Wednesday, 2017-09-06

15:02 <ayoung> Heyo!
15:56 <hrybacki> ayoung: I think you might have been an hour early
15:56 <hrybacki> :P
15:56 <ayoung> yep
15:57 <ayoung> hrybacki, I confirmed that with lbragstad.  Had it on my calendar from pre-DST change
15:57 <hrybacki> silly DST
15:59 <lbragstad> ping  raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson
15:59 <hrybacki> o/
15:59 <ayoung> Oyez
15:59 <knikolla> o/
15:59 <gagehugo> o/
15:59 *** blancos has joined #openstack-meeting-cp
16:00 <cmurphy> o/
16:00 <lbragstad> #startmeeting policy
16:00 <openstack> Meeting started Wed Sep  6 16:00:08 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00 *** openstack changes topic to " (Meeting topic: policy)"
16:00 <openstack> The meeting name has been set to 'policy'
16:00 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:00 <lbragstad> agenda ^
16:00 <lbragstad> it's a little light today - but i assume everyone is getting ready for the ptg or wrapping other things up
16:01 <lbragstad> #topic policy-and-docs-in-code community goal
16:01 *** openstack changes topic to "policy-and-docs-in-code community goal (Meeting topic: policy)"
16:01 <lbragstad> quick update here
16:01 <blancos> o/
16:01 <lbragstad> I spent yesterday working through the projects that don't appear to be impacted by the goal
16:01 <ayoung> What guidance are we providing with regard to role names to projects that are doing this?
16:01 <lbragstad> and i proposed patches to governance to update those accordingly
16:01 *** Rockyg has joined #openstack-meeting-cp
16:02 *** aselius has joined #openstack-meeting-cp
16:02 <lbragstad> ayoung: we're not - we're just ensuring they move what they have in code
16:02 <lbragstad> we're not requiring renames or refactoring
16:02 <ayoung> Does that mean the role enforcement will be in code?
16:02 <lbragstad> but.. that's a good question
16:02 <ayoung> admin?
16:03 <lbragstad> role enforcement will be done by the oslo.policy enforce object, like it always has
16:03 <ayoung> It would be best if they could tag an API as "admin" without hardcoding what that means
16:03 <lbragstad> yeah
16:03 <lbragstad> i also have these
16:03 <lbragstad> #link https://review.openstack.org/#/c/500141/
16:03 <lbragstad> #link https://review.openstack.org/#/c/500207/
16:03 <ayoung> something like "default the admin_required rule to mean role:admin"  but not codify that on each line of the policy enforcement
16:04 <lbragstad> that seems specifically related to https://review.openstack.org/#/c/500141/
16:04 <ayoung> They should be able to add a single rule, even maybe in a config file, that specifies just how to do admin at both cloud and project scope
16:04 *** david-lyle has quit IRC
16:04 *** dklyle has joined #openstack-meeting-cp
16:05 <edmondsw> o/
16:06 <ayoung> Actually, that would be a really valuable first step;  each of the projects should identify on a per-api basis which scope of admin they mean: global or project scoped
16:06 <lbragstad> yeah
16:06 <ayoung> even if the default implementation does not distinguish, let's future proof them at that level
16:06 <lbragstad> i completely agree
16:06 <edmondsw> with global roles, scope is no longer a policy thing at all
16:07 <lbragstad> ayoung: you're talking about https://review.openstack.org/#/c/500207/1/specs/queens/include-scope-in-policy.rst right?
16:07 <ayoung> I think so...looking
16:08 <lbragstad> yeah - it'd be awesome to get that functionality into oslo this release somehow
16:08 <lbragstad> that way projects that have policy in code can start implementing it
16:08 * edmondsw adds that to his reading list
16:08 <lbragstad> edmondsw: #link https://review.openstack.org/#/c/500141/ too
16:08 <ayoung> edmondsw, let's use the terminology that Global IS a scope.
16:08 <ayoung> or Cloud or even service scope, to distinguish from project scope
16:09 <lbragstad> something elevated above project
16:09 <edmondsw> definitely
16:09 *** nhelgeson has joined #openstack-meeting-cp
16:09 <ayoung> the only operations we consider "unscoped" are on the Keystone server itself. And an unscoped token should not be accepted by a remote service
16:09 <lbragstad> right
16:09 <ayoung> and an unscoped token should probably not have global roles on it
16:09 <edmondsw> agreed
16:09 <ayoung> but that is getting ahead of the discussion
16:10 *** iyamahat has quit IRC
16:10 <edmondsw> unscoped tokens shouldn't have roles or any kind
16:10 <edmondsw> s/or/of/
16:10 <ayoung> Cool.  So we will talk about tokens scoped to one of three things:  domain, project, or global?
16:10 <edmondsw> yep
16:10 <ayoung> cool.  please continue lbragstad
16:11 <lbragstad> correct - the piece that the oslo spec helps projects align operations with those scopes
16:11 <lbragstad> helps with*
16:11 *** yamahata has quit IRC
16:11 <lbragstad> so - if anyone has feedback on either of those oslo specs, i'd love to hear it
16:12 <lbragstad> we're also on the schedule to visit with the oslo folks at the ptg about it
16:12 <ayoung> can we provide example rules in them?
