13:02:17 <redrobot> #startmeeting barbican
13:02:18 <openstack> Meeting started Tue Jul 23 13:02:17 2019 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:02:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:02:21 <openstack> The meeting name has been set to 'barbican'
13:02:26 <redrobot> #topic Roll Call
13:02:32 <Luzi> o/
13:02:55 <redrobot> Courtesy ping for ade_lee hrybacki jamespage lxkong moguimar raildo rm_work xek
13:03:00 <rm_work> p/
13:03:14 <redrobot> As usual our agenda can be found here:
13:03:16 <redrobot> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
13:05:18 <jamespage> o/
13:05:39 <redrobot> Alrighty, let's get started!
13:06:31 <moguimar> o/
13:06:41 <redrobot> #topic Liaison Updates
13:06:43 <redrobot> moguimar, o/
13:06:51 <redrobot> moguimar, any updates from Oslo land?
13:06:55 <moguimar> nope
13:07:53 <redrobot> cool
13:09:05 <redrobot> #topic OpenstackSDK + Barbican
13:09:21 <redrobot> Luzi did you add this topic?
13:09:57 <Luzi> yes, it was mostly a question which came up in the last weeks image encryption meeting
13:10:29 <Luzi> because nova likes to rework their config stuff and use openstacksdk
13:11:12 <Luzi> but no one did know how well keystoneauth1 would work with the connection to Barbican
13:11:19 <redrobot> #link https://opendev.org/openstack/openstacksdk
13:12:24 <Luzi> Do you know what's the current state of this?
13:12:48 <redrobot> No, I haven't looked at any of that code recently
13:13:04 <redrobot> Is the plan for Nova to use https://opendev.org/openstack/openstacksdk/src/branch/master/openstack/key_manager instead of python-barbicanclient?
13:13:57 <Luzi> well it seems they would like to migrate to it, but there would be an exception for the barbicanclient
13:14:22 <Luzi> that's what efried told us so far and the reason he asked us if we knew something
13:15:43 <Luzi> i just wanted to ask this here, in case someone did know something :D
13:15:47 <redrobot> I can look into it and get back to you next week about the status.
13:15:58 <Luzi> thank you redrobot
13:16:02 <redrobot> I don't really understand the purpose of openstacksdk though
13:16:15 <redrobot> seems like doubling client efforts, but I'm not sure what the benefit is
13:16:54 <redrobot> Are other teams deprecating their python-XXXXXclient in favor of openstacksdk?
13:17:40 <redrobot> #action redrobot to look into the key_manager implementation of openstacksdk to determine feature gap
13:18:11 <Luzi> i have no idea, i did only speak to nova and cinder teams, and cinder doesn't want to migrate
13:19:01 <redrobot> Seems like classic OpenStack™ 😂
13:19:20 <redrobot> cool, I'll look into openstacksdk and see what we can figure out
13:19:26 <redrobot> anything else on this topic?
13:19:50 <Luzi> nope, thank you
13:25:48 <redrobot> #topic Open Discussion
13:25:55 <redrobot> anything else we should talk about?
13:26:02 <redrobot> moguimar? rm_work?
13:26:12 * rm_work is dead
13:26:26 <redrobot> rm_dead
13:26:28 <moguimar> me is on its way too
13:26:31 <Luzi> I have a question regarding the default policies
13:26:32 <rm_work> i guess, how did the secret consumers thing go
13:26:37 * moguimar *
13:26:54 <redrobot> rm_work, spec was merged, moguimar will be working on implementation
13:26:58 <redrobot> Luzi, what's up?
13:26:59 <rm_work> cool
13:27:03 <moguimar> I'll start working on it soon
13:27:09 <moguimar> probably next week
13:29:28 <Luzi> uhm, why do the roles in the default policies differ from the ones used in other projects (like nova and cinder)
13:29:45 <Luzi> ?
13:31:13 <Luzi> the deployed roles often are only admin and _member_ - so why are there Observer, creator and audit?
13:31:52 <redrobot> The idea was to have more fine-grained control over Secrets
13:31:58 <redrobot> since they contain sensitive information
13:32:05 <Luzi> i understand that part
13:32:28 <Luzi> are these roles used somewhere by users or so?
13:33:12 <redrobot> admin should have full access. We don't use member yet, but we have been talking about working with the Keystone team to work towards a unified policy
13:34:02 <Luzi> ah, that's nice, thank you for that information :D
13:34:41 <redrobot> I'll talk to Harry Rybacki about it. IIRC he was the one who wanted to work with us on getting the roles updated.
13:34:53 <redrobot> #action redrobot to talk to hrybacki about unified roles
13:37:37 <redrobot> Any other questions/topics we should talk about?
13:38:03 <moguimar> just a quick update
13:38:17 <moguimar> I was at EuroPython two weeks ago
13:38:26 <moguimar> with a poster about secrets in configs
13:38:45 <moguimar> using oslo.config, castellan and HashiCorp vault in a local demo
13:39:04 <redrobot> moguimar, nice! how'd it go?
13:39:19 <moguimar> https://ep2019.europython.eu/media/conference/slides/m7RV4BB-protecting-secrets-with-osloconfig-and-hashicorp-vault.pdf
13:39:37 <moguimar> lots of questions about HashiCorp Vault 😅
13:39:57 <moguimar> people were quite interested in secret leases
13:40:37 <moguimar> in my demo I was able to generate unique credentials to a Postgres DB and pass it to a node using a unique token for that node.
13:40:49 <moguimar> so different nodes had different credentials
13:40:53 <moguimar> no secrets in config files at all
13:41:16 <moguimar> token injected via ENV vars with the env config driver of oslo.config
13:41:47 <moguimar> and database credentials fetched via castellan config driver
13:42:12 <moguimar> I should write some readme in the demo, there are links to the code in the poster
13:42:42 <moguimar> some people asked if Barbican also delivers temporary credentials like HashiCorp vault
13:43:04 <moguimar> that was it
13:43:06 <redrobot> We do not :(
13:43:57 <redrobot> thanks for the update moguimar
13:44:00 <redrobot> :D
13:44:18 <redrobot> ok, y'all, thanks for coming
13:44:21 <redrobot> see you next week!
13:44:24 <moguimar> cya
13:44:26 <redrobot> #endmeeting