Tuesday, 2019-01-08

04:47 *** dims has quit IRC
04:48 *** dims has joined #openstack-barbican
04:56 *** dims has quit IRC
04:56 *** dims has joined #openstack-barbican
06:44 *** Luzi has joined #openstack-barbican
07:05 <jaosorior> redrobot: thanks dude!
07:25 *** graeb has joined #openstack-barbican
07:42 *** pcaruana has joined #openstack-barbican
07:53 *** graeb has quit IRC
07:53 *** graeb has joined #openstack-barbican
08:20 *** graeb has quit IRC
08:20 *** graeb has joined #openstack-barbican
08:24 *** xek has joined #openstack-barbican
09:34 *** moguimar has joined #openstack-barbican
10:39 *** marios has joined #openstack-barbican
10:40 <marios> o/ folks review request please if you have time https://review.openstack.org/#/c/628244/ replace the multinode scenario job with the new standalone. More info at http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001377.html thanks!
11:08 *** pbourke has quit IRC
11:10 *** pbourke has joined #openstack-barbican
12:51 *** sayalilunkad has quit IRC
12:51 *** raildo has joined #openstack-barbican
12:51 *** sayalilunkad has joined #openstack-barbican
12:58 <jaosorior> marios: thanks!
13:00 <redrobot> #startmeeting barbican
13:00 <openstack> Meeting started Tue Jan  8 13:00:55 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00 *** openstack changes topic to " (Meeting topic: barbican)"
13:01 <openstack> The meeting name has been set to 'barbican'
13:01 <redrobot> Courtesy ping for ade_lee hrybacki jamespage Luzi lxkong moguimar raildo rm_work xek
13:02 <redrobot> Oh wow!  Lots of folks here today. 😄
13:02 <redrobot> As usual our agenda can be found here:
13:02 <redrobot> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
13:03 <redrobot> and we actually have some topics on there today! 🎉
13:03 <redrobot> I hope everyone is having a great 2019 so far.
13:03 <redrobot> Let's get started:
13:03 <redrobot> #topic Action Items from last meeting:
13:03 *** openstack changes topic to "Action Items from last meeting: (Meeting topic: barbican)"
13:04 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-12-18-13.00.html
13:05 <redrobot> redrobot to update the Barbican Wiki page
13:05 <redrobot> I did not do that (boo!)
13:05 <redrobot> but I will get it done by next week.
13:05 <redrobot> #action redrobot to update the Barbican Wiki page
13:06 <redrobot> > everyone think of topics for summit presentations
13:06 <redrobot> I hope y'all did.
13:06 <redrobot> #topic Summit CFP
13:06 *** openstack changes topic to "Summit CFP (Meeting topic: barbican)"
13:06 <redrobot> Anyone think of Barbican or Barbican related presentations over the break?
13:10 <Luzi> will you or ade_lee give that workshop again?
13:10 <redrobot> Ok, I'm guessing y'all are still waiting for the coffee to kick in like I am. ☕
13:10 *** ade_lee has quit IRC
13:11 <redrobot> Luzi, great question.  I heard there was a lot of interest last summit, but things didn't go so well.  I think it would definitely be awesome to do it again sans hardware hiccups.
13:12 <redrobot> #action redrobot to ask alee about submitting the Barbican workshop to the next Summit
13:12 <redrobot> Anything else?
13:12 <redrobot> I was thinking maybe alee and I could talk about the HSM support we've been working on ...
13:12 <redrobot> I'll have to talk to him about it
13:12 <Luzi> that's a good idea redrobot
13:13 <redrobot> Does anyone know off the top of their head when the CFP deadline is?
13:13 * redrobot looks
13:13 <Luzi> 23rd i think
13:13 <Luzi> let me look again
13:14 <Luzi> yep 23rd of January 11:59 pm PT
13:14 <redrobot> Thanks, Luzi
13:15 <redrobot> So we've still got a couple of weeks to think about and submit proposals.
13:15 <redrobot> Don't leave it to the last minute though! 😉
13:15 <redrobot> Ok, moving on ...
13:16 <redrobot> #topic Multiple regressions since Barbican 7.0.0
13:16 *** openstack changes topic to "Multiple regressions since Barbican 7.0.0 (Meeting topic: barbican)"
13:17 <redrobot> graeb, Luzi: your topic?
13:18 <Luzi> yeah, graeb made some more tests with our Safenet Luna HSM and noticed a few things we would like to ask about now
13:18 <graeb> Well. Barbican 7.0.0 and newer versions stopped working with HSMs from SafeNet.
