20:02:40 <redrobot> #startmeeting barbican
20:02:41 <openstack> Meeting started Mon Mar 24 20:02:40 2014 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:02:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:02:44 <arunkant> o/
20:02:45 <openstack> The meeting name has been set to 'barbican'
20:03:08 <redrobot> As usual the agenda is available on the wiki
20:03:10 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:41 <redrobot> jraim was kind enough to let me chair this meeting again :)
20:04:08 <redrobot> let's start by reviewing the action items from last week's meeting
20:04:29 <redrobot> #topic Action Items Update
20:04:54 <redrobot> chadlung let's start with yours
20:05:12 <chadlung> redrobot: ok
20:05:14 <redrobot> I think we solved atiwari issues with the devstack gate from last week?
20:05:23 <atiwari> yep
20:05:54 <chadlung> yes, I troubleshot the issue on DevStack and then put the fix (via a comment) in Atiwari's CR
20:06:20 <redrobot> awesome.  so the devstack gate is currently voting as well right?
20:06:22 <atiwari> and the CR is merged too
20:06:26 <chadlung> correct
20:06:29 <atiwari> yep
20:06:37 <chadlung> yes, it's voting and the CR is merged
20:06:47 <redrobot> #info chadlung and atiwari worked through devstack gate issues
20:06:50 <chadlung> all our gates vote not
20:06:52 <chadlung> now
20:07:10 <redrobot> #info devstack gate is now a voting gate in addition to Python 2.6, 2.7 and pep8
20:07:39 <redrobot> cool, moving on
20:07:46 <malini> I have not had a chance to follow up on Barbican book chapter in OpenStack Security guide, http://docs.openstack.org/security-guide/security-guide.pdf
20:08:00 <malini> Later this week, sorry
20:08:04 <redrobot> malini no worries
20:08:32 <redrobot> #action malini still looking into adding Barbican to the OpenStack Security guide
20:08:37 <malini> BTW I voted +1 for atiwari's design summit entry for user level secrets
20:08:59 <redrobot> cool, yeah, that's next for the meeting agenda
20:09:02 <atiwari> thanks malini
20:09:20 <redrobot> codekobe do you have any updates on OpenStack Cookbooks?
20:09:24 <codekobe> yes
20:09:47 <codekobe> To add barbican cookbooks to the openstack cookbooks we would need to:
20:10:00 <codekobe> 1. Rename the cookbook to cookbook-openstack-key-management because openstack cookbooks are named after the service and not the project name.
20:10:11 <codekobe> 2. Refactor cookbooks to use the openstack common recipes for things like database creation, etc #link https://github.com/stackforge/cookbook-openstack-common
20:10:18 <codekobe> 3. Add the new cookbook repo to stackforge
20:10:27 <codekobe> 4. Update the openstack chef-repo #link https://github.com/stackforge/openstack-chef-repo to have the cookbook included in the Berksfile as well as add a role for barbican.
20:10:39 <codekobe> Step 2 looks very time consuming
20:10:48 <redrobot> yeah, that does sound like a lot of work
20:10:52 <codekobe> but probably not too bad
20:11:20 <woodster2> do they have to fit a certain chef design pattern?
20:11:35 <codekobe> it also looks like we need deployment of queues, dbs, etc to be sub recipes
20:11:48 <woodster2> …or just be added to the project is enough?
20:11:59 <codekobe> Well, they talk about separating out chef search like we do, but it doesn't look like all cookbooks adhere to that
20:12:39 <codekobe> woodster2 to switch to using the common cookbook looks like some work though
20:13:00 <codekobe> the common cookbook contains a lot of library functions and recipes for managing database users, endpoints, etc
20:13:10 <codekobe> so I think it would be important to refactor for that style
20:13:21 <codekobe> similar to using oslo in our python code base
20:13:56 <redrobot> sounds like something we'd want to tackle down the road, unless someone has free cycles to look at this
20:14:04 <woodster2> sounds like a juno or beyond effort
20:14:34 <codekobe> yes, i agree with that woodster2
20:14:38 <redrobot> #help we'd like to add Barbican to the OpenStack Cookbooks effort
20:15:12 <redrobot> just going to leave that as a call for help.  maybe some kind soul will take pity on us :)
20:15:13 <codekobe> #link https://github.com/cloudkeep-ops
20:15:29 <codekobe> previous link is where our cookbooks currently reside
20:16:02 <redrobot> on my end I did add a dogtag cookbook but it doesn't do anything yet
20:16:06 <redrobot> #link https://github.com/cloudkeep-ops/chef-dogtag
20:16:29 <redrobot> ok, moving on to the next item on the agenda
20:16:40 <redrobot> #topic Upcoming Design Sessions
20:16:59 <atiwari> redrobot, there was an action on me too
20:17:20 <redrobot> atiwari that's right, sorry I skimmed over that one
20:17:22 <atiwari> putting cr for crypto
20:17:32 <atiwari> and link: https://review.openstack.org/#/c/82189/
20:17:36 <atiwari> is in place
20:17:49 <atiwari> there are concerns from Paul
20:18:05 <atiwari> some addressed and waiting for his comments for rest
20:18:30 <redrobot> Yes, I did see that in the review.  I think Paul (reaperhulk) is out the next couple of days though.
