20:01:31 <redrobot> #startmeeting barbican 20:01:31 <openstack> Meeting started Mon Mar 2 20:01:31 2015 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:01:32 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:01:34 <openstack> The meeting name has been set to 'barbican' 20:01:38 <redrobot> #topic Roll Call 20:01:48 <elmiko> yo/ 20:02:14 <kfarr> o/ 20:02:28 <reaperhulk> o/ 20:02:33 <arunkant> o/ 20:02:37 <woodster_> o/ 20:05:24 <redrobot> ok, _some_ barbicaneers here today! 20:05:27 <reaperhulk> ha 20:05:28 * redrobot is not a robot 20:05:55 <kfox1111> sounds like something a robot would say... ;) 20:05:59 <redrobot> as usual our agenda can be found here: 20:06:02 <jvrbanac> o/ 20:06:04 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican 20:06:13 <redrobot> #topic Action Items 20:06:26 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-02-23-20.00.html 20:06:44 <redrobot> tsv and arunkant don't seem to be here, so I'll skip them 20:06:59 <redrobot> #action tsv arunkant to review per-secret-policy for Kilo 20:07:26 <redrobot> woodster_ have you had a chance to talk to Jarret about compliance concerns if we switch to hard deletes? 20:08:03 <woodster_> not yet, I think he's going to be busy for the next few weeks but will try to get ask him 20:08:16 <redrobot> woodster_ ok, i'll put this back in the queue 20:08:32 <redrobot> #action woodster_ to reach out to Jarret about compliance concerns if we switch to hard deletes 20:08:44 <redrobot> woodster_ also had a note here to get an update on Order sub-status 20:09:24 <redrobot> #link https://review.openstack.org/#/c/157565/ 20:09:46 <woodster_> One +2, two +1s :) 20:10:17 <redrobot> woodster_ is this the CR that implements https://blueprints.launchpad.net/barbican/+spec/add-worker-retry-update-support ? 20:10:22 <woodster_> Reviews appreciated 20:10:26 <arunkant> redrobot, for per-secret-policy update. After discussing with alee, I have started worked on it.. Will have better update next week (based on development status) 20:10:39 <alee> arunkant, yay :) 20:10:55 <dave-mccowan> o/ 20:10:56 <redrobot> arunkant awesome! I'll ask again next week. :) 20:11:01 <arunkant> ok 20:11:07 <woodster_> oh know that is different. This one just connects the task processing to the sub-status field on the order, and logic as to wheter the order stays PENDING or not 20:11:21 <woodster_> it is needed for the retry work 20:11:56 <woodster_> So sub-status CR, then the retry CR(s) will be coming 20:11:59 <redrobot> woodster_ I see... and are you still planning on implementing the spec? I think we agreed that a Rackspace dev would do that for Kilo? 20:12:20 <woodster_> I can work on that as a 'background' task :) 20:12:38 <redrobot> woodster_ hehe, ok. I'll keep you as the assigned person on that BP then. 20:12:54 <woodster_> yes, planning to have retries still for kilo 20:13:08 <redrobot> and lastly, I had an action item that I totally forgot about 20:13:09 <redrobot> so 20:13:18 <redrobot> #action redrobot to add Castellan to global-requirements 20:13:26 <redrobot> ok, moving on 20:13:30 <redrobot> #topic Kilo-3 20:13:52 <redrobot> #link https://launchpad.net/barbican/+milestone/kilo-3 20:14:25 <redrobot> also 20:14:30 <redrobot> #link https://wiki.openstack.org/wiki/Kilo_Release_Schedule 20:14:43 <redrobot> I should point out that this Thursday is the last day to propose Kilo features 20:15:21 <redrobot> after Thursday, new and unapproved specs will move to Liberty 20:16:09 <redrobot> so, one thing that Thierry recommended was to try to have all code CRs submitted two weeks in advance of the Feature freeze 20:16:25 <redrobot> which would also be this Thursday. 