Thursday, 2021-01-21

« Wednesday, 2021-01-20 Index Friday, 2021-01-22 »
*** rbudden has quit IRC00:03
*** jamesmcarthur has joined #openstack-meeting00:11
*** macz_ has quit IRC00:30
*** jamesmcarthur has quit IRC00:40
*** jmasud has quit IRC00:46
*** mlavalle has quit IRC00:49
*** jmasud has joined #openstack-meeting00:54
*** armax has joined #openstack-meeting01:11
*** jamesdenton has quit IRC01:33
*** jamesden_ has joined #openstack-meeting01:34
*** baojg has joined #openstack-meeting01:36
*** armax has quit IRC01:44
*** xinranwang has joined #openstack-meeting02:01
*** ricolin_ has joined #openstack-meeting02:14
*** lbragstad_ is now known as lbragstad02:15
*** rbudden has joined #openstack-meeting03:15
*** jmasud has quit IRC03:17
*** jmasud has joined #openstack-meeting03:25
*** jmasud has quit IRC03:46
*** yasufum has joined #openstack-meeting03:58
*** ricolin_ has quit IRC04:20
*** macz_ has joined #openstack-meeting04:21
*** ricolin has joined #openstack-meeting04:24
*** macz_ has quit IRC04:25
*** jmasud has joined #openstack-meeting04:28
*** yamamoto_ has joined #openstack-meeting04:51
*** yasufum_ has joined #openstack-meeting04:52
*** yamamoto has quit IRC04:52
*** yasufum has quit IRC04:52
*** yasufum_ is now known as yasufum04:52
*** jmasud has quit IRC05:02
*** xinranwang has quit IRC05:07
*** ricolin has quit IRC05:11
*** ricolin has joined #openstack-meeting05:24
*** jmasud has joined #openstack-meeting05:31
*** evrardjp has quit IRC05:33
*** evrardjp has joined #openstack-meeting05:33
*** rbudden has quit IRC05:43
*** vishalmanchanda has joined #openstack-meeting05:58
*** rcernin has quit IRC06:07
*** jmasud has quit IRC06:26
*** jmasud has joined #openstack-meeting06:30
*** psahoo has joined #openstack-meeting06:34
*** yasufum_ has joined #openstack-meeting06:41
*** yasufum has quit IRC06:41
*** yasufum_ is now known as yasufum06:41
*** gyee has quit IRC06:46
*** psahoo_ has joined #openstack-meeting06:58
*** psahoo has quit IRC07:02
*** lpetrut has joined #openstack-meeting07:10
*** ralonsoh has joined #openstack-meeting07:41
*** jmasud has quit IRC07:53
*** slaweq has joined #openstack-meeting07:58
*** yasufum has quit IRC07:58
*** e0ne has joined #openstack-meeting07:58
*** yasufum has joined #openstack-meeting07:58
*** ociuhandu has joined #openstack-meeting08:00
*** ociuhandu has quit IRC08:05
*** jamesden_ has quit IRC08:05
*** jamesdenton has joined #openstack-meeting08:06
*** rpittau|afk is now known as rpittau08:11
*** tosky has joined #openstack-meeting08:16
*** bbowen_ has joined #openstack-meeting08:44
*** bbowen has quit IRC08:46
*** ociuhandu has joined #openstack-meeting08:58
*** jmasud has joined #openstack-meeting09:03
*** ociuhandu has quit IRC09:04
*** ociuhandu has joined #openstack-meeting09:10
*** ociuhandu has quit IRC09:14
*** lpetrut_ has joined #openstack-meeting09:34
*** tosky has quit IRC09:36
*** tosky_ has joined #openstack-meeting09:36
*** lpetrut has quit IRC09:37
*** yamamoto_ has quit IRC09:39
*** tosky_ is now known as tosky09:43
*** jamesdenton has quit IRC10:00
*** jamesdenton has joined #openstack-meeting10:01
*** ociuhandu has joined #openstack-meeting10:18
*** yamamoto has joined #openstack-meeting10:22
*** jmasud has quit IRC10:25
*** yamamoto has quit IRC10:28
*** yasufum has quit IRC10:28
*** dsariel has joined #openstack-meeting10:56
*** rcernin has joined #openstack-meeting11:23
*** e0ne has quit IRC11:28
*** baojg has quit IRC11:41
*** bbowen_ has quit IRC11:53
*** bbowen has joined #openstack-meeting11:53
*** yamamoto has joined #openstack-meeting11:56
*** rcernin has quit IRC11:57
*** ricolin has quit IRC12:06
*** jamesdenton has quit IRC12:18
*** jamesdenton has joined #openstack-meeting12:19
*** raildo has joined #openstack-meeting12:38
*** yamamoto has quit IRC12:40
*** ociuhandu has quit IRC12:49
*** seba has joined #openstack-meeting13:02
*** rh-jelabarre has joined #openstack-meeting13:02
*** tosky has quit IRC13:06
*** tosky has joined #openstack-meeting13:06
*** ricolin has joined #openstack-meeting13:08
*** yamamoto has joined #openstack-meeting13:13
*** yamamoto has quit IRC13:18
*** yamamoto has joined #openstack-meeting13:18
*** ociuhandu has joined #openstack-meeting13:23
*** dmacpher has quit IRC13:23
*** dmacpher has joined #openstack-meeting13:28
*** rosmaita has joined #openstack-meeting14:04
*** yasufum has joined #openstack-meeting14:05
jokke#startmeeting glance14:09