20:18:57 <redrobot> Has anyone else had a chance to review atiwari's changes to the Plugin contract?
20:19:09 <atiwari> ok, would appreciate it if someone else looks into it
20:19:46 <woodster2> not yet, but I can shortly...
20:20:08 <redrobot> I was hoping alee would be here as he's also wanting to make some changes to the plugin contract as well
20:20:11 <malini> I shall take a look too
20:21:16 <redrobot> #action atiwari still working on crypto plugin interface changes.
20:21:28 <redrobot> we can revisit next week if we need to
20:21:44 <atiwari> just for fyi, this is holding me to progress on #link: https://blueprints.launchpad.net/barbican/+spec/api-orders-add-more-types
20:23:01 <atiwari> redrobot, next week I will not be there just for fyi.
20:23:08 <redrobot> atiwari yes, this seems like something we'll want to iron out.  Plugin contract changes affect the dev plugin, the PKCS11 plugin, and soon the DogTag plugin
20:23:40 <redrobot> atiwari noted.  Hopefully we can sort this out before the next meeting.
20:23:47 <atiwari> good
20:24:22 <redrobot> now, regarding the Design Sessions
20:24:32 <redrobot> #link http://summit.openstack.org/
20:24:56 <redrobot> I see atiwari has already added a few sessions there
20:25:20 <redrobot> does anyone else have any ideas for sessions we may want to have at the summit?
20:25:37 <redrobot> I like the session about Secret Isolation at User Level
20:25:40 <chadlung> We probably need to discuss the SSL
20:26:08 <chadlung> SSL Certs to be more precise
20:26:29 <chadlung> https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support
20:26:30 <joel-coffman> I've had some email exchanges with jraim
20:26:31 <atiwari> what about "Add more status to Barbican entities" ?
20:26:37 <woodster2> or generically, how to deal with workflow/orchestration type flows in barbican, to generate complete secrets such as SSL
20:27:02 <joel-coffman> we have a sponsor who is interested in supporting KMIP as a backend (like DogTag, PKCS11, etc.)
20:27:21 <woodster2> that would be an interesting plugin
20:27:24 <redrobot> chadlung that's a good point.  Do you want to add a design session to the page I linked so we can vote on it?
20:27:40 <chadlung> redrobot: sure
20:27:47 <atiwari> yes, may be good design session topic too
20:27:49 <atiwari> ?
20:28:21 <woodster2> we should probably add an auditing design session too
20:28:40 <redrobot> joel-coffman what kind of design session are you thinking?  one for a KMIP plugin specifically?  Or a more general "how to write a plugin" session?
20:28:56 <joel-coffman> KMIP plugin specifically
20:29:12 <atiwari> +1 joel-coffman
20:29:43 <redrobot> joel-coffman cool, would you mind adding that to the design session list ?
20:29:54 <redrobot> woodster2 auditing?
20:30:09 <woodster2> producing audit logs that is…probably needed for integration
20:30:28 <joel-coffman> no, I'd be happy to but it might take a week or two (need formal approval from sponsor)
20:30:49 <redrobot> ok, cool.  I'll add it as an action item
20:31:06 <redrobot> #action joel-coffman to add design session for a KMIP plugin
20:31:14 <joel-coffman> thanks!
20:31:23 <woodster2> very raw wiki discussion here: https://github.com/cloudkeep/barbican/wiki/Auditing
20:31:23 <redrobot> +1 woodster2
20:31:38 <malini> +1 audit design session
20:31:51 <woodster2> I can carve that one out
20:32:03 <malini> on the security track there is an accept for an audit solution, let's invite them to attend and vote :-) for this
20:32:10 <redrobot> #action woodster2 to add an auditing design session
20:32:19 <atiwari> any thoughts on #link http://summit.openstack.org/cfp/details/114?
20:33:57 <codekobe> atiwari, the PENDING status seems to make sense for secrets if the order request is async
20:33:57 <redrobot> atiwari do you think this would need a design session?  It seems to me this is something we could define before then.
20:34:15 <woodster2> atiwari: I think some of the status discussion will shake out of the SSL design work. The statuses there now are really just to deal with async behaviors
20:34:26 <atiwari> np
20:34:26 <codekobe> especially once we get into ssl certs etc
20:34:33 <atiwari> I am fine
20:34:46 <atiwari> redrobot, I am already working on  #link http://summit.openstack.org/cfp/details/115
20:34:57 <atiwari> do we need session on that?
