Tuesday, 2023-02-28

<yasufum-o> hi tacker team. [08:00]
<takahashi-tsc> hi [08:00]
<manpreetk_> hi [08:00]
<ueha> hi [08:00]
<yasufum-o> #startmeeting tacker [08:01]
<opendevmeet> Meeting started Tue Feb 28 08:01:42 2023 UTC and is due to finish in 60 minutes.  The chair is yasufum-o. Information about MeetBot at http://wiki.debian.org/MeetBot. [08:01]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [08:01]
<opendevmeet> The meeting name has been set to 'tacker' [08:01]
<yasufum-o> #link https://etherpad.opendev.org/p/tacker-meeting [08:02]
<yasufum-o> Three topics on the etherpad. [08:02]
<yasufum-o> all of mine. [08:02]
<yasufum-o> For first one, it's under discussion, but might be going to move them under tacker because of historical reasons between tacker and these projs. [08:04]
<yasufum-o> And second one, no update today. [08:04]
<yasufum-o> Is there any comment, or move on to the last topic? [08:04]
<takahashi-tsc> I think OK [08:04]
<yasufum-o> good [08:05]
<yasufum-o> Let's move on to. [08:06]
<yasufum-o> I've uploaded my draft on [08:06]
<yasufum-o> #link https://etherpad.opendev.org/p/tacker-forum-feedback-for-etsi-nfv-usecases [08:06]
<yasufum-o> as I told to do so last meeting. [08:07]
<yasufum-o> For system's perspective, it's 751 chars while the limitation is 1000 chars for registering :) [08:09]
<yasufum-o> I'm not sure everyone already reviewed it, please give your comment on, or it's also OK to add your comment after the draft overview later. [08:10]
<ueha> Thank you. I think it's good. If there is any comment, I will write it on the etherpad. [08:13]
<yasufum-o> thanks [08:14]
<yuta-kazato> Thanks for updating. I will review and write additional comments if needed :) [08:14]
<yasufum-o> takahashi-tsc: By the way, thanks for your update [08:14]
<yasufum-o> for cross-community discussion. [08:14]
<takahashi-tsc> Sorry for the late... [08:16]
<yasufum-o> I think integration and testing must be one of the most interested topic among people will join our session. [08:16]
<yasufum-o> Thanks all for the comments. [08:17]
<yasufum-o> Although the deadline of the registration for forum is 21st Apr, not so soon, but I'd like to update the draft before the next meeting if it's required. [08:19]
<yasufum-o> So, all topics done for today. [08:20]
<yasufum-o> Is there any other topic should be shared for now? [08:21]
<ueha> Just sharing, the Zuul CI error that occurred for several days no longer occurs. [08:22]
<yasufum-o> thx [08:23]
<ueha> RC1 is soon, so let's promote reviewing and merging. :) that's all. [08:23]
<yuta-kazato> +1 [08:25]
<yasufum-o> ueha, takahashi-tsc: As you may notice, it's remained just one patch on tacker-horizon. [08:25]
<yasufum-o> #link: https://review.opendev.org/c/openstack/tacker-horizon/+/867622 [08:25]
<manpreetk_> yasufum-o: The author has placed -1 in workflow. [08:26]
<yasufum-o> Without any reason. [08:26]
<manpreetk_> Hmm we can ask author to comment or share direction [08:27]
<yasufum-o> manpreetk: Do you know anything about it? [08:27]
<manpreetk_> I'll ask the author to update it ASAP. [08:27]
<yasufum-o> I've already given +2 because it looks good to catchup such a dependency and the deadline of RC1 for tacker-horizon is the same as tacker. [08:29]
<yasufum-o> I think it might be OK to fix antelope tacker-horizon, but still better it's merged before. [08:30]
<yasufum-o> Thanks. [08:30]
<takahashi-tsc> I also think the patch itself is OK, but agree with manpreet, i.e. need to confirm with the author. [08:30]
<manpreetk_> Yes will try to get the confirmation before RC1 deadline. Thanks!! [08:31]
<ueha> +1 [08:31]
<yasufum-o> Is there any other topic, or close this meeting? [08:31]
<yasufum-o> good [08:33]
<yasufum-o> I hope all patches for antelope will be merged before the end of RC1 week. [08:34]
<yasufum-o> Anyway, let's close this meeting. [08:34]
<yasufum-o> Thanks for joining, bye. [08:35]
<manpreetk_> Thanks and Bye! [08:35]
<ueha> thanks, bye [08:35]
<yasufum-o> #endmeeting [08:35]
<opendevmeet> Meeting ended Tue Feb 28 08:35:22 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [08:35]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/tacker/2023/tacker.2023-02-28-08.01.html [08:35]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/tacker/2023/tacker.2023-02-28-08.01.txt [08:35]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/tacker/2023/tacker.2023-02-28-08.01.log.html [08:35]
<yuta-kazato> bye [08:37]
*** kopecmartin_ is now known as kopecmartin [15:00]
<gmann> #startmeeting policy_popup [17:02]
<opendevmeet> Meeting started Tue Feb 28 17:02:29 2023 UTC and is due to finish in 60 minutes.  The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot. [17:02]
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [17:02]
<opendevmeet> The meeting name has been set to 'policy_popup' [17:02]
<gthiemonge> o/ [17:03]
<gmann> #link https://etherpad.opendev.org/p/rbac-goal-tracking#L154 [17:03]
<gmann> nothing on agenda but I will be around to answer/discuss if anything [17:03]
<gmann> gthiemonge: o/ [17:03]
