Monday, 2015-08-17

openstackgerritDouglas Mendizábal proposed openstack/barbican: Use "key-manager" instead of "keymanagement"
openstackgerritDave McCowan proposed openstack/barbican: hkntroduce the service-admin role
*** dave-mcc_ has joined #openstack-barbican01:25
*** dave-mccowan has quit IRC01:27
*** zz_dimtruck is now known as dimtruck01:28
openstackgerritDave McCowan proposed openstack/barbican: Introduce the service-admin role
openstackgerritPradeep Kumar Singh proposed openstack/barbican: Make files in barbican.tests.api py3 compatible Partially-Implements: blueprint barbican-py3
openstackgerritPradeep Kumar Singh proposed openstack/barbican: Make files in barbican.tests.api py3 compatible
*** dave-mcc_ has quit IRC02:14
*** dave-mccowan has joined #openstack-barbican02:21
openstackgerritPradeep Kumar Singh proposed openstack/barbican: Make tests in barbican.tests.api.middleware py3 compatible Partially-Implements: blueprint barbican-py3
openstackgerritPradeep Kumar Singh proposed openstack/barbican: Make tests in barbican.tests.api.middleware py3 compatible
*** dave-mccowan has quit IRC03:42
*** dimtruck is now known as zz_dimtruck03:54
*** openstack has joined #openstack-barbican04:17
openstackgerritPradeep Kumar Singh proposed openstack/barbican: Make files in barbican.tests.api py3 compatible
*** vivek-ebay has joined #openstack-barbican04:43
*** vivek-ebay has quit IRC05:25
*** edtubill has joined #openstack-barbican05:42
*** edtubill has left #openstack-barbican05:42
-openstackstatus- NOTICE: Gerrit is currently under very high load and may be unresponsive. infra are looking into the issue.07:05
*** Nirupama has joined #openstack-barbican07:07
*** shohel has joined #openstack-barbican07:33
*** mixos has quit IRC08:25
*** everjeje has joined #openstack-barbican08:27
*** Guest47951 is now known as d0ugal09:49
*** d0ugal has quit IRC09:49
*** d0ugal has joined #openstack-barbican09:49
openstackgerritMerged openstack/barbican: Updated from global requirements
-openstackstatus- NOTICE: (aka gerrit) is going down for an emergency restart10:19
*** ChanServ changes topic to " (aka gerrit) is going down for an emergency restart"10:19
*** ChanServ changes topic to "Barbican Liberty Mid-Cycle Sprint Aug 5-7"10:46
-openstackstatus- NOTICE: Gerrit restart has resolved the issue and systems are back up and functioning10:46
*** peter-hamilton has joined #openstack-barbican11:11
*** woodster_ has joined #openstack-barbican11:46
*** chlong has quit IRC11:59
*** dave-mccowan has joined #openstack-barbican12:15
openstackgerritDave McCowan proposed openstack/barbican: Introduce the service-admin role
*** SheenaG has quit IRC12:39
*** SheenaG has joined #openstack-barbican12:39
*** SheenaG has quit IRC12:48
*** Nirupama has quit IRC12:49
*** elmiko has joined #openstack-barbican13:07
*** lisaclark1 has joined #openstack-barbican13:19
dave-mccowanalee_ ping13:24
alee_dave-mccowan, yo13:25
dave-mccowanalee_ are you planning on review the CRs for the quotas blueprint?13:25
alee_dave-mccowan, I can. I wasn't planning to look into them in much detail.  figured there was enough interest from other cores.13:27
alee_dave-mccowan, are you held up on reviews?13:28
*** kfarr has joined #openstack-barbican13:29
dave-mccowanalee_ yea, i think i'm stuck now.  i have four outstanding CRs for quotas.  the good news is that all the big pieces are done, but the next step is stitching them together which will be much easier if they have landed (and I know there won't be big refactoring based on reviews).13:31
alee_dave-mccowan, ok I'll try to get to them later today13:32
dave-mccowanwoodster_ ^^ do have plans to look some more at the quotas blueprints?  there are 4 now.  you gave a +2 on one of them that needs to be re-newed.13:33
*** SheenaG has joined #openstack-barbican13:36
*** rellerreller has joined #openstack-barbican13:52
woodster_dave-mccowan: I'll take a look at them today as well13:58
*** chlong has joined #openstack-barbican14:04
dave-mccowanwoodster_ thanks!14:07
*** dave-mccowan has quit IRC14:08
*** zz_dimtruck is now known as dimtruck14:09
*** dave-mccowan has joined #openstack-barbican14:23
*** lisaclark1 has quit IRC14:23
*** silos has joined #openstack-barbican14:25
redrobotGood (UGT) morning!14:29
