18:01:57 #startmeeting keystone
18:01:58 o/
18:01:58 Meeting started Tue Aug 23 18:01:57 2016 UTC and is due to finish in 60 minutes. The chair is dolphm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:59 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:01 The meeting name has been set to 'keystone'
18:02:03 #topic fishbowls / work rooms / meetups
18:02:03 o/
18:02:28 hi
18:02:30 so, this summit is going to be laid out a bit differently (as i suppose every summit is), but the schedule is also going to be a bit cramped
18:02:42 so, we're being asked to choose the last few details of our schedule
18:02:51 to quote the agenda: In Austin we had 5 fish bowl sessions, 8 work room sessions; 2 half-day meetups
18:03:02 Here we have one 15 minute meeting
18:03:15 Of which 12 minutes are already booked
18:03:28 3 minutes to get started...
18:03:40 sounds like my kinda meeting
18:03:45 hi keystoners!
18:03:51 we don't have a summit planning etherpad yet, do we?
18:04:36 I haven't seen one yet
18:04:46 without one, does anyone recall us having too many / not enough fish bowls and/or work rooms in austin?
18:05:05 otherwise, i assume we can aim for the same basic schedule regarding bucket topics
18:05:14 Let's blow it off and go rock climbing in the Pyrenees
18:05:35 we know where to find ayoung on monday :)
18:05:42 i can't really rock climb, but sangria on the other hand...
18:05:48 ^
18:06:03 the biggest outstanding question regarding schedule that we have is whether we want to have a contributor meetup on *friday afternoon* -- it's the only available time slot
18:06:22 typically, a lot of people start flying out sometime after lunch on friday
18:06:31 jamielennox can hold the rope in one hand and sangria in the other.
18:06:34 ++
18:06:37 i'll probably leave friday morning, friday afternoon/evening flights were crazy expensive
18:06:45 same
18:06:46 so this is basically a question for those of you that have already booked travel - will you be available and interested in having a contributor meetup on friday afternoon?
18:06:46 they are useful if you can make it but it's always subject to travel plans :/
18:06:49 bknudson, Sangria will go in a Camelback I think.
18:06:57 * breton will stay till Sunday
18:07:13 * rodrigods Monday to Friday
18:07:13 \o
18:07:22 o/
18:07:30 * amakarov will stay for weekend
18:08:01 dolphm: could Thursday night work?
18:08:12 looks like everyone will still be there
18:08:29 samueldmq, hard to have a meetup over the sound of Flamenco Guitarres
18:08:35 samueldmq: this is our only wiggle room in the schedule
18:09:10 #callvote FOR THOSE OF YOU WHO HAVE ALREADY BOOKED TRAVEL, will you be available AND interested in a contributor meetup on Friday afternoon (say, 1-5pm)? Yes, No, I didn't read the question, I haven't booked travel, What is a contributor meetup again?
18:09:17 #startvote FOR THOSE OF YOU WHO HAVE ALREADY BOOKED TRAVEL, will you be available AND interested in a contributor meetup on Friday afternoon (say, 1-5pm)? Yes, No, I didn't read the question, I haven't booked travel, What is a contributor meetup again?
18:09:18 Begin voting on: FOR THOSE OF YOU WHO HAVE ALREADY BOOKED TRAVEL, will you be available AND interested in a contributor meetup on Friday afternoon (say, 1-5pm)? Yes, No, I didn't read the question, I haven't booked travel, What is a contributor meetup again? Valid vote options are Yes, No.
18:09:19 Vote using '#vote OPTION'. Only your last vote counts.
18:09:43 ¡Olé!
18:09:52 #vote Yes
18:09:52 * dolphm has not booked travel so i'll abstain
18:09:52 #vote yes
18:09:59 #vote yes
18:10:14 I haven't booked so I'll abstain as well
18:10:14 * jamielennox will be around friday night regardless
18:10:14 I haven't booked travel, but plan to
18:10:17 #vote I haven't booked travel
18:10:31 #vote I haven't booked travel
18:10:36 #vote I haven't booked travel
18:10:37 dolphm when do we have to have an answer?
