14:00:23 <slaweq> #startmeeting neutron_drivers
14:00:24 <openstack> Meeting started Fri Sep 25 14:00:23 2020 UTC and is due to finish in 60 minutes.  The chair is slaweq. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:28 <openstack> The meeting name has been set to 'neutron_drivers'
14:00:33 <mlavalle> o/
14:01:03 <slaweq> welcome after a pretty long break in the drivers meeting
14:01:07 <slaweq> :)
14:01:19 <yamamoto> hi
14:01:31 <amotoki> hi
14:01:54 <mlavalle> nothing wrong with that. we are supposed to meet when the community needs it. no need to meet for the sake of meeting
14:02:10 <haleyb> hi
14:02:17 <slaweq> mlavalle: I know, that's why I was cancelling it so many times recently :)
14:02:19 <njohnston> o/
14:02:48 <slaweq> ralonsoh: are You around?
14:02:55 <slaweq> we are almost all here already
14:02:56 <ralonsoh> sorry yes
14:03:02 <slaweq> ok, now we are all there
14:03:04 <slaweq> :)
14:03:13 <slaweq> ok, so lets start
14:03:42 <slaweq> as I wrote in the email yesterday night, we don't have any new (or updated) rfe to discuss today
14:03:59 <slaweq> but I wanted to talk about one bug related to policy.json
14:04:05 <slaweq> https://bugs.launchpad.net/neutron/+bug/1895933
14:04:07 <openstack> Launchpad bug 1895933 in neutron "Admin user can do anything without the control of policy.json" [Medium,Confirmed]
14:04:51 <slaweq> basically in neutron it is like it's in the bug description, so we are checking if user is admin and then don't check anything else from the policy file
14:05:11 <amotoki> sorry for not replying to this. I was busy with internal stuff.....
14:05:26 <slaweq> and I wanted to ask You if You think it is a bug which we should fix, or maybe it's like that in all projects and we should keep it like it's now
14:05:30 <amotoki> IIRC we handled 'admin' role specially so we skipped admin check
14:05:32 <slaweq> amotoki: np
14:05:41 <amotoki> but I believe it is time to honor policy check.
14:06:34 <ralonsoh> but the default behaviour will be the current one, correct?
14:06:58 <slaweq> ralonsoh: I think so
14:07:13 <slaweq> by default admin should be able to do everything
14:07:24 <slaweq> but operator should IMHO be able to control that too
14:07:43 <amotoki> agree
14:08:20 <amotoki> as of now, role admin and elevated context are considered the same but perhaps we need to distinguish these two.
14:09:03 <ralonsoh> yeah, that's a good point
14:09:33 <ralonsoh> we should use elevated one internally only when needed, but should not be the same as admin
14:09:47 <ralonsoh> (could be an opportunity to clean up some parts of the code using admin indiscriminately)
14:10:33 <amotoki> ralonsoh: +1
14:11:28 <amotoki> policy check provides RBAC at the API level. Internal accesses with elevated context is a different thing.
14:14:51 <slaweq> so it seems that at least me, ralonsoh and amotoki agree that this is an improvement which we should do in our code
14:15:04 <ralonsoh> yes
14:15:08 <slaweq> anyone else has got any thoughts about that?
14:15:39 <mlavalle> I'm in agreement
14:15:44 <yamamoto> +1
14:15:50 <njohnston> so does that mean we need to reevaluate places where we use context.is_admin to see if this is a case where we need elevated context or actual admin role?
14:16:14 <mlavalle> the question is what we do next
14:16:52 <slaweq> njohnston: I think so
14:17:03 <amotoki> IMHO the first step would be to improve the behavior reported in this bug (address scope)
14:17:45 <slaweq> mlavalle: I think I will open BP to track progress on that, and we will need some volunteer(s) to make progress on that
14:17:48 <njohnston> like here: https://opendev.org/openstack/neutron/src/branch/master/neutron/policy.py#L434-L437
14:18:04 <mlavalle> slaweq: +1
14:18:11 <njohnston> slaweq: +1
14:18:21 <ralonsoh> +1
14:18:29 <amotoki> slaweq: +1
14:18:41 <slaweq> njohnston: the place which You pointed to is exactly the "culprit" of the whole issue IMO
14:19:00 <slaweq> so this has to be removed
14:19:10 <slaweq> and we should validate policy even if context.is_admin
14:19:38 <amotoki> we may need to revisit the condition of is_admin=true too
14:21:55 <slaweq> ok, so I think we all agreed on what to do with this bug and on the next steps plan
14:22:13 <slaweq> I will sum this up in the LP's comment today
14:22:22 <slaweq> and I will create BP for this
14:22:36 <slaweq> and basically that's all what I had for today
14:22:50 <slaweq> do You have maybe anything else You want to discuss today?
14:23:20 <mlavalle> not from me
14:23:25 <njohnston> no thanks
14:23:32 <amotoki> nothing from me
14:23:50 <ralonsoh> no thanks
14:24:13 <haleyb> not from me
14:24:19 <yamamoto> no
14:24:46 <slaweq> ok, so thx for attending
14:24:55 <slaweq> have a great weekend and see You all next week
14:24:57 <slaweq> o/
14:24:59 <slaweq> #endmeeting