13:00:01 #startmeeting nova api 13:00:03 Meeting started Wed May 25 13:00:01 2016 UTC and is due to finish in 60 minutes. The chair is alex_xu. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:00:04 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 13:00:06 The meeting name has been set to 'nova_api' 13:00:10 who is here today? 13:00:15 hello 13:00:28 o/ 13:00:37 \o 13:00:45 though there is a plumber, so I might have to disappear at any point to deal with that 13:00:56 sdague: no problem 13:01:18 o/ 13:01:47 ok, i think we can start the meeting 13:01:56 #topic API Priorities 13:02:19 For the api-ref, looks like we already merge versions and metadata 13:02:21 o/ 13:02:23 hi 13:02:40 yeh, I need to finish servers, I will try to do that soon 13:02:55 there is still a pretty good flow of reviews coming in, I would encourage people to stay on top of them 13:03:09 http://burndown.dague.org/ - we're down to about 50% of tags left 13:03:22 good news! 13:03:49 alex_xu: did you guys decide on how to work with microversioned sample files? 13:04:14 Kevin_Zheng: i guess no, sdague do you have idea abou that? 13:04:28 Kevin_Zheng: not yet 13:04:52 OK 13:05:15 can we have both? 13:05:33 but if there are multiple the samples will be too much? 13:06:20 I think all the current ones match v2.1, I guess we could hide some newer samples, if there have been changes to the API, we test every edge, so we could have a sample for each edge? 13:06:23 Kevin_Zheng: does work with only the newest api sample file? as we marked some field only available in new version 13:06:43 I need to start poking at a few other microversion UX things in the code 13:06:57 I will try to start in on that this week 13:07:08 sdague: feels like we need to experiment with keypairs or something, to see what works 13:07:15 johnthetubaguy: yeh, agreed 13:07:24 yes 13:07:29 that's going to be largely os-api-ref work 13:07:32 sdague: cool 13:07:40 as it will include javascript that changes visibility 13:07:45 yeah, +1 13:07:59 cool~ 13:08:39 ok, so i think that is all for api-ref for now? 13:09:02 yep 13:09:08 let's move on 13:09:14 for policy discovery 13:09:19 #link https://review.openstack.org/289405 13:09:40 I saw claudio_ updated spec for show policy discovery in nova-manage 13:10:21 not sure people reviewed it. looks like it needs nova-manage to validate the user just like python-novaclient. 13:10:41 I wonder if we just pass in a keystone token for now? 13:10:44 I have not reviewed that yet, I will add it to my list 13:10:54 currently nova-manage just use a fake admin context 13:11:12 although I guess we can use that keystone lib we use elsewhere now 13:11:12 johnthetubaguy: ... will a token get us anywhere? 13:11:31 johnthetubaguy: still need to get the role of user form keystone? 13:11:44 yeah, I was thinking from the token fetch the roles, etc 13:11:48 s/form/from/ 13:11:59 we could just pass the info you get back from keystone, I guess, like the role and tenant, etc 13:12:21 johnthetubaguy: lots of token types don't include all that embedded info, you need the round trip 13:12:33 honestly, maybe this should be a dedicated tool 13:12:39 nova-policy-check 13:12:44 it does feel different to nova-manage 13:12:48 a new cmd seems cheap 13:13:00 just to keep us from doing ugly things in nova-manage 13:13:05 sdague: good idea 13:13:10 if we put in python-novaclient, sounds more easy 13:13:30 thats too end user facing, we need access to deep bits of nova 13:13:36 alex_xu: it can't really be in nova client, it needs access to nova code 13:13:47 ah, yea, forget that point 13:13:50 this tool only works on the machine where you nova api install is 13:14:05 but, yeh, let's just do it as a dedicated tool 13:14:08 yeah, that seems a reasonable assumption 13:14:23 we could make it use the same params/env variables as python-novaclient though 13:14:28 claudio_: sound reasonable to you? 13:14:32 i.e. do a full auth 13:14:43 johnthetubaguy: sure, but that's mostly about keystoneauth1 13:14:52 sdague: +1 13:15:00 is it ok just pass role manually by operator? 