16:01:19 #startmeeting networking_policy 16:01:20 Meeting started Thu Dec 12 16:01:19 2013 UTC and is due to finish in 60 minutes. The chair is mestery. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:01:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:01:24 The meeting name has been set to 'networking_policy' 16:01:29 #link https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy Agenda 16:01:37 morning 16:01:43 #topic Action Items 16:01:49 hi 16:01:57 banix and alagalah: You guys have the first action items. Any updates? 16:02:06 These were from last week. 16:02:33 mestery: banix yes, I put together a strawman taxonomy and banix has fleshed it out, its available for comment 16:02:37 Aaalagalah, has prepared a resource diagram 16:02:39 #link https://docs.google.com/drawings/d/1HYGUSnxcx_8wkCAwE4Wtv3a30JstOBPyuknf7UnJMp0/edit 16:02:47 alagalah: Thanks for sharing that. 16:02:50 Have people reviewed this yet? 16:03:34 mestery: no, just aware of it now 16:03:42 Me neither--looking now. 16:03:51 * mestery gives everyone a minute, and then we can discuss it. 16:04:07 It was written last night, only shared this morning, so you are still getting "first look" thinrichs s3wong 16:04:24 alagalah: :-) 16:04:33 Thanks for writing this up alagalah. 16:04:54 Not so familiar with these diagrams--why are Security, QoS, Redirect not connected to anything? 16:05:22 thinrichs: These are not Neutron objects 16:05:36 my first question is whether we also need a relation (mapping) from group to network -- i.e., are "endpoints" here just things that can be put in groups? (nested groups may need this though) 16:05:38 thinrichs: Good observation... yes as to banix's point, the idea is to show linkages to existing neutron objects and net new objects 16:05:51 what is the intended meaning of the Policy -> Group arrow? 16:05:53 so we were debating whether we put them in the figure tror not 16:06:07 And did we settle on only having Networks and ports as endpoints? I thought banix said in the google doc we had other objects. 16:06:27 ashaikh: Great question, and if that is indeed necessary, we have a problem... imho references to existing neutron objects should really be at the edges (ie pure child nodes) of the taxonomy 16:07:17 alagalah: it may be ok as is, but it would seem a natural mapping of group to network (as an option) 16:07:19 thinrichs: I made a comment wrt "networks" and "endpoints" last night... 16:07:33 I assume that a given endpoint only a single network, correct ? 16:07:50 michsmit: I would agree with that, and thinrichs had commented on that in the google doc as well. 16:08:42 michsmit: you mean a group cannot be made of more than one network? or i missed your point? 16:09:21 in the diagram, a group references 1 or more EPs which reference 1+ networks 16:09:30 ashaikh: My only concern with that is that my understand (as naive as it is) is that group should be a collection of endpoints, and endpoints at this stage, seem to make sense to be ports or networks for ease of integration but I think its short sighted to limit it to that, since the intent is to provide an application centric API 16:09:43 ashaikh: we don't have nested groups as is; we need to add if we need it. 16:10:14 ashaikh: Hence I think it makes sense to not have a network/port reference in group 16:11:19 alagalah: i think that is simpler, but we could also think of groups as only collection of endpoints (i.e., ports) and neutron networks being a way to represent groups initially , with option for other mappings 16:11:19 OK, so should we incorporate alagalah's diagram into the document? 16:11:22 alagalah: we do need some primitives as endpoints assigned to groups, if not network/port, what can these be? 16:13:17 ashaikh: Yes, that makes sense to me, and hence the diagram reflects that imho, s3wong I think we need to eventually be able to identify application by LXC / some container identified by UUID, but thats a bigger topic, I'm just trying to build that idea into this 16:13:21 alagalah: in short, what i think may be missing in the diag is a way to directly map a group to neutron network (i.e., does this say you have to first put it in an endpoint object) 16:13:45 ashaikh: Wouldn't a group with one endpoint (which is a network) give you the same? 16:13:48 ashaikh: yes that is exactly what I'm trying to show here... and to be fair, I'm reflecting the tables but yes it makes sense 16:14:31 s3wong: I have the same question. If Neutron doesn't know what an 'app' is, it won't be able to enforce any policy about it. I don't see how we can ask Neutron to enforce policy about objects it doesn't know about. 16:14:40 banix: yes, it could, just that having to put a network in an endpoint seems a little superfluous (but i'm ok if it simplifies the imple) 16:15:43 thinrichs: I get that point. But won't it focus on the objects it knows about? 