| *** mhen_ is now known as mhen | 02:45 | |
| dmendiza[m] | 1345 | 14:59 |
|---|---|---|
| rajiv | Hi | 15:00 |
| dmendiza[m] | #startmeeting barbican | 15:00 |
| opendevmeet | Meeting started Mon Nov 10 15:00:22 2025 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
| opendevmeet | The meeting name has been set to 'barbican' | 15:00 |
| dmendiza[m] | #topic Roll Call | 15:00 |
| dmendiza[m] | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley Freeman Boss lpiwowar xek tkajinam LinuZZ | 15:00 |
| dmendiza[m] | rajiv: you around? | 15:04 |
| rajiv | hi, yes | 15:04 |
| rajiv | i have 2 questions | 15:04 |
| rajiv | can i ask now or wait for Q&A ? | 15:05 |
| dmendiza[m] | Looks like it's just you and me today | 15:06 |
| dmendiza[m] | #topic Open Discussion | 15:06 |
| rajiv | i would like to know if anyone has any experience with BSI or vs-nfd audits ? secondly, how to make barbican multi-tenant using p11_crypto plugin | 15:06 |
| dmendiza[m] | > BSI or vs-nfd audits | 15:07 |
| dmendiza[m] | I don't know what either one of those acronyms mean 😅 | 15:07 |
| rajiv | https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zulassung/VS-Anforderungsprofile/BSI-VS-AP-0027_en.pdf?__blob=publicationFile&v=2 | 15:08 |
| dmendiza[m] | Interesting ... I'll take a look at that, but afaik, we have not done that before. | 15:09 |
| dmendiza[m] | > make barbican multi-tenant using p11_crypto plugin | 15:09 |
| dmendiza[m] | What do you mean by "multi-tenant"? --- Historically, "tenant" was the name of Keystone Projects before they were renamed | 15:09 |
| dmendiza[m] | so, in that sense, yes, Barbican is multi-tenant because many projects can use Barbican at once while having their data be separated | 15:10 |
| rajiv | tenant A uses slot A of HSM A, similarly tenant B uses slot B of HSM B | 15:10 |
| dmendiza[m] | I see | 15:11 |
| dmendiza[m] | Hmm... I don't think it is currently possible. Not with two PKCS#11 devices anyway. | 15:11 |
| dmendiza[m] | It can be done with two different types of backends | 15:11 |
| rajiv | okay, we were testing this multi-tenant concept but looks like we need to manually add a backend everytime we need to add another | 15:13 |
| rajiv | https://github.com/sapcc/barbican/blob/stable/2024.2-m3/setup.cfg#L69-L71 | 15:14 |
| rajiv | looks like setup.cfg doesnt support regex or any other to over come this manual addition and DB uc_secret_store constraints | 15:14 |
| dmendiza[m] | e.g. you can configure SimpleCrypto, and then also PKCS#11 and then use the /v1/secret-stores API to set a global default (that everyone uses) and then override that on a per-project basis | 15:14 |
| dmendiza[m] | #link https://docs.openstack.org/barbican/latest/api/reference/store_backends.html | 15:14 |
| dmendiza[m] | I think the limiting factor for doing this with two PKCS#11 backends is the plugin loading logic | 15:15 |
| dmendiza[m] | Yeah, we don't maintain that fork. The official Barbican repo does not have that. | 15:16 |
| dmendiza[m] | #link https://opendev.org/openstack/barbican/src/branch/master/setup.cfg#L65 | 15:16 |
| rajiv | okay, lastly, i am planning to upgrade from dalmatian to flamingo, i reviewed the release notes, anything else i need to keep in mind ? | 15:16 |
| dmendiza[m] | I don't think there were many changes last release. | 15:18 |
| dmendiza[m] | As usual, I'd recommend testing the upgrade in a staging environment before you roll it out to production. | 15:18 |
| rajiv | okay, thanks | 15:19 |
| tobias-urdin | o/ – i have a couple of patches i would like to bring up, when possible :) | 15:19 |
| dmendiza[m] | tobias-urdin drop the links and I'll take a look today | 15:20 |
| tobias-urdin | added functional testing for openbao (fork of vault) and make the vault functional testing voting again https://review.opendev.org/c/openstack/barbican/+/957206 | 15:21 |
| tobias-urdin | i would also like to open a discussion about a delete on a secret with consumers being a hard failure directly in the API with a new microversion https://review.opendev.org/c/openstack/barbican/+/961599 | 15:23 |
| tobias-urdin | it's really painful that it a soft block in barbicanclient and not enforced on the api level | 15:23 |
| dmendiza[m] | Historically, the Barbican team's position is that the owner of the secret should be able to delete it at will regardless of who is using it. I want to say that the argument usually revolves around a break-glass scenario where the owner of the secret needs it to be removed "RIGHT NOW!" ... and forcing them to go through the process of deleting everything that is using it before they can delete it is burdensome. | 15:27 |
| dmendiza[m] | I don't remember off the top of my head what the current status is | 15:28 |
| dmendiza[m] | Personally, I would not be opposed to the change as long as we keep a --force or ?force=true parameter in the cli and api respecively to immediately delete a secret when required to do so. | 15:28 |
| tobias-urdin | the implementation i linked takes that into account and implements the `force` query parameter, so the owner can force it, but it's just not the default behaviour when calling the api | 15:28 |
| dmendiza[m] | Got it. I'll take a look then and leave my comments on the review. | 15:29 |
| tobias-urdin | the problem with it being soft in barbicanclient is that secret consumers is ignored by all third-party implementations, so we (as a community) need to implement it everywhere instead of enforcing it | 15:29 |
| tobias-urdin | dmendiza[m]: thanks! | 15:30 |
| dmendiza[m] | Anything else before we call it a day, y'all? | 15:34 |
| dmendiza[m] | Looks like we're done then. Thanks for joining! | 15:36 |
| dmendiza[m] | #endmeeting | 15:36 |
| opendevmeet | Meeting ended Mon Nov 10 15:36:48 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:36 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-11-10-15.00.html | 15:36 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-11-10-15.00.txt | 15:36 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-11-10-15.00.log.html | 15:36 |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!