13:15:37 or it can't show all the worksflow for us 13:15:40 alex_xu: maybe as a follow on, lets get something more automatic first 13:15:52 sdague: ok 13:15:56 ok, who wants to provide the feedback to the spec? 13:16:24 so its open in a tab, I can do that 13:16:31 johnthetubaguy: thanks 13:17:06 #action johnthetubaguy feedback the decision on separated tool for policy discovery back to the spec 13:17:24 anything more for policy? otherwise let's move on 13:17:32 on the flip side, a bunch of the oslo.policy changes landed 13:17:43 the policy generator is still outstanding I think 13:17:53 sdague: yea 13:18:00 #link https://review.openstack.org/309153 13:18:28 right, so we need to close on that 13:18:44 yeah, we had some discussions on ops requests, but I think we got to the bottom of that now 13:18:47 ok, encourage people help on the review 13:19:03 we should also probably figure out who else on the oslo side should be engaged on review 13:19:08 dhellman has been doing a bunch 13:19:28 but seems like we want additional eyes as well so this doesn't get stalled after he's happy with it 13:20:09 good point 13:20:27 I wonder if dims is feeling keen about policy 13:20:27 maybe I'll ask dhellman about that 13:21:31 ok, so sdague just is action for you? 13:21:48 yeh 13:22:09 #action sdague to follow up with dhellman to find the right additional reviewers for oslo.policy changes 13:22:23 sdague: thanks :) 13:22:38 ok, i think we can move on 13:22:52 let talks about remove legacy v2 13:22:55 #link https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/remove-legacy-v2-api-code 13:23:09 johnthetubaguy: have concern on removing the old policy checks 13:23:37 ah, so the policy checks in compute.api.py 13:23:40 johnthetubaguy: so we expect fill the target param for the policy check? 13:23:46 they include the target 13:23:49 which is useful 13:24:12 johnthetubaguy: but those aren't work with v2.1 API, due to the skip_policy_checks flag 13:24:14 (and sdague was telling me about the operator thread on wanting to have policy based on user_id) 13:24:21 oh, oops 13:24:25 right, we skip those 13:24:36 ah, well, just take that out then 13:24:41 johnthetubaguy: right, so I think maybe we talk about this issue now though 13:24:42 s/aren't works/doesn't work/... 13:24:49 because it impacts the v2 legacy remove, a little 13:25:10 yeah, lets touch on the wider issue 13:25:20 http://lists.openstack.org/pipermail/openstack-operators/2016-May/010526.html 13:25:26 for people that haven't read it yet 13:25:28 ah, thanks, thats it 13:26:12 so its a horrible thing that arguably breaks our API semantics, but it worked before, and now it fails 13:26:16 ah, really have people using "user_id:%(user_id)s" 13:26:20 right 13:26:22 yeah 13:26:30 now, in some cases, I don't think they need it 13:26:47 people were basically just building catchall projects so they didn't have to create projects 13:26:57 because users will get autocreated from AD 13:27:07 now it turns out the DB code hard codes the tenant_id check, so most of the policy rules that check the tenant_id right now are misleading 13:27:16 but CERN has a more middle ground use case 13:27:24 though they still haven't responded with all the details 13:27:47 johnthetubaguy: right, we filter by context on project_id 13:27:54 so there is an overlap there 13:28:13 we can match the v2 api behaviour with quick fix by adding target param, then later fix on db layer hard-code. 13:28:25 I actually think that user_id: only works in a subset of calls anyway 13:28:31 because of things like this 13:28:50 alex_xu: the real question is what set of things do we do this across 13:29:01 or do we do it at all 13:29:08 I'm very on the fence 13:29:20 ok, got it 13:29:26 I am tempted to actually filter the objects we pass as a target 13:29:36 so we just pass user_id and project_id 13:29:37 and feel like we still don't really have enough details on the policy changes and use cases here 13:30:02 johnthetubaguy : sdague : there's only one in the queue - https://review.openstack.org/#/q/project:openstack/oslo.policy+is:open 13:30:03 johnthetubaguy: and change the meaning of GET /servers ? 