16:00:47 #startmeeting policy 16:00:48 Meeting started Wed Feb 8 16:00:47 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:50 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:52 The meeting name has been set to 'policy' 16:01:03 ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan, raj_singh 16:01:54 agenda #link https://etherpad.openstack.org/p/keystone-policy-meeting 16:02:14 howdy 16:02:15 not sure if johnthetubaguy is around? 16:02:21 o/ 16:02:22 dstanek gagehugo edmondsw o/ 16:02:25 o/ 16:02:26 lamt o/ 16:02:27 o/ 16:03:02 o/ 16:03:20 o/ 16:03:44 we'll give folks another minute to join before we get started 16:04:29 agenda #link https://etherpad.openstack.org/p/keystone-policy-meeting for those who need it 16:05:20 #topic Nova's policy goals for Pike 16:05:40 we don't have much for announcements - so we can jump right in 16:05:54 johnthetubaguy proposed a set of goals nova wants to accomplish for Pike 16:06:02 #link https://review.openstack.org/#/c/427872/ 16:06:27 we have a talk at the nova-api meeting today about things, we may be shifting focus a bit after that 16:06:39 but its stuff we are actively discussing right now 16:07:05 johnthetubaguy this one? #link http://eavesdrop.openstack.org/#Nova_API_Meeting 16:07:45 yeah 16:08:03 johnthetubaguy awesome - i'll see if I can swing by 16:08:48 that spec has a lot of relevance with this meeting - so feel free to review it 16:09:09 I'm attempting to keep tabs on it - but i assume it will make for some good discussion at the PTG 16:09:20 which moves into our next topic 16:09:25 #topic Keystone specs for richer policy 16:10:03 so I could cover quickly the discussion if that helps 16:10:08 after seeing the work johnthetubaguy did for nova - i took a stab at doing the same for keystone #link https://review.openstack.org/#/q/status:open+project:openstack/keystone-specs+branch:master+topic:bp/richer-policy 16:10:11 sorry half in a stand up that was running long 16:10:13 ah, cool 16:10:17 johnthetubaguy go for it 16:10:22 so we are thinking we should focus on the docs 16:11:01 johnthetubaguy new docs or existing ones? 16:11:20 so using olso.polcy 16:11:23 let me get a link 16:12:11 #link http://docs.openstack.org/developer/nova/sample_policy.html 16:12:22 this is what nova today generates from the code 16:12:38 johnthetubaguy nice 16:13:19 so there is one doc comment in there alreday 16:13:23 johnthetubaguy are the docs going to describe what each operation does? 16:13:26 is terrible, but we have a route forward there 16:13:39 so there is a nice way to think about this 16:13:55 operators should be able to read this sample policy file, and no longer have to read the code 16:14:04 if thats true, we did it right 16:14:13 johnthetubaguy so exactly like configu 16:14:14 thats what we are doing for the configuration 16:14:16 yeah 16:14:17 configuration* 16:14:37 if you search for os_compute_api:os-attach-interfaces:create 16:14:40 it has a quick note 16:14:51 its almost good enough actually, and its just a one liner 16:15:02 so - would it look like? #link https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/conf/auth.py#L22-L28 16:15:37 so in the code we have this 16:15:38 https://github.com/openstack/nova/blob/4f91ed3a547965ed96a22520edcfb783e7936e95/nova/policies/attach_interfaces.py#L25 16:15:42 so yeah, basically the same 16:15:56 right now all our rules have to be registered, and you get the chance to specify the docs 16:16:14 ah - so the RuleDefault as a description attribute 16:16:34 yeah 16:16:37 the other side of this: 16:16:38 https://github.com/openstack/nova/blob/master/tox.ini#L91 16:16:47 its basically just like config 16:17:13 aha 16:17:32 when did the RuleDefault object get a description attribute? 16:17:36 there is the upgrade conversation if we want to do renames, but basically I am thinking in pike we might focus on just getting some docs in there 16:17:40 lbragstad: not sure actually 16:17:57 i swear i checked for that last week 16:18:26 https://github.com/openstack/oslo.policy/blob/9e3d46b1707152094cc2c2bdd45e22898d79140c/oslo_policy/policy.py#L791 16:18:30 * johnthetubaguy shrugs 16:19:12 seems like it got added with rule default 16:19:18 huh - cool 16:19:20 that was always our intention at least 16:19:21 https://github.com/openstack/oslo.policy/commit/bb1127232695c07eb8e3622714b7de7cf7219ccc 16:19:30 auto gen docs that match the config 16:19:48 so the auto generation already pulls the description 16:19:51 yep 16:19:53 it looks like 16:19:56 that's aweesome 16:20:07 that is essentially the next topic i had on the agenda 16:20:12 so yeah, for pike, we plan to fill that in 16:20:13 johnthetubaguy: i like this idea 16:20:13 so just docs... any thought being given to the code changes that need to happen, like https://review.openstack.org/#/c/384148/ 16:21:05 johnthetubaguy: you don't do anything dynamic with the rules through right? like at import time change the stuff that is in the list (besides the % operator stuff)? 