Tuesday, 2018-06-12

*** antosh has quit IRC00:02
*** jmlowe has joined #openstack-barbican00:42
*** dave-mccowan has quit IRC01:30
*** sapd has quit IRC01:40
*** sapd has joined #openstack-barbican01:44
*** annp has joined #openstack-barbican01:47
alee_@startmeeting barbican02:00
alee_#startmeeting barbican02:00
openstackMeeting started Tue Jun 12 02:00:36 2018 UTC and is due to finish in 60 minutes.  The chair is alee_. Information about MeetBot at http://wiki.debian.org/MeetBot.02:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.02:00
*** openstack changes topic to " (Meeting topic: barbican)"02:00
openstackThe meeting name has been set to 'barbican'02:00
alee_#topic roll call02:00
*** openstack changes topic to "roll call (Meeting topic: barbican)"02:00
alee_redrobot, nguyenhai_ jaosorior anyone here?02:01
alee_anyone joining the barbican meeting?02:08
redrobotalee_, o/02:08
redrobotsorry I'm late02:08
redrobothere! :D02:08
alee_redrobot, you're the only one :)02:09
* redrobot considers himself forgiven for being late...02:09
alee_which reinforces the idea of moving this back to reasonable time for the US ..02:09
alee_I'm going to propose we move it back to the original time starting next week02:10
redrobotUTC 2000 ?02:10
alee_that sounds about right ..02:10
alee_3pm EST02:11
alee_actually as I'll be on PTO the next couple of weeks, will need you and/or Dave to run it02:11
redrobot#link https://www.timeanddate.com/worldclock/fixedtime.html?hour=20&min=00&sec=002:11
alee_for the next two meetings02:12
redrobotI can definitely do it if dave isn't available02:12
redrobotwant to send a message to ML proposing the time change?02:12
redrobotI'll +1 it so fast!02:12
alee_yes - will do in the morning02:12
redrobot#action alee_ to send a message to the ML proposing moving the Barbican meeting back to 2000 UTC02:13
alee_so just a couple of announcements then ..02:13
alee_milestone 2 was cut last week02:13
alee_that means we're in the final stages to get stuff in02:13
alee_the main things missing are 1) experimental job for vault plugin02:14
alee_and 2) ovo work02:14
alee_we really need reviews on (2)02:14
alee_so if you can - that would be good02:14
redrobotI started spinning up on OVOs.  Don't remember them from my last tour of duty.02:15
redrobotstill got a bit of groking to do before I feel comfortable reviewing the patch series02:15
alee_yeah we need them for no downtime upgrades02:15
redrobothoping to get to it by the end of the week.02:15
alee_ask namh if you have questons02:15
alee_in the patch even02:15
redrobotyes, I can definitely do that.02:16
alee_we jad some requests for api changes from my meeting last week - but for that we need microversions and also the ovo stuff02:16
alee_I plan to write a spec for secret ownership changes sometime this week02:16
alee_as its in my mind02:17
alee_and also we need to resolve a security issue -- making sure db entires are hmaced02:17
alee_both require db changes - and one requires an api change so we need ovo and microversions02:18
redrobothmm... k, I'll keep the hmac stuff in mind when looking at OVO02:18
alee_redrobot, well we need ovo before hmac02:18
alee_I plan to release stable branch releases later this week02:18
alee_queens and pike02:19
alee_#topic anything else?02:19
*** openstack changes topic to "anything else? (Meeting topic: barbican)"02:19
redrobothmm... can't think of anything off the top of my head... 🤔02:20
alee_there seems  to be a renewed push to get castellan as a base service02:20
redrobotonly sort-of makes sense02:20
alee_so review to keep in mind -- its been debated for some time now02:20
redrobotyeah, I've got quite a different opinion on castellan/barbican/other key-managers than I did back in the day02:21
redrobotI'll check out the spec and comment on there.02:21
alee_well if you disagree with the direction, talk with me about it02:22
redrobotwill do02:22
redrobotBasically, I think Barbican should only be used for people who want to provide a KMS as part of their OS deployment.  So if Google KMS and AWS KMS look like something your cloud should do, then Barbican should be it.02:22
redrobotbut I'm not so sure Barbican belongs in the undercloud02:23
redrobotI think Vault/Keywhiz/HSM is probably a better solution02:23
redrobotso it makes sense to abstract those away in Castellan02:23
alee_where barbican makes sense to me is where you need to store tenant -based secrets02:24
* redrobot regrets not getting rid of the castellan.common package when he had the chance.02:24
alee_so I think we're saying basically the same thing02:24
redrobotYes, sounds like we're in violent agreement.02:24
redrobotbut also, I haven't read that spec, haha02:24
alee_when the secrets are not tenant based, barbican may not make sense02:24
redrobotyup yup02:25
alee_the idea behind the spec is that developers should expect a castellan compatible keystore02:25
alee_just like they expect an authz from keystone02:25
redrobotI'd think it's more like oslo.db02:25
alee_right oslo.keymanager02:26
alee_but yeah02:26
redrobotwhere you can use oslo.db if you need SQL but it doesn't matter which SQL-compliant db it is.02:26
redrobotgotta love small meetings where everyone agrees. 😜02:26
alee_as to whether it makes sense to put barbican in the undercloud, thats a different question02:27
