Thursday, 2016-09-01

*** diazjf has joined #openstack-barbican 00:28
*** chlong has joined #openstack-barbican 01:18
*** hockeynut has quit IRC 01:43
*** woodster_ has quit IRC 01:59
*** edtubill has joined #openstack-barbican 02:28
*** dimtruck is now known as zz_dimtruck 02:30
*** jamielennox|away is now known as jamielennox 02:41
*** zz_dimtruck is now known as dimtruck 02:47
*** su_zhang has joined #openstack-barbican 02:53
*** dave-mccowan has quit IRC 02:58
*** dave-mccowan has joined #openstack-barbican 03:02
*** dimtruck is now known as zz_dimtruck 03:02
*** zz_dimtruck is now known as dimtruck 03:23
*** dave-mccowan has quit IRC 03:41
*** su_zhang has quit IRC 03:48
*** su_zhang has joined #openstack-barbican 03:48
*** su_zhang has quit IRC 03:53
*** jamielennox is now known as jamielennox|away 04:05
*** su_zhang has joined #openstack-barbican 04:07
*** diazjf has quit IRC 04:13
*** dimtruck is now known as zz_dimtruck 04:22
*** edtubill has quit IRC 04:24
*** su_zhang has quit IRC 04:24
*** su_zhang has joined #openstack-barbican 04:24
*** su_zhang has quit IRC 04:28
*** jraim has quit IRC 04:36
*** jraim has joined #openstack-barbican 04:36
*** zz_dimtruck is now known as dimtruck 04:42
*** pcaruana has quit IRC 04:57
*** cargonza has quit IRC 05:04
*** jamielennox|away is now known as jamielennox 05:04
*** cargonza has joined #openstack-barbican 05:05
*** dimtruck is now known as zz_dimtruck 05:06
*** zz_dimtruck is now known as dimtruck 05:42
*** pcaruana has joined #openstack-barbican 06:30
*** shohel has joined #openstack-barbican 06:59
*** andreas_s has joined #openstack-barbican 07:05
*** jamielennox is now known as jamielennox|away 07:17
*** nkinder has quit IRC 07:21
*** dimtruck is now known as zz_dimtruck 07:22
*** nkinder has joined #openstack-barbican 07:24
*** shohel has quit IRC 07:38
*** jaosorior has joined #openstack-barbican 08:04
*** shohel has joined #openstack-barbican 08:10
*** shohel has quit IRC 08:11
*** toabctl_ has joined #openstack-barbican 08:57
*** DandyPandy has quit IRC 08:58
*** toabctl has quit IRC 08:58
*** jgrassler has quit IRC 08:58
*** toabctl_ is now known as toabctl 08:58
*** toabctl has quit IRC 08:59
*** tkelsey has joined #openstack-barbican 09:01
*** DandyPandy has joined #openstack-barbican 09:03
*** jgrassler has joined #openstack-barbican 09:05
*** tkelsey has quit IRC 09:05
*** sigmavirus|awa is now known as sigmavirus 10:37
*** dave-mccowan has joined #openstack-barbican 11:03
*** Kevin_Zheng has quit IRC 11:42
*** Kevin_Zheng has joined #openstack-barbican 11:56
*** jaosorior has quit IRC 12:06
*** jaosorior has joined #openstack-barbican 12:06
*** alee has quit IRC 12:16
*** arunkant has quit IRC 13:08
*** su_zhang has joined #openstack-barbican 13:15
*** drico has joined #openstack-barbican 13:15
drico: I'm trying to set up barbican for LbaaS and I get this error: 13:16
drico: Could not load 'simple_certificate_event': cannot import name certificate_manager / cannot import name certificate_manager 13:16
drico: I guess it's from: 13:17
drico: namespace = barbican.certificate.event.plugin 13:17
drico: enabled_certificate_event_plugins = simple_certificate_event 13:17
drico: can someone tell me what this certificate_event is for? 13:17
drico: + is there any documentation to get a barbican production ready somewhere? 13:17
*** alee has joined #openstack-barbican 13:29
*** openstackgerrit has quit IRC 13:49
*** openstackgerrit has joined #openstack-barbican 13:49
*** zz_dimtruck is now known as dimtruck 14:00
*** su_zhang has quit IRC 14:01
*** su_zhang has joined #openstack-barbican 14:01
*** michauds has joined #openstack-barbican 14:03
*** jaosorior has quit IRC 14:04
*** su_zhang has quit IRC 14:06
drico: apparently I have the same problem as here
drico: Could not load 'simple_certificate_event': cannot import name certificate_manager 14:12
drico: cannot import name certificate_manager 14:12
