#openstack-meeting-alt log

16:00:19 <lbragstad> #startmeeting keystone
16:00:20 <openstack> Meeting started Tue Jun 19 16:00:19 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:23 <cmurphy> o/
16:00:24 <openstack> The meeting name has been set to 'keystone'
16:00:28 <hrybacki> o/
16:00:32 <lbragstad> #link https://etherpad.openstack.org/p/keystone-weekly-meeting
16:00:36 <lbragstad> agenda ^
16:00:40 <gagehugo> o/
16:00:45 <wxy|_> o/
16:00:52 <lbragstad> ping ayoung, breton, cmurphy, dstanek, gagehugo, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, spilla, aselius, dpar, jdennis, ruan_he, wxy, sonuk
16:01:06 <knikolla> o/
16:01:26 <knikolla> i'll be mostly lurking as I'm in another meeting
16:01:50 <lbragstad> we have a lot to talk about today
16:02:09 <lbragstad> we'll give folks another minute or two though and then get started
16:03:21 <lbragstad> #topic announcements
16:03:27 <lbragstad> real quick
16:03:36 <lbragstad> if you haven't seen yet, we're starting to get a bunch of things in flight
16:03:56 <lbragstad> (e.g. default roles, unified limits, capability lists, mfa receipts)
16:04:12 <lbragstad> plenty of things to review if you're looking for something
16:04:53 <lbragstad> since I don't see kmalloc yet, we'll wait for him before jumping into the unified limits topics
16:05:05 <lbragstad> hrybacki: do you want to go through your topics in the mean time?
16:05:21 <hrybacki> sure
16:05:24 <lbragstad> #topic Ensure default roles breaking folks
16:05:47 <hrybacki> So, I more or less wanted to ask if we should review ^^
16:05:54 <lbragstad> #link https://review.openstack.org/#/c/572243/ default roles implementation
16:06:14 <hrybacki> it sounds like lbragstad has been working with folks from sahara/horizon to resolve the breakages
16:06:26 <lbragstad> #link https://review.openstack.org/#/c/576056/ proposed revert
16:06:28 <cmurphy> so is this just breaking the gate or is this going to affect users?
16:06:55 <hrybacki> cmurphy: that's hard to say. Role implications concern me a bit more now
16:07:08 <lbragstad> from what i've been seeing, it's mostly breaking on tests/infrastructure that makes assumptions about role names and casing
16:07:23 <cmurphy> but users could also be making those assumptions
16:07:27 <lbragstad> sure
16:07:28 <hrybacki> right
16:07:54 <hrybacki> I'm concerned that folks won't read the release notes, run the bootstrap, and have some implied roles they did not anticipate
16:08:18 <lbragstad> to be fair, we can only protect against that kind of stuff so much IMO
16:08:19 <cmurphy> we can't help people who don't read the release notes
16:08:31 <hrybacki> but I have no idea how to research that. Is it generally accepted that people do read them / it's on them if they dont?
16:08:40 <hrybacki> okay
16:08:57 <tosky> related question: was this change on openstack-dev with the [all] tag in the email?
16:08:57 <hrybacki> well that puts me at ease. Thanks for the push for more verbose reno cmurphy lbragstad
16:09:03 <lbragstad> it's helps protect us (as bad as that sounds?)
16:09:22 <cmurphy> i'm not worried any more about surprise implied roles, but i'm worried this bug with the duplicate role name is going to hit people
16:09:53 <cmurphy> tosky: no, i don't think we anticipated it breaking people's CI
16:10:04 <lbragstad> tosky: the approach and specification detailing all of this work has been socialized on the mailing lists since the Denver PTG last year
16:11:02 <tosky> lbragstad: with the [all] tag?
16:11:11 <lbragstad> tosky: no - we didn't use the all tag
16:11:20 <lbragstad> if i would have expected these types of issues i would have
16:11:26 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-dev/2018-May/130207.html
16:11:56 <tosky> please don't take it as what's not (it's just a statement), but when something changes in keystone it's pretty much going to hit someone
16:12:02 <tosky> just a fact
16:13:33 <kmalloc> o/
16:13:33 <hrybacki> lbragstad: that's all I had for that topic
16:13:51 <cmurphy> well what's the plan though?
