Tuesday, 2020-11-10

04:19 *** dave-mccowan has quit IRC
04:20 *** dave-mccowan has joined #openstack-barbican
07:32 *** tosky has joined #openstack-barbican
08:23 *** tosky has quit IRC
08:23 *** xek has joined #openstack-barbican
08:35 *** xek_ has joined #openstack-barbican
08:38 *** xek has quit IRC
08:42 *** xek_ has quit IRC
08:43 *** xek_ has joined #openstack-barbican
09:29 *** xek__ has joined #openstack-barbican
09:31 *** tosky has joined #openstack-barbican
09:32 *** xek_ has quit IRC
09:50 *** xek__ has quit IRC
09:52 *** xek__ has joined #openstack-barbican
10:06 *** xek_ has joined #openstack-barbican
10:09 *** xek__ has quit IRC
10:17 *** xek_ has quit IRC
10:19 *** xek_ has joined #openstack-barbican
10:25 *** xek__ has joined #openstack-barbican
10:26 *** johnsom has quit IRC
10:28 *** johnsom has joined #openstack-barbican
10:28 *** xek_ has quit IRC
11:51 *** Luzi has joined #openstack-barbican
12:17 *** xek__ has quit IRC
12:18 *** xek__ has joined #openstack-barbican
12:28 <noonedeadpunk> hey! having a question about the logic of the simple_crypto secretstore plugin...
12:28 *** xek_ has joined #openstack-barbican
12:28 <noonedeadpunk> so in case both simple_crypto_plugin and p11_crypto_plugin sections are present in config - what will be used?
12:30 <noonedeadpunk> * store_crypto to be exact
12:31 <noonedeadpunk> however, I think it's still more about crypto storage rather than secret storage in case of pkcs11?
12:32 *** xek__ has quit IRC
13:00 <redrobot> hi noonedeadpunk!
13:00 <redrobot> I can answer your questions after the meeting (or during)
13:00 <redrobot> #startmeeting barbican
13:00 <openstack> Meeting started Tue Nov 10 13:00:48 2020 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00 *** openstack changes topic to " (Meeting topic: barbican)"
13:00 <openstack> The meeting name has been set to 'barbican'
13:00 <redrobot> #topic Roll Call
13:00 *** openstack changes topic to "Roll Call (Meeting topic: barbican)"
13:01 <noonedeadpunk> o/
13:01 <tosky> hi
13:01 <redrobot> Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek nearyo
13:01 <redrobot> hi tosky!
13:01 <redrobot> hi noonedeadpunk!
13:02 <Luzi> o/
13:02 <redrobot> As usual our agenda can be found here:
13:02 <moguimar> o/
13:02 <redrobot> #link https://etherpad.opendev.org/p/barbican-weekly-meeting
13:02 <redrobot> hi Luzi!
13:02 <redrobot> hi moguimar!
13:02 <redrobot> let's get started
13:02 <redrobot> #topic Review Past Meeting Action Items
13:03 *** openstack changes topic to "Review Past Meeting Action Items (Meeting topic: barbican)"
13:03 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-03-13.00.html
13:03 <redrobot> First, I did not get a chance to dig into noonedeadpunk's Cinder -> Barbican + Vault issue :(
13:03 <redrobot> #action redrobot to work with noonedeadpunk to fix the Cinder+Vault issue
13:03 <redrobot> Will shoot for this week
13:04 <noonedeadpunk> no hurry for this :)
13:04 <redrobot> Aaaaand I didn't update the Kanban board either :(
13:04 <noonedeadpunk> I hope I won't do this scenario but anyway worth fixing I guess
13:04 <redrobot> #action redrobot to update the kanban board
13:04 <redrobot> noonedeadpunk, we had someone else ask about it yesterday
13:05 <redrobot> they filed a story to track it which we'll get to at the bug review
13:06 <redrobot> And lastly I did get myself added to the stable team! :D
13:06 <redrobot> I was able to get a lot of stable branches back to healthy
13:06 <noonedeadpunk> ah, I should file a story as well I guess :(
13:06 <noonedeadpunk> that's super cool
13:07 <redrobot> some of the older ones (pike, queens, stein) still need a bit more work
13:07 <redrobot> noonedeadpunk, :D
13:07 <redrobot> OK, moving on
13:07 <redrobot> #topic Liaison updates
13:07 *** openstack changes topic to "Liaison updates (Meeting topic: barbican)"
13:07 <redrobot> tosky, any news from testing?
13:07 <moguimar> nothing from oslo
13:08 <tosky> nothing from me
13:08 <redrobot> Cool, moving on then
13:08 <redrobot> #topic Kanban Review
13:08 *** openstack changes topic to "Kanban Review (Meeting topic: barbican)"
13:08 <redrobot> #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban
13:08 <redrobot> moguimar, any updates on HVAC?
