Tuesday, 2014-08-05

*** lisaclark1 has quit IRC		00:00
*** mdorman has quit IRC		00:06
*** crc32 has quit IRC		00:22
*** lisaclark1 has joined #openstack-barbican		00:26
*** lisaclark1 has quit IRC		00:33
*** SheenaG1 has joined #openstack-barbican		00:34
*** SheenaG11 has joined #openstack-barbican		00:37
*** SheenaG1 has quit IRC		00:38
*** uberj has quit IRC		00:44
*** uberj has joined #openstack-barbican		00:44
*** xianghui has quit IRC		00:53
*** lisaclark1 has joined #openstack-barbican		00:58
*** gyee has quit IRC		00:59
*** bdpayne has quit IRC		01:02
*** xianghui has joined #openstack-barbican		01:05
*** lisaclark1 has quit IRC		01:17
*** lisaclark1 has joined #openstack-barbican		01:18
*** lisaclark1 has quit IRC		01:22
*** lisaclark1 has joined #openstack-barbican		01:57
*** lisaclark1 has quit IRC		01:58
*** lisaclark1 has joined #openstack-barbican		01:59
*** bdpayne has joined #openstack-barbican		02:08
*** bubbva has quit IRC		02:40
*** bubbva has joined #openstack-barbican		02:41
*** lisaclark1 has quit IRC		02:44
*** bdpayne has quit IRC		02:56
*** bdpayne has joined #openstack-barbican		03:00
*** juantwo_ has quit IRC		03:25
*** woodster has quit IRC		03:25
*** juantwo has joined #openstack-barbican		03:26
*** ayoung has quit IRC		03:57
openstackgerrit	Steve Martinelli proposed a change to openstack/barbican-specs: Update doc theme for barbican-specs https://review.openstack.org/111899	04:45
*** juantwo has quit IRC		05:09
*** juantwo has joined #openstack-barbican		05:10
*** juantwo has quit IRC		05:14
*** jaosorior has joined #openstack-barbican		05:18
*** bdpayne has quit IRC		05:20
*** bdpayne has joined #openstack-barbican		05:21
*** bdpayne has quit IRC		05:54
openstackgerrit	Douglas Mendizábal proposed a change to openstack/barbican-specs: Add Containers to python-barbicanclient https://review.openstack.org/110056	05:56
jaosorior	rm_work: sleep aready :P	07:38
*** juantwo has joined #openstack-barbican		11:57
*** juantwo has quit IRC		11:58
*** juantwo has joined #openstack-barbican		11:59
*** alee has quit IRC		12:07
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/barbican: Do not override venv https://review.openstack.org/111998	12:17
*** akoneru has joined #openstack-barbican		12:22
openstackgerrit	Stanislaw Pitucha proposed a change to openstack/barbican-specs: Spec for certificate api addition https://review.openstack.org/108429	12:36
openstackgerrit	Stanislaw Pitucha proposed a change to openstack/barbican-specs: Spec for certificate api addition https://review.openstack.org/108429	12:39
*** alee_ has joined #openstack-barbican		13:04
*** alee has joined #openstack-barbican		13:06
*** lisaclark1 has joined #openstack-barbican		13:07
*** insequent has quit IRC		13:08
*** juantwo has quit IRC		13:14
*** hockeynut has quit IRC		13:14
*** jamielennox\|away has quit IRC		13:14
*** juantwo has joined #openstack-barbican		13:15
*** hockeynut has joined #openstack-barbican		13:15
*** jamielennox\|away has joined #openstack-barbican		13:15
*** lbragstad has quit IRC		13:18
*** lbragstad has joined #openstack-barbican		13:23
*** woodster has joined #openstack-barbican		13:23
*** lisaclark1 has quit IRC		13:28
*** SheenaG11 has quit IRC		13:33
*** lisaclark1 has joined #openstack-barbican		13:34
*** insequent has joined #openstack-barbican		13:35
*** rellerreller has joined #openstack-barbican		13:50
jaosorior	Mr. woodster, I had a comment on this CR: https://review.openstack.org/#/c/111601/ not a big deal but I wanted to know if you had any thought about it.	13:53
