20:04:49 <chellygel> #startmeeting Barbican 20:04:50 <openstack> Meeting started Mon Jan 12 20:04:49 2015 UTC and is due to finish in 60 minutes. The chair is chellygel. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:04:51 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:04:54 <openstack> The meeting name has been set to 'barbican' 20:04:58 <hockeynut> ^C mob load aborted 20:05:00 <jaosorior> yay 20:05:05 <chellygel> #topic rollcall 20:05:07 <rm_work> \o/ 20:05:08 <tkelsey> o/ 20:05:10 <hockeynut> o/ 20:05:12 <jvrbanac> o/ 20:05:14 <elmiko_mbl> o/ 20:05:18 <woodster_> o/ 20:05:22 <hyakuhei> o/ 20:05:26 <tsv> o/ 20:05:47 <chellygel> hey everyone. .. uhh 20:05:58 <chellygel> "Thats a lot of barbicaneers today" 20:06:02 <jaosorior> o/ 20:06:13 <chellygel> "as usual, you can find the agenda for today's meeting here: https://wiki.openstack.org/wiki/Meetings/Barbican" 20:06:22 <jaosorior> chellygel: lol, really? 20:06:30 <rellerreller> o/ 20:06:49 <chellygel> I was unaware that i would be today's meeting leader, so i apologize for being disorganized! 20:06:59 <chellygel> #topic Castellan progress 20:07:01 <rm_work> I assumed redrobot would be back.... so yeah 20:07:04 <jaosorior> hahaha nah, just laughing at the quotes you used, anyway 20:07:05 <rm_work> no biggie 20:07:18 <rm_work> which I guess means this is just me 20:07:19 <chellygel> Today's first stopic is about Castellan's progress via redrobot and rm_work 20:07:37 <rm_work> So... I don't actually know what the progress is. I was hoping we could figure that out today. 20:07:44 <rm_work> Also, maybe set out a tentative timeline 20:07:54 <jaosorior> O_O 20:08:01 <rellerreller> Who is working on Castellan? 20:08:03 <rm_work> Someone at JHU was supposedly writing the first draft of the spec for the main bits of Castellan? 20:08:14 <rm_work> I don't know WHO that is though, that was all I know 20:08:15 <rellerreller> haha 20:08:20 <hyakuhei> lol 20:08:25 <rm_work> I got my info secondhand from redrobot 20:08:40 <chellygel> we may have to table it to discuss with redrobot upon his return. 20:08:49 <rm_work> I am (AFAIK) adding on to that with the Certificate/Container bits 20:08:56 <rellerreller> For those who don't know I represent JHU, so this is interesting 20:09:04 <chellygel> surprise work item rellerreller ! 20:09:15 <rm_work> Ok, I think the hope was that we could figure out who was doing the spec, which would be the blocker for any real work on this 20:09:24 <rellerreller> I thought the first release was going to include the code from Cinder and Nova 20:09:32 <rm_work> because the second part would be deciding if we could get something usable for K release 20:09:50 <rm_work> rellerreller: possibly, that would be ok since I modeled my Cert stuff on the cinder code 20:09:56 <rm_work> but we need a spec for it regardless 20:09:58 <chellygel> i think it is best to wait until we can get confirmation from redrobot before moving forward with this. I wouldn't want us to misinterpret 20:09:58 <rellerreller> We have been waiting for redrobot to copy that code into Castellan 20:10:04 <rm_work> ok 20:10:15 <rellerreller> Sounds good to me 20:10:26 <rm_work> well, he did say that one possibility was that we do some work on this in the latter part of the Barbican meetup in Feb 20:10:35 <rm_work> I should be available for that week 20:10:37 <rellerreller> We have been wondering what was going on with that and are very interested to see progress 20:10:50 <rm_work> yeah, we just need to get the conversation going so this doesn't stall out 20:10:52 <chellygel> Okay i have made a note here for redrobot 20:10:52 <rellerreller> We would like to see Castellan integrated with Cinder and Nova soon 20:10:55 * rm_work shakes fist at redrobot 20:11:03 <chellygel> would you guys like me to copy you on the e-mail? 20:11:09 <rm_work> rellerreller: yes, I'd like to get Neutron-LBaaS and Octavia on it sooner than later 20:11:14 <rm_work> yes plox :P 20:11:19 <rellerreller> yes 20:11:39 <chellygel> any other discussion on this topic before we move on? 20:11:47 * rm_work shakes fist at redrobot again 20:11:58 <chellygel> alright then 20:12:01 <chellygel> tkelsey, are you present ? 