*** mhen_ is now known as mhen | 02:05 |
rajiv | Hi, | 10:16 |
---|---|---|
rajiv | does anyone have experience with barbican and kmip integration ? | 10:16 |
rajiv | i found this bug also related to https://bugs.launchpad.net/barbican/+bug/2033540 | 10:24 |
rajiv | i now get : | 11:12 |
rajiv | 2024-04-22 11:10:18,270 7 ERROR stevedore.extension [req-2df1a4a7-2f93-4ed5-8476-fc334a8b6132 gNone 835629dfd530f71ce4ab66478f5fc7d0b86f6434429b35352c9da4d8f0e4ddd1 - - 8527ec6a18394c99ab4c7378a4d214f5 8527ec6a18394c99ab4c7378a4d214f5] Could not load 'kmip_plugin': No module named 'kmip': ModuleNotFoundError: No module named 'kmip' | 11:12 |
tkajinam | rajiv, you may have to install pykmip additionally. it's not in requirements and is treated as an optional dependency | 11:28 |
tkajinam | rajiv, and also note that pykmip library is not maintained well and may not work with recent cryptography https://bugs.launchpad.net/barbican/+bug/2059755 | 11:28 |
rajiv | tkajinam: thanks for the update but to start off with, is the below multi tenant conf acceptable ? | 11:30 |
rajiv | [secretstore] enable_multiple_secret_stores = True stores_lookup_suffix = software, kmip namespace = barbican.secretstore.plugin [secretstore:software] secret_store_plugin = store_crypto crypto_plugin = simple_crypto [secretstore:kmip] secret_store_plugin = kmip_plugin global_default = True | 11:30 |
tkajinam | I have no experience with kmip plugin but the snippet looks correct according to how the plugin configurations are documented | 11:32 |
rajiv | okay, in single tenant it shows kmip_crypto : https://docs.openstack.org/barbican/latest/install/barbican-backend.html#kmip-plugin | 11:34 |
rajiv | but in multi-tenant its kmip_plugin | 11:34 |
rajiv | i am working on 2023.2, hence the configuration should work ? | 11:34 |
tkajinam | there is no kmip_crypto plugin listed in https://github.com/openstack/barbican/blob/master/setup.cfg#L60 and kmip_plugin looks correct | 11:38 |
opendevreview | Takashi Kajinami proposed openstack/barbican master: kmip: Fix missing extra requirement https://review.opendev.org/c/openstack/barbican/+/916619 | 11:39 |
rajiv | are you part of barbican team ? | 11:40 |
rajiv | are you referring to this version cryptography>=2.1 in 2023.2 https://opendev.org/openstack/barbican/src/branch/stable/2023.2/requirements.txt#L6 ? | 11:41 |
opendevreview | Takashi Kajinami proposed openstack/barbican master: Fix wrong plugin name https://review.opendev.org/c/openstack/barbican/+/916620 | 11:41 |
tkajinam | rajiv, that's a bit difficult question to answer. I've made some contributions to it but I'm not dedicated to it | 11:42 |
tkajinam | my scope is more like OpenStack-wide | 11:42 |
tkajinam | rajiv, https://opendev.org/openstack/requirements/src/branch/stable/2023.2/upper-constraints.txt#L190 | 11:43 |
tkajinam | the file contains the versions we use in CI. you may be using different versions according to your installation methods | 11:43 |
rajiv | i see pykmip is also installed in our CI https://github.com/sapcc/requirements/blob/stable/2023.2-m3/upper-constraints.txt#L179 | 11:45 |
rajiv | but wonder why i get this error : Could not load 'kmip_plugin': No module named 'kmip': ModuleNotFoundError: No module named 'kmip' | 11:45 |
tkajinam | that looks horribly old | 11:46 |
tkajinam | because kmip is not in requirements | 11:46 |
tkajinam | you should install it additionally | 11:46 |
tkajinam | the file you pointed is not requirements but upper constraints | 11:46 |
tkajinam | ignore this > that looks horribly old I was looking at the wrong module | 11:47 |
tkajinam | so again, having PyKMIP in upper constraints file does not install the library. you have to install PyKMIP additionally with that constraint file to have that version/library installed | 11:48 |
rajiv | ah ok ok | 11:48 |
tkajinam | and, because you have cryptography==40.0.02 requested here, I'm sure you hit that bug 2059755 | 11:49 |
rajiv | ah ok, is the PTO aware of this ? was it discussed in the last PTG ? | 11:52 |
rajiv | https://review.opendev.org/c/openstack/barbican/+/914745 does this mean kmip secret store will be deprecated ? | 11:54 |
