*** itisha has quit IRC | 00:52 | |
*** diablo_rojo has quit IRC | 01:02 | |
*** ducttape_ has quit IRC | 03:04 | |
*** ducttape_ has joined #openstack-meeting-cp | 03:05 | |
*** ducttape_ has quit IRC | 03:09 | |
*** prateek has quit IRC | 03:36 | |
*** prateek has joined #openstack-meeting-cp | 03:36 | |
*** prateek has quit IRC | 03:45 | |
*** ducttape_ has joined #openstack-meeting-cp | 04:02 | |
*** ducttape_ has quit IRC | 04:25 | |
*** ducttape_ has joined #openstack-meeting-cp | 04:26 | |
*** ducttape_ has quit IRC | 04:26 | |
*** ducttape_ has joined #openstack-meeting-cp | 04:26 | |
*** cartik has joined #openstack-meeting-cp | 04:50 | |
*** gouthamr has joined #openstack-meeting-cp | 05:37 | |
*** prateek has joined #openstack-meeting-cp | 05:44 | |
*** gouthamr has quit IRC | 06:06 | |
*** rarcea has joined #openstack-meeting-cp | 07:52 | |
*** cartik has quit IRC | 07:59 | |
*** mars has joined #openstack-meeting-cp | 08:22 | |
*** cartik has joined #openstack-meeting-cp | 08:53 | |
*** sdague has joined #openstack-meeting-cp | 11:04 | |
*** ducttape_ has quit IRC | 11:25 | |
*** ducttape_ has joined #openstack-meeting-cp | 11:36 | |
*** ducttape_ has quit IRC | 11:54 | |
*** cartik has quit IRC | 12:30 | |
*** itisha has joined #openstack-meeting-cp | 13:21 | |
*** lamt has joined #openstack-meeting-cp | 13:34 | |
*** prateek has quit IRC | 13:41 | |
*** daniela_ebert has joined #openstack-meeting-cp | 14:12 | |
daniela_ebert | hi :-) | 14:13 |
---|---|---|
*** ducttape_ has joined #openstack-meeting-cp | 14:20 | |
*** xyang1 has joined #openstack-meeting-cp | 15:00 | |
*** edtubill has joined #openstack-meeting-cp | 15:15 | |
*** ativelkov_ has quit IRC | 15:27 | |
*** ativelkov has joined #openstack-meeting-cp | 15:32 | |
*** gagehugo has joined #openstack-meeting-cp | 15:38 | |
*** sheel has quit IRC | 15:57 | |
*** _ducttape_ has joined #openstack-meeting-cp | 15:59 | |
lbragstad | #startmeeting policy | 16:00 |
openstack | Meeting started Wed Jan 4 16:00:05 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 16:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 16:00 |
*** openstack changes topic to " (Meeting topic: policy)" | 16:00 | |
openstack | The meeting name has been set to 'policy' | 16:00 |
lbragstad | ping raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar | 16:00 |
gagehugo | pong | 16:00 |
lamt | o/ | 16:00 |
*** edmondsw has joined #openstack-meeting-cp | 16:00 | |
rderose | o/ | 16:00 |
*** diablo_rojo_phon has joined #openstack-meeting-cp | 16:01 | |
lbragstad | we'll give it a few minutes | 16:01 |
lbragstad | every have a good break if they took one? | 16:01 |
lbragstad | everyone* | 16:01 |
lamt | The break was not long enough :( | 16:02 |
*** ducttape_ has quit IRC | 16:03 | |
lbragstad | lamt lol it never is ;) | 16:03 |
*** ruan_13 has joined #openstack-meeting-cp | 16:05 | |
lbragstad | #topic Recap action items from last meeting | 16:05 |
*** openstack changes topic to "Recap action items from last meeting (Meeting topic: policy)" | 16:05 | |
lbragstad | last time we met I had a couple action items to take care of | 16:05 |
lbragstad | I wanted to follow up with both the cinder and nova teams to see what work they have done around their capabilities APIs (since that effort is closely related to policy) | 16:06 |
lbragstad | for those interested in following along here is the discussion i had with smcginnis #link http://eavesdrop.openstack.org/irclogs/%23openstack-cinder/%23openstack-cinder.2016-12-22.log.html#t2016-12-22T21:41:10 | 16:06 |
