19:54:54 #startmeeting keystone-office-hours
19:54:54 Meeting started Tue Feb 13 19:54:54 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:54:55 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:54:58 The meeting name has been set to 'keystone_office_hours'
19:55:05 * lbragstad fails at meetings
19:55:22 i should have started that about 55 minutes ago, but whatever
20:01:17 heh
20:25:09 Lance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting users https://review.openstack.org/543622
20:25:10 Lance Bragstad proposed openstack/keystone master: Expose bug in system assignment when deleting users https://review.openstack.org/544067
20:25:28 that should take care of https://bugs.launchpad.net/keystone/+bug/1749264
20:25:29 Launchpad bug 1749264 in OpenStack Identity (keystone) "System role assignments exist after removing users" [High,In progress] - Assigned to Lance Bragstad (lbragstad)
20:50:34 Lance Bragstad proposed openstack/keystone master: Expose bug in system assignment when deleting groups https://review.openstack.org/544073
20:50:35 Lance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting groups https://review.openstack.org/544074
20:50:49 same goes for https://bugs.launchpad.net/keystone/+bug/1749267 and ^
20:50:50 Launchpad bug 1749267 in OpenStack Identity (keystone) queens "System role assignments exist after removing groups" [High,Triaged]
21:35:38 this is ready for another pass
21:38:19 Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012
21:38:20 Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410
21:39:26 https://review.openstack.org/#/c/544011/2
21:42:12 here is a link for all the patches in that series for both master and stable/queens - https://review.openstack.org/#/q/topic:bug/1748970+(status:open+OR+status:merged)
21:44:11 a few more for the user bug (proposed to master and stable/queens) https://review.openstack.org/#/q/topic:bug/1749264+(status:open+OR+status:merged)
21:45:32 k
21:45:37 and finally https://review.openstack.org/#/q/topic:bug/1749267+(status:open+OR+status:merged)
21:46:06 or i could make it easier on everyone with - https://goo.gl/aWTZDv
21:46:20 ^ includes all patches to master and backports
21:46:25 the bugs we talked about today
21:47:38 +2 on all
21:48:03 the code review equivalent of a grand slam
22:28:21 lbragstad: looks like failing tests
22:28:30 digging into it now
22:29:03 lbragstad: 2018-02-13 21:32:24.586485 | primary | ImportError: /opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/netifaces.so: undefined symbol: PyUnicodeUCS2_FromString
22:29:13 looks like some issues with not keystone
22:29:35 hmm - because https://review.openstack.org/#/c/544073/1 and https://review.openstack.org/#/c/544074/1 failed
22:29:49 one on neutron-grenade
22:30:00 and the other on keystone-dsvm-functional
22:30:34 yeah same error
22:31:18 what log are you seeing that in?
22:31:31 job output
22:31:36 in both failed test runs
22:32:26 http://logs.openstack.org/74/544074/1/check/keystone-dsvm-functional/91fc65e/job-output.txt.gz
22:33:24 oh - i was buried in the logs already
22:33:34 that's strange
22:34:15 rechecked both
22:34:50 vvvc '''''''''
22:34:59 yeah sounds good.
