Monday, 2015-11-16

*** stevemar_ has joined #openstack-barbican [00:00]
*** stevemar_ has quit IRC [00:42]
*** stevemar_ has joined #openstack-barbican [00:44]
*** mixos has joined #openstack-barbican [00:47]
*** stevemar_ has quit IRC [00:49]
*** lisaclark1 has joined #openstack-barbican [01:02]
*** mixos has quit IRC [01:04]
*** lisaclark_ has quit IRC [01:33]
*** eglute has quit IRC [01:33]
*** jilly has quit IRC [01:34]
*** ryanpetrello has quit IRC [01:34]
*** rm_work has quit IRC [01:34]
*** jamielennox has quit IRC [01:34]
*** reaperhulk has quit IRC [01:34]
*** spotz has quit IRC [01:34]
*** alee has quit IRC [01:35]
*** jroll has quit IRC [01:35]
*** reaperhulk has joined #openstack-barbican [01:37]
*** spotz has joined #openstack-barbican [01:38]
*** jroll has joined #openstack-barbican [01:38]
*** eglute has joined #openstack-barbican [01:38]
*** ryanpetrello has joined #openstack-barbican [01:38]
*** jillysciarilly has joined #openstack-barbican [01:38]
*** rm_work has joined #openstack-barbican [01:38]
*** rm_work has quit IRC [01:38]
*** rm_work has joined #openstack-barbican [01:38]
*** alee has joined #openstack-barbican [01:38]
*** lisaclark_ has joined #openstack-barbican [01:40]
*** jamielennox has joined #openstack-barbican [01:41]
*** Kevin_Zheng has joined #openstack-barbican [02:21]
*** dave-mccowan has joined #openstack-barbican [02:21]
*** lisaclark1 has quit IRC [02:22]
*** kebray has joined #openstack-barbican [02:24]
*** pdesai has joined #openstack-barbican [03:06]
*** pdesai has quit IRC [03:19]
*** spotz is now known as spotz_zzz [04:21]
*** stupidnic has joined #openstack-barbican [04:56]
*** dave-mccowan has quit IRC [05:39]
*** jvrbanac has joined #openstack-barbican [05:48]
*** stevemar_ has joined #openstack-barbican [06:11]
*** stevemar_ has quit IRC [06:14]
*** shakamunyi has joined #openstack-barbican [06:21]
*** jamielennox is now known as jamielennox|away [06:25]
*** dhellmann has quit IRC [06:28]
*** dhellmann has joined #openstack-barbican [06:28]
*** dhellmann has quit IRC [06:34]
*** dhellmann has joined #openstack-barbican [06:34]
*** shakamunyi has quit IRC [06:39]
*** shakamunyi has joined #openstack-barbican [06:54]
*** jaosorior has joined #openstack-barbican [06:59]
*** kebray has quit IRC [07:07]
*** jilly has joined #openstack-barbican [07:14]
*** rm_work| has joined #openstack-barbican [07:14]
*** zz_dimtruck has joined #openstack-barbican [07:14]
*** dimtruck has quit IRC [07:15]
*** zz_dimtruck is now known as dimtruck [07:15]
*** rm_work has quit IRC [07:15]
*** jillysciarilly has quit IRC [07:15]
*** lisaclark has quit IRC [07:15]
*** tristanC has quit IRC [07:15]
*** rm_work| is now known as rm_work [07:15]
*** rm_work has quit IRC [07:15]
*** rm_work has joined #openstack-barbican [07:15]
*** tristanC has joined #openstack-barbican [07:20]
*** lisaclark has joined #openstack-barbican [07:22]
*** shohel has joined #openstack-barbican [07:39]
*** jaosorior has quit IRC [08:44]
<openstackgerrit> Merged openstack/python-barbicanclient: Update Readme to include new/updated CLI commands https://review.openstack.org/243772 [08:47]
*** jaosorior has joined #openstack-barbican [08:51]
*** tkelsey has joined #openstack-barbican [09:07]
*** xek_ is now known as xek [09:22]
*** everjeje has joined #openstack-barbican [09:51]
*** shohel1 has joined #openstack-barbican [10:03]
<openstackgerrit> Atsushi SAKAI proposed openstack/barbican: Fix troubleshooting.rst broken link https://review.openstack.org/245684 [10:03]
