19:10:49 #startmeeting Ansible Core Public IRC Meeting https://github.com/ansible/community/issues/560 19:10:49 Meeting started Tue Sep 22 19:10:49 2020 UTC. 19:10:49 This meeting is logged and archived in a public location. 19:10:49 The chair is sdoran. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:10:49 Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:10:49 The meeting name has been set to 'ansible_core_public_irc_meeting_https://github.com/ansible/community/issues/560' 19:11:03 Sorry I'm a bit late starting. Was working on something. 19:11:48 Anyone around today for a meeting? We have a handful of topics. 19:13:05 I'm lurking 19:13:29 felixfontein: Are you available today? 19:15:41 #topic https://github.com/ansible/ansible/pull/71628 19:15:56 nitzmahone: Are you around to discuss `anible-galaxy login`? 19:18:29 o/ 19:18:58 \o 19:19:27 yes 19:19:34 (sorry, was stuffing lunch) 19:19:42 No worries. 19:21:30 Yeah, just wanted to see if anyone else had thoughts or objections to what's seeming like the current plan: just ditch it 19:22:02 +1 19:22:20 I'd be in favor of the interactive token workflow, but it's fragile and we don't have a good way to test it. 19:22:28 We just can't have nice things. 19:22:29 I have a working PR that replaces the existing functionality with OAuth Device Flow, but nobody's really piped up and said "hey yeah, I use that" 19:22:47 I just haven't heard of anybody actually using it and it would be nice to remove 1 source of the Galaxy token file locations eventually 19:23:14 plus if there's no official supported way of getting the client id then I don't think we should rely on hacks because it will inevitably break 19:23:43 We've got a planning meeting with the Galaxy/AH team coming up in a few weeks, so I'll ask how hard it'd be to support that functionality generally across Galaxy-NG/AH- if it's something that can be done reasonably, we can bring it back once it can be supported everywhere properly. 19:24:09 But yeah, I'm also not a fan of using brittle hacks or hardcoding the client_ids. 19:24:38 Worst case, if we rip it out and the pitchfork-wielding masses appear, we've got a working impl for known client_ids that we can quick-turn back in. 19:24:47 yep 19:24:48 Anybody have objection to that plan? 19:25:08 sounds good to me 19:25:12 plus the existing solution is going away in November right, so if someone is relying on this exact workflow they are going to have to change regardless 19:25:45 Correct, although the existing flow was already interactive-only, so the change shouldn't break scripts and stuff 19:25:57 ah true 19:26:11 (ie if we merged the change to device flow) 19:26:26 Is this different than the `--github-token` functionality? 19:27:01 IIRC that takes a GH PAT, sends it to Galaxy, and persists the resultant Galaxy token 19:27:11 (or maybe just uses it, I can't remember) 19:27:33 There are several CLI options that I'm not 100% sure how they all interact or how Galaxy uses them 19:27:35 (server side) 19:27:37 yea that's what it does 19:28:17 So we'd *likely* just get rid of the stored token altogether, though I'm not opposed to leaving that around for people that want to manually manage it and not pass it on the CLI or envvar 19:28:59 so getting rid of 1 location would simplify that behaviour a bit more 19:29:38 Yeah, though at the cost of having to pass it on the CLI (insecure) or envvar (possibly insecure/inconvenient) 19:29:43 We should still keep the token file. Having to pass the token in a CLI arg or envvar seems less secure than reading a (hopefully )locked down) file on disk. 19:29:52 They can also put it in ansible.cfg as a replacement to ~/.ansible/galaxy_token 19:30:00 Sorry IRCCloud dropped that message 19:30:04 Though storing it unencrypted on disk isn't exactly secure either, so kind of a poop-sandwich no matter what 19:30:05 hey, looks like this is where everyone went to :) 19:30:23 welcome to the party pal! 19:30:34 Hmm, but that would make `ansible.cfg` have sensitive information. 19:30:44 so removing `~/.ansible/galaxy_token` shouldn't happen straight away as it is used by other commands, but we can deprecate it in favour of ansible.cfg 19:30:47 I don't think it's generally considered a file worth protecting. 19:31:19 well if you put something worth protecting in it, you should probably protect it 19:31:23 yea 19:31:42 Just means you can't store it in CI or make it globally readable. 19:31:55 IIRC we don't allow vault args there, so we couldn't encrypt the token in the cfg 19:31:59 nitzmahone: +1 for just ripping the functionality out, and giving a message with what to do 19:32:10 you could have an ansible-galaxy specific ansible.cfg and set that with `ANSIBLE_CONFIG` if need be 19:32:29 but I'm not sure we need to go any further than just give people their options 19:32:54 Yeah, we basically just need to decide if we're going to keep silent support for ~/.ansible/galaxy_token or not 19:32:54 they can decide how they want to secure that any more than is already possible 19:33:00 Agreed, +1 to rip out (the command and not the file), document the alternative 19:33:13 nitzmahone: I don't see a great reason for removing it right now 19:33:17 I'd lean toward keeping the file, as putting it on config is another can of worms 19:33:23 yep 19:33:32 I think to remove the file we need to do the normal deprecation cycle 19:33:54 plus we probably want to look at vaulted supported/merging of multiple configs that bcoca has proposed with his yaml config 19:34:03 Yep, and I don't even think there's a great reason to do that right now- at the point there is (eg we have a new device auth flow that works everywhere or whatever) we can revisit that 19:34:03 yeah, so leave all the other stuff alone, and just replace the login code with a message that gets printed 19:34:13 +1 19:34:27 OK, sounds like no objections, so... 19:34:37 make it so 19:34:46 What's that workflow going to look like? Got to a URL and get the API key, then put it in the file, env var, or CLI arg? 19:34:51 #decided remove ansible-galaxy login, add descriptive error message, preserve galaxy_token file support 19:34:57 sdoran: basically 19:35:08 Yeah, it's in the Galaxy profile UI 19:35:09 we even have that as the documented way to get a token today 19:35:43 Though IIRC you can't revoke those right now 19:35:51 (I could be wrong though) 19:35:56 you can refresh 19:36:04 no idea if that revokes the existing tokens, I would have assumed so 19:37:06 sdoran: https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html#cmdoption-ansible-galaxy-collection-publish-api-key it's even in the help message 19:38:47 Anyway, I think we're good on that topic 19:38:56 👍 19:39:47 Do we want to discuss any of the other topics related to validation? 19:40:06 * nitzmahone feels plenty validated already ;) 19:40:16 * sdoran feels overvalidated 19:40:31 sdoran: The 2nd comment is covered. The first is just asking for a review and merge I think 19:45:51 #topic open floor 19:47:30 I wasn't in the first 15 minutes of meeting, has https://github.com/ansible/ansible/pull/70319 been discussed? Is there anything I can help about it? 19:52:26 It looks good to me. I'm not sure about changing the default/removing in regard to https://github.com/ansible/ansible/pull/70319/files#r486762281 19:53:05 was this fatal before if the option wasn't provided? https://github.com/ansible/ansible/pull/70319/files#diff-4ffaa6093f1bc2806ebfbda0de550781R49 19:58:26 shertel: if `selection` wasn't given on `dpkg_selections` I guess it would throw an error on this line: https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/dpkg_selections.py#L69 19:59:02 ok, just wanted to check 20:07:40 Thanks everyone for attending today. 👋 20:07:42 #endmeeting