22:02:29 #startmeeting Horizon
22:02:30 Meeting started Tue Aug 6 22:02:29 2013 UTC and is due to finish in 60 minutes. The chair is david-lyle. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:02:31 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:02:33 The meeting name has been set to 'horizon'
22:02:47 There we go
22:02:48 nice david-lyle
22:02:54 hey everybody
22:02:55 I do have one note, which is that if you've heard about the new CRIME/BREACH security news today the short version is that yes, Horizon is vulnerable along with most of the rest of the web, but that there's not much we can immediately do. Best thing to do for now is just to add some info on disabling gzip body compression to the docs.
22:03:22 I can go into more detail later, or may send something to the list
22:03:49 the scope/scale of the attack is still somewhat limited for django-based apps, thankfully
22:04:22 at best you can compromise one session for the duration of that session, and there are *lots* of ways to steal a token in OpenStack currently (sadly)
22:04:43 that's about it for me
22:04:50 I'll lurk, but I leave the meeting to y'all
22:05:18 gabrielhurley: could you send more info into the list?
22:05:53 sure
22:06:04 thanks
22:06:07 #topic Blueprints
22:06:29 jcoufal: fyr: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
22:07:04 jpich: oh, thank you, this is useful
22:07:05 thanks jpich
22:07:14 Hi all! Also please take a look at new blueprint - https://blueprints.launchpad.net/horizon/+spec/boot-from-volume-type-image
22:07:32 it's a small implementation of a new Nova feature
22:08:41 I have a few blueprints here waiting for approvals
22:09:08 one is about navigation enhancements, we already discussed that, but it's waiting for approval: https://blueprints.launchpad.net/horizon/+spec/navigation-enhancement
22:09:58 david-lyle: would you be so kind to have a look on it, since you are involved? ^
22:10:56 jcoufal: sure
22:11:08 david-lyle: thanks
22:11:29 Update for https://blueprints.launchpad.net/horizon/+spec/group-role-assignment, I've split this into two patches to make it easier to review. The first patch would be just for refactoring the project-user assignment page. Then the second patch will cover the actual project-group assignment.
22:11:34 Vasiliy: is that different from https://blueprints.launchpad.net/horizon/+spec/improved-boot-from-volume ?
22:11:54 kspear: let me check
22:11:56 lcheng: thanks for that. will review both asap
22:12:48 there are two more new BPs, both are related more to OpenStack Dashboard improvements
22:12:58 kspear: I haven't submitted the second patch, just in case I need to make some fixes for the first patch. :)
22:13:12 Upgrading Twitter Bootstrap to v3: https://blueprints.launchpad.net/horizon/+spec/bootstrap-update
22:13:27 Moving to font-icons: https://blueprints.launchpad.net/horizon/+spec/font-icons
22:13:57 if anybody can have a look as well on these two ^^
22:14:01 https://blueprints.launchpad.net/horizon/+spec/horizon-rootwrap new, wanting to pull in openstack common rootwrap for use by plugin writers. Just want to get it on the radar so people can provide feedback.
22:15:21 that change scares me a bit
22:15:35 lcheng: fair enough. will review the first one then :)
22:16:21 dvarga: if we go forward with it, is there a way to make that a configuration option?
22:16:22 dvarga: my first thought was can't you use rootwrap in your own tool? it doesn't seem like a massive benefit for this to be in horizon
22:17:13 david-lyle: If you do not supply any filters (none will be shipped by default) the command will not be executed
22:18:02 kspear: I could bundle it myself, but if other plugins would want this functionality it would be easier to make horizon a bit more extensible for anyone to use
22:18:20 kspear: thanks - you are right, this blueprint https://blueprints.launchpad.net/horizon/+spec/improved-boot-from-volume already includes feature from blueprint https://blueprints.launchpad.net/horizon/+spec/boot-from-volume-type-image.
22:19:07 ok, I'll look at it again, but I think kspear has a valid point
22:19:17 https://wiki.openstack.org/wiki/Nova/Rootwrap goes into more detail on how that all works. But basically if the command isn't listed in one of those filters it will not run
22:20:16 Vasiliy: okay. would be good to coordinate with the assignee of the other bp and see what the plan is
22:20:21 Vasiliy: Feel free to reach out to the current assignee to see if he could use a hand, if you'd like to help with the feature
22:20:39 I've been working on https://blueprints.launchpad.net/horizon/+spec/rbac
22:21:18 the main issue I've come across is that no services seem to be loading their policy.json files into keystone yet
22:21:31 jpich: ok - thanks - I will touch to him
22:21:32 just reading them from the file-system
22:22:06 does anyone have an installation where policy files are uploaded in keystone?
