16:00:52 <lbragstad> #startmeeting policy
16:00:52 <openstack> Meeting started Wed Jan 25 16:00:52 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:53 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:56 <openstack> The meeting name has been set to 'policy'
16:00:59 <lbragstad> ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan
16:01:05 <lbragstad> agenda #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:01:11 <lbragstad> o/
16:01:14 <gagehugo> o/
16:01:44 <lbragstad> Just a heads up - our schedule is really light today and I think that's fine because I know several of you are swamped with last minute ocata things (including me!)
16:02:02 <lbragstad> so this will more or less just be a touch base unless various folks have specific things they want to talk about
16:02:27 <gagehugo> alrighty
16:03:15 <lbragstad> ayoung o/
16:03:39 <lbragstad> lamt o/
16:03:44 <lamt> o/
16:03:44 * lbragstad feels like a greeter
16:04:18 <lbragstad> alright - let's get going
16:04:27 <lbragstad> I only have a couple announcements
16:04:29 <lbragstad> #topic announcement: reminder about policy actions thread
16:04:42 <knikolla> o/
16:04:48 <lbragstad> last week we had a really good discussion about the various policy files
16:04:51 <rderose> o/
16:05:09 <lbragstad> and plans we have to try and consolidate them (moving to the nova model of consolidation policy into code)
16:05:14 <lbragstad> or at least the defaults
16:05:38 <lbragstad> I attempted to summarize the options we talked about in a ML thread
16:05:39 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-dev/2017-January/109639.html
16:05:54 <lbragstad> it hasn't gotten any feedback yet - but I am open to any/all feedback
16:06:19 <lbragstad> (people for the idea, against the idea, or proposing alternatives wrt the goal listed in the thread)
16:06:47 <lbragstad> I want to try and keep that fresh on people's minds so that it helps us prepare for discussions in ATL
16:07:02 <lbragstad> (as I'm assuming we will have some sort of topic on it)
16:07:39 <lbragstad> any questions on that?
16:08:38 <lbragstad> alright
16:08:39 <lbragstad> next
16:08:40 <lbragstad> #topic announcement: interesting video from KubeCon wrt policy
16:09:00 <lbragstad> thanks to ayoung for posting this yesterday - #link https://www.youtube.com/watch?v=WvnXemaYQ50
16:09:26 <ayoung> Yeah
16:09:34 <dstanek> lbragstad: that looks really interesting. have you watched it yet?
16:09:39 <lbragstad> ^ if you haven't seen it yet, it's pretty interesting and thought I'd throw it up here
16:09:42 <lbragstad> dstanek yeah - i have
16:09:44 <ayoung> My take away is that they are ahead of us in the things that I am proposing for RBAC from middleware, but missing impliedroles
16:10:01 <lbragstad> there are a lot of similarities with things we have faced or are facing
16:10:04 <ayoung> a namespace in Kubernetes is comparable to a domain/project in Keystone
16:10:11 <lbragstad> they've solved a few problems that we want to solve
16:10:17 <ayoung> don't know if namespaces are hierarchical yet
16:10:26 <lbragstad> ayoung i don't think it is
16:10:34 <lbragstad> I thought I remember them saying it wasn't
16:10:44 <lbragstad> s/them/Eric/
16:11:11 <lbragstad> anyway - it's a cool video, and figured it would give some good perspective from another group facing the same problems we are
16:11:19 <ayoung> and what naming constraints they have
16:11:38 <ayoung> from an interop perspective, we should make sure we can map cleanly
16:11:41 <lbragstad> yeah - they implement RBAC and a version of scoped-RBAC (like what keystone does)
16:11:46 <ayoung> Murano esp should be able to use the Keystone data
16:11:52 <lbragstad> they also provide *sane* defaults out of the box
16:12:16 <lbragstad> they also scope the equivalent of service accounts to very specific roles
16:12:31 <ayoung> ClusterRoles, which are outside of regular roles
16:12:31 <lbragstad> that only consist of operations a service account needs (and not admin)
16:12:59 <lbragstad> yeah - in my mind, ClusterRoles are the equivalent to global role assignments
16:13:47 <lbragstad> but - if anyone watches that and wants to have a discussion about it later, feel free to ping me
16:14:01 <lbragstad> (in #openstack-keystone obviously)
16:14:53 <lbragstad> #topic open discussion
16:15:07 <lbragstad> does anyone have anything they wanna air out?
16:15:39 <lbragstad> otherwise we can be done early (i know several of you have a lot on your plates)
16:16:55 <lbragstad> well - thanks everyone for coming! we will plan on meeting next week and I'm going to see if I can push for some representation from other projects
16:17:39 <lbragstad> #endmeeting