lbragstad | #startmeeting policy | 16:01 |
---|---|---|
openstack | Meeting started Wed Feb 15 16:01:08 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 16:01 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 16:01 |
*** openstack changes topic to " (Meeting topic: policy)" | 16:01 | |
openstack | The meeting name has been set to 'policy' | 16:01 |
lbragstad | ping antwash, raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan, raj_singh | 16:01 |
johnthetubaguy | o/ | 16:02 |
lbragstad | johnthetubaguy o/ | 16:02 |
lamt | o/ | 16:02 |
rderose | o/ | 16:02 |
lbragstad | we will wait for a few others to show up | 16:02 |
*** MarkBaker has joined #openstack-meeting-cp | 16:03 | |
lbragstad | who's excited for next week?! | 16:03 |
*** ayoung has joined #openstack-meeting-cp | 16:03 | |
raj_singh | o/ | 16:03 |
edmondsw | o/ | 16:03 |
*** antwash has joined #openstack-meeting-cp | 16:03 | |
*** gagehugo has joined #openstack-meeting-cp | 16:03 | |
gagehugo | o/ | 16:03 |
lbragstad | there we go - now we're getting some people | 16:03 |
antwash | o/ | 16:04 |
dstanek | o/ | 16:04 |
gagehugo | this meeting always sneaks up on me | 16:04 |
edmondsw | gagehugo +1 | 16:04 |
lbragstad | #topic PTG Policy Meeting | 16:04 |
*** openstack changes topic to "PTG Policy Meeting (Meeting topic: policy)" | 16:04 | |
lbragstad | so it looks like we were able to find a time to get a couple projects together to talk at the PTG | 16:05 |
lbragstad | specifically nova, cinder, and keystone | 16:05 |
lbragstad | we're going to meet on Thursday 1:30 - 2:30 PM in South Capital (level 1) | 16:05 |
* lbragstad is still in the middle of scheduling sessions | 16:05 | |
lbragstad | but I plan to send out something a little more official along with a dedicated etherpad by the end of the week (at the absolute latest) | 16:05 |
lbragstad | I wanted to bring it up here so that folks could get it on their calendars if they are planning to participate in that discussion | 16:06 |
edmondsw | will plan on it | 16:06 |
lbragstad | any questions on the time or the place? | 16:06 |
ayoung | lbragstad, let me know if you can get remote presence | 16:07 |
lbragstad | ayoung ack | 16:07 |
* lbragstad sticks a post-it on his monitor | 16:07 | |
lbragstad | alright - moving on | 16:08 |
lbragstad | #topic Review/discuss policy specs | 16:08 |
*** openstack changes topic to "Review/discuss policy specs (Meeting topic: policy)" | 16:08 | |
lbragstad | #link https://review.openstack.org/#/c/433010 (nova-specs: Add policy-docs spec) | 16:08 |
lbragstad | #link https://review.openstack.org/#/c/433037 (nova-specs: Add policy-remove-scope-checks spec) | 16:08 |
lbragstad | #link https://review.openstack.org/#/c/427872 (nova-specs: Add additional-default-policy-roles spec) | 16:08 |
lbragstad | #link https://review.openstack.org/#/c/428453 (keystone-specs: Policy in code) | 16:08 |
lbragstad | so - johnthetubaguy has been doing a bunch of work in nova-specs that outline what they are trying to do | 16:08 |
dstanek | lbragstad: are these part of what we'll be discussing at the PTG? | 16:09 |
lbragstad | dstanek yeah | 16:09 |
lbragstad | those are likely going to be required reading before the session | 16:09 |
*** morgan_ is now known as morgan | 16:10 | |
lbragstad | johnthetubaguy do you have anything in particular you want to discuss about any of those? | 16:10 |
johnthetubaguy | the remove scope checks one is interesting | 16:10 |
lbragstad | johnthetubaguy i know you recently reworked a couple of them based on the outcomes of last week's meeting | 16:10 |
johnthetubaguy | idea came from dstanek's comment | 16:11 |
johnthetubaguy | basically I am proposing we remove the use of target from all our policy checks | 16:11 |
johnthetubaguy | roughly speaking | 16:11 |
ayoung | johnthetubaguy, you are aware of the work I was doing to fix is_admin, right? | 16:11 |
