20:02:48 <redrobot> #startmeeting barbican
20:02:50 <openstack> Meeting started Mon Mar 31 20:02:48 2014 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:02:51 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:02:53 <openstack> The meeting name has been set to 'barbican'
20:03:18 <redrobot> as usual our agenda is here
20:03:22 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:57 <redrobot> first, let's follow up on some action items
20:04:09 <redrobot> hi malini
20:04:34 <malini> hello~
20:05:06 <redrobot> malini would you like to update us on adding Barbican to the OpenStack security guide?
20:05:34 <malini> I created a blueprint, but last week's OSSG meeting did not happen
20:05:42 <malini> So no "approved" yet
20:06:05 <redrobot> cool, do you have a link to the blueprint handy?
20:06:20 <malini> in a few minutes
20:06:30 <redrobot> malini thanks
20:07:03 <redrobot> #info malini is making progress on adding Barbican to OpenStack security guide.
20:07:55 <malini> https://blueprints.launchpad.net/openstack-manuals/+spec/security-guide-key-management
20:08:06 <redrobot> #link https://blueprints.launchpad.net/openstack-manuals/+spec/security-guide-key-management
20:08:45 <redrobot> ok, let's move on to the only item on the agenda today
20:08:54 <codekobe> o/
20:09:10 <redrobot> #topic Crypto plugin contract changes
20:10:21 <redrobot> #link https://blueprints.launchpad.net/barbican/+spec/update-crypto-plugin-interface
20:12:03 <alee_> redrobot, so - yeah -- as I mentioned on irc, I have a patch that implements these changes
20:12:04 <redrobot> I think we've agreed that we want to keep Secret out of the plugin contract
20:12:19 <alee_> and was about to submit it for review ..
20:12:32 <alee_> till i just spoke with you and reaperhulk :)
20:12:40 <alee_> a few minutes ago.
20:12:59 <alee_> I agree to creating a dto to pass the data over
20:13:07 <alee_> and will make that change
20:13:19 <redrobot> #agreed DTO should be used to pass data to plugin
20:13:20 <redrobot> awesome
20:13:28 <redrobot> thanks alee_
20:13:41 <redrobot> reaperhulk do you want to add anything?
20:14:05 <alee_> no worries .. I'll submit as soon as I set up cloudcafe to do some basic testing
20:14:08 <malini> DTO ?
20:14:20 <reaperhulk> Once we have an actual PR to look at I might have a bit more to say but I think we're all on the same page right now
20:14:22 <redrobot> #info DTO = data transfer object
20:14:33 <malini> :-) thank you
20:14:51 <redrobot> malini there's a dto parameter that is currently passed to the crypto plugin
20:15:16 <redrobot> looks like atiwari isn't here today
20:15:42 <malini> redrobot:atiwari had mentioned he would be out this week
20:15:43 <redrobot> he was also thinking about some changes that may be needed
20:15:59 <redrobot> malini that's right, thanks.
20:16:28 <rellerreller> So there will just be an encrypt and decrypt method?
20:16:45 <rellerreller> And the repo will just store the result returned from encrypt?
20:17:37 <alee_> as I understand it, there will still be an encrypt(), decrypt() and generate() method
20:17:38 <redrobot> rellerreller there's a couple more
20:17:50 <redrobot> also a supports method
20:17:53 <redrobot> #link rellerreller https://github.com/stackforge/barbican/blob/master/barbican/crypto/plugin.py#L85
20:18:08 <redrobot> #link https://github.com/stackforge/barbican/blob/master/barbican/crypto/plugin.py#L85
20:18:32 <redrobot> generate would return the same thing that encrypt does
20:18:36 <rellerreller> Thanks!
20:18:40 <alee_> but the generate() method will actually do what the old create() and encrypt() methods used to do.
20:19:11 <redrobot> ^^ yep.  this way the plugin manager doesn't need to see the secret data before encrypting it
20:19:33 <malini> alee: won't we have to keep the "create" method for backwards compatibility?
20:19:34 <redrobot> or before it is encrypted by the plugin, I should say
20:20:08 <redrobot> malini there's only two implementations of a plugin now that we're aware of
20:20:11 <alee_> reaperhulk, redrobot ^^ do I need to worry about backwards compatibility?
20:20:39 <redrobot> the plan is to fix the existing implementations, unless we know of a current implementation that needs the backwards compatibility
20:21:10 <malini> :-) there are some advantages for a fresh new project
20:21:21 <reaperhulk> yep
20:21:24 <annegentle> malini: what's the blueprint link? Can I approve? :)
20:21:53 <annegentle> malini: ah you have Bryan as approver
20:22:00 <redrobot> annegentle https://blueprints.launchpad.net/barbican/+spec/update-crypto-plugin-interface
20:22:01 <annegentle> malini: no biggie
20:22:14 <malini> annegentle: would you approve, that works too
20:22:30 <annegentle> malini: not sure if it's in the scope right now, considering it's just incubating, not integrated
20:22:37 <annegentle> malini: so have to think about that.
20:22:59 <annegentle> malini: can you write the chapter in the barbican doc set in such a way that it's easily placed later?
20:23:08 <malini> we had a page plus last summer as "coming soon to a theatre near you"
20:23:32 <alee_> on the same topic, then - I have a patch that will do basic integration with the dogtag drm for key generation and retrieval.  I'll be submitting that soon as wip so folks can start poking at it.