lbragstad | unfortunately, they are having the cinder meeting at the same time as this meeting - so getting them here might be tough (but I offered that we can always followup in -keystone if needed) | 16:07 |
lbragstad | so ^ that should take care of the cinder action item - but I haven't had the chance to sit down with the Nova folks yet | 16:07 |
lbragstad | I briefly touched base with johnthetubaguy before the holidays, and haven't had the chance to finish up that discussion (it sounded like he had a bunch of information regarding nova's work on policy) | 16:08 |
lbragstad | but - i'm going to carry that action item forward this week | 16:09 |
lbragstad | on the other hand - we did have a comment from one of the nova developers on ayoung's spec #link https://review.openstack.org/#/c/391624/ | 16:09 |
lbragstad | ^ which is interesting - and something I think we'll need to sit down and visit with nova about | 16:10 |
*** jaugustine has joined #openstack-meeting-cp | 16:10 | |
lbragstad | in other news - ayoung is making progress on his RBAC in middleware approach, so I figured we could move along to discussing a different approach for policy | 16:11 |
lbragstad | #topic Project tag for supporting RBAC out-of-the-box | 16:11 |
*** openstack changes topic to "Project tag for supporting RBAC out-of-the-box (Meeting topic: policy)" | 16:11 | |
lbragstad | for those who remember dolphm and jamielennox's work on standardizing policy across projects, this is essentially an extension of that | 16:11 |
lbragstad | #link https://review.openstack.org/#/c/245629/ | 16:11 |
lbragstad | ^ that is the cross-project spec for it | 16:12 |
lbragstad | I asked dolphm and jamie why that effort petered out and it sounded like it was tough to get that moving across a bunch of projects | 16:13 |
lbragstad | we don't really provide any documentation for projects to use to move towards the goals outlined in that spec | 16:13 |
dolphm | yeah, so... in one of the ops track session in barcelona, the idea came up to take a new approach to addressing this same use case | 16:13 |
dolphm | instead of tackling it from a cross-project spec perspective, the idea was to create a project assert tag via governance to indicate to ops which projects support which rbac features, if any | 16:14 |
dolphm | so we can start with "does this project support the admin and member roles?" and we can add new "conventional roles", such as a read-only role, for example | 16:15 |
lbragstad | ++ | 16:15 |
lbragstad | this is something we can do in parallel to existing policy work, too | 16:15 |
dolphm | (via separate tags) | 16:16 |
lbragstad | i'm curious to see what we come up with for those | 16:16 |
lbragstad | dolphm did you have a more detailed idea of what those tags would be (elaborating on the admin/member case)? | 16:16 |
edmondsw | dolphm so you're suggesting we create a member role? Because no projects spell out such a role today | 16:16 |
dstanek | dolphm: who defines those roles? | 16:17 |
lbragstad | dstanek ultimately - i think that would be up to us to define in the project tag documentation | 16:17 |
lbragstad | s/us/the writers of the project tag/ | 16:17 |
dolphm | edmondsw: dstanek: the idea is that the governance tag would define the role(s) | 16:18 |
edmondsw | is the TC going to be ok with a lot of tags when we have one for each different role? | 16:18 |
*** ayoung has joined #openstack-meeting-cp | 16:19 | |
dolphm | the basic use case for each role, along with what types of features the role should be capable of (without getting into project-specifics) | 16:19 |
lbragstad | I don't think there is anything stopping us from achieving ^ that, but as a group does this raise any red flags for anyone? | 16:19 |
