20:00:32 #startmeeting barbican 20:00:33 Meeting started Mon Jul 6 20:00:32 2015 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:00:34 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:00:36 The meeting name has been set to 'barbican' 20:00:46 #topic Roll Call 20:00:49 o/ 20:00:54 o/ 20:00:58 o/ 20:01:00 o/ 20:01:02 o/ 20:01:17 ✧٩(•́⌄•́๑) 20:01:27 o/ 20:02:26 very fancy chellygel 20:02:33 ;) 20:02:45 guessing other barbicaneers are still out for the 4th of july weekend 20:03:00 no matter, we'll have an awesome meeting regardless 20:03:15 as usual the agenda can be found here: 20:03:16 #link https://wiki.openstack.org/wiki/Meetings/Barbican 20:03:25 #topic Action Items from previous meeting 20:03:33 #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-06-29-20.00.html 20:03:38 jaosorior are you around? 20:04:12 I'll take that as a no. 20:04:15 #action jaosorior to backport the DogTag gate fixes into stable/kilo 20:04:21 ok moving on to the agenda for today 20:04:55 #topic Update on Quota Support blueprint 20:05:03 dave-mccowan do you have an update for us? 20:05:06 I've made good progress on the quotas blueprint. To hopefully make reviewing easier, I'm breaking it into three parts: 1) config and controller, 2) repos, and 3) enforcement. I'll include relevant unit test and functional tests with each part. I submitted the CR for #1 today. https://review.openstack.org/198764 Let me know if there is anything I can do to help reviewers. Perhaps wishful thinking, but it would be great if this 20:05:06 could merge, before i start on #2. 20:05:37 o/ 20:05:42 (late, I know) 20:05:57 #info dave-mccowan will be splitting the quota bp work into several patches 20:06:01 #link https://review.openstack.org/#/c/198764/ 20:06:11 sounds great dave-mccowan ! 20:06:24 any questions/comments about this blueprint? 20:06:29 can we get a couple volunteers who will be doing the reviewing? 20:06:43 (meekly raises hand in the air) 20:07:04 6 more LOC and we would have the CR from hell 20:07:25 * makes note for next patch set 20:07:28 haha 20:07:54 I'll try to get a review in as well. 20:08:17 I'm sure woodster will be interested also 20:08:41 ok, moving on 20:08:52 #topic ACL client implementation 20:09:03 chellygel this topic is yours, yes? 20:09:06 Yes! 20:09:16 thanks redrobot (/me grabs the conch shell) 20:09:31 So, one of the tasks we want to implement is putting per-secret ACL into the barbican client 20:09:52 i have a blueprint here in launch pad: https://blueprints.launchpad.net/python-barbicanclient/+spec/per-secret-acl 20:10:07 i want to ask the community if they feel this approach to usage makes sense... as an example: 20:10:12 barbican acl "[secret-ref-here]" user list 20:10:23 would provide a list of user ids associated w/ the acl for the specific secret 20:10:53 this very basic vanilla implementation would have user add, user delete, and user list... does anyone have any thoughts, concerns, or questions about this implementation? 20:10:55 #link https://blueprints.launchpad.net/python-barbicanclient/+spec/per-secret-acl 20:11:13 chellygel I think the subcommand needs to be grouped together, so 20:11:24 barbican acl user list [secret-ref] 20:11:52 +1 20:11:52 but then again, I'm no cliff expert 20:12:01 makes sense to me :) 20:12:15 if no one else wishes to speak, i'm finished and will begin the implementation in this manner 20:12:21 It's not just cliff but what is intuitive to user as well. 20:12:34 barbican acl user delete [secret-ref] [user-ref] 20:12:49 barbican acl user add [secret-ref] [user-ref] 20:13:01 ^^ looks a little odd, but I think that would be the cliff ordering? 20:13:52 hmm.... 20:14:05 barbican acl add --user [user-id] ? 20:14:11 barbican acl list 20:14:18 barbican acl delete --user [user-id] ? 20:14:22 still need to pass that ref though, right? 