openstackMeeting started Thu Jan 21 14:09:23 2021 UTC and is due to finish in 60 minutes.  The chair is jokke. Information about MeetBot at http://wiki.debian.org/MeetBot.14:09
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:09
*** openstack changes topic to " (Meeting topic: glance)"14:09
openstackThe meeting name has been set to 'glance'14:09
jokke#topic roll-call14:09
*** openstack changes topic to "roll-call (Meeting topic: glance)"14:09
jokkeo/14:09
rosmaitao/14:09
jokke#link https://etherpad.openstack.org/p/glance-team-meeting-agenda14:10
dansmitho/14:11
dansmithisn't abhishekk back today?14:11
jokkeTomorrow, they had good Wedding week ;)14:11
dansmithdang14:11
jokkeI think that's everyone so lets get started14:12
rosmaitawell, best wishes from the glance team to the newlyweds!14:12
dansmithit is his sister I think14:12
jokke#topic release updates14:13
*** openstack changes topic to "release updates (Meeting topic: glance)"14:13
jokke#undo14:13
openstackRemoving item from minutes: #topic release updates14:13
rosmaitadansmith: yes, but still14:13
jokkeindeed his sister14:13
jokkeand indeed big GZ!14:13
jokke#topic release updates14:13
*** openstack changes topic to "release updates (Meeting topic: glance)"14:13
jokkeSo we have m-2 release patch waiting ofr the release team to get it tagged14:13
jokkenothing special on that14:14
jokke#topic reserved image properties14:14
*** openstack changes topic to "reserved image properties (Meeting topic: glance)"14:14
jokkedansmith: I think this is yours14:14
rosmaitai forget why i put that on the agenda14:15
dansmithpatches are up, would love some review :)14:15
rosmaitaoh, yeah, there are some side impacts14:15
jokke#link https://review.opendev.org/q/topic:%22os-glance-namespace%22+(status:open%20OR%20status:merged)14:15
dansmithI have a nova fix also because nova was abusing some props that this will prevent14:15
rosmaitai think we need to remove that deprecated option that disallows custom image properties14:16
jokke#link  https://specs.openstack.org/openstack/glance-specs/specs/ussuri/approved/glance/deprecate-allow-custom-props.html14:16
jokkethat one14:16
rosmaitayep14:16
rosmaitai guess it's assigned to me, but i wonder if cyril might pick it up14:17
dansmiththat needs to go before the reserved props? just because they could technically put reserved props in the additional list?14:17
jokkeI also think we should not count os_glance_* for the quota14:17
dansmithoh, yeah, I was supposed to look at that, but this doesn't change behavior if we're already doing that14:18
rosmaitai agree, though am not sure how easy that will be14:18
rosmaitai think our quota management is onion-layered14:18
jokkeI'm pretty sure it is14:18
rosmaitayeah, so the short-term fix would be set a min on the quota that allows for maybe 5 or so of those properties14:19
rosmaitaand dansmith to answer your question, i am not sure whether the reserved properties would be blocked if custom properties are disallowed14:20
rosmaitanot sure where that enforcement happens14:20
dansmithrosmaita: the enforcement is at the API layer, so I think not14:20
rosmaitaok, that would be good14:20
rosmaitai think we still need to remove the custom properties turnoff, because all sorts of services rely on them14:21
*** rajivmucheli has joined #openstack-meeting14:21
rosmaitabut maybe we don't have to absolutely do it in wallaby14:22
jokkeI think we need to deprecate it and wait at least a cycle anyways14:22
dansmithdoes that mean execute on the planned deprecation or cancel the deprecation?14:22
