Re: [openstack-dev] [barbican][tc] Seeking feedback on the OpenStack cloud vision

2018-10-25 Thread Dave McCowan (dmccowan)
Hello Zane-- Yes, this vision is consistent with the Barbican team's vision. Barbican provides an abstraction layer over HSMs and other secret storage services. We have a plugin architecture to enable this abstraction over a variety of backends. Vault is a recent addition to our supported

Re: [openstack-dev] [barbican] NEW weekly meeting time

2018-06-15 Thread Dave McCowan (dmccowan)
+1 This is a great time. On 6/14/18, 4:30 PM, "Ade Lee" wrote: >The new time slot has been pretty difficult for folks to attend. >I'd like to propose a new time slot, which will hopefully be more >amenable to everyone. > >Tuesday 12:00 UTC >

Re: [openstack-dev] [castellan] Removing Keystoneauth Dependency in Castellan Discussion

2017-12-12 Thread Dave McCowan (dmccowan)
On 12/12/17, 3:15 PM, "Doug Hellmann" <d...@doughellmann.com> wrote: >Excerpts from Dave McCowan (dmccowan)'s message of 2017-12-12 19:56:49 >+: >> >> On 12/12/17, 10:38 AM, "Doug Hellmann" <d...@doughellmann.com> wrote: >> >&

Re: [openstack-dev] [castellan] Removing Keystoneauth Dependency in Castellan Discussion

2017-12-12 Thread Dave McCowan (dmccowan)
On 12/12/17, 10:38 AM, "Doug Hellmann" wrote: > >> On Dec 12, 2017, at 9:42 AM, Paul Bourke wrote: >> >> From my understanding it would be a cleanup operation - which to be >>honest, would be very much welcomed. I recently did a little work with

Re: [openstack-dev] [barbican][nova][cinder][tacker][glance] Remove Certificate Orders and CAs from API

2017-12-05 Thread Dave McCowan (dmccowan)
On 12/5/17, 11:37 AM, "Matt Riedemann" wrote: >On 12/5/2017 2:52 AM, na...@vn.fujitsu.com wrote: >> Hi all, >> >> Barbican's team are considering whether the Certificate Orders and CAs >>should be removed or not [1]. And we would like to hear information from >>other

Re: [openstack-dev] [ptls] MOAR UPDATES: Sydney Project Onboarding

2017-10-23 Thread Dave McCowan (dmccowan)
We're working on the Barbican Onboarding session now. I don't think our Boston session went very well, and the results borne out; we were unable to convert any attendee to active contributor. It was a much bigger group than I was expecting and everyone was at a different starting point. I

Re: [openstack-dev] [cinder][nova][castellan] Toward deprecating ConfKeyManager

2017-10-11 Thread Dave McCowan (dmccowan)
Hi Alan-- Since a fixed-key implementation is not secure, I would prefer not adding it to Castellan. Our desire is that Castellan can be a best-practice project to encourage operators to use key management securely. I'm all for consolidating code and providing good migration paths from

Re: [openstack-dev] [release][requirements][barbican][octavia][LBaaS][heat] FFE Request for python-barbicanclient library

2017-08-03 Thread Dave McCowan (dmccowan)
On 8/1/17, 8:02 PM, "Tony Breeds" <t...@bakeyournoodle.com> wrote: >On Tue, Aug 01, 2017 at 04:58:22PM -0400, Doug Hellmann wrote: >> Excerpts from Dave McCowan (dmccowan)'s message of 2017-08-01 20:48:12 >>+: >> > This note is to request a Feature

[openstack-dev] [release][requirements][barbican][octavia][LBaaS][heat] FFE Request for python-barbicanclient library

2017-08-01 Thread Dave McCowan (dmccowan)
This note is to request a Feature Freeze Exemption (FFE) for the python-barbicanclient library in Pike. Python-barbicanclient 4.5.0 was intended to be the Pike release. However, after it was released, testing with the Heat and Octavia projects found that it contained an incompatible change

