#openstack-meeting-alt log

20:00:46 <redrobot> #startmeeting barbican
20:00:47 <openstack> Meeting started Mon Jan 18 20:00:46 2016 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:51 <openstack> The meeting name has been set to 'barbican'
20:00:56 <redrobot> #topic Roll Call
20:01:00 <woodster_> o/
20:01:15 <diazjf> 0/
20:01:16 <spotz> o/
20:01:31 <jmckind_> \o/
20:01:35 <edtubill> o/
20:01:43 <kfarr> o/
20:02:04 <redrobot> all the usual suspects :)
20:02:47 <arunkant> o/
20:03:19 <redrobot> As usual the agenda can be found here:
20:03:36 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican#Agenda
20:04:12 <redrobot> #topic Action Items
20:04:25 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2016/barbican.2016-01-04-20.00.html
20:04:31 <redrobot> I had a ton of action items, but only finished one
20:04:41 <redrobot> so I have to punt on a couple
20:04:47 <redrobot> #action redrobot to check on status of reported security bug
20:04:55 <redrobot> #action redrobot to ping ccneill about the nova+cinder security bug
20:05:21 <redrobot> #topic Liaison Updates
20:05:37 <redrobot> I half-attended the oslo meeting this morning
20:05:55 <redrobot> looks like the mitaka-2 releases for oslo.* have been released
20:06:15 <redrobot> Any other liaison updates?
20:06:43 <redrobot> hockeynut isn't here so I'll skip QA
20:07:17 <redrobot> someone pinged me about documentation...  looks like we'll be having to write some WADLs and such to get our API docs up to spec
20:07:34 <redrobot> but I was busy with midcycle things so I haven't had a chance to look into all the work that needs to be done
20:07:48 <redrobot> #action redrobot to follow up with Anne Gentle re: docs
20:08:15 <diazjf> redrobot, I know a couple people here would like to join the effort on updating docs
20:08:20 <redrobot> alee isn't here either so I'll skip the Magnum cross-project stuff
20:08:30 <redrobot> diazjf cool, I'll keep you posted with what I find out
20:08:42 <redrobot> ok, on to the agenda for today
20:08:55 <redrobot> which I'm going to make up on the fly, because nobody added anything to the wiki
20:09:09 <redrobot> #topic Mid-Cycle Recap
20:09:14 <redrobot> #link https://etherpad.openstack.org/p/barbican-mitaka-midcycle
20:09:35 <redrobot> The mid-cycle meetup last week was awesome.  Many thanks to everyone who made the trip down to San Antonio
20:09:54 <edtubill> thanks for having us it was fun.
20:10:07 <silos> o/
20:10:14 <redrobot> There's lots of notes in the etherpad, including a lot of ACTION items
20:10:34 <redrobot> some of those have not been claimed, so if anyone is looking for things to do, have a gander at the etherpad
20:12:00 <rellerreller> o/ (sorry I'm late)
20:12:04 <redrobot> also, for those of you interested in Federation, diazjf will be working on a cross-project effort to get Push BYOK into OpenStack
20:12:25 <redrobot> rellerreller gonna need you to stay for 12 min after the meeting is over. :-P
20:12:45 <rellerreller> redrobot booo :(
20:12:58 <diazjf> redrobot, I'll have a spec up in OS-Security by the end of the week 8-)
20:13:13 <hockeynut> redrobot hockeynut is in another meeting :-(
20:13:39 <rellerreller> diazjf is that for byok?
20:13:49 <redrobot> rellerreller yep
20:14:26 <diazjf> rellerreller, yup see https://etherpad.openstack.org/p/cEA79A5fG1
20:14:41 <redrobot> rellerreller we had a few cross-team discussions with the ossp folks, and the consensus was that Push-model (where the client always provides the key) would be a good starting point.
20:14:47 <diazjf> ^ general notes from the midcycle
20:15:20 <redrobot> the idea is to bring an implementation plan to the Austin summit and talk about it during the cross-project design sessions.
