*** kebray has quit IRC | 00:05 | |
*** david-lyle is now known as david-lyle_afk | 00:13 | |
*** atiwari has quit IRC | 00:18 | |
*** kgriffs|afk is now known as kgriffs | 00:21 | |
*** ryanpetrello has joined #openstack-barbican | 00:21 | |
*** kgriffs is now known as kgriffs|afk | 00:30 | |
*** ryanpetrello has quit IRC | 00:40 | |
*** zz_dimtruck is now known as dimtruck | 00:46 | |
*** ryanpetrello has joined #openstack-barbican | 01:19 | |
*** tdink has joined #openstack-barbican | 01:20 | |
*** woodster_ has quit IRC | 01:30 | |
*** tdink has quit IRC | 01:30 | |
*** dave-mccowan_ has joined #openstack-barbican | 01:33 | |
*** dave-mccowan has quit IRC | 01:35 | |
*** dave-mccowan_ is now known as dave-mccowan | 01:35 | |
*** tkelsey has joined #openstack-barbican | 01:53 | |
*** bdpayne has quit IRC | 01:55 | |
*** tkelsey has quit IRC | 01:59 | |
*** ryanpetrello has quit IRC | 02:14 | |
*** bubbva has quit IRC | 02:58 | |
*** kgriffs|afk is now known as kgriffs | 02:59 | |
*** bdpayne has joined #openstack-barbican | 03:03 | |
*** rm_you| is now known as rm_you | 03:07 | |
reaperhulk | alee: I tentatively like the idea of using CMC | 03:51 |
alee | reaperhulk, cool - I was just about to amend the cert api spec to propose that. | 03:53 |
reaperhulk | cool | 03:55 |
openstackgerrit | John Wood proposed openstack/barbican-specs: Remove the tenant-secret association table https://review.openstack.org/135158 | 03:59 |
*** dave-mccowan has quit IRC | 04:01 | |
rm_work | wait what, why would we remove that | 04:10 |
* rm_work reads | 04:10 | |
*** dimtruck is now known as zz_dimtruck | 04:37 | |
*** tkelsey has joined #openstack-barbican | 05:56 | |
*** tkelsey has quit IRC | 06:01 | |
*** bdpayne has quit IRC | 06:32 | |
*** miqui has joined #openstack-barbican | 07:24 | |
miqui | newbie question: can i run barbican standalone? | 07:25 |
*** miqui has quit IRC | 08:11 | |
*** codekobe has quit IRC | 08:26 | |
*** erw has quit IRC | 08:27 | |
*** codekobe_ has joined #openstack-barbican | 08:27 | |
*** erw has joined #openstack-barbican | 08:27 | |
*** jamielennox is now known as jamielennox|away | 09:43 | |
openstackgerrit | Tim Kelsey proposed openstack/barbican: Adding client certificates to connection credentials. https://review.openstack.org/135217 | 10:36 |
openstackgerrit | Tim Kelsey proposed openstack/barbican: Adding client certificates to connection credentials https://review.openstack.org/135217 | 11:28 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/135234 | 11:29 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements https://review.openstack.org/135243 | 11:36 |
*** ayoung-dadmode has quit IRC | 12:42 | |
*** ryanpetrello has joined #openstack-barbican | 12:44 | |
*** ryanpetrello has quit IRC | 12:51 | |
*** ryanpetrello has joined #openstack-barbican | 12:57 | |
*** woodster_ has joined #openstack-barbican | 13:26 | |
*** dave-mccowan has joined #openstack-barbican | 14:00 | |
*** alee has quit IRC | 14:06 | |
*** ayoung has joined #openstack-barbican | 14:27 | |
*** david-lyle_afk is now known as david-lyle | 14:43 | |
*** paul_glass has joined #openstack-barbican | 14:43 | |
*** ametts has joined #openstack-barbican | 14:51 | |
*** kgriffs is now known as kgriffs|afk | 14:53 | |
*** rellerreller has joined #openstack-barbican | 14:58 | |
*** kgriffs|afk is now known as kgriffs | 14:58 | |
*** nkinder has joined #openstack-barbican | 14:59 | |
*** openstackgerrit has quit IRC | 15:04 | |
*** openstackgerrit has joined #openstack-barbican | 15:04 | |
*** zz_dimtruck is now known as dimtruck | 15:05 | |
*** alee_ has joined #openstack-barbican | 15:11 | |
*** akoneru has joined #openstack-barbican | 15:22 | |
*** woodster_ has quit IRC | 15:30 | |
*** bdpayne has joined #openstack-barbican | 15:32 | |
*** rellerreller has quit IRC | 15:33 | |
*** bdpayne has quit IRC | 15:44 | |
*** tdink has joined #openstack-barbican | 15:53 | |
*** tdink has quit IRC | 15:54 | |
*** jorge_munoz has quit IRC | 15:56 | |
*** dave-mccowan has quit IRC | 15:57 | |
*** kgriffs is now known as kgriffs|afk | 15:58 | |
*** jorge_munoz has joined #openstack-barbican | 16:00 | |
*** tdink has joined #openstack-barbican | 16:03 | |
*** SheenaG1 has joined #openstack-barbican | 16:04 | |
*** rellerreller has joined #openstack-barbican | 16:05 | |
*** dave-mccowan has joined #openstack-barbican | 16:08 | |
*** bdpayne has joined #openstack-barbican | 16:14 | |
*** kebray has joined #openstack-barbican | 16:20 | |
*** kebray has quit IRC | 16:21 | |
openstackgerrit | Douglas Mendizábal proposed openstack/python-barbicanclient: Add Usage documentation https://review.openstack.org/135342 | 16:25 |
*** kebray has joined #openstack-barbican | 16:25 | |
*** kebray has quit IRC | 16:31 | |
openstackgerrit | John Wood proposed openstack/barbican-specs: Remove the tenant-secret association table https://review.openstack.org/135158 | 16:37 |
openstackgerrit | John Wood proposed openstack/barbican-specs: Remove the tenant-secret association table https://review.openstack.org/135158 | 16:42 |
*** atiwari has joined #openstack-barbican | 16:49 | |
rm_work | https://letsencrypt.org/ | 16:58 |
rm_work | neat | 16:58 |
*** SheenaG1 has quit IRC | 17:00 | |
*** bdpayne has quit IRC | 17:03 | |
rm_work | https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md | 17:04 |
*** SheenaG1 has joined #openstack-barbican | 17:06 | |
rm_work | reaperhulk / redrobot / alee_ ^^ have you seen that? | 17:07 |
alee_ | rm_work, interesting -- I'll give it a read .. | 17:11 |
reaperhulk | It's essentially a JSON API that does what CMC does with the addition of challenge protocols for validation. | 17:11 |
reaperhulk | plus RFC 7030 I suppose as well since it describes the exact client/server interaction | 17:12 |
*** kebray has joined #openstack-barbican | 17:12 | |
reaperhulk | I haven't read it closely enough to have an opinion on its quality. | 17:12 |
reaperhulk | Although I do have an opinion on the client python code they released as part of their preview today. It's shit. | 17:13 |
reaperhulk | (Although some of its problems are because I need to finish the x509 support in pyca/cryptography...) | 17:13 |
*** kebray has quit IRC | 17:17 | |
*** kebray has joined #openstack-barbican | 17:19 | |
rm_work | lol | 17:20 |
*** bdpayne has joined #openstack-barbican | 17:29 | |
*** SheenaG1 has quit IRC | 17:32 | |
*** SheenaG1 has joined #openstack-barbican | 17:43 | |
*** tdink has quit IRC | 17:45 | |
*** kebray has quit IRC | 17:49 | |
*** SheenaG1 has quit IRC | 17:55 | |
*** tdink has joined #openstack-barbican | 17:58 | |
*** paul_glass has quit IRC | 18:02 | |
*** jamielennox|away is now known as jamielennox | 18:04 | |
*** jamielennox is now known as jamielennox|away | 18:04 | |
*** bdpayne_ has joined #openstack-barbican | 18:05 | |
*** jamielennox|away is now known as jamielennox | 18:05 | |
*** bdpayne has quit IRC | 18:06 | |
*** woodster_ has joined #openstack-barbican | 18:17 | |
openstackgerrit | Merged openstack/barbican: Updated from global requirements https://review.openstack.org/135234 | 18:22 |
*** gyee has joined #openstack-barbican | 18:22 | |
*** SheenaG1 has joined #openstack-barbican | 18:24 | |
openstackgerrit | Thomas Dinkjian proposed openstack/barbican: Moved secret functional tests to data driven tests https://review.openstack.org/135089 | 18:32 |
