22:02:29 <david-lyle> #startmeeting Horizon
22:02:30 <openstack> Meeting started Tue Aug  6 22:02:29 2013 UTC and is due to finish in 60 minutes.  The chair is david-lyle. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:02:31 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:02:33 <openstack> The meeting name has been set to 'horizon'
22:02:47 <david-lyle> There we go
22:02:48 <jcoufal> nice david-lyle
22:02:54 <jcoufal> hey everybody
22:02:55 <gabrielhurley> I do have one note, which is that if you've heard about the new CRIME/BREACH security news today the short version is that yes, Horizon is vulnerable along with most of the rest of the web, but that there's not much we can immediately do. Best thing to do for now is just to add some info on disabling gzip body compression to the docs.
22:03:22 <gabrielhurley> I can go into more detail later, or may send something to the list
22:03:49 <gabrielhurley> the scope/scale of the attack is still somewhat limited for django-based apps, thankfully
22:04:22 <gabrielhurley> at best you can compromise one session for the duration of that session, and there are *lots* of ways to steal a token in OpenStack currently (sadly)
22:04:43 <gabrielhurley> that's about it for me
22:04:50 <gabrielhurley> I'll lurk, but I leave the meeting to y'all
22:05:18 <jcoufal> gabrielhurley: could you send more info into the list?
22:05:53 <gabrielhurley> sure
22:06:04 <jcoufal> thanks
22:06:07 <david-lyle> #topic Blueprints
22:06:29 <jpich> jcoufal: fyr: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
22:07:04 <jcoufal> jpich: oh, thank you, this is useful
22:07:05 <david-lyle> thanks jpich
22:07:14 <Vasiliy> Hi all! Also please take a look at new blueprint - https://blueprints.launchpad.net/horizon/+spec/boot-from-volume-type-image
22:07:32 <Vasiliy> it's small implementation of new Nova feature
22:08:41 <jcoufal> I have few blueprints here waiting for approvals
22:09:08 <jcoufal> one is about navigation enhancements, we already discussed that, but it's waiting for approval: https://blueprints.launchpad.net/horizon/+spec/navigation-enhancement
22:09:58 <jcoufal> david-lyle: would you be so kind to have a look on it, since you are involved? ^
22:10:56 <david-lyle> jcoufal: sure
22:11:08 <jcoufal> david-lyle: thanks
22:11:29 <lcheng> Update for https://blueprints.launchpad.net/horizon/+spec/group-role-assignment, I've split this into two patches to make it easier to review. The first patch would be just for refactoring the project-user assignment page.  Then the second patch will cover the actual project-group assignment.
22:11:34 <kspear> Vasiliy: is that different from https://blueprints.launchpad.net/horizon/+spec/improved-boot-from-volume ?
22:11:54 <Vasiliy> kspear: let me check
22:11:56 <kspear> lcheng: thanks for that. will review both asap
22:12:48 <jcoufal> there are two more new BPs, both are related more to OpenStack Dashboard improvements
22:12:58 <lcheng> kspear: I haven't submitted the second patch, just in case I need to make some fixes for the first patch. :)
22:13:12 <jcoufal> Upgrading Twitter Bootstrap to v3: https://blueprints.launchpad.net/horizon/+spec/bootstrap-update
22:13:27 <jcoufal> Moving to font-icons: https://blueprints.launchpad.net/horizon/+spec/font-icons
22:13:57 <jcoufal> if anybody can have a look as well on these two ^^
22:14:01 <dvarga> https://blueprints.launchpad.net/horizon/+spec/horizon-rootwrap new, wanting to pull in openstack common rootwrap for use by plugin writers.  Just want to get it on the radar so people can provide feedback.
22:15:21 <david-lyle> that change scares me a bit
22:15:35 <kspear> lcheng: fair enough. will review the first one then :)
22:16:21 <david-lyle> dvarga: if we go forward with it, is there a way to make that a configuration option?
22:16:22 <kspear> dvarga: my first thought was can't you use rootwrap in your own tool? it doesn't seem like a massive benefit for this to be in horizon
22:17:13 <dvarga> david-lyle: If you do not supply any filters (none will be shipped by default) the command will not be executed
22:18:02 <dvarga> kspear: I could bundle it myself, but if other plugins would want this functionality it would be easier to make horizon a bit more extensible for anyone to use
22:18:20 <Vasiliy> kspear: thanks - you are right, this blueprint https://blueprints.launchpad.net/horizon/+spec/improved-boot-from-volume already includes feature from blueprint https://blueprints.launchpad.net/horizon/+spec/boot-from-volume-type-image.
22:19:07 <david-lyle> ok, I'll look at it again, but I think kspear has a valid point
22:19:17 <dvarga> https://wiki.openstack.org/wiki/Nova/Rootwrap goes into more detail on how that all works.  But basically if the command isn't listed in one of those filters it will not run
22:20:16 <kspear> Vasiliy: okay. would be good to coordinate with the assignee of the other bp and see what the plan is
22:20:21 <jpich> Vasiliy: Feel free to reach out to the current assignee to see if he could use a hand, if you'd like to help with the feature
22:20:39 <david-lyle> I've been working on https://blueprints.launchpad.net/horizon/+spec/rbac
22:21:18 <david-lyle> the main issue I've come across is that no services seem to be loading their policy.json files into keystone yet
22:21:31 <Vasiliy> jpich: ok - thanks - I will touch to him
22:21:32 <david-lyle> just reading them from the file-system
22:22:06 <david-lyle> does anyone have an installation where policy files are uploaded in keystone?
