16:00:04 <lbragstad> #startmeeting policy
16:00:08 <openstack> Meeting started Wed Jun 21 16:00:04 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:09 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:12 <openstack> The meeting name has been set to 'policy'
16:00:12 <lbragstad> ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson
16:00:18 <gagehugo> o/
16:00:20 <blancos> o/
16:00:21 <hrybacki> o/
16:00:22 <lbragstad> o/
16:00:37 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:00:39 <lbragstad> agenda ^
16:00:57 <morgan> Just 10 more minutes... I promise I'll wake up then :P
16:01:12 <lbragstad> morgan: sounds like a reason to hit snooze
16:01:15 <morgan> Or.. erm.. I guess I'm here :P
16:01:20 <hrybacki> lol
16:01:21 <morgan> Right!?
16:01:33 <lbragstad> i say that to my phone every morning
16:02:17 <edmondsw> o/
16:02:32 <lbragstad> alrighty - let's go ahead and get started
16:02:45 <lbragstad> pretty light agenda today - so we should have plenty of time to discuss open topics
16:02:52 <lbragstad> #topic policy-docs goal
16:03:01 <lbragstad> #link https://review.openstack.org/#/c/469954/
16:03:10 <lbragstad> queens goals are getting firmed up
16:03:23 <hrybacki> how many rollcall votes do we need to land this
16:03:24 <lbragstad> for those unfamiliar with that proposal - it would be great to get your feedback on it
16:03:48 <lbragstad> hrybacki: i believe it needs the majority or unanimous vote from the TC
16:04:01 <hrybacki> how many members are on the TC?
16:04:04 <lbragstad> and the members of the TC are the only ones with Rollcall power, I believe
16:04:13 * hrybacki googles
16:04:56 <hrybacki> okay, 3 more votes and we are gold
16:05:07 <lbragstad> hrybacki: https://review.openstack.org/#/admin/groups/205,members
16:05:36 <lbragstad> #link https://review.openstack.org/#/admin/groups/205,members
16:05:39 <hrybacki> lbragstad++
16:05:40 <lbragstad> which leads to our next topic
16:05:51 <lbragstad> #topic policy-docs patches
16:05:57 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/policy-docs
16:06:02 <lbragstad> we only have a few patches left
16:06:11 <lbragstad> i approved a couple yesterday
16:06:22 <hrybacki> I'm close with https://review.openstack.org/#/c/449278/ -- trying to resolve one more failing test that's being a pain
16:06:33 <lbragstad> hrybacki: sounds good
16:06:55 <lbragstad> #link https://review.openstack.org/#/c/449244/ looks ready to go
16:07:22 <lbragstad> #link https://review.openstack.org/#/c/449337/ is also ready to go but I proposed it so i'll abstain from merging it
16:07:56 <lbragstad> #link https://review.openstack.org/#/c/449255/ is in the same boat
16:08:43 <hrybacki> I'll take a look at the latter two after this mtg
16:09:04 <lbragstad> awesome
16:09:14 <lbragstad> moving on
16:09:18 <lbragstad> #topic global roles work
16:09:30 <lbragstad> #link https://review.openstack.org/#/c/464763/ is proposed to backlog
16:09:42 <lbragstad> we have several other specs proposed to backlog as well
16:10:17 <lbragstad> even though we are in specification freeze, I'd be ok merging some of those to backlog (pending reviews) since it won't affect our work for Pike
16:10:45 <lbragstad> I'm also planning on setting aside time next week to start writing that implementation
16:10:56 <lbragstad> and get something in review well before the PTG
16:11:30 <lbragstad> #topic open discussion
16:11:35 <hrybacki> out-of-band: how does backlog work for upstream projects?
16:12:11 <lbragstad> hrybacki: good question - if we generally agree on something we should do as a project, or a spec, but don't have bandwidth to implement in the current cycle, we merge it to backlog
16:12:27 <lbragstad> when we're ready to commit resources to it, it's moved from the backlog directory to the release we want to target
16:12:40 <hrybacki> ah I see the directory now
16:13:05 <lbragstad> during the move from backlog, we take the opportunity to update any stale information in the spec (like the people picking up the implementation)
16:13:26 * hrybacki nods
16:13:48 <hrybacki> So are you envisioning moving this out of backlog before Pike GA?
