Monday, 2015-08-17

openstackgerrit	Douglas Mendizábal proposed openstack/barbican: Use "key-manager" instead of "keymanagement" https://review.openstack.org/213567	00:31
openstackgerrit	Dave McCowan proposed openstack/barbican: hkntroduce the service-admin role https://review.openstack.org/213570	01:23
*** dave-mcc_ has joined #openstack-barbican		01:25
*** dave-mccowan has quit IRC		01:27
*** zz_dimtruck is now known as dimtruck		01:28
openstackgerrit	Dave McCowan proposed openstack/barbican: Introduce the service-admin role https://review.openstack.org/213570	01:53
openstackgerrit	Pradeep Kumar Singh proposed openstack/barbican: Make files in barbican.tests.api py3 compatible Partially-Implements: blueprint barbican-py3 https://review.openstack.org/213574	01:55
openstackgerrit	Pradeep Kumar Singh proposed openstack/barbican: Make files in barbican.tests.api py3 compatible https://review.openstack.org/213574	01:58
*** dave-mcc_ has quit IRC		02:14
*** dave-mccowan has joined #openstack-barbican		02:21
openstackgerrit	Pradeep Kumar Singh proposed openstack/barbican: Make tests in barbican.tests.api.middleware py3 compatible Partially-Implements: blueprint barbican-py3 https://review.openstack.org/213594	03:04
openstackgerrit	Pradeep Kumar Singh proposed openstack/barbican: Make tests in barbican.tests.api.middleware py3 compatible https://review.openstack.org/213594	03:07
*** dave-mccowan has quit IRC		03:42
*** dimtruck is now known as zz_dimtruck		03:54
*** openstack has joined #openstack-barbican		04:17
openstackgerrit	Pradeep Kumar Singh proposed openstack/barbican: Make files in barbican.tests.api py3 compatible https://review.openstack.org/213574	04:35
*** vivek-ebay has joined #openstack-barbican		04:43
*** vivek-ebay has quit IRC		05:25
*** edtubill has joined #openstack-barbican		05:42
*** edtubill has left #openstack-barbican		05:42
-openstackstatus- NOTICE: Gerrit is currently under very high load and may be unresponsive. infra are looking into the issue.		07:05
*** Nirupama has joined #openstack-barbican		07:07
*** shohel has joined #openstack-barbican		07:33
*** mixos has quit IRC		08:25
*** everjeje has joined #openstack-barbican		08:27
*** Guest47951 is now known as d0ugal		09:49
*** d0ugal has quit IRC		09:49
*** d0ugal has joined #openstack-barbican		09:49
openstackgerrit	Merged openstack/barbican: Updated from global requirements https://review.openstack.org/212243	10:19
-openstackstatus- NOTICE: review.openstack.org (aka gerrit) is going down for an emergency restart		10:19
*** ChanServ changes topic to "review.openstack.org (aka gerrit) is going down for an emergency restart"		10:19
*** ChanServ changes topic to "Barbican Liberty Mid-Cycle Sprint Aug 5-7 https://etherpad.openstack.org/p/barbican-liberty-midcycle"		10:46
-openstackstatus- NOTICE: Gerrit restart has resolved the issue and systems are back up and functioning		10:46
*** peter-hamilton has joined #openstack-barbican		11:11
*** woodster_ has joined #openstack-barbican		11:46
*** chlong has quit IRC		11:59
*** dave-mccowan has joined #openstack-barbican		12:15
openstackgerrit	Dave McCowan proposed openstack/barbican: Introduce the service-admin role https://review.openstack.org/213570	12:37
*** SheenaG has quit IRC		12:39
*** SheenaG has joined #openstack-barbican		12:39
*** SheenaG has quit IRC		12:48
*** Nirupama has quit IRC		12:49
*** elmiko has joined #openstack-barbican		13:07
*** lisaclark1 has joined #openstack-barbican		13:19
dave-mccowan	alee_ ping	13:24
alee_	dave-mccowan, yo	13:25
dave-mccowan	alee_ are you planning on review the CRs for the quotas blueprint?	13:25
alee_	dave-mccowan, I can. I wasn't planning to look into them in much detail. figured there was enough interest from other cores.	13:27
alee_	dave-mccowan, are you held up on reviews?	13:28
