20:02:48 <redrobot> #startmeeting barbican
20:02:50 <openstack> Meeting started Mon Mar 31 20:02:48 2014 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:02:51 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:02:53 <openstack> The meeting name has been set to 'barbican'
20:03:18 <redrobot> as usual our agenda is here
20:03:22 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:57 <redrobot> first, let's follow up on some action items
20:04:09 <redrobot> hi malini
20:04:34 <malini> hello~
20:05:06 <redrobot> malini would you like to update us on adding Barbican to the OpenStack security guide?
20:05:34 <malini> I created a blueprint, but last week's OSSG meeting did not happen
20:05:42 <malini> So no "approved" yet
20:06:05 <redrobot> cool, do you have a link to the blueprint handy?
20:06:20 <malini> in a few minutes
20:06:30 <redrobot> malini thanks
20:07:03 <redrobot> #info malini is making progress on adding Barbican to OpenStack security guide.
20:07:55 <malini> https://blueprints.launchpad.net/openstack-manuals/+spec/security-guide-key-management
20:08:06 <redrobot> #link https://blueprints.launchpad.net/openstack-manuals/+spec/security-guide-key-management
20:08:45 <redrobot> ok, let's move on to the only item on the agenda today
20:08:54 <codekobe> o/
20:09:10 <redrobot> #topic Crypto plugin contract changes
20:10:21 <redrobot> #link https://blueprints.launchpad.net/barbican/+spec/update-crypto-plugin-interface
20:12:03 <alee_> redrobot, so - yeah -- as I mentioned on irc, I have a patch that implements these changes
20:12:04 <redrobot> I think we've agreed that we want to keep Secret out of the plugin contract
20:12:19 <alee_> and was about to submit it for review ..
20:12:32 <alee_> till i just spoke with you and reaperhulk :)
20:12:40 <alee_> a few minutes ago.
20:12:59 <alee_> I agree to creating a dto to pass the data over
20:13:07 <alee_> and will make that change
20:13:19 <redrobot> #agreed DTO should be used to pass data to plugin
20:13:20 <redrobot> awesome
20:13:28 <redrobot> thanks alee_
20:13:41 <redrobot> reaperhulk do you want to add anything?
20:14:05 <alee_> no worries .. I'll submit as soon as I set up cloudcafe to do some basic testing
20:14:08 <malini> DTO ?
20:14:20 <reaperhulk> Once we have an actual PR to look at I might have a bit more to say but I think we're all on the same page right now
20:14:22 <redrobot> #info DTO = data transfer object
20:14:33 <malini> :-) thank you
20:14:51 <redrobot> malini there's a dto parameter that is currently passed to the crypto plugin
20:15:16 <redrobot> looks like atiwari isn't here today
20:15:42 <malini> redrobot: atiwari had mentioned he would be out this week
20:15:43 <redrobot> he was also thinking about some changes that may be needed
20:15:59 <redrobot> malini that's right, thanks.
20:16:28 <rellerreller> So there will just be an encrypt and decrypt method?
20:16:45 <rellerreller> And the repo will just store the result returned from encrypt?
20:17:37 <alee_> as I understand it, there will still be an encrypt(), decrypt() and generate() method
20:17:38 <redrobot> rellerreller there's a couple more
20:17:50 <redrobot> also a supports method
20:17:53 <redrobot> #link rellerreller https://github.com/stackforge/barbican/blob/master/barbican/crypto/plugin.py#L85
20:18:08 <redrobot> #link https://github.com/stackforge/barbican/blob/master/barbican/crypto/plugin.py#L85
20:18:32 <redrobot> generate would return the same thing that encrypt does
20:18:36 <rellerreller> Thanks!
20:18:40 <alee_> but the generate() method will actually do what the old create() and encrypt() methods used to do.
20:19:11 <redrobot> ^^ yep. this way the plugin manager doesn't need to see the secret data before encrypting it
20:19:33 <malini> alee: won't we have to keep the "create" method for backwards compatibility
20:19:34 <redrobot> or before it is encrypted by the plugin, I should say
20:20:08 <redrobot> malini there's only two implementations of a plugin now that we're aware of
20:20:11 <alee_> reaperhulk, redrobot ^^ do I need to worry about backwards compatibility?
20:20:39 <redrobot> the plan is to fix the existing implementations, unless we know of a current implementation that needs the backwards compatibility
20:21:10 <malini> :-) there are some advantages for a fresh new project
20:21:21 <reaperhulk> yep
20:21:24 <annegentle> malini: what's the blueprint link? Can I approve? :)
20:21:53 <annegentle> malini: ah you have Bryan as approver
20:22:00 <redrobot> annegentle https://blueprints.launchpad.net/barbican/+spec/update-crypto-plugin-interface
20:22:01 <annegentle> malini: no biggie
20:22:14 <malini> annegentle: would you approve, that works too
20:22:30 <annegentle> malini: not sure if it's in the scope right now, considering it's just incubating, not integrated
20:22:37 <annegentle> malini: so have to think about that.
20:22:59 <annegentle> malini: can you write the chapter in the barbican doc set in such a way that it's easily placed later?
20:23:08 <malini> we had a page plus last summer as "coming soon to a theatre near you"
20:23:32 <alee_> on the same topic, then - I have a patch that will do basic integration with the dogtag drm for key generation and retrieval. I'll be submitting that soon as wip so folks can start poking at it.
