Thursday, 2019-12-12

Sundar49#startmeeting openstack-cyborg03:00
Sundar49Hi all03:00
chenkeHi all.03:01
chenkeinfo chenke.03:01
chenkeinfo# chenke03:01
Yumeng#info Yumeng03:01
Sundar49Hi chenke, Yumeng03:01
YumengHi Sundar4903:01
Sundar49Let's give a min for folks to join03:01
wangzhhHi all.03:02
YumengI just added to the policy page03:02
Sundar49Yumeng: nice!03:02
Sundar49Good, let's get started03:03
s_shogo#info s_shogo03:04
Sundar49Anything to add?03:04
Sundar49#topic Secure_Default_Policies_Popup_Team03:04
Yumengmainly three questions need to discuss with you guys. please take a look at the bottom of
Sundar49Yumeng, could you explain to us what's happening in this area?03:05
Sundar49What do the terms mean, member vs. reader?03:06
Sundar49Yumeng: ^03:08
Yumengemmm. to be simple. the main problem today is that: 1) admin everywhere 2) insecure custom roles: many policy rules simply use "" as the rule 3) not support read-only03:08
Sundar49Our RBAC policies allow for admin and user roles, I think. Are we considering more roles, like member and reader?03:10
Yumengthis means sometimes users may have too much or not enough privileges03:10
Sundar49Have there been any meetings across the popup team?03:11
Yumengsomething like that. 1) we need consistent admin over all openstack projects 2) we need to have read-only03:11
Yumeng3) we can have a scoped-RBAC including project-scope and system-scope03:12
Sundar49I see. So you could have a project-scope admin?03:12
Yumengyes. project-scope works for most of our current cases. maybe we need to consider adding system-scope for device related RBAC03:13
Yumengemmm. seems I need to propose a spec to describe this in more detail03:14
Sundar49Re. the question about cyborg:arq:create, I agree that allowing any user to create an ARQ is too liberal, esp. because the ARQ creator can also program the device.03:14
Sundar49Yea, a spec would be welcome03:14
Yumengyes. I have the same concerns on cyborg:arq:create03:15
Sundar49How do we fix that?03:15
xinranwangHi all, sorry for being late03:16
Yumengshould we change to admin?03:16
YumengI was wondering why the initial design was allowing any user?03:17
YumengDoes anyone know that?03:17
Sundar49That is too restrictive. We want some authorized users to create, and others should be forbidden.03:17
Sundar49I mean: ^ for admin03:17
Sundar49Does it make sense to have granular roles like, device profile reader/writer, ARQ reader/writer etc.?03:18
Yumengsundar49: emmm seems no writer, only reader03:19
Sundar49Who can POST device profiles, PATCH arqs, etc.? Apart from admin?03:20
Sundar49Yumeng, chenke, xinranwang, wangzhh: ^03:21
chenkeI only use admin to create device_profile.03:22
xinranwangI think only admin03:22
Sundar49admin in project scope?03:22
wangzhhemmm Yep. I remembered that we discussed it before. And only admin allowed.03:23
Sundar49Yumeng: So, the next step is that we need to review this table in the wiki?03:24
Sundar49are you included in any meetings they have for this ?03:24
Sundar49If anybody has any thoughts, please speak up.03:26
Sundar49#topic Devstack components for multi-node03:27
Sundar49Shaohe's table: end of
Sundar49Any further comments?03:27
Sundar49If not, shall we close this as final?03:28
chenkeI have one.03:29
chenke9. agent enabled_drivers                              N                               Y                                N03:29
chenkeagent enabled_drivers?03:29
Sundar49chenke, what is the comment?03:30
chenkeI think cyborg-agent node's conf need this .03:30
Sundar49Oh yes, it should be N N Y03:31
Sundar49Please write that in the etherpad03:31
Sundar49Thanks, chenke. Anything else?03:31
YumengSundar49: not yet. I just talked to zhurong. his idea is that this can be flexible. we can either use admin directly to post ARQ or use any user to make this post request to a system user to help do this post and return results.03:32
chenkeabout 10.  api ramdisk_heartbeat_timeout03:32
chenkeI don't know why we need this03:33
YumengSundar49: I will propose a spec today and welcome you guys to discuss.03:33
Sundar49Yumeng: when a user wants to launch a VM with accelerators, he needs the ability to POST and PATCH ARQs, right? Does he have to ask the admin to create the VM?03:33
Sundar49Yumeng: ok, we can discuss in the spec03:34
Sundar49chenke: I don't see a reason for it either. We can probably drop it.03:35
Sundar49Ok, moving on03:36
Sundar49For functional testing, we don't have Li today03:36
*** openstack changes topic to "Programming (Meeting topic: openstack-cyborg)"03:37
Sundar49API proposal:
Sundar49Has anybody reviewed this yet?03:37
Sundar49s_shogo, would you like to bring up or discuss your patch?03:39
s_shogoYap, my patch relates to the bottom of the proposal, > "Update FPGA user logic (bitstream)"03:39
Sundar49My first comment is, it probably needs more validation :)  Validation of inputs, Needs some checks: is the bitstream id valid, is the bitstream already programmed, is the deployable in use, etc.03:41
Sundar49Also, UT03:41
s_shogoThere is no specific topic, so03:41
s_shogoThank you Sundar49, I'll improve that.03:42
Sundar49Before we move onto other things, have you all had a chance to look at the comments in
Sundar49This will have impact on Cyborg side too03:44
chenkeOk. Will look at it after meeting.03:45
*** openstack changes topic to "Storyboard, specs, patches (Meeting topic: openstack-cyborg)"03:45
Sundar49I know there is a long list of specs and patches for me to look at :). Does anybody want to raise anything specific to expedite?03:46
Sundar49Very quiet meeting today :)03:47
Sundar49Ok, I'm going to keep chugging on Nova side. Please ping me if you have comments/questions/concerns03:48
Sundar49Have a good day, everybody!03:48
Yumengbye. see you03:48