20:12:06 <tkelsey> yup :) 20:12:10 <chellygel> fantastic 20:12:18 <chellygel> #topic KMIP secret Store HSM connection certificates 20:12:37 <tkelsey> so this is about this patch here https://review.openstack.org/#/c/135217/13 20:13:09 <tkelsey> I just wanted to get some more eyes (and cores) to look at it, since its quite important to us and has been sitting for a while 20:13:47 <chellygel> do i have any volunteers that would like to be assigned this action item? 20:13:52 <chellygel> (chellygel doesn't play games in meetings 8) ) 20:13:54 <tkelsey> since mentioning it in the Barbican room earlier I have had some more input and will upload a new version, but would like to answer any questions people have about it 20:13:54 <jvrbanac> tkelsey, yikes! Yeah, we need to look at that 20:14:27 <chellygel> jvrbanac, is that a volunteering i see? 20:14:28 <rellerreller> It's a nice feature to have 20:14:41 <chellygel> any other reviewers wish to volunteer for this action item? 20:15:07 <jvrbanac> tkelsey, did you want to make those changes before more people looked at it? 20:15:15 <jaosorior> I already +1ed it, but could take a look at the new patch set if it's still there tomorrow morning 20:15:35 <tsv> o/ i will also review that 20:15:40 <jvrbanac> chellygel, yeah I'll take a look 20:15:40 <woodster_> I noticed reaperhulk added a good comment on file permissions. 20:15:42 <jaosorior> unless you upload the new patchset within the next hour 20:15:50 <tkelsey> the new patch will just change the failure test to have proper file permissions, as per the comments 20:15:55 <woodster_> I'm curious, should the code be in the business of checking such permissions? 20:16:01 <woodster_> ...or is that a deployment concern? 20:16:25 <tkelsey> I did want to ask people here about the POSIX requirement mentioned as well 20:16:36 <woodster_> for example, we don't do such checks for the hsm configs and libs 20:17:28 <tkelsey> woodster_: Im not apposed to removing the test entirely, if people feel its not appropriate 20:17:43 <chellygel> (thank you tsv) 20:18:06 <alee> tkelsey, we have the same kinds of parameters in dogtag - and don't do these kinds of checks 20:18:15 <jaosorior> I have no problem with the POSIX orientation 20:18:25 <jaosorior> * direction...or whatever 20:18:29 <woodster_> To reaperhulk's point, what about windows? Or other custom deployments? It would probably be better to have a deployment guide to deal with these things, which I think is planned for Kilo release at somepoint 20:19:55 <tkelsey> so it seems people feel these checks are not appropriate then? 20:20:06 <hyakuhei> So there’s good precendent for other applications doing this 20:20:11 <hyakuhei> Namely openSSH 20:20:17 <woodster_> well, I just added a comment to the CR...I don't think we have all the reviewers in this IRC right now 20:20:53 <hyakuhei> Maybe logging a warning would be appropriate? 20:21:09 <jaosorior> not to sound close-minded or anthing, but, Is there anyone that will actually deploy this in a non-unix-based system? 20:21:31 <bknudson> could have a config option so if they want to be less secure it's their option. 20:21:37 <woodster_> It seems if we do it in one place, we should do it everywhere, so for all config files used by Barbican...in which case it would be good to leverage a lib to help out if possible. 20:21:49 <hyakuhei> Ok 20:22:00 <tkelsey> woodster_: yeah I see your point 20:22:10 <hyakuhei> but that sounds like bike shedding. Why not get it right in one place and then see if it makes sense to do it everywhere. 20:22:38 <woodster_> just seems like it opens a can of worms, and I think each deployment is potentially different, including for a dev-only deployment with no permissions restrictions 20:22:41 <woodster_> that 20:22:45 <hyakuhei> Sure 20:22:53 <hyakuhei> How would simply logging a warning break anything? 20:22:56 <woodster_> that's fine with me...I've added a comment to the CR to spur discussion anyway 20:23:11 <hyakuhei> Deployment choice then becomes around ignoring warnings rather than accidentally having bad permissions :) 20:23:33 <woodster_> logging a warning would be fine/good to do, but may not fire a warning in all deployment scenarios 20:23:42 <woodster_> ok with that though 20:23:57 <tkelsey> humm, yeah a warning I like the idea of a warning over removing them 20:24:51 <woodster_> sounds good to me 20:24:51 <tkelsey> this has been a good discussion, thanks all :) I'll update to add the warning and check real permissions in the failure tests (that wont actually fail now I guess) 20:25:21 <tkelsey> ok, I think that covers it for me 20:25:27 <chellygel> is there anything else you'd like to discuss on this topic (anyone)? 