tkajinam | I raised the compatibility problem some time ago in https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/E7MXNLVWGL7Z2IX5ZDIR6VKPOQN4Y6US/ , and proposed deprecating the plugin because of the unmaintained dependency. | 11:54 |
tkajinam | and yeah that's the proposal and xek (the current PTL) added +2 so I'm pretty sure he is aware of the situation | 11:55 |
tkajinam | I proposed PR to fix the problem and that was merged. but the maintainer does not respond to further PRs or request for a new release | 11:55 |
tkajinam | I mean PR to PyKMIP https://github.com/OpenKMIP/PyKMIP/pull/714 | 11:56 |
rajiv | thanks for the efforts ! highly appreciated :) | 11:56 |
rajiv | lastly, are you aware of https://bugs.launchpad.net/barbican/+bug/2036506 ? | 11:57 |
tkajinam | rajiv, no, but I guess dmendiza[m] may be interested (IIRC he did some pkcs11 related works in the past) | 11:58 |
rajiv | ack | 12:00 |
xek | #startmeeting barbican | 15:00 |
opendevmeet | Meeting started Mon Apr 22 15:00:40 2024 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'barbican' | 15:00 |
xek | #topic Roll Call | 15:00 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 15:00 |
mharley | o/ | 15:00 |
xek | As usual our agenda can be found here: | 15:01 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 15:01 |
xek | We have just the usual topics today | 15:01 |
dmendiza[m] | 🙋♂️ | 15:01 |
xek | o/ | 15:02 |
xek | #topic Review Past Meeting Action Item | 15:02 |
xek | There were no action items on our last meeting | 15:03 |
xek | #topic Liaison Updates | 15:03 |
xek | No updates from me today :) | 15:03 |
xek | #topic Open Discussion | 15:04 |
rajiv | Hi All, | 15:04 |
rajiv | i had a great discussion this afternoon, any comments on that ? | 15:05 |
xek | dmendiza I saw some discussion earlier about https://review.opendev.org/c/openstack/barbican/+/914745 | 15:05 |
xek | #link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/E7MXNLVWGL7Z2IX5ZDIR6VKPOQN4Y6US/ | 15:05 |
rajiv | yes, is this finalised ? | 15:05 |
xek | rajiv hi | 15:06 |
rajiv | hi xek ! | 15:06 |
rajiv | we have a customer requirement to support kmip, hence i wanted to understand the roadmap | 15:07 |
rajiv | this commit https://review.opendev.org/c/openstack/barbican/+/916620, cost me almost 2 days of debugging :D | 15:08 |
xek | we need a second core's opinion, dmendiza do you have any concern with removing the kmip secret store plugin in a future release ? | 15:08 |
rajiv | you mean NOT to remove :) | 15:08 |
* dmendiza[m] reads list message | 15:08 |
mharley | Isn't there another way to implement KMIP using something else than the not maintained library? | 15:09 |
rajiv | we are currently using Thales HSM A790 in FIPS Mode which supports pkcs11 plugin, to enhance the support, we are testing kmip | 15:10 |
mharley | Yeah, but that's a specific scenario. I asked more in general. | 15:11 |
rajiv | Thales A790 stores the keys of Thales Cipher Trust Manager which supports KMIP | 15:11 |
rajiv | i shared a general msg, i tried few other packages but had similar issues | 15:11 |
dmendiza[m] | I think it comes down to the same issue as with anything else in open source: Who is going to do the work? ... The team at Red Hat doesn't have any requirements for KMIP, so we don't have a preference either way on deprecating or fixing the backend. | 15:13 |
dmendiza[m] | I am not sure what the current state of maintenance is for PyKMIP | 15:13 |
mharley | I believe we have to have a business decision here. Do we take ownership on keeping implementing this, but with another library (if any), or do we deprecate it? :-) | 15:14 |
dmendiza[m] | #link https://github.com/OpenKMIP/PyKMIP | 15:14 |
dmendiza[m] | seems tkajinam was able to get patches merged recently | 15:15 |
rajiv | PyKMIP seems to be slow in reviewing the fix for this issue : https://github.com/OpenKMIP/PyKMIP/pull/715 | 15:15 |
mharley | There was a charge three weeks ago... | 15:15 |
xek | PyKMIP last release was on Feb 25, 2020 | 15:15 |
mharley | Oosh, 58 open issues. :-( | 15:16 |
dmendiza[m] | Has anyone tried reaching out to #pykmip on Freenode? | 15:16 |
