*** tkajinam has quit IRC | 01:06 | |
*** tkajinam has joined #openstack-barbican | 01:07 | |
*** redrobot0 has joined #openstack-barbican | 04:07 | |
*** redrobot has quit IRC | 04:11 | |
*** redrobot0 is now known as redrobot | 04:11 | |
*** Luzi has joined #openstack-barbican | 06:37 | |
*** xek has joined #openstack-barbican | 07:09 | |
*** tosky has joined #openstack-barbican | 08:03 | |
*** xek has quit IRC | 09:11 | |
*** xek has joined #openstack-barbican | 09:15 | |
trident | Does an issue with creating secrets without a name specified resulting in breaking that user's context completely, even for "openstack secret list" (error: "4xx Client error: Forbidden: Secret retrieval attempt not allowed - please review your user/project privileges"), ring a bell? Creating the exact same secret _with_ a specified name works. Train / p11_crypto_plugin / Thales DPoD. | 09:23 |
trident | The most puzzling thing is that in another region with the same versions and configuration it seems to work just fine. | 09:24 |
trident | Any hints on where to start looking? | 09:25 |
*** iurygregory has joined #openstack-barbican | 10:17 | |
*** ricolin has quit IRC | 12:15 | |
*** d34dh0r53 has joined #openstack-barbican | 12:46 | |
redrobot | hi trident | 12:46 |
redrobot | trident seems like an RBAC permissions error. It should not be related to the name property, I think. | 12:47 |
trident | redrobot: openstack secret store --secret-type symmetric causes the issue while openstack secret store --secret-type symmetric --name foo works, so it doesn't seem like it. | 13:06 |
redrobot | trident same credentials? | 13:07 |
trident | redrobot: Yes. | 13:07 |
redrobot | trident for both store/retrieve? | 13:07 |
*** rajivmucheli has joined #openstack-barbican | 13:07 | |
trident | redrobot: It _does_ in fact store it. But it can't retrieve it if it doesn't have a name. | 13:08 |
redrobot | Hmm... that's weird | 13:09 |
redrobot | trident what roles are assigned to the user? | 13:09 |
rajivmucheli | Hi, I see there are online blogs/articles to integrate Barbican/HSM but it's a mix & match. Is there an entire workflow doc available? | 13:09 |
trident | redrobot: That's why "openstack secret list" breaks, as well as the client's attempt to GET the secret after storing it. | 13:09 |
rajivmucheli | also, is there a doc to migrate from Simple Crypto Plugin to HSM? | 13:10 |
trident | redrobot: Implied roles. Both creator and reader. And exactly the same in the region where it works. | 13:10 |
redrobot | trident ah, I see. yeah, neither "creator" nor "reader" is allowed to retrieve a secret in the default policy | 13:11 |
trident | redrobot: Really? Docs seem to say: "They are also allowed full access to existing secrets owned by the project in scope." for creator role... | 13:14 |
redrobot | trident actually, I'm confused now ... the old policy should allow "creator" to retrieve a secret. | 13:14 |
redrobot | trident looking at https://docs.openstack.org/barbican/latest/admin/access_control.html | 13:14 |
redrobot | We did implement the new unified "secure-rbac" policy for wallaby | 13:15 |
redrobot | but the old policy is still the default | 13:15 |
trident | redrobot: And that would still not explain why it would work perfectly with a name, but not without one... | 13:15 |
redrobot | Yeah, that is strange. | 13:15 |
redrobot | trident mind opening a bug story: https://storyboard.openstack.org/#!/project/openstack/barbican ? | 13:16 |
trident | redrobot: Yeah, I'll collect some information and get something in there! Thanks for the response! | 13:17 |
