Monday, 2026-05-04

« Tuesday, 2026-04-28 Index Wednesday, 2026-05-06 »
*** kevko7 is now known as kevko12:25
gmaan#startmeeting policy_popup18:01
opendevmeetMeeting started Mon May  4 18:01:32 2026 UTC and is due to finish in 60 minutes.  The chair is gmaan. Information about MeetBot at http://wiki.debian.org/MeetBot.18:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.18:01
opendevmeetThe meeting name has been set to 'policy_popup'18:01
gmaan#link https://etherpad.opendev.org/p/rbac-goal-tracking#L10018:01
gmaantoday agenda18:01
gmaanI will cover the two things here and we can discuss if anyone joined or would like to discuss18:02
gmaan#topic Reviews:18:02
gmaan#link https://review.opendev.org/c/openstack/horizon/+/92734218:03
gmaanthis is still pending on me, I need to test it more before open it for review18:03
gouthamro/18:03
gmaangouthamr: o/18:03
gmaan#topic Open Discussion:18:04
gmaanGlobal reader:18:04
gmaandiscussion started on ML, but i asked for volunteer and artem raised hand18:04
gmaan#link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/ZEKOWEMLY6F2RFFXVD37QRQPMB35H5PR/18:04
gmaananything on this to discuss other than what is discussed on ML18:05
gouthamrit looks like we could use a spec and re-design18:06
gmaanyes, start will be a spec in keystone like we did for manager role18:07
gouthamrsome of the questions on that discussion weren't as straight forward.. basically we need a "admin+readonly" role from what i recall the previous discussion18:07
gmaanonce we have that role in keystone/bootstrap then projects can start adding it18:07
gmaanadmin already has that capability it can read things everywhere18:07
gmaanhere we need a reader who can read across projects18:08
gmaanbut no write permission18:08
gmaanif that user need some right operation then required additional write can be assigned18:08
gouthamryes, excuse my framing of this.. i mean a "system scoped reader" in today's context can be reinterpreted as a "reader" but across projects, like "admin"18:08
gouthamri wonder if, we could do something in oslo-policy and keystone alone to enable this without changes to existing projects18:09
gmaanyeah, we will not have system scope but idea is to have a reader capability in complete system18:09
gmaanit need project code change as it is not just policy control because many projects has hardcoded admin check or query by project_id in DB18:10
gmaanI will say that is the big work here. keystone spec and bootstrap changes are small but needed for projects to start18:11
gouthamrack, but, those checks today can be bypassed by "role: admin".. so, if we did allow oslo-policy to "imply" permissions for this special role, we could solve this? 18:11
gmaanfor example, nova checks the admin in DB access so we need a good amount of code change there18:11
gmaandid not get? imply permission of new role to admin or otherway?18:12
gmaannew role should just imply the reader role hierarchy, it should not imply any higher permission role18:13
gmaanand also, oslo.policy should not imply the role permission instead that is controlled by the keystone as authorization module 18:14
cardoeSo some of the interest would also be more permissions than reader. Hence why I said auditor.18:14
cardoeSo nova for exa18:14
cardoeExample hides the hypervisor if you aren’t admin.18:14
cardoeBut openstack-exporter for example, it would be handy to see the hypervisor.18:14
gmaanthat is tricky and that is the reason we want to keep admin things away from auditor18:15
gmaanI mean that was what system reader was designed for18:15
cardoeThat’s why I was saying it might be good to start with a description of the persona of the use case.18:16
cardoeSystem reader could hide things away.18:16
gouthamrinteresting, if you're operating across projects, it should be as good as a (read-only) administrator? is there any benefit from paring this down further?18:16
gouthamracross projects/domains18:16
cardoeI actually started trying to define out these roles in ironic. Lemme find a link.18:17
gmaanglobal reader knowing admin level info also risk18:17
gouthamrack, i'd like to see an example... i can respond to gmaan's thread with a better articulated version of my idea so you can find holes18:18
gmaanfor example, nova does not allow non-admin user to live migrate by specifying the host but if a reader can know host info then it is risk for non-admin users to know the same and try live migration18:18