16:21:06 and one of the things I find most confusing in nova is that scope is restricted to the current project via code in some places (like it should be) but in other places you have to worry about scope in the policy file 16:21:12 good luck making that clear in docs... 16:21:17 so right now, I have put about 1 billion things on the table to consider, I need to trim that down into some stages 16:21:19 it needs to be fixed in code 16:21:26 dstanek: dynamic? why would you want that? 16:22:02 edmondsw: yeah, thats on the "to fix" list, admin vs non admin used to be hardcoded to, but we have carefully removed that now, baby steps 16:22:14 cool 16:22:16 johnthetubaguy: i wouldn't :-) 16:22:26 johnthetubaguy: i was just wondering if you guys did that 16:22:32 dstanek: heh, no worries 16:22:51 dstanek: I don't see any use case for it, most folks want to audit policy, dynamic seems to fight that somewhat 16:23:06 johnthetubaguy the registration steps is what determines if you're going to use the default or a policy defined in an existing policy.json/yml file somewhere, right? 16:23:22 the registration step is the default 16:23:31 we don't have any policy file in tree any more 16:23:41 aha 16:23:44 by default Nova works with no policy file being present on the disk 16:23:47 johnthetubaguy, I would love to be involved in helping you fix the project scope check issue when you can get to it 16:23:49 johnthetubaguy: yeah, i agree. i was thinking that someone will eventually want to change policy based on config, or something else 16:23:58 then it's hard to know what is happening 16:24:08 edmondsw: cool, more hands on there could really help 16:24:36 dstanek: now available capabilities of the system is a different thing, policy always stays static for me, like you say 16:24:43 johnthetubaguy so far nova is the only project to put policy into code, right? 16:24:49 lbragstad: AFAIK, yes 16:25:12 cinder has a spec for it, but didn't make ocata 16:25:26 so for keystone - that'd be our first step #link https://review.openstack.org/#/c/428453/ 16:25:40 so there is some fun tooling that helps you merge a file with the defaults in the code, and to help find what duplicates you have in your file, to help with upgrades 16:25:40 lbragstad +1 16:25:54 haven't had feedback on if that works for people yet, but its what they asked for 16:26:05 Really no progress on that on the Cinder side for now. 16:26:07 we might be able to coordinate parallel efforts to fill in descriptions as we do that? 16:26:08 lbragstad: this should be pretty easy to get in right? you haven't heard of any pushback have you? 16:26:44 dstanek no real pushback yet - but i'm continuing to advertise it 16:27:01 and still looking for feedback and people to help out with the effort 16:27:21 (the sooner we do that the sooner we'll be on the same page as nova/other projects) 16:27:29 which would make doing what johnthetubaguy wants easier 16:27:33 lbragstad: let push in it before the haters have a chance to see it :-D 16:27:50 dstanek :) 16:28:04 so there are some interesting thoughts earlier on turning the policy file upside down 16:28:06 "nothing to see here, move along citizen, move along" 16:28:30 johnthetubaguy how so? 16:28:49 right now we say { p1: admin_or_owner, p2: admin, p3:admin ...} 16:28:57 as in define who can do each rule 16:29:05 but as an operator really you want to see 16:29:37 { owner_can_do: [p1], admin_can_do: [p2, p3] } 16:29:42 or something like that 16:29:44 +1 16:29:48 +1 16:29:48 ++ 16:29:59 that was popular quickly :) 16:30:10 i imagine that would play into capability APIs nicely 16:30:17 so its totally sdague who brought that up, it seems to make sense 16:30:46 nova and cinder both have specs for capability APIs 16:30:57 now that pivot might make sense before we add lots of roles 16:31:04 I think the more important thing, is this could be new stanzas in the policy 16:31:14 which wouldn't conflict with existing ones 16:31:24 so there is a smooth transition across as it's additive 16:31:30 sdague ++ 16:31:40 how would they not conflict? 16:32:06 they take preference, and it looks different to the old cruft 16:32:08 interesting 16:32:27 you would have to define both to be consistent, but then tell the enforcement point which one to use? 16:32:52 I would say the new one wins, or you just fail to start if it conflicts 16:33:08 but it means the old one still works 16:33:13 right 16:33:15 and the new one would work 16:33:19 which is more important 16:33:44 so - that would be an alternative to the richer policy roles? 16:34:04 so it's not the old way OR checks from the new way? 16:34:05 or a prerequisite? 16:34:06 a way of making the richer policy defaults easier to deal with maybe? 16:34:31 I quite like it as a prerequisite myself, the more I think about it 16:34:48 I assume the new way still lets you do things besides just check role... e.g. operator can do p1 if xyz 16:35:08 put policy into code -> redefine policy by role instead of operation -> introduce more granular roles ? 16:35:09 for the record, there is loads to go through here, which is why I think I want to focus on getting the docs started :) 16:35:46 johnthetubaguy yeah - i would think that'd be something we'd have to do regardless 16:35:53 lbragstad: I nova I we have some other de-cruft-i-fy bits that edmondsw hinted at earlier, but yeah, something like that 16:35:56 lbragstad: totally 16:36:07 hmm, typing failed me there 16:36:18 insert some grammar bits as you see fit 16:36:31 i was able to parse it :) 16:37:02 so - does anyone see any red flags with the policy in code + documentation around the current operations? 