*** shohel has quit IRC [10:05]
*** openstackgerrit has quit IRC [10:16]
*** openstackgerrit has joined #openstack-barbican [10:17]
*** shohel1 has quit IRC [10:58]
*** shohel has joined #openstack-barbican [11:01]
*** stevemar_ has joined #openstack-barbican [11:12]
*** stevemar_ has quit IRC [11:15]
*** xek has quit IRC [11:47]
*** shohel has quit IRC [12:35]
*** openstack has joined #openstack-barbican [12:48]
*** dave-mccowan has joined #openstack-barbican [13:08]
*** jaosorior has quit IRC [13:16]
*** jaosorior has joined #openstack-barbican [13:17]
*** stevemar_ has joined #openstack-barbican [13:33]
*** lisaclark_ has quit IRC [13:52]
*** lisaclark_ has joined #openstack-barbican [13:52]
*** DuncanT has quit IRC [13:53]
*** DuncanT has joined #openstack-barbican [13:56]
*** darrenmoffat has quit IRC [14:07]
*** darrenmoffat has joined #openstack-barbican [14:07]
*** dimtruck is now known as zz_dimtruck [14:12]
*** zz_dimtruck is now known as dimtruck [14:15]
*** rellerreller has joined #openstack-barbican [14:17]
*** silos has joined #openstack-barbican [14:38]
<silos> rellerreller: ping [14:44]
<rellerreller> silos pong [14:47]
*** jmckind has joined #openstack-barbican [14:49]
<silos> rellerreller: I wanted to propose a spec for a kmip_key_manager in Castellan. Is there a castellan-specs github? or should the spec go elsewhere? [14:49]
<rellerreller> silos that is a good question. I'm not sure off hand. I think we had been putting them in Barbican specs. [14:50]
<rellerreller> silos I think in Barbican specs, but maybe we should create a Castellan specs. [14:50]
<silos> I'd +1 that. [14:51]
<silos> rellerreller ^ [14:51]
<rellerreller> silos bring it up today at the Barbican meeting. I'll check with kfarr as well. [14:51]
<rellerreller> silos I am also excited to have a KMIP key manager! [14:52]
<silos> rellerreller: me too. I'll add it to the agenda. thanks. [14:52]
<rellerreller> silos thank you [14:53]
*** jmckind_ has joined #openstack-barbican [14:54]
*** jmckind has quit IRC [14:55]
*** spotz_zzz is now known as spotz [14:59]
*** jhfeng has joined #openstack-barbican [15:07]
*** jaosorior has quit IRC [15:08]
*** jaosorior has joined #openstack-barbican [15:08]
<alee> rellerreller, has support been added for cinder for key management for backup encrypted volumes? [15:26]
*** kebray has joined #openstack-barbican [15:28]
<rellerreller> alee I'm not sure off hand. I know there are several use cases that we had to consider. I believe we do support it, but I'm not sure. [15:28]
<rellerreller> alee I can ask joel-coffman later today. [15:28]
<alee> rellerreller, that would be great thanks. [15:29]
<rellerreller> alee np. Sorry I don't know off hand. There are lots of different use cases for encrypting the cinder volumes and ephemeral storage. I can't keep them all straight. [15:29]
<alee> rellerreller, I think I remember hearing about this - and if I recall correctly, we actually copy the key precisely for this reason. [15:29]
<rellerreller> alee I agree. [15:30]
*** silos has quit IRC [15:56]
*** ccneill has joined #openstack-barbican [16:01]
*** silos has joined #openstack-barbican [16:02]
*** lisaclark1 has joined #openstack-barbican [16:03]
*** lisaclark1 has quit IRC [16:03]
*** lisaclark1 has joined #openstack-barbican [16:03]
*** _edmund has joined #openstack-barbican [16:06]
*** rellerreller has quit IRC [16:06]
*** arunkant has quit IRC [16:15]
*** arunkant has joined #openstack-barbican [16:30]
<openstackgerrit> Merged openstack/barbican: Remove unused scrub variables in barbican.conf https://review.openstack.org/244174 [16:31]
*** jaosorior has quit IRC [16:31]
*** jaosorior has joined #openstack-barbican [16:31]
*** rhagarty__ has quit IRC [16:33]
*** diazjf has joined #openstack-barbican [16:35]
*** lisaclark1 has quit IRC [16:36]
*** lisaclark1 has joined #openstack-barbican [16:39]
*** rhagarty has joined #openstack-barbican [16:39]
*** mixos has joined #openstack-barbican [16:44]
*** lisaclark1 has quit IRC [16:44]
*** lisaclark1 has joined #openstack-barbican [16:49]
<rm_work> lisaclark / lisaclark1 [16:53]
<rm_work> lisaclark_: [16:53]
<openstackgerrit> Merged openstack/barbican: Updated from global requirements https://review.openstack.org/245235 [16:56]
