Wednesday, 2017-05-31

« Tuesday, 2017-05-30 Index Thursday, 2017-06-01 »
*** markvoelker has quit IRC00:04
*** gouthamr has joined #openstack-meeting-cp00:11
*** gouthamr has quit IRC00:16
*** feisky has joined #openstack-meeting-cp00:31
*** diablo_rojo has quit IRC00:31
*** markvoelker has joined #openstack-meeting-cp00:47
*** gouthamr has joined #openstack-meeting-cp01:13
*** markvoelker_ has joined #openstack-meeting-cp01:16
*** markvoelker has quit IRC01:17
*** markvoelker_ has quit IRC01:21
*** markvoelker has joined #openstack-meeting-cp01:23
*** aselius has quit IRC01:45
*** knangia has quit IRC03:14
*** david-lyle has joined #openstack-meeting-cp03:35
*** hongbin has joined #openstack-meeting-cp04:21
*** gouthamr has quit IRC04:51
*** hongbin has quit IRC04:57
*** rarcea_ has joined #openstack-meeting-cp06:43
*** kbyrne has quit IRC07:05
*** kbyrne has joined #openstack-meeting-cp07:06
*** aselius has joined #openstack-meeting-cp07:45
*** kbyrne has quit IRC08:14
*** kbyrne has joined #openstack-meeting-cp08:17
*** wxy_ has joined #openstack-meeting-cp08:53
*** ediardo_ has joined #openstack-meeting-cp08:54
*** brault has quit IRC08:58
*** johnthetubaguy_ has joined #openstack-meeting-cp09:00
*** dmellado_ has joined #openstack-meeting-cp09:00
*** ediardo has quit IRC09:01
*** wxy has quit IRC09:01
*** dmellado has quit IRC09:01
*** IgorYozhikov has quit IRC09:01
*** stvnoyes has quit IRC09:01
*** johnthetubaguy has quit IRC09:01
*** ediardo_ is now known as ediardo09:01
*** wxy_ is now known as wxy09:01
*** IgorYozhikov has joined #openstack-meeting-cp09:02
*** stvnoyes has joined #openstack-meeting-cp09:08
*** david-lyle has quit IRC09:11
*** david-lyle has joined #openstack-meeting-cp09:12
*** dmellado_ is now known as dmellado09:46
*** aselius has quit IRC09:54
*** feisky has quit IRC10:11
*** Qiming_ has quit IRC11:09
*** Qiming has joined #openstack-meeting-cp11:13
*** kbyrne has quit IRC11:23
*** edmondsw has joined #openstack-meeting-cp12:02
*** kbyrne has joined #openstack-meeting-cp12:08
*** felipemonteiro has joined #openstack-meeting-cp12:10
*** felipemonteiro_ has joined #openstack-meeting-cp12:19
*** felipemonteiro has quit IRC12:22
*** lifeless has quit IRC13:15
*** gouthamr has joined #openstack-meeting-cp13:19
*** superdan is now known as dansmith13:26
*** mugsie has quit IRC13:27
*** lifeless has joined #openstack-meeting-cp13:33
*** jaugustine has joined #openstack-meeting-cp13:50
*** cebreidian has quit IRC14:02
*** felipemonteiro_ has quit IRC14:06
*** felipemonteiro has joined #openstack-meeting-cp14:09
*** aselius has joined #openstack-meeting-cp14:13
*** zhipeng_ has joined #openstack-meeting-cp15:00
*** diablo_rojo has joined #openstack-meeting-cp15:10
*** felipemonteiro_ has joined #openstack-meeting-cp15:28
*** Rockyg has joined #openstack-meeting-cp15:41
*** nhelgeson has joined #openstack-meeting-cp15:54
*** gagehugo has joined #openstack-meeting-cp15:54
*** blancos has joined #openstack-meeting-cp15:59
*** spilla has joined #openstack-meeting-cp15:59
lbragstad#startmeeting policy16:00
openstackMeeting started Wed May 31 16:00:09 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.16:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
*** openstack changes topic to " (Meeting topic: policy)"16:00
openstackThe meeting name has been set to 'policy'16:00
lbragstadping lbragstad, raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan, ayoung, morgan, raj_singh, johnthetubaguy, knikolla, nhelgeson16:00
lbragstad#link https://etherpad.openstack.org/p/keystone-policy-meeting16:00
lbragstadagenda ^16:00
hrybackio/16:00
blancoso/16:00
edmondswo/16:00
gagehugoo/16:00
nhelgesono/16:00
lbragstadlooks like we have the same agenda that we did last week16:01
knikollao/16:01
lbragstad#topic RBAC in middleware16:01
*** openstack changes topic to "RBAC in middleware (Meeting topic: policy)"16:01
* morgan lurks16:01
lbragstadI've been reviewing the original and reproposed spec for the last 24 hours16:01
