Wednesday, 2014-12-03

« Tuesday, 2014-12-02 Index Thursday, 2014-12-04 »
*** kgriffs is now known as kgriffs|afk00:02
*** JeffF has quit IRC00:06
*** ryanpetrello has quit IRC00:22
*** kebray has joined #openstack-barbican00:28
*** ryanpetrello has joined #openstack-barbican00:31
openstackgerritJohn Wood proposed openstack/barbican-specs: Add worker retry and future updates support  https://review.openstack.org/12811300:34
openstackgerritAdam Harwell proposed openstack/barbican: Remove py26 from tox.ini  https://review.openstack.org/13857000:37
*** dave-mccowan_ has joined #openstack-barbican00:46
*** dave-mccowan has quit IRC00:49
*** dave-mccowan_ is now known as dave-mccowan00:49
*** ryanpetrello has quit IRC00:52
*** jorge_munoz has joined #openstack-barbican00:54
*** zz_dimtruck is now known as dimtruck00:56
*** jorge_munoz has quit IRC01:03
*** jorge_munoz has joined #openstack-barbican01:12
*** jorge_munoz has quit IRC01:14
*** jorge_munoz has joined #openstack-barbican01:23
*** dimtruck is now known as zz_dimtruck01:28
*** ryanpetrello has joined #openstack-barbican01:34
*** ryanpetrello has quit IRC01:48
*** jorge_munoz has quit IRC02:01
*** zz_dimtruck is now known as dimtruck02:13
*** ayoung has joined #openstack-barbican02:17
*** ryanpetrello has joined #openstack-barbican02:26
*** ryanpetrello has quit IRC02:31
*** dimtruck is now known as zz_dimtruck02:57
*** kgriffs|afk is now known as kgriffs02:59
*** ryanpetrello has joined #openstack-barbican03:02
*** kgriffs is now known as kgriffs|afk03:09
*** ryanpetrello has quit IRC03:12
*** ryanpetrello has joined #openstack-barbican03:31
*** zz_dimtruck is now known as dimtruck03:32
*** woodster_ has quit IRC03:40
*** kebray has quit IRC03:42
*** jamielennox is now known as jamielennox|away03:44
*** jamielennox|away is now known as jamielennox04:20
*** dave-mccowan has quit IRC04:29
*** ryanpetrello has quit IRC04:47
*** Nirupama has joined #openstack-barbican05:37
*** woodster_ has joined #openstack-barbican06:13
*** gyee_ has quit IRC06:36
*** alee has quit IRC07:13
*** alee has joined #openstack-barbican07:13
openstackgerritMerged openstack/barbican: Container deletion will now clean up Consumers  https://review.openstack.org/13686607:30
*** usimha has quit IRC07:49
*** himhiker has joined #openstack-barbican07:49
*** openstackgerrit has quit IRC07:50
*** openstackgerrit has joined #openstack-barbican07:50
*** woodster_ has quit IRC08:20
*** himhiker has quit IRC09:42
*** himhiker has joined #openstack-barbican10:11
*** SheenaG1 has joined #openstack-barbican11:37
*** Nirupama has quit IRC12:55
*** woodster_ has joined #openstack-barbican13:00
*** ryanpetrello has joined #openstack-barbican13:07
*** ryanpetrello has quit IRC13:37
*** ryanpetrello has joined #openstack-barbican13:46
*** ryanpetrello has quit IRC13:50
*** dave-mccowan has joined #openstack-barbican13:58
*** dimtruck is now known as zz_dimtruck14:38
*** rellerreller has joined #openstack-barbican14:45
*** ayoung has quit IRC15:00
*** SheenaG1 has quit IRC15:04
*** woodster_ has quit IRC15:10
*** zz_dimtruck is now known as dimtruck15:19
*** JeffF has joined #openstack-barbican15:28
*** SheenaG1 has joined #openstack-barbican15:41
*** jorge_munoz has joined #openstack-barbican15:42
openstackgerritMerged openstack/barbican: Remove py26 from tox.ini  https://review.openstack.org/13857015:53
*** kgriffs|afk is now known as kgriffs16:01
*** jorge_munoz has quit IRC16:05
*** kebray has joined #openstack-barbican16:05
*** jorge_munoz has joined #openstack-barbican16:08
*** jorge_munoz has quit IRC16:13
*** kebray has quit IRC16:13
aleeredrobot, ping16:18
redrobotalee pong16:18
aleeredrobot, how do I change the topic branch name?16:18
aleeah - I see I can edit it on the review page16:19
redrobotalee you can change it in Gerrit16:19
redrobotalee yep16:19
aleeredrobot, does that mean I need to change my branch name too?16:19
redrobotalee it defaults to whatever your git branch was called in your local box...  you don't need to change it, but it makes it easier so you don't have to keep updating it in Gerrit.16:20
*** jorge_munoz has joined #openstack-barbican16:20
aleeredrobot, ok - so it will overwrite uit again on future commits?16:20
redrobotalee the matching branch names help with sorting patch sets, and automagically linking them and such.16:20
redrobotalee yeah, I think it does change it back if you don't update it locally.16:20
aleeok16:21
*** woodster_ has joined #openstack-barbican16:22
woodster_alee, I've updated the retry bp to hopefully address your comments: https://review.openstack.org/#/c/128113/16:23
