16:58:19 <lbragstad> #startmeeting keystone-office-hours
16:58:20 <openstack> Meeting started Tue Jun 12 16:58:19 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:58:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:58:23 <openstack> The meeting name has been set to 'keystone_office_hours'
16:58:34 <kmalloc> Sundar: this is why i recommend a totally fresh devstack when possible (not just clean.sh) - this is one of those cases where devstack's cleanup is just not 100% and causes odd errors.
16:59:03 <kmalloc> the best bet when you're struggling is RECLONE=true or start fresh and see if it continues, especially if you've done a number of stack/unstack/stack cycles
16:59:52 <kmalloc> lbragstad: omg MORE COFFEE.
17:04:37 <Sundar> lbragstad: Thank you very much. I will re-install devstack with RECLONE=true.
17:09:46 <kmalloc> Sundar: good luck, let us know if you're still having issues after that
17:17:47 <kmalloc> lbragstad: did the KSA release happen yet?
17:17:54 <kmalloc> lbragstad: if not, we should include https://review.openstack.org/#/c/574784/
17:18:11 <lbragstad> kmalloc: https://review.openstack.org/#/c/574337/
17:18:13 <lbragstad> it did
17:18:17 <kmalloc> lbragstad: if it did, we should release with that once it lands
17:18:37 <lbragstad> sure - i can keep tabs on it
17:18:40 <kmalloc> cool.
17:18:53 <kmalloc> ok let me get back to this flaskification stuff.
17:19:11 <kmalloc> so i can get the root stuff moved to Flask Native and drop some of the icky dispatch code.
17:20:38 <Sundar> kmalloc: Thanks very much! I will ping back if needed -- hopefully there won't be a need. :)
17:41:38 <kmalloc> lbragstad: omg, about to post first actual move to flask api bit
17:41:40 <kmalloc> woooooooo
17:59:22 <Sundar> Hi, A clean devstack install failed too. But not sure if this is Cinder or Keystone. Please see https://drive.google.com/file/d/19EncNpjzW_RflRn1zj_iu6hqDvoyuQ9m/view?usp=sharing
18:09:21 <lbragstad> that looks like a cinder-specific issue
18:09:41 <lbragstad> cinder provides an option that allows you to deploy it with and without a dependency on keystone
18:10:19 <lbragstad> are you able to dig into the logs and see why it failed?
18:57:11 <openstackgerrit> Lance Bragstad proposed openstack/python-keystoneclient master: Add support for registered limits https://review.openstack.org/537668
18:57:12 <openstackgerrit> Lance Bragstad proposed openstack/python-keystoneclient master: Add support for project-specific limits https://review.openstack.org/574391
19:06:21 <lbragstad> knikolla: thanks for the review on the unified limit client patches
19:06:29 <lbragstad> posted some newer versions
19:06:53 <knikolla> lbragstad: was just looking at the new ones now :)
19:07:05 <lbragstad> you're the man knikolla
19:11:08 <lbragstad> kmalloc: i'll crack open the flask stuff in a minute here
19:11:14 <lbragstad> i assume you still need it reviewed?
19:24:49 <kmalloc> yeah
19:24:57 <kmalloc> working on the WIP one at the end for discovery
19:25:02 <kmalloc> almost done.
19:25:11 <kmalloc> but the stuff up to the flask WIP one needs review
19:31:28 <hrybacki> lbragstad: question for you -- I'm not seeing where this is ever actually set: https://github.com/openstack/keystone/blob/master/keystone/cmd/bootstrap.py#L40
19:32:28 <hrybacki> the attempt to create the role is here: https://github.com/openstack/keystone/blob/master/keystone/cmd/bootstrap.py#L163-L165 but I'm not seeing where the `None` is being replaced by an actual string
19:33:07 <lbragstad> hrybacki: https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L161
19:33:23 <lbragstad> which is using https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L131
19:33:41 <lbragstad> which uses the default here - https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L84
19:34:28 <hrybacki> lbragstad: ah ack. Do you think I should port the `reader` and `admin` role names to a config and have them consumed like ^^ or keep them as is directly in the bootstrap code
19:36:24 <lbragstad> umm
19:36:27 <lbragstad> good question
19:36:54 <lbragstad> since it's really just used once, i'd lean towards using it as another option to bootstrap
19:36:57 <lbragstad> instead of config options
19:37:41 <lbragstad> or - just create those roles and don't expose them via config or options?
19:37:45 <hrybacki> oh no, I don't mean necessarily a 'default roles or no default roles' option. But the names themselves e.g. do we want people to be able to replace 'reader' with 'readonly' by overriding default config
19:37:58 <lbragstad> hmmm
19:38:19 <lbragstad> i'm not sure if allowing them override is going to be that important?
19:38:28 <hrybacki> can always be added after the face
19:38:30 <hrybacki> fact
19:38:36 <lbragstad> but i'm willing to be convinced otherwise
19:38:55 <hrybacki> see line 39 https://review.openstack.org/#/c/572243/7/keystone/cmd/bootstrap.py
19:39:00 <lbragstad> we've already committed to using 'admin', 'member', and 'reader'
19:39:11 <hrybacki> rather line 41 and 45
19:39:20 * hrybacki nods
19:39:37 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: [WIP] Convert json_home and version discovery to Flask https://review.openstack.org/574736
19:39:53 <knikolla> lbragstad: do we have any docs on implied roles?