13:18 <graeb> Commit dba5ead from Alee introduced that problem. :-/
13:19 <graeb> Got an error CKR_ATTRIBUTE_VALUE_INVALID when trying to store a secret.
13:19 <Luzi> the same goes for utimaco soft hsm, but we heard some guys from utimaco are already working on it, right?
13:19 * redrobot looks for a link to the change
13:21 <redrobot> graeb, are you sure that's the correct change ID?  I'm finding this:
13:21 <redrobot> #link https://github.com/openstack/barbican/commit/dba5eade39a86b95a97369e7c0e5f79faf0ff385
13:22 <graeb> Sorry, wrong commit. This is right: https://github.com/openstack/barbican/commit/df8c62aab357954000e8539ac17daea45f93ee7c
13:24 <redrobot> There were not many attribute changes on that patch
13:25 <redrobot> Do you know what function is throwing the error? e.g. unwrap, encrypt, decrypt, etc?
13:26 <graeb> in barbican/plugin/crypto/pkcs11.py
13:27 <redrobot> During normal operation or MKEK/PKEK generation?
13:27 * redrobot thinks it's going to be hard to debug this blind
13:28 <graeb> When a new PKEK is generated, the error is thrown
13:29 <graeb> I have not tried to generate an MKEK with Barbican 7.0.0 since it was already there.
13:30 <redrobot> I see .. I'll have to dig into the code to figure out what's going on.
13:30 <graeb> I couldn't find a difference in the way the PKEKs are generated in 7.0.0 and a working version of Barbican.
13:31 <graeb> With commit dba5ead it is still working.
13:31 *** zigo has joined #openstack-barbican
13:31 <redrobot> Yeah, we tried to keep things the same when we introduced other mechanisms.  Unfortunately we don't have access to a Safenet HSM for testing :(
13:32 <graeb> Shall I upload the stack trace somewhere?
13:32 <redrobot> graeb, yeah that would help.  And if you can get a PKCS#11 log from the HSM that might help debug too
13:33 <redrobot> I can't recall what Safenet logs look like
13:33 <redrobot> but the Thales HSMs we've been playing with have really good verbose logging options that would show what attributes are being sent on that generate_key call
13:34 <redrobot> graeb, sweet.  I'll take a look after the meeting.
13:34 <graeb> I must confess that I have never seen SafeNet HSM logs. Maybe I can paste some information from such a log too.
13:35 <graeb> I just pasted the traceback from Barbican.
13:35 <redrobot> I'll see what I can figure out from the Barbican logs
13:36 <graeb> Ok, thanks. So we can switch over to the next topic.
13:36 <redrobot> graeb, Luzi there was another concern on the agenda?
13:36 <redrobot> Yes, let's move on
13:37 <graeb> PKEKs are generated with attribute CKA_SENSITIVE set to true. That means that PKEKs are extractable from the HSM. This also was introduced with commit df8c62a.
13:39 <graeb> Seems there is a compatibility issue with some HSMs, and so the workaround was to generate PKEKs like that. But this is less safe.
13:39 <Luzi> there was a comment, that this was necessary for some HSMs, right?
13:40 <graeb> So we have a security versus compatibility problem maybe?
13:40 <redrobot> Well, PKEKs do get extracted after being wrapped.
13:41 <redrobot> Though I can't recall off the top of my head whether CKA_SENSITIVE would survive the wrap/unwrap process.
13:42 <redrobot> Ah yes, CKA_SENSITIVE and CKA_EXTRACTABLE have to match
13:42 <redrobot> CKA_EXTRACTABLE has to be true for PKEKs so that we can retrieve them for storage in the DB
13:43 <redrobot> I wonder if that's the Attribute that's causing problems for the Safenet HSM?
13:44 <redrobot> I also can't remember if it was the ATOS or the Thales HSM that complained about the CKA_SENSITIVE and CKA_EXTRACTABLE mismatch. 🤔
13:44 <graeb> Ok, I will check that.
13:44 <graeb> With SafeNet HSM.
13:45 <redrobot> graeb, yeah, if you can change that attribute back to always true and have it work then we'll definitely need to make it configurable.
13:46 <redrobot> graeb, Luzi so I think we'll have to dig into this more after the meeting.  Is there anything else y'all want to talk about while we're here?
13:46 <graeb> To make that configurable is a brilliant idea I think.
13:47 <Luzi> redrobot, that's everything from our side
13:47 <redrobot> ok, thanks y'all
13:47 <redrobot> moving on ...
