16:00:55 <lbragstad> #startmeeting policy
16:00:56 <openstack> Meeting started Wed Oct 11 16:00:55 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:00 <openstack> The meeting name has been set to 'policy'
16:01:01 <cmurphy> o/
16:01:03 <lbragstad> o/
16:01:06 <lbragstad> #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:01:10 <lbragstad> ^ agenda
16:01:21 <lbragstad> ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, kmalloc, raj_singh, johnthetubaguy, knikolla, nhelgeson
16:01:26 <gagehugo> o/
16:01:29 <edmondsw> o/
16:01:31 <blancos> o/
16:01:34 <knikolla> o/
16:01:40 <lamt> o/
16:02:22 <kmalloc> here
16:02:50 <lbragstad> alrighty
16:02:52 <lbragstad> #topic AWS IAM session scheduling
16:03:08 <lbragstad> in case you haven't seen it yet
16:03:10 <lbragstad> #link http://lists.openstack.org/pipermail/openstack-dev/2017-October/123069.html
16:03:35 <lbragstad> #link https://etherpad.openstack.org/p/analyzing-other-policy-systems
16:03:47 <lbragstad> i know i mentioned this last week
16:04:12 <lbragstad> but i think it would be useful to go over some stuff before we start the sessions so that we know what we want out of it
16:04:39 <lbragstad> after this meeting - i'll build a doodle with some possible times
16:04:44 <lbragstad> and send a summary
16:05:00 <gagehugo> sounds good
16:05:43 <lbragstad> so, as far as policy "flows" go, is there anything you want to see done in AWS or GKE?
16:06:10 <lbragstad> (ideally we will have a list of these to go through together)
16:07:50 <knikolla> i know nothing about either. would be helpful to start with the basics.
16:07:56 <edmondsw> +1
16:08:02 <lbragstad> ok
16:08:08 <lbragstad> so - assigning a role basics?
16:08:14 <lbragstad> or creating a policy?
16:08:20 <edmondsw> policy
16:08:35 <lbragstad> ok
16:08:50 <edmondsw> though we probably need to understand a little about their concept of roles
16:08:57 <lbragstad> yeah -
16:09:08 <lbragstad> i know they have principals/resource/actions
16:09:38 <lbragstad> but i don't think i fully understand how they work, or work together (a resource can be a thing and a user?)
16:10:31 <knikolla> i know amazon has a free kindle book for IAM, i'll do some homework reading
16:10:44 <lbragstad> knikolla: nice
16:10:47 <kmalloc> there is also a Free tier for AWS
16:11:08 <kmalloc> you can play with it and some basic stuff for no cost for a year (within limits) and the IAM bits shouldn't cost anything to poke at
16:11:36 <knikolla> nice, didn't know about that
16:11:46 <lbragstad> cool - because that was my next question
16:11:52 <lbragstad> does anyone have an AWS account?
16:12:12 <kmalloc> yes.
16:12:15 <kmalloc> i do ;)
16:12:17 * lbragstad puts up the "Judge Free Zone" sign
16:12:30 <kmalloc> i use it for my DNS (route53 is great)
16:12:32 <knikolla> i know we have a VM or two there
16:12:38 <lbragstad> cool
16:12:44 <lbragstad> second question
16:12:54 <kmalloc> we can sign up a new account JUST for this, since all it takes is an email
16:13:05 <lbragstad> is there a way for us to use an existing account (from a team member) or should we use a new one?
16:13:06 <kmalloc> (might need a CC too)
16:13:10 <kmalloc> make a new one
16:13:13 <knikolla> kmalloc: accepts guerillamail?
16:13:37 <kmalloc> knikolla: i think they rely on CC info for security
16:13:42 <kmalloc> of the user.
16:13:50 <lbragstad> ah
16:14:02 <knikolla> i see
16:14:03 <kmalloc> for signup purposes (aka, valid user), not "security" in the sense of what we do
16:14:06 <knikolla> makes sense
16:14:23 <kmalloc> or preventing access... bah you know what i mean
16:14:46 <kmalloc> anyway, i would vote a new account, that way nothing accidentally gets touched/mucked with
16:14:56 <lbragstad> right
16:15:08 <lbragstad> fwiw - i'm taking notes
16:15:12 <lbragstad> #link https://etherpad.openstack.org/p/analyzing-other-policy-systems
16:15:20 <kmalloc> and ftr, aws does support the email+<tag>@gmail format
16:15:42 <kmalloc> so it could be lbragstad+aws-demo-account-blah-thing@gmail.com
16:17:55 <lbragstad> oh - nice
16:18:12 <lbragstad> ok - so it sounds like we can get some good mileage out of the free account
16:18:18 <lbragstad> i'll take an action to set one up
16:18:33 <lbragstad> #action lbragstad to setup a free AWS account for the session
16:19:28 <lbragstad> ok - while we're talking about accounts and workflows
16:19:36 <lbragstad> i assume most of this can be applied to google, too
16:19:39 <lbragstad> or GKE
16:19:50 <lbragstad> (which we can either do in the same session or a separate one)
16:21:14 <lbragstad> looks like they have a free tier, too
16:21:16 <lbragstad> #link https://cloud.google.com/container-engine/
16:25:24 <lbragstad> we can start with AWS and if we run over we'll have a separate session for GKE
16:28:45 <edmondsw> time to actually talk about scheduling that discussion? :)
16:28:56 <lbragstad> i know we have to accommodate AU time
16:29:28 <lbragstad> does anyone know what AU timezone zaneb is in?
16:32:14 <lbragstad> 1100 utc or 1900 utc might work for AU, US, and Germany
16:33:04 <lbragstad> ahh - 1900 is going to be hard
16:33:18 <cmurphy> it is basically impossible to get a time that works in those three places
16:33:23 <lbragstad> yeah
16:33:55 <lbragstad> #link https://www.worldtimebuddy.com/?pl=1&lid=100,6,2174003,2911298&h=100
16:34:06 <cmurphy> if I'm the only EU person feel free to optimize for AU + US
16:34:47 <lbragstad> the only reasonable time for AU and US is 2200, but that leaves EU attending at midnight
16:36:40 <lbragstad> i'll try and schedule for 1100 and 2000 UTC
16:37:16 <edmondsw> or 1200?
16:37:29 <lbragstad> UTC?
16:37:37 <lbragstad> it would be late for brisbane, but I can propose it
16:37:45 <edmondsw> yeah, utc
16:38:06 <lbragstad> i'll throw it up as a possibility
16:38:06 <edmondsw> if it's just zaneb there, maybe ask him how late is ok for him
16:38:11 <lbragstad> it can't hurt
16:38:17 <lbragstad> yeah
16:38:20 <edmondsw> sometimes later is better, even
16:38:32 <edmondsw> spend time with the fam, put them to bed, and then get back online
16:38:40 <lbragstad> should we record this?
16:38:47 <edmondsw> probably
16:39:06 <lbragstad> just thinking if it's going to be hard for people to attend, at least they can catch the recording
16:39:21 <edmondsw> yep
16:39:32 <lbragstad> cool
16:39:46 <lbragstad> i'll propose a few times for next week and the week after
16:40:04 <lbragstad> i think having this before Sydney is going to be good
16:41:45 <lbragstad> anyone else have suggestions for the session?
16:41:57 <lbragstad> if not - i'll get to work recapping and planning
16:42:14 <lbragstad> #topic open discussion
16:43:47 <lbragstad> looks like we can get some time back - thanks for coming folks!
16:43:49 <lbragstad> #endmeeting