*** mhen_ is now known as mhen | 01:34 | |
mharley[m] | #startmeeting barbican | 15:02 |
---|---|---|
opendevmeet | Meeting started Mon May 19 15:02:18 2025 UTC and is due to finish in 60 minutes. The chair is mharley[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:02 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:02 |
opendevmeet | The meeting name has been set to 'barbican' | 15:02 |
mharley[m] | #topic Roll Call | 15:02 |
mharley[m] | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley Freeman Boss lpiwowar xek | 15:03 |
mharley[m] | If you want to be pinged, add your nickname here: | 15:03 |
mharley[m] | #link https://etherpad.opendev.org/p/barbican-weekly-meeting | 15:04 |
dmendiza[m] | 🙋♂️ | 15:04 |
mharley[m] | Hi, dmendiza. | 15:04 |
xek | o/ | 15:04 |
mharley[m] | Hi, Grzegorz Grasza. The meeting's agenda is also on the same link. | 15:04 |
mharley[m] | #topic Review Past Meeting Action Items | 15:05 |
mharley[m] | #link http://eavesdrop.openstack.org/meetings/barbican/2025 | 15:05 |
mharley[m] | dmendiza: any progress towards the KMIP effort? | 15:05 |
mharley[m] | #topic KMIP | 15:06 |
mharley[m] | I saw you submitted a patch a couple of days ago. Was that the only missing part? | 15:06 |
dmendiza[m] | Hi! | 15:06 |
dmendiza[m] | OK, so the Action Item was for rajiv to look into supporting his fork for PyKMIP so that we can use it as a drop-in replacement for Barbican KMIP Backend | 15:07 |
rajiv | Hi, we need OSPO and internal approvals, which is taking longer than expected. | 15:08 |
dmendiza[m] | Hi rajiv , for your reference, these are the OpenStack requirements for adding a dependency: | 15:08 |
dmendiza[m] | #link https://docs.openstack.org/project-team-guide/dependency-management.html#for-new-requirements | 15:08 |
dmendiza[m] | I have a few WIP patches around KMIP | 15:09 |
rajiv | okay sure | 15:09 |
dmendiza[m] | #link https://zuul.opendev.org/t/openstack/build/0235a7100f644d2b8810127757123e9e | 15:10 |
dmendiza[m] | #undo | 15:10 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/949935 | 15:10 |
dmendiza[m] | ^^^ This is a patch to barbican-tempest-plugin to run Tempest against a Barbican+KMIP devstack deployment | 15:10 |
dmendiza[m] | It is failing and I haven't had a chance to dig into the roto cause | 15:10 |
dmendiza[m] | *root cause | 15:11 |
dmendiza[m] | #link https://review.opendev.org/c/openstack/barbican/+/947760 | 15:11 |
dmendiza[m] | ^^^ This one is a patch to Barbican that I've iterated on a few times. | 15:11 |
dmendiza[m] | The first few patches were for testing OpenKMIP/PyKMIP to check for the current state of things. It attempts to run the in-tree functional tests. | 15:12 |
dmendiza[m] | Some patches failed because the in-tree functional tests are incompatible with SRBAC | 15:12 |
dmendiza[m] | The latest patch is using rajiv 's fork. It fails to initialize the server. | 15:12 |
mharley[m] | rajiv: would you have any ETA on when such approvals would be granted or not? | 15:13 |
dmendiza[m] | rajiv: this is the failure log for attempting to run the pykmip-server in devstack: | 15:14 |
dmendiza[m] | #link https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_fec/openstack/fec8dfc633ed4da9afecea93bd6b7265/controller/logs/screen-pykmip-server.txt | 15:14 |
dmendiza[m] | I have not yet looked into running the server stand-alone. | 15:14 |
dmendiza[m] | I will try to look into that next. | 15:15 |
dmendiza[m] | The existing OpenKMIP/PyKMIP library appears to work in CentOS 9, but it fails with an ssl module incompatibility in Ubuntu 24.04 | 15:16 |
rajiv | i will follow up this week again. | 15:16 |
dmendiza[m] | Thank you rajiv ! | 15:16 |
dmendiza[m] | That's all I have on KMIP for this week. | 15:16 |
mharley[m] | OK, thanks. | 15:17 |
mharley[m] | #topic Outreachy | 15:17 |
mharley[m] | I have bad news. Just got to know that the project didn't receive funding and was cancelled. | 15:18 |
mharley[m] | It looks like this happened with many other projects too, although the selection criteria among projects is not clear to me at least. | 15:18 |
mharley[m] | That's all for Outreachy. | 15:19 |
mharley[m] | #topic Liaison Updates | 15:20 |
mharley[m] | We are 19 weeks from Flamingo's release date. | 15:20 |
mharley[m] | #link https://releases.openstack.org/epoxy/schedule.html | 15:20 |
mharley[m] | There is currently no more news for Flamingo. | 15:20 |
mharley[m] | #undo | 15:21 |
opendevmeet | Removing item from minutes: #link https://releases.openstack.org/epoxy/schedule.html | 15:21 |
mharley[m] | #link https://releases.openstack.org/flamingo/schedule.html | 15:21 |
mharley[m] | #topic Bug Review | 15:21 |
mharley[m] | No new bugs for Barbican. | 15:21 |
mharley[m] | #link https://bugs.launchpad.net/barbican/+bugs?orderby=-id&start=0 | 15:21 |
rajiv | i was playing around with secretstore api, adding -H "X-Project-Id:" seems to work as well, is this expected ? | 15:22 |
freemanboss[m] | Good evening everyone | 15:22 |
mharley[m] | Hello, Freeman Boss. | 15:23 |
mharley[m] | Can you clarify, rajiv? | 15:23 |
rajiv | based on https://docs.openstack.org/barbican/latest/api/reference/store_backends.html | 15:23 |
