Wednesday, 2018-01-10

*** felipemonteiro has quit IRC		00:40
*** markvoelker has joined #openstack-meeting-cp		00:43
*** markvoelker has quit IRC		00:45
*** markvoelker has joined #openstack-meeting-cp		00:49
*** markvoelker has quit IRC		00:50
*** david-lyle has joined #openstack-meeting-cp		00:58
*** markvoelker has joined #openstack-meeting-cp		01:08
*** markvoelker has quit IRC		01:09
*** felipemonteiro has joined #openstack-meeting-cp		01:25
*** felipemonteiro_ has joined #openstack-meeting-cp		01:47
*** felipemonteiro__ has joined #openstack-meeting-cp		01:51
*** felipemonteiro_ has quit IRC		01:51
*** felipemonteiro has quit IRC		01:51
*** felipemonteiro__ has quit IRC		01:55
*** iyamahat has joined #openstack-meeting-cp		01:57
*** iyamahat has quit IRC		02:00
*** sdague has quit IRC		02:01
*** felipemonteiro__ has joined #openstack-meeting-cp		02:07
*** david-lyle has quit IRC		02:07
*** iyamahat has joined #openstack-meeting-cp		02:07
*** iyamahat has quit IRC		02:09
*** felipemonteiro__ has quit IRC		02:18
*** harlowja has quit IRC		02:24
*** nhelgeson has quit IRC		02:34
*** iyamahat has joined #openstack-meeting-cp		02:34
*** lbragstad has quit IRC		02:54
*** david-lyle has joined #openstack-meeting-cp		04:46
*** david-lyle has quit IRC		04:53
*** coolsvap has joined #openstack-meeting-cp		04:59
*** harlowja has joined #openstack-meeting-cp		05:24
*** markvoelker has joined #openstack-meeting-cp		05:39
*** edmondsw has joined #openstack-meeting-cp		06:00
*** edmondsw has quit IRC		06:04
*** harlowja has quit IRC		07:49
*** iyamahat has quit IRC		08:44
*** markvoelker has quit IRC		09:08
*** coolsvap has quit IRC		10:29
*** markvoelker has joined #openstack-meeting-cp		11:08
*** yamahata has quit IRC		11:22
*** markvoelker has quit IRC		11:42
*** sdague has joined #openstack-meeting-cp		11:58
*** sdague has quit IRC		12:31
*** markvoelker has joined #openstack-meeting-cp		12:39
*** edmondsw has joined #openstack-meeting-cp		13:01
*** markvoelker has quit IRC		13:12
*** ttx has quit IRC		13:21
*** ttx has joined #openstack-meeting-cp		13:23
*** sdague has joined #openstack-meeting-cp		14:00
*** stvnoyes has joined #openstack-meeting-cp		14:05
*** markvoelker has joined #openstack-meeting-cp		14:10
*** zhipeng has joined #openstack-meeting-cp		14:15
*** lbragstad has joined #openstack-meeting-cp		14:38
*** coolsvap has joined #openstack-meeting-cp		14:40
*** markvoelker has quit IRC		14:43
*** iyamahat has joined #openstack-meeting-cp		14:46
*** markvoelker has joined #openstack-meeting-cp		14:51
*** iyamahat has quit IRC		14:56
*** iyamahat has joined #openstack-meeting-cp		14:56
*** felipemonteiro__ has joined #openstack-meeting-cp		14:57
*** felipemonteiro_ has joined #openstack-meeting-cp		14:59
*** felipemonteiro__ has quit IRC		15:03
*** markvoelker has quit IRC		15:03
*** iyamahat has quit IRC		15:03
*** iyamahat has joined #openstack-meeting-cp		15:09
*** iyamahat has quit IRC		15:24
*** iyamahat has joined #openstack-meeting-cp		15:26
*** iyamahat has quit IRC		15:33
*** felipemonteiro_ has quit IRC		15:33
*** felipemonteiro_ has joined #openstack-meeting-cp		15:34
*** markvoelker has joined #openstack-meeting-cp		15:37
*** david-lyle has joined #openstack-meeting-cp		15:43
*** yamahata has joined #openstack-meeting-cp		15:47
*** felipemonteiro__ has joined #openstack-meeting-cp		15:57
lbragstad	#startmeeting policy	16:00
openstack	Meeting started Wed Jan 10 16:00:02 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	16:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	16:00
*** openstack changes topic to " (Meeting topic: policy)"		16:00
openstack	The meeting name has been set to 'policy'	16:00
lbragstad	ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, kmalloc, raj_singh, johnthetubaguy, knikolla, nhelgeson	16:00
lbragstad	#link https://etherpad.openstack.org/p/keystone-policy-meeting	16:00
cmurphy	o/	16:00
edmondsw	o/	16:00
lbragstad	o/	16:00
lbragstad	so - we don't have anything on the agenda	16:00
lbragstad	#topic open discussion	16:00
*** openstack changes topic to "open discussion (Meeting topic: policy)"		16:00
lbragstad	but we can open it up in case anyone has topics	16:00
*** felipemonteiro_ has quit IRC		16:01
edmondsw	don't everyone talk at once... ;)	16:03
lbragstad	:)	16:03
lbragstad	just fyi - in case anyone finds this interesting	16:03
lbragstad	i'm refactoring all the system scope patches	16:03