*** silos is now known as silos_away14:30
openstackgerritNathan Reller proposed openstack/barbican: Integrated with PyKMIP Pie API
*** lisaclark1 has joined #openstack-barbican14:37
*** lisaclark1 has quit IRC14:42
*** lisaclark1 has joined #openstack-barbican14:52
*** igueths has joined #openstack-barbican15:05
*** morgan_503 is now known as morgan_254915:06
*** pglass has joined #openstack-barbican15:07
*** shohel has quit IRC15:14
*** spotz_zzz is now known as spotz15:17
*** silos_away is now known as silos15:17
*** chlong has quit IRC15:18
arunkantwoodster_, redrobot, can you revisit ACL barbican client reviews as I have made changes as per meetup discussion.15:25
arunkantThere are 3 dependent reviews ( )15:26
*** chlong has joined #openstack-barbican15:32
woodster_arunkant: I'll work to catchup on those today15:33
*** pglass has quit IRC15:37
*** pglass has joined #openstack-barbican15:38
*** chlong has quit IRC15:38
*** ccneill has joined #openstack-barbican15:39
*** chlong has joined #openstack-barbican15:40
*** nkinder has joined #openstack-barbican15:42
*** darrenmoffat has quit IRC15:42
*** darrenmoffat has joined #openstack-barbican15:43
*** xaeth_afk is now known as xaeth15:45
openstackgerritMerged openstack/barbican: Replace python-ldap with ldap3 library
*** gyee has joined #openstack-barbican15:56
*** silos1 has joined #openstack-barbican16:00
*** silos has quit IRC16:02
*** everjeje has quit IRC16:02
openstackgerritKaitlin Farr proposed openstack/castellan: Add unit tests for managed objects
*** vivek-ebay has joined #openstack-barbican16:14
*** david-ly_ is now known as david-lyle16:15
*** dave-mccowan has quit IRC16:27
*** vivek-ebay has quit IRC16:29
*** vivek-ebay has joined #openstack-barbican16:50
*** lisaclark1 has quit IRC17:00
*** lisaclark1 has joined #openstack-barbican17:03
*** lisaclark2 has joined #openstack-barbican17:08
*** lisaclark2 has quit IRC17:09
*** vivek-ebay has quit IRC17:10
*** lisaclark1 has quit IRC17:10
*** lisaclark1 has joined #openstack-barbican17:12
*** vivek-ebay has joined #openstack-barbican17:14
*** lisaclark1 has quit IRC17:35
alee_kfarr, rellerreller ping17:38
kfarralee_ pong17:38
alee_kfarr, rellerreller - I'm going throught the encrypted volume tempest test and trying to see what would need to be set up to use barbican17:39
alee_kfarr, rellerreller first off - are there docs anywhere that detail how an operator would do all this?17:39
alee_ie. a HOWTO for encrypted volumes?17:39
alee_I think I can reconstruct the cli steps based on the tempest test -- but wanted to see if there was anything documented out there ..17:40
rellerrellerkfarr had some tempest tests.17:40
kfarralee_ here's what's in the openstack manuals:
kfarrI'm pretty sure there's other documentation about setting it up with Barbican specifically17:41
kfarrI'm going to look, one sec17:41
alee_kfarr, cool - the steps there mirror what I dug out of the tempest tests .. now for barbican  ..17:44
alee_rellerreller, kfarr incidentally I'm assuming the cinder and nova config with Barbican is global, right?  is not project specific?17:45
kfarralee_ not finding any documentation at the moment17:45
kfarralee_ you'd have to change both nova.conf and cinder.conf to point to Barbican, if that's what you meant17:45
rellerrelleralee_ I don't understand.17:45
alee_kfarr, do you have an example -- say from a tempest riun or otherwsie?17:46
alee_rellerreller, I think my question might be answered when I see a config example ..17:47
rellerrelleralee_ I hope so17:48
kfarralee_ you might have to give me a moment, but I'll get you something17:48
alee_kfarr, thanks17:48
alee_rellerreller, can I configure nova and cinder to store/retrieve keys in barbican X for encrypted volumes only for project X ?17:49
rellerrelleralee_ I believe it is configured per volume.17:50
*** lisaclark1 has joined #openstack-barbican17:50
openstackgerritKaitlin Farr proposed openstack/castellan: Update Barbican wrapper
rellerrelleralee_ when you create a volume it is indicated as encrypted volume type.17:50
*** peter-hamilton has quit IRC17:52
hockeynutmy kingdom for a workflow:
redrobothockeynut done17:53
hockeynutgrassy ass!17:53