13:09 <moguimar> not yet
13:10 <redrobot> I don't have any updates either.
13:10 <redrobot> #topic Bug Review
13:10 *** openstack changes topic to "Bug Review (Meeting topic: barbican)"
13:10 <redrobot> #link https://storyboard.openstack.org/#!/project_group/barbican
13:10 <redrobot> We did get a new bug in Storyboard:
13:10 <redrobot> #link https://storyboard.openstack.org/#!/story/2008335
13:11 <redrobot> it looks to be the same issue that noonedeadpunk found last week with Cinder -> Barbican + Vault
13:11 <noonedeadpunk> yeah, it's exactly the same
13:11 <noonedeadpunk> except I think I found it out 3 weeks ago or so, but yeah :)
13:12 <redrobot> hehe
13:12 <redrobot> cool, I'll hopefully get some time to look into it sooner rather than later
13:14 <redrobot> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:14 <redrobot> looks like no new bugs in Castellan
13:14 <redrobot> #topic Wayward Reviews
13:14 *** openstack changes topic to "Wayward Reviews (Meeting topic: barbican)"
13:14 <redrobot> #link https://tinyurl.com/y3ydwmkl
13:15 <moguimar> we have two patches on castellan
13:15 <moguimar> stable branches
13:15 <moguimar> https://review.opendev.org/#/c/759447/
13:16 <moguimar> https://review.opendev.org/#/c/759448/
13:17 <moguimar> but I guess we're missing Victoria there
13:17 <noonedeadpunk> 759447 looks valid
13:17 <redrobot> moguimar, yeah, I was trying to check right now if we had a victoria backport
13:18 <noonedeadpunk> it's not needed for victoria
13:18 <noonedeadpunk> as you've branched with it
13:18 <moguimar> I'm not sure if victoria was forked before Oct 23
13:19 <moguimar> or after
13:19 <noonedeadpunk> it's easy to check with the Included In dropdown in gerrit
13:19 <noonedeadpunk> which claims that stable/victoria already has this patch
13:20 <noonedeadpunk> reno is here https://opendev.org/openstack/castellan/src/branch/stable/victoria/releasenotes/notes/use-barbican-endpoint-type-config-option-e583d30930cc22ba.yaml
13:21 <moguimar> ok, we have it in vic
13:22 <redrobot> yeah, just checked in my local repo with `git branch --contains e63d813a70eb4b841937a4e8a06a55e85d3ea97d`
13:22 <moguimar> did the same here redrobot
13:23 <redrobot> looks like the rest of our old patches are all -1'd
13:23 <redrobot> #topic Open Discussion
13:23 *** openstack changes topic to "Open Discussion (Meeting topic: barbican)"
13:23 <redrobot> Anything else y'all want to talk about?
13:30 <redrobot> Thanks for joining everyone!
13:30 <redrobot> #endmeeting
13:30 *** openstack changes topic to "OpenStack Barbican Development - Weekly Meeting Agenda: https://etherpad.openstack.org/p/barbican-weekly-meeting"
13:30 <openstack> Meeting ended Tue Nov 10 13:30:50 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
13:30 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-10-13.00.html
13:30 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-10-13.00.txt
13:30 <openstack> Log:            http://eavesdrop.openstack.org/meetings/barbican/2020/barbican.2020-11-10-13.00.log.html
14:08 *** xek__ has joined #openstack-barbican
14:10 *** xek_ has quit IRC
14:11 *** xek has joined #openstack-barbican
14:13 *** xek__ has quit IRC
14:13 <openstackgerrit> Merged openstack/castellan stable/ussuri: Use 'barbican_endpoint_type' config option to get endpoint from catalog  https://review.opendev.org/759447
14:14 <redrobot> noonedeadpunk, just realized I didn't answer your config questions
14:15 <redrobot> noonedeadpunk, Barbican does support enabling more than one backend.
14:15 <noonedeadpunk> I wouldn't hesitate to ping you again later :P
14:16 <redrobot> :D
14:16 <redrobot> noonedeadpunk, https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html#enabling-multiple-barbican-backends
14:17 <redrobot> So, a SecretStore backend covers both storage and encryption.  Eg. SimpleCrypto does DB storage and software-only crypto.
14:17 <noonedeadpunk> yes, I know that. but what I was wondering is what will happen in case of having this config: http://paste.openstack.org/show/799877/
14:18 <redrobot> noonedeadpunk, store_crypto != simple crypto.  store_crypto only covers DB Storage, and uses PKCS#11 for the crypto
14:18 <noonedeadpunk> I think that simple_crypto_plugin and p11_crypto_plugin shouldn't be defined at the same time?
