openstackgerrit | Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin https://review.openstack.org/330688 | 00:14 |
openstackgerrit | Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin https://review.openstack.org/330688 | 00:20 |
*** diazjf has joined #openstack-barbican | 00:20 | |
*** catintheroof has joined #openstack-barbican | 00:47 | |
*** edtubill has quit IRC | 00:57 | |
*** catintheroof has quit IRC | 01:07 | |
*** xurong has joined #openstack-barbican | 01:18 | |
*** asingh has joined #openstack-barbican | 01:25 | |
*** asingh has quit IRC | 01:26 | |
*** stevemar has quit IRC | 01:56 | |
*** diazjf has quit IRC | 01:56 | |
*** xurong has quit IRC | 02:03 | |
*** jamielennox is now known as jamielennox|away | 02:16 | |
*** jamielennox|away is now known as jamielennox | 02:17 | |
*** jorge_munoz has quit IRC | 02:17 | |
*** xurong has joined #openstack-barbican | 02:35 | |
*** stevemar has joined #openstack-barbican | 02:56 | |
*** gyee has quit IRC | 03:24 | |
*** dimtruck is now known as zz_dimtruck | 03:33 | |
*** catintheroof has joined #openstack-barbican | 03:44 | |
*** dave-mcc_ has quit IRC | 03:48 | |
*** xurong has quit IRC | 03:57 | |
*** xurong has joined #openstack-barbican | 03:59 | |
*** stevemar has quit IRC | 04:02 | |
*** catintheroof has quit IRC | 04:02 | |
*** zz_dimtruck is now known as dimtruck | 04:07 | |
*** xurong has quit IRC | 04:20 | |
*** jaosorior has joined #openstack-barbican | 04:23 | |
*** stevemar has joined #openstack-barbican | 05:02 | |
*** stevemar has quit IRC | 05:07 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/barbican: Remove unnecessary executable permissions https://review.openstack.org/320114 | 05:22 |
*** chlong has quit IRC | 05:34 | |
*** chlong has joined #openstack-barbican | 05:47 | |
*** xurong has joined #openstack-barbican | 05:50 | |
*** xurong has quit IRC | 05:54 | |
*** xurong has joined #openstack-barbican | 06:24 | |
*** dimtruck is now known as zz_dimtruck | 06:33 | |
*** andreas_s has joined #openstack-barbican | 06:45 | |
*** alee has quit IRC | 06:52 | |
*** jaosorior is now known as jaosorior_brb | 06:54 | |
*** dgonzalez_ has joined #openstack-barbican | 06:55 | |
*** xurong has quit IRC | 07:04 | |
*** dgonzalez has quit IRC | 07:04 | |
*** rm_work has quit IRC | 07:04 | |
*** dgonzalez_ is now known as dgonzalez | 07:04 | |
*** permalac_ has quit IRC | 07:06 | |
*** rm_work has joined #openstack-barbican | 07:14 | |
openstackgerrit | Merged openstack/barbican: Remove unnecessary executable permissions https://review.openstack.org/320114 | 07:20 |
*** pcaruana has joined #openstack-barbican | 07:22 | |
*** chlong has quit IRC | 07:25 | |
*** stevemar has joined #openstack-barbican | 07:26 | |
*** stevemar_ has joined #openstack-barbican | 07:27 | |
*** stevemar has quit IRC | 07:30 | |
*** stevemar_ has quit IRC | 07:32 | |
*** jaosorior_brb is now known as jaosorior | 08:05 | |
openstackgerrit | liujiong proposed openstack/barbican: Barbican tests fail because of incomplete test dependencies https://review.openstack.org/329739 | 08:07 |
*** stevemar has joined #openstack-barbican | 08:27 | |
*** stevemar_ has joined #openstack-barbican | 08:29 | |
*** stevemar has quit IRC | 08:32 | |
jgrassler | Good morning | 08:33 |
*** stevemar_ has quit IRC | 08:34 | |
jgrassler | Quick question: why is barbican_api (rather than barbican-api-keystone) the default pipeline in barbican-api-paste.ini (https://github.com/openstack/barbican/blob/master/etc/barbican/barbican-api-paste.ini#L4 ) | 08:34 |
jgrassler | Wouldn't it make more sense to default to Keystone authentication? | 08:35 |
jaosorior | jgrassler: I agree it would make more sense. I guess it just stuck there because for a while the default was to use the no-auth middleware (since the company that started barbican was using other means to authenticate to it) | 08:36 |
jaosorior | well, the default actually is still no-auth | 08:36 |
jgrassler | Alright, so a patch fixing that might stand a good chance of getting accepted? | 08:37 |
jaosorior | jgrassler: It would be OK on my side at least | 08:37 |
jgrassler | In that case I'd be happy to submit one :-) | 08:37 |
