Wednesday, 2017-11-29

*** lbragstad has joined #openstack-meeting-cp		00:06
*** sdague has quit IRC		00:44
*** aselius has quit IRC		02:31
*** iyamahat has quit IRC		03:00
*** yamahata has quit IRC		03:02
*** coolsvap has joined #openstack-meeting-cp		03:33
*** markvoelker has quit IRC		04:30
*** gouthamr has quit IRC		04:43
*** nhelgeson has quit IRC		04:53
*** dklyle has quit IRC		05:15
*** markvoelker has joined #openstack-meeting-cp		05:30
*** gouthamr has joined #openstack-meeting-cp		05:46
*** gouthamr has quit IRC		06:04
*** yamahata has joined #openstack-meeting-cp		06:09
*** iyamahat has joined #openstack-meeting-cp		06:28
*** MarkBaker has joined #openstack-meeting-cp		09:18
*** MarkBaker has quit IRC		09:30
*** MarkBaker has joined #openstack-meeting-cp		09:30
*** iyamahat has quit IRC		09:52
*** yamahata has quit IRC		10:13
*** MarkBaker_ has joined #openstack-meeting-cp		10:15
*** MarkBaker has quit IRC		10:17
*** MarkBaker_ has quit IRC		10:20
*** haint_ has joined #openstack-meeting-cp		11:16
*** MarkBaker_ has joined #openstack-meeting-cp		11:20
*** haint has quit IRC		11:21
*** sdague has joined #openstack-meeting-cp		11:27
*** markvoelker has quit IRC		13:19
*** markvoelker has joined #openstack-meeting-cp		13:19
*** edmondsw has joined #openstack-meeting-cp		13:32
*** openstack has joined #openstack-meeting-cp		13:44
*** ChanServ sets mode: +o openstack		13:44
*** openstack has quit IRC		14:46
*** openstack has joined #openstack-meeting-cp		14:48
*** ChanServ sets mode: +o openstack		14:48
*** zhipeng has joined #openstack-meeting-cp		15:06
*** coolsvap has quit IRC		15:07
*** yamahata has joined #openstack-meeting-cp		15:18
*** iyamahat has joined #openstack-meeting-cp		15:18
*** gouthamr has joined #openstack-meeting-cp		15:22
*** zhipeng has quit IRC		15:27
*** zhipeng has joined #openstack-meeting-cp		15:29
lbragstad	#startmeeting policy	16:00
openstack	Meeting started Wed Nov 29 16:00:01 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	16:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	16:00
lbragstad	#link https://etherpad.openstack.org/p/keystone-policy-meeting	16:00
*** openstack changes topic to " (Meeting topic: policy)"		16:00
openstack	The meeting name has been set to 'policy'	16:00
lbragstad	agenda ^	16:00
lbragstad	ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, kmalloc, raj_singh, johnthetubaguy, knikolla, nhelgeson	16:00
*** edmondsw_ has joined #openstack-meeting-cp		16:00
lamt	o/	16:00
hrybacki	o/	16:00
knikolla	o/	16:00
cmurphy	o/	16:00
lbragstad	so - we don't have anything on the agenda	16:00
lbragstad	but i figured we could meet and open it up to any policy topics if folks have any	16:01
lbragstad	#topic open discussion	16:01
*** openstack changes topic to "open discussion (Meeting topic: policy)"		16:01
hrybacki	Do we want to kick up the polciy exploring sessions again or wait until after the new year?	16:01
*** iyamahat has quit IRC		16:01
edmondsw_	o/	16:02
lbragstad	hrybacki: i'm good with either	16:02
edmondsw_	I vote wait until the new year	16:02
hrybacki	+1	16:02
lbragstad	do we feel like we got some useful bits out of the ones we had/	16:02
lbragstad	and would a summary there be beneficial?	16:03
hrybacki	I think it attracted a pretty diverse crowd which was nice	16:03
edmondsw_	I thought they were useful	16:03
*** edmondsw has quit IRC		16:03
*** zhipeng has quit IRC		16:03
*** edmondsw_ is now known as edmondsw		16:03
lbragstad	it helped reinforce the needs for the initial steps we're taking	16:04
lbragstad	at least in my opinion	16:04
*** iyamahat has joined #openstack-meeting-cp		16:05
lbragstad	and it highlighted some key differences between what other systems have to protect with policy and what openstack has to protect with policy	16:05
* hrybacki nods		16:05
lbragstad	if folks think a summary would be useful - i can attempt to jot down my thoughts and aggregate notes	16:06
