Re: [openstack-dev] [oslo] proposing Moisés Guimarães for oslo.config core

2018-08-01 Thread Raildo Mascena de Sousa Filho
+1

On Wed, Aug 1, 2018 at 11:49 AM Ben Nemec  wrote:

> +1
>
> On 08/01/2018 08:27 AM, Doug Hellmann wrote:
> > Moisés Guimarães (moguimar) did quite a bit of work on oslo.config
> > during the Rocky cycle to add driver support. Based on that work,
> > and a discussion we have had since then about general cleanup needed
> > in oslo.config, I think he would make a good addition to the
> > oslo.config review team.
> >
> > Please indicate your approval or concerns with +1/-1.
> >
> > Doug
> >
> >
> > __
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
-- 

Raildo mascena

Software Engineer, Identity Management

Red Hat



TRIED. TESTED. TRUSTED. 


[openstack-dev] [oslo.config][castellan][tripleo][ptg]Protecting plain text secrets in configuration files

2018-02-02 Thread Raildo Mascena de Sousa Filho
Hello folks,

Various regulations and best practices say that passwords and other secret
values should not be stored in plain text in configuration files. There are
“secret store” services to manage values that should be kept secure.
Castellan provides an abstraction API for accessing those services. [1]
In this manner, several different management services can be supported
through a single interface. Then, we will be able to use a Castellan
reference for those secrets and store them using a proper key store backend.
Currently Castellan supports Barbican and Vault as backends, so for this
case we should use a lighter solution, such as Custodia[2], which works
as a Secrets-as-a-Service API and is a lightweight solution compared
with Barbican. Besides that, Custodia has some good features, like an
overlaid encryption backend that can be used to store that secret.

Currently, we have the oslo.config interface for pluggable drivers in
progress[3], and also the Custodia backend support for Castellan.[4] We are
planning to start the Castellan driver for oslo.config as soon as we have
that interface done.

In the next few weeks, there will be the Dublin PTG and we are planning to
discuss this topic more in the Oslo session[5], so if you are interested in
discussing/contributing to this topic and you will be attending the PTG,
please add yourself as an interested person in the topic. Also, we are
planning to integrate this whole feature with TripleO in the near future, so
we are planning to discuss with the TripleO team a proper way to have that
supported as well.[6]

Finally, if you want to be closer to this topic, or if you want to contribute
to this feature, we are having weekly meetings on Tuesday at 1600 UTC on
#openstack-meeting-3. We will be glad to have you working with us.

[1] https://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html
[2] https://custodia.readthedocs.io/en/latest/readme.html
[3] https://review.openstack.org/#/c/513844/
[4] https://review.openstack.org/#/c/515190/
[5] https://etherpad.openstack.org/p/oslo-ptg-rocky
[6] https://etherpad.openstack.org/p/tripleo-ptg-rocky
[7] https://etherpad.openstack.org/p/oslo-config-plaintext-secrets

Cheers,

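Added example, not part of the original message and not oslo.config or Castellan code: a standard-library Python sketch of the idea in the message above, where a configuration file carries a reference to a secret and a key manager behind a single interface resolves it, while secret-looking options still held in plain text are reported. The "secret-ref:" syntax, the InMemoryKeyManager class, the option-name pattern and the sample file are all assumptions made for illustration.

```python
import configparser
import re

# Constructed sample: one option holds a reference, one still holds plaintext.
SAMPLE_CONF = """
[database]
connection = mysql+pymysql://nova@db.example.test/nova
password = secret-ref:3f1c9a
[keystone_authtoken]
username = nova
password = SuperSecret123
"""

# Hypothetical heuristic for option names that usually carry secrets.
SECRET_OPTION = re.compile(r"(password|secret|token|_key)$", re.IGNORECASE)
REF_PREFIX = "secret-ref:"  # hypothetical reference syntax, not a real format


class InMemoryKeyManager:
    """Stand-in for a secret store backend reached through one interface."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def get(self, ref_id):
        # Fail closed: an unknown reference must never resolve to a default.
        if ref_id not in self._secrets:
            raise KeyError(f"unknown secret reference {ref_id!r}")
        return self._secrets[ref_id]


def load_config(text, key_manager):
    """Return (resolved options, names of options still stored in plaintext)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    resolved, findings = {}, []
    for section in parser.sections():
        for option, value in parser.items(section):
            if value.startswith(REF_PREFIX):
                # The file only holds the reference; the value lives in the store.
                value = key_manager.get(value[len(REF_PREFIX):])
            elif SECRET_OPTION.search(option) and value:
                findings.append(f"{section}.{option}")
            resolved[(section, option)] = value
    return resolved, findings


if __name__ == "__main__":
    km = InMemoryKeyManager({"3f1c9a": "db-pass-from-store"})
    options, plaintext = load_config(SAMPLE_CONF, km)
    print("plaintext secrets still in file:", plaintext)
```
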


Re: [openstack-dev] [keystone] adding Gage Hugo to keystone core

2018-01-16 Thread Raildo Mascena de Sousa Filho
+1

Congrats Gage, very well deserved!

Cheers,

On Tue, Jan 16, 2018 at 4:02 PM Lance Bragstad  wrote:

> Hey folks,
>
> In today's keystone meeting we made the announcement to add Gage Hugo
> (gagehugo) as a keystone core reviewer [0]! Gage has been actively
> involved in keystone over the last several cycles. Not only does he
> provide thorough reviews, but he's really stepped up to help move the
> project forward by keeping a handle on bugs, fielding questions in the
> channel, and being diligent about documentation (especially during
> in-person meet ups).
>
> Thanks for all the hard work, Gage!
>
> [0] http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-01-16-18.00.log.html
>




Re: [openstack-dev] [oslo][oslo.config] pluggable drivers for oslo.config spec ready for review

2017-11-22 Thread Raildo Mascena de Sousa Filho
Hello folks,

Since this topic has been discussed for a while, I'll give some updates on
our current progress and what the next steps are for that.

Yesterday, the spec for oslo.config drivers was approved [1] and we
started the implementation [2] of that spec. After that, we should be
able to implement a Castellan driver for oslo.config, which will provide
the ability to use a Castellan reference for those secrets and store them
using a proper key store backend.
Besides that, we are implementing the Custodia support for the key manager
to store/fetch secrets on Castellan [3].

Finally, as next steps for the Rocky release, we should discuss (maybe at the
next PTG) some points like using a deployment tool like Ansible or
Puppet, through the TripleO service, to create those secrets and store them
properly on Custodia, following that Castellan driver for oslo.config. So,
later, we will be able to restore them properly in the configuration files.

[1] https://review.openstack.org/#/c/454897/7
[2] https://review.openstack.org/#/c/513844/
[3] https://review.openstack.org/#/c/515190/

Regards,

On Mon, Nov 20, 2017 at 1:42 PM Doug Hellmann  wrote:

> Excerpts from Jay Pipes's message of 2017-11-20 11:02:33 -0500:
> > On 11/20/2017 10:19 AM, Doug Hellmann wrote:
> > > The spec for adding pluggable drivers to oslo.config is ready for a
> > > final queens review [1]. The latest draft should be simpler to implement
> > > (important given where we are in the schedule) at the expense of always
> > > requiring at least one configuration file to specify the location of
> > > other configuration sources. We can improve on that design in the future
> > > when we have the drivers working.
> >
> > Hi Doug. Is this spec crucial for various PCI/security-minded folks to
> > review due to how plaintext configuration options are currently handled
> > for sensitive things like password and user/project IDs?
> >
> > Best,
> > -jay
> >
>
> The spec is meant to enable securely storing secrets, but it's
> foundation work before the secret store driver can actually be
> implemented so it doesn't go into a lot of detail about the castellan
> driver. Still, I would appreciate if the folks interested in that
> feature look at it.
>
> Doug
>


Re: [openstack-dev] [oslo][oslo.config][ansible][tripleo][kolla][ptg] Pluggable drivers and protect plaintext secrets

2017-08-24 Thread Raildo Mascena de Sousa Filho
So, I didn't find that topic in the TripleO umbrella[1]. Emilien, can you
confirm that?
If not, I have a suggestion: we can schedule it in the reservable rooms, and
if we confirm that it can be done in the TripleO or any other team's
agenda, we can remove it.

What do you guys think?

[1] https://etherpad.openstack.org/p/tripleo-ptg-queens

On Mon, Aug 21, 2017 at 11:54 AM Doug Hellmann wrote:

> Excerpts from Raildo Mascena de Sousa Filho's message of 2017-08-17
> 12:16:15 +:
> > Hi all,
> >
> > Should we reserve a room in the extra session ethercalc [0] or we
> > already have a time slot scheduled for that discussion?
> >
> > [0] https://ethercalc.openstack.org/Queens-PTG-Discussion-Rooms
>
> I think this topic was on Emilien's list for TripleO. Would the other
> groups mind if the TripleO team hosts the discussion in their room? That
> would save the more limited reservable rooms for discussions that don't
> have an obvious host.
>
> Doug
>


Re: [openstack-dev] [barbican] [security] custodia @ PTG

2017-08-18 Thread Raildo Mascena de Sousa Filho
Sure, I'll be there, see you guys on Thursday.

On Thu, Aug 17, 2017 at 1:53 PM Luke Hinds <lhi...@redhat.com> wrote:

> Hi Raildo,
>
> That's great news. Are you around next Thursday to jump on
> #openstack-meeting-alt at 17:00 UTC? we can then go over some topics.
>
> @Dave, unless you prefer to use the Barbican meeting that is (possible
> synergies to barbican)?
>
> Regards,
>
> Luke
>
> On Thu, Aug 17, 2017 at 1:10 PM, Raildo Mascena de Sousa Filho <
> rmasc...@redhat.com> wrote:
>
>> Hi Luke,
>>
>> I'll definitely be there, sounds like a great idea, so we can clarify a
>> lot of topics and make progress in the community together.
>>
>> Cheers,
>>
>>
>> On Thu, Aug 17, 2017 at 5:52 AM Luke Hinds <lhi...@redhat.com> wrote:
>>
>>> Hi Raildo,
>>>
>>> Both Barbican and Security have an interest in custodia and we have it
>>> marked down as a topic / discussion point for the PTG [1]
>>>
>>> Would you be interested / willing to join the Barbican room on Thurs /
>>> Fri and propose a walk through / overview etc?
>>>
>>> [1] https://etherpad.openstack.org/p/barbican-ptg-queens
>>>
>>>
>>> Regards,
>>>
>>> Luke
>>>
>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
> 12 52 36 2483
>


Re: [openstack-dev] [oslo][oslo.config][ansible][tripleo][kolla][ptg] Pluggable drivers and protect plaintext secrets

2017-08-17 Thread Raildo Mascena de Sousa Filho
Well, it was the first option but unfortunately, Doug doesn't have any free
time slot on those days, so we have to postpone that discussion to the end
of the week.

On Thu, Aug 17, 2017 at 9:41 AM Thierry Carrez <thie...@openstack.org> wrote:

> Raildo Mascena de Sousa Filho wrote:
> > Hi all,
> >
> > Should we reserve a room in the extra session ethercalc [0] or
> > we already have a time slot scheduled for that discussion?
> >
> > [0] https://ethercalc.openstack.org/Queens-PTG-Discussion-Rooms
>
> It feels like this discussion could be scheduled in the Oslo room as
> well. I guess it depends whether you need extra room :)
>
> --
> Thierry Carrez (ttx)
>


Re: [openstack-dev] [oslo][oslo.config][ansible][tripleo][kolla][ptg] Pluggable drivers and protect plaintext secrets

2017-08-17 Thread Raildo Mascena de Sousa Filho
Hi all,

Should we reserve a room in the extra session ethercalc [0] or we
already have a time slot scheduled for that discussion?

[0] https://ethercalc.openstack.org/Queens-PTG-Discussion-Rooms

Cheers,

On Tue, Aug 8, 2017 at 7:49 AM Thierry Carrez  wrote:

> Emilien Macchi wrote:
> > On Mon, Aug 7, 2017 at 9:15 AM, Doug Hellmann wrote:
> >> Kendall & Thierry, what do we need to do to reserve that room if we
> >> can't find space in another team room?
> >
> > Worst case, we can use a slot from TripleO - this topic is also
> > critical to us and I think we can make our schedule to have one free
> > room during the 2 and a half days that we have.
> > Just let me know.
>
> It could also be scheduled in one of the extra reservable rooms we have
> on Thursday/Friday. The ethercalc for that should be up next week.
>
> --
> Thierry Carrez (ttx)
>


Re: [openstack-dev] [barbican] [security] custodia @ PTG

2017-08-17 Thread Raildo Mascena de Sousa Filho
Hi Luke,

I'll definitely be there, sounds like a great idea, so we can clarify a lot
of topics and make progress in the community together.

Cheers,


On Thu, Aug 17, 2017 at 5:52 AM Luke Hinds  wrote:

> Hi Raildo,
>
> Both Barbican and Security have an interest in custodia and we have it
> marked down as a topic / discussion point for the PTG [1]
>
> Would you be interested / willing to join the Barbican room on Thurs / Fri
> and propose a walk through / overview etc?
>
> [1] https://etherpad.openstack.org/p/barbican-ptg-queens
>
>
> Regards,
>
> Luke
>


[openstack-dev] [oslo][oslo.config] Pluggable drivers and protect plaintext secrets

2017-08-04 Thread Raildo Mascena de Sousa Filho
Hi all,

We had a couple of discussions with the Oslo team related to implementing
pluggable drivers for oslo.config[0] and using that feature to implement
support for protecting plaintext secrets in configuration files[1].

On the other hand, due to the containerized support on OpenStack services, we
have a community effort to implement k8s ConfigMap support[2][3], which
might make us step back and consider how secret management will work, since
the config data will need to go into the configmap *before* the container
is launched.

So, I would like to see what the community thinks. Should we continue
working on the pluggable drivers and the plain text secrets protection
support for oslo.config? Does it make sense to have a PTG session[4] on Oslo
to discuss that feature?

Thanks for the feedback in advance.

Cheers,

[0] https://review.openstack.org/#/c/454897/
[1] https://review.openstack.org/#/c/474304/
[2] https://github.com/flaper87/keystone-k8s-ansible/blob/6524b768d75a28adf44c74aca77ccf13dd66b1a9/provision-keystone-apb/tasks/main.yaml#L71-L108
[3] https://kubernetes.io/docs/tasks/configure-pod-container/configmap/
[4] https://etherpad.openstack.org/p/oslo-ptg-queens