lbragstadi'm still in the process of reviewing16:02
lbragstadI think one thing that is becoming apparent to me for that work is the isolation of the scope check from the RBAC check in each of the projects16:02
lbragstadthe part that worries me is the release or two where we have both in place in the policy file and in keystone16:03
lbragstadwhile other projects work to remove the RBAC checks from policy and move scope checks completely into code16:03
lbragstadi'm not sure if anyone else shares that view point or has given that any thought and wants to air it out here16:03
edmondswI'm not sure I completely followed16:04
knikollalbragstad: no matter how you look at it, there's bound to be a transition period16:04
edmondswlbragstad what exactly concerned you about the transition period?16:04
lbragstadedmondsw: something clicked for me yesterday16:04
edmondsw:)16:04
lbragstadand i realized that there wouldn't be any sort of role check in the policy files *eventually*16:05
knikollayes16:05
lbragstadedmondsw: does that make sense16:05
lbragstadbecause the proposal says that needs to be pulled into keystone16:05
edmondswlbragstad yes, that's the theory... unproven theory, but it's the theory16:05
knikollalbragstad: role check pulled into keystone. not scope check16:06
lbragstadknikolla: correct16:06
lbragstadboth are currently done in the policy file16:06
knikollalbragstad: scope check moved into code, which is what is happening.16:06
*** david-lyle has quit IRC16:06
lbragstadknikolla: but - that is something that is driven by the project16:06
edmondswlbragstad I'm still not convinced we'll ever be able to get all role checks into the middleware... but we should be able to get at least most there16:07
knikollalbragstad: fully agreed.16:07
knikollalbragstad: but all can be disabled until the project buys in.16:07
lbragstadedmondsw: ok - so here is my concern (real quick)16:07
knikollalbragstad: with nothing to aim towards, it's a chicken and egg buy in problem.16:07
lbragstadknikolla: sure - but we need more buy in, which i'm getting to16:08
lbragstadif a service has a policy file16:08
lbragstadand their operation -> role mapping is stored in keystone16:08
lbragstadwe have a duplicated thing16:08
lbragstadmakes sense,16:08
lbragstadwhat do we do with duplicated things? we have a migration or transition period, right?16:09
edmondswyes16:09
edmondswmiddleware is checked first, and then if it passes the policy is checked16:09
lbragstadthat migration or transition is dependent on some level of service work16:09
lbragstadideally - we want the middleware to check the role and if that passes the project should check the scope16:09
edmondswyes16:10
*** lamt has joined #openstack-meeting-cp16:10
lbragstad(if there isn't an overridden policy on disk somewhere)16:10
lbragstadthe thing that I thought was important was ensuring we have project buy in so that they prioritze the work to move the role checks out of policies16:11
lbragstadthat way we don't have duplicate storage of the same information16:11
hrybacki+116:11
lbragstadto me - that is only going to lead to inconsistent user experience16:11
lbragstadi don't think the approach is wrong16:11
lbragstadbut i want to make sure we don't let user experience degrade because we failed to convince or get proper project buy in16:12
lbragstadedmondsw: does that make more sense?16:12
knikollalbragstad: we can work with the projects to have a policy.json file without role checks in case operators want to enable the role check in middleware during the transition period16:13
hrybackilbragstad: do you see an specific projects that might need a little extra encouragement? What ux issues are you foreseeing?16:13
knikollalbragstad: also this is something entirely up to ops to enable or not, with a "caution: these projects haven't reworked their policy yet"16:13
edmondswlbragstad yes, it's going to be inconsistent16:14
