Wednesday, 2016-06-22

00:14 <openstackgerrit> Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin  https://review.openstack.org/330688
00:20 <openstackgerrit> Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin  https://review.openstack.org/330688
05:22 <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Remove unnecessary executable permissions  https://review.openstack.org/320114
07:20 <openstackgerrit> Merged openstack/barbican: Remove unnecessary executable permissions  https://review.openstack.org/320114
08:07 <openstackgerrit> liujiong proposed openstack/barbican: Barbican tests fail because of incomplete test dependencies  https://review.openstack.org/329739
08:33 <jgrassler> Good morning
08:34 <jgrassler> Quick question: why is barbican_api (rather than barbican-api-keystone) the default pipeline in barbican-api-paste.ini (https://github.com/openstack/barbican/blob/master/etc/barbican/barbican-api-paste.ini#L4 )
08:35 <jgrassler> Wouldn't it make more sense to default to Keystone authentication?
08:36 <jaosorior> jgrassler: I agree it would make more sense. I guess it just stuck there because for a while the default was to use the no-auth middleware (since the company that started barbican was using other means to authenticate to it)
08:36 <jaosorior> well, the default actually is still no-auth
08:37 <jgrassler> Alright, so a patch fixing that might stand a good chance of getting accepted?
08:37 <jaosorior> jgrassler: It would be OK on my side at least
08:37 <jgrassler> In that case I'd be happy to submit one :-)
08:38 <jaosorior> jgrassler: I remember also that one argument was the adoption. People wanted to have barbican easy to set up for devs to test. And having the default be keystone auth would make people need keystone too, thus making it harder to test
08:38 <jaosorior> buuuut anyway, I still would prefer keystone to be the default. Let me know when you have a patch ready
08:43 <jgrassler> Ok, thanks
08:45 <jgrassler> It'll take a while since I first need to apply the finishing touches to the Barbican package I'm currently building (that's where I encountered the problem), but I'll do it :-)
08:54 <jaosorior> jgrassler: What distro are you packaging for?
08:58 <jgrassler> jaosorior: SUSE
08:58 <jaosorior> jgrassler: is SUSE using rpms?
08:59 <jgrassler> jaosorior: Yes
08:59 <jaosorior> jgrassler: barbican has already been packaged for RDO. So you might want to look there
09:01 <jgrassler> jaosorior: I know - the actual packaging I've got covered already, for better or worse. But thanks :-)
09:04 <jgrassler> What I'm dealing with right now is a little further down the line anyway: https://github.com/crowbar/crowbar-openstack/pull/392
09:04 <jgrassler> (i.e. all the configuration stuff that happens after the package is installed)
09:07 <jaosorior> jgrassler: things to consider are
09:07 <jaosorior> barbican is just a layer over real tools (HSMs and CAs)
09:08 <jaosorior> so the default values for the plugins are not meant for production
09:09 <jaosorior> I'm sure you know this already
09:10 <jaosorior> but we've gotten several bug reports about the default plugins being insecure
09:10 <jaosorior> and of course they are, they are meant for testing
09:11 <jgrassler> Yes...I figured as much from messing with it for the past couple of weeks :-)
09:11 <jaosorior> I tried putting a big warning in the logs
09:11 <jaosorior> hope that helps
09:11 <jaosorior> cause apparently having it in the documentation wasn't enough
09:12 <jgrassler> Right now we mainly need it to play with Magnum
09:12 <jaosorior> if you want to put a real CA and secret storage behind barbican, I do recommend dogtag
09:12 <jaosorior> it's fairly easy to set up and it's already a supported plugin
09:13 <jgrassler> Ah, good to know that, thanks :-)
09:13 <jaosorior> only thing is that people don't like it cause it's java-based
09:18 <jgrassler> If it does the job it's still a lot better than nothing...
09:20 <jgrassler> And the getting-secrets-into-instances problem is really screaming for a solution
09:20 <jaosorior> jgrassler: we used to have a solution based on FreeIPA and nova hooks
09:20 <jaosorior> and it worked great for that
09:20 <jaosorior> until nova hooks were deprecated
09:21 <jaosorior> and no alternatives were given
09:21 <jaosorior> damn that was a bummer
09:25 <jgrassler> Hmm, I don't even know what Nova hooks are so that must have been well before I began messing with Openstack :-)
09:26 <jgrassler> I usually inject user data scripts via Heat, which is _really_ unusable for secrets since they are stored in cleartext in two services' databases that way.
