*** mhen_ is now known as mhen | 02:29 | |
opendevreview | Merged openstack/barbican master: Fix typo in wrap_key function https://review.opendev.org/c/openstack/barbican/+/935224 | 09:09 |
---|---|---|
xek | #startmeeting barbican | 15:01 |
opendevmeet | Meeting started Mon Nov 18 15:01:23 2024 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'barbican' | 15:01 |
xek | #topic Roll Call | 15:01 |
xek | o/ | 15:01 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 15:01 |
xek | As usual our agenda can be found here: | 15:01 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 15:01 |
dmendiza[m] | 🙋♂️ | 15:02 |
rajiv | hey | 15:03 |
dmendiza[m] | Hi rajiv ! | 15:05 |
rajiv | Hey dmendiza[m] | 15:06 |
xek | #topic Review Past Meeting Action Items | 15:07 |
xek | #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-11-04-15.00.html | 15:07 |
xek | There were none | 15:07 |
xek | #topic Liaison Updates | 15:07 |
xek | We're after the Epoxy-1 milestone | 15:08 |
xek | #link https://releases.openstack.org/epoxy/schedule.html | 15:08 |
xek | #topic Open Discussion | 15:08 |
rajiv | regarding https://bugs.launchpad.net/barbican/+bug/2036506, i am pushing Thales to update their docu but they want logs to show the latest mechanisms are being picked | 15:09 |
rajiv | i enabled cklog or debugging on Thales but a barbican operation like secret create or delete isn't considered as a crypto operation | 15:09 |
rajiv | any suggestions how to share crypto log with mechanism ? | 15:10 |
rajiv | if the hmac or mkek are replaced or corrupt, barbican only reports Contact Administrator or errors but nothing related to mechanism or crypto mechanism | 15:11 |
rajiv | even if debug is enabled | 15:11 |
dmendiza[m] | rajiv: Try CKM_AES_KEY_WRAP_PAD with IV generation set to false | 15:11 |
dmendiza[m] | You could also query the API for supported mechanisms, but you'd have to do that manually since we don't have that code in Barbican | 15:12 |
rajiv | how can i set it to false ? https://github.com/openstack/barbican/blob/master/barbican/plugin/crypto/pkcs11.py#L144C1-L144C21 | 15:15 |
rajiv | set key_wrap_generate_iv to false in the conf ? | 15:15 |
rajiv | would it take some time for the backend bug notes to be updated here ? https://docs.openstack.org/barbican/latest/install/barbican-backend.html#thales-luna-network-hsm | 15:17 |
dmendiza[m] | yes, key_wrap_generate_iv = False | 15:17 |
xek | dmendiza note about https://bugs.launchpad.net/barbican/+bug/2084691 | 15:19 |
xek | I didn't realise the patch deprecating kmip already went in, so we'll leave it at that | 15:20 |
rajiv | dmendiza[m]: i tested the patch without setting key_wrap_generate_iv = False, but the secret operations still worked, is this expected ? | 15:21 |
rajiv | lastly, i would like to create a blueprint for multi-vendor support, is there any reference or what's the procedure to propose a blueprint ? | 15:21 |
dmendiza[m] | Grzegorz Grasza: ack. yeah, I'll reply to the thread on the ML. Didn't realize we had already deprecated it. I remember we talked about it, but wasn't sure about the current status. | 15:22 |
dmendiza[m] | rajiv: I don't know what your device expects for CKM_AES_KEY_WRAP_PAD. Some devices allow for the IV to be generated and passed in as a parameter of the mechanism. Other devices don't. 🤷 If it works with IV generation then that's great. | 15:23 |
dmendiza[m] | SoftHSM, for example, throws an error if you generate an IV | 15:23 |
rajiv | i see, i am using Thales A790 | 15:24 |
xek | rajiv you can propose a spec to https://opendev.org/openstack/barbican-specs | 15:24 |
rajiv | thanks xek | 15:24 |
xek | (look at the other specs for pointers, as well as specs in other projects) | 15:24 |
xek | There is also a description of the process here: https://wiki.openstack.org/wiki/Barbican/Blueprints | 15:25 |
rajiv | cool | 15:25 |
dmendiza[m] | Oh! I have a topic now that I think about it | 15:26 |
dmendiza[m] | we have a functional target for tox in the barbican repo | 15:26 |
dmendiza[m] | It's a whole test suite that tests integration with Keystone. But that seems like something that should be done in Tempest | 15:27 |
dmendiza[m] | I was reminded of this again while trying to set up testing for the PKCS#11 backend using SoftHSM. | 15:27 |
dmendiza[m] | In my opinion we should move that testing to the tempest plugin | 15:27 |
xek | I think I was able to run at least part of the suite without keystone some time ago | 15:28 |
dmendiza[m] | We're basically maintaining two different integration suites now | 15:29 |
dmendiza[m] | the in-tree tox -e functional and the barbican-tempest-plugin | 15:29 |
xek | yeah, it would be better to have just one | 15:29 |
dmendiza[m] | There is some delta there since the PKCS#11 + SoftHSM test fails the functional suite but passes the tempest suite | 15:29 |
dmendiza[m] | so I'll work on enhancing the tempest plugin tests | 15:30 |
dmendiza[m] | and then we can begin to deprecate the in-tree suite | 15:30 |
xek | dmendiza++ | 15:31 |
xek | #topic Bug Review | 15:33 |
xek | There are 2 new bugs already in progress: | 15:33 |
xek | #link https://bugs.launchpad.net/barbican/+bug/2087915 | 15:33 |
xek | #link https://bugs.launchpad.net/barbican/+bug/2088355 | 15:34 |
xek | For the last one, there is no review proposed for Barbican yet | 15:34 |
xek | That's all for today | 15:35 |
xek | See y'all next week! | 15:35 |
xek | #endmeeting | 15:35 |
opendevmeet | Meeting ended Mon Nov 18 15:35:53 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:35 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-11-18-15.01.html | 15:35 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-11-18-15.01.txt | 15:35 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-11-18-15.01.log.html | 15:35 |
opendevreview | Takashi Kajinami proposed openstack/barbican-tempest-plugin master: Bump hacking https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/935437 | 15:48 |
tkajinam | dmendiza[m], if you are still around, can you merge https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/934268 ? | 15:49 |
tkajinam | this is required to unblock b-t-p's CI | 15:49 |
opendevreview | Douglas Mendizábal proposed openstack/barbican-tempest-plugin master: Add job for testing PKCS#11 backend with SoftHSM https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/935377 | 16:19 |
opendevreview | Merged openstack/barbican-tempest-plugin master: Remove stable/2023.1 job from master gate https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/934268 | 16:40 |