20:04:49 <chellygel> #startmeeting Barbican
20:04:50 <openstack> Meeting started Mon Jan 12 20:04:49 2015 UTC and is due to finish in 60 minutes.  The chair is chellygel. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:04:51 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:04:54 <openstack> The meeting name has been set to 'barbican'
20:04:58 <hockeynut> ^C mob load aborted
20:05:00 <jaosorior> yay
20:05:05 <chellygel> #topic rollcall
20:05:07 <rm_work> \o/
20:05:08 <tkelsey> o/
20:05:10 <hockeynut> o/
20:05:12 <jvrbanac> o/
20:05:14 <elmiko_mbl> o/
20:05:18 <woodster_> o/
20:05:22 <hyakuhei> o/
20:05:26 <tsv> o/
20:05:47 <chellygel> hey everyone. .. uhh
20:05:58 <chellygel> "That's a lot of barbicaneers today"
20:06:02 <jaosorior> o/
20:06:13 <chellygel> "as usual, you can find the agenda for today's meeting here: https://wiki.openstack.org/wiki/Meetings/Barbican"
20:06:22 <jaosorior> chellygel: lol, really?
20:06:30 <rellerreller> o/
20:06:49 <chellygel> I was unaware that i would be today's meeting leader, so i apologize for being disorganized!
20:06:59 <chellygel> #topic Castellan progress
20:07:01 <rm_work> I assumed redrobot would be back.... so yeah
20:07:04 <jaosorior> hahaha nah, just laughing at the quotes you used, anyway
20:07:05 <rm_work> no biggie
20:07:18 <rm_work> which I guess means this is just me
20:07:19 <chellygel> Today's first topic is about Castellan's progress via redrobot and rm_work
20:07:37 <rm_work> So... I don't actually know what the progress is. I was hoping we could figure that out today.
20:07:44 <rm_work> Also, maybe set out a tentative timeline
20:07:54 <jaosorior> O_O
20:08:01 <rellerreller> Who is working on Castellan?
20:08:03 <rm_work> Someone at JHU was supposedly writing the first draft of the spec for the main bits of Castellan?
20:08:14 <rm_work> I don't know WHO that is though, that was all I know
20:08:15 <rellerreller> haha
20:08:20 <hyakuhei> lol
20:08:25 <rm_work> I got my info secondhand from redrobot
20:08:40 <chellygel> we may have to table it to discuss with redrobot upon his return.
20:08:49 <rm_work> I am (AFAIK) adding on to that with the Certificate/Container bits
20:08:56 <rellerreller> For those who don't know I represent JHU, so this is interesting
20:09:04 <chellygel> surprise work item rellerreller !
20:09:15 <rm_work> Ok, I think the hope was that we could figure out who was doing the spec, which would be the blocker for any real work on this
20:09:24 <rellerreller> I thought the first release was going to include the code from Cinder and Nova
20:09:32 <rm_work> because the second part would be deciding if we could get something usable for K release
20:09:50 <rm_work> rellerreller: possibly, that would be ok since I modeled my Cert stuff on the cinder code
20:09:56 <rm_work> but we need a spec for it regardless
20:09:58 <chellygel> i think it is best to wait until we can get confirmation from redrobot before moving forward with this. I wouldn't want us to misinterpret
20:09:58 <rellerreller> We have been waiting for redrobot to copy that code into Castellan
20:10:04 <rm_work> ok
20:10:15 <rellerreller> Sounds good to me
20:10:26 <rm_work> well, he did say that one possibility was that we do some work on this in the latter part of the Barbican meetup in Feb
20:10:35 <rm_work> I should be available for that week
20:10:37 <rellerreller> We have been wondering what was going on with that and are very interested to see progress
20:10:50 <rm_work> yeah, we just need to get the conversation going so this doesn't stall out
20:10:52 <chellygel> Okay i have made a note here for redrobot
20:10:52 <rellerreller> We would like to see Castellan integrated with Cinder and Nova soon
20:10:55 * rm_work shakes fist at redrobot
20:11:03 <chellygel> would you guys like me to copy you on the e-mail?
20:11:09 <rm_work> rellerreller: yes, I'd like to get Neutron-LBaaS and Octavia on it sooner than later
20:11:14 <rm_work> yes plox :P
20:11:19 <rellerreller> yes
20:11:39 <chellygel> any other discussion on this topic before we move on?
20:11:47 * rm_work shakes fist at redrobot again
20:11:58 <chellygel> alright then
20:12:01 <chellygel> tkelsey, are you present ?
