13:01:45 <alex_xu> #startmeeting nova api
13:01:46 <openstack> Meeting started Wed Feb 15 13:01:45 2017 UTC and is due to finish in 60 minutes.  The chair is alex_xu. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:01:49 <openstack> The meeting name has been set to 'nova_api'
13:01:54 <alex_xu> who is here today?
13:02:03 <cdent> o/
13:02:13 <gmann> o/
13:02:19 <macsz> \o
13:02:37 <johnthetubaguy> o/
13:02:38 <alex_xu> let us wait one more min for johnthetubaguy and sdague
13:02:55 <sdague> o/
13:03:19 <alex_xu> cool, let us start the meeting
13:03:26 <alex_xu> #topic Pike PTG
13:03:35 <alex_xu> #link https://etherpad.openstack.org/p/nova-ptg-pike
13:03:55 <alex_xu> I saw the capabilities already in the etherpad, johnthetubaguy I guess you need to put the policy in the etherpad?
13:05:03 <alex_xu> and I guess we don't need this https://review.openstack.org/426128 anymore, as johnthetubaguy has a new plan on the policy
13:06:42 <gmann> yea maybe, i need to read johnthetubaguy's policy spec in detail
13:07:03 <alex_xu> yeah, johnthetubaguy updated the policy stuff as three specs
13:07:10 <gmann> nice
13:07:17 <alex_xu> #link https://review.openstack.org/433010
13:07:25 <alex_xu> #link https://review.openstack.org/433037
13:07:31 <alex_xu> #link https://review.openstack.org/427872
13:07:31 <johnthetubaguy> good point, the new policy check kinda replaces that
13:07:48 <alex_xu> johnthetubaguy: ok, so I can remove that from the ptg etherpad
13:07:59 <johnthetubaguy> I should get policy in there, I think keystone folks are looking at something with all of us getting together
13:08:41 <johnthetubaguy> ln199 has that listed
13:09:10 <alex_xu> cool
13:09:36 <johnthetubaguy> they have a policy meeting at 16 UTC
13:09:49 <johnthetubaguy> I am going to answer questions on those specs in there too
13:10:27 * alex_xu will read the meeting log
13:10:30 <johnthetubaguy> I haven't really got to keystone domains or sdague's really good idea around setting policy yet
13:10:56 <johnthetubaguy> but hopefully captured our discussion on docs being important from last week
13:11:25 <sdague> it sounds like there will be a policy conversation at the PTG led by lance
13:11:47 <johnthetubaguy> yeah, that's the line199 one
13:12:06 <johnthetubaguy> I think
13:13:39 <alex_xu> I guess that's all for PTG? anything more people want to bring to the PTG?
13:14:05 <gmann> seems like 1.30 PM
13:14:09 <gmann> #link https://etherpad.openstack.org/p/keystone-pike-ptg
13:14:15 <gmann> L193
13:15:37 <alex_xu> will PTG same with mid-cycle as people sit around a table? or PTG will have fishbowl room?
13:16:14 <gmann> fishbowl  also if team book any
13:16:35 <alex_xu> gmann: ah, thanks
13:16:44 <gmann> https://ethercalc.openstack.org/Pike-PTG-Discussion-Rooms
13:18:15 <alex_xu> sounds like we didn't have too much discussion at here today, then just waiting the discussion happened in ptg
13:18:30 <gmann> +1
13:18:46 <gmann> saw room booked for policy discussion
13:19:22 <alex_xu> last check, any more want to bring up? if no, we can close the meeting early today
13:19:26 <johnthetubaguy> were there any things from those policy specs people wanted to cover?
13:19:29 * alex_xu try to understand the table
13:19:49 <johnthetubaguy> I am curious about what people thought about the global context thing
13:19:54 <johnthetubaguy> its quite radical
13:20:21 <gmann> i'll check those specs tomorrow.
13:20:35 <johnthetubaguy> separates the scope check and a policy check
13:20:51 <johnthetubaguy> it really makes that last spec about the new observer, member, admin roles so much simpler
13:20:58 <alex_xu> johnthetubaguy: yea, I'm also thinking that kind of change whether depend on your proposal for policy deprecation and policy rename....
13:21:20 <johnthetubaguy> I wasn't planning on any renames in the current specs, leaving that for later
13:21:58 <johnthetubaguy> I think that default policy transition thing would really help, but its not required
13:22:00 <alex_xu> ok
13:22:23 <johnthetubaguy> the rules should stay largely backwards compatible in the proposals, at least that was my intent
13:22:44 <johnthetubaguy> the logging warnings to the deprecations is the trickier a bit, but we have done some of that already
13:23:33 <alex_xu> johnthetubaguy: is there any other project already separate the scope check and a policy check?