johnthetubaguy | ayoung: roughly yeah, it's a very similar idea I think | 16:12 |
ayoung | johnthetubaguy, can you take that and fix the whole thing? | 16:12 |
ayoung | johnthetubaguy, https://review.openstack.org/#/c/384148/ | 16:12 |
ayoung | it needs changes to the Tempest tests in order to pass | 16:12 |
johnthetubaguy | oh, didn't know there was a patch out there | 16:12 |
johnthetubaguy | so if tempest fails, we broke the API right, so that's really bad surely? | 16:12 |
edmondsw | no, just bad tests | 16:13 |
ayoung | johnthetubaguy, nope | 16:13 |
ayoung | it is just test assumptions: | 16:13 |
ayoung | that admin can be in any random project | 16:13 |
johnthetubaguy | so my proposed change is quite different to your proposal | 16:13 |
ayoung | and with that patch, and enforcement turned on, admin needs to be in the admin_project | 16:13 |
ayoung | bad tests | 16:13 |
ayoung | johnthetubaguy, I know. I am not working on Keystone full time anymore. If you don't take it and run with it, it is not going to happen | 16:14 |
ayoung | and without nova support, nothing happens in OpenStack | 16:14 |
edmondsw | ayoung I'm still trying to find time to push that patch | 16:14 |
edmondsw | but could definitely use some nova core help | 16:14 |
johnthetubaguy | so lets turn that around a second | 16:15 |
johnthetubaguy | if we implemented it the way proposed here: https://review.openstack.org/#/c/433037 | 16:15 |
*** ravelar has joined #openstack-meeting-cp | 16:15 | |
johnthetubaguy | I believe that also fixes the bug you are trying to fix in the above patch (and fixes a few other gremlins too) | 16:15 |
ayoung | johnthetubaguy, um...does it fix it, or just push it around? | 16:15 |
johnthetubaguy | I believe it fixes it | 16:16 |
johnthetubaguy | if it doesn't thats great feedback to get | 16:16 |
johnthetubaguy | probably means I misunderstood the bug | 16:16 |
ayoung | johnthetubaguy, does not look like it. But the solution could be rewritten in terms of that spec | 16:16 |
edmondsw | johnthetubaguy I'll add that to my reading list and let you know :) | 16:16 |
ayoung | johnthetubaguy, there are 2 types of admin checks | 16:16 |
johnthetubaguy | ah, so maybe it's this spec that fixes it all together | 16:16 |
ayoung | project scoped and global | 16:16 |
johnthetubaguy | https://review.openstack.org/#/c/427872 | 16:16 |
lbragstad | i've reviewed a couple of them ( #link https://review.openstack.org/#/c/433010 is really straightforward) | 16:17 |
ayoung | johnthetubaguy, yes, that looks better | 16:17 |
johnthetubaguy | basically doing the fix in two steps | 16:17 |
johnthetubaguy | forgot how I split that up, oops | 16:17 |
ayoung | johnthetubaguy, there was a cross project spec along those lines years ago. I think you are on the right track | 16:17 |
lbragstad | ayoung ++ | 16:17 |
johnthetubaguy | yeah, it's using lots of stuff from that one | 16:18 |
ayoung | lbragstad, meanwhile, the Keystone patches are also sitting there... | 16:18 |
ayoung | https://review.openstack.org/#/c/387161/ | 16:18 |
lbragstad | ayoung I need to finish reading johnthetubaguy's final proposal (I ran out of battery last night) | 16:18 |
ayoung | https://review.openstack.org/#/c/387710/ | 16:18 |
ayoung | and then | 16:18 |
ayoung | https://review.openstack.org/#/c/257636/16 | 16:19 |
ayoung | lbragstad, these are very tactical, practical, and achievable goals. I am not going to continue to update the patches. Merge them, or abandon them as you see fit. Let someone else hack on them...I'm willing to review | 16:21 |
lbragstad | ayoung added them to my list | 16:21 |
ayoung | but this is pre-req to any future policy work being on a sound footing | 16:21 |
lbragstad | we also have #link https://review.openstack.org/#/c/428453 (keystone-specs: Policy in code) | 16:21 |
