| *** ykarel_ is now known as ykarel | 07:53 | |
| opendevreview | Rodolfo Alonso proposed openstack/devstack master: ovs: Fix OVS path mismatch when building from source with OVN https://review.opendev.org/c/openstack/devstack/+/995782 | 08:27 |
|---|---|---|
| opendevreview | Rodolfo Alonso proposed openstack/devstack master: ovs: Fix OVS path mismatch when building from source with OVN https://review.opendev.org/c/openstack/devstack/+/995782 | 08:29 |
| opendevreview | Manpreet Kaur proposed openstack/tempest master: Use reader role for volume admin tests https://review.opendev.org/c/openstack/tempest/+/974826 | 10:05 |
| opendevreview | yatin proposed openstack/devstack master: Update bridge mtu for geneve switch https://review.opendev.org/c/openstack/devstack/+/995805 | 11:34 |
| opendevreview | Manpreet Kaur proposed openstack/tempest master: Use reader role for volume admin tests https://review.opendev.org/c/openstack/tempest/+/974826 | 11:53 |
| *** pdeore_ is now known as pdeore | 14:01 | |
| opendevreview | Simon Dodsley proposed openstack/devstack master: Grant cinder service user the "member" role for barbican https://review.opendev.org/c/openstack/devstack/+/995827 | 14:03 |
| opendevreview | Luca Miccini proposed openstack/devstack master: Fix cinder service user role for Barbican secure RBAC https://review.opendev.org/c/openstack/devstack/+/995833 | 14:39 |
| gmaan | sean-k-mooney: if you are around, https://review.opendev.org/c/openstack/devstack/+/994937/2 | 15:20 |
| sean-k-mooney | sure im just starting on the cybrog patch tro remove that usage :) | 15:22 |
| sean-k-mooney | oh right your reading form the enforce scop var PLACEMENT_ENFORCE_NEW_DEFAULTS=$(trueorfalse True PLACEMENT_ENFORCE_SCOPE) | 15:23 |
| sean-k-mooney | but setting the new one | 15:23 |
| gmaan | that is fallback for jobs set the old variable PLACEMENT_ENFORCE_SCOPE | 15:24 |
| sean-k-mooney | looks good to me | 15:24 |
| gmaan | k | 15:24 |
| gmaan | sean-k-mooney: and this one related to rbac to unblock barbican job. https://review.opendev.org/c/openstack/devstack/+/995827 | 15:28 |
| sean-k-mooney | gmaan: when did we drop the admin role form the cinder user? | 15:43 |
| sean-k-mooney | or did it just not have that before? | 15:43 |
| sean-k-mooney | when cidner is creating secrets for the encyptred voslume it really shoudl be using the end users token | 15:44 |
| gmaan | it did not have before, nova service user had | 15:44 |
| sean-k-mooney | ok but https://review.opendev.org/c/openstack/devstack/+/995827 shoudl nto be required in general | 15:45 |
| sean-k-mooney | that is indeicating that cidner is not proly usign the users token to create teh barbican secret | 15:45 |
| sean-k-mooney | its isnstead usign the token form tis config | 15:45 |
| sean-k-mooney | which menas the secret woudl be owne dby the cidner service proejct rather then the end user | 15:46 |
| gmaan | not sure how their feature is, like nova has different mode of vTPM and that depends who generate/own the secret but yes that is more question to cinder if they do support cinder service user own the secret for anything | 15:46 |
| sean-k-mooney | anyway while there is something wrogn in that interaction i appoved that for now but maybe a good topic for the ptg | 15:46 |
| sean-k-mooney | well or the cidner channel | 15:47 |
| gmaan | ++ yeah, that is a good to be discussed and at least to bring it in cinder team if they are not aware of it | 15:47 |
| gmaan | service user own the secret is not something very appealing here unless there is a solid reason | 15:48 |
| sean-k-mooney | it really comes doen to there execpetd ownership model | 15:48 |
| sean-k-mooney | if cidner owns it then cidner cna decypte/copy any volume when an admin ask it too | 15:48 |
| sean-k-mooney | and since secrets are appretly readabel at the project level | 15:49 |
| sean-k-mooney | that means if you dpeloy openstack with all service sharign a project | 15:49 |
| sean-k-mooney | that makes the secreate management not great | 15:49 |
| sean-k-mooney | if that the turst model they designed hwoever then i guess it workign as intneded but its not really the most secure approch | 15:50 |
| gmaan | yeah, many deployment might be sharing the service projects (and might be with admin role) | 15:52 |
| sean-k-mooney | ya which si ok but not ideal | 15:54 |
| sean-k-mooney | i mentioned this elsewhere | 15:54 |
| sean-k-mooney | but there are 2 thing i want to try and add to devstack in the next month or two if i find time unless other have already started | 15:55 |
| sean-k-mooney | i want to see if we can finish cleianing up the default user so nto uses nova to talk to neutron ectra in all of the devstack generated configs | 15:56 |
| sean-k-mooney | once that is doen i woudl iek to add a flag to replace the user/password with a seperate applciation credtaion for each service | 15:56 |
| sean-k-mooney | i.e. nova would have an applcaition credetail that is uses, cinder woudl have anouther | 15:56 |
| sean-k-mooney | we recently added supprot for using applciation credtials in our downstream product but as far as im aware there isnet any testing fo that in devstack | 15:57 |
| sean-k-mooney | so im hopign to add testing fo applciation credetials to cyborg at least after i finsih the srbac work | 15:58 |
| sean-k-mooney | and i woudl like to add the basic helper funciton to devstack istelf so i can use those in the plugin | 15:58 |
| sean-k-mooney | this is not critial path for anything just a nice to have that i woudl like to do when time permits | 15:59 |
| opendevreview | Merged openstack/devstack master: Enable SRBAC by default for all services https://review.opendev.org/c/openstack/devstack/+/994937 | 18:44 |
| opendevreview | Merged openstack/devstack master: Grant cinder service user the "member" role for barbican https://review.opendev.org/c/openstack/devstack/+/995827 | 18:45 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!