*** jmckind has joined #openstack-barbican 14:30
*** spotz_zzz is now known as spotz 14:32
*** dimtruck is now known as zz_dimtruck 14:33
*** zz_dimtruck is now known as dimtruck 14:33
*** dimtruck is now known as zz_dimtruck 14:43
*** haplo37__ has joined #openstack-barbican 14:52
*** edtubill has joined #openstack-barbican 14:58
*** pcaruana has quit IRC 15:03
*** zz_dimtruck is now known as dimtruck 15:11
*** daemontool has joined #openstack-barbican 15:33
daemontool: Hi, question: can Barbican or Castellan be used to manage credentials for the OpenStack services (i.e. the ones in the services.conf files)? 15:34
redrobot: hi daemontool 15:34
daemontool: hi redrobot 15:35
*** andreas_s has quit IRC 15:35
daemontool: old topic I know... 15:36
redrobot: daemontool yes, that would be a good use case.  You could store all passwords/passphrases in Barbican, then inject the keystone credentials into your service and retrieve all the relevant passwords 15:36
redrobot: daemontool so instead of storing a passphrase in service.conf you'd store the barbican reference 15:36
redrobot: hi drico 15:37
drico: hi ! 15:37
daemontool: do the services know how to read those creds? for instance the issue mentioned here:
openstack: Launchpad bug 1158328 in OpenStack Compute (nova) "passwords in config files stored in plaintext" [Wishlist,Won't fix] 15:37
daemontool: that is what you are referring to right? 15:37
daemontool: that is for mysql db creds for instance 15:38
redrobot: daemontool yes, you could mostly solve for that bug using barbican 15:38
daemontool: redrobot, brilliant, thanks 15:39
daemontool: is castellan also needed to solve that? 15:39
redrobot: daemontool so, castellan is an abstraction on top of barbican.  its purpose is to let people integrate with a key manager without having to take a hard dependency on barbican 15:40
daemontool: ok ty 15:40
redrobot: daemontool so you have to choose between using castellan or python-barbicanclient directly 15:40
redrobot: drico just now catching up on IRC for the day 15:41
drico: yes I'm a bit lost with that issue 15:41
drico: I'm using the package from ubuntu xenial for mitaka, maybe I should remove them and use some github branch 15:42
redrobot: drico tbh I don't remember what the certificate event is for...  I'll have to dig into the code to refresh my memory 15:42
redrobot: drico we started working on installation guides during the midcycle a couple of weeks ago, so they're not quite ready yet... 15:43
drico: well even if there is some draft somewhere I'll be happy to give some feedback 15:43
redrobot: drico kinda barebones right now
drico: ah yes I was on it one hour ago 15:46
redrobot: drico also these
daemontool: redrobot, does Mitaka support that solution? 15:47
drico: yes the ones on github were pretty useful 15:47
redrobot: daemontool so, you'd have to make some changes in your config logic, but storage/retrieval of secret data is basically the main feature of barbican. 15:48
redrobot: daemontool I think it would be cool if oslo.config supported using barbican out of the box 15:48
redrobot: daemontool maybe something to talk to the oslo team about during the next summit. 15:49
daemontool: redrobot, yes for the infrastructure side usage of Barbican, that'd be a huge win 15:51
*** jmckind_ has joined #openstack-barbican 15:53
drico: if I try without the packages, should I go for master or the mitaka stable branch? 15:55
*** jmckind has quit IRC 15:56
redrobot: drico either one should work.  we try to keep a working master at all times 15:58
redrobot: drico there's a couple of new features in master that are not in mitaka 15:58
redrobot: drico like filtering secrets by dates 15:58
drico: well apparently the test of storing and getting a secret with curl is working 16:03
drico: but not the barbican-keystone-listener 16:04
drico: I'm not sure what this is for 16:04
redrobot: drico so barbican-keystone-listener is an optional daemon that subscribes to the Keystone event queue 16:04