23:23:43 lbragstad: pushed the changes to master through. waiting for those to land so we can hit stab/queens
00:49:59 Merged openstack/keystone master: Expose bug in system assignment when deleting users https://review.openstack.org/544067
01:04:00 Merged openstack/keystone master: Delete system role assignments when deleting users https://review.openstack.org/543622
02:42:27 kmalloc wxy thanks for reviewing those
06:55:49 Merged openstack/keystone master: Expose bug in /role_assignments API with system-scope https://review.openstack.org/544011
06:55:53 Merged openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012
06:56:00 Merged openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410
07:12:24 OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/543826
09:08:16 Merged openstack/keystone master: Expose bug in system assignment when deleting groups https://review.openstack.org/544073
09:08:20 Merged openstack/keystone master: Delete system role assignments when deleting groups https://review.openstack.org/544074
10:14:49 Murali Annamneni proposed openstack/keystone master: [WIP] Enables MySQL Cluster support for Keystone https://review.openstack.org/431229
14:19:53 o/
14:20:40 o/
15:08:32 Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/543826
15:11:14 o/
15:29:26 easy stable/ocata review https://review.openstack.org/#/c/543379/2
15:30:44 kmalloc: ^
15:30:54 * lbragstad reboots
15:59:04 Gage Hugo proposed openstack/keystone master: Add functional testing gate https://review.openstack.org/531014
16:05:23 Lance Bragstad proposed openstack/keystone master: Remove needs_persistence property from token providers https://review.openstack.org/544515
16:14:30 Lance Bragstad proposed openstack/keystone master: Remove unused class variables from token provider https://review.openstack.org/544520
16:21:26 cmurphy: looking
16:21:49 approved
16:22:01 * kmalloc stable-cores the hell out of that review :P
16:24:43 :D
16:26:23 kmalloc you're the lone wolf :)
16:26:42 lbragstad: pushed the stab/queens stuff through now that master landed as well
16:26:47 the ones you had pending
16:27:16 kmalloc nice - there are a few others ready to go too https://goo.gl/fdNpTL
16:29:00 looking but might be post dog walk
16:29:16 had to take care of a morning call before I could jump on the dog walkingness
16:35:40 Lance Bragstad proposed openstack/keystone master: Refactor token cache invalidation callbacks https://review.openstack.org/544528
16:43:43 lbragstad did we decide to not allow release note changes after release?
16:44:06 i think we can still allow them things we haven't cut the release yet
16:44:18 s/things/since/
16:44:26 my typing sucks recently
16:45:19 so for https://review.openstack.org/#/c/496323/ then kmalloc is right we shouldn't make changes then?
16:45:27 yep.
16:45:33 basically just don't ever change release notes
16:45:36 it makes for hell.
16:45:49 you can add them, but once they land, they should be assumed to be immutable
16:45:53 i believe so - i remember having a conversation with smginnis about that
16:45:56 until we release
16:46:06 once a release is out the door, modifying them is way harder
16:46:10 even across milestones just don't ever change release notes
16:46:19 it's a headache
16:46:22 get them right the first time.
16:46:23 * lbragstad loves waterfall
16:46:39 reno has some oddities
16:46:49 but it solves more issues than it creates
16:47:01 it's strange, i don't remember all of it, but i did do some documentation about it somewhere
16:47:22 lbragstad: all stab/pike and stab/queens reviews have a score and are either approved OR marked as why they can't be
16:47:34 yeah - here
16:47:55 https://docs.openstack.org/keystone/latest/contributor/release-notes.html
16:48:22 tl;dr - please don't change release notes
16:48:33 what about https://review.openstack.org/#/c/544101/ ?
16:49:02 adding a release note
16:49:06 ok
16:49:06 that is fine, since it's a backport
16:49:25 adding a release note in a previous branch should have zero impact
16:49:33 afaiu
16:49:53 cmurphy we don't need this anymore do we? https://review.openstack.org/#/c/511061/
16:49:57 because it doesn't change a note causing a re-publish
16:50:44 cmurphy because https://review.openstack.org/#/c/542483/ landed
16:50:46 right?
16:50:55 lbragstad: correct
16:51:25 cmurphy awesome
16:51:29 kmalloc gagehugo https://docs.openstack.org/reno/latest/user/usage.html#updating-stable-branch-release-notes
16:51:33 ^ that clarifies it
16:52:04 if changes absolutely have to be made, which is rare, they should be made directly against the branch
16:52:06 and, iirc, it still caused weirdness
16:52:11 and not follow the typical stable process
16:52:16 hmm
16:52:31 even if URLs change, don't muck with the release notes.
16:52:47 i'd -2 any release note changes barring things to fix them if they have a render issue
16:53:05 simply to avoid issues with it
16:53:22 kmalloc samueldmq want to abandon https://review.openstack.org/#/c/511061/1 ?
16:53:29 yah.
