| *** vishwanathj has joined #openstack-fwaas | 01:43 | |
| *** vishwanathj has quit IRC | 01:43 | |
| *** yamamoto has joined #openstack-fwaas | 03:22 | |
| *** vishwanathj has joined #openstack-fwaas | 04:25 | |
| *** chandanc__ has joined #openstack-fwaas | 04:25 | |
| *** yushiro has joined #openstack-fwaas | 04:32 | |
| yushiro | ping SridarK | 04:35 |
|---|---|---|
| SridarK | yushiro: hi | 04:35 |
| yushiro | SridarK, Hi. Currently, I'm reviewing v2 database patch. | 04:35 |
| yushiro | Thanks for your update(Patchset38) | 04:36 |
| SridarK | yushiro: ok great, there are still some UT that i am debugging | 04:36 |
| SridarK | yushiro: but it is great that u are reviewing, so u will have enough context as i keep updating | 04:37 |
| yushiro | SridarK, Thanks. Please let me clarify. | 04:37 |
| SridarK | yushiro: i am mainly running thru the UT failures, i think list api's have some issue also | 04:38 |
| yushiro | SridarK, Oh, thanks. Currently, I'm trying to run UT too in order to review more deeply. | 04:39 |
| SridarK | yushiro: ok there are some failures - so sorry - i am trying to fix - i am trying to clean up b4 i go to bed tonight | 04:40 |
| yushiro | SridarK, no warries. Your work is great. OK, currently, I focus on PS38. | 04:42 |
| SridarK | yushiro: thx | 04:43 |
| yushiro | SridarK, Oh, I forgot the confirmation. In my understanding, when creating firewall-group, a mandatory param is only project_id, isn't it? | 04:43 |
| yushiro | I referred v2 SPEC. | 04:44 |
| SridarK | yushiro: yes that is correct, there is an issue on the ext patch the policy fields do not have a default | 04:44 |
| yushiro | SridarK, Ah, yes. That is what I'd like to comment :) | 04:45 |
| yushiro | SridarK, thank you. | 04:45 |
| SridarK | yushiro: ok great - we are on the same pg - i hit the issue on testing - i have put a comment in the ext patch | 04:45 |
| SridarK | :-) | 04:46 |
| yushiro | Yeah. | 04:46 |
| yushiro | OK. I'll turn back to review. Thank you so much!! | 04:46 |
| yushiro | If you need some help or review, please let me know! | 04:47 |
| *** vishwanathj has quit IRC | 04:55 | |
| SridarK | yushiro: many thanks - | 04:56 |
| *** mickeys has quit IRC | 05:05 | |
| *** mickeys has joined #openstack-fwaas | 05:05 | |
| *** mickeys has quit IRC | 05:10 | |
| *** vishwanathj has joined #openstack-fwaas | 05:15 | |
| *** vishwanathj is now known as vishwanathj_zzz | 05:16 | |
| *** chandanc__ has quit IRC | 05:25 | |
| *** yamamoto has quit IRC | 06:18 | |
| *** chandanc__ has joined #openstack-fwaas | 06:22 | |
| *** yamamoto has joined #openstack-fwaas | 06:59 | |
| *** chandanc__ has quit IRC | 07:04 | |
| *** mickeys has joined #openstack-fwaas | 07:29 | |
| *** mickeys has quit IRC | 07:33 | |
| *** mickeys has joined #openstack-fwaas | 08:30 | |
| *** mickeys has quit IRC | 08:31 | |
| *** mickeys has joined #openstack-fwaas | 08:31 | |
| *** mickeys has quit IRC | 08:33 | |
| *** mickeys has joined #openstack-fwaas | 08:34 | |
| *** mickeys has quit IRC | 08:38 | |
| *** yamamoto has quit IRC | 09:50 | |
| *** yamamoto_ has joined #openstack-fwaas | 10:32 | |
| mfranc213 | ping chandanc, chandanc_ | 11:50 |
| *** chandanc__ has joined #openstack-fwaas | 11:55 | |
| *** yamamoto_ has quit IRC | 12:06 | |
| *** yamamoto has joined #openstack-fwaas | 12:07 | |
| *** yamamoto has quit IRC | 12:07 | |
| *** yamamoto has joined #openstack-fwaas | 12:07 | |