14:18 <noonedeadpunk> ah
14:18 <redrobot> IIRC it's fine if it's defined, as the logic will only load whatever you defined in enabled_secretstore_plugins
14:19 <noonedeadpunk> well, why I'm asking is that I decided to review what we have in the barbican role and https://opendev.org/openstack/openstack-ansible-os_barbican/src/branch/master/templates/barbican.conf.j2#L268-L295 looks weird to me
14:19 <noonedeadpunk> well it's just a defaults file with all options...
14:20 <noonedeadpunk> (I've already placed a patch to move kek to be randomly generated per deployment)
14:21 <noonedeadpunk> but I don't really understand what is going to happen... Since tempest works I think it uses the defined kek
14:21 <noonedeadpunk> but I guess to use the p11_crypto_plugin section, the simple_crypto_plugin section should be dropped?
14:22 <noonedeadpunk> so I feel totally wrong about what we're doing here
14:40 *** d34dh0r53 has quit IRC
14:47 *** d34dh0r53 has joined #openstack-barbican
15:01 <redrobot> noonedeadpunk, sorry, had to refresh my mind on the config stuff again
15:02 *** xek has quit IRC
15:03 *** xek has joined #openstack-barbican
15:03 <redrobot> Soooo... store_crypto + simple_crypto gets you db storage with software-only cryptography
15:03 <redrobot> store_crypto + pkcs11 gets you db storage with pkcs#11 crypto
15:04 <redrobot> [secretstore]enabled_secretstore_plugins = store_crypto ... for both
15:05 <redrobot> [crypto]enabled_crypto_plugins <--- is where you choose whether it'll be simple_crypto or pkcs11
15:07 <redrobot> So, [crypto]enabled_crypto_plugins = simple_crypto <--- gets you Software only crypto
15:07 *** Luzi has quit IRC
15:07 <redrobot> and [crypto]enabled_crypto_plugins = p11_crypto <--- gets you PKCS#11
15:07 <noonedeadpunk> ah!
15:07 <noonedeadpunk> ok, makes sense now
15:08 <noonedeadpunk> so for p11 I should set enabled_secretstore_plugins = store_crypto and enabled_crypto_plugins = p11_crypto
15:08 <redrobot> yup!
15:08 <noonedeadpunk> (unless it's multibackend)
15:09 * noonedeadpunk tries to use thales dpod
15:09 <redrobot> and then the details of the PKCS#11 library and credentials go into [p11_crypto_plugin]
15:09 <noonedeadpunk> yeah. sure
15:10 <noonedeadpunk> at the moment ended up with http://paste.openstack.org/show/799878/
15:10 <noonedeadpunk> I think I need to place certificates somewhere as well
15:14 <noonedeadpunk> wait, so, I can use enabled_secretstore_plugins = vault and  enabled_crypto_plugins = p11_crypto ?
15:15 <redrobot> sorry this stuff is so confusing :(
15:15 <redrobot> I am not 100% sure on how the vault backend for barbican works
15:16 <redrobot> noonedeadpunk, I want to say that the Vault backend covers both storage and encryption ... that is to say that secrets get stored directly to Vault instead of the DB
15:16 <redrobot> so when enabled_secretstore_plugins = vault, then barbican does not look at enabled_crypto_plugin
15:17 <noonedeadpunk> yeah, makes sense to me
15:17 <redrobot> in other words, enabled_crypto_plugin only gets checked when enabled_secretstore_plugins = store_crypto
15:17 <noonedeadpunk> was worth asking ;)
15:17 <noonedeadpunk> as it would be too good to be true :)
15:19 <noonedeadpunk> btw need to check stevedore how p11_crypto is really called as `barbican.plugin.crypto.base.CryptoPluginNotFound: Crypto plugin not found.`
15:22 <noonedeadpunk> well, the worst part here is that you can't use multi-user vault, as you provide to castellan just a single token (and I _really_ doubt it will create users if it's the root one).
15:23 <noonedeadpunk> in the meanwhile for p11 there are limitations on the number of keys that can be stored in the slot... at least for thales dpod
15:23 <redrobot> noonedeadpunk, crypto plugin not found is usually a secondary failure
15:23 <redrobot> sooo.... PKCS#11 plugin only stores 2 keys in the device
15:23 <noonedeadpunk> ah, you're right - `Problem seen creating plugin: 'p11_crypto': barbican.common.exception.P11CryptoTokenException: No token was found in slot 3`
15:24 <noonedeadpunk> redrobot: um, wait, I thought it creates a kek per tenant?
