20:00:19 <redrobot> #startmeeting barbican
20:00:20 <openstack> Meeting started Mon Jan  4 20:00:19 2016 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:22 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:24 <openstack> The meeting name has been set to 'barbican'
20:00:29 <redrobot> #topic Roll Call
20:00:30 <merehdg> Ok
20:00:43 <arunkant> o/
20:00:44 <spotz> o/
20:00:45 <rellerreller> o/
20:00:45 <edtubill> o/
20:00:46 <dave-mccowan> o/
20:00:49 <merehdg> How was Christmas?
20:00:53 <diazjf> o/
20:00:54 <jrichli> o/
20:00:54 <jkf> o/
20:01:01 <redrobot> Happy New Year Barbicaneers! :D
20:01:01 <merehdg> o/
20:01:02 <maxabidi> o/
20:01:06 <redrobot> mine was quite good merehdg
20:01:14 <merehdg> Good
20:01:21 <merehdg> Mine was good too
20:01:23 <silos> \o/
20:01:24 <redrobot> although I think I'm getting old, because I got close to zero presents :(
20:01:29 <merehdg> Oh
20:01:34 <merehdg> Thst is a shame
20:01:45 <kfarr> o/
20:01:49 <alee> o/
20:01:57 <merehdg> Redrobot how was yours
20:02:02 <panatl> o/
20:02:04 <redrobot> lots of barbicaneers here today!
20:02:11 <merehdg> Oh
20:02:12 <spotz> Happy New Year
20:02:18 <redrobot> looks like everyone is ready to hit the ground running for the good year
20:02:22 <panatl> Happy New Year!!
20:02:29 <redrobot> \o/
20:02:50 <igueths> ø
20:03:07 <redrobot> as usual the agenda can be found here:
20:03:12 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:37 <redrobot> #topic Action Items
20:03:43 <redrobot> there were no action items last week
20:03:47 <redrobot> so moving on
20:04:11 <redrobot> #topic Liaison Updates
20:04:29 <redrobot> #link https://wiki.openstack.org/wiki/CrossProjectLiaisons
20:04:41 <redrobot> so one of my new year's resolutions is to keep better track of cross-project things
20:04:55 <redrobot> so I wanted to touch base with Barbican liaisons during the weekly meeting for updates
20:05:13 <redrobot> for Oslo, I went to the meeting today, but it was quite uneventful
20:05:36 <redrobot> hockeynut_afk seems to be afk, so no update from QA
20:05:59 <redrobot> constanze seems to be mia, so no update from Docs
20:06:36 <redrobot> for VMT, we do have a security bug open, which I think may be still marked private
20:06:45 <redrobot> I need to make some progress on that bug
20:07:08 <redrobot> #action redrobot to check on status of reported security bug
20:07:16 <dave-mccowan> FYI, the Barbican Key Manager in Nova and Cinder had a pretty severe bug.  https://bugs.launchpad.net/nova/+bug/1523646  The patch is in review in Nova still, and merged in Cinder.
20:07:17 <openstack> Launchpad bug 1523646 in OpenStack Compute (nova) "Nova/Cinder Key Manager for Barbican Uses Stale Cache" [High,In progress] - Assigned to Dave McCowan (dave-mccowan)
20:07:47 <dave-mccowan> any thoughts on how far back this fix should be backported?  the key manager is unusable without the fix.
20:07:52 <redrobot> dave-mccowan thanks for the link!  I'll take a look at it
20:08:02 <woodster_> o/
20:08:13 <jkf> redrobot: it is still private, just checked
20:08:47 <redrobot> dave-mccowan I believe n-2 releases should be supported...  so Juno, Kilo and Liberty?
20:09:17 <redrobot> ...  or maybe just Kilo, Liberty and Mitaka? ...  not sure what "n" is supposed to be in this context
20:09:18 <jmckind_> o/
20:09:43 <spotz> n=current release?
20:09:47 <redrobot> jkf iirc the VMT folks said we could probably mark as public since it's not that severe...