Re: [openstack-dev] [security][barbican] PTG room sharing

2017-08-01 Thread Dave McCowan (dmccowan)
On 8/1/17, 12:21 PM, "Thierry Carrez" wrote: >Luke Hinds wrote: >> Thanks Dave, I will let Kendall know that we can free up the room from >> Mon / Tuesday, and instead have the sec proj join barbican on Wed / >>Thur. > >Note that we have extra room on Monday/Tuesday, so

Re: [openstack-dev] [security][barbican] PTG room sharing

2017-08-01 Thread Dave McCowan (dmccowan)
Hello Barbican Team, I believe there were some discussions on room sharing between the security project and barbican team. We are still keen on this in the security project. How would you like to work out logistics? Should we share PTG planning etherpads? We have 4 days between us, not sure

Re: [openstack-dev] [barbican] Help for Barbican and UWSGI Community Goal

2017-06-23 Thread Dave McCowan (dmccowan)
On 6/23/17, 2:24 PM, "Matthew Treinish" <mtrein...@kortar.org> wrote: >On Fri, Jun 23, 2017 at 04:11:50PM +0000, Dave McCowan (dmccowan) wrote: >> The Barbican team is currently lacking a UWSGI expert. >> We need help identifying what work items we have to mee

[openstack-dev] [barbican] Help for Barbican and UWSGI Community Goal

2017-06-23 Thread Dave McCowan (dmccowan)
The Barbican team is currently lacking a UWSGI expert. We need help identifying what work items we have to meet the UWSGI community goal.[1] Could someone with expertise in this area review our code and docs [2] and help me put together a to-do list? Thanks! Dave (dave-mccowan) [1]

Re: [openstack-dev] [openstack-ansible][security] Rename openstack-ansible-security role?

2017-05-17 Thread Dave McCowan (dmccowan)
> >So my questions are: > > 1) Should the openstack-ansible-security role be > renamed to alleviate confusion? +1 on the rename. > > 2) If it should be renamed, what's your suggestion? How about linux-ansible-security? > >Thanks! > >- -- >Major Hayden > >[0]

[openstack-dev] [barbican] [security] Project Onboarding in Boston

2017-05-03 Thread Dave McCowan (dmccowan)
Greetings! If you are interested in learning more about Barbican with a goal to contribute, please come to the Barbican Project Onboarding session on Tuesday, May 9, at 2pm in Room MR101. We'll be sharing the time slot with the Security project for those interested in becoming an OpenStack

[openstack-dev] [barbican] Nominating Jeremy Liu for Barbican Core

2017-04-24 Thread Dave McCowan (dmccowan)
I'm pleased to nominate Jeremy Liu for Barbican core. He's been a top reviewer and contributor to Barbican since Newton and his efforts are very much appreciated. http://stackalytics.com/?module=barbican-group_id=liujiong=pike Barbicaneers, please indicate your agreement by responding with +1.

Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican

2017-03-31 Thread Dave McCowan (dmccowan)
Another option: If you want to give User-A read access to all Project-B secrets, you could assign User-A the role of "observer" in Project-B. This would use the default RBAC policy, not give every user access to the secrets, and be more convenient than adding each user to the ACL of each

Re: [openstack-dev] Project Navigator Updates - Feedback Request

2017-03-31 Thread Dave McCowan (dmccowan)
On 3/31/17, 4:43 AM, "Thierry Carrez" wrote: >Brian Rosmaita wrote: >> On 3/29/17 12:55 AM, Jimmy McArthur wrote: >> [snip] >>> What we really need is the following: >>> >>> * A project history, including the date of project inception that's >>> included in the TC tags.

Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager

2017-03-20 Thread Dave McCowan (dmccowan)
p this way with individuals + oslo core + >keystone core is to make sure both core teams are involved in the >review process and any future contributors who are not part of either >team can be give core rights in oslo.policy. > >Is it ok to continue this model? > >Thanks,

Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager

2017-03-20 Thread Dave McCowan (dmccowan)
This sounds good to me. I see it as a "promotion" for Castellan into the core of OpenStack. I think a good first step in this direction is to create a castellan-drivers team in Launchpad and a castellan-core team in Gerrit. We can seed the list with Barbican core reviewers and any Oslo

Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager

2017-03-15 Thread Dave McCowan (dmccowan)
On 3/15/17, 6:51 AM, "Julien Danjou" wrote: >On Mon, Mar 13 2017, Clint Byrum wrote: > >> To me, Oslo is a bunch of libraries that encompass "the way OpenStack >> does ". When is key management, projects are, AFAICT, >>universally >> using Castellan at the moment.

