19:00:53 #startmeeting keystone-office-hours 19:00:55 Meeting started Tue Dec 5 19:00:53 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:56 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:00:58 The meeting name has been set to 'keystone_office_hours' 19:07:06 o/ 19:12:32 i need to get up to speed on https://review.openstack.org/#/c/522461/ 19:15:08 lbragstad: this one goes with that one https://review.openstack.org/#/c/523005/ 19:15:25 i just noticed that, too 19:15:37 getting up to speed on https://review.openstack.org/#/c/523005 first 19:17:36 aha- ok 19:17:50 nevermind, i think i was getting things mixed up 19:18:08 we should be able to remove https://review.openstack.org/#/c/523005 19:18:16 s/remove/merge/ 19:18:31 o/ 19:18:37 because it's only removing the usage of those configuration options and removing a couple things we don't need anymore 19:18:52 which can be done before we deprecate those configuration options 19:19:25 right it's just removing a function that never gets called 19:19:33 i don't understand how someone might still be using it in v3? 19:19:40 lbragstad: the memberid thing 19:20:21 approving https://review.openstack.org/#/c/523005/ 19:20:28 ensure_default_role() gets called in bootstrap which creates the _member_ role 19:20:54 that's the only place it's actually used 19:22:49 yeah - iiuc a deployment can run bootstrap and then start using the member id with v3 assignments, and not even expose v2.0 in the deployment 19:26:10 cmurphy: edmondsw boostrap was designed to be idempotent for recovery cases 19:27:23 so it could be used outside of install day activities 19:27:52 lbragstad how so? 19:28:08 what kind of recovery? 19:28:20 losing the _member_ role could be recovered from without bootstrap 19:28:39 if an admin user is deleted, i think 19:28:53 we had a commit a while back to do this, let me see if i can dig up the context 19:29:05 to cmurphy's point, I don't think this bit about _member_ would be needed for that case 19:31:53 https://bugs.launchpad.net/keystone/+bug/1647800 19:31:53 Launchpad bug 1647800 in OpenStack Identity (keystone) newton "keystone-manage bootstrap isn't completely idempotent" [High,Fix released] - Assigned to Lance Bragstad (lbragstad) 19:33:30 that specific example is for running bootstrap during an upgrade 19:33:54 maybe it's irrelevant 19:34:42 lbragstad: what would you like to see in 522461? you want bootstrap to keep creating the role? 19:35:35 i guess i wanted to make sure we didn't break anything if we wanted to remove it 19:35:44 outside of the new install case 19:35:51 my main worry is in deployment tool CI 19:36:08 i was trying to think of times bootstrap gets run outside of new-install cases 19:36:23 and i vaguely remembered that change, but it might not be relevant 19:36:31 on upgrade cases people are reading the release notes anyways 19:36:40 so they'll know if they have to do something different 19:37:37 Merged openstack/oslo.policy master: Handle deprecation of inspect.getargspec https://review.openstack.org/521979 19:43:45 Colleen Murphy proposed openstack/keystone master: Handle deprecation of inspect.getargspec https://review.openstack.org/525740 19:46:43 fwiw - we'll have a new version of oslo.policy soon https://review.openstack.org/#/c/525623/1 19:48:40 so all https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:add-scope-types should start passing 19:50:57 \o/ 19:57:39 opinion time - do we want to hold off on https://bugs.launchpad.net/keystone/+bug/1689644 until we do microversions officially? 19:57:39 Launchpad bug 1689644 in OpenStack Identity (keystone) "Keystone does not report microversion headers" [Medium,In progress] - Assigned to Rohan Arora (ra271w) 19:58:24 knikolla: you said you have something locally for https://bugs.launchpad.net/keystone/+bug/1291157 right? 