Wednesday, 2017-03-01

« Tuesday, 2017-02-28 Index Thursday, 2017-03-02 »
*** ducttape_ has joined #openstack-meeting-cp00:00
*** lamt has joined #openstack-meeting-cp01:01
*** ducttape_ has quit IRC01:46
*** ducttape_ has joined #openstack-meeting-cp01:46
*** ducttape_ has quit IRC02:11
*** ducttape_ has joined #openstack-meeting-cp02:24
*** mars has joined #openstack-meeting-cp02:26
*** ducttape_ has quit IRC03:04
*** mars has quit IRC03:16
*** mars has joined #openstack-meeting-cp03:20
*** ducttape_ has joined #openstack-meeting-cp03:41
*** sheeprine has quit IRC04:00
*** sheeprine has joined #openstack-meeting-cp04:05
*** ducttape_ has quit IRC04:05
*** ducttape_ has joined #openstack-meeting-cp04:15
*** ducttape_ has quit IRC04:21
*** ducttape_ has joined #openstack-meeting-cp04:23
*** diablo_rojo has joined #openstack-meeting-cp04:26
*** ducttape_ has quit IRC04:47
*** diablo_rojo has quit IRC05:38
*** gouthamr has quit IRC05:40
*** lamt has quit IRC05:47
*** ducttape_ has joined #openstack-meeting-cp05:48
*** ducttape_ has quit IRC05:53
*** sigmavirus has quit IRC06:52
*** sigmavirus has joined #openstack-meeting-cp06:53
*** sigmavirus is now known as Guest5315306:54
*** mars has quit IRC07:08
*** ducttape_ has joined #openstack-meeting-cp07:19
*** ducttape_ has quit IRC07:23
*** mars has joined #openstack-meeting-cp07:26
*** rdopiera has quit IRC08:03
*** rdopiera has joined #openstack-meeting-cp08:03
*** dfflanders has quit IRC08:12
*** ducttape_ has joined #openstack-meeting-cp08:49
*** ducttape_ has quit IRC08:53
*** ducttape_ has joined #openstack-meeting-cp09:50
*** ducttape_ has quit IRC09:54
*** mars has quit IRC10:37
*** ducttape_ has joined #openstack-meeting-cp10:51
*** ducttape_ has quit IRC10:55
*** sdague has joined #openstack-meeting-cp11:01
*** ducttape_ has joined #openstack-meeting-cp11:52
*** ducttape_ has quit IRC11:57
*** Guest53153 is now known as sigmavirus12:10
*** sigmavirus has quit IRC12:10
*** sigmavirus has joined #openstack-meeting-cp12:10
*** ducttape_ has joined #openstack-meeting-cp12:53
*** ducttape_ has quit IRC12:58
*** ducttape_ has joined #openstack-meeting-cp13:24
*** gouthamr has joined #openstack-meeting-cp13:40
*** lamt has joined #openstack-meeting-cp14:03
*** ducttape_ has quit IRC14:06
*** ducttape_ has joined #openstack-meeting-cp14:44
*** ducttape_ has quit IRC14:53
*** lamt has quit IRC14:56
*** rderose has joined #openstack-meeting-cp15:06
*** ducttape_ has joined #openstack-meeting-cp15:21
*** lamt has joined #openstack-meeting-cp15:34
*** spilla has joined #openstack-meeting-cp15:45
*** edmondsw has joined #openstack-meeting-cp15:56
*** ravelar has joined #openstack-meeting-cp15:57
*** ruan_ has joined #openstack-meeting-cp15:57
*** ruan_ is now known as Guest7491315:57
*** gagehugo has joined #openstack-meeting-cp15:57
*** ayoung has joined #openstack-meeting-cp15:58
*** _ducttape_ has joined #openstack-meeting-cp15:58
lbragstad#startmeeting policy16:00
openstackMeeting started Wed Mar  1 16:00:00 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.16:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
*** openstack changes topic to " (Meeting topic: policy)"16:00
openstackThe meeting name has been set to 'policy'16:00
lbragstadping antwash, raildo, ktychkova, dolphm, dstanek, rderose, htruta, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, stevemar, ravelar, morgan, raj_singh, johnthetubeguy16:00
lbragstadagenda #link https://etherpad.openstack.org/p/keystone-policy-meeting16:00
gagehugoo/16:00
ravelaro/16:00
lamto/16:00
lbragstado/16:00
Guest74913o/16:00
rderoseo/16:00
*** Guest74913 has quit IRC16:00
aunnamo/16:00
ayoungHey16:01
*** diablo_rojo has joined #openstack-meeting-cp16:01
*** ruan_08 has joined #openstack-meeting-cp16:01
snetio/16:01
ruan_08o/16:01
lbragstadwe have a pretty good crowd today16:01
*** ducttape_ has quit IRC16:01
knikollao/16:02
lbragstad#topic Recap policy discussions from the PTG16:02
*** openstack changes topic to "Recap policy discussions from the PTG (Meeting topic: policy)"16:02
ayoungravelar, can you maybe come up with a more descriptive name than Policy in code (part 5)16:02
* johnthetubaguy lurks16:03
lbragstadjohnthetubaguy o/16:03
ravelarayoung are you talking about all the parts or just that one specifically?16:03