Re: [openstack-dev] [barbican] Rolling upgrade in Barbican project

2017-02-28 Thread Dave McCowan (dmccowan)
Hi Nam-- Thanks for writing. Offline rolling upgrades is part of the current Barbican project. Better support and documentation for upgrades would be a welcome addition. 1) API Versioning Currently, Barbican only has one API version. The wiki you reference is an old list of ideas that we

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Dave McCowan (dmccowan)
On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > wrote: Hi everyone, I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-17 Thread Dave McCowan (dmccowan)
On 1/17/17, 5:37 AM, "Thierry Carrez" wrote: >I think the focus question is an illusion, as Ed brilliantly explained >in https://blog.leafe.com/openstack-focus/ > >The issue here is that it's just a lot more profitable career-wise and a >lot less risky to work first-level

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-17 Thread Dave McCowan (dmccowan)
On 1/16/17, 3:06 PM, "Ian Cordasco" <sigmaviru...@gmail.com> wrote: >-Original Message- >From: Dave McCowan (dmccowan) <dmcco...@cisco.com> >Reply: OpenStack Development Mailing List (not for usage questions) ><openstack-dev@lists.openstack.org

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-17 Thread Dave McCowan (dmccowan)
From: Duncan Thomas > Reply-To: "OpenStack Development Mailing List (not for usage questions)" > Date: Monday, January 16, 2017 at 5:33 PM To: "OpenStack

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-16 Thread Dave McCowan (dmccowan)
On 1/16/17, 11:52 AM, "Ian Cordasco" wrote: >-Original Message- >From: Rob C >Reply: OpenStack Development Mailing List (not for usage questions) > >Date: January 16, 2017 at 10:33:20 >To: OpenStack

Re: [openstack-dev] [barbican] Project Navigator Out of Date?

2017-01-16 Thread Dave McCowan (dmccowan)
Hi Ian-- Thanks for the reminder. As PTL, I know I have some action items to update our project navigator status. Speaking on behalf of the Barbican community, I can say that we do follow the rules of stable branches and deprecation. I'll submit a patch now to state this assertion. I

Re: [openstack-dev] [barbican] Nominating Arun Kant for barbican-core

2016-11-07 Thread Dave McCowan (dmccowan)
Arun has been a long-time terrific reviewer and contributor to Barbican. 100% +1 --Dave On 11/7/16, 9:37 AM, "Ade Lee" wrote: >Hi everyone, > >I'd like to nominate Arun Kant for the barbican-core team. > >Arun has been a very active contributor to the project over the past

[openstack-dev] [reno][i18n][barbican] msgmerge error on release notes build

2016-10-28 Thread Dave McCowan (dmccowan)
Hello Translations and Reno Team, I'm looking for help with the Barbican release notes job. In the last week, our release note gate job started failing with the following error. 2016-10-28 10:07:21.972504 | + resname=index 2016-10-28 10:07:21.972567 | + msgmerge --silent -o

Re: [openstack-dev] [nova][barbican][security] Ocata design summit session change

2016-10-14 Thread Dave McCowan (dmccowan)
Thanks Matt. Cross-project CI testing is something the Barbican team is very interested in. I'll make sure we have representation. On 10/13/16, 4:15 PM, "Matt Riedemann" wrote: >I've changed the nova design summit session on docs needed for newton to >now be a

Re: [openstack-dev] Pecan Version 1.2

2016-09-26 Thread Dave McCowan (dmccowan)
ucture test jobs until it passes all our tests? Prevent a fire drill? That bug was active back in July - but I guess 1.2 was released pretty recently? maybe I don't understand the timeline. -Clay On Mon, Sep 26, 2016 at 2:21 PM, Dave McCowan (dmccowan) <dmcco...@cisco.com<mailto:dmcco