jokkeas per the standard deprecation policy14:22
rosmaitai thought it was deprecated already14:22
rosmaitai will check14:22
jokkeohh, might be my bad. if it was indeed deprecated in ussuri where that spec is, we should be fine removing it now14:23
dansmithright, so I'm asking if rosmaita is talking about undeprecating, or continuing on removal14:24
rosmaitayes, glance conf is showing deprecated since ussuri14:24
rosmaitai am talking about removing it14:24
rosmaitacontinuing with the deprecation14:24
dansmithokay, you said "remove the custom turnoff, because people rely on it" so I was all confused :)14:24
rosmaitai wasn't sure if it would impact glance's own use of additional properties14:24
rosmaitasorry, what i meant was14:24
rosmaitaall sorts of services use custom image properties (like cinder_encryption_key_id)14:25
rosmaitaand some hypervisor stuff for nova14:25
*** macz_ has joined #openstack-meeting14:25
rosmaitaso if you turn them off, all sorts of stuff will break in your cloud14:25
rosmaitaso we should remove the temptation to turn them off14:26
dansmithright, but this is just talking about removing the static list of allowed ones yeah?14:26
*** markmcclain has quit IRC14:26
rosmaitano14:26
rosmaitathere's an option that restricts whether *any* properties outside the image schema are allowed14:26
jokkedansmith: we have config option that allows deployer to turn off all custom properties that are not supplied by glance14:26
dansmithoh, it's a toggle I see14:26
dansmithsorry, I thought it was a list for some reason. I'm caught up now14:27
rosmaitayeah, not sure why it was there, but it was14:27
jokkeI think that's still remains from the Images API v1 times14:27
jokkeso very early days14:28
rosmaitayeah, before the "quotas" were introduced14:29
rosmaitai blame jay pipes!14:29
jokkeWhat I do not know is if we can change the minimum quota or if we just need to document it14:29
rosmaitagood question14:30
dansmithwhat happens if the user uses all N on create,14:30
*** macz_ has quit IRC14:30
rosmaitathat would be a problem14:30
dansmithand then when we go to import... will glance get stuck unable to add os_glance_importing_to_stores?14:30
rosmaitathat requires some investigation14:31
rosmaitacomes down to where the enforcement actually happens14:31
jokkedansmith: that's why I was saying we just shouldn't count the os_glance_ in the quota at all now when we're preventing external setting of them14:31
dansmithwell, if it's onioned, I expect way below the api14:31
dansmithjokke: yep, I'm totally on board with that,14:32
dansmithI'm just saying maybe upping the minimum isn't good enough14:32
rosmaitathat's my worry, it was implemented while markwash was PTL iirc14:32
rosmaitaand he was big on the onion14:32
dansmithoh, is that who I should name my voodoo doll after?14:32
jokkedansmith: agreed and I don't know if we even can do that. Even changing some default values has been massive fight with QA, so I guess if tempest is testing any of the property quota stuff, changing it will be no-go14:33
rosmaitai'm pretty sure they don't14:33
dansmithI don't think that'd be a fight, FWIW, but that's a good reason to actually exclude it from the quota, in addition to the DoS problem14:34
jokkeYeah I don't think enforcing minimum quota will do any good if someone decides that they want feck around14:35
jokkeanything else about this?14:38
*** vishalmanchanda has quit IRC14:38
rosmaitaonly whether we have an action item14:39
rosmaitai guess dansmith will look into this?14:39
dansmithI still don't think either of these things are important to do before we land this enforcement,14:39
dansmithbecause the enforcement doesn't change the results of either14:39
rosmaitai don't disagree, just think we need to have a better understanding of the quota issue before RC time14:40
jokkecorrect I don't see reason why they should land before landing the enforcement patch. Just need to make sure we get it sorted for the release.14:40