18:10:41 #vote I haven't booked travel
18:10:45 #vote I haven't booked travel
18:10:47 lbragstad: within a couple days, i think
18:10:57 lbragstad: we had time to take a vote here, and that was about it IIRC
18:11:03 maybe til end of week?
18:11:11 but it sounds like a yes so far
18:11:14 #vote no
18:11:23 #vote I haven't booked travel
18:11:25 #vote I didn't read the question, I haven't booked travel, What is a contributor meetup again?
18:11:32 #showvote
18:11:39 i assume that if we commit to a meetup, we would get a room and stuff like that
18:11:46 lbragstad: yes
18:12:19 alright...
18:12:19 This trip is between my Wife's Birthday and Halloween, making it hard for me to extend on either end.
18:12:20 #endvote
18:12:21 Voted on "FOR THOSE OF YOU WHO HAVE ALREADY BOOKED TRAVEL, will you be available AND interested in a contributor meetup on Friday afternoon (say, 1-5pm)? Yes, No, I didn't read the question, I haven't booked travel, What is a contributor meetup again?" Results are
18:12:28 haha
18:12:33 #vote Yes
18:12:44 are the results showing up for you ?
18:12:52 I can't see them ... is the bot broken?
18:13:10 dolphm killed the votebot dolphm killed the votebot
18:13:10 lol
18:13:14 samueldmq: the bot is holding us in anticipation
18:13:16 no results, but it looks like a yes
18:13:18 lol
18:13:21 #showvote
18:13:23 #endvote
18:13:26 whatever, it's a yes
18:13:31 3 vs 1 IIRC
18:13:40 c'mon openstack
18:13:41 now, everybody go book travel :)
18:13:42 the suspense !
18:13:43 yes!
18:13:55 * lbragstad pats votebot on the shoulder
18:14:13 now onto more pressing matters...
18:14:16 #topic Release status
18:14:29 the gate has been rough lately, so please get things gating!
18:14:30 All feature work and high priority bugs should be approved or gating by friday, the gate is crazy backed up
18:14:56 gate backup started early this time.
18:15:33 if you're looking for something to review (and want to get a heads up on using our new rolling upgrades approach), review credential encryption... which has the most outstanding patch sets to be merged of the remaining bps: https://blueprints.launchpad.net/keystone/+spec/credential-encryption
18:16:04 https://review.openstack.org/#/c/355618/14 is the most in-depth review
18:16:11 the rest are pretty trivial and documentation
18:16:20 #link https://review.openstack.org/#/c/355618/
18:16:25 (removed the patchset from the link)
18:16:28 i would be forever grateful for reviews on the database triggers
18:16:37 dstanek thanks
18:16:50 s/dstanek/dolphm/
18:17:07 lbragstad: you're welcome anyway
18:17:07 the mapping_populate patch needs a nudge (last I looked, I +2'd, but the release notes needed a rev)
18:17:08 #link https://review.openstack.org/#/c/343028/
18:17:40 and while lbragstad is pre-occupied knocking out credential encryption, we could use some hands to performance validate amakarov's patch
18:17:42 #link https://review.openstack.org/#/c/309146/
18:18:04 I can
18:18:07 and then we have a nasty list of bugs
18:18:22 I'll look at both
18:18:27 "The patch uses dogpile.cache internal functionality so some calls may look strange"
18:18:28 lol
18:18:34 on triggers/rolling upgrade, also look at: https://review.openstack.org/#/c/357789/
18:19:09 henrynash: ++
18:19:14 samueldmq: say you like it ))
18:19:50 my cache invalidation patch could use some eyes too
18:19:57 #topic steve's list of big bad hairy bugs
18:19:58 #link https://review.openstack.org/349704 Distributed cache namespace to invalidate regions
18:20:13 ^^
18:20:26 definitely the nastiest, widest impact bug we have right now
18:22:12 and then henry's rolling upgrade fix is on steve's list
18:22:17 #link https://bugs.launchpad.net/keystone/+bug/1596500
18:22:17 Launchpad bug 1596500 in OpenStack Identity (keystone) "Passwords created_at attribute could remain unset during rolling upgrade" [High,In progress] - Assigned to Henry Nash (henry-nash)
18:22:30 there's some good background there before you dive into the code review
18:22:32 which uses rolling upgrades :)
18:22:41 if for some reason dstanek's patch won't go, here is the old way approach: https://review.openstack.org/#/c/354831/
18:23:20 rderose got another major bug fixed in https://bugs.launchpad.net/bugs/1615000 (thanks!)
