Hello Zane--
Yes, this vision is consistent with the Barbican team's vision.
Barbican provides an abstraction layer over HSMs and other secret
storage services. We have a plugin architecture to enable this
abstraction over a variety of backends. Vault is a recent addition to our
supported
+1
This is a great time.
On 6/14/18, 4:30 PM, "Ade Lee" wrote:
>The new time slot has been pretty difficult for folks to attend.
>I'd like to propose a new time slot, which will hopefully be more
>amenable to everyone.
>
>Tuesday 12:00 UTC
>
>https://www.timeanddate.com/worldclock/fixedtime.html
On 12/12/17, 3:15 PM, "Doug Hellmann" wrote:
>Excerpts from Dave McCowan (dmccowan)'s message of 2017-12-12 19:56:49
>+:
>>
>> On 12/12/17, 10:38 AM, "Doug Hellmann" wrote:
>>
>> >
>> >> On Dec 12, 2017, at 9:42 AM,
On 12/12/17, 10:38 AM, "Doug Hellmann" wrote:
>
>> On Dec 12, 2017, at 9:42 AM, Paul Bourke wrote:
>>
>> From my understanding it would be a cleanup operation - which to be
>>honest, would be very much welcomed. I recently did a little work with
>>Castellan to integrate it with Murano and fou
On 12/5/17, 11:37 AM, "Matt Riedemann" wrote:
>On 12/5/2017 2:52 AM, na...@vn.fujitsu.com wrote:
>> Hi all,
>>
>> Barbican's team are considering whether the Certificate Orders and CAs
>>should be removed or not [1]. And we would like to hear information from
>>other projects. If you are using
We're working on the Barbican Onboarding session now. I don't think our Boston
session went very well, and the results borne out; we were unable to convert
any attendee to active contributor. It was a much bigger group than I was
expecting and everyone was at a different starting point . I wa
Hi Alan--
Since a fixed-key implementation is not secure, I would prefer not adding
it to Castellan. Our desire is that Castellan can be a best-practice project
to encourage operators to use key management securely.
I'm all for consolidating code and providing good migration paths from
On 8/1/17, 8:02 PM, "Tony Breeds" wrote:
>On Tue, Aug 01, 2017 at 04:58:22PM -0400, Doug Hellmann wrote:
>> Excerpts from Dave McCowan (dmccowan)'s message of 2017-08-01 20:48:12
>>+:
>> > This note is to request a Feature Freeze Exemption (FFE) for
This note is to request a Feature Freeze Exemption (FFE) for the
python-barbicanclient library in Pike.
Python-barbicanclient 4.5.0 was intended to be the Pike release. However,
after it was released, testing with the Heat and Octavia projects found that it
contained an incompatible change res
On 8/1/17, 12:21 PM, "Thierry Carrez" wrote:
>Luke Hinds wrote:
>> Thanks Dave, I will let Kendall know that we can free up the room from
>> Mon / Tuesday, and instead have the sec proj join barbican on Wed /
>>Thur.
>
>Note that we have extra room on Monday/Tuesday, so it would be OK to
>keep
Hello Barbican Team,
I believe there were some discussions on room sharing between the security
project and barbican team.
We are still keen on this in the security project. How would you like to work
out logistics?
Should we share PTG planning etherpads?
We have 4 days between us, not sure
On 6/23/17, 2:24 PM, "Matthew Treinish" wrote:
>On Fri, Jun 23, 2017 at 04:11:50PM +, Dave McCowan (dmccowan) wrote:
>> The Barbican team is currently lacking a UWSGI expert.
>> We need help identifying what work items we have to meet the UWSGI
>>community
The Barbican team is currently lacking a UWSGI expert.
We need help identifying what work items we have to meet the UWSGI community
goal.[1]
Could someone with expertise in this area review our code and docs [2] and help
me put together a to-do list?
Thanks!
Dave (dave-mccowan)
[1] https://gove
>
>So my questions are:
>
> 1) Should the openstack-ansible-security role be
> renamed to alleviate confusion?
+1 on the rename.
>
> 2) If it should be renamed, what's your suggestion?
How about linux-ansible-security?
>
>Thanks!
>
>- --
>Major Hayden
>
>[0]
>https://www.openstack.org/s
Greetings!
