20:00:02 <redrobot> #startmeeting barbican
20:00:03 <openstack> Meeting started Mon Feb 23 20:00:02 2015 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:04 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:06 <openstack> The meeting name has been set to 'barbican'
20:00:19 <redrobot> #topic Roll Call
20:00:28 <elmiko> yo/
20:00:31 <redrobot> As usual the agenda for the meeting can be found here:
20:00:33 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:00:42 <igueths> Hello.
20:00:56 <woodster_> o/
20:00:58 <reaperhulk> o/
20:01:01 <arunkant> o/
20:01:07 <rellerreller> o/
20:01:31 <jvrbanac> o/
20:01:32 <tsv> 0/
20:02:05 <redrobot> awesome, lots of barbicaneers here today
20:02:17 <reaperhulk> said redrobot robotically
20:02:17 <kragniz> o/
20:02:26 <redrobot> #topic Action Items
20:02:31 <dave-mccowan> o/
20:02:44 <woodster_> putting the 'bot' in redrobot?
20:02:59 <redrobot> As I mentioned last meeting, I want to do a better job of reviewing action items from the previous meeting.
20:03:11 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-02-09-20.00.html
20:03:33 <redrobot> woodster_ I had a couple of action items from last time
20:03:47 <redrobot> woodster_ First up was the Juno -> Kilo migration
20:04:12 <redrobot> I know we talked about it a bit during the mid-cycle... have we made any progress?
20:04:40 <woodster_> redrobot, I created a paper-cut to do this one (a migration script to start off with juno as the base)
20:04:49 <woodster_> #link https://bugs.launchpad.net/barbican/+bug/1423962
20:04:50 <openstack> Launchpad bug 1423962 in Barbican "Add Alembic Modules to Enable Upgrades" [Wishlist,New]
20:05:18 <redrobot> #help We need someone to create an initial Juno migration script per bug 1423963
20:05:19 <openstack> bug 1423963 in tripleo "Can't parse python-novaclient!=2.21.0,>=2.18.0" [Critical,Triaged] https://launchpad.net/bugs/1423963
20:05:43 <redrobot> heh... not such a smart bot, eh openstack?
20:06:35 <redrobot> woodster_ the other action Item I had for you was about following up with reaperhulk about the Swift integration status
20:06:48 <redrobot> Any news on that front from either of yous guys?
20:07:02 <reaperhulk> redrobot: I have not looked at the swift encryption spec status recently. I believe it has been merged but I don't know about the status of implementation
20:07:18 <woodster_> I thought it was merged as well
20:07:25 <reaperhulk> Their plan has always been to use a key manager so presumably they'd be interested in using castellan when they start implementing
20:07:50 <redrobot> I can't remember who was asking about this last week.... was it rm_work?
20:08:00 <rm_work> for swift?
20:08:05 <rm_work> I don't think so
20:08:05 <redrobot> rm_work yeah
20:08:08 <elmiko> we're curious about using castellan as well, i've got a spec up in sahara currently for barbican integration
20:08:20 <rm_work> Sahara was who I mentioned possibly, per elmiko
20:08:45 <elmiko> #link https://review.openstack.org/#/c/157432/
20:08:50 <elmiko> if anyone is curious
20:08:53 <hockeynut> o/ better late than never
20:08:58 <redrobot> elmiko can we table that for now?  I'll revisit later this meeting.
20:09:06 <elmiko> redrobot: sure thing!
20:09:21 <redrobot> last action item to review from last meeting was about fishbowl sessions
20:09:54 <redrobot> I talked about it during the mid-cycle, but I'll recap for those who were unable to attend:
20:11:16 <redrobot> Vancouver Design Summit format will be a little different than previous summits.  All work spaces will be scheduled into time slots.  What we previously called "design sessions" are called "Fishbowl Sessions" this time around.  They'll be held in large rooms and advertised in the schedule.
20:11:48 <redrobot> The other type of time slots are "Working Sessions" and those will take place in smaller rooms.
