> i think lbragstad is doing his best to manually verify that one
20:27:10 <gagehugo> ayoung looking
20:41:05 <ayoung> cmurphy, we're eon the sql change.  why not drop the workflow - on https://review.openstack.org/#/c/524423/39
20:45:52 <ayoung> I think we can push through app creds relatively quickly now.
20:58:09 <cmurphy> ayoung: i'm just worried if it lands in the wrong order then we can't claim with certainty that someone doesn't have data in that table
20:58:35 <ayoung> cmurphy, can't have data without the API, right?
20:58:45 <ayoung> We would not support a sql load for data
20:59:14 <cmurphy> ayoung: right, but when https://review.openstack.org/#/c/524423/39 lands then we have an API
21:00:03 <ayoung> cmurphy, make that review depend on the SQL change then
21:00:40 <cmurphy> i can do that, i just didn't want to respin the whole stack
21:00:44 <cmurphy> but that's not a problem for me
21:03:07 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add Application Credentials controller  https://review.openstack.org/524423
21:03:07 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add application credential auth plugin  https://review.openstack.org/525346
21:03:08 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add api-ref for application credentials  https://review.openstack.org/533744
21:03:08 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Enable application_credential auth by default  https://review.openstack.org/535469
21:03:09 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Impose limits on application credentials  https://review.openstack.org/536543
21:03:09 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add a release note for application credentials  https://review.openstack.org/535493
21:07:46 <lbragstad> omg - database upgrade problems are the bane of my existence...
21:08:20 * lbragstad just finished scrubbing all remnants of mysql-server and mariadb from his system
21:08:40 <cmurphy> computers are the worst
21:09:25 <lbragstad> that was super weird...
21:09:48 <lbragstad> i got hung up in some weird state between upgrading from mysql 5.7 to maria 10.0.33 to maria 10.2
21:09:55 <lbragstad> i could remove packages
21:10:08 <gagehugo> ew
21:10:12 <lbragstad> i couldn't* remove packages
21:10:16 <lbragstad> or finish a clean install
21:10:29 * gagehugo just followed cmurphy's advice and used a tumbleweed vm
21:10:41 <lbragstad> but the database service (not sure which version was running) just kept asking for passwords
21:10:45 <lbragstad> then things wouldn't start
21:11:15 <lbragstad> i guess the answer is to process the dependency tree and force purge packages
21:11:41 <lbragstad> and then manually remove configuration directories
21:11:48 <lbragstad> (because apparently purge doesn't do that either)
21:12:34 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add Application Credentials controller  https://review.openstack.org/524423
21:12:34 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add application credential auth plugin  https://review.openstack.org/525346
21:12:35 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add api-ref for application credentials  https://review.openstack.org/533744
21:12:35 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Enable application_credential auth by default  https://review.openstack.org/535469
21:12:36 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Impose limits on application credentials  https://review.openstack.org/536543
21:12:36 <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add a release note for application credentials  https://review.openstack.org/535493
21:14:44 <gagehugo> lbragstad did you get it working?
21:15:23 <lbragstad> nope..
21:15:26 <lbragstad> \o/
21:15:44 <lbragstad> but... what I *do* have is a development box without a database
21:16:23 <lbragstad> now that i don't have any configuration for a database, i might try installing it again
21:55:28 <lbragstad> alright - i'm going to respin the system-scope patches and worry about mariadb 10.2 later
22:01:07 <cmurphy> lol
22:05:21 <lbragstad> #endmeeting