<spotz> 3 lisaclarks:) [16:57]
*** silos has quit IRC [16:58]
*** igueths has joined #openstack-barbican [16:58]
*** rhagarty has quit IRC [17:01]
<openstackgerrit> Merged openstack/barbican: Fix troubleshooting.rst broken link https://review.openstack.org/245684 [17:04]
<rm_work> such lisaclark [17:05]
*** lisaclark1 has quit IRC [17:05]
*** rhagarty has joined #openstack-barbican [17:06]
*** silos has joined #openstack-barbican [17:08]
*** rhagarty has quit IRC [17:08]
*** rhagarty has joined #openstack-barbican [17:22]
*** diazjf has quit IRC [17:24]
*** pdesai has joined #openstack-barbican [17:28]
*** diazjf has joined #openstack-barbican [17:35]
*** igueths has quit IRC [17:39]
<openstackgerrit> Fernando Diaz proposed openstack/python-barbicanclient: Allow Barbican Secrets to be Updated via File https://review.openstack.org/242635 [17:41]
<redrobot> rm_work hey lisaclark is OOO today [17:44]
<rm_work> kk [17:44]
<rm_work> I'm about to go to sleep anyway [17:44]
<redrobot> rm_work still in JST? [17:44]
<rm_work> just needed to get an endpoint, you can prolly PM it to me [17:44]
<rm_work> yeah [17:44]
<rm_work> head back Sunday [17:44]
<redrobot> rm_work word.. enjoy your last week! [17:45]
<rm_work> thanks :) [17:45]
<redrobot> rm_work oh and definitely do go to the Robot Restaurant. [17:45]
<rm_work> heh alright will add that to the list [17:46]
<rm_work> next up is owls [17:46]
<rm_work> http://akiba2960.com/ [17:46]
<openstackgerrit> Fernando Diaz proposed openstack/barbican-specs: Blueprint for allowing file input to Barbican Client https://review.openstack.org/243753 [17:48]
*** igueths has joined #openstack-barbican [17:54]
<openstackgerrit> Elvin Tubillara proposed openstack/barbican-specs: Create spec for cron job garbage collector for barbican database https://review.openstack.org/243806 [17:58]
*** edtubill has joined #openstack-barbican [17:58]
*** edtubill has quit IRC [17:59]
*** edtubill has joined #openstack-barbican [18:02]
*** gyee has joined #openstack-barbican [18:04]
*** jmckind_ has quit IRC [18:07]
*** edtubill has quit IRC [18:07]
*** edtubill has joined #openstack-barbican [18:08]
*** edtubill has quit IRC [18:10]
*** edtubill has joined #openstack-barbican [18:11]
*** edtubill has quit IRC [18:14]
*** silos has quit IRC [18:16]
*** edtubill has joined #openstack-barbican [18:17]
*** kfarr has joined #openstack-barbican [18:17]
*** igueths has quit IRC [18:19]
<openstackgerrit> Merged openstack/barbican: Remove kombu useless requirement https://review.openstack.org/245451 [18:20]
<openstackgerrit> Merged openstack/barbican: Remove useless requirements https://review.openstack.org/245453 [18:20]
*** rellerreller has joined #openstack-barbican [18:28]
<jkf> jhfeng: I've added description of my changes to your etherpad. [18:30]
<jhfeng> jkf: great thanks. we need to get people to review it. [18:31]
*** igueths has joined #openstack-barbican [18:33]
*** diazjf has quit IRC [18:42]
<notmyname> what channel is the barbican meeting in? [18:46]
<kfarr> notmyname, openstack-meeting-alt [18:49]
<notmyname> in 70 minutes, right? [18:49]
<kfarr> notmyname, correct! [18:49]
*** ccneill has quit IRC [18:50]
*** melgibson has joined #openstack-barbican [18:52]
*** melgibson has quit IRC [18:54]
*** melgibson has joined #openstack-barbican [19:00]
*** diazjf has joined #openstack-barbican [19:02]
*** ccneill has joined #openstack-barbican [19:05]
*** melgibson has quit IRC [19:12]
*** melgibson has joined #openstack-barbican [19:14]
<melgibson> Hi there, I've been taking a look at barbican documentation and I am wondering if there is any installation guide for productive systems? I just found the docu for the insecure dev environment :) [19:18]
<redrobot> hi melgibson ... unfortunately we don't have any deployment guides currently [19:19]
<redrobot> melgibson but if you have any questions, we can definitely help [19:19]
