20:00:02 #startmeeting barbican
20:00:03 Meeting started Mon Feb 23 20:00:02 2015 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:04 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:06 The meeting name has been set to 'barbican'
20:00:19 #topic Roll Call
20:00:28 yo/
20:00:31 As usual the agenda for the meeting can be found here:
20:00:33 #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:00:42 Hello.
20:00:56 o/
20:00:58 o/
20:01:01 o/
20:01:07 o/
20:01:31 o/
20:01:32 0/
20:02:05 awesome, lots of barbicaneers here today
20:02:17 said redrobot robotically
20:02:17 o/
20:02:26 #topic Action Items
20:02:31 o/
20:02:44 putting the 'bot' in redrobot?
20:02:59 As I mentioned last meeting, I want to do a better job of reviewing action items from the previous meeting.
20:03:11 #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-02-09-20.00.html
20:03:33 woodster_ I had a couple of action items from last time
20:03:47 woodster_ First up was the Juno -> Kilo migration
20:04:12 I know we talked about it a bit during the mid-cycle... have we made any progress?
20:04:40 redrobot, I created a paper-cut to do this one (a migration script to start off with juno as the base)
20:04:49 #link https://bugs.launchpad.net/barbican/+bug/1423962
20:04:50 Launchpad bug 1423962 in Barbican "Add Alembic Modules to Enable Upgrades" [Wishlist,New]
20:05:18 #help We need someone to create an initial Juno migration script per bug 1423963
20:05:19 bug 1423963 in tripleo "Can't parse python-novaclient!=2.21.0,>=2.18.0" [Critical,Triaged] https://launchpad.net/bugs/1423963
20:05:43 heh... not such a smart bot, eh openstack?
20:06:35 woodster_ the other action Item I had for you was about following up with reaperhulk about the Swift integration status
20:06:48 Any news on that front from either of yous guys?
20:07:02 redrobot: I have not looked at the swift encryption spec status recently. I believe it has been merged but I don't know about the status of implementation
20:07:18 I thought it was merged as well
20:07:25 Their plan has always been to use a key manager so presumably they'd be interested in using castellan when they start implementing
20:07:50 I can't remember who was asking about this last week.... was it rm_work?
20:08:00 for swift?
20:08:05 I don't think so
20:08:05 rm_work yeah
20:08:08 we're curious about using castellan as well, i've got a spec up in sahara currently for barbican integration
20:08:20 Sahara was who I mentioned possibly, per elmiko
20:08:45 #link https://review.openstack.org/#/c/157432/
20:08:50 if anyone is curious
20:08:53 o/ better late than never
20:08:58 elmiko can we table that for now? I'll revisit later this meeting.
20:09:06 redrobot: sure thing!
20:09:21 last action item to review from last meeting was about fishbowl sessions
20:09:54 I talked about it during the mid-cycle, but I'll recap for those who were unable to attend:
20:11:16 Vancouver Design Summit format will be a little different than previous summits. All work spaces will be scheduled into time slots. What we previously called "design sessions" are called "Fishbowl Sessions" this time around. They'll be held in large rooms and advertised in the schedule.
20:11:48 The other type of time slots are "Working Sessions" and those will take place in smaller rooms.
20:11:58 interesting
20:12:42 Pods will no longer be available. I requested the maximum amount of time slots possible, but there's no guarantee we'll get all of them.
20:12:54 * redrobot crosses fingers
20:13:07 I think that covers action items from last meeting.
20:13:12 moving on...
20:13:12 was there an explanation about the move away from pods?
20:13:21 elmiko yes, let me dig up that link
20:13:30 cool, thanks. sorry to derail
20:14:05 #link http://lists.openstack.org/pipermail/openstack-dev/2015-January/054122.html
20:14:19 awesome
20:14:19 elmiko ^^
20:14:24 just worried about continuity across sessions/rooms...it'd be nice if we could have a project whiteboard or something
20:15:28 woodster_ hopefully we'll get a tentative schedule soon and we can look into what breaks/room changes we'll have to deal with
20:15:40 BTW, the swift key mgr spec was merged a while ago, but not linked to a LP blueprint to make tracking CRs easier
20:15:44 #link https://review.openstack.org/#/c/123220
20:16:26 woodster_ cool. thanks for the link
20:16:34 #topic Mid-Cycle Recap
20:16:45 #link https://etherpad.openstack.org/p/barbican-kilo-sprint
20:16:55 thanks again to everyone who made it out to Austin
20:17:06 I think it was a pretty good mid-cycle
20:17:35 +1
20:17:45 +1
20:18:00 +1 thanks @rackers for hosting!
