#openstack-tc log

15:00:58 <fungi> #startmeeting tc
15:00:58 <openstack> Meeting started Thu May 31 15:00:58 2018 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:02 <TheJulia> is o/
15:01:03 <openstack> The meeting name has been set to 'tc'
15:01:03 <TheJulia> err
15:01:04 <openstack> smcginnis: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
15:01:06 <dhellmann> thanks, fungi & smcginnis
15:01:07 <fungi> #chair smcginnis
15:01:08 <openstack> Current chairs: fungi smcginnis
15:01:09 <smcginnis> :)
15:01:11 <fungi> #chair dhellmann
15:01:12 <openstack> Current chairs: dhellmann fungi smcginnis
15:01:15 <fungi> #chair TheJulia
15:01:16 <openstack> Current chairs: TheJulia dhellmann fungi smcginnis
15:01:20 <fungi> #chair zaneb
15:01:21 <openstack> Current chairs: TheJulia dhellmann fungi smcginnis zaneb
15:01:24 <fungi> #chair EmilienM
15:01:24 <openstack> Current chairs: EmilienM TheJulia dhellmann fungi smcginnis zaneb
15:01:30 <cmurphy> start all the meetings
15:01:36 <dhellmann> #chair cmurphy
15:01:37 <openstack> Current chairs: EmilienM TheJulia cmurphy dhellmann fungi smcginnis zaneb
15:01:39 <fungi> #chair cmurphy
15:01:40 <openstack> Current chairs: EmilienM TheJulia cmurphy dhellmann fungi smcginnis zaneb
15:01:42 <fungi> #chair mnaser
15:01:43 <openstack> Current chairs: EmilienM TheJulia cmurphy dhellmann fungi mnaser smcginnis zaneb
15:01:53 <ttx> ohai
15:01:55 <smcginnis> Our ping list has become a chair list. :)
15:02:01 <fungi> looks like we have a bunch of tc members around around
15:02:03 <dhellmann> heh, that's one way to do it
15:02:05 <fungi> extra around
15:02:10 <fungi> #chair ttx
15:02:11 <openstack> Current chairs: EmilienM TheJulia cmurphy dhellmann fungi mnaser smcginnis ttx zaneb
15:02:34 <fungi> to be fair, it made more sense to add all two present tc members as chairs during the last office hour ;)
15:03:04 <dhellmann> the more the merrier
15:03:20 <dhellmann> we have several items on our tracker list without drivers (or with only 1). what should we do about that? https://wiki.openstack.org/wiki/Technical_Committee_Tracker
15:04:09 <smcginnis> Did the bylaws correction get done?
15:04:33 <dhellmann> the board passed a resolution authorizing jbryce to deal with it as part of the next election
15:04:33 <fungi> bylaws correction next step is making sure it gets on the next ballot for board elections
15:04:34 <EmilienM> fungi, ttx : have we already created a story about "Reviewing the TC Vision" ?
15:04:51 <dhellmann> I thought we would want to keep tracking it to ensure that correction makes it onto the ballot, and fungi signed up for that
15:05:00 <fungi> EmilienM: i haven't yet and not aware of one, that would be great to have
15:05:06 <EmilienM> if no, I'll go ahead and do it (+ update Wiki), maybe we could start poking at it today
15:05:09 <smcginnis> Yeah, that makes sense to follow it through to completion.
15:05:15 <dhellmann> oh, yes, please add links to relevant stories in the wiki
15:06:03 <openstackgerrit> Samuel Cassiba proposed openstack/governance master: Add openstackclient to Chef OpenStack  https://review.openstack.org/571504
15:06:11 <TheJulia> dhellmann: I think for some of them, I think we need to see if someone steps forward. It is also the week after summit and people are likely still decompressing/processing last week
15:06:43 <dhellmann> sure.
15:07:02 <dhellmann> I didn't know if we wanted to ask people to sign up, move unowned things to a separate list, or something else.
15:07:57 <TheJulia> I think we should broadcast that we would like someone to step forward for these items, and kind of revisit it in a week.
15:09:01 <ttx> EmilienM: it's on dhellmann's wiki already
15:09:08 <TheJulia> That way we're also possibly growing the pool of potential leaders as time moves on/giving opportunities.
