20:02:02 <redrobot> #startmeeting barbican
20:02:03 <openstack> Meeting started Mon Apr 21 20:02:02 2014 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:02:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:02:07 <openstack> The meeting name has been set to 'barbican'
20:02:23 <redrobot> welcome everyone to the Barbican weekly meeting
20:02:42 <redrobot> As usual the agenda can be found here:
20:02:45 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:22 <redrobot> Looks like we don't have much on the agenda for today
20:03:40 <redrobot> can I get a show of hands for the Barbican meeting?
20:03:54 <atiwari> I have 2 topic to discuss
20:03:57 <ryanpetrello> o/
20:04:00 <hgedikli> o/
20:04:01 <arunkant> o/
20:04:04 <reaperhulk> o/
20:04:05 <alee> o/
20:04:41 <reaperhulk> atiwari: not quite on topic but I just finished reviewing 82189. I've put some comments and removed my -2
20:04:54 <redrobot> awesome, lots of peeps here
20:05:08 <alee> I'd like to discuss my cr as well.
20:05:10 <atiwari> reaperhulk great
20:05:28 <redrobot> so in case y'all missed it, we released Icehouse last week
20:05:51 <redrobot> #link https://launchpad.net/barbican/icehouse/icehouse/
20:06:22 <redrobot> so we're working towards Juno on trunk now
20:06:46 <redrobot> atwiari, what are the topics you want to discuss?
20:07:22 <atiwari> I need some agreement on #link https://review.openstack.org/#/c/88463/
20:07:35 <atiwari> is the API proposal for order add more type
20:07:45 <lisaclark> o/
20:08:12 <woodster_> o/
20:08:19 <SheenaG1> o/
20:08:45 <atiwari> redrobot, can we hash out summit topics ?
20:09:04 <atiwari> those are my two agendas
20:09:07 <redrobot> #topic Order resource changes to support more types
20:09:22 <redrobot> atiwari, k, let's start with the order changes
20:09:30 <atiwari> sure
20:09:55 <redrobot> has anyone had a chance to review the CR?
20:10:00 <redrobot> I have not. :(
20:10:39 <atiwari> fyi, this API change proposal is based on #link https://gist.github.com/jfwood/9080109
20:11:13 <rellerreller> I looked at it
20:11:38 <atiwari> I discussed with woodster
20:11:50 <rellerreller> I left a comment about the asymmetric keys and how you would identify both private and public key
20:12:29 <atiwari> rellerreller I replied to your comment
20:12:43 <atiwari> we are going to provide ref to container
20:12:59 <atiwari> in container ther will be multiple refs to secrets
20:13:05 <atiwari> pub and priv
20:13:17 <rellerreller> Sounds good
20:14:29 <redrobot> yep, that's correct, the order resource will return a container ref, the container will specify which keys are private/public and if there's an associated passphrase
20:14:48 <atiwari> yep
20:15:07 <atiwari> in case of key type ther will be ref to one secret
20:15:24 <atiwari> line 138
20:15:28 <atiwari> example
20:16:16 <redrobot> anyone else have input on this?  Or do we need some time to review it?
20:16:44 <atiwari> redrobot, I am ok with more review
20:16:52 <redrobot> I assume we don't want to merge this?  Just use Gerrit for the review?
20:17:00 <atiwari> correct
20:17:16 <redrobot> it would be a good candidate for either an API repo, or for starting our blueprint repo...
20:17:24 <atiwari> I did not find other way to go through review
20:17:39 <redrobot> atiwari, no worries, I don't think we have anything in place right now
20:17:46 <atiwari> redrobot we need a sepoarate repo
20:18:12 <atiwari> redrobot I have stared imp in that direction. just for FYI
20:18:27 <atiwari> which is #link https://review.openstack.org/#/c/87405/
20:18:36 <atiwari> not ready for review
20:18:52 <woodster_> I'm hopeful we can discuss these design concepts in more detail at the openstack conf as well.
20:19:27 <atiwari> yep, can be keep ball rolling till the summit :)
20:20:11 <redrobot> Ok, looks like there's no more comments on this for now, let's move on to talk about alee's changes to crypto plugin
20:20:22 <redrobot> #topic Crypto plugin changes (DogTag)
20:20:37 <redrobot> alee did you want to talk about this?
20:20:51 <alee> cool - it looks like my changes to the crypto plugin interfac went in today  - yay :)
20:21:08 <alee> now there is also a cr out there for the dogtag plugin itself
20:21:09 <redrobot> #link https://review.openstack.org/#/c/84329/
20:21:12 <redrobot> sure did
20:21:20 <alee> has anyone had a chance to review it ?