ayoungravelar, all of them16:03
ayounglike...are they by subunit, I assume?16:03
edmondswo/16:03
ravelarayoung what do you prefer? They are just redundantly adding default groups16:03
lbragstadjohnthetubaguy I totally misspelled your nick in the ping (sorry!)16:03
johnthetubaguylbragstad: heh, no worries16:04
ravelarayoung and I am just following novas convention when they made the patches on their end16:04
ayoungravelar, why are they different reviews?  Is there some ordering there?16:04
edmondswjohnthetubaguy I pinged you in nova IRC to look at a nova policy-related patch that needs your quick review... other reviewers are holding it up waiting for you16:04
johnthetubaguylbragstad: that must be my plumber cousin16:04
*** breitz has quit IRC16:04
lbragstadjohnthetubaguy that's what I was thinking16:04
johnthetubaguyedmondsw: yeah, stuck trying to rework some critical specs at the moment, its open in a tab16:04
lbragstadayoung no - they are just broken up so the changes aren't so big16:04
ravelarayoung there are many default groups and rather than putting them in one huge patch change, I simply chained them together.16:04
edmondswjohnthetubaguy tx16:04
ayoungand why are they going into common instead of the sub projects?16:05
ravelarayoung like here https://blueprints.launchpad.net/nova/+spec/policy-in-code16:05
ayoungI'd expect to see identity/policy assignment/policy  etc16:05
*** breitz has joined #openstack-meeting-cp16:05
ayoungthe only stuff in common should be actual common stuff16:05
ravelarayoung isn't policy common? it was a recommendation made by dolphm16:05
lbragstadravelar ++16:06
ravelarayoung and it is in one central place like you would expect to find policy.json16:06
lbragstadravelar didn't you both refactor that last friday?16:06
dolphmayoung: i think he's just asking why the individual policies are not in their respective modules16:06
dolphmerr, ravelar16:06
ayoungravelar, no, the policy changes you made look like each is specific to a certain submodule16:06
edmondswhaving it in a central place makes it easier to find... which is a big help to folks that want to customize policy16:06
ayoungright16:06
edmondswnova's done the same with conf, incidentally16:06
ravelarlbragstad yes16:06
lbragstadedmondsw by central you mean in keystone/common/policy/ ?16:07
edmondswwhich is also nice16:07
ayoungedmondsw, yeah, don'16:07
ayoungt do that16:07
ayoungedmondsw, the whole point of the submodules is to group like functionality together in a way that things can grow16:07
edmondswlbragstad yes... or I'd prefer to be like nova and keystone/policies16:07
johnthetubaguyFWIW, this is how ironic did it: https://github.com/openstack/ironic/blob/8db68fef4e97b2ed6552b80215ab03093f18e615/ironic/common/policy.py16:08
ayoungput things from submoduiles into common means that everything should be in common16:08
*** eglute has left #openstack-meeting-cp16:08
dolphmedmondsw: we also have keystone/policy16:08
dolphmedmondsw: for /v3/policies16:08
ravelaredmondsw it was originally setup that way, however when looking at it, the feedback was that we also have keystone/policy16:08
edmondswI meant keystone/policies would be a directory, not a file16:08
ayoungheh16:08
knikollathis is similar to our conf structure though.16:08
knikollaand i think that was the goal.16:08
edmondswe.g. https://github.com/openstack/nova/tree/master/nova/policies16:09
ayoungkeystone/policy  was just the datastore, though.  It was agnostic of content. We wanted to kill that at one point16:09
dolphmravelar: maybe base.py should be in keystone/common, and each individual policy file should be in keystone/identity keystone/catalog etc16:09
ayoungdolphm, ++16:09
lbragstadthat could work16:09
johnthetubaguyFWIW, that caused a mess for our config16:09
ayoungthink in terms of people that have to trace from API calls to policy16:09
ravelardolphm wouldn't that scatter a lot of the files unnecessarily?16:09
ayoungthe API call starts at the router, then goes to the controller.16:09
johnthetubaguyif you put them next to each other, in a central place, you can consider them as a single operator "API", but each to their own really, there are trade offs both ways16:10
dolphmalthough, nova did nova/policies/ for everything just like nova/conf and keystone/conf16:10