15:24 <redrobot> There's 2 root keys we use to secure a PKCS#11 deployment:  The MKEK and HMAC keys.  They're generated out of band using the barbican-manage CLI
15:25 <noonedeadpunk> `Secrets are encrypted (and decrypted on retrieval) by a project specific Key Encryption Key (KEK), which resides in the HSM.`?
15:25 <redrobot> So, each project (aka tenant) does get a PKEK
15:25 <redrobot> but they're stored in the DB
15:25 <noonedeadpunk> aha
15:26 <redrobot> actually the encrypted blob gets stored in the DB
15:26 <redrobot> encrypted by the MKEK that resides in the hsm
15:26 <redrobot> and then each secret is encrypted by the PKEK and stored in the DB as well
15:27 <redrobot> and all encryption/decryption happens inside the HSM
15:27 <redrobot> so PKEKs never leave the HSM unencrypted
15:28 <redrobot> we implemented this multi-layer encryption when we realized we had very little storage room in Luna Network HSMs back in the day.
15:28 <noonedeadpunk> well yes, I faced that I think)
15:29 <noonedeadpunk> as I think that's exactly what I'm trying to do right now
15:29 <redrobot> So yeah, the HSMs only permanently store the MKEK and HMAC.  Everything else is done in the HSM memory and encrypted blobs are persisted in the DB
15:30 <noonedeadpunk> ok, thank you so much for such a detailed explanation
15:30 <noonedeadpunk> it really explains a lot
15:32 <redrobot> 😁👍  Any time!
15:32 <noonedeadpunk> I will probably try to adjust docs https://docs.openstack.org/barbican/latest/install/barbican-backend.html
15:34 <redrobot> noonedeadpunk, would definitely appreciate any changes you think would make things clearer
15:34 <redrobot> noonedeadpunk, RE: http://paste.openstack.org/show/799878/  how are you generating the new random keys?
15:35 <noonedeadpunk> disregard it, it was an issue in conf.
15:35 <redrobot> cool
15:44 <noonedeadpunk> redrobot: since you said you had some hands on with luna network hsm, probably you know what level of access I should give to barbican? as there are po, co, cu?
15:52 *** xek_ has joined #openstack-barbican
15:53 *** xek has quit IRC
15:53 *** xek_ has quit IRC
15:53 <redrobot> noonedeadpunk, I want to say we were using Crypto Officer for barbican connections
15:54 <noonedeadpunk> yeah, ok, doing the same
15:54 *** xek_ has joined #openstack-barbican
15:55 <noonedeadpunk> just having `No token was found in slot` so decided to double check
15:58 <noonedeadpunk> well, I need to get used to looking through the full stack trace
15:58 <noonedeadpunk> HSM returned response code: 0x191 CKR_CRYPTOKI_ALREADY_INITIALIZED
15:58 <noonedeadpunk> thanks a lot for the help, will try to handle this now)
16:11 *** xek__ has joined #openstack-barbican
16:13 *** jmlowe has quit IRC
16:14 *** xek_ has quit IRC
16:14 *** jmlowe has joined #openstack-barbican
16:30 *** xek__ has quit IRC
16:31 *** xek__ has joined #openstack-barbican
16:33 *** xek_ has joined #openstack-barbican
16:36 *** xek__ has quit IRC
16:42 *** iurygregory has quit IRC
16:56 *** dave-mccowan has quit IRC
17:32 *** xek_ has quit IRC
17:33 *** xek_ has joined #openstack-barbican
17:33 *** iurygregory has joined #openstack-barbican
17:46 *** xek__ has joined #openstack-barbican
17:49 *** xek_ has quit IRC
18:41 <openstackgerrit> Ade Lee proposed openstack/barbican master: DNM: testing FIPS gate job  https://review.opendev.org/760665
19:09 *** xek__ has quit IRC
19:10 *** xek__ has joined #openstack-barbican
19:17 *** xek__ has quit IRC
19:18 *** xek__ has joined #openstack-barbican
19:29 *** gmann is now known as gmann_lunch
20:25 *** iurygregory has quit IRC
20:32 *** xek__ has quit IRC
20:33 *** xek__ has joined #openstack-barbican
20:40 *** xek_ has joined #openstack-barbican
20:42 *** tosky has quit IRC
20:42 *** xek__ has quit IRC
20:42 *** tosky has joined #openstack-barbican
20:43 *** xek_ has quit IRC
21:51 *** iurygregory has joined #openstack-barbican
22:01 *** raildo has quit IRC
22:27 *** gmann_lunch is now known as gmann
22:47 *** iurygregory has quit IRC
22:49 *** iurygregory has joined #openstack-barbican
22:55 *** tosky has quit IRC

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!