18:02:21 <gmann> #startmeeting policy_popup
18:02:22 <openstack> Meeting started Thu Dec 10 18:02:21 2020 UTC and is due to finish in 60 minutes. The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:25 <openstack> The meeting name has been set to 'policy_popup'
18:02:32 <lbragstad> o/
18:03:25 <gmann> lbragstad: hi
18:03:31 <gmann> let's wait for couple of min
18:04:33 <lbragstad> sounds good
18:06:22 <gmann> lbragstad: seems like two of us, anyways let's start.
18:06:36 <gmann> today agenda #link https://etherpad.opendev.org/p/default-policy-meeting-agenda
18:06:55 <gmann> #topic General doubts about Default policy
18:07:18 <gmann> #link https://bugs.launchpad.net/oslo.policy/+bug/1886857
18:07:19 <openstack> Launchpad bug 1886857 in oslo.policy "Improve documentation of what data is used in checks" [High,In progress] - Assigned to Raildo Mascena de Sousa Filho (raildo)
18:07:47 <gmann> this is pending on raildo side to fix the review comments in #link https://review.opendev.org/c/openstack/oslo.policy/+/743318
18:08:03 <gmann> Migrate Default Policy Format from JSON to YAML
18:09:01 <gmann> this is ongoing work for this goal #link https://review.opendev.org/q/topic:%22policy-json-to-yaml%22+(status:open%20OR%20status:merged)
18:09:20 <gmann> I am waiting for oslo.upgradecheck update and then release to use it on service side
18:09:30 <lbragstad> nice
18:09:38 <gmann> basically this one- #link https://review.opendev.org/c/openstack/oslo.upgradecheck/+/765631
18:09:47 <gmann> lbragstad: if you can have a look
18:10:18 <lbragstad> sure
18:10:41 <gmann> thanks
18:11:00 <gmann> Need to verify where glance stands as per community goal (abhishekk)
18:11:07 <lbragstad> gmann which community goal?
18:11:17 <lbragstad> migrating the policy format?
18:11:23 <gmann> this is not clear to me, abhishekk added this item not sure if he is online now
18:11:48 <lbragstad> he was online a couple of hours ago - but i do know he's about 15 hours ahead of us?
18:11:50 <gmann> not sure if it is policy format or new RBAC one
18:12:17 <gmann> 11.30 ahead, in India time
18:12:29 <lbragstad> ok - so i lied about 15
18:12:36 <lbragstad> definitely not 15 hours :)
18:12:41 <gmann> :)
18:12:53 <gmann> I will try to catch him on glance channel
18:12:58 <lbragstad> ok
18:13:11 <gmann> #topic Review Requests
18:13:28 <gmann> I added your patches in this #link https://review.opendev.org/q/topic:%22secure-rbac%22+(status:open%20OR%20status:merged)
18:13:34 <lbragstad> oh - nice
18:13:35 <lbragstad> thanks
18:13:45 <gmann> i think we can update the topic name also in wiki, it was different
18:13:56 <lbragstad> sorry about that
18:14:33 <gmann> done
18:14:35 <gmann> #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Communication
18:14:57 <gmann> lbragstad: your topic name is closer to the work :)
18:15:15 <gmann> any luck on projects side start reviewing or adding tests etc
18:15:24 <lbragstad> getting there
18:15:32 <lbragstad> i know a few projects have looked at the patches i've proposed
18:15:38 <lbragstad> s/i've/we've/
18:15:56 <lbragstad> but - the patches really just group resources and APIs into buckets
18:16:11 <lbragstad> i think most projects have at least something in review
18:16:36 <lbragstad> i'm starting to work back through each project and pick out a few patches to implement testing
18:16:55 <lbragstad> my goal is to have two or three resources/APIs for each series testing the new defaults
18:17:10 <gmann> great, i think this is nice start. I saw your email also but I did not reply yet as I was busy in back to back meeting (usual Thursday :))
18:17:13 <lbragstad> which will include the testing infrastructure/plumbing and the actual test cases
18:17:22 <lbragstad> ++
18:17:34 <lbragstad> so - this week and next week i'm focusing on placement and cinder
18:17:37 <gmann> I will also help in that once I get policy format work done which I am targeting before new year
18:17:42 <gmann> +1
18:17:55 <lbragstad> awesome - yeah, i'll take as much help as possible
18:18:09 <lbragstad> i'm picking placement because it should be a relatively easy one to do
18:18:21 <lbragstad> and cinder because it's probably the next largest API to work on
18:18:36 <gmann> yeah
18:18:55 <lbragstad> timing wize
18:18:57 <lbragstad> wise*
18:19:10 <lbragstad> i've been working on the audits since the PTG (so about a month)?
18:19:26 <lbragstad> and i expect testing implementation to take much longer than that
18:20:28 <gmann> yeah, as per my experience in nova, 70% of the time was in writing the tests as we did not have good coverage for policy testing
18:20:34 <lbragstad> but, once the tests are up, we should be good for people to consider reviewing the patches and merging them
18:20:39 <lbragstad> right - exactly
18:20:41 <gmann> true
18:20:44 <lbragstad> that was my experience in keystone, too
18:20:54 <gmann> it will give them more confidence on the changes
18:21:11 <gmann> Also on tempest testing support side I am still not able to debug why nova os-hypervisor test did not work with new scope token #link https://review.opendev.org/c/openstack/devstack/+/616415
18:21:37 <gmann> I will try to dig into this next week or so
18:21:56 <lbragstad> ok
18:22:47 <gmann> anything else on review side ?
18:23:31 <lbragstad> i don't have anything
18:24:02 <gmann> #topic Open Floor
18:24:10 <gmann> nothing in open discussion too.
