15:01:44 #startmeeting horizon
15:01:45 Meeting started Wed May 13 15:01:44 2020 UTC and is due to finish in 60 minutes. The chair is e0ne. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:47 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:50 The meeting name has been set to 'horizon'
15:01:56 Hi!
15:02:13 Hello
15:02:26 hi
15:02:49 hi all
15:02:51 let's wait for a few minutes to get more people here
15:02:58 Hello
15:04:04 hi
15:05:01 let's start
15:05:09 #topic Notices
15:05:42 OpenStack Ussuri is released today!
15:05:48 #link https://releases.openstack.org/ussuri/index.html
15:05:51 Nice!
15:06:06 http://lists.openstack.org/pipermail/openstack-announce/2020-May/002035.html
15:06:18 this is the official announcement :)
15:06:41 Interesting :)
15:06:44 * e0ne didn't check my mailbox today :(
15:07:23 thanks everybody for your contributions!
15:07:54 and special thanks to Akihiro amotoki for being our PTL during Ussuri cycle
15:07:58 thanks all!
15:08:33 Hopefully I will be able to contribute next time :)
15:08:55 Nizars: hope so :)
15:09:56 here is victoria schedule: https://releases.openstack.org/victoria/schedule.html
15:10:12 this time, V, means virtual
15:10:34 it could be un-official release name this time :(
15:11:09 hehe🙂)
15:11:24 PTG will be virtual too
15:11:29 #link https://etherpad.opendev.org/p/horizon-v-ptg
15:11:47 feel free to add topics you would like to discuss
15:12:29 PTG registration is open
15:12:32 #link https://www.openstack.org/ptg
15:12:57 it's free to attend but OSF recommends to register
15:13:13 Nice :)
15:13:41 Can I bring up the topic I would like to discuss now?
15:15:49 that's all announcements I've got for today
15:15:55 Nizars: if you are bringing up a topic to this meeting, "On-demand agenda" section would be the one you want.
15:16:39 I see, I still haven't familiarized myself properly with the format. I will wait until I see that appear.
15:16:50 amotoki: Thank you :)
15:17:55 amotoki, vishalmanchanda : do you have anything to add as announcements?
15:18:07 nothing from me
15:18:11 e0ne: no.
15:18:27 ok
15:18:29 #topic Open Discussion
15:18:37 Nizars: it's your turn
15:18:46 Thanks!
15:19:05 So me and my team have been working on developing a plugin for Horizon
15:19:15 This is how it currently looks like:
15:19:22 https://imgur.com/RB0o7Br
15:19:44 We have created a blueprint for it and we are hoping to have it approved.
15:19:51 https://blueprints.launchpad.net/horizon/+spec/policies-plugin
15:20:22 Here is the code for the plugin:
15:20:24 https://github.com/nizos/horizon-policies-plugin
15:20:35 usually, blueprints are required for some features
15:20:52 a new plugin is a new project, so I'm not sure we need a plugin
15:21:24 you mean that you are not sure we need a *blueprint right?
15:21:26 Nizars: are you going to move this plugin under openstack umbrella to opendev?
15:21:48 We are hoping to contribute with it yes.
15:22:14 to the horizon repo or a separate repo?
15:22:50 We are ok with either, you know better. :)
15:23:30 Nizars: I think we discussed it several weeks before. Any update since then?
15:24:28 Not really, we have been working on it. We are starting testing soon. There is one implementation left, which is the permissions check with openstack_auth.
15:25:10 We are currently working on that and cleaning out a few UI bugs and so on.
15:26:15 I am not sure it was from you, but we discussed the UI for policies several weeks ago. Is it from some different folks?
15:26:34 It was us, that is correct. :)
15:27:08 thanks for the confirmation
15:27:35 so, perhaps what we need to discuss are (1) updates from the previous discussion here and (2) the actual plan for the next steps
15:28:01 We are all very new to openstack and open source contribution but we hope we can contribute with this effort. Directions, guidance, critique and feedback is appreciated. :)
15:28:55 Nizars: IIRC, you said you will discuss it in oslo meeting. any update?
15:29:40 Nizars: from my memory, another action item is to check how the default policies are loaded.
15:31:00 also, there was a concern, that current implementation will work only if we've got single node deployment
15:32:24 Ok, the goal of the plugin is to allow the installer to quickly view the policies and make modifications to them. We were recommended to look into the permissions so that not anyone can access/modify policies through it. We are currently adding that functionality through openstack_auth. An issue that was brought up was how would this plugin be used with policies of projects on other servers and so on. We
15:32:24 don't think we have a solution for that at the moment without going outside of the scope of the initial goal. We will have to look into creating a back end functionality that is to be installed on the different servers/nodes and allow them to communicate.
15:34:28 I discussed the matter with either oslo or keystone, can't remember which one it was. The other one didn't start their meeting at the time I was anticipating them to. There isn't really much to update you about from that discussion. There was something about finding a fitting team for us or something like that.
15:34:44 I will attend the future meetings and check again with them.
15:35:03 first of all, openstack_auth just provides policies for GUI (horizon and plugins) (via openstack_auth.policy)
15:35:32 Exactly
15:35:41 openstack_auth is not a place to handle policies used by backend services like nova, neutron, cinder and so on
15:35:57 is it same as your understanding
15:35:58 ?
