mvpnitesh | hi all, I'm trying to execute barbican-tempest-plugin. I don't have an L3 agent in my setup and when I try to run barbican-tempest-plugin all the test cases are failing. When I see the tempest code at https://github.com/openstack/tempest/blob/25.0.0/tempest/lib/common/dynamic_creds.py#L343 , I see the router creation is happening. Is it mandatory to have an L3 agent? My tempest.conf is https://paste.openstack.org/show/809908/ let me know if i | 09:18 |
---|---|---|
opendevreview | Pavlo Shchelokovskyy proposed openstack/barbican master: Add support for Vault Namespaces https://review.opendev.org/c/openstack/barbican/+/813606 | 10:27 |
tosky | mvpnitesh: does any other tempest test which requires networking up work? This may not be a barbican-tempest-plugin issue | 12:16 |
tosky | tempest expects to be able to connect to the nodes | 12:17 |
tosky | at least for some checks | 12:17 |
tosky | it may be better to ask on the -qa channel, and provide also the exact error message | 12:17 |
tosky | traceback even | 12:17 |
mvpnitesh | Hi tosky, I know that. This is not a barbican-tempest-plugin issue. I might be missing some config | 12:18 |
mvpnitesh | I've already asked in -qa, no response from them | 12:18 |
tosky | there is going to be more activity on the channel later | 12:36 |
tosky | with the logs too? | 12:37 |
kim_s | will there be the possibility to ask questions later? | 12:39 |
tosky | kim_s: sorry, that one was an answer to mvpnitesh about an earlier question, and I was talking about the -qa channel | 12:43 |
thelounge94 | #startmeeting barbican | 13:01 |
opendevmeet | Meeting started Tue Oct 12 13:01:48 2021 UTC and is due to finish in 60 minutes. The chair is thelounge94. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:01 |
opendevmeet | The meeting name has been set to 'barbican' | 13:01 |
thelounge94 | #topic Roll Call | 13:02 |
*** | thelounge94 is now known as redrobot | 13:02 |
redrobot | Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work tosky xek nearyo oleksandry | 13:03 |
redrobot | #chair redrobot | 13:03 |
d34dh0r53 | o/ | 13:04 |
*** | redrobot is now known as thelounge94 | 13:04 |
thelounge94 | #chair redrobot | 13:04 |
opendevmeet | Warning: Nick not in channel: redrobot | 13:04 |
opendevmeet | Current chairs: redrobot thelounge94 | 13:04 |
*** | thelounge94 is now known as redrobot | 13:04 |
rajiv | Hi, I have a question on Barbican-HSM integration, mailed openstack-discuss but had no response. Could I ask now or wait till the end for Q&A? | 13:06 |
redrobot | rajiv hi I'll add your topic to the agenda | 13:08 |
tosky | o/ | 13:08 |
redrobot | hi tosky! | 13:08 |
redrobot | OK, let's get started | 13:08 |
redrobot | #topic Review Past Meeting Action Items | 13:08 |
redrobot | #link https://meetings.opendev.org/meetings/barbican/2021/barbican.2021-10-05-13.01.html | 13:09 |
redrobot | We didn't have any | 13:09 |
redrobot | moving on ... | 13:09 |
redrobot | #topic Liaison Updates | 13:09 |
redrobot | tosky do you have anything for us? | 13:09 |
tosky | nothing from my side | 13:13 |
redrobot | ack, thanks! | 13:13 |
redrobot | moving on | 13:13 |
redrobot | Topic Barbican+HSM integration | 13:13 |
redrobot | #topic Barbican+HSM integration | 13:13 |
redrobot | rajiv ^^^ | 13:13 |
rajiv | Hi, I am switching from the soft crypto plugin to an HSM backend | 13:14 |
rajiv | Thales A790 | 13:14 |
rajiv | I am told Barbican uses a self-generated IV instead of a module-generated IV, which FIPS does not support and which shows an incorrect parameter error in FIPS mode. | 13:14 |
rajiv | Is this fixed in Barbican? Or does Barbican not run if FIPS operation mode is enabled? | 13:15 |
redrobot | I had to google "Thales A790". Looks like it's the same as the Thales Luna Network HSM? | 13:16 |
rajiv | FIPS 140-2 L3 to be precise | 13:16 |
rajiv | yes, this is the latest device offered by Thales Luna Network HSM | 13:16 |
kim_s | yes, Luna A790 is the Thales Luna Network HSM, the password-based one | 13:16 |
rajiv | https://cpl.thalesgroup.com/resources/encryption/openstack-barbican-integration-guide | 13:18 |
redrobot | Yeah, that seems right that FIPS mode does not work. I think we've documented that limitation. Let me look for a link | 13:18 |
redrobot | rajiv Oh yeah, I've seen that guide before | 13:19 |
