14:00:23 #startmeeting neutron_drivers
14:00:24 Meeting started Fri Sep 25 14:00:23 2020 UTC and is due to finish in 60 minutes. The chair is slaweq. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:28 The meeting name has been set to 'neutron_drivers'
14:00:33 o/
14:01:03 welcome after pretty long break on the drivers meeting
14:01:07 :)
14:01:19 hi
14:01:31 hi
14:01:54 nothing wrong with that. we are supposed to meet when the community needs it. no need to meet for the sake of meeting
14:02:10 hi
14:02:17 mlavalle: I know, that's why I was cancelling it so many times recently :)
14:02:19 o/
14:02:48 ralonsoh: are You around?
14:02:55 we are almost all here already
14:02:56 sorry yes
14:03:02 ok, now we are all there
14:03:04 :)
14:03:13 ok, so let's start
14:03:42 as I wrote in the email yesterday night, we don't have any new (or updated) rfe to discuss today
14:03:59 but I wanted to talk about one bug related to policy.json
14:04:05 https://bugs.launchpad.net/neutron/+bug/1895933
14:04:07 Launchpad bug 1895933 in neutron "Admin user can do anything without the control of policy.json" [Medium,Confirmed]
14:04:51 basically in neutron it is like it's in the bug description, so we are checking if user is admin and then don't check anything else from the policy file
14:05:11 sorry for not replying this. I was busy for internal stuffs.....
14:05:26 and I wanted to ask You if You think it is a bug which we should fix, or maybe it's like that in all projects and we should keep it like it's now
14:05:30 IIRC we handled 'admin' role specially so we skipped admin check
14:05:32 amotoki: np
14:05:41 but I believe it is time to honor policy check.
14:06:34 but the default behaviour will be the current one, correct?
14:06:58 ralonsoh: I think so
14:07:13 by default admin should be able to do everything
14:07:24 but operator should IMHO be able to control that too
14:07:43 agree
14:08:20 at now, role admin and elevated context are considered same but perhaps we need to distinguish these two.
14:09:03 yeah, that's a good point
14:09:33 we should use elevated one internally only when needed, but should not be the same as admin
14:09:47 (could be an opportunity to clean up some parts of the code using admin indiscriminately)
14:10:33 ralonsoh: +1
14:11:28 policy check provides RBAC at the API level. Internal accesses with elevated context is a different thing.
14:14:51 so it seems that at least me, ralonsoh and amotoki agree that this is an improvement which we should do in our code
14:15:04 yes
14:15:08 anyone else has got any thoughts about that?
14:15:39 I'm in agreement
14:15:44 +1
14:15:50 so does that mean we need to reevaluate places where we use context.is_admin to see if this is a case where we need elevated context or actual admin role?
14:16:14 the question is what we do next
14:16:52 njohnston: I think so
14:17:03 IMHO the first step would be to improve the behavior reported in this bug (address scope)
14:17:45 mlavalle: I think I will open BP to track progress on that, and we will need some volunteer(s) to make progress on that
14:17:48 like here: https://opendev.org/openstack/neutron/src/branch/master/neutron/policy.py#L434-L437
14:18:04 slaweq: +1
14:18:11 slaweq: +1
14:18:21 +1
14:18:29 slaweq: +1
14:18:41 njohnston: place which You pointed to is exactly the "culprit" of the whole issue IMO
14:19:00 so this has to be removed
14:19:10 and we should validate policy even if context.is_admin
14:19:38 we may need to revisit the condition of is_admin=true too
14:21:55 ok, so I think we all agreed on what to do with this bug and on the next steps plan
14:22:13 I will sum this up in the LP's comment today
14:22:22 and I will create BP for this
14:22:36 and basically that's all what I had for today
14:22:50 do You have maybe anything else You want to discuss today?
14:23:20 not from me
14:23:25 no thanks
14:23:32 nothing from me
14:23:50 no thanks
14:24:13 not from me
14:24:19 no
14:24:46 ok, so thx for attending
14:24:55 have a great weekend and see You all next week
14:24:57 o/
14:24:59 #endmeeting