hrybacki	It would be a good thing to add to our next email to the ML advertising the next session for sure	16:06
lbragstad	hrybacki: a link to a summary?	16:07
* hrybacki nods -- or a concise version in the body of the email		16:07
lbragstad	yeah	16:07
lbragstad	in other news	16:08
lbragstad	#link http://lists.openstack.org/pipermail/openstack-dev/2017-November/124966.html	16:08
lbragstad	i sent out a quick status on goal progress	16:08
*** coolsvap has joined #openstack-meeting-cp		16:09
lbragstad	a few projects are getting really close to being done	16:09
lbragstad	also	16:10
lbragstad	#info tc is now accepting goals for rocky	16:10
lbragstad	i have a todo to draft a goal for getting projects to use scope-types	16:10
edmondsw	lbragstad do all of those actually need changes for the policy goal? Should only need changes where there's an API, so e.g. why is heatclient in the list?	16:10
lbragstad	edmondsw: yeah - that's a good question, i need to follow up with ricolin there	16:11
lbragstad	i'm not sure why that is in the list	16:11
edmondsw	and all those networking- and neutron- ones that aren't started	16:11
edmondsw	etc.	16:11
lbragstad	yep - i pinged mlavalle about those	16:11
edmondsw	cool	16:11
lbragstad	i can go ask again	16:11
lbragstad	were there any other goals we wanted to propose for rocky?	16:12
edmondsw	gnocchi and aodh seem to be missing from the email	16:12
lbragstad	from a policy roadmap perspective?	16:12
lbragstad	#link https://trello.com/b/bpWycnwa/policy-roadmap	16:12
cmurphy	something that came up in the tc office hours was that it's hard to set a goal that no one has completed yet, better to already have a few early adopters taht everyone else can copy from and make the goal just getting everyone else to follow suit	16:13
edmondsw	lbragstad I'd love to see a community goal for removing any policy hardcoding, such as things that are hardcoded for admin, ResellerAdmin in swift, etc.	16:13
hrybacki	good point cmurphy	16:14
lbragstad	cmurphy: ++	16:14
lbragstad	edmondsw: yeah - that'd be a good one,too	16:14
lbragstad	edmondsw: #link https://review.openstack.org/#/q/status:merged+project:openstack/aodh+branch:master+topic:policy-and-docs-in-code	16:14
lbragstad	i'll update aodh in governance	16:14
lbragstad	cmurphy: so maybe we do a trial run with scope_types in rocky with keystone and a couple other projects	16:15
lbragstad	and slate scope types for a proposal as a queens goal for S	16:15
lbragstad	which shouldn't set our roadmap back, since the functionality to fix admin-ness isn't changing	16:15
cmurphy	++	16:16
lbragstad	sweet - that actually removes a todo from my list	16:16
edmondsw	sounds good. I don't think we should need a trial run for removing policy hardcoding, though... Seems like a very project-specific thing	16:16
lbragstad	trial run or a goal?	16:16
edmondsw	I do think we need a goal	16:17
lbragstad	if it's project specific - does it need a goal?	16:17
lbragstad	or if it's is extremely project specific?	16:17
edmondsw	I would still think it needs a goal	16:17
edmondsw	so that everyone does it	16:17
edmondsw	it's project-specific in the sense that everyone has hardcoded things differently	16:18
lbragstad	so - in order to complete that refactor, isn't using scope-types required?	16:18
edmondsw	but it's common in the sense that nobody should hardcode anything	16:18
edmondsw	why would scope-types be required?	16:18
edmondsw	I think this is parallel to scope	16:18
lbragstad	becuase you'd need to actually fix the problem of admin-ness in order to remove the hardcoded checks	16:19
edmondsw	allow hardcoding scope, but nothing else	16:19
edmondsw	maybe I'm missing something, but I don't think we should need to fix 968696 to remove hardcoded policy checks	16:20
edmondsw	role checks, anyway	16:20
edmondsw	I'm not talking about removing hardcoding of policy checks	16:20
edmondsw	s/policy/scope/	16:20
* lbragstad is confused		16:20
lbragstad	in order to remove hardcoded "admin" checks, right?	16:21