22:22:41 <kspear> david-lyle: i think if horizon could interpret its own policy.json that would be a good start
22:23:10 <david-lyle> but essentially Horizon's is the union of the services
22:23:53 <kspear> david-lyle: i wonder if this is something that really belongs in the python-*clients. how do we map policy entries to endpoints?
22:23:57 <gabrielhurley> dvarga: I'll have to look into that one. It's definitely not a Havana target, and I'd have to see some compelling use cases for what you'd want to run as root on the webserver. That's a pretty nasty potential vulnerability vector when mostly you should be talking to service via APIs.
22:24:41 <david-lyle> So I'd like to propose copying keystone's for now and honoring that, get the policy engine going and working and then either expand to have policy files from the other services as well
22:25:00 <david-lyle> and eventually pull them from keystone
22:25:49 <dvarga> gabrielhurley: thanks.  Basically the plugin I'm developing would be collecting diagnostic data and logs (sosreport) and that needs to run as root.  Rootwrap gives some nice filtering and restrictions which don't open it up to running arbitrary commands as root.
22:25:57 <gabrielhurley> david-lyle: starting with keystone's seems reasonable.
22:26:37 <gabrielhurley> dvarga: mostly I'm leery of other things even running in the same execution context as Horizon. that seems like the wrong place to start.
22:26:56 <gabrielhurley> dvarga: when I deploy a webservice I want it to be as isolated as possible.
22:27:00 <david-lyle> gabrielhurley: that may be the scope for Havana-3
22:27:29 <david-lyle> depending on how many distractions I have
22:27:39 <gabrielhurley> david-lyle: if that's what makes sense I'd certainly like to see the initial proof-of-concept so we know what work is ahead of us to take it the rest of the way
22:27:53 <gabrielhurley> it's a major undertaking, I'm aware
22:27:57 <david-lyle> absolutely
22:28:25 <david-lyle> I think once the first one's in the others should come quickly, but retrofitting to read from keystone will be another larger work item
22:28:56 <gabrielhurley> interesting. I'd expect that to be relatively easy compared to the initial "parse this and do the right thing"
22:29:09 <gabrielhurley> it should be the same exact data, just one fetched via API and one read from disk
22:29:24 <david-lyle> well, most of the engine comes from oslo
22:29:43 <david-lyle> just need to add the policy checks around the calls
22:29:48 <gabrielhurley> gotcha
22:29:52 <gabrielhurley> well, we'll see
22:30:30 <kspear> david-lyle: that's what i'm wondering about. will there be a one to one mapping between policy checks in keystone and the actual api routes?
22:30:30 <david-lyle> #topic Discussion
22:31:21 <david-lyle> kspear: pretty much, although the Keystone file is not exhaustive for all potential api calls
22:31:31 <Vasiliy> sammiestoel: Hi Sam, I'd like help you with features on blueprint https://blueprints.launchpad.net/horizon/+spec/improved-boot-from-volume We started working on the same improvements https://blueprints.launchpad.net/horizon/+spec/boot-from-volume-type-image
22:32:24 <kspear> david-lyle: okay, that should make things easier
22:32:42 <kspear> so i hear that feature freeze is September 5
22:33:02 <kspear> September 4*
22:33:26 <david-lyle> 1 month, it's coming quickly
22:33:28 <kspear> so it'd be good to get code for bps up within around 2 weeks
22:33:39 <kspear> david-lyle: it really is
22:34:25 <david-lyle> jpich: do you know where the ceilometer integration stands?
22:34:31 <jpich> Vasiliy: I don't think he's on IRC at the moment, his nickname starts with "Samos". There is a "Contact this user" link on his user page on launchpad, you might want to use that instead.
22:34:55 <jpich> david-lyle: Waiting on UX feedback still I think
22:35:20 <Vasiliy> jpich: thanks
22:35:21 <jcoufal> jpich: is that? where is it happening?
22:35:38 <david-lyle> ok, I see it out there for review all the time, just want to make sure I'm not ignoring it for the wrong reason :)
22:35:56 <jcoufal> I can have a look on that
22:36:03 <jcoufal> if needed
22:36:23 <jpich> jcoufal: Looks like you already replied to Brooklyn in the UX community :) Would love actionable feedback, even if it's just a start to be improved on later
22:36:48 <jcoufal> ah, that's the one
22:36:50 <jcoufal> ok
22:37:10 <jpich> david-lyle: It'd be cool to get the API bits merged for a start, though there are some review comments on it that don't seem to have been taken into account it
22:37:23 <jpich> It's on my TODO to poke at the reviews again...
22:37:50 <david-lyle> seems like it will need to land in the next week or two
22:38:29 <jcoufal> talking about UX
22:38:36 <jcoufal> I have one thing to bring up
22:38:51 <jcoufal> there is ongoing voting for new tool for UX discussions
22:39:07 <jpich> Thanks so much for driving this jcoufal
22:39:49 <jcoufal> it is for all of developers, if you will need help with UX question that would be the tool where to start
22:40:18 <jcoufal> so, whoever is interested, feel free to participate here: http://www.surveymonkey.com/s/MNGV8D5
22:40:38 <jcoufal> deadline is until Friday midnight (GMT)
22:40:47 <david-lyle> just need time to checkout Discourse
22:40:51 <pcm_> vote early vote often :)
22:41:15 <david-lyle> a Chicago voter in the house
22:41:25 <jcoufal> jpich: np, I am happy we moved forward
22:41:38 <lifeless> ttx: sorry, I need to put the meeting in my calendar :(
22:42:18 <david-lyle> Seems like we're winding down, any other issues/topics?
22:44:22 <david-lyle> looks like we're good. Thanks everyone!
22:44:29 <jpich> Thanks
22:44:33 <david-lyle> #endmeeting