14:00:23 <slaweq> #startmeeting neutron_drivers
14:00:24 <openstack> Meeting started Fri Sep 25 14:00:23 2020 UTC and is due to finish in 60 minutes. The chair is slaweq. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:28 <openstack> The meeting name has been set to 'neutron_drivers'
14:00:33 <mlavalle> o/
14:01:03 <slaweq> welcome after a pretty long break on the drivers meeting
14:01:07 <slaweq> :)
14:01:19 <yamamoto> hi
14:01:31 <amotoki> hi
14:01:54 <mlavalle> nothing wrong with that. we are supposed to meet when the community needs it. no need to meet for the sake of meeting
14:02:10 <haleyb> hi
14:02:17 <slaweq> mlavalle: I know, that's why I was cancelling it so many times recently :)
14:02:19 <njohnston> o/
14:02:48 <slaweq> ralonsoh: are You around?
14:02:55 <slaweq> we are almost all here already
14:02:56 <ralonsoh> sorry yes
14:03:02 <slaweq> ok, now we are all there
14:03:04 <slaweq> :)
14:03:13 <slaweq> ok, so let's start
14:03:42 <slaweq> as I wrote in the email yesterday night, we don't have any new (or updated) rfe to discuss today
14:03:59 <slaweq> but I wanted to talk about one bug related to policy.json
14:04:05 <slaweq> https://bugs.launchpad.net/neutron/+bug/1895933
14:04:07 <openstack> Launchpad bug 1895933 in neutron "Admin user can do anything without the control of policy.json" [Medium,Confirmed]
14:04:51 <slaweq> basically in neutron it is like it's in the bug description, so we are checking if user is admin and then don't check anything else from the policy file
14:05:11 <amotoki> sorry for not replying to this. I was busy with internal stuff.....
14:05:26 <slaweq> and I wanted to ask You if You think it is a bug which we should fix, or maybe it's like that in all projects and we should keep it like it's now
14:05:30 <amotoki> IIRC we handled 'admin' role specially so we skipped admin check
14:05:32 <slaweq> amotoki: np
14:05:41 <amotoki> but I believe it is time to honor policy check.
14:06:34 <ralonsoh> but the default behaviour will be the current one, correct?
14:06:58 <slaweq> ralonsoh: I think so
14:07:13 <slaweq> by default admin should be able to do everything
14:07:24 <slaweq> but operator should IMHO be able to control that too
14:07:43 <amotoki> agree
14:08:20 <amotoki> right now, role admin and elevated context are considered the same but perhaps we need to distinguish these two.
14:09:03 <ralonsoh> yeah, that's a good point
14:09:33 <ralonsoh> we should use elevated one internally only when needed, but should not be the same as admin
14:09:47 <ralonsoh> (could be an opportunity to clean up some parts of the code using admin indiscriminately)
14:10:33 <amotoki> ralonsoh: +1
14:11:28 <amotoki> policy check provides RBAC at the API level. Internal accesses with elevated context is a different thing.
14:14:51 <slaweq> so it seems that at least me, ralonsoh and amotoki agree that this is an improvement which we should do in our code
14:15:04 <ralonsoh> yes
14:15:08 <slaweq> anyone else has got any thoughts about that?
14:15:39 <mlavalle> I'm in agreement
14:15:44 <yamamoto> +1
14:15:50 <njohnston> so does that mean we need to reevaluate places where we use context.is_admin to see if this is a case where we need elevated context or actual admin role?
14:16:14 <mlavalle> the question is what we do next
14:16:52 <slaweq> njohnston: I think so
14:17:03 <amotoki> IMHO the first step would be to improve the behavior reported in this bug (address scope)
14:17:45 <slaweq> mlavalle: I think I will open a BP to track progress on that, and we will need some volunteer(s) to make progress on that
14:17:48 <njohnston> like here: https://opendev.org/openstack/neutron/src/branch/master/neutron/policy.py#L434-L437
14:18:04 <mlavalle> slaweq: +1
14:18:11 <njohnston> slaweq: +1
14:18:21 <ralonsoh> +1
14:18:29 <amotoki> slaweq: +1
14:18:41 <slaweq> njohnston: the place which You pointed to is exactly the "culprit" of the whole issue IMO
14:19:00 <slaweq> so this has to be removed
14:19:10 <slaweq> and we should validate policy even if context.is_admin
14:19:38 <amotoki> we may need to revisit the condition of is_admin=true too
14:21:55 <slaweq> ok, so I think we all agreed on what to do with this bug and on the next steps plan
14:22:13 <slaweq> I will sum this up in the LP's comment today
14:22:22 <slaweq> and I will create a BP for this
14:22:36 <slaweq> and basically that's all I had for today
14:22:50 <slaweq> do You have maybe anything else You want to discuss today?
14:23:20 <mlavalle> not from me
14:23:25 <njohnston> no thanks
14:23:32 <amotoki> nothing from me
14:23:50 <ralonsoh> no thanks
14:24:13 <haleyb> not from me
14:24:19 <yamamoto> no
14:24:46 <slaweq> ok, so thx for attending
14:24:55 <slaweq> have a great weekend and see You all next week
14:24:57 <slaweq> o/
14:24:59 <slaweq> #endmeeting