20:02:02 <stevemar> #startmeeting horizon-keystone
20:02:03 <openstack> Meeting started Thu Dec 15 20:02:02 2016 UTC and is due to finish in 60 minutes.  The chair is stevemar. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:02:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:02:07 <openstack> The meeting name has been set to 'horizon_keystone'
20:02:12 <r1chardj0n3s> stevemar: I cutnpaste the line from eavesdrop to keep it consistent ;-)
20:02:23 <stevemar> r1chardj0n3s: that's what i did!
20:02:29 <r1chardj0n3s> \o/
20:02:37 <stevemar> #agenda https://etherpad.openstack.org/p/ocata-keystone-horizon
20:02:39 <stevemar> not really an agenda
20:02:43 <stevemar> #link https://etherpad.openstack.org/p/ocata-keystone-horizon
20:03:09 <stevemar> r1chardj0n3s: mind if i skip your thing til the end?
20:03:47 <stevemar> (silence means yes in my book!)
20:04:05 <stevemar> crinkle: you're around, lets talk about your stuff first
20:04:27 <stevemar> crinkle: i think you had the TODO to re-work https://review.openstack.org/#/c/389337/
20:04:40 <r1chardj0n3s> stevemar: yes, please do that thing
20:04:47 <rderose> o/
20:04:57 <stevemar> crinkle: are there any things we should look out for when reviewing it?
20:05:37 <stevemar> crinkle: looks like a lot of cut-n-paste of the project support
20:05:38 <crinkle> stevemar: well one thing is that it looks a little messy because i was trying to avoid duplicating code, so looking for feedback on how best to do that
20:05:51 <stevemar> (not saying thats a bad thing)
20:06:40 <stevemar> crinkle: is there any UI work needed in the horizon side? i think a drop down no?
20:07:01 <crinkle> stevemar: yes, i meant to work on that too but didn't get to it yet
20:07:10 <stevemar> crinkle: s'all good
20:07:23 <stevemar> no rel note, but it looks like doa doesn't do that
20:07:32 <stevemar> *throws shade at david-lyle*
20:07:49 <david-lyle> we put it all in horizon
20:08:17 <stevemar> documentation is kinda minimal too: http://docs.openstack.org/developer/django_openstack_auth/
20:08:22 <david-lyle> the feature add in horizon is the only way it will be visible anyway
20:08:26 <stevemar> crinkle: looks good to me at a first glance
20:08:29 <stevemar> david-lyle: ah cool
20:08:49 * stevemar tosses a +1 to crinkle
20:09:00 <david-lyle> heck stevemar most people don't even know that library exists
20:09:13 <david-lyle> I will walk through the updated patch
20:09:33 <crinkle> thanks guys
20:09:36 <david-lyle> the domain listing seems reasonable
20:09:49 <david-lyle> backend.py I want to dig into more
20:10:02 <stevemar> yeah, utils change looks good
20:10:17 <stevemar> user.py looks like its just calling utils
20:10:36 <stevemar> i'll let david-lyle assess the backend.py bits
20:10:54 <david-lyle> yup, it changing the logic around domain scoping changes that I want to be sure about
20:11:04 <stevemar> crinkle: you tried this out i assume?
20:11:08 <stevemar> you typically do
20:11:09 <crinkle> stevemar: yes
20:11:19 <david-lyle> only federated or both?
20:11:31 <stevemar> crinkle: cool, did you have to modify horizon?
20:11:45 <crinkle> david-lyle: both
20:11:50 <crinkle> stevemar: yes it requires horizon changes
20:12:02 <david-lyle> crinkle: great, just checking, thanks
20:12:26 <stevemar> crinkle: cool
20:12:40 <stevemar> sounds like that is moving along nicely, thanks colleen
20:12:57 * stevemar forgot to use topic, noob
20:12:58 <crinkle> np thanks for reviewing
20:13:04 <stevemar> #topic k2k
20:13:07 <stevemar> edtubill: yo
20:13:13 <edtubill> hey
20:13:20 <edtubill> so I have these two patches:  https://review.openstack.org/#/c/408435/1 (horizon) https://review.openstack.org/#/c/408450/1 (django_openstack_auth)
20:13:27 <edtubill> They need tests...
20:13:50 <stevemar> i think you have: https://review.openstack.org/#/q/topic:bp/k2k-horizon
20:13:59 <edtubill> but it would be cool if david-lyle or stevemar would be able to see if the approach taken (at a high level) is okay to do.
20:14:20 <edtubill> Those two patches are for that bp.
20:14:23 <stevemar> edtubill: do you need guidance working on how to create more tests? i remember having trouble with that for doa and lhcheng helped me out
20:15:20 <edtubill> Sure
20:15:37 <stevemar> david-lyle: do you have time to help edtubill out with the tests?
20:15:45 <david-lyle> I should
20:15:55 <stevemar> edtubill: meet your new best friend
20:15:58 <david-lyle> I'll review the patches this afternoon
20:16:02 <edtubill> cool :)
20:16:08 <david-lyle> and we can look at adding tests
20:16:15 <stevemar> should we go over the patches here like we did with crinkle's?
