15:02:18 <mharley[m]> #startmeeting barbican
15:02:18 <opendevmeet> Meeting started Mon May 19 15:02:18 2025 UTC and is due to finish in 60 minutes.  The chair is mharley[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:18 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:18 <opendevmeet> The meeting name has been set to 'barbican'
15:02:48 <mharley[m]> #topic Roll Call
15:03:37 <mharley[m]> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley Freeman Boss lpiwowar xek
15:03:59 <mharley[m]> If you want to be pinged, add your nickname here:
15:04:04 <mharley[m]> #link https://etherpad.opendev.org/p/barbican-weekly-meeting
15:04:09 <dmendiza[m]> 🙋‍♂️
15:04:26 <mharley[m]> Hi, dmendiza.
15:04:28 <xek> o/
15:04:46 <mharley[m]> Hi, Grzegorz Grasza.  The meeting's agenda is also on the same link.
15:05:05 <mharley[m]> #topic Review Past Meeting Action Items
15:05:12 <mharley[m]> #link http://eavesdrop.openstack.org/meetings/barbican/2025
15:05:39 <mharley[m]> dmendiza: any progress towards the KMIP effort?
15:06:06 <mharley[m]> #topic KMIP
15:06:22 <mharley[m]> I saw you submitted a patch a couple of days ago.  Was that the only missing part?
15:06:56 <dmendiza[m]> Hi!
15:07:19 <dmendiza[m]> OK, so the Action Item was for rajiv to look into supporting his fork for PyKMIP so that we can use it as a drop-in replacement for Barbican KMIP Backend
15:08:00 <rajiv> Hi, we need OSPO and internal approvals, which is taking longer than expected.
15:08:34 <dmendiza[m]> Hi rajiv , for your reference, these are the OpenStack requirements for adding a dependency:
15:08:40 <dmendiza[m]> #link https://docs.openstack.org/project-team-guide/dependency-management.html#for-new-requirements
15:09:04 <dmendiza[m]> I have a few WIP patches around KMIP
15:09:52 <rajiv> okay sure
15:10:03 <dmendiza[m]> #link https://zuul.opendev.org/t/openstack/build/0235a7100f644d2b8810127757123e9e
15:10:07 <dmendiza[m]> #undo
15:10:17 <dmendiza[m]> #link https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/949935
15:10:47 <dmendiza[m]> ^^^ This is a patch to barbican-tempest-plugin to run Tempest against a Barbican+KMIP devstack deployment
15:10:58 <dmendiza[m]> It is failing and I haven't had a chance to dig into the roto cause
15:11:00 <dmendiza[m]> *root cause
15:11:10 <dmendiza[m]> #link https://review.opendev.org/c/openstack/barbican/+/947760
15:11:32 <dmendiza[m]> ^^^ This one is a patch to Barbican that I've iterated on a few times.
15:12:07 <dmendiza[m]> The first few patches were for testing OpenKMIP/PyKMIP to check for the current state of things.  It attempts to run the in-tree functional tests.
15:12:33 <dmendiza[m]> Some patches failed because the in-tree functional tests are incompatible with SRBAC
15:12:56 <dmendiza[m]> The latest patch is using rajiv 's fork.  It fails to initialize the server.
15:13:04 <mharley[m]> rajiv: would you have any ETA on when such approvals would be granted or not?
15:14:22 <dmendiza[m]> rajiv: this is the failure log for attempting to run the pykmip-server in devstack:
15:14:30 <dmendiza[m]> #link https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_fec/openstack/fec8dfc633ed4da9afecea93bd6b7265/controller/logs/screen-pykmip-server.txt
15:14:50 <dmendiza[m]> I have not yet looked into running the server stand-alone.
15:15:19 <dmendiza[m]> I will try to look into that next.
15:16:04 <dmendiza[m]> The existing OpenKMIP/PyKMIP library appears to work in CentOS 9, but it fails with an ssl module incompatibility in Ubuntu 24.04
15:16:19 <rajiv> i will follow up this week again.
15:16:26 <dmendiza[m]> Thank you rajiv !
15:16:35 <dmendiza[m]> That's all I have on KMIP for this week.
15:17:43 <mharley[m]> OK, thanks.
15:17:50 <mharley[m]> #topic Outreachy
15:18:12 <mharley[m]> I have bad news.  Just got to know that the project didn't receive funding and was cancelled.
15:18:45 <mharley[m]> It looks like this happened with many other projects too, although the selection criteria among projects is not clear to me at least.
15:19:46 <mharley[m]> That's all for Outreachy.
15:20:00 <mharley[m]> #topic Liaison Updates
15:20:13 <mharley[m]> We are 19 weeks from Flamingo's release date.
15:20:44 <mharley[m]> #link https://releases.openstack.org/epoxy/schedule.html
15:20:52 <mharley[m]> There is currently no more news for Flamingo.
15:21:03 <mharley[m]> #undo
15:21:03 <opendevmeet> Removing item from minutes: #link https://releases.openstack.org/epoxy/schedule.html
15:21:08 <mharley[m]> #link https://releases.openstack.org/flamingo/schedule.html
15:21:29 <mharley[m]> #topic Bug Review
15:21:58 <mharley[m]> No new bugs for Barbican.
15:21:59 <mharley[m]> #link https://bugs.launchpad.net/barbican/+bugs?orderby=-id&start=0
15:22:21 <rajiv> i was playing around with secretstore api, adding -H "X-Project-Id:" seems to work as well, is this expected ?