19:58:24 Launchpad bug 1291157 in OpenStack Identity (keystone) "idp deletion should trigger token revocation" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad) 19:58:57 lbragstad: yes, rebased the old review, now getting it to pass tests 19:59:11 knikolla: awesome 19:59:18 knikolla: thanks for picking that up 19:59:59 lbragstad: i think that bug is not really valid, if/when we do microversions then a condition of that being done is having microversion headers 20:00:01 we can probably close out https://bugs.launchpad.net/keystone/+bug/1662623 today 20:00:01 Launchpad bug 1662623 in OpenStack Identity (keystone) "Testing keystone docs are outdated" [Wishlist,In progress] - Assigned to Lance Bragstad (lbragstad) 20:00:22 cmurphy: yeah... after all the ms discussions, i inclined to agree with you 20:00:53 i'm inclined* 20:01:29 cmurphy: close with a comment? 20:02:08 sure 20:06:40 Colleen Murphy proposed openstack/keystone master: WIP Add Application Credentials manager https://review.openstack.org/524747 20:06:40 Colleen Murphy proposed openstack/keystone master: WIP Add Application Credentials controller https://review.openstack.org/524423 20:06:41 Colleen Murphy proposed openstack/keystone master: WIP Add application credential auth plugin https://review.openstack.org/525346 20:08:17 another opinion question - what are peoples thoughts on https://bugs.launchpad.net/keystone/+bug/1642988 ? 20:08:17 Launchpad bug 1642988 in OpenStack Identity (keystone) "Optionally encode project IDs in fernet tokens" [Wishlist,Triaged] - Assigned to Jose Castro Leon (jose-castro-leon) 20:08:45 it doesn't impact API behavior 20:09:10 and it's opt in for deployers to migrate to fernet 20:09:16 (or jwt eventually) 20:10:10 i know cern has project ids that vary in format 20:10:19 is it because of the dashes? 20:10:24 yeah 20:10:34 so when the project id get reinflated 20:10:45 it gets reinflated without the dashes 20:10:51 but their backend expects it 20:11:40 s/it/dashes/ 20:13:22 so aa53ea1a-d9f8-11e7-957d-00163e88ac80 instead of abf4be76d9f811e7957d00163e88ac80 20:14:38 UUID spec says the dashes are optional right? 20:14:58 that's a good question, i'd have to check 20:16:03 seems like they could extend the token provider to handle it? 20:16:18 that was our original suggestion back to them 20:16:19 jamielennox, cmurphy lbragstad can we put oslo-context to rest? https://review.openstack.org/#/c/523650/ 20:16:43 for example - http://cdn.pasteraw.com/htn79m729bk6wuikvgkwaj96phsozsi 20:18:46 i'm not seeing whether they objected to that idea 20:19:25 i don't see KwozyMan or jose-castro-leon online either 20:19:49 ayoung: looking again 20:20:05 cmurphy, thanks. Much smaller now 20:20:26 ayoung: once we get a new version of oslo.policy - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:add-scope-types should start passing 20:20:51 lbragstad, cool. THe policy patch got approved, right? 20:21:01 oslo.policy patch? 20:21:02 yes? 20:21:03 yeah I like the token provider extension 20:21:16 ayoung: waiting on https://review.openstack.org/#/c/525623/1 20:21:32 cmurphy: gagehugo we should update the bug report then 20:21:39 lbragstad, of course.... 20:21:42 ok 20:21:59 lbragstad, needs one more +2? 20:22:12 from requirements, yes 20:22:14 i think so 20:24:48 lbragstad, I only saw a requirements-stable-core group there, but it is roughly the same set of reviewers 20:25:06 dims, can you +2 A that one 20:25:13 https://review.openstack.org/#/c/525623/1 20:25:18 ayoung: i think dims is at kubecon this week 20:25:28 participating in container-things 20:25:32 almost certainly 20:26:19 ayoung: you weighed in on https://bugs.launchpad.net/keystone/+bug/1642988 once 20:26:19 Launchpad bug 1642988 in OpenStack Identity (keystone) "Optionally encode project IDs in fernet tokens" [Wishlist,Triaged] - Assigned to Jose Castro Leon (jose-castro-leon) 20:26:36 think that is too specific to carry upstream? 20:34:10 cmurphy: wxy fwiw - i'm going to try and spend the last hour of office hours proposing the rest of https://review.openstack.org/#/c/524657/ 20:35:34 oh - actually, it looks like wxy propose a version of that specification with limit IDs 20:55:47 kmalloc: cmurphy wxy question on unified limits 20:55:58 we have registered limits and project limits 20:56:06 yeah 20:56:19 thoughts on splitting them into their own specs? 