08:01:46 <yasufum> #startmeeting tacker
08:01:46 <opendevmeet> Meeting started Tue May 31 08:01:46 2022 UTC and is due to finish in 60 minutes. The chair is yasufum. Information about MeetBot at http://wiki.debian.org/MeetBot.
08:01:46 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
08:01:46 <opendevmeet> The meeting name has been set to 'tacker'
08:02:13 <yuta-kazato> Hi
08:02:22 <yasufum> hi
08:02:45 <yasufum> #link https://etherpad.opendev.org/p/tacker-meeting
08:04:49 <yasufum> Before starting items, I would like to hear your comment for the next meeting.
08:06:29 <yasufum> Summit is going to be held on the next Tuesday, so I think to skip the next meeting although how many people are going to join the event from tacker team.
08:06:34 <yasufum> What do you think?
08:08:51 <takahashi-tsc> I think we can skip it.
08:09:16 <bkopilov> bkopilov, Hi, about RBAC. Not sure if I am in the right place but need help with RBAC and cinder...
08:09:16 <bkopilov> https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/842954
08:09:28 <bkopilov> At least in review process
08:10:32 <yasufum> thanks
08:11:26 <yasufum> bkopilov: thanks for your mention, we'll catch up the change.
08:12:05 <yasufum> So, skip the next meeting, thanks.
08:12:30 <yasufum> manpreetk: can you start your item?
08:12:39 <manpreetk> sure, thanks
08:13:03 <manpreetk> This topic is regarding, open issues of OpenStack community-wide goal for Secure RBAC.
08:13:03 <manpreetk> In Zed PTG, 'heat' team address few concerns regarding SRBAC policy.
08:13:03 <manpreetk> The Secure RBAC policy requires the appropriate scope according to the resources.
08:13:03 <manpreetk> For example, project resources like instance, volume or network can be created by project-scoped token.
08:13:03 <manpreetk> And project resources like flavor, user, project or role can be created by system-scoped token.
08:13:05 <manpreetk> The Heat's `create_stack` API creates both project and system resources, but it uses a single token provided by the user in a single stack API call.
08:13:05 <manpreetk> Proposed Solution, is to "split stack", i.e. create stacks as per scope, one need to create two separate heat stacks and call heat stack API separately using different credentials (or token).
08:13:07 <manpreetk> Tacker Impact, "create vnf" API internally calls "create_stack", so in order to address "split stack" we need to divide vnf creation process in two parts as well.
08:13:09 <manpreetk> Would like to know other than one mention above, what all impact/challenge you think Tacker might face with new SRBAC policy.
08:18:10 <yasufum> Thanks for sharing the problem.
08:20:50 <yasufum> hirofumi-noguchi: Do you have any comment because might be interested in the changes about Heat?
08:22:34 <hirofumi-noguchi> Sorry, I just joined the meeting now.
08:22:52 <hirofumi-noguchi> I have not heard the discussion.
08:24:23 <hirofumi-noguchi> Also, I cannot see discussion log.
08:24:28 <yasufum> Pls find the first topic on the ethernet.
08:24:34 <yasufum> #link https://etherpad.opendev.org/p/tacker-meeting
08:24:55 <yasufum> manpreetk has just shared the problem
08:25:13 <yasufum> and ask us to give a feedback to community.
08:26:16 <yasufum> s/ethernet/etherpad
08:26:20 <yasufum> :)
08:29:24 <hirofumi-noguchi> yasufum: thank you for sharing.
08:29:39 <hirofumi-noguchi> I understood the point.
08:30:41 <hirofumi-noguchi> As mentioned in etherpad, I'm concerned about the impact on existing workflows.
08:32:07 <manpreetk> hirofumi-noguchi: Yes that is one of the major impact, which even heat team was fully concerned.
08:33:04 <hirofumi-noguchi> Let me confirm it, does this change affect only workflow or a Tacker implementation?
08:34:17 <manpreetk> High level analysis, at least impacts workflow.
08:35:16 <manpreetk> Existing API needs some tweaks or alteration, hope I ans your query.
08:37:25 <hirofumi-noguchi> I think even if tacker supports split-stack, both split-stack configuration and existing one scope configuration can be operated.
08:37:50 <hirofumi-noguchi> Is my understanding correct?
08:39:25 <manpreetk> Hmm, one scope configuration would be a question (as it depends on heat migration plan) which is still in discussion, honestly I have no idea about it.
08:40:37 <manpreetk> In policy popup meetings heat people are not that active, but yes such backward compatibility concerns are raised there.
08:43:20 <hirofumi-noguchi> OK, thanks. I think we have to consider the backward compatibility and need investigation.
08:43:45 <manpreetk> Sure agree.
08:54:24 <yasufum> manpreetk: BTW, should we give some response soon for the discussion although we need to take a time for understanding our impact actually.
08:55:07 <yasufum> I mean for "the discussion" on ML you shared.
08:56:16 <manpreetk> yasufum: In my opinion we should discuss about this as team first, rest I'll convey in policy popup meeting to grant us some time for revert.
08:56:36 <manpreetk> What do you think?
08:57:50 <yasufum> Thanks, I agree!
08:59:17 <manpreetk> yasufum: welcome
09:01:22 <yasufum> Is there any other comment?
09:01:38 <manpreetk> Nothing from my side. Thanks everyone.
09:02:45 <yasufum> Thanks
09:03:07 <yasufum> It's the end of the time of this meeting.
09:03:44 <yasufum> So wrap up the meeting if no more items here.
09:04:19 <yasufum> Thanks for joining, bye!
09:04:30 <takahashi-tsc> Thanks
09:04:35 <hirofumi-noguchi> thanks, bye
09:04:36 <manpreetk> Thanks bye.
09:04:44 <h-asahina> bye
09:04:55 <yuta-kazato> bye
09:04:57 <yasufum> #endmeeting