20:25:33 <woodster_> you can check that expected log messages are output though...I did that for some of the repository tests I recall 20:25:59 <tkelsey> woodster_: sure, i'll do that 20:26:04 <chellygel> is it cycling everyone out, whats going on here O_o 20:26:20 <woodster_> looks like a lot of folks were kicked off IRC? alee are you there? 20:26:28 <tkelsey> erg, something up with connections? 20:26:54 <chellygel> before moving on, i'd like to wait 5 minutes to see if everyone reconnects 20:27:08 <tkelsey> chellygel: +1 20:27:39 <redrobot> o/ 20:27:43 <chellygel> hey redrobot 20:27:56 <chellygel> you have an action item! we are currently holding off until everyone reconnects 20:27:57 <woodster_> waiting on folks to reconnect 20:28:00 <chellygel> we just had a huge irc reconenct party. 20:28:22 <redrobot> chellygel thanks for being on the ball... 20:28:31 * redrobot hangs head in shame 20:28:42 <woodster_> I'm assuming they didn't table flip on us! 20:30:04 <chellygel> looks like we are starting to get everyone back! 20:30:14 <jvrbanac> ALL THE REJOINS! 20:30:27 <woodster_> so alee will do it all then, it's decided! 20:30:33 <woodster_> great discussion :) 20:30:38 <tkelsey> lol 20:30:38 <chellygel> welcome back everyone :) 20:30:43 <chellygel> we will be resuming the meeting here in a minute 20:30:44 <alee> woodster_, hey now .. 20:31:16 <rm_work> am I back? 20:31:32 <chellygel> you are back rm_work 20:31:33 <woodster_> rm_work, yes 20:31:38 <alee> rm_work, well, if you see this then I'm back too 20:31:44 <chellygel> Okay everyone, lets kick this back in gear 20:31:53 <chellygel> We were wrapping up the KMIP discussion with tkelsey 20:31:59 <chellygel> does anyone have any questions before we move on? 20:32:30 <chellygel> If the group wishes, i'd like to revisit the castallan discussion since redrobot has returned 20:32:38 <rm_work> :P 20:32:39 <rm_work> i do alee :P 20:32:44 <redrobot> yeah, catching up on that right now 20:32:45 <redrobot> is rellerreller back? 20:32:48 <rellerreller> back 20:32:56 <rellerreller> Never left 20:32:56 <rm_work> ohai redrobot 20:33:00 <chellygel> #topic Castellan progress 20:33:29 <redrobot> there was definitely some misunderstanding. I was under the impression that rellerreller had someone waiting to submit code to the repo once it went live 20:33:32 <redrobot> which it has 20:33:47 <rellerreller> We can submit code, but we did not know the process for that 20:33:48 <redrobot> #link http://git.openstack.org/cgit/openstack/castellan/ 20:33:57 <rm_work> I assume... gerrit? :P 20:34:01 <rellerreller> We thought you were going to do that 20:34:09 <jvrbanac> rm_work, yes 20:34:23 <woodster_> ¯\(°_o)/¯ 20:34:29 <rellerreller> OK, well we can start to work on that 20:34:43 <rm_work> are we just throwing the Cinder code in there? 20:34:47 <rm_work> or are we doing some specs first 20:34:57 <rellerreller> What are the logistics in terms of project management for Castellan? 20:35:02 <rm_work> I thought there were going to be specs first, but we can skip that if people want to just throw code at it 20:35:12 <jvrbanac> #link https://review.openstack.org/#/q/project:openstack/castellan,n,z 20:35:15 <rellerreller> Who are the core reviewers? Where do we discuss Castellan items? 20:35:20 <rm_work> basically what I figured was we'd use Cinder code for the base and Octavia code for Certs 20:35:30 <rm_work> and move from there to more generically "Containers" 20:35:37 <rm_work> or IMO just keep adding the specifics 20:35:47 <jvrbanac> rellerreller, it's apart of the key management group, so same reviewers 20:35:50 <rm_work> rather than trying to make one huge generic interface that is shitty for everything :P 20:36:24 <rm_work> key management group is.... you guys, right? 20:36:33 <rellerreller> Maybe some specs would be good then because we are interested in the new certs interface and container changes. 