lbragstad	specifically the bits for role assignments	16:03
*** dklyle has joined #openstack-meeting-cp		16:04
*** david-lyle has quit IRC		16:04
lbragstad	so that we don't use ?scope.system as a boolean	16:04
lbragstad	i should have those ready for review by eod	16:05
lbragstad	i'm hoping	16:05
lbragstad	but that's all i have	16:05
cmurphy	lbragstad: you brought up some questions at yesterday's meeting but i don't think edmondsw was there, do you want to bring it up again now?	16:06
lbragstad	sure - we can go through those	16:06
*** zhipeng has quit IRC		16:07
edmondsw	what'd I miss?	16:07
lbragstad	edmondsw: you know how the policy objects have an attribute for scope_types now?	16:07
edmondsw	yeah	16:07
lbragstad	i took a stab at trying to define those for all resources keystone owns	16:08
lbragstad	#link https://review.openstack.org/#/q/topic:add-scope-types+(status:open+OR+status:merged)	16:08
lbragstad	in doing so, it became apparent that different behaviors will be expected depending on the scope_types used in the request	16:09
edmondsw	yes	16:09
lbragstad	i attempted to highlight each of these cases with a FIXME https://review.openstack.org/#/c/526159/3/keystone/common/policies/project.py	16:09
lbragstad	#link https://review.openstack.org/#/c/526159/3/keystone/common/policies/project.py	16:09
lbragstad	yesterday, i brought it up during the keystone meeting to figure out how we should go about handling those	16:09
lbragstad	(does each one get a bug report, do all FIXMEs for a single resource get tracked for a bug, how do we want to organize the scope check code in keystone, etc..)	16:10
edmondsw	this was one of the things I brought up in Austin, I believe...	16:10
edmondsw	:)	16:10
lbragstad	the TL;DR at the end of the meeting was that we should filter some of the context information and policy information down to the managers (since this is essentially business logic)	16:11
edmondsw	you might want a blueprint to tackle those across keystone, or just start picking away at them under an existing blueprint, rather than try to file 100 bugs	16:11
lbragstad	yeah - yesterday we said pretty much the same thing, but instead of a blueprint, use a single bug "Fix all scope types for projects"	16:12
lbragstad	and that patch would address all FIXMEs in #link https://review.openstack.org/#/c/526159/3/keystone/common/policies/project.py	16:12
edmondsw	I guess even with a single bug could use multiple patches to fix it	16:13
lbragstad	sure	16:13
edmondsw	yep, will be very happy to see that fixed	16:13
lbragstad	but it wouldn't require a bug for a the FIXME on line 20 and another bug for the FIXME on line 32, etc...	16:13
edmondsw	yeah, that would get onerous	16:14
lbragstad	right..	16:14
lbragstad	so - that's what we talked about yesterday	16:14
edmondsw	cool, tx for the recap	16:14
lbragstad	but i expect each review to generate some discussion	16:14
knikolla	makes sense	16:14
lbragstad	at least for the resources that can be operated on with project scope and system scope	16:14
lbragstad	but... i'm hoping folks review so we can accurately document the behavior we want for each scope in the fixme	16:15
lbragstad	when the patch merges, i'll open a bug report for the resource and all of it's fixmes	16:15
*** gagehugo has joined #openstack-meeting-cp		16:15
lbragstad	which should make it easier to divvy up work	16:16
lbragstad	but things like:	16:16
lbragstad	#linkhttps://review.openstack.org/#/c/525695/	16:16
lbragstad	#link https://review.openstack.org/#/c/525695/	16:16
lbragstad	and #link https://review.openstack.org/#/c/525696/	16:16
lbragstad	should be pretty easy, since they only deal with system scope	16:16
lbragstad	(so not every review will generate a bug, which is good)	16:17
lbragstad	thoughts, comments, questions, or concerns?	16:18
*** markvoelker has quit IRC		16:19
edmondsw	when I flip on the scope enforcement, will it treat someone with a project-scoped token for the admin project as if that was a system-scoped token?	16:20
lbragstad	i haven't written any code that makes that mapping	16:21
lbragstad	but if someone has a policy that looking for the admin project and allows it for a policy, then it would work	16:21
edmondsw	without a warning? e.g. I don't want log warnings if I use an admin-project-scoped token to create an endpoint in the catalog	16:22
*** markvoelker has joined #openstack-meeting-cp		16:22
edmondsw	at least I don't think I do... maybe I do?	16:23