*** ayoung has joined #openstack-barbican		14:08
*** lisaclark2 has joined #openstack-barbican		14:09
*** lisaclark1 has quit IRC		14:13
*** paul_glass has joined #openstack-barbican		14:18
*** Kevin_Bishop has joined #openstack-barbican		14:26
*** mdorman has joined #openstack-barbican		14:30
*** lisaclark2 has quit IRC		14:55
*** lisaclark1 has joined #openstack-barbican		15:02
*** lisaclark1 has quit IRC		15:06
*** rellerreller has quit IRC		15:09
*** rellerreller has joined #openstack-barbican		15:09
*** lisaclark1 has joined #openstack-barbican		15:15
*** paul_glass has quit IRC		15:30
*** lisaclark2 has joined #openstack-barbican		15:32
*** paul_glass has joined #openstack-barbican		15:33
*** lisaclark2 has quit IRC		15:33
*** SheenaG1 has joined #openstack-barbican		15:33
*** lisaclark2 has joined #openstack-barbican		15:33
*** lisaclark1 has quit IRC		15:34
*** Kevin_Bishop has quit IRC		15:34
*** SheenaG11 has joined #openstack-barbican		15:34
*** SheenaG1 has quit IRC		15:38
*** Kevin_Bishop has joined #openstack-barbican		15:48
*** paul_glass has quit IRC		16:05
*** openstackstatus has quit IRC		16:17
*** openstack has joined #openstack-barbican		16:17
*** openstackstatus has joined #openstack-barbican		16:17
*** ChanServ sets mode: +v openstackstatus		16:17
*** paul_glass has joined #openstack-barbican		16:18
*** lisaclark2 has quit IRC		16:43
*** paul_glass has quit IRC		16:43
*** paul_glass has joined #openstack-barbican		16:46
*** Kevin_Bishop has quit IRC		16:48
*** gyee has joined #openstack-barbican		16:48
*** paul_glass has quit IRC		16:51
*** gyee has quit IRC		16:52
*** atiwari has joined #openstack-barbican		16:53
*** gyee has joined #openstack-barbican		16:55
*** bdpayne has joined #openstack-barbican		16:56
*** rellerreller has quit IRC		17:05
alee	woodster, ping	17:06
alee	woodster, looks like rellerreller has approved https://review.openstack.org/107111 -- just need you and jvrbanac :)	17:07
*** bdpayne has quit IRC		17:31
*** bdpayne has joined #openstack-barbican		17:33
*** lisaclark1 has joined #openstack-barbican		17:33
*** kaitlin-farr has joined #openstack-barbican		17:39
woodster	Alee: we are in planning meetings today but will weigh in later this afternoon for sure	17:52
alee	woodster, cool :)	17:52
*** SheenaG11 has quit IRC		17:56
*** lisaclark1 has quit IRC		17:57
openstackgerrit	Kaitlin Farr proposed a change to openstack/barbican: Adds store_secret_supports to secret_store https://review.openstack.org/110386	17:58
*** kaitlin-farr has quit IRC		18:00
*** lisaclark1 has joined #openstack-barbican		18:03
*** SheenaG1 has joined #openstack-barbican		18:03
*** paul_glass has joined #openstack-barbican		18:04
*** SheenaG11 has joined #openstack-barbican		18:05
*** Kevin_Bishop has joined #openstack-barbican		18:06
*** alee has quit IRC		18:07
*** SheenaG1 has quit IRC		18:07
*** alee has joined #openstack-barbican		18:07
*** jamielennox\|away is now known as jamielennox		18:13
*** kaitlin-farr has joined #openstack-barbican		18:13
*** bdpayne has quit IRC		18:30
*** bdpayne has joined #openstack-barbican		18:31
*** paul_glass has quit IRC		18:50
*** paul_glass has joined #openstack-barbican		18:56
*** lisaclark1 has quit IRC		18:56
*** alee_ has quit IRC		19:03
*** alee has quit IRC		19:03
*** SheenaG11 has quit IRC		19:09
*** lisaclark1 has joined #openstack-barbican		19:17
*** rm_mobile has joined #openstack-barbican		19:28
openstackgerrit	A change was merged to openstack/barbican: Correct container create response code to be 201 https://review.openstack.org/111302	19:29
rm_mobile	Woot	19:29
rm_mobile	Is consumer registration next? :P	19:30
chellygel	rm_mobile, we are currently reviewing it	19:31
rm_mobile	:P	19:31
rm_mobile	I'm stuck in intern presentations	19:31
rm_mobile	Speaking of which, I thought you were an intern :/	19:31
