17:01:48 <gmann> #startmeeting policy_popup
17:01:48 <opendevmeet> Meeting started Tue May 9 17:01:48 2023 UTC and is due to finish in 60 minutes. The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:48 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:48 <opendevmeet> The meeting name has been set to 'policy_popup'
17:01:53 <gmann> dmendiza[m]: hi
17:02:02 <dmendiza[m]> Hi gmann
17:02:11 <gmann> this is today's agenda, #link https://etherpad.opendev.org/p/rbac-goal-tracking#L148
17:02:16 <gmann> dmendiza[m]: hi, how r u
17:02:37 <dmendiza[m]> Good, just trying to get back into the SRBAC happenings
17:02:45 <gmann> great
17:03:03 <gmann> let me go through the agenda and then we can discuss if anything specific you have
17:03:05 <gmann> Updating the RBAC goal timeline for old rule removal considering the SLURP releases
17:03:22 <gmann> I updated it and governance change is merged #link https://review.opendev.org/c/openstack/governance/+/880238
17:04:00 <gmann> and you might see neutron also switched their new defaults by default
17:04:19 <gmann> #link https://lists.openstack.org/pipermail/openstack-discuss/2023-May/033579.html
17:04:30 <dmendiza[m]> Nice
17:04:30 <gmann> nova, glance already did it in last cycle
17:04:44 <dmendiza[m]> I can get Barbican and Keystone to switch over this cycle too
17:04:59 <gmann> thanks
17:05:23 <gmann> I think we need some work to do in keystone on supporting the project scope for every rule.
17:05:31 <gmann> I will try to push the changes in this week
17:05:48 <dmendiza[m]> That's to s/system-scope/admin-role/g right?
17:05:48 <gmann> that is needed as all services except ironic dropped the system scope
17:06:19 <gmann> yeah, basically allow project scope token to keep accessing the APIs as per their original persona
17:06:32 <dmendiza[m]> > supporting the project scope for every rule
17:06:43 <dmendiza[m]> Will that be a change to Keystone's policies?
17:07:15 <gmann> yes, it will add 'project' in allowed scope but will keep system scope support also
17:07:39 <gmann> I mean just addition of project scope allow and no change in what is allowed currently
17:07:42 <dmendiza[m]> oh gotcha. So, not dropping system, but also allowing "admin" role to do those things.
17:07:49 <gmann> yup
17:08:09 <gmann> I will try to push the change and then it will be more clear, will add you in review
17:08:33 <dmendiza[m]> Thanks, yeah, I'll keep an eye out for that.
17:08:41 <gmann> cool
17:08:41 <dmendiza[m]> I think we need to do something similar in Barbican
17:08:51 <dmendiza[m]> there's a few Barbican APIs that still require system scope
17:09:16 <gmann> dmendiza[m]: but we do not want system scope support in anywhere except ironic and keystone
17:09:34 <dmendiza[m]> gotcha
17:09:35 <dmendiza[m]> OK
17:09:49 <dmendiza[m]> yeah, I'll propose a patch to Barbican to drop system scope
17:09:52 <gmann> octavia also dropped system scope recently which is what our goal is
17:09:57 <gmann> great
17:10:14 <gmann> #action dmendiza[m] to propose change in barbican to drop system scope
17:10:20 <gmann> dmendiza[m]: ^^ just to have it as a reminder
17:10:34 <gmann> #action gmann to propose keystone change to support project scope
17:10:43 <dmendiza[m]> thanks
17:11:13 <gmann> next is review requests
17:11:17 <gmann> magnum
17:11:20 <gmann> #link https://review.opendev.org/c/openstack/magnum/+/875625
17:11:43 <gmann> it has one +2 and I also reviewed it +1 since last cycle but not merging
17:11:56 <gmann> I think I need to send it on ML if any other core can merge
17:12:11 <gmann> #action gmann to ask for magnum rbac change review on ML
17:12:41 <gmann> next is keystone
17:12:47 <gmann> Service role #link https://review.opendev.org/c/openstack/keystone/+/863420
17:13:24 <gmann> dmendiza[m]: I think this is ready ? I also need to review the latest PS
17:13:44 <dmendiza[m]> I'll add it to the next Keystone Reviewathon.
17:13:52 <gmann> cool, thanks
17:13:55 <dmendiza[m]> (which won't be until next week because Red Hat has a holiday on Friday)
17:14:18 <gmann> ohk
17:14:18 <dmendiza[m]> but I'll try to review it before then
17:14:30 <gmann> thanks, really appreciate, they have been open for long
17:14:54 <gmann> manager role #link https://review.opendev.org/c/openstack/keystone/+/822601
17:15:04 <gmann> this needs some changes as per review comment
17:15:17 <gmann> I will try to ping abhishek about it
17:15:33 <dmendiza[m]> Ah yes, I remember this one ... I'll need a refresher though.
17:16:41 <gmann> that is all from agenda today
17:16:48 <gmann> dmendiza[m]: anything else you have to discuss ?
17:17:09 <dmendiza[m]> Nope. I was mainly wondering what the status of "system" scope was
17:17:21 <dmendiza[m]> but we talked about that already
17:17:41 <gmann> ok, yeah we decided to drop system scope from every project except Ironic and Keystone
17:18:39 <gmann> dmendiza[m]: this is documentation for that and above section on why we need to do it #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#change-in-scope-implementation
17:19:10 <gmann> I am keeping this goal document up to date so any time you can refer it
17:19:26 <dmendiza[m]> That's good to know. Thanks for that. 👍️
17:19:32 <gmann> np!
17:19:40 <gmann> ok, let's close the meeting,
17:19:46 <gmann> thanks dmendiza[m] for joining
17:19:52 <dmendiza[m]> Sounds good, thanks gmann
17:19:55 <gmann> #endmeeting