dmendiza[m] | #startmeeting barbican | 13:00 |
---|---|---|
opendevmeet | Meeting started Tue Jul 12 13:00:03 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:00 |
opendevmeet | The meeting name has been set to 'barbican' | 13:00 |
dmendiza[m] | #topic Roll Call | 13:00 |
Luzi | o/ | 13:00 |
dmendiza[m] | Hi Luzi | 13:00 |
Luzi | hi dmendiza[m] | 13:00 |
dmendiza[m] | Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage lxkong mhen rm_work tosky xek nearyo oleksandry | 13:00 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Remove create_server and rebuild_server methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/830121 | 13:01 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Remove get_remote_client method https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833580 | 13:01 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Remove create_timestamp & get_timestamp methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833587 | 13:02 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Remove create_volume & create_volume_type methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833546 | 13:02 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Set minimal tempest version to 27.0.0 https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/845282 | 13:02 |
dmendiza[m] | OK, let's get started | 13:03 |
dmendiza[m] | #topic Review Past Meeting Action Items | 13:03 |
dmendiza[m] | #link https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-05-13.00.html | 13:03 |
dmendiza[m] | We didn't have any | 13:03 |
dmendiza[m] | #topic Liaison Updates | 13:03 |
dmendiza[m] | tosky: around? | 13:03 |
tosky | more or less | 13:03 |
tosky | I've seen a few fixes being merged, thanks for that | 13:04 |
dmendiza[m] | Nice, thanks. | 13:04 |
tosky | the urgent ones are in, I need to recheck the other open changes | 13:04 |
dmendiza[m] | Cool, I'll try to get more reviews in the next few days | 13:05 |
dmendiza[m] | OK, moving on | 13:05 |
dmendiza[m] | #topic Microversions + Secret Consumers | 13:05 |
dmendiza[m] | We've been playing musical chairs with these patches | 13:05 |
dmendiza[m] | ade_lee is out on PTO for a couple of weeks, so I'm taking over his patches | 13:06 |
dmendiza[m] | also d34dh0r53 should be helping out too | 13:06 |
dmendiza[m] | plan is still to get those merged and try to get a python-barbicanclient and castellan releases as soon as possible | 13:07 |
dmendiza[m] | so folks can use the new versions before Zed-3 | 13:07 |
Luzi | just FYI i will be on PTO the first three weeks in August | 13:07 |
dmendiza[m] | Fun! Enjoy your time moff | 13:07 |
dmendiza[m] | *time off | 13:07 |
Luzi | i will hand over to my colleagues in case you get ready in that time | 13:08 |
Luzi | yeah thanks :D i need it | 13:08 |
dmendiza[m] | OK, moving on | 13:09 |
dmendiza[m] | #topic Secure RBAC | 13:09 |
dmendiza[m] | I haven't had a chance to work on our goals for Zed | 13:10 |
dmendiza[m] | definitely want to get that done before Zed-3 | 13:10 |
dmendiza[m] | Moving on ... | 13:10 |
tosky | there are also a few tempest tests for it | 13:10 |
tosky | in the barbican tempest plugin of course | 13:10 |
dmendiza[m] | Nice! | 13:10 |
tosky | written by Ade iirc | 13:10 |
tosky | not sure if they are complete or not | 13:10 |
dmendiza[m] | I think we have both project and system scope covered | 13:11 |
dmendiza[m] | I just have to go back and double check our policies to make sure we're good for the Zed goal | 13:11 |
tosky | but wasn't system scope de-scoped? | 13:12 |
dmendiza[m] | Yeah, we wrote those before they de-scoped | 13:15 |
d34dh0r53 | o/ sorry I'm late | 13:16 |
dmendiza[m] | Hi d34dh0r53 no worries | 13:16 |
dmendiza[m] | OK, moving on | 13:18 |
dmendiza[m] | #topic Bug Review | 13:18 |
dmendiza[m] | #link https://storyboard.openstack.org/#!/project_group/barbican | 13:19 |
dmendiza[m] | No new Barbican stories | 13:19 |
dmendiza[m] | #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0 | 13:19 |
dmendiza[m] | And no new Castellan bugs | 13:19 |
dmendiza[m] | #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0 | 13:19 |
dmendiza[m] | And no new Cursive bugs | 13:19 |
dmendiza[m] | #topic Open Discussion | 13:19 |
dmendiza[m] | Anything else y'all want to talk about? | 13:19 |