jokkerosmaita: ++14:40
jokkeif it's not trivial to filter the quota enforcement, let file a bug for it so we have tracker14:41
dansmithwell, not sure why before the release,14:41
rosmaitaright, and if dansmith casts it as a DoS issue, should be backportable14:41
dansmithsince the enforcement patch isn't changing the number of keys we're using14:41
dansmithbut obviously it's a good idea to figure it out14:42
dansmithrosmaita: it's kindof a self-dos really, so not super impactful I think14:42
rosmaitai agree14:42
dansmith"user can prevent ... themselves from using resources" :P14:42
jokkewell it's yet another very crappy user experience thing ... although I have no idea if anyone is actually using the property quotas14:44
jokkeAnyways we need to have it fixed or well documented before we push release out14:45
rosmaitai think the default is 12814:45
rosmaitaso probably no one has run up against this14:45
jokkeand it's separate even without the enforcement as you can still shoot yourself into the foot as we are now14:45
jokkerosmaita: yeah, haven't heard anyone asking about it yet14:46
jokkemoving on14:46
*** markmcclain has joined #openstack-meeting14:46
jokke#topic bug fest14:46
*** openstack changes topic to "bug fest (Meeting topic: glance)"14:46
jokkeJust reminder, bug scrub Tuesday next week as it will be milestone+1 week14:47
jokke#topic Open discussion14:47
*** openstack changes topic to "Open discussion (Meeting topic: glance)"14:47
jokkeAnything else?14:48
dansmithI have a hard stop in 13 minutes,14:48
dansmithbut would definitely like to talk about the distributed import stuff14:48
rajivmuchelijokke did you get a chance to validate the version issue ? pbr commit ?14:48
rosmaitajokke: left a comment on your ceph optimization spec14:48
rosmaitadansmith: i am all ears14:48
dansmithrosmaita: well, I'd mostly like to hear review comments :)14:49
rosmaitaoh14:50
jokkerajivmucheli: still on my list to look. So all: just pointer what we're talking about. rajivmucheli is seeing glance-api reporting version 19.0.0 since Train. Not sure yet wether that is problem on our end or on their fork of the repo, but it's weird anyways14:50
*** TrevorV has joined #openstack-meeting14:50
rajivmuchelii see the glance_store upgraded but not glance-api version.14:51
jokkerosmaita: thanks, just quick remark. I will need to double check that but IIUC that feature has been in RADOSLib for ages, we're just not using it14:52
rosmaitacool14:52
jokkerosmaita: as that's what cephclient is using14:52
jokkefor long time14:52
jokkeIf there's nothing else, lets give dansmith 4min to stretch and rest of us can get back to work :D14:55
rosmaitanothing from me14:56
jokkekk, we can continue is #openstack-glance for anything else. Thanks All!14:56
jokke#endmeeting14:57
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/"14:57
openstackMeeting ended Thu Jan 21 14:57:02 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)14:57
openstackMinutes:        http://eavesdrop.openstack.org/meetings/glance/2021/glance.2021-01-21-14.09.html14:57
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/glance/2021/glance.2021-01-21-14.09.txt14:57
openstackLog:            http://eavesdrop.openstack.org/meetings/glance/2021/glance.2021-01-21-14.09.log.html14:57
gagehugo#startmeeting security15:00
openstackMeeting started Thu Jan 21 15:00:26 2021 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
*** openstack changes topic to " (Meeting topic: security)"15:00
openstackThe meeting name has been set to 'security'15:00
gagehugo#link https://etherpad.opendev.org/p/security-agenda agenda15:00
fungiahoy15:01
gagehugoo/15:01
*** rosmaita has left #openstack-meeting15:02
redrobot\o15:05
gagehugoNothing on the agenda today15:06
gagehugo#topic open discussion15:06
*** openstack changes topic to "open discussion (Meeting topic: security)"15:06
gagehugoAnyone have anything?15:06
fungi#link https://bugs.launchpad.net/ossa Public reports of suspected vulnerabilities in need of review15:08