20:14:34 barbican acl add --ref [ref] --user [user] 20:14:35 --secret-ref [secret=ref] 20:15:29 anyone else? thoughts? 20:15:44 If they are required do we need -- options? 20:16:12 It seems like user add would be like 20:16:13 barbican acl user add [secret-ref] [user-ref] 20:16:41 The --user makes it seem like not required, but it should be. I think. 20:16:44 i can't think of any other thing that would matter for an action w/ acls 20:17:09 there is a spec out for group acls as well 20:17:11 so we could have 20:17:22 barbican acl add --user [user-id] [secret-id] 20:17:23 and 20:17:35 barbican acl add --group [group-id] [secret-id] 20:18:24 well it could be argued that... barbican acl [user/group] add [secret-ref] [group/user-id] wouild work too 20:18:41 chellygel true... 20:18:42 im not sure the difference though, so i dont have an opinion on either way 20:18:54 chellygel would be one cliff subcommand vs two cliff sub-commands 20:19:08 chellygel functionally it wouldn't matter, I guess. 20:20:06 I vote for barbican acl user add [secret-ref] [user-ref], but I don't really care much one way or the other. 20:20:36 as long as secret-ref and user-ref are keyword args I'm good with that 20:21:03 -s secret-ref -u user-ref ? 20:21:08 then you can reorder them. 20:21:12 -- makes sense to me. barbican acl add --user [userid] --ref [refid] and barbican acl add --ref [refid] --user [userid] are the same that way. Less likely to have mistakes that way IMO 20:21:33 Actually now I take it back. Maybe I do like barbican acl add [--user || --group ] 20:22:01 what about secret vs container acl's? 20:22:09 -c for container ref, -s for secret ref. 20:22:19 I'm starting to agree on flags as well 20:22:39 kfox1111 yep, containers would be similar... I'm guessing --secret-ref and --container-ref to be consistent with the rest of the CLI 20:22:40 acl add [--user || --group ] [--container || --secret ] 20:23:48 okay, well lets get some votes in here so we can move on, yeah? 20:24:00 barbican acl add --user [id] --secret [ref] 20:24:06 is two word commands, like "user add", typical for barbican client? nova, for example, uses one word commands, e.g.: "flavor-add", "flavor-list", "flavor-delete" 20:24:34 chellygel seems like we're all agreeing on using flags for secret/container refs and for user/group 20:24:49 dave-mccowan IIRC cliff can handle either 20:25:10 +1 for flags 20:25:35 most openstack seperate clients use '-' instead of ' '. the unified openstack client uses spaces for everything. 20:25:40 +1 for flags. 20:26:17 +1 for flags 20:26:25 seems there's consensus 20:26:36 chellygel any other questions about the ACL client implementation? 20:26:49 im good :) 20:27:01 ok 20:27:12 I was hoping to bikeshed on this until woodster had a chance to jump on 20:27:34 #topic Additional role for ACL 20:27:39 * kfox1111 chuckles 20:27:49 its got to be green! :) 20:28:05 lol 20:28:09 kfox1111 lol 20:28:20 Green!! no! D: needs to be color blind friendly! 20:28:23 seems woodster isn't going to make it. 20:28:36 but I can talk about this topic anyway. 20:28:46 the idea here was to add one more role to our policy 20:29:04 potentially called "acl-user" or something similar we can bikeshed on 20:29:37 whats it do? 20:29:59 so, for ACL access, the token provided would have to have the "acl-user" role scoped to the project that owns the secret. 20:30:12 in addition to being on the ACL 20:30:23 the benefit is that you can remove the role to lock out someone from all ACL'ed secrets. 20:30:33 instead of having to iterate through all possible secrets in the project 20:30:53 also I should point out that this is strictly a policy change. 20:31:07 and as such it would only affect people who choose to use the default policy 20:31:19 someone could still write a policy to ignore that role altogether. 