*** antosh has quit IRC | 00:02 | |
*** jmlowe has joined #openstack-barbican | 00:42 | |
*** dave-mccowan has quit IRC | 01:30 | |
*** sapd has quit IRC | 01:40 | |
*** sapd has joined #openstack-barbican | 01:44 | |
*** annp has joined #openstack-barbican | 01:47 | |
alee_ | @startmeeting barbican | 02:00 |
alee_ | #startmeeting barbican | 02:00 |
openstack | Meeting started Tue Jun 12 02:00:36 2018 UTC and is due to finish in 60 minutes. The chair is alee_. Information about MeetBot at http://wiki.debian.org/MeetBot. | 02:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 02:00 |
*** openstack changes topic to " (Meeting topic: barbican)" | 02:00 | |
openstack | The meeting name has been set to 'barbican' | 02:00 |
alee_ | #topic roll call | 02:00 |
*** openstack changes topic to "roll call (Meeting topic: barbican)" | 02:00 | |
alee_ | redrobot, nguyenhai_ jaosorior anyone here? | 02:01 |
alee_ | bueller? | 02:04 |
alee_ | anyone joining the barbican meeting? | 02:08 |
redrobot | alee_, o/ | 02:08 |
redrobot | sorry I'm late | 02:08 |
redrobot | here! :D | 02:08 |
alee_ | redrobot, you're the only one :) | 02:09 |
redrobot | \o/ | 02:09 |
* redrobot considers himself forgiven for being late... | 02:09 | |
alee_ | which reinforces the idea of moving this back to reasonable time for the US .. | 02:09 |
redrobot | indeed. | 02:10 |
alee_ | I'm going to propose we move it back to the original time starting next week | 02:10 |
redrobot | UTC 2000 ? | 02:10 |
alee_ | that sounds about right .. | 02:10 |
alee_ | yup | 02:11 |
alee_ | 3pm EST | 02:11 |
alee_ | actually as I'll be on PTO the next couple of weeks, will need you and/or Dave to run it | 02:11 |
redrobot | #link https://www.timeanddate.com/worldclock/fixedtime.html?hour=20&min=00&sec=0 | 02:11 |
alee_ | for the next two meetings | 02:12 |
redrobot | I can definitely do it if dave isn't available | 02:12 |
alee_ | cool | 02:12 |
redrobot | want to send a message to ML proposing the time change? | 02:12 |
redrobot | I'll +1 it so fast! | 02:12 |
alee_ | yes - will do in the morning | 02:12 |
redrobot | #action alee_ to send a message to the ML proposing moving the Barbican meeting back to 2000 UTC | 02:13 |
alee_ | so just a couple of announcements then .. | 02:13 |
alee_ | milestone 2 was cut last week | 02:13 |
alee_ | that means we're in the final stages to get stuff in | 02:13 |
redrobot | 🎉🎉🎉 | 02:14 |
alee_ | the main things missing are 1) experimental job for vault plugin | 02:14 |
alee_ | and 2) ovo work | 02:14 |
alee_ | we really need reviews on (2) | 02:14 |
alee_ | so if you can - that would be good | 02:14 |
redrobot | I started spinning up on OVOs. Don't remember them from my last tour of duty. | 02:15 |
redrobot | still got a bit of grokking to do before I feel comfortable reviewing the patch series | 02:15 |
alee_ | yeah we need them for no downtime upgrades | 02:15 |
redrobot | hoping to get to it by the end of the week. | 02:15 |
alee_ | ack | 02:15 |
alee_ | ask namh if you have questions | 02:15 |
alee_ | in the patch even | 02:15 |
redrobot | yes, I can definitely do that. | 02:16 |
alee_ | we had some requests for api changes from my meeting last week - but for that we need microversions and also the ovo stuff | 02:16 |
alee_ | I plan to write a spec for secret ownership changes sometime this week | 02:16 |
alee_ | as it's in my mind | 02:17 |
alee_ | and also we need to resolve a security issue -- making sure db entries are hmaced | 02:17 |
alee_ | both require db changes - and one requires an api change so we need ovo and microversions | 02:18 |
redrobot | hmm... k, I'll keep the hmac stuff in mind when looking at OVO | 02:18 |
alee_ | redrobot, well we need ovo before hmac | 02:18 |
alee_ | I plan to release stable branch releases later this week | 02:18 |
redrobot | ack | 02:19 |
alee_ | queens and pike | 02:19 |
alee_ | #topic anything else? | 02:19 |
*** openstack changes topic to "anything else? (Meeting topic: barbican)" | 02:19 | |
redrobot | hmm... can't think of anything off the top of my head... 🤔 | 02:20 |
