16:00:05 <lbragstad> #startmeeting policy
16:00:06 <openstack> Meeting started Wed Aug 23 16:00:05 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:09 <lbragstad> ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson
16:00:11 <openstack> The meeting name has been set to 'policy'
16:00:19 <edmondsw> o/
16:00:19 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:00:22 <lbragstad> agenda ^
16:00:26 <blancos> o/
16:00:32 <lbragstad> o/
16:00:48 <knikolla> o/
16:00:49 <lamt> o/
16:01:11 <lbragstad> i know we have a couple more folks join - so we'll wait a minute
16:01:18 <lbragstad> joining*
16:03:06 <lbragstad> alright - let's get started
16:03:10 <lbragstad> short agenda today
16:03:19 <lbragstad> #topic global roles update
16:03:23 <lbragstad> #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/global-roles
16:03:47 <lbragstad> ^ there is the implementation for global role assignments for users and groups
16:03:52 <hrybacki> o/
16:04:10 <lbragstad> i plan to get a patch up that allows you to get a globally scoped token by the end of the week
16:04:28 <lbragstad> once i get a little more planning done for the PTG i'll start that
16:04:39 <lbragstad> but please feel free to start playing with the implementation and reviewing
16:04:53 <lbragstad> i'm always a fan of early feedback
16:05:39 <lbragstad> more information on what we'll be doing for the PoC in Denver can be found in another etherpad
16:05:40 <lbragstad> #link https://etherpad.openstack.org/p/keystone-global-roles-poc
16:06:11 <lbragstad> that's about all i had for an update - does anyone have questions?
16:06:33 <hrybacki> not atm, thanks for spearheading that lbragstad
16:06:41 <lbragstad> yep! happy to
16:06:41 <edmondsw> +1
16:06:56 <lbragstad> #topic open discussion
16:07:01 <lbragstad> floor is open
16:07:33 <hrybacki> lbragstad: if no one has anything else, let's talk about global role vision per our earlier convo
16:07:41 <lbragstad> hrybacki:  go for it
16:08:41 <hrybacki> okay, so tl;dr we want to think about where we would be in an ideal world e.g. what are the services fully responsible for vs keystone*
16:08:56 <hrybacki> in a world where global roles are already a thing*
16:09:18 <hrybacki> 1 second, my client is acting up
16:12:12 <lbragstad> hrybacki: still having issues?
16:12:35 <hrybacki> my browser keeps freezing up, sorry
16:13:27 <lbragstad> hrybacki: just with irccloud?
16:13:59 <lbragstad> ok - i can pick things up until hrybacki gets things squared away
16:14:37 <lbragstad> i guess what he wanted clarification on was what policy definition/maintenance looks like after global roles are in place
16:15:37 <lbragstad> and my initial response was that policy at the service should not consist of a scope check in policy, but in code, and the policy just consists of a mapping from the role to the action
16:16:00 <knikolla> yes
16:16:28 <edmondsw> +1
16:16:28 <lbragstad> is there anything else that should be tacked on to that?
16:16:50 <hrybacki> back, thanks lbragstad
16:16:56 <lbragstad> hrybacki: get it working?
16:17:18 <hrybacki> I think so. Maybe I just need to do some solid tab-closing maintenance
16:17:21 <edmondsw> so the service responsibility is to do proper scope checking in code
16:17:35 <lbragstad> edmondsw: yeah - i'd agree with that
16:18:26 <hrybacki> What if we have a set of standard (Default) global roles
16:18:37 <lbragstad> i think that will be easy to build on once projects have defaults in code
16:18:55 <hrybacki> What if an operator decides to add a new global role
16:18:59 <edmondsw> hrybacki you mean standard roles... it is an assignment that adds scope, and we don't have standard assignments
16:19:14 <edmondsw> i.e., standard roles, not standard global roles
16:19:27 <hrybacki> edmondsw: I'm thinking down the road. What if we were to have standard global roles
16:19:35 <lbragstad> standard roles being "project_admin"
16:19:35 <edmondsw> we won't
16:19:42 <hrybacki> agreed upon by the community e.g. a global observer
16:19:54 <edmondsw> that would just be observer, not global observer
16:20:20 <edmondsw> and then if you want bob to have that role globally, you give them a global role assignment. If you want julie to have that role on a specific project, you give them a project-specific assignment
16:20:24 <lbragstad> yeah - then you can give something the `observer` role globally, to a project, or on a domain
16:20:48 <hrybacki> /me nods
16:21:33 <edmondsw> that's one of the beautiful things about what we're doing here... we avoid all that nonsense from previous discussions about the role itself having global scope
16:22:03 <knikolla> agree with that.
16:22:04 <lbragstad> then when projects move scope checks into code, the scope check enforces things automatically
16:22:32 <lbragstad> operation.scope == 'global' but not context.global:
16:22:41 <lbragstad> raise Forbidden
16:23:12 <hrybacki> okay, thanks for fielding my questions :)
16:23:37 <lbragstad> does that clear things up?
16:24:06 <hrybacki> for now. I need to re-read the BPs keeping this in mind
16:24:25 <lbragstad> anyone have anything else?
16:25:25 <lbragstad> looks like we can get some time back
16:25:31 <lbragstad> thanks for coming!
16:25:33 <lbragstad> #endmeeting