lbragstad	oslo policy issues the warning, but it doesn't understand the admin_project	16:23
knikolla	probably when we deprecate admin project?	16:23
lbragstad	it just attempts to look at the context passed in and determine project scope or system scope	16:23
lbragstad	and then compares that to the scope_types of the policy being enforced	16:24
edmondsw	I'm sorry I haven't kept up... but one of the things we talked about in Sydney was the need for clients (e.g. Horizon) to be able to do a variety of things with a single token, rather than have to get a differently-scoped token for everything	16:26
edmondsw	is that supported?	16:26
*** markvoelker has quit IRC		16:27
lbragstad	not - it isn't supported today.. but i do have an item on my list of things to do to write a PoC for a capabilities API	16:27
edmondsw	e.g. see all VMs in all projects with a single request	16:27
edmondsw	how would a capabilities API help?	16:28
lbragstad	s/not/no/	16:28
edmondsw	I think that solves a different problem	16:28
edmondsw	WHAT can I do vs. ALLOW me to do	16:28
lbragstad	well - it depends on how it is implemented	16:28
lbragstad	you could have the capabilities API return operations and have scope_types be part of that	16:29
* lbragstad is open to suggestions here		16:31
edmondsw	maybe horizon could get a project-scoped token for a domain that includes all projects if they want to list VMs in all projects with a single request... but nova would have to understand that that project-scope is the top-level domain	16:31
lbragstad	yes	16:32
lbragstad	in my mind, that's how it makes sense	16:32
edmondsw	which would be tricky	16:32
lbragstad	in order to do that, we'd need to get the hardcoded 'admin' role checks fixed	16:33
edmondsw	that too, but I'm worried about how nova would know which project is the top-level project	16:33
edmondsw	and all deployments would need to have a top-level project (domain)	16:34
lbragstad	they'd need to make a callback to keystone?	16:34
lbragstad	or get that information in middleware somehow?	16:34
lbragstad	(a similar pattern is going to exist with the unified limit work)	16:34
edmondsw	wait, what do we set as the parent for a top-level domain today?	16:35
edmondsw	there's a hidden root domain, right?	16:35
lbragstad	yes - but i think it is hidden to other services	16:35
lbragstad	i don't think we actually expose it?	16:35
edmondsw	we would need nova, etc. (or oslo_policy?) to understand that is the root so if someone has a token scoped to that they can do things across all projects	16:35
edmondsw	I guess we also have the issue of what if someone is scoped to a domain that is not top-level, and wants to list all VMs anywhere in that domain. Or at any other level in the hierarchy... nova/etc. have to understand hierarchy	16:36
lbragstad	yeah...	16:37
edmondsw	ugh	16:37
lbragstad	that's the idea	16:37
lbragstad	which is going to be hard to do, but seems like the proper way to implement it	16:37
edmondsw	yeah	16:37
edmondsw	I wonder if anyone will actually use system scoping until all that is addressed	16:38
lbragstad	this is what drove a lot of the questions i had yesterday	16:38
lbragstad	that's another good question	16:38
lbragstad	my guess is that people can use it for things that don't fall in the gray area between system scope and project scope	16:39
lbragstad	(e.g. using system scope to have cloud administrator manage endpoints/services)	16:39
lbragstad	or granting someone a reader role on the system	16:40
lbragstad	but yeah - all of this certainly becomes more useful when we start working the hierarchy (if present) into the service	16:41
edmondsw	yeah	16:42
lbragstad	at the same time, there is only so much code you can write in a release :)	16:42
edmondsw	no ;)	16:42
edmondsw	yeah, hopefully you've made a good stab at things	16:43
edmondsw	and we can build on it	16:43
lbragstad	right - and that's my hope	16:43
lbragstad	i'd like to get a good idea of this built out in keystone	16:43
lbragstad	and start tackling it in nova	16:43
lbragstad	then i'm hoping others will catch on and carry the model into their own projects	16:43
edmondsw	I'd suggest building things out in keystone and nova in parallel, since they are pretty different	16:45
edmondsw	will help us do things in a way that will work for both	16:46
lbragstad	yeah	16:46
lbragstad	i'll need to sit down with a few nova folks	16:46