20:09:54 <redrobot> jkf thanks for checking that
20:09:59 <jkf> redrobot: I don
20:10:06 <jkf> 't have an issue with making it public.
20:10:34 <dave-mccowan> maybe we can use cross-project liasons to make sure stable branch backports happen for these patches.
20:10:49 <redrobot> dave-mccowan is this a nova+cinder patch?
20:11:49 <dave-mccowan> yes
20:11:49 <redrobot> dave-mccowan I'll ping ccneil and see if he's got  some free cycles to work on some backports
20:12:29 <redrobot> #action redrobot to ping ccneill about the nova+cinder security bug
20:12:51 <redrobot> alee any news from the magnum folks?
20:13:51 <alee> redrobot, sorry I have not checked in with them in awhile - at last check, they are still planning on integrating with the KMS side, but holding off on cms
20:14:28 <alee> redrobot, I'll try attend a meeting later this week
20:14:34 <redrobot> alee awesome, thanks
20:14:48 <redrobot> ok, I think that's it for liaisons
20:14:54 <redrobot> moving on to the agenda
20:15:01 <merehdg> Ok
20:15:03 <redrobot> #topic Mitaka Mid-cycle
20:15:20 <redrobot> #link https://wiki.openstack.org/wiki/Sprints/BarbicanMitakaSprint
20:15:29 <redrobot> The mid-cycle sprint is next week!  :-O
20:15:40 <redrobot> we're pretty excited to be hosting at the Castle
20:15:42 <diazjf> whoop whoop
20:15:58 <merehdg> It is so cool we can do thin on IRC.
20:16:29 <redrobot> everything looks good on our end.  if you haven't signed up on Eventbrite, please do, so we can plan for food and such
20:16:42 <merehdg> Ok
20:16:45 <redrobot> the etherpad is still looking a bit bare
20:16:54 <redrobot> so please add some topics this week
20:16:55 <merehdg> Really?
20:16:57 <redrobot> #link https://etherpad.openstack.org/p/barbican-mitaka-midcycle
20:17:04 <merehdg> Ok
20:17:09 <merehdg> I believe you
20:17:19 <merehdg> :)
20:17:27 <merehdg> :/
20:17:29 <redrobot> merehdg yeah, I still haven't gone through the tokyo summit notes to add outstanding topics
20:17:39 <merehdg> Ok
20:17:48 <merehdg> Ill let you do that
20:17:48 <redrobot> #action redrobot to review the Tokyo  summit notes for outstanding topics for the mid-cycle
20:17:58 <redrobot> any questions/comments regarding the mid-cycle?
20:18:11 <merehdg> Do we meet here on Memoral Day since it is a Monday
20:18:41 <merehdg> Or is that meetijg going to be cancelled
20:19:52 <redrobot> merehdg planning ahead, I see?  :)  ...  I think it may possibly be cancelled since I will not be at work...  but we usually don't make those decisions until a couple of weeks before the holiday.
20:20:07 <merehdg> Ok
20:20:09 <redrobot> merehdg usually we announce cancelled meetings on the ML
20:20:18 <merehdg> Ok
20:20:29 <redrobot> any other questions/comments about the mid-cycle?
20:20:34 <dave-mccowan> maybe thinking about MLK day, in two weeks?
20:21:32 <merehdg> I thibk we can move on
20:21:34 <redrobot> dave-mccowan I think we'll still meet on MLK day...  I don't get a holiday that day. :(
20:21:43 <redrobot> alrighty, moving on
20:22:01 <redrobot> #topic Castellan multiple keystone auth blueprint
20:22:08 <redrobot> diazjf your topic?
20:22:38 <diazjf> redrobot, I just want everyone to review https://review.openstack.org/#/c/241068/
20:22:47 <diazjf> I recently updated it and add comments
20:23:10 <diazjf> added*
20:23:27 <rellerreller> diazjf what object do you plan to use for the context parameter in the KeyManager calls?
20:24:06 <elmiko> o/
20:24:19 <rellerreller> I'm still trying to figure out this spec.