dolphm | edmondsw: i suspect that as long as each tag is easily testable, they'll be agreeable (i've been working to define upgrade related tags recently) | 16:19 |
*** sdague_ has joined #openstack-meeting-cp | 16:20 | |
edmondsw | I'm not sure exactly how you'd make the tag easily testable, assuming the point of the testing is to make sure it's not misused | 16:21 |
dolphm | edmondsw: right | 16:22 |
edmondsw | the tests would have to be specific to the project, so you'd have to trust that the test author understood the role's intended usage correctly | 16:22 |
dolphm | edmondsw: ++ | 16:22 |
edmondsw | that's trusting, not testing :) | 16:22 |
dolphm | i don't disagree! but i think that's the position that the TC is in with tags, in general | 16:24 |
edmondsw | other than that, I kinda like the idea | 16:24 |
edmondsw | so if the TC is ok with it, ++ | 16:24 |
lbragstad | it would be nice to provide some level of documentation around policy for projects to use as true north (even us!) | 16:25 |
edmondsw | ++ | 16:25 |
edmondsw | especially us? ;) | 16:25 |
lbragstad | new projects shouldn't have to copy paste a policy file from another project | 16:25 |
lbragstad | existing projects should be able to use the documentation and come up with a path for providing better defaults | 16:26 |
edmondsw | advice #1 should be define all the defaults in code like nova did last release and cinder is working on, so you don't even have a policy file unless you're overriding things | 16:26 |
lbragstad | does it make sense to make ^ that a tag? | 16:26 |
edmondsw | I'm not sure what the value prop for a tag there would be | 16:27 |
lbragstad | i suppose | 16:27 |
lbragstad | maybe more of a stepping stone to achieving *a* tag? | 16:27 |
dolphm | lbragstad: probably not. tags are intended to convey the expected user experience | 16:28 |
edmondsw | maybe it's helpful to see who is following best practices? | 16:28 |
lbragstad | got it - but something we should probably document somewhere so that projects start following the convention? | 16:29 |
edmondsw | this does intersect user experience in the sense that a user can have a much shorter and easier to read policy file | 16:29 |
edmondsw | lbragstad I definitely agree that we should have some kind of document on best practices for policy | 16:29 |
lbragstad | edmondsw dolphm ok - where should that documentation live? | 16:29 |
dolphm | edmondsw: that's true. i could see a tag around auditability, perhaps? | 16:30 |
lbragstad | (i've been trying to answer that and I can't decide if it should live with the tag proposal or not - I'm thinking not) | 16:30 |
dolphm | lbragstad: there are lots of guidelines in cross-project specs | 16:30 |
dolphm | how to do CORS correctly, how to do logging correctly, how to do request IDs correctly, etc | 16:31 |
lbragstad | dolphm do you suggest that we rework https://review.openstack.org/#/c/245629/ ? | 16:31 |
lbragstad | and get that merged? | 16:31 |
edmondsw | put it somewhere here http://docs.openstack.org/developer/openstack-projects.html | 16:31 |
dolphm | lbragstad: i think we might need to start with something more fundamental than the current state of that spec | 16:32 |
edmondsw | ++ | 16:32 |
edmondsw | a new spec proposing the documentation of policy best practices? | 16:33 |
dolphm | lbragstad: roughly "you need to implement basic, operator-configurable RBAC that allows you to enable or disable specific features..." | 16:33 |
lbragstad | dolphm ok - so by rework we mean basic documentation about policy and very basic guidelines? | 16:33 |
*** _ducttape_ has quit IRC | 16:33 | |
dolphm | lbragstad: right | 16:33 |
