13:00:03 <dmendiza[m]> #startmeeting barbican
13:00:03 <opendevmeet> Meeting started Tue Jul 12 13:00:03 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:03 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:03 <opendevmeet> The meeting name has been set to 'barbican'
13:00:10 <dmendiza[m]> #topic Roll Call
13:00:12 <Luzi> o/
13:00:17 <dmendiza[m]> Hi Luzi
13:00:26 <Luzi> hi dmendiza[m]
13:00:30 <dmendiza[m]> Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage lxkong mhen rm_work tosky xek nearyo oleksandry
13:01:40 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove create_server and rebuild_server methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/830121
13:01:42 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove get_remote_client method https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833580
13:02:14 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove create_timestamp & get_timestamp methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833587
13:02:15 <opendevreview> Merged openstack/barbican-tempest-plugin master: Remove create_volume & create_volume_type methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833546
13:02:17 <opendevreview> Merged openstack/barbican-tempest-plugin master: Set minimal tempest version to 27.0.0 https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/845282
13:03:07 <dmendiza[m]> OK, let's get started
13:03:14 <dmendiza[m]> #topic Review Past Meeting Action Items
13:03:27 <dmendiza[m]> #link https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-05-13.00.html
13:03:30 <dmendiza[m]> We didn't have any
13:03:50 <dmendiza[m]> #topic Liaison Updates
13:03:52 <dmendiza[m]> tosky: around?
13:03:57 <tosky> more or less
13:04:09 <tosky> I've seen a few fixes being merged, thanks for that
13:04:35 <dmendiza[m]> Nice, thanks.
13:04:49 <tosky> the urgent ones are in, I need to recheck the other open changes
13:05:11 <dmendiza[m]> Cool, I'll try to get more reviews in the next few days
13:05:25 <dmendiza[m]> OK, moving on
13:05:37 <dmendiza[m]> #topic Microversions + Secret Consumers
13:05:52 <dmendiza[m]> We've been playing musical chairs with these patches
13:06:20 <dmendiza[m]> ade_lee is out on PTO for a couple of weeks, so I'm taking over his patches
13:06:33 <dmendiza[m]> also d34dh0r53 should be helping out too
13:07:20 <dmendiza[m]> plan is still to get those merged and try to get a python-barbicanclient and castellan releases as soon as possible
13:07:31 <dmendiza[m]> so folks can use the new versions before Zed-3
13:07:34 <Luzi> just FYI i will be on PTO the first three weeks in August
13:07:47 <dmendiza[m]> Fun! Enjoy your time moff
13:07:50 <dmendiza[m]> *time off
13:08:05 <Luzi> i will hand over to my colleagues in case you get ready in that time
13:08:12 <Luzi> yeah thanks :D i need it
13:09:43 <dmendiza[m]> OK, moving on
13:09:51 <dmendiza[m]> #topic Secure RBAC
13:10:00 <dmendiza[m]> I haven't had a chance to work on our goals for Zed
13:10:07 <dmendiza[m]> definitely want to get that done before Zed-3
13:10:26 <dmendiza[m]> Moving on ...
13:10:35 <tosky> there also a few tempest tests for it
13:10:42 <tosky> in the barbican tempest plugin of course
13:10:46 <dmendiza[m]> Nice!
13:10:53 <tosky> written by Ade iirc
13:10:59 <tosky> not sure if they are complete or not
13:11:15 <dmendiza[m]> I think we have both project and system scope covered
13:11:48 <dmendiza[m]> I just have to go back and double check our policies to make sure we're good for the Zed goal
13:12:40 <tosky> but wasn't system scope de-scoped?
13:15:17 <dmendiza[m]> Yeah, we wrote those before they de-scoped
13:16:48 <d34dh0r53> o/ sorry I'm late
13:16:59 <dmendiza[m]> Hi d34dh0r53 no worries
13:18:29 <dmendiza[m]> OK, moving on
13:18:46 <dmendiza[m]> #topic Bug Review
13:19:01 <dmendiza[m]> #link https://storyboard.openstack.org/#!/project_group/barbican
13:19:05 <dmendiza[m]> No new Barbican stories
13:19:15 <dmendiza[m]> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:19:21 <dmendiza[m]> And no new Castellan bugs
13:19:32 <dmendiza[m]> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
13:19:37 <dmendiza[m]> And no new Cursive bugs
13:19:51 <dmendiza[m]> #topic Open Discussion
13:19:58 <dmendiza[m]> Anything else y'all want to talk about?
