*** enriquetaso has quit IRC | 01:51 | |
*** enriquetaso has joined #openstack-barbican | 02:29 | |
*** enriquetaso has quit IRC | 03:05 | |
*** dave-mccowan has quit IRC | 04:40 | |
*** xek_ has joined #openstack-barbican | 07:57 | |
*** tosky has joined #openstack-barbican | 08:18 | |
*** Luzi has joined #openstack-barbican | 11:37 | |
*** raildo has joined #openstack-barbican | 12:07 | |
*** raildo has quit IRC | 12:19 | |
*** raildo has joined #openstack-barbican | 12:20 | |
*** enriquetaso has joined #openstack-barbican | 12:24 | |
redrobot | #startmeeting barbican | 13:00 |
openstack | Meeting started Tue Mar 10 13:00:12 2020 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:00 |
*** openstack changes topic to " (Meeting topic: barbican)" | 13:00 | |
openstack | The meeting name has been set to 'barbican' | 13:00 |
redrobot | #topic Roll Call | 13:00 |
*** openstack changes topic to "Roll Call (Meeting topic: barbican)" | 13:00 | |
redrobot | Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek | 13:00 |
Luzi | o/ | 13:00 |
redrobot | As usual our agenda can be found here: | 13:00 |
redrobot | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 13:00 |
redrobot | Hi Luzi! | 13:00 |
*** xek_ is now known as xek | 13:01 | |
Luzi | hi redrobot | 13:02 |
*** nearyo has joined #openstack-barbican | 13:02 | |
redrobot | #topic Review Past Action Items | 13:03 |
*** openstack changes topic to "Review Past Action Items (Meeting topic: barbican)" | 13:03 | |
redrobot | #link http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-03-03-13.00.html | 13:03 |
nearyo | o/ | 13:03 |
redrobot | I still need to do my action item | 13:03 |
redrobot | #action redrobot to send ML message to get added to barbican-stable | 13:03 |
redrobot | ok, moving on | 13:03 |
redrobot | hi nearyo! | 13:03 |
nearyo | hey | 13:03 |
redrobot | #topic Liaison Updates | 13:04 |
*** openstack changes topic to "Liaison Updates (Meeting topic: barbican)" | 13:04 | |
redrobot | moguimar, o/ | 13:04 |
moguimar | o/ | 13:06 |
redrobot | hi moguimar! | 13:06 |
moguimar | hey | 13:06 |
redrobot | Any updates from oslo? | 13:06 |
moguimar | not really | 13:06 |
moguimar | I've been doing some castellan code lately | 13:06 |
redrobot | :-O | 13:06 |
redrobot | I saw your patches, but haven't had a chance to review them yet | 13:06 |
redrobot | #topic Castellan Updates | 13:06 |
*** openstack changes topic to "Castellan Updates (Meeting topic: barbican)" | 13:06 | |
moguimar | the hvac backend is still waiting on some decisions | 13:07 |
redrobot | #link https://review.opendev.org/#/q/project:openstack/castellan+status:open | 13:07 |
moguimar | so the traditional vault backend turns the objects into dicts | 13:07 |
redrobot | Ok, I'll try to take a look soon. For sure I'll look at it Friday at the latest. | 13:07 |
moguimar | before storing them | 13:07 |
moguimar | I wanna centralize that code somewhere | 13:07 |
moguimar | and was thinking if we don't already have a solution or pattern for that | 13:08 |
moguimar | I looked into oslo.serialization and yesterday oslo folks recommended me to look into oslo.versionedobjects | 13:08 |
redrobot | π€π€π€ | 13:08 |
moguimar | so I have that on my list for when I get back from BRA | 13:09 |
moguimar | Hervé is helping a lot in the reviews =D | 13:10 |
moguimar | I gotta back to him as well in the oslo.cache code | 13:10 |
moguimar | back him up* | 13:10 |
moguimar | which will also help me in other security stuff | 13:11 |
redrobot | awesome, thanks for leading the charge on the HVAC work, moguimar | 13:11 |
moguimar | I wanna have it with at least the same features as the current one has | 13:11 |