20:16:25 <redrobot> anyway, awesome stuff during the midcycle
20:16:32 <redrobot> although we didn't land much in the way of blueprints
20:16:37 <redrobot> which brings me to the next topic
20:16:48 <redrobot> #topic Blueprint: API healthcheck
20:16:58 <redrobot> #link https://review.openstack.org/#/c/207317/
20:17:11 <redrobot> there were some concerns about this BP
20:17:32 <redrobot> I think that as long as this is an optional endpoint, and disabled by default, then I would be for adding it
20:18:44 <woodster_> sounds reasonable
20:19:39 <redrobot> rellerreller what do you think?  I recall you being concerned about the new unauthenticated resource
20:20:16 <rellerreller> I would rather see it have access controls in place and then if you want it like the spec describes then allow all read.
20:20:43 <rellerreller> I think it is better to have the security baked in up front as opposed to later.
20:20:58 <rellerreller> But if it is optional it's not a big deal for me.
20:21:08 <woodster_> rellerreller:  so deployers would mod their policy json files for that call then?
20:21:14 <redrobot> rellerreller so you'd like to see the default policy need auth for it, even if it's opt-in ?
20:21:18 <rellerreller> woodster_ yes
20:21:34 <rellerreller> woodster_ you would modify policy to allow all and then continue as normal
20:21:47 <rellerreller> redrobot yes
20:22:01 <redrobot> seems reasonable to me.  I'll add a comment to the spec linking back to this meeting.
20:22:16 <rellerreller> I feel like if it is not added now then people will enable it and there will be informatio leak
20:22:26 <redrobot> #agreed Healthcheck endpoint should be authenticated in the default policy file, and disabled in the default paste config.
20:22:36 <rellerreller> I also think it will fit the pattern of the other end points as well. This one won't look any different.
20:23:16 <woodster_> rellerreller:  shold this be an admin only access then?
20:23:24 <rellerreller> My only other comment on that one was about the return value.
20:23:40 <rellerreller> woodster_ I think admin would be good.
20:24:02 <redrobot> rellerreller woodster_ to be clear, this should be accesible only by the service-admin (the account owned by the deployer)
20:24:05 <rellerreller> I was wondering why not return different error codes for different errors?
20:24:05 <redrobot> ?
20:24:37 <rellerreller> redrobot that sounds good to me.
20:25:30 <rellerreller> It seems like if returning a more specific error code would be helpful. That way can begin to identify source of issue (db, threading, etc.)
20:25:34 <redrobot> rellerreller haven't looked at an exhaustive list of 5xx errors lately, but it makes sense to return different ones where appropriate
20:26:11 <redrobot> I'll leave that as a comment as well, since jkf isn't here to talk about the spec
20:26:12 <rellerreller> redrobot not 5xx errors from web server, but application defined error codes.
20:26:46 <redrobot> rellerreller ah I see...  I think there was a concern about information leak, but if we're locking it down by default, then error codes may make sense.
20:27:06 <rellerreller> redrobot those are my thoughts exactly.
20:27:42 <redrobot> ok, I think we've got enough to move this BP forward
20:27:46 <redrobot> on to the next one
20:27:49 <woodster_> please add comments to the blueprint for sure
20:28:02 <rellerreller> will do
20:28:14 <redrobot> #topic Blueprint: Mutiple secret-store backends
20:28:16 <redrobot> #link https://review.openstack.org/#/c/263972/
20:29:19 <redrobot> I don't particularly care for this BP.  I fundamentally disagree with the assumption that separate endpoints for distinct backends are "not a good user experience"
20:29:36 <redrobot> that said, I seemed to be the only dissenting one at the midcycle
20:29:45 <rellerreller> I am dissenting
20:30:19 <arunkant> redrobot: I see some good comments from alee so will update this one. rellerreller: Is it possible to remove -2 so that larger community can provide comments on this.
20:30:20 <rellerreller> I don't see how the other services will know which backend to use.