lbragstadhrybacki: for example - if a project doesn't discourage the use of roles in policy.json files, then it's possible for an operator to make changes and not update keystone (i.e. the keystone check passes or a user sees that they can do something through keystone, but can't through the service API)16:14
*** david-lyle has joined #openstack-meeting-cp16:14
hrybackithank you for the clarification, makes sense16:15
edmondswlbragstad by default, operators won't have anything set in middleware, right?16:15
lbragstadedmondsw: i don't think so?16:15
knikollaedmondsw: it's disabled by default.16:15
edmondswso they would need to set something before any of this matters16:16
lbragstadif it is enabled - the operator has to persist the role and routes in keystone in order for it to be useful16:16
knikollaedmondsw: what lbragstad said.16:16
edmondswbut that doesn't change the fact that it could be confusing that, when they set middleware, it works to varying degrees for different projects16:16
lbragstadbecause that's what keystonemiddleware has to query in order to make a decision16:16
edmondswright16:16
lbragstadedmondsw: elaborate on varying degrees a bit?16:17
edmondswlbragstad I was thinking about different projects being at various stages in the rework of their policy files16:18
lbragstadoh - sure16:18
edmondswmoving scope checks into code, etc.16:18
lbragstadideally - with the rbac in middleware bits, scope should be moved into the project16:18
knikollaedmondsw: which is why it's enablement is on a service per service basis16:18
lbragstadand role checks should be moved into keystone, according to the proposal16:19
lbragstadedmondsw: you made a comment earlier about not all roles being enforced in middleware, can you walk me through that so i understand it?16:20
edmondswlbragstad role checks can't ever move from default policy into middleware, though, unless we then require middleware be setup16:21
edmondswis that something we can eventually do at some point?16:21
lbragstadedmondsw: that's a good question - i would expect operators to answer that for us16:21
lbragstadafter some reasonable time in the wild16:21
lbragstadand looking at adoption16:21
* lbragstad shrug16:22
lbragstadanother thing that i noticed in the spec is that the routes api would be open to all users16:22
edmondswlbragstad my earlier comment about not necessarily being able to do all role checks in middleware has to do with special cases like the actions APIs, a bunch of neutron APIs, etc.16:22
lbragstadoh - sure16:23
edmondswwhere the body of the request is important16:23
knikollaedmondsw: there is a follow up spec on the body16:23
lbragstadedmondsw: we wouldn't have to worry about that if we queried of the operation/policy16:23
edmondswknikolla yeah... but I don't buy that it will solve all cases16:23
edmondswknikolla do you have a link, or is that not written yet?16:23
lbragstadthere is a section in the reproposed spec on that work16:24
knikollaedmondsw: gimme a sec for the link.16:24
lbragstadi'm not sure if there is another spec proposed detailing those steps16:24
lbragstad#link https://review.openstack.org/#/c/452198/816:24
knikolla#link https://review.openstack.org/#/c/456974/16:24
knikollaedmondsw: ^^16:24
lbragstadoh - there is one16:25
edmondswknikolla yeah, that doesn't work as written16:25
edmondswway too simplistic16:25
lbragstadbut - i don't think we'd need that follow on spec if we replaced the URL with the operation16:25
knikollaedmondsw: please comment on your concerns16:25
edmondswwill do16:25
lbragstadi.e. compute:create_service instead of POST /v2/servers/16:25
edmondswlbragstad how would you replace the url with the operation, since the middleware doesn't know the operation?16:25
lbragstadedmondsw: exactly16:26
lbragstadedmondsw: that's the tough part16:26
lbragstadyou might be able to do it in the service, or oslo.policy somewhere16:26
lbragstadbut i think the operation would be a better fit, since multiple URLs can map to the same API16:26