ayoungthe logical place to look for the policy for a specific controller would be in a file right next to it16:10
dolphmravelar: it puts the actual policies closer to the code their protecting16:10
ravelaryeah but controller that calls policies is in common16:10
ravelarnot in the respective folder16:10
lbragstadsimilar to the schema.py files of each submidle16:10
edmondswayoung dolphm we have common conf directory... why not same for policies?16:10
lbragstadmodule*16:10
edmondswhttps://github.com/openstack/keystone/tree/master/keystone/conf16:10
dolphmravelar: it's just two different philosophies; i don't think one is necessarily better than the other (other than i'll maintain that having both keystone/policy and keystone/policies would suck)16:10
edmondswpolicy is just a different type of conf, really16:11
johnthetubaguy... but if you want to curate the policy as a single interface the operators need to understand, you might want it in one folder16:11
ravelarjohnthetubaguy ++16:11
ayoungedmondsw, because with conf you tend to go from the file to the repo to find what implements that.  With policy you tend to go from the router to the controller to the policy to see what is going to happen16:11
johnthetubaguydolphm: that sounds like the worst of both choices policy and policies16:11
dolphmjohnthetubaguy: right16:11
edmondswayoung not me...16:11
edmondswayoung I got from the file to the repo, just like conf16:12
ayoungedmondsw, yes, but with policy in code, there will be no file16:12
edmondswayoung not true16:12
rderoseI'm leaning towards keeping it in one folder16:12
edmondswayoung you'll generate the file16:12
ravelarthe policy is being called from common controller protected though right?16:12
edmondswedmondsw you can't expect operators to understand routers and such to make those connections16:12
edmondswand I should talk to ayoung, not myself...16:13
ayoungso, one folder is fine.  just name the files the same as the modules they protect16:13
ayoungidentity assignment and so on16:13
lbragstadI don't mind having them named after the resources they protect16:13
rderoseme too16:13
lbragstadbut I could go either way here16:13
ayoungI mean, its wrong, but so much of Keystone is wrong, this is not even something that registers.16:13
johnthetubaguyFWIW, we were aiming more towards the URL structure than the file structure, but the fact they aren't the same is a totally different problem we have16:13
ayoungjohnthetubaguy, +++++++16:13
edmondswthat's a reason to fix the file structure, no? :)16:14
edmondswI still struggle to figure out where to look in keystone's code structure for differnt things...16:14
dstanekjohnthetubaguy: i hate the fact that we have to consider URL structure at all16:14
ayoungso, the alternative setup we could go with is to merge the routers and maybe even the controllers into a single place, and name them accordingly16:15
ayoungdstanek, so I was looking at how Kubernetes does that.  With Kubernets, you have a single discovery page that lists the entities, and then from each entity you get the URL.  Then the URL structures are forced to be very regular16:15
rderoseayoung: you mean out of common?16:16
ayoungso user, group, role, etc....16:16
knikollamove = move and have the old location import the new one with a deprecation warning.16:16
ayoungrderose, I'd probable go keystone/routers16:16
ayoungcommon is unnecessary naming for most things16:16
*** _ducttape_ has quit IRC16:16
rderosetrue16:16
*** ducttape_ has joined #openstack-meeting-cp16:17
johnthetubaguydstanek: I am thinking about the operator, what they care about when setting things is the URL structure, at least I do16:17
ayoungSo...I opened with criticism, but ravelar I should have opened with a compliement on the nice work you are doing there...this is all just detail stuff16:17
edmondsw++16:17
lbragstad++16:17
knikolla++16:17
rderose++16:17
rderose:)16:17
ayoungjohnthetubaguy, hence http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/role-check-from-middleware.html16:17
lbragstadravelar those details aside - i think those changes are close to merging16:18
dolphmayoung: ++ :)16:18
ravelarayoung thanks! I like the input in general16:18
