| -opendevstatus- | NOTICE: The Gerrit service on review.opendev.org will be offline briefly to upgrade to a newer 3.11 patch release and apply some configuration updates in preparation for an upgrade to 3.12 in the near future | 16:39 |
|---|---|---|
| melwitt | dansmith: I'm going over your comments but something unrelated to the review that I keep forgetting is that barbican secrets when created default to having project_access=true which means the permission is for the project, not only the user | 17:43 |
| dansmith | really? I thought it was the opposite | 17:44 |
| melwitt | so I'm thinking I wonder if the doc for vTPM might be a bit misleading since it says "owned by the user" because it's really owned by the user and its project | 17:44 |
| melwitt | I had thought so too but apparently not. not sure if it's always been like that or if something could have changed | 17:45 |
| dansmith | either way, it doesn't matter from the perspective of the admin, which is the one doing the live migrating right? I guess I'm not sure which of my comments is yielding this clarification though... | 17:46 |
| melwitt | that's right | 17:47 |
| melwitt | it's not, it's just something I thought of while I was adding 'user' support and wanted to mention it to you in case it made you think anything different | 17:47 |
| dansmith | ah okay | 17:48 |
| dansmith | well, I thought ade told us the opposite a long while back, but fair enough.. not sure that "owned by the user" would mean anything other than "...and the project" to most readers since that's the default for most resources, | 17:49 |
| dansmith | unless we say "and NOT the project" somewhere | 17:49 |
| dansmith | but not opposed to clarifying in the docs (of course) either way | 17:49 |
| dansmith | where is that default set or overridden? | 17:49 |
| dansmith | like, barbican-side or us as the client? | 17:50 |
| melwitt | dansmith: I saw the doc here while I was writing a tempest test for 'user' that adds the admin via ACL https://docs.openstack.org/api-guide/key-manager/acls.html#default-acl but I will go see if I can find where that is actually defaulted | 19:00 |
| melwitt | looks like it is defaulted to true in the ACL model https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L1243 and the ACL object https://opendev.org/openstack/barbican/src/branch/master/barbican/objects/secret_acl.py#L32 so I guess the question is, does every created secret get an ACL record automatically or does that only happen if the ACL API is called | 19:10 |
| melwitt | I also don't see any way to create a secret and specify private from the get go https://docs.openstack.org/barbican/latest/api/reference/secrets.html so I guess in order to avoid a window where the ACL is open to the project, you would have to 1) create a metadata-only secret 2) create an ACL with project_access=false 3) PUT the payload to the metadata-only secret | 19:14 |
| melwitt | maybe I'm not understanding this right | 19:14 |
| dansmith | hmm, well, (a) if it's server-side we should probably avoid any statements in our docs about "how it is" and (b) maybe we should ask just to make sure | 19:17 |
| dansmith | I was thinking there was also a "nobody (not even the owner) can see it until it has an ACL of some kind" | 19:18 |
| dansmith | like maybe the owner can always ACL it, but can't read it until they give themselves that permission? | 19:18 |
| dansmith | kinda like unix ownership.. I can remove my own read access, but I can always give it back to myself if I own it | 19:18 |
| melwitt | yeah I dunno :/ | 19:18 |
| melwitt | yeah I agree, "how it is" could change. also I guess we could do whatever explicitly but that's not been the behavior up to now, so I would hesitate to change it if it's operating in a way that vtpm users are fine with | 19:20 |
| melwitt | and yeah, it would be nice to ask if there is someone who could explain all the details | 19:20 |