*** kfarr has joined #openstack-barbican		13:29
dave-mccowan	alee_ yea, i think i'm stuck now. i have four outstanding CRs for quotas. the good news is that all the big pieces are done, but the next step is stitching them together which will be much easier if they have landed (and I know there won't be big refactoring based on reviews).	13:31
alee_	dave-mccowan, ok I'll try to get to them later today	13:32
dave-mccowan	woodster_ ^^ do have plans to look some more at the quotas blueprints? there are 4 now. you gave a +2 on one of them that needs to be re-newed.	13:33
*** SheenaG has joined #openstack-barbican		13:36
*** rellerreller has joined #openstack-barbican		13:52
woodster_	dave-mccowan: I'll take a look at them today as well	13:58
*** chlong has joined #openstack-barbican		14:04
dave-mccowan	woodster_ thanks!	14:07
*** dave-mccowan has quit IRC		14:08
*** zz_dimtruck is now known as dimtruck		14:09
*** dave-mccowan has joined #openstack-barbican		14:23
*** lisaclark1 has quit IRC		14:23
*** silos has joined #openstack-barbican		14:25
redrobot	Good (UGT) morning!	14:29
*** silos is now known as silos_away		14:30
openstackgerrit	Nathan Reller proposed openstack/barbican: Integrated with PyKMIP Pie API https://review.openstack.org/212579	14:31
*** lisaclark1 has joined #openstack-barbican		14:37
*** lisaclark1 has quit IRC		14:42
*** lisaclark1 has joined #openstack-barbican		14:52
*** igueths has joined #openstack-barbican		15:05
*** morgan_503 is now known as morgan_2549		15:06
*** pglass has joined #openstack-barbican		15:07
*** shohel has quit IRC		15:14
*** spotz_zzz is now known as spotz		15:17
*** silos_away is now known as silos		15:17
*** chlong has quit IRC		15:18
arunkant	woodster_, redrobot, can you revisit ACL barbican client reviews as I have made changes as per meetup discussion.	15:25
arunkant	There are 3 dependent reviews (https://review.openstack.org/#/c/206699/ )	15:26
*** chlong has joined #openstack-barbican		15:32
woodster_	arunkant: I'll work to catchup on those today	15:33
*** pglass has quit IRC		15:37
*** pglass has joined #openstack-barbican		15:38
*** chlong has quit IRC		15:38
*** ccneill has joined #openstack-barbican		15:39
*** chlong has joined #openstack-barbican		15:40
*** nkinder has joined #openstack-barbican		15:42
*** darrenmoffat has quit IRC		15:42
*** darrenmoffat has joined #openstack-barbican		15:43
*** xaeth_afk is now known as xaeth		15:45
openstackgerrit	Merged openstack/barbican: Replace python-ldap with ldap3 library https://review.openstack.org/211759	15:48
*** gyee has joined #openstack-barbican		15:56
*** silos1 has joined #openstack-barbican		16:00
*** silos has quit IRC		16:02
*** everjeje has quit IRC		16:02
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Add unit tests for managed objects https://review.openstack.org/206649	16:08
*** vivek-ebay has joined #openstack-barbican		16:14
*** david-ly_ is now known as david-lyle		16:15
*** dave-mccowan has quit IRC		16:27
*** vivek-ebay has quit IRC		16:29
*** vivek-ebay has joined #openstack-barbican		16:50
*** lisaclark1 has quit IRC		17:00
*** lisaclark1 has joined #openstack-barbican		17:03
*** lisaclark2 has joined #openstack-barbican		17:08
*** lisaclark2 has quit IRC		17:09
*** vivek-ebay has quit IRC		17:10
*** lisaclark1 has quit IRC		17:10
*** lisaclark1 has joined #openstack-barbican		17:12
*** vivek-ebay has joined #openstack-barbican		17:14
*** lisaclark1 has quit IRC		17:35
alee_	kfarr, rellerreller ping	17:38
rellerreller	pong	17:38
kfarr	alee_ pong	17:38
alee_	kfarr, rellerreller - I'm going throught the encrypted volume tempest test and trying to see what would need to be set up to use barbican	17:39
alee_	kfarr, rellerreller first off - are there docs anywhere that detail how an operator would do all this?	17:39
alee_	ie. a HOWTO for encrypted volumes?	17:39
alee_	I think I can reconstruct the cli steps based on the tempest test -- but wanted to see if there was anything documented out there ..	17:40