20:24:55 <merehdg> Ok
20:25:00 <merehdg> Understood
20:25:04 <diazjf> rellerreller I think objects should still be oslo,context or just dictionaries which Castellan breaks apart and determines the correct Keystone Auth to use
20:25:35 <diazjf> I'm not sure about using a new hierarchy-based context class
20:25:56 <rellerreller> So I think this would be a good topic of discussion at the mid-cycle.
20:25:59 <redrobot> diazjf oslo.context != dict ... I think it would have to be one or the other
20:26:01 <elmiko> does castellan really need to know much about the context obj?
20:26:20 <diazjf> redrobot, shouldn't we support both?
20:26:28 <rellerreller> I am going to propose a new Credential class and object hierarchy.
20:26:59 <rellerreller> elmiko I think we should be using the term credential instead of context, but that is a minor detail.
20:27:00 <redrobot> rellerreller +1 for Castellan Auth discussion at mid-cycle
20:27:04 <diazjf> rellerreller agreed, we can have a deep discussion about this during the midcycle.
20:27:23 <merehdg> Ok
20:27:25 <elmiko> rellerreller: fair
20:27:29 <redrobot> ok, cool, so for now please read the spec so we're on the same page for next week
20:27:33 <rellerreller> I believe we should create a Credential object with subclasses for how to authenticate to the backend key management device.
20:27:56 <diazjf> rellerreller, I can add an alternative section to the spec including hierarchy if you would like :)
20:28:00 <rellerreller> I'm envisioning a KeystoneTokenCredential and a UsernamePasswordCredential.
20:28:22 <rellerreller> The KeyManager can then use this to determine how to authenticate to the device.
20:28:26 <elmiko> maybe i'm missing something, but shouldn't these credential objects just get passed along to whatever client will consume them? (does castellan really need to know much about them)
20:28:51 <merehdg> I agree
20:28:55 <redrobot> elmiko the problem is that a person consuming Castellan needs to use a credential without knowing what backend will be used a runtime
20:29:08 <rellerreller> In some cases they will be passed along in other cases we may want device specific credentials.
20:29:25 <redrobot> elmiko so we need to clearly define what a credential is, so it's part of the interface contract
20:29:32 <elmiko> ah, so castellan may need to do something special depending on what type of credential arrives, is that accurate?
20:29:41 <rellerreller> elmiko yes
20:29:45 <elmiko> got it
20:29:59 <merehdg> Ok
20:30:03 <merehdg> Understood now
20:30:05 <rellerreller> Consider the case of KMIP. You can authenticate via username and password, PKI, or something propietary.
20:30:07 <elmiko> thanks for the extended explanation =)
20:30:18 <diazjf> rellerreller, so I'm guessing a regular dictionary wouldn't be clean enough?
20:30:20 <merehdg> Sometimes they are necessary
20:30:27 <diazjf> Castellan checks for specific values?
20:31:03 <redrobot> diazjf dict may work, but we'd have to define/document the keys that castellan will use
20:31:09 <rellerreller> What I don't like about a dictionary is that it's not as clean to read. There will be checks for `if hasattr` all over the place.
20:31:43 <rellerreller> Then what happens if somehow the code has multiple dictionary entries and username/password and token are provided. Which one takes precedence?
20:31:43 <merehdg> I just finished lunch
20:31:47 <merehdg> It was good
20:31:50 <elmiko> rellerreller: good point
20:32:12 <diazjf> rellerreller, redrobot, I'll update the spec to include hierarchy as an alternative that way we can discuss all this during the midcycle. I like dictionaries, but I'll consider the cleaner alternative.
20:32:16 <redrobot> yeah... defining a class makes it cleaner
20:32:23 <redrobot> diazjf awesome
20:32:42 <redrobot> anything else on this topic before we move on?
20:32:45 <merehdg> YEAH! BRAVO!!!
20:32:46 <rellerreller> I don't know if it needs to be an alternative as opposed to a separate spec.
20:32:55 <merehdg> We can move on
20:33:34 <diazjf> rellerreller, I can put it as the main spec, no worries either way, just let me know
20:33:55 <redrobot> diazjf I'm sure we'll have a good idea what to do next week...
