Monday, 2014-11-17

00:31 *** ryanpetrello has joined #openstack-barbican
00:47 *** ryanpetrello has quit IRC
01:03 *** ryanpetrello has joined #openstack-barbican
01:25 *** ryanpetrello has quit IRC
01:26 *** ryanpetrello has joined #openstack-barbican
01:38 *** ryanpetrello has quit IRC
02:46 *** zz_dimtruck is now known as dimtruck
04:29 *** dave-mccowan has quit IRC
05:21 *** dimtruck is now known as zz_dimtruck
05:34 *** jamielennox is now known as jamielennox|away
05:41 *** jamielennox|away is now known as jamielennox
05:42 *** zz_dimtruck is now known as dimtruck
05:54 *** dimtruck is now known as zz_dimtruck
06:22 *** miqui has quit IRC
06:23 *** ryanpetrello has joined #openstack-barbican
07:02 *** ryanpetrello has quit IRC
08:19 *** jaosorior has joined #openstack-barbican
11:48 *** openstackgerrit has quit IRC
11:49 *** openstackgerrit has joined #openstack-barbican
12:41 *** ryanpetrello has joined #openstack-barbican
12:45 *** rm_work is now known as rm_work|away
12:54 *** ryanpetrello has quit IRC
12:54 *** ryanpetrello_ has joined #openstack-barbican
12:54 *** ryanpetrello_ is now known as ryanpetrello
13:04 *** rcarrill` has left #openstack-barbican
13:21 *** dave-mccowan has joined #openstack-barbican
13:24 *** dave-mccowan_ has joined #openstack-barbican
13:25 *** dave-mccowan has quit IRC
13:25 *** dave-mccowan_ is now known as dave-mccowan
13:38 *** SheenaG1 has joined #openstack-barbican
13:53 *** ryanpetrello has quit IRC
13:53 *** jaosorior has quit IRC
13:55 *** kgriffs|afk is now known as kgriffs
13:59 *** ryanpetrello has joined #openstack-barbican
14:05 *** nkinder has quit IRC
14:18 *** ayoung has quit IRC
14:19 *** ryanpetrello has quit IRC
14:20 *** zz_dimtruck is now known as dimtruck
14:22 *** alee has quit IRC
14:26 *** ayoung has joined #openstack-barbican
14:28 *** ametts has joined #openstack-barbican
14:36 *** ryanpetrello has joined #openstack-barbican
14:37 *** dave-mccowan has quit IRC
14:40 *** stanzi has joined #openstack-barbican
14:42 *** tdink has joined #openstack-barbican
14:43 *** dimtruck is now known as zz_dimtruck
14:57 *** nkinder has joined #openstack-barbican
14:57 *** dave-mccowan has joined #openstack-barbican
14:59 *** tdink has quit IRC
15:00 *** stanzi has quit IRC
15:01 *** stanzi has joined #openstack-barbican
15:05 *** stanzi has quit IRC
15:06 *** stanzi has joined #openstack-barbican
15:09 *** zz_dimtruck is now known as dimtruck
15:16 *** jaosorior has joined #openstack-barbican
15:27 *** stanzi has quit IRC
15:27 *** stanzi has joined #openstack-barbican
15:29 *** stanzi_ has joined #openstack-barbican
15:30 *** atiwari has joined #openstack-barbican
15:32 *** stanzi has quit IRC
15:32 *** SheenaG1 has left #openstack-barbican
15:32 *** SheenaG1 has joined #openstack-barbican
15:33 *** rsyed_away is now known as rsyed
15:41 *** JeffF has joined #openstack-barbican
15:42 *** rsyed has left #openstack-barbican
15:47 *** gyee has joined #openstack-barbican
15:58 *** tdink has joined #openstack-barbican
15:58 *** paul_glass has joined #openstack-barbican
16:02 *** darrenmoffat2 has joined #openstack-barbican
16:02 *** akoneru has joined #openstack-barbican
<openstackgerrit> Douglas Mendizábal proposed openstack/barbican: Use canonical name for coverage job
16:03 *** alee has joined #openstack-barbican
16:03 *** darrenmoffat2 has quit IRC
16:05 <alee> redrobot, ping
16:06 <redrobot> alee pong
16:06 <alee> redrobot, is woodster back today?
16:06 <redrobot> alee I _think_ so... but he's not in the office yet.