*** tdink has quit IRC | 18:44 | |
*** paul_glass has joined #openstack-barbican | 18:44 | |
*** liam__ has joined #openstack-barbican | 19:03 | |
*** liam__ has quit IRC | 19:05 | |
*** tdink has joined #openstack-barbican | 19:05 | |
*** tdink has quit IRC | 19:09 | |
*** SheenaG1 has quit IRC | 19:26 | |
*** SheenaG1 has joined #openstack-barbican | 19:28 | |
*** kfox1111 has joined #openstack-barbican | 19:35 | |
kfox1111 | Is there a way to restrict access to secrets within a tenant yet? | 19:36 |
kfox1111 | I want to be able to have some vm's in my tenant get access to their own secrets, but seems like I'm giving it too much access to give them access to all vm's secrets within the same tenant. Read only too. The vm shouldn't need to create/delete secrets. | 19:37 |
rellerreller | kfox1111 That feature is not currently supported but on the roadmap for Kilo | 19:46 |
redrobot | hi kfox1111 | 19:46 |
redrobot | kfox1111 currently we do support read-only, but it would still apply to all secrets within the tenant | 19:47 |
*** darrenmoffat has quit IRC | 19:55 | |
*** darrenmoffat has joined #openstack-barbican | 19:56 | |
*** ametts has quit IRC | 19:57 | |
kfox1111 | We've been running our own keyserver that has a vendor plugin for nova. We tag vm's with metadata saying what tenant-group(s) they can access, the vendor plugin provides a signed token that the keyserver trusts for giving secrets out, and the keys are associated with tenant-groups. | 19:59 |
kfox1111 | with this arrangement, it's easy to create an auto scaling group or whatever in heat, and it can download just the keys we said it can. | 20:00 |
kfox1111 | Any plan to support this sort of arrangement? | 20:00 |
redrobot | kfox1111 we're using Keystone for Auth, so VMs would need to have a Keystone token to talk to Barbican. If all VMs share a tenant, then you could store keys under that tenant, and give the VMs read-only access to the keys. This is currently supported now. | 20:03 |
redrobot | kfox1111 what rellerreller was talking about was scoping keys so that you provide access to only an individual key. | 20:03 |
alee_ | redrobot, whats the scoop on the midcycle? | 20:20 |
redrobot | alee_ nothing official yet. Still poking at people. It seems the Keystone folks are still debating between bay area or sa. I don't think we have a preference either way. | 20:21 |
alee_ | redrobot, last I heard -- keystone was saying sa | 20:22 |
redrobot | alee_ are they committed to SA now? Last time I spoke to morganfainberg they were leaning SA, but still up in the air. | 20:23 |
alee_ | redrobot, I just hear rumors | 20:23 |
redrobot | alee_ :) | 20:23 |
alee_ | redrobot, you're more likely to know than me. | 20:24 |
alee_ | redrobot, but it's likely we'll meet wherever keystone does? | 20:24 |
morganfainberg | we are committing to SA | 20:24 |
morganfainberg | January 19, 20, 21 | 20:25 |
alee_ | redrobot, ^^ there you go. | 20:25 |
redrobot | morganfainberg cool. Do you have space yet? I can talk to the Geekdom folks, I'm sure they'll be more than happy to host their mid-cycle again | 20:25 |
morganfainberg | redrobot, working on geekdom | 20:25 |
morganfainberg | dolphm is handling that part for us | 20:25 |
alee_ | redrobot, so what does that mean for barbican? SA? | 20:25 |
morganfainberg | redrobot, my expectation is i'll do the legwork *before* the summit for next cycle (or help the new PTL whatever) | 20:26 |
morganfainberg | so it will be decided 100% by summit time. | 20:26 |
morganfainberg | rather than "oh uh..... lets not make people scramble" | 20:26 |
morganfainberg | should be easier for alternate city/venue that way :) | 20:26 |
redrobot | alee_ possibly, if there's enough interest from our folks in sharing the space with Keystone again. I know jaosorio for sure would like to attend both. | 20:27 |