redrobothockeynut trade you for a +W on
hockeynutquid pro quo17:54
hockeynutbest 2 LOC ever.17:54
kfarralee_ in nova.conf, you'll need "api_class = nova.keymgr.barbican.BarbicanKeyManager" in the [keymgr] section17:57
kfarrsimilarly in cinder.conf, you'll need "api_class = cinder.keymgr.barbican.BarbicanKeyManager" in the [keymgr].17:58
alee_kfarr, anything else?  location of barbican perhaps?17:58
kfarrI've gotta run, will be back in an hour17:58
kfarrBarbican's just gotta be running17:58
kfarrand the endpoint in keystone17:59
alee_kfarr, the doc'ed steps are interesting but seem to be missing a few steps17:59
alee_kfarr, for one thing, the tempest steps has a keypair create step18:00
alee_and then when the server is created , a key_name is passed to it ...18:00
*** rellerreller has quit IRC18:01
alee_but that makes sense as its doc'ing a single key for all volumes18:01
hockeynutredrobot ping18:06
redrobothockeynut pong18:06
hockeynutI wanna add an item to the agenda for today's IRC mtg.18:06
hockeynutjust update the wiki pg with the agenda, or is there a tool for that?18:06
hockeynutadded it18:10
*** ccneill has quit IRC18:14
*** mixos has joined #openstack-barbican18:19
spotzredrobot can you abandon this review for me?
rm_workredrobot: i am concerned a little bit because your comment on castellan-certs raised the first couple of *actually valid* points against it that i've seen so far T_T18:19
*** ccneill has joined #openstack-barbican18:20
redrobotrm_work sorry, bud. :(18:20
rm_workyeah, specifically of concern is ""18:20
rm_workwrong copy/paste18:20
rm_work"We would also need to provide some service to make the creation of bundles easy for the user since they would need to be stored in the device first so the bundle reference can be made available"18:21
rm_workwhich is ... a problem18:21
rm_workand pretty much kills this in dead in the water18:21
rm_worki overlooked that problem originally, and it's a big one18:22
rm_worki honestly don't have any ideas about how to solve it18:22
redrobotthe storage service that solves it is Barbican18:22
rm_workand i'm tempted to make a patch to change neutron-lbaas/octavia to take three separate refs T_T18:22
rm_workbecause otherwise we can't stay generic18:23
rm_workeven if we have a certs interface, there's no way for users to store things reliably in the correct format besides for barbican18:23
rm_worksince the USER doesn't use the castellan interface18:25
rm_worki was thinking "the store method here makes it easy!" but nothing exposes that to the user, it isn't a real service18:25
*** everjeje has joined #openstack-barbican18:25
rm_workonly devs have access to use that18:25
alee_kfarr, nm - I see that the cinder code will create the key on barbican for me when I create the volume.18:29
redrobotspotz done18:30
alee_kfarr, I assume the key id is in the field encrypted_id ?18:30
spotzThanks redrobot:)18:30
alee_kfarr, and is what nova uses to retrieve the key?18:31
openstackgerritMerged openstack/barbican: Ensure a http 405 is returned on container(s) PUT
openstackgerritMerged openstack/barbican: Use "key-manager" instead of "keymanagement"
*** vivek-ebay has quit IRC18:46
*** vivek-ebay has joined #openstack-barbican18:56
*** dave-mccowan has joined #openstack-barbican19:01
kfarralee_, just got back, yes that sounds right19:03
kfarrCinder should create the key, store the key uuid as metadata, which nova will then retrieve to boot the volume19:03
*** vivek-ebay has quit IRC19:07
*** vivek-ebay has joined #openstack-barbican19:10
*** peter-hamilton has joined #openstack-barbican19:10
*** SheenaG has left #openstack-barbican19:12
alee_kfarr, cool thanks19:14
alee_rm_work, unfortunately I wont be able to make it to the weekly meeting.  I'll read the transcript with great interest though.19:15
rm_workalee_: eh, i think redrobot killed it19:18
rm_workmight be the shortest conversation ever19:18
alee_rm_work, less for me to read then ;/19:18
rm_workbecause unless Castellan becomes a SERVICE (which is unarguably outside any intended scope) there's no way to use the interface as an *end user* to store stuff19:19
rm_workwhich means there's no way for it to enforce its own container system19:19
rm_workwhich means... dead19:19
