02:00:24 #startmeeting barbican
02:00:25 alee__: Which channel
02:00:25 Meeting started Tue Apr 24 02:00:24 2018 UTC and is due to finish in 60 minutes. The chair is alee__. Information about MeetBot at http://wiki.debian.org/MeetBot.
02:00:26 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
02:00:28 The meeting name has been set to 'barbican'
02:00:36 #topic roll call
02:01:36 namnh?
02:01:49 hi
02:01:56 alee__: hi alee
02:02:16 hi namnh zhongjun_
02:02:17 i am waiting for the weekly meeting
02:02:35 this is it :)
02:03:20 in case you missed it, we moved the meeting to now
02:03:46 yes,
02:03:48 because after the change to daylight savings time, the time was a little too late in the states
02:03:53 states
02:04:07 I don't see Jeremy though
02:04:20 yeah, it is still good to me
02:04:53 well - let's get started
02:05:04 #topic rocky
02:05:19 milestone 1 build was released last week
02:05:43 I submitted the build on friday morning with dave's help
02:06:07 you probably noticed a bunch of patches being merged at that time.
02:06:40 we're planning on doing some stable branch releases this week
02:06:53 as well as possibly some client releases
02:07:16 we're still on track for our rocky deliverables ..
02:07:33 https://etherpad.openstack.org/p/barbican-tracker-rocky
02:08:07 although we want to try and get most of our features in by milestone 2 if we can
02:08:14 including the OVO patches
02:08:46 questions/comments on the rocky builds / schedule?
02:09:54 #topic PTG
02:10:26 the next PTG is scheduled for september in denver IIRC
02:10:39 will either of you guys attend?
02:11:44 namnh, zhongjun_ ?
02:11:46 i'm not sure about whether i can join, it depends on my company
02:12:06 or TSP:)
02:12:34 alee_ I could attend the next PTG
02:13:08 namnh, sure - I figured most folks would not know by now -- I just know that the cheaper "early bird pricing" is supposed to expire relatively early
02:13:13 like in the next few weeks
02:13:28 so good to sign up if you plan to attend
02:13:36 zhongjun_, good to know!
02:14:06 also helps me let them know how many will attend for barbican for planning purposes
02:14:47 alee__: sure, i will ask some guys in our company
02:14:53 cool
02:15:23 zhongjun_, perhaps a little intro -- I don't think I've seen you attend the weekly meeting before?
02:15:38 I have a simple question
02:15:40 unless I forgot the nick
02:16:00 yes
02:16:07 This is my first time
02:16:31 zhongjun_, great - tell us a little about you, and what your interest in barbican is
02:16:38 zhongjun_: welcome to the barbican team :)
02:16:45 and welcome :)
02:16:47 I usually work on manila
02:17:20 We are trying to use manila in huawei
02:18:26 ok - and you're trying to integrate using barbican with manila?
02:19:06 But I am a new guy, and I don't know the details about barbican
02:19:44 alee__ : These are my patches: https://review.openstack.org/#/q/owner:jun.zhongjun2%2540gmail.com+status:merged
02:19:57 alee__ : Not sure now
02:20:38 namnh: thanks
02:20:54 great -- so how can we help you?
02:21:05 zhongjun_: cool, what is your question?
02:22:09 In aws cloud, we have host key and data key. But in barbican, I only see the data key named secret
02:23:00 Do we have the API to manage the key and data key in barbican
02:23:09 key: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html
02:24:01 datakey: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
02:24:09 zhongjun_, what's the difference between a host key and a data key?
02:25:01 alee__: We generate the data key from the key.
02:25:54 zhongjun_, ok - I think I see what you are talking about
02:26:16 zhongjun_, so barbican has a fairly simple interface
02:26:38 zhongjun_, basically, you store, generate or retrieve a secret
02:26:57 and that secret could be some data, a password, or a key
02:27:14 now those secrets are stored in a back-end
02:27:33 and they are of course stored encrypted
02:27:56 the secrets are encrypted using a key encryption key
02:28:31 and if you use for instance the pkcs11 backend, they are stored encrypted by a tenant specific key encryption key
02:28:56 the kek usually never leaves the barbican system though
02:29:43 if you wanted to pre-encrypt your own keys using a kek the user could retrieve, you could do that, but you'd have to manage all of that
02:29:50 that's not in the api
02:30:00 does that make sens?
02:30:04 sense?