20:16:48 <redrobot> I think it's worth considering to give ourselves about two weeks to iterate on CRs for Kilo 20:17:29 <redrobot> kfarr do you know if there's any outstanding work for the Content-Types spec? 20:17:33 <kfox1111> Is my spec considered for Kilo at this point? 20:18:04 <kfarr> redrobot There's a few merge requests open 20:18:17 <kfarr> https://review.openstack.org/#/c/157410/ 20:18:18 <redrobot> kfox1111 yes, if we can get it landed by Thursday... but I think Liberty is more likely 20:18:32 <kfarr> ^^ Fixed Binary Encoding to Secret Stores -- a blocking bug 20:18:36 <kfarr> and 20:18:41 <kfox1111> k. :/ 20:19:01 <kfarr> https://review.openstack.org/#/c/160444/ Standardized Secret Encoding where the main logic is 20:19:40 <kfarr> If I understand correctly, these two will finish up content types 20:19:43 <redrobot> kfarr could you add Implements: blueprint content-type (or Related: blueprint content-types) 20:19:49 <redrobot> kfarr to the commit messages 20:20:04 <igueths> Hi all. 20:20:15 <redrobot> it's how they're linked to Launchpad. I didn't see any open reviews linked in LP, so I thought we didn't have any. 20:20:32 <kfarr> redrobot Ah, yes. I will do that, or have Nate do that 20:20:39 <redrobot> kfarr thanks! 20:20:53 <woodster_> BTW I've added a number of certificate related specs out there...the idea was to get them in for folks to look at before Liberty ideally, so we could start work on them in Liberty more quickly 20:21:11 <kfarr> Once those are merged, then we can work on asymmetric key support 20:21:21 <redrobot> alee Common Cert API still needs code reviews, yes? Any pending CRs? 20:21:25 <kfarr> which Nate posted the spec for, as well: https://review.openstack.org/#/c/160449/ 20:23:31 <alee> redrobot, yes - I need to revisit shortly 20:23:58 <alee> there are some CR's for idetifying ca's that are out there , but need to be revised based on the CR's I've landed 20:24:09 <alee> wil try to get those out this week 20:24:17 <redrobot> alee awesome 20:25:11 <alee> redrobot, how are we doing on the dogtag gate job? would be nice to get that going to test out the cert api and content type chanegs? 20:26:05 <redrobot> alee good question.... I'll get to it in a sec 20:26:35 <redrobot> I think that about covers Kilo-3. So if you've got time, please, please, please review CRs linked to our outstanding BPs 20:26:58 <redrobot> I would especially like to see teh Common Cert API for K-3 20:27:16 <redrobot> #topic DogTag gate job 20:27:34 <redrobot> so you may have noticed me leaving "check experimental" comments on your CRs 20:27:54 <redrobot> that's the way to trigger the DogTag gate while we iron out the kinks 20:28:06 <redrobot> it's running DevStack in a Fedora 21 box 20:28:12 <redrobot> and configuring the DogTag plugin 20:28:18 <redrobot> and then running the functional test suite 20:28:40 <redrobot> unfortunately it turns out that the script does not run with elevated privileges, which we had assumed during the mid-cycle 20:28:50 <redrobot> so I need to refactor all the bash to be able to sudo install things 20:29:46 <alee> redrobot, any timeline on when that'll be done by? 20:30:03 <redrobot> I'm hoping to get to it today/this week 20:30:41 <redrobot> good news is all the Infra config is there, so we don't need to wait on infra reviews anymore 20:30:43 <alee> redrobot, awesome -- let me know if you get stuck/need help. I'd really like to see how content types affects the dogtag gate 20:31:14 <redrobot> ok, moving on 20:31:22 <redrobot> #topic 100% Code Coverage 20:31:27 <redrobot> woodster_ did you add this topic? 