20:16:15 <edtubill> please let me know if the approach should be taken a different way.
20:16:43 <edtubill> I put some comments in the commit message
20:16:50 <stevemar> we can start with the horizon one, https://review.openstack.org/#/c/408435/1 is much smaller :P
20:17:09 <david-lyle> I also worry about crinkle and your d-o-a patches stomping on each other
20:17:27 <edtubill> I'm willing to rebase..
20:17:34 <crinkle> me too
20:17:35 <david-lyle> backend.py is heavily redone in both
20:17:58 <david-lyle> but we can cross that
20:19:37 <david-lyle> the horizon patch seems reasonable
20:19:41 <stevemar> ah i see the "support / current / available" section is like regions: https://review.openstack.org/#/c/408435/1/openstack_dashboard/context_processors.py
20:20:22 <david-lyle> yes
20:20:46 <edtubill> I took inspiration from that yes :p
20:20:58 <stevemar> edtubill: use "depends-on"
20:21:14 <david-lyle> my only concern is that context_processors is executed on every request, don't want to prematurely optimize, but minimizing logic in there is desirable
20:21:48 <stevemar> david-lyle: edtubill can you check a config option before executing that code?
20:22:31 <edtubill> I can add a flag or is there another place that I could potentially put that logic that doesn't run every time?
20:23:16 <david-lyle> I don't know that we have a k2k setting to check, and dynamically is better
20:23:23 <david-lyle> let me look at it more closely
20:23:46 <stevemar> any way to check the token in context_processors?
20:23:46 <edtubill> I could also just look at the available_providers from the session variable and just skip the rest if it's an empty list.
20:23:54 <stevemar> see if service_providers is empty or not
20:23:58 <david-lyle> you're reading a value from the session and then short-circuiting most of the logic if there aren't multiple keystones
20:24:08 <david-lyle> token is on the session
20:24:15 <stevemar> david-lyle: rgr
20:24:32 <stevemar> david-lyle: maybe just "if not available_providers: break"
20:24:49 <stevemar> or actually "if available_providers" then go into your logic
20:24:54 <stevemar> skip it otherwise
20:24:56 <david-lyle> but the provider list is already taken from the session in doa and put separately as a convenience
20:25:42 <david-lyle> stevemar: yeah something like that
20:26:16 <stevemar> edtubill: commented
20:26:24 <stevemar> david-lyle: are you expecting tests for that patch?
20:26:30 <edtubill> cool thx
20:26:42 <stevemar> david-lyle: and a release note?
20:27:44 <david-lyle> release note yes, testing that is difficult
20:28:07 <stevemar> edtubill: know how to create a release note, yes?
20:28:14 <stevemar> david-lyle: understood
20:28:24 <edtubill> not really..
20:28:33 <edtubill> is there some doc I can read?
20:28:43 <stevemar> edtubill: http://docs.openstack.org/developer/keystone/developing.html#release-notes
20:29:02 <stevemar> edtubill: just run... $ tox -e venv -- reno new bp-k2k-horizon
20:29:03 <david-lyle> we have one similar since lhcheng added it to both
20:29:24 <edtubill> ok
20:29:35 <stevemar> you'll see a new file show up in horizon/releasenotes/notes, edit that file
20:29:48 <stevemar> try to think of it from a consumer perspective
20:30:06 <stevemar> if you were to use it, what would you want to know, etc
20:30:17 <stevemar> now... https://review.openstack.org/#/c/408450/2
20:30:31 <stevemar> +386, yowza!
20:30:58 <r1chardj0n3s> needs more code deletion
20:31:07 <stevemar> edtubill: are you trying to squeeze in a refactor?
20:31:30 <edtubill> yeah.. I didn't want to rewrite scoping code...
20:31:39 <stevemar> edtubill: thats totally fair
20:31:49 <stevemar> edtubill: can i ask that you break the patch up?
20:31:49 <edtubill> I can undo it if it makes it easier to review and do refactoring later.
20:31:53 <edtubill> sure.
20:32:15 <stevemar> one patch to do the split, some stuff from backend.py into base.py (that can land first)
20:32:28 <stevemar> as long as it's a pure refactor it should be easy to approve and need no tests
20:32:52 <stevemar> then it'll just be the k2k code to review
20:33:06 <edtubill> Sure, are you guys okay with the approach of making a new Auth plugin even though it doesn't really get used at Log in time? (although it might in the future)
20:33:21 <edtubill> The other plugins get used only at log in time.
20:34:35 <stevemar> i don't think there are any negative impacts there
20:34:53 <r1chardj0n3s> yep
20:35:06 <david-lyle> I don't have a reason against right now
20:35:24 <stevemar> edtubill: need a hand with breaking things up?
20:35:57 <edtubill> I think I remember how to break things up.
20:36:07 <stevemar> edtubill: ping me if you need a hand
20:36:13 <edtubill> okay will do.
20:36:43 <stevemar> alright, next topic
20:36:52 <stevemar> #topic v3 policy is terribad
20:36:59 <edtubill> Also a quick note, last time I used federation I get errors at viewing instances... am I the only one seeing this error?