16:06 <alee> redrobot, is there an agenda for today's meeting?
<redrobot> alee not yet it seems
16:07 <redrobot> alee we're supposed to talk about RFC 7030
16:07 <redrobot> I'll add it to the agenda right now
<alee> redrobot, I had some thoughts on certs and cert handling and rfc 7030 --
16:08 <alee> redrobot, perhaps you can reference that as well so folks have a chance to look at some of the ideas there.
16:09 *** tdink has quit IRC
16:09 <redrobot> alee done.  good notes btw!  Gotta make some time this morning to look over them.
16:10 <alee> redrobot, cool - feel free to mark up -- and let me know what you think
16:11 *** david-lyle_afk is now known as david-lyle
16:21 *** paul_glass has quit IRC
16:30 *** tdink has joined #openstack-barbican
<openstackgerrit> Merged openstack/barbican: Updated from global requirements
16:37 *** SheenaG11 has joined #openstack-barbican
16:39 *** SheenaG1 has quit IRC
16:44 *** stanzi_ has quit IRC
16:45 *** stanzi has joined #openstack-barbican
16:47 *** woodster_ has joined #openstack-barbican
<openstackgerrit> Merged openstack/python-barbicanclient: Updated from global requirements
16:52 *** stanzi has quit IRC
16:52 *** stanzi has joined #openstack-barbican
16:58 *** stanzi has quit IRC
16:59 *** tdink has quit IRC
16:59 <morganfainberg> redrobot, ping
16:59 <morganfainberg> redrobot, re: mid-cycle
17:02 <redrobot> morganfainberg hiya
17:02 <morganfainberg> redrobot, so - trying to line up the last bits for our mid-cycle for keystone
17:03 <morganfainberg> redrobot, right now January 19 - 21 (Mon, Tue, Wed) is the clear winner
17:03 <morganfainberg> and we have 2 people who can *only* make bay area who want to join, and 4 people who can only make SAT want to join.
17:03 <morganfainberg> erm wait
17:03 <morganfainberg> strike that
17:03 <morganfainberg> January 21 - 23 (Wed, Thu, Fri), is the current leader
17:04 <morganfainberg> for dates
17:04 <morganfainberg> redrobot, i'm at the point where i'm going to need to make a call on what we're doing location wise. so - figured i'd hit you guys up :)
17:06 <redrobot> morganfainberg ok, I still think space should not be a problem for hosting in SAT.   I can get you a definitive yes as soon as I poke some people here and at Geekdom.
17:06 <morganfainberg> redrobot, yeah SAT i'm sure isn't a huge deal.
17:07 <morganfainberg> but if we're doing SAT does that make barbican less happy? how much of a benefit is there if we overlap?
17:07 <morganfainberg> second, i def. am interested in the security team's meetup if they are doing one.
17:07 <morganfainberg> for *ahem* obvious reasons
17:08 <redrobot> morganfainberg :) ...  Yes, Rob was definitely interested in having a mid-cycle meetup as well.  He wants to either have it coincide with Barbican and/or Keystone, or have them far enough apart to where it's not a pain to go to both.
17:11 <morganfainberg> redrobot, so as much as I'd like the bay area for Keystone -- I *think* we're going to need to do SAT again just based upon the poll.
17:19 *** kebray has joined #openstack-barbican
17:20 *** bdpayne has joined #openstack-barbican
17:23 *** atiwari has quit IRC
17:23 *** atiwari has joined #openstack-barbican
17:31 *** atiwari has quit IRC
17:32 *** atiwari has joined #openstack-barbican
<openstackgerrit> Merged openstack/barbican: Use canonical name for coverage job
17:53 *** jaosorior has quit IRC
17:53 <SheenaG11> dstufft: you still working on the architecture PR?
