13:01:45 #startmeeting nova api
13:01:46 Meeting started Wed Feb 15 13:01:45 2017 UTC and is due to finish in 60 minutes. The chair is alex_xu. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:47 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:01:49 The meeting name has been set to 'nova_api'
13:01:54 who is here today?
13:02:03 o/
13:02:13 o/
13:02:19 \o
13:02:37 o/
13:02:38 let us wait one more min for johnthetubaguy and sdague
13:02:55 o/
13:03:19 cool, let us start the meeting
13:03:26 #topic Pike PTG
13:03:35 #link https://etherpad.openstack.org/p/nova-ptg-pike
13:03:55 I saw the capabilities already in the etherpad, johnthetubaguy I guess you need to put the policy in the etherpad?
13:05:03 and I guess we needn't this https://review.openstack.org/426128 anymore, as johnthetubaguy have new plan on the policy
13:06:42 yea may be, i need to read johnthetubaguy policy's spec in detail
13:07:03 yeah, johnthetubaguy updated the policy stuff as three specs
13:07:10 nice
13:07:17 #link https://review.openstack.org/433010
13:07:25 #link https://review.openstack.org/433037
13:07:31 #link https://review.openstack.org/427872
13:07:31 good point, the new policy check kinda replaces that
13:07:48 johnthetubaguy: ok, so I can remove that from the ptg etherpad
13:07:59 I should get policy in there, I think keystone folks are looking at something with all of us getting together
13:08:41 ln199 has that listed
13:09:10 cool
13:09:36 they have a policy meeting at 16 UTC
13:09:49 I am going to answer questions on those specs in there too
13:10:27 * alex_xu will read the meeting log
13:10:30 I haven't really got to keystone domains or sdague's really good idea around setting policy yet
13:10:56 but hopefully captured our discussion on docs being important from last week
13:11:25 it sounds like that there will be a policy conversation at the PTG led by lance
13:11:47 yeah, thats the line199 one
13:12:06 I think
13:13:39 I guess that all for PTG? anymore people want to bring into PTG?
13:14:05 seems like 1.30 PM
13:14:09 #link https://etherpad.openstack.org/p/keystone-pike-ptg
13:14:15 L193
13:15:37 will PTG same with mid-cycle as people sit around a table? or PTG will have fishbowl room?
13:16:14 fishbowl also if team book any
13:16:35 gmann: ah, thanks
13:16:44 https://ethercalc.openstack.org/Pike-PTG-Discussion-Rooms
13:18:15 sounds like we didn't have too much discussion at here today, then just waiting the discussion happened in ptg
13:18:30 +1
13:18:46 saw room booked for policy discussion
13:19:22 last check, any more want to bring up? if no, we can close the meeting early today
13:19:26 were there any things from those policy specs people wanted to cover?
13:19:29 * alex_xu try to understand the table
13:19:49 I am curious about what people thought about the global context thing
13:19:54 its quite radical
13:20:21 I'll check those specs tomorrow.
13:20:35 separates the scope check and a policy check
13:20:51 it really makes that last spec about the new observer, member, admin roles so much simpler
13:20:58 johnthetubaguy: yea, I'm also thinking that kind of change whether depend on your proposal for policy deprecation and policy rename....
13:21:20 I wasn't planning on any renames in the current specs, leaving that for later
13:21:58 I think that default policy transition thing would really help, but its not required
13:22:00 ok
13:22:23 the rules should stay largely backwards compatible in the proposals, at least that was my intent
13:22:44 the logging warnings to the deprecations is the trickier a bit, but we have done some of that already
13:23:33 johnthetubaguy: is there any other project already separate the scope check and a policy check?
13:23:50 I don't know really
13:23:57 ok :)
13:24:01 it was mostly based on ideas from one of the keystone folks
13:24:18 the user-id thing made it clear to me, we don't want too much control in policy
13:24:24 its really carries on from that thinking
13:24:49 the real change is that we don't use context_is_admin to also mean has global scope
13:25:04 because it turns out thats largely what we do today
13:25:11 which make per project admins really hard
13:25:46 docs wise, were people happy with the ideas in there around what docs we should add?
13:25:48 I guess so
13:26:09 thinking this one: https://review.openstack.org/#/c/433010/
13:26:29 https://review.openstack.org/#/c/433010/5/specs/pike/approved/policy-docs.rst@56
13:28:05 I guess folks are not too chatty today / busy thinking
13:28:23 doc one looks good to me
13:28:32 * alex_xu try to understand 'Project, Member, Read' means
13:30:10 I guess looks good to me after quick reading
13:31:17 yeah, we might want to simplify that at some point
13:31:28 or come up with something that makes more sense
13:31:55 I might be tempted to leave adding that line till we do that later spec on adding the extra roles
13:32:13 but I think its useful without that, if we don't think we will get that far
13:32:57 yea, at least we show mapping between url and rule for the user
13:32:59 should be fine as it just show as example of doc string
13:34:02 johnthetubaguy: I'll look through the policy doc spec in a few
13:34:40 sdague: thanks, its split into three, so it makes a little bit more sense
13:35:00 3 specs?
13:35:14 they all depend on each other, so should be linked
13:35:31 starts with this one: https://review.openstack.org/#/c/433010/
13:35:44 basically: docs, scope checks, extra roles
13:35:54 the most interesting one is second one :)
13:36:17 most controversial, to be sure
13:39:11 johnthetubaguy: for "os_compute_api:servers:show:host_status", it isn't very clear for which attributes controlled by the rule
13:39:32 yes, that would need to go in the description
13:40:06 GET /servers/{server_id}:attributes:host_status?
13:40:32 maybe over complext, but yes, detail description can clarify more
13:40:35 but its still the same affected URL
13:40:40 its just in the data
13:40:43 s/complext/complex
13:40:48 yea
13:40:54 same problem with action
13:41:33 I was thinking more like we just put the name after the URL
13:41:55 alex_xu: I get your comment now though
13:42:47 is there any method add some comment in the top of policy config to explain "project, member, write"?
13:43:20 or name as heading for each policy instead of after url ?
13:43:45 right now, there is no section comment, etc
13:43:47 but we could add that
13:43:58 we probably need to make that easier to understand
13:44:22 scope: project access:read/write/admin
13:45:32 I added comments on the spec for a suggestion
13:45:40 on this one: https://review.openstack.org/#/c/433010
13:46:38 johnthetubaguy: I just added some comments on that one
13:46:51 read/write is confuse. because the API is only about read or write
13:47:21 mostly, I wonder if we should start by making the metadata more structured from the beginning and assemble the docs
13:47:39 and it would be good to see what an action looks like in that
13:48:50 admin in access read/write/admin ? you mean read and write
13:49:11 sdague: its tempting, I guess we can see the patterns emerging
13:49:57 sdague: I was thinking we sketch out the docs for us first, and see if other projects are showing similar patterns
13:50:06 except action/attributes, found we still have a rule deep into code called 'network:attach_external_network'
13:50:22 gmann: I mean read or write or admin
13:50:47 gmann: although thats more about the last of the three specs really
13:51:23 ok
13:51:39 johnthetubaguy: yea, read/write is hard to understand without later specs
13:53:26 i guess no more comment from me
13:55:10 ok, if no more comment, I guess we can close the meeting
13:55:17 5 mins left
13:55:18 I'm good.
13:55:21 sounds good
13:55:34 ok, thanks all, see you in atlanta
13:55:40 #endmeeting