jaosorior | jgrassler: I remember also that one argument was the adoption. People wanted to have barbican easy to set up for devs to test. And having the default to be keystone auth would make people need keystone too, thus making it harder to test | 08:38 |
jaosorior | buuuut anyway, I still would prefer keystone to be the default. Let me know when you have a patch ready | 08:38 |
jgrassler | Ok, thanks | 08:43 |
jgrassler | It'll take a while since I first need to apply the finishing touches to the Barbican package I'm currently building (that's where I encountered the problem), but I'll do it :-) | 08:45 |
jaosorior | jgrassler: What distro are you packaging for? | 08:54 |
jgrassler | jaosorior: SUSE | 08:58 |
jaosorior | jgrassler: is SUSE using rpms? | 08:58 |
jgrassler | jaosorior: Yes | 08:59 |
jaosorior | jgrassler: barbican has already been packaged for RDO. So you might want to look there | 08:59 |
jgrassler | jaosorior: I know - the actual packaging I've got covered already, for better or worse. But thanks :-) | 09:01 |
jgrassler | What I'm dealing with right now is a little further down the line anyway: https://github.com/crowbar/crowbar-openstack/pull/392 | 09:04 |
jgrassler | (i.e. all the configuration stuff that happens after the package is installed) | 09:04 |
jaosorior | jgrassler: things to consider are | 09:07 |
jaosorior | barbican is just a layer over real tools (HSMs and CAs) | 09:07 |
jaosorior | so the default values for the plugins are not meant for production | 09:08 |
jaosorior | I'm sure you know this already | 09:09 |
*** jaosorior has quit IRC | 09:09 | |
*** jaosorior has joined #openstack-barbican | 09:10 | |
jaosorior | but we've gotten several bug reports about the default plugins being insecure | 09:10 |
jaosorior | and of course they are, they are meant for testing | 09:10 |
jgrassler | Yes...I figured as much from messing with it for the past couple of weeks :-) | 09:11 |
jaosorior | I tried putting a big warning in the logs | 09:11 |
jaosorior | hope that helps | 09:11 |
jaosorior | cause apparently having it in the documentation wasn't enough | 09:11 |
jgrassler | Right now we mainly need it to play with Magnum | 09:12 |
jaosorior | if you want to put a real CA and secret storage behind barbican. I do recommend dogtag | 09:12 |
jaosorior | it's fairly easy to set up and it's already a supported plugin | 09:12 |
jgrassler | Ah, good to know that, thanks :-) | 09:13 |
jaosorior | only thing is that people don't like it cause it's java-based | 09:13 |
*** haypo has left #openstack-barbican | 09:14 | |
jgrassler | If it does the job it's still a lot better than nothing... | 09:18 |
jgrassler | And the getting-secrets-into-instances problem is really screaming for a solution | 09:20 |
jaosorior | jgrassler: we used to have a solution based on FreeIPA and nova hooks | 09:20 |
jaosorior | and it worked great for that | 09:20 |
jaosorior | until nova hooks were deprecated | 09:20 |
jaosorior | and no alternatives were given | 09:21 |
jaosorior | damn that was a bummer | 09:21 |
jgrassler | Hmm, I don't even know what Nova hooks are so that must have been well before I began messing with OpenStack :-) | 09:25 |
jgrassler | I usually inject user data scripts via Heat, which is _really_ unusable for secrets since they are stored in cleartext in two services' databases that way. | 09:26 |
jgrassler | (not to mention getting sent over the wire) | 09:26 |
jaosorior | yep | 09:27 |
jaosorior | well, you can address that by securing heat | 09:27 |
jaosorior | which makes it kind of usable | 09:27 |
jaosorior | but still, it's not the best solution | 09:27 |
jgrassler | Nope, not really | 09:29 |
jgrassler | CA-as-a-service is really the cleanest approach | 09:30 |
jaosorior | jgrassler: a CA doesn't address injecting secrets | 09:30 |
jaosorior | it addressed PKI, which is part of a solution | 09:30 |
jaosorior | *addresses | 09:30 |
jgrassler | Well, you can generate keypairs inside the VMs and get them signed by the CA | 09:30 |
jgrassler | Better than putting private key material in there that will remain valid forever and cannot be revoked | 09:31 |
jaosorior | yet you still need to provision the CA cert (which can and will change) | 09:31 |
jaosorior | and then you need to get the machine to actually authenticate to the CA somehow | 09:31 |
jaosorior | so then you need a pre-secret | 09:32 |