16:13:53 <lbragstad> so - in this case, we'd try to merge global roles to backlog, and then as soon as spec freeze is lifted we'd repropose it to queens
16:14:04 * hrybacki nods
16:14:08 <hrybacki> I understand now, thanks lbragstad
16:14:16 <lbragstad> hrybacki: anything
16:14:24 <lbragstad> anytime* rather
16:14:51 <lbragstad> do folks have anything else policy wise?
16:15:42 <hrybacki> lbragstad: you feel good about the state of policy and docs in code?
16:15:53 <hrybacki> in that we'll likely have votes we need in time
16:16:07 <lbragstad> hrybacki: i think it's a good path forward and it seems to have positive support
16:16:23 <lbragstad> our next step will be working with the oslo.policy team quite a bit
16:17:00 <lbragstad> we'll need to develop some functionality in that library in order for some of the policy-in-code and policy-docs work to be super useful
16:17:21 * hrybacki nods
16:17:38 <lbragstad> but that will be work in queens for sure
16:18:43 <lbragstad> edmondsw: have you heard any follow up on the scoping for global tokens?
16:19:02 <lbragstad> edmondsw: i believe that discussion was hanging on security vs. usability related concerns
16:19:23 <edmondsw> lbragstad no, I've totally lost track of that
16:19:35 <lbragstad> edmondsw: ok
16:19:46 <edmondsw> haven't had a chance to look at anything policy related in a while
16:19:55 <lbragstad> edmondsw: i haven't heard much either - last thing i did was drop a line in #openstack-security asking for advice
16:20:14 <lbragstad> maybe i should go poke again
16:20:26 <edmondsw> do you remember what the concerns were? or where someone wrote them down?
16:20:38 <lbragstad> edmondsw: yeah
16:21:04 <lbragstad> edmondsw: the usability concern was that global roles would be adding yet another scoping mechanism that users have to know about in order to do something
16:21:21 <lbragstad> (e.g. i want to live migrate, so i need a globally scoped token from keystone)
16:21:39 <lbragstad> the argument was that it makes things harder for clients
16:21:44 <lbragstad> and users to understand
16:22:02 <edmondsw> I just pulled up the global roles spec, and my first comment is going to be that I don't know that live migrate is a great example
16:22:20 <lbragstad> i believe gyee wrote that concern down in the spec
16:22:34 <lbragstad> edmondsw: if you can think of a better example, I'll incorporate it into the current revision for sure
16:23:05 <edmondsw> lbragstad the prime example in my mind is something like nova's GET /v2.1/servers?all_tenants
16:23:36 <edmondsw> you shouldn't be able to see things in all tenants unless you have a global role assignment
16:23:39 <lbragstad> that works today if a user has the admin role, right?
16:23:44 <edmondsw> right
16:23:52 <lbragstad> aha - ok
16:23:54 <lbragstad> agreed
16:24:00 <lbragstad> well...
16:24:12 <lbragstad> you need the global role assignment and it needs to match the role required for that policy in nova
16:24:21 <lbragstad> (if i'm thinking about this right)
16:24:35 <edmondsw> right
16:24:46 <lbragstad> ok - cool
16:24:50 <lbragstad> we're on the same page then
16:25:00 <edmondsw> so you could just have an observer role, not necessarily admin, as long as it was globally scoped
16:25:03 <lbragstad> edmondsw: if you leave a comment, i can update the spec with that example instead
16:25:08 <edmondsw> will do
16:25:14 <lbragstad> edmondsw: right - yep
16:26:15 <lbragstad> sounds like i have a few action items
16:26:32 <lbragstad> #action lbragstad to update the global roles spec with better examples of global operations
16:26:56 <lbragstad> #action lbragstad to follow up with the security team on the usability vs. security concerns of using unscoped tokens for global roles
16:27:51 <lbragstad> cool - does anyone have anything else?
16:28:47 <lbragstad> looks like we'll get some time back - thanks all!
16:28:49 <lbragstad> #endmeeting