Wednesday, 2015-05-27

*** nelsnelson has quit IRC00:11
*** david-lyle has quit IRC00:20
*** kebray has quit IRC00:45
*** nelsnelson has joined #openstack-barbican00:46
jvrbanacalee, sry. Meeting heavy day. I don't think anyone is currently tackling writing docs for orders yet.01:22
*** jamielennox|away is now known as jamielennox01:23
*** david-lyle has joined #openstack-barbican01:35
*** zz_dimtruck is now known as dimtruck01:47
*** dave-mccowan has joined #openstack-barbican02:00
*** SheenaG1 has quit IRC02:03
*** david-lyle has quit IRC02:33
*** gyee has quit IRC02:36
*** pglass has quit IRC02:42
*** kebray has joined #openstack-barbican02:53
*** kebray has quit IRC02:53
*** nelsnelson has quit IRC02:53
*** nelsnelson has joined #openstack-barbican02:54
*** dave-mccowan has quit IRC03:04
*** kebray has joined #openstack-barbican03:08
*** david-lyle has joined #openstack-barbican03:11
*** dave-mccowan has joined #openstack-barbican03:36
*** jaosorior has joined #openstack-barbican03:44
rm_workjaosorior: back to TX03:52
rm_worki hadn't gone back yet03:52
jaosoriorrm_work: aaah, that makes sense03:55
jaosoriordamn, jetlag is hitting pretty hard again, woke up at 4am X_x03:55
*** dave-mccowan has quit IRC04:09
*** dimtruck is now known as zz_dimtruck04:15
*** kebray_ has joined #openstack-barbican06:32
*** kebray has quit IRC06:36
*** nickrmc83 has joined #openstack-barbican07:32
*** chlong has quit IRC07:45
*** kebray_ has quit IRC08:03
*** everjeje has joined #openstack-barbican08:17
*** jaosorior has quit IRC09:42
*** openstack has joined #openstack-barbican11:37
*** darrenmoffat has joined #openstack-barbican11:37
*** jaosorior has joined #openstack-barbican12:19
*** rellerreller has joined #openstack-barbican12:41
*** dave-mccowan has joined #openstack-barbican13:48
*** zz_dimtruck is now known as dimtruck14:03
*** pglass has joined #openstack-barbican14:05
*** chlong has joined #openstack-barbican14:05
*** kfarr has joined #openstack-barbican14:10
*** nelsnelson has quit IRC14:38
*** silos has joined #openstack-barbican14:42
*** nelsnelson has joined #openstack-barbican14:53
siloshey all. At the conference I heard someone is working on a way to hook up multiple KLM's to barbican. I'm interested in learning more about this and getting my hands dirty with it myself. Could someone point me in the direction of who is in charge of this?15:08
redrobothi silos!  I'm not sure what a KLM is?15:09
silosredrobot: Ah. sorry. It's an instance of a KMIP server.15:11
*** kebray has joined #openstack-barbican15:11
silosredrobot: I think I messed up the acronyms :/. I meant trying to hook up multiple KMIP servers.15:12
kfarrsilos, I remember Joel was talking to that person, but I don't know his name.  I can ping Joel to see if he remembers15:16
redrobotsilos hmm... well, I'm not entirely sure we would want to do that.  Currently barbican can support an arbitrary number of plugins, but I don't think we can have more than one instance of a particular type.15:17
siloskfarr: thanks!15:17
redrobotsilos we actually have a blueprint to change the way plugins are loaded to have just one read/write plugin and many read-only plugins15:17
silosredrobot: ah. I see.15:18
redrobotsilos last summit (Paris) we agreed that it would be better for barbican to be very explicit about which HSM device is used for storage.   We're recommending that people who have more than one device for read/write deploy one barbican per device.15:19
*** xaeth_afk is now known as xaeth15:20
redrobotsilos but if you have a strong use case, a blueprint would be the first step in getting the ball rolling.15:20
silosredrobot: that makes sense.15:20
*** SheenaG has joined #openstack-barbican15:21
silosredrobot: I think the idea was that it allows for easier multi-tenancy by being able to hook up multiple plugins to a single barbican.15:21
redrobotsilos how so?15:23
redrobotsilos are you wanting to provision a device per tenant/domain ?15:23
*** nelsnelson has quit IRC15:24
silosredrobot: yes that's the idea.15:28