lbragstadit would be nice to get those issues resolved in review sometime today so that ravelar and antwash can address16:18
lbragstadpolicy etherpad from PTG #link https://etherpad.openstack.org/p/pike-ptg-keystone-policy16:18
johnthetubaguyayoung: true, but then we end up with access checks in too many places, well in the Nova case at least, but thats a different discussion16:18
lbragstadthese are the patches we have in keystone #link https://review.openstack.org/#/q/topic:bp/policy-in-code+status:open+project:openstack/keystone16:19
ayounglbragstad, I really don't care where it lands, so long as there is a well thought out rationale.  If it is functional, we can also refactor in the future16:19
lbragstadayoung ++ exactly,16:19
dstanekjohnthetubaguy: i'd love to try to figure out exactly why url structure matters so much. maybe we can have a side conversation later16:19
ayoungjohnthetubaguy, the RBAC check and the scope check are fundamentally different things, with different requirements.  I want to make sure we keep that in mind, and don't hard code the role check into the deep policy-in-code impl16:20
johnthetubaguydstanek: operators shouldn't need to read the code, only our policy docs and the api-ref, its all stemming from that view of the world really16:20
ayoungcode should not know about any actual roles...that should be a configuration/operator decision16:20
edmondswdstanek because the url structure is everything from the operator perspective. And as nice as comments are, I'm going to want to double-check things, which means going into the code. I need to know where to do that, and what I know is the url structure16:20
johnthetubaguyayoung: yeah, I think we have exactly the same goals16:20
ayoungOf course, the horrible Nova-everything-in-one-post-api-cuz-we-love-SOAP-API approach does make it a little diffiduclt to convince people16:21
ayoungbut, hey16:21
dstanekjohnthetubaguy: edmondsw: you guys have the same opinion for the exact opposite reason.16:21
edmondsw:)16:21
lbragstad#progress16:22
dstanekjohnthetubaguy: i've always thought the way we document api is wrong :-)16:22
dolphmdstanek: but it IS documented :P16:23
dstanekfor some definition of documented :P16:23
edmondsw++16:23
lbragstadso - after ravelar and antwash get through moving policy into code we have the documentation bits - #link https://review.openstack.org/#/c/435078/16:23
lbragstadwhich will have to be dependent on #link https://review.openstack.org/#/c/439070/16:24
lbragstadcc johnthetubaguy ^ that's the interface the sdague was talking about16:24
johnthetubaguyah, yeah, thats it16:24
johnthetubaguydidn't we say we needed multiple url and verb pairs?16:25
lbragstadjohnthetubaguy yeah - probably ?16:25
ayoungBTW, ravelar have you looked at my refactorings to support is_admin?16:25
lbragstadjohnthetubaguy antwash just posted that yesterday to start getting feedback on it16:25
ayoungseee the three reviews stacked up here https://review.openstack.org/#/c/387710/16:26
lbragstadjohnthetubaguy any feedback nova has on that interface would be a huge help16:26
johnthetubaguysneti and aunnam should totally take a look at that ^16:27
lbragstadonce that is released in a new version of oslo.policy, we'll be able to tackle the documentation bits16:27
ayoungI'm totes going to block anything that prevents those from merging...wrote them too long ago16:27
ayoungOct 17...16:27
edmondswjohnthetubaguy I just -1'ed with that comment16:28
edmondswand to remove scope and access16:28
ayoungand only SteveMar has reviewed them, so please just merge them16:28
ayounghttps://review.openstack.org/#/c/387161/1216:29
ayounghttps://review.openstack.org/#/c/387710/1316:29
ayoungand https://review.openstack.org/#/c/257636/1816:29
ravelarayoung ah looking at that now16:29
johnthetubaguyedmondsw: oops, me too, but thats cool16:29
lbragstadjohnthetubaguy edmondsw perfect16:29
lbragstadjohnthetubaguy is there anything else we came up with during last weeks session that needs to be in that patch that you remember?16:30
ayoungravelar, thanks, but also need people with +2 to just pull the trigger.  I'm not able to actively work on this any more, and its hurting keystone, and all of openstack, to not have is_admin support in policy16:30
edmondswayoung there's a -1 from henrynash on https://review.openstack.org/#/c/257636/1816:30