rm_workmight just go abandon everything now <_<19:19
redrobotrm_work if it's any consolation, your perseverance and tenacity on this was the stuff of legends19:21
redrobotrm_work people will be talking about the Castellan discussions for years to come19:21
rm_workI just wish I had realized that flaw earlier -- where were you a week (or 6 months) ago, redrobot? T_T19:25
*** lisaclark1 has quit IRC19:28
arunkantrm_work, just reading your comments and not castellan cert functionality supposed to have a backing impl like barbican which can store the container relationship.19:32
*** rellerreller has joined #openstack-barbican19:34
rm_workarunkant: the idea was "not necessarily"19:36
rm_workbut as redrobot pointed out, the solution i had in mind doesn't actually work19:37
rm_worknot because "KMIP can't store stuff" or any of those fallacies, but because the end user just doesn't have access to the storage interface it provides :(19:37
rm_workand i agree that if it's just for developers, the gain is minimal compared to just passing multiple references :/19:38
arunkantrm_work: oh its certmonger impl will not have mechanism to store container association data, I mean datastore on castellan side.19:38
rm_workI am tempted to go as far as stripping the existing interface code out of LBaaS and just opt to use Barbican :/19:39
rm_workor, i guess Castellan19:39
rm_workbut use individual items19:40
rm_workof course, that means either we have to ditch "consumer registration" or I finally have to write support for it for Secrets19:40
arunkantyou mentioned "end user just does not have access to storage interface it provides" .. does that mean end-user by default would not know what to do with container URIs and that's why will need to write additional step to use it and then request associated secrets19:42
arunkantIs that the issue ?19:42
*** lisaclark1 has joined #openstack-barbican19:47
rm_workif a deployer chose not to use Barbican, but instead wanted to use a KMIP device to store things directly, the end user can't store things in that device via the function, because Castellan isn't a running service, its a developer library19:49
rm_workso even if Castellan-certs defined a way to store linked objects in KMIP, that doesn't allow the user to take advantage of it19:49
rm_workin fact I am not even sure how an *end-user* would store data in the KMIP device Castellan accesses19:50
rm_workat all19:50
peter-hamiltonrm_work: what do you mean?19:54
rm_workthe *end-user* needs a service available to store data19:55
rm_worklike what Barbican does19:55
rm_worklooking at it from a "backend" perspective for your service (for example LBaaS), Barbican or a KMIP device are interchangable, because i can read from either using the same Castellan interface19:56
rm_workbut from a user perspective, I need to store the cert/key info before LBaaS can retrieve it, and there is ONLY barbican for that19:56
rm_workthere's no other service running that allows me, as a user, to store cert info in some KMIP device19:57
rm_workthat is the whole point of Barbican19:57
rm_workto provide the end-user service layer19:57
peter-hamiltonrm_work: ah, i see19:57
rm_workLBaaS doesn't ever store its own cert data, it relies on the user to do that up front, and pass in references19:58
peter-hamiltonrm_work: i envision there being some sort of castellanclient that you would use to establish a connection to the backend19:58
rm_workyeah, but that doesn't exist19:58
rm_workand since Castellan isn't a service...19:58
peter-hamiltonrm_work: true but it could19:58
rm_worknot easily19:58
rm_workCastellan would have to essentially become a service like Barbican19:58
rm_workbecause you can't make a "client" for it without having credentials to the backend HSM19:58
rm_workit's just a developer library19:59
peter-hamiltonrm_work: correct, you would need to provide credentials, but not much else19:59
rm_workno one is going to expose their HSM directly to users, AFAIK19:59
*** vivek-ebay has quit IRC20:01
peter-hamiltonrm_work: i agree, no one (in their right mind :) would open up general anon access to an HSM20:01
peter-hamiltonrm_work: but castellan could provide the framework for establishing that connection20:01