lbragstad | which ravelar and antwash have spoken for | 16:22 |
lbragstad | (thanks guys) | 16:22 |
antwash | lbragstad : you're welcome ++ | 16:22 |
ayoung | lbragstad, there are comparable patches for Glance and Cinder. But, if johnthetubaguy is going to redo Nova's approach, perhaps we wait to see what he learns before redoing those patches | 16:22 |
lbragstad | ayoung totally on board there | 16:22 |
johnthetubaguy | so I was also adding the nova-member thing | 16:23 |
lbragstad | i'm excited to get into these discussions at the PTG to see what the consensus is *as a group* | 16:23 |
johnthetubaguy | so folks by default have zero access to nova | 16:23 |
lbragstad | johnthetubaguy by access do you mean write-access? | 16:24 |
johnthetubaguy | I mean *any* access | 16:24 |
johnthetubaguy | so no access by default | 16:24 |
ayoung | antwash, I'd recommend grabbing johnthetubaguy's follow on specs and doing a keystone version of them as well. Letting Nova set the approach for policy enforcement makes it easier to implement consistently in the other projects | 16:24 |
* lbragstad is a fan of deny-all by default | 16:24 | |
johnthetubaguy | now, there might be a big hole in my proposal somewhere | 16:24 |
ayoung | johnthetubaguy, define "Default" here? An unscoped token should be rejected by Nova. | 16:25 |
johnthetubaguy | it just feels like the current best bet | 16:25 |
*** ricolin has quit IRC | 16:25 | |
johnthetubaguy | ayoung: good question, if you have no roles assigned | 16:25 |
johnthetubaguy | so with no roles assigned, you get no access | 16:25 |
ayoung | johnthetubaguy, no role means you cannot get a token scoped to that project | 16:25 |
ayoung | but a second check is not going to hurt | 16:25 |
johnthetubaguy | you are scoped to a project, that's cool | 16:25 |
johnthetubaguy | but then you can't do anything, because you don't have a role in that project | 16:26 |
ayoung | johnthetubaguy, I have a follow on proposal. | 16:26 |
edmondsw | johnthetubaguy I think you mean you can't just have any role assigned (the current state), but rather have to have a role that nova has allowed to do something | 16:26 |
lbragstad | edmondsw ++ | 16:26 |
edmondsw | no? | 16:26 |
ayoung | johnthetubaguy, looking for the spec... | 16:26 |
johnthetubaguy | edmondsw: oh, right, I was missing you need a role to be "in" a project, so yes | 16:27 |
edmondsw | cool | 16:27 |
ayoung | johnthetubaguy, http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/role-check-from-middleware.html | 16:27 |
johnthetubaguy | I keep meaning to do a spec on supporting domains as well | 16:27 |
ayoung | move the role check into middleware | 16:27 |
lbragstad | and right now the evaluation is *any* role on a project implies membership (right?) | 16:27 |
edmondsw | johnthetubaguy what do you mean when you say "supporting domains"? | 16:27 |
johnthetubaguy | ayoung: yeah, our API is too screwed up for that to work, unless I am missing something | 16:27 |
*** sneti has joined #openstack-meeting-cp | 16:27 | |
ayoung | No, it should work | 16:27 |
johnthetubaguy | edmondsw: we just ignore domain right now | 16:27 |
ayoung | johnthetubaguy, the scope check stays in code | 16:27 |
johnthetubaguy | ayoung: we do policy based on random things in the body of the API payload | 16:28 |
ayoung | johnthetubaguy, Oh, wait, you mean the "pack everything into one post call" API | 16:28 |
edmondsw | johnthetubaguy, I know, but that's true in a lot of senses... and some of them rightly... which ones are you thinking of addressing? | 16:28 |
ayoung | johnthetubaguy, yeah...so you can still make use of the mechanism. | 16:28 |
johnthetubaguy | we could do a basic "can I access Nova at all" check | 16:28 |
ayoung | you just have to manually implement that same logic: | 16:29 |