redrobot | morganfainberg that's a good plan. I wasn't even thinking about the mid-cycle until you and Rob started asking about it. Definitely makes sense to plan in advance. | 20:28 |
kfox1111 | redrobot: but until all openstack projects have sane policy stuff, it really hurts to use keystone in that way. As is, I'd have to go find all the policy files for all services, add some roles that are required to do anything, and then make sure the vm's keystone account does not have any of those roles. Then I'd have to add the roles to all of the users I already have to ensure they can continue to use the services they already have access to. | 20:33 |
rellerreller | alee woodster_ You should probably review the patch https://review.openstack.org/#/c/127659/. It deals with all of the content type stuff we had discussed. | 20:34 |
kfox1111 | Otherwise, the "vm's" keystone account can launch/delete vms, heat stacks, delete storage in swift, mess with cinder, etc. | 20:34 |
kfox1111 | without owning the cloud, but with a regular user hat on, I can't put policy stuff in place to do that either. | 20:35 |
kfox1111 | This is why we have continued to use our own keyserver and haven't been able to use barbican yet. :/ | 20:35 |
alee_ | rellerreller, looks like we need your content-type spec .. | 20:37 |
rellerreller | alee_ I know I need to get that out soon. I wish I did not have to go through prepub, so I could put out a spec tomorrow. | 20:37 |
alee_ | rellerreller, you have to go through prepub on specs too? | 20:38 |
rellerreller | Everything must go through prepub. | 20:39 |
alee_ | code CRs? | 20:39 |
rellerreller | alee_ yes | 20:39 |
alee_ | rellerreller, wow .. sorry | 20:40 |
kfox1111 | has any thought gone into how to get the other projects to require some role so that barbican can have users that can't do anything but download a secret? | 20:50 |
redrobot | kfox1111 I'm not sure I understand the question | 20:51 |
redrobot | kfox1111 policy checks happen on barbican side | 20:51 |
redrobot | kfox1111 we do have a role that only allows reading a secret | 20:52 |
kfox1111 | keystone gives you a token for a user bound to a tenant... that token can be used to talk to any openstack api... | 20:52 |
redrobot | kfox1111 keystone gives you a token for user/tenant/roles combination | 20:52 |
kfox1111 | if I have to create a user and bind it to a tenant to allow it to contact barbican to download a secret, it can do other things without some kind of restriction. | 20:52 |
redrobot | kfox1111 not necessarily. You have the option of granting a list of roles when you create the user->tenant association. | 20:53 |
kfox1111 | redrobot: sure, in theory. but in practice, which roles do i use? | 20:54 |
kfox1111 | I don't think there is a role today that lets you do that. | 20:54 |
kfox1111 | it requires allocating a role, and editing policy files of all the openstack projects? | 20:54 |
redrobot | kfox1111 a lot of those decisions are left to the deployer. Yes, it does require editing policy files if the default ones don't do what you need. | 20:55 |
redrobot | our reference policy file for example uses "observer" role for read only. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json | 20:56 |
redrobot | but our real deployment will probably have project scoped roles | 20:56 |
kfox1111 | so, unless you are the one deploying the cloud, and the one writing heat templates to allocate the roles to your keystone users, you can't really use barbican in a very secure way. that was my point. If barbican is going to continue to only support keystone auth, how do we extend the roles provided by stock openstack to allow barbican to be used securely out of the box? | 20:56 |