15:09:25 <ttx> EmilienM: oh, you mean add link ? Yes++
15:09:32 <EmilienM> ttx: doing it now
15:10:18 <ttx> EmilienM: I'll create an etherpad where we can dump the current vision and then add comment
15:10:35 <dhellmann> TheJulia : are you suggesting that we ask folks not on the TC to take these up?
15:10:57 <TheJulia> We had discussed in the past that we felt that it was acceptable for non-tc members to take up causes and work with the TC
15:11:09 <dhellmann> I don't have a problem with us asking for help, but these are the things we said we wanted to do, so I think we should have TC members attached to each of them.
15:11:11 <TheJulia> if that is no longer the case, then we have a limited pool of resources.
15:11:41 <dhellmann> that's why I called them "drivers" and not "owners"
15:11:46 <EmilienM> ttx: works for me, it can be faster than using Gerrit for now.
15:12:10 <TheJulia> dhellmann: I see your point, I would just worry about drivers being looked at like owners
15:12:57 <dhellmann> it's hard for me to reconcile a desire to be more active with the idea that we wouldn't do things. :-)
15:13:46 <dhellmann> maybe we should have the conversation about what % of time TC members feel they have to contribute, and whether that should have some effect on the length of our todo list
15:14:06 <dhellmann> perhaps some of these things are backlog items, and not actively being worked on, for example
15:14:44 <cmurphy> what is "Trove Project Health"? I was in that session but I'm not sure what actions should be taken around that
15:15:18 <dhellmann> zaneb thought he was the one who brought that up, but I didn't remember. the question was "is anyone actually working on trove any more?"
15:15:46 <TheJulia> dhellmann: that is a valid point, we can't take on the world... at least not without prioritization and planning :)
15:15:46 <dhellmann> it relates to the thing we talked about thursday of checking in on project teams more actively
15:16:18 <ttx> dhellmann: I heard that question from a bunch
15:16:21 <TheJulia> dhellmann: cmurphy: I believe the comment is that there is nobody working on it any longer, and that maintainers and contributors are needed
15:16:26 <TheJulia> s/is/was/
15:16:56 <dhellmann> I took a peek in gerrit and saw what looked like relatively recent reviews landed, but it still seemed like enough of a question that I left it on the list
15:16:58 <TheJulia> Someone raised ?Amrith?, but... yeah.
15:17:01 <smcginnis> I thought a team from IBM took up Trove when amrith had proposed moving it to unmaintained.
15:17:07 <ttx> To the point where a "Stop or encore" session would have been good at forum
15:17:16 <ttx> smcginnis: yes
15:17:18 <TheJulia> dhellmann: good plan then
15:17:44 <dhellmann> who wants to check in on the trove team and report back?
15:17:56 <TheJulia> I can put that on my todo list
15:18:08 <mnaser> https://review.openstack.org/#/c/526728/ -- looks like they're still kinda landing things
15:18:08 <dhellmann> thanks, TheJulia!
15:18:18 <fungi> yeah, i think the worry is that trove engagement hasn't continued since the new team was put in control. if memory serves we had nobody in vancouver to run the trove sessions
15:18:18 <ttx> I have history, can take Trove too
15:18:32 <mnaser> but 6 weeks before that was the last merge
15:18:35 <dhellmann> great, please put your names in the wiki, ttx & TheJulia
15:18:41 <dhellmann> let's not do it *now*
15:18:44 <zaneb> the last I heard Trove was in 'maintenance mode' and there is no new development, but it is maintained. I haven't actually checked so I don't know that this is the case
15:18:57 <ttx> OVH has ben considering taking it over, which is why I looked into it
15:19:13 <fungi> #link https://governance.openstack.org/tc/reference/tags/status_maintenance-mode.html
15:19:18 <TheJulia> It would be good to have an operator get involved
15:19:23 <fungi> only searchlight has that governance tag applied at the moment
15:19:48 <zaneb> people (possibly including me) might have used the word 'unmaintained' to describe that, but at least in my case it wasn't based on any new information
15:19:58 * dhellmann was hoping to use this time for team organization, not a deep dive into trove
15:20:03 <ttx> I think at this point they don't dare taking it over, but we could encourage them if it's in bad shape
15:20:07 <ttx> hehe
15:20:27 <dhellmann> smcginnis , I have a ? next to your name on the stein goals item. did you want to help drive that?