20:12:06 <tkelsey> yup :)
20:12:10 <chellygel> fantastic
20:12:18 <chellygel> #topic KMIP secret Store HSM connection certificates
20:12:37 <tkelsey> so this is about this patch here https://review.openstack.org/#/c/135217/13
20:13:09 <tkelsey> I just wanted to get some more eyes (and cores) to look at it, since it's quite important to us and has been sitting for a while
20:13:47 <chellygel> do i have any volunteers that would like to be assigned this action item?
20:13:52 <chellygel> (chellygel doesn't play games in meetings 8) )
20:13:54 <tkelsey> since mentioning it in the Barbican room earlier I have had some more input and will upload a new version, but would like to answer any questions people have about it
20:13:54 <jvrbanac> tkelsey, yikes! Yeah, we need to look at that
20:14:27 <chellygel> jvrbanac, is that a volunteering i see?
20:14:28 <rellerreller> It's a nice feature to have
20:14:41 <chellygel> any other reviewers  wish to volunteer for this action item?
20:15:07 <jvrbanac> tkelsey, did you want to make those changes before more people looked at it?
20:15:15 <jaosorior> I already +1ed it, but could take a look at the new patch set if it's still there tomorrow morning
20:15:35 <tsv> o/ i will also review that
20:15:40 <jvrbanac> chellygel, yeah I'll take a look
20:15:40 <woodster_> I noticed reaperhulk added a good comment on file permissions.
20:15:42 <jaosorior> unless you upload the new patchset within the next hour
20:15:50 <tkelsey> the new patch will just change the failure test to have proper file permissions, as per the comments
20:15:55 <woodster_> I'm curious, should the code be in the business of checking such permissions?
20:16:01 <woodster_> ...or is that a deployment concern?
20:16:25 <tkelsey> I did want to ask people here about the POSIX requirement mentioned as well
20:16:36 <woodster_> for example, we don't do such checks for the hsm configs and libs
20:17:28 <tkelsey> woodster_: I'm not opposed to removing the test entirely, if people feel it's not appropriate
20:17:43 <chellygel> (thank you tsv)
20:18:06 <alee> tkelsey, we have the same kinds of parameters in dogtag - and don't do these kinds of checks
20:18:15 <jaosorior> I have no problem with the POSIX orientation
20:18:25 <jaosorior> * direction...or whatever
20:18:29 <woodster_> To reaperhulk's point, what about windows? Or other custom deployments? It would probably be better to have a deployment guide to deal with these things, which I think is planned for Kilo release at some point
20:19:55 <tkelsey> so it seems people feel these checks are not appropriate then?
20:20:06 <hyakuhei> So there’s good precedent for other applications doing this
20:20:11 <hyakuhei> Namely openSSH
20:20:17 <woodster_> well, I just added a comment to the CR...I don't think we have all the reviewers in this IRC right now
20:20:53 <hyakuhei> Maybe logging a warning would be appropriate?
20:21:09 <jaosorior> not to sound close-minded or anything, but, Is there anyone that will actually deploy this in a non-unix-based system?
20:21:31 <bknudson> could have a config option so if they want to be less secure it's their option.
20:21:37 <woodster_> It seems if we do it in one place, we should do it everywhere, so for all config files used by Barbican...in which case it would be good to leverage a lib to help out if possible.
20:21:49 <hyakuhei> Ok
20:22:00 <tkelsey> woodster_: yeah I see your point
20:22:10 <hyakuhei> but that sounds like bike shedding. Why not get it right in one place and then see if it makes sense to do it everywhere.
20:22:38 <woodster_> just seems like it opens a can of worms, and I think each deployment is potentially different, including for a dev-only deployment with no permissions restrictions
20:22:41 <woodster_> that
20:22:45 <hyakuhei> Sure
20:22:53 <hyakuhei> How would simply logging a warning break anything?
20:22:56 <woodster_> that's fine with me...I've added a comment to the CR to spur discussion anyway
20:23:11 <hyakuhei> Deployment choice then becomes around ignoring warnings rather than accidentally having bad permissions :)
20:23:33 <woodster_> logging a warning would be fine/good to do, but may not fire a warning in all deployment scenarios
20:23:42 <woodster_> ok with that though
20:23:57 <tkelsey> humm, yeah a warning I like the idea of a warning over removing them
20:24:51 <woodster_> sounds good to me
20:24:51 <tkelsey> this has been a good discussion, thanks all :) I'll update to add the warning and check real permissions in the failure tests (that won't actually fail now I guess)
20:25:21 <tkelsey> ok, I think that covers it for me
20:25:27 <chellygel> is there anything else you'd like to discuss on this topic (anyone)?