fungii think there are 29 at the moment (if you're logged in as a vulnerability manager you may see a higher number)15:08
fungirevisiting private reports, it seems we have one where the embargo has expired too, i'll open it up now15:10
fungi#link https://launchpad.net/bugs/1892848 XSS in adding JavaScript into the ‘Subnet Name’ field15:11
openstackLaunchpad bug 1892848 in OpenStack Security Advisory "XSS in adding JavaScript into the ‘Subnet Name’ field" [Undecided,Incomplete]15:11
fungiso that brings the total up to 30 which would be nice to get some folks to weigh in on15:12
fungii should revisit my earlier idea to sort them by project and send a list to th eopenstack-discuss ml15:13
redrobotI'll try to make some time to review some of those. Not sure how useful I'll be though. 😅15:13
*** rajivmucheli has quit IRC15:14
gagehugothanks fungi, anyone else have anything?15:18
*** cmart has quit IRC15:19
fungithat was all i had for this week. i'll try to send something to the ml, but infra fires have dominated my available time recently15:19
*** irclogbot_3 has quit IRC15:21
gagehugoyeah, coming back from vacation has consumed most of my time lately15:22
gagehugothanks fungi, redrobot! Have a good rest of the week!15:22
*** irclogbot_3 has joined #openstack-meeting15:22
gagehugo#endmeeting15:22
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/"15:22
openstackMeeting ended Thu Jan 21 15:22:43 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:22
openstackMinutes:        http://eavesdrop.openstack.org/meetings/security/2021/security.2021-01-21-15.00.html15:22
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/security/2021/security.2021-01-21-15.00.txt15:22
openstackLog:            http://eavesdrop.openstack.org/meetings/security/2021/security.2021-01-21-15.00.log.html15:22
fungithanks gagehugo!15:22
*** armax has joined #openstack-meeting15:25
*** cmart has joined #openstack-meeting15:27
*** rh-jelabarre has quit IRC15:27
*** rh-jelabarre has joined #openstack-meeting15:31
*** lpetrut_ has quit IRC15:42
*** armax has quit IRC15:48
*** jmasud has joined #openstack-meeting15:51
*** psahoo_ has quit IRC15:51
*** mlavalle has joined #openstack-meeting15:51
*** yasufum has quit IRC15:54
*** macz_ has joined #openstack-meeting15:59
*** macz_ has quit IRC15:59
*** macz_ has joined #openstack-meeting16:00
*** armax has joined #openstack-meeting16:06
*** dklyle has joined #openstack-meeting16:08
*** e0ne has joined #openstack-meeting16:29
*** gyee has joined #openstack-meeting16:32
*** lpetrut has joined #openstack-meeting16:42
*** ociuhandu_ has joined #openstack-meeting16:49
*** lpetrut has quit IRC16:50
*** armstrong has joined #openstack-meeting16:51
*** jamesmcarthur has joined #openstack-meeting16:51
*** armax has quit IRC16:52
*** ociuhandu has quit IRC16:53
*** ociuhandu_ has quit IRC16:54
*** njohnston is now known as njohnston|lunch17:01
*** lpetrut has joined #openstack-meeting17:40
*** diablo_rojo has quit IRC17:41
*** rpittau is now known as rpittau|afk17:42
*** ralonsoh has quit IRC17:52
*** rcernin has joined #openstack-meeting17:54
*** lpetrut has quit IRC17:55
*** rcernin has quit IRC17:59
gmann#startmeeting policy_popup18:02
openstackMeeting started Thu Jan 21 18:02:33 2021 UTC and is due to finish in 60 minutes.  The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.18:02
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.18:02
*** openstack changes topic to " (Meeting topic: policy_popup)"18:02
openstackThe meeting name has been set to 'policy_popup'18:02
lbragstado/18:02
gmannseems two of us, let's quickly discuss the things18:04
gmann#link https://etherpad.opendev.org/p/default-policy-meeting-agenda18:04
gmanntoday agenda18:04
gmannwe had few action item from previous meeting18:04
gmanngmann to check with abhishekk on glance point in meeting agenda18:05
gmannI am not sure i did it so continuing this18:05
gmann#action gmann to check with abhishekk on glance point in meeting agenda18:05