| SridarK | njohnston: ping | 12:56 |
| *** raalee has joined #openstack-fwaas | 13:13 | |
| njohnston | good morning all | 13:13 |
| mfranc213 | hello everyone | 13:20 |
| mfranc213 | ping chandanc_ | 13:26 |
| njohnston | ^^ chandanc__ (two underscores) | 13:26 |
| mfranc213 | thank you njohnston | 13:27 |
| SridarK | njohnston: hi | 13:30 |
| njohnston | SridarK: Hello. You had a busy weekend! Sorry I couldn't participate much - family events - but I am catching up on the activity. | 13:31 |
| SridarK | njohnston: no worries, so now a good chunk of the UTs are good | 13:31 |
| SridarK | njohnston: i think a few more tweaks and we should be good | 13:32 |
| njohnston | Excellent. Do you want me to work on that, or something else? | 13:32 |
| SridarK | njohnston: i am in the middle of the firewall_group UTs | 13:33 |
| SridarK | let me clean this up and we can sync up | 13:33 |
| njohnston | sounds good | 13:33 |
| SridarK | njohnston: how is the L3Agent ext | 13:33 |
| SridarK | njohnston: meanwhile could u start looking at what will be needed on that front, L3Agent ext + versioned obj things | 13:34 |
| SridarK | i think that will be the next push, and u have more context on these areas | 13:35 |
| mfranc213 | SridarK: do you want to put me to work also? i worked on UTs for the driver over the weekend but don't want to step on chandanc__'s toes if he's already working on those. won't do anything with that until talking to him. | 13:36 |
| SridarK | meanwhile let me see how the db patch is heading and we can sync - i hit some issue with on the tests with the project id tht has been nagging | 13:36 |
| SridarK | mfranc213: surely, i think all we may need is one more refactor to move the files to _v2 (my last comment) | 13:37 |
| SridarK | njohnston: are u okay with this or pls let me know if we want to do this differently | 13:37 |
| njohnston | I think that sounds like a solid plan. Let me know when a good time to sync with you is; my schedule is wide open. | 13:38 |
| mfranc213 | SridarK: will check it out and ping with questions. thank yoiu. | 13:39 |
| SridarK | how abt we do a sync btwn njohnston: , mfranc213: , chandanc__ and myself | 13:39 |
| njohnston | sounds good | 13:39 |
| mfranc213 | sounds v good. | 13:39 |
| *** chandanc__ has quit IRC | 13:40 | |
| SridarK | i have some mtgs at 8am pacific - so if we see chandanc come online - we can do before that | 13:40 |
| mfranc213 | thank you | 13:40 |
| SridarK | great thx mfranc213:, njohnston: | 13:41 |
| *** yushiro has quit IRC | 13:47 | |
| *** yushiro has joined #openstack-fwaas | 13:51 | |
| *** yamamoto has quit IRC | 13:52 | |
| *** yamamoto has joined #openstack-fwaas | 13:52 | |
| yushiro | Hi, | 13:53 |
| yushiro | Is SridarK here? | 13:55 |
| *** yamamoto has quit IRC | 13:57 | |
| njohnston | He was here ~15 minutes ago - should be back soon I think | 13:57 |
| *** yamamoto has joined #openstack-fwaas | 14:10 | |
| njohnston | FYI all, it appears that the change "Fix db migration after project_id changes" - https://review.openstack.org/#/c/352216/ - is causing OSA DB migration issues. | 14:12 |
| njohnston | See: https://bugs.launchpad.net/neutron/+bug/1613299 | 14:12 |
| openstack | Launchpad bug 1613299 in openstack-ansible "Unknown column 'r.project_id' in FWaaS migrations" [High,New] | 14:12 |