16:53:57 done
16:54:18 Morgan Fainberg proposed openstack/keystone master: Force SQLite to properly deal with foreign keys https://review.openstack.org/126030
16:54:29 rebase ^
16:55:50 ok, dog walking
16:55:52 back in a bit
17:23:29 Gage Hugo proposed openstack/keystone master: Have project get domain_id from parent https://review.openstack.org/489655
17:29:49 Gage Hugo proposed openstack/keystone master: Remove the TokenAuth middleware https://review.openstack.org/508412
17:31:29 Gage Hugo proposed openstack/keystone master: Remove the TokenAuth middleware https://review.openstack.org/508412
19:04:56 lbragstad: ./keystone/tests/unit/test_v3_assignment.py:451:6: F821 undefined name 'test_utils'
19:05:08 lbragstad: the stab/queens fix(es)
19:05:15 looking
19:10:45 kmalloc rebased
19:10:48 k
19:11:03 testing them locally with the rebase
19:11:24 nod
19:17:48 Gage Hugo proposed openstack/keystone master: Add functional testing gate https://review.openstack.org/531014
19:21:19 kmalloc since that module is added and removed in a couple of those patches, i'm going to put them in a linear series and repropose them to stable/queens
19:21:27 ok
19:21:28 then we should have a race
19:21:31 shouldn't*
19:25:17 kmalloc sweet - putting everything in a series locally passes tests, repushed
19:33:47 Gage Hugo proposed openstack/keystone master: Add functional testing gate https://review.openstack.org/531014
19:34:54 Colleen Murphy proposed openstack/keystone master: Add docs for application credentials https://review.openstack.org/543643
19:34:55 Colleen Murphy proposed openstack/keystone master: Use OSC in application credential documentation https://review.openstack.org/543644
19:43:01 Lance Bragstad proposed openstack/keystone master: Simplify INVALIDATE_USER_TOKEN_PERSISTENCE callback https://review.openstack.org/544616
20:40:00 lbragstad: uhm
20:40:09 lbragstad: that cache change looks like it's missing something
20:40:16 "cache_dropped" is always false?
20:42:39 aha - yep, you're right
20:43:24 i can fix that in the next patch set, working on removing a separate callback
20:43:41 right. it probably doesn't work right now because of that
20:43:43 nbd
20:43:51 well - it will work
20:43:57 because it always drops the cache
20:44:02 it's an optimization
20:44:20 right
20:44:24 so right now it just drops the cache repeatedly, when it should just drop it once
20:44:27 just not working "right".
20:44:36 yeah - tests will pass
20:44:46 also you should ensure the cache drop is only at the END of any loops.
20:44:47 i should write a test for that though
20:44:53 otherwise you run into potential races
20:45:07 where something populated the cache in the middle of the loop and you end up broken.
20:45:12 because you dropped cache early
20:45:28 cache should be dropped at the latest part only, not earliest
20:45:41 yeah
20:46:10 so i probably don't need that boolean
20:46:29 yeah, unless you're setting it so you know you need to drop the cache at the end
21:41:11 Merged openstack/keystone master: Remove domains *-log-* from compile_catalog https://review.openstack.org/438875
22:34:41 https://review.openstack.org/#/c/544096/3 https://review.openstack.org/#/c/544097/3 and https://review.openstack.org/#/c/544101/2 should all be good to go
22:36:03 cmurphy proposed the backport for your docs patch - https://review.openstack.org/#/c/544718/
22:37:36 Lance Bragstad proposed openstack/keystone master: Simplify token persistence callbacks https://review.openstack.org/544616
22:49:37 Lance Bragstad proposed openstack/keystone master: Simplify token persistence callbacks https://review.openstack.org/544616
23:18:01 Lance Bragstad proposed openstack/keystone master: Simplify federation and oauth token callbacks https://review.openstack.org/544737
03:58:34 melissaml proposed openstack/keystone-specs master: Replace Chinese quotes to English quotes https://review.openstack.org/544773
06:45:17 Merged openstack/keystone master: Add docs for application credentials https://review.openstack.org/543643
07:08:18 OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/544796
15:12:54 kmalloc now that things settled down a bit https://goo.gl/k7Wxs9 should be the last of the stable reviews for RC2
15:13:19 included the app creds documentation patch since we should be able to include that, too
15:13:31 \o/
15:14:17 lbragstad: were you waiting for this translations patch too? https://review.openstack.org/#/c/544796/
15:14:52 cmurphy to back port it?