20:36:40 <redrobot> rellerreller castellan is a part of the Barbican "program", so core reviewers are the same as barbican core 20:36:50 <rellerreller> OK, sounds good to me 20:37:16 <redrobot> castellan should be discussed here during these meetings, and also on #openstack-barbican 20:37:35 <rm_work> part of me would like to see the base code go in as-is, and then see if we need to bother with specs, since it should be very little effort to put that code in (it's all written)... if it works, great, if not, redoing it doesn't waste much effort 20:37:41 <rellerreller> So do we want specs first or code? 20:37:47 <redrobot> bugs and blueprints are tracked on launchpad 20:37:49 <redrobot> #link https://launchpad.net/castellan 20:37:58 <rellerreller> rm_work +1 20:38:17 <rm_work> this really was born out of a code-reuse issue, not a "we don't know what we're doing" issue 20:38:17 <rellerreller> I would like to see code that is already accepted get into the repo and then propose specs from there 20:38:18 <woodster_> if we think the cinder code is a good starting point, seems a bp is not needed 20:38:44 <rm_work> and cinder was my starting point for Octavia's cert code, which was modeled in a way that is complimentary to start with 20:38:48 <rm_work> so it should merge right in too 20:39:02 <redrobot> I think that a launchpad blueprint should be good enough to track for now. Not sure if we need to track these in the barbican-specs repo just yet. 20:39:30 <rm_work> so rellerreller is someone there going to do the initial Cinder merge? 20:39:40 <rm_work> if so, just let me know when that's up and I'll throw my stuff on top 20:39:57 <rellerreller> What merge? I was just going to copy the code from Cinder. 20:40:03 <rm_work> that's what I meant 20:40:15 <rellerreller> Yes, we can do that 20:40:23 <woodster_> is a bp needed to startup a new repo though, to make it legal/official? 20:41:25 <woodster_> wow, just got 12 lines of IRC in one instant 20:42:05 <redrobot> woodster_ the repo is already started/official. It's ready for PRs. It should be simple enough to not need a spec, I think... 20:42:45 <woodster_> redrobot, agreed, thanks 20:42:46 <woodster_> so will there be projects using that for their kilo releases then? 20:42:58 <woodster_> ..per roadmaps anyway? 20:43:24 <rellerreller> If we get Castellan accepted then we would probably revisit our Cinder and Nova patches to have them link to Castellan. 20:43:57 <rm_work> I would get Neutron-LBaaS / Octavia on it ASAP 20:43:58 <redrobot> rellerreller I recall you saying you had someone in mind to send patches to Cinder/Nova with castellan 20:44:26 <rellerreller> Yes, bpoulos works on our integration with key management 20:45:29 <rm_work> ah yeah i remember speaking with him 20:45:59 <rellerreller> In Atlanta? 20:46:09 <rm_work> just IRC 20:46:35 <rellerreller> Her name is Briana 20:47:04 <rellerreller> I'll have her hang out on openstack-barbican more 20:47:04 <rm_work> AH :P 20:47:24 <rm_work> I feel like I knew that and just forgot during my 3-week hiatus >_> 20:47:57 <redrobot> rellerreller will you all be working on the barbicanclient implementation as well? 20:48:24 <rellerreller> We have not been working on barbicanclient. 20:48:53 <rellerreller> We are stretched a little thin at the moment, but we can always move things around if we must. 20:49:23 <rm_work> barbicanclient is related to Castellan? 20:49:41 <woodster_> did we decide it was ok to have a barbican client plugin/impl available in castellan? 20:49:45 <rellerreller> It will be once we have a Barbican KeyManager implementation 20:50:37 <rm_work> err 20:50:43 <rm_work> OH 20:50:44 <woodster_> I see this note from Paris: "Put Barbican implementation into the barbican-pythonclient repository" 20:50:49 <redrobot> woodster_ yes, IIRC the plan was to have the implementation in barbicanclient 20:50:50 <rm_work> implementation in Castellan using BarbicanClient 20:50:52 <rm_work> got it 20:50:53 <rm_work> I can do that 20:51:05 <rm_work> err 20:51:07 <redrobot> rm_work other way around 20:51:12 <rm_work> I would assume we'd want it in the castellan bit 20:51:14 <rm_work> err 20:51:14 <redrobot> rm_work implementation of castellan in barbicanclient 20:51:14 <rm_work> wat 20:51:19 <rm_work> why would we want that 20:51:28 <rm_work> Barbican is a subset of what Castellan can do 20:51:31 <rm_work> not the other way around 20:51:39 <rm_work> why would Barbican want to know about Castellan? 