12:00:14 #startmeeting barbican
12:00:14 Meeting started Tue Aug 14 12:00:14 2018 UTC and is due to finish in 60 minutes. The chair is ade_lee. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:15 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:17 The meeting name has been set to 'barbican'
12:00:24 o/
12:00:26 #topic roll call
12:00:40 👋
12:00:41 redrobot, hey
12:01:49 anyone else joining? jaosorior , lxkong ?
12:02:04 hey, i'm here
12:02:14 hey :)
12:02:46 ok - let's get started then ..
12:02:56 #topic rocky
12:03:24 ok - so we have cut an rc1 for rocky as of yesterday
12:04:02 we're hoping that this will be the only release candidate, though of course there is provision for more rc if needed
12:04:31 but the assumption is that anything not essential is going to be in stein
12:05:24 I did put in a FFE exception for castellan -- not sure where it is right now.
12:05:47 (this is for the review that allows asymmetric key generation)
12:06:23 i saw your email, but i think it depends on if we really need asymmetric key generation
12:06:31 in rocky
12:06:40 for vault...
12:07:05 I'm around
12:07:19 right - it will be up to oslo config guys to decide if they want to add it at this stage or not.
12:07:27 ade_lee: I guess you gotta poke bnemec about that
12:07:50 jaosorior, yeah , I'll do that
12:08:15 it will be nice to have in so that we have fairly complete vault plugin right out the gate.
12:08:30 true
12:08:35 but I guess it wouldn't be the end of the world if it's not there
12:08:39 we are going to use vault, but in the first step, we only need secret store
12:09:06 ack.
12:09:07 i mean, use vault as barbican backend plugin
12:09:24 yup
12:10:05 one thing I need to do is create a cycle-highlights text to indicate the achievements of the rocky cycle
12:10:21 I'll do that later today and circulate it on the irc channel
12:10:42 any other comments on rocky?
12:11:24 #topic PTG
12:11:38 any of you guys planning to be at the PTG in Denver?
12:11:58 i won't be there
12:13:00 ok, we will be sharing the room with the security SIG, so we need to come up with a rough agenda /schedule
12:13:41 * ade_lee trying to create an etherpad ..
12:14:33 https://etherpad.openstack.org/p/barbican-stein-ptg is a blank etherpad right now
12:14:50 I suggest we put the things in there we want to discuss.
12:15:14 lxkong, if you'd like to attend , we can open up a phone line too
12:15:37 lxkong: are you gonna use the vault plugin in production?
12:15:52 but let's start putting these things in this week please.
12:15:52 I might want to dial in for some of the Castellan talks
12:15:58 jaosorior: yeah...any problem?
12:16:05 ade_lee: thanks, i will try to
12:16:32 lxkong, I would not recommend Vault backend for prod until we sort out Policy
12:16:34 redrobot, ack -- please add any castellan stuff you want discussed to the etherpad
12:16:53 lxkong: yeah, was gonna mention something along the lines of redrobot's concerns.
12:17:00 lxkong: any idea how you're gonna handle policy for Vault?
12:17:22 redrobot, jaosorior do you mean it's not appropriate to use root token in the config file?
12:17:22 lxkong, currently the Vault plugin requires a master token, which is a security concern IMO
12:17:30 lxkong, correct
12:17:33 redrobot: yeah, we know that
12:17:53 lxkong: weeeell, it's all up to your requirements :D not very recommended...but you could use that
12:18:08 also I'd like to see it use longer paths rather than store everything in the root
12:18:31 maybe we will use approle + secret + token, but it's not decided yet
12:18:45 too complex
12:19:34 redrobot, jaosorior lxkong has volunteered to maintain the vault plugin - so he would be one of the guys to help fix the policy :)
12:19:51 excellent :D
12:20:23 tbh - this sounds like a perfect candidate for a stein spec - and a discussion point at the PTG .. nudge nudge ..
12:20:34 * lxkong ndoes
12:20:38 * lxkong nodes
12:20:41 * lxkong nods
12:20:44 shit...
12:20:48 :)
12:20:52 lol
12:20:54 😂
12:20:56 too late for me
12:21:11 00:21AM
12:21:19 or too early
12:21:29 any other comments on PTG ?
12:22:04 perfect segue to next topic ..
12:22:11 #topic stein
12:22:36 long live rocky! long live stein ..
12:22:46 time to start getting specs in
12:22:53 would be nice to drop these time based releases to be honest
12:23:14 Barbican doesn't have a lot of traffic and all they do is make barbican development harder than it needs to be
12:23:36 I have at least one in the pipeline .. https://review.openstack.org/586606
12:24:11 and it sounds like we could use at least one more from lxkong on vault policy
12:24:12 ade_lee, oh geeze, is that for the CVE we found back in Barcelona?
12:24:26 I'll work on a Policy spec
12:24:27 and I plan to add one for allowing changing ownership of secrets
12:24:35 cool
12:24:41 yeah it is
12:25:25 a lot of this pre-supposes we get the OVO work done though
12:26:07 in any case, let's get those specs in and start getting comments and reviews -- I
12:26:27 m going to start tracking those in meetings from next week.
12:27:15 jaosorior, yeah - it's a bit of a pain - but I'm not sure what to do about it .. the release process is not overly crazy though
12:27:32 oh another Stein thing, we should definitely clean up the content-types stuff... currently it does not comply to the RFC
12:28:08 ade_lee: it's not about the release process but about its overall effect on development. But I guess this is not the right place to discuss it :)
12:28:12 redrobot, please add spec/ptg item
12:28:38 jaosorior, yup
12:29:21 other stein items include -- finishing the ovo work
12:29:42 are we tracking the ovo work somewhere?
12:29:57 namh has taken it far, but we're going to need some volunteers to get it finished off
12:30:21 namh is creating a trello board to show where the remaining work is.
12:30:45 I plan to work with him on that - and then we'll discuss and get some volunteers.
12:31:36 also, for stein, maybe micro versioning the API
12:31:58 coz some of the specs envision some API changes
12:33:06 It would also be great for us to have a gate against softHSM -- to test the pkcs11 plugin
12:33:46 right now, lots of work is going on to get the pkcs11 plugin to work with HSMs like Thales and ATOS for instance, but there is no upstream gate
12:33:49 +1 softhsm gate
12:34:05 also, it seems we're running legacy gates, not whatever is current?
12:34:37 +1 to evaluate current gates
12:35:09 including for instance the kmip gate -- which is sadly still broken ..
12:35:58 ok -- anything else for stein/ptg?
12:36:29 ade_lee: i'm wondering why we are not using uuid for CLI output?
12:36:39 any plan to change this?
12:36:56 lxkong, actually yes :)
12:37:10 https://review.openstack.org/588104
12:37:29 ade_lee: nice
12:37:45 didn't make cutoff for rocky - but will be in stein ..
12:37:53 lxkong, also
12:37:56 #link https://storyboard.openstack.org/#!/story/2002754
12:37:58 ade_lee: i'll have a review
12:38:30 lxkong, excellent
12:38:46 I'll add to the ptg discussion too -coz we do need to clean that up
12:39:09 redrobot, jaosorior - that change could do with some reviews too..
12:39:22 (and it's needed for octavia folks)
12:39:51 anything else for stein?
12:40:39 #topic open discussion
12:41:03 anyone got anything else to discuss?
12:42:11 alrighty then! thanks for the great discussion guys == lxkong have a good night's sleep :)
12:42:34 see ya'll online
12:42:36 ade_lee: thanks i do need a sleep :-)
12:42:46 #endmeeting