02:00:24 <alee__> #startmeeting barbican
02:00:25 <zhongjun_> alee__: Which channel
02:00:25 <openstack> Meeting started Tue Apr 24 02:00:24 2018 UTC and is due to finish in 60 minutes. The chair is alee__. Information about MeetBot at http://wiki.debian.org/MeetBot.
02:00:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
02:00:28 <openstack> The meeting name has been set to 'barbican'
02:00:36 <alee__> #topic roll call
02:01:36 <alee__> namnh?
02:01:49 <zhongjun_> hi
02:01:56 <namnh> alee__: hi alee
02:02:16 <alee__> hi namnh zhongjun_
02:02:17 <namnh> i am waiting for the weekly meeting
02:02:35 <alee__> this is it :)
02:03:20 <alee__> in case you missed it, we moved the meeting to now
02:03:46 <namnh> yes,
02:03:48 <alee__> because after the change to daylight savings time, the time was a little too late in the steate
02:03:53 <alee__> states
02:04:07 <alee__> I don't see Jeremy though
02:04:20 <namnh> yeah, it is still good to me
02:04:53 <alee__> well - let's get started
02:05:04 <alee__> #topic rocky
02:05:19 <alee__> milestone 1 build was released last week
02:05:43 <alee__> I submitted the build on friday morning with dave's help
02:06:07 <alee__> you probably noticed a bunch of patches being merged at that time.
02:06:40 <alee__> we're planning on doing some stable branch releases this week
02:06:53 <alee__> as well as possibly some client releases
02:07:16 <alee__> we're still on track for our rocky deliverables ..
02:07:33 <alee__> https://etherpad.openstack.org/p/barbican-tracker-rocky
02:08:07 <alee__> although we want to try and get most of our features in by milestone 2 if we can
02:08:14 <alee__> including the OVO patches
02:08:46 <alee__> questions/comments on the rocky builds / schedule?
02:09:54 <alee__> #topic PTG
02:10:26 <alee__> the next PTG is scheduled for september in denver IIRC
02:10:39 <alee__> will either of you guys attend?
02:11:44 <alee__> namnh, zhongjun_ ?
02:11:46 <namnh> i'm not sure about whether i can join, it depends on my company
02:12:06 <namnh> or TSP:)
02:12:34 <zhongjun_> alee_ I could attend the next PTG
02:13:08 <alee__> namnh, sure - I figured most folks would not know by now -- I just know that the cheaper "early bird pricing" is supposed to expire relatively early
02:13:13 <alee__> like in the next few weeks
02:13:28 <alee__> so good to sign up if you plan to attend
02:13:36 <alee__> zhongjun_, good to know!
02:14:06 <alee__> also helps me let them know how many will attend for barbican for planning purposes
02:14:47 <namnh> alee__: sure, i will ask some guys in our company
02:14:53 <alee__> cool
02:15:23 <alee__> zhongjun_, perhaps a little intro -- I don't think I've seen you attend the weekly meeting before?
02:15:38 <zhongjun_> I have a simple question
02:15:40 <alee__> unless I forgot the nick
02:16:00 <zhongjun_> yes
02:16:07 <zhongjun_> This is my first time
02:16:31 <alee__> zhongjun_, great - tell us a little about you, and what your interest in barbican is
02:16:38 <namnh> zhongjun_: welcome to the barbican team :)
02:16:45 <alee__> and welcome :)
02:16:47 <zhongjun_> I usually work on manila
02:17:20 <zhongjun_> We are trying to use manila in huawei
02:18:26 <alee__> ok - and you're trying to integrate using barbican with manila?
02:19:06 <zhongjun_> But I am a new guy, and I don't know the details about barbican
02:19:44 <zhongjun_> alee__ : These are my patches: https://review.openstack.org/#/q/owner:jun.zhongjun2%2540gmail.com+status:merged
02:19:57 <zhongjun_> alee__ : Not sure now
02:20:38 <zhongjun_> namnh: thanks
02:20:54 <alee__> great -- so how can we help you?
02:21:05 <namnh> zhongjun_: cool, what is your question?
02:22:09 <zhongjun_> In aws cloud, we have host key and data key. But in barbican, I only see the data key named secret
02:23:00 <zhongjun_> Do we have the API to manage the key and data key in barbican
02:23:09 <zhongjun_> key: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html
02:24:01 <zhongjun_> datakey: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
02:24:09 <alee__> zhongjun_, what's the difference between a host key and a data key?
02:25:01 <zhongjun_> alee__: We generate datakey by key.
02:25:54 <alee__> zhongjun_, ok - I think I see what you are talking about
02:26:16 <alee__> zhongjun_, so barbican has a fairly simple interface
02:26:38 <alee__> zhongjun_, basically, you store, generate or retrieve a secret
02:26:57 <alee__> and that secret could be some data, a password, or a key
02:27:14 <alee__> now those secrets are stored in a back-end
02:27:33 <alee__> and they are of course stored encrypted
02:27:56 <alee__> the secrets are encrypted using a key encryption key
02:28:31 <alee__> and if you use for instance the pkcs11 backend, they are stored encrypted by a tenant specific key encryption key
02:28:56 <alee__> the kek usually never leaves the barbican system though
02:29:43 <alee__> if you wanted to pre-encrypt your own keys using a kek the user could retrieve, you could do that, but you'd have to manage all of that
02:29:50 <alee__> that's not in the api
02:30:00 <alee__> does that make sens?
02:30:04 <alee__> sense?