20:31:30 <woodster_> I added that one 20:31:46 <woodster_> just curious how we might tackle that 20:32:08 <woodster_> the paper-cut/wishlist bugs route seems reasonable to me 20:32:23 <woodster_> do we want 100% coverage in Kilo though? 20:32:32 <redrobot> I wonder if jvrbanac has any ideas on this? 20:32:54 <redrobot> woodster_ sure we want it, but I doubt it's doable. :-\ 20:32:56 <woodster_> we have been trying to get at least the crypto package to 100% (it is less than that now) 20:33:24 <redrobot> #help We need brave souls to jump into the test code and improve our coverage 20:33:43 <jvrbanac> redrobot, I think we need to spend some time removing some of our mocking 20:33:49 <woodster_> yeah, it was more for the jaosorior's out there that have a bit of spare time to work on things :) 20:34:39 <elmiko> is there a blueprint talking about the improved test coverage, or another way to help guide folks on getting involved? 20:35:02 <redrobot> elmiko I think that's what woodster_ is asking about... how to get folks involved? 20:35:34 <elmiko> i'd like to help write some tests, but i'll probably need some direction on what needs implementing and whatnot 20:35:35 <redrobot> elmiko but it seems more of a bug than a new feature to me... maybe wishlist bugs is the right spot to advertise this? 20:35:53 <elmiko> redrobot: wishlist bugs sounds nice, that would help 20:36:07 <woodster_> that's what I was thinking...to make this more bite sized (and CRs more bite sized too) 20:36:14 <elmiko> woodster_: +1 20:36:55 <redrobot> #agreed file wishlist bugs for modules that need increased code coverage 20:37:07 <redrobot> we also haven't revisited the coverage gate in a while 20:37:15 <redrobot> as of today it's still non-voting 20:37:29 <redrobot> how do we feel about turning it into a voting gate? 20:37:37 <redrobot> reaperhulk jvrbanac ^^ 20:37:37 <woodster_> it isn't always reliable though 20:37:55 <reaperhulk> I don't think it should be a voting gate still 20:38:00 <redrobot> woodster_ how so? too many false positives? 20:38:06 <woodster_> I've seen more than once where it says lines are missing that appear covered by testing 20:38:55 <woodster_> it is still a useful gate to scrub out 99% of the uncovered lines. 20:39:15 <jvrbanac> redrobot, woodster_, yeah... lets avoid the voting part for now. We're making steady coverage improvement as is. 20:39:32 <redrobot> #agreed coverage gate should continue to be non-voting 20:39:41 <redrobot> anything else on this topic? 20:40:07 <jvrbanac> As a side note, we're up to 88% 20:40:08 <jvrbanac> w00t! 20:40:21 <redrobot> woot woot! (as lisaclark1 would say) 20:40:29 <chellygel> +1 :D 20:40:37 <redrobot> ok, moving on 20:40:38 <jvrbanac> Much better than when we started this last summer 20:40:49 <woodster_> +1 20:41:05 <redrobot> #topic VM integration 20:41:07 <redrobot> #link https://review.openstack.org/#/c/159571/ 20:41:46 <redrobot> It's an interesting use case, but there are some aspects of the BP that I don't think belong in Barbican 20:42:44 <redrobot> I think landing this in Kilo would be a stretch... so we may want to consider this a Liberty BP. 20:43:37 <redrobot> has anyone gotten a chance to review the spec? 20:44:06 <jvrbanac> not yet. redrobot, considering the proposal freeze is in a couple days. 20:44:13 <woodster_> kfox1111, ^^^^ in case you are still in this IRC (you had mentioned having meeting conflicts) 20:44:25 <jvrbanac> I'm not sure the spec is gonna land that quick 20:45:08 <woodster_> yeah, and it is blueprint + code CRs needed by Thursday too 20:45:10 <redrobot> jvrbanac 20:45:13 <redrobot> jvrbanac agreed 20:45:32 <redrobot> we'll punt on it until after k-3 20:45:39 <jvrbanac> redrobot, +1 20:45:57 <redrobot> ok, guys, that's all I have in the Agenda 20:46:05 <redrobot> any other topics we need to discuss? 