18:02:21 #startmeeting policy_popup
18:02:22 Meeting started Thu Dec 10 18:02:21 2020 UTC and is due to finish in 60 minutes. The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:23 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:25 The meeting name has been set to 'policy_popup'
18:02:32 o/
18:03:25 lbragstad: hi
18:03:31 let's wait for couple of min
18:04:33 sounds good
18:06:22 lbragstad: seems like two of us, anyways let's start.
18:06:36 today agenda #link https://etherpad.opendev.org/p/default-policy-meeting-agenda
18:06:55 #topic General doubts about Default policy
18:07:18 #link https://bugs.launchpad.net/oslo.policy/+bug/1886857
18:07:19 Launchpad bug 1886857 in oslo.policy "Improve documentation of what data is used in checks" [High,In progress] - Assigned to Raildo Mascena de Sousa Filho (raildo)
18:07:47 this is pending on raildo side to fix the review comments in #link https://review.opendev.org/c/openstack/oslo.policy/+/743318
18:08:03 Migrate Default Policy Format from JSON to YAML
18:09:01 this is ongoing work for this goal #link https://review.opendev.org/q/topic:%22policy-json-to-yaml%22+(status:open%20OR%20status:merged)
18:09:20 I am waiting for oslo.upgradechecks update and then release to use it on service side
18:09:30 nice
18:09:38 basically this one- #link https://review.opendev.org/c/openstack/oslo.upgradecheck/+/765631
18:09:47 lbragstad: if you can have a look
18:10:18 sure
18:10:41 thanks
18:11:00 Need to verify where glance stands as per community goal (abhishekk)
18:11:07 gmann which community goal?
18:11:17 migrating the policy format?
18:11:23 this is not clear to me, abhishekk added this item, not sure if he is online now
18:11:48 he was online a couple of hours ago - but i do know he's about 15 hours ahead of us?
18:11:50 not sure if it is policy format or new RBAC one
18:12:17 11.30 ahead, in India time
18:12:29 ok - so i lied about 15
18:12:36 definitely not 15 hours :)
18:12:41 :)
18:12:53 I will try to catch him on glance channel
18:12:58 ok
18:13:11 #topic Review Requests
18:13:28 I added your patches in this #link https://review.opendev.org/q/topic:%22secure-rbac%22+(status:open%20OR%20status:merged)
18:13:34 oh - nice
18:13:35 thanks
18:13:45 i think we can update the topic name also in wiki, it was different
18:13:56 sorry about that
18:14:33 done
18:14:35 #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Communication
18:14:57 lbragstad: your topic name is closer to work :)
18:15:15 any luck on projects side start reviewing or adding tests etc
18:15:24 getting there
18:15:32 i know a few projects have looked at the patches i've proposed
18:15:38 s/i've/we've/
18:15:56 but - the patches really just group resources and APIs into buckets
18:16:11 i think most projects have at least something in review
18:16:36 i'm starting to work back through each project and pick out a few patches to implement testing
18:16:55 my goal is to have two or three resources/APIs for each series testing the new defaults
18:17:10 great, i think this is nice start. I saw your email also but I did not reply yet as I was busy in back to back meeting (usual Thursday :))
18:17:13 which will include the testing infrastructure/plumbing and the actual test cases
18:17:22 ++
18:17:34 so - this week and next week i'm focusing on placement and cinder
18:17:37 I will also help in that once I get policy format work done which I am targeting before new year
18:17:42 +1
18:17:55 awesome - yeah, i'll take as much help as possible
18:18:09 i'm picking placement because it should be a relatively easy one to do
18:18:21 and cinder because it's probably the next largest API to work on
18:18:36 yeah
18:18:55 timing wize
18:18:57 wise*
18:19:10 i've been working on the audits since the PTG (so about a month)?
18:19:26 and i expect testing implementation to take much longer than that
18:20:28 yeah, as per my experience in nova, 70% of the time was in writing the tests as we did not have good coverage for policy testing
18:20:34 but, once the tests are up, we should be good for people to consider reviewing the patches and merging them
18:20:39 right - exactly
18:20:41 true
18:20:44 that was my experience in keystone, too
18:20:54 it will give them more confidence on the changes
18:21:11 Also on tempest testing support side I am still not able to debug why nova os-hypervisor test did not work with new scope token #link https://review.opendev.org/c/openstack/devstack/+/616415
18:21:37 I will try to dig into this next week or so
18:21:56 ok
18:22:47 anything else on review side ?
18:23:31 i don't have anything
18:24:02 #topic Open Floor
18:24:10 nothing in open discussion too.