redrobot | rajivmucheli hi, have you looked at https://docs.openstack.org/barbican/latest/install/barbican-backend.html | 13:19 |
redrobot | specifically https://docs.openstack.org/barbican/latest/install/barbican-backend.html#pkcs-11-crypto-plugin | 13:20 |
redrobot | the workflow is: | 13:21 |
redrobot | 1. edit the conf file to set the correct parameters for your HSM | 13:21 |
redrobot | 2. Create the MKEK and HMAC keys in the HSM using the barbican-manage CLI tool | 13:21 |
redrobot | 3. restart barbican | 13:21 |
*** rajivmucheli55 has joined #openstack-barbican | 13:21 | |
redrobot | We don't have a "migration" per-se, but you can use multiple backends to configure both simple crypto and pkcs#11 at the same time | 13:22 |
redrobot | you can default to pkcs#11 for new secrets while still making the old secrets available with simple-crypto | 13:22 |
rajivmucheli55 | thanks, yes I did. Which is the best vendor to pick, if cost is not a constraint, for a multi-tenant & multi-region setup? | 13:23 |
rajivmucheli55 | is the soft-hsm module production ready? | 13:24 |
*** rajivmucheli has quit IRC | 13:25 | |
redrobot | I'm not sure what you mean by "soft-hsm"? If you're referring to the SoftHSM library provided by the DNSSEC group, then it may work, but we don't test it currently | 13:25 |
rajivmucheli55 | https://github.com/openstack/charm-barbican-softhsm | 13:26 |
redrobot | Hmm... interesting. Yeah, that's SoftHSM. Our team doesn't maintain that charm though, and as they noted it may currently be broken. | 13:27 |
rajivmucheli55 | oh ok, then I would invest time on this. So coming back to the question, which is the best vendor to pick, if cost is not a constraint, for a multi-tenant & multi-region setup? | 13:28 |
redrobot | > cost is not a constraint < nice! | 13:30 |
rajivmucheli55 | :) | 13:30 |
redrobot | Thales Luna Network HSM is worth considering as they provide good support for HA configurations. | 13:31 |
redrobot | Also take a look at Entrust nCipher | 13:31 |
redrobot | I don't have any experience with Utimaco, so I can't comment on those | 13:31 |
redrobot | ATOS are fine, but the HA support is not ideal | 13:32 |
rajivmucheli55 | oh ok, thanks | 13:32 |
rajivmucheli55 | is there a doc on the hardware side? like how to set up communication, networking, etc. | 13:33 |
redrobot | When you decide on a vendor for your HSM they should make all that available to you | 13:33 |
rajivmucheli55 | oh ok. | 13:33 |
redrobot | You can get an idea of how things work by looking at the ansible-role-XXXX-hsm roles we provide | 13:33 |
redrobot | https://opendev.org/openstack/ansible-role-lunasa-hsm for example | 13:34 |
rajivmucheli55 | nice | 13:35 |
*** rajivmucheli55 has quit IRC | 13:40 | |
*** raildo has joined #openstack-barbican | 13:42 | |
*** ricolin has joined #openstack-barbican | 13:50 | |
*** dave-mccowan has quit IRC | 14:57 | |
*** d34dh0r53 has quit IRC | 15:11 | |
*** d34dh0r53 has joined #openstack-barbican | 15:25 | |
*** Luzi has quit IRC | 16:31 | |
*** raildo_ has joined #openstack-barbican | 16:56 | |
*** raildo has quit IRC | 16:59 | |
*** raildo_ has quit IRC | 20:36 | |
*** lxkong has quit IRC | 20:38 | |
*** gagehugo has quit IRC | 20:38 | |
*** mnasiadka has quit IRC | 20:38 | |
*** gagehugo has joined #openstack-barbican | 20:38 | |
*** lxkong has joined #openstack-barbican | 20:38 | |
*** mnaser has quit IRC | 20:38 | |
*** mnasiadka has joined #openstack-barbican | 20:39 | |
*** mnaser has joined #openstack-barbican | 20:39 | |
*** tosky has quit IRC | 23:23 |