13:02:17 <redrobot> #startmeeting barbican
13:02:18 <openstack> Meeting started Tue Jul 23 13:02:17 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:02:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:02:21 <openstack> The meeting name has been set to 'barbican'
13:02:26 <redrobot> #topic Roll Call
13:02:32 <Luzi> o/
13:02:55 <redrobot> Courtesy ping for ade_lee hrybacki jamespage lxkong moguimar raildo rm_work xek
13:03:00 <rm_work> p/
13:03:14 <redrobot> As usual our agenda can be found here:
13:03:16 <redrobot> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
13:05:18 <jamespage> o/
13:05:39 <redrobot> Alrighty, let's get started!
13:06:31 <moguimar> o/
13:06:41 <redrobot> #topic Liaison Updates
13:06:43 <redrobot> moguimar, o/
13:06:51 <redrobot> moguimar, any updates from Oslo land?
13:06:55 <moguimar> nope
13:07:53 <redrobot> cool
13:09:05 <redrobot> #topic OpenstackSDK + Barbican
13:09:21 <redrobot> Luzi did you add this topic?
13:09:57 <Luzi> yes, it was mostly a question which came up in the last weeks image encryption meeting
13:10:29 <Luzi> because nova likes to rework their config stuff and use openstacksdk
13:11:12 <Luzi> but no one did know how well keystoneauth1 would work with the connection to Barbican
13:11:19 <redrobot> #link https://opendev.org/openstack/openstacksdk
13:12:24 <Luzi> Do you know what's the current state of this?
13:12:48 <redrobot> No, I haven't looked at any of that code recently
13:13:04 <redrobot> Is the plan for Nova to use https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/key_manager instead of python-barbicanclient?
13:13:57 <Luzi> well it seems they would like to migrate to it, but there would be an exception for the barbicanclient
13:14:22 <Luzi> that's what efried told us so far and the reason he asked us if we knew something
13:15:43 <Luzi> i just wanted to ask this here, in case someone did know something :D
13:15:47 <redrobot> I can look into it and get back to you next week about the status.
13:15:58 <Luzi> thank you redrobot
13:16:02 <redrobot> I don't really understand the purpose of openstacksdk though
13:16:15 <redrobot> seems like doubling client efforts, but I'm not sure what the benefit is
13:16:54 <redrobot> Are other teams deprecating their python-XXXXXclient in favor of openstacksdk?
13:17:40 <redrobot> #action redrobot to look into the key_manager implementation of openstacksdk to determine feature gap
13:18:11 <Luzi> I have no idea, I only spoke to the nova and cinder teams, and cinder doesn't want to migrate
13:19:01 <redrobot> Seems like classic OpenStack™ 😂
13:19:20 <redrobot> cool, I'll look into openstacksdk and see what we can figure out
13:19:26 <redrobot> anything else on this topic?
13:19:50 <Luzi> nope, thank you
13:25:48 <redrobot> #topic Open Discussion
13:25:55 <redrobot> anything else we should talk about?
13:26:02 <redrobot> moguimar? rm_work?
13:26:12 * rm_work is dead
13:26:26 <redrobot> rm_dead
13:26:28 <moguimar> me is on its way too
13:26:31 <Luzi> I have a question regarding the default policies
13:26:32 <rm_work> i guess, how did the secret consumers thing go
13:26:37 * moguimar *
13:26:54 <redrobot> rm_work, spec was merged, moguimar will be working on implementation
13:26:58 <redrobot> Luzi, what's up?
13:26:59 <rm_work> cool
13:27:03 <moguimar> I'll start working on it soon
13:27:09 <moguimar> probably next week
13:29:28 <Luzi> uhm, why do the roles in the default policies differ from the ones used in other projects (like nova and cinder)
13:29:45 <Luzi> ?
13:31:13 <Luzi> the deployed roles often are only admin and _member_ - so why are there Observer, creator and audit?
13:31:52 <redrobot> The idea was to have more fine-grained control over Secrets
13:31:58 <redrobot> since they contain sensitive information
13:32:05 <Luzi> i understand that part
13:32:28 <Luzi> are these roles used somewhere by users or so?
13:33:12 <redrobot> admin should have full access.  We don't use member yet, but we have been talking about working with the Keystone team to work towards a unified policy
13:34:02 <Luzi> ah, that's nice, thank you for that information :D
13:34:41 <redrobot> I'll talk to Harry Rybacki about it.  IIRC he was the one who wanted to work with us on getting the roles updated.
13:34:53 <redrobot> #action redrobot to talk to hrybacki about unified roles
13:37:37 <redrobot> Any other questions/topics we should talk about?
13:38:03 <moguimar> just a quick update
13:38:17 <moguimar> I was at EuroPython two weeks ago
13:38:26 <moguimar> with a poster about secrets in configs
13:38:45 <moguimar> using oslo.config, castellan and HashiCorp vault in a local demo
13:39:04 <redrobot> moguimar, nice!  how'd it go?
13:39:19 <moguimar> https://ep2019.europython.eu/media/conference/slides/m7RV4BB-protecting-secrets-with-osloconfig-and-hashicorp-vault.pdf
13:39:37 <moguimar> lots of questions about HashiCorp Vault 😅
13:39:57 <moguimar> people were quite interested in secret leases
13:40:37 <moguimar> in my demo I was able to generate unique credentials to a Postgres DB and pass it to a node using a unique token for that node.
13:40:49 <moguimar> so different nodes had different credentials
13:40:53 <moguimar> no secrets in config files at all
13:41:16 <moguimar> token injected via ENV vars with the env config driver of oslo.config
13:41:47 <moguimar> and database credentials fetched via castellan config driver
13:42:12 <moguimar> I should write some readme in the demo, there are links to the code in the poster
13:42:42 <moguimar> some people asked if Barbican also delivers temporary credentials like HashiCorp vault
13:43:04 <moguimar> that was it
13:43:06 <redrobot> We do not :(
13:43:57 <redrobot> thanks for the update moguimar
13:44:00 <redrobot> :D
13:44:18 <redrobot> ok, y'all, thanks for coming
13:44:21 <redrobot> see you next week!
13:44:24 <moguimar> cya
13:44:26 <redrobot> #endmeeting