*** amoralej|off is now known as amoralej | 10:28 | |
*** pojadhav is now known as pojadhav|brb | 11:28 | |
*** pojadhav|brb is now known as pojadhav | 12:25 | |
*** amoralej is now known as amoralej|lunch | 13:09 | |
*** pojadhav is now known as pojadhav|brb | 13:15 | |
*** tosky is now known as Guest7142 | 13:37 | |
*** tosky_ is now known as tosky | 13:37 | |
*** pojadhav|brb is now known as pojadhav | 13:45 | |
*** amoralej|lunch is now known as amoralej | 14:07 | |
*** ykarel is now known as ykarel|away | 14:27 | |
*** pojadhav is now known as pojadhav|afk | 14:46 | |
opendevreview | Lance Bragstad proposed openstack/governance master: Rework the yoga secure RBAC community goal https://review.opendev.org/c/openstack/governance/+/815158 | 15:22 |
lbragstad | mnaser gmann ^ updated with the new phase ordering | 15:22 |
lbragstad | should be up-to-date and addresses dansmith's most recent comments | 15:22 |
gmann | lbragstad: ack, also Brian commented that system reader might be more useful in phase2 or service role | 15:25 |
lbragstad | gmann i'll let dansmith and brian battle that one out :) | 15:26 |
gmann | lbragstad: but I am not much worried about the phase2/3 ordering and let's merge this and start phase1. later after discussion we can reorder too | 15:26 |
gmann | lbragstad: yeah and we have time for that so that do not block the current goal to merge | 15:26 |
dansmith | I think service role has a huge amount of actual benefit | 15:27 |
dansmith | system-reader may be useful for some people, although I haven't heard anyone clamoring for it, while service role makes *everyone* more secure | 15:27 |
gmann | dansmith: I am thinking for Audit but that can be done with system admin but yeah let's discuss those later | 15:28 |
lbragstad | i do know some people need system-reader, but it's not a universal request like project-reader would be | 15:28 |
lbragstad | s/would be// | 15:28 |
gmann | ricolin: mnaser please check this and re-vote and other tc-members too https://review.opendev.org/c/openstack/governance/+/815158 | 15:29 |
lbragstad | and yeah - locking down service communication is a big won | 15:29 |
lbragstad | win* | 15:29 |
dansmith | yeah, I'm not saying it has no purpose, just a very limited subset.. *everyone* has a service role today, and either has to define their own to make it secure, or use the default which is way too much power | 15:29 |
lbragstad | ++ | 15:29 |
gmann | yeah. | 15:31 |
lbragstad | also - i think that's even more apparent now that we're keeping system completely separate from project resources (e.g., i can't use system-reader to list all instances in the deployment) | 15:32 |
opendevreview | Ghanshyam proposed openstack/governance master: Select secure and consistent RBAC as a community-wide goal https://review.opendev.org/c/openstack/governance/+/818817 | 15:32 |
gmann | lbragstad: dansmith ^^ just rebased this goal selection patch too. | 15:32 |
gmann | tc-members: and this too which needs formal-vote https://review.opendev.org/c/openstack/governance/+/818817 | 15:33 |
gmann | lbragstad: good point. and system reader needs enforce_scope=True by default so moving to phase-3 makes sense to me now. | 15:36 |
opendevreview | Ghanshyam proposed openstack/governance master: Move completed goals into the completed directory https://review.opendev.org/c/openstack/governance/+/818845 | 16:12 |
*** amoralej is now known as amoralej|off | 16:29 | |
opendevreview | Lance Bragstad proposed openstack/governance master: Address followup comments to secure RBAC community goal https://review.opendev.org/c/openstack/governance/+/819664 | 18:03 |
opendevreview | Lance Bragstad proposed openstack/governance master: Address followup comments to secure RBAC community goal https://review.opendev.org/c/openstack/governance/+/819664 | 18:04 |
*** tosky is now known as Guest7167 | 20:17 | |
*** tosky_ is now known as tosky | 20:17 | |
lbragstad | yoctozepto just checking if https://review.opendev.org/c/openstack/governance/+/815158 is good to go now that we've pulled the other changes into a separate patch | 21:40 |
lbragstad | or is there still something you'd like me to change in 815158? | 21:40 |
*** tosky_ is now known as tosky | 21:57 |