knikollaedmondsw: we can work with nova to expand their actions api into separate urls. with their microversion support it shouldn't be hard.16:26
edmondswcould we have middleware-enabled services and non-middleware enabled services, and make the middleware-enabled ones provide a yaml or something that maps from POST /v2/servers to compute:create_service16:27
edmondswthen have the middleware expose compute:create_service to users, since that's what they know about?16:27
lbragstadyeah - that's an option16:27
knikollaedmondsw: yes. the check is enabled in the service.conf16:27
knikollaedmondsw: it's actually on an endpoint basis16:28
lbragstadeither way - we wouldn't have to store the url information in keystone for other service APIs16:28
lbragstadwhich goes back to usability (i.e. if an operator updates a role requirement for booting a server on one API but doesn't on another, now we have an inconsistency)16:28
knikollaedmondsw: lbragstad: during the transition period, role check in middleware is disabled by default, nothing changes unless explicitly changed. once services rework policy, they can guide their users to enable role check in middleware.16:29
edmondswknikolla yeah, we got that16:29
lbragstadknikolla: sure - that makes sense, but does it address the url concerns?16:29
edmondswno16:29
lbragstaddstanek: had a pile of them and i've been working with him to understand those16:30
knikollaedmondsw: it's up to the services.16:30
knikollalbragstad: *16:30
edmondswknikolla what is?16:30
lbragstadknikolla: what's up to the service?16:30
knikollain the future to have real REST-like apis instead of the actions api.16:31
knikollathe only solution without their work is check in the json body.16:31
lbragstadknikolla: why couldn't we check the operation key?16:32
knikollalbragstad: that's the proposal, to check the operation key in the json.16:32
lbragstadknikolla: no16:32
lbragstadknikolla: the policy key, sorry16:32
lbragstadcompute:create_server, compute:reboot_server, etc...16:33
edmondswknikolla we're not suggesting they transition to "real REST-like apis"... not going to happen16:33
knikollalbragstad: middleware has no knowledge of the mapping16:33
lbragstadknikolla: what would it take to get your proposal to adhere to that requirement then?16:33
lbragstadbecause if we could come up with a way to do what you want and solve that requirement, then i think you'll get buy in from several of the people who had concerns16:34
knikollalbragstad: a mapping from urls into policy keys. which is still the issue in middleware because there are similar urls.16:34
knikollalbragstad: a mapping (url, json key in the body) might solve that.16:35
lbragstadknikolla: yes - that's the problem16:35
knikollawhich brings me back to the role check on body key proposal. please comment on that about your concerns.16:36
lbragstadthat still requires keystone to store the URL16:36
knikollalbragstad: not necessarily.16:36
knikollalbragstad: it can be read from a conf file. but i think that is suboptimal.16:36
knikollasince middleware is deployed with the service16:37
lbragstadwhy can't we wait to query keystone for the required role until later in the request?16:37
knikollait has access to the service configuration, including policy.json16:37
lbragstadlike - why can't the service call out to keystone for that information once it knows exactly which operation it's doing16:37
knikollalbragstad: what would it benefit from for doing it that late?16:38
lbragstadbecause then the service knows the policy key it needs since it's processing the request (URL, body, method, etc..)16:38
knikollalbragstad: then the only thing that changes is that policy.json is stored as it is in keystone16:39
knikollalbragstad: however it has roles instead of overcomplicated rules16:39
lbragstadso instead of storing a bunch of URL for other services in keystone (which can be fragile) keystone only has to say "compute:create_server requires the member" role16:39