16:15:50 thinrichs: yes, exactly 16:16:07 Overall, I like the diagram. My 2 comments : I don't like the pink line there, I think it should be removed. 2nd comment: The reference for network and port should not have + 16:16:39 michsmith: instead of +, 1? 16:16:50 banix: yes 16:17:00 mestery: Suppose the entire policy just says UUID1 can't send traffic over port 80 to UUID2. But Neutron doesn't know what UUID1 or UUID2 are. It can't enforce the policy. What's the point of writing that policy? 16:17:20 michsmit: agree there, that pink line is strange; and an endpoint is one object, a group is a collection of endpoints 16:17:38 michsmit: IMO the pink line explains how a groups and policies are expressed, so is useful 16:17:39 michsmith, s3wong: pink is a placeholder 16:17:57 the pink was boack at first :) 16:18:24 In the doc, we specify the policy between a source group and a destination group 16:18:40 So the pink line is to represent that relationship 16:18:50 Do we ever foresee a policy that spans more than 2 groups? Maybe a policy that talks about the need to waypoint communication between a source and a target e.g. through a proxy? 16:19:05 If so, maybe we just want a + line from policy to group. 16:19:06 banix: another way would be to have groups hang off of policy with a "2" annotation 16:19:07 thinrichs: IDeally that is EXACTLY a valid policy and how it should be expressed... I think we should confuse how we identify endpoints, with the objects that the Action leverages 16:19:28 ashaikh: yes 16:19:30 thinrichs: sigh, sorry that wasn't right 16:19:31 ashaikh: a policy is provided by a group A, another group who wants to talk to group A consumes the policy; I don't know if the pink line represents this well 16:19:43 I guess I imagined that there were 3 groups in that policy: source, destination, and a collection of proxies. 16:19:52 s3wong: Agreed, hence why it's pink and see the reference in the key 16:20:02 thinrichs: that list of waypoints could be expressed in the redirect action in that case 16:20:33 s3wong: this is more a question then of having a policy attached to a group -- i find the produce/consume relation harder to understand 16:20:35 ashaikh: but that was just an example off the top of my head. Pick something that requires 3 groups but which doesn't have a pre-defined action built for handling the case. 16:20:36 thinrichs: the 3rd collection will be part of the action description 16:20:42 banix: agreed, we need a relationship of some sort there (pink line). I would think the arrow comes from the group and we can leave out the src/dst group 16:21:15 So here is the pink question: 16:22:00 thinrichs: in that case, i would express pairwise to be clear which communication the policy is governing 16:22:26 whether 1) we express the policy through producer/consumer relationship from groups point of view or 2) define the policy as governing traffic between two groups 16:22:38 ashaikh: that's fair, yet the arrow direction + src/dst reference makes it a bit unclear 16:22:42 Another example with 3 groups: Suppose we want to prohibit traffic from src to dst from traveling through a specific group; we don't care where the traffic goes as long as it does NOT go through that group. 16:22:43 banix exactly... I made a comment in the BP last night along those lines 16:22:51 I think these are the two models we have been discussing for sometime 16:23:13 Yes, and making it pink was my hamfisted way of highlighting that the tables etc are kind of dependent on the policy model 16:23:15 banix: I think those 2 models sum it up correctly 16:23:38 banix: good two models summary 16:23:40 michsmit: I was under the impression we had to pick one 16:23:56 thinrichs: you would just create a "security" policy that forbid that communication 16:23:58 We may be able to express both by showing that there can be more than 1 src group and more than 1 dest group 16:24:46 and allow the groups to refer to the policy as a src (provider) or destt (consumer) 16:24:55 michsmit: if we can give flexibility to use either approach, it would be great 16:24:57 ashaikh: would that policy be written in our policy language or in another? I thought the point was to put such policies within our language. 16:25:10 michsmit: I had that discussion with banix too, which means a table modification but makes sense 16:25:23 I personally like the consumes/produces model 16:25:35 michsmit: so if we allow possibly multiple source and multiple destination groups the two models become equivalent without needing "allow the groups to refer to the policy as a src (provider) or destt (consumer)" No? 16:25:46 thinrichs: yes, our security policy, i.e., the one in the diag, which i assume has a deny type rule 16:25:52 banix: i think so 16:26:17 OK, so lots of good discussion here around this diagram it appears. 