19:00:06 #startmeeting office-hours 19:00:07 Meeting started Tue Jul 11 19:00:06 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:09 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:00:11 The meeting name has been set to 'office_hours' 19:00:54 o/ 19:01:00 o/ 19:01:13 ok everyone, office hours! turn on the music, order pizza, party time :P 19:13:52 Matthew Edmonds proposed openstack/keystone master: fix assert_admin https://review.openstack.org/482359 19:14:36 Eric Fried proposed openstack/keystoneauth master: Make Discover.version_data accept null max_version https://review.openstack.org/482250 19:15:30 morgan: i agree! 19:18:13 lbragstad, https://bugs.launchpad.net/keystone/+bug/1703666 19:18:15 Launchpad bug 1703666 in OpenStack Identity (keystone) "Templated catalog does not handle multi-regions properly" [Undecided,New] 19:18:31 I failed a bit at the markup :D 19:19:29 Wish you could preview before you posted a bug 19:19:53 go ahead and edit it :) 19:19:59 eandersson: you should be able to edit the description 19:20:10 Oh lol 19:21:07 Is there markup for code? 19:21:27 eandersson: unfortunately no 19:25:32 o/ 19:25:54 I was looking at https://bugs.launchpad.net/keystone/+bug/1702211 yesterday, it's an odd bug 19:25:55 Launchpad bug 1702211 in OpenStack Identity (keystone) "test_password_history_not_enforced_in_admin_reset failed in tempest test" [Undecided,Confirmed] 19:27:55 Merged openstack/keystoneauth master: Fix _run_discovery caching https://review.openstack.org/481754 19:29:04 catching up on meeting logs 19:29:12 Erik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog https://review.openstack.org/482364 19:29:54 samueldmq: lbragstad the sample dsta script was useful for having data to work with without having to set up a devstac 19:30:14 but i don't feel strongly about getting rid of it 19:30:24 i always devstack now 19:31:07 gagehugo: interesting - was that a timing issue? 19:31:27 cmurphy: yeah - i'm in the same boat for the most part :-/ 19:32:05 lbragstad, no idea. either that or maybe some weird race condition 19:32:48 from the frequency log that mriedem posted it looks like it started failing on 07/01 19:34:11 Lance Bragstad proposed openstack/keystone master: WIP: Implement global role assignments https://review.openstack.org/481781 19:47:05 Matthew Edmonds proposed openstack/keystone master: don't validate trust in policy https://review.openstack.org/482190 19:51:35 here's a patch that closes a bug https://review.openstack.org/#/c/470425/16 19:54:21 * cmurphy is home and ready to officehours 19:54:34 \o/ 19:54:40 lbragstad: did you see my comments on that one? 19:54:45 it doesn't fix the bug 19:54:56 cmurphy: https://review.openstack.org/#/c/470425/16 ? 19:55:08 lbragstad: ya 19:55:13 cmurphy: checking 19:56:38 why is it only the token header gets trimmed? seems like all headers should get the same treatment 19:57:04 also, you'd expect the web server would handle fixing up the request. 19:58:03 i have no idea 19:59:05 i could be totally wrong, maybe edmondsw_ could test it to see if it actually solves his problem 20:00:07 cmurphy I'll try to do that 20:01:25 I've got 4 policy-related bug fixes out for review if anyone wants me to give pointers to them 20:03:09 bknudson: yeah - that's a good point 20:03:26 edmondsw_: i just started reviewing https://review.openstack.org/#/c/482142/ 20:05:16 lbragstad tx. The really bad one is https://review.openstack.org/482359 20:11:32 Matthew Edmonds proposed openstack/keystone master: remove default rule https://review.openstack.org/482164 20:11:37 lbragstad: i'm going to propose a deprecation of the template catalog and (hopefully) a YAML-based one to replace that is actually tested... 20:11:55 lbragstad: that is based upon convos yesterday 20:12:29 morgan: it sounds like eandersson is using the templated catalog 20:13:48 right, hence the yaml replacement 20:14:12 morgan: so what exactly would we be deprecating? 20:14:19 the current templated one 20:14:28 there would be a new one, that is named something else 20:14:28 what format is that in? 20:14:45 er - does it have a format? 20:14:46 the current one is basically write out a json doc and we replace some stuff in it 20:14:52 it's not formatted really. 