13:47 <redrobot> well, there's nothing else on there
13:47 <redrobot> but while we're on the topic of HSMs
13:47 <redrobot> #topic ATOS and Thales HSM integration
13:48 *** openstack changes topic to "ATOS and Thales HSM integration (Meeting topic: barbican)"
13:48 <redrobot> alee and I have been working on getting TripleO deployment support for Barbican with both ATOS and Thales HSMs
13:48 <redrobot> There's still some stuff under review
13:49 <redrobot> #link https://review.openstack.org/#/q/topic:add_hsm_parameters
13:49 <redrobot> We had two patches for tripleo-common but we were asked to put them elsewhere since they're not strictly tripleo related
13:50 <redrobot> The ansible roles are in my personal github for now:
13:50 <redrobot> #link https://github.com/dmend/ansible-role-atos-hsm
13:50 <redrobot> #link https://github.com/dmend/ansible-role-thales-hsm
13:51 <redrobot> I'm going to be working with the openstack-ansible folks to hopefully add those repos to the openstack-ansible org
13:51 <redrobot> I pitched the idea on their IRC channel the other day and they seemed receptive to the idea
13:52 <redrobot> Next step is to submit a patch to infra, I think
13:52 <redrobot> so I'll post that to the channel once it happens
13:52 <redrobot> any questions about the TripleO+HSM work?
13:53 <redrobot> ok, moving on
13:53 <redrobot> #topic Reviews
13:53 *** openstack changes topic to "Reviews (Meeting topic: barbican)"
13:54 <redrobot> #link https://tinyurl.com/yctfozgh
13:54 <redrobot> There's a milestone coming up this week.
13:54 <redrobot> are there any patches that need to be merged before then?
13:54 <redrobot> I'm going to be looking at the Vault AppRole patch today
13:54 <redrobot> for castellan
13:55 <redrobot> and I think we've gotten all the high priority patches reviewed for barbican server
13:55 <redrobot> we're going to have to punt on the OVO work
13:57 <redrobot> No patches on y'all's end?
13:57 <redrobot> alrighty then
13:57 <redrobot> I think we're done for the day
13:57 <redrobot> Thanks for coming everyone
13:57 *** openstack changes topic to "OpenStack PTG Denver - https://etherpad.openstack.org/p/barbican-stein-ptg"
13:57 <openstack> Meeting ended Tue Jan  8 13:57:39 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
13:57 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-01-08-13.00.html
13:57 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-01-08-13.00.txt
13:57 <openstack> Log:            http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-01-08-13.00.log.html
14:22 *** ssbarnea has joined #openstack-barbican
14:23 <ssbarnea> hi! is anyone working to fix this job http://zuul.openstack.org/builds?job_name=barbican-dogtag-devstack-functional-fedora-latest ? seems broken for almost a month
14:36 <jaosorior> redrobot, have you or alee had a chance to look at it? ^^
14:36 <redrobot> jaosorior, ssbarnea I thought alee was going to look into it?
14:38 <jaosorior> gotta poke him when he's online
14:45 *** Luzi has quit IRC
14:47 <openstackgerrit> Sorin Sbarnea proposed openstack/barbican master: Replace tripleo-scenario002-multinode with scenario002-standalone  https://review.openstack.org/628244
14:48 <ssbarnea> redrobot: jaosorior thanks for the update. do you happen to know what is causing it? I've seen lots of warnings about ansible.cfg not being loaded and wonder if the failure may relate to that.
14:49 <redrobot> ssbarnea, I haven't looked into it at all.  I'll ping alee about it when I see him online
14:49 <ssbarnea> ok, don't forget to ping me when there are news, even if it is not fixed yet. and thanks again!
15:31 *** ade_lee has joined #openstack-barbican
15:58 <redrobot> graeb, looking at the trace and diff, it seems that CKR_SENSITIVE is the only thing that changed.  Have you had a chance to change that to True and see if that fixes your Safenet error?
15:59 <graeb> I now followed your suggestion and set the attribute CKA_SENSITIVE to True again and now it works! I tested with Barbican 7.0.0 and the latest commit (296ef6b894).