18:23:20 Launchpad bug 1615000 in OpenStack Identity (keystone) "Entry to User table creates entries in local_user table for ldap and custom driver users" [High,Fix released] - Assigned to Ron De Rose (ronald-de-rose)
18:23:42 rderose: nice!
18:23:55 and then, if you're looking for something to work on -- we still have a couple that need to be investigated & debugged further
18:23:59 #link https://launchpad.net/keystone/+milestone/newton-3
18:24:10 samueldmq dolphm: thank you :)
18:24:15 they all seem related, but again, the impact could be substantial, so the more eyes the better
18:25:07 has anyone kept up with bugs opened recently?
18:25:32 I have not :(
18:25:34 dolphm, latest one i remember was the credential type
18:25:42 fix was approved already
18:25:54 fwiw - here is our weekly report - http://openstack-weekly-reports.lbragstad.com/keystone-weekly-bug-report.html
18:26:15 lbragstad: ++
18:26:59 i'm going to pick up the fernet key one - that's something i poked at recently anyway
18:27:39 #topic Outreachy program in Keystone ends today
18:27:43 samueldmq: nishaYadav: o/
18:27:47 floor is yours
18:27:49 hey
18:27:57 hey :)
18:28:01 so, nishaYadav has been working with us in the last couple of months
18:28:12 really good work by nishaYadav and samueldmq
18:28:16 we were participating in the Outreachy round (which ends today)
18:28:17 congrats
18:28:33 thanks rodrigods
18:28:35 nishaYadav has implemented functional tests in ksclient, now most of v3 managers have tests
18:28:39 rodrigods: thx
18:28:40 samueldmq: interesting, GSoC ends today too
18:28:55 besides the tests, nisha has improved the docs too!
18:29:08 it's been >30 patches merged!
18:29:15 nishaYadav: your patches were a pleasure to review (and approve!)
18:29:25 breton, yeah that's right outreachy and GSoC run in parallel :)
18:29:27 great work. It'll be running multiple times a day keeping keystone working.
18:29:31 I just would like to tell everyone the round was successful for keystone
18:29:37 that's great. looks like a success for keystone then!
18:29:38 and thanks nishaYadav for her awesome work
18:29:55 nishaYadav: thank you!
18:29:55 ++
18:29:59 nishaYadav: thanks!
18:30:09 nice work, nishaYadav
18:30:22 thanks nishaYadav!
18:30:23 keep contributing nishaYadav !
18:30:28 ^
18:30:33 thanks samueldmq for bringing this up in the meeting :)
18:30:42 thanks to everyone who helped me mentoring her .. and reviewing her work
18:30:55 #info Thank you for all your awesome work, Nisha Yadav!
18:30:56 I am glad I worked on this project.
18:31:19 there, now it'll be buried in your google results somewhere :)
18:31:22 dolphm, rderose anteaya gagehugo rodrigods thanks a lot
18:31:38 ++
18:31:42 well done
18:31:50 #topic Open discussion
18:31:59 o/
18:32:06 that's all on the official agenda - anyone have anything else for today?
