Monday, 2018-06-04

« Sunday, 2018-06-03 Index Tuesday, 2018-06-05 »
*** namnh has joined #openstack-barbican01:34
*** namnh has quit IRC02:33
*** namnh has joined #openstack-barbican02:34
*** annp has joined #openstack-barbican02:47
*** zhongjun_ has joined #openstack-barbican02:49
*** EmilienM has quit IRC03:22
*** EmilienM has joined #openstack-barbican03:24
openstackgerritNguyen Van Trung proposed openstack/barbican master: Follow the new PTI for document build  https://review.openstack.org/57136506:09
*** pcaruana has joined #openstack-barbican07:12
*** pcaruana is now known as pcaruana|worksho07:14
*** sapd_ has quit IRC07:15
*** sapd_ has joined #openstack-barbican07:15
*** serlex has joined #openstack-barbican07:23
*** alee has joined #openstack-barbican07:36
*** jaosorior has joined #openstack-barbican08:05
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Initial OVO for Barbican  https://review.openstack.org/55901408:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [1]  https://review.openstack.org/49900408:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [2]  https://review.openstack.org/49910908:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Implement OVO for Barbican [3]  https://review.openstack.org/49941908:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Implement OVO for Barbican [4]  https://review.openstack.org/52897208:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Implement OVO for Barbican [5]  https://review.openstack.org/50024408:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace ACL resource to use OVO  https://review.openstack.org/56385708:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace Transport-key using OVO  https://review.openstack.org/56385808:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace secretstore and secretmeta using OVO  https://review.openstack.org/56402508:44
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace container resource using OVO  https://review.openstack.org/56467208:44
*** salmankhan has joined #openstack-barbican09:08
*** salmankhan has quit IRC09:14
*** pbourke has quit IRC09:41
*** pbourke has joined #openstack-barbican09:41
*** sapd_ has quit IRC09:45
*** sapd_ has joined #openstack-barbican09:45
*** namnh has quit IRC10:05
*** dave-mccowan has joined #openstack-barbican10:41
*** dave-mcc_ has joined #openstack-barbican10:46
*** dave-mccowan has quit IRC10:47
*** noslzzp has joined #openstack-barbican12:09
*** noslzzp has quit IRC12:10
*** openstackgerrit has quit IRC12:34
redrobotGood mornin' Barbican!12:37
aleedave-mcc_, please check out any pending patches to try to get stuff in before friday13:15
aleethats when I'll cut the release13:15
*** raildo has joined #openstack-barbican13:20
*** beisner is now known as beisner-sick13:22
*** rmascena has joined #openstack-barbican13:27
*** raildo has quit IRC13:29
aleedave-mcc_, in particular, can you look at the stable branch stuff -- as you have the power!13:49
dave-mcc_alee just queens?  or pike (or ocata too)?13:51
aleedave-mcc_, we're responsible for 2 releases , right?14:02
aleeso queens and pike?14:02
aleedave-mcc_, though we should certainly cast a leery eye to pike14:02
*** noslzzp has joined #openstack-barbican14:04
aleeredrobot, jaosorior , dave-mcc_ there is some interest here in adding an api call to transfer the ownership of a secret to a different user/project -- any concerns about that?14:04
aleeredrobot, jaosorior , dave-mcc_ the use case here is a cinder capability to transfer a volume from one user to another14:05
dave-mcc_alee seems like the call would require permissions of both "old owner" and "new owner".  does keystone tokens support that?14:06
*** dave-mcc_ is now known as dave-mccowan14:06
aleedave-mccowan, maybe .. certainly permission from the old owner14:07
aleewhich we would have14:07
redrobotYeah, thinking only the current owner permission should be needed?14:07
aleedave-mccowan, cinder does have a two step process -- so that you would transfer as the old owener, and accept as the new owner14:08
aleebut that may be unneeded for us ..14:08
aleemaybe we just need the old owner's permissions?14:08
alee"dude, I'm giving you my secret ..."14:09
jaosorioralee: lets dig into what cinder can do14:09
jaosoriorit seems to me that it's from one user to another, right?14:09
dave-mccowan"dude, i'm filling your secret quota without your permission" ;-)14:09
jaosorioris there a limitation there?14:09
jaosoriorshould those users always be in the same project?14:09
aleejaosorior, no14:10
jaosoriorif that's the case, then we only need to care about ACLs14:10
aleejaosorior, they can be in different projects14:10
jaosoriorif it isn't, then yeah, it would be a project transfer14:10
jaosorioruhm14:10
aleejaosorior, if they were in the same project, it wouldn't matter - because all project members have read access at least14:10
jaosoriorwhat roles do the user that does the transfer need to have?14:10
aleethough maybe not delete14:11
jaosoriorto do the cinder volume transfer14:11