aleewoodster_, ok thanks - I'll take a look later today16:24
rm_workalee: I believe if you update it in gerrit and then do "review -d #" to get the current code, it should keep the tag16:25
rm_work*for the next time you commit16:26
aleerm_work, thanks - no worries - I'll update my branches so I dont have to keep track16:26
aleewoodster_, rellerreller  -- for https://review.openstack.org/#/c/135490/2/specs/kilo/cert_api.rst,cm, any thoughts on the name for the request-type for option 3?16:27
aleewe've gone from "generated" -> "stored_key" -> "generate" ? -> maybe something else16:28
aleewoodster_, by the way -- did you have comments on that BP?16:29
rellerrelleralee I think auto-generate or generate are good. I think the past tense was what got me, but I'm not too particular about this.16:31
aleerellerreller, the idea here is that we are creating a cert for a private key that is already stored in barbican (whether it has been generated on barbican or not)16:32
rellerrelleralee woodster_ reaperhulk rm_work I have been putting a lot of content on the content type etherpad page, https://etherpad.openstack.org/p/barbican-formats-discussion16:32
aleeso something with "generate" in it may not make the most sense.16:32
aleewhich is why I went with "stored_key"16:32
rellerrelleralee I liked auto-generate because it means Barbican will auto-generate the certificate request16:33
aleethats true ..16:33
rellerrellerI think stored_key is good too.16:33
aleeI'll go with stored-key for now - and we can bikeshed it tommorow.16:34
rellerrellerSounds good to me16:35
rellerrellerBut what is bikeshed it?16:35
aleerellerreller, http://en.wikipedia.org/wiki/Parkinson%27s_law_of_triviality16:38
aleerellerreller, I refers pretty well to discussions for the naming of things - like for example, a new repo.16:39
rellerrelleralee Thanks. I have not heard of this before.16:40
aleerellerreller, something I picked up from one of the sessions at the summit16:40
rellerrelleralee I love bikeshedding names of new repos. If only yeti was chosen.16:40
aleerellerreller, hey - I was up for wigeon16:41
openstackgerritAde Lee proposed openstack/barbican-specs: Add Cert API Spec.  https://review.openstack.org/13549016:46
*** ryanpetrello has joined #openstack-barbican16:53
*** paul_glass has joined #openstack-barbican16:58
aleerellerreller, woodster_  - rellerreller raises an interesting question on the identify_cas BP.16:59
aleeup to now, I've considered the PCA table as a listing of the preferred CA for a project in the case that the CA is not defined in a request.17:00
rellerrellerI'm glad I did something good. What was my question?17:00
aleeso there would be a 1-1 mapping from project_id -> ca_id17:00
aleebut having the table list the possible CA's for a project is another interesting use case17:01
aleeis so , the logic on a request would look something like this perhaps --17:02
aleewe define a global policy of "allow_all_cas" and default it to true.17:03
aleethen when a cert request comes in -- if ca_id is defined ,17:03
aleethen if any entries for that project_id exist in the PCA table, then we check if the ca_id is one of those entries17:04
*** paul_glass1 has joined #openstack-barbican17:04
aleeif so - we allow the request to proceed. if not, we fail with a 400 error.17:04
aleeif no entries in the PCA table exist, then :17:05
aleeif allow_all_cas = true, we permit the request to continue to the first available ca plugin17:05
aleeif not, we fail with a 40017:06
aleeor actually 500 in this case17:06
aleefinally we add a field in the PCA table for "preferred"17:06
aleeso that if no ca_id is defined, then we select the ca_id specified as preferred ..17:07
*** kebray has joined #openstack-barbican17:07
aleedoes that sound reasonable?17:07
aleeor useful?17:08
*** paul_glass has quit IRC17:08
rellerrellerWhat about preferred column on global CAs?17:09
rellerrellerI feel like updating the CAs for a project sounds like a lot of overhead as compared to setup one or two CAs for all projects17:10
aleerellerreller, so then adding a preferred column to the CA table ..17:10
aleewhich would specify which ca to invoke in case no project specific preferred ca is defined?17:11
*** gyee_ has joined #openstack-barbican17:12
aleerellerreller, that would be better defined that just picking the first one.17:12
rellerrellerOne thing that sticks out is that if CA ID is provided then must be in preferred CA table and if not then operation is not allowed17:12
