16:02:06 <lbragstad> #startmeeting policy
16:02:06 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/poicy/2017/poicy.2017-04-26-16.01.txt
16:02:07 <openstack> Log: http://eavesdrop.openstack.org/meetings/poicy/2017/poicy.2017-04-26-16.01.log.html
16:02:09 <openstack> Meeting started Wed Apr 26 16:02:06 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:02:13 <openstack> The meeting name has been set to 'policy'
16:02:16 <dstanek> o/
16:02:18 <edmondsw> o/
16:02:33 <samueldmq> hey o/
16:02:34 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:02:56 <lbragstad> we don't have anything on the agenda, but dstanek was talking to ayoung yesterday about the url based approach
16:03:11 <lbragstad> i haven't had the chance to go back and parse that conversation yet, though
16:03:19 <lbragstad> is johnthetubaguy around?
16:04:43 <samueldmq> lbragstad: so I do have a topic, that is agreement in the roadmap :-)
16:04:56 <dstanek> lbragstad: this gist was that i think it enforces bad behavior of everyone knowing and baking URLs into things
16:05:00 <lbragstad> samueldmq yeah - that's what we've been trying to work towards for a while :)
16:05:07 <samueldmq> I have not been participating of all meetings, so I am sorry if I say things that are very well defined already
16:05:23 <lbragstad> dstanek sorry to duplicate things, did you two reach consensus?
16:05:50 <dstanek> not really :-)
16:05:57 <samueldmq> lbragstad: perfect, my concerns aren't specifically about the URL part or any particular bits, just the overview
16:06:07 <edmondsw> dstanek and I thought you said you were coming around to his approach :)
16:06:16 <lbragstad> since there is only a few of us, i suppose we could take this to a hangout
16:06:49 <dstanek> edmondsw: rbac in middleware....not the implementation that is proposed
16:06:56 <edmondsw> gotcha
16:07:15 <samueldmq> sorry for long text, but this is what I think:
16:07:23 <edmondsw> dstanek did you have an alternative idea using middleware?
16:07:24 <samueldmq> I am not against it at all, my issue is with the direction, because:
16:07:31 <samueldmq> we need to make sure rbac in middleware and ongoing cross-project efforts go to the same direction
16:07:31 <samueldmq> and if they're going, we will want to have role checks in the middleware and scope checks only in the code (service)
16:07:31 <samueldmq> otherwise there will be duplication in the RBAC (both in code and middleware) and it doesn't make sense to me
16:07:31 <samueldmq> ok, so, IF there is that agreement that role checks will only happen in the middleware and scope in the services
16:07:31 <samueldmq> people MUST be aware that some complex rules that mix role+scope won't be possible anymore, because we're decoupling them into 2 separate stages.
16:07:32 <samueldmq> that's all from me
16:07:32 <samueldmq> otherwise we'll end up putting effort in something that won't be used
16:07:54 <dstanek> i would have liked to see some cohesion between what we protect via rbac, policy and what users need to know. to me 'service:operation' was it
16:08:20 <lbragstad> is anyone opposed to using a hangout?
16:08:36 <lbragstad> figured it would be easier to talk about this stuff than have to type it
16:08:38 <samueldmq> lbragstad: not sure my mic is working fine, but we can have a try.
16:08:48 <edmondsw> lbragstad I'm fine with hangouts
16:08:50 <samueldmq> lbragstad: worst case my thoughts are just above ^
16:09:01 <lbragstad> #link https://hangouts.google.com/call/2tk2yazh7zgydmbhxidwf2u35yu
16:10:08 <edmondsw> samueldmq's mic is working... join the hangout
16:13:09 <gagehugo> o/
16:13:21 <lamt> o/
16:13:35 <lbragstad> gagehugo lamt we are in the hangout
16:13:41 <lbragstad> feel free to join :)
16:14:17 <gagehugo> sure
17:09:18 <lbragstad> #endmeeting