16:35:32 <cmurphy> #startmeeting keystone-office-hours 16:35:32 <openstack> Meeting started Tue Jul 2 16:35:32 2019 UTC and is due to finish in 60 minutes. The chair is cmurphy. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:35:34 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:35:36 <openstack> The meeting name has been set to 'keystone_office_hours' 16:35:46 <kmalloc> i just have to be able to transit between locations and airport/etc 16:35:49 <kmalloc> so, can't do video atm 16:36:12 <cmurphy> irc makes it easier for others to catch up anyways 16:36:29 <bnemec> o/ 16:38:46 <lbragstad> oh - good call 16:39:07 <lbragstad> i suppose we should start here https://review.opendev.org/#/c/668523/2 16:39:36 <lbragstad> i should ask - is everyone ready? 16:39:40 * cmurphy ready 16:40:22 <lbragstad> alright - 668523 is trivial 16:40:25 <bnemec> Well, that one's easy. It's approved. :-) 16:40:31 <lbragstad> sweet 16:40:40 <lbragstad> next one is https://review.opendev.org/#/c/666085/9 16:40:57 <lbragstad> i wanted to keep the ksa logic separate from everything else 16:41:10 <lbragstad> nothing in this patch actually uses it, it's just laying the ground work 16:41:29 <lbragstad> one area of improvement i can think of though, is additional testing 16:41:42 <lbragstad> but it would likely have to be mocked pretty heavy in order to work 16:43:04 <bnemec> You mean unit testing? 16:43:19 <lbragstad> right - if we wanted to unit test the functionality of that patch 16:43:37 <lbragstad> i was going to bring this up in a subsequent review, since it's related to that, too 16:43:40 <bnemec> I'm a little inclined not to worry too much about it since we're expecting to iterate on the implementation quite a bit. 16:43:51 <bnemec> Which I realize violates every principle of TDD. 16:44:03 <lbragstad> yeah - i was also thinking about setting up a function test suite for this stuff, too 16:44:20 <bnemec> But I also don't want someone to spend a ton of time writing tests for code that we end up not using. 16:44:24 <lbragstad> (the last patch in the series touches on that a bit) 16:44:41 <bnemec> Yeah, that seems good too. 16:45:06 <bnemec> For now, maybe look at it as a prototype and just write the tests we absolutely need? 16:45:23 * bnemec feels so dirty for suggesting we not test code 16:45:30 <lbragstad> outside of testing, does anyone have questions about the connection logic itself? 16:47:59 <cmurphy> i've been wondering if there's a way around making the connection a global 16:48:04 <cmurphy> no specific suggestion though 16:48:32 <lbragstad> cmurphy do you want it to be a property of the Enforcer object instead? 16:48:36 <lbragstad> or something along those lines? 16:49:47 <cmurphy> maybe, but i suppose you might instantiate multiple enforcers and you wouldn't want to have that many live connections? 16:49:58 <lbragstad> probably not 16:50:42 <lbragstad> I could document it as an optimization 16:52:42 <cmurphy> i think it's probably fine as is 16:52:59 <kmalloc> pass in a connection, if none is passed in, attribute. 16:53:12 <kmalloc> s/attribute/property that is on-demand built 16:53:41 <kmalloc> it allows for the same mechanism as global without explicitly expecting global(s) 16:53:59 <kmalloc> can be iterated on down the line 16:54:05 <kmalloc> no reason to fix that now. 16:54:48 * lbragstad nodes 16:54:57 * lbragstad nods* 16:55:11 <lbragstad> alright - anything else on 666085 16:55:28 <bnemec> I left a comment about the endpoint id. 16:55:47 <lbragstad> psh - working ahead 16:55:48 <cmurphy> bnemec: good point about it not being the keystone service 16:56:35 <lbragstad> ++ 16:57:19 <bnemec> I completely agree that region+service would be easier to handle in a deployment tool though. 16:57:45 <cmurphy> maybe worth optimizing in the future 16:58:05 <bnemec> I'd be curious to know what percentage of deployers are actually writing their own configurations vs. using Puppet/Ansible/Chef/etc. 16:58:17 <bnemec> That would inform which use case we should optimize for. 16:58:47 <cmurphy> i am reasonably sure almost no one deploys openstack without some kind of deployment tool 16:59:01 <lbragstad> yeah 16:59:15 <bnemec> I don't disagree, but I've been surprised before. ;-) 16:59:19 <lbragstad> my home lab is built using osa - and i don't even have customers 16:59:27 <cmurphy> lol 16:59:53 <bnemec> My home lab is built using devstack. Yes, I'm that guy. :-P 17:00:43 <lbragstad> tangent: it would be nice to have a baremetal box to pxe boot with a base image for baremetal devstack deployments 17:01:40 <lbragstad> alrighty - anything else on 666085 ? 