20:11:58 <elmiko> interesting
20:12:42 <redrobot> Pods will no longer be available.  I requested the maximum amount of time slots possible, but there's no guarantee we'll get all of them.
20:12:54 * redrobot crosses fingers
20:13:07 <redrobot> I think that covers action items from last meeting.
20:13:12 <redrobot> moving on...
20:13:12 <elmiko> was there an explanation about the move away from pods?
20:13:21 <redrobot> elmiko yes,  let me dig up that link
20:13:30 <elmiko> cool, thanks. sorry to derail
20:14:05 <redrobot> #link http://lists.openstack.org/pipermail/openstack-dev/2015-January/054122.html
20:14:19 <elmiko> awesome
20:14:19 <redrobot> elmiko ^^
20:14:24 <woodster_> just worried about continuity across sessions/rooms...it'd be nice if we could have a project whiteboard or something
20:15:28 <redrobot> woodster_ hopefully we'll get a tentative schedule soon and we can look into what breaks/room changes we'll have to deal with
20:15:40 <woodster_> BTW, the swift key mgr spec was merged a while ago, but not linked to a LP blueprint to make tracking CRs easier
20:15:44 <woodster_> #link https://review.openstack.org/#/c/123220
20:16:26 <redrobot> woodster_ cool. thanks for the link
20:16:34 <redrobot> #topic Mid-Cycle Recap
20:16:45 <redrobot> #link https://etherpad.openstack.org/p/barbican-kilo-sprint
20:16:55 <redrobot> thanks again to everyone who made it out to Austin
20:17:06 <redrobot> I think it was a pretty good mid-cycle
20:17:35 <woodster_> +1
20:17:45 <tsv> +1
20:18:00 <dave-mccowan> +1 thanks @rackers for hosting!
20:18:32 <redrobot> indeed, Lisa and Sheena did a great job of coordinating the space and food and afterhour activities
20:18:34 <kfarr> +1 \o/
20:19:02 <redrobot> This is what the Kilo-3 release looks like after the mid-cycle
20:19:04 <redrobot> #link https://launchpad.net/barbican/+milestone/kilo-3
20:19:29 <redrobot> I think that with the exception of the per-secret policy, every blueprint had someone committed to landing it
20:19:43 <redrobot> I'll go through Launchpad and assign those
20:20:19 <igueths> +1
20:20:45 <redrobot> I wanted to review some action items from the etherpad
20:21:10 <redrobot> alee Wrap profiles around CMC to pass to CA to track product type
20:21:25 <tsv> redrobot, discussed with arunkant on per-secret policy and this would be of interest for us too
20:22:01 <redrobot> tsv do you all have resources to try to get this landed for Kilo-3?
20:22:48 <tsv> arunkant, i will be doing the quota work. do you think you can pick this one up ?
20:23:23 <arunkant> redrobot, we need to breakout the tasks and will look into this. How much time is left for kilo-3 ?
20:24:05 <redrobot> arunkant Kilo-3 is scheduled for March 19 https://wiki.openstack.org/wiki/Kilo_Release_Schedule
20:24:06 <elmiko> k-3 ends march 19
20:24:16 <elmiko> feature freeze on the 5th
20:24:44 <elmiko> well, proposal freeze that is
20:24:50 <redrobot> I should clarify that March 5th is feature _proposal_ freeze, so no new kilo specs after that date
20:25:01 <redrobot> elmiko jinx!
20:25:16 <elmiko> hehe, i owe you a beverage in vancouver ;)
20:25:54 <redrobot> I guess Ade isn't here, so I'll skip his action items from the mid-cycle
20:26:13 <redrobot> dave-mccowan Certificate Order metadata change API parameter from container ref -> secret ref validation.
20:26:20 <tsv> redrobot, thanks. will follow up after discussing internally
20:26:45 <redrobot> #action tsv arunkant to review per-secret-policy for Kilo
20:27:02 <redrobot> dave-mccowan I'm not sure what the action item actually was?
20:27:42 <dave-mccowan> there are a few "alee todos" in validators.py that i'm picking up.  that AI is just one of them.