20:47:18 <woodster_> Just noting there are security tests being worked on now 20:47:27 <elmiko> i have an update from sahara 20:47:48 <elmiko> my spec for barbican integration is approved, and it looks like i'll land the code in k-3 20:47:49 <kfarr> If anyone has time, please review the merge request to add cinder's keymgr code to Castellan https://review.openstack.org/#/c/148742/ 20:47:54 <redrobot> #topic Sahara integration 20:48:09 <redrobot> elmiko woot! that' is awesome news 20:48:09 <elmiko> redrobot: hehe, cool! 20:48:22 <woodster_> elmiko, can you link to the CR again? 20:48:31 <elmiko> sure, 1sec. 20:48:50 <elmiko> https://review.openstack.org/#/c/157432/ 20:48:53 <elmiko> that's the spec 20:48:59 <elmiko> code review will be up soon 20:49:07 <kfox1111> woodster_: yeah, I'm here sort of. 20:49:23 <kfox1111> The meeting thing said it was at 1:00pm pst, not 12:00pm pst. 20:49:36 <elmiko> basically once our barbican wrapper is in place, we'll start off-boarding all stored passwords to barbican 20:49:59 <redrobot> elmiko are you planning to use Castellan as a "barbican wrapper" or are you rolling your own? 20:50:20 <elmiko> we're gonna start with rolling our own, but i'd like to move to castellan 20:50:24 <redrobot> kfox1111 this meeting is always at 2000 UTC. 20:50:31 <elmiko> i'm writing our wrapper to be tolerant of that switch 20:50:57 <kfox1111> http://www.timeanddate.com/worldclock/fixedtime.html?iso=20130502T2000 20:50:58 <elmiko> so really, we have an internal api that can wrap around whatever we need to use for a key manager 20:51:05 <kfox1111> <- says 1:00pm for me. 20:51:39 <kfox1111> thats the link given at: https://wiki.openstack.org/wiki/Meetings/Barbican 20:51:39 <elmiko> currently our need is to just get passwords out of our database 20:51:47 <redrobot> kfox1111 http://time.is/UTC 20:52:12 <kfox1111> yeah. the website your pointing at is broken. 20:52:16 <redrobot> kfox1111 seems that website is wrong... I'll update the link to a non-crappy website 20:52:39 <kfox1111> thanks. :) 20:52:45 <alee> redrobot, rm_work - whats the status of the cert stuff vis a vis castellan? has rm_work given up? 20:53:10 <reaperhulk> Haha, timeanddate.com isn't wrong, it just says CDT/PDT when it should say CST/PST right now since that's what we're on 20:53:15 <reaperhulk> (so not wrong, but useless) 20:53:20 <elmiko> lol 20:53:22 <dave-mccowan> website points to 12:00pm PDT (but it's currently PST) i've gotten bitten by that too 20:53:42 <redrobot> alee yeah, I think rm_work has given up for Kilo, may revisit in Liberty 20:53:51 <alee> redrobot, ok 20:54:05 <rm_work> yeah :( 20:54:13 <redrobot> alee rellerreller had agreeed to add a Certificate type to the Castellan interface, but it's not quite what rm_work wanted, so I think it's all on hold 20:54:32 <rm_work> yeah we're going to revisit our requirements around that in Liberty 20:54:45 <rm_work> but I didn't see a point in forcing something in that we wouldn't even use 20:55:03 <alee> rm_work, you almost had me convinced with a pkcs12 type thing. 20:55:05 <woodster_> Maybe we need an extensions/contrib for castellan for optional features like the cert grouping 20:55:12 <rm_work> yeah, I could maybe have gotten that to work 20:55:25 <rm_work> but the priority on it is low enough that I had to peel off and work on other stuff 20:55:26 <redrobot> I agree the PCKS12 story seemed interesting 20:55:43 <alee> rm_work, but I look forward to another round at the summit 20:55:57 <rm_work> heh 20:56:00 <rm_work> we'll see :P 20:57:20 <redrobot> ok, that'll wrap it up for this week 20:57:24 <redrobot> thanks everyone for coming 20:57:28 <redrobot> #endmeeting