ayoungedmondsw, and he is still wrong16:30
ayoungedmondsw, that is cuz he's thinking in terms of the cloudsample16:31
edmondswayoung cool... I didn't read his comment yet16:31
ayoungwe discussed, and he never re-addressed it16:31
edmondswyou just said nobody had reviewed them but stevemar :)16:31
knikollaayoung: as previously said, let me know when you want me to pick something up which you can't work on.16:31
knikollathough i'm still unsure what the consensus for moving forward with role check in middleware is16:32
ayoungedmondsw, yeah, and Sam looked at that one, too, but only steve looked at the prior16:32
ayounghttps://review.openstack.org/#/c/387161/1216:32
ayoungits a straight refactoring, pulling code together for the is_admin check to be done in once place16:32
edmondswknikolla ayoung we agreed at the PTG that role check in middleware was essentially dead now16:32
ayoungedmondsw, that is stupid, but irrelevant to this.16:33
edmondswayoung I was responding to knikolla's question about that16:33
ayoungedmondsw, you can;'t just kill the idea without replacign it with something else that solves the problem.  until we have the replacement, it merely pining for the Fjords16:33
ayoungedmondsw, so, what did you say was a better approach?16:34
edmondswayoung consensus was that the approach the nova team is taking is better16:34
lbragstad#link https://review.openstack.org/#/q/topic:bp/policy-remove-scope-checks16:34
lbragstadcc johnthetubaguy ^16:34
edmondswayoung don't shoot the messenger :)16:34
johnthetubaguyso we have me too spec on the docs, but this is the more interesting one16:35
johnthetubaguyso this is largely splitting our existing policy checks into a policy check and a scope check16:35
dstanekedmondsw: actually i think we said we need to go down the current path and get what we committed to completed16:35
dstanekthen revisit under the new context16:35
lbragstaddstanek specifically moving policy into code and documenting it16:36
dstaneklbragstad: ++16:36
lbragstaddstanek that's essentially common ground work we need regardless of the direction we take16:36
johnthetubaguyso where today we have a policy check, nova is going to have two checks, one checking policy and another checking the context scope16:36
dstanekwe were trying to not boil the ocean just yet16:36
lbragstadbut... moving policy into code and documenting it has immediate positive effects on operators16:36
edmondswlbragstad ++16:37
ayoungWonderful.  Is Nova going to go around and fix this in every other project?  Is it going to provide a way to map from URL to required role?16:37
edmondswayoung essentially yes16:38
johnthetubaguyI like maping a role to a URL, but doing that means breaking so much backwards compatibility, we just can't do that yet16:38
ayoungjohnthetubaguy, we can for everything but that Bulk api16:38
edmondswthe docs will tell operators which policy rules go with which URLs, and the default policy settings, which include role16:39
ayoungSo there, yeah, you would need something like a faked-out-url-string that does the same kind of role check16:39
johnthetubaguywhat I have right now is quick fixes for the problems operators are facing today, in a way that works across upgrade without changing their existing policy files16:39
ayoungbut then that would be the one off...and you would still need a top level role to be able to execute that API at all16:39
ayoungjohnthetubaguy, what I have is a fix for the whole damn problem, for all services16:39
ayoungthat works across upgrade without changing their existing policy files16:39
johnthetubaguyayoung: except it doesn't deal with upgrade16:39
ayoungyes it does16:40
johnthetubaguyso it seems like folks with modified policy files get a broken system across upgrade16:40
johnthetubaguyand we still need to write all the docs on what each of the rules mean, and what the sensible defaults are16:40
johnthetubaguythe problem is history has taught me its impossible to have this conversation on IRC and specs, needs video and voice / high bandwidth16:41
ayoungjohnthetubaguy, the problem is that when we have cross project meetings about this in the past, the only people there were Keystone people.  I16:42
ayoung've given up16:42
edmondswjohnthetubaguy ++ hence the PTG16:42