20:25:33 <woodster_> you can check that expected log messages are output though...I did that for some of the repository tests I recall
20:25:59 <tkelsey> woodster_: sure, i'll do that
20:26:04 <chellygel> is it cycling everyone out, what's going on here O_o
20:26:20 <woodster_> looks like a lot of folks were kicked off IRC? alee are you there?
20:26:28 <tkelsey> erg, something up with connections?
20:26:54 <chellygel> before moving on, i'd like to wait 5 minutes to see if everyone reconnects
20:27:08 <tkelsey> chellygel: +1
20:27:39 <redrobot> o/
20:27:43 <chellygel> hey redrobot
20:27:56 <chellygel> you have an action item! we are currently holding off until everyone reconnects
20:27:57 <woodster_> waiting on folks to reconnect
20:28:00 <chellygel> we just had a huge irc reconnect party.
20:28:22 <redrobot> chellygel thanks for being on the ball...
20:28:31 * redrobot hangs head in shame
20:28:42 <woodster_> I'm assuming they didn't table flip on us!
20:30:04 <chellygel> looks like we are starting to get everyone back!
20:30:14 <jvrbanac> ALL THE REJOINS!
20:30:27 <woodster_> so alee will do it all then, it's decided!
20:30:33 <woodster_> great discussion :)
20:30:38 <tkelsey> lol
20:30:38 <chellygel> welcome back everyone :)
20:30:43 <chellygel> we will be resuming the meeting here in a minute
20:30:44 <alee> woodster_,  hey now  ..
20:31:16 <rm_work> am I back?
20:31:32 <chellygel> you are back rm_work
20:31:33 <woodster_> rm_work, yes
20:31:38 <alee> rm_work, well, if you see this then I'm back too
20:31:44 <chellygel> Okay everyone, lets kick this back in gear
20:31:53 <chellygel> We were wrapping up the KMIP discussion with tkelsey
20:31:59 <chellygel> does anyone have any questions before we move on?
20:32:30 <chellygel> If the group wishes, i'd like to revisit the Castellan discussion since redrobot has returned
20:32:38 <rm_work> :P
20:32:39 <rm_work> i do alee :P
20:32:44 <redrobot> yeah, catching up on that right now
20:32:45 <redrobot> is rellerreller back?
20:32:48 <rellerreller> back
20:32:56 <rellerreller> Never left
20:32:56 <rm_work> ohai redrobot
20:33:00 <chellygel> #topic Castellan progress
20:33:29 <redrobot> there was definitely some misunderstanding.  I was under the impression that rellerreller had someone waiting to submit code to the repo once it went live
20:33:32 <redrobot> which it has
20:33:47 <rellerreller> We can submit code, but we did not know the process for that
20:33:48 <redrobot> #link http://git.openstack.org/cgit/openstack/castellan/
20:33:57 <rm_work> I assume... gerrit? :P
20:34:01 <rellerreller> We thought you were going to do that
20:34:09 <jvrbanac> rm_work, yes
20:34:23 <woodster_> ¯\(°_o)/¯
20:34:29 <rellerreller> OK, well we can start to work on that
20:34:43 <rm_work> are we just throwing the Cinder code in there?
20:34:47 <rm_work> or are we doing some specs first
20:34:57 <rellerreller> What are the logistics in terms of project management for Castellan?
20:35:02 <rm_work> I thought there were going to be specs first, but we can skip that if people want to just throw code at it
20:35:12 <jvrbanac> #link https://review.openstack.org/#/q/project:openstack/castellan,n,z
20:35:15 <rellerreller> Who are the core reviewers? Where do we discuss Castellan items?
20:35:20 <rm_work> basically what I figured was we'd use Cinder code for the base and Octavia code for Certs
20:35:30 <rm_work> and move from there to more generically "Containers"
20:35:37 <rm_work> or IMO just keep adding the specifics
20:35:47 <jvrbanac> rellerreller, it's a part of the key management group, so same reviewers
20:35:50 <rm_work> rather than trying to make one huge generic interface that is shitty for everything :P
20:36:24 <rm_work> key management group is.... you guys, right?
20:36:33 <rellerreller> Maybe some specs would be good then because we are interested in the new certs interface and container changes.