17:01:52 <cmurphy> lgtm 17:02:03 <lbragstad> cool 17:02:10 <lbragstad> https://review.opendev.org/#/c/666444/7 is where things start to get interesting 17:02:13 <bnemec> FWIW, user survey says "Other Tool" is only 15% of the deployment tooling ecosystem. 17:02:50 <lbragstad> the main goal of 666444 is to just get the basic laid down and wait for actual implementation details of the models for another patch 17:03:30 <lbragstad> what i think would be really helpful in looking at this patch, is the relationship between the Enforcer and the models 17:03:50 <lbragstad> i want to keep the models separate (as their own objects that inherit an interface) 17:04:08 <lbragstad> but i found that there is a lot information you have to share between the enforcer and the models 17:05:11 <lbragstad> Enforcer.enforce() essentially passes a bunch of stuff through or needs to use composition to set various attributes on the model to limit method signatures with lots of arguments 17:07:15 <lbragstad> i tried to capture some of that information in Enforcer's doc strings 17:07:41 <bnemec> At first glance that semes to make sense. They are enforcement models, so it makes sense that they would be pretty tightly tied to the enforcer. 17:08:04 <lbragstad> yeah 17:08:25 <cmurphy> i wonder if there's a way we could reuse the keystoneauth plugin model for this, where it has a plugin class with a method class as an attribute https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/identity/v3/password.py 17:08:30 <lbragstad> at the same time, i want people to be able to extend an interface if they want to add a new model (as opposed to extending Enforcer) 17:08:43 <lbragstad> cmurphy that's a good idea 17:09:55 <lbragstad> this is all internal stuff at this point 17:10:00 <lbragstad> so we can evolve it 17:10:03 <cmurphy> maybe Enforcer has self.enforcer = _FlatEnforcer and Enforcer.enforce() calls self.enforcer.enforce() 17:10:21 <cmurphy> and then project_id etc wouldn't need to be duplicated? 17:10:49 <cmurphy> i don't think the current way is bad though 17:10:55 <lbragstad> how would _FlatEnforces implementation get the project id in question? 17:11:08 <lbragstad> _FlatEnforcer's* 17:11:47 <cmurphy> hm i guess that doesn't really solve that problem 17:13:48 * lbragstad can document this, too 17:14:36 <bnemec> Like lbragstad said, this is all private stuff right now anyway. If people want to extend it to other enforcement models then maybe we can have a discussion over the best way to expose this then? 17:14:46 <cmurphy> ++ 17:14:49 <lbragstad> true 17:14:51 <bnemec> Having a specific use case in mind would probably help with the design too. 17:14:57 <cmurphy> i can't really think of a better way to handle it at the moment 17:15:05 <lbragstad> at the same time - it works 17:15:11 <cmurphy> ++ 17:15:13 <bnemec> Ship it! 17:15:22 <lbragstad> FILGTM! 17:15:27 <lbragstad> alright - moving on 17:15:29 <lbragstad> https://review.opendev.org/#/c/667452/3 17:16:01 <cmurphy> would probably be good to have tests for this one somehow 17:16:50 <lbragstad> yeah - so this is what i was kinda talking about ealier 17:16:52 <lbragstad> earlier* 17:17:14 <lbragstad> maybe what we can do is add a super *super* basic functional testing frame work in the ksa patch 17:17:44 <lbragstad> that only tests to make sure we can instantiate an Enforcer without the connection to keystone (in a devstack) deployment without it blowing up 17:18:05 <lbragstad> having that in place would make it a little easier to introduce functional tests here 17:18:12 <cmurphy> ++ 17:18:28 <lbragstad> (i tested this logic, but i was using the script in the next patch set) 17:19:29 <bnemec> If a functional test framework could replace the test script that would be good. 17:19:36 <lbragstad> ++ 17:19:57 <lbragstad> i feel like the natural evolution of that script is to just make it an official functional test 17:20:06 <bnemec> Yep 17:20:16 <lbragstad> cool 17:20:27 <lbragstad> anything else on this patch, outside of testing? 