lbragstad	where a service just checks that a user has the "admin" role regardless of what they are scoped to?	16:21
edmondsw	or other things, e.g. ResellerAdmin in swift	16:21
lbragstad	yeah	16:21
edmondsw	forget scope	16:21
edmondsw	other than that, yes	16:22
lbragstad	but scope has to be a part of that doesn't it?	16:22
edmondsw	why?	16:22
lbragstad	if we remove the hardcoded check of a string, oslo.policy has to evaluate scope, too	16:22
lbragstad	right?	16:22
edmondsw	something does, but not oslo.policy	16:23
edmondsw	not until we have scope-types anyway	16:23
edmondsw	today, scope checks are generally done in code	16:23
edmondsw	hardcoded	16:23
edmondsw	and should stay that way	16:23
edmondsw	because they shouldn't be customizable	16:24
lbragstad	i guess i could be more specific here	16:24
lbragstad	role-scope check	16:24
lbragstad	versus just scope-check	16:24
lbragstad	"does the user have the required role for this operation on the right scope"	16:24
edmondsw	I would say there is no such thing as role-scope check... there is role check and there is scope check and there is target attribute check, and they are all independent and unrelated	16:24
edmondsw	they are only related in that you have to pass all of them	16:25
edmondsw	but they can all be implemented independently	16:25
lbragstad	1.) role check = does this user have the role necessary to perform this operation	16:25
edmondsw	yes	16:25
lbragstad	2.) scope check = is the token using the proper scope for the operation being done (system vs. project)	16:26
edmondsw	yes	16:26
lbragstad	3.) target attribute check = is the thing being acted on in the right project, etc... (all service specific)	16:26
edmondsw	yes	16:26
lbragstad	in order to removed hardcoded "admin" checks	16:26
lbragstad	don't 1 and 2 need to be done?	16:26
lbragstad	in order to fix that as a community goal?	16:27
edmondsw	I think that would just be related to #1	16:27
lbragstad	ok	16:27
edmondsw	define policy checks that are customizable to indicate what role should be allowed, instead of hardcoding that only the admin role is allowed	16:27
lbragstad	yeah - i think i see what you mean now	16:27
lbragstad	i'd need to go through a bunch of the projects to figure out where that is being violated	16:28
edmondsw	yeah	16:28
lbragstad	if it's only a handful of projects, maybe we can just do it with bugs	16:28
lbragstad	instead of proposing a community goal	16:28
edmondsw	that's fair	16:28
lbragstad	but - yeah, i think that totally depends on how many services are doing that	16:29
edmondsw	I know it's a problem in nova and swift at least	16:29
edmondsw	and I think cinder?	16:29
edmondsw	and probably all the telemetry projects	16:29
lbragstad	sounds like we have something to chase before a formal proposal - either way i agree we should fix that	16:30
edmondsw	yep	16:30
lbragstad	anything else we should do as a rocky goal?	16:31
lbragstad	default roles?	16:32
lbragstad	#link https://trello.com/c/C1INH5AI/7-define-default-roles	16:32
hrybacki	That's an important one	16:33
lbragstad	even if it is just admin, reader, writer...	16:33
edmondsw	I think that one needs a trial first	16:33
lbragstad	so something we can try and pilot in rocky	16:34
edmondsw	at least more discussion on "how"	16:34
lbragstad	if all goes well we can remove the policy.v3cloudsample.json file since it will be obsolete at that point	16:35
edmondsw	because we don't want to break backward compat, and that will be tricky	16:35
edmondsw	lbragstad isn't v3cloudsample already obsolete?	16:35
lbragstad	i suppose, but we could officially remove it saying "yep, this is no longer needed because we have sensible defaults out-of-the-box"	16:36
edmondsw	oh, we probably need to fix a bunch of scope checking before we remove it?	16:36
lbragstad	yeah...	16:36
lbragstad	so, community goal, yes or no?	16:37
lbragstad	it will generate discussion that's for sure	16:37
hrybacki	I want to say yes. Might we at a minimum propose it?	16:37