20:51:41 <redrobot> rm_work the idea is that castellan is an interface only. 20:51:52 <rm_work> well 20:51:54 <chellygel> just a heads up, we have about 9 minutes left 20:52:00 <woodster_> I think one purpose of castellan is to insulate openstack projects from incubated barbican 20:52:07 <rm_work> Castellan is an interface, but it's common for basic implemenation options to be included in the repo 20:52:21 <rm_work> similar to how Barbican is an interface in many ways, but the plugins are in-tree :P 20:53:43 <rm_work> that is basically how all of openstack works 20:53:43 <woodster_> rm_work, well, we had a dicussion about plugins in Paris too...see the 'plugin marketplace' section here: https://etherpad.openstack.org/p/barbican-kilo-roadmap 20:53:49 <rm_work> hmm 20:53:58 <rm_work> alright, maybe we need to discuss this offline 20:54:08 <woodster_> so I think castellan with a barbican dependency could be an issue for some project integrations 20:54:11 <woodster_> probably have to continue that discussion outside this meeting 20:54:14 <rm_work> it seems pretty clear to me how it works, but obviously there is a sync issue here :P 20:54:34 <redrobot> rm_work the idea is that not all projects will want to integrate with barbican directly. castellan is the common interface, of which barbican is just one implementation 20:54:38 <rm_work> right 20:54:49 <rm_work> Neutron-lbaas is an interface for many LB appliances 20:54:53 <redrobot> rm_work someone may choose to implement castellan to talk to an hsm directly. 20:54:54 <rm_work> most of their drivers are in-tree 20:55:02 <rm_work> just because the driver is there does not indicate a dependency 20:55:10 <rm_work> right 20:55:18 <rm_work> redrobot: and they are not prevented from doing so :P 20:55:28 <rm_work> in fact I would encourage their implementation be submitted to Castellan 20:55:28 <woodster_> I did sneak in two blueprint topics...mainly to try to capture the bigger open questions on two 20:55:28 <woodster_> essential blueprints 20:55:59 <rm_work> we should probably discuss offline 20:56:13 <rm_work> to see if we can get on even remotely the same page 20:56:30 <redrobot> rm_work ok 20:56:40 <redrobot> Almost out of time... 20:56:55 <rm_work> plug for: https://review.openstack.org/#/c/127353/ (I just put up some comments) 20:57:20 <rm_work> alee: you have a new revision in mind yet? 20:57:35 <rm_work> (per secret policy) 20:57:53 <redrobot> Also, a reminder that the Mid-Cycle sprint is coming up in February: https://wiki.openstack.org/wiki/Sprints/BarbicanKiloSprint 20:57:56 <alee> rm_work, I was waiting for comments to come in first 20:58:03 <rm_work> alee: there's a fair share :P 20:58:16 <rellerreller> The content types CR is out there, https://review.openstack.org/#/c/145073/. It affects the API and secret stores, so you probably want to review cause other I might wreck your code :) 20:58:23 <alee> rm_work, I'll likely look at them tommorow and add a new version 20:58:37 <woodster_> don't forget about the quota blueprint as well 20:58:44 <alee> rm_work, I can work on it sooner if someone wants to start implementing it .. 20:58:49 <rm_work> heh 20:59:09 <chellygel> The action items today were as follows: 20:59:09 <rm_work> I have several things on my plate right now, but I can definitely HELP... probably with the client-side work 20:59:11 <woodster_> rm_work, was that a 'yes' or really a 'heh'? 20:59:30 <alee> otherwise I'm wotrking on implementing ca stuff right now 20:59:37 <rm_work> that's fine, we need the CA stuff too :P 20:59:39 <chellygel> ** jvrbanac and tsv volunteered to help review tkelsey's KMIP HSM CR, (please volunteer your time to look this over!) 20:59:51 <rm_work> in fact this is feeling much like the "Barbican-LBaaS" cycle 20:59:52 <chellygel> ** rellerreller to start work on castellan 21:00:04 <chellygel> ** rm_work to sync with redrobot for clarification 21:00:04 <rellerreller> I'm on it :) 21:00:08 <tkelsey> thank chellygel :) and thanks for the input all 21:00:11 <alee> anyone else who would like to work on per-secret implementation -- I'm taking volunteers .. 21:00:18 <chellygel> Please move the remaining conversations to the barbican channel in #openstack-barbican 21:00:30 <chellygel> #endmeeting