ayoung | instead of the URL being the URL, it becomes some magic string | 16:29 |
lbragstad | so nova would have to maintain the mapping? | 16:30 |
johnthetubaguy | the problem is I want policy checks to be simpler and easier to audit, I think having to do two levels of checks is going to be bad, but I could be missing this | 16:30 |
lbragstad | because we coded to store a URL? | 16:30 |
johnthetubaguy | we could create some "magic" to make action work, for sure | 16:30 |
ayoung | johnthetubaguy, I want the same things | 16:32 |
ayoung | the scope check should be immutable | 16:33 |
johnthetubaguy | anyways, let's step back, right now I am trying to work through a set of deployer problems really, much less worried about the how, open to options, we should look at them at the PTG | 16:33 |
ayoung | all end users can do is break that | 16:33 |
ayoung | the only part people should be morphing is the role->api mapping | 16:33 |
ayoung | johnthetubaguy, it supports your spec | 16:33 |
johnthetubaguy | ah, OK, I missed that being the aim | 16:33 |
ayoung | this will allow you to get the granularity of readonly/readwrite/projectadmin etc | 16:33 |
ayoung | johnthetubaguy, so, here is how I see it working | 16:34 |
ayoung | we get the proposed mechanism built and deployed. but nothing changes on day 1 | 16:34 |
ayoung | if a user has Member on a project, everything works the same | 16:34 |
ayoung | admin implies member, so admin on a project can still do everything | 16:34 |
ayoung | then, we change member implies read_only | 16:35 |
ayoung | that starts showing up in the tokens...nothing changes | 16:35 |
*** raildo has joined #openstack-meeting-cp | 16:35 | |
ayoung | we modify a set of APIs to be read_only.... | 16:35 |
ayoung | everything keeps working. | 16:35 |
ayoung | now....we create a new user, and, instead of granting them Member, we grant them "read_only" | 16:36 |
ayoung | now that user can only do the read_only APIs, not all of them | 16:36 |
ayoung | the process is backwards compatible | 16:36 |
johnthetubaguy | yeah, I think that's basically what I am shooting for in my spec, it falls back to use the old roles for a cycle or so | 16:37 |
johnthetubaguy | with some warnings if you haven't updated your users' roles to match the "future" | 16:37 |
ayoung | johnthetubaguy, note that implied_roles are already in keystone | 16:37 |
ayoung | so, the big thing is to make sure that Nova only enforces the current standard. If you go too far, you ruin it for everyone | 16:38 |
ayoung | don't bake the roles into code. Only scope check | 16:38 |
ayoung | admin we treat as special | 16:38 |
johnthetubaguy | so not quite sure if that's what we have done | 16:39 |
edmondsw | but scope checks should be baked into code for the most part. For a select few APIs where we want scope to be more malleable, have an additional policy check to control that, but should be the exception | 16:39 |
johnthetubaguy | the stuff we have in the code is more about the default policy | 16:39 |
johnthetubaguy | edmondsw: yeah, there are a few exceptions, we are trying to slowly kill those, in the name of interop | 16:40 |
edmondsw | ++ | 16:40 |
ayoung | johnthetubaguy, right, and the default should be "you need a token with a project that matches" | 16:40 |
johnthetubaguy | edmondsw: FWIW, we need to fix hierarchical multi-tenancy to get rid of those | 16:40 |
ayoung | and, for some "you need admin on the admin_project" | 16:40 |
edmondsw | oh? | 16:41 |
johnthetubaguy | yeah, I don't like that | 16:41 |
johnthetubaguy | it means you get access to everywhere by default | 16:41 |
johnthetubaguy | so I must have missed something | 16:41 |
lbragstad | i think by default we should have a granular set of roles that are well-defined | 16:41 |
johnthetubaguy | so "by default" is causing confusion here | 16:42 |
johnthetubaguy | I think what I mean is... | 16:42 |
