16:58:19 #startmeeting keystone-office-hours
16:58:20 Meeting started Tue Jun 12 16:58:19 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:58:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:58:23 The meeting name has been set to 'keystone_office_hours'
16:58:34 Sundar: this is why i recommend a totally fresh devstack when possible (not just clean.sh) - this is one of those cases where devstack's cleanup is just not 100% and causes odd errors.
16:59:03 the best bet when you're struggling is RECLONE=true or start fresh and see if it continues, especially if you've done a number of stack/unstack/stack cycles
16:59:52 lbragstad: omg MORE COFFEE.
17:04:37 lbragstad: Thank you very much. I will re-install devstack with RECLONE=true.
17:09:46 Sundar: good luck, let us know if you're still having issues after that
17:17:47 lbragstad: did the KSA release happen yet?
17:17:54 lbragstad: if not, we should include https://review.openstack.org/#/c/574784/
17:18:11 kmalloc: https://review.openstack.org/#/c/574337/
17:18:13 it did
17:18:17 lbragstad: if it did, we should release with that once it lands
17:18:37 sure - i can keep tabs on it
17:18:40 cool.
17:18:53 ok let me get back to this flaskification stuff.
17:19:11 so i can get the root stuff moved to Flask Native and drop some of the icky dispatch code.
17:20:38 kmalloc: Thanks very much! I will ping back if needed -- hopefully there won't be a need. :)
17:41:38 lbragstad: omg, about to post first actual move to flask api bit
17:41:40 woooooooo
17:59:22 Hi, a clean devstack install failed too. But not sure if this is Cinder or Keystone. Please see https://drive.google.com/file/d/19EncNpjzW_RflRn1zj_iu6hqDvoyuQ9m/view?usp=sharing
18:09:21 that looks like a cinder-specific issue
18:09:41 cinder provides an option that allows you to deploy it with and without a dependency on keystone
18:10:19 are you able to dig into the logs and see why it failed?
18:57:11 Lance Bragstad proposed openstack/python-keystoneclient master: Add support for registered limits https://review.openstack.org/537668
18:57:12 Lance Bragstad proposed openstack/python-keystoneclient master: Add support for project-specific limits https://review.openstack.org/574391
19:06:21 knikolla: thanks for the review on the unified limit client patches
19:06:29 posted some newer versions
19:06:53 lbragstad: was just looking at the new ones now :)
19:07:05 you're the man knikolla
19:11:08 kmalloc: i'll crack open the flask stuff in a minute here
19:11:14 i assume you still need it reviewed?
19:24:49 yeah
19:24:57 working on the WIP one at the end for discovery
19:25:02 almost done.
19:25:11 but the stuff up to the flask WIP one needs review
19:31:28 lbragstad: question for you -- I'm not seeing where this is ever actually set: https://github.com/openstack/keystone/blob/master/keystone/cmd/bootstrap.py#L40
19:32:28 the attempt to create the role is here: https://github.com/openstack/keystone/blob/master/keystone/cmd/bootstrap.py#L163-L165 but I'm not seeing where the `None` is being replaced by an actual string
19:33:07 hrybacki: https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L161
19:33:23 which is using https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L131
19:33:41 which uses the default here - https://github.com/openstack/keystone/blob/master/keystone/cmd/cli.py#L84
19:34:28 lbragstad: ah ack. Do you think I should port the `reader` and `admin` role names to a config and have them consumed like ^^ or keep them as is directly in the bootstrap code
19:36:24 umm
19:36:27 good question
19:36:54 since it's really just used once, i'd lean towards using it as another option to bootstrap
19:36:57 instead of config options
19:37:41 or - just create those roles and don't expose them via config or options?
19:37:45 oh no, I don't mean necessarily a 'default roles or no default roles' option. But the names themselves e.g. do we want people to be able to replace 'reader' with 'readonly' by overriding default config
19:37:58 hmmm
19:38:19 i'm not sure if allowing them override is going to be that important?
19:38:28 can always be added after the face
19:38:30 fact
19:38:36 but i'm willing to be convinced otherwise
19:38:55 see line 39 https://review.openstack.org/#/c/572243/7/keystone/cmd/bootstrap.py
19:39:00 we've already committed to using 'admin', 'member', and 'reader'
19:39:11 rather line 41 and 45
19:39:20 * hrybacki nods
19:39:37 Morgan Fainberg proposed openstack/keystone master: [WIP] Convert json_home and version discovery to Flask https://review.openstack.org/574736
19:39:53 lbragstad: do we have any docs on implied roles?