dmendiza[m] | are the devs still active there? | 15:16 |
dmendiza[m] | or tried reaching out on X (formerly Twitter)? | 15:16 |
dmendiza[m] | rajiv: well, the bad news is that I don't think anyone from Red Hat will have time to work on this. (outside of dedicating personal time anyway) | 15:17 |
dmendiza[m] | rajiv: so your options are: RE: KMIP try to understand the current state of development. Fix issues yourself and work with their maintainers to merge/release those fixes. | 15:18 |
rajiv | i will try to followup | 15:18 |
dmendiza[m] | rajiv: Then you could fix the KMIP backend to continue to support KMIP in Barbican | 15:18 |
rajiv | oh ok ok, looks like deprecation is the direction now. | 15:19 |
xek | Yeah, we didn't deprecate it for the 2024.1, so there is still a decision to be made | 15:19 |
xek | We can hold off for a couple of weeks, if you would like to contact the current maintainer and work something out | 15:20 |
rajiv | this will help. | 15:20 |
xek | ok | 15:22 |
xek | #agreed holding off the decision to deprecate KMIP secret store for a couple of weeks to let rajiv contact the maintainer of the PyKMIP library | 15:23 |
xek | I've also seen a mantion of this bug https://bugs.launchpad.net/barbican/+bug/2036506 | 15:24 |
xek | *mention | 15:24 |
xek | dmendiza do you know if this is something on our roadmap? | 15:25 |
rajiv | yes, this is another blocker to upgrade to latest firmware version since FIPS mode is enabled. | 15:26 |
rajiv | the code is complex and difficult to understand the strategies to fix this. | 15:26 |
xek | it references pkcs11, but is it only a pkcs11 issue? | 15:26 |
dmendiza[m] | Yeah, we do support Thales Luna HSMs, so this is something we will want to fix. | 15:26 |
tkajinam | maybe https://review.opendev.org/c/openstack/barbican/+/900107 would address it ? though this is a new feature so may not be backportable. | 15:27 |
tkajinam | (I just noticed the notification and am joining late) | 15:27 |
tkajinam | (just fyi. I've not tried reaching out to the pykmip maintainers outside of github. I wasn't aware of their irc channel but I doubt that people still stay at freenode after its governance was messed up some time ago.) | 15:28 |
dmendiza[m] | Possibly. The devil is in the details. I'm sure there is some other wrapping algorithm we can use, but we have to carefully consider the upgrade path. | 15:28 |
dmendiza[m] | Yeah, I have a feeling it's a stale readme. | 15:29 |
xek | Ok, thanks for the input! we'll circle back on this, since it's early in the release cycle and we still have time to make a decision | 15:32 |
xek | #topic Bug Review | 15:33 |
xek | I see one new bug | 15:34 |
xek | #link https://bugs.launchpad.net/barbican/+bug/2063102 | 15:34 |
xek | looks like the fix in https://review.opendev.org/c/openstack/barbican/+/916620 addresses this bug | 15:35 |
xek | Alright, that's it for today | 15:36 |
xek | See y'all next week! | 15:36 |
xek | #endmeeting | 15:36 |
opendevmeet | Meeting ended Mon Apr 22 15:36:44 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:36 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-04-22-15.00.html | 15:36 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-04-22-15.00.txt | 15:36 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-04-22-15.00.log.html | 15:36 |
tkajinam | this is not urgent but it'd be nice if I can get some feedback about https://review.opendev.org/c/openstack/barbican/+/915520 | 15:38 |
tkajinam | this finally brings oslo.db to barbican so that we can leverage the same features in all services | 15:38 |
xek | tkajinam ack, I'll take a look | 15:39 |
tkajinam | one concern I can think of is that this removes old database options after a relatively short period (these were deprecated during the previous cycle) but still the timeline is compliant with FIPS | 15:39 |
tkajinam | xek, thx | 15:39 |
tkajinam | further discussion can be continued in the review, if needed | 15:39 |
-opendevstatus- NOTICE: Gerrit will be offline for a short time while we rename a project repo. https://lists.opendev.org/archives/list/service-announce@lists.opendev.org/message/KP6NCOKJEYRGFD5FS26CZPVLEKFSY2ZO/ for more details | 20:01 |