rellerreller	kfarr had some tempest tests.	17:40
kfarr	alee_ here's what's in the openstack manuals: http://docs.openstack.org/kilo/config-reference/content/section_volume-encryption.html	17:41
kfarr	I'm pretty sure there's other documentation about setting it up with Barbican specifically	17:41
kfarr	I'm going to look, one sec	17:41
alee_	kfarr, cool - the steps there mirror what I dug out of the tempest tests .. now for barbican ..	17:44
alee_	rellerreller, kfarr incidentally I'm assuming the cinder and nova config with Barbican is global, right? is not project specific?	17:45
kfarr	alee_ not finding any documentation at the moment	17:45
kfarr	alee_ you'd have to change both nova.conf and cinder.conf to point to Barbican, if that's what you meant	17:45
rellerreller	alee_ I don't understand.	17:45
alee_	kfarr, do you have an example -- say from a tempest riun or otherwsie?	17:46
alee_	rellerreller, I think my question might be answered when I see a config example ..	17:47
rellerreller	alee_ I hope so	17:48
kfarr	alee_ you might have to give me a moment, but I'll get you something	17:48
alee_	kfarr, thanks	17:48
alee_	rellerreller, can I configure nova and cinder to store/retrieve keys in barbican X for encrypted volumes only for project X ?	17:49
rellerreller	alee_ I believe it is configured per volume.	17:50
*** lisaclark1 has joined #openstack-barbican		17:50
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Update Barbican wrapper https://review.openstack.org/208569	17:50
rellerreller	alee_ when you create a volume it is indicated as encrypted volume type.	17:50
*** peter-hamilton has quit IRC		17:52
hockeynut	my kingdom for a workflow: https://review.openstack.org/#/c/213402/	17:52
redrobot	hockeynut done	17:53
hockeynut	grassy ass!	17:53
redrobot	hockeynut trade you for a +W on https://review.openstack.org/#/c/213567/	17:54
hockeynut	quid pro quo	17:54
hockeynut	best 2 LOC ever.	17:54
kfarr	alee_ in nova.conf, you'll need "api_class = nova.keymgr.barbican.BarbicanKeyManager" in the [keymgr] section	17:57
kfarr	similarly in cinder.conf, you'll need "api_class = cinder.keymgr.barbican.BarbicanKeyManager" in the [keymgr].	17:58
alee_	kfarr, anything else? location of barbican perhaps?	17:58
kfarr	I've gotta run, will be back in an hour	17:58
kfarr	Barbican's just gotta be running	17:58
kfarr	and the endpoint in keystone	17:59
alee_	kfarr, the doc'ed steps are interesting but seem to be missing a few steps	17:59
alee_	kfarr, for one thing, the tempest steps has a keypair create step	18:00
alee_	and then when the server is created , a key_name is passed to it ...	18:00
*** rellerreller has quit IRC		18:01
alee_	but that makes sense as its doc'ing a single key for all volumes	18:01
hockeynut	redrobot ping	18:06
redrobot	hockeynut pong	18:06
hockeynut	I wanna add an item to the agenda for today's IRC mtg.	18:06
hockeynut	just update the wiki pg with the agenda, or is there a tool for that?	18:06
hockeynut	https://wiki.openstack.org/wiki/Meetings/Barbican	18:07
hockeynut	added it	18:10
*** ccneill has quit IRC		18:14
*** mixos has joined #openstack-barbican		18:19
spotz	redrobot can you abandon this review for me? https://review.openstack.org/#/c/201782/	18:19
rm_work	redrobot: i am concerned a little bit because your comment on castellan-certs raised the first couple of actually valid points against it that i've seen so far T_T	18:19
*** ccneill has joined #openstack-barbican		18:20
redrobot	rm_work sorry, bud. :(	18:20
rm_work	yeah, specifically of concern is "https://github.com/openstack/octavia/blob/master/octavia/controller/healthmanager/update_health_mixin.py"	18:20
rm_work	err	18:20
rm_work	damnit	18:20
rm_work	wrong copy/paste	18:20
rm_work	"We would also need to provide some service to make the creation of bundles easy for the user since they would need to be stored in the device first so the bundle reference can be made available"	18:21