19:39:55 <lbragstad> if a deployment is going to use something else, they already need to roll their own custom policy
19:40:06 <knikolla> i'm writing the release note for the infer_roles deprecation and coming up blank with links to docs.
19:40:10 <lbragstad> knikolla: not that i am aware of - i did have a bug open for that though
19:40:13 <kmalloc> lbragstad: ^ and we have flaskified discovery/json_home
19:40:25 <hrybacki> ack. I'll leave it as is and pull out the TODOs lbragstad
19:40:26 <lbragstad> kmalloc: awesome
19:40:37 <lbragstad> kmalloc: what's your opinion on hrybacki's question?
19:40:49 <kmalloc> discovery is *not* representative of anything else, but that is because discovery is super special
19:40:52 <kmalloc> uhm reading up
19:40:54 <lbragstad> should an operator be able to override the member and reader role names?
19:40:59 <lbragstad> in the bootstrap option?
19:41:04 <kmalloc> in bootstrap?
19:41:06 <kmalloc> no
19:41:13 <kmalloc> bootstrap is explicitly opinionated
19:41:23 <kmalloc> it sets up the system to a common "known" state
19:41:27 <lbragstad> yeah- it just doesn't seem to get you much mileage
19:41:36 <kmalloc> it is up to the operator to move from there, but they know the state is consistent
19:41:47 <hrybacki> ack
19:41:56 <kmalloc> so they can automate from that point
19:42:05 <lbragstad> since we're going to be rewriting all of our policies to those default
19:42:13 <lbragstad> defaults*
19:42:26 <kmalloc> yep, go for opinionated and consistent
19:42:38 <openstackgerrit> Harry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap https://review.openstack.org/572243
19:42:41 <kmalloc> the whole idea is bootstrap gets keystone running to the point you can use the API to setup the rest
19:42:43 <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Deprecate [token] infer_roles https://review.openstack.org/574869
19:42:46 <hrybacki> cool, ^^ should be g2g then
19:42:59 <lbragstad> hrybacki: you can just create them and then set the role IDs on the bootstrap object
19:43:05 <hrybacki> I'm wondering if there isn't a way to rename 'admin' as things are right now
19:43:07 <lbragstad> then we can reuse those roles in tests
19:44:04 <hrybacki> already setting them on the object so we should be good to go
19:44:40 <lbragstad> sweet
19:45:44 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask https://review.openstack.org/574736
19:45:57 <openstackgerrit> Merged openstack/keystoneauth master: raise_exc default in Adapter https://review.openstack.org/574784
19:47:57 <kmalloc> lbragstad: i have a good feeling that we're going to see a faster keystone just by leaning 100% on flask instead of having all these mappers we pass requests through
19:48:04 <kmalloc> a single dispatch layer is going to be good
19:48:12 <lbragstad> i hope you're right
19:48:25 <kmalloc> we already saw somewhat of that by dropping paste.deploy
19:48:38 <kmalloc> it wasn't huge, but it was a bit on our unit tests.
19:57:39 <kmalloc> lbragstad: answered in-line questions (cc gagehugo) on the flask reviews
20:04:54 <gagehugo> kmalloc \o/
20:46:59 <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Expose endpoint to return enforcement model https://review.openstack.org/562716
21:00:04 <hrybacki> lbragstad: o/ tbh I don't understand how the blueprints work in LP :P
21:00:23 <hrybacki> I think you added that link to commit msg and I assumed it worked lol
21:00:28 <lbragstad> blueprint in lp or how we link to them?
21:00:59 <hrybacki> how we link them
21:01:02 <hrybacki> I see https://blueprints.launchpad.net/keystone/+spec/basic-default-roles
21:01:29 <lbragstad> yeah
21:01:48 <lbragstad> so gerrit has a parser that will parse commit messages for special strings, and format them to links
21:01:52 <kmalloc> lbragstad: responded to comments on the discovery-flaskification bit
21:02:16 <lbragstad> so if it sees something like `bp blah` it will replace that with a link to launchpad for a blueprint named 'blah'
21:03:29 <hrybacki> ah, so 'basic-default-roles' rather than 'define-default-roles'
21:03:30 <hrybacki> makes sense
21:03:34 * hrybacki updates
21:03:41 <lbragstad> yep
21:03:50 <kmalloc> yeah
21:04:18 <efried> Hey folks, did you want me to propose a release to pick up https://review.openstack.org/#/c/574784/ ?
21:04:32 <efried> It's not an urgent thing, so no biggie if you're waiting to collect moar stuffs.
21:05:02 <lbragstad> would a week or two be too much time?
21:05:09 <efried> Not at all.
21:05:14 <efried> Thanks Lance.
21:05:29 <lbragstad> awesome - i'll keep an eye on ksa stuff and see what else we can roll in the next release
21:05:35 <efried> rgr
21:05:44 <lbragstad> if i come up dry after a week or two, we'll happily do another release
21:05:51 <efried> sounds good
21:05:53 <lbragstad> thanks efried
21:05:58 <efried> My pleasure.
21:22:52 <openstackgerrit> Harry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap https://review.openstack.org/572243
21:23:35 <hrybacki> thanks for the comments lbragstad
21:23:54 <lbragstad> thanks for being on the ball
21:48:25 <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask https://review.openstack.org/574736
21:54:47 <knikolla> adriant: o/
21:54:50 <knikolla> have some adjutant questions
21:59:36 <lbragstad> #endmeeting