rm_mobile	Are you not? :P	19:32
chellygel	you should be enjoying those! -- nope im a dev :P	19:32
rm_mobile	Heh	19:32
chellygel	im young but not thaaaat young	19:32
rm_mobile	Same thing had happened to me at both this and my previous job	19:32
rm_mobile	I kept starting at the same time as the interns	19:32
rm_mobile	So people kept asking I was one T_T	19:33
rm_mobile	*assuming	19:33
rm_mobile	OK, out of that if you need anything	19:43
*** SheenaG1 has joined #openstack-barbican		19:47
*** SheenaG1 has quit IRC		19:55
openstackgerrit	Kaitlin Farr proposed a change to openstack/barbican: Adds store_secret_supports to secret_store https://review.openstack.org/110386	19:57
openstackgerrit	Kaitlin Farr proposed a change to openstack/barbican: Adds store_secret_supports to secret_store https://review.openstack.org/110386	19:59
*** kaitlin-farr has quit IRC		20:00
*** lisaclark1 has quit IRC		20:06
openstackgerrit	A change was merged to openstack/barbican-specs: Add Containers to python-barbicanclient https://review.openstack.org/110056	20:09
*** lisaclark1 has joined #openstack-barbican		20:09
chellygel	rm_mobile, we are approving some changes -- you will have to rebase :S	20:10
chellygel	rm_work, ? maybe?	20:10
rm_work	chellygel: yeah that's fine	20:10
rm_work	let me know when the last of them is merged	20:11
rm_work	I'm about ready	20:11
chellygel	yes, will do.	20:11
*** kaitlin-farr has joined #openstack-barbican		20:11
*** alee has joined #openstack-barbican		20:12
*** joel-coffman has joined #openstack-barbican		20:22
*** joel-coffman has quit IRC		20:23
openstackgerrit	John Wood proposed a change to openstack/barbican: Eager load KEKDatum record when EncryptedDatum is retrieved https://review.openstack.org/111601	20:23
rm_work	chellygel / reaperhulk / redrobot / woodster / hockeynut / jvrbanac / others: if I really am not expecting an exception to be raised, and if there were an exception it would be an "unknown serverside error", is just letting it raise the 500 it would raise by default an "ok" approach?	20:25
rm_work	I started typing "pecan.abort(500" and then realized that's what would get raised anyway if I didn't even put the try/catch in	20:26
openstackgerrit	A change was merged to openstack/barbican-specs: blueprint for restructuring the pkcs11 plugin to support wrap/unwrap https://review.openstack.org/107775	20:29
jaosorior	reaperhulk: Nice explanation for the spec 107775 :D I'm really eager to see some code for that	20:33
woodster	alee: are you there?	20:37
alee	woodster, yup	20:38
alee	woodster, in a meeting but I can answer questions ..	20:38
woodster	alee: no worries, just added a comment to https://review.openstack.org/#/c/107190/	20:39
woodster	jaosorior: I updated https://review.openstack.org/#/c/111601/ per your comments	20:40
*** juantwo has quit IRC		20:41
jaosorior	woodster: thanks, that looks classy :)	20:43
jaosorior	+1	20:43
*** paul_glass1 has joined #openstack-barbican		20:44
*** paul_glass has quit IRC		20:47
*** crc32 has joined #openstack-barbican		20:49
*** Kevin_Bishop has quit IRC		20:49
openstackgerrit	John Wood proposed a change to openstack/barbican: Eager load KEKDatum record when EncryptedDatum is retrieved https://review.openstack.org/111601	20:51
woodster	jaosorior: sorry, I somehow added an extra line in there :\	20:51
*** lisaclark1 has quit IRC		20:52
openstackgerrit	Chelsea Winfree proposed a change to openstack/barbican: Add Certificate Interface & Symantec Plugin https://review.openstack.org/107190	20:52
jaosorior	woodster: well, it's a small review, so it's not a big deal to check it from my phone. If it would be larger I would leave it for tomorrow	20:53