lbragstad	but that would be a good topic for the PTG	16:46
edmondsw	yep	16:46
lbragstad	cross project topic*	16:46
edmondsw	and we went from having nothing to talk about to taking 45 minutes :)	16:47
lbragstad	++	16:47
lbragstad	it sounds like we're all on the same page with the scope-types stuff	16:48
*** felipemonteiro__ has quit IRC		16:48
*** felipemonteiro__ has joined #openstack-meeting-cp		16:48
edmondsw	I hope so	16:48
edmondsw	I haven't been able to keep up with the reviews	16:49
lbragstad	well - any feedback will be appreciated	16:51
lbragstad	and there are some easy ones up	16:51
edmondsw	the easy ones probably aren't the ones where my feedback would be valuable :)	16:52
lbragstad	projects, role assignments, credentials	16:52
edmondsw	honestly, I'm probably limited to attending this meeting at the moment	16:52
edmondsw	just too much on my plate	16:52
lbragstad	that's understandable	16:52
lbragstad	anything else we want to discuss?	16:53
edmondsw	it from me	16:54
lbragstad	cool - well thanks for the time	16:55
lbragstad	#endmeeting	16:55
*** openstack changes topic to "OpenStack Meetings \|\| https://wiki.openstack.org/wiki/Meetings"		16:55
openstack	Meeting ended Wed Jan 10 16:55:42 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	16:55
openstack	Minutes: http://eavesdrop.openstack.org/meetings/policy/2018/policy.2018-01-10-16.00.html	16:55
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2018/policy.2018-01-10-16.00.txt	16:55
openstack	Log: http://eavesdrop.openstack.org/meetings/policy/2018/policy.2018-01-10-16.00.log.html	16:55
*** dklyle has quit IRC		17:03
*** yamahata has quit IRC		17:05
*** harlowja has joined #openstack-meeting-cp		17:16
*** david-lyle has joined #openstack-meeting-cp		17:16
*** breton has quit IRC		17:31
*** zerick has joined #openstack-meeting-cp		17:39
*** iyamahat has joined #openstack-meeting-cp		17:40
*** iyamahat_ has joined #openstack-meeting-cp		17:40
*** iyamahat has quit IRC		17:40
*** zerick has quit IRC		17:41
*** zerick has joined #openstack-meeting-cp		17:42
*** felipemonteiro_ has joined #openstack-meeting-cp		17:43
*** zerick has quit IRC		17:45
*** zerick has joined #openstack-meeting-cp		17:46
*** felipemonteiro__ has quit IRC		17:46
*** iyamahat_ has quit IRC		17:58
*** iyamahat has joined #openstack-meeting-cp		18:00
*** david-lyle has quit IRC		18:07
*** coolsvap has quit IRC		18:18
*** felipemonteiro_ has quit IRC		18:19
*** felipemonteiro_ has joined #openstack-meeting-cp		18:19
*** nhelgeson has joined #openstack-meeting-cp		18:23
*** openstack has joined #openstack-meeting-cp		18:30
*** ChanServ sets mode: +o openstack		18:30
*** harlowja has quit IRC		18:37
*** david-lyle has joined #openstack-meeting-cp		18:59
*** felipemonteiro__ has joined #openstack-meeting-cp		19:03
*** felipemonteiro_ has quit IRC		19:06
*** harlowja has joined #openstack-meeting-cp		19:13
*** harlowja_ has joined #openstack-meeting-cp		19:16
*** harlowja has quit IRC		19:19
*** gagehugo has left #openstack-meeting-cp		19:23
*** breton has joined #openstack-meeting-cp		19:30
*** iyamahat has quit IRC		19:38
*** iyamahat has joined #openstack-meeting-cp		19:48
*** zerick has quit IRC		19:51
*** zerick_ has joined #openstack-meeting-cp		19:51
*** iyamahat has quit IRC		19:57
*** iyamahat has joined #openstack-meeting-cp		20:05
*** iyamahat has quit IRC		20:17
*** iyamahat has joined #openstack-meeting-cp		20:56
*** iyamahat_ has joined #openstack-meeting-cp		20:56
*** iyamahat has quit IRC		21:00
*** iyamahat_ has quit IRC		21:01
*** felipemonteiro__ has quit IRC		21:03
*** felipemonteiro__ has joined #openstack-meeting-cp		21:04
*** yamahata has joined #openstack-meeting-cp		21:13
*** felipemonteiro_ has joined #openstack-meeting-cp		21:20
*** felipemonteiro__ has quit IRC		21:23
*** felipemonteiro_ has quit IRC		21:32
*** felipemonteiro_ has joined #openstack-meeting-cp		21:33
*** yamahata has quit IRC		22:03
*** yamahata has joined #openstack-meeting-cp		22:04
*** yamahata has quit IRC		22:09
*** felipemonteiro__ has joined #openstack-meeting-cp		22:29
*** felipemonteiro_ has quit IRC		22:33
*** edmondsw has quit IRC		22:59
*** felipemonteiro__ has quit IRC		23:10
*** haint has quit IRC		23:41
*** sdague has quit IRC		23:47
*** SergeyLukjanov has quit IRC		23:53
*** SergeyLukjanov has joined #openstack-meeting-cp		23:54
*** edmondsw has joined #openstack-meeting-cp		23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!