20:56:26 why? 20:56:48 well - registered limits needs to be done first regardless 20:56:48 why? 20:56:54 what cmurphy said 20:56:55 :P 20:56:57 because project limits always act as overrides? 20:57:14 do registered limits have any value if there isn't also project limits? 20:57:29 kinda the other way around IMO 20:57:39 i don't think anyone would use registered limits without project limits 20:58:09 you can't use project limits with a registered limit, at least that how i understand things 20:58:16 cmurphy, TYVM 20:58:28 ayoung: YW 20:58:52 lbragstad: you need to have a registered limit in order for the project limit to override it 20:59:06 project limits are invalid if there's nothing registered 20:59:06 oh - sorry, s/with/without/ 20:59:10 yes 20:59:11 oh yes 20:59:23 i'm bad at typing lately 20:59:26 lol 20:59:50 registered limits have to be done first yes but they're not useful without project limits 21:00:05 yeah 21:00:34 ok - so another question 21:00:42 project limits will always require a project 21:00:55 yes 21:00:56 do we put the project in the request body or the path? 21:01:13 eh, either/or 21:01:20 POST /limits/{project_id} or just POST /limits with the project id in the body 21:01:54 i think POST /limits is more rest-y? 21:01:59 * cmurphy looks up guidelines 21:01:59 cmurphy: ++ 21:02:11 the get /limits/{project_id} is the reference to the id 21:02:20 ok - that current proposal im reviewing has POST /limits with option project id in the request body 21:02:26 yeah 21:02:28 that sounds fin 21:02:29 e 21:02:32 yeah that makes sense to me 21:02:34 ok 21:02:35 cool 21:04:16 actually, the current proposal uses the project id from the request context... 21:04:21 which makes sense, too 21:06:11 that is also fine 21:06:22 but the post with the body makes more sense 21:06:36 since switching scope ... may be painful 21:06:52 especially with say... admin RBAC future looking 21:07:03 yeah i feel like it should be explicit in the body 21:09:11 anyone want to push https://review.openstack.org/#/c/524882 through (or know why that happens?) 21:16:32 cmurphy: done - and that also beats me 21:16:38 seams like a system level thing? 21:16:48 https://review.openstack.org/#/c/523524/ will close a bug 21:17:30 yeah it's something to do with the os, i wasn't able to reproduce it but it was seen in ci and by mordred 21:18:10 lbragstad: you keep linking that and i always click on it and then i'm sad i can't help :'( 21:18:18 lol 21:18:42 regardless - thanks for the review cmurphy 21:18:47 :) 21:18:57 it's the thought that counts, amiright?! 21:19:03 lol 21:20:30 lbragstad: re service_type/service_id see my and wxy's comments on https://review.openstack.org/#/c/455709/13/specs/keystone/queens/limits-api.rst 21:20:36 service_type isn't guaranteed unique 21:22:52 cmurphy: what did I do? 21:23:19 mordred: the +00:00 thing 21:23:45 ?! 21:23:55 oh - that 21:24:03 JEEZ don't even get me started on that 21:25:21 i thought services had type built into the unique constraint 21:26:10 i don't think so http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/migrate_repo/versions/067_kilo.py#n115 21:26:25 bah 21:26:41 that kinda sucks 21:27:01 http://paste.openstack.org/show/628219/ 21:28:26 * lbragstad sigh 21:32:34 it looks like i can abandon my follow on to that spec then 21:33:05 cmurphy, lbragstad: I know of at least one existing deployment with non-unique service types - as much as it drives me completely bonkers 21:33:13 I'd, of course, argue that it SHOULD be unique 21:33:40 and that people with non-unique service types are making the world a terrible place 21:34:01 * lbragstad waits for the "this is why we can't have nice things" rant 21:34:23 lbragstad: yeah i thnk all work can be done in the original spec 21:34:32 sweet 21:35:16 lbragstad: I figure everyone knows that rant by now ... 21:51:45 mordred: so.. i agree 21:51:51 unfortunately... 21:51:59 mordred: it's an API break if we change that >.< 21:52:19 mordred: i don't think many people would disagree about service-types need to be unique 22:00:03 #endmeeting