lbragstadthen we don't need a follow on spec for supporting json body parsing for complex (non-restful) APIs16:40
*** knangia has joined #openstack-meeting-cp16:40
knikollalbragstad: i don't have an argument against or pro, i defer to ayoung to answer that.16:40
lbragstadfair enough - it was just something that came up as i was reviewing it and reflecting on feedback about the storage or URLs :)16:41
knikollalbragstad: i thought about that too. i know that at some point there was a centralized/dynamic policy approach which was shut down. but that predates my keystone involvement.16:41
lbragstadthe difference between that approach and this one is that the dynamic policy stuff was a push of all existing policy files into keystone16:42
lbragstadso when a service needed a policy, it fetched it from keystone16:42
knikollawhile this is role check, gotcha.16:42
knikollaas i said. i don't have a strong argument against doing routes with policy keys instead of urls.16:43
knikollathe only thing is that16:43
knikollanow it needs to be in the service code16:43
lbragstadright16:43
knikollarather than keystonemiddleware code16:43
knikollaso we don't own that16:43
lbragstadyep16:43
lbragstadwhich is going to require cross-project communication in order to work16:43
lbragstadwhich isn't a bad thing16:43
lbragstadand that's something we can use project tags and community goals to get traction on if the TC thinks it's worth while16:44
knikollalbragstad: the actionable plan to split role check from scope check is still there16:44
knikollatask*16:44
knikollano matter how you look at it, that has to be done16:44
lbragstadagree - that makes sense16:44
lbragstadand some projects have already started working on that16:44
lbragstad(maybe just nova, but it's a start)16:45
knikollaand no matter how you look at it, that might break backwards compat with policy.sjon16:45
edmondswknikolla why do you say that?16:45
knikollaedmondsw: emphasis on might.16:45
edmondswmoving scope checks into code doesn't break backward compate16:45
samueldmqedmondsw: it depends16:46
edmondswnot really16:46
samueldmqthere might be complex rules that mix roles and scopes16:46
edmondswyes...16:46
knikollaedmondsw: depends on if you allow them to be ovewritten. if you don't, and someone used that, it will.16:46
samueldmqsplitting them might end up losing the power of defining those complex rules16:46
edmondswwhat is "them" in that sentence?16:46
knikollaedmondsw: policy rules with mixed scope and role.16:47
samueldmqin my sentence it's role+scope16:47
edmondswI haven't heard anyone propose that policy.json goes away, or that you can no longer do scope checks there16:47
lbragstadit would be possible for it to go away - but i'm not sure we could ever remove it16:48
samueldmqyes I believe by default it will be better, even if we change what we have to allow splitting role from scope16:48
samueldmqhowever people could still continue doing complex/complicated in their overrides in their policy.json, correct/16:48
knikollaedmondsw: then it's removing role checks from there. either way, something will change.16:48
lbragstadbut - that's something that needs to be done on a per service basis16:49
edmondswknikolla I'm not following16:49
samueldmqknikolla: from the default, I expect it to continue allowing it16:49
knikollaedmondsw: i'm moving too far head after the transition period.16:49
edmondswthat's fine... I'm thinking way ahead to.. but I'm not following your line of reasoning16:50
knikollaedmondsw: do we agree that policy.json needs to evolve eventually if we split role check?16:51
knikollaedmondsw: if we store it in keystone it will be there16:51
edmondswknikolla what is "there"?16:52
knikollaedmondsw: role check in keystone. either as a mapping with policy key -> role. or url -> verb -> etc -> role.16:52
edmondswknikolla default policy.json is going away, as we move policy defaults into code16:52
edmondswusing policy.json to override things, whether that is scope checks in code or role checks in middleware, is not going away16:53