20:28:13 <redrobot> dave-mccowan gotcha, ok.
20:28:31 <redrobot> tsv You had an action item about the Quotas BP
20:29:11 <redrobot> tsv which you already mentioned you're working on...
20:29:35 <tsv> redrobot, yes. now that the spec is merged, am working on implementation
20:29:45 <redrobot> tsv awesome!
20:30:10 <redrobot> woodster_ you had an action item to reach out to Jarret about compliance concerns if we switch to hard deletes
20:30:22 <redrobot> woodster_ any progress on that?
20:31:53 <redrobot> looks like someone is distracting woodster_ at his desk
20:32:18 <redrobot> #action woodster_ to reach out to Jarret about compliance concerns if we switch to hard deletes
20:32:28 <redrobot> #action woodster_ update on order sub-status
20:32:40 <redrobot> ok, the last item I wanted to review from the mid-cycle was the new gates
20:33:03 <redrobot> python-barbicanclient has a new gate that runs a functional test suite against a devstack instance running the latest Barbican
20:33:29 <redrobot> the gate is currently in the experimental pipeline
20:33:43 <redrobot> you can run the gate in your CR by leaving "check experimental" as a comment
20:33:49 <redrobot> which will trigger the gate job
20:34:24 <redrobot> #link https://review.openstack.org/#/c/158145/
20:34:29 <redrobot> ^^ for example
20:34:56 <redrobot> once tdink_ and I clean up the functional tests we'll be ready to move this to the regular pipelines as a voting job
20:35:58 <redrobot> We're also working on adding a new devstack gate job to Barbican, which will run the functional tests using the dogtag plugins and a real instance of dogtag
20:36:26 <redrobot> that work is still in-progress, and as soon as this CR https://review.openstack.org/#/c/157607/ merges, we'll be able to start leaving "check experimental" comments on barbican CRs as well.
20:36:59 <redrobot> That's all I can think of recapping from the mid-cycle
20:37:11 <redrobot> anything else we should mention?
20:38:31 <elmiko> nightlife report?
20:38:36 <elmiko> ;)
20:38:42 <tsv> redrobot, castellan discussion result ?
20:38:56 <elmiko> tsv: +1
20:39:33 <jvrbanac> redrobot, I think we mentioned this during the meeting, but if no one had any objects, I was going to investigate centralizing our config option registration and loading
20:39:48 <jvrbanac> s/objects/objections
20:39:52 <redrobot> elmiko we had an awesome bar crawl down Rainey St, followed by much drinking in 6th St. :)
20:40:05 <elmiko> redrobot: nice!
20:40:07 <redrobot> jvrbanac sounds good to me
20:40:29 <kfarr> Speaking of Castellan, there's still code review out there waiting for a +2 and a work-flow to add the keymgr interface :]
20:40:34 <kfarr> ^^ https://review.openstack.org/#/c/148742/
20:40:40 <redrobot> #topic Castellan
20:41:00 <redrobot> To summarize the mid-cycle discussions on Castellan
20:41:38 * rm_work awaits a summary
20:41:54 <redrobot> Castellan will be a long lived KeyManager interface.  It will only contain a subset of Barbican functionality.  Specifically key storage, retrieval, and generation.
20:43:00 <rellerreller> We will modify the interface to allow "keys" to be symmetric, public, private, passphrase, and certificate
20:43:01 <redrobot> We will only recommend using Castellan if the following are true:  Your project needs to run in an OpenStack cloud where Barbican is not available, or your project needs to interface to a certified key manager device
20:43:14 <rm_work> rellerreller: I don't think Certificate made it
20:43:43 <redrobot> The plan for Certificate was to make a type available, however, I don't think it's the format that rm_work wanted.
20:43:52 <rellerreller> rm_work I believe we said all of those would be supported, just not containers
20:44:16 <rm_work> I am not sure what's *in* a Certificate typed key
20:44:46 <rm_work> I don't think it was fully discussed, as I dropped my queries regarding additional cert-related functionality
20:45:11 <rm_work> which is why I'd recommend leaving it off the list for now, unless additional discussion on the topic did happen after I left?