20:36:40 <redrobot> rellerreller castellan is a part of the Barbican "program", so core reviewers are the same as barbican core
20:36:50 <rellerreller> OK, sounds good to me
20:37:16 <redrobot> castellan should be discussed here during these meetings, and also on #openstack-barbican
20:37:35 <rm_work> part of me would like to see the base code go in as-is, and then see if we need to bother with specs, since it should be very little effort to put that code in (it's all written)... if it works, great, if not, redoing it doesn't waste much effort
20:37:41 <rellerreller> So do we want specs first or code?
20:37:47 <redrobot> bugs and blueprints are tracked on launchpad
20:37:49 <redrobot> #link https://launchpad.net/castellan
20:37:58 <rellerreller> rm_work +1
20:38:17 <rm_work> this really was born out of a code-reuse issue, not a "we don't know what we're doing" issue
20:38:17 <rellerreller> I would like to see code that is already accepted get into the repo and then propose specs from there
20:38:18 <woodster_> if we think the cinder code is a good starting point, seems a bp is not needed
20:38:44 <rm_work> and cinder was my starting point for Octavia's cert code, which was modeled in a way that is complementary to start with
20:38:48 <rm_work> so it should merge right in too
20:39:02 <redrobot> I think that a launchpad blueprint should be good enough to track for now.  Not sure if we need to track these in the barbican-specs repo just yet.
20:39:30 <rm_work> so rellerreller is someone there going to do the initial Cinder merge?
20:39:40 <rm_work> if so, just let me know when that's up and I'll throw my stuff on top
20:39:57 <rellerreller> What merge? I was just going to copy the code from Cinder.
20:40:03 <rm_work> that's what I meant
20:40:15 <rellerreller> Yes, we can do that
20:40:23 <woodster_> is a bp needed to startup a new repo though, to make it legal/official?
20:41:25 <woodster_> wow, just got 12 lines of IRC in one instant
20:42:05 <redrobot> woodster_ the repo is already started/official.  It's ready for PRs.  It should be simple enough to not need a spec, I think...
20:42:45 <woodster_> redrobot, agreed, thanks
20:42:46 <woodster_> so will there be projects using that for their kilo releases then?
20:42:58 <woodster_> ..per roadmaps anyway?
20:43:24 <rellerreller> If we get Castellan accepted then we would probably revisit our Cinder and Nova patches to have them link to Castellan.
20:43:57 <rm_work> I would get Neutron-LBaaS / Octavia on it ASAP
20:43:58 <redrobot> rellerreller I recall you saying you had someone in mind to send patches to Cinder/Nova with castellan
20:44:26 <rellerreller> Yes, bpoulos works on our integration with key management
20:45:29 <rm_work> ah yeah i remember speaking with him
20:45:59 <rellerreller> In Atlanta?
20:46:09 <rm_work> just IRC
20:46:35 <rellerreller> Her name is Briana
20:47:04 <rellerreller> I'll have her hang out on openstack-barbican more
20:47:04 <rm_work> AH :P
20:47:24 <rm_work> I feel like I knew that and just forgot during my 3-week hiatus >_>
20:47:57 <redrobot> rellerreller will you all be working on the barbicanclient implementation as well?
20:48:24 <rellerreller> We have not been working on barbicanclient.
20:48:53 <rellerreller> We are stretched a little thin at the moment, but we can always move things around if we must.
20:49:23 <rm_work> barbicanclient is related to Castellan?
20:49:41 <woodster_> did we decide it was ok to have a barbican client plugin/impl available in castellan?
20:49:45 <rellerreller> It will be once we have a Barbican KeyManager implementation
20:50:37 <rm_work> err
20:50:43 <rm_work> OH
20:50:44 <woodster_> I see this note from Paris: "Put Barbican implementation into the barbican-pythonclient repository"
20:50:49 <redrobot> woodster_ yes, IIRC the plan was to have the implementation in barbicanclient
20:50:50 <rm_work> implementation in Castellan using BarbicanClient
20:50:52 <rm_work> got it
20:50:53 <rm_work> I can do that
20:51:05 <rm_work> err
20:51:07 <redrobot> rm_work other way around
20:51:12 <rm_work> I would assume we'd want it in the castellan bit
20:51:14 <rm_work> err
20:51:14 <redrobot> rm_work implementation of castellan in barbicanclient
20:51:14 <rm_work> wat
20:51:19 <rm_work> why would we want that
20:51:28 <rm_work> Barbican is a subset of what Castellan can do
20:51:31 <rm_work> not the other way around
20:51:39 <rm_work> why would Barbican want to know about Castellan?
