#openstack-meeting-alt log

20:00:32 <redrobot> #startmeeting barbican
20:00:33 <openstack> Meeting started Mon Jul  6 20:00:32 2015 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:34 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:36 <openstack> The meeting name has been set to 'barbican'
20:00:46 <redrobot> #topic Roll Call
20:00:49 <dave-mccowan> o/
20:00:54 <kfarr> o/
20:00:58 <igueths> o/
20:01:00 <silos> o/
20:01:02 <elmiko> o/
20:01:17 <chellygel> ✧٩(•́⌄•́๑)
20:01:27 <rellerreller_> o/
20:02:26 <elmiko> very fancy chellygel
20:02:33 <chellygel> ;)
20:02:45 <redrobot> guessing other barbicaneers are still out for the 4th of july weekend
20:03:00 <redrobot> no matter, we'll have an awesome meeting regardless
20:03:15 <redrobot> as usual the agenda can be found here:
20:03:16 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:25 <redrobot> #topic Action Items from previous meeting
20:03:33 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-06-29-20.00.html
20:03:38 <redrobot> jaosorior are you around?
20:04:12 <redrobot> I'll take that as a no.
20:04:15 <redrobot> #action jaosorior to backport the DogTag gate fixes into stable/kilo
20:04:21 <redrobot> ok moving on to the agenda for today
20:04:55 <redrobot> #topic Update on Quota Support blueprint
20:05:03 <redrobot> dave-mccowan do you have an update for us?
20:05:06 <dave-mccowan> I've made good progress on the quotas blueprint.  To hopefully make reviewing easier, I'm breaking it into three parts: 1) config and controller, 2) repos, and 3) enforcement.  I'll include relevant unit test and functional tests with each part.  I submitted the CR for #1 today. https://review.openstack.org/198764  Let me know if there is anything I can do to help reviewers.  Perhaps wishful thinking, but it would be great if this
20:05:06 <dave-mccowan> could merge, before i start on #2.
20:05:37 <hockeynut> o/
20:05:42 <hockeynut> (late, I know)
20:05:57 <redrobot> #info dave-mccowan will be splitting the quota bp work into several patches
20:06:01 <redrobot> #link https://review.openstack.org/#/c/198764/
20:06:11 <redrobot> sounds great dave-mccowan !
20:06:24 <redrobot> any questions/comments about this blueprint?
20:06:29 <dave-mccowan> can we get a couple volunteers who will be doing the reviewing?
20:06:43 <hockeynut> (meekly raises hand in the air)
20:07:04 <hockeynut> 6 more LOC and we would have the CR from hell
20:07:25 <dave-mccowan> * makes note for next patch set
20:07:28 <rellerreller_> haha
20:07:54 <redrobot> I'll try to get a review in as well.
20:08:17 <redrobot> I'm sure woodster will be interested also
20:08:41 <redrobot> ok, moving on
20:08:52 <redrobot> #topic ACL client implementation
20:09:03 <redrobot> chellygel this topic is yours, yes?
20:09:06 <chellygel> Yes!
20:09:16 <chellygel> thanks redrobot (/me grabs the conch shell)
20:09:31 <chellygel> So, one of the tasks we want to implement is putting per-secret ACL into the barbican client
20:09:52 <chellygel> i have a blueprint here in launch pad: https://blueprints.launchpad.net/python-barbicanclient/+spec/per-secret-acl
20:10:07 <chellygel> i want to ask the community if they feel this approach to usage makes sense... as an example:
20:10:12 <chellygel> barbican acl "[secret-ref-here]" user list
20:10:23 <chellygel> would provide a list of user ids associated w/ the acl for the specific secret
20:10:53 <chellygel> this very basic vanilla implementation would have user add, user delete, and user list... does anyone have any thoughts, concerns, or questions about this implementation?
20:10:55 <redrobot> #link https://blueprints.launchpad.net/python-barbicanclient/+spec/per-secret-acl
20:11:13 <redrobot> chellygel I think the subcommand needs to be grouped together, so
20:11:24 <redrobot> barbican acl user list [secret-ref]
20:11:52 <rellerreller_> +1
20:11:52 <redrobot> but then again, I'm no cliff expert
20:12:01 <chellygel> makes sense to me :)
20:12:15 <chellygel> if no one else wishes to speak, i'm finished and will begin the implementation in this manner
20:12:21 <rellerreller_> It's not just cliff but what is intuitive to user as well.
20:12:34 <redrobot> barbican acl user delete [secret-ref] [user-ref]
20:12:49 <redrobot> barbican acl user add [secret-ref] [user-ref]
20:13:01 <redrobot> ^^ looks a little odd, but I think that would be the cliff ordering?
20:13:52 <redrobot> hmm....
20:14:05 <redrobot> barbican acl add --user [user-id] ?