redrobotsilos interesting.... sounds crazy expensive... I think it could be done with a custom plugin, without having to change the barbican service.  It may be worthwhile to write up a blueprint for it.15:29
silosredrobot: ah custom plugin! good idea. I'll try and work on a blueprint after hooking up with who is also working on this.15:32
darrenmoffatwhy expensive ?  multi-tenancy doesn't always imply lots of tenants it could just be two or three.  Also the back end HSM might be virtualising via different addresses/ports/accounts15:32
darrenmoffatfor example  customer doing private cloud where the tenants are separated by Line of Buisness or maybe something like PCI-DSS in scope vs out of scope systems15:33
redrobotdarrenmoffat I suppose for a small cloud it wouldn't be too bad... I'm still not sure that it would be any more secure than using different keys though.15:35
redrobotI guess it would depend on who has access to the devices?15:35
* redrobot shrugs15:35
jaosoriorredrobot: ping15:41
redrobotjaosorior pong15:41
jaosoriorcan you help me out debugging something from the gate?15:42
redrobotjaosorior I can try.  What's up?15:42
jaosoriorredrobot: the CR from project-config that this depended on was merged. And I've been trying to run the dogtag gate on it. But the installation fails15:42
jaosoriorredrobot: what's weird, is that it seems to fail while installing ldap in the "Install barbican" step15:43
*** SheenaG has quit IRC15:43
*** nelsnelson has joined #openstack-barbican15:46
woodster_silos: darrenmoffat Regarding the HSM plugin dev, there is some documentation available here:
woodster_silos: darrenmoffat The 'bind_kek_metadata()' method is invoked for each project-id a secret is stored under (see
*** igueths has joined #openstack-barbican15:48
openstackgerritMerged openstack/barbican: Add more users/roles to secret/container RBAC tests
rellerrellersilos Instead of having a new KMIP plugin for each tenant you could modify the existing KMIP plugin to store secrets on a particular KMIP device based on some routing strategy.15:50
woodster_silos: darrenmoffat Actually scratch all of said this was a multi-KMIP plugin15:50
siloswoodster_: thanks. It's still good to have this knowledge15:51
rellerrellersilos We have talked about that. For instance if one KMIP device cannot handle enough keys then have multiple devices. That requires storing the KMIP device URL in the metadata that is returned. It should not take long.15:51
woodster_silos: well we have two key management modes...the KMIPs are at a 'secret store' level, whereby the secret storage device is separate from Barbican. The crypto-plugin stuff I mentioned above is a lower level interface whereby Barbican stores the encrypted information in its own database.15:52
silosrellerreller: I think that's what redrobot was hinting at about the custom plugin. Except in this case we would just add that functionality to the KMIP plugin itself instead of creating a new plugin.15:53
*** barra204 has quit IRC15:54
siloswoodster_: true true.15:55
*** everjeje has quit IRC15:57
woodster_silos: rellerreller I think what's missing is adding the project ID to the SecretDTO (here the store_secret() method can use that to select the KMIP backend15:59
*** SheenaG has joined #openstack-barbican16:00
rellerrellerwoodster_ Yes, you would definitely need that.16:01
rellerrellerwoodster_ I think I might have noticed that while working on content types. I think if you add that then the HSM secret store would not need the context any longer and could implement the SecretStore interface.16:02
rellerrellerwoodster_ I _think_ :)16:02
*** rellerreller has quit IRC16:05
*** rellerreller has joined #openstack-barbican16:07
*** Kevin_Bishop has joined #openstack-barbican16:09
*** xaeth is now known as xaeth_afk16:12
woodster_rellerreller: hmmm...possibly. Now that we are using request-scoped transactions, not as big a deal to hit sqlalchemy multiple times to get the same models (like the project and secret models).16:13