16:26:23 But it's almost halfway through the meeting now. 16:26:28 And there are other items yet to cover. 16:26:38 Any concrete action items we want out of this particular discussion? 16:26:39 ashaikh: but I'm not saying src can't talk to that specific group (let's call it G); it's just that we don't want to route traffic between src and dst through G. 16:26:54 I think we should migrate this taxonomy doc into the main google doc. Thoughts alagalah? 16:27:15 mestery: I guess we should incorporate the diagram into the document, and we can then comment on that diagram directly in the document 16:27:28 That would make sense... before we do, see that edit I made? 16:27:29 mestery: yes for moving to the main doc. LEt's see if we can reach an agreement in the next couple of minutes :) 16:27:33 s3wong: Agreed. 16:27:36 alagalah : Yes 16:27:40 thinrichs: then you're back to the waypoint example, and we could handle with the redirect/classifer policy 16:27:51 #action alagalah to migrate taxonomy diagram into the main document 16:28:24 i agree about putting this diag in the main doc with the changes suggested by banix and michsmit to accommodate both approaches 16:28:36 So are we going to allow both models by allowing multiple source and destination groups? 16:28:48 banix: we should 16:28:51 do we all agree that is the way forward? 16:29:00 banix: I think so 16:29:04 banix: +1 16:29:08 banix: +1 16:29:10 banix: sure 16:29:31 Great 16:29:49 what's network policy btw if anyone cares for after meeting 16:29:53 OK, thanks banix. 16:29:57 sorry joined alittle late 16:30:05 So, lets move on to the next topic. 16:30:06 where is the taxanomy in the document 16:30:26 prasadv: See the link from earlier in the meeting (https://docs.google.com/drawings/d/1HYGUSnxcx_8wkCAwE4Wtv3a30JstOBPyuknf7UnJMp0/edit?usp=sharing) 16:30:32 prasadv: https://docs.google.com/drawings/d/1HYGUSnxcx_8wkCAwE4Wtv3a30JstOBPyuknf7UnJMp0/edit 16:30:35 prasadv: Its not in yet, I didn't have edit access to the BP 16:30:35 #topic Discussion Items 16:30:46 alagalah: I just added you with edit writes so you're good. 16:30:56 Next item: Endpoints/groups 16:31:07 https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy (For the item on the agenda for those who don't have it open) 16:31:26 The question in the agenda is: Endpoints belonging to multiple groups. 16:31:37 I think thinrichs pointed this out in the gdoc as well. 16:31:42 OR rather, asked about it. 16:31:54 mestery: yes. 16:32:27 Tried to put the questions on the google doc on the list of things to discuss 16:32:30 Somebody else brought it up. But the question is whether we want a classifier to have a broader range of test attributes than what was in the doc. 16:32:42 its powerfull, but can create confusion 16:32:54 And I guess whether a classifier needs to test all of the possible attributes listed in the doc. 16:33:06 don't we need to allow this to have different policies apply to the same endpoint? 16:33:11 i brought this up. I think it is needed 16:33:28 So the question is if we allow an endpoint being in multiple groups? Should we not allow it to start? 16:33:34 So, if we allow this, then ordering of policies becomes an issue to solve. 16:33:44 we likely want to start off with very simple assignment. 16:33:45 banix: Good point. First whether we allow it or not. 16:33:55 My take is the policy is applied from group to group, rather than pointing to an endpoint, therefore subjected to different policy even with a common endpoint in different groups should be fine, right? 16:34:11 mestery: yes, and possibly having conflicting policies. 16:34:14 mestery: but I think the difficulty in implementation will affect whether or not we allow it. 16:34:29 mestery: wsn't there a suggestion to have a priority with policy rules to address that 16:34:41 thinrichs: Agreed, and as michsmit said, we may want to start with the simplest case, likely not allowing this. 16:34:47 s3wong: how does one resolve conflicts as pointed in the document 16:34:53 ashaikh: That is one way to solve it, yes. 16:35:02 priority alone doesnt solve it. needs to be global 16:35:02 thinrichs: agree, but the impl could check and disallow if it can't support ? 16:35:14 ashaikh: that would apply in a policy among policy rules which may not be necessary after all. 16:35:18 prasadv: yes, the priority thing is more complex than it appears on the surface... think ye old Cisco ACLs 16:35:30 ashaikh: priority is for having more than one policy rule classifier to match a traffic flow 16:35:48 s3wong: yes, a simpler cas then 16:36:02 s3wong: still problem may show up if we allow one endpoint in multiple groups; I commented on the doc. 16:36:26 It's pretty common to have a conflict resolution scheme for policy languages, e.g. AD uses hierarchies, firewalls use (implicit) priorities. 