13:20:38 <rajiv> Hi, any suggestions on https://storyboard.openstack.org/#!/story/2009322 ?
13:20:51 <rajiv> second topic, is tags supported in barbican ?
13:21:09 <dmendiza[m]> Hi rajiv
13:21:35 <rajiv> i have a new Lob onboarding with 3k secrets per region, i was wondering if we have this feature in barbican similar to nova, neutron, etc
13:21:51 <dmendiza[m]> No tags, unfortunately
13:21:56 <dmendiza[m]> but we do have metadata
13:22:44 <rajiv> i tried metadata but we CANT list all secrets with a metadata key know ?
13:23:12 <rajiv> i mean we can update keys with unique sets of metadata but cant list them.
13:25:18 <rajiv> Hi @ade_lee
13:26:00 <ade_lee> rajiv, Hi rajiv
13:26:50 <dmendiza[m]> rajiv: yeah, you're right, we can't filter secrets on metadata
13:27:12 <dmendiza[m]> only name, and the deprecated metadata keys bit_length, mode, and algorithm.
13:28:00 <rajiv> is there a workaround ?
13:28:31 <dmendiza[m]> rajiv: these are the only filters supported right now: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets
13:28:52 <dmendiza[m]> The easiest would probably be to add filtering on metadata keys
13:29:22 <dmendiza[m]> something like `GET /v1/secrets?metadata=the_key:the_value`
13:29:34 <dmendiza[m]> but that'll take some work
13:29:49 <dmendiza[m]> if you want to try to implement that, we should be able to make some time to review it
13:30:05 <dmendiza[m]> It would probably be easier than trying to implement tags
13:30:38 <rajiv> ah ok, i started with https://github.com/sapcc/barbican/commit/bc5f09da26b0b995be2aaaaeb97ce8edff5afb13 but later realised i need to create a dedicated table to store tags data
13:31:13 <rajiv> or create a tags column in secrets table.
13:31:16 <dmendiza[m]> rajiv: RE: Story 2009322, I haven't looked into it. Seems like we should be able to preserve that in code. A
13:31:41 <rajiv> okay
13:31:50 <dmendiza[m]> rajiv: yeah, metadata already has its own table, so that would be easier to implement
13:32:10 <dmendiza[m]> and we already have filtering logic in the GET /v1/secrets call
13:32:15 <dmendiza[m]> so it should be fairly easy to add support for searching on metadata
13:32:22 <dmendiza[m]> s/searching/filtering
13:33:18 <rajiv> ah ok, could you share the exact file plz ?
13:34:52 <dmendiza[m]> rajiv: this is the controller for GET /v1/secrets https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L366
13:35:04 <rajiv> cool,
13:35:09 <dmendiza[m]> rajiv: the date filter, for example, is applied here: https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L391
13:35:48 <rajiv> last q, is it possible for the quota api to share the current consumption ?
13:37:18 <dmendiza[m]> rajiv: I don't think so. But for a single project, each entity GET has a total count. e.g. GET /v1/secrets has a "total": XXX key in the json response.
13:39:42 <rajiv> okay.
13:43:05 <dmendiza[m]> Anything else?
13:44:12 <rajiv> is there a way to download all secrets per project via api ?
13:44:38 <dmendiza[m]> No, only one secret can be decrypted at a time
13:44:51 <rajiv> its been a month, HSM-Barbican integration is running well on FIPS 140-2 Level3 mode :)
13:45:03 <dmendiza[m]> rajiv: Nice!
13:45:15 <rajiv> maybe in Zed the docu could be updated :)
13:46:06 <dmendiza[m]> Yeah, patch it up!
13:46:47 <rajiv> sure
13:47:18 <rajiv> have a good one!
13:47:27 <dmendiza[m]> Thanks rajiv
13:47:36 <dmendiza[m]> If no one else has any topics we can call it a day
13:52:28 <dmendiza[m]> Thanks for joining, everyone!
13:52:30 <dmendiza[m]> #endmeeting