17:53 *** bdpayne has quit IRC
17:53 <dstufft> SheenaG11: yea, was just asking wood for clarification on a comment
17:54 <SheenaG11> dstufft: sweet, ty - sorry for bugging :-)
17:57 *** stanzi has joined #openstack-barbican
18:00 *** rm_work|away is now known as rm_work
18:02 *** tdink has joined #openstack-barbican
18:04 *** stanzi has quit IRC
18:04 *** stanzi has joined #openstack-barbican
18:13 *** tdink has quit IRC
18:13 *** tdink has joined #openstack-barbican
<openstackgerrit> Donald Stufft proposed openstack/barbican: Port the Architecture, Dataflow, and Project Strucure docs
18:18 *** bdpayne has joined #openstack-barbican
18:18 *** tdink has quit IRC
18:22 *** rellerreller has joined #openstack-barbican
18:23 *** akoneru is now known as akoneru_lunch
18:45 *** gyee has quit IRC
18:45 *** gyee has joined #openstack-barbican
18:48 *** SheenaG11 has quit IRC
18:48 *** dave-mccowan has quit IRC
18:53 *** SheenaG1 has joined #openstack-barbican
18:57 *** rellerreller has quit IRC
19:05 *** rellerreller has joined #openstack-barbican
19:06 *** tdink has joined #openstack-barbican
19:08 *** dave-mccowan has joined #openstack-barbican
19:17 *** SheenaG1 has quit IRC
19:20 *** stanzi has quit IRC
19:21 *** jaosorior has joined #openstack-barbican
19:26 *** liam_ has joined #openstack-barbican
19:26 *** liam_ is now known as Guest63751
19:26 *** Guest63751 has quit IRC
19:29 *** bdpayne has quit IRC
19:29 *** bdpayne has joined #openstack-barbican
19:31 *** bdpayne has quit IRC
19:36 *** stanzi has joined #openstack-barbican
19:36 *** bdpayne has joined #openstack-barbican
19:40 *** bdpayne has quit IRC
19:45 *** rtom has joined #openstack-barbican
19:46 *** SheenaG1 has joined #openstack-barbican
19:47 *** SheenaG11 has joined #openstack-barbican
19:49 *** bdpayne has joined #openstack-barbican
19:49 *** atiwari has quit IRC
19:51 *** SheenaG1 has quit IRC
19:53 *** darrenmoffat has quit IRC
19:54 *** darrenmoffat has joined #openstack-barbican
19:56 <redrobot> Weekly meeting starts in 5 minutes on #openstack-meeting-alt
19:58 *** rellerreller has quit IRC
19:58 *** tkelsey has joined #openstack-barbican
19:59 <jaosorior> ah, still get confused about the time
20:00 <jaosorior> thought it was in an hour
20:01 <reaperhulk> UTC no DST makes for some confusion, heh
20:01 *** SheenaG11 has quit IRC
20:05 *** rellerreller has joined #openstack-barbican
20:05 *** SheenaG1 has joined #openstack-barbican
20:11 *** akoneru_lunch is now known as akoneru
20:22 *** stanzi has quit IRC
20:23 *** stanzi has joined #openstack-barbican
20:25 *** jorge_munoz has joined #openstack-barbican
20:40 *** tdink has quit IRC
20:40 *** SheenaG1 has quit IRC
20:40 *** atiwari has joined #openstack-barbican
20:41 *** tdink has joined #openstack-barbican
20:43 *** stanzi has quit IRC
20:49 *** openstackgerrit has quit IRC
20:49 *** openstackgerrit has joined #openstack-barbican
21:00 <reaperhulk> after party
<rm_work> redrobot: I have an implementation here using PyOpenSSL locally:
21:00 <alee> o/ yee hah!
21:01 <rm_work> see: generator / manager
21:01 <redrobot> rm_work yep, I recall you talking about it.
21:01 <rm_work> err, generator is PyOpenSSL, manager is just... files
21:01 <rm_work> it's not designed to be secure, it's a PoC development implementation
21:01 <atiwari> redrobot, are we done with meeting?
21:02 <alee> atiwari, this is the after party
21:02 <rm_work> but anyway, I'll be copy/pasting that CertManager/CertGenerator interface from Octavia to Neutron
21:02 <rm_work> which doesn't seem ideal to me
21:02 <redrobot> atiwari yes meeting ended 2 minutes ago.
21:02 <atiwari> redrobot, it has to be 2 MT
21:02 <alee> rm_work, so -- what about rather using an interface in certmonger?