20:30:21 <redrobot> rellerreller I think you and I are the minority here
20:30:53 <redrobot> As I understand the BP, the backend would be configurable per-project
20:30:56 <rellerreller> redrobot what are your thoughts on -2?
20:31:11 <woodster_> rellerreller:  it is similar to how CAs are discovered now...there would be a ca_id sort of thing optionally specified to designate a secret store backend
20:31:30 <rellerreller> redrobot I put -2 to make sure not merged because I have strong reservations against it. I did not want it to be merge, but I also don't want to block discussion.
20:31:38 <rellerreller> I'm not exactly sure of the policy on that stuff.
20:31:45 <woodster_> rellerreller:  ...and project-configured default backends
20:32:25 <redrobot> rellerreller I'm not sure whether -2 discourages reviews from other reviewers.
20:33:07 <woodster_> Overall I like the possibility of having different 'qualities of service' for secrets in barbican
20:33:26 <redrobot> rellerreller I would personally only -1, because I disagree with the BP but I'm deferring to others to weigh in on it too, and possibly merged if it gets enough support.
20:33:36 <woodster_> ...but that is the sort of discussion to have on the blueprint CR I suppose :)
20:33:39 <redrobot> rellerreller sounds like you have a hard stance against it though, so -2 seems appropriate.
20:33:42 <rellerreller> woodster_ +1, but I'm not sure if this is the best way to achieve that.
20:34:06 <arunkant> redrobot: I have seen people even not looking into spec if it has -2 on it.
20:34:21 <woodster_> rellerreller:  if you can pitch an alternate approach that would be cool as well
20:34:41 <rellerreller> redrobot I do feel strongly about this one. Until I know for sure this will not break features, which I believe it will, then I would not like for this to merge. It is a big change.
20:34:46 <redrobot> woodster_ the alternate approach is already in the BP.  basically use different deployments of Barbican for different backends.
20:35:25 <woodster_> redrobot:  oh got it I though rellerreller had a different idea in mind
20:35:37 <rellerreller> No, that was it.
20:36:33 <arunkant> rellerreller: alee has already commented on transport key topic in spec and as per midcycle disucssion, I don't recall any isse around that during discussion
20:36:44 <rellerreller> I'm worried about relationships between keys and how that would work.
20:37:15 <redrobot> so one of the use cases that made sense to me was for a big cloud offering Barbican aaS, then upselling the customer into a "more secure hsm-backed" backend for more $ and still have them use the same endpoint.
20:37:16 <rellerreller> Like can I create a container that has keys in two different backends?
20:37:24 <woodster_> My preference is to tag secrets with quality of service explicitly, then the backend is selected automatically/optionally based on that, but that could wait till later.
20:37:45 <rellerreller> I would like to see key wrapping at some point. What if my keys are in two different backends?
20:37:50 <woodster_> rellerreller:  containers are just lightweight collections of secrets...the secrets are independent
20:38:14 <arunkant> rellerreller: Whatever is the concern, that can be raised in spec review. Please jJust don't block the discussion. We have very valid use-cases around this.
20:38:39 <rellerreller> I'm not blocking the discussion. The discussion can happen and should.
20:39:09 <redrobot> arunkant if there are Barbican cores that are avoiding the review because of the -2 please let me/them know.  I don't think we should ignore reviews based on a single dissenting vote.
20:41:20 <arunkant> redrobot: What -2 means..that this spec can never be merged. The concerns raised have been discussed nd updated in spec. I don't see why it needs to have -2 if there are some specific concern.
20:43:05 <arunkant> redrobot: I don't have any control on how other people behave when they see -2 or -1..but generally -2 means, its blocked so people would not even go there to review.
20:44:01 <arunkant> redrobot: I think there was enough consensus in mid-cycle and people have interest in having this feature.
20:44:25 <redrobot> arunkant I understand your concern, but I think that since rellerreller has a strong opinion on this, that the -2 from him is appropriate.  Like I said, if you feel other reviewers are not reviewing because of it, let me know.