knikollaedmondsw: including long after the transition period?16:54
edmondswknikolla yes16:54
edmondswever16:54
samueldmqmoving into code means moving into projects code16:54
edmondswyes16:54
samueldmqnot moving them all into keystone code16:54
edmondswright16:54
lbragstadcorrect - keystone should never have to deal with scope checks16:54
lbragstadIMO16:54
knikollalbragstad: i never mentioned scope checks into keystone16:55
lbragstadknikolla: just clarifying16:55
samueldmqlbragstad: except for its own scope checks that goes into its code :-)16:55
knikollaedmondsw: what i'm pointing to is: right now policy.json can override both role and scope. in response to lbragstad's concern about having two sources of truth for role checks, would we deprecate the possibility of having role checks in policy.json16:55
knikollaemphasis on eventually (which i forgot to write)16:56
edmondswknikolla I don't think so16:56
lbragstad4 minutes remaining16:57
samueldmqI think we still allow scope+roles checks in the policy.json files, for the sack of backward compatibility, even if we do not do it upstream (or do not advise it)16:57
samueldmqedmondsw: lbragstad is that correct?16:57
edmondswknikolla maybe if we really solve things in middleware... but again, I don't think bodykeys necessarily do that16:57
lbragstadprobably? but i'll defer to edmondsw16:57
knikollaedmondsw: that is fine.16:58
knikollaedmondsw: more ops choice :)16:58
lbragstadok - real quick16:58
knikollaedmondsw: as long as they don't mix them…16:58
lbragstadthere are a couple general documents i've proposed to specs that i'd like get reviews on (and i need to address samueldmq's comments)16:58
lbragstad#link https://review.openstack.org/#/q/status:open+project:openstack/keystone-specs+branch:master+topic:46034416:58
samueldmqlbragstad: ++ I will review the others too16:59
samueldmqand we're out of time, thanks lbragstad knikolla edmondsw o/16:59
lbragstadthey are in a linear series and i attempted to make it clear that they build on each other16:59
lbragstadthanks for coming - today was good16:59
knikollaplease reach out to me in -keystone for more rbac middleware concerns16:59
knikollai really want this merged :)16:59
hrybackithanks all o/16:59
lbragstadknikolla: will do16:59
lbragstad#endmeeting16:59
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings"16:59
openstackMeeting ended Wed May 31 16:59:57 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:59
openstackMinutes:        http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-05-31-16.00.html16:59
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-05-31-16.00.txt17:00
openstackLog:            http://eavesdrop.openstack.org/meetings/policy/2017/policy.2017-05-31-16.00.log.html17:00
*** zhipeng_ has quit IRC17:00
*** gagehugo has left #openstack-meeting-cp17:48
*** spilla has left #openstack-meeting-cp17:53
*** blancos has left #openstack-meeting-cp18:03
*** Rockyg has quit IRC18:08
*** nhelgeson has quit IRC18:54
*** rarcea_ has quit IRC20:21
*** harlowja has quit IRC21:21
*** jaugustine has quit IRC21:33
*** felipemonteiro has quit IRC21:53
*** felipemonteiro has joined #openstack-meeting-cp21:58
*** felipemonteiro__ has joined #openstack-meeting-cp21:59
*** edmondsw has quit IRC22:01
*** edmondsw has joined #openstack-meeting-cp22:01
*** felipemonteiro has quit IRC22:03
*** edmondsw_ has joined #openstack-meeting-cp22:03
*** edmondsw has quit IRC22:05
*** harlowja has joined #openstack-meeting-cp22:06
*** edmondsw_ has quit IRC22:07
*** felipemonteiro__ has quit IRC22:08
*** rockyg has joined #openstack-meeting-cp22:12
*** gouthamr has quit IRC22:20
*** sheeprine has quit IRC22:24
*** edmondsw has joined #openstack-meeting-cp22:31
*** edmondsw has quit IRC22:35
*** rockyg has quit IRC22:59
*** gouthamr has joined #openstack-meeting-cp23:12
« Tuesday, 2017-05-30 Index Thursday, 2017-06-01 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!