12:00:14 <ade_lee> #startmeeting barbican
12:00:14 <openstack> Meeting started Tue Aug 14 12:00:14 2018 UTC and is due to finish in 60 minutes.  The chair is ade_lee. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:17 <openstack> The meeting name has been set to 'barbican'
12:00:24 <redrobot> o/
12:00:26 <ade_lee> #topic roll call
12:00:40 <redrobot> 👋
12:00:41 <ade_lee> redrobot, hey
12:01:49 <ade_lee> anyone else joining?  jaosorior , lxkong ?
12:02:04 <lxkong> hey, i'm here
12:02:14 <ade_lee> hey :)
12:02:46 <ade_lee> ok - lets get started then ..
12:02:56 <ade_lee> #topic rocky
12:03:24 <ade_lee> ok - so we have cut an rc1  for rocky as of yesterday
12:04:02 <ade_lee> we're hoping that this will be the only release candidate, though of course there is provision for more rc if needed
12:04:31 <ade_lee> but the assumption is that anything not essential is going to be in stein
12:05:24 <ade_lee> I did put in a FFE exception for castellan -- not sure where it is right now.
12:05:47 <ade_lee> (this is for the review that allows asymmetric key generation)
12:06:23 <lxkong> i saw your email, but i think it depends on if we really need asymmetric key generation
12:06:31 <lxkong> in rocky
12:06:40 <lxkong> for vault...
12:07:05 <jaosorior> I'm around
12:07:19 <ade_lee> right - it will be up to oslo config guys to decide if they want to add it at this stage or not.
12:07:27 <jaosorior> ade_lee: I guess you gotta poke bnemec about that
12:07:50 <ade_lee> jaosorior, yeah , I'll do that
12:08:15 <ade_lee> it will be nice to have in so that we have a fairly complete vault plugin right out the gate.
12:08:30 <lxkong> true
12:08:35 <ade_lee> but I guess it wouldn't be the end of the world if its not there
12:08:39 <lxkong> we are going to use vault, but in the first step, we only need secret store
12:09:06 <ade_lee> ack.
12:09:07 <lxkong> i mean, use vault as barbican backend plugin
12:09:24 <ade_lee> yup
12:10:05 <ade_lee> one thing I need to do is create a cycle-highlights text to indicate the achievements of the rocky cycle
12:10:21 <ade_lee> I'll do that later today and circulate it on the irc channel
12:10:42 <ade_lee> any other comments on rocky?
12:11:24 <ade_lee> #topic PTG
12:11:38 <ade_lee> any of you guys planning to be at the PTG in Denver?
12:11:58 <lxkong> i won't be there
12:13:00 <ade_lee> ok, we will be sharing the room with the security SIG, so we need to come up with a rough agenda /schedule
12:13:41 * ade_lee trying to create an etherpad ..
12:14:33 <ade_lee> https://etherpad.openstack.org/p/barbican-stein-ptg  is a blank etherpad right now
12:14:50 <ade_lee> I suggest we put the things in there we want to discuss.
12:15:14 <ade_lee> lxkong, if you'd like to attend, we can open up a phone line too
12:15:37 <jaosorior> lxkong: are you gonna use the vault plugin in production?
12:15:52 <ade_lee> but lets start putting these things in this week please.
12:15:52 <redrobot> I might want to dial in for some of the Castellan talks
12:15:58 <lxkong> jaosorior: yeah...any problem?
12:16:05 <lxkong> ade_lee: thanks, i will try to
12:16:32 <redrobot> lxkong, I would not recommend Vault backend for prod until we sort out Policy
12:16:34 <ade_lee> redrobot, ack -- please add any castellan stuff you want discussed to the etherpad
12:16:53 <jaosorior> lxkong: yeah, was gonna mention something along the lines of redrobot's concerns.
12:17:00 <jaosorior> lxkong: any idea how you're gonna handle policy for Vault?
12:17:22 <lxkong> redrobot, jaosorior do you mean it's not appropriate to use root token in the config file?
12:17:22 <redrobot> lxkong, currently the Vault plugin requires a master token, which is a security concern IMO
12:17:30 <redrobot> lxkong, correct
12:17:33 <lxkong> redrobot: yeah, we know that
12:17:53 <jaosorior> lxkong: weeeell, it's all up to your requirements :D not very recommended...but you could use that
12:18:08 <redrobot> also I'd like to see it use longer paths rather than store everything in the root
12:18:31 <lxkong> maybe we will use approle + secret + token, but it's not decided yet
12:18:45 <lxkong> too complex
12:19:34 <ade_lee> redrobot, jaosorior lxkong has volunteered to maintain the vault plugin - so he would be one of the guys to help fix the policy :)
12:19:51 <jaosorior> excellent :D
12:20:23 <ade_lee> tbh - this sounds like a perfect candidate for a stein spec - and a discussion point at the PTG .. nudge nudge ..