aleejaosorior, thats a good point -- maybe they need a special role to avoid the "secret quota problem"14:12
aleejaosorior, let me ask who can transfer volumes ...14:13
*** abishop has joined #openstack-barbican14:14
aleeabishop, hey14:14
abishopalee: hey all14:14
aleeabishop, so question -- who can transfer volumes?14:15
aleedo they need a special role?14:15
abishopthe presumption is a volume owner can try to transfer to anyone, and the recipient chooses to accept14:15
abishopno roles involved14:16
jaosoriorabishop: what role does a volume owner have in a project?14:16
jaosorioris it just a _member_ in a project?14:16
abishopI believe so14:16
abishopnot 100% solid on the details (it's old cinder code)14:17
jaosoriorhow does the recipient accept?14:17
abishopit's another cinder api call14:17
abishopinitiated by recipient (sorry if that was obvious)14:17
jaosoriorabishop: got docs about it?14:18
jaosoriorabishop: is there a way to rever the ownership transfer?14:18
aleeabishop, I imagine there is some transaction-id that is passed from sender to recipient14:18
aleejaosorior, yes there is14:19
abishopjaosorior: docs would be upstream, and I'd have to look for them (not sure who developed feature)14:19
abishopand you can cancel a transfer (reverts to original owner)14:19
jaosoriorabishop: thanks for the info14:20
abishopalee: yes, the transfer initiate generates a cookie/token that the recipient must use when accepting the xfer14:20
jaosorioralee: my concern is that if you choose to revert the ownership... the other user already has access to read the secret.14:21
abishopjaosorior: my thought is the transfer initiate could xfer ownership to cinder service, who can then xfer it on to recipient, or back to original ownder if cancelled14:22
*** openstackgerrit has joined #openstack-barbican14:23
openstackgerritMerged openstack/barbican master: Update the version of Ubuntu  https://review.openstack.org/57083514:23
aleeabishop, maybe this can be solved completely on the side of things using existing barbican api calls14:23
jaosoriorusing ACLs maybe?14:23
abishopfyi, found this: https://wiki.openstack.org/wiki/VolumeTransfer14:23
aleeyup14:23
aleeabishop, you could do something like this ..14:24
alee1. when transfer initiated, add acl to read to cinder service user14:24
alee2. when transfer accepted, cinder service user creates a clone of the key --- i.e. gets key and store it again with recipient's creds14:25
aleeand remove acl on original key14:26
abishopalee: would "store again" generate a new secret href?14:26
jaosoriorit would, yes14:27
aleeyes -- so you'd have to modify the metadata14:27
aleebut thats just a db update , right?14:27
abishopalee: then things get awkward because the key ID is stored in multiple places in cinder db14:28
abishopcould be done, but would need to ponder the details14:28
abishopalee: and what would clean up by deleting the original volume's secret?14:28
aleeabishop, we could look to add acl to allow delete to cinder service user14:29
jaosoriorabishop, alee: one downside of that is that ready access is only granted towards a specific user, not the project. So the transfer needs to be accepted by a very specific user.14:30
abishopalee: sure, as long as we agree on who handles cleanup, and that entity has perms to do so14:30
aleejaosorior, abishop the other thing we can do is model the transfer request in the same way as cinder does14:31
dave-mccowanalee giving the cinder service account access to a secret would be a new concept for encrypted volumes.  some might consider it a risk.14:31
aleeso when request is made, we could also make a "transfer request" we keep track of in barbican14:31
aleeand then when cinder volume is accepted, we have a "acccept transfer" api call in barbican too14:32
aleewith relevant cookie/id etc.14:32
dave-mccowani like following cinder's model.  hopefully, they've thought through all the issues we're bringing up now. :-)14:32
aleethen no other user ("cinder service user" is involved14:33
openstackgerritBrianna Poulos proposed openstack/barbican-tempest-plugin master: Add certificate validation scenario tests  https://review.openstack.org/51521014:40
*** tidwellr has joined #openstack-barbican14:40
*** tidwellr has quit IRC14:40
*** tidwellr has joined #openstack-barbican14:41
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican master: Remove CA API policy file  https://review.openstack.org/57212014:50
jaosoriordave-mccowan, alee: or we could use a keystone trust that the cinder user would then have to use for this.14:50
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican master: Remove CA API policy file  https://review.openstack.org/57212014:52
jaosorioralee: any reviews I should be giving priority to?14:52
dave-mccowandoes cinder also have a copy volume?  does that work well with barbican?  (do they share the same key?) what happens if a volume is copied then one copy is deleted?14:53
aleedave-mccowan, I think they make a copy of the key15:00
aleedave-mccowan, but its all within the same project15:00