If you are interested in learning more about Barbican with a goal to
contribute, please come to the Barbican Project Onboarding session on Tuesday,
May 9, at 2pm in Room MR101.
We'll be sharing the time slot with the Security project for those interested
in becoming an OpenStack Sec
I'm pleased to nominate Jeremy Liu for Barbican core.
He's been a top reviewer and contributor to Barbican since Newton and his
efforts are very much appreciated.
http://stackalytics.com/?module=barbican-group&user_id=liujiong&release=pike
Barbicaneers, please indicate your agreement by respond
Another option:
If you want to give User-A read access to all Project-B secrets, you could
assign User-A the role of "observer" in Project-B.
This would use the default RBAC policy, not give every user access to the
secrets, and be more convenient than adding each user to the ACL of each
secret.
On 3/31/17, 4:43 AM, "Thierry Carrez" wrote:
>Brian Rosmaita wrote:
>> On 3/29/17 12:55 AM, Jimmy McArthur wrote:
>> [snip]
>>> What we really need is the following:
>>>
>>> * A project history, including the date of project inception that's
>>> included in the TC tags.
>>> * An API history in
dividuals + oslo core +
>keystone core is to make sure both core teams are involved in the
>review process and any future contributors who are not part of either
>team can be give core rights in oslo.policy.
>
>Is it ok to continue this model?
>
>Thanks,
>Dims
>
>On Mon, Ma
This sounds good to me. I see it as a "promotion" for Castellan into the
core of OpenStack. I think a good first step in this direction is to
create a castellan-drivers team in Launchpad and a castellan-core team in
Gerrit. We can seed the list with Barbican core reviewers and any Oslo
volunteer
On 3/15/17, 6:51 AM, "Julien Danjou" wrote:
>On Mon, Mar 13 2017, Clint Byrum wrote:
>
>> To me, Oslo is a bunch of libraries that encompass "the way OpenStack
>> does ". When is key management, projects are, AFAICT,
>>universally
>> using Castellan at the moment. So I think it fits in
Hi Nam--
Thanks for writing. Offline rolling upgrades is part of the current
Barbican project. Better support and documentation for upgrades would be
a welcome addition.
1) API Versioning
Currently, Barbican only has one API version. The wiki you reference is
an old list of ideas that we st
On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco
mailto:sigmaviru...@gmail.com>> wrote:
Hi everyone,
I've seen a few nascent projects wanting to implement their own secret
storage to either replace Barbican or avoid adding a dependency on it.
When I've pressed the developers on this point, the only
On 1/17/17, 5:37 AM, "Thierry Carrez" wrote:
>I think the focus question is an illusion, as Ed brilliantly explained
>in https://blog.leafe.com/openstack-focus/
>
>The issue here is that it's just a lot more profitable career-wise and a
>lot less risky to work first-level user-visible features li
On 1/16/17, 3:06 PM, "Ian Cordasco" wrote:
>-Original Message-
>From: Dave McCowan (dmccowan)
>Reply: OpenStack Development Mailing List (not for usage questions)
>
>Date: January 16, 2017 at 13:03:41
>To: OpenStack Development Mailing List (not for usag
From: Duncan Thomas mailto:duncan.tho...@gmail.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)"
mailto:openstack-dev@lists.openstack.org>>
Date: Monday, January 16, 2017 at 5:33 PM
To: "OpenStack Development Mailing List (not for usage questions)"
mailto:openstack-
On 1/16/17, 11:52 AM, "Ian Cordasco" wrote:
>-Original Message-
>From: Rob C
>Reply: OpenStack Development Mailing List (not for usage questions)
>
>Date: January 16, 2017 at 10:33:20
>To: OpenStack Development Mailing List (not for usage questions)
>
>Subject: Re: [openstack-dev] [al
Hi Ian--
Thanks for the reminder. As PTL, I know I have some action items to
update our project navigator status.
Speaking on behalf of the Barbican community, I can say that we do
follow the rules of stable branches and deprecation. I'll submit a patch
now to state this assertion.
I als
Arun has been a long-time terrific reviewer and contributor to Barbican.
100% +1
--Dave
On 11/7/16, 9:37 AM, "Ade Lee" wrote:
>Hi everyone,
>
>I'd like to nominate Arun Kant for the barbican-core team.