15:22:31 <freemanboss[m]> Good evening everyone
15:23:00 <mharley[m]> Hello, Freeman Boss.
15:23:07 <mharley[m]> Can you clarify, rajiv?
15:23:28 <rajiv> based on https://docs.openstack.org/barbican/latest/api/reference/store_backends.html
15:23:54 <rajiv> i don't see X-Project-Id: mentioned in the docu but when i use this Header in the curl command, the backend is accepted.
15:24:36 <freemanboss[m]> <mharley[m]> "I have bad news.  Just got to..." <- Ohhhh
15:25:01 <rajiv> the below cmd works if the project id is different :
15:25:05 <rajiv> curl -X POST -H "X-Project-Id: xxx"  -H "X-Auth-Token: $TOKEN"   -H "Content-Type: application/json" https://xxxx/v1/secret-stores/xxxx/preferred | jq
15:25:14 <dmendiza[m]> rajiv: X-Project-Id is only relevant for unauthenticated deployments
15:25:28 <freemanboss[m]> Please how do I start working on the PKCS#12 project?
15:25:52 <dmendiza[m]> rajiv: typically you'd want to provide the `X-Auth-Token` header.
15:26:34 <freemanboss[m]> <mharley[m]> "It looks like this happened with..." <- Please sorry please can you help confirm the criteria?
15:26:34 <freemanboss[m]> Thank you
15:26:51 <rajiv> dmendiza[m]: true, i was wondering how to restrict this api to domain admin only
15:27:05 <dmendiza[m]> rajiv the way authZ/authN works is that the user provides the `X-Auth-Token` header with their Keystone token.  Barbican should typically be deployed with keystonemiddleware.
15:27:40 <mharley[m]> Freeman Boss: we can discuss during the Open Discussion section, just a bit later in this meeting.
15:27:46 <rajiv> my prod has keystonemiddleware enabled in the barbican.conf but seems to work strangely during tests.
15:28:11 <dmendiza[m]> keystonemiddleware takes the token from X-Auth-Token and validates it with keystone.  The middleware layer then removes any existing auth headers (which includes X-Project-Id) and injects into the request all relevant auth headers with the values from Keystone's validation response.
15:29:53 <rajiv> okay, to restrict this to admin only, i need to update the policy.yaml and its defaults ?
15:30:01 <dmendiza[m]> rajiv: what you're seeing is that you provide an `X-Project-Id` that should be getting removed and replaced with the Project ID that Keystone validates from the token provided to X-Auth-Token
15:34:56 <rajiv> okay, any chance on reviewing the multi-tenancy PR ?
15:35:03 <rajiv> or the blueprint ?
15:35:38 <mharley[m]> Would you mind sharing their links once again?
15:36:09 <rajiv> https://review.opendev.org/c/openstack/barbican-specs/+/947093 https://review.opendev.org/c/openstack/barbican/+/947118
15:37:01 <mharley[m]> Cool, thanks.  Let's check those.
15:37:11 <mharley[m]> Anything else about the header topic?
15:38:20 <mharley[m]> No new bugs for Python Barbican Client:
15:38:22 <mharley[m]> #link https://bugs.launchpad.net/python-barbicanclient/+bugs?orderby=-id&start=0
15:39:10 <mharley[m]> No new bugs for Castellan:
15:39:13 <mharley[m]> https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
15:40:11 <mharley[m]> No new bugs for Cursive:
15:40:20 <mharley[m]> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
15:41:42 <dmendiza[m]> rajiv: POST for /v1/secret-stores/$SECRET_STORE_ID/preferred is already limited to "admin" role https://opendev.org/openstack/barbican/src/branch/master/barbican/common/policies/secretstores.py#L100
15:43:30 <mharley[m]> #topic Open Discussion
15:43:47 <rajiv> oh ok, i need to validate the unauthenticated calls.
15:45:09 <mharley[m]> Freeman Boss: so you'd like to contribute to the PKCS#12 feature?
15:45:49 <freemanboss[m]> Yes I'm interested mharley:
15:47:37 <mharley[m]> Understood.  As I told you before, this is an open-source project.  Anyone interested in contributing to OpenStack is more than welcome to do it.
15:48:07 <mharley[m]> However, as the mentoring project was not approved, there won't be any formal mentoring about this.
15:48:53 <mharley[m]> But you can always chat here at any time, ask your questions and benefit from the community.  And I can also dedicate some of my week time to give attention to this topic.
15:49:23 <freemanboss[m]> mharley: alright thank you.
15:49:41 <mharley[m]> Please just be advised there's no ETA to answer questions.  Everyone here is a volunteer. :-)
15:50:05 <freemanboss[m]> Is there any setup I can work it for the project.
15:50:05 <freemanboss[m]> It'll be integrated in the barbican repo?
15:51:54 <mharley[m]> A good piece of advice I can give you is to chat with Theresa James.  They already submitted a patch for Barbican and know the few steps required to set up the dev environment.
15:52:30 <mharley[m]> And once this environment is set, you are free to submit patches to Gerrit, the VCS system that OpenDev uses.
15:53:57 <mharley[m]> Is there any other topic to be discussed, guys?
15:54:13 <freemanboss[m]> mharley: alright thank you
15:54:34 <mharley[m]> Anytime, Freeman Boss .
15:54:51 <mharley[m]> Well, if there's nothing else...
15:54:53 <mharley[m]> That's all, folks!  See you next week! :-)
15:54:55 <mharley[m]> #endmeeting