16:12 <lbragstad> #link https://etherpad.openstack.org/p/oslo-ptg-queens
16:12 <ayoung> and we should probably standardize what we mean by "owner"
16:13 <edmondsw> I like the use cases for include-scope-in-policy at any rate... will read more later
16:13 <lbragstad> i would imagine that to be a conversation with a larger group, just to make sure we level set on consistent terms and don't assume owner means the same thing everywhere
16:13 <edmondsw> "owner" definitely doesn't mean the same thing everywhere :)
16:13 <lbragstad> i'd need to dig into other projects and how they use owner
16:13 <ayoung> we should also encourage them to not have ADMIN_OR... in the rule names, as admin is an override, and should be able to do anything.
16:13 <edmondsw> ++
16:14 <lbragstad> or i can just take edmondsw's word for it :)
16:14 <ayoung> I would suspect that for most places they use "owner" to mean "member of project with write permissions"
16:14 <edmondsw> in some places owner is a user, in others it's a project
16:14 <lbragstad> so - really quick on the policy in code stuff/community goal
16:14 <lbragstad> it also built a version of dhellmann's burndown chart to track that work
16:14 <lbragstad> #link https://www.lbragstad.com/policy-burndown/
16:14 <edmondsw> ayoung drop the "with write permissions"
16:15 <lbragstad> that should publish new results twice a day
16:15 <ayoung> edmondsw, I would actually like it if they distinguished at the API level whether read/write is expected
16:15 <hrybacki> lbragstad++
16:15 *** dklyle has quit IRC
16:15 <ayoung> I think that is the heart of what you mean?
16:16 <ayoung> Member implies Write and Read
16:16 <edmondsw> ayoung I just meant that "owner" is sometimes used for read as well as write, I believe... nothing really write-specific about it
16:16 <ayoung> yeah, I figured that is what you meant
16:17 <ayoung> I tend to think of permissions in a DAG, so write kind of implies read, but Member definitely implies read and write
16:17 <edmondsw> ayoung but if I followed your comment about distinguishing, yeah, docs for each policy should definitely be clear as to whether it is a read or write operation (and more)
16:17 <ayoung> really, we have admin+read+write as one set and member+read+write as a second.
16:18 *** david-lyle has joined #openstack-meeting-cp
16:18 <ayoung> as the read-only role people are asking for might need to read info that a Member should not read.
16:19 <ayoung> what if we provided a default set of Rules and suggest to the projects that they implement them.
16:19 <edmondsw> there is an odd case with nova ssh keys that we'll have to be conscious of here... in that case, I believe the user to which the key belongs can do things that even admin can't... i.e. admin isn't a true superset
16:19 <ayoung> ADMIN_WRITE,  ADMIN_READ, MEMBER_WRITE,  MEMBER_READ.
16:19 <ayoung> edmondsw, yes
16:19 <ayoung> and that should be OWNER
16:20 <ayoung> or USER?
16:20 <edmondsw> :)
16:20 <ayoung> something that indicates permission is at the per-user level.
16:20 <ayoung> OWNER_READ:  Get my Keys.
16:20 <edmondsw> owner has been overloaded too much... I'd prefer we be clearer and say user if that's what is meant
16:20 <ayoung> edmondsw, ++
16:21 <ayoung> USER: user_id=target.user_id or trustee_id=target.user_id
16:22 <ayoung> Ugh
16:22 <ayoung> no way to scope those operations in a trust
16:22 <ayoung> would need to use impersonation today
16:22 <ayoung> yuck
16:23 <ayoung> OK, lbragstad which of those two specs do you want me to add the suggested rules to?
16:23 <lbragstad> well - the one is specific to deprecating policies, so probably not that one
16:23 <lbragstad> the other is for adding scope
16:23 * knikolla needs to go. but will read the log.
16:23 <lbragstad> which is probably closer to what you're thinking?
16:24 <lbragstad> ayoung: if not, we can break it off into its own spec, too
16:24 <edmondsw> I'd have said separate spec, I think
16:24 <lbragstad> ok
16:24 <ayoung> well, it ties in with scope, though
16:24 <edmondsw> yeah, maybe that one... I haven't read it yet :)
16:25 <edmondsw> sure, throw it in there... we can always pull it out if need be
16:25 <edmondsw> does seem like it might fit there
16:26 <lbragstad> #topic open discussion
16:26 *** openstack changes topic to "open discussion (Meeting topic: policy)"
16:27 <lbragstad> anything else we want to cover today?
16:28 <edmondsw> none from me
16:28 <lbragstad> cool
16:28 <lbragstad> looks like we can get some time back
16:29 <lbragstad> reminder we won't have a meeting next week because of the PTG
16:29 <lbragstad> if you're going to be there, travel safe!
16:29 <edmondsw> ++
16:29 <lbragstad> thanks for coming!
16:29 <lbragstad> #endmeeting
16:29 *** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings"
16:29 <openstack> Meeting ended Wed Sep  6 16:29:32 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:29 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-09-06-16.00.html
16:29 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-09-06-16.00.txt
16:29 <openstack> Log:            http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-09-06-16.00.log.html