kim_s | yes, you documented it; the question is: is it still the case? And why exactly? Because it seems that this restriction is only for Luna HSM. | 13:19 |
redrobot | rajiv open that PDF and scroll down to pre-requisites | 13:19 |
redrobot | > The OpenStack Barbican integration does not work with a SafeNet Luna HSM or | 13:19 |
redrobot | Data Protection on Demand HSM on Demand services operating in FIPS mode. | 13:19 |
kim_s | this Thales Integration Guide is quite old, from 2019; we have some more current ones | 13:19 |
redrobot | AFAIK there has been no work done to add support for FIPS mode | 13:19 |
kim_s | yes, DPoD seems to work in FIPS Mode, and DPoD is Luna HSM | 13:20 |
rajiv | kim_s: thanks for reiterating the question | 13:20 |
rajiv | redrobot: yes, that's the page I am referring to. I would like to know why this restriction is in place | 13:21 |
rajiv | is there a workaround ? | 13:21 |
redrobot | rajiv probably because of the reasons you outlined with the IV being generated as you explained | 13:21 |
kim_s | the irritation is: Barbican with Luna HSM is, per the docs, not FIPS mode compatible, but Barbican with DPoD (which are Luna HSMs) is FIPS mode compatible. Could we clarify this? | 13:22 |
redrobot | I do not know if there is a workaround. You might try setting aes_gcm_generate_iv=False, but I don't know if that would work or not | 13:22 |
redrobot | https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L98-L100 | 13:22 |
redrobot | kim_s I am not familiar with DPoD | 13:22 |
kim_s | I'm from Thales, so I'm a little bit familiar with DPoD and Luna HSMs, but unfortunately I'm not familiar with Barbican | 13:23 |
rajiv | okay, I will try. | 13:23 |
redrobot | kim_s gotcha. IIRC, the doc linked by rajiv was produced by Gemalto prior to being acquired by Thales | 13:24 |
redrobot | We (the barbican open source community) don't have access to HSM hardware for development, so that FIPS testing was done by Gemalto | 13:24 |
redrobot | in our documentation we do not mention DPoD | 13:25 |
kim_s | ah, ok, thx @redrobot | 13:25 |
redrobot | #link https://docs.openstack.org/barbican/latest/install/barbican-backend.html#thales-luna-network-hsm-safenet | 13:25 |
redrobot | Our note just says: | 13:25 |
redrobot | > Barbican does not support FIPS mode enabled for SafeNet Luna HSM or Data Protection on Demand HSM. Make sure that it’s operating in non-FIPS mode while integrating with Barbican. | 13:25 |
redrobot | oh, I guess we do mention DPoD | 13:26 |
redrobot | but our docs say we don't support that either | 13:26 |
redrobot | In any case, you might be able to set that option to False and be OK. I think that's the flag that Barbican checks to decide whether to generate an IV or not. | 13:26 |
redrobot | You might also need to tune the Mechanism | 13:26 |
redrobot | I am not sure GCM is supported in FIPS? | 13:27 |
kim_s | the current DPoD Integration Guide doesn't speak about FIPS mode incompatibility: https://thalesdocs.com/dpod/services/integrations/other/openstack/index.html | 13:27 |
redrobot | again, that's your doc, not one produced by the community. 😅 | 13:28 |
kim_s | but as I understood it, the Barbican community did not do the tests with Thales HSMs, so I'll try to get a response from our Product Management - again :) | 13:28 |
redrobot | For historical context: Barbican was initially developed by Rackspace. We had SafeNet Lunas to develop the system, but we were not able to make them available to our community for testing, so all testing was done downstream. | 13:29 |
redrobot | Rackspace did not use FIPS mode, so we did not test that | 13:29 |
redrobot | I believe only Safenet/Gemalto tested FIPS mode | 13:30 |
redrobot | Currently most of the core team works at Red Hat | 13:30 |
rajiv | okay, so do other vendors' HSM devices work well in FIPS mode? | 13:30 |
redrobot | we also have downstream Lunas for testing, but we are also unable to make them available to the community for testing. | 13:30 |
redrobot | rajiv I don't know. I have not personally tested any HSM with FIPS mode enabled | 13:31 |
redrobot | rajiv kim_s, that said we'd be more than happy to review any patches to add FIPS mode support | 13:31 |
redrobot | I suggest start by tweaking the config options | 13:32 |