15:20:28 <TheJulia> dhellmann: next item! :)
15:20:29 * ttx now sees how fun it is to disrupt the chair
15:20:29 <mnaser> dhellmann: maybe that's why we'd need an actual meeting with an agenda besides office hours :>
15:20:43 <mnaser> but back on track
15:20:47 <dhellmann> mnaser : there is 1 topic on our agenda today: sort out this todo list! :-)
15:21:10 <mnaser> fair :)
15:21:18 <dhellmann> we more or less agreed to always pair up on items, and we have a lot with only 1 driver
15:21:45 <EmilienM> ttx: i've noticed that https://www.openstack.org/software/sample-configs redirects to projects from ocata
15:21:48 <dhellmann> do people still feel like pairing is a good way to ensure depth of coverage and to support each other? and important enough to do?
15:21:57 <EmilienM> ttx: we might want to update it to Quees, perhaps
15:22:11 <ttx> EmilienM: will signal it
15:22:18 <smcginnis> dhellmann: Yes, I will update that to remove the ?
15:22:20 <mnaser> dhellmann: i think it's beneficial being able to lean on someone else who will hopefully be intimately familiar with the topic
15:22:23 <dhellmann> smcginnis : thanks
15:22:40 <dhellmann> mnaser : good point
15:22:41 <EmilienM> ttx: are these our constellations? they look like it anyway
15:22:41 <mnaser> so i support taking items that have a single driver and aiming for at least two
15:23:24 <zaneb> dhellmann: how long are we planning to keep around stuff that is marked as Approved in the list?
15:23:35 <dhellmann> zaneb : until I send the next TC update email on Monday
15:23:48 <dhellmann> I skipped this week because there were so many forum update emails already
15:23:52 <zaneb> that makes a lot of sense :)
15:24:56 <ttx> EmilienM: kind of -- depends on what we mean by constellation :)
15:25:58 <dhellmann> ok, as TheJulia pointed out we probably have a few people on PTO after the summit, so I won't stress too much about these not having drivers until next week
15:26:20 <dhellmann> did I miss anything other than the work dims has started on writing up job descriptions for the help-wanted areas?
15:26:42 <dhellmann> I will add that item after I send my summary of the joint leadership meeting, if dims doesn't beat me to it
15:26:57 <dims> no rush dhellmann :)
15:27:57 <dims> got some feedback from Chris Price on email
15:27:57 <dhellmann> maybe we want to move on to other topics, then?
15:28:01 <dhellmann> oh, good
15:29:16 <zaneb> when is it kosher to post info from the board meeting? usually jbryce posts a summary, but he wasn't actually there...
15:29:54 <dhellmann> there are different rules for the board meeting, I think
15:30:13 <dhellmann> the board asks members not to post summaries before the official minutes are posted, I think?
15:30:28 <smcginnis> I thought we discussed that recently and heard board members need to wait for jbryce to post a summary, but non-board do not?
15:30:31 <dhellmann> but I don't think that applies to the joint leadership meeting, since that's not a board meeting
15:30:50 <dhellmann> I was going to post an email summary based on my own notes as a personal summary
15:31:25 <zaneb> as a participant in the meeting, I would feel uncomfortable posting a summary before other participants (i.e. board members) are allowed to
15:31:32 <fungi> right. yeah, official minutes will presumably eventually appear at
15:31:36 <fungi> #link https://wiki.openstack.org/wiki/Governance/Foundation/20May2018BoardMinutes
15:31:40 <dhellmann> zaneb : right, my point is that the rule on official minutes does not apply here
15:31:59 <dhellmann> we met with the board, but it was not an operating meeting of the board of directors
15:32:11 <dhellmann> *part* of the day was, but I wasn't in the room then so my summary won't cover that anyway
15:32:12 <mnaser> yeah, afaik it is a "joint leadership meeting"
15:32:15 <fungi> but only the board members (and possibly foundation staff?) are expected to refrain from making public comments before the minutes are posted
15:32:32 <zaneb> well, there was a roll call and a motion was approved
15:32:37 <zaneb> while we were there
15:32:52 <dhellmann> yes, true, that portion of the meeting was more official than the rest
15:32:52 <fungi> oh, right that too. there _was_ a board meeting, but it was at the very end of the day, lasted a handful of minutes and involved nothing of substance
15:32:58 <mnaser> do we want to confirm with the board to have a clear understanding?