18:24:18 <lbragstad> sfinucan brought up a good question here https://review.opendev.org/c/openstack/placement/+/760235/2/placement/policies/base.py
18:24:39 <lbragstad> i've been proposing the common personas as constants on some policy file
18:24:42 <lbragstad> in each project
18:24:57 <lbragstad> and he asked why they aren't registered rule defaults
18:25:36 <gmann> ah good point.
18:25:44 <lbragstad> i thought i'd ask here
18:25:54 <lbragstad> i think i'm indifferent
18:25:54 <raildo> hey, sorry to be late
18:26:03 <gmann> that will give us easy to remove 'system:all' thing when enforce_scope is true by default
18:26:10 <lbragstad> +1
18:26:15 <lbragstad> that's a good point
18:26:34 <lbragstad> i also thought it would be nice to have them documented in the default policy documentation
18:26:36 <gmann> raildo: no worries.
18:27:18 <gmann> lbragstad: +1, I thought of moving these common rules and stanza in oslo policy side and then from there projects can use it consistently ?
18:27:32 <lbragstad> that's what i started thinking of next
18:27:38 <lbragstad> we'd need a new version of oslo.policy
18:27:48 <lbragstad> and i'm wondering if that's a good idea or not
18:27:49 <gmann> raildo: we mainly discussed on these https://review.opendev.org/q/topic:%22secure-rbac%22+(status:open%20OR%20status:merged)
18:28:08 <lbragstad> oslo.policy is pretty generic - and this would be a openstack-specific personas
18:28:16 <gmann> lbragstad: good point. but with policy format work everyone needs to move to 3.6.0 latest version
18:28:57 <gmann> lbragstad: how about with openstack_common_personas.py
18:29:18 <lbragstad> yeah
18:29:28 <lbragstad> i mean - policy.py includes keystone scopes
18:29:31 * lbragstad shrugs
18:29:55 <lbragstad> i guess i can see it both ways
18:30:02 <raildo> gmann, lbragstad yeah, I started to reviewing lance's patches, seems to be my christmas gift haha
18:30:15 <raildo> lbragstad, thank you for all this hard work dude!
18:30:21 <gmann> +1.
18:30:27 <lbragstad> s/christmas gift/lump of coal/
18:30:28 <lbragstad> ?
18:30:57 <raildo> lol
18:31:09 <gmann> lbragstad: i can push the common personas thing in oslo.policy if fine. after my lunch
18:31:19 <lbragstad> gmann sure - that sounds good
18:31:25 <lbragstad> to recap
18:31:28 <gmann> we should give more gifts to raildo :)
18:31:58 * raildo has enough gifts for now
18:32:11 <lbragstad> the main benefits would be 1.) it's a common place for common persona definitions 2.) they're included in default policy documentation rendered in each project
18:33:13 <gmann> yeah
18:33:39 <lbragstad> the only downside i can think of is that it's another layer of indirection to figure out what rule:system_admin means
18:35:35 <gmann> I think name itself is self explainer but we can add good documentation for that so that generated policy sample etc have it clear
18:35:51 <raildo> lbragstad, well, I believe that if we properly document this common persona on oslo.policy and point for the team's docs for it would be enough
18:37:39 <lbragstad> yeah - i think that's fair
18:37:49 <lbragstad> having a common definition is a good reason
18:38:16 * lbragstad has to update a lot of patches
18:38:50 <gmann> ah that is true. may be during tests addition time we can update
18:39:11 <lbragstad> right - they have to be updated eventually
18:39:39 <lbragstad> so - we'll have to bump the oslo.policy requirement to 3.6.1 then?
18:39:47 <gmann> yeah
18:40:08 <lbragstad> ok - makes sense
18:40:59 <gmann> I think i forgot to record AI, let's do
18:41:26 <gmann> #action gmann to check with abhishekk on glance point in meeting agenda
18:41:40 <gmann> raildo: to update https://review.opendev.org/#/c/743318/
18:41:48 <gmann> #action raildo to update https://review.opendev.org/#/c/743318/
18:41:53 <raildo> ack, I'll have it asap
18:42:09 <raildo> it updated*
18:42:41 <gmann> #action gmann to push common persona on oslo policy and release 3.6.1 and lbragstad to review that
18:42:56 <gmann> anything else I missed ?
18:42:57 <lbragstad> i need to review https://review.opendev.org/c/openstack/oslo.policy/+/743318 too
18:43:09 <gmann> ah right
18:43:35 <gmann> #action All will review and help on https://review.opendev.org/q/topic:%22secure-rbac%22+(status:open%20OR%20status:merged)
18:44:17 <gmann> anything else for today ?
18:44:30 <lbragstad> i plan to have placement done by next week
18:44:48 <lbragstad> rosmatia is going to meet with me early next week to go through the best approach for protection testing in cinder
18:45:02 <gmann> #action lbragstad to finish placement as first
18:45:11 <gmann> great
18:45:19 <lbragstad> next thursday is my last day of the year
18:45:27 <lbragstad> so - i hope to have something in review for cinder by then
18:45:39 <lbragstad> as far as the testing strategy goes
18:45:40 <gmann> ok
18:45:52 <gmann> so should we cancel the next meeting which is on 24th Dec ?
18:46:15 <lbragstad> i probably won't make it on that day
18:46:36 <lbragstad> but i can read scroll back
18:46:57 <gmann> raildo: how about you?
18:47:05 <raildo> gmann, I'll not be able to make the 24th dec meeting
18:47:39 <gmann> ok, let's cancel then. I will update on ML too
18:47:49 <gmann> let's close for today
18:47:58 <gmann> thanks lbragstad raildo for joining
18:48:09 <lbragstad> thanks gmann
18:48:14 <raildo> gmann, lbragstad thanks!
18:48:16 <gmann> #endmeeting