16:36:43 I don't think the need for conflict resolution is a show-stopper. 16:37:00 thinrichs: Agreed 16:37:05 thinrichs: Yes I think so too 16:37:07 thinrichs: Question is if we need to deal with it now? 16:37:12 hierarchies driven by users assigning the policy is an option 16:37:13 I think it's more a question of how hard is it to write the policy you want and get what you expect. 16:37:17 thinrichs: But needs to be explicitly called out, rather than implied 16:37:18 initially, a EP in a single group will be easiest and then we could introduce attribute-based assignment of EP to group 16:37:24 thinrichs: bingo 16:38:08 michsmit: makes sense 16:38:13 alagalah: definitely needs to be part of the language spec if conflicts are possible. And I agree that the order that rules were added via API calls is a confusing way to resolve conflicts. So if we go with priorities, they ought to be set explicitly. 16:38:34 thinrichs: Agree with you on that point. 16:38:46 There are two different questions here: 16:39:13 thinrichs: Yes, and to my point in the BP about whether this is a promise theory based implementation or... 16:39:33 1) establishing order among policy rules in a policy, 2) order among policies 16:40:09 Let me correct the last statement 16:40:24 banix: agreed 16:40:25 ideally if policy rules can be expressed without ordering, things will be easier to manage 16:40:26 One way would be that if there is conflict to push it back to the app to work out... rather than partial implementation.. ie ask for something else 16:40:39 Like the 413 return code 16:40:58 banix: agreed those are different. 16:41:05 michsmit: the explicit priority handles that case i think, right? i'm less sure about the right way to handle globally 16:41:08 alagalah: we should do that anyway after the priorities right? 16:41:09 1) establishing order among actions in a policy rule, 2) order among policy rules 3) order among policies 16:41:40 banix: 1 is interesting b/c there may be multiple actions that we can apply simultaneously. 16:42:00 1 we know the answer to (ordered list of action) 2, may not be a real issue if we do not allow overlapping classifiers 3) we can leave for later by not allowing an EP being in multiple groups 16:42:10 It depends on the actions we have of course. But right we need to resolve conflicts (1) within a policy, (2) across policies. 16:42:24 1 can often be expressed in an order independent manner 16:42:35 prasadv: Well, it maybe away of ensuring that ordering is irrelevant, ie a more "functional programming" style approach, policy is implemetnted same regardless of ordering 16:42:46 banix: overlapping classifiers are needed for several expressions 16:42:49 banix: I fear that disallowing overlapping classifiers won't be practical. 16:43:01 banix: (2) is somewhat difficult to enforce - it implies we have to run through all classifier and reject overlap at API level 16:44:12 To narrow down the problem we are discussing, is there agreement that EP belongs to one group for now? 16:44:52 banix: also (1) action list may not be ordered as different action_type can be executed simultaneously 16:45:16 banix: if each EP belongs to a single group, can't we still have multiple policies applied to that group and hence have to deal with conflicts? 16:45:40 If we're dealing with conflicts anyway, we might as well allow an EP to belong to multiple groups and apply the same conflict resolution to it. 16:45:43 s3wong: then, there won't be a need to establish order 16:46:00 thinrichs: #agreed 16:46:59 thinrichs: so in essence you are suggesting that we establish orders across policies? 16:47:24 thinrichs: different implementations will end up resolving conflicts in a different manner. users will be confused 16:47:33 s3wong: I'm not suggesting a conflict resolution strategy yet (though order is typical). I'm just trying to understand if there's anyway to avoid conflicts first. 16:47:33 s3wong thinrichs: Orders == priorities 16:47:48 thinrichs: I see your point 16:47:57 Dimit: The conflict resolution I'm suggesting will be part of the language spec. So all plugins implement it the same. 16:48:32 mestery: you think we can use a cross-policy priority to solve the problem? 16:48:34 thinrichs: I agree it should be part of the spec. 16:48:34 mestery: so you mean that we don't want explicit priorities, rather governed by ordering ? 16:48:55 thinrichs: i cant see a unique answer no matter what. users will not know what happened 16:48:59 between a given pair of groups, do we expect more than 1 policy to be applied ? 16:49:10 I think thinrichs had suggested using priorities for policies, which may solve the problem ashaikh, right? 