15:32:59 <dhellmann> the agenda that day was a bit messy
15:33:10 <dhellmann> ok, I'll ask Alan before I post anything
15:33:12 <mnaser> maybe this is part of increasing communication with our board :)
15:33:27 <dhellmann> #action dhellmann to ask Alan about posting a summary of the joint leadership meeting
15:34:40 <dhellmann> the review https://review.openstack.org/564060 about goal champions needs 1 more vote, so please take a look at that when you have time
15:36:13 <dhellmann> what else is on your minds this week?
15:37:40 <TheJulia> dhellmann: you have the extra vote now
15:38:05 <fungi> now that the summit's over and there's been no objection to the related ml thread, i was going to propose the base services addition change for a castellan-compatible key store
15:38:46 <ttx> ++
15:38:52 <dhellmann> TheJulia : thanks
15:38:59 * ttx crosses one more item from his giant list
15:39:01 <dhellmann> fungi : ++
15:39:35 <fungi> #link http://lists.openstack.org/pipermail/openstack-dev/2018-May/130567.html key store in base services
15:39:44 <zaneb> fungi: are we going to specify which key store?
15:39:47 <fungi> was the start of the thread where it was suggested
15:39:56 <dhellmann> fungi : I'm not sure what services that means today, so we probably want to make it clear that we welcome new drivers in castellan to cover other services that people want to be able to use
15:40:20 <fungi> zaneb: consensus so far seemed to be around "a castellan-compatible key store" without specifying any one in particular
15:40:40 <mnaser> one concern that i have is.. i feel like castellan is this extra layer of api abstraction on top of barbican, a secret store that abstracts other api stores
15:40:47 <zaneb> ok, that makes sense
15:41:05 <mnaser> afaik castellan has a 'vault' driver, but barbican also has one too
15:41:10 <fungi> mnaser: well, castellan was the result of complaints that barbican meant having an extra service
15:41:15 <zaneb> when people were saying Barbican in particular I was wondering if it was more a job for constellations than base services...
15:41:58 <mnaser> i guess this could be a start in openstack projects being able to be used independently
15:42:04 <mnaser> which is good too
15:42:42 <fungi> apparently some distros/deployments already have vault for other reasons and wanted a way of being able to just use it without adding a barbican service to manage
15:42:49 <dhellmann> I see it as a bit like oslo.messaging or oslo.db: services can rely on something for which we have a driver and use the abstraction layer to avoid dictating to deployers what to actually use
15:44:17 <zaneb> dhellmann: yeah, it's just a little bit weird in this case because an openstack service can be a backend. like if there was a Trove driver for oslo.db
15:45:31 <dhellmann> yes, that is a bit unusual
15:45:55 <dhellmann> I guess one difference is whether the secret is part of the deployment or something owned by an end-user
15:46:45 <dhellmann> so if a service wants to have end-user-managed secrets for doing things like encryption, that may imply barbican is actually required as an implementation detail, even if it is a wrapper around something else
15:49:31 <fungi> i think what we're more worried about for now is other services being able to rely on havnig somewhere safe to quarantine secrets/keys so that they don't all have to duplicate that work badly and end up neutering their security features as a result or influencing distros/operators to avoid turning on useful security features which might otherwise benefit from having it
15:51:12 <dhellmann> sure. is there actually a difference in user-facing vs. service-only keys? or is that distinction not important? I'm not that familiar with this space or how one interacts with something like vault, but it seems odd for us to say "in order to encrypt your cinder volume, put a key in vault and then tell us about it" since vault doesn't have an "Openstack API"
15:51:31 <dhellmann> maybe that workflow is normal and expected, though, I just don't know
15:52:05 <ttx> The reason that Vault it plugged both at castellan and Barbican levels is because those things do not strictly overlap
15:53:06 <dhellmann> yeah, that part made sense to me. I just wonder if saying a "castellan-supported secret store" is actually the right thing if we want services to provide features that require users to interact with the key store
15:54:02 <fungi> dhellmann: i think the difference between user-facing and service-only is more in how we end up saying whether it's a standard feature. for service-only we have the base services list saying what other services are allowed to depend on being present. for user-facing we decide with trademark programs and interoperability testing
15:54:20 <dhellmann> I guess I'm not being clear.
15:54:47 <dhellmann> If a user has to create a key to use a feature in cinder, is Vault "good enough"?
15:55:25 <dhellmann> Because if so, we're telling services that relying on having users interact with non-openstack services is OK, and I think that's a new statement?