13:23:50 <johnthetubaguy> I don't know really
13:23:57 <alex_xu> ok :)
13:24:01 <johnthetubaguy> it was mostly based on ideas from one of the keystone folks
13:24:18 <johnthetubaguy> the user-id thing made it clear to me, we don't want too much control in policy
13:24:24 <johnthetubaguy> it really carries on from that thinking
13:24:49 <johnthetubaguy> the real change is that we don't use context_is_admin to also mean has global scope
13:25:04 <johnthetubaguy> because it turns out that's largely what we do today
13:25:11 <johnthetubaguy> which makes per project admins really hard
13:25:46 <johnthetubaguy> docs wise, were people happy with the ideas in there around what docs we should add?
13:25:48 <johnthetubaguy> I guess so
13:26:09 <johnthetubaguy> thinking this one: https://review.openstack.org/#/c/433010/
13:26:29 <johnthetubaguy> https://review.openstack.org/#/c/433010/5/specs/pike/approved/policy-docs.rst@56
13:28:05 <johnthetubaguy> I guess folks are not too chatty today / busy thinking
13:28:23 <gmann> doc one looks good to me
13:28:32 * alex_xu try to understand 'Project, Member, Read' means
13:30:10 <alex_xu> I guess looks good to me after quick reading
13:31:17 <johnthetubaguy> yeah, we might want to simplify that at some point
13:31:28 <johnthetubaguy> or come up with something that makes more sense
13:31:55 <johnthetubaguy> I might be tempted to leave adding that line till we do that later spec on adding the extra roles
13:32:13 <johnthetubaguy> but I think its useful without that, if we don't think we will get that far
13:32:57 <alex_xu> yea, at least we show mapping between url and rule for the user
13:32:59 <gmann> should be fine as it just show as example of doc string
13:34:02 <sdague> johnthetubaguy: I'll look through the policy doc spec in a few
13:34:40 <johnthetubaguy> sdague: thanks, its split into three, so it makes a little bit more sense
13:35:00 <sdague> 3 specs?
13:35:14 <johnthetubaguy> they all depend on each other, so should be linked
13:35:31 <johnthetubaguy> starts with this one: https://review.openstack.org/#/c/433010/
13:35:44 <johnthetubaguy> basically: docs, scope checks, extra roles
13:35:54 <alex_xu> the most interesting one is second one :)
13:36:17 <johnthetubaguy> most controversial, to be sure
13:39:11 <alex_xu> johnthetubaguy: for "os_compute_api:servers:show:host_status", it isn't very clear for which attributes controlled by the rule
13:39:32 <johnthetubaguy> yes, that would need to go in the description
13:40:06 <alex_xu> GET /servers/{server_id}:attributes:host_status?
13:40:32 <alex_xu> maybe over complext, but yes, detail description can clarify more
13:40:35 <johnthetubaguy> but its still the same affected URL
13:40:40 <johnthetubaguy> its just in the data
13:40:43 <alex_xu> s/complext/complex
13:40:48 <alex_xu> yea
13:40:54 <alex_xu> same problem with action
13:41:33 <johnthetubaguy> I was thinking more like we just put the name after the URL
13:41:55 <johnthetubaguy> alex_xu: I get your comment now though
13:42:47 <alex_xu> is there any method to add some comment in the top of policy config to explain "project, member, write"?
13:43:20 <gmann> or name as heading for each policy instead of after url ?
13:43:45 <johnthetubaguy> right now, there is no section comment, etc
13:43:47 <johnthetubaguy> but we could add that
13:43:58 <johnthetubaguy> we probably need to make that easier to understand
13:44:22 <johnthetubaguy> scope: project access:read/write/admin
13:45:32 <johnthetubaguy> I added comments on the spec for a suggestion
13:45:40 <johnthetubaguy> on this one: https://review.openstack.org/#/c/433010
13:46:38 <sdague> johnthetubaguy: I just added some comments on that one
13:46:51 <alex_xu> read/write is confusing. because the API is only about read or write
13:47:21 <sdague> mostly, I wonder if we should start by making the metadata more structured from the beginning and assemble the docs
13:47:39 <sdague> and it would be good to see what an action looks like in that
13:48:50 <gmann> admin in access read/write/admin ? you mean read and write
13:49:11 <johnthetubaguy> sdague: its tempting, I guess we can see the patterns emerging
13:49:57 <johnthetubaguy> sdague: I was thinking we sketch out the docs for us first, and see if other projects are showing similar patterns
13:50:06 <alex_xu> except action/attributes, found we still have a rule deep into code called 'network:attach_external_network'
13:50:22 <johnthetubaguy> gmann: I mean read or write or admin
13:50:47 <johnthetubaguy> gmann: although thats more about the last of the three specs really
13:51:23 <gmann> ok
13:51:39 <alex_xu> johnthetubaguy: yea, read/write is hard to understand without later specs
13:53:26 <alex_xu> i guess no more comment from me
13:55:10 <alex_xu> ok, if no more comment, I guess we can close the meeting
13:55:17 <alex_xu> 5 mins left
13:55:18 <gmann> i'm good.
13:55:21 <johnthetubaguy> sounds good
13:55:34 <alex_xu> ok, thanks all, see you in atlanta
13:55:40 <alex_xu> #endmeeting