13:00:03 <dmendiza[m]> #startmeeting barbican
13:00:03 <opendevmeet> Meeting started Tue Jul 12 13:00:03 2022 UTC and is due to finish in 60 minutes.  The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:03 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:03 <opendevmeet> The meeting name has been set to 'barbican'
13:00:10 <dmendiza[m]> #topic Roll Call
13:00:12 <Luzi> o/
13:00:17 <dmendiza[m]> Hi Luzi
13:00:26 <Luzi> hi dmendiza[m]
13:00:30 <dmendiza[m]> Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage lxkong mhen rm_work tosky xek nearyo oleksandry
13:01:40 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove create_server and rebuild_server methods  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/830121
13:01:42 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove get_remote_client method  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833580
13:02:14 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove create_timestamp & get_timestamp methods  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833587
13:02:15 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove create_volume & create_volume_type methods  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833546
13:02:17 <opendevreview> Merged openstack/barbican-tempest-plugin master: Set minimal tempest version to 27.0.0  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/845282
13:03:07 <dmendiza[m]> OK, let's get started
13:03:14 <dmendiza[m]> #topic Review Past Meeting Action Items
13:03:27 <dmendiza[m]> #link https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-05-13.00.html
13:03:30 <dmendiza[m]> We didn't have any
13:03:50 <dmendiza[m]> #topic Liaison Updates
13:03:52 <dmendiza[m]> tosky: around?
13:03:57 <tosky> more or less
13:04:09 <tosky> I've seen a few fixes being merged, thanks for that
13:04:35 <dmendiza[m]> Nice, thanks.
13:04:49 <tosky> the urgent ones are in, I need to recheck the other open changes
13:05:11 <dmendiza[m]> Cool, I'll try to get more reviews in the next few days
13:05:25 <dmendiza[m]> OK, moving on
13:05:37 <dmendiza[m]> #topic Microversions + Secret Consumers
13:05:52 <dmendiza[m]> We've been playing musical chairs with these patches
13:06:20 <dmendiza[m]> ade_lee is out on PTO for a couple of weeks, so I'm taking over his patches
13:06:33 <dmendiza[m]> also d34dh0r53 should be helping out too
13:07:20 <dmendiza[m]> plan is still to get those merged and try to get a python-barbicanclient and castellan releases as soon as possible
13:07:31 <dmendiza[m]> so folks can use the new versions before Zed-3
13:07:34 <Luzi> just FYI i will be on PTO the first three weeks in August
13:07:47 <dmendiza[m]> Fun! Enjoy your time moff
13:07:50 <dmendiza[m]> *time off
13:08:05 <Luzi> i will hand over to my colleagues in case you get ready in that time
13:08:12 <Luzi> yeah thanks :D i need it
13:09:43 <dmendiza[m]> OK, moving on
13:09:51 <dmendiza[m]> #topic Secure RBAC
13:10:00 <dmendiza[m]> I haven't had a chance to work on our goals for Zed
13:10:07 <dmendiza[m]> definitely want to get that done before Zed-3
13:10:26 <dmendiza[m]> Moving on ...
13:10:35 <tosky> there are also a few tempest tests for it
13:10:42 <tosky> in the barbican tempest plugin of course
13:10:46 <dmendiza[m]> Nice!
13:10:53 <tosky> written by Ade iirc
13:10:59 <tosky> not sure if they are complete or not
13:11:15 <dmendiza[m]> I think we have both project and system scope covered
13:11:48 <dmendiza[m]> I just have to go back and double check our policies to make sure we're good for the Zed goal
13:12:40 <tosky> but wasn't system scope de-scoped?
13:15:17 <dmendiza[m]> Yeah, we wrote those before they de-scoped 😑
13:16:48 <d34dh0r53> o/ sorry I’m late
13:16:59 <dmendiza[m]> Hi d34dh0r53 no worries
13:18:29 <dmendiza[m]> OK, moving on
13:18:46 <dmendiza[m]> #topic Bug Review
13:19:01 <dmendiza[m]> #link https://storyboard.openstack.org/#!/project_group/barbican
13:19:05 <dmendiza[m]> No new Barbican stories
13:19:15 <dmendiza[m]> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:19:21 <dmendiza[m]> And no new Castellan bugs
13:19:32 <dmendiza[m]> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
13:19:37 <dmendiza[m]> And no new Cursive bugs
13:19:51 <dmendiza[m]> #topic Open Discussion
13:19:58 <dmendiza[m]> Anything else y'all want to talk about?