jaosorior | and you can't hardcode that into the image | 09:32 |
jaosorior | because it might be compromised | 09:32 |
jaosorior | a real solution for sure is not in heat | 09:32 |
jaosorior | should be in nova | 09:32 |
jaosorior | but we already had this conversation, and the nova folks disagreed | 09:33 |
jaosorior | also, getting the CA to accept requests coming from certain IPs is not the solution (that's what some people are actually using in production) | 09:34 |
jaosorior | IP spoofing is fairly simple | 09:35 |
jgrassler | Yes, I agree it's not a real solution | 09:38 |
jgrassler | But it's better than the current worst practice (copying key material that cannot be revoked if the instance is compromised via user data) | 09:39 |
*** kebray has quit IRC | 09:39 | |
jgrassler | I've seen that happen :-/ | 09:39 |
jaosorior | ouch | 09:39 |
jgrassler | Proper CA-as-a-service probably still won't fix that | 09:40 |
jgrassler | People being...well, people :-) | 09:40 |
jaosorior | haha true that | 09:40 |
jaosorior | jgrassler: FWIW in the last summit we talked to the security folks in OpenStack. And we are moving to make certmonger the standard interface to talk to CAs | 09:40 |
jaosorior | Barbican is great for secret storage; But cert-management works quite well using certmonger | 09:41 |
*** kebray has joined #openstack-barbican | 09:46 | |
*** alee has joined #openstack-barbican | 10:03 | |
*** stevemar has joined #openstack-barbican | 10:31 | |
*** stevemar has quit IRC | 10:36 | |
*** chlong has joined #openstack-barbican | 11:21 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 11:43 | |
*** chlong has quit IRC | 11:51 | |
*** dave-mccowan has joined #openstack-barbican | 12:19 | |
hyakuhei | I think when DNSaaS ends up being broadly used (and working) then ACME really offers a nice and easy way to offer up CAaaS | 12:20 |
hyakuhei | Until then I’ll keep banging out terrible python | 12:20 |
openstackgerrit | Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin https://review.openstack.org/330688 | 12:31 |
jaosorior | hyakuhei: Have you been talking to the certmonger folks to get what you need fixed? | 12:31 |
jaosorior | Once that's done I'm thinking about giving a try deploying Anchor in TripleO's undercloud and using certmonger to request certs from it | 12:31 |
jaosorior | hyakuhei: ayoung showed me a helper script that should be a pretty good start https://github.com/admiyo/anchor-certmonger-helper | 12:34 |
hyakuhei | So I really need to find viraptor and get him to jump on IRC | 12:35 |
hyakuhei | He had a few issues making certmonger play nice | 12:35 |
jaosorior | alee ^^ | 12:36 |
hyakuhei | viraptor is based in Aus so perhaps email might work better | 12:43 |
*** ayoung has joined #openstack-barbican | 12:46 | |
jaosorior | hyakuhei: So for certmonger issues or questions you can also ping ayoung | 12:46 |
ayoung | hyakuhei, I'm no certmonger expert, but I might be able to help | 12:46 |
ayoung | hyakuhei, I took gyee's helper and posted it on github. You working with that? | 12:47 |
ayoung | https://github.com/admiyo/anchor-certmonger-helper | 12:47 |
hyakuhei | I’m taking a look at it now, didn’t know it was a thing :) | 13:00 |
*** chlong has joined #openstack-barbican | 13:07 | |
*** permalac has joined #openstack-barbican | 13:07 | |
*** woodster_ has joined #openstack-barbican | 13:11 | |
*** jmckind has joined #openstack-barbican | 13:40 | |
*** lixiaoy1 has quit IRC | 13:48 | |
*** lixiaoy1 has joined #openstack-barbican | 13:49 | |
*** chlong has quit IRC | 13:49 | |
*** kfarr has joined #openstack-barbican | 13:52 | |
*** silos has joined #openstack-barbican | 14:03 | |
*** chlong has joined #openstack-barbican | 14:06 | |
*** spotz_zzz is now known as spotz | 14:07 | |
*** edtubill has joined #openstack-barbican | 14:17 | |
*** zz_dimtruck is now known as dimtruck | 14:18 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:22 | |
*** jorge_munoz has joined #openstack-barbican | 14:32 | |
*** asingh has joined #openstack-barbican | 14:39 | |
*** jaosorior has quit IRC | 14:47 | |
*** jaosorior has joined #openstack-barbican | 14:47 | |
*** jorge_munoz_ has joined #openstack-barbican | 14:50 | |
*** jorge_munoz has quit IRC | 14:51 | |
*** jorge_munoz_ is now known as jorge_munoz | 14:51 | |
*** randallburt has joined #openstack-barbican | 14:53 | |
openstackgerrit | Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin https://review.openstack.org/330688 | 14:55 |