18:32:10 o/
18:32:15 So...got one
18:32:16 rodrigods, can't thank you enough :D
18:32:23 <-- has an item
18:32:28 what do you think about storing quota in keystone?
18:32:37 breton, nope
18:32:41 breton, has come up many times
18:32:47 it is not the right place for it
18:32:54 every time, we've gone around the same race track
18:32:58 ayoung: separate service?
18:33:00 breton: if it's not identity related we shouldn't be involved
18:33:18 the quotas are service specific items. They don't have enough commonality
18:33:21 dstanek: it's project related (
18:33:26 you need a way to distribute them
18:33:27 breton: i'd love to see a centralized quota management service, and it could be under the identity umbrella, but i don't think keystone itself is the right service
18:33:36 I plan to keep contributing and hopefully meet you all in the upcoming OpenStack summit :)
18:33:45 it's an authorization problem, which is our wheelhouse
18:33:58 amakarov: it's not though. it's maybe a 'foreign key' to a project with service specific meaning
18:34:04 It's a billing problem
18:34:24 ayoung: turns out we own the tenants :P i mean projects
18:34:45 nishaYadav: ++
18:34:49 dolphm: ++
18:35:04 Does that make us slumlords?
18:35:20 ayoung: .. yes.
18:35:23 Heh
18:35:39 ayoung: helllords!
18:35:51 OK, so let's discuss at the summit. If we do centralized quota, we need to decide what that means
18:35:58 agreed
18:36:02 i think it's a complicated, valuable problem with its own scaling concerns, so it makes sense to me to have it as a standalone service
18:36:09 it's also something i wish someone had built 5 years ago
18:36:29 dolphm: ++ to all of that
18:37:09 anteaya: don't hold back, it's an open floor
18:37:12 OK...I have one, if we are done with that
18:37:16 ayoung: sure
18:37:26 we discussed meetbot in infra
18:37:31 Spec to ignore expiry and revocation on token validation
18:37:33 anteaya: about me breaking it?
18:37:42 it seems that it doesn't like two spaces when expecting one
18:37:47 also it is case sensitive
18:37:55 It would be an incremental step toward what jamielennox was proposing at the midcycle
18:37:57 it didn't feel it got any vote information
18:38:12 we are discussing making it case insensitive in -infra
18:38:12 https://review.openstack.org/#/c/358131/
18:38:20 feel free to share your thoughts
18:38:22 thank you
18:38:27 EOF
18:38:29 did i double space something?
18:38:42 someone did
18:38:42 the gist is this:
18:38:48 ayoung: oh - i still was intending to do that, i just had too much on directly after the midcycle to get it done for this release
18:38:50 the only case correct vote
18:39:01 ayoung: was still planning on it for early next cycle
18:39:16 we would allow, say, glance, to validate the user's token passed along with the service token, but ignore the expiry or revoke status,
18:39:19 the options were Yes and No, most folks used all lower case
18:39:19 o/ ish
18:39:29 ayoung: turns out the auth_token middleware is the hard bit, just because of the framework that's built there
18:39:31 so if Nova called Glance, we would have the mechanism
18:39:34 jamielennox, yep
18:39:43 anteaya: ah, i do wish the vote responses were case insensitive, or numbered? (which might also require a direct reply to show you what option you selected)
18:39:54 can we just sign requests from Nova to Glance? We already have x.509 authn in place
18:39:55 jamielennox, one thing I was thinking was we could first get this part working, and then optimize with bulk token validations. Bulk meaning two here
18:40:05 well it appears that making it case insensitive is on the table
18:40:12 do speak up in -infra
18:40:38 jamielennox, I thought we already had a mechanism to account for service tokens?