rm_work	which is ... a problem	18:21
rm_work	and pretty much kills this in dead in the water	18:21
rm_work	i overlooked that problem originally, and it's a big one	18:22
rm_work	i honestly don't have any ideas about how to solve it	18:22
redrobot	the storage service that solves it is Barbican	18:22
rm_work	and i'm tempted to make a patch to change neutron-lbaas/octavia to take three separate refs T_T	18:22
rm_work	because otherwise we can't stay generic	18:23
rm_work	even if we have a certs interface, there's no way for users to store things reliably in the correct format besides for barbican	18:23
rm_work	s/besides/except/	18:24
rm_work	since the USER doesn't use the castellan interface	18:25
rm_work	i was thinking "the store method here makes it easy!" but nothing exposes that to the user, it isn't a real service	18:25
*** everjeje has joined #openstack-barbican		18:25
rm_work	only devs have access to use that	18:25
alee_	kfarr, nm - I see that the cinder code will create the key on barbican for me when I create the volume.	18:29
redrobot	spotz done	18:30
alee_	kfarr, I assume the key id is in the field encrypted_id ?	18:30
spotz	Thanks redrobot:)	18:30
alee_	kfarr, and is what nova uses to retrieve the key?	18:31
openstackgerrit	Merged openstack/barbican: Ensure a http 405 is returned on container(s) PUT https://review.openstack.org/213402	18:33
openstackgerrit	Merged openstack/barbican: Use "key-manager" instead of "keymanagement" https://review.openstack.org/213567	18:34
*** vivek-ebay has quit IRC		18:46
*** vivek-ebay has joined #openstack-barbican		18:56
*** dave-mccowan has joined #openstack-barbican		19:01
kfarr	alee_, just got back, yes that sounds right	19:03
kfarr	Cinder should create the key, store the key uuid as metadata, which nova will then retrieve to boot the volume	19:03
*** vivek-ebay has quit IRC		19:07
*** vivek-ebay has joined #openstack-barbican		19:10
*** peter-hamilton has joined #openstack-barbican		19:10
*** SheenaG has left #openstack-barbican		19:12
alee_	kfarr, cool thanks	19:14
alee_	rm_work, unfortunately I wont be able to make it to the weekly meeting. I'll read the transcript with great interest though.	19:15
rm_work	alee_: eh, i think redrobot killed it	19:18
rm_work	might be the shortest conversation ever	19:18
alee_	rm_work, less for me to read then ;/	19:18
rm_work	because unless Castellan becomes a SERVICE (which is unarguably outside any intended scope) there's no way to use the interface as an end user to store stuff	19:19
rm_work	which means there's no way for it to enforce its own container system	19:19
rm_work	which means... dead	19:19
rm_work	might just go abandon everything now <_<	19:19
redrobot	rm_work if it's any consolation, your perseverance and tenacity on this was the stuff of legends	19:21
redrobot	rm_work people will be talking about the Castellan discussions for years to come	19:21
rm_work	I just wish I had realized that flaw earlier -- where were you a week (or 6 months) ago, redrobot? T_T	19:25
*** lisaclark1 has quit IRC		19:28
arunkant	rm_work, just reading your comments and curious..is not castellan cert functionality supposed to have a backing impl like barbican which can store the container relationship.	19:32
*** rellerreller has joined #openstack-barbican		19:34
rm_work	arunkant: the idea was "not necessarily"	19:36
rm_work	but as redrobot pointed out, the solution i had in mind doesn't actually work	19:37
rm_work	not because "KMIP can't store stuff" or any of those fallacies, but because the end user just doesn't have access to the storage interface it provides :(	19:37
rm_work	and i agree that if it's just for developers, the gain is minimal compared to just passing multiple references :/	19:38
arunkant	rm_work: oh okay..so its certmonger impl will not have mechanism to store container association data, I mean datastore on castellan side.	19:38