22:22:41 david-lyle: i think if horizon could interpret its own policy.json that would be a good start
22:23:10 but essentially Horizon's is the union of the services
22:23:53 david-lyle: i wonder if this is something that really belongs in the python-*clients. how do we map policy entries to endpoints?
22:23:57 dvarga: I'll have to look into that one. It's definitely not a Havana target, and I'd have to see some compelling use cases for what you'd want to run as root on the webserver. That's a pretty nasty potential vulnerability vector when mostly you should be talking to service via APIs.
22:24:41 So I'd like to propose copying keystone's for now and honoring that, get the policy engine going and working and then either expand to have policy files from the other services as well
22:25:00 and eventually pull them from keystone
22:25:49 gabrielhurley: thanks. Basically the plugin I'm developing would be collecting diagnostic data and logs (sosreport) and that needs to run as root. Rootwrap gives some nice filtering and restrictions which don't open it up to running arbitrary commands as root.
22:25:57 david-lyle: starting with keystone's seems reasonable.
22:26:37 dvarga: mostly I'm leery of other things even running in the same execution context as Horizon. that seems like the wrong place to start.
22:26:56 dvarga: when I deploy a webservice I want it to be as isolated as possible.
22:27:00 gabrielhurley: that may be the scope for Havana-3
22:27:29 depending on how many distractions I have
22:27:39 david-lyle: if that's what makes sense I'd certainly like to see the initial proof-of-concept so we know what work is ahead of us to take it the rest of the way
22:27:53 it's a major undertaking, I'm aware
22:27:57 absolutely
22:28:25 I think once the first one's in the others should come quickly, but retrofitting to read from keystone will be another larger work item
22:28:56 interesting. I'd expect that to be relatively easy compared to the initial "parse this and do the right thing"
22:29:09 it should be the same exact data, just one fetched via API and one read from disk
22:29:24 well, most of the engine comes from oslo
22:29:43 just need to add the policy checks around the calls
22:29:48 gotcha
22:29:52 well, we'll see
22:30:30 david-lyle: that's what i'm wondering about. will there be a one to one mapping between policy checks in keystone and the actual api routes?
22:30:30 #topic Discussion
22:31:21 kspear: pretty much, although the Keystone file is not exhaustive for all potential api calls
22:31:31 sammiestoel: Hi Sam, I'd like to help you with features on blueprint https://blueprints.launchpad.net/horizon/+spec/improved-boot-from-volume We started working on the same improvements https://blueprints.launchpad.net/horizon/+spec/boot-from-volume-type-image
22:32:24 david-lyle: okay, that should make things easier
22:32:42 so i hear that feature freeze is September 5
22:33:02 September 4*
22:33:26 1 month, it's coming quickly
22:33:28 so it'd be good to get code for bps up within around 2 weeks
22:33:39 david-lyle: it really is
22:34:25 jpich: do you know where the ceilometer integration stands?
22:34:31 Vasiliy: I don't think he's on IRC at the moment, his nickname starts with "Samos". There is a "Contact this user" link on his user page on launchpad, you might want to use that instead.
22:34:55 david-lyle: Waiting on UX feedback still I think
22:35:20 jpich: thanks
22:35:21 jpich: is that? where is it happening?
22:35:38 ok, I see it out there for review all the time, just want to make sure I'm not ignoring it for the wrong reason :)
22:35:56 I can have a look on that
22:36:03 if needed
22:36:23 jcoufal: Looks like you already replied to Brooklyn in the UX community :) Would love actionable feedback, even if it's just a start to be improved on later
22:36:48 ah, that's the one
22:36:50 ok
22:37:10 david-lyle: It'd be cool to get the API bits merged for a start, though there are some review comments on it that don't seem to have been taken into account it
22:37:23 It's on my TODO to poke at the reviews again...
22:37:50 seems like it will need to land in the next week or two
22:38:29 talking about UX
22:38:36 I have one thing to bring up
22:38:51 there is ongoing voting for new tool for UX discussions
22:39:07 Thanks so much for driving this jcoufal
22:39:49 it is for all of developers, if you will need help with UX question that would be the tool where to start
22:40:18 so, whoever is interested, feel free to participate here: http://www.surveymonkey.com/s/MNGV8D5
22:40:38 deadline is until Friday midnight (GMT)
22:40:47 just need time to checkout Discourse
22:40:51 vote early vote often :)
22:41:15 a Chicago voter in the house
22:41:25 jpich: np, I am happy we moved forward
22:41:38 ttx: sorry, I need to put the meeting in my calendar :(
22:42:18 Seems like we're winding down, any other issues/topics?
22:44:22 looks like we're good. Thanks everyone!
22:44:29 Thanks
22:44:33 #endmeeting