15:55:27 <ttx> dhellmann: I /think/ castellan will let you create a key on Vault alright
15:55:51 <fungi> if we want services to provide features that require users to interact with the key store then it's a matter for trademark programs/interop and would probably spell out barbican as a requirement
15:55:57 <dhellmann> ttx: castellan is a python library. it's how cinder would interact with vault. it's not how a user would.
15:56:51 * TheJulia wonders if the discussion is in or just above the weeds
15:56:51 <dims> https://github.com/openstack/castellan/blob/master/castellan/key_manager/key_manager.py#L43 - create_key
15:57:01 <dims> and yes vault manager supports it
15:57:01 <ttx> dims: yeah
15:57:02 <dhellmann> TheJulia : definitely muddy water, if not weeds
15:57:25 <dhellmann> right, castellan *can* talk to vault, but it's not a REST API
15:57:36 <dims> correct, calls vault directly - https://github.com/openstack/castellan/blob/master/castellan/key_manager/vault_key_manager.py#L139
15:57:59 <fungi> from a base services perspective, we're just saying it's okay for services to rely on it, not saying anything about what those services expose (and we're not saying they're required to expose anything to the user)
15:58:10 <dhellmann> so we would be saying that it's OK for an openstack cloud to rely on a service that has no openstack API, and that's different from the other base services that are all hidden behind the cloud's API
15:58:30 <mnaser> i mean, in terms of interop, how would we think about ceph and it's exposed openstack 'swift' compatible api.. it's an external component providing the same functionality (kindof?)
15:58:31 <dhellmann> ok. I just think it's not going to be useful if there's not also a way for users to actually interact with the store
15:58:34 <fungi> i don't follow
15:58:35 <zaneb> so what dhellmann is saying is that the secret has to pass through Cinder API->Castellan->Vault, instead of going straight to the Barbican API. and that may be a less safe way of handling it
15:58:39 <ttx> Does Cinder volume encryption require you to provide your own key ? Or does it just generate one for you ?
15:58:52 <mnaser> good question for smcginnis ^ ? :)
15:58:53 <fungi> etcd has a non-openstack api and it's in the base services list
15:59:23 <dhellmann> fungi : do we expect users to interact with etcd?
15:59:24 <dhellmann> zaneb : yes, that's a good way of putting it
15:59:34 <zaneb> fungi: the cloud user never has to poke any data into etcd
15:59:38 <fungi> i'm still not following. we wouldn't be saying deployments are required to expose cinder volume encryption either way
15:59:42 <dhellmann> do we want every service to invent its own API for creating or uploading keys?
16:00:30 <ttx> dhellmann: hrm, isn't that what Castellan does ?
16:00:37 <dims> dhellmann : we want them to use the common library (like oslo.db and oslo.messaging)
16:00:38 <zaneb> fungi: if there's no OpenStack API for secrets available then every API becomes an API for secrets, proxying via Castellan on the back end
16:00:41 <dhellmann> we do not, in any other case, require users to use our client libraries
16:00:47 <fungi> we'd be saying it's okay for services to assume a castellan-compatible key store is available to those services, we aren't saynig anyone has to expose any particular related api to end users
16:00:48 <ttx> Also "creating" and "uploading" are not two separate things
16:01:00 * TheJulia feels like people are approaching this from different contexties and that we need to actually write it down at this point
16:01:00 <ttx> You create keys on the secret store.
16:01:04 <dhellmann> dims : end users do not use those libraries, though
16:01:24 <dims> dhellmann : right, they use the native stuff directly like vault or barbican
16:01:49 <fungi> take designate's desire for this, as an example. designate would like to treat a key store as an hsm, have it generate keys and handle signing requests, without those keys ever leaving the store
16:02:05 <fungi> that has nothing to do with end users uploading keys
16:02:18 <zaneb> fungi: yes, that's a case that castellan works for
16:02:48 * smcginnis had to step away for a bit, reading scrollback
16:02:49 <fungi> so i really, really, really don't see where this "exposing non-openstack apis to end users" tangent is coming from
16:02:55 <dims> it's not just vault, folks want to use castellan + custodia ( https://review.openstack.org/#/c/515190/ )
16:02:58 <dhellmann> fungi : true. that's 1 use case. Is that the only case where being generic about the keystore is useful?