20:31:49 i envision the rule in policy.json would be: rule:secret_project_match and rule:secret_acl_read in this case, it doesn't matter what we call the new role (member, user, acl-user, _foo_). as long as the token is scoped for the project and the user is on the acl-read list, it's all good. 20:31:59 as in the user would have to have the acl-user role on the project in order for the acl itself to take affect, 20:32:12 or would have to have acl-user to be able to look at the acl itself? 20:32:41 kfox1111 yeah... though we could be a little looser, and just have the "acl-read" role in a scoped token... not necessarily scoped to the project that owns the secret... 20:33:28 I'm a little worried the one way is too specific for things like the instance users to work, 20:33:28 kfox1111 someone using ACL would need both the "acl-read" role in their token (not sure about what project scope) as well as have the user-id listed in the ACL 20:33:37 and the other is loose enough it might not be all the valuable. 20:35:02 kfox1111 good points... I wish woodster would be here to argue more for this change 20:35:12 is there a spec? 20:36:03 I don't think so... we've had a couple of discussions about it, but it hasn't been put into a spec 20:36:24 probably would be good to do if woodster really wants this change. 20:36:34 might be good to do a spec then, since these types of things can be discussed in the spec. 20:36:39 yeah. 20:36:56 it still might be a good idea, just may need to be thought out carefully. 20:37:31 #action redrobot to ping woodster about writing a spec for the additional acl role 20:37:42 thx. 20:38:07 That's all I have on the agenda for today 20:38:11 #topic Open Discussion 20:38:36 any questions/comments/reviews that need to be brought up now? 20:38:57 Has anyone submitted any proposals for Tokyo? 20:39:18 kfarr not yet... we have a meeting sometime this week to brainstorm possible topics 20:39:21 any more reviewers for the Container ACL and Fetch API spec? https://review.openstack.org/#/c/190404/ 20:39:39 ok just checking! 20:39:55 i still have the same two open reviews as last week: https://review.openstack.org/181291 and https://review.openstack.org/171023 20:40:14 kfarr how about you? have you submitted anything? 20:40:52 I uploaded a new patch last week on a spec: https://review.openstack.org/#/c/194298/3 20:42:48 No, we were trying to come up with topics last week 20:43:26 I think it would be good to do a "How to deploy Barbican" talk... but we're still figuring it out >_< 20:43:43 :D 20:43:55 redrobot: +1 20:44:13 Oh, by the way, the Barbican wrapper for Castellan only needs a workflow! https://review.openstack.org/#/c/171918/ 20:44:20 ooh \o/ 20:44:51 kfarr excellent! 20:45:40 A security overview talk would be good. We could highlight what good security things are already in OpenStack and what is missing. 20:46:03 that would be a nice talk too 20:46:43 it might make some folks cry though. :/ 20:46:51 I want to every time Isee passwords passed through userdata. :/ 20:46:53 rellerreller_ +1 ... sounds kindof like dave-mccowan 's talk in Vancouver. It was a really good overview of security topics. 20:46:57 yea, maybe better to say "how you can improve security using barbican" ;) 20:47:13 and instance users are not going to land in liberty. :_( 20:47:37 I missed dave-mccowan 's talk :( 20:47:42 kfox1111 bummer. 20:47:52 rellerreller_: it was nice 20:48:06 nova's getting very slow at reviews. :/ 20:48:12 rellerreller_ https://www.openstack.org/summit/vancouver-2015/summit-videos/presentation/securing-your-openstack-cloud 20:48:38 thanks. the video's on the openstack website. rob clark also usually does an security overview talk. 20:49:03 rellerreller_, dave-mccowan's was a good one! 20:53:44 Alrighty y'all, I think that about does it for this meeting. 20:53:53 thanks everyone for coming! 20:53:57 #endmeeting