18:24:18 sfinucan brought up a good question here https://review.opendev.org/c/openstack/placement/+/760235/2/placement/policies/base.py
18:24:39 i've been proposing the common personas as constants on some policy file
18:24:42 in each project
18:24:57 and he asked why they aren't registered rule defaults
18:25:36 ah good point.
18:25:44 i thought i'd ask here
18:25:54 i think i'm indifferent
18:25:54 hey, sorry to be late
18:26:03 that will give us easy to remove 'system:all' thing when enforce_scope is true by default
18:26:10 +1
18:26:15 that's a good point
18:26:34 i also thought it would be nice to have them documented in the default policy documentation
18:26:36 raildo: no worries.
18:27:18 lbragstad: +1, I thought of moving these common rules and stanza in oslo policy side and then from there projects can use it consistently ?
18:27:32 that's what i started thinking of next
18:27:38 we'd need to a new version of oslo.policy
18:27:48 and i'm wondering if that's a good idea or not
18:27:49 raildo: we mainly discussed on these https://review.opendev.org/q/topic:%22secure-rbac%22+(status:open%20OR%20status:merged)
18:28:08 oslo.policy is pretty generic - and this would be a openstack-specific personas
18:28:16 lbragstad: good point. but with policy format work everyone needs to move to 3.6.0 latest version
18:28:57 lbragstad: how about with openstack_common_personas.py
18:29:18 yeah
18:29:28 i mean - policy.py includes keystone scopes
18:29:31 * lbragstad shrugs
18:29:55 i guess i can see it both ways
18:30:02 gmann, lbragstad yeah, I started to reviewing lance's patches, seems to be my christmas gift haha
18:30:15 lbragstad, thank you for all this hard work dude!
18:30:21 +1.
18:30:27 s/christmas gift/lump of coal/
18:30:28 ?
18:30:57 lol
18:31:09 lbragstad: i can push the common personas thing in oslo.policy if fine. after my lunch
18:31:19 gmann sure - that sounds good
18:31:25 to recap
18:31:28 we should give more gifts to raildo :)
18:31:58 * raildo has enough gifts for now
18:32:11 the main benefits would be 1.) it's a common place for common persona definitions 2.) they're included in default policy documentation rendered in each project
18:33:13 yeah
18:33:39 the only downside i can think of is that it's another layer of indirection to figure out what rule:system_admin means
18:35:35 I think name itself is self explainer but we can add good documentation for that so that generated policy sample etc have it clear
18:35:51 lbragstad, well, I believe that if we properly document this common persona on oslo.policy and point for the team's docs for it would be enough
18:37:39 yeah - i think that's fair
18:37:49 having a common definition is a good reason
18:38:16 * lbragstad has to update a lot of patches
18:38:50 ah that is true. may be during tests addition time we can update
18:39:11 right - they have to be updated eventually
18:39:39 so - we'll have to bump the oslo.policy requirement to 3.6.1 then?
18:39:47 yeah
18:40:08 ok - makes sense
18:40:59 I think i forgot to record AI, let's do
18:41:26 #action gmann to check with abhishekk on glance point in meeting agenda
18:41:40 raildo: to update https://review.opendev.org/#/c/743318/
18:41:48 #action raildo to update https://review.opendev.org/#/c/743318/
18:41:53 ack, I'll have it asap
18:42:09 it updated*
18:42:41 #action gmann to push common persona on oslo policy and release 3.6.1 and lbragstad to review that
18:42:56 anything else I missed ?
18:42:57 i need to review https://review.opendev.org/c/openstack/oslo.policy/+/743318 too
18:43:09 ah right
18:43:35 #action All will review and help on https://review.opendev.org/q/topic:%22secure-rbac%22+(status:open%20OR%20status:merged)
18:44:17 anything else for today ?
18:44:30 i plan to have placement done by next week
18:44:48 rosmatia is going to meet with me early next week to go through the best approach for protection testing in cinder
18:45:02 #action lbragstad to finish placement as first
18:45:11 great
18:45:19 next thursday is my last day of the year
18:45:27 so - i hope to have something in review for cinder by then
18:45:39 as far as the testing strategy goes
18:45:40 ok
18:45:52 so should we cancel the next meeting which is on 24th Dec ?
18:46:15 i probably won't make it on that day
18:46:36 but i can read scroll back
18:46:57 raildo: how about you?
18:47:05 gmann, I'll not be able to make the 24th dec meeting
18:47:39 ok, let's cancel then. I will update on ML too
18:47:49 let's close for today
18:47:58 thanks lbragstad raildo for joining
18:48:09 thanks gmann
18:48:14 gmann, lbragstad thanks!
18:48:16 #endmeeting