13:20:38 <rajiv> Hi, any suggestions on https://storyboard.openstack.org/#!/story/2009322 ?
13:20:51 <rajiv> second topic, is tags supported in barbican ?
13:21:09 <dmendiza[m]> Hi rajiv
13:21:35 <rajiv> i have a new Lob onboarding with 3k secrets per region, i was wondering if we have this feature in barbican similar to nova, neutron, etc
13:21:51 <dmendiza[m]> No tags, unfortunately
13:21:56 <dmendiza[m]> but we do have metadata
13:22:44 <rajiv> i tried metadata but we CANT list all secrets with a metadata key know ?
13:23:12 <rajiv> i mean we can update keys with unique sets of metadata but cant list them.
13:25:18 <rajiv> Hi @ade_lee
13:26:00 <ade_lee> rajiv, Hi rajiv
13:26:50 <dmendiza[m]> rajiv: yeah, you're right, we can't filter secrets on metadata
13:27:12 <dmendiza[m]> only name, and the deprecated metadata keys bit_length, mode, and algorithm. 😦
13:28:00 <rajiv> is there a workaround ?
13:28:31 <dmendiza[m]> rajiv: these are the only filters supported right now: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets
13:28:52 <dmendiza[m]> The easiest would probably be to add filtering on metadata keys
13:29:22 <dmendiza[m]> something like `GET /v1/secrets?metadata=the_key:the_value`
13:29:34 <dmendiza[m]> but that'll take some work
13:29:49 <dmendiza[m]> if you want to try to implement that, we should be able to make some time to review it
13:30:05 <dmendiza[m]> It would probably be easier than trying to implement tags
13:30:38 <rajiv> ah ok, i started with https://github.com/sapcc/barbican/commit/bc5f09da26b0b995be2aaaaeb97ce8edff5afb13 but later realised i need to create a dedicated table to store tags data
13:31:13 <rajiv> or create a tags column in secrets table.
13:31:16 <dmendiza[m]> rajiv: RE: Story 2009322, I haven't looked into it.  Seems like we should be able to preserve that in code.  A
13:31:41 <rajiv> okay
13:31:50 <dmendiza[m]> rajiv: yeah, metadata already has its own table, so that would be easier to implement
13:32:10 <dmendiza[m]> and we already have filtering logic in the GET /v1/secrets call
13:32:15 <dmendiza[m]> so it should be fairly easy to add support for searching on metadata
13:32:22 <dmendiza[m]> s/searching/filtering
13:33:18 <rajiv> ah ok, could you share the exact file plz ?
13:34:52 <dmendiza[m]> rajiv: this is the controller for GET /v1/secrets https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L366
13:35:04 <rajiv> cool,
13:35:09 <dmendiza[m]> rajiv: the date filter, for example, is applied here: https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L391
13:35:48 <rajiv> last q, is it possible for the quota api to share the current consumption ?
13:37:18 <dmendiza[m]> rajiv: I don't think so.  But for a single project, each entity GET has a total count.  e.g. GET /v1/secrets has a "total": XXX key in the json response.
13:39:42 <rajiv> okay.
13:43:05 <dmendiza[m]> Anything else?
13:44:12 <rajiv> is there a way to download all secrets per project via api ?
13:44:38 <dmendiza[m]> No, only one secret can be decrypted at a time
13:44:51 <rajiv> its been a month, HSM-Barbican integration is running well on FIPS 140-2 Level3 mode :)
13:45:03 <dmendiza[m]> rajiv: Nice!
13:45:15 <rajiv> maybe in Zed the docu could be updated :)
13:46:06 <dmendiza[m]> Yeah, patch it up!
13:46:47 <rajiv> sure
13:47:18 <rajiv> have a good one!
13:47:27 <dmendiza[m]> Thanks rajiv
13:47:36 <dmendiza[m]> If no one else has any topics we can call it a day
13:52:28 <dmendiza[m]> Thanks for joining, everyone!
13:52:30 <dmendiza[m]> #endmeeting