16:13:55 <cmurphy> roll back? or?
16:13:56 <lbragstad> ^
16:13:59 <gagehugo> are we doing the revert, or does the list of changes fix it?
16:14:01 <lbragstad> IMO we have two options
16:14:11 <lbragstad> 1.) roll back and implement case sensitivity for roles
16:14:21 <lbragstad> 2.) push forward and help clarify assumptions about role names
16:14:58 <hrybacki> I thought implementing case sensitivity for role names wasn't an option?
16:14:59 <cmurphy> i'm in favor of 1 but i wonder if that will also break people
16:15:05 <cmurphy> yeah
16:15:13 <lbragstad> it could, it's also going to be involved
16:15:24 <cmurphy> what a mess
16:15:26 <kmalloc> hrybacki: it isn't if the behavior is already case-insentivie
16:15:40 <lbragstad> and if we take that approach with role names, we also have to take it with project names and user names, etc.....
16:15:56 <tosky> so far, was the fact the roles were not case-sensitive documented somewhere?
16:16:16 <kmalloc> tosky: documented or not, behavior is our API contract
16:16:21 <lbragstad> it's a behavior across keystone API - it's not specific to role names
16:16:29 <kmalloc> and we should document it as well.
16:16:39 <kmalloc> but changing behavior outside of a security issue is mostly off the table
16:17:05 <kmalloc> (if we had all our expected behaviors documented more clearly, it would be a different thing)
16:17:08 <lbragstad> ok - so sounds like we have an action item
16:17:20 <hrybacki> well if it is an option to enforce the existing behavior across the board I'm a fan
16:17:43 <kmalloc> FTR: In names for things, i like case preserving, but case-insensitive
16:17:49 <kmalloc> in APIs.
16:17:57 <lbragstad> keystone consideres POST /v3/projects {name: Foobar} and POST /v3/projects {name: foobar} a 409
16:18:12 <kmalloc> because representing AUser and Auser and auser and auSer as all different things is somewhat painful
16:18:15 <kmalloc> UX wise.
16:18:39 <kmalloc> (not going to argue posix-isms though)
16:18:44 <cmurphy> lbragstad: is that dependent on your database backend? or is it always?
16:18:55 <gagehugo> kmalloc ++ on case preserving & case insensitive
16:18:59 <lbragstad> i tested it with mysql
16:18:59 <tosky> fine as documenting and forcing this, but consider that as a user I never realized this non-case-sensitivness of Keystone
16:19:04 <lbragstad> i'm not sure about other backends
16:19:11 <kmalloc> cmurphy: it is... default behavior in mysql.
16:19:14 <kmalloc> it *could* be changed.
16:19:19 <tosky> I've frequently seens and described roles like Member and member, with code to distinguish between both
16:19:24 <tosky> so this will be a surprise for many people
16:19:27 <cmurphy> tosky: as a maintainer i didn't realize it either ;)
16:19:36 <tosky> oh
16:19:57 <kmalloc> we would need to swap to varbinary or binary vs varchar etc to ensure case-sensitivity
16:20:15 <lbragstad> does anyone want to take a shot at writing up a doc patch for our API reference to clarify these bits (for all name resources not just role names)
16:20:15 <kmalloc> i am unsure about non-MySQL RDBMS varbinary vs varchar
16:20:52 <kmalloc> or we could change collation
16:20:59 <cmurphy> kmalloc: yeah i'm concerned that different database backends will cause different api behaviors
16:21:10 <kmalloc> e.g. utf8mb4_0900_as_cs
16:21:17 <kmalloc> but that is also MySQL-specific.
16:21:30 <lbragstad> ^ that is the suggestion i've been stumbling across a lot
16:21:58 <lbragstad> but it's operator specific, isn't is?