*** chadlung has joined #openstack-barbican16:34
*** xaeth_afk is now known as xaeth16:53
*** nickrmc83 has quit IRC16:56
*** kebray has quit IRC17:00
*** kebray has joined #openstack-barbican17:04
*** everjeje has joined #openstack-barbican17:23
arunkantjaosorior: Can you check my reply comments for . And let me know what you think.17:25
*** chlong has quit IRC17:53
reaperhulkI got an apology from Hyatt for their terrible elevator system17:53
*** kebray has quit IRC17:55
chellygelreaperhulk, did it have any $$$ with it?17:56
chellygelwhat a shitty apology :P17:58
*** kebray has joined #openstack-barbican17:58
*** SheenaG has left #openstack-barbican18:07
*** Kevin_Bishop has quit IRC18:07
*** Kevin_Bishop has joined #openstack-barbican18:19
*** SheenaG has joined #openstack-barbican18:40
*** dave-mccowan has quit IRC18:52
*** dave-mccowan has joined #openstack-barbican19:10
*** chadlung has quit IRC19:16
*** chadlung has joined #openstack-barbican19:16
*** gyee has joined #openstack-barbican19:16
*** kebray has quit IRC19:23
*** redrobot sets mode: +v chellygel19:23
*** redrobot sets mode: +v alee19:23
*** redrobot sets mode: +v hockeynut19:23
*** redrobot sets mode: +v kfarr19:23
*** redrobot sets mode: +v jvrbanac19:23
*** redrobot sets mode: +v chadlung19:24
*** redrobot sets mode: +v rellerreller19:24
*** redrobot sets mode: +v woodster_19:24
*** redrobot sets mode: +v jaosorior19:26
*** rellerreller has quit IRC19:41
*** SheenaG has left #openstack-barbican19:42
openstackgerritSteve Heyman proposed openstack/barbican: Complete RBAC tests for secrets
*** kebray has joined #openstack-barbican20:20
*** kfarr has quit IRC20:22
*** barra204 has joined #openstack-barbican20:35
*** kebray has quit IRC20:48
*** kebray has joined #openstack-barbican20:48
*** barra204 has quit IRC20:50
dave-mccowanhockeynut ping20:50
hockeynutdave-mccowan yessir!20:50
dave-mccowanhockeynut are you also adding container_rbac tests?20:51
hockeynutjust finishing them up now20:51
hockeynutI broke them up into 2 CRs so they wouldn't be too huge20:51
dave-mccowancool.  i'll review 'em. :-)20:52
hockeynuthey all - looking at this page and it implies that you can issue a PUT to a container.  I believe that is wrong...20:57
redrobothockeynut that wiki page needs to die a horrible death.  The up-to-date docs are here
hockeynutthanks.  given the cloudkeep I figured it was old...but that rbac table is nice (wrong, but nice)21:11
woodster_hockeynut: redrobot Do we have a new RBAC page now?21:19
redrobotwoodster_ I don't think so...  unless arunkant added RBAC stuff to his docs...21:20
woodster_redrobot: he's been working on the ACL stuff I think, not the RBAC stuff21:21
redrobotwoodster_ but the two are related....  ie. the ACL stuff affects how RBAC works.21:21
woodster_redrobot: when the ACL is used to greenlight a secret's access the traditional 4 roles don't apply. They certainly belong together in our docs under 'RBAC', but they do operate differently than the 4-role matrix stuff captured in the original wiki.21:23
reaperhulkredrobot: do you know Jason's email (symantec)21:24
jkfreaperhulk: I can message it to you.21:25
reaperhulkah, jkf you're here :)21:25
reaperhulkplease do, I'm going to send the "let's harass safenet about aes key wrap" email ;)21:25
jkfheheh, will do.21:26
*** dave-mccowan has quit IRC21:28
*** dave-mccowan has joined #openstack-barbican21:29
*** pglass has quit IRC21:30
*** pglass has joined #openstack-barbican21:31
*** dave-mccowan has quit IRC21:34
*** silos has left #openstack-barbican21:48
*** xaeth is now known as xaeth_afk21:54
arunkantredrobot, woodster_, I have not changed any existing container/secret API and just added ACL docs. I don't recall seeing any rbac documentation related to that22:00
woodster_arunkant: Yeah, the RBAC matrix (with the original 4 roles) need to eventually be added in a future CR.22:01
woodster_arunkant: redrobot And we still need a 5th role added, that read-only role, at some point too22:02
woodster_ arunkant: redrobot I keep forgetting about that :\22:02
redrobotwoodster_ I can add it to the list of TODOs you signed up for at the Summit :022:03