gmanngmann to push common persona on oslo policy and release 3.6.1 and lbragstad to review that18:05
gmannlbragstad: i think you pushed this18:05
lbragstadwe had a little debate on that in review18:05
lbragstadyeah - and we weren't quite sure what to do with scope_types18:06
gmann#link https://review.opendev.org/c/openstack/oslo.policy/+/76653618:06
lbragstadfor example, if we set scope_types on personas in oslo.policy, do we expect projects to override them in the actual implementation?18:07
lbragstadthat wasn't really clear and we weren't sure what the best approach was18:07
lbragstadso it fizzled out18:07
gmannyeah having system_scope:all in check_str and not scope_type seems little conflicting18:08
lbragstadand i can see how that causes confusion18:08
lbragstadi don't really care for duplicated check string in each service, but i think i'd rather have that than push something through without thinking about how best to handle it18:09
gmannand we can leave scope_type for service side rule to take care of?18:09
gmannlike done in nova18:10
lbragstadwe could - but we need to ensure nested DocumentedDefaultRules work as expected with scope checking18:10
gmanni see your point. i think it work fine as in nova18:11
gmannbut we can add test in oslo.policy side too18:11
lbragstadi don't think i've seen a case where we nest them18:11
gmannah you mean keeping in both?18:12
gmanncommon rule as well as in specific rule too18:12
lbragstadwell - a lot of the services will use the composite rules in their services specific policies, right?18:12
lbragstadwith check_str=rule:system_admin -> which is ultimately imported as a DocumentedRuleDefault instance from oslo.policy18:13
gmannbut is common rule going to be registered  as registered rule in oslo policy?18:13
gmannbecause oslo policy only checks scope type from register rules  https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L102618:14
gmannanyways i was thinking to remove the scope_type from common rules and let service side to define that in their policy18:14
lbragstadcorrect - but the additional recommendation was to use DocumentedDefaultRule for each common persona (check string) so that the definitions for system-admin, system-reader, etc... are all consistent18:14
lbragstadacross the implementations in services18:15
gmannotherwise it is confusing in both way 1. if not checked in oslo policy or 2. checked and erorr18:15
gmannyeah DocumentedRuleDefault rule does not force scope_type18:16
gmannhttps://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L125618:16
lbragstadright18:16
lbragstadit's optional18:16
lbragstadbecause it landed in oslo.policy prior to the scope work in keystone and related libraries18:16
gmannbut we cannot make it mandatory until we remove the old/existing policy completely18:17
lbragstadso - the approach i proposed was to implement the common persona check strings as instances of DocumentedRuleDefault because we thought it would be nice to have the same definition/help text for each common personas18:17
gmannthat time we can pass some special case for common rules and ignore those in actrual checking  ?18:17
gmann+1 fo that18:18
gmannfor18:18
lbragstadotherwise - we could just do something SYSTEM_ADMIN = 'role:admin and system_scope:all'18:18
lbragstadif the common bits are just strings, then we shouldn't have any problems putting them in oslo.policy as constants18:18
lbragstadotherwise - it was going to be SYSTEM_ADMIN = policy.DocumentedRuleDefault(name='rule:system_admin', check_str='role:admin and system_scope:all')18:19
lbragstadand the second case was causing some confusion18:19
gmannother problem with having it  DocumentedRuleDefault  is about deprecation https://review.opendev.org/c/openstack/oslo.policy/+/766536/1/oslo_policy/personas.py#9718:20
lbragstadright18:20
gmannand for that services need to define other common rule there side even we make oslo policy common as constant or DocumentedRuleDefault18:20