| njohnston | I have a revert patch ready: https://review.openstack.org/#/c/355483/ | 14:13 |
| njohnston | I suggest we revert, and then approach it again and figure out why this didn't occur on devstack. | 14:13 |
| SridarK | yushiro: here | 14:14 |
| yushiro | SridarK, Hi. Today, I tried to run UTs for DB patch and realized about 'tenant_id'. | 14:16 |
| SridarK | yushiro: ok - i have been hitting some UT issues around there which i was debugging | 14:17 |
| SridarK | njohnston: can u pls check in with HenryG as well | 14:17 |
| SridarK | on the revert | 14:17 |
| yushiro | HenryG is try to support Keystone v3 and modify from 'tenant_id' to 'project_id' on DB. | 14:18 |
| yushiro | However, all of neutron resources still have 'tenant_id' at request body. | 14:18 |
| njohnston | I thought there was something in that essentially made 'tenant_id' a synonym of 'project_id'. | 14:20 |
| SridarK | yushiro: yes this was my experience too | 14:20 |
| njohnston | at the database layer | 14:20 |
| SridarK | yushiro: i got a malformed req error | 14:20 |
| yushiro | And, base neutron codes doesn't support to specify 'project_id' in request body. | 14:20 |
| SridarK | and i added in the project_id | 14:20 |
| SridarK | njohnston: yes u are correct at the db layer | 14:21 |
| SridarK | yushiro: i had to add in project_id in the UT | 14:21 |
| SridarK | this kind of derailed me for a long time | 14:22 |
| yushiro | njohnston, Ah, in DB layer.. I see. | 14:22 |
| SridarK | yushiro: but are u saying that we need to send in 'tenant_id' | 14:22 |
| yushiro | SridarK, hmm Yes. Because of policy check. | 14:24 |
| yushiro | SridarK, If we don't have 'tenant_id' it violates at policy.py | 14:25 |
| SridarK | yushiro: ok good - i was going so crazy in debugging this | 14:25 |
| yushiro | In UT, we send 'new_create_request' --> (snip) --> populate_tenant_id --> verify_attributes ---> policy check | 14:27 |
| yushiro | populate_tenant_id will insert 'tenant_id' if we don't specify this | 14:27 |
| SridarK | yushiro: yes which is why we had UTs without the tenant_id except in some cases | 14:28 |
| yushiro | verify_attributes compares request body and extension's dict. Here is the difficult point. | 14:29 |
| yushiro | SridarK, Sorry, I think my explanation is difficult to understand :( let me see... | 14:33 |
| SridarK | yushiro: no that makes sense | 14:33 |
| SridarK | yushiro: one other thing - while running the UT, i noticed that when the create api is called | 14:34 |
| SridarK | and i checked for 'tenant_id' or 'project_id' it is always None | 14:34 |
| SridarK | and is_admin is True | 14:35 |
| SridarK | so when i run the test to make sure that i cannot access resources on another tenant - that does not quite work | 14:36 |
| SridarK | i can write an email to u with some debugs to make it more clear | 14:36 |
| SridarK | it could be related to what u say | 14:37 |
| yushiro | SridarK, OK. Maybe I've hit the same situation today. Please send me :) | 14:39 |
| *** vishwanathj_zzz is now known as vishwanathj | 14:40 | |
| SridarK | yushiro: how long will u be up ? | 14:40 |
| yushiro | SridarK, Sorry, I have to go office tomorrow. Therefore, I can be up untill 1:00am. | 14:42 |
| SridarK | yushiro: ok i have to be in a mtg shortly - will try to get this to u quickly else u can look at it first thing ur morning | 14:43 |