17:22:03 <cmurphy> it seems like a good first iteration to me, i'm sure down the road we can find ways to improve the enforce logic 17:22:25 * lbragstad nods 17:22:34 <bnemec> I probably just need to take a closer look. I got nothing useful done last week because downstream, so I haven't been through this part of the series yet. :-/ 17:23:24 <lbragstad> ok - well it sounds like having functional testing there is useful so we can do that part in the meantime 17:23:29 <lbragstad> finally we have https://review.opendev.org/#/c/667242/7 17:23:35 <lbragstad> which is just documentation and a usage example 17:23:43 <bnemec> But like I've said before, I'm pretty much ready to +2 anything that gets us _an_ implementation. If it's horribly broken, we'll fix it. :-) 17:23:57 <lbragstad> some of that example is going to get pulled into a formal functional test thought 17:23:59 <lbragstad> though* 17:25:21 <bnemec> So to try that I would stand up a basic devstack, pull the series and install it, then run the example.py script? 17:25:40 <lbragstad> yeah 17:25:44 <bnemec> Tweaking the example.conf for my devstack, of course. 17:25:44 <cmurphy> you'd probably need to edit the project ids in the script 17:25:56 <lbragstad> you'll need to create a few limits and the registered limits 17:26:09 <lbragstad> and do what cmurphy said, update the project ids in the script 17:26:24 <bnemec> Makes sense. 17:26:33 <lbragstad> but yeah - it should work 17:26:51 <lbragstad> ok - so to summarize 17:27:17 <lbragstad> 666085 needs a functional testing framework and a bug open to investigate reusable ksa connections 17:27:41 <lbragstad> 666444 needs an open bug to investigate pluggable architectures for enforcement models 17:28:04 <lbragstad> 667452 needs functional testing (built on the action from 666085) 17:28:11 <lbragstad> anything else? 17:28:40 <cmurphy> i think this script will need to be tweaked for the two-level model? 17:28:54 <bnemec> Maybe a bug for 666085 to look at how to configure the endpoint? 17:29:17 <knikolla> cmurphy: sorry for missing the meeting. we're transitioning to the new adjutant based registration system and i've been swamped with work the past few weeks. 17:29:23 <lbragstad> yeah - i developed it to help me write the flat enforcement stuff, i wasn't really thinking about any of the strict-two level properties 17:29:31 <lbragstad> bnemec ++ 17:29:40 <cmurphy> no worries knikolla 17:30:47 <lbragstad> outside of those actions, does anyone have anything else to add? 17:30:57 <cmurphy> lbragstad: and i guess next steps after all that would be implementing enforce() for the two-level model 17:31:10 <lbragstad> cmurphy correct 17:31:25 <cmurphy> fun :) 17:31:31 <lbragstad> i was thinking it would be easier to implement that once the functional testing is in place 17:31:40 <cmurphy> for sure 17:31:46 <lbragstad> then we could actually use TTD to get it done 17:31:54 <lbragstad> opposed to a hacktastic script 17:32:21 <bnemec> Yeah, right now we're mostly trying to define the public interface so other projects can start looking at how it would integrate with them. 17:32:35 <lbragstad> true 17:32:39 <bnemec> Additional enforcement models can be done in parallel. 17:32:47 <lbragstad> a lot of this actually came from johnthetubaguy 17:33:28 <lbragstad> i might have to poke someone to help with setting up zuul for the functional testing bits 17:33:40 <lbragstad> (we'll need a basic devstack in order to do that) 17:34:59 <bnemec> We have some functional tests in other oslo projects, so we might be able to help with that. 17:35:06 <lbragstad> sweet 17:35:51 <lbragstad> anything else to touch on for this? 17:35:59 <cmurphy> not from me 17:36:01 <lbragstad> otherwise - that's about all i had 17:36:31 <bnemec> I'm good too. Thanks again for driving this! 17:36:38 <cmurphy> ++ thanks lbragstad 17:36:46 <lbragstad> no problem - thanks for taking the time to go through the patches 17:36:55 <lbragstad> i'll write up a recap and send it to the ML 17:37:00 <cmurphy> sweet 17:37:10 <bnemec> dude 17:37:30 <cmurphy> :'D 17:37:30 <lbragstad> dude! 17:37:43 <cmurphy> #endmeeting