19:39:55 if a deployment is going to use something else, they already need to roll their own custom policy
19:40:06 i'm writing the release note for the infer_roles deprecation and coming up blank with links to docs.
19:40:10 knikolla: not that i am aware of - i did have a bug open for that though
19:40:13 lbragstad: ^ and we have flaskified discovery/json_home
19:40:25 ack. I'll leave it as is and pull out the TODOs lbragstad
19:40:26 kmalloc: awesome
19:40:37 kmalloc: what's your opinion on hrybacki's question?
19:40:49 discovery is *not* representative of anything else, but that is because discovery is super special
19:40:52 uhm reading up
19:40:54 should an operator be able to override the member and reader role names?
19:40:59 in the bootstrap option?
19:41:04 in bootstrap?
19:41:06 no
19:41:13 bootstrap is explicitly opinionated
19:41:23 it sets up the system to a common "known" state
19:41:27 yeah- it just doesn't seem to get you much mileage
19:41:36 it is up to the operator to move from there, but they know the state is consistent
19:41:47 ack
19:41:56 so they can automate from that point
19:42:05 since we're going to be rewriting all of our policies to those default
19:42:13 defaults*
19:42:26 yep, go for opinionated and consistent
19:42:38 Harry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap https://review.openstack.org/572243
19:42:41 the whole idea is bootstrap gets keystone running to the point you can use the API to setup the rest
19:42:43 Kristi Nikolla proposed openstack/keystone master: Deprecate [token] infer_roles https://review.openstack.org/574869
19:42:46 cool, ^^ should be g2g then
19:42:59 hrybacki: you can just create them and then set the role IDs on the bootstrap object
19:43:05 I'm wondering if there isn't a way to rename 'admin' as things are right now
19:43:07 then we can reuse those roles in tests
19:44:04 already setting them on the object so we should be good to go
19:44:40 sweet
19:45:44 Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask https://review.openstack.org/574736
19:45:57 Merged openstack/keystoneauth master: raise_exc default in Adapter https://review.openstack.org/574784
19:47:57 lbragstad: i have a good feeling that we're going to see a faster keystone just by leaning 100% on flask instead of having all these mappers we pass requests through
19:48:04 a single dispatch layer is going to be good
19:48:12 i hope you're right
19:48:25 we already saw somewhat of that by dropping paste.deploy
19:48:38 it wasn't huge, but it was a bit on our unit tests.
19:57:39 lbragstad: answered in-line questions (cc gagehugo) on the flask reviews
20:04:54 kmalloc \o/
20:46:59 Lance Bragstad proposed openstack/keystone master: Expose endpoint to return enforcement model https://review.openstack.org/562716
21:00:04 lbragstad: o/ tbh I don't understand how the blueprints work in LP :P
21:00:23 I think you added that link to commit msg and I assumed it worked lol
21:00:28 blueprint in lp or how we link to them?
21:00:59 how we link them
21:01:02 I see https://blueprints.launchpad.net/keystone/+spec/basic-default-roles
21:01:29 yeah
21:01:48 so gerrit has a parser that will parse commit messages for special strings, and format them to links
21:01:52 lbragstad: responded to comments on the discovery-flaskification bit
21:02:16 so if it sees something like `bp blah` it will replace that with a link to launchpad for a blueprint named 'blah'
21:03:29 ah, so 'basic-default-roles' rather than 'define-default-roles'
21:03:30 makes sense
21:03:34 * hrybacki updates
21:03:41 yep
21:03:50 yeah
21:04:18 Hey folks, did you want me to propose a release to pick up https://review.openstack.org/#/c/574784/ ?
21:04:32 It's not an urgent thing, so no biggie if you're waiting to collect moar stuffs.
21:05:02 would a week or two be too much time?
21:05:09 Not at all.
21:05:14 Thanks Lance.
21:05:29 awesome - i'll keep an eye on ksa stuff and see what else we can roll in the next release
21:05:35 rgr
21:05:44 if i come up dry after a week or two, we'll happily do another release
21:05:51 sounds good
21:05:53 thanks efried
21:05:58 My pleasure.
21:22:52 Harry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap https://review.openstack.org/572243
21:23:35 thanks for the comments lbragstad
21:23:54 thanks for being on the ball
21:48:25 Morgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask https://review.openstack.org/574736
21:54:47 adriant: o/
21:54:50 have some adjutant questions
21:59:36 #endmeeting