rajiv | i don't see X-Project-Id: mentioned in the docu but when i use this Header in the curl command, the backend is accepted. | 15:23 |
freemanboss[m] | <mharley[m]> "I have bad news. Just got to..." <- Ohhhh | 15:24 |
rajiv | the below cmd works if the project id is different : | 15:25 |
rajiv | curl -X POST -H "X-Project-Id: xxx" -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" https://xxxx/v1/secret-stores/xxxx/preferred | jq | 15:25 |
dmendiza[m] | rajiv: X-Project-Id is only relevant for unauthenticated deployments | 15:25 |
freemanboss[m] | Please how do I start working on the PKCS#12 project? | 15:25 |
dmendiza[m] | rajiv: typically you'd want to provide the `X-Auth-Token` header. | 15:25 |
freemanboss[m] | <mharley[m]> "It looks like this happened with..." <- Please sorry please can you help confirm the criteria? | 15:26 |
freemanboss[m] | Thank you | 15:26 |
rajiv | dmendiza[m]: true, i was wondering how to restrict this api to domain admin only | 15:26 |
dmendiza[m] | rajiv the way authZ/authN works is that the user provides the `X-Auth-Token` header with their Keystone token. Barbican should typically be deployed with keystonemiddleware. | 15:27 |
mharley[m] | Freeman Boss: we can discuss during the Open Discussion section, just a bit later on this meeting. | 15:27 |
rajiv | my prod has keystonemiddleware enabled in the barbican.conf but seems to work strangely during tests. | 15:27 |
dmendiza[m] | keystonemiddleware takes the token from X-Auth-Token and validates it with keystone. The middleware layer then removes any existing auth headers (which includes X-Project-Id) and injects into the request all relevant auth headers with the values from Keystone's validation response. | 15:28 |
rajiv | okay, to restrict this to admin only, i need to update the policy.yaml and its defaults ? | 15:29 |
dmendiza[m] | rajiv: what you're seeing is that you provide an `X-Project-Id` that should be getting removed and replaced with the Project ID that Keystone validates from the token provided to X-Auth-Token | 15:30 |
rajiv | okay, any chance on reviewing the multi-tenancy PR ? | 15:34 |
rajiv | or the blueprint ? | 15:35 |
mharley[m] | Would you mind sharing their links once again? | 15:35 |
rajiv | https://review.opendev.org/c/openstack/barbican-specs/+/947093 https://review.opendev.org/c/openstack/barbican/+/947118 | 15:36 |
mharley[m] | Cool, thanks. Let's check those. | 15:37 |
mharley[m] | Anything else about the header topic? | 15:37 |
mharley[m] | No new bugs for Python Barbican Client: | 15:38 |
mharley[m] | #link https://bugs.launchpad.net/python-barbicanclient/+bugs?orderby=-id&start=0 | 15:38 |
mharley[m] | No new bugs for Castellan: | 15:39 |
mharley[m] | https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0 | 15:39 |
mharley[m] | No new bugs for Cursive: | 15:40 |
mharley[m] | #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0 | 15:40 |
dmendiza[m] | rajiv: POST for /v1/secret-stores/$SECRET_STORE_ID/preferred is already limited to "admin" role https://opendev.org/openstack/barbican/src/branch/master/barbican/common/policies/secretstores.py#L100 | 15:41 |
mharley[m] | #topic Open Discussion | 15:43 |
rajiv | oh ok, i need to validate the unauthenticated calls. | 15:43 |
mharley[m] | Freeman Boss: so you'd like to contribute with the PKCS#12 feature? | 15:45 |
freemanboss[m] | Yes I'm interested mharley: | 15:45 |
mharley[m] | Understood. As I told you before, this is an open-source project. Anyone interested in contributing to OpenStack is more than welcome to do it. | 15:47 |
mharley[m] | However, as the mentoring project was not approved, there won't be any formal mentoring about this. | 15:48 |
mharley[m] | But you can always chat here at anytime, ask your questions and benefit from the community. And I can also dedicate some of my week time to give attention to this topic. | 15:48 |
freemanboss[m] | mharley: alright thank you. | 15:49 |
mharley[m] | Please just be advised there's no ETA to answer questions. Everyone here is a volunteer. :-) | 15:49 |
freemanboss[m] | Is there any setup I can work it for the project. | 15:50 |
freemanboss[m] | It'll be integrated in the barbican repo? | 15:50 |
mharley[m] | A good advice I can give you is to chat with Theresa James. They already submitted a patch for Barbican and know the few steps required to setup the dev environment. | 15:51 |
mharley[m] | And once this environment is set, you are free to submit patches to Gerrit, the VCS system that OpenDev uses. | 15:52 |
mharley[m] | Is there any other topic to be discussed, guys? | 15:53 |
freemanboss[m] | mharley: alright thank you | 15:54 |
mharley[m] | Anytime, Freeman Boss . | 15:54 |
mharley[m] | Well, if there's nothing else... | 15:54 |
mharley[m] | That's all, folks! See you next week! :-) | 15:54 |
mharley[m] | #endmeeting | 15:54 |
opendevmeet | Meeting ended Mon May 19 15:54:55 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:54 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-05-19-15.02.html | 15:54 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-05-19-15.02.txt | 15:54 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-05-19-15.02.log.html | 15:54 |