*** bhagyashris_ is now known as bhagyashris | 08:03 | |
gibi_summit | gmann: we are created the etherpad for the nova feedback session and mentioned SRBAC https://etherpad.opendev.org/p/nova-berlin-meet-and-greet | 09:06 |
gibi_summit | s/are// | 09:06 |
gibi_summit | feel free to add to it | 09:09 |
gibi_summit | actually, anybody, feel free to add to that etherpad ^^ | 09:10 |
chateaulav | Also see the etherpad for Emulation as well: https://etherpad.opendev.org/p/Emulation_going_beyond_local_QEMU | 09:54 |
sean-k-mooney | chateaulav: ^ sounds interesting | 10:07 |
*** dasm|ruck|off is now known as dasm|ruck | 13:32 | |
*** tbachman_ is now known as tbachman | 13:54 | |
*** dasm|ruck is now known as dasm|ruck|afk | 15:49 | |
gmann | gibi_summit: thanks. I added a few details there, but you or bauzas really need to explain what 'scope' means to get the feedback; otherwise it might be a very silent topic, as hardly anyone from operators understands the 'scope' concept - https://etherpad.opendev.org/p/nova-berlin-meet-and-greet#L52 | 16:58 |
gmann | gibi_summit: bauzas: the main goal is if we can get an answer to "is Scope useful for you?"; that will be great feedback for us to proceed on the community-wide goal. | 16:59 |
sean-k-mooney | gmann: right now we don't really have any usages of scope | 17:01 |
sean-k-mooney | well, we have system scope and project scope | 17:02 |
sean-k-mooney | but everything that is system scoped is all one scope | 17:02 |
gmann | sean-k-mooney: I did not get you completely. Can you please explain or rephrase? | 17:03 |
sean-k-mooney | we have scope_type system but system_scope:all? or something like that | 17:03 |
sean-k-mooney | we don't have, say, system:compute vs system:networking | 17:04 |
sean-k-mooney | so you can't grant system_admin on nova but nothing on other services | 17:04 |
sean-k-mooney | I'm trying to remember what that's actually called | 17:05 |
gmann | sean-k-mooney: ok, yes. That is why scope has to be explained in detail to have operators understand what it is, like you mentioned | 17:05 |
gmann | maybe showing the nova policy doc can help. | 17:06 |
sean-k-mooney | I'm not sure if the system:all thing still exists, by the way, based on https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html | 17:09 |
sean-k-mooney | I think that was from before we did the policy reset | 17:09 |
sean-k-mooney | https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html#authenticating-for-a-system-scoped-token | 17:10 |
gmann | sean-k-mooney: it is not a thing as per the new direction in Yoga ^^. We have isolated the 'scope' from check_str | 17:10 |
sean-k-mooney | its the "scope": { | 17:10 |
sean-k-mooney | "system": { | 17:10 |
sean-k-mooney | "all": true | 17:10 |
sean-k-mooney | part | 17:10 |
sean-k-mooney | https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html#authenticating-for-a-system-scoped-token | 17:10 |
gmann | yes, it was before, and that is why it was not useful, so we separated that out from check_str | 17:10 |
sean-k-mooney | ack | 17:11 |
sean-k-mooney | so I would not say it's not useful to have multiple systems | 17:11 |
sean-k-mooney | but we might not want to do it via the check string | 17:11 |
sean-k-mooney | eventually I think it would be nice to be able to issue a token that was read-only on, say, neutron but could do nothing on glance | 17:12 |
sean-k-mooney | I'm not sure how to model that, but that was the original use case for system:all vs system:compute | 17:13 |
sean-k-mooney | when I say token I really am thinking of app credentials, by the way | 17:14 |
sean-k-mooney | it would be nice to be able to generate an app credential that had much more fine-grained scope | 17:15 |
gmann | yeah, with no scope coupled in check_str we cannot have SYSTEM_READER until we enable scope by default and make it non-configurable | 17:15 |
sean-k-mooney | anyway, that's probably a different topic than you wanted feedback on | 17:16 |
sean-k-mooney | one day it would be nice if openstack could support the same application-keys-like functionality you get with github or other modern APIs | 17:17 |
sean-k-mooney | https://docs.github.com/en/rest/overview/permissions-required-for-github-apps | 17:20 |
sean-k-mooney | they map all API endpoints to a permission, which is like a role | 17:21 |
sean-k-mooney | and then you create a token with a set of permissions and either read or write capability on each | 17:21 |
sean-k-mooney | some day it would be nice if you could do the same with keystone app credentials, or just in general | 17:22 |
gmann | yeah, it may be good to have it separate, as it can make things more complex to understand | 17:25 |
gmann | gibi_summit: bauzas I created a central etherpad to get RBAC feedback from various forums/places, and linked it in the nova etherpad also; please use that https://etherpad.opendev.org/p/rbac-operator-feedback | 17:26 |
opendevreview | Takashi Kajinami proposed openstack/placement master: Update python testing as per zed cycle testing runtime https://review.opendev.org/c/openstack/placement/+/845059 | 23:15 |