16:00:30 <lbragstad> #startmeeting policy
16:00:31 <openstack> Meeting started Wed Jul 12 16:00:30 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:35 <openstack> The meeting name has been set to 'policy'
16:00:52 <hrybacki> o/
16:00:52 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:00:54 <lbragstad> agenda ^
16:00:55 <blancos> o/
16:01:00 <gagehugo> this always sneaks up on me
16:01:02 <gagehugo> o/
16:01:07 <lbragstad> ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson
16:01:10 <lbragstad> hi folks!
16:01:30 <lamt> o/
16:02:30 <lbragstad> #topic global roles and admin project
16:02:35 <lbragstad> gagehugo: o/
16:03:13 <gagehugo> lbragstad so I was just curious what moving to global roles means in regards to admin_project
16:03:24 <lbragstad> gagehugo: well - they are both trying to solve the same goal
16:03:34 <lbragstad> which is elevating privileges
16:03:40 <gagehugo> yup
16:04:06 <gagehugo> it looks like global roles is probably the better way to go imo
16:04:18 <lbragstad> #link https://review.openstack.org/#/c/464763/
16:04:20 <lbragstad> ^ specification
16:04:36 <lbragstad> which i need to respin because i noticed a couple things that need to be fixed as I started working on the implementation
16:04:41 <lbragstad> #link https://review.openstack.org/#/c/481781/ WIP implementation
16:04:45 <lbragstad> ^ that's the implementation
16:04:53 <lbragstad> which is kind of a hot mess at the moment
16:05:03 <lbragstad> and it's still failing some tests
16:05:18 <lbragstad> the assignment code is pretty intense - we have some monstrous methods in there
16:06:24 <gagehugo> ah
16:06:57 <lbragstad> if anyone is interested in helping out with that - i'm happy to collaborate
16:07:25 <hrybacki> lbragstad: I'm happy to help refactor messy bits to get more familiar with the code
16:07:37 <lbragstad> hrybacki: awesome
16:07:50 <lbragstad> that'd be a useful exercise for me, too
16:08:13 <lbragstad> my goal is to have the implementation cleaned up by the time we go to the PTG
16:08:20 <lbragstad> then we can show how this works to other projects
16:08:28 <lbragstad> since they will be consuming it
16:08:33 * hrybacki nods
16:08:41 <gagehugo> that'd be good
16:08:47 <lbragstad> it should also give us a good platform to start thinking about next steps with policy as far as community goals go
16:09:33 <hrybacki> agreed
16:09:48 <lbragstad> anyone else have anything for the global roles stuff?
16:10:26 <lbragstad> #topic Testing Policy
16:10:29 <lbragstad> hrybacki: o/
16:10:31 <hrybacki> o/
16:10:51 <hrybacki> I'm just curious if anyone has exp. testing policy outside of the defaults
16:11:15 <lbragstad> hrybacki: not really - most of policy is tested in keystone's unit tests :(
16:11:25 <hrybacki> I've heard someone using patrol to this end but that only works with newer version of OS
16:11:28 <hrybacki> hmm
16:11:45 <lbragstad> blancos: has experience with patrole i believe
16:11:46 <hrybacki> this might be something we want to think about as we eventually head towards more granular control in policy
16:11:55 <lbragstad> absolutely
16:11:58 <hrybacki> bc people are going to want this
16:12:11 <blancos> lbragstad Yes, that's true
16:12:11 <lbragstad> s/are going to/already/
16:12:19 <hrybacki> ^^ +1
16:12:27 <blancos> We've used Patrole internally to test custom policy changes
16:12:50 <lbragstad> hrybacki: most of the policy rules are tested here internally https://github.com/openstack/keystone/blob/9b3d99ea24da0fa1c6257ecd633d1349a2a5fbe7/keystone/tests/unit/test_v3_protection.py
16:12:56 <lbragstad> s/internally//
16:12:57 <hrybacki> blancos: is there anything you could share with external community?
16:13:00 <hrybacki> lessons learned or w/e
16:13:11 <hrybacki> lbragstad: ack
16:13:24 <hrybacki> #link https://github.com/openstack/keystone/blob/9b3d99ea24da0fa1c6257ecd633d1349a2a5fbe7/keystone/tests/unit/test_v3_protection.py
16:13:24 <blancos> hrybacki #link https://github.com/openstack/patrole
16:13:55 <blancos> We've migrated most of our tests upstream for the big tent that also has support in Tempest; they work for any policy
16:14:16 <blancos> (i.e., they test access for both custom and default policies)
16:14:32 <hrybacki> blancos: which versions of OS have you been testing against?
16:15:02 <blancos> Internally we're a bit behind but the tests upstream work against master
16:15:16 <hrybacki> ack, thank you
16:15:16 <blancos> Our first release (0.1.0, I believe) is for Pike
16:15:25 * hrybacki nods
16:15:41 <hrybacki> we have someone trying to get it to work against Newton atm
16:16:01 <hrybacki> with some success but mostly headaches
16:16:20 <hrybacki> that's all I had lbragstad
16:16:28 <hrybacki> thanks for the input blancos!
16:16:34 <blancos> :)
16:16:36 <lbragstad> hrybacki: sounds good
16:16:39 <lbragstad> #topic open discussion
16:16:46 <lbragstad> the floor is open
16:16:51 * hrybacki has nothing to add atm
16:17:00 <lbragstad> #info policy-in-code and policy-docs has been accepted for an official community goal
16:17:03 <lbragstad> for queens
16:17:04 <blancos> hrybacki If you have any more questions I or felipemonteiro can answer them in openstack-qa
16:17:07 <gagehugo> \o/
16:17:23 <hrybacki> blancos++
16:17:54 <lbragstad> i imagine i'll be spending a good amount of time in queens working with other teams to implement that goal
16:18:40 <hrybacki> lbragstad: I'm hoping to assist you to that end
16:18:46 * hrybacki will be your shadow at PTG
16:18:51 <lbragstad> hrybacki: ++ thank you!
16:18:58 <lbragstad> we have a lot of projects to help :)
16:19:10 * hrybacki nods
16:19:15 <lbragstad> nova and keystone are done once https://review.openstack.org/#/c/449278/ merges
16:19:17 <lbragstad> #link https://review.openstack.org/#/c/449278/
16:19:24 <lbragstad> so - great work there
16:19:29 <hrybacki> nice
16:20:02 <lbragstad> forward thinking - we have a few other things that we need to do with policy, too
16:20:34 <lbragstad> one of them is to implement a way to deprecate old policy rules using oslo.policy
16:21:04 <lbragstad> at the PTG we should think about discussing a default set of roles we (as OpenStack) would like to offer by default
16:21:12 <lbragstad> read-only for example
16:21:16 <hrybacki> ^^ is a great idea
16:21:35 <hrybacki> I'll add that to the etherpad now
16:21:37 <lbragstad> then we can start looking at the work required to make something like that happen
16:21:41 <lbragstad> across project
16:22:27 <lbragstad> that'd be a great goal for us to have going into Rocky
16:22:57 * hrybacki nods
16:23:18 <lbragstad> getting consensus is going to be the first step and the PTG would be a good place to do that
16:23:49 <lbragstad> anyway - that's about all I have as far as policy communication goes
16:23:58 <lbragstad> does anyone have anything else for open discussion?
16:24:02 <hrybacki> no
16:24:34 <gagehugo> im good
16:24:37 <lbragstad> ack - looks like we can get some time back
16:24:39 <lbragstad> thanks for coming!
16:24:41 <lbragstad> #endmeeting