21:02 <rm_work> and it should probably live in Castellan (or whatever) along with the KeyManager interface
21:02 *** kaitlin-farr has joined #openstack-barbican
21:03 <rm_work> alee: well, we'd still need something to interface with Certmonger
21:03 <rm_work> and I'd argue that whatever that is should essentially also use this interface as defined
21:03 <alee> rm_work, one of the things I suggested was to add a python interface to certmonger
21:03 <redrobot> atiwari meeting is scheduled in UTC .. it changes in US when DST starts/ends
21:03 <rm_work> and that would be good
21:03 <alee> rm_work, it needs to be written - but it could essentially do what you suggest
21:04 <rm_work> but that would be USED to make an implementation for CertManager
21:04 <atiwari> redrobot, never mind I think my calendar still not in sync
21:04 <rm_work> remember we're just talking about abstractions
21:05 <alee> rm_work, how many levels of indirection do we need?
21:05 <rm_work> there's a lot of candidates for implementations, of which Certmonger is the most promising
21:05 <rm_work> alee: yeah, I ask that a lot
21:05 <rm_work> but in this case I think it makes sense
21:05 <rm_work> what if you *don't* want to use Certmonger? :/
21:05 <alee> what other candidates are there out there?
21:05 <rm_work> there's one
21:06 <rm_work> not that it's usable in production :P
21:06 *** bubbva has quit IRC
21:06 *** bubbva has joined #openstack-barbican
21:07 <alee> rm_work, yeah - that's my point.  I'm all for creating an interface if there are plenty of viable options out there.
21:07 <rm_work> i mean, there's one example, i can't imagine there aren't others
21:07 *** SheenaG1 has joined #openstack-barbican
21:08 <rm_work> I just don't know that tying Certmonger directly into Neutron as a hard dependency is a great idea
21:08 <hyakuhei> No it isn't
21:09 <hyakuhei> It's a bad idea for a whole bunch of the things Neutron wants to do
21:09 <hyakuhei> Well, I'm thinking of LBaaS/Octavia actually
21:09 <rm_work> I'm the LBaaS/Octavia dev that's working on TLS support :P
21:09 <rm_work> so yes
21:10 <alee> hyakuhei, rm_work - why is it a bad idea?
21:10 <hyakuhei> heh yeah. CertMonger doesn't make much sense there to my basic understanding of what you're trying to do
21:10 <rm_work> yeah it's a bit of overkill
21:10 <hyakuhei> I'd expect you to just use barbican-client
21:10 <rm_work> that is the plan
21:10 <alee> rm_work, there is no need to track the certs?
21:11 <rm_work> also, we're talking about two distinct things here
21:11 <rm_work> CertManager and CertGenerator
21:11 <rm_work> CertManager is just storing already-defined (user-defined) certs in Barbican, and retrieving them
21:11 <rm_work> they're *just secrets*
21:11 <rm_work> has nothing to do with CAs, etc
21:12 <rm_work> the problem with KeyMgr is that it only accounts for Secrets, not Containers
21:12 <rm_work> we just need a Container version of KeyMgr, at the end of the day
21:12 <alee> rm_work, fair enough - but I wouldn't call that a CertManager then.
21:12 <rm_work> now, for CertGenerator, we might look at something like Certmonger as an implementation
21:13 <rm_work> but more likely we could just go straight to Barbican
21:13 <rm_work> having the extra service would be a lot of overhead and would add to our security workflow
21:13 <rm_work> we're trying to limit touchpoints
21:13 <rm_work> alee: what would you call it?
21:14 <alee> potentially yes
21:14 <rm_work> well, KeyMgr doesn't support RSAContainers for some reason
21:14 <rm_work> not sure why
21:14 <rm_work> maybe if it did, then we could use it
21:14 <rm_work> since it would have to support Containers generically
21:14 <alee> maybe it should
21:14 <rm_work> so, that's the discussion I'd like to have
21:15 <rm_work> and when I said "merge CertManager into the project with KeyMgr", what I really meant was "get that functionality in there somehow"
21:15 <rm_work> whether it's explicitly another class or not
21:15 <alee> it seems like KeyMgr should probably support retrieval of groups of secrets
21:15 <rm_work> their current implementation does not
21:15 <rm_work> and is very much not useful to us
21:15 <rm_work> but if it were designed with CertManagement in mind
21:15 <alee> after all - as you say - it's just retrieving secrets
21:16 <rm_work> it might be worthwhile
21:16 * hyakuhei has been informed that he's done for the night. Cheers all
21:16 <woodster_> Castellan is intended to break that barbican dependency for integrated projects though, and allow for other key mgr impls. In my mind that extends to secrets and containers. The cert stuff is pulling some orders functionality (via cert orders) into the mix it sounds like.