20:14:11 <redrobot> barbican acl list
20:14:18 <redrobot> barbican acl delete --user [user-id] ?
20:14:22 <chellygel> still need to pass that ref though, right?
20:14:34 <chellygel> barbican acl add --ref [ref] --user [user]
20:14:35 <hockeynut> --secret-ref [secret=ref]
20:15:29 <chellygel> anyone else? thoughts?
20:15:44 <rellerreller_> If they are required do we need -- options?
20:16:12 <rellerreller_> It seems like user add would be like
20:16:13 <rellerreller_> barbican acl user add [secret-ref] [user-ref]
20:16:41 <rellerreller_> The --user makes it seem like not required, but it should be. I think.
20:16:44 <chellygel> i can't think of any other thing that would matter for an action w/ acls
20:17:09 <redrobot> there is a spec out for group acls as well
20:17:11 <redrobot> so we could have
20:17:22 <redrobot> barbican acl add --user [user-id] [secret-id]
20:17:23 <redrobot> and
20:17:35 <redrobot> barbican acl add --group [group-id] [secret-id]
20:18:24 <chellygel> well it could be argued that... barbican acl [user/group] add [secret-ref] [group/user-id] wouild work too
20:18:41 <redrobot> chellygel true...
20:18:42 <chellygel> im not sure the difference though, so i dont have an opinion on either way
20:18:54 <redrobot> chellygel would be one cliff subcommand vs two cliff sub-commands
20:19:08 <redrobot> chellygel functionally it wouldn't matter, I guess.
20:20:06 <rellerreller_> I vote for barbican acl user add [secret-ref] [user-ref], but I don't really care much one way or the other.
20:20:36 <hockeynut> as long as secret-ref and user-ref are keyword args I'm good with that
20:21:03 <kfox1111> -s secret-ref -u user-ref ?
20:21:08 <kfox1111> then you can reorder them.
20:21:12 <silos> -- makes sense to me. barbican acl add --user [userid] --ref [refid] and barbican acl add --ref [refid] --user [userid] are the same that way. Less likely to have mistakes that way IMO
20:21:33 <rellerreller_> Actually now I take it back. Maybe I do like barbican acl add [--user || --group <id>] <secret-ref>
20:22:01 <kfox1111> what about secret vs container acl's?
20:22:09 <kfox1111> -c for container ref, -s for secret ref.
20:22:19 <redrobot> I'm starting to agree on flags as well
20:22:39 <redrobot> kfox1111 yep, containers would be similar... I'm guessing --secret-ref and --container-ref to be consistent with the rest of the CLI
20:22:40 <kfox1111> acl add [--user || --group <id>] [--container || --secret <ref>]
20:23:48 <chellygel> okay, well lets get some votes in here so we can move on, yeah?
20:24:00 <chellygel> barbican acl add --user [id] --secret [ref]
20:24:06 <dave-mccowan> is two word commands, like "user add", typical for barbican client?   nova, for example, uses one word commands, e.g.:  "flavor-add", "flavor-list", "flavor-delete"
20:24:34 <redrobot> chellygel seems like we're all agreeing on using flags for secret/container refs and for user/group
20:24:49 <redrobot> dave-mccowan IIRC cliff can handle either
20:25:10 <dave-mccowan> +1 for flags
20:25:35 <kfox1111> most openstack seperate clients use '-' instead of ' '. the unified openstack client uses spaces for everything.
20:25:40 <kfox1111> +1 for flags.
20:26:17 <hockeynut> +1 for flags
20:26:25 <redrobot> seems there's consensus
20:26:36 <redrobot> chellygel any other questions about the ACL client implementation?
20:26:49 <chellygel> im good :)
20:27:01 <redrobot> ok
20:27:12 <redrobot> I was hoping to bikeshed on this until woodster had a chance to jump on
20:27:34 <redrobot> #topic Additional role for ACL
20:27:39 * kfox1111 chuckles
20:27:49 <kfox1111> its got to be green! :)
20:28:05 <elmiko> lol
20:28:09 <redrobot> kfox1111 lol
20:28:20 <chellygel> Green!! no! D: needs to be color blind friendly!
20:28:23 <redrobot> seems woodster isn't going to make it.
20:28:36 <redrobot> but I can talk about this topic anyway.
20:28:46 <redrobot> the idea here was to add one more role to our policy
20:29:04 <redrobot> potentially called "acl-user" or something similar we can bikeshed on
20:29:37 <kfox1111> whats it do?
20:29:59 <redrobot> so, for ACL access, the token provided would have to have the "acl-user" role scoped to the project that owns the secret.
20:30:12 <redrobot> in addition to being on the ACL
20:30:23 <redrobot> the benefit is that you can remove the role to lock out someone from all ACL'ed secrets.
20:30:33 <redrobot> instead of having to iterate through all possible secrets in the project
20:30:53 <redrobot> also I should point out that this is strictly a policy change.