<diazjf> redrobot, rellerreller, I have informed notmyname to attend our meeting today to discuss Authentication in Castellan in the Swift Keymaster. Please check out https://etherpad.openstack.org/p/swifjt-keymaster-with-castellan [19:20]
<redrobot> melgibson First you'll have to decide on a secure backend. Currently supported are DogTag, PKCS#11 Devices (such as SafeNet's Luna SA), and KMIP Devices [19:20]
<alee> rellerreller, kfarr so what's the support for barbican in backing up encrypted volumes? [19:21]
<redrobot> diazjf I'll take a look at it, thanks [19:21]
*** silos has joined #openstack-barbican [19:23]
*** rellerreller has quit IRC [19:24]
<melgibson> oh, is there a list of which HSM are supported? [19:24]
<kfarr> alee, are you waiting to hear back from rellerreller about that? [19:24]
<alee> kfarr, I mentioned it to him this morning and he was going to ask joel .. [19:24]
<kfarr> If you're taking snapshots, the key is copied [19:24]
<alee> kfarr, if you know the answer though .. [19:25]
<diazjf> redrobot thanks. kfarr, also meant to add you to my comment above :) [19:25]
*** edtubill has quit IRC [19:25]
<kfarr> If you're backing up encrypted volumes out-of-band of an openstack service, not so sure [19:25]
<kfarr> the key is deleted if you delete the encrypted volume using the "cinder delete" command [19:26]
<alee> kfarr, ok so I'm not sure of the different things available to cinder to do backups .. [19:26]
<alee> there are snapshots .. are those the same as a full or an incremental backup? [19:26]
<kfarr> alee Not really [19:27]
<kfarr> I'm looking over http://docs.openstack.org/admin-guide-cloud/blockstorage_volume_backups.html to see how that would work for encrypted volumes [19:28]
<alee> kfarr, right -- I was looking at http://docs.openstack.org/developer/cinder/api/cinder.backup.manager.html [19:29]
<alee> kfarr, so does that work for encrypted volumes? [19:29]
*** edtubill has joined #openstack-barbican [19:30]
<kfarr> alee, I know rellerreller already told you this, but I'll check with Joel. I'm on a conference call with him right now for an internal meeting, I'll check with him at the end of the meeting [19:31]
*** kebray has quit IRC [19:31]
<alee> kfarr, cool - thanks! [19:31]
<alee> kfarr, there is an interesting note there about backing up metadata [19:32]
<alee> kfarr, specifically -- "If you specify a UUID encryption key when setting up the volume specifications, the backup metadata ensures that the key will remain valid when you back up and restore the volume." [19:33]
<melgibson> thanks redrobot, I've another question, if I don't use Symantec or digicert as CA, is there a way to use barbican with other CAs? [19:33]
<alee> melgibson, what CA do you want to use? [19:34]
<melgibson> hey alee, something like comodo or GoDaddy [19:37]
<alee> melgibson, so if you wanted to use barbican to talk to either of those, you would need to write a plugin to do essentially what the symantec, digicert or dogtag plugins do. [19:38]
<melgibson> alee, I see :) [19:38]
<alee> melgibson, dogtag is a little different in that you set it up to be your private CA. [19:39]
<melgibson> right [19:39]
*** jmckind has joined #openstack-barbican [19:41]
<kfarr> alee are you seeing that in the docs you linked? [19:42]
<kfarr> diazjf thanks! I saw your comment. Hopefully it's a good discussion :) [19:43]
<elmiko> redrobot: is it cool to add items on the agenda wiki? [19:48]
<kfarr> alee, conference call is still going, haven't had a chance to ask yet, but I found this in the code: https://github.com/openstack/cinder/blob/c9eef31820dc385a2c9f4ba24dd1d194f9e7d088/cinder/backup/driver.py#L73-L98 [19:49]
<kfarr> looks like the key is copied when you backup the metadata [19:49]
<alee> kfarr, is that copying the key or the uuid? [19:51]
<kfarr> It creates a copy of the key and stores the uuid of the copy of the key as metadata on the backed-up volume [19:51]