13:30:28 dims: that's the only one outstanding, it requires a spec as well 13:30:46 dims: the oslo.policy changes are pretty compact 13:30:54 so by default there is no change in the API, it just allows people to break the API 13:31:05 johnthetubaguy: that seems... problematic 13:31:11 my thinking is we then deprecate user_id, and work out how to support those usecases another way 13:31:23 that's actually why mtreinish pushed back really hard on people testing this 13:31:27 your quota idea, could be part of that, but it feels like there are other things 13:31:53 right, so the thing is, I feel like we need a lot more engagement on the operator side to figure out those details 13:32:08 I've asked for them a few times in the ML, and really haven't seen detailed answers 13:32:09 we do, we will need to go to ops meetups with ideas and get feedback, etc 13:32:20 * dims notes mikal has oslo core privs :) 13:32:25 they seems talkative when pin them down in a room 13:32:27 johnthetubaguy: well, we need this info sooner than that 13:32:31 sdague : johnthetubaguy : will review the spec and that review today 13:32:32 * johnthetubaguy makes a note of dims note 13:32:39 dims: thank you 13:33:29 so we have lots of policy things in flux, if we get the default policy thing, we can start output warning when people have deprecated "rule params", like user_id 13:33:47 sure 13:33:54 at that point, I think we have they system by which we can sensible message to people we can remove the feature 13:34:00 it feels like we are stuck with it till then :( 13:34:02 but we will ship a release where their rules will not work at all 13:34:23 delete of v2 legacy removes all these features 13:34:34 in my head I was thinking this release, we add in the target everywhere, to smooth the transition 13:34:48 johnthetubaguy: that means it needs to be tested everywhere 13:34:57 the reason this broke is no tests 13:35:03 that's actually a pretty big effort 13:35:11 yeah, that true it is 13:35:30 so, it's definitely a spec 13:35:34 and it needs people 13:35:36 it is something I can get some of the OSIC folks to help with, I suspect, but we clearly shouldn't do that lightly 13:35:46 yeah, it needs a spec 13:36:02 can anyone see another way to dig out of this problem? 13:36:20 other than just not fixing it 13:36:39 anyways, putting a spec up gives us all time to think about it more 13:37:05 well, the other thing is to go through the details that people did and figure out much narrower targets 13:37:30 like, if this is only for server state change actions, that's one thing 13:37:41 it's like 6 actions that are probably important, and that's all we do 13:37:53 but right now it's just "we need this generically supported in policy" 13:37:55 which is huge 13:38:09 yeah, starting with server actions, adding user_id and project_id as the target, seems like a scope 13:38:23 and I only want to fix specific ones that people can't live without 13:38:35 If it can be done for just those few cases, that would be preferable 13:38:43 and try to figure out a different way around for all of them 13:38:52 hmm, OK... I just worry about the folks that haven't spoken up 13:38:55 because, server locking seems like it solves a ton of that 13:38:59 That will give time for them/us to figure out an alternative 13:39:12 johnthetubaguy: sure... but honestly, we can't just keep guessing in the wind :) 13:39:17 sdague: thats a good point, server locking does 13:39:28 you have to speak up if you want a voice 13:39:33 we are not mind readers 13:39:54 true, I was more coming from the, oops, lets follow the deprecation cycle properly 13:40:16 johnthetubaguy: well, this was never deprecated because "no one knew it was a feature" 13:40:22 but its not that clear cut, we did deprecate the code that supports all this 13:40:26 like, we litterally didn't put this code into the