*** jaosorior has quit IRC | 15:02 | |
openstackgerrit | Andreas Scheuring proposed openstack/barbican: pkcs11-key-generation: convert mkek length to int https://review.openstack.org/332860 | 15:08 |
*** permalac has quit IRC | 15:08 | |
*** jgrassler has quit IRC | 15:10 | |
*** kebray has quit IRC | 15:13 | |
*** kebray has joined #openstack-barbican | 15:14 | |
*** jgrassler has joined #openstack-barbican | 15:15 | |
*** diazjf has joined #openstack-barbican | 15:19 | |
*** pcaruana has quit IRC | 15:22 | |
*** kebray has quit IRC | 15:26 | |
*** andreas_s has quit IRC | 15:29 | |
*** diazjf has quit IRC | 15:32 | |
*** diazjf has joined #openstack-barbican | 15:36 | |
*** pcaruana has joined #openstack-barbican | 15:36 | |
*** diazjf1 has joined #openstack-barbican | 15:38 | |
*** diazjf has quit IRC | 15:40 | |
*** stevemar has joined #openstack-barbican | 15:44 | |
*** catintheroof has joined #openstack-barbican | 15:49 | |
*** chlong has quit IRC | 15:50 | |
*** gyee has joined #openstack-barbican | 16:13 | |
*** jmckind_ has joined #openstack-barbican | 16:23 | |
*** jmckind has quit IRC | 16:26 | |
*** jmckind has joined #openstack-barbican | 16:32 | |
*** jmckind_ has quit IRC | 16:35 | |
*** pcaruana has quit IRC | 16:43 | |
*** silos has quit IRC | 16:50 | |
*** jmckind_ has joined #openstack-barbican | 16:54 | |
*** jmckind has quit IRC | 16:57 | |
*** asingh has quit IRC | 17:11 | |
*** asingh has joined #openstack-barbican | 17:13 | |
*** randallburt has quit IRC | 17:17 | |
*** randallburt has joined #openstack-barbican | 17:20 | |
*** diazjf1 has quit IRC | 17:26 | |
*** silos has joined #openstack-barbican | 17:58 | |
*** arunkant has quit IRC | 18:03 | |
*** arunkant has joined #openstack-barbican | 18:06 | |
*** stupidni` is now known as stupidnic | 18:13 | |
*** jmckind has joined #openstack-barbican | 18:15 | |
*** dimtruck is now known as zz_dimtruck | 18:18 | |
*** jmckind_ has quit IRC | 18:18 | |
*** jmckind_ has joined #openstack-barbican | 18:19 | |
*** diazjf has joined #openstack-barbican | 18:22 | |
*** diazjf has quit IRC | 18:22 | |
*** jmckind has quit IRC | 18:22 | |
*** randallburt has quit IRC | 18:34 | |
*** randallburt has joined #openstack-barbican | 18:45 | |
*** diazjf has joined #openstack-barbican | 18:51 | |
*** zz_dimtruck is now known as dimtruck | 19:00 | |
*** jamielennox is now known as jamielennox|away | 19:21 | |
*** diazjf has quit IRC | 19:23 | |
*** jmckind has joined #openstack-barbican | 19:30 | |
*** jmckind__ has joined #openstack-barbican | 19:32 | |
*** jmckind_ has quit IRC | 19:33 | |
*** jmckind has quit IRC | 19:35 | |
*** silos has quit IRC | 19:40 | |
*** silos has joined #openstack-barbican | 20:11 | |
*** stevemar has quit IRC | 20:14 | |
*** stevemar has joined #openstack-barbican | 20:14 | |
*** stevemar has quit IRC | 20:19 | |
*** jmckind__ has quit IRC | 20:25 | |
*** rm_mobile has joined #openstack-barbican | 20:37 | |
*** rm_mobile has quit IRC | 20:46 | |
*** stevemar has joined #openstack-barbican | 20:54 | |
*** edtubill has quit IRC | 21:19 | |
*** kfarr has quit IRC | 21:22 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 21:40 | |
*** jamielennox|away is now known as jamielennox | 21:48 | |
*** silos has quit IRC | 22:03 | |
*** spotz is now known as spotz_zzz | 22:19 | |
*** jorge_munoz has quit IRC | 22:22 | |
*** dimtruck is now known as zz_dimtruck | 22:25 | |
*** jamielennox is now known as jamielennox|away | 22:44 | |
*** jamielennox|away is now known as jamielennox | 22:53 | |
*** jamielennox is now known as jamielennox|away | 23:05 | |
*** stevemar has quit IRC | 23:06 | |
*** stevemar has joined #openstack-barbican | 23:06 | |
*** stevemar has quit IRC | 23:11 | |
*** gyee has quit IRC | 23:11 | |
*** silos has joined #openstack-barbican | 23:21 | |
*** silos has quit IRC | 23:26 | |
*** catintheroof has quit IRC | 23:35 | |
*** randallburt has quit IRC | 23:36 | |
*** asingh has quit IRC | 23:49 | |
*** jamielennox|away is now known as jamielennox | 23:57 | |
*** stevemar has joined #openstack-barbican | 23:59 |