| njohnston | SridarK xgerman yushiro: Could you take a look at https://review.openstack.org/#/c/355483/ so we can unbreak OSA? I think HenryG may be travelling to the midcycle, so I am not sure we should wait for him, since the alternative is returning to status quo ante. | 14:43 |
| xgerman | sure | 14:43 |
| SridarK | njohnston: yes waiting on Jenkins | 14:44 |
| njohnston | ok good, wasn't sure. thanks! | 14:44 |
| yushiro | njohnston, Sure! but please wait tomorrow's morning :) | 14:45 |
| SridarK | yamamoto: can u pls also look at https://review.openstack.org/#/c/355483/ | 14:46 |
| yamamoto | SridarK: ? | 14:47 |
| yushiro | njohnston, midcycle! That's why HenryG does not response today. I didn't know that. Thank you. | 14:47 |
| xgerman | ok, holler, when the jenkins job finishes and I can +2/A | 14:48 |
| yamamoto | SridarK: will look tomorrow | 14:48 |
| SridarK | yamamoto: it seems https://review.openstack.org/#/c/352216/ is causing an issue, njohnston: is chasing that | 14:48 |
| SridarK | yamamoto: ok i realize it is very late for u | 14:48 |
| yamamoto | SridarK: thank you for understanding | 14:49 |
| njohnston | I got a response from HenryG, he thinks we can just fix the bad column name as opposed to reverting. | 14:49 |
| SridarK | yamamoto: no worries, GN - we can pick up a discussion later | 14:49 |
| njohnston | He gave a suggestion for how to write a test job that would pick up this issue, because the way devstack and the gate jobs do it wouldn't exercise this code path. | 14:50 |
| SridarK | njohnston: ok great | 14:50 |
| njohnston | New change to fix is: https://review.openstack.org/355511 | 14:59 |
| *** yamamoto has quit IRC | 15:14 | |
| *** yamamoto has joined #openstack-fwaas | 15:14 | |
| *** yamamoto has quit IRC | 15:20 | |
| yushiro | njohnston, I just reviewed https://review.openstack.org/355511 | 15:21 |
| *** chandanc__ has joined #openstack-fwaas | 15:23 | |
| SridarK | yushiro: so i did a quick experiment | 15:27 |
| njohnston | Thanks yushiro and xgerman! | 15:27 |
| SridarK | njohnston: i am watching Jenkins | 15:27 |
| SridarK | yushiro: i replaced 'project_id' with 'tenant_id' | 15:28 |
| SridarK | in a create req | 15:28 |
| yushiro | yes. | 15:28 |
| SridarK | and it seems like i get a Bad Req | 15:28 |
| *** raalee has quit IRC | 15:30 | |
| SridarK | yushiro: http://paste.openstack.org/show/557588/ | 15:30 |
| yushiro | OK. I think you got 'Unrecognized attribute(s)'... ah, Yes. | 15:30 |
| yushiro | I just watched pasted link. | 15:31 |
| SridarK | but if i had project_id it seems to make it to the CR method | 15:31 |
| yushiro | SridarK, Yes, you're right. in populate_tenant_id, it is validated when 'is_create' is True. | 15:32 |
| yushiro | SridarK, I think you got an error from verify_attributes in api/v2/attributes.py | 15:32 |
| *** diogogmt has joined #openstack-fwaas | 15:33 | |
| yushiro | your req-body: xxx, yyy, 'tenant_id', zzz. extension's dict: xxx, yyy, 'project_id', zzz. | 15:33 |
| yushiro | I think verify_attributes compares dict keys b/w req-body and extension's dict. | 15:34 |
| SridarK | yushiro: hmm so we need tenant_id outside of the ext dict ? | 15:35 |
| yushiro | In order to prevent from this error, Yes. But this is inconsistency. | 15:36 |
| SridarK | yushiro: how would i set that ? | 15:36 |
| SridarK | yes it seems odd | 15:36 |
| yushiro | Here is just bad workaround. 1. Please specify 'tenant_id' in req-body(You've already done) 2. replace 'project_id' to 'tenant_id' into ext dict. | 15:38 |