<alee> kfarr, interesting .. and what invokes this code? [19:54]
*** silos has quit IRC [19:55]
*** alpha_ori has quit IRC [19:55]
<alee> kfarr, so this is called on a get() to BackupMetadataAPI [19:56]
*** alpha_ori has joined #openstack-barbican [19:56]
*** silos1 has joined #openstack-barbican [19:57]
*** silos1 has left #openstack-barbican [19:57]
*** redrobot has quit IRC [19:57]
*** lvh has quit IRC [19:58]
*** lvh has joined #openstack-barbican [19:58]
*** Guest98343 has joined #openstack-barbican [19:58]
*** silos1 has joined #openstack-barbican [19:59]
*** maxabidi has quit IRC [20:00]
*** Guest98343 is now known as redrobot [20:00]
*** rellerreller has joined #openstack-barbican [20:00]
*** woodster_ has joined #openstack-barbican [20:06]
*** maxabidi has joined #openstack-barbican [20:07]
*** jhfeng has quit IRC [20:16]
*** mixos has quit IRC [20:16]
*** rhagarty has quit IRC [20:19]
*** mixos has joined #openstack-barbican [20:19]
*** jhfeng has joined #openstack-barbican [20:34]
*** everjeje has quit IRC [20:37]
*** alee is now known as alee_back_later [20:40]
*** _edmund1 has joined #openstack-barbican [20:49]
*** jaosorior has quit IRC [20:50]
*** _edmund has quit IRC [20:52]
<woodster_> kfarr: Do you expect many more changes? [21:00]
<kfarr> woodster_, rellerreller listed these: context, barbican authentication, kmip impl [21:01]
<elmiko> redrobot: some of what i wanted to talk about actually dove-tails nicely on the auth talks [21:01]
<redrobot> woodster_ I know elmiko wanted to talk about a Castellan spec as well [21:01]
<kfarr> but overall, I don't really see any major changes to the API upcoming [21:01]
<elmiko> yea, i'm curious about improving the current auth_url behavior in the barbican key manager [21:01]
<kfarr> elmiko, your question was about auto discovering the barbican auth url, yeah? [21:02]
<elmiko> kfarr: yea, and it ties in with the auth stuff too [21:02]
<redrobot> kfarr elmiko my $0.02 was that autodiscover would be awesome, as long as there is the option to override with a url [21:02]
<edtubill> woodster: I was going to make a castellan spec that would help solve the federated barbican problem by dynamically loading keymanager interfaces and endpoints... [21:02]
<kfarr> elmiko, I think it already does that! [21:02]
<elmiko> so, 2 issues: 1. discovering the barbican endpoint, 2. identity endpoint/auth [21:03]
<kfarr> https://github.com/openstack/castellan/blob/master/castellan/key_manager/barbican_key_manager.py#L142-L149 [21:03]
<elmiko> kfarr: ok, cool. i must have misread that. i thought it was doing something else [21:03]
<elmiko> so, second question =) [21:03]
<elmiko> can we improve the way auth_url is handled. like, could we first look to the context for an auth object generated by the keystonemiddleware? [21:04]
*** rellerreller has quit IRC [21:04]
<redrobot> elmiko I think that goes back to having a better definition of what the "context" object is [21:04]
<elmiko> this would make it easier to create auth sessions and we could avoid some of the need to repeat the auth_url config (when used downstream) [21:04]
<kfarr> elmiko, it's highly likely there's a better way to do it, I just don't know what that is [21:05]
<elmiko> redrobot: yea, i could see some sort of castellan.context module to help smooth the transition [21:05]
<mixos> @kfarr Do we have a way to bypass SSL cert check in castellan? So far I don't see it in the castellan code. [21:05]
<elmiko> so, i realize diazjf is going to be looking into creating a more full featured solution but, is there room to create some incremental improvements in the meantime? [21:05]
<redrobot> afaik, the context object isn't defined anywhere within Castellan... last time I picked kfarr's brain it was intended to be an instance of oslo.context provided by something external to Castellan [21:06]
