Monday, 2024-04-22

[02:05] *** mhen_ is now known as mhen
[10:16] rajiv: Hi,
[10:16] rajiv: does anyone have experience with barbican and kmip integration ?
[10:24] rajiv: i found this bug also related to https://bugs.launchpad.net/barbican/+bug/2033540
[11:12] rajiv: i now get :
[11:12] rajiv: 2024-04-22 11:10:18,270 7 ERROR stevedore.extension [req-2df1a4a7-2f93-4ed5-8476-fc334a8b6132 gNone 835629dfd530f71ce4ab66478f5fc7d0b86f6434429b35352c9da4d8f0e4ddd1 - - 8527ec6a18394c99ab4c7378a4d214f5 8527ec6a18394c99ab4c7378a4d214f5] Could not load 'kmip_plugin': No module named 'kmip': ModuleNotFoundError: No module named 'kmip'
[11:28] tkajinam: rajiv, you may have to install pykmip additionally. it's not in requirements and is treated as an optional dependency
[11:28] tkajinam: rajiv, and also note that pykmip library is not maintained well and may not work with recent cryptography https://bugs.launchpad.net/barbican/+bug/2059755
[11:30] rajiv: tkajinam: thanks for the update but to start off with, is the below multi tenant conf acceptable ?
[11:30] rajiv:
    [secretstore]
    enable_multiple_secret_stores = True
    stores_lookup_suffix = software, kmip
    namespace = barbican.secretstore.plugin
    [secretstore:software]
    secret_store_plugin = store_crypto
    crypto_plugin = simple_crypto
    [secretstore:kmip]
    secret_store_plugin = kmip_plugin
    global_default = True
[11:32] tkajinam: I have no experience with kmip plugin but the snippet looks correct according to how the plugin configurations are documented
[11:34] rajiv: okay, in single tenant it shows kmip_crypto : https://docs.openstack.org/barbican/latest/install/barbican-backend.html#kmip-plugin
[11:34] rajiv: but in multi-tenant it's kmip_plugin
[11:34] rajiv: i am working on 2023.2, hence the configuration should work ?
[11:38] tkajinam: there is no kmip_crypto plugin listed in https://github.com/openstack/barbican/blob/master/setup.cfg#L60 and kmip_plugin looks correct
[11:39] opendevreview: Takashi Kajinami proposed openstack/barbican master: kmip: Fix missing extra requirement  https://review.opendev.org/c/openstack/barbican/+/916619
[11:40] rajiv: are you part of barbican team ?
[11:41] rajiv: are you referring to this version cryptography>=2.1 in 2023.2 https://opendev.org/openstack/barbican/src/branch/stable/2023.2/requirements.txt#L6 ?
[11:41] opendevreview: Takashi Kajinami proposed openstack/barbican master: Fix wrong plugin name  https://review.opendev.org/c/openstack/barbican/+/916620
[11:42] tkajinam: rajiv, that's a bit of a difficult question to answer. I've made some contributions to it but I'm not dedicated to it
[11:42] tkajinam: my scope is more like OpenStack-wide
[11:43] tkajinam: rajiv, https://opendev.org/openstack/requirements/src/branch/stable/2023.2/upper-constraints.txt#L190
[11:43] tkajinam: the file contains the versions we use in CI. you may be using different versions according to your installation methods
[11:45] rajiv: i see pykmip is also installed in our CI https://github.com/sapcc/requirements/blob/stable/2023.2-m3/upper-constraints.txt#L179
[11:45] rajiv: but wonder why i get this error : Could not load 'kmip_plugin': No module named 'kmip': ModuleNotFoundError: No module named 'kmip'
[11:46] tkajinam: that looks horribly old
[11:46] tkajinam: because kmip is not in requirements
[11:46] tkajinam: you should install it additionally
[11:46] tkajinam: the file you pointed is not requirements but upper constraints
[11:47] tkajinam: ignore this > that looks horribly old  I was looking at the wrong module
[11:48] tkajinam: so again, having PyKMIP in upper constraints file does not install the library. you have to install PyKMIP additionally with that constraint file to have that version/library installed
[11:48] rajiv: ah ok ok
[11:49] tkajinam: and, because you have cryptography==40.0.02 requested here, I'm sure you hit that bug 2059755
[11:52] rajiv: ah ok, is the PTO aware of this ? was it discussed in the last PTG ?