jaosorior	Like chellygel 's CR which I'll check in the morning	20:54
chellygel	;) jaosorior	20:54
jaosorior	Damn, laundry's boring X_x	20:54
*** paul_glass1 has quit IRC		20:56
jaosorior	chellygel: yooooo	20:58
*** paul_glass has joined #openstack-barbican		20:59
jaosorior	woodster: maybe it would be appropriate to change the commit message, since now it's not only about the KEKDatum and the EnxryptedDatum	21:00
jaosorior	But containers also	21:00
jaosorior	Anyway, my laundry's ready and I'm off. I'll check it tomorrow morning	21:01
jaosorior	Have a good one, people! :)	21:02
rm_work	chellygel / reaperhulk / redrobot / woodster / et al: can I assume everything is merged for today so I can rebase now?	21:14
*** lisaclark1 has joined #openstack-barbican		21:14
chellygel	yes rm_work should be good.	21:14
redrobot	rm_work https://review.openstack.org/#/c/105562/ is still in zuul queue	21:14
*** lisaclark1 has quit IRC		21:14
*** openstackgerrit has quit IRC		21:16
rm_work	k	21:16
bdpayne	anyone aware of a nice writeup somewhere on best practices for deploying barbican?	21:16
bdpayne	I've read through the getting started guide	21:17
bdpayne	but it feels like there's some holes and a lot of that is oriented towards dev rather than production	21:17
*** openstackgerrit has joined #openstack-barbican		21:17
rm_work	heh	21:17
*** lisaclark1 has joined #openstack-barbican		21:17
rm_work	yes, there are some holes :/	21:17
bdpayne	:-)	21:17
rm_work	and yeah, it's very dev oriented	21:17
bdpayne	fwiw, I lead the openstack security guide book effort, and as barbican matures I'll be looking to writeup something like this for the book	21:18
bdpayne	for now, I'm just looking to wrap my head around it all and understand what the devs believe to be best practices	21:18
rm_work	I just had to try to follow it a month or so ago, took me a bit to get everything set up :P	21:18
alee	woodster, I responded to your response.	21:18
openstackgerrit	Adam Harwell proposed a change to openstack/barbican: Add support to Barbican for consumer registration https://review.openstack.org/107845	21:18
redrobot	bdpayne I don't think we have a deployment guide yet, since we're still working through our own deployment	21:19
redrobot	bdpayne there's about 3 different back-end options in various stages of development, and each will bring their own sets of recommendations	21:20
bdpayne	ok	21:20
bdpayne	by backend, you mean where it stores the secrets?	21:20
redrobot	yes, in addition to how crypto operations are handled.	21:21
bdpayne	ok, interesting	21:21
bdpayne	I can certainly read through the code and learn as I go	21:21
bdpayne	just wanted to make sure I wasn't missing some valuable resource that someone took the time to put together :-)	21:21
redrobot	there's basically two choices for storage: Store encrypted data inside Barbican's SQL DB, or defer that to a 3rd party.	21:22
bdpayne	right, and it looks like the sqldb goes through sqlalchemy, so it can be mysql or postgres, etc?	21:22
redrobot	bdpayne correct. Fort 3rd party storage, it could be a KMIP device, or a DogTag instance	21:23
redrobot	we call those the SecretStore plugins	21:23
redrobot	so, DB, KMIP or DogTag are your SecretStore plugin options	21:24
bdpayne	gotcha	21:24
bdpayne	the other thing I was missing... is if there's some configuration needed for encrypting the secrets?	21:24
redrobot	the DB plugin, whose name escapes me at the moment also gives you the option of the Cryptographic Backend	21:24
bdpayne	so that the various workers can all read from the same backend	21:25
redrobot	both the API node, and the Worker node would have an instance of the SecretStore plugin	21:25