*** xaeth_afk is now known as xaeth22:04
arunkantwoodster_ , redrobot, can you guys review ACL changes (doc + code). I have updated docs with statement related to near future change.22:05
*** pglass has quit IRC22:05
redrobotarunkant I'll try to get to it tomorrow.22:07
openstackgerritJoe Gordon proposed openstack/barbican: Drop incubating theme from docs
openstackgerritJoe Gordon proposed openstack/barbican-specs: Drop incubating theme from docs
*** xaeth is now known as xaeth_afk22:16
openstackgerritJoe Gordon proposed openstack/python-barbicanclient: Drop incubating theme from docs
*** SheenaG has joined #openstack-barbican22:25
*** SheenaG has left #openstack-barbican22:26
*** igueths has quit IRC22:26
*** jaosorior has quit IRC22:32
*** nelsnelson has quit IRC22:32
*** dimtruck is now known as zz_dimtruck22:35
openstackgerritJohn Wood proposed openstack/barbican-specs: Add Crypto/HSM MKEK Rotation Support (Light)
*** chadlung has quit IRC22:45
*** Kevin_Bishop has quit IRC22:53
jkfwoodster_: Regarding the key rotation specs, is there a need for two overlapping specs? The light spec covers mkeks, but the heavy weight could changed to cover just the project kek, and the rotations could be handled as two independant steps.22:57
jkfI can think of a few groups in Symantec that might want a much shorter project kek rotation schedule than a more relaxed default and it could be good to have that decoupled from mkek rotations.22:58
*** kfox1111 has joined #openstack-barbican23:02
kfox1111hey all.23:02
kfox1111anyone working on rdo barbican rpms yet?23:02
woodster_jkf: well the lightweight bp replaces wrapped project kek info in place, whereas the heavyweight one calls for adding new wrapped project kek records, as well as updating secrets. They are pretty different logic, so I wouldn't consider them overlapping. If you just wanted to update the project keks (and wrapping them with current MKEK), you'd still be using23:02
woodster_the heavyweight process I'd say.23:02
woodster_kfox1111: yes, alee (Ade) and xaeth (Greg Swift here at Rackspace) are working on that...I don't know much beyond that23:03
woodster_arunkant: I'll take a look at your CRs tonight/tomorrow morning btw23:03
jkfI was just thinking overlapping in that they both describe the mkek process, with the heavy bp going on to describe the project kek process as well.23:04
*** chlong has joined #openstack-barbican23:05
kfox1111I looked at some packaging a few months ago, I think by maybe those folks, but I need to redeploy it again, and was hoping something was coming soon so I wouldn't have to build it myself.23:05
woodster_jkf: the project kek processing itself is different between the two though...the lightweight one reuses the generated project kek for example, just re-wrapping with the new MKEK. If you really want a truely new project KEK for your secrets, the heavyweight approach is needed, even if you don't rotate your MKEK.23:06
woodster_elmiko: are you there?23:06
kfox1111I've got part of the nova instance user prototype built, and am at the point I need to get it test talking to barbican.23:06
kfox1111gota see if an unscoped keystone token will work with barbican acl's.23:06
woodster_kfox1111: elmiko and alee are working together on the RDO side of things I think23:06
kfox1111ok. I'll try and get a hold of them. thanks. :)23:07
jkfwoodster_: Of course, I may be overthinking things and making something out of nothing. :)23:11
woodster_jkf: I never assume I'm right either! I do think that heavyweight Bo23:24
woodster_Would work for you though23:24
jkfWe'll need both and as long as the two processes are decoupled, in that I can rotate a project kek, without changing the mkek, or change the mkek without having to do more than just rewrap the project keks, I'm good.23:25
jkfI'm out, ttyl.23:34
*** nelsnelson has joined #openstack-barbican23:36
*** rellerreller has joined #openstack-barbican23:37
*** everjeje has quit IRC23:37
*** nelsnelson has quit IRC23:52

Generated by 2.14.0 by Marius Gedminas - find it at!