16:22:11 <kmalloc> you can define the column with a collation
16:22:35 <lbragstad> ah - so a migration at the very least
16:22:37 <kmalloc> we could also encode something like that via our queries (will need to look into it) through the ORM
16:23:11 <lbragstad> we could also implement this in business logic
16:23:23 <lbragstad> (trying to remove ambiguity based on the backend being used)
16:23:51 <kmalloc> for case-preserving but case-insensitive across all backends, we will need to do something like "lookup-name" and "display-name"
16:24:04 <kmalloc> where we lower(lookup-name)
16:24:07 <lbragstad> but that could still be considered backwards incompatible if someone is using a backend that supports case sensitive names
16:24:39 <kmalloc> i'm ok with backwards incompat for "this is crazypants"
16:25:00 <kmalloc> we're solidifying behavior (closest aligned with current "general" behavior)
16:25:29 <lbragstad> we also have stuff like this in our tests - which is misleading https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_backend_sql.py#n296
16:25:36 <lbragstad> #link https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_backend_sql.py#n296
16:26:02 <cmurphy> well user is special because ldap right?
16:26:11 <kmalloc> ftr, looks like PGSQL is case-sensitive by default for string comparison
16:26:12 <kmalloc> s
16:26:19 <lbragstad> but that looks like a sql specific test (given it's location)
16:26:23 <kmalloc> unless you explicitly lower() in the query.
16:26:43 <lbragstad> and we do the same thing for projects https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_backend_sql.py#n310
16:27:01 <cmurphy> lbragstad: i assume that's because we want to enforce the same behavior between sql and ldap backends
16:27:24 <cmurphy> did we used to allow ldap as a project backend?
16:27:31 <kmalloc> cmurphy: long time ago
16:27:33 <lbragstad> a long time ago we did - i think
16:27:40 <cmurphy> so that's probably where that's from
16:27:54 <lbragstad> i pulled up the commit - it was merge like four and a half years ago
16:27:55 <kmalloc> cmurphy: used to be IDENTITY+ASSIGNMENT was one backend, then we still allowed LDAP assignment, then we split resource/killed ldap assignment
16:28:26 <kmalloc> keystone used to have a single driver (barring token) back in... folsom?
16:28:30 <kmalloc> essex
16:28:41 <lbragstad> yeah
16:28:43 <kmalloc> all or nothing.
16:28:52 <kmalloc> ok so.
16:28:58 <kmalloc> i think the options are:
16:29:11 <kmalloc> 1) Force Case Insensitivity across all backends [somehow]
16:29:20 <kmalloc> 2) Force Case Sensitivity across all backends [somehow]
16:29:27 <kmalloc> 3) Revert change.
16:29:40 <kmalloc> 4) document inconsistent behavior based upon backend and clarify what we expect
16:30:17 <lbragstad> we know this had issues with various projects CI
16:30:27 <lbragstad> but what's the worst case for end users
16:30:29 <kmalloc> fwiw, we cater to MySQL. I am ok with forcing Case Insensitivity since that is our test-bed.
16:30:31 <cmurphy> I lean toward 4 I think, the more I think about it the more I think that attempting to recreate the member and/or Member role is more going to be a CI problem than a regular user problem
16:30:49 <kmalloc> i less ok with 2 and 3.
16:30:54 <cmurphy> and if they do try to recreate it then it 409s and no harm done
16:31:01 <lbragstad> ++
16:31:03 <kmalloc> i think 4 is going to happen in either case - documentation expansion.
16:31:09 <cmurphy> sure
16:31:27 <lbragstad> worst case a deployer already has Member and hrybacki already accounted for that in the patch that implements this
16:32:00 <cmurphy> right, bootstrap itself isn't 409ing right? it's just the openstack role create Member afterward that does?
16:32:07 <lbragstad> correct
16:32:21 <lbragstad> we try/except role creation in bootstrap to explicitly handle conflicts
16:32:46 <lbragstad> #link https://git.openstack.org/cgit/openstack/keystone/tree/keystone/cmd/bootstrap.py#n120
16:33:31 <kmalloc> bootstrap is way smarter about that than it needs to be.
16:33:33 <cmurphy> what's up with this though https://review.openstack.org/#/c/576163
16:33:35 <hrybacki> lbragstad: but is that case insensitive? It attempts to pull the role based on role name 'member' not 'Member'
16:33:37 <kmalloc> but it works to our benefit there.
16:33:40 <cmurphy> why are those ones case sensitive?
16:34:02 <kmalloc> cmurphy: JSON is case preserving.