gouthamroh, but that'd fail?18:19
gmaanI think there are two separate use case ask: global reader + global admin reader18:19
cardoehttps://review.opendev.org/c/openstack/ironic/+/98670218:19
gouthamroh, i forgot nova lets managers to live migrate.. but, currently, not knowing the host names is the security measure against managers moving things somewhere they aren't supposed to? :D18:20
cardoeSo in our case we've got "Cloud Admins". Which these folks are our OpenStack admins. They know OpenStack and manage it and run it.18:20
gmaanyeah but allowing reader to know host things is also security risk18:20
cardoeBut we've also got "Cloud Operators" if you'll excuse the bad names. These folks aren't our OpenStack admins. But they handle the operational issues with hypervisors for example and other hardware.18:21
gmaancardoe: yeah, I think the is sovled in ironic anyways with the system reader but yes system level admin thing reader is not18:21
cardoeTools like openstack-exporter would be able to gather information like the hypervisor that instances are on to help us correlate and say "boxes matching pattern X" are leading to issue Y being reported.18:22
cardoeBut it's ultimately a read-only user that would be scraping that data.18:22
gmaanI am not against of 'global admin reader/exporter' but we still need the 'global reader (without knowing the system info)' as first step18:22
cardoegmaan: I don't disagree.18:23
cardoeI'm advocating for a handful of use cases here.18:23
gmaan++18:23
cardoeand while I'm linking an ironic doc, I'm using examples of not having ironic in play.18:23
cardoeI started out in ironic by writing a description of these types of users and what I'm saying is that I'm happy to write this up more generically somewhere else.18:24
cardoeAnd giving these users a fictitious name like "Ollie the Cloud Operator" and "Amy the Cloud Admin". Which is what I've seen done at many orgs for doing product feature planning / management.18:24
gmaanthanks, I think that is good direction. and keystone is the right place to describe it more generically 18:24
cardoeLike "who do you expect to use this feature"18:25
gouthamrgmaan: i think it's easier to work on the "admin+reader" thing though.. i can take a deeper look at implications and get back 18:25
cardoeIn small scale deployments one person might have many hats.18:25
gouthamreasier to first work*18:25
cardoeAt Rackspace how we've handled some of this is to have a service that reads the MySQL DB directly.18:26
gmaangouthamr: sure but let's keep both idea separate and spec so that we do not hold either of it if some objection18:26
cardoeI believe I've seen in Vexxhost's repos that they do the same thing as Rackspace.18:26
gouthamrgmaan: ++18:26
cardoeI know OVH has something similar as well.18:26
gmaancardoe: so that is specific service not role which is used to assign to users for DB read right?18:27
gmaanand used for debuggin only or any other use case?18:28
cardoeIt's a completely external service to work around the cases like you've mentioned where the project info is necessary in the nova DB access.18:28
cardoeSo attempting to access multiple projects at once is just not feasible today via the API.18:28
gmaanyeah, API restrict that at least currently 18:29
cardoeI'm just trying to step back and ask "why is it being done this way"18:29
gmaanI think doing those both reader role will be good and can avoid direct DB read or so18:29
cardoeAnd it's done this way because nova doesn't have that use case as something that's supported or even in their goals.18:29
cardoeAnd why not? Because there's no definition of a role that would work to secure that.18:30
cardoeAt least that's how I'm coming to the conclusion.18:30
gmaancardoe: I do not think we had any reason of 'doing this way' it is more of we are getting more ask/use case of it now and nobody is rejecting. In past also(AFAIK), nobody rejected it. Its just nobody started it.18:31
cardoeYep. Not saying anybody rejected it.18:31
gmaansystem reader was one of the idea to solve it but once we dropped system scoped role then nobody carry forward that use case and implemented alternate18:32
cardoeI'm just trying to not be hacky about it and do it the right way18:33
gmaanhonestly saying in my previous org (and current org also) I volunteer for the RBAC goal and tried my best as much as I can. 18:33
gmaanthere was no direct use case of these new role in my previous organization. and we lacked other org to come forwards and improve the RBAC18:33