rm_work	I am tempted to go as far as stripping the existing interface code out of LBaaS and just opt to use Barbican :/	19:39
rm_work	or, i guess Castellan	19:39
rm_work	but use individual items	19:40
rm_work	of course, that means either we have to ditch "consumer registration" or I finally have to write support for it for Secrets	19:40
arunkant	you mentioned "end user just does not have access to storage interface it provides" .. does that mean end-user by default would not know what to do with container URIs and that's why will need to write additional step to use it and then request associated secrets	19:42
arunkant	Is that the issue ?	19:42
*** lisaclark1 has joined #openstack-barbican		19:47
rm_work	no	19:48
rm_work	if a deployer chose not to use Barbican, but instead wanted to use a KMIP device to store things directly, the end user can't store things in that device via the Castellan.cert_manager.store() function, because Castellan isn't a running service, its a developer library	19:49
rm_work	so even if Castellan-certs defined a way to store linked objects in KMIP, that doesn't allow the user to take advantage of it	19:49
rm_work	in fact I am not even sure how an end-user would store data in the KMIP device Castellan accesses	19:50
rm_work	at all	19:50
peter-hamilton	rm_work: what do you mean?	19:54
rm_work	the end-user needs a service available to store data	19:55
rm_work	like what Barbican does	19:55
rm_work	looking at it from a "backend" perspective for your service (for example LBaaS), Barbican or a KMIP device are interchangable, because i can read from either using the same Castellan interface	19:56
rm_work	but from a user perspective, I need to store the cert/key info before LBaaS can retrieve it, and there is ONLY barbican for that	19:56
rm_work	there's no other service running that allows me, as a user, to store cert info in some KMIP device	19:57
rm_work	that is the whole point of Barbican	19:57
rm_work	to provide the end-user service layer	19:57
peter-hamilton	rm_work: ah, i see	19:57
rm_work	LBaaS doesn't ever store its own cert data, it relies on the user to do that up front, and pass in references	19:58
peter-hamilton	rm_work: i envision there being some sort of castellanclient that you would use to establish a connection to the backend	19:58
rm_work	yeah, but that doesn't exist	19:58
rm_work	and since Castellan isn't a service...	19:58
peter-hamilton	rm_work: true but it could	19:58
rm_work	not easily	19:58
rm_work	Castellan would have to essentially become a service like Barbican	19:58
rm_work	because you can't make a "client" for it without having credentials to the backend HSM	19:58
rm_work	it's just a developer library	19:59
peter-hamilton	rm_work: correct, you would need to provide credentials, but not much else	19:59
rm_work	no one is going to expose their HSM directly to users, AFAIK	19:59
*** vivek-ebay has quit IRC		20:01
peter-hamilton	rm_work: i agree, no one (in their right mind :) would open up general anon access to an HSM	20:01
peter-hamilton	rm_work: but castellan could provide the framework for establishing that connection	20:01
redrobot	weekly meeting starting now on #openstack-meeting-alt	20:01
rm_work	essentially you'd be defining another service exactly like what Barbican already does	20:02
rm_work	Barbican is a service to provide a front-end to a HSM, with support for CertContainers	20:02
peter-hamilton	rm_work: this would be client-only, direct to the backend, nothing in the middle	20:02
rm_work	err	20:03
rm_work	but you already agreed that no one would open up access to a HSM to the public	20:03
peter-hamilton	rm_work: you would need a backend and access to it, that's all	20:03
rm_work	what backend?	20:03
rm_work	the backend has to be the HSM	20:03
peter-hamilton	rm_work: one you own, or one you've been given access to	20:03