gmannor we can provide set method on DocumentedRuleDefault  to set the deprecated rule info18:21
lbragstadok - so are we saying we should or shouldn't move forward with the common personas as DocumentedRuleDefaults in oslo.policy?18:23
gmannhumm, i would like to have in DocumentedRuleDefaults  but from current challenges it seems difficult and going with constant seems easy18:25
gmannat least it can be helpful when we remove the 'system:all' special string18:25
lbragstadi need more time to think about it and the ramifications of how it's going to work and test it18:26
gmannok,18:26
gmannI will also try to consume it on nova side and see how it work/look18:26
gmann#action lbragstad to continue on common persona on oslo policy18:26
lbragstadfor the most part, i've proposed audits for each api and almost all the new check strings are consistent (even if they are duplicated)18:26
gmannok.18:27
gmannone more challenge i see in common persona is how to change them 'remove system:all' all together for all projects or one by one.18:28
gmannbut need to think more on this18:28
lbragstad++18:28
gmannanyways let's continue brainstorming on this.18:28
gmannnext Action item is18:29
gmannlbragstad to finish placement as first18:29
gmannI started review the placement patches and I think i should be able to do tomorrow18:29
lbragstad#link https://review.opendev.org/q/topic:%2522secure-rbac%2522+(status:open+OR+status:merged)+project:openstack/placement18:29
gmannstephen is already +2 on most of them i think18:29
lbragstadso - i think placement is pretty much done18:29
gmanncool, thanks for that.18:29
lbragstadi'm working on cinder and ironic now - and we're trying to work through testing strategies with ddt18:30
gmannok18:30
lbragstadironic has a pretty good start18:30
gmannwith unit tests?18:30
lbragstadthey're testing everything that's supported by the legacy RBAC approach18:30
lbragstadthey're using functional API tests with ddt18:30
gmannoh they do not use policy fixture?18:30
gmanni mean testing on actual default policy?18:31
lbragstadyeah - they're testing all the default policies that exist today without any of the secure rbac changes18:31
gmanngreat18:31
lbragstadso - they want protection testing for project-admin and project-member use cases18:31
lbragstadas a starting point18:32
gmanni see.18:32
lbragstadand then as they implement the various personas, they're going to add new tests for the additional personas18:32
lbragstad(each class will inherit a different setup that sets the oslo-policy config options that opt them into the new world of enforcement)18:32
gmann+1, that is nice.18:32
lbragstadi'm attempting to do the same thing with cinder right now18:33
*** e0ne has quit IRC18:33
gmannbut there you have to write all these new tests like done in nova18:33
lbragstadi'm not sure how far i'm going to get in two weeks - but i'd like to have enough of a start for others to start jumping in18:33
gmannI can take care of glance after checking with glance team which is fist AI18:34
gmannmy JSON->YAML work is almost done, need to debug some failure thoguh18:34
lbragstad++18:35
lbragstadsounds good18:35
gmannlet's move next18:35
gmannlast action item is raildo to update https://review.opendev.org/#/c/743318/18:35
gmannhe updated that seems.18:36
gmannI think we also covered the agenda topics also as part of action item.18:36
gmannlbragstad: anything else you have to discuss?18:36
gmannhave/want18:36
lbragstadi posted this to the openstack-discuss mailing list18:37
lbragstadhttp://lists.openstack.org/pipermail/openstack-discuss/2021-January/019916.html18:37
raildogmann, yo, yeah, I have updated the docs suggestions, but I believe that would be nice to create some spec for the "visibility" function discussed on the previous patch set18:37
gmannah i see18:37
lbragstadjust clarifying some points that have been brought regarding and important distinction between reader and auditor usecases18:37
lbragstadan important*18:37