02:30:38 <zhongjun_> So we don't have an API to manage "a tenant specific key encryption key" like the aws does
02:31:18 <alee__> zhongjun_, right
02:31:50 <zhongjun_> It is up to the backend
02:31:58 <alee__> zhongjun_, if you are using the pkcs11 plugin for instance, a tenant specific kek is automatically generated when the first secret is stored by that tenant
02:32:06 <alee__> correct
02:32:38 <alee__> there is no need for the user to explicitly request -- or ever retrieve that kek
02:33:25 <zhongjun_> Maybe the user wants to use the same tenant specific kek
02:34:28 <alee__> zhongjun_, the barbican api is pretty simple. right now users have no facility to manage their keks
02:35:04 <alee__> zhongjun_, an interesting idea - which has come up before - would be to add this kind of feature
02:35:12 <zhongjun_> Do we have a plan to implement the feature to support users managing their keks
02:35:40 <alee__> that is - take a small amount of data and a reference to a secret the user owns - and encrypt the secret with the kek
02:36:01 <alee__> zhongjun_, there is no such feature currently planned
02:36:14 <zhongjun_> Is there a link?
02:36:17 <alee__> if you'd like to propose it, feel free to write a spec
02:36:46 <alee__> zhongjun_, I'd have to check - not sure a spec was ever written for it
02:37:13 <zhongjun_> okay, thanks, that makes sense
02:37:30 <alee__> if there is enough interest / use case, we could certainly work to get it in
02:38:11 <zhongjun_> got it
02:38:19 <alee__> cool - anything else?
02:38:27 <zhongjun_> not now
02:38:31 <alee__> ok
02:38:37 <alee__> #topic OVO patches
02:39:12 <alee__> namnh, I suggested that we do a google hangout to try and get the reviews on your patches going
02:39:47 <alee__> since that has helped in the past in terms of getting series of patches approved
02:40:11 <alee__> unfortunately neither dave nor jeremy are here
02:40:38 <alee__> and it probably makes sense to do one collectively
02:40:39 <namnh> alee__: it's ok to me. btw, i'd like to notify you about the status of OVO
02:40:49 <alee__> please do
02:41:03 <namnh> currently, the first two patch sets are really ready for reviewing
02:41:17 <namnh> https://review.openstack.org/#/c/559014/
02:41:29 <namnh> https://review.openstack.org/#/c/499004/
02:42:08 <namnh> i am replacing each resource like secret, order, acl, etc to use OVO
02:42:16 <namnh> on my local
02:42:50 <namnh> maybe, i will push a patch to replace the ACL resource using OVO
02:42:55 <namnh> today
02:43:02 <alee__> are any of these new classes actually being used in the functional/unit tests?
02:43:20 <namnh> you can see it as an example
02:44:13 <alee__> eh?
02:44:25 <namnh> it must be, but currently, i am focusing on changing UT to pass py27
02:45:38 <alee__> sorry - just confirming -- in the reviews you listed above, when the various tests run, are they actually using the new OVO classes?
02:47:08 <alee__> or is there some switch that needs to be toggled - or some further patches that need to land first?
02:47:49 <namnh> as my plan, i will split into two phases. Phase 1: I just only add files which have the OVO classes. And phase 2: i will replace barbican's resources (secret, order, container, ...) using OVO
02:48:15 <alee__> gotcha - just confirming
02:48:17 <namnh> so all of these patches: https://review.openstack.org/#/q/topic:bp/rolling-upgrade+(status:open+OR+status:merged) are for phase 01
02:49:10 <namnh> and I am doing phase 2 on my local to get suitable OVO classes
02:49:58 <namnh> and for now, there are two patch sets, as I sent the links already, for reviewing
02:50:22 <alee__> namnh, ok -- in reviewing phase 1, then it would be useful for me to understand your methodology
02:51:04 <namnh> yeah, that's what i mean.
02:51:14 <alee__> ie. I'd like to gain some idea about what your procedure is for converting a barbican object - say secret or transport key
02:51:29 <alee__> so that I can get a sense if what you are doing is correct
02:51:46 <alee__> obviously there will be changes needed as you get to phase 2
02:52:01 <alee__> and the tests actually run against the objects
02:52:44 <alee__> that's what I was looking for mostly with a google hangout -- just a walkthrough
02:53:02 <alee__> namnh, does that make sense?
02:53:49 <namnh> yes, tomorrow is good to me
02:54:31 <alee__> namnh, ok - let's see if we can get a time when we get either dave or jeremy to join too
02:54:48 <alee__> that way we can get all the needed reviewers to move this along
02:55:12 <alee__> I worry that if we take too long, we won't get phase 2 in ..
02:55:53 <namnh> i understood, i am trying my best
02:56:28 <alee__> namnh, no worries - you're doing great -- I just don't want a lack of reviews to hold you up
02:56:37 <namnh> because I still have a feature in oslo.config, that's why i didn't update anything last week
02:56:57 <namnh> alee__: thanks for understanding
02:57:19 <alee__> namnh, ack -- I know we're all wearing many hats :)
02:57:31 <namnh> :)))
02:58:10 <alee__> but I think your patches have not gotten reviews because people are scared of starting on them - and I am hoping to kick start some reviews
02:58:46 <alee__> so please send out an email and we can try to schedule a hangout
02:59:11 <alee__> the time zone thing is tricky but we should be able to make something work.
02:59:33 <alee__> #topic anything else?
03:00:29 <namnh> that's all to me
03:00:31 <namnh> :)
03:00:41 <alee__> namnh, zhongjun_ thanks for coming -- g'night !
03:00:51 <alee__> or g'day as it were ..
03:01:03 <alee__> #endmeeting