15:36:03 Yeah, no. That is not what I intended to communicate.
15:36:14 We are on the same page.
15:37:14 so what would your solution like to provide?
15:37:57 is it an UI to view and edit policies as a preparation for deployment?
15:38:12 We have currently just implemented it for usage with Horizon "identity" but it should easily be made to work with any other project on the same node.
15:39:09 a single node deployment is just for testing :(
15:39:40 we need to consider real deployment scenarios with multinode controllers (ie API nodes)
15:40:18 so, we need to clarify how your UI can be used in production deployments
15:40:58 The solution is to allow for easy access and modification of policies. It provides functionalities such as autocomplete suggestion in the editor, tooltip information, restoring policies from uploaded file, download policy back ups, print, copy, search, sort, filter, view scopes, operations and descriptions for policies etc...
15:41:51 It is true what you say. If we can find a good approach to solve the multi-node deployment issue it could be used in production and not just testing.
15:42:31 so, is the scenario in your mind that an operator check/update policies via your UI, then save it and deploy it to all nova/neutron/cinder API servers?
15:43:57 multi-node deployment is extremely important in a containerised world
15:44:32 It should be possible to have it deploy the policies to the different projects. We just haven't done that yet. We just need to add the functionality to the back end and add the dictionary for the corresponding project policies.
15:45:54 I don't understand your last statement...
15:46:18 individual projects (API servers) configure RBAC via policy files
15:46:36 I am not sure what you mean by "dictionary".
15:46:47 I agree, we would like to have it work in multi-node deployments. Maybe if a backend piece of software can be developed to communicate encrypted policy read/write instructions within the network, it should be able to do its job.
15:47:06 The dictionary is this:
15:47:08 https://github.com/nizos/horizon-policies-plugin/blob/master/policies_plugin/api/resources/keystone_fields.py
15:47:46 In addition, the current OpenStack services can work with empty policy files because default policies are defined in their python codes.
15:48:00 I am not sure how it works with your proposal.
15:48:04 even in a single node.
15:48:22 The name of the file should be identity not keystone, it will be fixed in the next commit. But it is where the description, scopes, default rule, operation values and so on are retrieved from for the policies.
15:48:51 The plugin displays default rules
15:49:04 how are they loaded?
15:49:13 It merges default rules from code with ones defined in the policy files.
15:49:32 This is the client:
15:49:32 https://github.com/nizos/horizon-policies-plugin/blob/master/policies_plugin/api/rest/client.py
15:50:08 no, the default rules are defined in (for example) keystone.common.policies
15:50:12 It uses oslo policy enforcer to get the rules
15:50:52 most operators use policy files only when they would like to define different rules from the default ones.
15:51:13 I see
15:51:52 I assume that there is still value in viewing the default rules nonetheless? maybe an option can be configured to show/hide default rules.
15:52:08 note that horizon policy support is behind the current situation and we the horizon team is trying to catch up with the current situation.
15:52:26 you cannot assume the horizon openstack-auth implementation is the latest one.
15:52:26 Noted
15:53:18 I think we need to discuss the next step rather than digging into the detail of imps.
15:53:25 *implementations
15:54:22 I see, do you think implementing something to make policies accessible to the plugin in multi-node deployments is feasible?
15:54:33 in my current impression, it does not fit into the horizon repo at least because horizon provides GUI on top of REST APIs from backend services like keystone, nova, neutron and so on.
15:54:47 I see.
15:55:03 your proposal sounds like a help tool to check/edit policy files.
15:55:22 a separate repository sounds better.
15:55:38 Understood
15:55:52 my next suggestion is to discuss it with operators to understand their real scenarios.
15:55:53 It's no problem for us.
15:56:03 ok
15:56:18 I don't have a good suggestion where you can discuss but openstack-discuss ml would be a good place.
15:56:50 e0ne: vishalmanchanda: any comment?
15:57:07 We can communicate with some of the devs at City Network who work with Openstack, they might have some feedback for us.
15:57:17 amotoki: nothing more from my side
15:57:23 my comments above are based on my operator experience (not from the dev experience)
15:57:36 It's appreciated!
15:57:37 amotoki: it's good to discuss it on ml and tag tc as well.
15:57:49 What is ml?
15:57:58 Nizars: openstack-discuss ML
15:58:04 ML = mailing list
15:58:06 Nizars: Open-discuss list
15:58:08 Ah ok!
15:58:41 Nizars: generally speaking, it is nice to have UI to check/view/modify policies
15:59:02 as it is not easy to check all policies
15:59:08 amotoki: +1
15:59:27 True, it just turned out to be more complicated than we originally anticipated.
15:59:38 but the implementation needs to consider the current oslo.policy support and operators' scenarios.
15:59:57 I had no idea what openstack was a couple of months ago so there is a lot to learn here and a lot is being picked up along the way.
15:59:58 it is not just a GUI topic
16:00:14 I agree
16:01:03 Thanks for everything. :)
16:01:17 Nizars: we can continue the discussion in the horizon channel
16:01:34 I will be there for a while after the meeting
16:01:43 thanks everybody for participation
16:01:45 Another day maybe, I need to get some rest but thanks for all the help. :)
16:01:51 #endmeeting