<elmiko> redrobot: right, it's assumed that it works like an oslo.context [21:07]
<kfarr> Yeah, I was thinking oslo.context was generic enough to handle any auth, especially since most projects I'd looked at were using it, but that's not the case anymore [21:07]
<redrobot> elmiko the fastest spec wins? :-O ... hehe... we can work something out with diazjf if you need something to land soon. [21:07]
<elmiko> and recently, the keystonemiddleware stuff has gotten really good about putting full auth objects into the context [21:07]
<kfarr> mixos which SSL cert check? [21:07]
<diazjf> redrobot, elmiko lol. I'm willing to work together [21:08]
<elmiko> i just think we could avoid having to use the auth_url and generate a new auth/session based on information that could be present in the context [21:08]
*** rhagarty has joined #openstack-barbican [21:08]
<mixos> @kfarr in case barbican and keystone nodes are using HTTPS. [21:08]
<elmiko> diazjf: yea, i have no desire to race for a solution ;) [21:08]
<elmiko> that being said, i have a few small suggestions to improve the behavior of the barbican key manager [21:08]
<elmiko> my perspective on this, is that it is becoming slightly complex to manipulate castellan while trying to integrate it into the sahara project. i think there are some quality of life features that might help other projects who want to consume castellan/barbican [21:09]
<kfarr> elmiko, would be happy to hear them :) [21:10]
<elmiko> kfarr: what would be the best way to propose this? (spec, etherpad, patchset, something else) [21:10]
<diazjf> elmiko, I'll be contacting you in the following weeks. [21:11]
*** maxabidi has quit IRC [21:11]
<kfarr> Oh hmm, elmiko probably etherpad? If they are small enough, patchset might be fine [21:11]
<elmiko> diazjf: awesome =) [21:11]
<elmiko> kfarr: ok, i'll make something a little more formal. thanks! [21:11]
<mixos> @kfarr For example, from keystoneclient import session      sess = session.Session(auth=auth, verify=False)  <== verify=False to turn off cert check when connecting HTTPS keystone node/barbican node.  When you get time. [21:12]
<kfarr> mixos, I am not familiar with how to bypass SSL cert checks for Barbican. Is there a way to do that in python-barbicanclient? [21:12]
<redrobot> kfarr there's an "insecure" parameter that can be passed into the Keystone Session before instantiating barbicanclient [21:13]
<kfarr> redrobot, oh, ok, then we can probably add a parameter to Castellan to pass it on in the same way? [21:13]
<elmiko> redrobot: +1 [21:14]
<mixos> @redrobot @kfarr Is this something I can work on? if missing in castellan. [21:16]
<kfarr> mixos, sure! [21:17]
<mixos> @kfarr this is rather bug item than spec. correct? [21:18]
*** jamielennox|away is now known as jamielennox [21:18]
*** pdesai has quit IRC [21:18]
<kfarr> mixos, yes, probably a bug, but can be tagged as a wishlist item? [21:19]
*** tkelsey has quit IRC [21:19]
<mixos> @kfarr thanks for your answer. will work on it. [21:19]
<arunkant> kfarr: Looks like there might be issue in endpoint discovery on castellan side, similar to nova ephemeral bug. https://bugs.launchpad.net/nova/+bug/1505930 [21:21]
<openstack> Launchpad bug 1505930 in OpenStack Compute (nova) "Fix key manager service endpoints in devstack Nova ephemeral" [Undecided,In progress] - Assigned to Arun Kant (arunkant-uws) [21:21]
<arunkant> kfarr, will need to check that but just saw the link you provided for castellan (it's missing version parameter) similar to nova change.. https://github.com/openstack/castellan/blob/master/castellan/key_manager/barbican_key_manager.py#L142-L149 [21:23]
<arunkant> kfarr: change on nova side: https://review.openstack.org/#/c/243322/2/nova/keymgr/barbican.py,cm [21:23]
<kfarr> arunkant thanks for the heads-up! that is a strange bug [21:23]
<arunkant> redrobot [21:24]
