*** pcaruana has joined #openstack-barbican | 04:43 | |
*** Luzi has joined #openstack-barbican | 05:05 | |
*** dpawlik has joined #openstack-barbican | 05:44 | |
*** irclogbot_1 has quit IRC | 07:20 | |
*** openstackstatus has quit IRC | 07:20 | |
*** irclogbot_2 has joined #openstack-barbican | 07:21 | |
*** Anticimex has quit IRC | 07:24 | |
*** Anticimex has joined #openstack-barbican | 07:29 | |
openstackgerrit | HYSong proposed openstack/barbican master: fix secret_type_doc https://review.opendev.org/672211 | 07:38 |
openstackgerrit | HYSong proposed openstack/barbican master: fix secret_type_doc https://review.opendev.org/672211 | 07:57 |
*** ivve has joined #openstack-barbican | 08:22 | |
*** jaosorior has joined #openstack-barbican | 09:52 | |
*** dpawlik has quit IRC | 10:02 | |
*** dpawlik has joined #openstack-barbican | 10:04 | |
*** raildo has joined #openstack-barbican | 11:35 | |
openstackgerrit | HYSong proposed openstack/barbican master: fix secret_type_doc https://review.opendev.org/672211 | 12:09 |
redrobot | #startmeeting barbican | 13:02 |
openstack | Meeting started Tue Jul 23 13:02:17 2019 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:02 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:02 |
*** openstack changes topic to " (Meeting topic: barbican)" | 13:02 | |
openstack | The meeting name has been set to 'barbican' | 13:02 |
redrobot | #topic Roll Call | 13:02 |
*** openstack changes topic to "Roll Call (Meeting topic: barbican)" | 13:02 | |
Luzi | o/ | 13:02 |
redrobot | Courtesy ping for ade_lee hrybacki jamespage lxkong moguimar raildo rm_work xek | 13:02 |
rm_work | p/ | 13:03 |
redrobot | As usual our agenda can be found here: | 13:03 |
redrobot | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 13:03 |
jamespage | o/ | 13:05 |
redrobot | Alrighty, let's get started! | 13:05 |
moguimar | o/ | 13:06 |
redrobot | #topic Liaison Updates | 13:06 |
*** openstack changes topic to "Liaison Updates (Meeting topic: barbican)" | 13:06 | |
redrobot | moguimar, o/ | 13:06 |
redrobot | moguimar, any updates from Oslo land? | 13:06 |
moguimar | nope | 13:06 |
redrobot | cool | 13:07 |
redrobot | #topic OpenstackSDK + Barbican | 13:09 |
*** openstack changes topic to "OpenstackSDK + Barbican (Meeting topic: barbican)" | 13:09 | |
redrobot | Luzi did you add this topic? | 13:09 |
Luzi | yes, it was mostly a question which came up in the last week's image encryption meeting | 13:09 |
Luzi | because nova likes to rework their config stuff and use openstacksdk | 13:10 |
Luzi | but no one did know how well keystoneauth1 would work with the connection to Barbican | 13:11 |
redrobot | #link https://opendev.org/openstack/openstacksdk | 13:11 |
Luzi | Do you know what's the current state of this? | 13:12 |
redrobot | No, I haven't looked at any of that code recently | 13:12 |
redrobot | Is the plan for Nova to use https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/key_manager instead of python-barbicanclient? | 13:13 |
Luzi | well it seems they would like to migrate to it, but there would be an exception for the barbicanclient | 13:13 |
Luzi | that's what efried told us so far and the reason he asked us if we knew something | 13:14 |
Luzi | i just wanted to ask this here, in case someone did know something :D | 13:15 |
redrobot | I can look into it and get back to you next week about the status. | 13:15 |
Luzi | thank you redrobot | 13:15 |
redrobot | I don't really understand the purpose of openstacksdk though | 13:16 |
redrobot | seems like doubling client efforts, but I'm not sure what the benefit is | 13:16 |
redrobot | Are other teams deprecating their python-XXXXXclient in favor of openstacksdk? | 13:16 |
redrobot | #action redrobot to look into the key_manager implementation of openstacksdk to determine feature gap | 13:17 |
Luzi | i have no idea, i did only speak to nova and cinder teams, and cinder doesn't want to migrate | 13:18 |
redrobot | Seems like classic OpenStack™ 😂 | 13:19 |
redrobot | cool, I'll look into openstacksdk and see what we can figure out | 13:19 |
redrobot | anything else on this topic? | 13:19 |
Luzi | nope, thank you | 13:19 |
*** openstackstatus has joined #openstack-barbican | 13:20 | |
*** ChanServ sets mode: +v openstackstatus | 13:20 | |
redrobot | #topic Open Discussion | 13:25 |
*** openstack changes topic to "Open Discussion (Meeting topic: barbican)" | 13:25 | |
redrobot | anything else we should talk about? | 13:25 |
redrobot | moguimar? rm_work? | 13:26 |
* rm_work is dead | 13:26 | |