alee_ | there seems to be a renewed push to get castellan as a base service | 02:20 |
alee_ | https://review.openstack.org/#/c/572656/ | 02:20 |
redrobot | only sort-of makes sense | 02:20 |
alee_ | so review to keep in mind -- it's been debated for some time now | 02:20 |
redrobot | yeah, I've got quite a different opinion on castellan/barbican/other key-managers than I did back in the day | 02:21 |
redrobot | I'll check out the spec and comment on there. | 02:21 |
alee_ | well if you disagree with the direction, talk with me about it | 02:22 |
redrobot | will do | 02:22 |
redrobot | Basically, I think Barbican should only be used for people who want to provide a KMS as part of their OS deployment. So if Google KMS and AWS KMS look like something your cloud should do, then Barbican should be it. | 02:22 |
redrobot | but I'm not so sure Barbican belongs in the undercloud | 02:23 |
redrobot | I think Vault/Keywhiz/HSM is probably a better solution | 02:23 |
redrobot | so it makes sense to abstract those away in Castellan | 02:23 |
alee_ | where barbican makes sense to me is where you need to store tenant -based secrets | 02:24 |
* redrobot regrets not getting rid of the castellan.common package when he had the chance. | 02:24 | |
alee_ | so I think we're saying basically the same thing | 02:24 |
redrobot | Yes, sounds like we're in violent agreement. | 02:24 |
redrobot | but also, I haven't read that spec, haha | 02:24 |
alee_ | when the secrets are not tenant based, barbican may not make sense | 02:24 |
redrobot | yup yup | 02:25 |
alee_ | the idea behind the spec is that developers should expect a castellan compatible keystore | 02:25 |
alee_ | just like they expect an authz from keystone | 02:25 |
redrobot | I'd think it's more like oslo.db | 02:25 |
alee_ | right oslo.keymanager | 02:26 |
alee_ | but yeah | 02:26 |
redrobot | where you can use oslo.db if you need SQL but it doesn't matter which SQL-compliant db it is. | 02:26 |
redrobot | gotta love small meetings where everyone agrees. 😜 | 02:26 |
alee_ | as to whether it makes sense to put barbican in the undercloud, that's a different question | 02:27 |
alee_ | I can see some advantages | 02:27 |
alee_ | right now we don't have a vault we can deliver downstream | 02:28 |
alee_ | so in the interim barbican provides an excellent alternative that can talk to hsms | 02:28 |
alee_ | if you need it | 02:28 |
alee_ | anyways .. meeting adjourned so we can get some sleep? | 02:29 |
redrobot | yes, sleep does sound good! | 02:29 |
alee_ | redrobot, thanks for joining - not all by my lonesome :) | 02:29 |
alee_ | #endmeeting | 02:29 |
*** openstack changes topic to "Discussion about development of OpenStack Barbican and its client libraries. - Logs: http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/" | 02:29 | |
openstack | Meeting ended Tue Jun 12 02:29:39 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 02:29 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-12-02.00.html | 02:29 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-12-02.00.txt | 02:29 |
openstack | Log: http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-12-02.00.log.html | 02:29 |
*** dave-mccowan has joined #openstack-barbican | 02:54 | |
*** agrebennikov has quit IRC | 03:02 | |
*** dave-mccowan has quit IRC | 04:05 | |
*** jmlowe has quit IRC | 04:10 | |
*** pcaruana has quit IRC | 05:24 | |
*** pcaruana has joined #openstack-barbican | 06:27 | |
*** redrobot has quit IRC | 07:33 | |
*** pcaruana has quit IRC | 07:34 | |
*** redrobot has joined #openstack-barbican | 07:39 | |
*** serlex has joined #openstack-barbican | 07:40 | |
*** pcaruana has joined #openstack-barbican | 07:49 | |
*** pcaruana has quit IRC | 07:59 | |
*** pcaruana has joined #openstack-barbican | 08:15 | |
*** salmankhan has joined #openstack-barbican | 08:59 | |
*** pbourke has quit IRC | 09:43 | |
*** pbourke has joined #openstack-barbican | 09:43 | |
*** salmankhan has quit IRC | 10:15 | |
*** salmankhan has joined #openstack-barbican | 10:15 | |
*** annp has quit IRC | 10:22 | |
*** abishop has joined #openstack-barbican | 11:38 | |
*** raildo has joined #openstack-barbican | 11:54 | |
*** dave-mccowan has joined #openstack-barbican | 12:04 | |
*** salmankhan has quit IRC | 12:21 | |
*** salmankhan has joined #openstack-barbican | 12:37 | |
*** raildo has quit IRC | 12:53 | |
*** raildo has joined #openstack-barbican | 12:55 | |
*** pcaruana has quit IRC | 13:00 | |
*** salmankhan has quit IRC | 13:36 | |
*** salmankhan has joined #openstack-barbican | 13:38 | |
redrobot | good mornin' barbican! | 13:44 |