rajiv | Hi, any suggestions on https://storyboard.openstack.org/#!/story/2009322 ? | 13:20 |
rajiv | second topic, is tags supported in barbican ? | 13:20 |
dmendiza[m] | Hi rajiv | 13:21 |
rajiv | i have a new Lob onboarding with 3k secrets per region, i was wondering if we have this feature in barbican similar to nova, neutron, etc | 13:21 |
dmendiza[m] | No tags, unfortunately | 13:21 |
dmendiza[m] | but we do have metadata | 13:21 |
rajiv | i tried metadata but we CANT list all secrets with a metadata key know ? | 13:22 |
rajiv | i mean we can update keys with unique sets of metadata but cant list them. | 13:23 |
rajiv | Hi @ade_lee | 13:25 |
ade_lee | rajiv, Hi rajiv | 13:26 |
dmendiza[m] | rajiv: yeah, you're right, we can't filter secrets on metadata | 13:26 |
dmendiza[m] | only name, and the deprecated metadata keys bit_length, mode, and algorithm. | 13:27 |
rajiv | is there a workaround ? | 13:28 |
dmendiza[m] | rajiv: these are the only filters supported right now: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets | 13:28 |
dmendiza[m] | The easiest would probably be to add filtering on metadata keys | 13:28 |
dmendiza[m] | something like `GET /v1/secrets?metadata=the_key:the_value` | 13:29 |
dmendiza[m] | but that'll take some work | 13:29 |
dmendiza[m] | if you want to try to implement that, we should be able to make some time to review it | 13:29 |
dmendiza[m] | It would probably be easier than trying to implement tags | 13:30 |
rajiv | ah ok, i started with https://github.com/sapcc/barbican/commit/bc5f09da26b0b995be2aaaaeb97ce8edff5afb13 but later realised i need to create a dedicated table to store tags data | 13:30 |
rajiv | or create a tags column in secrets table. | 13:31 |
dmendiza[m] | rajiv: RE: Story 2009322, I haven't looked into it. Seems like we should be able to preserve that in code. A | 13:31 |
rajiv | okay | 13:31 |
dmendiza[m] | rajiv: yeah, metadata already has its own table, so that would be easier to implement | 13:31 |
dmendiza[m] | and we already have filtering logic in the GET /v1/secrets call | 13:32 |
dmendiza[m] | so it should be fairly easy to add support for searching on metadata | 13:32 |
dmendiza[m] | s/searching/filtering | 13:32 |
rajiv | ah ok, could you share the exact file plz ? | 13:33 |
dmendiza[m] | rajiv: this is the controller for GET /v1/secrets https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L366 | 13:34 |
rajiv | cool, | 13:35 |
dmendiza[m] | rajiv: the date filter, for example, is applied here: https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L391 | 13:35 |
rajiv | last q, is it possible for the quota api to share the current consumption ? | 13:35 |
dmendiza[m] | rajiv: I don't think so. But for a single project, each entity GET has a total count. e.g. GET /v1/secrets has a "total": XXX key in the json response. | 13:37 |
rajiv | okay. | 13:39 |
dmendiza[m] | Anything else? | 13:43 |
rajiv | is there a way to download all secrets per project via api ? | 13:44 |
dmendiza[m] | No, only one secret can be decrypted at a time | 13:44 |
rajiv | its been a month, HSM-Barbican integration is running well on FIPS 140-2 Level3 mode :) | 13:44 |
dmendiza[m] | rajiv: Nice! | 13:45 |
rajiv | maybe in Zed the docu could be updated :) | 13:45 |
dmendiza[m] | Yeah, patch it up! | 13:46 |
rajiv | sure | 13:46 |
rajiv | have a good one! | 13:47 |
dmendiza[m] | Thanks rajiv | 13:47 |
dmendiza[m] | If no one else has any topics we can call it a day | 13:47 |
dmendiza[m] | Thanks for joining, everyone! | 13:52 |
dmendiza[m] | #endmeeting | 13:52 |
opendevmeet | Meeting ended Tue Jul 12 13:52:30 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:52 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-12-13.00.html | 13:52 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-12-13.00.txt | 13:52 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-12-13.00.log.html | 13:52 |
rajiv | Hi, whats the largest secret size tested ? could test with max_allowed_secret_in_bytes = 2000000, max_allowed_request_size_in_bytes = 2500000 ? | 14:01 |
rajiv | i.e 2MB and 2.5 MB ? | 14:02 |
dmendiza[m] | Hi rajiv , we have not tested any secrets that big | 14:03 |
dmendiza[m] | the limiting factor is going to be the size of the column where the ciphertext is stored. | 14:03 |
rajiv | okay | 14:05 |