20:23:34 <annegentle> malini: sure but it's not in an integrated release, so install isn't yet guaranteed
20:23:41 <malini> sure, that makes sense
20:23:47 <annegentle> malini: so it'd be great to get a chapter that can be later integrated
20:24:23 <redrobot> annegentle oh sorry, you probably wanted this https://blueprints.launchpad.net/openstack-manuals/+spec/security-guide-key-management
20:24:32 <malini> absolutely, redrobot and self shall work on it
20:25:09 <annegentle> malini: redrobot: yeah thanks, sorry I was a bit behind your agenda!
20:25:13 <annegentle> Carry on please :)
20:25:40 <redrobot> #action alee_ will upload WIP change to plugin
20:25:52 <alee_> but we should start thinking about other tasks -- like a recipe to get a drm installed, and changes in the barbican client.
20:26:11 <alee_> any idea when folks will be able to start working on those tasks?
20:27:02 <redrobot> alee_ not entirely sure.  jraim would be able to speak on that
20:27:08 <malini> In 4 weeks we should get another Intel person on board to work on Barbican, our team is growing
20:27:27 <redrobot> we do have a repo for a drm cookbook, but it's just a skeleton right now
20:27:39 <redrobot> #link https://github.com/cloudkeep-ops/chef-dogtag
20:28:27 <redrobot> #help we need someone to cook up a dogtag drm recipe
20:28:56 <redrobot> any other thoughts on this before we move on?
20:29:16 <redrobot> malini that's great news :)
20:29:36 <alee_> I can ping jraim later in the week when he's not on a flight ..
20:30:17 <redrobot> yep, that'll work.  i'm sure he'll be checking the meeting logs later
20:30:29 <malini> Bryan Payne approved our key manager chapter blueprint :-)
20:31:20 <bdpayne> :-)
20:31:33 <redrobot> woot!
20:32:15 <bdpayne> I'd like to work with you guys to flush out some good content, but I really like the idea of adding more on Barbican to the book
20:32:25 <bdpayne> feel free to loop me into the writing process
20:33:12 <malini> Sounds good~
20:34:13 <redrobot> ok, moving on guys.  does anyone have any other topics they'd like to discuss?
20:35:56 <arunkant> Is it okay to discuss other blueprints or is that handled outside of this meeting?
20:36:36 <redrobot> arunkant I think this is a good venue for talking about blueprints
20:36:41 <redrobot> #topic Blueprints
20:36:53 <redrobot> arunkant what's up?
20:37:12 <arunkant> I have added this bp. #link https://blueprints.launchpad.net/barbican/+spec/policy-target-support
20:37:43 <arunkant> This is added as part of addressing https://bugs.launchpad.net/barbican/+bug/1291073
20:38:58 <redrobot> #link https://review.openstack.org/#/c/81310/
20:39:56 <redrobot> yes, I've started looking into the CR, although I must confess I'm not as familiar with oslo policy as you are, so it's taken me a while to spin up on it
20:40:23 <redrobot> i think woodster and reaperhulk had some concerns about the change
20:41:15 <arunkant> Yes.. I have tried to answer woodster's concern... let me check the other concern as I have not seen it earlier in the morning..
20:41:40 <reaperhulk> I didn't post anything against the CR arunkant. I believe woodster probably captured my concerns since we talked a bit about it a few days ago
20:43:10 <arunkant> okay. I have tried to explain the intent in blueprint by providing cases where ability to validate and use target data in policy rule is useful
20:43:15 <malini> will we need to preserve as meta data with our keys access credentials <domain, tenant, user>   <foo, foo-finance, *> type stuff
20:43:24 <redrobot> unfortunately woodster couldn't make it to the meeting this week.  He should be on the barbican IRC channel later though.  I'll try to ping him if I see him.
20:43:42 <malini> and then compare against the token's particulars
20:44:18 <malini> i think atiwari had a design summit session, we need to design this well, then the policy from Oslo could be applied
20:45:29 <rellerreller> Are there any blueprints that allow secrets to store arbitrary metadata?
20:45:41 <malini> and handle token delegation -- confess I do not know much about delegation
20:46:31 <malini> Swift objects, volumes, images all allow storing meta data .. may need to take that path
20:46:51 <rellerreller> We are going to propose a blueprint and that is the first step
20:47:02 <arunkant> This way of target support is used in other openstack modules e.g. keystone, horizon, glance etc..
20:47:02 <malini> will check as pertains to access
20:49:10 <redrobot> rellerreller Yeah, blueprint would be the first step
20:49:34 <rellerreller> Cool, hopefully we can get that out soon
20:52:13 <redrobot> arunkant we'll have to follow up on the CR after the meeting.
20:52:29 <redrobot> whew, look at the time
20:53:04 <arunkant> okay.
20:54:06 <redrobot> ok guys, we're running out of time for the meeting this week.
20:54:37 <redrobot> #action rellerreller to add blueprint for adding arbitrary metadata
20:54:52 <redrobot> we'll follow up on blueprints again next meeting
20:55:02 <redrobot> any last comments before we sign off?
20:55:03 <rellerreller> I'm on it
20:56:29 <redrobot> Alrighty guys, see y'all back here next week. ^_^
20:56:30 <redrobot> #endmeeting