lbragstad | and I assume it's ok to propose specs that are just guidelines? | 16:33 |
*** ducttape_ has joined #openstack-meeting-cp | 16:33 | |
lbragstad | for some reason I'm hardwired to assuming merging a spec results in code deliverables | 16:33 |
dolphm | edmondsw: ++ maybe take the WG approach, and start with a blank slate. review individual guidelines rather than a giant doc | 16:33 |
edmondsw | ++ | 16:34 |
dolphm | i.e. also don't expect one person to contribute the whole thing | 16:34 |
lbragstad | agreed | 16:34 |
dolphm | or for it to be done all at once, in one go | 16:34 |
lbragstad | I'd like to not burn people out on it | 16:34 |
dstanek | lbragstad: ++ | 16:34 |
lbragstad | which is why i think making bite-sized goals achievable and discoverable would be huge in making that work | 16:35 |
lbragstad | so - is the best way to do that through cross project guidelines merged as cross-project specs, or through a WG approach (do we graduate this group to a WG format?) | 16:36 |
lbragstad | or is there another approach we can take to achieve that? | 16:36 |
dstanek | i think we should start first and graduate/grow when needed | 16:37 |
dolphm | i think the important part is to define where the guidelines should be contributed | 16:38 |
lbragstad | ok - with that being said, do we review individual guidelines proposed as cross-project specs? | 16:38 |
dolphm | initialize the blank slate, so to speak | 16:38 |
lbragstad | I'm fine with our initial blank slate being a cross project spec - if we need to move it later, we can | 16:39 |
lbragstad | and we often say that specs can be amended | 16:39 |
dolphm | can we land a blank cross-project spec? | 16:40 |
lbragstad | dolphm that's a good question | 16:40 |
dolphm | or, one with a high level outline of what should be included, with no actual guidelines? | 16:40 |
dolphm | i believe the TC has +2 on os-specs | 16:42 |
lbragstad | looking to see who the approvers are | 16:42 |
dolphm | stevemar: ? | 16:42 |
stevemar | hmm.. | 16:42 |
stevemar | dolphm: i can verify that TC doesn't not have +2 on os-specs | 16:43 |
stevemar | or I was secretly removed from the TC | 16:43 |
dolphm | there's no openstack-specs-core group | 16:44 |
stevemar | is there a reason it's not a "community wide goal" ? | 16:44 |
lbragstad | looking at the reviewer list on https://review.openstack.org/#/c/245629/ and it's quite long | 16:44 |
dolphm | stevemar: ooh, ++ | 16:44 |
dolphm | stevemar: but goals are short term, no? | 16:44 |
dolphm | stevemar: as in, scoped to a release | 16:44 |
dolphm | not permanent guidelines | 16:44 |
stevemar | somewhat yes -- https://etherpad.openstack.org/p/community-goals | 16:45 |
stevemar | but py35 was a "goal" and certainly was not bound to a single release | 16:45 |
lbragstad | 15 minutes left | 16:45 |
lbragstad | stevemar is there a process for applying existing goals to new projects? | 16:46 |
stevemar | i guess you can think about it as "will this goal result in TODO for a lot of openstack projects" | 16:46 |
stevemar | lbragstad: yes | 16:46 |
stevemar | lbragstad: https://review.openstack.org/#/c/349069/ and https://review.openstack.org/#/c/369749/ | 16:46 |
stevemar | those are goals for Pike | 16:46 |
stevemar | I am hoping to create a backlog like we have in keystone-specs, where goals are backlogged and teams can chip away at them at their own rate | 16:47 |
lbragstad | hmm - so for this we would have a super general policy goal that can be amended? | 16:48 |
stevemar | lbragstad: not sure, i'd have to look back at 245629 | 16:49 |
lbragstad | stevemar i think we'd try to split 245629 up into bits and propose them in pieces | 16:50 |
