13:00:03 #startmeeting barbican
13:00:03 Meeting started Tue Jul 12 13:00:03 2022 UTC and is due to finish in 60 minutes. The chair is dmendiza[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:03 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:03 The meeting name has been set to 'barbican'
13:00:10 #topic Roll Call
13:00:12 o/
13:00:17 Hi Luzi
13:00:26 hi dmendiza[m]
13:00:30 Courtesy ping for ade_lee dave-mccowan d34dh0r53 hrybacki jamespage lxkong mhen rm_work tosky xek nearyo oleksandry
13:01:40 Merged openstack/barbican-tempest-plugin master: Remove create_server and rebuild_server methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/830121
13:01:42 Merged openstack/barbican-tempest-plugin master: Remove get_remote_client method https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833580
13:02:14 Merged openstack/barbican-tempest-plugin master: Remove create_timestamp & get_timestamp methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833587
13:02:15 Merged openstack/barbican-tempest-plugin master: Remove create_volume & create_volume_type methods https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/833546
13:02:17 Merged openstack/barbican-tempest-plugin master: Set minimal tempest version to 27.0.0 https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/845282
13:03:07 OK, let's get started
13:03:14 #topic Review Past Meeting Action Items
13:03:27 #link https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-07-05-13.00.html
13:03:30 We didn't have any
13:03:50 #topic Liaison Updates
13:03:52 tosky: around?
13:03:57 more or less
13:04:09 I've seen a few fixes being merged, thanks for that
13:04:35 Nice, thanks.
13:04:49 the urgent ones are in, I need to recheck the other open changes
13:05:11 Cool, I'll try to get more reviews in the next few days
13:05:25 OK, moving on
13:05:37 #topic Microversions + Secret Consumers
13:05:52 We've been playing musical chairs with these patches
13:06:20 ade_lee is out on PTO for a couple of weeks, so I'm taking over his patches
13:06:33 also d34dh0r53 should be helping out too
13:07:20 plan is still to get those merged and try to get a python-barbicanclient and castellan releases as soon as possible
13:07:31 so folks can use the new versions before Zed-3
13:07:34 just FYI i will be on PTO the first three weeks in August
13:07:47 Fun! Enjoy your time moff
13:07:50 *time off
13:08:05 i will hand over to my colleagues in case you get ready in that time
13:08:12 yeah thanks :D i need it
13:09:43 OK, moving on
13:09:51 #topic Secure RBAC
13:10:00 I haven't had a chance to work on our goals for Zed
13:10:07 definitely want to get that done before Zed-3
13:10:26 Moving on ...
13:10:35 there are also a few tempest tests for it
13:10:42 in the barbican tempest plugin of course
13:10:46 Nice!
13:10:53 written by Ade iirc
13:10:59 not sure if they are complete or not
13:11:15 I think we have both project and system scope covered
13:11:48 I just have to go back and double check our policies to make sure we're good for the Zed goal
13:12:40 but wasn't system scope de-scoped?
13:15:17 Yeah, we wrote those before they de-scoped 😑
13:16:48 o/ sorry I’m late
13:16:59 Hi d34dh0r53 no worries
13:18:29 OK, moving on
13:18:46 #topic Bug Review
13:19:01 #link https://storyboard.openstack.org/#!/project_group/barbican
13:19:05 No new Barbican stories
13:19:15 #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:19:21 And no new Castellan bugs
13:19:32 #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
13:19:37 And no new Cursive bugs
13:19:51 #topic Open Discussion
13:19:58 Anything else y'all want to talk about?
13:20:38 Hi, any suggestions on https://storyboard.openstack.org/#!/story/2009322 ?
13:20:51 second topic, are tags supported in barbican ?
13:21:09 Hi rajiv
13:21:35 i have a new Lob onboarding with 3k secrets per region, i was wondering if we have this feature in barbican similar to nova, neutron, etc
13:21:51 No tags, unfortunately
13:21:56 but we do have metadata
13:22:44 i tried metadata but we CAN'T list all secrets with a metadata key know ?
13:23:12 i mean we can update keys with unique sets of metadata but can't list them.
13:25:18 Hi @ade_lee
13:26:00 rajiv, Hi rajiv
13:26:50 rajiv: yeah, you're right, we can't filter secrets on metadata
13:27:12 only name, and the deprecated metadata keys bit_length, mode, and algorithm. 😦
13:28:00 is there a workaround ?
13:28:31 rajiv: these are the only filters supported right now: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets
13:28:52 The easiest would probably be to add filtering on metadata keys
13:29:22 something like `GET /v1/secrets?metadata=the_key:the_value`
13:29:34 but that'll take some work
13:29:49 if you want to try to implement that, we should be able to make some time to review it
13:30:05 It would probably be easier than trying to implement tags
13:30:38 ah ok, i started with https://github.com/sapcc/barbican/commit/bc5f09da26b0b995be2aaaaeb97ce8edff5afb13 but later realised i need to create a dedicated table to store tags data
13:31:13 or create a tags column in secrets table.
13:31:16 rajiv: RE: Story 2009322, I haven't looked into it. Seems like we should be able to preserve that in code. A
13:31:41 okay
13:31:50 rajiv: yeah, metadata already has its own table, so that would be easier to implement
13:32:10 and we already have filtering logic in the GET /v1/secrets call
13:32:15 so it should be fairly easy to add support for searching on metadata
13:32:22 s/searching/filtering
13:33:18 ah ok, could you share the exact file plz ?
13:34:52 rajiv: this is the controller for GET /v1/secrets https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L366
13:35:04 cool,
13:35:09 rajiv: the date filter, for example, is applied here: https://opendev.org/openstack/barbican/src/branch/master/barbican/api/controllers/secrets.py#L391
13:35:48 last q, is it possible for the quota api to share the current consumption ?
13:37:18 rajiv: I don't think so. But for a single project, each entity GET has a total count. e.g. GET /v1/secrets has a "total": XXX key in the json response.
13:39:42 okay.
13:43:05 Anything else?
13:44:12 is there a way to download all secrets per project via api ?
13:44:38 No, only one secret can be decrypted at a time
13:44:51 it's been a month, HSM-Barbican integration is running well on FIPS 140-2 Level3 mode :)
13:45:03 rajiv: Nice!
13:45:15 maybe in Zed the docu could be updated :)
13:46:06 Yeah, patch it up!
13:46:47 sure
13:47:18 have a good one!
13:47:27 Thanks rajiv
13:47:36 If no one else has any topics we can call it a day
13:52:28 Thanks for joining, everyone!
13:52:30 #endmeeting