16:49:11 ashaikh: I think his point was that whether you choose ordering or priority, you still end up at the same place 16:49:27 alagalah: ^^^^ That too :) 16:49:43 Dimit: suppose we require every policy to be assigned a unique number (via the API call). The language spec says that the policy that applies with the highest priority is the one that applies. Then the user understands what is happening. 16:49:53 michsmit: couldn't you have have a redirect + QoS policy, for example between groups? 16:50:19 alagalah: yes, same place, except not implicit in the ordering 16:50:30 ashaikh: but those will be policy rules in a single policy 16:50:37 ashaikh: yes, but couldn't they be combined into a single policy 16:51:03 banix: your fingers are faster than mine :-) 16:51:04 michsmit: yes, as mult policy_rules 16:51:07 michsmit: more than one policy: sure, a policy for app tier, an another policy for Sharepoint application specifically 16:51:08 mestery: I think priorities are one solution, though an absolute priority like I mentioned in the example above is not the only way. We could have a partial order of priorities and a mechanism for combining policies of the same priority into one. 16:51:15 openstack-meeting-alt 16:51:40 s3wong: can't you combine that into policy rules if the groups are the same 16:51:45 thinrichs: so two priorities: policy and classifier. i can still see conflict. for ep1, policy A preffered when talking to Ep2 and B preferred when talking to ep3 16:52:08 Just a note folks: We have 9 minutes left, there is another meeting in this channel immediately following this one. 16:52:09 then in a single policy, the order can be established more easily. 16:52:12 Dimit: we need 2 levels of conflict resolution: within the policy and across policies. 16:52:29 Dimit: I was giving the cross-policy resolution scheme. 16:52:36 prasadv: I picture that we want policies to be reused, so using it like two separate ones seems to make sense 16:52:51 s3wong: if we limit an EP to a single group, the policy could be combined as well in the case of app tier/Sharepoint 16:53:11 s3wong: at least initially 16:53:13 Dimit: The resolution scheme within a policy should ensure that we can write a policy that describes both QOs and Security. So a strict ordering there isn't so good either. 16:53:18 thinrichs: cross policy resolution is different for different end poinds . its possible 16:53:30 michsmit: I think that is the way to go 16:53:56 michsmit: then policy combination become an item we have to support in the framework 16:54:03 Dimit: sure--I could see priorities on groups as well. There are a bunch of variations here. The important thing is that the language chooses one. 16:54:22 should we continue this discussion on mailing list? 16:54:43 I would think we start by figuring out the conflict resolution scheme for an individual policy and then worry about cross-policy conflict resolution. 16:54:51 then going back to thinrichs' point, at time of combining policies, we would need to resolve conflicts 16:54:56 thinrichs: yes 16:54:58 banix: +1 to the mailing list discussion 16:55:03 banix: +1 16:55:07 banix: +1 16:55:07 +1 16:55:08 We're almost out of time here. 16:55:12 What mailing list :) 16:55:12 thinrichs: exactly. it can get arbitrarily complex. thats why i suggest single group for ebd point and simple resolution 16:55:17 #topic Open Discussion and Next Steps 16:55:28 For the last 5 minutes, lets see what we'd like to accompliush for next week. 16:55:35 And then do open discussion for hte last few minutes. 16:55:40 openstack-dev mark with [Neutron][Policy] 16:55:54 banix: ty 16:56:00 I did some update on the action_type=='qos' just before the meeting, please take a look 16:56:11 #info Emails for Neutron policy should go to openstack-dev marked as "[neutron] [policy]" 16:56:18 s3wong: Thank you for that. 16:56:30 Also, I would like the community to converge on the default set of actions we would force all plugins to support 16:56:45 s3wong: Can you send an email with that to the list? 16:56:55 mestery: certainly 16:56:55 s3wong:are you going to put more clarity on redirect policy 16:57:09 Let us finalize the object model (with support for combining two model) 16:57:19 fff 16:57:21 prasadv: yes, will also send out to ML to enlist community suggestions/opinions 16:57:41 s3wong: yes, we need that 16:57:45 banix: +1 I think there is more thinking we need to do on combining the models 16:57:50 s3wong: I like it but do we want to mix classification with queueing in the same action ? 16:58:00 prasadv: also, you mentioned you want some redirect dst list mgmt, we should discuss that on ML as well 16:58:14 s3wong: yes we do need to do that 16:58:33 OK, so lets wrap things up here. 16:58:40 We took a few action items which will appear in the meeting minutes. 16:58:46 I'll add them for next week to followup on. 16:58:58 Thanks. 16:59:01 Lets continue discussions on the ML for this week for any items which were not discussed here. 16:59:07 And thanks for attending everyone! 16:59:10 #endmeeting