15:15:43 i've been trying to get in touch with the backports team about backports - https://review.openstack.org/#/c/543573/
15:16:46 based on what ian said, it sounds like we don't have to backport translations? i asked for clarification ^
15:17:05 lbragstad: okay got it
15:17:22 still waiting on a response though
15:34:28 Lance Bragstad proposed openstack/keystone master: Address FIXMEs for listing revoked tokens https://review.openstack.org/545009
15:45:21 o/
15:45:34 o/
15:56:39 Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/544796
15:57:27 kmalloc are you around yet? i'm in the middle of refactoring the token provider and i have a couple ideas (probably bad ideas) about the token model
15:58:25 i think it would be beneficial to try and apply an MVC pattern
15:59:05 so - instead of generating version specific token data to generate the token model, it would work the other way around
15:59:48 you pass a bunch of things to the token model and it gives you an object you can use to reason about the token response
16:00:12 then the v3 token controller would build the token response based on the information provided in the model object
16:00:21 does that seem sane?
16:02:23 so - that would mean the whole V3TokenDataHelper object would get moved up to the controller layer
16:03:28 or if anyone else has thoughts, comments, concerns?
16:16:18 lbragstad: how is it handled currently?
16:16:55 well - right now, we have an auth controller, a token provider (manager), a token driver (provider), and a token formatter
16:17:05 from top down, in that order
16:17:32 the token controller pulls information from the request and asks the token provider Manager for a token and a token response
16:18:00 (e.g. the project id, user id, trust information, domain info, etc...)
16:18:20 so - that part would stay the same
16:18:39 since the controller would be responsible for pulling that information from the actual authentication request
16:18:59 but instead of *expecting* a versioned response back from the token provider Manager, it would get a token_obj
16:19:49 so - it wouldn't just pass it back through to the user... instead, the controller would get more responsibility
16:20:00 and that would be to translate the token_obj to a v3 token response
16:20:44 so - essentially all this stuff https://github.com/openstack/keystone/blob/4732c67792e7d991b1296941992353551c686d93/keystone/token/providers/common.py#L87-L532
16:21:35 * lbragstad hopes he is making sense
16:22:45 lbragstad: makes sense.
16:23:06 the token provider would only really care about taking some values from the controller, generating an object, getting a token id from a provider, and passing all that back to the controller
16:23:19 and than the controller would call a view to render the token
16:23:21 then*
16:23:25 so all version specific opinions about how a token should look in a response are isolated to the controller
16:23:26 from the model object
16:23:28 yes - exactly
16:23:39 so when we go to add a new version or a different token provider
16:23:51 it's kept separate from each other
16:25:03 makes sense
16:25:33 ok - cool
16:26:13 i feel better knowing if i've gone off the deep end, at least i'm not alone :)
16:28:05 lbragstad: that's me usually during refactoring
16:32:37 lbragstad: would it make any sense at all to associate policy strings like identity:list_users to roles in keystone instead of having them in the policy.json files of projects?
16:33:01 similar to what we saw on aws
16:34:13 like pulling all policies in to keystone?
16:34:40 lbragstad: yeah.
16:35:14 if i remember correctly, that's what the policy api was meant for
16:35:47 lbragstad: not really. as all it did was accept a blob of json.
16:36:09 right - i think it was meant for that kind of use case, but it was never really finished
16:36:12 or completed
16:36:13 lbragstad: this is a one-to-many mapping between role -> action
16:36:28 keystonemiddleware gets the role of the token, expands the list of actions the user can do
16:36:36 and passes that to the service
16:37:13 service checks if action in list of actions.
16:39:14 its the rbac in middleware approach
16:39:54 lbragstad: rbac in middleware had enforcement in the middleware. this doesn't.