| yushiro | Hmm.... I think current neutron does not support to specify 'project_id' instead of 'tenant_id'. | 15:40 |
| *** mickeys has joined #openstack-fwaas | 15:40 | |
| yushiro | I tried to reach out HenryG today because he try to support keystone v3 but I couldn't :( | 15:41 |
| SridarK | actually, as i understand - i think i have only touched the ext dict | 15:44 |
| *** mickeys has quit IRC | 15:44 | |
| SridarK | chandanc__: ping | 15:47 |
| SridarK | yushiro: i will do more debugging during the day - will try to catch up with u tonight - so we can close this out | 15:57 |
| SridarK | tonight - pacific (so during ur day time) | 15:57 |
| yushiro | SridarK, I understand. Thanks for your information. | 15:58 |
| SridarK | yushiro: thx | 15:58 |
| SridarK | yushiro: can u pls do a quick scan of the ext patch to make sure ur comments are addressed | 16:00 |
| yushiro | SridarK, Sure. | 16:01 |
| SridarK | yushiro: so she can address any more, i am going to review that in a bit after i get done with mtgs etc | 16:01 |
| njohnston | I was pulled away for some neutron bug deputy duty... but I think I am back now. | 16:01 |
| SridarK | njohnston: no worries, i think chandanc__ is away (it is a local holiday for him) | 16:02 |
| SridarK | njohnston: maybe we can sync along with mfranc213 a bit later in the day | 16:02 |
| njohnston | ok. In the mean time, let me know if I can help with the DB patch. I'm just Zuul-gazing right now. | 16:03 |
| yushiro | SridarK, OK, my comment is reflected on her latest patchset. | 16:04 |
| yushiro | However, it seems that UT doesn't run correctly. I'll check/review it tomorrow. | 16:05 |
| SridarK | yushiro: ok cool i will review later today | 16:05 |
| njohnston | Are we talking about https://review.openstack.org/#/c/264489/ ? | 16:06 |
| SridarK | njohnston: yes | 16:07 |
| SridarK | njohnston: can u pls also take a look | 16:07 |
| njohnston | Will do. But the most recent comment on that from Yushiro is on 8/13, which is why I asked. | 16:08 |
| SridarK | i had a set of comments over the weekend | 16:08 |
| njohnston | Ok, re-reading what yushiro said I realized I was mistaken, I thought he had added a new comment. | 16:08 |
| njohnston | Checking it now... | 16:08 |
| mfranc213 | SridarK: yes to a sync a bit later in the day. let me know. | 16:09 |
| SridarK | njohnston: yes she pushed a PS earlier today | 16:09 |
| yushiro | SridarK, njohnston BTW, | 16:13 |
| yushiro | SridarK, njohnston Does anyone focus on policy.json? | 16:13 |
| yushiro | I think rule is necessary. ex. "delete_firewall_group": "rule:admin_or_owner", | 16:14 |
| njohnston | yushiro: Agreed, definitely. | 16:14 |
| yushiro | njohnston, SridarK OK. Let me confirm 1 thing. | 16:15 |
| yushiro | njohnston, SridarK We should add 1. neutron/etc/policy.json 2. neutron/tests/etc/policy.json, shouldn't we? | 16:16 |
| SridarK | yushiro: pls go ahead, sorry slow response in another mtg | 16:16 |
| yushiro | SridarK, Sure. No warries. | 16:16 |
| njohnston | yushiro: definitely | 16:16 |
| yushiro | I just ran UT(create_firewall_group) on DB patch and realized. | 16:17 |
| yushiro | njohnston, OK. I'm confusing that... In case of 'firewall_group', it is easy because just to add is enough. | 16:18 |
| yushiro | njohnston, However, in case of 'firewall_policy' and 'firewall_rule' | 16:19 |
