15:02:18 <mharley[m]> #startmeeting barbican
15:02:18 <opendevmeet> Meeting started Mon May 19 15:02:18 2025 UTC and is due to finish in 60 minutes. The chair is mharley[m]. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:18 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:18 <opendevmeet> The meeting name has been set to 'barbican'
15:02:48 <mharley[m]> #topic Roll Call
15:03:37 <mharley[m]> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley Freeman Boss lpiwowar xek
15:03:59 <mharley[m]> If you want to be pinged, add your nickname here:
15:04:04 <mharley[m]> #link https://etherpad.opendev.org/p/barbican-weekly-meeting
15:04:09 <dmendiza[m]> 🙋♂️
15:04:26 <mharley[m]> Hi, dmendiza.
15:04:28 <xek> o/
15:04:46 <mharley[m]> Hi, Grzegorz Grasza. The meeting's agenda is also on the same link.
15:05:05 <mharley[m]> #topic Review Past Meeting Action Items
15:05:12 <mharley[m]> #link http://eavesdrop.openstack.org/meetings/barbican/2025
15:05:39 <mharley[m]> dmendiza: any progress towards the KMIP effort?
15:06:06 <mharley[m]> #topic KMIP
15:06:22 <mharley[m]> I saw you submitted a patch a couple of days ago. Was that the only missing part?
15:06:56 <dmendiza[m]> Hi!
15:07:19 <dmendiza[m]> OK, so the Action Item was for rajiv to look into supporting his fork for PyKMIP so that we can use it as a drop-in replacement for Barbican KMIP Backend
15:08:00 <rajiv> Hi, we need OSPO and internal approvals, which is taking longer than expected.
15:08:34 <dmendiza[m]> Hi rajiv, for your reference, these are the OpenStack requirements for adding a dependency:
15:08:40 <dmendiza[m]> #link https://docs.openstack.org/project-team-guide/dependency-management.html#for-new-requirements
15:09:04 <dmendiza[m]> I have a few WIP patches around KMIP
15:09:52 <rajiv> okay sure
15:10:03 <dmendiza[m]> #link https://zuul.opendev.org/t/openstack/build/0235a7100f644d2b8810127757123e9e
15:10:07 <dmendiza[m]> #undo
15:10:17 <dmendiza[m]> #link https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/949935
15:10:47 <dmendiza[m]> ^^^ This is a patch to barbican-tempest-plugin to run Tempest against a Barbican+KMIP devstack deployment
15:10:58 <dmendiza[m]> It is failing and I haven't had a chance to dig into the roto cause
15:11:00 <dmendiza[m]> *root cause
15:11:10 <dmendiza[m]> #link https://review.opendev.org/c/openstack/barbican/+/947760
15:11:32 <dmendiza[m]> ^^^ This one is a patch to Barbican that I've iterated on a few times.
15:12:07 <dmendiza[m]> The first few patches were for testing OpenKMIP/PyKMIP to check for the current state of things. It attempts to run the in-tree functional tests.
15:12:33 <dmendiza[m]> Some patches failed because the in-tree functional tests are incompatible with SRBAC
15:12:56 <dmendiza[m]> The latest patch is using rajiv's fork. It fails to initialize the server.
15:13:04 <mharley[m]> rajiv: would you have any ETA on when such approvals would be granted or not?
15:14:22 <dmendiza[m]> rajiv: this is the failure log for attempting to run the pykmip-server in devstack:
15:14:30 <dmendiza[m]> #link https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_fec/openstack/fec8dfc633ed4da9afecea93bd6b7265/controller/logs/screen-pykmip-server.txt
15:14:50 <dmendiza[m]> I have not yet looked into running the server stand-alone.
15:15:19 <dmendiza[m]> I will try to look into that next.
15:16:04 <dmendiza[m]> The existing OpenKMIP/PyKMIP library appears to work in CentOS 9, but it fails with an ssl module incompatibility in Ubuntu 24.04
15:16:19 <rajiv> i will follow up this week again.
15:16:26 <dmendiza[m]> Thank you rajiv!
15:16:35 <dmendiza[m]> That's all I have on KMIP for this week.
15:17:43 <mharley[m]> OK, thanks.
15:17:50 <mharley[m]> #topic Outreachy
15:18:12 <mharley[m]> I have bad news. Just got to know that the project didn't receive funding and was cancelled.
15:18:45 <mharley[m]> It looks like this happened with many other projects too, although the selection criteria among projects is not clear to me at least.
15:19:46 <mharley[m]> That's all for Outreachy.
15:20:00 <mharley[m]> #topic Liaison Updates
15:20:13 <mharley[m]> We are 19 weeks from Flamingo's release date.
15:20:44 <mharley[m]> #link https://releases.openstack.org/epoxy/schedule.html
15:20:52 <mharley[m]> There is currently no more news for Flamingo.
15:21:03 <mharley[m]> #undo
15:21:03 <opendevmeet> Removing item from minutes: #link https://releases.openstack.org/epoxy/schedule.html
15:21:08 <mharley[m]> #link https://releases.openstack.org/flamingo/schedule.html
15:21:29 <mharley[m]> #topic Bug Review
15:21:58 <mharley[m]> No new bugs for Barbican.
15:21:59 <mharley[m]> #link https://bugs.launchpad.net/barbican/+bugs?orderby=-id&start=0
15:22:21 <rajiv> i was playing around with secretstore api, adding -H "X-Project-Id:" seems to work as well, is this expected ?