16:00 <redrobot> graeb, awesome.  I think we'll definitely need to add a config option to set that to always true for Safenet HSMs
16:00 <graeb> That would be great! :-)
16:09 *** moguimar has quit IRC
16:11 *** moguimar has joined #openstack-barbican
16:13 <redrobot> graeb, I added a story to our storyboard for that regression fix: https://storyboard.openstack.org/#!/story/2004734
16:14 <ade_lee> redrobot, let's throw up a patch for that today and I'll review
16:14 <redrobot> ade_lee, ack, I'll get a patch up today
16:16 *** moguimar has quit IRC
16:18 <redrobot> ade_lee, while you're here, ssbarnea was asking about the barbican-dogtag-devstack-functional-fedora-latest gate that is failing
16:18 <redrobot> ade_lee, have you had a chance to look into it?
16:18 <ade_lee> redrobot, I started looking
16:19 <ade_lee> redrobot, not figured out yet -- on my list for today
16:20 *** pcaruana has quit IRC
16:30 *** ade_lee is now known as ade_lee_lunch
16:38 *** graeb has quit IRC
17:57 *** ade_lee_lunch is now known as ade_lee
19:35 <openstackgerrit> Douglas Mendizábal proposed openstack/barbican master: Fix Safenet HSM regression in PKCS#11  https://review.openstack.org/629294
19:37 <openstackgerrit> Douglas Mendizábal proposed openstack/barbican master: Fix Safenet HSM regression in PKCS#11  https://review.openstack.org/629294
19:37 <redrobot> ade_lee, graeb ^^
19:40 <openstackgerrit> Douglas Mendizábal proposed openstack/barbican master: Fix Safenet HSM regression in PKCS#11  https://review.openstack.org/629294
19:55 <ade_lee> redrobot, interesting. so safenet folks will be broken unless they add that magic flag?
19:57 <redrobot> ade_lee, yeah... the spec is not very clear on how CKA_SENSITIVE and CKA_EXTRACTABLE relate to each other.   Apparently Safenet HSMs want CKA_SENSITIVE=CK_TRUE or they complain, and one of our HSMs (can't recall if ATOS or Thales) complains if CKA_SENSITIVE=CK_TRUE
19:58 <ade_lee> redrobot, given that we're fixing a regression - and that we're adding support for atos/thales - it seems more appropriate to have the new HSMs have to add a new parameter.
19:58 <redrobot> ade_lee, so you'd rather it default to True?
19:58 <ade_lee> redrobot, ie. default to always_set_secure to be True or something like that ..
19:59 <redrobot> ade_lee, works for me, give me a sec and I'll change it.
19:59 <redrobot> ade_lee, we'll also have to add it to THT
19:59 <ade_lee> redrobot, we'll need to change docs and THT
19:59 <ade_lee> yup -- I'm not sure I'm enamoured with the variable name ..
19:59 *** redrobot has left #openstack-barbican
20:00 *** redrobot has joined #openstack-barbican
20:00 <ade_lee> redrobot, yup -- I'm not sure I'm enamoured with the variable name ..
20:00 <redrobot> ade_lee, I'm open to suggestions
20:00 <ade_lee> I get the idea, but it seems a little inartful ..
20:01 <ade_lee> yeah -- trying to come up with something better
20:04 <ade_lee> redrobot, maybe this is what was throwing me -- the var name is CKR_SENSITIVE and you have always_set_secure_parameter -- should it not be something like always_set_ckr_sensitive ?
20:05 <redrobot> ade_lee, works for me
20:05 <redrobot> CKA_SENSITIVE is a CK Attribute (hence CKA_)
20:06 <redrobot> so yeah, set secure_attribute may have been a better choice
20:06 <redrobot> but always_set_cka_secure works for me
20:06 * redrobot realizes it's secure and not sensitive
20:07 <redrobot> I'll update the patch right now
20:07 <ade_lee> redrobot, well what was throwing me .. it should be secure or sensitive?
20:08 <redrobot> ade_lee, oh derp
20:08 <redrobot> ade_lee, maybe I need to go for a walk, it's CKA_SENSITIVE, lol
20:08 <ade_lee> I suggest you use the same as the parameter name
20:08 <redrobot> ade_lee, agreed, should be "always_set_cka_sensitive"
20:09 <redrobot> CKR is for errors, CKA is for attributes
20:09 <ade_lee> redrobot, and default to True
20:10 <ade_lee> redrobot, it may be worth adding a comment that for Safenet we want it to be True, while for Thales and ATOS, we want false
20:10 <redrobot> ade_lee, I think we should add an HSM Support section to the docs, and specify there what the right options should be
20:10 <ade_lee> redrobot, ok
20:11 <redrobot> ade_lee, including what mechanisms are supported, etc
20:11 <ade_lee> redrobot, yeah - we need that somewhere other than in my development guide :/
20:11 * redrobot has been resisting opening the docs can of worms
20:11 <ade_lee> redrobot, let's add a story to do that or we'll forget
20:12 <redrobot> ade_lee, docs need some serious tlc ...