| yushiro | njohnston, SridarK sorry, I'll paste the link. Just a moment please.... | 16:20 |
| njohnston | sure thing | 16:20 |
| *** mickeys has joined #openstack-fwaas | 16:21 | |
| SridarK | yushiro: catching up | 16:21 |
| yushiro | njohnston, SridarK Here is current policy definition about FWaaS and my thought. http://paste.openstack.org/show/557591/ | 16:24 |
| yushiro | Could you please check it? | 16:24 |
| njohnston | We will want these methods to have "_v2" appended to them, yes? | 16:25 |
| yushiro | njohnston, Hmmm, it is difficult. Because, these methods is automatically generated. | 16:29 |
| yushiro | njohnston, But, it's better to append "_v2" I think. | 16:30 |
| SridarK | sorry back | 16:30 |
| SridarK | yes i am not sure on the v2 either | 16:31 |
| SridarK | njohnston: i just got done with some mtgs, shall we do a quick sync along with mfranc213: | 16:32 |
| mfranc213 | here | 16:32 |
| mfranc213 | :) | 16:32 |
| SridarK | :-) | 16:32 |
| njohnston | sure | 16:32 |
| SridarK | ok cool let me set up a call - | 16:33 |
| mfranc213 | okay | 16:33 |
| SridarK | yushiro: i think it is really late, shall we continue the discussion over email, perhaps we can discuss this more during our day | 16:33 |
| yushiro | SridarK, OK. Oh, it's 1:33 JST. Hahaha | 16:34 |
| yushiro | I'll go to bed. Good night, SridarK and njohnston. Let me discuss or send e-mail tomorrow. | 16:34 |
| njohnston | Thanks for all your work yushiro! | 16:34 |
| yushiro | thank you | 16:34 |
| SridarK | yushiro: thx much | 16:35 |
| SridarK | GN | 16:35 |
| *** yushiro has left #openstack-fwaas | 16:35 | |
| *** chandanc__ has quit IRC | 16:41 | |
| njohnston | Jenkins is happy with https://review.openstack.org/#/c/355511/ BTW, it is ready for +A | 17:01 |
| njohnston | Thanks SridarK! | 17:05 |
| *** chandanc__ has joined #openstack-fwaas | 17:37 | |
| *** chandanc__ has quit IRC | 18:04 | |
| njohnston | xgerman: Question for you. I'm pretty sure I grok what I am typing, but my apologies if I don't. I feel pretty sure that LBaaS v1 added methods to the neutron API in the same way that FWaaS does. How does/did LBaaS furnish what it will need in terms of a policy.json to govern access to those API methods? | 18:16 |
| xgerman | I think we made them all admin | 18:17 |
| njohnston | Right, but you didn't add the policy.json items directly into the main Neutron policy.json. How would those items get added so that Neutron would know the policy was admin_only for those methods? Will it read additional policy,json files for *-aas projects? | 18:21 |
| xgerman | mmh, @blogan likely knows the details | 18:31 |
| xgerman | blogan | 18:31 |
| njohnston | xgerman: thanks! pinging him now | 18:36 |
| xgerman | yeah, I tried to get to him myself, too | 18:36 |
| xgerman | sorry, this has been so long back... | 18:36 |
| njohnston | Not a problem, thanks for the pointer for blogan! | 18:37 |
| xgerman | y.w. — dougwig might also able to help | 18:37 |
| dougwig | I recall discussing that a policy.d directory would be good for neutron, but don't think it got implemented. | 19:38 |
| *** greghaynes has joined #openstack-fwaas | 20:11 | |
| *** yamamoto has joined #openstack-fwaas | 21:10 | |
| *** yamamoto has quit IRC | 21:11 | |
| *** yamamoto has joined #openstack-fwaas | 22:26 | |
| *** diogogmt has quit IRC | 23:31 | |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!