#ansible-meeting log

19:10:49 <sdoran> #startmeeting Ansible Core Public IRC Meeting https://github.com/ansible/community/issues/560
19:10:49 <zodbot> Meeting started Tue Sep 22 19:10:49 2020 UTC.
19:10:49 <zodbot> This meeting is logged and archived in a public location.
19:10:49 <zodbot> The chair is sdoran. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:10:49 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:10:49 <zodbot> The meeting name has been set to 'ansible_core_public_irc_meeting_https://github.com/ansible/community/issues/560'
19:11:03 <sdoran> Sorry I'm a bit late starting. Was working on something.
19:11:48 <sdoran> Anyone around today for a meeting? We have a handful of topics.
19:13:05 <jborean93> I'm lurking
19:13:29 <sdoran> felixfontein: Are you available today?
19:15:41 <sdoran> #topic https://github.com/ansible/ansible/pull/71628
19:15:56 <sdoran> nitzmahone: Are you around to discuss `anible-galaxy login`?
19:18:29 <cyberpear> o/
19:18:58 <shertel> \o
19:19:27 <nitzmahone> yes
19:19:34 <nitzmahone> (sorry, was stuffing lunch)
19:19:42 <sdoran> No worries.
19:21:30 <nitzmahone> Yeah, just wanted to see if anyone else had thoughts or objections to what's seeming like the current plan: just ditch it
19:22:02 <jborean93> +1
19:22:20 <sdoran> I'd be in favor of the interactive token workflow, but it's fragile and we don't have a good way to test it.
19:22:28 <sdoran> We just can't have nice things.
19:22:29 <nitzmahone> I have a working PR that replaces the existing functionality with OAuth Device Flow, but nobody's really piped up and said "hey yeah, I use that"
19:22:47 <jborean93> I just haven't heard of anybody actually using it and it would be nice to remove 1 source of the Galaxy token file locations eventually
19:23:14 <jborean93> plus if there's no official supported way of getting the client id then I don't think we should rely on hacks because it will inevitably break
19:23:43 <nitzmahone> We've got a planning meeting with the Galaxy/AH team coming up in a few weeks, so I'll ask how hard it'd be to support that functionality generally across Galaxy-NG/AH- if it's something that can be done reasonably, we can bring it back once it can be supported everywhere properly.
19:24:09 <nitzmahone> But yeah, I'm also not a fan of using brittle hacks or hardcoding the client_ids.
19:24:38 <nitzmahone> Worst case, if we rip it out and the pitchfork-wielding masses appear, we've got a working impl for known client_ids that we can quick-turn back in.
19:24:47 <jborean93> yep
19:24:48 <nitzmahone> Anybody have objection to that plan?
19:25:08 <shertel> sounds good to me
19:25:12 <jborean93> plus the existing solution is going away in November right, so if someone is relying on this exact workflow they are going to have to change regardless
19:25:45 <nitzmahone> Correct, although the existing flow was already interactive-only, so the change shouldn't break scripts and stuff
19:25:57 <jborean93> ah true
19:26:11 <nitzmahone> (ie if we merged the change to device flow)
19:26:26 <sdoran> Is this different than the `--github-token` functionality?
19:27:01 <nitzmahone> IIRC that takes a GH PAT, sends it to Galaxy, and persists the resultant Galaxy token
19:27:11 <nitzmahone> (or maybe just uses it, I can't remember)
19:27:33 <nitzmahone> There are several CLI options that I'm not 100% sure how they all interact or how Galaxy uses them
19:27:35 <nitzmahone> (server side)
19:27:37 <jborean93> yea that's what it does
19:28:17 <nitzmahone> So we'd *likely* just get rid of the stored token altogether, though I'm not opposed to leaving that around for people that want to manually manage it and not pass it on the CLI or envvar
19:28:59 <jborean93> so getting rid of 1 location would simplify that behaviour a bit more
19:29:38 <nitzmahone> Yeah, though at the cost of having to pass it on the CLI (insecure) or envvar (possibly insecure/inconvenient)
19:29:43 <sdoran> We should still keep the token file. Having to pass the token in a CLI arg or envvar seems less secure than reading a (hopefully )locked down) file on disk.
19:29:52 <jborean93> They can also put it in ansible.cfg as a replacement to ~/.ansible/galaxy_token
19:30:00 <jborean93> Sorry IRCCloud dropped that message
19:30:04 <nitzmahone> Though storing it unencrypted on disk isn't exactly secure either, so kind of a poop-sandwich no matter what
19:30:05 <sivel> hey, looks like this is where everyone went to :)
19:30:23 <nitzmahone> welcome to the party pal!