20:18:32 indeed, Lisa and Sheena did a great job of coordinating the space and food and afterhour activities
20:18:34 +1 \o/
20:19:02 This is what the Kilo-3 release looks like after the mid-cycle
20:19:04 #link https://launchpad.net/barbican/+milestone/kilo-3
20:19:29 I think that with the exception of the per-secret policy, every blueprint had someone committed to landing it
20:19:43 I'll go through Launchpad and assign those
20:20:19 +1
20:20:45 I wanted to review some action items from the etherpad
20:21:10 alee Wrap profiles around CMC to pass to CA to track product type
20:21:25 redrobot, discussed with arunkant on per-secret policy and this would be of interest for us too
20:22:01 tsv do you all have resources to try to get this landed for Kilo-3?
20:22:48 arunkant, i will be doing the quota work. do you think you can pick this one up ?
20:23:23 redrobot, we need to breakout the tasks and will look into this. How much time is left for kilo-3 ?
20:24:05 arunkant Kilo-3 is scheduled for March 19 https://wiki.openstack.org/wiki/Kilo_Release_Schedule
20:24:06 k-3 ends march 19
20:24:16 feature freeze on the 5th
20:24:44 well, proposal freeze that is
20:24:50 I should clarify that March 5th is feature _proposal_ freeze, so no new kilo specs after that date
20:25:01 elmiko jinx!
20:25:16 hehe, i owe you a beverage in vancouver ;)
20:25:54 I guess Ade isn't here, so I'll skip his action items from the mid-cycle
20:26:13 dave-mccowan Certificate Order metadata change API parameter from container ref -> secret ref validation.
20:26:20 redrobot, thanks. will follow up after discussing internally
20:26:45 #action tsv arunkant to review per-secret-policy for Kilo
20:27:02 dave-mccowan I'm not sure what the action item actually was?
20:27:42 there are a few "alee todos" in validators.py that i'm picking up. that AI is just one of them.
20:28:13 dave-mccowan gotcha, ok.
20:28:31 tsv You had an action item about the Quotas BP
20:29:11 tsv which you already mentioned you're working on...
20:29:35 redrobot, yes. now that the spec is merged, am working on implementation
20:29:45 tsv awesome!
20:30:10 woodster_ you had an action item to reach out to Jarret about compliance concerns if we switch to hard deletes
20:30:22 woodster_ any progress on that?
20:31:53 looks like someone is distracting woodster_ at his desk
20:32:18 #action woodster_ to reach out to Jarret about compliance concerns if we switch to hard deletes
20:32:28 #action woodster_ update on order sub-status
20:32:40 ok, the last item I wanted to review from the mid-cycle was the new gates
20:33:03 python-barbicanclient has a new gate that runs a functional test suite against a devstack instance running the latest Barbican
20:33:29 the gate is currently in the experimental pipeline
20:33:43 you can run the gate in your CR by leaving "check experimental" as a comment
20:33:49 which will trigger the gate job
20:34:24 #link https://review.openstack.org/#/c/158145/
20:34:29 ^^ for example
20:34:56 once tdink_ and I clean up the functional tests we'll be ready to move this to the regular pipelines as a voting job
20:35:58 We're also working on adding a new devstack gate job to Barbican, which will run the functional tests using the dogtag plugins and a real instance of dogtag
20:36:26 that work is still in-progress, and as soon as this CR https://review.openstack.org/#/c/157607/ merges, we'll be able to start leaving "check experimental" comments on barbican CRs as well.
20:36:59 That's all I can think of recapping from the mid-cycle
20:37:11 anything else we should mention?
20:38:31 nightlife report?
20:38:36 ;)
20:38:42 redrobot, castellan discussion result ?
20:38:56 tsv: +1
20:39:33 redrobot, I think we mentioned this during the meeting, but if no one had any objects, I was going to investigate centralizing our config option registration and loading
20:39:48 s/objects/objections
20:39:52 elmiko we had an awesome bar crawl down Rainey St, followed by much drinking in 6th St. :)
20:40:05 redrobot: nice!