redrobot: drico it's used for clean up of our database 16:04
redrobot: drico for example, when a project is deleted from Keystone, an event is emitted, which the barbican-keystone-listener can act upon to make sure that the project is also deleted from our DB 16:05
drico: ok I get it 16:05
drico: how could I check if the link between my openstack keystone and barbican is correctly working? 16:06
redrobot: drico by link do you mean authentication/authorization? 16:06
drico: my idea is to use LB as a service so I will store some SSL certificates in barbican 16:07
redrobot: drico if you try to curl https://barbican_host/v1/secrets without a token you should get a 401 16:07
drico: ok so it's not ;) thanks 16:08
redrobot: drico your paste config may not have the keystone-auth middleware enabled 16:08
*** diazjf has joined #openstack-barbican 16:10
drico: Authentication required ! fixed it :) 16:11
drico: which plugin would you recommend for a production use? 16:11
*** alee is now known as alee_lunch 16:28
*** randallburt has joined #openstack-barbican 16:36
*** su_zhang has joined #openstack-barbican 16:36
*** randallburt1 has joined #openstack-barbican 16:37
*** daemontool has quit IRC 16:40
*** randallburt has quit IRC 16:40
*** su_zhang has quit IRC 16:41
*** su_zhang has joined #openstack-barbican 16:41
*** woodster_ has joined #openstack-barbican 16:42
*** diazjf has quit IRC 16:48
*** su_zhang has quit IRC 16:57
*** su_zhang has joined #openstack-barbican 16:58
*** su_zhang has quit IRC 16:58
*** diazjf has joined #openstack-barbican 17:02
*** edtubill has quit IRC 17:06
*** diazjf has quit IRC 17:21
*** alee_lunch is now known as alee 17:28
*** su_zhang has joined #openstack-barbican 18:13
*** openstackgerrit has quit IRC 18:18
*** openstackgerrit has joined #openstack-barbican 18:19
*** diazjf has joined #openstack-barbican 18:41
*** david-lyle has quit IRC 18:49
*** su_zhang has quit IRC 18:50
*** david-lyle has joined #openstack-barbican 18:50
*** arunkant_ has joined #openstack-barbican 19:13
*** arunkant has joined #openstack-barbican 19:18
*** arunkant_ has quit IRC 19:20
*** su_zhang has joined #openstack-barbican 19:20
*** arunkant_web has joined #openstack-barbican 19:20
*** su_zhang has quit IRC 19:25
redrobot: drico hey, sorry I missed your last question 19:29
redrobot: drico we highly recommend using a Hardware Security Module for production deployments. 19:29
redrobot: drico in theory any HSM with a KMIP or PKCS#11 interface should work. 19:30
redrobot: drico in practice, most production deployments are using Safenet Luna HSMs 19:30
redrobot: drico HSMs have cool security features, like encryption keys that can't be extracted, but they are quite pricey. 19:31
*** su_zhang has joined #openstack-barbican 19:54
*** gyee has joined #openstack-barbican 20:13
*** jmckind has joined #openstack-barbican 20:30
*** jmckind_ has quit IRC 20:33
*** diazjf has quit IRC 20:38
*** arunkant_web has quit IRC 21:00
*** diazjf has joined #openstack-barbican 21:10
*** diazjf has quit IRC 21:10
*** diazjf has joined #openstack-barbican 21:19
*** su_zhang has quit IRC 21:51
*** jmckind has quit IRC 21:52
*** su_zhang has joined #openstack-barbican 21:53
*** haplo37__ has quit IRC 21:59
*** michauds has quit IRC 22:04
*** randallburt1 has quit IRC 22:11
*** randallburt has joined #openstack-barbican 22:12
*** diazjf has quit IRC 22:33
*** alee has quit IRC 22:35
*** su_zhang has quit IRC 22:50
*** su_zhang has joined #openstack-barbican 22:52
*** diazjf has joined #openstack-barbican 22:57
*** diazjf has quit IRC 23:03
*** dimtruck is now known as zz_dimtruck 23:05
*** zz_dimtruck is now known as dimtruck 23:05
*** spotz is now known as spotz_zzz 23:07
*** dimtruck is now known as zz_dimtruck 23:15
*** su_zhang has quit IRC 23:16
*** randallburt has quit IRC 23:21
*** chlong has quit IRC 23:33
*** arunkant has quit IRC 23:41
