gmaan | sean-k-mooney: amoralej: dviroel: I need your opinion on SRBAC in watcher policies. As most of those are admin only APIs, do you think any of those APIs (GET APIs) make sense and pose no security risk to add the reader and manager personas as default? https://github.com/openstack/watcher/tree/master/watcher/common/policies | 00:30 |
---|---|---|
gmaan | background: As SRBAC goal champion, I am going to start the ML thread on which projects have not completed the SRBAC goal - this list https://etherpad.opendev.org/p/rbac-goal-tracking#L41 | 00:32 |
gmaan | and before sending the email for watcher I would like to know if there is anything we need to do for watcher or if it is mostly admin only and no work is needed | 00:32 |
amoralej | gmaan, IMO, in the current status of watcher, for the reader role the only use case may be to read ActionPlans for efficacy indicators, for some kind of reporting or metrics gathering, although that use case would probably deserve a better approach | 07:07 |
amoralej | also, in some cases, that can disclose internal details about the cluster (number of VMs, number of compute nodes, etc.), which I'm not sure are acceptable for a reader persona | 07:07 |
amoralej | for manager (in project scope), I think there is no use case at this point. We have discussed in the past, at a high level, how to make watcher useful for non-admins, but we haven't started real work on it | 07:09 |
amoralej | sean-k-mooney and dviroel may have other ideas about it | 07:10 |
sean-k-mooney | gmaan: so in general not in the short term. | 10:28 |
sean-k-mooney | gmaan: we may support the manager role in a cycle or two | 10:28 |
sean-k-mooney | I'm not sure the reader role makes sense for the current APIs without careful consideration of how to do project scope enforcement. | 10:29 |
sean-k-mooney | gmaan: it is something I have been thinking about on and off in the background, but it's very similar to placement with regard to SRBAC: most APIs are not suitable to allow access to non-admins | 10:30 |
sean-k-mooney | we have discussed briefly allowing some of the strategies to be used with the manager role now that nova supports that for some move operations, but currently there isn't a great candidate since they all effectively need knowledge of the host infra or are not scoped to only the resources of a single project, so we would have a lot of work to do in watcher first before that is a good | 10:32 |
sean-k-mooney | fit | 10:32 |
amoralej | dviroel, wrt https://review.opendev.org/c/openstack/watcher/+/956198 I left a comment, it's probably worth discussing tomorrow in the meeting | 14:40 |
dviroel | amoralej: ack, yes, makes sense to have a discussion about that | 14:50 |
dviroel | amoralej: added to meeting etherpad | 14:53 |
dviroel | thanks for your review | 14:54 |
amoralej | cool, thanks | 14:54 |
sean-k-mooney | we probably should make the strategies use the model | 14:57 |
sean-k-mooney | but I'm ok with catching and handling the exception as an initial step | 14:57 |
sean-k-mooney | we can do the performance optimization later | 14:57 |
sean-k-mooney | both are valid in my opinion | 14:57 |
sean-k-mooney | but sure, let's discuss it more tomorrow | 14:58 |
amoralej | don't block on discussing it if it looks good to you; I didn't -1 because I was not clear, and managing the exception looks like a good thing anyway and a short-term fix | 15:04 |
opendevreview | Merged openstack/watcher master: Configure watcher tempest's microversion in devstack https://review.opendev.org/c/openstack/watcher/+/956380 | 15:27 |
opendevreview | Merged openstack/watcher master: Extend decision engine to support threading mode https://review.opendev.org/c/openstack/watcher/+/952257 | 15:38 |
gmaan | sean-k-mooney: amoralej ok, as the reader role is not needed, I will remove watcher from the phase-1 list but keep it for the manager role (phase-3), which can be decided once you finalize that. no hurry. | 15:49 |
gmaan | thanks | 15:49 |
amoralej | thanks gmaan | 15:50 |
sean-k-mooney | gmaan: it's not, no. it could have a role if and only if we supported something like system scope, and even then its value is limited | 15:52 |
sean-k-mooney | if we add manager in the future we will likely add reader for resources a manager is allowed to create | 15:53 |