20:35:07 <redrobot> yeah, I would think stuff like DEACTIVATED or SUSPENDED would be better as 4XX replies
20:35:55 <atiwari> redrobot, np, let me put an etherpad with my plan
20:35:58 <redrobot> atiwari that's a good question... not sure if we'd need a design session, unless we're unable to land that before then
20:36:17 <redrobot> atiwari for 115 that is
20:36:19 <atiwari> I think we are going good on that one
20:36:32 <atiwari> no, 114
20:36:42 <atiwari> 115 we are good
20:37:28 <malini> atiwari -- I do not understand "Ability to create access/secret key (for API HMAC-SHA1 signature generation)"
20:38:41 <atiwari> malini, it is used to generate tempurl for swift access
20:38:55 <atiwari> I will add some context in BP
20:39:42 <redrobot> #action atiwari to add more context to Additional Secret Statuses blueprint
20:40:19 <redrobot> ok guys, any other design summit session ideas we may want to talk about before moving on to the next agenda item?
20:41:36 <redrobot> moving on then...  don't forget to add comments or new design session ideas if you can think of any.
20:41:45 <redrobot> #topic Blueprints in Gerrit
20:41:57 <redrobot> I don't think jraim is around
20:42:05 <redrobot> but the idea here is to add a new gerrit repo
20:42:12 <redrobot> maybe something like barbican-blueprints
20:42:41 <redrobot> this way we could leverage Gerrit infrastructure to iterate on the blueprint design process
20:43:22 <arunkant> I have added one bp. The need came from attached bug. link# https://blueprints.launchpad.net/barbican/+spec/policy-target-support
20:43:59 <redrobot> this would allow for a better space than launchpad for comments/votes etc.  then once a blueprint is merged, it would be considered APPROVED
20:44:07 <redrobot> any thoughts on that?
20:44:46 <malini> +1 on blueprints in gerrit -- that better lends to community process
20:45:09 <redrobot> arunkant thanks for adding that blueprint.  do you have any thoughts on designing blueprints via Gerrit
20:45:47 <redrobot> malini I agree.   I like the idea.
20:45:52 <atiwari> blueprints on gerrit, that means we want to track changes on BP?
20:46:07 <atiwari> redrobot ^
20:46:33 <redrobot> atiwari not necessarily track the changes themselves, but to have a better way of collaborating on the blueprint
20:46:57 <atiwari> in my opinion, API change has to be in gerrit
20:47:05 <atiwari> BP does not make sense to me
20:47:27 <atiwari> thoughts?
20:47:32 <redrobot> atiwari noted.  jraim wanted me to toss this idea out there to see what you guys think about it
20:47:49 <codekobe> Wouldn't a proposed api change be inside of a blueprint?
20:48:03 <arunkant> redrobot . Is that standard practice in other openstack modules to have blueprints managed like this?
20:48:16 <atiwari> I have asked jraim to enable API change go through gerrit
20:48:24 <redrobot> codekobe I think what atiwari is talking about is having a git repo that is used to define the API, and any changes would go through gerrit
20:48:30 <redrobot> codekobe Keystone manages their API this way
20:48:32 <codekobe> ah ok
20:48:34 <atiwari> correct
20:48:48 <atiwari> I think BP is kind of raw stuff
20:49:06 <redrobot> atiwari I think jraim said that nova may possibly be doing that for BPs... I haven't looked into it though
20:50:00 <malini> atiwari -- BPs have a work list -- but it is primitive -- if commenter forgets to put name it, it goes, possible to wipe out others' data etc
20:50:32 <malini> but blueprints sometimes may have images -- not something gerrit may help with
20:50:36 <atiwari> malini, I don't have any issue with BP in gerrit
20:51:53 <redrobot> maybe we should reach out to the dev list to see if anyone else is using Gerrit for blueprint design
20:52:11 <atiwari> malini, are you talking about BP which is in wiki?
20:52:18 <atiwari> like #link:https://wiki.openstack.org/wiki/KeyManager
20:52:37 <atiwari> or #link https://blueprints.launchpad.net/barbican/
20:52:38 <atiwari> ?
20:53:28 <redrobot> atiwari the idea is to create a blueprint on launchpad, but to define the blueprint details in Gerrit
20:53:43 <atiwari> ok
20:54:01 <redrobot> atiwari we'll probably have to revisit this again next week
20:54:02 <malini> atiwari: https://blueprints.launchpad.net/barbican/ but you give specification url that points to a wiki
20:54:04 <atiwari> I am ok, as long as we have one process
20:54:17 <redrobot> atiwari ok cool, I'll let jraim know
20:54:20 <woodster1> it basically encourages community discussion and contributions on blueprints
20:54:32 <redrobot> so we're quickly running out of time for the meeting today
20:54:45 <atiwari> redrobot, before we finish I would like you guys to look in to https://review.openstack.org/#/c/81310/
20:55:09 <redrobot> atiwari I don't think we need to do this during the meeting ;)
20:55:11 <atiwari> Adding target support for policy enforcement by arun
20:55:38 <atiwari> correct, it is for after meeting
20:56:48 <redrobot> ok guys, thank you for coming to the meeting.  If there's anything else that comes up, please feel free to add it to the agenda.
20:58:01 <redrobot> #endmeeting