20:23:34 <annegentle> malini: sure but it's not in an integrated release, so install isn't yet guaranteed
20:23:41 <malini> sure, that makes sense
20:23:47 <annegentle> malini: so it'd be great to get a chapter that can be later integrated
20:24:23 <redrobot> annegentle oh sorry, you probably wanted this https://blueprints.launchpad.net/openstack-manuals/+spec/security-guide-key-management
20:24:32 <malini> absolutely, redrobot and self shall work on it
20:25:09 <annegentle> malini: redrobot: yeah thanks, sorry I was a bit behind your agenda!
20:25:13 <annegentle> Carry on please :)
20:25:40 <redrobot> #action alee_ will upload WIP change to plugin
20:25:52 <alee_> but we should start thinking about other tasks -- like a recipe to get a drm installed, and changes in the barbican client.
20:26:11 <alee_> any idea when folks will be able to start working on those tasks?
20:27:02 <redrobot> alee_ not entirely sure. jraim would be able to speak on that
20:27:08 <malini> In 4 weeks we should get another Intel person on board to work on Barbican, our team is growing
20:27:27 <redrobot> we do have a repo for a drm cookbook, but it's just a skeleton right now
20:27:39 <redrobot> #link https://github.com/cloudkeep-ops/chef-dogtag
20:28:27 <redrobot> #help we need someone to cook up a dogtag drm recipe
20:28:56 <redrobot> any other thoughts on this before we move on?
20:29:16 <redrobot> malini that's great news :)
20:29:36 <alee_> I can ping jraim later in the week when he's not on a flight ..
20:30:17 <redrobot> yep, that'll work. i'm sure he'll be checking the meeting logs later
20:30:29 <malini> Bryan Payne approved our key manager chapter blueprint :-)
20:31:20 <bdpayne> :-)
20:31:33 <redrobot> woot!
20:32:15 <bdpayne> I'd like to work with you guys to flesh out some good content, but I really like the idea of adding more on Barbican to the book
20:32:25 <bdpayne> feel free to loop me into the writing process
20:33:12 <malini> Sounds good~
20:34:13 <redrobot> ok, moving on guys. does anyone have any other topics they'd like to discuss?
20:35:56 <arunkant> Is it okay to discuss other blueprints, or is that handled outside of this meeting?
20:36:36 <redrobot> arunkant I think this is a good venue for talking about blueprints
20:36:41 <redrobot> #topic Blueprints
20:36:53 <redrobot> arunkant what's up?
20:37:12 <arunkant> I have added this bp. #link https://blueprints.launchpad.net/barbican/+spec/policy-target-support
20:37:43 <arunkant> This is added as part of addressing https://bugs.launchpad.net/barbican/+bug/1291073
20:38:58 <redrobot> #link https://review.openstack.org/#/c/81310/
20:39:56 <redrobot> yes, I've started looking into the CR, although I must confess I'm not as familiar with oslo policy as you are, so it's taken me a while to spin up on it
20:40:23 <redrobot> i think woodster and reaperhulk had some concerns about the change
20:41:15 <arunkant> Yes.. I have tried to answer woodster's concern.. let me check the other concern as I had not seen it earlier in the morning..
20:41:40 <reaperhulk> I didn't post anything against the CR arunkant. I believe woodster probably captured my concerns since we talked a bit about it a few days ago
20:43:10 <arunkant> okay. I have tried to explain the intent in the blueprint by providing cases where the ability to validate and use target data in a policy rule is useful
20:43:15 <malini> will we need to preserve as metadata with our keys access credentials <domain, tenant, user> <foo, foo-finance, *> type stuff
20:43:24 <redrobot> unfortunately woodster couldn't make it to the meeting this week. He should be on the barbican IRC channel later though. I'll try to ping him if I see him.
20:43:42 <malini> and then compare against the token's particulars
20:44:18 <malini> i think atiwari had a design summit session, we need to design this well, then the policy from Oslo could be applied
20:45:29 <rellerreller> Are there any blueprints that allow secrets to store arbitrary metadata?
20:45:41 <malini> and handle token delegation -- confess I do not know much about delegation
20:46:31 <malini> Swift objects, volumes, images all allow storing metadata .. may need to take that path
20:46:51 <rellerreller> We are going to propose a blueprint and that is the first step
20:47:02 <arunkant> This way of target support is used in other openstack modules e.g. keystone, horizon, glance etc..
20:47:02 <malini> will check as pertains to access
20:49:10 <redrobot> rellerreller Yeah, blueprint would be the first step
20:49:34 <rellerreller> Cool, hopefully we can get that out soon
20:52:13 <redrobot> arunkant we'll have to follow up on the CR after the meeting.
20:52:29 <redrobot> whew, look at the time
20:53:04 <arunkant> okay.
20:54:06 <redrobot> ok guys, we're running out of time for the meeting this week.
20:54:37 <redrobot> #action rellerreller to add blueprint for adding arbitrary metadata
20:54:52 <redrobot> we'll follow up on blueprints again next meeting
20:55:02 <redrobot> any last comments before we sign off?
20:55:03 <rellerreller> I'm on it
20:56:29 <redrobot> Alrighty guys, see y'all back here next week. ^_^
20:56:30 <redrobot> #endmeeting