20:40:07 jvrbanac sounds good to me
20:40:29 Speaking of Castellan, there's still code review out there waiting for a +2 and a work-flow to add the keygr interface :]
20:40:34 ^^ https://review.openstack.org/#/c/148742/
20:40:40 #topic Castellan
20:41:00 To summarize the mid-cycle discussions on Castellan
20:41:38 * rm_work awaits a summary
20:41:54 Castellan will be a long lived KeyManager interface. It will only contain a subset of Barbican functionality. Specifically key storage, retrieval, and generation.
20:43:00 We will modify the interface to allow "keys" to be symmetric, public, private, passphrase, and certificate
20:43:01 We will only recommend using Castellan if the following are true: Your project needs to run in an OpenStack cloud where Barbican is not available, or your project needs to interface to a certified key manager device
20:43:14 rellerreller: I don't think Certificate made it
20:43:43 The plan for Certificate was to make a type available, however, I don't think it's the format that rm_work wanted.
20:43:52 rm_work I believe we said all of those would be supported, just not containers
20:44:16 I am not sure what's *in* a Certificate typed key
20:44:46 I don't think it was fully discussed, as I dropped by queries regarding additional cert-related functionality
20:45:11 which is why I'd recommend leaving it off the list for now, unless additional discussion on the topic did happen after I left?
20:45:45 rm_work no, we didn't continue Castellan discussions on Wednesday.
20:45:58 sorry, catching up...
20:46:03 Want to do it right, not get something in that doesn't have a solid use-case or design :)
20:46:13 we can revisit Certificate type keys later
20:46:20 like WAY later :)
20:46:28 unless someone else wanted them now
20:46:40 but IIRC part of the problem was that it was JUST my use-cases
20:47:54 rellerreller does it make sense to do the KeyEntity refactor without Certs for now? If not should we just kick that can down the road?
20:48:29 rellerreller: I think I'd recommend ignoring the Cert usecase entirely and just do what you needed to get your stuff in
20:48:31 redrobot We could do it without certs. That is certainly possible.
20:48:59 I don't anticipate any big concerns with adding it. We can propose our BP and if too contentious then we can leave off the table.
20:49:30 ok, sounds good
20:49:36 that reminds me I have an
20:49:37 sub-status CR is up: https://review.openstack.org/#/c/157565/
20:49:41 #link https://review.openstack.org/#/c/157565/
20:49:48 #action redrobot to add Castellan to global-requirements
20:51:18 elmiko did you have any questions about Castellan?
20:51:46 redrobot: well, mainly when we could get access to documentation and stuff. i wasn't having much luck.
20:51:59 i ended up writing my spec towards barbican, with an option to replace later
20:52:18 elmiko Castellan is still super green... it's basically an abstraction on top of python-barbicanclient.
20:52:22 hopefully we'll abstract the secrets stuff away in our api so that we can change to castellan at some point.
20:52:31 yea, that's what it sounded like
20:52:37 elmiko What kind of documentation are you looking for?
20:53:21 rellerreller: i think mainly i just need a better reference to the repo. i think i was finding stale stuff.
20:53:38 i also had a misunderstanding about how castellan fits into things
20:53:50 so, i guess a general explanation doc would help as well
20:54:03 redrobot, Will castellan have only barbican client as the keymgr reference implementation or KMIP/HSM plugin impl will be there as well?
20:54:28 elmiko The CR, https://review.openstack.org/#/c/148742/, has the latest code for Castellan.
20:54:39 rellerreller: awesome, thanks!
20:55:03 arunkant rellerreller would have a better idea about what the direct-to-kmip implementation of Castellan would be
20:55:10 elmiko We might have some docs or powerpoint presentations from the past on this. I'll see if I can find anything.
20:55:18 I would think that yes, the impl would be there.
20:55:28 redrobot: it would be much appreciated =)
20:56:10 *shameless plug* y'all could also vote for this awesome sounding presentation https://www.openstack.org/vote-vancouver/presentation/securing-your-applications-using-barbican
20:56:21 arunkant I think a KMIP implementation would be great. It's not on our immediate roadmap, but we would like to see one.
20:57:28 Ok, almost out of time for today.
20:57:32 rellerreller, thanks.
20:58:27 if anyone is curious, or has time, i would love more eyes on our barbican integration effort: https://review.openstack.org/#/c/157432/
20:58:50 elmiko will take a look
20:59:05 thanks!
20:59:12 Thanks everyone for coming! See y'all next week.
20:59:18 #endmeeting