02:30:38 So we don't have an API to manage "a tenant specific key encryption key" like the aws does
02:31:18 zhongjun_, right
02:31:50 It is up to the backend
02:31:58 zhongjun_, if you are using the pkcs11 plugin for instance, a tenant specific kek is automatically generated when the first secret is stored by that tenant
02:32:06 correct
02:32:38 there is no need for the user to explicitly request -- or ever retrieve that kek
02:33:25 Maybe the user wants to use the same tenant specific kek
02:34:28 zhongjun_, the barbican api is pretty simple. right now users have no facility to manage their keks
02:35:04 zhongjun_, an interesting idea - which has come up before - would be to add this kind of feature
02:35:12 Do we have a plan to implement the feature to support users managing their keks
02:35:40 that is - take a small amount of data and a reference to a secret the user owns - and encrypt the secret with the kek
02:36:01 zhongjun_, there is no such feature currently planned
02:36:14 Is there a link?
02:36:17 if you'd like to propose it, feel free to write a spec
02:36:46 zhongjun_, I'd have to check - not sure a spec was ever written for it
02:37:13 okay, thanks, that makes sense
02:37:30 if there is enough interest/use case, we could certainly work to get it in
02:38:11 got it
02:38:19 cool - anything else?
02:38:27 not now
02:38:31 ok
02:38:37 #topic OVO patches
02:39:12 namnh, I suggested that we do a google hangout to try and get the reviews on your patches going
02:39:47 since that has helped in the past in terms of getting series of patches approved
02:40:11 unfortunately neither dave nor jeremy are here
02:40:38 and it probably makes sense to do one collectively
02:40:39 alee__: it's ok to me. btw, i'd like to notify you about the status of OVO
02:40:49 please do
02:41:03 currently, the first two patch sets are really for reviewing
02:41:17 https://review.openstack.org/#/c/559014/
02:41:29 https://review.openstack.org/#/c/499004/
02:42:08 i am replacing each resource like secret, order, acl, etc to use OVO
02:42:16 on my local
02:42:50 maybe, i will push a patch to replace the ACL resource using OVO
02:42:55 today
02:43:02 are any of these new classes actually being used in the functional/unit tests?
02:43:20 you can see it as an example
02:44:13 eh?
02:44:25 it must be, but currently, i am focusing on changing UT to pass py27
02:45:38 sorry - just confirming -- in the reviews you listed above, when the various tests run, are they actually using the new OVO classes?
02:47:08 or is there some switch that needs to be toggled - or some further patches that need to land first?
02:47:49 as my plan, i will split into two phases. Phase 1: I just only add files which have OVO classes. And phase 2: i will replace barbican's resources (secret, order, container, ...) using OVO
02:48:15 gotcha - just confirming
02:48:17 so all of these patches: https://review.openstack.org/#/q/topic:bp/rolling-upgrade+(status:open+OR+status:merged) are for phase 01
02:49:10 and I am doing phase 2 on my local to get a suitable OVO class
02:49:58 and for now, there are two patch sets, as i sent the links already, for reviewing
02:50:22 namnh, ok -- in reviewing phase 1, then it would be useful for me to understand your methodology
02:51:04 yeah, that's what i mean.
02:51:14 ie. I'd like to gain some idea about what your procedure is for converting a barbican object - say secret or transport key
02:51:29 so that I can get a sense if what you are doing is correct
02:51:46 obviously there will be changes needed as you get to phase 2
02:52:01 and the tests actually run against the objects
02:52:44 that's what I was looking for mostly with a google hangout -- just a walkthrough
02:53:02 namnh, does that make sense?
02:53:49 yes, tomorrow is good to me
02:54:31 namnh, ok - let's see if we can get a time when we get either dave or jeremy to join too
02:54:48 that way we can get all the needed reviewers to move this along
02:55:12 I worry that if we take too long, we won't get phase 2 in ..
02:55:53 i understood, i am trying my best
02:56:28 namnh, no worries - you're doing great -- I just don't want a lack of reviews to hold you up
02:56:37 because, I still have a feature in oslo.config, that's why i didn't update anything last week
02:56:57 alee__: thanks for understanding
02:57:19 namnh, ack -- I know we're all wearing many hats :)
02:57:31 :)))
02:58:10 but I think your patches have not gotten reviews because people are scared of starting on them - and am hoping to kick start some reviews
02:58:46 so please send out an email and we can try to schedule a hangout
02:59:11 the time zone thing is tricky but we should be able to make something work.
02:59:33 #topic anything else?
03:00:29 that's all to me
03:00:31 :)
03:00:41 namnh, zhongjun_ thanks for coming -- g'night !
03:00:51 or g'day as it were ..
03:01:03 #endmeeting