20:31:07 <redrobot> and as such it would only affect people who choose to use the default policy
20:31:19 <redrobot> someone could still write a policy to ignore that role altogether.
20:31:49 <dave-mccowan> i envision the rule in policy.json would be: rule:secret_project_match and rule:secret_acl_read    in this case, it doesn't matter what we call the new role (member, user, acl-user, _foo_).  as long as the token is scoped for the project and the user is on the acl-read list, it's all good.
20:31:59 <kfox1111> as in the user would have to have the acl-user role on the project in order for the acl itself to take affect,
20:32:12 <kfox1111> or would have to have acl-user to be able to look at the acl itself?
20:32:41 <redrobot> kfox1111 yeah... though we could be a little looser, and just have the "acl-read" role in a scoped token... not necessarily scoped to the project that owns the secret...
20:33:28 <kfox1111> I'm a little worried the one way is too specific for things like the instance users to work,
20:33:28 <redrobot> kfox1111 someone using ACL would need both the "acl-read" role in their token (not sure about what project scope) as well as have the user-id listed in the ACL
20:33:37 <kfox1111> and the other is loose enough it might not be all the valuable.
20:35:02 <redrobot> kfox1111 good points... I wish woodster would be here to argue more for this change
20:35:12 <kfox1111> is there a spec?
20:36:03 <redrobot> I don't think so... we've had a couple of discussions about it, but it hasn't been put into a spec
20:36:24 <redrobot> probably would be good to do if woodster really wants this change.
20:36:34 <kfox1111> might be good to do a spec then, since these types of things can be discussed in the spec.
20:36:39 <kfox1111> yeah.
20:36:56 <kfox1111> it still might be a good idea, just may need to be thought out carefully.
20:37:31 <redrobot> #action redrobot to ping woodster about writing a spec for the additional acl role
20:37:42 <kfox1111> thx.
20:38:07 <redrobot> That's all I have on the agenda for today
20:38:11 <redrobot> #topic Open Discussion
20:38:36 <redrobot> any questions/comments/reviews that need to be brought up now?
20:38:57 <kfarr> Has anyone submitted any proposals for Tokyo?
20:39:18 <redrobot> kfarr not yet... we have a meeting sometime this week to brainstorm possible topics
20:39:21 <kfox1111> any more reviewers for the Container ACL and Fetch API spec? https://review.openstack.org/#/c/190404/
20:39:39 <kfarr> ok just checking!
20:39:55 <dave-mccowan> i still have the same two open reviews as last week: https://review.openstack.org/181291  and https://review.openstack.org/171023
20:40:14 <redrobot> kfarr how about you?  have you submitted anything?
20:40:52 <silos> I uploaded a new patch last week on a spec: https://review.openstack.org/#/c/194298/3
20:42:48 <kfarr> No, we were trying to come up with topics last week
20:43:26 <redrobot> I think it would be good to do a "How to deploy Barbican" talk... but we're still figuring it out >_<
20:43:43 <kfarr> :D
20:43:55 <elmiko> redrobot: +1
20:44:13 <kfarr> Oh, by the way, the Barbican wrapper for Castellan only needs a workflow! https://review.openstack.org/#/c/171918/
20:44:20 <elmiko> ooh \o/
20:44:51 <redrobot> kfarr excellent!
20:45:40 <rellerreller_> A security overview talk would be good. We could highlight what good security things are already in OpenStack and what is missing.
20:46:03 <elmiko> that would be a nice talk too
20:46:43 <kfox1111> it might make some folks cry though. :/
20:46:51 <kfox1111> I want to every time  Isee passwords passed through userdata. :/
20:46:53 <redrobot> rellerreller_ +1 ... sounds kindof like dave-mccowan 's talk in Vancouver.  It was a really good overview of security topics.
20:46:57 <elmiko> yea, maybe better to say "how you can improve security using barbican" ;)
20:47:13 <kfox1111> and instance users are not going to land in liberty. :_(
20:47:37 <rellerreller_> I missed dave-mccowan 's talk :(
20:47:42 <redrobot> kfox1111 bummer.
20:47:52 <elmiko> rellerreller_: it was nice
20:48:06 <kfox1111> nova's getting very slow at reviews. :/
20:48:12 <redrobot> rellerreller_ https://www.openstack.org/summit/vancouver-2015/summit-videos/presentation/securing-your-openstack-cloud
20:48:38 <dave-mccowan> thanks.  the video's on the openstack website.  rob clark also usually does an security overview talk.
20:49:03 <kfarr> rellerreller_, dave-mccowan's was a good one!
20:53:44 <redrobot> Alrighty y'all, I think that about does it for this meeting.
20:53:53 <redrobot> thanks everyone for coming!
20:53:57 <redrobot> #endmeeting