16:03:09 <ttx> I'm sad that we keep having this "should we require Castellan or Barbican" discussion every 6 months. Last time we spent one hour on it and concluded Castellan
16:03:13 <dims> and KMIP https://review.openstack.org/#/c/298991/
16:03:22 <dims> yep ttx
16:03:22 <ttx> Now I'm missing most of the context from that discussion
16:03:26 <dhellmann> fungi : I'm trying to understand if it is sufficient to say "castellan supported" or if that's only going to enable 1 use case.
16:03:31 <ttx> But I remember us going into deep
16:03:51 <fungi> in fact, the previous time we discussed it we convinced the barbican team to create castellan so that we could consider it for this purpose
16:04:03 <zaneb> e.g. in Heat we want to be able to auth to other OpenStack clouds, which requires the user's credentials for those cloud. we don't want to see those through the Heat API, so we're going to ask the user to put them in Barbican directly
16:04:05 <dims> with dave-mccowan and kfarr and others
16:04:29 <dhellmann> ok, I'll let it go. I'm sorry I've been unable to express my concern in a way that folks can understand.
16:04:33 <mnaser> if that discussion of 'castellan vs barbican' has been had and a conclusion has been reached
16:04:42 <mnaser> maybe we should just focus on the base services discussion
16:04:44 <zaneb> but that feature will obviously be unavailable on clouds without Barbican, even if they have Vault
16:05:00 <dims> dhellmann : another data point, some folks like Huawei have their own barbican equivalent, so castellan is the better integration point
16:05:30 <ttx> zaneb: right -- so THAT was raised as an unresolved issue last time. Reliance on Barbican-specific features
16:06:08 <dhellmann> I am not suggesting that services should only talk to barbican. I am suggesting that leaving barbican out of the base services list is going to mean we have a lot of features we can't implement  because we don't provide users a way to deal with keys *or* that we will have a lot of services adding their own APIs for dealing with keys. Both are reasons we have the list in the first place.
16:06:19 <zaneb> I'm ok with that btw. just trying to clarify Doug
16:06:28 <dhellmann> thanks, zaneb
16:06:44 <ttx> It might still be a problem
16:06:49 <fungi> yeah, i personally felt like settling on barbican as the api was best for interoperability purposes, but it seems like there was a lot of pushback from deployment and operations representatives so at least having some way for projects to avoid duplicating this effort badly/insecurely/inconsistently on their own would be nice
16:06:51 <zaneb> Doug's point that not all features we might want will be enabled by having just castellan
16:06:57 <mnaser> well, we can always extend castellan
16:07:03 <mnaser> to support barbican specific features
16:07:12 <zaneb> enter key and the apostrophe key are too close as usual
16:07:20 <dhellmann> mnaser : we cannot require users to use a specific client library for the trademark programs
16:07:26 <ttx> mnaser: except those "features" are out of scope for Vault
16:07:29 <dhellmann> so we have to enable a REST API for those things at some point
16:07:39 <dhellmann> and right now our REST API for this is barbican
16:07:45 <ttx> Basically the issue here is that Barbican is more than a store
16:07:55 <ttx> which is why it can plug into Vault for store feature
16:08:01 <fungi> castellan could also be extended to have multiple drivers for those different features to placate people who really don't want barbican running
16:08:14 <dims> yep fungi
16:08:21 <mnaser> so maybe for now we can say 'castellan' but eventually drop it if we really start running into issues
16:08:23 <smcginnis> Cinder uses castellan. Users do not provide a key, though there have been some recent informal proposals to have user provided keys per volume for encryption.
16:08:30 <mnaser> we might be discussing something that is non problematic?
16:08:31 <ttx> The other factor here is that ANYTHING is better than the current situation so we tend to jump on anything that passes
16:09:02 <smcginnis> I think it's fair to state castellan is a base service, but what is used behind that is left to the deployer.
16:09:22 <dhellmann> smcginnis : how would you implement user-provided keys?
16:09:22 <dims> we should start with castellan as a base library requirement, then if barbican takes hold among operators then we can go to full dependency on barbican
16:09:32 <dhellmann> yeah, it's a fine first step. I just expect us to have to revisit it very soon.
16:09:33 <smcginnis> dhellmann: That's the open question.
16:09:34 <mnaser> ++ dims
16:09:44 <smcginnis> dims: ++
16:09:45 <dhellmann> maybe when that happens it will be clear why in a way that I seem unable to express.