raildo#link https://review.opendev.org/c/openstack/glance/+/742810/3/doc/source/admin/interoperable-image-import.rst18:37
gmannlbragstad: +1, that was really nice info. should we add that in some doc in keystone side or so?18:38
lbragstadalready done18:39
lbragstad#link https://review.opendev.org/c/openstack/keystone/+/77150918:39
gmannraildo: yeah, that case we can cover.18:39
gmannlbragstad: ah nice :) thanks18:39
lbragstadif you want to review it18:40
gmannyeah sure, I will check.18:40
gmannso raildo point for 'visibility' is in many places in neutron side i think18:40
lbragstadhttps://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_527/771509/1/check/openstack-tox-docs/5276478/docs/admin/service-api-protection.html#reader18:40
raildoyeah, it might want to discuss about this on the next PTG-ish?18:40
gmannraildo: ok and merge the current version of 743318/ for now or you want to hold it?18:42
*** jamesdenton has quit IRC18:43
raildogmann, I would that we can merge it, I already adding a note saying that we'll discuss the visibility in a future18:43
raildoI would say*18:43
*** jamesdenton has joined #openstack-meeting18:43
gmann+1 from me.18:44
gmannI will review the latest version.18:44
gmannthanks18:44
gmannanything else to discuss?18:44
lbragstadi'm good18:44
raildonope18:45
gmannthanks lbragstad raildo .18:45
lbragstadthanks gmann18:45
gmann#endmeeting18:45
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/"18:45
openstackMeeting ended Thu Jan 21 18:45:23 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)18:45
openstackMinutes:        http://eavesdrop.openstack.org/meetings/policy_popup/2021/policy_popup.2021-01-21-18.02.html18:45
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/policy_popup/2021/policy_popup.2021-01-21-18.02.txt18:45
openstackLog:            http://eavesdrop.openstack.org/meetings/policy_popup/2021/policy_popup.2021-01-21-18.02.log.html18:45
*** _mlavalle_1 has joined #openstack-meeting18:59
*** njohnston|lunch is now known as njohnston19:02
*** mlavalle has quit IRC19:03
*** haleyb has quit IRC19:27
*** dougwig has quit IRC19:27
*** dougwig has joined #openstack-meeting19:28
*** haleyb has joined #openstack-meeting19:28
*** jamesmcarthur has quit IRC19:52
*** slaweq has quit IRC19:55
*** jamesmcarthur has joined #openstack-meeting20:03
*** jamesdenton has quit IRC20:06
*** jamesdenton has joined #openstack-meeting20:06
*** irclogbot_3 has quit IRC20:14
*** tosky has quit IRC20:14
*** tosky has joined #openstack-meeting20:15
*** irclogbot_0 has joined #openstack-meeting20:16
*** jmasud has quit IRC20:34
*** jmasud has joined #openstack-meeting20:44
*** TrevorV has quit IRC21:12
*** raildo has quit IRC21:41
*** manpreet has quit IRC21:43
*** jamesmcarthur_ has joined #openstack-meeting21:45
*** jamesmcarthur has quit IRC21:49
*** rcernin has joined #openstack-meeting21:54
*** rcernin has quit IRC21:59
*** jamesmcarthur has joined #openstack-meeting22:02
*** jamesmcarthur_ has quit IRC22:05
*** jmasud has quit IRC22:10
*** jmasud has joined #openstack-meeting22:12
*** rcernin has joined #openstack-meeting22:38
*** jamesmcarthur_ has joined #openstack-meeting22:51
*** jamesmcarthur has quit IRC22:55
*** rcernin has quit IRC22:56
*** rcernin has joined #openstack-meeting22:57
*** armstrong has quit IRC23:01
*** jamesmcarthur has joined #openstack-meeting23:02
*** yamamoto has quit IRC23:04
*** yamamoto has joined #openstack-meeting23:04
*** jamesmcarthur_ has quit IRC23:05
*** jamesmcarthur has quit IRC23:12
*** jamesmcarthur has joined #openstack-meeting23:16
*** jamesmcarthur has quit IRC23:16
*** jamesmcarthur has joined #openstack-meeting23:16
*** jmasud has quit IRC23:19
*** jmasud has joined #openstack-meeting23:22
*** ociuhandu has joined #openstack-meeting23:24
*** ociuhandu has quit IRC23:29
*** jamesmcarthur has quit IRC23:55
*** jamesmcarthur has joined #openstack-meeting23:59
« Wednesday, 2021-01-20 Index Friday, 2021-01-22 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!