redrobot | rm_dead | 13:26 |
moguimar | me is on its way too | 13:26 |
Luzi | I have a question regarding the default policies | 13:26 |
rm_work | i guess, how did the secret consumers thing go | 13:26 |
* moguimar * | 13:26 | |
redrobot | rm_work, spec was merged, moguimar will be working on implementation | 13:26 |
redrobot | Luzi, what's up? | 13:26 |
rm_work | cool | 13:26 |
moguimar | I'll start working on it soon | 13:27 |
moguimar | probably next week | 13:27 |
Luzi | uhm, why do the roles in the default policies differ from the ones used in other projects (like nova and cinder) | 13:29 |
Luzi | ? | 13:29 |
Luzi | the deployed roles often are only admin and _member_ - so why there are Observer, creator and audit? | 13:31 |
redrobot | The idea was to have more fine-grained control over Secrets | 13:31 |
redrobot | since they contain sensitive information | 13:31 |
Luzi | i understand that part | 13:32 |
Luzi | are these roles used somewhere by users or so? | 13:32 |
redrobot | admin should have full access. We don't use member yet, but we have been talking about working with the Keystone team to work towards a unified policy | 13:33 |
Luzi | ah, that's nice, thank you for that information :D | 13:34 |
redrobot | I'll talk to Harry Rybacki about it. IIRC he was the one who wanted to work with us on getting the roles updated. | 13:34 |
redrobot | #action redrobot to talk to hrybacki about unified roles | 13:34 |
redrobot | Any other questions/topics we should talk about? | 13:37 |
moguimar | just a quick update | 13:38 |
moguimar | I was at EuroPython two weeks ago | 13:38 |
moguimar | with a poster about secrets in configs | 13:38 |
moguimar | using oslo.config, castellan and HashiCorp vault in a local demo | 13:38 |
redrobot | moguimar, nice! how'd it go? | 13:39 |
moguimar | https://ep2019.europython.eu/media/conference/slides/m7RV4BB-protecting-secrets-with-osloconfig-and-hashicorp-vault.pdf | 13:39 |
moguimar | lots of questions about HashiCorp Vault 😅 | 13:39 |
moguimar | people were quite interested in secret leases | 13:39 |
moguimar | in my demo I was able to generate unique credentials to a Postgres DB and pass it to a node using a unique token for that node. | 13:40 |
moguimar | so different nodes had different credentials | 13:40 |
moguimar | no secrets in config files at all | 13:40 |
moguimar | token injected via ENV vars with the env config driver of oslo.config | 13:41 |
moguimar | and database credentials fetched via castellan config driver | 13:41 |
moguimar | I should write some readme in the demo, there are links to the code in the poster | 13:42 |
moguimar | some people asked if Barbican also delivers temporary credentials like HashiCorp vault | 13:42 |
moguimar | that was it | 13:43 |
redrobot | We do not :( | 13:43 |
redrobot | thanks for the update moguimar | 13:43 |
redrobot | :D | 13:44 |
redrobot | ok, y'all, thanks for coming | 13:44 |
redrobot | see you next week! | 13:44 |
moguimar | cya | 13:44 |
redrobot | #endmeeting | 13:44 |
*** openstack changes topic to "OpenStack PTG Denver - https://etherpad.openstack.org/p/barbican-train-ptg" | 13:44 | |
openstack | Meeting ended Tue Jul 23 13:44:26 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:44 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-07-23-13.02.html | 13:44 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-07-23-13.02.txt | 13:44 |
openstack | Log: http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-07-23-13.02.log.html | 13:44 |
*** Luzi has quit IRC | 13:51 | |
*** trident has quit IRC | 15:18 | |
*** trident has joined #openstack-barbican | 15:20 | |
*** dpawlik has quit IRC | 15:30 | |
*** trident has quit IRC | 15:52 | |
*** jaosorior has quit IRC | 15:53 | |
*** trident has joined #openstack-barbican | 15:55 | |
*** trident has quit IRC | 17:07 | |
*** trident has joined #openstack-barbican | 17:10 | |
*** pcaruana has quit IRC | 20:50 | |
*** irclogbot_2 has quit IRC | 21:32 | |
*** altlogbot_0 has quit IRC | 21:33 | |
*** altlogbot_1 has joined #openstack-barbican | 21:33 | |
*** irclogbot_2 has joined #openstack-barbican | 21:33 | |
*** irclogbot_2 has quit IRC | 21:59 | |
*** altlogbot_1 has quit IRC | 22:01 | |
*** altlogbot_1 has joined #openstack-barbican | 22:21 | |
*** altlogbot_1 has quit IRC | 22:27 | |
*** raildo has quit IRC | 22:35 | |
*** altlogbot_0 has joined #openstack-barbican | 23:13 | |
*** altlogbot_0 has quit IRC | 23:19 | |
*** altlogbot_0 has joined #openstack-barbican | 23:27 | |
*** irclogbot_3 has joined #openstack-barbican | 23:31 |