ayoung | Are we still talking policy? | 16:51 |
ayoung | seems to have gone a bit afield | 16:51 |
lbragstad | stevemar does the community typically have goals that change over time? Or is the process to firm things up then commit to them? | 16:51 |
stevemar | the latter | 16:51 |
lbragstad | ayoung we're trying to determine which process to take for documenting policy information | 16:51 |
ayoung | it's Keystone. Look who is participating. Look who is actually talking to other projects | 16:52 |
ayoung | there is no cross-project communication | 16:52 |
ayoung | there is the Keystone team trying to make it work, and then a bunch of cargo culting | 16:53 |
ayoung | policy is 2 things | 16:53 |
ayoung | scope check | 16:53 |
ayoung | rbac | 16:53 |
ayoung | anything beyond that is project specific | 16:53 |
ayoung | rbac is Keystone | 16:53 |
ayoung | scope check is 1/2 keystone, 1/2 the project | 16:53 |
ayoung | keystone provides the scope on the token | 16:53 |
ayoung | project makes sure that matches | 16:53 |
ayoung | we take RBAC out of the control of the projects | 16:54 |
lbragstad | ayoung sure - i don't think anyone disagrees with you there... but providing documentation for projects to follow should be cross project | 16:54 |
ayoung | because they are not doing it, and you cannot do it in a vacuum | 16:54 |
ayoung | the documentation is exactly that: "do the scope check." | 16:54 |
ayoung | people don't even understand that much, but they seem to have made it work via cargo culting | 16:55 |
ayoung | the role check is problematic | 16:55 |
ayoung | we are going to have projects hard-coding the role checks, and we don't even have roles defined, aside from admin | 16:55 |
ayoung | Until this meeting starts having people from projects other than keystone involved, nothing real is going to change | 16:56 |
lbragstad | ayoung we could start by publishing documentation somewhere to entice discussion | 16:56 |
stevemar | big changes do happen, look at py35 and v3 by default (finally) | 16:57 |
stevemar | a lot of it is communication and setting expectations for projects | 16:57 |
stevemar | it's possible, not easy though | 16:57 |
lbragstad | the big question we need to answer is where should that documentation live | 16:57 |
ayoung | lbragstad, that is what the RBAC in middleware spec is | 16:58 |
ayoung | that is the starting point | 16:58 |
lbragstad | ayoung it barely has any feedback from other projects | 16:58 |
ayoung | That is the delineation between what Keystone is going to manage and what the projects get to change | 16:58 |
ayoung | lbragstad, my point exactly. | 16:58 |
ayoung | lbragstad, every time we have a cross project meeting, it is all keystone | 16:59 |
ayoung | and then we go and try and fix things in their projects and we get pushback | 16:59 |
lbragstad | fwiw - if we actually go talk to folks from other projects about policy, they do have a lot to say | 16:59 |
ayoung | the 968696 bug gets changed from High priority to wishlist | 16:59 |
ayoung | lbragstad, I know | 17:00 |
edmondsw | we're talking about how to fix that... cross-project enforcement will force folks from other projects to get more involved | 17:00 |
lbragstad | edmondsw ++ | 17:00 |
lbragstad | we're out of time | 17:00 |
lbragstad | spill over into -keystone if needed | 17:00 |
lbragstad | #endmeeting | 17:00 |
*** openstack changes topic to " (Meeting topic: cinder-nova-api-changes)" | 17:00 | |
openstack | Meeting ended Wed Jan 4 17:00:42 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 17:00 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-01-04-16.00.html | 17:00 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-01-04-16.00.txt | 17:00 |
