15:01:44 <e0ne> #startmeeting horizon
15:01:45 <openstack> Meeting started Wed May 13 15:01:44 2020 UTC and is due to finish in 60 minutes.  The chair is e0ne. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:50 <openstack> The meeting name has been set to 'horizon'
15:01:56 <Nizars> Hi!
15:02:13 <jberg-dev> Hello
15:02:26 <e0ne> hi
15:02:49 <vishalmanchanda> hi all
15:02:51 <e0ne> let's wait for a few minutes to get more people here
15:02:58 <Andreas681> Hello
15:04:04 <amotoki> hi
15:05:01 <e0ne> let's start
15:05:09 <e0ne> #topic Notices
15:05:42 <e0ne> OpenStack Ussuri is released today!
15:05:48 <e0ne> #link https://releases.openstack.org/ussuri/index.html
15:05:51 <Nizars> Nice!
15:06:06 <amotoki> http://lists.openstack.org/pipermail/openstack-announce/2020-May/002035.html
15:06:18 <amotoki> this is the official announcement :)
15:06:41 <Nizars> Interesting :)
15:06:44 * e0ne didn't check my mailbox today :(
15:07:23 <e0ne> thanks everybody for your contributions!
15:07:54 <e0ne> and special thanks to Akihiro amotoki for being our PTL during the Ussuri cycle
15:07:58 <amotoki> thanks all!
15:08:33 <Nizars> Hopefully I will be able to contribute next time :)
15:08:55 <amotoki> Nizars: hope so :)
15:09:56 <e0ne> here is victoria schedule: https://releases.openstack.org/victoria/schedule.html
15:10:12 <e0ne> this time, V, means virtual
15:10:34 <e0ne> it could be un-official release name this time :(
15:11:09 <vishalmanchanda> hehe🙂)
15:11:24 <e0ne> PTG will be virtual too
15:11:29 <e0ne> #link https://etherpad.opendev.org/p/horizon-v-ptg
15:11:47 <e0ne> feel free to add topics you would like to discuss
15:12:29 <e0ne> PTG registration is open
15:12:32 <e0ne> #link https://www.openstack.org/ptg
15:12:57 <e0ne> it's free to attend but OSF recommends to register
15:13:13 <Nizars> Nice :)
15:13:41 <Nizars> Can I bring up the topic I would like to discuss now?
15:15:49 <e0ne> that's all announcements I've got for today
15:15:55 <amotoki> Nizars: if you are bringing up a topic to this meeting, "On-demand agenda" section would be the one you want.
15:16:39 <Nizars> I see, I still haven't familiarized myself properly with the format. I will wait until I see that appear.
15:16:50 <Nizars> amotoki: Thank you :)
15:17:55 <e0ne> amotoki, vishalmanchanda : do you have anything to add as announcements?
15:18:07 <amotoki> nothing from me
15:18:11 <vishalmanchanda> e0ne: no.
15:18:27 <e0ne> ok
15:18:29 <e0ne> #topic Open Discussion
15:18:37 <e0ne> Nizars: it's your turn
15:18:46 <Nizars> Thanks!
15:19:05 <Nizars> So me and my team have been working on developing a plugin for Horizon
15:19:15 <Nizars> This is how it currently looks like:
15:19:22 <Nizars> https://imgur.com/RB0o7Br
15:19:44 <Nizars> We have created a blueprint for it and we are hoping to have it approved.
15:19:51 <Nizars> https://blueprints.launchpad.net/horizon/+spec/policies-plugin
15:20:22 <Nizars> Here is the code for the plugin:
15:20:24 <Nizars> https://github.com/nizos/horizon-policies-plugin
15:20:35 <e0ne> usually, blueprints are required for some features
15:20:52 <e0ne> a new plugin is a new project, so I'm not sure we need a plugin
15:21:24 <Nizars> you mean that you are not sure we need a *blueprint right?
15:21:26 <e0ne> Nizars: are you going to move this plugin under openstack umbrella to opendev?
15:21:48 <Nizars> We are hoping to contribute with it yes.
15:22:14 <amotoki> to the horizon repo or a separate repo?
15:22:50 <Nizars> We are ok with either, you know better. :)
15:23:30 <amotoki> Nizars: I think we discussed it several weeks before. Any update since then?