>
>Arun has been a very active contributor to the project over the past
>few years, imple
Hello Translations and Reno Team,
I'm looking for help with a the Barbican release notes job.
In the last week, our release note gate job starting failing with the following
error.
2016-10-28 10:07:21.972504 | + resname=index
2016-10-28 10:07:21.972567 | + msgmerge --silent -o
releasenotes/sour
Thanks Matt.
Cross-project CI testing is something the Barbican team is very interested
in.
I'll make sure we have representation.
On 10/13/16, 4:15 PM, "Matt Riedemann" wrote:
>I've changed the nova design summit session on docs needed for newton to
>now be a session to cover the various securi
ck in July - but I guess 1.2 was released pretty
recently? maybe I don't understand the timeline.
-Clay
On Mon, Sep 26, 2016 at 2:21 PM, Dave McCowan (dmccowan)
mailto:dmcco...@cisco.com>> wrote:
The Barbican project uses Pecan as our web framework.
At some point recently,
The Barbican project uses Pecan as our web framework.
At some point recently, OpenStack started picking up their new version 1.2.
This version [1] changed one of their APIs such that certain calls that used to
return 200 now return 204. This has caused immediate problems for Barbican
(our ga
Fellow Barbicaneers,
I'd like to nominate myself to serve as Barbican PTL for the Ocata cycle.
After talking it over with Doug (redrobot), I know I have a mentor in place.
After talking it over with my employer, I know I will have the time and
resources to dedicate to this position.
I firs
Steve and I just setup and kicked off Scenario #4.
The Rally test suite is running now.
This is "Fourth Deployment" from
https://etherpad.openstack.org/p/kolla-N-midcycle-osic
This deployment is with two VIPs and TLS is configured on the external VIP.
Nodes: 3 control, 12 storage (with ceph), 100
The most basic requirement here for Magnum is that it needs a safe place to
store credentials. A safe place can not be provided by just a library or even
by just a daemon. Secure storage is provided by either hardware solution (an
HSM) or a software solution (SoftHSM, DogTag, IPA, IdM). A pr
+1
On 2/15/16, 12:45 PM, "Douglas Mendizábal"
wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA512
>
>Hi All,
>
>I would like to nominate Fernando Diaz for the Barbican Core team.
>Fernando has been an enthusiastic contributor since joining the
>Barbican team. He is currently the most activ
Hi Vijay--
The recommended way for supporting that use case is to use Barbican's
ACLs. It allows user's from another project/tenant to access specific
secrets
If the "demo admin" owns a secret and wants to give read access to
"admin admin", the "demo admin" should create a ACL for the se
Hi Arif--
Maybe using the OpenStack client would be easier for you. It will take
care of authenticating with Keystone, setting the HTTP headers, and providing
reasonable defaults.
It looks like you have installed OpenStack with DevStack. If this is the
case:
$ cd ~/devstack
$
Hi Arif--
Are you using Keystone for authentication?
If so, you need to get an authentication token from Keystone and add it as
a header to your curl command: -H "X-Auth-Token:$TOKEN".
You do not need to specify the project ID (-H 'X-Project-Id:12345'). The
project ID will be based o
Hi Doug--
I will fix the Barbican branch.
https://review.openstack.org/#/c/235157/
--Dave
On 10/15/15, 2:30 PM, "Doug Hellmann" wrote:
>One of the first steps for opening stable/liberty is to update the
>version settings in the branches to no longer use pre-versioning.
>Thierry submitted a
The tenant admin from Step 1, should also do Step 2.
From: Vijay Venkatachalam
mailto:vijay.venkatacha...@citrix.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)"
mailto:openstack-dev@lists.openstack.org>>
Date: Wednesday, September 16, 2015 at 9:57 PM
To: "OpenStac
A user with the role "observer" in a project will have read access to all
secrets and containers for that project, using the default settings in the
policy.json file.
--Dave McCowan
From: Vijay Venkatachalam
mailto:vijay.venkatacha...@citrix.com>>
Reply-To: "OpenStack Development Mailing List
Has anyone else seen this error with the new mock?
'self' parameter lacking default value
My function under test runs correctly, but then Mock throws this TypeError
when comparing the parameters in assert_calls_with().
I'm seeing this in Barbican. More info below [1][2].
--Dave
[1] Compl
44 matches
Mail list logo