rajiv | redrobot: I will test this in my QA setup. Would there be any config options to look out for? Any downsides to setting it to true? | 13:32 |
redrobot | e.g. turn off IV generation, and possibly change the mechanism to CKM_AES_CBC or something more compatible than GCM | 13:32 |
redrobot | https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L77-L79 | 13:32 |
redrobot | rajiv yes, I linked the two options that are most relevant | 13:33 |
rajiv | sure, how about other plugins ? | 13:34 |
redrobot | rajiv all HSMs use the same plugin | 13:34 |
rajiv | KMIP ? | 13:34 |
redrobot | KMIP backend is not very well tested. I doubt FIPS is supported as we had the same situation where we had no HSMs for testing and were only using pykmip for testing. | 13:35 |
redrobot | Unfortunately the folks behind the KMIP backend (who had the downstream HSMs for development) are no longer contributing to the project | 13:36 |
redrobot | We can certainly review patches to add FIPS support to KMIP if needed. | 13:36 |
rajiv | ah I see, pkcs11 is the best bet to start with I guess. | 13:37 |
kim_s | yes, pkcs#11 is the best option | 13:37 |
rajiv | maybe after testing the config options, etc., I could raise a question/bug request for further assistance? | 13:38 |
redrobot | Yeah, here or the mailing list are good places to ask questions | 13:40 |
redrobot | (although I haven't checked the ML in a few days and missed your email 😅) | 13:41 |
rajiv | thanks | 13:41 |
redrobot | rajiv you're welcome | 13:41 |
redrobot | OK, moving on | 13:41 |
redrobot | #topic PTG | 13:41 |
redrobot | #link https://etherpad.opendev.org/p/yoga-ptg-barbican | 13:42 |
redrobot | PTG is coming up next week | 13:42 |
redrobot | We have two sessions scheduled on Tuesday October 19 and Thursday October 21 | 13:42 |
redrobot | both sessions start at 1300 UTC | 13:42 |
redrobot | #info weekly meeting next week is canceled | 13:43 |
redrobot | since we'll all be at the PTG | 13:43 |
redrobot | please sign up if you haven't yet. | 13:43 |
redrobot | Also feel free to add any topics you want to talk about to the etherpad I linked above | 13:44 |
redrobot | #topic Kanban Review | 13:47 |
redrobot | #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban | 13:48 |
redrobot | not a whole lot of progress on my end | 13:49 |
redrobot | #topic New Bug Review | 13:49 |
redrobot | #link https://storyboard.openstack.org/#!/project_group/barbican | 13:49 |
redrobot | Looks like no new bugs | 13:52 |
redrobot | #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0 | 13:53 |
redrobot | and no new Castellan bugs | 13:53 |
redrobot | #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0 | 13:53 |
redrobot | and no new Cursive bugs | 13:53 |
redrobot | #topic Open Discussion | 13:54 |
redrobot | We have a few minutes if anyone else has something quick to talk about? | 13:54 |
redrobot | rajiv please open a Storyboard bug about FIPS mode not working | 13:55 |
redrobot | That's all the time we have for today | 13:59 |
redrobot | thanks for joining, everyone! | 13:59 |
redrobot | #endmeeting | 13:59 |
opendevmeet | Meeting ended Tue Oct 12 13:59:12 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:59 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2021/barbican.2021-10-12-13.01.html | 13:59 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2021/barbican.2021-10-12-13.01.txt | 13:59 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2021/barbican.2021-10-12-13.01.log.html | 13:59 |
opendevreview | Merged openstack/barbican master: Fix secret metadata access rules https://review.opendev.org/c/openstack/barbican/+/811236 | 18:51 |
opendevreview | Merged openstack/barbican master: Fix secret metadata access rules (pt 2) https://review.opendev.org/c/openstack/barbican/+/811237 | 18:57 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Add secure-rbac tests for Secret Metadata https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/810942 | 19:32 |
opendevreview | Douglas Mendizábal proposed openstack/barbican stable/train: DNM - Check stable/train gate health https://review.opendev.org/c/openstack/barbican/+/813706 | 21:15 |
opendevreview | Lingxian Kong proposed openstack/castellan master: Support setting Vault kv version config https://review.opendev.org/c/openstack/castellan/+/807664 | 21:20 |