21:16 * rm_work waves at hyakuhei
21:16 <tkelsey> later hyakuhei
21:17 <rm_work> woodster_: yes and no
21:17 <rm_work> woodster_: CertManager -- is not
21:17 <woodster_> hyakuhei, good night
21:17 <rm_work> woodster_: CertGenerator -- is
21:17 <rm_work> I don't care about CertGenerator
21:17 <rm_work> that can be custom in our repo
21:17 <rm_work> CertManager is the part that I think should be merged
21:17 <woodster_> rm_work, got you
21:18 <tkelsey> think I'm going to follow hyakuhei's good example. Later all.
21:18 <woodster_> well, if it means we don't have to come up with yet another repo name...
21:18 <woodster_> tkelsey, good night as well..
21:18 <redrobot> laters tkelsey
21:18 <alee> rm_work, as for going to barbican directly for CertGenerator - you still have to answer the question of what parameters need to be passed for the cert request.  if we decide to make that cmc requests in general, then you have to support cmc functionality.
21:18 <rm_work> yeah, I just want to propose that WHATEVER you end up writing as the interface project, should support Container handling as well as just Secrets
21:18 <rm_work> alee: yeah I'm not super concerned about that
21:19 <rm_work> the implementation would handle it
21:19 *** stanzi has joined #openstack-barbican
21:19 <alee> rm_work, and if we'll do that in certmonger - no need to re-implement.
21:19 <rm_work> that is the use-case
21:19 <rm_work> in the test file
21:20 <rm_work> the sign_cert method takes a CSR and returns a cert
21:20 <rm_work> how that's done is up to the implementation -- if Barbican ends up using CMC as its interface, I'd write something to convert it to that and pass it to Barbican using some config-values to fill in anything static
<rm_work> right now:
21:21 <rm_work> not so useful :)
21:21 <alee> rm_work, yup
21:22 <rm_work> i really doubt we'll end up using anything as heavy as Certmonger
21:22 *** tkelsey has quit IRC
21:22 <rm_work> but to understand why, you REALLY have to understand our use-case
21:22 <rm_work> which is admittedly a bit odd
21:22 <rm_work> Octavia uses one-time throwaway certs
21:23 <rm_work> ... kinda
21:23 <alee> rm_work, not sure why you think certmonger is "heavy" - it's a C app that just talks either directly to a CA or potentially to barbican
<openstackgerrit> Merged openstack/barbican: Added test to check that an expired secret cannot be retrieved
21:24 <alee> rm_work, but we can debate that later.
21:24 <rm_work> alee: it's something else running on the system
21:24 <rm_work> that we have to install and maintain
21:25 <rm_work> Diagram 1 is CertManager, Diagram 2 is CertGenerator
21:25 *** stanzi has quit IRC
21:25 <alee> rm_work, woodster_ there are two ways to look at this for cert management.  One is that we are just retrieving collections of secrets.  One is that we have generated a cert and we need to get it back.
21:26 *** stanzi has joined #openstack-barbican
21:26 <rm_work> alee: yes, thus two interfaces
21:26 <rm_work> though we actually *don't* need the generated cert to be stored at all
21:26 <rm_work> it's essentially throwaway
21:27 <rm_work> we will never need to retrieve it again
21:27 <rm_work> and if we lose it, no one cares
21:27 <alee> rm_work, sure - in the general case, it may need to be retrieved later
21:27 <rm_work> yes, which is why CertGenerator isn't really something we feel needs to be shared
21:27 <rm_work> we'll keep that local to our project
21:27 <rm_work> CertManager is the part that needs to be shared
21:27 <alee> ok fair enough
21:29 <alee> woodster_, reaperhulk, redrobot - anyone else still around?
21:29 <rm_work> it's funny, because when we do use Barbican for CertGenerator, we'll have to make it immediately delete the Cert data from Barbican after it generates it and retrieves it >_>
21:30 <rm_work> or else we'd end up with a TON of cruft
21:30 <redrobot> alee o/
21:31 <woodster_> alee, yep still around. rm_work, I think that is why we'd talked about maybe having a synchronous API option for such throwaway certs
21:31 *** rellerreller has quit IRC
21:33 <alee> woodster_, reaperhulk, rm_work, redrobot what do you guys think about using cmc requests as the new standard cert api?
