16:00:55 #startmeeting policy
16:00:56 Meeting started Wed Oct 11 16:00:55 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:57 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:00 The meeting name has been set to 'policy'
16:01:01 o/
16:01:03 o/
16:01:06 #link https://etherpad.openstack.org/p/keystone-policy-meeting
16:01:10 ^ agenda
16:01:21 ping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, kmalloc, raj_singh, johnthetubaguy, knikolla, nhelgeson
16:01:26 o/
16:01:29 o/
16:01:31 o/
16:01:34 o/
16:01:40 o/
16:02:22 here
16:02:50 alrighty
16:02:52 #topic AWS IAM session scheduling
16:03:08 in case you haven't seen it yet
16:03:10 #link http://lists.openstack.org/pipermail/openstack-dev/2017-October/123069.html
16:03:35 #link https://etherpad.openstack.org/p/analyzing-other-policy-systems
16:03:47 i know i mentioned this last week
16:04:12 but i think it would be useful to go over some stuff before we start the sessions so that we know what we want out of it
16:04:39 after this meeting - i'll build a doodle with some possible times
16:04:44 and send a summary
16:05:00 sounds good
16:05:43 so, as far as policy "flows" go, is there anything you want to see done in AWS or GKE?
16:06:10 (ideally we will have a list of these to go through together)
16:07:50 i know nothing about either. would be helpful to start with the basics.
16:07:56 +1
16:08:02 ok
16:08:08 so - assigning a role basics?
16:08:14 or creating a policy?
16:08:20 policy
16:08:35 ok
16:08:50 though we probably need to understand a little about their concept of roles
16:08:57 yeah -
16:09:08 i know they have principals/resource/actions
16:09:38 but i don't think i fully understand how they work, or work together (a resource can be a thing and a user?)
16:10:31 i know amazon has a free kindle book for IAM, i'll do some homework reading
16:10:44 knikolla: nice
16:10:47 there is also a Free tier for AWS
16:11:08 you can play with it and some basic stuff for no cost for a year (within limits) and the IAM bits shouldn't cost anything to poke at
16:11:36 nice, didn't know about that
16:11:46 cool - because that was my next question
16:11:52 does anyone have an AWS account?
16:12:12 yes.
16:12:15 i do ;)
16:12:17 * lbragstad puts up the "Judge Free Zone" sign
16:12:30 i use it for my DNS (route53 is great)
16:12:32 i know we have a VM or two there
16:12:38 cool
16:12:44 second question
16:12:54 we can sign up a new account JUST for this, since all it takes is an email
16:13:05 is there a way for us to use an existing account (from a team member) or should we use a new one?
16:13:06 (might need a CC too)
16:13:10 make a new one
16:13:13 kmalloc: accepts guerillamail?
16:13:37 knikolla: i think they rely on CC info for security
16:13:42 of the user.
16:13:50 ah
16:14:02 i see
16:14:03 for signup purposes (aka, valid user), not "security" in the sense of what we do
16:14:06 makes sense
16:14:23 or preventing access... bah you know what i mean
16:14:46 anyway, i would vote a new account, that way nothing accidentally gets touched/mucked with
16:14:56 right
16:15:08 fwiw - i'm taking notes
16:15:12 #link https://etherpad.openstack.org/p/analyzing-other-policy-systems
16:15:20 and ftr, aws does support the email+@gmail format
16:15:42 so it could be lbragstad+aws-demo-account-blah-thing@gmail.com
16:17:55 oh - nice
16:18:12 ok - so it sounds like we can get some good mileage out of the free account
16:18:18 i'll take an action to set one up
16:18:33 #action lbragstad to setup a free AWS account for the session
16:19:28 ok - while we're talking about accounts and workflows
16:19:36 i assume most of this can be applied to google, too
16:19:39 or GKE
16:19:50 (which we can either do in the same session or a separate one)
16:21:14 looks like they have a free tier, too
16:21:16 #link https://cloud.google.com/container-engine/
16:25:24 we can start with AWS and if we run over we'll have a separate session for GKE
16:28:45 time to actually talk about scheduling that discussion? :)
16:28:56 i know we have to accommodate AU time
16:29:28 does anyone know what AU timezone zaneb is in?
16:32:14 1100 utc or 1900 utc might work for AU, US, and Germany
16:33:04 ahh - 1900 is going to be hard
16:33:18 it is basically impossible to get a time that works in those three places
16:33:23 yeah
16:33:55 #link https://www.worldtimebuddy.com/?pl=1&lid=100,6,2174003,2911298&h=100
16:34:06 if I'm the only EU person feel free to optimize for AU + US
16:34:47 the only reasonable time for AU and US is 2200, but that leaves EU attending at midnight
16:36:40 i'll try and schedule for 1100 and 2000 UTC
16:37:16 or 1200?
16:37:29 UTC?
16:37:37 it would be late for brisbane, but I can propose it
16:37:45 yeah, utc
16:38:06 i'll throw it up as a possibility
16:38:06 if it's just zaneb there, maybe ask him how late is ok for him
16:38:11 it can't hurt
16:38:17 yeah
16:38:20 sometimes later is better, even
16:38:32 spend time with the fam, put them to bed, and then get back online
16:38:40 should we record this?
16:38:47 probably
16:39:06 just thinking if it's going to be hard for people to attend, at least they can catch the recording
16:39:21 yep
16:39:32 cool
16:39:46 i'll propose a few times for next week and the week after
16:40:04 i think having this before Sydney is going to be good
16:41:45 anyone else have suggestions for the session?
16:41:57 if not - i'll get to work recapping and planning
16:42:14 #topic open discussion
16:43:47 looks like we can get some time back - thanks for coming folks!
16:43:49 #endmeeting