16:34:11 <kmalloc> and clients/etc all look for case
16:34:29 <kmalloc> so Member and member match in MySQL String Comparison
16:34:35 <lbragstad> https://launchpad.net/bugs/1777359
16:34:36 <openstack> Launchpad bug 1777359 in OpenStack Dashboard (Horizon) "Unable to create a project from horizon on devstack" [Undecided,New] - Assigned to Lance Bragstad (lbragstad)
16:34:39 <kmalloc> but anything in python wont match Member and member
16:34:55 <lbragstad> frickler asked me to make some additional changes there so that the names were consistent
16:35:36 <kmalloc> this is pushing me towards needing to support case [in]sensitivity directly in keystone
16:36:12 <lbragstad> that sounds like a long term direction thing
16:36:14 <kmalloc> and ... based upon emitting data (API) behavior, we might want to do case sensitive (wince) because we can't just lower() all names on output without potentially breaking a lot of things.
16:36:29 <lbragstad> that we should apply in our api consistently for all resource names
16:37:19 <kmalloc> and that is a migration to apply that, basically swap varchar -> varbinary or add collation to the queries
16:37:46 <kmalloc> initially we can just document.
16:38:16 <kmalloc> but i think we're going to need to be consistent in string matching not just let the DB be "smart enough" [and change behaviors]
16:38:48 <lbragstad> #action gagehugo to propose a patch that clarifies the behavior with resource names and SQL-based deployments
16:38:59 <lbragstad> (gagehugo volunteered in -keystone)
16:39:02 <gagehugo> lol
16:39:08 <gagehugo> yeah we should document regardless
16:39:28 <cmurphy> ++
16:39:44 <kmalloc> #action spin up bug/task[trello] to work on long-term alignment on case-[in]sensitivity within our API (names/other filters specifically)
16:39:53 <lbragstad> any other action items we need to deal with at the moment?
16:39:55 <lbragstad> kmalloc: ++
16:40:10 <lbragstad> tosky: is there anything you'd like to see in addition to those?
16:40:56 <tosky> it looks fine, thanks
16:41:19 <tosky> (and of course please the support for people trying to understand what to fix and how to fix it)
16:41:53 <lbragstad> i'll send a post with [all] today
16:41:59 <lbragstad> to the -dev mailing list
16:42:43 <lbragstad> let's circle back to the first topic quick if no one has anything else on this specific topci
16:43:15 <lbragstad> #topic Unified Limits Update
16:43:37 <lbragstad> kmalloc: raised some concerns about unified limits last week, and thought it would be good to go through them as a group
16:43:54 <lbragstad> that way we're all on the same page as far as the plan forward goes
16:44:07 <kmalloc> ok
16:44:26 <kmalloc> if you look at the agenda there are some recommended and required changes for the limits backend
16:44:46 <kmalloc> based upon my understanding after talking it through with lbragstad
16:45:09 <kmalloc> 1) we need to index columns we are matching/searching on (e.g. "name") otherwise it gets really ugly
16:45:37 <lbragstad> to level set, we have two different tables, one for registered limits and the other for project-specific limits
16:46:00 <kmalloc> 2) a FK on a column that is not unique (very mysql-specific, in fact innodb-extension specific, doesn't work on other backends) means that any value in the column that matches is sufficient for the FK.
16:46:32 <kmalloc> right now, we have name being non-unique and have a very complex FK between three columns to avoid conflicts.
16:47:10 <kmalloc> my recommendation is go for data normalization: and eliminate duplicated data in the limit table, and FK to a specific registered_limit
16:47:24 <kmalloc> instead of FK across to name, service, region[optional]
16:47:30 <kmalloc> and duplicate the storage
16:48:03 <kmalloc> the big change to the backend code is that the registered_limit would need to be looked up (based upon name, service, region) to find the right PK to use as the FK target in the limit table
16:48:17 <kmalloc> in the etherpad i gave an example of a potential "new" limit model
16:49:11 <kmalloc> and when we do the limit lookup, we do the SQLAlchemy joined load, and just build the ref from the registered limit (service_id, region, etc).
16:49:58 <kmalloc> and override to_dict and make the model super smart on finding the right registered limit
16:50:07 <kmalloc> for from_dict.