20:14:59 ah 20:15:04 it is terrible 20:15:16 that makes sense 20:16:06 I think we still need to support replacement since swift puts the project in the URL? 20:16:16 that is the plan 20:16:20 morgan: since eandersson is currently relying on it - i want to make sure that coordination happens 20:16:33 just going to make the input enforced. 20:17:04 expect regions, etc all in a yaml format that would be similar to the current in-db model 20:20:40 morgan: does eandersson on board with the deprecation of the existing templated catalog? 20:20:48 dunno 20:20:51 s/does/is/ 20:20:54 he was part of the convo esterday 20:21:17 it will be much better with something that is actually using the same mechanisms as the DB to render 20:21:34 the current templated catalog is ... frightening. 20:22:19 there is also https://github.com/openstack/keystone/blob/0731dab01a5d2da9650b67ebe8b91e825795c0ba/keystone/catalog/backends/templated.py#L244-L297 20:22:34 those will mostly be the same 20:22:44 this is a FS based catalog 20:22:53 no writes allowed, CMS is there to do that job 20:23:29 that makes sense 20:23:56 i mean... we *could* support writes... but lets not do that silly thing 20:29:56 yes - for sure we should deprecate it 20:30:06 and if needed replace it with a better alternative 20:30:41 lbragstad, can't we just remove those overrides, as they are already implemented in the base class? 20:31:05 e.g. https://github.com/openstack/keystone/blob/0731dab01a5d2da9650b67ebe8b91e825795c0ba/keystone/catalog/backends/base.py#L378 20:32:04 eandersson: i don't see a problem with that 20:32:18 we take that approach elsewhere in keystone 20:32:30 you can't remove with them being abstract 20:32:40 you must redefine abstract methods on the subclass 20:32:41 lbragstad cmurphy was right, https://review.openstack.org/#/c/470425/16 doesn't fix the bug 20:32:56 edmondsw: that code looked suspect 20:33:00 Eric Fried proposed openstack/keystoneauth master: Update docs and add a release note https://review.openstack.org/477566 20:33:12 lbragstad, Yea I agree, but not all of them are implemented at the moment 20:33:32 (sorry defined, obviously not implemented) 20:33:35 basically... don't send the /r /n etc in headers... you will be sad 20:33:51 ya...found a few sources saying just don't do that 20:33:56 cmurphy: ++ 20:33:58 morgan yeah, but when a customer does that... 20:34:11 edmondsw: you point them at the docs in curl saying "yeah don't" 20:34:18 edmondsw: removed my +1 accordingly 20:34:20 morgan it was odd that neutron worked fine and keystone didn't 20:34:28 edmondsw: apache makes a difference 20:34:41 is it a bug then? 20:34:44 unlikely 20:35:34 morgan :) sure but it was a really hard to pin down issue... wasn't obvious they had the /r in the header unless you're an awk god 20:35:42 heh 20:37:00 morgan I don't think it's an apache thing, actually... the neutron curl command was targeted at an apache reverse proxy 20:37:10 ah 20:37:22 eandersson: are you using the templated catalog backend? 20:37:30 s/are/aren't/ 20:37:44 edmondsw: morgan my test reproduced it with just uwsgi 20:38:04 ah 20:38:06 *shrug* 20:38:21 cmurphy yeah, I'm not sure why the author of this test isn't just reproducing the problem and then testing their fix against it until it actually fixes it 20:38:27 s/test/fix/ 20:38:36 I am yes 20:38:51 edmondsw: yeah :/ 20:39:16 eandersson: i'm just wondering why you wouldn't be opposed to deprecating and removing it then 20:39:50 unless i'm missing something obvious 20:40:00 I'll rather move over to sql 20:40:10 and we are not going to pike anytime soon 20:40:32 So we would have to stick with the semi-functional templated implementation for too long 20:41:09 morgan cmurphy edmondsw: I'll ping kaerie about it 20:41:22 gagehugo tx 20:41:42 Moving to a yaml based variant would be an alternative, but we couldn't really go there unless we backported that to Mitaka, or maybe Newton/Ocata. 20:42:15 I can mess around with it too after I take a look at this random failing tempest test 20:42:40 eandersson: right, but you might be able to backport the code yourself. 20:42:42 for your install 20:42:45 until you move to pike 20:43:00 Yep - that is for sure an alternative 20:46:41 It just makes more sense for us to go move to the production ready alternative. 