20:00:24 #startmeeting barbican 20:00:25 Meeting started Mon Nov 16 20:00:24 2015 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:00:26 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:00:29 The meeting name has been set to 'barbican' 20:00:37 #topic Roll Call 20:00:43 here 20:00:46 sort o/ 20:00:47 o/ 20:00:49 \o/ 20:00:51 o/ 20:00:52 o/ 20:00:53 sorta o/ 20:00:54 lol 20:00:56 o/ 20:01:10 o/ 20:01:14 o/ 20:01:20 o/ 20:01:21 o/ 20:01:22 as usual, the agenda can be found here: 20:01:30 #link https://wiki.openstack.org/wiki/Meetings/Barbican 20:01:47 o/ 20:01:47 a good amount of barbicaneers here! :) 20:02:13 #topic Action Items from last meeting 20:02:23 #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-11-09-20.00.html 20:02:41 kfarr so I asked the Release Managers about the Mitaka-1 release 20:03:21 kfarr apparently they will be changing the previous process (ping the ptl and ask) with a newer process that sends a patch to openstack/releases 20:03:32 kfarr there should be more information coming on the ML 20:03:38 redrobot, ok! 20:03:41 (or maybe already there... I haven't checked the ML) 20:04:01 kfarr basically one Patch with the SHA for the release to openstack/releases 20:04:10 kfarr and then one more patch to openstack/barbican to bump the version 20:04:27 redrobot, sounds reasonable 20:04:40 kfarr so you're on-board for releasing Mitaka-1 while I'm gone??? :D 20:04:47 o/ late:) 20:04:49 redrobot, sure! 20:04:50 * elmiko gasps 20:04:52 ;) 20:05:05 #info kfarr will be handling the Mitaka-1 release 20:05:09 kfarr thanks! you rock! 20:05:33 that's just barbican and not python-barbicanclient, right? 20:05:38 next, I had an action to look at diazjf use cases for Federation... which I did not get to :( 20:05:58 kfarr correct, only Barbican needs to be released during the Mitaka-1 release week 20:06:47 we have added use case diagrams to the barbican federation etherpad https://etherpad.openstack.org/p/barbican-federation-use-cases 20:06:49 kfarr also be sure to mention in the CR that you're the official release person for that release, so they know it's coming from the right source. 20:06:49 edtubill, silos1, can you please post the links to the usecases 20:07:00 o/ 20:07:01 redrobot, got it! 20:07:35 diazjf oh nice... looks like there's more stuff there for us to look at 20:07:49 #action redrobot to review updated Federation usecases https://etherpad.openstack.org/p/barbican-federation-use-cases 20:08:11 diazjf I'll send these to Joe for comments as well 20:08:28 redrobot, sounds good! 20:08:40 ok, that's it for action items 20:08:44 on to today's agenda 20:09:04 #topic Barbican Federation Use-Cases Detailed Overview 20:09:16 diazjf assuming it's the same link as above? 20:09:25 #link https://etherpad.openstack.org/p/barbican-federation-use-cases 20:09:55 redrobot, yup same one 20:10:21 diazjf anything to discuss now, or should we revisit next meeting after everyone gets a chance to review the updated etherpad? 20:10:58 Is it ok to leave comments there, or should we do that some place else? 20:11:04 Or wait for discussion? 20:11:24 rellerreller:feel free to leave comments there 20:11:32 redrobot, I would like everyone to have an understanding of the usecases before review, edtubill, silos1 anything else. 20:11:35 edtubill +1 comments in etherpad 20:12:36 diazjf sounds good, I'll move on to the next topic then 20:12:36 nope. I think we covered everything for federation. 20:12:47 also put your irc_name in front of the comment :) 20:12:55 #info everyone please review the federation use cases 20:13:17 #topic Castellan Authentication compatibility for Swift 20:13:37 https://etherpad.openstack.org/p/swifjt-keymaster-with-castellan 20:13:44 So diazjf notmyname and I were talking about this a bit on the barbican channel last week. 20:13:56 #link https://etherpad.openstack.org/p/swifjt-keymaster-with-castellan 20:14:49 Swift is most commonly used with non-Keystone authentication 20:15:18 redrobot, I added my "thoughts" section as to what I think should be done to solve this challenge. 20:15:22 I think that's a red herring, actually 20:15:48 notmyname which part is a red herring? 