16:50:12 <kmalloc> i know... this is super dense.
16:50:39 <kmalloc> this is getting into something it took lbragstad and I 30-40 mins via video to hammer out the behaviors and potential issues.
16:50:58 * cmurphy trusts kmalloc is right
16:51:15 <wxy|_> ++
16:51:26 <lbragstad> i think this will be good for performance in the long run, too
16:51:27 <kmalloc> but tl;dr - we need indexes. we can also eliminate duplicated data and simplify the models with some in-code changes/model smarts.
16:51:58 <kmalloc> i've tagged each item as recommended/required. the only absolutly required thing is adding indexes
16:52:07 <kmalloc> the really hard part: data migration.
16:52:14 <lbragstad> wxy|_: already has a patch up that starts this (thanks!)
16:52:20 <wxy|_> https://review.openstack.org/#/c/576025 here is a WIP patch for the Recommendation. the Index, sql model and manage logic are still missing.
16:52:21 <cmurphy> not duplicating sounds like a win
16:52:30 <kmalloc> the simplest solution if we break apart and re-make the tables, drop all current data
16:52:37 <kmalloc> and just create a new set of tables
16:52:42 <hrybacki> #link https://review.openstack.org/#/c/576025
16:52:44 <kmalloc> this is expirmental
16:52:51 <wxy|_> the schema change is most done.
16:52:55 <kmalloc> it is pretty much ok to do that.
16:53:08 <kmalloc> but i'm also ok with preserving data if we cna migrate cleanly
16:53:16 <kmalloc> wxy|_: you're doing an awesome job on this :)
16:53:26 <lbragstad> ++
16:53:39 <cmurphy> it's experimental but dropping all data sounds like an overextension of the definition of experimental
16:53:46 <wxy|_> kmalloc: lbragstad: really thanks for the recommendation.
16:53:49 <kmalloc> i am also going to spin up a change to prevent new tables from having uuid PK columns.
16:53:59 <kmalloc> unless there is a specific override set.
16:54:27 <kmalloc> this change would have been a lot less painful if we also didn't need to change the PK.
16:54:48 <kmalloc> (we don't, but uuid pks are bad(tm))
16:55:25 <kmalloc> anyway. in short, please review wxy's change. come bug me if you need insight into what we're doing and why
16:55:38 <kmalloc> and can't divine it from the code changes.
16:56:11 <cmurphy> kmalloc: maybe you could write up a little guidance on why no more uuid pks in https://docs.openstack.org/keystone/latest/contributor/ ?
16:56:21 <cmurphy> so we don't keep making the mistake
16:56:34 <kmalloc> sure. i'll also cover it in the error that is generated when a table is added with a uuid pk
16:56:51 <cmurphy> ++
16:56:52 <lbragstad> we should walk through options for the migration though
16:57:18 <lbragstad> and vet any options we have other that 'truncate limit; truncate registered_limit;'
16:57:29 <lbragstad> s/that/than/
16:57:31 <kmalloc> sure.
16:57:55 <lbragstad> whatever comes out of that discussion will be good context to include for justificiation
16:58:01 <kmalloc> data migration is going to be ugly regardless.
16:58:03 <lbragstad> (i've never done this before)
16:58:04 <cmurphy> create new tables; copy data ; drop old tables; rename tables?
16:58:27 <kmalloc> pretty much
16:58:28 <lbragstad> ^ that's the approach we usually take
16:58:35 <kmalloc> or: create new table, reference new table
16:58:41 <kmalloc> eventually drop old table
16:58:47 <lbragstad> (two minutes remaining)
16:59:10 <lbragstad> we can continue this in -keystone, too
16:59:56 <lbragstad> hrybacki: sorry we didn't get back around to your last topic
17:00:03 <hrybacki> no worries lbragstad
17:00:15 <lbragstad> is that something we can cover next week?
17:00:22 <lbragstad> or is it time sensitive?
17:00:29 <hrybacki> yeah, it can wait
17:00:32 <lbragstad> ok
17:00:35 <hrybacki> or I'll bring it up in channel as needed
17:00:39 <lbragstad> i appreciate the time everyone
17:00:43 <lbragstad> #endmeeting