09:26 <jgrassler> (not to mention getting sent over the wire)
09:27 <jaosorior> yep
09:27 <jaosorior> well, you can address that by securing heat
09:27 <jaosorior> which makes it kind of usable
09:27 <jaosorior> but still, it's not the best solution
09:29 <jgrassler> Nope, not really
09:30 <jgrassler> CA-as-a-service is really the cleanest approach
09:30 <jaosorior> jgrassler: a CA doesn't address injecting secrets
09:30 <jaosorior> it addressed PKI, which is part of a solution
09:30 <jaosorior> *addresses
09:30 <jgrassler> Well, you can generate keypairs inside the VMs and get them signed by the CA
09:31 <jgrassler> Better than putting private key material in there that will remain valid forever and cannot be revoked
09:31 <jaosorior> yet you still need to provision the CA cert (which can and will change)
09:31 <jaosorior> and then you need to get the machine to actually authenticate to the CA somehow
09:32 <jaosorior> so then you need a pre-secret
09:32 <jaosorior> and you can't hardcode that into the image
09:32 <jaosorior> because it might be compromised
09:32 <jaosorior> a real solution for sure is not in heat
09:32 <jaosorior> should be in nova
09:33 <jaosorior> but we already had this conversation, and the nova folks disagreed
09:34 <jaosorior> also, getting the CA to accept requests coming from certain IPs is not the solution (that's what some people are actually using in production)
09:35 <jaosorior> IP spoofing is fairly simple
09:38 <jgrassler> Yes, I agree it's not a real solution
09:39 <jgrassler> But it's better than the current worst practice (copying key material that cannot be revoked if the instance is compromised via user data)
09:39 <jgrassler> I've seen that happen :-/
09:39 <jaosorior> ouch
09:40 <jgrassler> Proper CA-as-a-service probably still won't fix that
09:40 <jgrassler> People being...well, people :-)
09:40 <jaosorior> haha true that
09:40 <jaosorior> jgrassler: FWIW in the last summit we talked to the security folks in OpenStack. And are moving to make certmonger the standard interface to talk to CAs
09:41 <jaosorior> Barbican is great for secret storage; But cert-management works quite well using certmonger
12:20 <hyakuhei> I think when DNSaaS ends up being broadly used (and working) then ACME really offers a nice and easy way to offer up CAaaS
12:20 <hyakuhei> Until then I'll keep banging out terrible python
12:31 <openstackgerrit> Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin  https://review.openstack.org/330688
12:31 <jaosorior> hyakuhei: Have you been talking to the certmonger folks to get what you need fixed?
12:31 <jaosorior> Once that's done I'm thinking about giving a try deploying Anchor in TripleO's undercloud and using certmonger to request certs from it
12:34 <jaosorior> hyakuhei: ayoung showed me a helper script that should be a pretty good start https://github.com/admiyo/anchor-certmonger-helper
12:35 <hyakuhei> So I really need to find viraptor and get him to jump on IRC
12:35 <hyakuhei> He had a few issues making certmonger play nice
12:36 <jaosorior> alee ^^
12:43 <hyakuhei> viraptor is based in Aus so perhaps email might work better
12:46 <jaosorior> hyakuhei: So for certmonger issues or questions you can also ping ayoung
12:46 <ayoung> hyakuhei, I'm no certmonger expert, but I might be able to help
12:47 <ayoung> hyakuhei, I took gyee's helper and posted it on github.  You working with that?
12:47 <ayoung> https://github.com/admiyo/anchor-certmonger-helper
13:00 <hyakuhei> I'm taking a look at it now, didn't know it was a thing :)
14:55 <openstackgerrit> Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin  https://review.openstack.org/330688
15:08 <openstackgerrit> Andreas Scheuring proposed openstack/barbican: pkcs11-key-generation: convert mkek length to int  https://review.openstack.org/332860

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!