openstack | Log: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-01-04-16.00.log.html | 17:00 |
*** ruan_13 has quit IRC | 17:00 | |
*** gagehugo has left #openstack-meeting-cp | 17:00 | |
*** jaugustine has quit IRC | 17:10 | |
*** sdague_ has quit IRC | 17:30 | |
*** sdague has quit IRC | 17:39 | |
*** rarcea has quit IRC | 17:42 | |
*** rarcea has joined #openstack-meeting-cp | 18:00 | |
johnthetubaguy | lbragstad: dolphm: sorry, missed your note, but we should totally catch up tomorrow | 18:07 |
lbragstad | johnthetubaguy feel free to put time on my calendar | 18:07 |
lbragstad | johnthetubaguy im completely open except 10-10:30 central | 18:08 |
lbragstad | johnthetubaguy or maybe we can do that after standup? | 18:09 |
*** jaugustine has joined #openstack-meeting-cp | 18:12 | |
*** rarcea has quit IRC | 18:13 | |
*** rarcea has joined #openstack-meeting-cp | 18:14 | |
*** jaugustine has quit IRC | 18:17 | |
*** rarcea has quit IRC | 18:17 | |
*** jaugustine has joined #openstack-meeting-cp | 18:29 | |
*** jaugustine has quit IRC | 18:48 | |
*** jaugustine has joined #openstack-meeting-cp | 18:49 | |
*** sdague has joined #openstack-meeting-cp | 18:52 | |
*** jaugustine has quit IRC | 18:53 | |
*** sdague_ has joined #openstack-meeting-cp | 19:10 | |
*** jaugustine has joined #openstack-meeting-cp | 19:11 | |
*** jaugustine has quit IRC | 19:22 | |
*** jaugustine has joined #openstack-meeting-cp | 19:23 | |
*** jaugustine has quit IRC | 19:28 | |
*** ttx has quit IRC | 19:36 | |
*** lifeless has quit IRC | 19:36 | |
*** raj_singh has quit IRC | 19:36 | |
*** cFouts has quit IRC | 19:36 | |
*** eglute has quit IRC | 19:36 | |
*** eglute has joined #openstack-meeting-cp | 19:36 | |
*** lifeless has joined #openstack-meeting-cp | 19:36 | |
*** ttx has joined #openstack-meeting-cp | 19:36 | |
*** gnarld_ has joined #openstack-meeting-cp | 19:36 | |
*** gnarld_ is now known as cFouts | 19:37 | |
*** raj_singh has joined #openstack-meeting-cp | 19:44 | |
*** jaugustine has joined #openstack-meeting-cp | 19:49 | |
*** ayoung is now known as ayoung-afk | 19:52 | |
*** gouthamr has joined #openstack-meeting-cp | 19:58 | |
*** lamt has quit IRC | 20:39 | |
*** jaugustine has quit IRC | 21:02 | |
*** ayoung-afk is now known as ayoung | 21:12 | |
*** _ducttape_ has joined #openstack-meeting-cp | 21:23 | |
*** ducttape_ has quit IRC | 21:26 | |
*** _ducttape_ has quit IRC | 21:27 | |
*** lamt has joined #openstack-meeting-cp | 21:50 | |
*** edtubill has quit IRC | 22:06 | |
*** ducttape_ has joined #openstack-meeting-cp | 22:06 | |
*** gouthamr has quit IRC | 22:36 | |
*** edmondsw has left #openstack-meeting-cp | 22:40 | |
*** diablo_rojo_phon has quit IRC | 22:50 | |
*** openstack has joined #openstack-meeting-cp | 22:54 | |
*** ChanServ sets mode: +o openstack | 22:54 | |
*** jaugustine has joined #openstack-meeting-cp | 23:04 | |
*** xyang1 has quit IRC | 23:05 | |
*** jaugustine has quit IRC | 23:10 | |
*** ducttape_ has quit IRC | 23:16 | |
*** ducttape_ has joined #openstack-meeting-cp | 23:17 | |
*** ducttape_ has quit IRC | 23:21 | |
*** ducttape_ has joined #openstack-meeting-cp | 23:24 | |
*** ducttape_ has quit IRC | 23:35 | |
*** ducttape_ has joined #openstack-meeting-cp | 23:35 | |
*** gouthamr has joined #openstack-meeting-cp | 23:38 | |
*** ducttape_ has quit IRC | 23:40 | |
*** ducttape_ has joined #openstack-meeting-cp | 23:40 | |
*** lamt has quit IRC | 23:48 | |
*** gouthamr has quit IRC | 23:48 | |
*** gouthamr has joined #openstack-meeting-cp | 23:52 |