moguimar | https://review.opendev.org/#/c/706468/ | 13:12 |
moguimar | this one could use some input too | 13:12 |
moguimar | just to raise a discussion | 13:12 |
moguimar | and I think at some point that could be automated | 13:12 |
moguimar | some dependabot | 13:12 |
* redrobot looks | 13:13 | |
redrobot | ah yes... I thought we had updated the Vault version already? | 13:13 |
redrobot | I'm not sure we want to always be bumping the minimum version of Vault we support, but we definitely need to do a better job of evaluating new releases | 13:14 |
moguimar | yep | 13:14 |
redrobot | Cool, anything else on Castellan? | 13:16 |
moguimar | nope | 13:16 |
redrobot | alright, moving on | 13:16 |
redrobot | #topic Barbican UI | 13:16 |
*** openstack changes topic to "Barbican UI (Meeting topic: barbican)" | 13:16 | |
redrobot | nearyo, I'm sorry I have not had a chance to look at your patch. :( | 13:16 |
redrobot | ade_lee, was supposed to do the initial review, but I'm not sure if he's had a chance to do that | 13:16 |
redrobot | unfortunately he's out on PTO right now. | 13:17 |
redrobot | But I'll ask him about it when he gets back. | 13:17 |
redrobot | I think rm_work was also interested in Barbican UI | 13:17 |
nearyo | Hey ... okay no problem ... that was my question | 13:17 |
rm_work | Yeah he was | 13:18 |
rm_work | But he knows literally nothing about UI code | 13:18 |
redrobot | same | 13:18 |
* redrobot hangs head in shame | 13:18 | |
* rm_work holds head high | 13:19 | |
nearyo | No problem ... maybe you can have a look at the python/server side? :) | 13:20 |
Luzi | https://review.opendev.org/#/c/702399/ | 13:21 |
redrobot | For sure. :) ... also maybe we should ping the UI folks to take a looky loo | 13:22 |
Luzi | that's the link in case someone wants to know ;) | 13:22 |
redrobot | thanks, Luzi | 13:22 |
nearyo | So maybe you can check in the first place if I used the barbican-python-client correctly? This would be great. | 13:22 |
redrobot | #help we need more reviewers for the initial Barbican UI patch | 13:22 |
nearyo | (y) | 13:22 |
*** nearyo has quit IRC | 13:25 | |
redrobot | oh no! nearyo ragequit | 13:25 |
redrobot | j/k | 13:25 |
redrobot | I hope he comes back. | 13:25 |
redrobot | Ok, moving on | 13:25 |
redrobot | #topic PTG | 13:26 |
*** openstack changes topic to "PTG (Meeting topic: barbican)" | 13:26 | |
redrobot | I did not request space for Barbican at the upcoming PTG due to lack of attendees interested in Barbican. | 13:26 |
*** nearyo has joined #openstack-barbican | 13:26 | |
rm_work | RIP | 13:26 |
nearyo | o/ | 13:26 |
rm_work | Well hopefully it even happens :) | 13:27 |
redrobot | sorry rm_work... you would have been sitting at the PTG table by yourself. | 13:27 |
rm_work | I requested space for 10 for octavia lol | 13:27 |
rm_work | How are we supposed to tear up the town if you aren't there π | 13:27 |
redrobot | :( | 13:28 |
redrobot | We'll have to plan to tear up Berlin instead. lol | 13:28 |
rm_work | Works for me | 13:28 |
Luzi | I will be in Berlin too :D | 13:28 |
rm_work | Noice | 13:29 |
redrobot | rm_work, I do recommend going to the Devil's Elbo for a Beer, Bourbon and Bacon. | 13:29 |
redrobot | *Devil's Elbow | 13:29 |
rm_work | Sold me with the bacon | 13:29 |
redrobot | Luzi, awesome! I'm going to try to get to Berlin too. π€π€ | 13:29 |
redrobot | ok, moving on | 13:31 |
redrobot | #topic Open Discussion | 13:31 |
*** openstack changes topic to "Open Discussion (Meeting topic: barbican)" | 13:31 | |
redrobot | Anything else y'all want to talk about? | 13:31 |
tosky | soooo, a review in barbican-tempest-plugin | 13:31 |
tosky | this one, part of the "drop py2" goal: https://review.opendev.org/#/c/704083/ | 13:31 |