johnthetubaguy | when in a project, you don't automatically get access to Nova | 16:42 |
johnthetubaguy | you can do implied roles, to make sure all Members get the nova-member rule, or some such | 16:42 |
johnthetubaguy | if thats what you want | 16:42 |
johnthetubaguy | ah, there is the hole in my proposal... | 16:43 |
johnthetubaguy | you can't have a token say read access to the world, but write access to just my project | 16:44 |
johnthetubaguy | but I think thats probably OK | 16:44 |
ayoung | johnthetubaguy, you cannot get a token scoped to a project without having a role on that project | 16:45 |
ayoung | johnthetubaguy, yes you can.... | 16:45 |
ayoung | iff those are done by separate roles | 16:45 |
lbragstad | but you can't do that with a single token though, tokens are either unscoped or scoped | 16:46 |
ayoung | you still need a token scoped to the project to perform operations on that project | 16:46 |
johnthetubaguy | right, you could if it's separate roles, but I was proposing not to do that | 16:46 |
lbragstad | what it sounds like johnthetubaguy wants is a token that means two different things depending on where you're using it | 16:46 |
ayoung | is_admin_project being the backdoor to allow admins global access | 16:46 |
johnthetubaguy | right, I have gone for is_admin and is_global_scope being separate roles | 16:46 |
ayoung | you could do something comparable like role:read_only with a scope check that enforces is_admin_project=yes | 16:47 |
ayoung | scope is not role. role is not scope | 16:47 |
johnthetubaguy | so it's a problem with my proposal, but I also don't think it's a valid use case | 16:47 |
johnthetubaguy | I just should pull that out explicitly | 16:47 |
johnthetubaguy | you just re-authenticate in the project where you have the permissions you want | 16:48 |
johnthetubaguy | (as a work around) | 16:48 |
ayoung | yep | 16:48 |
dstanek | johnthetubaguy: ++ on calling that out | 16:48 |
edmondsw | and you can get a token from a token, as long as you're ok with the new token having the same expiration of the first token, without requiring credentials again... so getting a second token with a different scope shouldn't be too problematic | 16:49 |
*** aunnam has joined #openstack-meeting-cp | 16:50 | |
johnthetubaguy | true, I don't think it's a big deal | 16:50 |
johnthetubaguy | just a non-obvious restriction of the system I am proposing | 16:50 |
dstanek | yeah, calling it out will let others looking at the docs/specs know that it was thought about | 16:51 |
lbragstad | ++ | 16:51 |
lbragstad | 9 minute mark | 16:51 |
johnthetubaguy | so I think I have a much better understanding of some of the background here, which is great | 16:52 |
johnthetubaguy | so domains... | 16:53 |
johnthetubaguy | I am thinking about how to add that | 16:53 |
edmondsw | what about them? | 16:53 |
johnthetubaguy | I am thinking everywhere we have project_id we also need to add domain_id | 16:53 |
johnthetubaguy | well, project_id and user_id | 16:53 |
edmondsw | why? | 16:53 |
johnthetubaguy | oh, is project_id unique in the system? | 16:54 |
edmondsw | yes | 16:54 |
johnthetubaguy | so I totally missed that | 16:54 |
* johnthetubaguy face palm | 16:54 | |
lbragstad | project name is not | 16:54 |
edmondsw | project_name is only unique within a domain, but project_id is unique globally | 16:54 |
lbragstad | project name must be unique within the domain | 16:54 |
johnthetubaguy | right, that makes *way* more sense to me now | 16:54 |
lbragstad | :) | 16:54 |
johnthetubaguy | hmm, maybe this is overkill | 16:55 |
johnthetubaguy | if you put domain_id everywhere.... | 16:55 |
johnthetubaguy | when we get a domain scoped token | 16:55 |
johnthetubaguy | we could simply update the scope check to look up things limited to the domain_id | 16:55 |