gmaan | sean-k-mooney: system scope. hmm? but how will that work when nova or other services reject that. I am just recalling how we faced the issue with system scope in the heat and NFV use case and then dropped it | 15:53 |
opendevreview | Alfredo Moralejo proposed openstack/watcher master: Add patch call validation based on allowed_attrs https://review.opendev.org/c/openstack/watcher/+/955999 | 15:53 |
opendevreview | Alfredo Moralejo proposed openstack/watcher master: Add parameters to force failures in nop action https://review.opendev.org/c/openstack/watcher/+/955813 | 15:53 |
opendevreview | Alfredo Moralejo proposed openstack/watcher master: Add `status_message` column to Actions, Audits and ActionPlans tables https://review.opendev.org/c/openstack/watcher/+/954745 | 15:53 |
opendevreview | Alfredo Moralejo proposed openstack/watcher master: Skip actions automatically based on pre_condition results https://review.opendev.org/c/openstack/watcher/+/954746 | 15:53 |
opendevreview | Alfredo Moralejo proposed openstack/watcher master: API changes for skipped actions: patch actions and status_message https://review.opendev.org/c/openstack/watcher/+/955753 | 15:53 |
opendevreview | Alfredo Moralejo proposed openstack/watcher master: Add `status_message` to objects and notifications https://review.opendev.org/c/openstack/watcher/+/956705 | 15:53 |
sean-k-mooney | gmaan: that's part of why I said it would have little value | 15:54 |
gmaan | sean-k-mooney: reader for manager resources makes sense | 15:54 |
gmaan | ohk | 15:54 |
sean-k-mooney | gmaan: I only know of like 3 APIs that would make sense to even consider system scope enforcement for | 15:54 |
sean-k-mooney | specifically the API for looking at the model details | 15:54 |
sean-k-mooney | that is a system scope like thing | 15:55 |
sean-k-mooney | similar to the hypervisors API, but I don't think system scope is a good idea in the first place | 15:55 |
sean-k-mooney | so I'm not planning to push the project in that direction in the future | 15:55 |
gmaan | yeah, it can make things complicated and would need watcher to pass a project scoped token to nova or so | 15:55 |
sean-k-mooney | if we ever allow someone with manager or member to create an audit or action plan that is scoped to their resources, we can explore reader as part of that spec | 15:57 |
sean-k-mooney | from phase 2 I do think it makes sense for watcher to properly support and use the service role | 15:57 |
opendevreview | Alfredo Moralejo proposed openstack/watcher-tempest-plugin master: Add api test for skip action https://review.opendev.org/c/openstack/watcher-tempest-plugin/+/955775 | 15:58 |
sean-k-mooney | I don't know what that entails yet; we may not actually need any code changes in watcher | 15:58 |
sean-k-mooney | i.e. if you configure the user watcher has with only the service role, I'm not sure if nova will allow it to do a live migration | 15:59 |
sean-k-mooney | gmaan: part of auditing this and connecting the dots will be understanding if the applier is always using tokens generated from its config or if it ever uses one from the user that created the action plan | 16:00 |
sean-k-mooney | I think it's always from config, so it's always using the roles related to the user created externally | 16:00 |
sean-k-mooney | i.e. the user created when watcher was installed | 16:00 |
gmaan | well, if watcher is calling Nova user-facing APIs like live migration then the user token can be used and the service token can be mapped, just for nova to know it is from a service call | 16:00 |
sean-k-mooney | it could, but I don't think it does today | 16:01 |
gmaan | that reminds me to start work on the service role for nova, and we can show some examples of how those should be called as part of tempest or other services like cinder first | 16:01 |
sean-k-mooney | a lot of that was coded before service users were really a thing | 16:01 |
gmaan | yeah, we need to change those across almost all services | 16:01 |
sean-k-mooney | gmaan: next cycle I'm hoping to work on moving watcher to using the sdk instead of the project client | 16:02 |
sean-k-mooney | I will probably look at some of this as part of that, but that's tbd | 16:02 |
gmaan | ++ | 16:02 |