v3 stack at all 13:40:33 sdague: ack 13:40:38 it's effectively not existed in new code in 3 years 13:40:53 and all these calls of "please go try this" 13:41:10 kind of ignored until the week before deleting all the legacy v2 code 13:41:46 It's the downside of running Juno/Kilo 13:41:50 well its about now folks are using the thing where we made v2.1 the default, but agreed its not idea 13:41:57 when we're working on Newton 13:43:00 anyways, I am +1 getting a list of places where it matters, and just fixing that 13:43:10 johnthetubaguy: ok, how do we get that? 13:43:14 with a note saying, we need to get you off this thing 13:43:30 because my asks on the ML aren't 13:44:15 they don't seem to http://lists.openstack.org/pipermail/openstack-operators/2016-May/010531.html 13:44:20 maybe we just add a reno note about the new policy not supporting any target info, and we update the default policy to make that clear? 13:44:52 if someone comes forward with specific cases (I think we have that old patch on the bug), we consider adding it? 13:45:05 we can tell them that on the ML, and hope for the best? 13:45:38 johnthetubaguy: +1 for clarifying that on a reno, and we will be able to get real feedback/requirements 13:45:52 actually, we need to update all our docs, as it turns out we documented this as an option 13:47:24 that sounds a plan 13:47:59 johnthetubaguy: ok, do you have the action to go update those docs? 13:48:20 I think I do, yes 13:48:33 I will try find someone to own this, and help them through it 13:49:27 * alex_xu not sure how to write this action... 13:49:49 ok, johnthetubaguy can you write the action 13:49:59 I will try sort out the policy user_id mess 13:50:03 or something like that? 13:50:06 and we should make sure to revisit all old actions next meeting 13:50:13 sdague: +1 13:50:19 sdague: yea 13:50:26 #action johnthetubaguy to update policy docs to remove user_id references to server actions 13:50:34 also 13:50:48 #action alex_xu will revisit all old actions next meeting 13:50:50 :) 13:50:50 #action johnthetubaguy to reply on bug and ML about the ops issues with user_id 13:51:18 johnthetubaguy: thanks 13:51:23 i think we can move on 13:51:45 anything we want to talk about deprecation? 13:52:02 of the user_id? 13:52:53 johnthetubaguy: sorry, you mean? 13:53:10 oh, I was meaning, what bits of deprecation did you want to talk about? 13:53:37 the deprecation proxy api was merged 13:53:51 another thing is about extension 13:53:55 ah, proxy APIs, gotacha 13:54:15 i guess no update for deprecate proxy api for now. 13:54:20 and not hurry 13:54:58 sorry, i didn't get time to work out a spec for extension also. people can free to take this task also 13:55:37 if we didn't have anything for those, let jump to open? there are two opens didn't get chance last week. 13:56:27 ok...3 mins left 13:57:03 before we scoot off, just want to say this ought to be ready for review: https://review.openstack.org/300077 13:57:08 that's support for both microversion headers 13:57:10 can we talk a little about the hard-stop feature? 13:57:15 the main sticking points will be the docs 13:57:17 cdent: yea 13:57:23 Kevin_Zheng: go ahead 13:57:25 as it is hard to know what's best 13:57:49 i guess just for advertis your item... 13:57:58 https://review.openstack.org/#/c/293790/ 13:58:06 cdent: seems like the docs are failing to build right now? 13:58:10 cdent: I'll add https://review.openstack.org/300077 to my review queue 13:58:16 and suggestion docs 13:58:19 really hope this can merged, 13:58:26 johnthetubaguy: feh 13:58:29 I'll fix that 13:58:42 really close to non-priority spec freeze 13:58:44 thanks sdague 13:58:57 no worries, appreciate the extra doc entires on that one, its looking close 13:59:15 Kevin_Zheng: https://review.openstack.org/#/c/293790/8/specs/newton/approved/allow-user-defined-shutdown-for-stop.rst has some remarkable overlap to - https://review.openstack.org/#/c/234219/ shutdown_termination part 13:59:34 sorry....let's back to openstack-nova 13:59:39 #endmeeting