15:22:31 <freemanboss[m]> Good evening everyone
15:23:00 <mharley[m]> Hello, Freeman Boss.
15:23:07 <mharley[m]> Can you clarify, rajiv?
15:23:28 <rajiv> based on https://docs.openstack.org/barbican/latest/api/reference/store_backends.html
15:23:54 <rajiv> i don't see X-Project-Id: mentioned in the docu but when i use this Header in the curl command, the backend is accepted.
15:24:36 <freemanboss[m]> <mharley[m]> "I have bad news. Just got to..." <- Ohhhh
15:25:01 <rajiv> the below cmd works if the project id is different :
15:25:05 <rajiv> curl -X POST -H "X-Project-Id: xxx" -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" https://xxxx/v1/secret-stores/xxxx/preferred | jq
15:25:14 <dmendiza[m]> rajiv: X-Project-Id is only relevant for unauthenticated deployments
15:25:28 <freemanboss[m]> Please how do I start working on the PKCS#12 project?
15:25:52 <dmendiza[m]> rajiv: typically you'd want to provide the `X-Auth-Token` header.
15:26:34 <freemanboss[m]> <mharley[m]> "It looks like this happened with..." <- Please sorry please can you help confirm the criteria?
15:26:34 <freemanboss[m]> Thank you
15:26:51 <rajiv> dmendiza[m]: true, i was wondering how to restrict this api to domain admin only
15:27:05 <dmendiza[m]> rajiv the way authZ/authN works is that the user provides the `X-Auth-Token` header with their Keystone token. Barbican should typically be deployed with keystonemiddleware.
15:27:40 <mharley[m]> Freeman Boss: we can discuss during the Open Discussion section, just a bit later on this meeting.
15:27:46 <rajiv> my prod has keystonemiddleware enabled in the barbican.conf but seems to work strangely during tests.
15:28:11 <dmendiza[m]> keystonemiddleware takes the token from X-Auth-Token and validates it with keystone. The middleware layer then removes any existing auth headers (which includes X-Project-Id) and injects into the request all relevant auth headers with the values from Keystone's validation response.
15:29:53 <rajiv> okay, to restrict this to admin only, i need to update the policy.yaml and its defaults ?
15:30:01 <dmendiza[m]> rajiv: what you're seeing is that you provide an `X-Project-Id` that should be getting removed and replaced with the Project ID that Keystone validates from the token provided to X-Auth-Token
15:34:56 <rajiv> okay, any chance on reviewing the multi-tenancy PR ?
15:35:03 <rajiv> or the blueprint ?
15:35:38 <mharley[m]> Would you mind sharing their links once again?
15:36:09 <rajiv> https://review.opendev.org/c/openstack/barbican-specs/+/947093 https://review.opendev.org/c/openstack/barbican/+/947118
15:37:01 <mharley[m]> Cool, thanks. Let's check those.
15:37:11 <mharley[m]> Anything else about the header topic?
15:38:20 <mharley[m]> No new bugs for Python Barbican Client:
15:38:22 <mharley[m]> #link https://bugs.launchpad.net/python-barbicanclient/+bugs?orderby=-id&start=0
15:39:10 <mharley[m]> No new bugs for Castellan:
15:39:13 <mharley[m]> https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
15:40:11 <mharley[m]> No new bugs for Cursive:
15:40:20 <mharley[m]> #link https://bugs.launchpad.net/cursive/+bugs?orderby=-id&start=0
15:41:42 <dmendiza[m]> rajiv: POST for /v1/secret-stores/$SECRET_STORE_ID/preferred is already limited to "admin" role https://opendev.org/openstack/barbican/src/branch/master/barbican/common/policies/secretstores.py#L100
15:43:30 <mharley[m]> #topic Open Discussion
15:43:47 <rajiv> oh ok, i need to validate the unauthenticated calls.
15:45:09 <mharley[m]> Freeman Boss: so you'd like to contribute with the PKCS#12 feature?
15:45:49 <freemanboss[m]> Yes I'm interested mharley:
15:47:37 <mharley[m]> Understood. As I told you before, this is an open-source project. Anyone interested in contributing to OpenStack is more than welcome to do it.
15:48:07 <mharley[m]> However, as the mentoring project was not approved, there won't be any formal mentoring about this.
15:48:53 <mharley[m]> But you can always chat here at any time, ask your questions and benefit from the community. And I can also dedicate some of my week time to give attention to this topic.
15:49:23 <freemanboss[m]> mharley: alright thank you.
15:49:41 <mharley[m]> Please just be advised there's no ETA to answer questions. Everyone here is a volunteer. :-)
15:50:05 <freemanboss[m]> Is there any setup I can work it for the project.
15:50:05 <freemanboss[m]> It'll be integrated in the barbican repo?
15:51:54 <mharley[m]> A good piece of advice I can give you is to chat with Theresa James. They already submitted a patch for Barbican and know the few steps required to set up the dev environment.
15:52:30 <mharley[m]> And once this environment is set, you are free to submit patches to Gerrit, the VCS system that OpenDev uses.
15:53:57 <mharley[m]> Is there any other topic to be discussed, guys?
15:54:13 <freemanboss[m]> mharley: alright thank you
15:54:34 <mharley[m]> Anytime, Freeman Boss.
15:54:51 <mharley[m]> Well, if there's nothing else...
15:54:53 <mharley[m]> That's all, folks! See you next week! :-)
15:54:55 <mharley[m]> #endmeeting