15:24:28 <Nizars> Not really, we have been working on it. We are starting testing soon. There is one implementation left, which is the permissions check with openstack_auth.
15:25:10 <Nizars> We are currently working on that and cleaning out a few UI bugs and so on.
15:26:15 <amotoki> I am not sure it was from you, but we discussed the UI for policies several weeks ago. Is it from some different folks?
15:26:34 <Nizars> It was us, that is correct. :)
15:27:08 <amotoki> thanks for the confirmation
15:27:35 <amotoki> so, perhaps what we need to discuss are (1) updates from the previous discussion here and (2) the actual plan for the next steps
15:28:01 <Nizars> We are all very new to openstack and open source contribution but we hope we can contribute with this effort. Directions, guidance, critique and feedback is appreciated. :)
15:28:55 <amotoki> Nizars: IIRC, you said you will discuss it in oslo meeting. any update?
15:29:40 <amotoki> Nizars: from my memory, another action item is to check how the default policies are loaded.
15:31:00 <e0ne> also, there was a concern, that current implementation will work only if we've got single node deployment
15:32:24 <Nizars> Ok, the goal of the plugin is to allow the installer to quickly view the policies and make modifications to them.  We were recommended to look into the permissions so that not anyone can access/modify policies through it. We are currently adding that functionality through openstack_auth. An issue that was brought up was how would this plugin be used with policies of projects on other servers and so on. We
15:32:24 <Nizars> don't think we have a solution for that at the moment without going outside of the scope of the initial goal. We will have to look into creating a back end functionality that is to be installed on the different servers/nodes and allow them to communicate.
15:34:28 <Nizars> I discussed the matter with either oslo or keystone, can't remember which one it was. The other one didn't start their meeting at the time I was anticipating them to. There isn't really much to update you about from that discussion. There was something about finding a fitting team for us or something like that.
15:34:44 <Nizars> I will attend the future meetings and check again with them.
15:35:03 <amotoki> first of all, openstack_auth just provides policies for GUI (horizon and plugins) (via openstack_auth.policy)
15:35:32 <Nizars> Exactly
15:35:41 <amotoki> openstack_auth is not a place to handle policies used by backend services like nova, neutron, cinder and so on
15:35:57 <amotoki> is it same as your understanding
15:35:58 <amotoki> ?
15:36:03 <Nizars> Yeah, no. That is not what I intended to communicate.
15:36:14 <Nizars> We are on the same page.
15:37:14 <amotoki> so what would your solution like to provide?
15:37:57 <amotoki> is it a UI to view and edit policies as a preparation for deployment?
15:38:12 <Nizars> We have currently just implemented it for usage with Horizon "identity" but it should easily be made to work with any other project on the same node.
15:39:09 <amotoki> a single node deployment is just for testing :(
15:39:40 <amotoki> we need to consider real deployment scenarios with multinode controllers (ie API nodes)
15:40:18 <amotoki> so, we need to clarify how your UI can be used in production deployments
15:40:58 <Nizars> The solution is to allow for easy access and modification of policies. It provides functionalities such as autocomplete suggestion in the editor, tooltip information, restoring policies from uploaded file, download policy back ups, print, copy, search, sort, filter, view scopes, operations and descriptions for policies etc...
15:41:51 <Nizars> It is true what you say. If we can find a good approach to solve the multi-node deployment issue it could be used in production and not just testing.
15:42:31 <amotoki> so, is the scenario in your mind that an operator checks/updates policies via your UI, then saves it and deploys it to all nova/neutron/cinder API servers?
15:43:57 <e0ne> multi-node deployment is extremely important in a containerised world
15:44:32 <Nizars> It should be possible to have it deploy the policies to the different projects. We just haven't done that yet. We just need to add the functionality to the back end and add the dictionary for the corresponding project policies.
15:45:54 <amotoki> I don't understand your last statement...
15:46:18 <amotoki> individual projects (API servers) configure RBAC via policy files
15:46:36 <amotoki> I am not sure what you mean by "dictionary".
15:46:47 <Nizars> I agree, we would like to have it work in multi-node deployments. Maybe if a backend piece of software can be developed to communicate encrypted policy read/write instructions within the network, it should be able to do its job.