redrobotweekly meeting starting now on #openstack-meeting-alt20:01
rm_workessentially you'd be defining another service exactly like what Barbican already does20:02
rm_workBarbican *is* a service to provide a front-end to a HSM, with support for CertContainers20:02
peter-hamiltonrm_work: this would be client-only, direct to the backend, nothing in the middle20:02
rm_workbut you already agreed that no one would open up access to a HSM to the public20:03
peter-hamiltonrm_work: you would need a backend and access to it, that's all20:03
rm_workwhat backend?20:03
rm_workthe backend has to be the HSM20:03
peter-hamiltonrm_work: one you own, or one you've been given access to20:03
rm_workthat isn't particularly feasible for the use-case we're talking about20:04
peter-hamiltonrm_work: that may be, i guess i'm thinking more in the general case20:04
rm_workwell, you can feel free to pick up the cause :P20:05
peter-hamiltonrm_work: haha, sadly i've got my hands full20:06
*** crc32 has joined #openstack-barbican20:15
*** SheenaG has joined #openstack-barbican20:18
*** lisaclark1 has quit IRC20:20
*** lisaclark1 has joined #openstack-barbican20:20
*** SheenaG has quit IRC20:26
*** spotz is now known as spotz_zzz20:28
*** rellerreller has quit IRC20:41
*** peter-hamilton has quit IRC20:43
*** mmdurrant has joined #openstack-barbican20:57
*** silos1 has left #openstack-barbican20:59
*** vivek-ebay has joined #openstack-barbican21:00
openstackgerritSteve Heyman proposed openstack/barbican: Use config rather than hardcoded admin id from Quotas test
openstackgerritSteve Heyman proposed openstack/barbican: Use config rather than hardcoded admin id from Quotas test
*** igueths has quit IRC21:12
*** SheenaG has joined #openstack-barbican21:19
*** lisaclark1 has quit IRC21:19
*** SheenaG has left #openstack-barbican21:21
dave-mccowanredrobot, woodster_, is keystone v2 a requirement?  looks like all our stuff is already on v3.21:22
redrobotdave-mccowan nope.... If you want to upgrade the policy to v3 that's fine by me.21:23
*** pglass has quit IRC21:25
rm_workwoodster_ / dave-mccowan responded on
*** lisaclark1 has joined #openstack-barbican21:52
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements
dave-mccowanrm_work  thanks.  the quotas are set in a different CR.
*** xaeth is now known as xaeth_afk22:30
*** chlong has quit IRC22:34
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements
rm_workdave-mccowan: ok, i see... so is there an answer to my question that I am going to actually like? :P22:37
*** lisaclark1 has quit IRC22:39
dave-mccowanrm_work  ah, i see your other question now.  in your question who registers a consumer?  the user who consumes, or the owner of container?22:42
rm_workthe user who consumes22:42
rm_workin this case, it is a service account22:42
rm_workone service account22:43
rm_workand one customer (for example some of our larger existing customers already have this scale) might have hundreds of TLS LBs22:43
*** lisaclark1 has joined #openstack-barbican22:43
rm_workeach with their own Barbican container22:43
rm_workso our service account might need to register 100 consumers (or even 1000 depending on if we got another large customer) with the same user22:44
rm_workwould that require upping the quota globally?22:44
rm_workif so, that'd make quotas pretty useless in our deployment :(22:44
dave-mccowani'm not set on any solution.  if setting a quota on consumers doesn't make sense, we can rip it out of the spec and code.  if it makes sense, a different way, i can code it a different way.22:45
*** lisaclark1 has quit IRC22:45
*** lisaclark1 has joined #openstack-barbican22:45
* dave-mccowan stepping out for a few minutes22:45
*** lisaclark1 has quit IRC22:50
*** dimtruck is now known as zz_dimtruck22:56
*** ccneill has quit IRC22:56
*** vivek-ebay has quit IRC22:57
*** vivek-ebay has joined #openstack-barbican23:07
*** mixos has quit IRC23:15
*** crc32 has quit IRC23:51
* dave-mccowan is back23:55
dave-mccowanrm_work everything is by project, not user.  i can write the code to "charge" the quota against whatever project.  does it make sense to charge the "target project"?23:56

Generated by 2.14.0 by Marius Gedminas - find it at!