19:30:34 <sdoran> Hmm, but that would make `ansible.cfg` have sensitive information.
19:30:44 <jborean93> so removing `~/.ansible/galaxy_token` shouldn't happen straight away as it is used by other commands, but we can deprecate it in favour of ansible.cfg
19:30:47 <sdoran> I don't think it's generally considered a file worth protecting.
19:31:19 <sivel> well if you put something worth protecting in it, you should probably protect it
19:31:23 <jborean93> yea
19:31:42 <sdoran> Just means you can't store it in CI or make it globally readable.
19:31:55 <nitzmahone> IIRC we don't allow vault args there, so we couldn't encrypt the token in the cfg
19:31:59 <sivel> nitzmahone: +1 for just ripping the functionality out, and giving a message with what to do
19:32:10 <jborean93> you could have an ansible-galaxy specific ansible.cfg and set that with `ANSIBLE_CONFIG` if need be
19:32:29 <sivel> but I'm not sure we need to go any further than just give people their options
19:32:54 <nitzmahone> Yeah, we basically just need to decide if we're going to keep silent support for ~/.ansible/galaxy_token or not
19:32:54 <sivel> they can decide how they want to secure that any more than is already possible
19:33:00 <jborean93> Agreed, +1 to rip out (the command and not the file), document the alternative
19:33:13 <sivel> nitzmahone: I don't see a great reason for removing it right now
19:33:17 <nitzmahone> I'd lean toward keeping the file, as putting it on config is another can of worms
19:33:23 <nitzmahone> yep
19:33:32 <jborean93> I think to remove the file we need to do the normal deprecation cycle
19:33:54 <jborean93> plus we probably want to look at vaulted supported/merging of multiple configs that bcoca has proposed with his yaml config
19:34:03 <nitzmahone> Yep, and I don't even think there's a great reason to do that right now- at the point there is (eg we have a new device auth flow that works everywhere or whatever) we can revisit that
19:34:03 <sivel> yeah, so leave all the other stuff alone, and just replace the login code with a message that gets printed
19:34:13 <nitzmahone> +1
19:34:27 <nitzmahone> OK, sounds like no objections, so...
19:34:37 <sivel> make it so
19:34:46 <sdoran> What's that workflow going to look like? Got to a URL and get the API key, then put it in the file, env var, or CLI arg?
19:34:51 <nitzmahone> #decided remove ansible-galaxy login, add descriptive error message, preserve galaxy_token file support
19:34:57 <sivel> sdoran: basically
19:35:08 <nitzmahone> Yeah, it's in the Galaxy profile UI
19:35:09 <jborean93> we even have that as the documented way to get a token today
19:35:43 <nitzmahone> Though IIRC you can't revoke those right now
19:35:51 <nitzmahone> (I could be wrong though)
19:35:56 <jborean93> you can refresh
19:36:04 <jborean93> no idea if that revokes the existing tokens, I would have assumed so
19:37:06 <jborean93> sdoran: https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html#cmdoption-ansible-galaxy-collection-publish-api-key it's even in the help message
19:38:47 <nitzmahone> Anyway, I think we're good on that topic
19:38:56 <sdoran> 👍
19:39:47 <sdoran> Do we want to discuss any of the other topics related to validation?
19:40:06 * nitzmahone feels plenty validated already ;)
19:40:16 * sdoran feels overvalidated
19:40:31 <sivel> sdoran: The 2nd comment is covered. The first is just asking for a review and merge I think
19:45:51 <sdoran> #topic open floor
19:47:30 <aminvakil> I wasn't in the first 15 minutes of meeting, has https://github.com/ansible/ansible/pull/70319 been discussed? Is there anything I can help about it?
19:52:26 <shertel> It looks good to me. I'm not sure about changing the default/removing in regard to https://github.com/ansible/ansible/pull/70319/files#r486762281
19:53:05 <shertel> was this fatal before if the option wasn't provided? https://github.com/ansible/ansible/pull/70319/files#diff-4ffaa6093f1bc2806ebfbda0de550781R49
19:58:26 <aminvakil> shertel: if `selection` wasn't given on `dpkg_selections` I guess it would throw an error on this line: https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/dpkg_selections.py#L69
19:59:02 <shertel> ok, just wanted to check
20:07:40 <sdoran> Thanks everyone for attending today. 👋
20:07:42 <sdoran> #endmeeting