20:15:59 the auth system that the end-user uses doesn't/shouldn't matter, at least for the first iteration of the crypto functionality we're building 20:16:17 notmyname agreed. Barbican does not necessarily need to have the same Auth system 20:16:29 especially if swift clients won't have access to the Barbican instance 20:16:36 ie we need swift itself to be authorized to get secrets, not the end user. phrased differently, swift owns the secrets 20:17:07 at least in the first iteration of the feature ;-) 20:17:21 So the main question is how does Swift authenticate to Barbican? ... The key point here is that whatever credentials are used to auth to Barbican will be stored as the owner of the keys 20:17:52 so for the first iteration, where Swift owns all keys, Swift would only need a single set of credentials to auth to Barbican 20:18:01 notmyname..so all secrets are owned by a single tenant/account. So no multi-tenancy support is needed ? 20:18:13 notmyname, does swift have a service user? 20:18:32 redrobot, correct, I was thinking of using a username/password to authenticate to Barbican. That way swift can have it stored in the conf or wherever and pass that to castellan. 20:18:58 arunkant: it's orthogonal. swift still has multi-tenancy support 20:19:02 Should we assume that Keystone does not exist? 20:19:18 diazjf: one reason I like that idea is the ease of testing 20:19:18 Or at least that Keystone is optional? 20:19:26 rellerreller, correct. Most swift deployments dont use keystone 20:19:45 alee: maybe? I'm not sure how that's defined 20:20:38 alee I think service user is a devstack (or keystone) concept... 20:20:55 Would it be fair to say there are two use cases. 1) Swift can authenticate to Keystone and auth as usual to Barbican. 2) Swift cannot authenticate to Keystone (does not exist) and must authenticate directly to Barbican 20:20:59 ^ ? 20:21:20 rellerreller that sounds about right. 20:21:25 rellerreller: likely, but case 2 will also be the case for testing (ideally) 20:21:57 notmyname I do not understand what you mean for the case for testing. 20:21:58 An MVP for Case 2 would require a new middleware that sits in front of Barbican that can provide Authentication. 20:22:14 rellerreller I think they would prefer to test without Keystone 20:22:24 oh 20:22:38 notmyname, redrobot right - and can provide the types of things that a keystone token would provide 20:22:42 yeah, that's all. testing is simpler the less external dependencies have to be managed ;-) 20:23:00 redrobot, correct, I am fully supportive of making a new auth middleware for Barbican :) 20:23:20 +1 20:23:43 alee yup... basically sit in front of Barbican, process Auth using X system, if auth succeeds then add X-Project-Id, X-Roles, and whatever else X-Headers we need 20:23:55 +1 -- and then the secrets could either all be owned by the switft user - or that user could be added to the acl for the secrets 20:24:03 yup 20:24:07 redrobot: diazjf: user/pass or shared secret + HMAC or whatever 20:24:36 I think we're all in agreement about that piece of the puzzle 20:24:54 so the next question is how Castellan actually handles the authentication piece 20:25:26 now that's I'm sitting here thinking about it again, I'm wondering if it's the best idea after all 20:25:29 the current interface assumes that there will be an instance of oslo.context that can be used by whatever implementation to build the required auth objects 20:25:48 notmyname if by "best" you mean "easy to implement", then yes. :) 20:26:18 so will this be two step..first authenticate to external auth..and then use that authenticated data (token in keystone world) to make call to barbican ? 20:26:20 redrobot: the concerns from the swift side are that the creds passed to barbican are decoupled from any end-user 20:26:49 redrobot: and that, at least with castellan, it would be *nice* to not require keystone if it's not using barbican 20:27:21 redrobot: and that for tests we can fairly easily sub out auth 20:27:25 *stub 20:27:34 notmyname the goal of castellan is not to depend on Keystone or any other authentication scheme. 20:27:56 The intent of the "context" parameter is to be a generic blob that is passed to a KeyManager. 20:28:01 but if a deployer is using barbican and encrypting stuff in swift, it makes sense to use keystone to manage the auth between them 20:28:11 The KeyManager is then responsible for knowing how to handle the blob. 20:28:20 rellerreller, Keystone is currently required in the barbican-keymanager 20:28:29 rellerreller I don't like that definition of "context" 20:28:36 rellerreller: the KeyManager is on the castellan side, right? 20:28:42 jrichli: did what I just say make sense? 