bdpayne	ah, perhaps this cryptographic backend is what I'm refering to?	21:25
redrobot	so cryptographic backend choices are: Dev plugin, which is what we're using out of the box	21:26
* bdpayne appreciates the walkthrough :-)		21:26
redrobot	and the PKCS11 plugin, which we'll be using to talk to Luna SA HSMs	21:26
redrobot	the dev cryptographic plugin is not recommended for a production deployment	21:27
redrobot	you're welcome :)	21:27
*** SheenaG1 has joined #openstack-barbican		21:28
redrobot	I've been meaning to write a guide to the pluggable backend system, but I haven't had time to get to it	21:28
bdpayne	so is the dev cryptographic backend just a null cipher?	21:28
redrobot	it uses Fernet from PyCA's cryptography lib	21:29
redrobot	but the master key is stored in the barbican config file	21:29
bdpayne	gotcha	21:29
bdpayne	so that's why you don't like it for production?	21:29
redrobot	yeah, since the master key would be stored in plaintext in any API or Worker node	21:30
bdpayne	however, this is probably the only option for a DB secretestore?	21:30
redrobot	no, the PKCS11 plugin would be the recommended option for DB SecretStore	21:30
bdpayne	hmm, ok, I'll check that out	21:30
*** rm_mobile has quit IRC		21:31
redrobot	the PKCS11 part is about to be refactored per this spec https://github.com/openstack/barbican-specs/blob/master/specs/juno/restructure-pkcs11-plugin.rst	21:31
redrobot	bdpayne actually, the plaintext file looks better https://raw.githubusercontent.com/openstack/barbican-specs/master/specs/juno/restructure-pkcs11-plugin.rst	21:31
bdpayne	ah, interesting	21:32
*** SheenaG1 has quit IRC		21:32
redrobot	all crypto opretations would happen in the PKCS11 device (HSM)	21:32
redrobot	no keying material will be available outside of the HSM	21:32
bdpayne	so what about deployments without an HSM?	21:33
redrobot	bdpayne we would recommend DogTag SecretStore as an alternative	21:33
bdpayne	heh... have you ever installed dogtag? ;-)	21:34
bdpayne	I mean... on a non RH system	21:34
bdpayne	alas, I digress	21:34
redrobot	hehe, yeah, I've heard that a couple of times :)	21:34
*** rm_mobile has joined #openstack-barbican		21:34
bdpayne	this gives me lot to start digging into	21:34
rm_work	fffff	21:34
bdpayne	which is right where I need to be right now	21:34
rm_work	woodster / redrobot / reaperhulk: the gate for 105562 didn't pass T_T	21:34
bdpayne	if I get this put together, I'll see about writting something up	21:35
redrobot	bdpayne awesome! thanks! If you have any more questions just let us know	21:35
bdpayne	will do!	21:35
*** kaitlin-farr has quit IRC		21:38
redrobot	rm_work heh... you're really earning that ATC status, huh?	21:38
redrobot	rm_work oh bummer, that's tsv's CR	21:40
rm_work	redrobot: T_T	21:41
redrobot	rm_work did you already rebase?	21:41
rm_work	yeah	21:42
rm_work	but not onto that	21:42
rm_work	>_>	21:42
rm_work	sooooo mine could totally go first ;)	21:42
*** akoneru is now known as akoneru_afk		21:42
rm_work	though I'm still waiting on my first check	21:43
* rm_work shakes fist at Zuul queue		21:43
*** akoneru_afk has quit IRC		21:44
alee	bdpayne, what system would you be installing on? dogtag can be installed on fedora or rhel. There has also been a lot of work done getting it to install on debian based systems.	21:48
alee	woodster, any questions about my response? or my patch?	21:48
openstackgerrit	Venkat Sundaram proposed a change to openstack/python-barbicanclient: remove tenant-id from uri https://review.openstack.org/112149	21:52
*** paul_glass has quit IRC		21:53
bdpayne	alee I'm looking at doing this on a highly modified version of ubuntu	21:53