aleejaosorior, looking ..15:01
aleejaosorior, https://tinyurl.com/yctfozgh15:02
aleejaosorior, the needs approval stuff is most ready15:02
aleeand dave-mccowan should focus on the stable stuff -- as he has power to push15:04
aleejaosorior, https://review.openstack.org/568905  as well15:04
aleejaosorior, how would a keystone trust work?15:06
aleeI wonder if any other services besides cinder have this transfer ability ..15:07
jaosorioralee: https://wiki.openstack.org/wiki/Keystone/Trusts check the use cases15:09
jaosoriorthe rules explains it better15:11
aleejaosorior, gotcha - so the same flow I proposed earlier - except instead of using acls, we use two trusts -- one that the giver gives to cinder user to read/delete the secret and one that the receiver gives to cinder user to create a key15:20
aleejaosorior, sounds messy -- if I recall correctly, we developed acls specifically because trusts were not fine grained enough ..15:21
aleeie. could not be limited to a specific resource15:21
jaosorioruhm15:21
jaosoriortrue15:21
aleeso the trust would let cinder user see all my secrets ..15:22
aleeand that sucks15:22
jaosorioralee: although, cinder reading and re-writing the secret in the cinder process wouldn't be ideal either. Since that would expose the decrypted secret (even if for a very brief time) in memory15:22
jaosoriormaybe the best choice is to re-implement the transfer mechanism in barbican15:22
jaosoriorand just let cinder do that call with the user's credentials15:23
aleeyeah - I like the idea of doing this without the secret leaving barbican15:23
jaosorioryeah, I'm also starting to think it's the best idea15:24
jaosoriorwith this, we need to start thinking of microversions for barbican though15:24
jaosoriorand the OVO work becomes even more relevant15:24
jaosoriorunless we want to start backporting this15:24
jaosoriorwhich we shouldn't15:25
aleejaosorior, do we?  its a new api call ..15:26
jaosorioralee: either that or we release API v2 :D15:27
aleejaosorior, we're going to end up doing that anyways , right? :/15:27
jaosoriorat some point15:28
jaosorioralee: up to the community though15:28
jaosoriorcould be a microversion15:28
jaosorior(since nothing changes but we just add a new API call)15:28
aleejaosorior, yeah - we need to think about microversions15:28
aleeand yeah - we need to get the ovo stuff in15:28
aleejaosorior, good thing we got ovo patches to review :)15:29
jaosoriorindeed15:29
jaosoriorI'll get to those tomorrow15:29
jaosoriorthose I need to think about more15:29
aleedoes the microversion stuff require ovo to be in first?15:29
jaosoriornot necessarily15:29
aleethere will be new tables though15:30
jaosoriorso.... supporting microversions per-se doesn't require OVO... having this new API call, I think yes, it does require the OVO work15:30
jaosorioralso... what do we claim to support once the OVO work merges? rolling upgrades?15:31
aleeyup15:32
aleegotta head back to hotel .. back on later -- lets ponder on this ..15:32
jaosoriorok15:32
aleejaosorior, ideally though we can get the ovo stuff in -- in rocky15:32
jaosoriorindeed15:32
jaosoriorit's been out there too long :D15:32
aleeand then add this new api and microversions in early stein15:33
jaosorior+115:33
aleeback later ..15:33
*** alee has quit IRC15:34
*** pcaruana|worksho has quit IRC15:35
*** abishop has quit IRC15:38
*** serlex has quit IRC15:46
*** jmlowe has quit IRC15:49
openstackgerritMerged openstack/barbican master: Initial OVO for Barbican  https://review.openstack.org/55901415:51
openstackgerritMerged openstack/barbican master: Implement OVO for Barbican [1]  https://review.openstack.org/49900415:51
openstackgerritMerged openstack/python-barbicanclient master: Add --file flag for secrets  https://review.openstack.org/50625815:53
openstackgerritMerged openstack/barbican master: Commit DB changes on API startup  https://review.openstack.org/57169815:54
openstackgerritMerged openstack/barbican master: update some documents about the keystone "API v2.0"  https://review.openstack.org/56799516:09
*** tidwellr has quit IRC16:30
*** tidwellr has joined #openstack-barbican16:31
*** pcaruana|worksho has joined #openstack-barbican16:51
*** alee has joined #openstack-barbican16:54
*** jmlowe has joined #openstack-barbican16:59
*** pcaruana|worksho is now known as pcaruana17:18
*** noslzzp has quit IRC18:22
*** jaosorior has quit IRC19:19
*** noslzzp has joined #openstack-barbican19:27
*** rmascena__ has joined #openstack-barbican19:29
*** rmascena has quit IRC19:31
*** sapd_ has quit IRC20:17
*** sapd has joined #openstack-barbican20:40
*** tidwellr has left #openstack-barbican20:42
*** pcaruana has quit IRC20:59
*** jmlowe has quit IRC21:08
*** rmascena__ has quit IRC21:10
*** dave-mccowan has quit IRC21:50
*** jmlowe has joined #openstack-barbican22:12
*** noslzzp has quit IRC22:15
*** dave-mccowan has joined #openstack-barbican22:22
« Sunday, 2018-06-03 Index Tuesday, 2018-06-05 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!