20:28:52 barbican-keymanager may require it but not all key managers should require it. 20:28:55 rellerreller it's very specific to the implementation, and I would prefer that it be a well-defined object, such that any impl can use it. 20:29:03 notmyname yes it is on castellan side 20:29:22 notmyname: still processing 20:29:32 maybe I'm missing something... in my mind "generic blob" != well defined 20:29:40 redrobot the problem is that some schemes may not be known and generic for all key managers 20:30:11 for instance what about kerberos tickets or some custom signed messages or something. 20:30:53 This is why I was suggesting that maybe Castellan needs to define Auth objects... sort of similar to KMIP Credential objects 20:31:02 I think the key manager impls will have to look at the blob and say something like if instance of keystone token then do this; else if instance of .. do this; else I don't know what to do raise exception. 20:31:17 redrobot: +1 20:31:18 redrobot: an interesting thought 20:31:24 redrobot I think we are saying the same thing. 20:31:38 redrobot I'm suggesting the top level object be a generic blob. 20:31:44 perhaps. I think my concern isn't that keystone is used for a particular config (ie castellan to barbican). just that keystone might have been required in every use case 20:31:53 Then subclasses for username/password, keystone token, etc. 20:32:19 rellerreller ah yes... seems we're in violent agreement ;) 20:32:44 notmyname I'm not opposed to having multiple Barbican implementations of Castellan 20:33:00 Then I see Barbican key manager say if KeystoneContext then send directly to Barbican; else if PasswordContext take out username/password and pass to barbican; else raise error 20:33:24 And for KMIP KeyManager it does something similar by mapping to the KMIP objects for authentication 20:33:59 You should not need multiple implementations of Barbican 20:34:09 but if I'm following correctly, barbican would currently only accept a "keystonecontext" right? 20:34:41 kfarr yes, but it would not take much to change it 20:35:11 Ok just trying to keep straight what is being proposed and what is currently implemented 20:35:23 We could write a helper method to transform the Castellan context object into something that can be used by python-barbicanclient 20:36:35 rellerreller sure, a smar impl that can conditionally use Keystone would work 20:36:42 *smart 20:36:56 rellerreller I think we need to better define the context object 20:37:00 agreed 20:37:23 I think a smart implementation for KMIP impl is needed as well 20:37:36 redrobot, rellerreller, So what we have now as an acceptable solution is to do the following? 20:37:36 1.) username/password middleware for Barbican 20:37:36 2.) Castellan checks context and decides how to perform auth 20:37:46 I do not foresee a KMIP device knowing how to handle keystone tokens in the near future but could later 20:38:19 I feel like I should be arguing that barbican (the project) not reimplement auth ;-) 20:38:22 diazjf 2. Barbican KM in Castellan (just trying to clarify) 20:38:36 rellerreller, correct 20:38:47 ok, making sure we are on the same page. 20:38:59 notmyname one of my questions was how swift is doing this 20:39:12 Is there a library that can be reused? 20:39:27 for what? different auth implementations? 20:39:38 notmyname yes 20:40:06 diazjf There's a ton of different ways to achieve 1 ... still not sure we need to provide any/all possiblities with Barbican. 20:40:24 no. auth is done in swift via middleware that conforms to a protocol. swift ships with an auth middleware for testing and a keystone auth middleware. if deployers want something else, they can find or write a different one 20:41:44 notmyname why can we not apply that same scheme to barbican? 20:42:14 I suppose you could. I'm not familiar enough with your design to know how or if that would work 20:42:26 rellerreller we have a different auth story... Swift uses callbacks provided by the middlware... we strictly require the request headers provided by keystonemiddlware. 20:42:52 interesting 20:43:12 redrobot: close. the middleware can look at whatever headers it wants and does provide a callback. but it's not callbacks vs headers 20:43:16 diazjf is this helping move your spec forward? 20:43:41 redrobot yes, I will update https://review.openstack.org/#/c/241068/ 20:43:48 * redrobot only knows about Swift auth from previous discussions 20:43:53 I would really like this feature in the M release :) 20:44:35 so for now, it seems we need to 1. better define the Context object in Castellan 20:44:47 and 2. possibly provide a sample non-keystone auth middleware. 20:44:55 diazjf do you want to work on both of those? 