20:47:12 eandersson: morgan so - let's recap the options for the templated catalog backend 20:47:33 1.) formally deprecate it for removal 20:47:58 2.) support it in a well known format (like yaml) 20:49:18 yep 20:49:34 is that it? 20:50:40 i guess there would be a 3rd option 20:51:25 3.) perform option 1, deprecating all existing templated catalog stuff and start fresh with option 2 introducing a new backend for YAML officially 20:51:39 so - maybe option 3 is actually option 2 just spelled out 20:52:06 Nr 3 is what I would recommend as well 20:57:44 option 3 was what i was planning 20:57:53 i certainly wouldn't be opposed to #3 if someone is willing to do the work 20:58:00 it isn't a ton of work 20:58:13 i have to grab my laptop, ... anyway 20:59:39 it sounds like we're in agreement that deprecation of the existing templated catalog is in order 21:04:33 having fun writing tests for the multi-region patch 21:05:51 not sure how to handle attributes 21:06:18 > v3_catalog[service_type][attr] = value 21:07:36 guessing the endpoint should have the id? 21:08:10 it should be consistent with what the sql implementation does with the exception of write operations 21:08:57 edmondsw: i'm missing the bit here at line 202 - https://review.openstack.org/#/c/482359/2/keystone/common/authorization.py 21:09:13 edmondsw: the patch ends up doing the same thing as before, right? 21:09:39 the action ends up being `identity:` right? 21:10:11 lbragstad if you call check_protection, yes... but if you call assert_admin, no 21:10:49 lbragstad the places that use check_protection expect that to be added... the places that call assert_admin don't 21:11:14 oh - line 130 21:11:28 yep, 129 21:11:43 oh, right, 130 on the new file 21:15:17 edmondsw: how'd you stumble across this? 21:15:23 edmondsw: testing a custom policy? 21:16:17 lbragstad digging into why tests failed for https://review.openstack.org/#/c/482164/ 21:17:03 which I had proposed after digging into and proposing https://review.openstack.org/482142 21:17:53 which was a result of reviewing our customized policy changes for pike and noticing that didn't look right 21:18:09 https://review.openstack.org/482190 also came out of that as well 21:18:15 lbragstad so it was quite a chain of events 21:18:55 I'm quite happy to be fixing a 4 year old defect with that last one... 21:19:42 so - correct me if i'm wrong 21:20:05 but https://review.openstack.org/#/c/482359/2 will be tested by default once https://review.openstack.org/#/c/482164/2 merges? 21:22:13 lbragstad yes... once there's no default rule, that can't hide issues like this 21:22:42 because identity:admin_required didn't exist and was getting caught by the default - which ended up having the same result 21:23:08 lbragstad exactly 21:23:14 hmmm tricky 21:23:16 yep 21:23:28 I think we may also need to merge https://review.openstack.org/482142 before the default rule is removed 21:23:41 s/may // 21:24:05 but I can't base https://review.openstack.org/482164 on multiple changes 21:24:06 edmondsw: yeah - that one looks good 21:24:09 So there is a second bug with templated - the endpoint id is used as the id for the service 21:24:29 which is an expected bug 21:24:38 edmondsw: since a policy is changing, a release note would make sense i think, would you agree? 21:24:49 lbragstad I'm adding a rel note 21:25:08 lbragstad do you think it should be a security or fixes note? 21:25:40 well - the default is still in place and that's true for all previous releases, right? 21:26:43 Monty Taylor proposed openstack/keystoneauth master: Add paragraph clarifying major and micro versions https://review.openstack.org/482710 21:26:46 edmondsw: can you walk me through the case where it *should* be considered a security issue? 21:27:26 lbragston see breton's comments in the bug 21:27:36 lbragstad ^ 21:27:47 not sure what my fingers were doing there :) 21:28:54 oh - so it would be considered a security issue if the deployer relaxed the default 21:29:25 but didn't realize they were also relaxing get_identity_providers 21:29:30 hmm 21:34:32 lbragstad yeah... I'm inclined to put it in the security section of the rel notes, but not backport anything 21:35:01 lbragstad I should probably also add a rel note to the change removing the default rule 21:35:02 so - policy in code has only been effective for pike 21:35:32 lbragstad yes, but the typo for identity:get_identity_providers goes back to the default policy.json file we shipped in past releases 21:35:33 so - if someone wanted to "backport" the fix it would consist of correcting their policy operation 21:36:09 lbragstad: deprecation patch about to be posted (catalog) 21:36:14 lbragstad right, the backport would be to update the default policy.json file and/or to change the code to look for the typo version... neither of which I like 21:36:19 i should have a yaml-loading catalog in a couple hours as well. 21:36:35 morgan: awesome - thank you 21:36:38 cc eandersson ^ 21:36:40 taht's really an or, not an and/or 21:36:58 edmondsw: so the options are 21:37:07 1.) backport the default that corrects the type 21:37:10 typo* 21:37:23 2.) correct the code to look for get_identity_providers (which breaks conventions) 21:37:33 i agree in that option 2 seems like the wrong approach 21:37:42 but what's wrong with option 1? 