[openstack-dev] Pecan Version 1.2

2016-09-26 Thread Dave McCowan (dmccowan)
The Barbican project uses Pecan as our web framework. At some point recently, OpenStack started picking up their new version 1.2. This version [1] changed one of their APIs such that certain calls that used to return 200 now return 204. This has caused immediate problems for Barbican (our

[openstack-dev] [barbican] PTL Candidacy

2016-09-15 Thread Dave McCowan (dmccowan)
Fellow Barbicaneers, I'd like to nominate myself to serve as Barbican PTL for the Ocata cycle. After talking it over with Doug (redrobot), I know I have a mentor in place. After talking it over with my employer, I know I will have the time and resources to dedicate to this position. I

Re: [openstack-dev] [kolla] OSIC scale testing

2016-08-26 Thread Dave McCowan (dmccowan)
Steve and I just set up and kicked off Scenario #4. The Rally test suite is running now. This is "Fourth Deployment" from https://etherpad.openstack.org/p/kolla-N-midcycle-osic This deployment is with two VIPs and TLS is configured on the external VIP. Nodes: 3 control, 12 storage (with ceph),

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Dave McCowan (dmccowan)
The most basic requirement here for Magnum is that it needs a safe place to store credentials. A safe place can not be provided by just a library or even by just a daemon. Secure storage is provided by either a hardware solution (an HSM) or a software solution (SoftHSM, DogTag, IPA, IdM). A

Re: [openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-15 Thread Dave McCowan (dmccowan)
+1 On 2/15/16, 12:45 PM, "Douglas Mendizábal" wrote: >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA512 > >Hi All, > >I would like to nominate Fernando Diaz for the Barbican Core team. >Fernando has been an enthusiastic contributor since joining the >Barbican

Re: [openstack-dev] [Barbican] Enabling GET of secrets to work irrespective of Tenant name in login

2015-11-16 Thread Dave McCowan (dmccowan)
Hi Vijay-- The recommended way for supporting that use case is to use Barbican's ACLs. It allows users from another project/tenant to access specific secrets. If the "demo admin" owns a secret and wants to give read access to "admin admin", the "demo admin" should create an ACL for the

Re: [openstack-dev] openstack-barbican-authenticate-keystone-barbican-command

2015-11-04 Thread Dave McCowan (dmccowan)
Hi Arif-- Maybe using the OpenStack client would be easier for you. It will take care of authenticating with Keystone, setting the HTTP headers, and providing reasonable defaults. It looks like you have installed OpenStack with DevStack. If this is the case: $ cd ~/devstack $

Re: [openstack-dev] openstack-barbican-authenticate-keystone-barbican-command

2015-10-21 Thread Dave McCowan (dmccowan)
Hi Arif-- Are you using Keystone for authentication? If so, you need to get an authentication token from Keystone and add it as a header to your curl command: -H "X-Auth-Token:$TOKEN". You do not need to specify the project ID (-H 'X-Project-Id:12345'). The project ID will be based

Re: [openstack-dev] [release] opening stable/liberty

2015-10-16 Thread Dave McCowan (dmccowan)
Hi Doug-- I will fix the Barbican branch. https://review.openstack.org/#/c/235157/ --Dave On 10/15/15, 2:30 PM, "Doug Hellmann" wrote: >One of the first steps for opening stable/liberty is to update the >version settings in the branches to no longer use

Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

2015-09-17 Thread Dave McCowan (dmccowan)
The tenant admin from Step 1, should also do Step 2. From: Vijay Venkatachalam > Reply-To: "OpenStack Development Mailing List (not for usage questions)"

Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

2015-09-16 Thread Dave McCowan (dmccowan)
A user with the role "observer" in a project will have read access to all secrets and containers for that project, using the default settings in the policy.json file. --Dave McCowan From: Vijay Venkatachalam > Reply-To:

Re: [openstack-dev] [all][tests] Fix it friday! [mock failure in CI]

2015-07-12 Thread Dave McCowan (dmccowan)
Has anyone else seen this error with the new mock? 'self' parameter lacking default value My function under test runs correctly, but then Mock throws this TypeError when comparing the parameters in assert_calls_with(). I'm seeing this in Barbican. More info below [1][2]. --Dave [1]