20:44:44 <redrobot> arunkant there was, but currently there are no +X votes on there.
20:45:32 <redrobot> arunkant and I do apologize for not setting up a hangout last Friday
20:45:33 <arunkant> redrobot: alee has already reviewed it and you were also reviewing in midcycle.
20:45:37 <redrobot> arunkant I was tied up with OSSP mid-cycle
20:46:10 <arunkant> I believe _woodster was also okay with the idea.
20:46:39 <woodster_> it would probably be good for everyone's action items this week to review the blueprints out there...folks are standing by to implement them and we are running out of time in this cycle
20:46:57 <redrobot> woodster_ +1
20:47:00 <woodster_> arunkant:  the feature seems useful to me for sure
20:47:44 <arunkant> I don't see any outstanding question from rellerreller on this..other than we may want to implement key wrapping in some future ..and that may have some issue.
20:48:59 <redrobot> I think the concern was around the added complexity of having concurrent backends and the implications for other features, such as containers.
20:49:52 <arunkant> redrobot: I am not sure what complexity, it adds. Its new feature quite similar to CA support which alee added in liberty.
20:50:06 <rellerreller> Yes, key dependencies/transport keys, added complexity, and implications for other features
20:51:51 <arunkant> I don't see what kind of complexity is being talked here. Its opt-in feature which can be very useful in many private cloud deployments.
20:51:55 <redrobot> I'm going to table this discussion...  maybe we can get alee and woodster_ to give some positive reviews of the BP
20:52:58 <redrobot> then revisit later this week, maybe do a google hangout
20:53:15 <redrobot> #topic Blueprint: DB cleanup
20:53:28 <edtubill> ok
20:53:31 <redrobot> edtubill you were talking about this yes?
20:53:49 <arunkant> redrobot: I am all for discussion and making the spec better if there are any technical or functional concern but cannot answer on future features.
20:54:18 <edtubill> yes, there were some constraints that I was worried about, so I wanted to set up a hangout later on so we can discuss this.
20:54:25 <edtubill> And wanted other people to join in if interested
20:54:44 <redrobot> ok, so to summarize for other folks
20:54:51 <redrobot> (and try to fit into a few min)
20:54:59 <redrobot> edtubill is working on a BP to clean up the DB
20:55:22 <redrobot> edtubill a new function of barbican-manage would delete soft-deleted and expired secrets.
20:55:39 <redrobot> however, currently Orders has a non-nullable reference to Secret
20:55:52 <edtubill> ok, so for that was a false concern
20:56:02 <redrobot> which means we can't delete Secrets that were created by an order even if the Secret is soft-deleted or expired
20:56:04 <redrobot> ...
20:56:06 <edtubill> I looked at it again and it is nullable, but I would need to set it to null first.
20:56:11 <redrobot> or I may be making up stuff :D
20:56:30 <edtubill> :) no that was my bad. But there was another thing for order_retry_tasks that I was worried about.
20:56:51 <edtubill> for what happens if someone deletes an order when it was in the retry queue
20:57:00 <redrobot> edtubill does it affect the clean up Secrets BP?
20:57:38 <edtubill> it shouldn't really, but I'm more interested in getting info on implementation wise.
20:57:53 <edtubill> The blue print will be the same, I will make another blue print for expiring secrets.
20:58:08 <woodster_> edtubill: the worker processing that request would raise an error due to a non-existent order, but would juts report/log that and the move on
20:58:29 <redrobot> edtubill  I thought the current BPs would focus on cleaning up Secrets only?
20:58:36 <edtubill> wooderster_, but would it be cleaned up afterwards?
20:58:52 <edtubill> redrobot, the blue print is for anything that is soft deletable
20:59:06 <edtubill> we aren't touching orders unless it is soft deleted.
20:59:13 <redrobot> edtubill ok, cool
20:59:30 <redrobot> almost out of time here... we can continue discussion on #openstack-barbican if people want to stick around.
20:59:40 <redrobot> thanks for coming everyone
20:59:42 <redrobot> #endmeeting