20:13 <ade_lee> redrobot, any idea how these files are zipped up -- http://logs.openstack.org/67/628667/2/check/barbican-dogtag-devstack-functional-fedora-latest/914ef00/logs/etc/barbican/alias/
20:14 <ade_lee> redrobot, trying to figure out what's up with the dogtag gate
20:15 <ade_lee> redrobot, looks like the binary has been textified somehow
20:17 <redrobot> ade_lee, no idea... used to be able to just click through on the browser. :-\
20:17 <ade_lee> redrobot, any idea how to get other logs to be saved by the gate?
20:18 <ade_lee> redrobot, gotta look at the dogtag logs - but don't know how to get them ..
20:18 <redrobot> ade_lee, I think there's some devstack ansible scripts that execute at the end of the run that package up the logs
20:26 <redrobot> ade_lee, just realized those are *.db files.  Maybe download, untar and check with sqlite?
20:26 <ade_lee> redrobot, yeah - I think those are actually ok ..
20:27 <ade_lee> so it looks like the ansible scripts grab everything under a logs directory ..
20:27 <ade_lee> redrobot, so what I need to do is get my logs copied to that directory
20:27 <ade_lee> redrobot, some sort of post-test hook?
20:28 <redrobot> ade_lee, ah, I understand what you're trying to do now.
20:28 <redrobot> ade_lee, tbh, I don't remember how that stuff works exactly. :(
20:30 *** jmlowe has quit IRC
20:31 <ade_lee> redrobot, maybe you can something I can't ..
20:31 <openstackgerrit> Douglas Mendizábal proposed openstack/barbican master: Fix Safenet HSM regression in PKCS#11  https://review.openstack.org/629294
20:31 <ade_lee> redrobot, http://logs.openstack.org/67/628667/2/check/barbican-dogtag-devstack-functional-fedora-latest/914ef00/logs/screen-barbican-svc.txt.gz
20:31 *** jmlowe has joined #openstack-barbican
20:33 <FrankZhang> hey guys, got a question, can barbican be served via SSL or it can only be behind load balancer?
20:44 <redrobot> FrankZhang, barbican itself doesn't have a web server (it's a wsgi server).  The recommended deployment would be: Real web server -> WSGI Server -> Barbican
20:44 <redrobot> FrankZhang, so like nginx -> gunicorn -> barbican
20:45 <redrobot> FrankZhang, or apache -> paste -> barbican
20:45 <redrobot> FrankZhang, tls would be handled by the web server (nginx or apache)
20:46 <redrobot> FrankZhang, that's for a single instance, obviously a load balancer could also do TLS.  Then you can either terminate there or re-encrypt for the LB -> Web Server connection
20:47 <redrobot> For super paranoid deployments it would be LB (with TLS) -> Nginx or apache (with TLS) -> WSGI thing -> barbican
20:47 <FrankZhang> redrobot: I saw kmip ssl config here, is it served thru SSL?
20:48 <redrobot> FrankZhang, no, that's for configuring a KMIP backend
20:48 <redrobot> FrankZhang, so, say you have a KMIP backend, then the connection between barbican -> KMIP server could be encrypted
20:48 <redrobot> FrankZhang, that's what the option is there for
20:49 <redrobot> FrankZhang, the whole network would be: LB -> nginx -> gunicorn -> barbican -> KMIP
20:51 <ade_lee> FrankZhang, in tripleo, we do --> haproxy -> apache -> paste -> barbican  -> vault/kmip/dogtag  iirc.
21:00 <FrankZhang> Okay, thanks guys, that's much clearer for now.
21:02 *** xek has quit IRC
21:02 *** xek has joined #openstack-barbican
21:25 *** raildo has quit IRC
21:41 <openstackgerrit> Ade Lee proposed openstack/barbican master: Work with 389-ds-base-  https://review.openstack.org/628667
22:20 *** ade_lee has quit IRC
22:34 <openstackgerrit> Douglas Mendizábal proposed openstack/barbican master: Fix Safenet HSM regression in PKCS#11  https://review.openstack.org/629294
23:07 *** ade_lee has joined #openstack-barbican
23:13 *** ade_lee has quit IRC
23:13 *** ade_lee has joined #openstack-barbican
