17:02:29 <gmann> #startmeeting policy_popup
17:02:29 <opendevmeet> Meeting started Tue Feb 28 17:02:29 2023 UTC and is due to finish in 60 minutes.  The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:29 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:29 <opendevmeet> The meeting name has been set to 'policy_popup'
17:03:02 <gthiemonge> o/
17:03:19 <gmann> #link https://etherpad.opendev.org/p/rbac-goal-tracking#L154
17:03:40 <gmann> nothing on agenda but I will be around to answer/discuss if anything
17:03:45 <gmann> gthiemonge: o/
17:04:52 <gthiemonge> gmann: hey, I'm trying to fix the policies in Octavia, we still have some code from the previous specs
17:05:06 <gthiemonge> so I have this change:
17:05:09 <gthiemonge> https://review.opendev.org/c/openstack/octavia/+/875620
17:05:25 <gthiemonge> it switches the scope_types['system'] to scope_types['project']
17:05:39 <gthiemonge> and it makes the legacy admin an admin
17:05:49 <gmann> +1
17:05:57 <gthiemonge> i wanted to check if the s/'system'/'project'/ is fine
17:06:18 <gmann> yes, we need to make every policy rule scoped to 'project'
17:06:32 <gthiemonge> ack
17:06:46 <gmann> in addition to that, introducing the project_reader role is important
17:07:11 <gthiemonge> there's project-reader on line 67
17:07:52 <gthiemonge> I'll double check that
17:08:01 <gmann> I see.
17:08:20 <gmann> I will review your patch today in case anything is missing but thanks for working on this
17:08:59 <johnsom> I have a question here, isn't that "scope" setting just going to be ignored if scopes aren't enabled in the config?
17:09:19 <gthiemonge> thanks gmann
17:10:19 <johnsom> oslo.policy should just ignore it if enforce_scope is False right?
17:10:22 <gmann> johnsom:  yes, if enforce_scope is false then oslo policy does not check scope
17:10:29 <gmann> yes
17:10:42 <gmann> it will add a warning but no error
17:10:45 <johnsom> So shouldn't we just start removing all of that?
17:11:37 <gmann> we can and that is the long term plan but we need this to be configurable during the transition period, so that operators have time to move things to the new policy
17:12:23 <gmann> but yes, in the end the enforce_scope flag should be removed. 1. make it default to True (like nova, glance did) 2. and then plan to remove it at some point
17:12:43 <johnsom> What? ???
17:12:58 <gmann> you asked about enforce_scope right?
17:13:01 <johnsom> I thought you had previously said scope was not going to happen
17:13:19 <gmann> every policy to be scoped to 'project'
17:13:38 <gmann> means if anyone is using a system scope token we can fail early with 403
17:13:38 <johnsom> I thought the new change was scoped tokens are not going to ever be enabled, so scope is no longer a thing and will always be False
17:14:44 <gmann> no. ok so the thing is, system scope is no longer a thing, which means every policy rule defaults to project scope. this way if anyone is using a system scope token, say (system admin), then it will be rejected early at API validation itself
17:15:36 <gmann> scoping all policies to project helps us give a correct error message to operators instead of failing with a system scope token in a lower layer with a confusing error message
17:16:39 <gmann> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#change-in-scope-implementation
17:16:42 <johnsom> Sigh
17:17:08 <gmann> johnsom: ^^ that paragraph explains the scope thing
17:17:25 <johnsom> So, scope_types=[constants.RBAC_SCOPE_PROJECT] in the policy in code, those lines can go away right? Or do they have to stay and all just be set to PROJECT?
17:17:51 <gmann> constants.RBAC_SCOPE_PROJECT is 'project' right?
17:18:13 <johnsom> yes
17:18:29 <gmann> so this will stay here. we do not need to remove it
17:18:55 <gmann> so that system scope token usage gets a 403 as an early fail
17:19:33 <gmann> you can just remove the constant and just say scope_type=['project']
17:19:58 <gmann> but either way you like, define 'project' as a constant or directly
17:20:24 <johnsom> No, we use constants to save RAM. I was just asking why even specify that if all of the policies are going to be project only.
17:21:21 <gmann> ok, it is just to early fail system tokens with 403
17:21:29 <johnsom> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L1254
17:21:35 <johnsom> Ah, it doesn't default to project
17:22:23 <gmann> yeah it is None by default
17:24:54 <gmann> one good example for its benefit is nova server operations. many of them need project_id and a system scope token does not have project_id, so if a system scope token is used it might fail somewhere in the DB or another lower layer and the error might be confusing. to avoid that, raising 403 for system scope tokens is helpful
17:25:29 <johnsom> Oh I know the heck I went through to deal with system scoped tokens and no project ID
17:25:36 <johnsom> Months of wasted time
17:27:12 <gmann> yeah
17:29:09 <gmann> johnsom: gthiemonge: anything else to discuss for today?
17:30:10 <gmann> FYI, there is a magnum policy change also in progress. I did not get a chance to review it but that is on my list for today #link https://review.opendev.org/c/openstack/magnum/+/875625/2
17:30:26 <gthiemonge> gmann: no, that's it for me, thanks
17:31:38 <johnsom> I don't have anything else.
17:31:59 <gmann> ok thanks for joining. let's close for today
17:32:08 <gmann> #endmeeting