tosky | also, I noticed there is a bunch of barbican-tempest-plugin reviews which could be easily reviewed or even approved (like opendev links migration, stestr migration, etc.) | 13:32 |
redrobot | tosky, looking | 13:33 |
* redrobot adds barbican-tempest-plugin to his review queue | 13:33 | |
tosky | thanks! | 13:36 |
redrobot | Anything else we should talk about? | 13:37 |
nearyo | Sorry guys ... BEST-WIFI (TM). For those who are interested in the barbican-ui or if someone has any questions, it's probably the easiest to write me an email to dag.dammann@cloudandheat.com | 13:37 |
redrobot | Ack, thanks again for the UI work, nearyo | 13:38 |
nearyo | my pleasure ^^ | 13:38 |
redrobot | Alrighty, y'all. I don't have anything else on the agenda. | 13:39 |
redrobot | Thanks everyone for joining! | 13:39 |
redrobot | See y'all online! | 13:39 |
redrobot | #endmeeting | 13:39 |
*** openstack changes topic to "OpenStack Barbican Development - Weekly Meeting Agenda: https://etherpad.openstack.org/p/barbican-weekly-meeting" | 13:39 | |
openstack | Meeting ended Tue Mar 10 13:39:37 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:39 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-03-10-13.00.html | 13:39 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-03-10-13.00.txt | 13:39 |
openstack | Log: http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-03-10-13.00.log.html | 13:39 |
*** nearyo has quit IRC | 13:40 | |
rm_work | hmmm either need to write a barbican driver or a castellan driver for our internal secret-store system >_> | 13:56 |
rm_work | deciding which... technically our secret-store has its own API with user auth, so i guess I can just skip directly to castellan and we don't actually need to run Barbican :/ | 13:56 |
*** dave-mccowan has joined #openstack-barbican | 14:03 | |
openstackgerrit | Merged openstack/castellan master: Moving common objects under KeyManager. https://review.opendev.org/710440 | 14:16 |
redrobot | rm_work, I think the deciding factor should be: Do end users of your cloud need to access secrets with those same credentials? | 14:17 |
redrobot | rm_work, because Castellan->YourSecretStore driver means all secrets will be owned by the user you configure in that Castellan plugin | 14:18 |
rm_work | yeah it's all universally the same auth | 14:18 |
rm_work | openstack auth + secret auth is all with Athenz | 14:18 |
redrobot | So, for example, let's say you use Castellan for Octavia | 14:19 |
rm_work | all uses the same x509 certs | 14:19 |
redrobot | Which credentials will the Octavia service use to talk to the backend? | 14:19 |
rm_work | and octavia will have full admin access to the system (don't think about it) | 14:19 |
redrobot | If you want to write a driver that proxies those credentials, then you may not need Barbican. | 14:19 |
redrobot | or maybe your driver will impersonate credentials | 14:20 |
rm_work | nah we're just god-min | 14:20 |
redrobot | Hmm ... If the user story is -> 1. User uploads secret to YourSecretStore, 2. Octavia uses godmin privs to get that secret, then you should be good with just Castellan | 14:22 |
rm_work | yep thats it | 14:22 |
rm_work | exactly | 14:22 |
redrobot | The only issue with Castellan-only would be if any service is generating Secrets | 14:23 |
redrobot | then you have to impersonate | 14:23 |
rm_work | just octavia uses secrets and we don't generate | 14:23 |
redrobot | IF you want the users to later retrieve those using their credentials | 14:23 |
redrobot | Yeah, sounds like least resistance may be writing a Castellan driver | 14:23 |
rm_work | we run barbican now but literally no one uses it T_T | 14:24 |
redrobot | πππ | 14:24 |