kfox1111 | In keystone, roles are additive, and if I remember trusts correctly, you can drop roles. So flagging a user read only is not a good idea since they can wiggle out of it. So something like a 'barbican-only-ro' role on the account, then marking all the policy files disallowing access to those wouldn't work. | 20:58 |
*** SheenaG11 has joined #openstack-barbican | 20:58 | |
*** alee_ has quit IRC | 20:58 | |
kfox1111 | you kind of need a "regular-openstack-user" role for normal accounts, that is on normal users, and if missing, it can still talk to barbican, but nothing else. | 20:59 |
*** SheenaG1 has quit IRC | 20:59 | |
kfox1111 | but then you have to get every other project to agree to use it in their default policy file. :/ | 20:59 |
kfox1111 | am I misunderstanding something? | 21:02 |
*** paul_glass has quit IRC | 21:03 | |
redrobot | I'm still not sure I follow your concerns. I think that someone deploying Barbican will have to make some choices to determine what a "secure" barbican means to them. | 21:05 |
redrobot | I think that includes figuring out what the correct policy for their deployment is. | 21:06 |
kfox1111 | but as a user of barbican, I need to ensure it's "secure", but am not in control of some of that. right? | 21:06 |
kfox1111 | it should not be different between clouds, or as a user, I have to be very careful the cloud I run on has done the right thing. | 21:07 |
kfox1111 | For example, I create a heat template to deploy my application. I create a keystone user as part of the app, since I need a user to talk to barbican. | 21:08 |
*** atiwari has quit IRC | 21:08 | |
kfox1111 | I add some roles to it to be able to talk to barbican. | 21:08 |
kfox1111 | I need to know what role names those are, and they need to have the same behaviors on all the clouds I want to launch that heat stack, or else I have to write a custom template per cloud I'm deploying on. | 21:09 |
kfox1111 | by default, I think if there is any role on a tenant, then the user can do all sorts of bad things in most of the openstack api's. so simply tagging a service user as a barbican:observer means that the vm can do those bad things unless the cloud provider was very careful and rewrote their policy files? | 21:11 |
redrobot | I don't think that's true, although I must admit I haven't read every single policy file for every project. If you want to create a VM, then Nova policy _should_ check for some Nova role that allows the user to do that. | 21:15 |
kfox1111 | https://github.com/openstack/nova/blob/master/etc/nova/policy.json | 21:16 |
redrobot | I think that oslo.policy by being flexible as it is, and letting deployers make policy decisions will make it hard/impossible to make a heat template that works for every deployment. | 21:16 |
*** stanzi has joined #openstack-barbican | 21:17 | |
kfox1111 | redrobot: Yeah, I agree they should have roles for different services to allow the restriction. Today, that does not look to be the case... | 21:17 |
kfox1111 | yeah. That's why I think the policy files should for the most part be considered code provided by openstack, and out of the box should be flexible enough to allow roles via keystone to manage stuff and policy is only changed very rarely on oddball clouds. | 21:18 |
kfox1111 | nova's policy file above looks similar to most of the other services' policies too. It's usually admin or not, not much else. :/ | 21:19 |
redrobot | kfox1111 I think I understand where you're coming from now. I agree, there definitely seems to be a need to standardize on sane policy defaults across every project. | 21:19 |
kfox1111 | yeah. :/ | 21:20 |
kfox1111 | With as big as some of these policy files are too, I'm worried to have to maintain thousands of lines of changes in order to secure mine. then when kilo comes out, I got to double check everything. :/ | 21:21 |