20:45:45 <redrobot> rm_work no, we didn't continue Castellan discussions on Wednesday.
20:45:58 <woodster_> sorry, catching up...
20:46:03 <rm_work> Want to do it right, not get something in that doesn't have a solid use-case or design :)
20:46:13 <rm_work> we can revisit Certificate type keys later
20:46:20 <rm_work> like WAY later :)
20:46:28 <rm_work> unless someone else wanted them now
20:46:40 <rm_work> but IIRC part of the problem was that it was JUST my use-cases
20:47:54 <redrobot> rellerreller does it make sense to do the KeyEntity refactor without Certs for now?  If not should we just kick that can down the road?
20:48:29 <rm_work> rellerreller: I think I'd recommend ignoring the Cert usecase entirely and just do what you needed to get your stuff in
20:48:31 <rellerreller> redrobot We could do it without certs. That is certainly possible.
20:48:59 <rellerreller> I don't anticipate any big concerns with adding it. We can propose our BP and if too contentious then we can leave off the table.
20:49:30 <redrobot> ok, sounds good
20:49:36 <redrobot> that reminds me I have an
20:49:37 <woodster_> sub-status CR is up: https://review.openstack.org/#/c/157565/
20:49:41 <woodster_> #link https://review.openstack.org/#/c/157565/
20:49:48 <redrobot> #action redrobot to add Castellan to global-requirements
20:51:18 <redrobot> elmiko did you have any questions about Castellan?
20:51:46 <elmiko> redrobot: well, mainly when we could get access to documentation and stuff. i wasn't having much luck.
20:51:59 <elmiko> i ended up writing my spec towards barbican, with an option to replace later
20:52:18 <redrobot> elmiko Castellan is still super green... it's basically an abstraction on top of python-barbicanclient.
20:52:22 <elmiko> hopefully we'll abstract the secrets stuff away in our api so that we can change to castellan at some point.
20:52:31 <elmiko> yea, that's what it sounded like
20:52:37 <rellerreller> elmiko What kind of documentation are you looking for?
20:53:21 <elmiko> rellerreller: i think mainly i just need a better reference to the repo. i think i was finding stale stuff.
20:53:38 <elmiko> i also had a misunderstanding about how castellan fits into things
20:53:50 <elmiko> so, i guess a general explanation doc would help as well
20:54:03 <arunkant> redrobot, Will castellan have only barbican client as the keymgr reference implementation or KMIP/HSM plugin impl will be there as well?
20:54:28 <rellerreller> elmiko The CR, https://review.openstack.org/#/c/148742/, has the latest code for Castellan.
20:54:39 <elmiko> rellerreller: awesome, thanks!
20:55:03 <redrobot> arunkant rellerreller would have a better idea about what the direct-to-kmip implementation of Castellan would be
20:55:10 <rellerreller> elmiko We might have some docs or powerpoint presentations from the past on this. I'll see if I can find anything.
20:55:18 <redrobot> I would think that yes, the impl would be there.
20:55:28 <elmiko> redrobot: it would be much appreciated =)
20:56:10 <redrobot> *shameless plug*  y'all could also vote for this awesome sounding presentation https://www.openstack.org/vote-vancouver/presentation/securing-your-applications-using-barbican
20:56:21 <rellerreller> arunkant I think a KMIP implementation would be great. It's not on our immediate roadmap, but we would like to see one.
20:57:28 <redrobot> Ok, almost out of time for today.
20:57:32 <arunkant> rellerreller, thanks.
20:58:27 <elmiko> if anyone is curious, or has time, i would love more eyes on our barbican integration effort: https://review.openstack.org/#/c/157432/
20:58:50 <redrobot> elmiko will take a look
20:59:05 <elmiko> thanks!
20:59:12 <redrobot> Thanks everyone for coming!  See y'all next week.
20:59:18 <redrobot> #endmeeting