17:02:29 <gmann> #startmeeting policy_popup 17:02:29 <opendevmeet> Meeting started Tue Feb 28 17:02:29 2023 UTC and is due to finish in 60 minutes. The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:02:29 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:02:29 <opendevmeet> The meeting name has been set to 'policy_popup' 17:03:02 <gthiemonge> o/ 17:03:19 <gmann> #link https://etherpad.opendev.org/p/rbac-goal-tracking#L154 17:03:40 <gmann> nothing on agenda but I will be around to answer/discuss if anything 17:03:45 <gmann> gthiemonge: o/ 17:04:52 <gthiemonge> gmann: hey, I'm trying to fix the policies in Octavia, we still have some code from the previous specs 17:05:06 <gthiemonge> so I have this change: 17:05:09 <gthiemonge> https://review.opendev.org/c/openstack/octavia/+/875620 17:05:25 <gthiemonge> it switches the scope_types['system'] to scope_types['project'] 17:05:39 <gthiemonge> and it makes the legacy admin an admin 17:05:49 <gmann> +1 17:05:57 <gthiemonge> i wanted to check if the s/'system'/'project'/ is fine 17:06:18 <gmann> yes, we need to make every policy rule to be scope to 'project' 17:06:32 <gthiemonge> ack 17:06:46 <gmann> in addition to that, introducing the project_reader role is important 17:07:11 <gthiemonge> there's project-reader on line 67 17:07:52 <gthiemonge> I'll double check that 17:08:01 <gmann> I see. 17:08:20 <gmann> I will review your patch today in case anything missing but thanks for working on this 17:08:59 <johnsom> I have a question here, isn't that "scope" setting just going to be ignored if scopes aren't enabled in the config? 17:09:19 <gthiemonge> thanks gmann 17:10:19 <johnsom> oslo.policy should just ignore it if enforce_scope is False right? 17:10:22 <gmann> johnsom: yes, if enforce_scope is false then oslo policy does not check scope 17:10:29 <gmann> yes 17:10:42 <gmann> it will add warning but no error 17:10:45 <johnsom> So shouldn't we just start removing all of that? 17:11:37 <gmann> we can and that is long term plan but we need this to be configurable during transition period. so that operators have time to move things to new policy 17:12:23 <gmann> but yes at the end enforce_scope flag should be removed. 1. make it default to True (like nova, glance did) 2. and then plan to remove at some point 17:12:43 <johnsom> What? ??? 17:12:58 <gmann> you asked about enforce_scope right? 17:13:01 <johnsom> I thought you had previously said scope was not going to happen 17:13:19 <gmann> every policy to be scoped to 'project' 17:13:38 <gmann> means if anyone using system scope token we can fail early with 403 17:13:38 <johnsom> I thought the new change was scoped tokens are not going to ever be enabled, so scope is no longer a thing and will always be False 17:14:44 <gmann> no. ok so things is system scope is no longer a things means every policy rule is default to project scope. this way if anyone using system scope token say (system admin) then it will reject early at API validation itself 17:15:36 <gmann> all policy scope to project help us to give correct error message to operators instead of failing with system scope token in lower layer and confusing error message 17:16:39 <gmann> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#change-in-scope-implementation 17:16:42 <johnsom> Sigh 17:17:08 <gmann> johnsom: ^^ that paragraph explain about scope thing 17:17:25 <johnsom> So, scope_types=[constants.RBAC_SCOPE_PROJECT] in the policy in code, those lines can go away right? Or do they have to stay and all just be set to PROJECT? 17:17:51 <gmann> constants.RBAC_SCOPE_PROJECT is 'project' right? 17:18:13 <johnsom> yes 17:18:29 <gmann> so this will stay here. we do not need to remove it 17:18:55 <gmann> so that system scope token usage can get 403 at early fail 17:19:33 <gmann> you can just remove constant and just say scope_type=['project'] 17:19:58 <gmann> but either way you like defined 'project' as constant or direct 17:20:24 <johnsom> No, we use constants to save RAM. I was just asking why even specify that if all of the policies are going to be project only. 17:21:21 <gmann> ok, it is juts to early fail system token with 403 17:21:29 <johnsom> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L1254 17:21:35 <johnsom> Ah, it doesn't default to project 17:22:23 <gmann> yeah it is None by default 17:24:54 <gmann> one good example for its benefit is nova server operation. many of it need project_id and system scope token does not have project_id so if system scope token are used it might fail somewhere in DB or other lower layer and error might be confusing. to avoid that raising 403 for system scope token is helpful 17:25:29 <johnsom> Oh I know the heck I went through to deal with system scoped tokens and no project ID 17:25:36 <johnsom> Months of wasted time 17:27:12 <gmann> yeah 17:29:09 <gmann> johnsom: gthiemonge: anything else to discuss for today? 17:30:10 <gmann> FYI, there is magnum policy change also in progress. I did not get chance to review it but that is in my list for today #link https://review.opendev.org/c/openstack/magnum/+/875625/2 17:30:26 <gthiemonge> gmann: no, that's it for me, thanks 17:31:38 <johnsom> I don't have anything else. 17:31:59 <gmann> ok thanks for joining. let's close for today 17:32:08 <gmann> #endmeeting