02:00:36 <alee_> #startmeeting barbican
02:00:37 <openstack> Meeting started Tue Jun 12 02:00:36 2018 UTC and is due to finish in 60 minutes.  The chair is alee_. Information about MeetBot at http://wiki.debian.org/MeetBot.
02:00:38 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
02:00:40 <openstack> The meeting name has been set to 'barbican'
02:00:51 <alee_> #topic roll call
02:01:48 <alee_> redrobot, nguyenhai_ jaosorior anyone here?
02:04:15 <alee_> bueller?
02:08:45 <alee_> anyone joining the barbican meeting?
02:08:49 <redrobot> alee_, o/
02:08:51 <redrobot> sorry I'm late
02:08:53 <redrobot> here! :D
02:09:08 <alee_> redrobot, you're the only one :)
02:09:17 <redrobot> \o/
02:09:30 * redrobot considers himself forgiven for being late...
02:09:53 <alee_> which reinforces the idea of moving this back to reasonable time for the US ..
02:10:01 <redrobot> indeed.
02:10:17 <alee_> I'm going to propose we move it back to the original time starting next week
02:10:23 <redrobot> UTC 2000 ?
02:10:33 <alee_> that sounds about right ..
02:11:11 <alee_> yup
02:11:14 <alee_> 3pm EST
02:11:51 <alee_> actually as I'll be on PTO the next couple of weeks, will need you and/or Dave to run it
02:11:53 <redrobot> #link https://www.timeanddate.com/worldclock/fixedtime.html?hour=20&min=00&sec=0
02:12:01 <alee_> for the next two meetings
02:12:08 <redrobot> I can definitely do it if dave isn't available
02:12:21 <alee_> cool
02:12:26 <redrobot> want to send a message to ML proposing the time change?
02:12:30 <redrobot> I'll +1 it so fast!
02:12:38 <alee_> yes - will do in the morning
02:13:06 <redrobot> #action alee_ to send a message to the ML proposing moving the Barbican meeting back to 2000 UTC
02:13:26 <alee_> so just a couple of announcements then ..
02:13:37 <alee_> milestone 2 was cut last week
02:13:56 <alee_> that means we're in the final stages to get stuff in
02:14:12 <redrobot> 🎉🎉🎉
02:14:21 <alee_> the main things missing are 1) experimental job for vault plugin
02:14:27 <alee_> and 2) ovo work
02:14:41 <alee_> we really need reviews on (2)
02:14:50 <alee_> so if you can - that would be good
02:15:08 <redrobot> I started spinning up on OVOs.  Don't remember them from my last tour of duty.
02:15:26 <redrobot> still got a bit of grokking to do before I feel comfortable reviewing the patch series
02:15:32 <alee_> yeah we need them for no downtime upgrades
02:15:35 <redrobot> hoping to get to it by the end of the week.
02:15:36 <alee_> ack
02:15:45 <alee_> ask namh if you have questions
02:15:51 <alee_> in the patch even
02:16:09 <redrobot> yes, I can definitely do that.
02:16:27 <alee_> we had some requests for api changes from my meeting last week - but for that we need microversions and also the ovo stuff
02:16:59 <alee_> I plan to write a spec for secret ownership changes sometime this week
02:17:09 <alee_> as it's in my mind
02:17:32 <alee_> and also we need to resolve a security issue -- making sure db entries are hmaced
02:18:03 <alee_> both require db changes - and one requires an api change so we need ovo and microversions
02:18:05 <redrobot> hmm... k, I'll keep the hmac stuff in mind when looking at OVO
02:18:24 <alee_> redrobot, well we need ovo before hmac
02:18:58 <alee_> I plan to release stable branch releases later this week
02:19:00 <redrobot> ack
02:19:08 <alee_> queens and pike
02:19:31 <alee_> #topic anything else?
02:20:10 <redrobot> hmm... can't think of anything off the top of my head... 🤔
02:20:24 <alee_> there seems to be a renewed push to get castellan as a base service
02:20:38 <alee_> https://review.openstack.org/#/c/572656/
02:20:41 <redrobot> only sort-of makes sense
02:20:55 <alee_> so review to keep in mind -- it's been debated for some time now
02:21:22 <redrobot> yeah, I've got quite a different opinion on castellan/barbican/other key-managers than I did back in the day
02:21:32 <redrobot> I'll check out the spec and comment on there.
02:22:05 <alee_> well if you disagree with the direction, talk with me about it
02:22:19 <redrobot> will do
02:22:46 <redrobot> Basically, I think Barbican should only be used for people who want to provide a KMS as part of their OS deployment.  So if Google KMS and AWS KMS look like something your cloud should do, then Barbican should be it.
02:23:12 <redrobot> but I'm not so sure Barbican belongs in the undercloud
02:23:34 <redrobot> I think Vault/Keywhiz/HSM is probably a better solution
02:23:48 <redrobot> so it makes sense to abstract those away in Castellan
02:24:03 <alee_> where barbican makes sense to me is where you need to store tenant-based secrets
02:24:07 * redrobot regrets not getting rid of the castellan.common package when he had the chance.
02:24:15 <alee_> so I think we're saying basically the same thing
02:24:27 <redrobot> Yes, sounds like we're in violent agreement.
02:24:40 <redrobot> but also, I haven't read that spec, haha
02:24:45 <alee_> when the secrets are not tenant based, barbican may not make sense
02:25:03 <redrobot> yup yup
02:25:19 <alee_> the idea behind the spec is that developers should expect a castellan compatible keystore
02:25:35 <alee_> just like they expect an authz from keystone
02:25:59 <redrobot> I'd think it's more like oslo.db
02:26:15 <alee_> right oslo.keymanager
02:26:22 <alee_> but yeah
02:26:24 <redrobot> where you can use oslo.db if you need SQL but it doesn't matter which SQL-compliant db it is.
02:26:59 <redrobot> gotta love small meetings where everyone agrees. 😜
02:27:05 <alee_> as to whether it makes sense to put barbican in the undercloud, that's a different question
02:27:15 <alee_> I can see some advantages
02:28:11 <alee_> right now we don't have a vault we can deliver downstream
02:28:31 <alee_> so in the interim barbican provides an excellent alternative that can talk to hsms
02:28:36 <alee_> if you need it
02:29:06 <alee_> anyways .. meeting adjourned so we can get some sleep?
02:29:16 <redrobot> yes, sleep does sound good!
02:29:34 <alee_> redrobot, thanks for joining - not all by my lonesome :)
02:29:39 <alee_> #endmeeting