bdpayne	I've tried doing dogtag before and it was... well, quite a bit more complex than I'd prefer for this deployment	21:53
rm_work	redrobot: woodster: reaperhulk: jvrbanac: hockeynut: could you take a look now? it will pass jenkins (with rechecks possibly, but i've tested the devstack deploy and functional tests and they will eventually pass)	22:04
rm_work	https://review.openstack.org/#/c/107845/	22:04
*** lisaclark1 has quit IRC		22:05
*** lisaclark1 has joined #openstack-barbican		22:12
*** lisaclark1 has quit IRC		22:12
*** lisaclark1 has joined #openstack-barbican		22:12
alee	bdpayne, fair enough, but you might want to take another look as things progress. A lot of work has gone into making the latest version of dogtag pretty seamless to install.	22:21
bdpayne	good to know	22:21
alee	bdpayne, and I'm working to make the barbican/dogtag interaction seamless too.	22:22
alee	and the latest version of dogtag will be in the next version of ubuntu.	22:22
*** atiwari has quit IRC		22:22
bdpayne	although, perhaps I'm missing something, but it still seems like a weird architecture to me	22:22
bdpayne	so dogtag stores a secret so that barbican can store other secrets	22:22
bdpayne	with an HSM, this all makes sense	22:23
bdpayne	but I don't get the security argument for dogtag	22:23
alee	bdpayne, dogtag has a known tested production backend to store secrets.	22:24
alee	whether in an hsm or not.	22:24
alee	all the secrets would be stored in dogtag	22:25
bdpayne	oh, I see	22:26
alee	bdpayne, there is a possible key wrapping mechanism to ensure secure transit of secrets from client through barbican to dogtag, but its not required.	22:26
bdpayne	so barbican just becomes an api middleware for dogtag?	22:26
rm_work	woodster: damn, dsvm did fail. not sure if i have to wait to recheck until the other tests finish <_<	22:26
alee	bdpayne, yup	22:26
alee	bdpayne, there is a lot that barbican will be doing - like generating symmetric and asymmetric keys and contacting CA's to get certs, but the idea will be for you be able to do that with dogtag as a backend	22:28
bdpayne	ok	22:29
bdpayne	so yeah, looks like there'a bit for me to explore with this as well	22:30
chellygel	rm_work, i dont think it matters... you can rerun it anyway -- it just wont cancel the firs tone	22:30
chellygel	first one*	22:30
*** juantwo has joined #openstack-barbican		22:30
*** juantwo has quit IRC		22:30
rm_work	hmm	22:30
bdpayne	I think I'll start with a basic install without dogtag, and then add that layer of complexity after things are otherwise working	22:30
rm_work	well, i tried "recheck no bug" (starting to think I should file a bug) and waiting to see what happens	22:30
alee	bdpayne, gotta go - but feel free to ask if you have any questions	22:30
*** juantwo has joined #openstack-barbican		22:30
bdpayne	yep, thanks	22:31
*** atiwari has joined #openstack-barbican		22:32
*** lisaclark1 has quit IRC		22:35
openstackgerrit	Arvind Tiwari proposed a change to openstack/barbican: Reorganize code to use store crypto plug-in https://review.openstack.org/111412	22:39
*** atiwari has quit IRC		22:45
*** ayoung has quit IRC		22:51
*** jaosorior has quit IRC		23:02
*** atiwari has joined #openstack-barbican		23:02
*** mdorman has quit IRC		23:21
openstackgerrit	Chelsea Winfree proposed a change to openstack/barbican: Add Certificate Interface & Symantec Plugin https://review.openstack.org/107190	23:24
*** atiwari has quit IRC		23:24
*** bdpayne has quit IRC		23:30
*** bdpayne has joined #openstack-barbican		23:33
openstackgerrit	Venkat Sundaram proposed a change to openstack/barbican: remove project-id from resource URIs https://review.openstack.org/105562	23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!