alee_I can see some advantages02:27
alee_right now we dont have a vault we can deliver downstream02:28
alee_so in the interim barbican provides an excellent alternative thatcan talk to hsms02:28
alee_if you need it02:28
alee_anyways .. meeting adjourned so we can get some sleep?02:29
redrobotyes, sleep does sound good!02:29
alee_redrobot, thanks for joining - not all by my lonesome :)02:29
*** openstack changes topic to "Discussion about development of OpenStack Barbican and its client libraries. - Logs: http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/"02:29
openstackMeeting ended Tue Jun 12 02:29:39 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)02:29
openstackMinutes:        http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-12-02.00.html02:29
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-12-02.00.txt02:29
openstackLog:            http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-12-02.00.log.html02:29
*** dave-mccowan has joined #openstack-barbican02:54
*** agrebennikov has quit IRC03:02
*** dave-mccowan has quit IRC04:05
*** jmlowe has quit IRC04:10
*** pcaruana has quit IRC05:24
*** pcaruana has joined #openstack-barbican06:27
*** redrobot has quit IRC07:33
*** pcaruana has quit IRC07:34
*** redrobot has joined #openstack-barbican07:39
*** serlex has joined #openstack-barbican07:40
*** pcaruana has joined #openstack-barbican07:49
*** pcaruana has quit IRC07:59
*** pcaruana has joined #openstack-barbican08:15
*** salmankhan has joined #openstack-barbican08:59
*** pbourke has quit IRC09:43
*** pbourke has joined #openstack-barbican09:43
*** salmankhan has quit IRC10:15
*** salmankhan has joined #openstack-barbican10:15
*** annp has quit IRC10:22
*** abishop has joined #openstack-barbican11:38
*** raildo has joined #openstack-barbican11:54
*** dave-mccowan has joined #openstack-barbican12:04
*** salmankhan has quit IRC12:21
*** salmankhan has joined #openstack-barbican12:37
*** raildo has quit IRC12:53
*** raildo has joined #openstack-barbican12:55
*** pcaruana has quit IRC13:00
*** salmankhan has quit IRC13:36
*** salmankhan has joined #openstack-barbican13:38
redrobotgood mornin' barbican!13:44
*** pcaruana has joined #openstack-barbican13:46
*** sapcc-bot has quit IRC14:03
*** sapcc-bot11 has quit IRC14:03
*** sapcc-bot12 has joined #openstack-barbican14:03
*** sapcc-bot has joined #openstack-barbican14:03
*** dave-mccowan has quit IRC14:35
*** antosh has joined #openstack-barbican14:42
*** serlex has quit IRC14:49
*** tidwellr has joined #openstack-barbican14:49
*** jmlowe has joined #openstack-barbican14:56
*** dave-mccowan has joined #openstack-barbican15:03
*** tidwellr has quit IRC15:53
*** tidwellr has joined #openstack-barbican15:54
*** jmlowe has quit IRC16:13
*** dave-mccowan has quit IRC16:23
*** salmankhan has quit IRC16:33
*** salmankhan has joined #openstack-barbican16:35
*** salmankhan has quit IRC16:42
*** salmankhan has joined #openstack-barbican16:46
*** salmankhan has quit IRC16:53
*** salmankhan has joined #openstack-barbican16:56
*** toabctl has quit IRC17:05
*** salmankhan has quit IRC17:38
*** sapcc-bot has quit IRC18:21
*** sapcc-bot12 has quit IRC18:21
*** sapcc-bot3 has joined #openstack-barbican18:21
*** sapcc-bot has joined #openstack-barbican18:21
*** dave-mccowan has joined #openstack-barbican18:31
*** dave-mccowan has quit IRC18:47
*** tidwellr has quit IRC19:11
*** tidwellr has joined #openstack-barbican19:12
*** salmankhan has joined #openstack-barbican19:30
*** salmankhan has quit IRC19:34
*** raildo has quit IRC19:42
*** sapcc-bot has quit IRC19:58
*** dave-mccowan has joined #openstack-barbican20:00
*** dave-mccowan has quit IRC20:10
redrobothmm... so I don't really understand how the Vault Backend for Castellan is getting a context in the functional test suite?20:16
redrobotoh, I see... it's using an admin context...20:20
redrobotoslo admin context that is20:21
redrobotbut that makes absolutely no sense20:21
redrobotVault doesn't know anything about keystone.  WTF?20:21
redrobotContext was supposed to be backend specific IIRC.  That's why there's a context factory.20:23
redrobotSooooo... context for the Vault backend SHOULD be a Vault token.  The context should grant the scope/permissions for whatever operations are going to be taking place.20:24
* redrobot seems to be talking to himself20:26
*** sapcc-bot3 has quit IRC20:26
*** sapcc-bot has joined #openstack-barbican20:26
redrobotOh sweet jesus, the vault backend doesn't give a crap about the context.20:38
redrobotI'm just going to assume that it's still in experimental mode and it still needs work to be able to check the vault-token via the context.20:39
*** abishop has quit IRC20:57
*** pcaruana has quit IRC21:04
*** sapd has quit IRC21:26
*** sapd has joined #openstack-barbican21:27
*** sapd has quit IRC21:27
*** sapd has joined #openstack-barbican21:27
*** tidwellr has quit IRC21:55
*** dave-mccowan has joined #openstack-barbican22:00
*** antosh has quit IRC22:02
*** antosh has joined #openstack-barbican22:26
*** jmlowe has joined #openstack-barbican22:55
*** jmlowe has quit IRC23:17
*** jmlowe has joined #openstack-barbican23:18
*** jmlowe has quit IRC23:31
*** jmlowe has joined #openstack-barbican23:35
*** antosh has quit IRC23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!