21:38:01 You'll probably have that done before I get working unit tests working for this lol 21:38:16 lbragstad I don't know that #1 really helps anyone 21:38:37 lbragstad if you've already customized policy, you're not going to take a new default policy.json file and apply it 21:38:39 is there a negative side-effect outside of that? 21:38:48 if you're not customizing policy, then things are already working ok 21:39:05 what about consuming a new release note proposed to stable/ocata and stable/newton? 21:39:07 lbragstad probably not... 21:40:04 lbragstad we could certainly propose patches to the stable releases that a) updates the policy.json to fix the typo and b) adds a rel note warning about the issue 21:40:26 edmondsw: that would at least flag things to deployers that read release notes 21:40:30 Morgan Fainberg proposed openstack/keystone master: Deprecate the templated catalog https://review.openstack.org/482714 21:40:40 lbragstad that read release notes long after the release :) 21:40:43 how they apply that change is obviously up to them - but at least they'd know 21:40:43 lbragstad: ^ very simple patch. 21:41:09 edmondsw: true - it's more or less only for following procedure ;) 21:41:14 Matthew Edmonds proposed openstack/keystone master: fix identity:get_identity_providers typo https://review.openstack.org/482142 21:41:19 lbragstad I'm fine with it 21:41:29 edmondsw: ok - i'll update the bug report then 21:41:30 lbragstad ^ that adds a rel note 21:46:00 Writing tests for this is going to require a lot more fixes than what I did :p 21:47:00 since this is being back-ported from the v2 catalog, IDs are not at all implemented properly 21:48:35 Matthew Edmonds proposed openstack/keystone master: remove default rule https://review.openstack.org/482164 21:49:55 edmondsw: looks good - one minor nit inline 21:50:08 s/inline/in the release note/ 21:51:00 do we even care about ids for this? they are not in the example config https://github.com/openstack/keystone/blob/master/etc/default_catalog.templates 21:51:49 eandersson: i would imagine that would get rewritten to yaml - based on morgan's work 21:52:07 lbragstad fixed 21:52:09 sure - but do we want to backport the yaml work as well? 21:52:14 Matthew Edmonds proposed openstack/keystone master: fix identity:get_identity_providers typo https://review.openstack.org/482142 21:52:24 or do we want to fix the current implementation pre-pike? 21:52:25 Merged openstack/keystoneauth master: Make Discover.version_data accept null max_version https://review.openstack.org/482250 21:57:38 eandersson: we won't be able to fix stable/ocata without landing something in pike first 21:57:56 but i doubt we'd backport fixes for the templated catalog to ocata anyway 21:57:57 Yep - so do we want to just skip my patch and go straight to yaml? 21:58:15 eandersson: yeah - that would seem reasonable 21:58:19 It's just weird to have a feature so broken :D 21:58:42 eandersson: yeah - the templated stuff is a mess 21:58:48 Could we maybe update our documentation for newton/ocata? 21:59:07 eandersson: saying what exactly? 21:59:21 Don't try to use with multiple regions! 21:59:31 Gage Hugo proposed openstack/keystone master: WIP - Trims whitespace from request headers https://review.openstack.org/470425 21:59:35 or not intended for production :D 21:59:51 basically just slap a warning lable on it 22:03:05 Eric Fried proposed openstack/keystoneauth master: Update docs and add a release note https://review.openstack.org/477566 22:03:14 Merged openstack/keystoneauth master: Expand some discover.py docstrings https://review.openstack.org/482207 22:04:32 eandersson: we document a few of the warts with it already https://docs.openstack.org/keystone/latest/configuration.html#service-catalog 22:04:40 #endmeeting