kfox1111 | That's why we bypassed keystone for this one case to allow vm's to download secrets based on what metadata they were tagged with. since only a tenant user can tag metadata onto the vm, the vm can't give itself privileges. it's then fairly safe. | 21:23 |
kfox1111 | In some ways, it's really all the other projects' problem, not barbican's. but it really messes with the barbican workflow. :/ | 21:24 |
*** stanzi_ has joined #openstack-barbican | 21:30 | |
*** alee_ has joined #openstack-barbican | 21:31 | |
*** stanzi has quit IRC | 21:33 | |
*** SheenaG11 has quit IRC | 21:36 | |
*** kfox1111 has quit IRC | 21:52 | |
*** paul_glass has joined #openstack-barbican | 21:55 | |
akoneru | redrobot, ping | 21:55 |
redrobot | akoneru pong | 21:55 |
akoneru | redrobot, Hi. wanted to ask you where exactly during startup is the barbican-api.conf loaded using oslo.config? | 21:57 |
akoneru | redrobot, i looked up at barbican/common/config.py, And even tried to hard code the path to barbican-api.conf as a default config file, but it didn't work. | 21:58 |
redrobot | akoneru give me a sec, let me look that up | 22:01 |
akoneru | redrobot, sure. | 22:03 |
*** rtom has joined #openstack-barbican | 22:07 | |
woodster_ | akoneru, this call is what processes the config file: https://github.com/openstack/barbican/blob/master/barbican/api/app.py#L108 | 22:09 |
woodster_ | ...this configures it: https://github.com/openstack/barbican/blob/master/barbican/api/app.py#L108 | 22:09 |
woodster_ | are you trying to change where the config file is located? | 22:09 |
*** SheenaG1 has joined #openstack-barbican | 22:13 | |
anteaya | is douglas mendizabal's irc nick d0ugal ? | 22:15 |
d0ugal | anteaya: nope :) | 22:16 |
anteaya | any idea what it is? | 22:16 |
*** dave-mccowan has quit IRC | 22:16 | |
d0ugal | No idea who that is :) | 22:16 |
anteaya | okay thanks | 22:16 |
anteaya | anyone else? | 22:17 |
dstufft | anteaya: redrobot | 22:17 |
woodster_ | kfox1111, so alee has posted a CR to add white/black list functionality for secrets, not sure if that helps: https://review.openstack.org/#/c/127353/ | 22:18 |
anteaya | dstufft: thank you | 22:18 |
akoneru | woodster_, yeah. | 22:20 |
*** stanzi_ has quit IRC | 22:21 | |
akoneru | woodster_, i installed the barbican-api.conf at /etc/barbican from the rpm and would like to pass this path during startup. As of now i am getting CryptoPluginNotFound exception on starting barbican after installing the rpms | 22:21 |
*** stanzi has joined #openstack-barbican | 22:21 | |
akoneru | woodster_, so i think the file is not being read currently in my setup. | 22:22 |
*** SheenaG1 has quit IRC | 22:25 | |
*** paul_glass has quit IRC | 22:27 | |
*** paul_glass has joined #openstack-barbican | 22:31 | |
*** stanzi has quit IRC | 22:35 | |
*** SheenaG1 has joined #openstack-barbican | 22:38 | |
*** stanzi has joined #openstack-barbican | 22:40 | |
*** akoneru is now known as akoneru_afk | 22:53 | |
*** akoneru_afk has quit IRC | 22:54 | |
*** paul_glass has quit IRC | 22:57 | |
*** rellerreller has quit IRC | 23:07 | |
*** nkinder has quit IRC | 23:08 | |
woodster_ | akoneru, the oslo.config logic will naturally look into /etc/barbican...you shouldn't have to modify setup.py for example. | 23:10 |
*** liam__ has joined #openstack-barbican | 23:21 | |
*** liam__ has quit IRC | 23:21 | |
*** stanzi has quit IRC | 23:24 | |
*** dimtruck is now known as zz_dimtruck | 23:36 | |
openstackgerrit | John Wood proposed openstack/barbican-specs: Remove the tenant-secret association table https://review.openstack.org/135158 | 23:45 |
*** rtom has quit IRC | 23:46 |