20:37:06 <stevemar> o_O
20:37:11 <edtubill> I'll wait to ask this question later :p
20:37:17 <stevemar> probably gonna need more data than that :)
20:37:36 <stevemar> this topic relates to line 47 on https://etherpad.openstack.org/p/ocata-keystone-horizon
20:37:53 <stevemar> i have a feeling this will involve keystone fixing something
20:38:05 <stevemar> does anyone have any background on https://bugs.launchpad.net/oslo.policy/+bug/1547684 ?
20:38:07 <openstack> Launchpad bug 1547684 in oslo.policy "Attribute error on Token object when using domain scoped token" [Undecided,New]
20:38:48 <stevemar> ayoung had a comment: that had https://review.openstack.org/#/c/165908/ merged, everything would be good
20:39:28 <r1chardj0n3s> no further background from me beyond that error, I'm afraid
20:39:31 <stevemar> looks like policy is just terrible: https://launchpadlibrarian.net/242578504/policy_token.py
20:40:41 <stevemar> i can look into this, if no one else has any insight
20:41:13 <stevemar> removing token.is_admin_project:True seems to solve the issue
20:41:45 <stevemar> looking at: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
20:42:06 <stevemar> i love how you publish something that is unusable
20:42:10 <stevemar> we*
20:42:24 <r1chardj0n3s> :-)
20:42:44 <stevemar> i think "token.is_admin_project:True" is just wrong
20:43:04 <stevemar> should it be "target.token.is_admin_project:True" ?
20:43:22 <stevemar> let me go talk to some people
20:43:27 <stevemar> next topic
20:43:41 <stevemar> #topic Visualisation of policy / role
20:43:45 <stevemar> r1chardj0n3s: ^
20:43:48 <r1chardj0n3s> ohai
20:43:53 <stevemar> r1chardj0n3s: did you rub the sleep out of your eyes yet?
20:44:26 <r1chardj0n3s> so this came up earlier this week that some way of visualising policy and RBAC controls would be super helpful, especially in the face of ... rather opaque at times policy files :-)
20:44:50 <r1chardj0n3s> I was wondering whether there'd been any prior art on this?
20:45:09 <stevemar> r1chardj0n3s: kinda like how network topologies are visualized?
20:45:22 <david-lyle> visualize what aspect?
20:45:42 <r1chardj0n3s> I guess so, kinda. Being able to say "hey, what exactly can this role do, based on policy?"
20:45:46 <stevemar> it also stinks that policy is file based
20:46:18 <stevemar> hmm
20:47:07 <stevemar> get the roles from the token, and try enforcing all entries in all policies?
20:47:36 <david-lyle> yeah but targets come into play too
20:47:52 <r1chardj0n3s> possibly just one role at a time, but yeah, some sensible way of dealing with targets too
20:47:52 <stevemar> r1chardj0n3s: you'd get back something like "identity:create_region" passes and another thing doesn't
20:48:00 <r1chardj0n3s> yeah
20:48:26 <stevemar> yeah, its not easy, but it sounds do-able
20:48:37 <david-lyle> without attaching to resources I'm not sure how useful it will be
20:48:45 <stevemar> was there some desire to see this from an operator?
20:48:54 <david-lyle> or is this a tool for operators who are defining policy?
20:49:08 <r1chardj0n3s> yeah, this is something coming from operators
20:49:20 <david-lyle> what was the specific ask?
20:49:26 <r1chardj0n3s> I don't have any more on the specifics, sorry
20:49:31 <stevemar> r1chardj0n3s: unfortunately, editing the policy won't be easy :)
20:49:48 <r1chardj0n3s> I was mostly wondering whether anyone had done any sort of visualisation like this before
20:49:50 <david-lyle> if only policy was centralized ...
20:50:03 * stevemar throws a fish at david-lyle
20:50:24 * david-lyle claps like a seal
20:50:28 <stevemar> lol
20:50:39 <stevemar> r1chardj0n3s: okay, get back a bit more data i guess?
20:50:44 <stevemar> sounds a bit hand-wavey right now
20:51:07 <david-lyle> tough to know of prior art without understanding the type of visualization
20:51:12 <r1chardj0n3s> yep, given the answer to my question seems to be "no... we think" then I'll go back for more detail on what's actually desired
20:51:26 <stevemar> cool
20:51:35 <stevemar> sounds like we're all wrapped up for this week
20:51:41 <stevemar> #topic open discussion
20:51:48 <stevemar> cancel next week obvs
20:52:05 <r1chardj0n3s> yep, and week after, probably
20:52:05 <stevemar> i mean, i like you people, but not that much
20:52:17 <stevemar> r1chardj0n3s: yes
20:52:35 <r1chardj0n3s> coolo
20:52:36 <stevemar> any last qs?
20:53:12 <stevemar> thanks everyone!
20:53:15 <r1chardj0n3s> narf
20:53:21 <stevemar> have a great weekend, do that last minute shopping
20:53:24 <r1chardj0n3s> thanks stevemar
20:53:25 <david-lyle> thanks
20:53:25 <stevemar> #endmeeting