16:40:15 the enforcement would be in keystone, then?
16:41:39 lbragstad: the enforcement will be in the service in the form of: keystonemiddleware expands role to list of actions; service checks if action is in list of actions provided by keystonemiddleware.
16:42:07 the actions that a role can do are in keystone
16:43:48 similar to oauth scopes. https://auth0.com/docs/scopes/current
16:44:45 so - keystone has to maintain the mapping of roles -> actions
16:44:54 yes
16:46:12 what happens when new operations are added to the service?
16:46:17 or actions?
16:47:43 something has to update keystone, right?
16:48:17 lbragstad: yes, this is also a question for the current approach when we introduce some default roles that are openstack-wide.
16:48:38 we can exploit those default roles to provide sane defaults.
16:49:28 keystone would have to add those during bootstrap
16:50:43 i guess we need to work through the upgrade case, in both situations
16:51:25 lbragstad: another approach exploits the current system scoping
16:51:36 nova for example gets access to system:nova:policy
16:51:51 i think this would be good to run by other projects at the PTG
16:52:00 nova gets that by default?
16:52:51 lbragstad: the admin would grant it on the nova service user
16:54:14 yeah - i think moving to something like that would be useful
16:54:29 it would be nice to restrict service users to only what they need to do in other services
16:56:29 knikolla adding a snippet for this in https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg
16:56:55 lbragstad: i'll sketch out a spec
16:57:15 * knikolla goes for lunch
16:57:16 cool
16:57:19 i'll read the auth0 doc
16:57:23 sometime today
18:37:06 Merged openstack/keystone-specs master: Fix typos in keystone-specs https://review.openstack.org/542010
19:09:53 Colleen Murphy proposed openstack/keystoneauth master: Add pep8 import order validation https://review.openstack.org/545094
19:12:53 cmurphy: ^^ TIL
19:13:41 mordred: :D
19:14:00 was looking at another change and wondering why the hell that wasn't being caught
19:14:44 cmurphy: you know what would be neat? a script that would fix those ...
19:15:22 ;)
19:16:46 did flake get updated recently?
19:16:54 i'm seeing a bunch of that stuff in keystone, too
19:20:29 the violations i found in ksa had been there a while
19:26:39 must be the version i have locally then
19:33:33 cmurphy, lbragstad: feel like +3ing https://review.openstack.org/#/c/505764 ?
19:34:16 yes will look
19:34:27 sorry, i keep promising to look at it and then drop it on the floor
19:51:22 Merged openstack/keystone master: Remove unused class variables from token provider https://review.openstack.org/544520
19:53:38 Merged openstack/keystoneauth master: Fix a spelling error https://review.openstack.org/541949
20:09:05 cmurphy: no worries - I promised to write a feature for keystone last cycle and i'm pretty sure you did 100% of the work, so I don't think I get to complain :)
20:19:55 mordred: :)
20:41:27 Lance Bragstad proposed openstack/keystone master: Remove needs_persistence property from token providers https://review.openstack.org/544515
20:41:28 Lance Bragstad proposed openstack/keystone master: Refactor token cache invalidation callbacks https://review.openstack.org/544528
20:41:28 Lance Bragstad proposed openstack/keystone master: Simplify token persistence callbacks https://review.openstack.org/544616
20:41:57 Lance Bragstad proposed openstack/keystone master: Simplify federation and oauth token callbacks https://review.openstack.org/544737
20:53:41 Holleee crap. I might have just used Hierarchical Multi Tenancy to fix a disconnect between CloudForms and Nova....
21:14:29 Merged openstack/keystoneauth master: Split request logging into four different loggers https://review.openstack.org/505764
21:14:31 Merged openstack/keystoneauth master: Add some comments explaining split_loggers flag logic https://review.openstack.org/541066
21:23:06 Merged openstack/keystoneauth master: Remove PYTHONHASHSEED setting https://review.openstack.org/533798
21:32:10 kmalloc ah the certs part makes sense
21:32:17 gagehugo: yeah