#openstack-meeting log

17:00:37 <gmann> #startmeeting policy_popup
17:00:37 <opendevmeet> Meeting started Tue Nov 22 17:00:37 2022 UTC and is due to finish in 60 minutes.  The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:37 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:37 <opendevmeet> The meeting name has been set to 'policy_popup'
17:01:01 <gmann> this is RBAC meeting on new time
17:01:10 <gmann> #link https://etherpad.opendev.org/p/rbac-goal-tracking#L151
17:01:43 <gmann> nothing in agenda, I will be around for couple of min if anyone shows up for any query related to the RBAC
17:02:18 <johnsom> gmann Have we decided that scoped tokens are permanently dead? I.e. we should remove that code from the projects?
17:03:06 <gmann> johnsom: yeah no system scope but policy can be scoped to projects only. means keep the scope_type=['project'] in all the policy
17:03:27 <gmann> nova, neutron, glance did the same in Zed release
17:03:45 <johnsom> And we do not intend to enable system scope at any future point? (That is my question)
17:04:55 <gmann> example #link https://review.opendev.org/c/openstack/glance/+/855435  #link https://review.opendev.org/c/openstack/nova/+/848021
17:05:19 <johnsom> Both Octavia and Designate implemented the full system scope and new defaults back for Wallaby. System scope brought a bunch of complexity, both in the code and testing side. So I'm trying to figure out if we have made a solid decision on the new-new that we should work against, I.e. roll back the system scope stuff permanently
17:05:46 <johnsom> Yeah, those were only partial implementation in the first place, so not sure good examples.
17:05:51 <gmann> johnsom: I do not think so as system scope does not work for heat/nfv use cases, so it is difficult unless we figure out new design
17:06:54 <johnsom> Ok, so I will go on that. Basically we don't expect the goal to change again or system scope to come back in b/c/d.
17:07:06 <gmann> yes, we should not go back to system scope implementation and final directions are what we have in current goal 1. remove system scope 2. keep legacy admin behaviour
17:07:32 <johnsom> Ack, this is a much better user experience
17:07:38 <gmann> johnsom: yes, at least this is current goal and feasible way to proceed on RBAC (at least doing project reader)
17:07:55 <gmann> yes, at least projetc personas are useful
17:08:17 <johnsom> Yeah, we had that role in Octavia since Pike
17:08:26 <johnsom> So it was just a mapping
17:08:46 <gmann> cool
17:09:13 <johnsom> Thanks for the clarification. With all of the changes I wanted to get a feeling on if we are locked in now.
17:09:33 <gmann> +1
17:09:48 <johnsom> That is the only topic I had this week.
17:10:21 <gmann> ok, thanks johnsom
17:11:23 <gmann> ok, if nothing else let's close the meeting.
17:11:36 <gmann> #endmeeting