18:40:47 but that was why there were no results
18:41:04 ayoung: we do, but it's just treated as a separate validation request
18:41:19 breton, so...even if we did, glance still needs to validate that the user has perms to do what nova is asking on behalf of the user
18:41:28 ayoung: just the way auth_token is setup, and keystone relies on it being set up, there's no way to pass through multiple tokens at once
18:41:29 jamielennox, I think that is fine to start, then
18:41:49 ayoung: but that should be just some delicate code reshuffling
18:41:52 did we have an argument / alternative to the "Return expired tokens within a grace period" option?
18:42:00 #link https://review.openstack.org/#/c/345092/
18:42:16 we use service token for Nova, and pass the token as per normal, and glance needs the config to say "validate both, but on user pass this flag."
18:42:37 ayoung: the flag being "ignore expiration on this second token?"
18:42:51 ayoung: what if we sign a token and skip revocation for the token if it is signed
18:43:05 dolphm, this is essentially the spec for that, but didn't realize we had a review
18:43:16 i didn't realize there was a spec
18:43:17 breton, ++ that is part of it
18:43:56 dolphm: i had some code i was messing with, but its not up as i wasn't going to get it finished this cycle
18:43:56 dolphm, I think there is a need for an API change, which is why I posted the spec
18:44:20 anyway, please hack on the spec, and make the API code sane.
18:44:23 the code is pretty easy really, just needs a few different pieces in place
18:44:36 jamielennox, skipping revocation, too, please
18:44:47 henrynash still around?
18:44:48 deal with the Horizon-log-out problem
18:44:51 i didn't change that
18:44:56 lbragstad: hi
18:45:04 dolphm, yes, that is the flag.
18:45:09 i wouldn't have thought we would skip revocation
18:45:18 jamielennox, yeah, I think we need to.
18:45:21 henrynash dolphm and I were poking at an issue I was having when writing tests for the credential encryption migration
18:45:32 henrynash wonder if you happen to see this at all? http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-08-22.log.html#t2016-08-22T17:49:58
18:45:39 wondering*
18:45:50 this thread also popped up on the mailing list, but hasn't gotten any love from us yet (there's no [keystone] in the subject line, so i'm assuming a lot of people missed it)
18:45:59 #link http://lists.openstack.org/pipermail/openstack-dev/2016-August/102012.html [openstack-dev] Mitaka: Identity V3 status and observations using domains
18:46:02 jamielennox, if the project or role is revoked, the token should just not show those roles assigned, but an explicit revocation should be ignored, I think.
18:46:10 jamielennox: we do need to skip revocation because horizon logout is an explicit revoke
18:46:21 lbragstad: so we do run the previous (legacy) migration first...
18:46:24 which would cause things to fail
18:46:38 henrynash interesting...
18:46:39 henrynash: but that test suite does not
18:47:00 henrynash when it gets into my migration that does things to the credential table - it doesn't think it exists
18:47:18 lbragstad: ...at least that was my attempt...in fact, if we didn't then my patch would also fail (since I refer to the password table)....and this DID fail until I added the code to first migrate the legacy repo
18:47:22 which wouldn't necessarily be caught because the 001 migration is a noop
18:47:22 dolphm: i didn't even read that thread because no [] (emails without a tag get filtered out of my inbox completely)
18:47:31 notmorgan: i figured
18:48:01 henrynash did you add the code to migrate the legacy repo in your password migration patch?
18:48:06 henrynash or is that somewhere else?
18:48:16 lbragstad: look at https://review.openstack.org/#/c/357789/ ...it would fail if we didn't run the legacy migration first
18:48:18 henrynash because I'll need to probably rebase my work on that too
18:49:57 lbragstad: nope it's already in master...see lines 1532/33 of test_sql_upgrade
18:50:16 * dolphm is looking to end the meeting early ...
18:50:25 henrynash ah - the setUp of SqlExpandSchemaUpgradeTests
18:50:40 as an aside, you should do self.upgrade(self.max_version) in your test, but you should do self.upgrade(2)
18:50:50 lbragstad: henrynash: it's not a broad topic, so take it back to #openstack-keystone :)
18:50:52 #endmeeting