*** pcaruana has joined #openstack-barbican | 13:46 | |
*** sapcc-bot has quit IRC | 14:03 | |
*** sapcc-bot11 has quit IRC | 14:03 | |
*** sapcc-bot12 has joined #openstack-barbican | 14:03 | |
*** sapcc-bot has joined #openstack-barbican | 14:03 | |
*** dave-mccowan has quit IRC | 14:35 | |
*** antosh has joined #openstack-barbican | 14:42 | |
*** serlex has quit IRC | 14:49 | |
*** tidwellr has joined #openstack-barbican | 14:49 | |
*** jmlowe has joined #openstack-barbican | 14:56 | |
*** dave-mccowan has joined #openstack-barbican | 15:03 | |
*** tidwellr has quit IRC | 15:53 | |
*** tidwellr has joined #openstack-barbican | 15:54 | |
*** jmlowe has quit IRC | 16:13 | |
*** dave-mccowan has quit IRC | 16:23 | |
*** salmankhan has quit IRC | 16:33 | |
*** salmankhan has joined #openstack-barbican | 16:35 | |
*** salmankhan has quit IRC | 16:42 | |
*** salmankhan has joined #openstack-barbican | 16:46 | |
*** salmankhan has quit IRC | 16:53 | |
*** salmankhan has joined #openstack-barbican | 16:56 | |
*** toabctl has quit IRC | 17:05 | |
*** salmankhan has quit IRC | 17:38 | |
*** sapcc-bot has quit IRC | 18:21 | |
*** sapcc-bot12 has quit IRC | 18:21 | |
*** sapcc-bot3 has joined #openstack-barbican | 18:21 | |
*** sapcc-bot has joined #openstack-barbican | 18:21 | |
*** dave-mccowan has joined #openstack-barbican | 18:31 | |
*** dave-mccowan has quit IRC | 18:47 | |
*** tidwellr has quit IRC | 19:11 | |
*** tidwellr has joined #openstack-barbican | 19:12 | |
*** salmankhan has joined #openstack-barbican | 19:30 | |
*** salmankhan has quit IRC | 19:34 | |
*** raildo has quit IRC | 19:42 | |
*** sapcc-bot has quit IRC | 19:58 | |
*** dave-mccowan has joined #openstack-barbican | 20:00 | |
*** dave-mccowan has quit IRC | 20:10 | |
redrobot | hmm... so I don't really understand how the Vault Backend for Castellan is getting a context in the functional test suite? | 20:16 |
redrobot | oh, I see... it's using an admin context... | 20:20 |
redrobot | oslo admin context that is | 20:21 |
redrobot | but that makes absolutely no sense | 20:21 |
redrobot | Vault doesn't know anything about keystone. WTF? | 20:21 |
redrobot | Context was supposed to be backend specific IIRC. That's why there's a context factory. | 20:23 |
redrobot | Sooooo... context for the Vault backend SHOULD be a Vault token. The context should grant the scope/permissions for whatever operations are going to be taking place. | 20:24 |
* redrobot seems to be talking to himself | 20:26 | |
*** sapcc-bot3 has quit IRC | 20:26 | |
*** sapcc-bot has joined #openstack-barbican | 20:26 | |
redrobot | Oh sweet jesus, the vault backend doesn't give a crap about the context. | 20:38 |
redrobot | hmmm... | 20:38 |
redrobot | I'm just going to assume that it's still in experimental mode and it still needs work to be able to check the vault-token via the context. | 20:39 |
*** abishop has quit IRC | 20:57 | |
*** pcaruana has quit IRC | 21:04 | |
*** sapd has quit IRC | 21:26 | |
*** sapd has joined #openstack-barbican | 21:27 | |
*** sapd has quit IRC | 21:27 | |
*** sapd has joined #openstack-barbican | 21:27 | |
*** tidwellr has quit IRC | 21:55 | |
*** dave-mccowan has joined #openstack-barbican | 22:00 | |
*** antosh has quit IRC | 22:02 | |
*** antosh has joined #openstack-barbican | 22:26 | |
*** jmlowe has joined #openstack-barbican | 22:55 | |
*** jmlowe has quit IRC | 23:17 | |
*** jmlowe has joined #openstack-barbican | 23:18 | |
*** jmlowe has quit IRC | 23:31 | |
*** jmlowe has joined #openstack-barbican | 23:35 | |
*** antosh has quit IRC | 23:56 |