[11:54] rajiv: https://review.opendev.org/c/openstack/barbican/+/914745 does this mean kmip secret store will be deprecated ?
[11:54] tkajinam: I raised the compatibility problem some time ago in https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/E7MXNLVWGL7Z2IX5ZDIR6VKPOQN4Y6US/ , and proposed deprecating the plugin because of the unmaintained dependency.
[11:55] tkajinam: and yeah that's the proposal and xek (the current PTL) added +2 so I'm pretty sure he is aware of the situation
[11:55] tkajinam: I proposed PR to fix the problem and that was merged. but the maintainer does not respond to further PRs or request for a new release
[11:56] tkajinam: I mean PR to PyKMIP https://github.com/OpenKMIP/PyKMIP/pull/714
[11:56] rajiv: thanks for the efforts ! highly appreciated :)
[11:57] rajiv: lastly, are you aware of https://bugs.launchpad.net/barbican/+bug/2036506 ?
[11:58] tkajinam: rajiv, no, but I guess dmendiza[m] may be interested (IIRC he did some pkcs11 related works in the past)
[12:00] rajiv: ack
[15:00] xek: #startmeeting barbican
[15:00] opendevmeet: Meeting started Mon Apr 22 15:00:40 2024 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:00] opendevmeet: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:00] opendevmeet: The meeting name has been set to 'barbican'
[15:00] xek: #topic Roll Call
[15:00] xek: Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
[15:00] mharley: o/
[15:01] xek: As usual our agenda can be found here:
[15:01] xek: #link https://etherpad.openstack.org/p/barbican-weekly-meeting
[15:01] xek: We have just the usual topics today
[15:01] dmendiza[m]: 🙋‍♂️
[15:02] xek: o/
[15:02] xek: #topic Review Past Meeting Action Item
[15:03] xek: There were no action items on our last meeting
[15:03] xek: #topic Liaison Updates
[15:03] xek: No updates from me today :)
[15:04] xek: #topic Open Discussion
[15:04] rajiv: Hi All,
[15:05] rajiv: i had a great discussion this afternoon, any comments on that ?
[15:05] xek: dmendiza I saw some discussion earlier about https://review.opendev.org/c/openstack/barbican/+/914745
[15:05] xek: #link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/E7MXNLVWGL7Z2IX5ZDIR6VKPOQN4Y6US/
[15:05] rajiv: yes, is this finalised ?
[15:06] xek: rajiv hi
[15:06] rajiv: hi xek !
[15:07] rajiv: we have a customer requirement to support kmip, hence i wanted to understand the roadmap
[15:08] rajiv: this commit https://review.opendev.org/c/openstack/barbican/+/916620, cost me almost 2 days of debugging :D
[15:08] xek: we need a second core's opinion, dmendiza do you have any concern with removing the kmip secret store plugin in a future release ?
[15:08] rajiv: you mean NOT to remove :)
[15:08] * dmendiza[m] reads list message
[15:09] mharley: Isn't there another way to implement KMIP using something else than the not maintained library?
[15:10] rajiv: we are currently using Thales HSM A790 in FIPS Mode which supports pkcs11 plugin, to enhance the support, we are testing kmip
[15:11] mharley: Yeah, but that's a specific scenario. I asked more in general.
[15:11] rajiv: Thales A790 stores the keys of Thales Cipher Trust Manager which supports KMIP
[15:11] rajiv: i shared a general msg, i tried few other packages but had similar issues
[15:13] dmendiza[m]: I think it comes down to the same issue as with anything else in open source:  Who is going to do the work?  ...  The team at Red Hat doesn't have any requirements for KMIP, so we don't have a preference either way on deprecating or fixing the backend.
[15:13] dmendiza[m]: I am not sure what the current state of maintenance is for PyKMIP
[15:14] mharley: I believe we have to have a business decision here. Do we take ownership on keeping implementing this, but with another library (if any), or do we deprecate it? :-)
[15:14] dmendiza[m]: #link https://github.com/OpenKMIP/PyKMIP
[15:15] dmendiza[m]: seems tkajinam was able to get patches merged recently
[15:15] rajiv: PyKMIP seems to be slow in reviewing the fix for this issue : https://github.com/OpenKMIP/PyKMIP/pull/715
[15:15] mharley: There was a charge three weeks ago...