12:20:34 * lxkong ndoes
12:20:38 * lxkong nodes
12:20:41 * lxkong nods
12:20:44 <lxkong> shit...
12:20:48 <ade_lee> :)
12:20:52 <jaosorior> lol
12:20:54 <redrobot> 😂
12:20:56 <lxkong> too late for me
12:21:11 <lxkong> 00:21AM
12:21:19 <lxkong> or too early
12:21:29 <ade_lee> any other comments on PTG ?
12:22:04 <ade_lee> perfect segue to next topic ..
12:22:11 <ade_lee> #topic stein
12:22:36 <ade_lee> long live rocky! long live stein ..
12:22:46 <ade_lee> time to start getting specs in
12:22:53 <jaosorior> would be nice to drop these time based releases to be honest
12:23:14 <jaosorior> Barbican doesn't have a lot of traffic and all they do is make barbican development harder than it needs to be
12:23:36 <ade_lee> I have at least one in the pipeline .. https://review.openstack.org/586606
12:24:11 <ade_lee> and it sounds like we could use at least one more from lxkong on vault policy
12:24:12 <redrobot> ade_lee, oh geeze, is that for the CVE we found back in Barcelona?
12:24:26 <redrobot> I'll work on a Policy spec
12:24:27 <ade_lee> and I plan to add one for allowing changing ownership of secrets
12:24:35 <ade_lee> cool
12:24:41 <ade_lee> yeah it is
12:25:25 <ade_lee> a lot of this pre-supposes we get the OVO work done though
12:26:07 <ade_lee> in any case, lets get those specs in and start getting comments and reviews -- I
12:26:27 <ade_lee> m going to start tracking those in meetings from next week.
12:27:15 <ade_lee> jaosorior, yeah - its a bit of a pain - but I'm not sure what to do about it .. the release process is not overly crazy though
12:27:32 <redrobot> oh another Stein thing, we should definitely clean up the content-types stuff... currently it does not comply to the RFC
12:28:08 <jaosorior> ade_lee: it's not about the release process but about its overall effect on development. But I guess this is not the right place to discuss it :)
12:28:12 <ade_lee> redrobot, please add spec/ptg item
12:28:38 <ade_lee> jaosorior, yup
12:29:21 <ade_lee> other stein items include -- finishing the ovo work
12:29:42 <jaosorior> are we tracking the ovo work somewhere?
12:29:57 <ade_lee> namh has taken it far, but we're going to need some volunteers to get it finished off
12:30:21 <ade_lee> namh is creating a trello board to show where the remaining work is.
12:30:45 <ade_lee> I plan to work with him on that - and then we'll discuss and get some volunteers.
12:31:36 <ade_lee> also, for stein, maybe micro versioning the API
12:31:58 <ade_lee> coz some of the specs envision some API changes
12:33:06 <ade_lee> It would also be great for us to have a gate against softHSM -- to test the pkcs11 plugin
12:33:46 <ade_lee> right now, lots of work is going on to get the pkcs11 plugin to work with HSMs like Thales and ATOS for instance, but there is no upstream gate
12:33:49 <redrobot> +1 softhsm gate
12:34:05 <redrobot> also, it seems we're running legacy gates, not whatever is current?
12:34:37 <ade_lee> +1 to evaluate current gates
12:35:09 <ade_lee> including for instance the kmip gate -- which is sadly still broken ..
12:35:58 <ade_lee> ok -- anything else for stein/ptg?
12:36:29 <lxkong> ade_lee: i'm wondering why we are not using uuid for CLI output?
12:36:39 <lxkong> any plan to change this?
12:36:56 <ade_lee> lxkong, actually yes :)
12:37:10 <ade_lee> https://review.openstack.org/588104
12:37:29 <lxkong> ade_lee: nice
12:37:45 <ade_lee> didn't make cutoff for rocky - but will be in stein ..
12:37:53 <redrobot> lxkong, also
12:37:56 <redrobot> #link https://storyboard.openstack.org/#!/story/2002754
12:37:58 <lxkong> ade_lee: i'll have a review
12:38:30 <ade_lee> lxkong, excellent
12:38:46 <ade_lee> I'll add to the ptg discussion too -coz we do need to clean that up
12:39:09 <ade_lee> redrobot, jaosorior - that change could do with some reviews too..
12:39:22 <ade_lee> (and its needed for octavia folks)
12:39:51 <ade_lee> anything else for stein?
12:40:39 <ade_lee> #topic open discussion
12:41:03 <ade_lee> anyone got anything else to discuss?
12:42:11 <ade_lee> alrighty then!  thanks for the great discussion guys == lxkong have a good nights sleep :)
12:42:34 <ade_lee> see ya'll online
12:42:36 <lxkong> ade_lee: thanks i do need a sleep :-)
12:42:46 <ade_lee> #endmeeting