20:33:56 <rellerreller> I'll put some thoughts together and would like to propose a bp.
20:34:06 <rellerreller> Hopefully I can get through prepub in a timely fashion.
20:34:15 <redrobot> rellerreller guess we'll be dialing you in for the Castellan auth discussion next week?
20:34:29 <rellerreller> redrobot yes please.
20:34:48 <diazjf> rellerreller, awesome, I'll wait for your blueprint.
20:34:54 <rellerreller> I wish I could be there, but there was no funding for me :( Monday would work best for me if that is possible.
20:35:24 <redrobot> rellerreller ok, I'll coordinate with diazjf to dial you in on Monday... I'm thinking afternoon so we can split up into smaller groups
20:35:34 <rellerreller> Sounds good
20:36:02 <diazjf> awesome!
20:36:17 <redrobot> we've got 20+ people signed up for next week
20:36:30 <redrobot> so we'll need a smaller group for the remote discussion to work well
20:36:44 <merehdg> Ok
20:36:54 <redrobot> ok, moving on
20:37:07 <redrobot> #topic Puppet modules for Barbican
20:37:15 <redrobot> alee is this your topic?
20:37:22 <alee> redrobot, yup
20:37:32 <redrobot> #link https://review.openstack.org/#/c/258851/
20:37:50 <alee> just letting folks know that I have started working on the puppet modules for barbican
20:37:59 <merehdg> Ok
20:38:09 <alee> based on the template the puppet folks have been using
20:38:17 <redrobot> sounds awesome...  although I'm more of an Ansible guy myself ;)
20:38:22 <alee> there is a patch out there for review that does some initial stuff
20:38:36 <alee> which is the link that redrobot referenced
20:38:49 <alee> about to add a new one on top of that for keystone auth
20:39:02 <redrobot> alee who owns openstack/puppet-barbican ?
20:39:15 <alee> it works for fedora/rdo packages -- would need to be tweaked for ubuntu
20:39:59 <alee> redrobot, the puppert folks that are doing all/most of the oopenstack puppet modules
20:40:11 <redrobot> alee ok, cool
20:40:38 <alee> they are planning on reviewing too - and some have to some extent as well.
20:40:57 <alee> but feedback/testing by folks here will help a lot
20:41:11 <alee> and patches to get it working for ubuntu say
20:41:51 <redrobot> alee I would suggest sending a message to the ML ... maybe you can shake some puppeteers out of the woodwork to help
20:42:01 <alee> also, I'm working on getting it running as an apache module , and if anyone has done that,  it would be great to see how you did it.
20:42:18 <alee> redrobot, yup - I'll do that.
20:42:22 <merehdg> Make sure you tell the boss thatI wont be here next week.
20:43:45 <merehdg> Lets move on
20:43:53 <alee> anyways, thats it for me on this now ..
20:44:00 <redrobot> alee alrighty
20:44:15 <redrobot> that's all I have on the agenda for today
20:44:19 <redrobot> #topic Open Discussion
20:44:19 <merehdg> Ok
20:44:25 <redrobot> any other topics that didn't make it to the agenda?
20:45:24 <merehdg> It doesnt appear thst way.
20:45:43 <merehdg> Fredyx you missed the meeting
20:45:51 <merehdg> Fredyx10
20:46:07 <redrobot> going once
20:46:40 <redrobot> ok, we all get 10 minutes of workday back!  \o/
20:46:53 <redrobot> thanks for coming y'all!
20:46:56 <merehdg> Ok
20:47:00 <edtubill> cool, see you guys next week :)
20:47:03 <merehdg> Im not at work
20:47:05 <dave-mccowan> see ya next week
20:47:15 <redrobot> see y'all in San Antonio :D
20:47:16 <spotz> see everyone next week
20:47:18 <merehdg> Im not part of this company
20:47:28 <merehdg> I wont be in San antonio
20:47:39 <merehdg> But see you
20:47:46 <redrobot> #endmeeting