[15:15] xek: PyKMIP last release was on Feb 25, 2020
[15:16] mharley: Oosh, 58 open issues. :-(
[15:16] dmendiza[m]: Has anyone tried reaching out to #pykmip on Freenode?
[15:16] dmendiza[m]: are the devs still active there?
[15:16] dmendiza[m]: or tried reaching out on X (formerly Twitter)?
[15:17] dmendiza[m]: rajiv: well, the bad news is that I don't think anyone from Red Hat will have time to work on this.  (outside of dedicating personal time anyway)
[15:18] dmendiza[m]: rajiv: so your options are:  RE: KMIP try to understand the current state of development.  Fix issues yourself and work with their maintainers to merge/release those fixes.
[15:18] rajiv: i will try to followup
[15:18] dmendiza[m]: rajiv: Then you could fix the KMIP backend to continue to support KMIP in Barbican
[15:19] rajiv: oh ok ok, looks like deprecation is the direction now.
[15:19] xek: Yeah, we didn't deprecate it for the 2024.1, so there is still a decision to be made
[15:20] xek: We can hold off for a couple of weeks, if you would like to contact the current maintainer and work something out
[15:20] rajiv: this will help.
[15:22] xek: ok
[15:23] xek: #agreed holding off the decision to deprecate KMIP secret store  for a couple of weeks to let rajiv contact the maintainer of the PyKMIP library
[15:24] xek: I've also seen a mantion of this bug https://bugs.launchpad.net/barbican/+bug/2036506
[15:24] xek: *mention
[15:25] xek: dmendiza do you know if this is something on our roadmap?
[15:26] rajiv: yes, this is another blocker to upgrade to latest firmware version since FIPS mode is enabled.
[15:26] rajiv: the code is complex and difficult to understand the strategies to fix this.
[15:26] xek: it references pkcs11, but is it only a pkcs11 issue?
[15:26] dmendiza[m]: Yeah, we do support Thales Luna HSMs, so this is something we will want to fix.
[15:27] tkajinam: maybe https://review.opendev.org/c/openstack/barbican/+/900107 would address it ? though this is a new feature so may not be backportable.
[15:27] tkajinam: (I just noticed the notification and am joining late
[15:28] tkajinam: (just fyi. I've not tried reaching out to the pykmip maintainers outside of github. I wasn't aware of their irc channel but I doubt that people still stay at freenode after its governance was messed up some time ago.
[15:28] dmendiza[m]: Possibly. The devil is in the details. I'm sure there is some other wrapping algorithm we can use, but we have to carefully consider the upgrade path.
[15:29] dmendiza[m]: Yeah, I have a feeling it's a stale readme.
[15:32] xek: Ok, thanks for the input! we'll circle back on this, since it's early in the release cycle and we still have time to make a decision
[15:33] xek: #topic Bug Review
[15:34] xek: I see one new bug
[15:34] xek: #link https://bugs.launchpad.net/barbican/+bug/2063102
[15:35] xek: looks like the fix in https://review.opendev.org/c/openstack/barbican/+/916620 addresses this bug
[15:36] xek: All right, that's it for today
[15:36] xek: See y'all next week!
[15:36] xek: #endmeeting
[15:36] opendevmeet: Meeting ended Mon Apr 22 15:36:44 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[15:36] opendevmeet: Minutes:        https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-04-22-15.00.html
[15:36] opendevmeet: Minutes (text): https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-04-22-15.00.txt
[15:36] opendevmeet: Log:            https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-04-22-15.00.log.html
[15:38] tkajinam: this is not urgent but it'd be nice if I can get some feedback about https://review.opendev.org/c/openstack/barbican/+/915520
[15:38] tkajinam: this finally brings oslo.db to barbican so that we can leverage the same features in all services
[15:39] xek: tkajinam ack, I'll take a look
[15:39] tkajinam: one concern I can think of is that this removes old database options after a relatively short period (these were deprecated during the previous cycle) but still the timeline is compliant with FIPS
[15:39] tkajinam: xek, thx
[15:39] tkajinam: further discussion can be continued in the review, if needed
[20:01] -opendevstatus- NOTICE: Gerrit will be offline for a short time while we rename a project repo. https://lists.opendev.org/archives/list/service-announce@lists.opendev.org/message/KP6NCOKJEYRGFD5FS26CZPVLEKFSY2ZO/ for more details