20:21:37 <alee> I noticed that atiwari did and chadlung
20:22:17 <alee> https://review.openstack.org/#/c/85137/
20:22:30 <reaperhulk> I am reviewing it right now alee, but am not done
20:22:39 <woodster_> me too
20:22:45 <atiwari> alee, it mostly looks good to me just one comment. which is already not a blocker
20:22:58 <atiwari> as per community members
20:23:03 <alee> atiwari, the unit tests?
20:23:13 <atiwari> we need those
20:23:18 <atiwari> unit test
20:23:19 <alee> atiwari, I plan to add those as a separate cr
20:23:31 <atiwari> why separate
20:23:36 <atiwari> ?
20:23:52 <atiwari> separate does not make sense to me
20:24:24 <alee> doesn't have to be, I can work on them concurrently.  The thing is that in order to run the unit tests as part of the build say, we need to be able to install a drm
20:24:55 <atiwari> we can mock it.
20:25:16 <atiwari> you don't need drm for unit test
20:26:00 <atiwari> we don't need a integration test with DRM
20:26:09 <alee> yes - I suppose we could - I suppose I can create some mock tests
20:26:23 <woodster_> atiwari: similar to the test_p11_crypto.py test you mean?
20:26:37 <alee> although its not clear how valuable such tests would be
20:26:50 <atiwari> yes
20:27:08 <atiwari> alee, I think unit tests are really valuable
20:27:33 <reaperhulk> Mocks are of substantially less value than a typical unit test, but I'd like to see some way to do some testing
20:27:36 <woodster_> we have been trying to get close to 100% code coverage on crypto tests
20:27:50 <woodster_> that is not a gating requirement though
20:28:23 <lisaclark> do we have any gating requirement to ensure our code coverage doesn't drop below its current level?
20:28:45 <reaperhulk> At this time we do not gate on that, no. We implicitly gate on it during code review though :)
20:29:06 <alee> atiwari, I can provide some mock tests.  I just figured that the unit test wasn't really valuable without a real drm.
20:29:22 <alee> but if it helps move things forward then I'll add them.
20:29:51 <atiwari> alee, In that case it will not be a unit test. in my opinion
20:30:11 <alee> atiwari, fair enough :/  I'll add them.
20:30:27 <woodster_> it can be helpful to exercise the business logic in there, to alert of regressions
20:30:37 <atiwari> correct
20:31:06 <atiwari> I think we have an agreement here :)
20:31:22 <redrobot> #agreed mock tests for dogtag plugin would be helpful
20:31:34 <alee> (and I'll add them)
20:31:53 <alee> now -- to discuss integration with a real drm ...
20:32:08 <redrobot> k
20:32:46 <alee> so if I recall correctly someone had started some work on a recipe to insatll a drm
20:33:07 <redrobot> yes... we'll it's more of an empty repo at the moment
20:33:10 <redrobot> #link https://github.com/cloudkeep-ops/chef-dogtag
20:33:38 <alee> we probably need to revive that effort for the purpose of actually adding a drm tot he integration tests
20:34:10 <woodster_> alee: do you mean devstack tests?
20:34:34 <woodster_> …or true integration with drm testing?
20:34:41 <redrobot> I think integration tests would be CloudCAFE or Tempest?
20:34:55 <alee> woodster_, well, thats part of my question actually.  what testing should involve a real drm?
20:35:25 <alee> devstack testing?  cloud cafe or tempest?
20:36:04 <woodster_> can it be installed without an HSM, and as a separate module from dogtag?
20:36:08 <redrobot> I don't think standing up DogTag would be necessary for DevStack gates
20:36:33 <alee> woodster_, it can be done without hsm
20:36:58 <alee> woodster_, in that case, drm will use a software based nss certdb
20:37:02 <alee> for its certs
20:37:39 <alee> so for my testing -- this is what I did ..
20:38:00 <redrobot> my preference would be to stand up a dogtag instance and run a full CloudCAFE/Tempest suite against it
20:38:33 <redrobot> is jvrbanac around?  I'd like to hear his thoughts on this
20:38:56 <alee> created a python virtual env, copied over the relevant dogtag python libs in the virtual envrionment and ran barbican.sh
20:39:18 <alee> and then did some testing by passing in requests to the barbican server
20:39:28 <alee> through curl
20:39:41 <alee> obviously thats all very manual ..