20:51:41 <redrobot> rm_work the idea is that castellan is an interface only.
20:51:52 <rm_work> well
20:51:54 <chellygel> just a heads up, we have about 9 minutes left
20:52:00 <woodster_> I think one purpose of castellan is to insulate openstack projects from incubated barbican
20:52:07 <rm_work> Castellan is an interface, but it's common for basic implementation options to be included in the repo
20:52:21 <rm_work> similar to how Barbican is an interface in many ways, but the plugins are in-tree :P
20:53:43 <rm_work> that is basically how all of openstack works
20:53:43 <woodster_> rm_work, well, we had a discussion about plugins in Paris too...see the 'plugin marketplace' section here: https://etherpad.openstack.org/p/barbican-kilo-roadmap
20:53:49 <rm_work> hmm
20:53:58 <rm_work> alright, maybe we need to discuss this offline
20:54:08 <woodster_> so I think castellan with a barbican dependency could be an issue for some project integrations
20:54:11 <woodster_> probably have to continue that discussion outside this meeting
20:54:14 <rm_work> it seems pretty clear to me how it works, but obviously there is a sync issue here :P
20:54:34 <redrobot> rm_work the idea is that not all projects will want to integrate with barbican directly.  castellan is the common interface, of which barbican is just one implementation
20:54:38 <rm_work> right
20:54:49 <rm_work> Neutron-lbaas is an interface for many LB appliances
20:54:53 <redrobot> rm_work someone may choose to implement castellan to talk to an hsm directly.
20:54:54 <rm_work> most of their drivers are in-tree
20:55:02 <rm_work> just because the driver is there does not indicate a dependency
20:55:10 <rm_work> right
20:55:18 <rm_work> redrobot: and they are not prevented from doing so :P
20:55:28 <rm_work> in fact I would encourage their implementation be submitted to Castellan
20:55:28 <woodster_> I did sneak in two blueprint topics...mainly to try to capture the bigger open questions on two
20:55:28 <woodster_> essential blueprints
20:55:59 <rm_work> we should probably discuss offline
20:56:13 <rm_work> to see if we can get on even remotely the same page
20:56:30 <redrobot> rm_work ok
20:56:40 <redrobot> Almost out of time...
20:56:55 <rm_work> plug for: https://review.openstack.org/#/c/127353/ (I just put up some comments)
20:57:20 <rm_work> alee: you have a new revision in mind yet?
20:57:35 <rm_work> (per secret policy)
20:57:53 <redrobot> Also, a reminder that the Mid-Cycle sprint is coming up in February: https://wiki.openstack.org/wiki/Sprints/BarbicanKiloSprint
20:57:56 <alee> rm_work, I was waiting for comments to come in first
20:58:03 <rm_work> alee: there's a fair share :P
20:58:16 <rellerreller> The content types CR is out there, https://review.openstack.org/#/c/145073/. It affects the API and secret stores, so you probably want to review cause otherwise I might wreck your code :)
20:58:23 <alee> rm_work, I'll likely look at them tomorrow and add a new version
20:58:37 <woodster_> don't forget about the quota blueprint as well
20:58:44 <alee> rm_work, I can work on it sooner if someone wants to start implementing it ..
20:58:49 <rm_work> heh
20:59:09 <chellygel> The action items today were as follows:
20:59:09 <rm_work> I have several things on my plate right now, but I can definitely HELP... probably with the client-side work
20:59:11 <woodster_> rm_work, was that a 'yes' or really a 'heh'?
20:59:30 <alee> otherwise I'm working on implementing ca stuff right now
20:59:37 <rm_work> that's fine, we need the CA stuff too :P
20:59:39 <chellygel> ** jvrbanac and tsv volunteered to help review tkelsey's KMIP HSM CR, (please volunteer your time to look this over!)
20:59:51 <rm_work> in fact this is feeling much like the "Barbican-LBaaS" cycle
20:59:52 <chellygel> ** rellerreller to start work on castellan
21:00:04 <chellygel> ** rm_work  to sync with redrobot for clarification
21:00:04 <rellerreller> I'm on it :)
21:00:08 <tkelsey> thanks chellygel :) and thanks for the input all
21:00:11 <alee> anyone else who would like to work on per-secret implementation -- I'm taking volunteers ..
21:00:18 <chellygel> Please move the remaining conversations to the barbican channel in #openstack-barbican
21:00:30 <chellygel> #endmeeting