johnsom | rm_work: Did you find out about that barbican client exception issue? | 14:25 |
rm_work | not yet, i should probably be asking about that XD | 14:25 |
johnsom | i.e. secrets api with container ref not raising an exception | 14:25 |
rm_work | also still never heard a confirmation from alee about that tomcat thing, ah well | 14:26 |
rm_work | yeah i seriously don't know what's going on there, i think someone f'd something up | 14:26 |
rm_work | if you use the client to pass a ref to secret-get, if that ref isn't valid, it will 404 | 14:26 |
rm_work | end of story | 14:26 |
rm_work | whether it's a valid container-ref or not is irrelevant | 14:27 |
rm_work | as far as the client is concerned, it's NOT a valid secret ref | 14:27 |
rm_work | it's not going around comparing to other object types just in case you tried the wrong type, lol | 14:27 |
johnsom | I just don't want to revert that patch for better error handling on our side | 14:27 |
redrobot | rm_work, ade_lee is out on PTO | 14:29 |
rm_work | ahh ok | 14:29 |
rm_work | johnsom: yeah we shouldn't | 14:29 |
rm_work | i honestly am not sure i believe it's a real error | 14:29 |
rm_work | have you replicated it yourself? | 14:29 |
rm_work | i've been having issues getting my devstack working recently for a number of issues so it's hard for me to test this kind of thing | 14:30 |
rm_work | oh, though ... i bet this is testable directly in my real cloud actually <_< | 14:31 |
rm_work | sec, i'll give it a whirl in a minute | 14:31 |
*** Luzi has quit IRC | 14:32 | |
johnsom | I have not tested it. Focused on unit tests currently. | 14:39 |
rm_work | k i'm stuck on remembering how to generate a valid cert+key :D | 14:40 |
rm_work | ah octavia has a thing | 14:40 |
rm_work | lol apparently our barbican deployment is broken enough that i can't store a cert T_T | 14:42 |
redrobot | rm_work, oof, that sucks. Let me know if you need help debugging | 14:46 |
rm_work | ah nah it seems like the issue isn't in barbican | 14:47 |
rm_work | it's something with our LB shutting off connections too early | 14:47 |
rm_work | not sure what's up | 14:47 |
rm_work | it just means it's gonna take me a sec | 14:48 |
rm_work | lol apparently default users don't even have permissions in our cloud to use barbican, awesome | 14:48 |
rm_work | ah and as admin, it fails somehow to create | 14:49 |
rm_work | (i'm bypassing the LB now) | 14:50 |
rm_work | lol so i just ran it a couple more times and randomly eventually got a different error | 14:51 |
rm_work | this is super weird | 14:52 |
rm_work | http://paste.openstack.org/show/790513/ | 14:53 |
rm_work | it's just alternating between 400 and 500 | 14:53 |
rm_work | super odd | 14:53 |
rm_work | ahhhh | 14:54 |
rm_work | on the barbican side: | 14:54 |
rm_work | requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://localhost:8373/kra/rest/agent/keyrequests | 14:54 |
rm_work | so obviously we messed up the auth for dogtag | 14:55 |
rm_work | yeah ok due to general incompetence, I will not be able to test this easily :D | 15:11 |
redrobot | rm_work, oof | 15:12 |
rm_work | ah and apparently our security policy won't let us do TLS Termination on a LB anyway | 15:12 |
* rm_work flips table | 15:12 | |
* rm_work burns it all down | 15:12 | |
*** trident has quit IRC | 16:34 | |
*** trident has joined #openstack-barbican | 16:36 | |
*** trident has quit IRC | 18:08 | |
*** trident has joined #openstack-barbican | 18:17 | |
*** openstackgerrit has quit IRC | 19:32 | |
*** openstackstatus has joined #openstack-barbican | 20:18 | |
*** ChanServ sets mode: +v openstackstatus | 20:18 | |
*** dave-mccowan has quit IRC | 20:27 | |
*** xek has quit IRC | 21:07 | |