rm_work	that isn't particularly feasible for the use-case we're talking about	20:04
peter-hamilton	rm_work: that may be, i guess i'm thinking more in the general case	20:04
rm_work	well, you can feel free to pick up the cause :P	20:05
peter-hamilton	rm_work: haha, sadly i've got my hands full	20:06
rm_work	heh	20:06
*** crc32 has joined #openstack-barbican		20:15
*** SheenaG has joined #openstack-barbican		20:18
*** lisaclark1 has quit IRC		20:20
*** lisaclark1 has joined #openstack-barbican		20:20
*** SheenaG has quit IRC		20:26
*** spotz is now known as spotz_zzz		20:28
*** rellerreller has quit IRC		20:41
*** peter-hamilton has quit IRC		20:43
*** mmdurrant has joined #openstack-barbican		20:57
*** silos1 has left #openstack-barbican		20:59
*** vivek-ebay has joined #openstack-barbican		21:00
openstackgerrit	Steve Heyman proposed openstack/barbican: Use config rather than hardcoded admin id from Quotas test https://review.openstack.org/213860	21:06
openstackgerrit	Steve Heyman proposed openstack/barbican: Use config rather than hardcoded admin id from Quotas test https://review.openstack.org/213860	21:07
*** igueths has quit IRC		21:12
*** SheenaG has joined #openstack-barbican		21:19
*** lisaclark1 has quit IRC		21:19
*** SheenaG has left #openstack-barbican		21:21
dave-mccowan	redrobot, woodster_, is keystone v2 a requirement? looks like all our stuff is already on v3.	21:22
redrobot	dave-mccowan nope.... If you want to upgrade the policy to v3 that's fine by me.	21:23
*** pglass has quit IRC		21:25
rm_work	woodster_ / dave-mccowan responded on https://review.openstack.org/#/c/212967/1	21:44
*** lisaclark1 has joined #openstack-barbican		21:52
openstackgerrit	OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/213882	22:07
dave-mccowan	rm_work thanks. the quotas are set in a different CR. https://review.openstack.org/205894	22:08
*** xaeth is now known as xaeth_afk		22:30
*** chlong has quit IRC		22:34
openstackgerrit	OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/213882	22:35
rm_work	dave-mccowan: ok, i see... so is there an answer to my question that I am going to actually like? :P	22:37
*** lisaclark1 has quit IRC		22:39
dave-mccowan	rm_work ah, i see your other question now. in your question who registers a consumer? the user who consumes, or the owner of container?	22:42
rm_work	the user who consumes	22:42
rm_work	in this case, it is a service account	22:42
rm_work	one service account	22:43
rm_work	and one customer (for example some of our larger existing customers already have this scale) might have hundreds of TLS LBs	22:43
*** lisaclark1 has joined #openstack-barbican		22:43
rm_work	each with their own Barbican container	22:43
rm_work	so our service account might need to register 100 consumers (or even 1000 depending on if we got another large customer) with the same user	22:44
rm_work	would that require upping the quota globally?	22:44
rm_work	if so, that'd make quotas pretty useless in our deployment :(	22:44
dave-mccowan	i'm not set on any solution. if setting a quota on consumers doesn't make sense, we can rip it out of the spec and code. if it makes sense, a different way, i can code it a different way.	22:45
*** lisaclark1 has quit IRC		22:45
*** lisaclark1 has joined #openstack-barbican		22:45
* dave-mccowan stepping out for a few minutes		22:45
rm_work	k	22:49
*** lisaclark1 has quit IRC		22:50
*** dimtruck is now known as zz_dimtruck		22:56
*** ccneill has quit IRC		22:56
*** vivek-ebay has quit IRC		22:57
*** vivek-ebay has joined #openstack-barbican		23:07
*** mixos has quit IRC		23:15
*** crc32 has quit IRC		23:51
* dave-mccowan is back		23:55
dave-mccowan	rm_work everything is by project, not user. i can write the code to "charge" the quota against whatever project. does it make sense to charge the "target project"?	23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!