21:34 <alee> (and anyone else)
21:38 <woodster_> alee, I think we might need to allow for more than one format perhaps, including csrs? We've also talked about use cases where barbican generates the private key and then the CSR. So maybe we need a 'format' key added to the 'meta' field to specify this?
21:39 <alee> woodster_, well remember that simple cmc == pkcs10
21:39 <alee> ie. same as csr.
21:40 <alee> woodster_, so we could support simple cmc == csr, full cmc
21:40 <woodster_> alee, I guess that's true. So are you thinking CMC plus a CA flavor/id reference?
21:40 <woodster_> ...on the order request that is
21:40 <alee> and then potentially the other case, where we provide a reference to a secret and barbican generates a csr
21:41 <alee> yup - flavor/id for sure
21:41 <alee> this is starting to sound like a spec I need to write ..
21:41 <woodster_> indeed :)
21:42 *** stanzi has quit IRC
21:42 <alee> ok - let me do that and we can continue the discussion in there.
21:42 *** stanzi has joined #openstack-barbican
21:43 <alee> rm_work, I would suggest you think about writing a spec for updating the KeyManager interface for containers too.
21:44 <alee> I think that's the right approach for what you are trying to do here.
21:44 <alee> which is basically store and retrieve containers of secrets
21:45 <woodster_> rm_work, alee, redrobot, as for the cert manager, it does seem that a simplified interface in Castellan would be a good generic way to go. Maybe the way to proceed on that is to create the repo with basic key manager impl first, and then have CRs for adding containers support and cert manager support?
21:45 <woodster_> ...and have discussion continue on in those respective CRs?
<openstackgerrit> Thomas Dinkjian proposed openstack/barbican: Moved secret functional tests to data driven tests
21:47 <alee> yes -- well what rm_work is proposing for CertManager is really retrieving secrets
21:47 <alee> and containers of secrets
21:52 *** tkelsey has joined #openstack-barbican
21:53 *** stanzi has quit IRC
21:54 *** stanzi has joined #openstack-barbican
21:56 *** tkelsey has quit IRC
21:59 *** stanzi has quit IRC
22:00 *** stanzi has joined #openstack-barbican
22:00 *** SheenaG11 has joined #openstack-barbican
22:00 *** SheenaG1 has quit IRC
22:05 *** stanzi has quit IRC
22:05 *** stanzi has joined #openstack-barbican
22:05 *** SheenaG11 has quit IRC
22:10 *** stanzi has quit IRC
22:11 *** stanzi has joined #openstack-barbican
22:19 *** kgriffs is now known as kgriffs|afk
<rm_work> alee: yes. in fact, the implementation is here:
22:28 *** tdink has quit IRC
22:33 *** stanzi_ has joined #openstack-barbican
22:33 *** stanzi has quit IRC
22:34 *** ayoung is now known as ayoung-dadmode
22:41 *** stanzi_ has quit IRC
22:43 *** SheenaG1 has joined #openstack-barbican
22:45 *** dave-mccowan_ has joined #openstack-barbican
22:47 *** dave-mccowan has quit IRC
22:47 *** dave-mccowan_ is now known as dave-mccowan
22:48 *** SheenaG1 has left #openstack-barbican
22:58 *** JeffF has quit IRC
23:00 *** ryanpetrello has quit IRC
23:09 *** akoneru is now known as akoneru_afk
23:16 *** dimtruck is now known as zz_dimtruck
23:19 *** kgriffs|afk is now known as kgriffs
23:20 *** nkinder has quit IRC
23:21 *** gyee has quit IRC
23:22 *** rm_work is now known as rm_work|away
23:23 *** rm_work|away is now known as rm_work
23:23 *** ametts has quit IRC
23:23 *** jaosorior has quit IRC
23:26 *** kaitlin-farr has quit IRC
23:29 *** kgriffs is now known as kgriffs|afk
23:33 *** nkinder has joined #openstack-barbican
23:42 *** tdink has joined #openstack-barbican
23:44 *** akoneru_afk has quit IRC
23:45 *** rtom has quit IRC
23:52 *** tdink has quit IRC
23:56 *** nkinder has quit IRC

Generated by 2.14.0 by Marius Gedminas - find it at!