16:10:15 <fungi> i think that as soon as we're talking about whether it's safe for a trademark-covered service to require exposing another api to users, then we need that api also covered under the same trademark program(s)
16:10:19 <smcginnis> I remember DuncanT had some concerns about Barbican, but I do not know enough about that area to really comment.
16:10:22 <ttx> dims:  that sounds a bit... weird though
16:10:40 <ttx> People who end up doing Castellan+Vault might be forced to change
16:11:09 <mnaser> arent those the same people who didnt want to run barbican in the first place? :\
16:11:21 <dhellmann> keystone is a good parallel here. we say that all of the services can rely on having keystone present to authenticate users, so that those services don't have to implement their own authentication. s/authentication/key management/
16:11:24 <dims> mysql / postgresql situation
16:11:41 <TheJulia> I would urge us not to force additional services where they are not needed. Use cases are going to differ as this discussion shows, and the standalone usage or back-end integration points make very valid sense as some operators have different use context and business needs.
16:12:21 <TheJulia> If the projects evolve to have that need, so be it, but at that point it is a conscious decision.
16:12:24 <ttx> I guess the issue is that for 90% of the use cases castellan is enough... and forcing everyone to go full Barbican might hinder solution for those 90%
16:12:51 <dhellmann> ttx: I guess I am questioning that 90% number, though.
16:12:56 <mnaser> maybe this is an outlier and not the time for this comment, but barbican really isn't that heavy of a service.
16:13:07 <mnaser> it's a simple rest api, it can integrate with vault if you're already running it
16:13:33 <clarkb> as an end user this type of compromise typically means I never use any of these features (and if you look at infra's consumption of openstack its a very reduced feature set because very few things are reliably available). To me that effectively means not enforcing a complete solution is as bad as not having a solution at all
16:13:41 <dhellmann> let's get a concrete proposal written up and have some project teams comment on it
16:13:42 <TheJulia> mnaser: but it is still another network accessible service, that has to be monitored, reported upon, it is security related so additional reporting controls have to be put into place depending on operating and regulatory requirements
16:13:44 <fungi> and the hope is that we can overcome the catch-22 critical mass inflection point which is causing deployments to resist implementing security features they'd find useful
16:13:49 <ttx> Last time the only things that were raised as potentially needing Barbican were Octavia and Designate iirc
16:13:59 <ttx> Octavia now uses Castellan...
16:14:13 <johnsom> Octavia support both
16:14:30 <mnaser> TheJulia: that's true, but that's up to the deployer if they want to use the extra features, then they'll have to support the things that come with it
16:14:30 <ttx> So 90% might be 99% :)
16:14:40 <ttx> johnsom: OR or AND ?
16:14:45 <smcginnis> clarkb: That's a good point.
16:14:47 <clarkb> johnsom: and octavia has its own apis for storing certs?
16:15:04 <TheJulia> mnaser: empowering the deployer to make the choice seems.. ideal, at least to me.
16:15:12 <johnsom> Currently it is an OR, but with flavors (coming) it could be AND.
16:15:37 <zaneb> so Heat needs Barbican for multi-cloud. It's fine if that's a soft dependency, but obviously better if it were available to everyone
16:15:40 <ttx> johnsom: no I mean you need one of them, not both, right ?
16:15:45 <johnsom> clarkb No, the user provides Octavia with the reference to the secrets. We do not have an upload interface.
16:16:09 <clarkb> johnsom: right so if the secret is in vault fronted by castellan how do I (the end user) give that service my certs so that octavia can use them?
16:16:13 <clarkb> (this is dhellmann's concern aiui)
16:16:18 <dhellmann> johnsom : how does the user create the secret?
16:16:27 <johnsom> ttx It's an operator choice thing.  Barbican has been supported for a long time, but people wanted Vault so we added Castellan
16:16:35 <ttx> ok
16:18:08 <dhellmann> fungi , you started the meeting, do you want to close it out?
16:18:17 <johnsom> dhellmann We leave that to the user.  Either the barbican CLI or custom UI systems.  One operator already has a cert management UI for vault, so just uses that.  Our cookbooks describe how to use OpenStack client to add certs to Barbican.  There was also castellan-ui dashboard plugin, but I'm not sure if that is finished.
16:18:47 <fungi> oh! sure
16:18:53 <clarkb> on an interop front ^ is not very friendly and is another case of infra wouldn't use that feature
16:18:54 <fungi> #endmeeting