johnthetubaguyif I had seen the policy ones, I would have gone, I just didn't sadly16:43
johnthetubaguywe have the same issue in reverse with capabilities API16:44
johnthetubaguyhad no API wg or keystone folks when we did that in cross project session before, it happens, PTG is making that a little better and worse at the same time16:44
ayoungjohnthetubaguy, so, the Nova work should probably be orthoganal, but the RBAC check from middleware needs to be kept alive, and implemented.  Otherwise, we don't really have a solution.  OpenStack is more than just Nova, and a solution tthat ignores the other services is not a solution16:44
ayoungdoing a smarter scope check in Nova is awesome16:45
johnthetubaguyNova is nothing without the rest of OpenStack, I am totally sold on that16:45
ayoungits the right thing to do, and the other project should follow suit16:45
johnthetubaguyit feels like all this stuff is needed before we could move to anything new anyways16:45
edmondswjohnthetubaguy you were in the main policy one :)16:45
ayoungjohnthetubaguy, have you read that spec?16:46
ayoungI am pretty sure you hhave, we discuessd in previous meetings16:46
johnthetubaguyayoung: I did, I think I read read that when you pointed to that last time16:46
johnthetubaguyre-read^16:46
lbragstadayoung the role check in middleware spec had a few reviews from contributors representing other projects16:47
ayounglbragstad So, who decided it was dead?   What superceded it?16:47
lbragstadayoung we decided to put it on hold until we do policy in code and solid documentation16:47
dstanekayoung: i think just getting some of the foundational work done16:47
johnthetubaguyI think I remember starting to add comments on it actually, but it had merged already, but I could be miss-remembering that16:48
ayounglbragstad, the two are orthogonal, though16:48
lbragstadayoung and the *main* reason why I wanted to do that was because it will force our developers through and exercise of understand the warts in our existing policy implementation16:48
lbragstadayoung that way we can get more people up to speed on the approach16:48
ayoungwhile the is_admin check should be a pre-req for the policy-in-code work16:48
ayounglbragstad, who do you mean by "our developers" ?  I was working on this, heads down, for years.16:49
lbragstadayoung exactly16:49
lbragstadayoung just you though, and you undestand a *lot* about policy16:49
ayoungSo who are you planning on taking this on?16:49
lbragstadantwash and ravelar are started on it already16:50
ayounglbragstad, wonderful. ravelar the policy in code stuff is, I would say, third priority.16:50
ayoungFirst is bug 96869616:50
openstackbug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)16:50
ayoungSecond is policy in middleware16:50
ayoungpolicy in code is third16:50
ayoungnow...16:51
johnthetubaguyfor me this is about the operators, if we can do something to get them into a happier place, and it doesn't move us further away from the existing plans, thats all good16:51
ayoungI don't say that to belittle your efforts, and it can go in as soon as it is ready16:51
*** antwash has joined #openstack-meeting-cp16:51
lbragstadI disagree because the policy in code has zero impact16:51
ayounglbragstad, and has 0 value16:51
ayoungbusineess valuie16:51
ayoungit can be done the way things are now16:51
johnthetubaguyayoung: all the operators want the policy docs yesterday, this gets them some docs16:52
ayoungpolicy in code is a good idea, but it does not solve the limitations of keystone16:52
lbragstadi also disagree with that because it allows better management of policy files16:52
edmondswpolicy in code is going to make fixing 968696 easier16:52
lbragstadayoung i won't say that policy in code is going to be the silver bullet16:52
ayoungedmondsw, not if it does not take the is_admin fixes into account16:52
ayoung which were written 6 months ago16:52
edmondswayoung have you read john's specs?16:52
lbragstadbut I do understand the value of implementing it because it will force developers *across* openstack to understand the policy checks they provide16:52
ayounglbragstad, its a good idea, its just not nearly as important as understanding where keystone is falling down16:53
johnthetubaguy"falling down"?16:53
ayoungjohnthetubaguy, yes16:54