20:45:04 redrobot, Yes 20:45:32 #action diazjf to write blueprint to better define Context in Castellan 20:45:46 #action diazjf to write a non-keystone auth middleware for Barbican 20:45:53 ok, good discussions y'all 20:46:22 still got a few topics, hopefully we can get through those in 15 min. 20:46:30 #topic Barbican Garbage Collector 20:46:52 for this topic I just wanted to ask people to review my spec/blue print 20:46:54 https://review.openstack.org/#/c/243806/ 20:46:54 whose topic is this? 20:46:54 https://blueprints.launchpad.net/barbican/+spec/barbican-cron-job-garbage-collector-for-database 20:47:27 redrobot: mine, I forgot to put my name on the agenda 20:47:55 and I also wanted to ask when it would be okay to start working on it, or should I wait till the blue print gets accepted? 20:48:35 edtubill up to you... the risk in working on impl before the spec is accepted is that it may change, thus forcing you to re-work the impl 20:49:58 regarding the "to be discussed" section in L65-68 20:50:23 I think all questions go back to the Soft vs. Hard dilemma 20:50:47 In previous discussions I think the general consensus is that it should be configurable per deployment 20:51:13 for example, at Rackspace, we may want soft deletes to provide "fanatical undelete" ... so you could call one of our support reps and get your key back. 20:51:37 but some other deployer may have a compliance regime that requires them to really delete a key when you ask for a delete operation 20:52:05 edtubill does that make sense? 20:52:28 redrobot, yes that makes sense. 20:52:51 edtubill anything else to discuss now, or just wait for more reviews? 20:53:08 I can wait for more reviews. lets get on to the next topic 20:53:23 #topic Creating a castellan-specs repo 20:53:34 thanks for the input. I'll add it to the spec. 20:53:54 silos1 what benefits would we get from a separate repo as opposed to having a /castellan directory in barbican-specs for example? 20:54:48 Hmm In my head it just made sense because we are adding features in castellan that don't really have any dependency on barbican. Like a key_manager interface for kmip. 20:55:21 #vote Should Castellan specs be tracked in barbican-specs or not? 20:55:39 derp 20:55:52 #startvote Should Castellan specs be tracked in barbican-specs or not? 20:55:54 Begin voting on: Should Castellan specs be tracked in barbican-specs or not? Valid vote options are Yes, No. 20:55:55 Vote using '#vote OPTION'. Only your last vote counts. 20:56:17 to clarify "Yes" means we track in barbican-specs 20:56:27 "No" vote means we should have a castellan-specs repo 20:56:34 #vote yes 20:56:38 #vote yes 20:56:42 #vote yes 20:56:44 #vote yes 20:56:44 That means put it under a castellan folder? 20:56:50 rellerreller: yes 20:56:56 #vote no :( 20:56:59 #vote No 20:57:10 rellerreller: kfarr do we expect many more changes to castellan? 20:57:12 oh wait 20:57:14 rellerreller yes, a castellan directory ... posbilly with mitaka/ etc directories underneath 20:57:48 if we do expect many more changes, then I vote 'yes' 20:57:59 Either way is fine with me. 20:58:00 #vote yes 20:58:08 * woodster_ but I doubt many more are needed :) 20:58:12 Well, this generic authentication is one upcoming big one 20:58:17 potentially 20:58:21 #endvote 20:58:22 Voted on "Should Castellan specs be tracked in barbican-specs or not?" Results are 20:58:24 kfarr: agreed 20:58:27 woodster_ why would more changes make you want it in Barbican? I would have thought the other way. 20:58:50 rellerreller: many more changes would be better in a sep repo 20:58:51 * redrobot is in suspense waiting for vote results 20:59:05 I think our voting bot broke :( 20:59:06 oh, I guess I misread that. My mistake. 20:59:14 I voted yes to a new repo if lots of changes still coming, no other wise 20:59:16 kfarr, already put the spec in Barbican :) 20:59:26 if things get crazy active with castellan specs, nothing precludes moving it out to its own space though... right? 20:59:30 in any case... it looks like we should continue to track in barbican-specs unless it becomes a problem 20:59:34 do we think castellan is stable 20:59:36 woodster_ yes means no in this case :) 20:59:56 elmiko looks like we won't have time for your topic :( 20:59:56 redrobot: ok. just wanted to clear up where to keep the specs. 20:59:56 like those proposition votes at election time! 21:00:04 redrobot: nutz... 21:00:07 woodster_, what do you mean by stable? 21:00:14 I think there will be more changes; context, barbican authentication, kmip impl 21:00:20 i think we are out of time :\ 21:00:24 I have to run 21:00:25 we're out of time folks... we can continue in our channel 21:00:29 #endmeeting