| *** jpena|off is now known as jpena | 07:39 | |
| opendevreview | Slawek Kaplonski proposed openstack/devstack master: Deploy Neutron with enforced new RBAC rules https://review.opendev.org/c/openstack/devstack/+/797450 | 09:39 |
|---|---|---|
| opendevreview | Soniya Murlidhar Vyas proposed openstack/patrole master: Add tests for log resource https://review.opendev.org/c/openstack/patrole/+/795548 | 10:15 |
| *** jpena is now known as jpena|lunch | 11:27 | |
| *** dviroel|out is now known as dviroel | 11:29 | |
| *** jpena|lunch is now known as jpena | 12:27 | |
| johnsom | gmann Super appreciate you spinning the Octavia patch. I saw the issue so tagged it, but didn't get a chance to fix them until today. Thanks again. | 14:37 |
| gmann | johnsom: np!, ready to help anytime. | 14:40 |
| gmann | johnsom: I think now all test are good in term of service client things ? | 14:41 |
| johnsom | I think so, I will review again this morning after my meetings | 14:41 |
| gmann | +1, thanks | 14:42 |
| TheJulia | w/r/t secure rbac stuffs, has anyone considered the fact that service accounts are project scoped and basically cross-service admin-level will require system level admin creds by default? | 16:11 |
| TheJulia | (i mean, it is basically the same level of access depending on the policy I guess) | 16:11 |
| TheJulia | Also, is anyone keeping a definitive list of projects supporting turning on scope enforcement at this point? | 16:19 |
| *** jpena is now known as jpena|off | 16:49 | |
| opendevreview | Pavan Kesava Rao proposed openstack/tempest master: Add test to verify FQDN hostname sanitization https://review.opendev.org/c/openstack/tempest/+/795699 | 16:54 |
| *** gfidente is now known as gfidente|afk | 18:11 | |
| johnsom | TheJulia This is the only list I know of: https://etherpad.opendev.org/p/policy-popup-xena-ptg | 18:52 |
| TheJulia | A new list likely needs to be started, At least for ironic, once I have all of the patches merged, I'll go ahead and check back in and see when we can flip the default configuration to be enforced. I'm sure we'll have to change some of the accounts around when we do integrations with services other than nova like swift, glance, cinder. | 19:03 |
| gmann | TheJulia: this is wiki page policy-popup team maintain - https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Team_Progress | 20:33 |
| gmann | TheJulia: please add Ironic there depends on progress. | 20:33 |
| gmann | Currently we are doing all the effort via this policy popup team and in Y cycle we are planning to do as community wide goal so that we can solve the cross service new rbac things | 20:34 |
| johnsom | Hmm, maybe the list on the etherpad needs migrated to the wiki. There are a bunch more on the etherpad. | 20:35 |
| gmann | yeah, I will update those | 20:37 |
| johnsom | Ok, I will wait then. grin | 20:37 |
| johnsom | Probably would have had the thundering herd problem anyway with all of us trying to update it. | 20:38 |
| *** dviroel is now known as dviroel|out | 20:41 | |
| gmann | updated the wiki also | 20:42 |
| gmann | there are more projects also completed or started the work but based on whether they communicated that as experimental as neutron did I will add more projects | 20:43 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!