<kfarr> arunkant, would you like to do the fix in Castellan? Otherwise, I can do it, but it'll be the same code as yours really [21:26]
<arunkant> redrobot: Can barbican support multiple secret store backend. Asking as in our deployment, some services want to use HSM backend and some are okay with db backend as per their performance and compliance characteristics? [21:26]
<arunkant> kfarr: Yes, I can do that.. first will need to verify if this is indeed an issue on castellan side. Made the comment on just glancing the code section from above link. [21:28]
<arunkant> woodster_, do you happen to know about 'multiple secret store' support question above ^^^ [21:31]
<woodster_> arunkant: ...catching up...the current secret store plugin approach wasn't intended to support a per-secret/project SLA to route secrets to plugins, but that has been discussed in the past [21:34]
<woodster_> arunkant: it seems possible to install custom plugins that make use of the supported() method to determine which plugin to use with a given secret, but not enabled out of the box [21:35]
<woodster_> regarding castellan and specs, if only a handful more specs are coming over the next release cycle, I'm thinking keeping the specs in barbican should be fine. Is there concern that the combined specs are causing confusion? [21:37]
<silos1> arunkant: diazjf and I tried to work on multiple plugins but we were given the conclusion it had been tried previously and with some problems. This led us to federated barbican. [21:37]
<arunkant> woodster_, okay. So by design, barbican can be configured to use only one active secret store backend? I was looking in the code, it seems that multiple plugins can be configured.. https://github.com/openstack/barbican/blob/master/barbican/plugin/interface/secret_store.py#L42 [21:38]
<arunkant> woodster_, it's multi str option.. but not sure how support for multiple plugin is supported in the flow. [21:40]
<redrobot> arunkant technically you can have N backends all be active at once [21:40]
<woodster_> arunkant: you can have multiple backends, but the first one to say it supports a secret operation wins [21:41]
<redrobot> arunkant what woodster_ said [21:41]
<woodster_> arunkant: once a secret is stored with a given backend/plugin, only that plugin is used to decrypt it [21:41]
<redrobot> arunkant basically, the first one on the list always wins, unless you want to write your own custom plugins that can tell which backend to use based on request parameters. [21:42]
<woodster_> arunkant: so the plugin used with the secret is stored with that secret so it can be used again for that secret in the future [21:42]
<woodster_> arunkant: what redrobot said! [21:42]
<arunkant> woodster_, oh okay.. so which plugin supports meet the new secret input criteria will store it. So client cannot specify if it wants to store in specific backend [21:42]
<woodster_> arunkant: correct [21:42]
<mixos> @kfarr would you tag this to wishlist : https://bugs.launchpad.net/castellan/+bug/1516793 [21:43]
<openstack> Launchpad bug 1516793 in castellan "Castellan should be able to bypass SSL certificate check" [Undecided,New] - Assigned to Sungjin Yook (sungyook) [21:43]
<woodster_> arunkant: per-secret/project SLAs could revisit that though, in a way similar to the ca_id in the cert plugins now [21:43]
<mixos> not sure how to do it myself. :- ) [21:43]
<jkf> per-project classes of service is something I plan on exploring in the semi-near future as well. [21:44]
<arunkant> woodster_, okay. Yes, might be useful to have mechanism to choose secret store backend on per project level.. similar to cert plugins. [21:45]
<redrobot> arunkant I disagree [21:46]
*** tkelsey has joined #openstack-barbican [21:46]
<redrobot> arunkant if you want different backends, you should deploy different instances of Barbican [21:46]
<arunkant> jkf, what classes of service you are thinking of? [21:46]