lbragstad	yeah - worst case, it gets shot down and we learn a little more about what still needs to be done	16:38
lbragstad	and maybe we break it into a couple goals	16:39
lbragstad	1.) define a set of defaults	16:39
lbragstad	2.) implement a set of defaults	16:39
edmondsw	I don't think #1 needs a goal	16:39
hrybacki	3.) test a set of defaults	16:40
lbragstad	probably not - but we do need people to participate in the discussion	16:40
edmondsw	and you can't separate 2 and 3	16:40
edmondsw	:)	16:40
lbragstad	traditionally - any sort of default roles discussion had lived in either nova-specs or keystone-specs	16:41
lbragstad	and i think we need to have it at a level where other projects can jump into that discussion	16:41
* lbragstad is open to suggestions here		16:41
edmondsw	I think it should be a cross-project spec	16:41
lbragstad	that might work	16:42
lbragstad	are cross-project specs voted on by tc?	16:42
lbragstad	and tc managed?	16:42
edmondsw	I'm not entirely sure how that works	16:42
edmondsw	but I think that's the right place to do it, and I would start that ball rolling and get that spec approved before we propose a goal that everyone implements it	16:43
lbragstad	yeah - i agree	16:43
lbragstad	so, it looks like we have an action there	16:44
lbragstad	i think that kinda wraps up the rocky goals questions i had	16:45
lbragstad	does anyone have anything else?	16:45
*** spilla has joined #openstack-meeting-cp		16:45
* hrybacki shakes his head		16:46
lbragstad	cool - thanks for coming everyone	16:46
lbragstad	#endmeeting	16:46
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings"		16:46
openstack	Meeting ended Wed Nov 29 16:46:57 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	16:46
hrybacki	thanks all! o/	16:46
openstack	Minutes: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-11-29-16.00.html	16:46
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-11-29-16.00.txt	16:47
openstack	Log: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-11-29-16.00.log.html	16:47
*** MarkBaker_ has quit IRC		16:51
*** gagehugo has joined #openstack-meeting-cp		17:00
*** gagehugo has left #openstack-meeting-cp		17:05
*** MarkBaker has joined #openstack-meeting-cp		17:21
*** nhelgeson has joined #openstack-meeting-cp		17:42
*** MarkBaker has quit IRC		17:58
*** MarkBaker has joined #openstack-meeting-cp		18:03
*** iyamahat has quit IRC		18:05
*** yamahata has quit IRC		18:09
*** MarkBaker has quit IRC		18:14
*** coolsvap has quit IRC		18:18
*** iyamahat has joined #openstack-meeting-cp		18:26
*** iyamahat_ has joined #openstack-meeting-cp		18:34
*** iyamahat has quit IRC		18:34
*** aselius has joined #openstack-meeting-cp		18:43
*** yamahata has joined #openstack-meeting-cp		18:45
*** david-lyle has joined #openstack-meeting-cp		18:45
*** iyamahat_ has quit IRC		18:54
*** david-lyle has quit IRC		18:54
*** iyamahat has joined #openstack-meeting-cp		18:54
*** diablo_rojo has quit IRC		18:55
*** diablo_rojo has joined #openstack-meeting-cp		18:55
*** david-lyle has joined #openstack-meeting-cp		19:01
*** david-lyle has quit IRC		19:02
*** iyamahat has quit IRC		19:07
*** iyamahat has joined #openstack-meeting-cp		19:08
*** david-lyle has joined #openstack-meeting-cp		19:21
*** david-lyle has quit IRC		19:34
*** david-lyle has joined #openstack-meeting-cp		19:35
*** david-lyle has quit IRC		19:53
*** david-lyle has joined #openstack-meeting-cp		20:04
*** iyamahat has quit IRC		20:36
*** iyamahat has joined #openstack-meeting-cp		20:43
*** david-lyle has quit IRC		20:45
*** david-lyle has joined #openstack-meeting-cp		21:04
*** edmondsw has quit IRC		21:51
*** edmondsw has joined #openstack-meeting-cp		21:53
*** edmondsw has quit IRC		21:58
*** MarkBaker has joined #openstack-meeting-cp		22:15
*** spilla has quit IRC		22:17
*** edmondsw has joined #openstack-meeting-cp		22:32
*** edmondsw has quit IRC		22:37
*** edmondsw has joined #openstack-meeting-cp		22:48

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!