dstanekgreat movie?16:54
ayoungjohnthetubaguy, I have ahad to stop thinking about the security aspects of opolicy enforcement becauser it was keeping me up nights16:54
ayoungdstanek, Meh...good movie, not quite great...only watched once16:55
ayoungSo, please get the is_admin stuff in *before* policy in code16:55
ayoungthe policy in code stuff looks well enough self contained that it should follow in pretty soon there after16:56
ayoungthen, please either go with RBAC in middleware, or come up with some other approach that actually solves the problems16:56
lbragstadI see no technical reason why policy in code has to be dependent on the is_admin stuff16:56
johnthetubaguythey seem in parallel to me16:56
ayounglbragstad, look closer16:57
ayoungis_admin needs to be enforced by the the code16:57
* lbragstad squints 16:57
ayoungotherwise, both those patches will need to be rewritten16:57
lbragstadI will review those three patches today16:57
ayoungIts going to be a rebase nightmare, and I am not around to do it16:57
ayoungwhich means it is not going to happen16:58
ayounglbragstad, understand that I don't have time to work on them, so if you have changes you want made, you need to find someone else to make them16:58
lbragstadack16:59
lbragstadalright - we're about out of time16:59
johnthetubaguythere are tweaks to the default policy.json there is a little clash there16:59
ayoungjohnthetubaguy, yep.16:59
johnthetubaguyhonestly, people are setting the rules with no idea what they mean right now, that seems really bad16:59
lbragstadjohnthetubaguy ++16:59
johnthetubaguythey are both things we need to fix, so there is certainly agreement there17:00
lbragstadalright - thanks for coming everyone! i appreciate the discussion :)17:01
lbragstadsee everyone next week17:01
ayoungjohnthetubaguy, so lets make it so they never have to touche policy.jhson again17:01
lbragstad#endmeeting17:01
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings"17:01
openstackMeeting ended Wed Mar  1 17:01:34 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)17:01
openstackMinutes:        http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-03-01-16.00.html17:01
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-03-01-16.00.txt17:01
openstackLog:            http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-03-01-16.00.log.html17:01
*** spilla has left #openstack-meeting-cp17:02
*** ravelar has left #openstack-meeting-cp17:02
*** edmondsw has left #openstack-meeting-cp17:05
*** gagehugo has left #openstack-meeting-cp17:06
*** eglute has joined #openstack-meeting-cp18:07
*** harlowja has quit IRC18:43
*** harlowja has joined #openstack-meeting-cp18:46
*** gouthamr has quit IRC18:56
*** gouthamr has joined #openstack-meeting-cp19:00
*** ducttape_ has quit IRC19:10
*** raj_singh_ has joined #openstack-meeting-cp19:30
*** raj_singh_ has quit IRC19:31
*** stream10 has joined #openstack-meeting-cp19:35
*** ruan_08 has quit IRC19:42
*** ducttape_ has joined #openstack-meeting-cp19:48
*** ducttape_ has quit IRC19:59
*** ducttape_ has joined #openstack-meeting-cp20:01
*** harlowja has quit IRC20:08
*** stream10 has quit IRC20:47
*** beisner- has joined #openstack-meeting-cp20:50
*** beisner has quit IRC20:53
*** beisner- is now known as beisner20:53
*** ducttape_ has quit IRC21:00
*** harlowja has joined #openstack-meeting-cp21:01
*** harlowja has quit IRC21:01
*** harlowja has joined #openstack-meeting-cp21:01
*** ducttape_ has joined #openstack-meeting-cp21:20
*** stream10 has joined #openstack-meeting-cp21:30
*** gouthamr has quit IRC21:33
*** ducttape_ has quit IRC21:38
*** stream10 has quit IRC22:14
*** ducttape_ has joined #openstack-meeting-cp22:39
*** ducttape_ has quit IRC22:45
*** breitz_ has joined #openstack-meeting-cp22:45
*** breitz has quit IRC22:46
*** ducttape_ has joined #openstack-meeting-cp22:51
*** breitz has joined #openstack-meeting-cp22:52
*** breitz_ has quit IRC22:54
*** gouthamr has joined #openstack-meeting-cp22:58
*** lamt has quit IRC23:17
*** ducttape_ has quit IRC23:27
*** ducttape_ has joined #openstack-meeting-cp23:44
*** Guest27057 is now known as zigo23:57
*** sdague has quit IRC23:58
« Tuesday, 2017-02-28 Index Thursday, 2017-03-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!