edmondsw | today nova doesn't work with domain scoped tokens at all, does it? | 16:55 |
lbragstad | edmondsw i don't believe so | 16:55 |
johnthetubaguy | edmondsw: I don't know what we do, honestly | 16:56 |
johnthetubaguy | we might just call it a project | 16:56 |
edmondsw | I'm pretty sure the only service that handles domain-scoped tokens is keystone | 16:56 |
johnthetubaguy | and get on with things as normal | 16:56 |
edmondsw | and that may be fine | 16:56 |
johnthetubaguy | I was thinking about an admin that wanted visibility only in their domain | 16:56 |
edmondsw | or there may be use cases where it would be nice for nova/etc. to allow domain-scoped tokens... I don't know | 16:56 |
lbragstad | johnthetubaguy i have a question about policy in code too if you have a minute | 16:57 |
johnthetubaguy | lbragstad: yeah, that's probably a better use of our time | 16:57 |
* johnthetubaguy needs to go learn domains, and come back to that | 16:57 | |
lbragstad | johnthetubaguy not to derail - just saw one of the post-its on my monitor and I had to ask | 16:57 |
johnthetubaguy | heh | 16:57 |
lbragstad | johnthetubaguy nova enforces policy in code, but how does oslo.policy grab the registered values? | 16:58 |
lbragstad | johnthetubaguy does it reach into nova and ask for it like config? | 16:58 |
lbragstad | cc antwash ravelar ^ | 16:58 |
dstanek | johnthetubaguy: i also had a question about how horizon handles the policy in code thing. don't they need a copy of the policy to work correctly? | 16:59 |
johnthetubaguy | ah, it's just like config | 16:59 |
johnthetubaguy | with entry point | 16:59 |
* ravelar listening intently | 16:59 | |
dstanek | or did you already make it discoverable? | 16:59 |
johnthetubaguy | https://docs.openstack.org/developer/oslo.policy/usage.html#sample-file-generation | 17:00 |
lbragstad | ah - so you can access a policy in oslo.policy (to do the evaluation) by doing `from nova import policies; policies.instances...` | 17:00 |
johnthetubaguy | alaski did all the good work here | 17:00 |
johnthetubaguy | oh, let me find our wiring | 17:00 |
edmondsw | lbragstad I think you're looking for this? https://github.com/openstack/nova/blob/master/nova/policy.py#L207 | 17:00 |
lbragstad | edmondsw aha! | 17:01 |
johnthetubaguy | ah, yeah | 17:01 |
lbragstad | edmondsw yes - so that's what makes oslo.policy use the registered policy rules instead of some file | 17:01 |
lbragstad | (i.e. policy.json or policy.yaml) | 17:01 |
johnthetubaguy | well, overrides still come from the file | 17:01 |
edmondsw | right | 17:01 |
johnthetubaguy | we also use a new method | 17:01 |
lbragstad | right - but they are registered together | 17:01 |
johnthetubaguy | https://github.com/openstack/nova/blob/master/nova/context.py#L274 | 17:02 |
johnthetubaguy | at least I thought that was new | 17:02 |
johnthetubaguy | I think we error out if the rule is not pre-registered | 17:02 |
lbragstad | got it - so just like config, policy must be registered before use | 17:02 |
lbragstad | (which finds the overrides, if any, and populates the rest of the policies with the default defined in code) | 17:02 |
johnthetubaguy | yeah | 17:03 |
lbragstad | awesome - that helps | 17:03 |
lbragstad | we're over time (sorry!) | 17:03 |
lbragstad | thanks for coming everyone! | 17:03 |
lbragstad | #endmeeting | 17:03 |
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings" | 17:03 | |
openstack | Meeting ended Wed Feb 15 17:03:56 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 17:03 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-02-15-16.01.html | 17:03 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-02-15-16.01.txt | 17:04 |
openstack | Log: http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-02-15-16.01.log.html | 17:04 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!