20:40:31 <redrobot> yeah, I think it would be awesome to kick off an automated job that would spin up DogTag and run a full regression suite on jenkins.cloudkeep.io
20:40:58 <alee> redrobot, thats the cloudcafe stuff?
20:41:40 <jvrbanac> alee, currently yes. We need to start getting these things into Tempest
20:42:15 <jvrbanac> I think we need to have a more extended discussion about this
20:42:43 <redrobot> jvrbanac hash it out at the summit maybe?
20:42:57 <alee> redrobot, jvrbanac that sounds good to me.  I'm not very familiar with the whole structure of the cloud cafe tests and with recipes.  Is there anyone who will be able to work with me on this?
20:43:27 <woodster_> alee: did you want to try get those cookbooks working in your environment to exercise things?
20:43:44 <alee> woodster_, I think that would be a great idea
20:44:16 <atiwari> If we are done with this topic, can I raise one?
20:44:32 <woodster_> Chad has been updating documents on the wiki here: https://wiki.openstack.org/wiki/Barbican#Automation_Details
20:44:58 <alee> redrobot, we can certainly hash things out more at the summit.  but thats awhile from now.  we can get a great deal accomplished if I can get someone to work with me on this the next couple of weeks.
20:44:59 <woodster_> we can discuss details outside of the meeting if you'd like
20:45:12 <alee> woodster_, sure
20:45:26 <redrobot> alee, jvrbanac is our resident CloudCAFE/Tempest expert.  I think he'd be the best person to help you out with this
20:46:03 <alee> ok -- jvrbanac I'll be pinging you :)
20:46:05 <woodster_> yep, so phase 1 would be getting the cookbooks working in your env. phase 2 woudl be the automation/deployemnt/testing part
20:46:08 <jvrbanac> alee, cool
20:47:35 <atiwari> Arunkant has posed as cr #link https://review.openstack.org/#/c/81310/ for BP #link https://blueprints.launchpad.net/barbican/+spec/policy-target-support. Waiting for  blessings from you guys.
20:48:05 <atiwari> any one looked at it?
20:48:26 <arunkant> I have started etherpad for discussion..https://etherpad.openstack.org/p/barbican-policy-target-support
20:49:07 <woodster_> My concern was that we plan to remove the project-id from the REST URI
20:49:23 <redrobot> #topic Policy changes
20:49:28 <woodster_> …so the specific purpose of this change (to replace the project-ID check) would not be required
20:50:13 <atiwari> woodster_ that is really good idea I am wokong on API proposal for removing tenant_id
20:50:44 <woodster_> it seems like a lot of code change for that purpose. It might be helpful for other policy purposes as Adam mentions in comments, but I don't think it is needed right now though
20:50:49 <atiwari> woodster_ even though you need this for authz purpose
20:51:46 <woodster_> You couldn't auth-n without the right token/project-id combo, so the auth-z part is just enforcing RBAC
20:52:02 <atiwari> woodster_ we can has out the tenant_id less API uris first. is that what you are thinking ?
20:52:03 <arunkant> It started as the change for that bug..but having target support will be foundation for user isolation work later. This way of policy enforcement is used in number of openstack projects
20:53:01 <atiwari> woodster_, correct but within on project multiple use case get token
20:53:41 <woodster_> is the user isolation feature planned to be available in keystone v3?
20:53:54 <atiwari> it is already there
20:54:01 <atiwari> in v3
20:54:39 <woodster_> ok, that makes sense then
20:54:40 <arunkant> this is more of isolation of barbican entities at user level and enforcing authz
20:55:16 <woodster_> can the rest of the team proceed on review then?
20:55:28 <redrobot> will do.
20:55:42 <atiwari> great
20:55:50 <redrobot> #agreed policy changes should be reviewed and merged
20:55:57 <arunkant> Will be helpful to get inputs from team..thanks
20:56:24 <redrobot> ok, guys, running out of time for this one.
20:56:38 <redrobot> atiwari, we'll have to revisit summit topics next time.
20:56:48 <arunkant> Can we tie this to milestone target in Juno?
20:56:48 <atiwari> ok
20:58:01 <redrobot> arunkant, yeah. all new CRs will be targeting juno-1
20:58:09 <atiwari> woodster_ and all, just FYI.. , soon I will submit API change proposal for tenant_id less rest API. ping you guys
20:58:22 <redrobot> time flies when you're having fun. :)
20:58:44 <redrobot> I think that's all the time we have this week.  Be sure to update the wiki if you guys have any topics for next week.
20:58:51 <redrobot> #endmeeting