16:00:03 <lbragstad> #startmeeting policy
16:00:03 <edmondsw> o/
16:00:04 <openstack> Meeting started Wed Aug  9 16:00:03 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:07 <lamt> o/
16:00:08 <edmondsw> o/
16:00:08 <openstack> The meeting name has been set to 'policy'
16:00:08 <gagehugo> o/
16:00:13 <ruan_he> o/
16:00:15 <nhelgeson> o/
16:00:17 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:00:44 <lbragstad> we'll give it a minute for others to show up
16:00:51 <lbragstad> haven't had a policy meeting in a couple weeks
16:01:31 <knikolla> o/
16:02:30 <lbragstad> #topic external pdp hooks
16:02:32 <lbragstad> ruan_he: o/
16:02:40 <lbragstad> #link https://review.openstack.org/#/c/491565/
16:03:28 <ruan_he> we'd like to propose a hook in keystone to redirect authorization requests to an external PDP instead of the native one by oslo.policy
16:04:00 <lbragstad> ruan_he: is the hook suppose to be in keystone or oslo.policy?
16:04:12 <ruan_he> it's similar to the previous Fortress one, but now it's more generic for any external PDP
16:04:55 <edmondsw> ruan_he keystone isn't used for authorization when you talk to nova, cinder, etc... so how does this work with that?
16:05:20 <ruan_he> the hook will be in oslo.policy
16:05:31 <edmondsw> ah
16:05:47 <lbragstad> so we should probably be proposing this specification to oslo
16:05:58 <lbragstad> since it seems more relevant there
16:06:12 <edmondsw> and say oslo.policy, not keystone
16:06:42 <ruan_he> well, my understanding is that all the topics about policy.json, policy.ymal are here
16:07:14 <lbragstad> yeah - this is the policy meeting, but the specification is targeted to keystone-specs
16:07:28 <lbragstad> ruan_he: are you planning on attending the ptg?
16:07:52 <ruan_he> if this topic will be discussed in ptg, I can try to attend the meeting
16:08:18 <ruan_he> where should I put this spec?
16:08:23 <lbragstad> ruan_he: i was going to suggest that if you want to push this forward with the oslo group - you should add it to the list of topics here
16:08:25 <lbragstad> #link https://etherpad.openstack.org/p/oslo-ptg-queens
16:08:47 <lbragstad> oslo has its own specification repository
16:08:50 <lbragstad> #link https://github.com/openstack/oslo-specs
16:09:12 <lbragstad> which follows a similar process to the one used in keystone-specs
16:09:31 <ruan_he> I think that it's a cross-topic, because for authorization, roles are defined in keystone and policy.json file is used in oslo.policy
16:09:59 <edmondsw> oslo conversations are always cross-project :)
16:10:04 <lbragstad> that's true
16:10:14 <edmondsw> ruan_he this is definitely the right meeting to discuss it in, don't get us wrong
16:10:28 <edmondsw> it's the spec that's in the wrong place
16:10:43 <lbragstad> the functionality has to come from oslo.policy i think
16:10:47 <ruan_he> ok, I'll re-submit the spec to oslo
16:11:26 <lbragstad> looping in the oslo folks would be a good idea, too
16:11:37 <lbragstad> i'm certain they'd have some valuable input here
16:11:43 <lbragstad> cc dims gcb ^
16:12:38 <lbragstad> ruan_he: i'll add the topic to #link https://etherpad.openstack.org/p/oslo-ptg-queens
16:12:40 <dims> lbragstad : ack
16:12:46 <dims> lbragstad : good idea
16:12:57 <lbragstad> ruan_he: if you want to repropose the specification you have to the oslo-specs repository
16:13:05 <ruan_he> just like an external IdP, we would like to support external PDP for authorization
16:13:24 <ruan_he> ok, I'll do that
16:15:23 <lbragstad> ok - done
16:15:35 <lbragstad> ruan_he: anything else you wanted to share on this topic?
16:15:48 <ruan_he> that's all
16:16:00 <ruan_he> just a question
16:16:04 <lbragstad> ruan_he: sure
16:16:31 <ruan_he> I've read the Fortress spec, are there some guys working on that?
16:16:57 <lbragstad> ruan_he: ktychkova was working on it previously, but i'm not sure if she still is or not
16:18:04 <lbragstad> she had a PoC up earlier in the year
16:18:25 <ruan_he> ok, thanks
16:18:30 <lbragstad> no problem
16:18:35 <lbragstad> #topic update on global roles
16:18:52 <lbragstad> #link https://review.openstack.org/#/c/481781/
16:18:56 <lbragstad> i've had that up for a while
16:19:05 <lbragstad> and i need to start breaking it apart and pushing it forward
16:19:22 <lbragstad> which i should be able to start doing next week for sure once the dust settles from rc1
16:19:44 <lbragstad> knikolla: you mentioned some interest in that work
16:19:48 <lbragstad> knikolla: is that still the case/
16:20:06 <knikolla> yep
16:20:49 <lbragstad> knikolla: cool - let's sync on friday and see how we can tackle that work with two people
16:20:56 <lbragstad> (or more if anyone else is interested)
16:21:05 <knikolla> lbragstad: sounds great.
16:21:29 <lbragstad> #topic open discussion
16:21:53 <lbragstad> anyone have anything they'd like to discuss?
16:21:59 <gagehugo> do we have a room at the PTG for policy?
16:22:15 <lbragstad> not yet - i believe diablo_rojo_phon was working on lining something up
16:22:26 <gagehugo> alright cool
16:22:29 <lbragstad> i sent a note to the mailing list about getting people together to go through moving policy into code
16:22:49 <lbragstad> #link https://etherpad.openstack.org/p/policy-queens-ptg
16:22:53 <lbragstad> but so far that's been crickets
16:23:08 <lbragstad> (maybe helping the other projects will be easier that i was expecting)
16:24:06 <lbragstad> i would expect that session to be something we cover on monday or tuesday
16:24:14 <lbragstad> or have a room dedicated to policy stuff
16:24:28 <gagehugo> ok
16:24:42 <lbragstad> and since that fits the cross-project bill, I would expect to do that sometime monday or tuesday
16:25:43 <lbragstad> outside of what's already on the etherpad - does anyone have suggestions for policy topics during the PTG?
16:26:42 <lbragstad> alright - looks like we'll get some time back
16:26:44 <lbragstad> thanks for coming!
16:26:47 <lbragstad> #endmeeting