15:47:06 <Nizars> The dictionary is this:
15:47:08 <Nizars> https://github.com/nizos/horizon-policies-plugin/blob/master/policies_plugin/api/resources/keystone_fields.py
15:47:46 <amotoki> In addition, the current OpenStack services can work with empty policy files because default policies are defined in their python codes.
15:48:00 <amotoki> I am not sure how it works with your proposal.
15:48:04 <amotoki> even in a single node.
15:48:22 <Nizars> The name of the file should be identity not keystone, it will be fixed in the next commit. But it is where the description, scopes, default rule, operation values and so on are retrieved from for the policies.
15:48:51 <Nizars> The plugin displays default rules
15:49:04 <amotoki> how are they loaded?
15:49:13 <Nizars> It merges default rules from code with ones defined in the policy files.
15:49:32 <Nizars> This is the client:
15:49:32 <Nizars> https://github.com/nizos/horizon-policies-plugin/blob/master/policies_plugin/api/rest/client.py
15:50:08 <amotoki> no, the default rules are defined in (for example) keystone.common.policies
15:50:12 <Nizars> It uses oslo policy enforcer to get the rules
15:50:52 <amotoki> most operators use policy files only when they would like to define different rules from the default ones.
15:51:13 <Nizars> I see
15:51:52 <Nizars> I assume that there is still value in viewing the default rules nonetheless? maybe an option can be configured to show/hide default rules.
15:52:08 <amotoki> note that horizon policy support is behind the current situation and we, the horizon team, are trying to catch up with the current situation.
15:52:26 <amotoki> you cannot assume the horizon openstack-auth implementation is the latest one.
15:52:26 <Nizars> Noted
15:53:18 <amotoki> I think we need to discuss the next step rather than digging into the detail of imps.
15:53:25 <amotoki> *implementations
15:54:22 <Nizars> I see, do you think implementing something to make policies accessible to the plugin in multi-node deployments is feasible?
15:54:33 <amotoki> in my current impression, it does not fit into the horizon repo at least because horizon provides GUI on top of REST APIs from backend services like keystone, nova, neutron and so on.
15:54:47 <Nizars> I see.
15:55:03 <amotoki> your proposal sounds like a help tool to check/edit policy files.
15:55:22 <amotoki> a separate repository sounds better.
15:55:38 <Nizars> Understood
15:55:52 <amotoki> my next suggestion is to discuss it with operators to understand their real scenarios.
15:55:53 <Nizars> It's no problem for us.
15:56:03 <Nizars> ok
15:56:18 <amotoki> I don't have a good suggestion where you can discuss but openstack-discuss ml  would be a good place.
15:56:50 <amotoki> e0ne: vishalmanchanda: any comment?
15:57:07 <Nizars> We can communicate with some of the devs at City Network who work with Openstack, they might have some feedback for us.
15:57:17 <e0ne> amotoki: nothing more from my side
15:57:23 <amotoki> my comments above are based on my operator experience (not from the dev experience)
15:57:36 <Nizars> It's appreciated!
15:57:37 <vishalmanchanda> amotoki: it's good to discuss it on ml and tag tc as well.
15:57:49 <Nizars> What is ml?
15:57:58 <amotoki> Nizars: openstack-discuss ML
15:58:04 <amotoki> ML = mailing list
15:58:06 <vishalmanchanda> Nizars: Open-discuss list
15:58:08 <Nizars> Ah ok!
15:58:41 <amotoki> Nizars: generally speaking, it is nice to have UI to check/view/modify policies
15:59:02 <amotoki> as it is not easy to check all policies
15:59:08 <e0ne> amotoki: +1
15:59:27 <Nizars> True, it just turned out to be more complicated than we originally anticipated.
15:59:38 <amotoki> but the implementation needs to consider the current oslo.policy support and operators' scenarios.
15:59:57 <Nizars> I had no idea what openstack was a couple of months ago so there is a lot to learn here and a lot is being picked up along the way.
15:59:58 <amotoki> it is not just a GUI topic
16:00:14 <Nizars> I agree
16:01:03 <Nizars> Thanks for everything. :)
16:01:17 <e0ne> Nizars: we can continue the discussion in the horizon channel
16:01:34 <amotoki> I will be there for a while after the meeting
16:01:43 <e0ne> thanks everybody for participation
16:01:45 <Nizars> Another day maybe, I need to get some rest but thanks for all the help. :)
16:01:51 <e0ne> #endmeeting