<gthiemonge> gmann: hey, I'm trying to fix the policies in Octavia, we still have some code from the previous specs [17:04]
<gthiemonge> so I have this change: [17:05]
<gthiemonge> https://review.opendev.org/c/openstack/octavia/+/875620 [17:05]
<gthiemonge> it switches the scope_types['system'] to scope_types['project'] [17:05]
<gthiemonge> and it makes the legacy admin an admin [17:05]
<gmann> +1 [17:05]
<gthiemonge> i wanted to check if the s/'system'/'project'/ is fine [17:05]
<gmann> yes, we need to make every policy rule to be scope to 'project' [17:06]
<gthiemonge> ack [17:06]
<gmann> in addition to that, introducing the project_reader role is important [17:06]
<gthiemonge> there's project-reader on line 67 [17:07]
<gthiemonge> I'll double check that [17:07]
<gmann> I see. [17:08]
<gmann> I will review your patch today in case anything missing but thanks for working on this [17:08]
<johnsom> I have a question here, isn't that "scope" setting just going to be ignored if scopes aren't enabled in the config? [17:08]
<gthiemonge> thanks gmann [17:09]
<johnsom> oslo.policy should just ignore it if enforce_scope is False right? [17:10]
<gmann> johnsom: yes, if enforce_scope is false then oslo policy does not check scope [17:10]
<gmann> yes [17:10]
<gmann> it will add warning but no error [17:10]
<johnsom> So shouldn't we just start removing all of that? [17:10]
<gmann> we can and that is long term plan but we need this to be configurable during transition period. so that operators have time to move things to new policy [17:11]
<gmann> but yes at the end enforce_scope flag should be removed. 1. make it default to True (like nova, glance did) 2. and then plan to remove at some point [17:12]
<johnsom> What? ??? [17:12]
<gmann> you asked about enforce_scope right? [17:12]
<johnsom> I thought you had previously said scope was not going to happen [17:13]
<gmann> every policy to be scoped to 'project' [17:13]
<gmann> means if anyone using system scope token we can fail early with 403 [17:13]
<johnsom> I thought the new change was scoped tokens are not going to ever be enabled, so scope is no longer a thing and will always be False [17:13]
<gmann> no. ok so thing is system scope is no longer a thing means every policy rule is default to project scope. this way if anyone using system scope token say (system admin) then it will reject early at API validation itself [17:14]
<gmann> all policy scope to project help us to give correct error message to operators instead of failing with system scope token in lower layer and confusing error message [17:15]
<gmann> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#change-in-scope-implementation [17:16]
<johnsom> Sigh [17:16]
<gmann> johnsom: ^^ that paragraph explain about scope thing [17:17]
<johnsom> So, scope_types=[constants.RBAC_SCOPE_PROJECT] in the policy in code, those lines can go away right? Or do they have to stay and all just be set to PROJECT? [17:17]
<gmann> constants.RBAC_SCOPE_PROJECT is 'project' right? [17:17]
<johnsom> yes [17:18]
<gmann> so this will stay here. we do not need to remove it [17:18]
<gmann> so that system scope token usage can get 403 at early fail [17:18]
<gmann> you can just remove constant and just say scope_type=['project'] [17:19]
<gmann> but either way you like defined 'project' as constant or direct [17:19]
<johnsom> No, we use constants to save RAM. I was just asking why even specify that if all of the policies are going to be project only. [17:20]
<gmann> ok, it is just to early fail system token with 403 [17:21]
<johnsom> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L1254 [17:21]
<johnsom> Ah, it doesn't default to project [17:21]
<gmann> yeah it is None by default [17:22]
<gmann> one good example for its benefit is nova server operation. many of it need project_id and system scope token does not have project_id so if system scope token are used it might fail somewhere in DB or other lower layer and error might be confusing. to avoid that raising 403 for system scope token is helpful [17:24]
<johnsom> Oh I know the heck I went through to deal with system scoped tokens and no project ID [17:25]
<johnsom> Months of wasted time [17:25]
<gmann> yeah [17:27]
<gmann> johnsom: gthiemonge: anything else to discuss for today? [17:29]
<gmann> FYI, there is magnum policy change also in progress. I did not get chance to review it but that is in my list for today #link https://review.opendev.org/c/openstack/magnum/+/875625/2 [17:30]
<gthiemonge> gmann: no, that's it for me, thanks [17:30]
<johnsom> I don't have anything else. [17:31]
<gmann> ok thanks for joining. let's close for today [17:31]
<gmann> #endmeeting [17:32]
<opendevmeet> Meeting ended Tue Feb 28 17:32:08 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [17:32]
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/policy_popup/2023/policy_popup.2023-02-28-17.02.html [17:32]
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/policy_popup/2023/policy_popup.2023-02-28-17.02.txt [17:32]
<opendevmeet> Log:            https://meetings.opendev.org/meetings/policy_popup/2023/policy_popup.2023-02-28-17.02.log.html [17:32]