16:37:48 these new stanzas being organized by role is pretty much the opposite of the approach ayoung was pushing to pull role checks out to middleware 16:38:33 you wouldn't do both 16:39:01 so we would never be able to have all policy checks in middleware, unless it implemented most of our API for us 16:39:20 now it would bring consistency, but the APIs already existing, and they aren't consistent enough 16:39:31 yeah, that wasn't the proposal... just to do role checks, not the rest 16:39:47 I think I like this better, at first glance 16:39:58 having said that, maybe we want a "can access nova API" role check for all requests, that could be a thing I see people liking 16:39:59 this = sdague's proposal 16:40:33 so we can still have standards to help with names etc 16:40:51 but in reality we still need a list of all the rules, with documentation, else no one will have a clue whats going on 16:40:58 edmondsw: don't consider this as formal as a proposal at this point, it is an observation of the way that admins think about and want to interact with our stuff 16:41:22 johnthetubaguy ++ 16:41:54 johnthetubaguy that should only make "standardizing" a set of roles easier 16:41:56 they are solving a different set of problems of course, some of this is agreeing on the most important problems to solve 16:42:10 also, having fought over all the complexity of roles for even the most basic things today in working through issues to cut the stable/ocata branch, I am skeptical the current course and speed on roles is helping operators 16:42:12 sdague i.e., someone else should drive that if they think it's a good idea? :) 16:42:44 sdague can you elaborate on that last comment a bit more? 16:43:24 edmondsw: https://bugs.launchpad.net/keystone/+bug/1662911 16:43:24 Launchpad bug 1662911 in OpenStack Identity (keystone) "v3 API create_user does not use default_project_id" [Undecided,New] 16:43:51 anyway, this is probably going to divert from the core discussion here 16:44:26 I think the important thing on policy is to remember that it is an interface for operators for them to clearly express their intent of how they expect the system to work 16:44:38 sdague: ++ 16:44:52 and if that expression doesn't align with the way people think about it, they will introduce bugs and security issues 16:45:31 something tells me we need less granular rules for many things 16:45:59 an operator cares about reading servers for a project, not listing, getting, filter, etc 16:46:06 johnthetubaguy less granular than what we have today? 16:46:18 johnthetubaguy: right, though that's a project artifact 16:46:22 maybe grouped or hierarchical 16:46:23 ah - so grouping similar operations 16:46:48 the other thing is we let people basically make the API non-interoperable today, which also feels bad (and I don't just mean fix it with API discoverability) 16:46:59 s/API/capability/ 16:47:03 johnthetubaguy: yeh, one thing at a time 16:47:14 yeah, sorry, as you see, I keep getting carried away 16:47:47 i think this is good - because it helps us figure out what the big picture should be 16:47:51 the doc would should help us better understand what we have today, and should help operators come back with more interesting questions 16:47:53 because I think the biggest concrete concern today is the system is confusing enough that it is really easy to have a giant security hole and not realize it 16:48:00 sdague: +1000 16:48:05 sdague ++ 16:48:29 "oh that rule means any user can destroy my cloud now, whoops" 16:49:26 so - it still sounds like in order to do any of this we will need in-code policy 16:49:44 I think so 16:49:51 or in-code policy will make it much easier 16:49:55 yeah, that 16:50:21 does anyone disagree with that assessment? 16:51:13 johnthetubaguy, I think we need to allow folks to customize listing, getting, etc individually... but I would love to see sensible defaults that use common rules... e.g. "os_compute_api:servers:show": "os_compute_api:servers:list" so if you want to change both you only have to change the list one 16:51:15 * johnthetubaguy is hoping thats the silence of agreement 16:51:49 or a new rule that both show and list point to by default, and you change that to change them both 16:52:20 yeah, I am really meaning about adding a new rule as a default, at least at first 16:52:47 having said that, I don't really get the use case for different rules for each of those 16:53:15 99.8% of the time they're the same, but I do have cases where I've customized them differently 16:53:37 edmondsw can you share the 0.2%? 16:53:45 but was the 0.2% a real deal break, or just because you could? 16:53:47 I'll have to go find them... 16:53:57 I think they were pretty important 16:54:07 edmondsw: would be great to get data on that 16:54:46 now if enable list would create a ddos, thats probably a slightly different case 16:55:32 FYI - we're at the 5 minute mark 16:58:06 edmondsw would you be interesting in bringing those use cases to the meeting next week? 16:58:28 I will try to run them down 16:58:33 edmondsw cool 16:58:41 does anyone have any last minute things? 16:59:35 johnthetubaguy sdague thanks for sharing 16:59:53 thanks, was a good discussion 17:00:17 do we want to propose the upside-down-policy thing? 17:00:25 in a spec or something like that? 17:01:13 either way - i can look into that. thanks for coming everyone! 17:01:16 #endmeeting