gmaani agree, whole effort of SRBAC is to make defaults more usable the do hack. 18:34
gmaan*then do18:34
gouthamrack ty for all the pain so far, it's been a kinda sad state not to get the stated goal past the finish line too.. 18:34
gouthamrwhile we can discuss these improvements in parallel, where are we stuck on the current goal?18:35
gmaananyways I will wait for the specs and we can review it in detail covering the exact use cases18:35
gmaangouthamr: current goal is all good. These new use case are expanding the goal. 18:35
gmaanI do not think we need to drag the goal for every use case or every role. I will say it can move forward independent of goal also18:36
gmaanif we want to track it as a goal I will say we can start a new one instead of creating confusion on re-timelined the current goal18:36
gouthamryes18:36
cardoeYeah this can be a new one.18:37
gmaanand not sure if all projects need such global reader accounts18:37
gmaanI will say steps can be:18:39
gmaan1. spec in keystone for new roles18:39
gmaan2. implementation of the new role in keystone with bootstrap + imply other role if needed18:39
gmaan3. documentation in keystone to define 'what are these role and who should use it'. like what cardoe trying with other personas18:39
gmaan4. ask projects to adopt those18:39
gmaanas artem volunteer it and he is also keystone maintainer it matches with the above required steps 18:40
gmaanof course other member can join the effort18:40
gmaan4th one is project side which can be more work or less or no work at all which depends on how project implementation is18:40
gmaananything else on this ?18:41
gouthamr++18:41
gouthamrnothing from me. will think about this some more; but want to discuss the current goal a bit more 18:42
gmaansure18:42
gmaan let's close meeting then. thanks gouthamr cardoe for joinging18:42
gmaangouthamr: oh you mean to discuss today in meeting or later?18:43
gouthamrif phase 2 (service role) and phase 3 (project manager role) aren't done by someone, it could just mean that the OpenStack service doesn't care about this?18:43
gouthamrsorry, yes, was taking a minute to formulate that question18:43
gouthamri'm wondering how long we'll keep this goal around18:43
gmaannot sure, i have been asking the same question to projects but no clear answer18:43
gmaanas discussed in PTG, I will contionue the removal of enforce-scope things andin next PTG we can iterate on if we close or not18:44
gouthamrthat's great, ty for https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/M72AY5ABQFXQ7XHLVEGHLBBK4XFQGVFK/18:44
gmaanremoval of enforce-scope is the last things to do other than phase wise progress18:45
gmaanI will be sending the nova as an example to fix the testing on that18:45
gouthamrack, would be helpful18:45
gouthamryou're targeting this to milestone-2 (July 3rd)18:45
gmaanyes18:45
gouthamrthanks, good amount of time.. unless project teams are ignoring the urgency in your email :D 18:46
gmaanyeah, I will send more reminder in between but let's see18:46
gouthamr#link https://etherpad.opendev.org/p/rbac-goal-tracking#L7918:46
gouthamrthis is the list we know of atm18:46
gmaanyes18:46
gouthamri'll try to reiterate this with the TC and through the weekly email18:47
gmaani send the same in ML and also changes in gerrit18:47
gmaan++18:47
gmaan++18:47
gmaanthat will be helpful18:47
gouthamrack, based on the results of our testing, i was going to suggest wrapping up the goal18:48
gouthamrand writing up a recommendation document on "service" and "manager" personas18:48
gmaanyeah, once enforce_scope is removed I will try to wrap it up18:48
gmaanyeah18:48
gouthamrthanks gmaan, that's all i had :) 18:49
gmaank18:49
gmaanlet's close then, thanks again for the discussion18:49
gmaan#endmeeting18:49
opendevmeetMeeting ended Mon May  4 18:49:30 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)18:49
opendevmeetMinutes:        https://meetings.opendev.org/meetings/policy_popup/2026/policy_popup.2026-05-04-18.01.html18:49
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/policy_popup/2026/policy_popup.2026-05-04-18.01.txt18:49
opendevmeetLog:            https://meetings.opendev.org/meetings/policy_popup/2026/policy_popup.2026-05-04-18.01.log.html18:49
cardoegouthamr: writing it up in keystone docs?20:12
« Tuesday, 2026-04-28 Index Wednesday, 2026-05-06 »

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!