<redrobot> then it's very easy for the client to decide which barbican to use based on their security requirements [21:46]
<jkf> arunkant: I have a need for two, the full pkcs11 model, and then a hybrid of pkcs11 and simple_crypto, with the hybrid model doing secret operations like simple_crypto, but it uses the mkek in the HSM instead of storing a master key in the config file. [21:48]
<arunkant> redrobot: So we are asking services to keep data for barbican endpoints based on feature set. Are there any openstack services which are following this model [21:49]
*** rhagarty_ has joined #openstack-barbican [21:49]
<redrobot> arunkant afaik, there are no projects that provide different service levels [21:50]
*** tkelsey has quit IRC [21:50]
*** mixos has quit IRC [21:51]
*** rhagarty has quit IRC [21:51]
<arunkant> redrobot: Yes, this is barbican service feature/ functionality. Like keystone offers facility to use "ldap" or "sql" user store backends based on domain separation. [21:51]
<redrobot> arunkant interesting... [21:53]
<arunkant> redrobot: I am also not sure how having multiple endpoints per feature set will integrate.. like catalog, endpoint discovery features. [21:54]
<woodster_> redrobot: from a performance perspective, it might be good to offer SLAs. We are tipping that way for public cert types, that really only need to be signed in Barbican rather than fully encrypted [21:54]
*** pdesai has joined #openstack-barbican [21:56]
<arunkant> woodster_, performance is one of the reasons, some services may not want to opt for HSM based backend. Giving choice to client (or may be default on tenant level.. similar to cert plugin changes) is more flexible as not all of a service data has same compliance requirement. [22:00]
*** silos1 has quit IRC [22:04]
*** diazjf has quit IRC [22:04]
*** melgibson has quit IRC [22:05]
*** silos has joined #openstack-barbican [22:09]
<woodster_> arunkant: yep, the per-secret SLA could include compliance guarantees as needed [22:15]
*** pdesai has quit IRC [22:17]
*** diazjf has joined #openstack-barbican [22:18]
<diazjf> redrobot, hockeynut, woodster_, I'll be attending an openstack meetup (http://www.meetup.com/OpenStack-Austin/events/226421170/) on Thursday in Austin. Let me know if you would like me to coordinate a future talk for Barbican? [22:19]
*** rellerreller has joined #openstack-barbican [22:24]
*** jamielennox is now known as jamielennox|away [22:27]
*** melgibson has joined #openstack-barbican [22:27]
*** mixos has joined #openstack-barbican [22:32]
*** dave-mccowan has quit IRC [22:32]
*** mixos has quit IRC [22:34]
*** jhfeng has quit IRC [22:35]
*** jhfeng has joined #openstack-barbican [22:35]
*** edtubill has quit IRC [22:38]
*** silos has quit IRC [22:39]
*** rellerreller has quit IRC [22:51]
*** elmiko has quit IRC [22:54]
*** gyee has quit IRC [22:54]
*** arunkant has quit IRC [22:54]
*** therve has quit IRC [22:54]
*** arunkant has joined #openstack-barbican [22:55]
*** elmiko has joined #openstack-barbican [22:56]
*** therve has joined #openstack-barbican [22:59]
*** jkf_ has joined #openstack-barbican [23:01]
*** dabukalam has joined #openstack-barbican [23:02]
*** diazjf has left #openstack-barbican [23:03]
*** dave-mccowan has joined #openstack-barbican [23:06]
*** jkf has quit IRC [23:06]
*** dabukalam_ has quit IRC [23:06]
*** jkf_ is now known as jkf [23:06]
*** gyee has joined #openstack-barbican [23:08]
*** mixos has joined #openstack-barbican [23:14]
*** pdesai has joined #openstack-barbican [23:14]
*** igueths has quit IRC [23:21]
*** _edmund1 has quit IRC [23:21]
*** jmckind has quit IRC [23:22]
*** fnaval has joined #openstack-barbican [23:27]
*** ccneill has quit IRC [23:32]
*** jamielennox|away is now known as jamielennox [23:37]
*** dimtruck is now known as zz_dimtruck [23:43]
*** melgibson has quit IRC [23:44]
*** melgibson has joined #openstack-barbican [23:45]
