#openstack-meeting log

18:01:39 <gmann> #startmeeting policy
18:01:39 <opendevmeet> Meeting started Thu Dec 16 18:01:39 2021 UTC and is due to finish in 60 minutes.  The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:39 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:39 <opendevmeet> The meeting name has been set to 'policy'
18:01:59 <rdopiera> Hi, I just added my point to the agenda on the etherpad
18:02:20 <gmann> sure checking
18:02:58 <rdopiera> I can elaborate
18:03:03 <gmann> sure
18:04:23 <rdopiera> we started work on the phase two, for the system admin support, in horizon, and for that we added the ability to switch from a project scope to the system scope, and it mostly all works as expected, however, in the system scope we are disallowed to make many calls that are used on a lot of admin pages
18:05:06 <gmann> yeah, and that is for services right like nova etc?
18:05:15 <gmann> not just keystone
18:05:19 <rdopiera> most of the problematic pages are in nova
18:05:25 <gmann> :) yeah
18:05:33 <gmann> As per the new schedule keystone system/domain scope policies are ready means their system scope panel in horizon can be implemented
18:05:42 <rdopiera> what I can tell is that some of the calls we need to make on them are allowed, but some not
18:06:10 <gmann> and nova is going to modify the policy in Yoga cycle where we are modifying many policy from system to project scoped etc
18:07:03 <gmann> this is #link BP https://blueprints.launchpad.net/nova/+spec/policy-defaults-refresh-2
18:07:04 <rdopiera> I also wanted to clarify how it should work in Horizon from the user interface point of view
18:07:30 <gmann> yeah that will be very helpful and we can see how user going to use it
18:07:35 <rdopiera> so far we based our implementation on the PTG discussion, and basically just added an entry to the project scope switching menu, that says "system scope"
18:08:06 <rdopiera> any use who has access to the system scope has that option, and can switch to this scope, at which point they will only see the menu entries appropriate for that scope
18:08:18 <rdopiera> any user*
18:08:50 <gmann> other scope entry will not be visible at all right?
18:09:20 <rdopiera> you only see the entries in the menu that are allowed by the policy with your current token
18:09:31 <gmann> +1
18:09:41 <rdopiera> I have two doubts about this.
18:10:43 <rdopiera> First, from the SRBAC high-level descriptions it seems that there is going to be a special, separate user, that has access to the system scope, and has no access to anything else, and that is going to be the only user who has access to the system scope
18:11:48 <rdopiera> If that is the case, we will need a mechanism that allows users who have no access to any project to log into Horizon -- currently if you try that, horizon will not let you to log in. And then you will start in the system scope right from the beginning -- is that right?
18:12:16 <gmann> yeah so with the new design we finalized in goal is system and project scope users are very much isolated in term of access control (except few cases where few API will be accessible to both)
18:13:07 <rdopiera> currently a user who doesn't have a project can't log into horizon
18:13:14 <gmann> yes that is my expectation.
18:13:54 <gmann> system users will not have any project_id in their token and can perform only operation allowed to system level which is nothing but the one does not need projetc id like GET hypervisors etc
18:14:18 <rdopiera> thanks, then I will add an RFE for handling this case
18:14:27 <gmann> horizon should allow them to login even they are not associated with any project
18:15:08 <gmann> and once they login to horizon they can switch to other scope if they are allowed by keystone
18:15:45 <gmann> we are very much separating the system scope users to perform any project level resource operation
18:15:54 <rdopiera> Second doubt I have, currently a lot of API calls are available by policy both in system scope and in project scope -- so the user has access to the same "admin" and "identity" menus as in system scope -- my question is should we explicitly hide them in horizon with some option, or will that be handled by new and updated set of policies?
18:16:19 <gmann> yeah, this is good question.
18:17:01 <gmann> for keystone, I think policy are ready and they will not be changed much, In Yoga cycle release we are hoping operator will use the new policy. so it is safe to migrate them in Horizon also
18:17:32 <gmann> but for service policy like Nova, cinder etc we are re-modifying the policies in Yoga and they should be ready after Yoga
18:17:34 <rdopiera> for example, I have a WIP patch for an "ENFORCE_SCOPE" option in horizon that wold hide some menu entries: https://review.opendev.org/c/openstack/horizon/+/818763
18:17:54 <gmann> and that time there will be less policy with both scope
18:18:34 <gmann> for services, I horizon needs to wait until they are ready
18:19:18 <rdopiera> so we should basically pause work on this?
18:20:41 <gmann> rdopiera: not pause but do only for keystone panel and for other yes hold until Yoga cycle
18:21:18 <gmann> Yoga cycle release or whenever services are ready. for example If I can implement for nova in Yoga m-3 or so then you can see but that is still late
18:21:21 <rdopiera> we use the policies provided to decide which panels to display, we can't use system scope just for some panels
18:21:34 <gmann> so considering services other than keystone will be good for Z cycle
18:22:33 <gmann> rdopiera: i mean if you switch for keystone panel and for other services shows everything what it is currently with message that NO SCOPE SWITCH FOR THIS SERVICE YET
18:22:37 <gmann> does that work?
18:22:48 <rdopiera> no
18:22:51 <gmann> ohk
18:23:00 <rdopiera> the switch is global, like switching projects
18:23:52 <gmann> i see
18:24:14 <rdopiera> we can add code to some of the panels that will hide them in system_scope explicitly
18:24:20 <rdopiera> ignoring the policies
18:24:29 <gmann> so in global switch, if we say either system or project scope nova panel will be shown same ?
18:24:47 <gmann> yeah kind of ignoring
18:24:58 <gmann> ignoring new policy
18:25:02 <rdopiera> right now you will see anything that the policy allows
18:25:10 <rdopiera> it's entirely driven by policy checks
18:25:47 <rdopiera> we can add additional checks, but to do that, we need to know what should be displayed in which scope
18:26:24 <rdopiera> that patch I linked does something like that
18:26:51 <rdopiera> it hides the identity panel when not in the syste_scope, when the ENFORCE_SYSTEM_SCOPE option is set
18:27:01 <gmann> so for say nove panel if we ust ignore the scope switching ?
18:27:24 <gmann> rdopiera: ohk, so ENFORCE_SYSTEM_SCOPE  is global one not per service?
18:27:31 <rdopiera> I can hide nova panels when you are switched to system scope
18:27:42 <gmann> ah hide is not good
18:27:46 <rdopiera> I can make it per service
18:28:05 <gmann> yeah, beacuse in actual we have enforce_scope per service so that operator can enable/disable per services
18:28:06 <rdopiera> I can show you how it works on video?
18:28:22 <rdopiera> I quick meet call?
18:28:28 <gmann> sure. meetpad not working currently
18:28:37 <gmann> but google meet ok for me
18:28:49 <rdopiera> https://meet.google.com/juc-fuho-iic
18:29:06 <gmann> joining, 1 min
18:45:39 <gmann> I am adding note in etherpad for discussion on horizon plan.
18:45:51 <gmann> thanks again rdopiera for joining
18:46:14 <gmann> we will cancel next meeting which is on 30th Dec and will meet on 13th Jan
18:46:19 <gmann> #endmeeting