rellerrellerBut then if CA ID is not provided then CA not in preferred list could be used? Unless I misread that part.17:13
aleerellerreller, no -- I think we're thinking about this differently17:13
aleewe have two tables proposed right now ..17:13
aleeCA table which has ca_id, ca_data17:14
aleePCA (ie. ProjectCA) table which maps projects to ca's17:14
rellerrellerI feel like if request comes in with CA ID then check if in CAs table. If not there then unknown. Else proceed with request. Why check if in preferred CA table?17:14
aleethe two tables are CA table and ProjectCA table.17:15
rellerrellerThen PCA table is only used if no CA ID provided. Check if project has preferred CA, if so use it, else check global CA table and use preferred from there.17:15
rellerrellerIf no preferred in CAs table then error out because no default has been set.17:16
aleerellerreller, right - that was the original formulation -- where the PCA had a 1-1 mapping of project -> ca17:16
aleerellerreller, what you suggested though (or alluded to) was another interpretation of the PCA table.17:16
rellerrelleralee that sounds good to me17:16
rellerrelleralee Yes, I was unsure of its purpose17:17
aleerellerreller, so instead of saying "the PCA table is a table that consists of the preferred CA for each project , and therefor has a 1-1 mapping from project to CA"17:18
aleeyou could say this ..17:18
aleethe PCA table consists of the set of CA's that are available to a project, with one of them being designated as the preferred one in case no ca_id is provided"17:19
aleethen there could be many ca entries in the PCA table per project_id17:19
aleerellerreller, we can work out the logic -- the main question is to decide the semantics of the table17:20
rellerrellerSo would the PCA table then contain the only allowable set of CAs?17:20
alee(for a project)17:21
rellerrellerYes17:21
aleeif a project chooses to define them17:21
rellerrellerSo if a project defines the ProjectCAs then I must use a CA in that set or else an error is returned?17:21
aleeyup17:21
rellerrellerAnd if a CA ID is not provided, and I'm in a project that uses a ProjectCA set then default is chosen from there and if not defined then error?17:22
aleeor it can pick one from the set of project cas17:22
aleeI'm ok with error or just pick one.17:23
rellerrellerI think picking from global CAs is the confusing part. On one hand you restrict which CAs I can use based on the ProjectCA table and then on the other you are using a CA not in that set.17:24
aleerellerreller,  no let me rephrase --17:24
aleeif a project has gone to the trouble to define project ca's, then you must select one from that set17:25
rellerrellerI think it would be weird for a user to generate a cert not defining an ID. Then want to generate another cert with the same CA, so it specifies the CA ID of the first one. In that case it will generate an error saying cannot create cert on that CA.17:25
aleeif no ca_id comes in, then we select from the "preferred" ca amongst the prioject cas if one is defined (and it should be)17:26
aleeif not -- then we either error out -- or we just pick from the project ca's17:26
aleenot picking from global ca's17:27
rellerrellerSo if ProjectCA set is defined then we guarantee that at least one is the preferred. If that is the case then that makes sense.17:27
aleerellerreller, whatdo you mean by "guarantee"?17:28
rellerrellerIf you have > 0 entries in ProjectCA for a project then at least one must be designated as preferred.17:29
rellerrellerIf that is not true then if CA ID is not provided and ProjectCA has >0 entries for the project then should error out if one is not designated as preferred.17:30
aleeok  - we can do that17:30
rellerrelleralee cool17:30
rellerrelleralee Does that mean I can eat lunch now?17:31
aleerellerreller, :) absolutely17:31
rellerrelleralee Thank you :)17:31
aleeI should proabbly do that too ..17:31
rellerrellerEnjoy17:31
aleethank you :)17:31
aleeyou too17:31
*** ryanpetrello has quit IRC17:32
*** bubbva has quit IRC17:36
*** bubbva has joined #openstack-barbican17:36
*** ayoung has joined #openstack-barbican17:46
rm_workrellerreller: sorry, looking at that etherpad -- not ignoring you, just busy :P17:48
*** tiger_toes has quit IRC17:49
woodster_alee, rellerreller, I'm curious if there are use cases that would use this project-restricted CA feature right away? Or do we think this will eventually be useful for deployments?17:50
aleewoodster_, I could imagine it being useful.  Imagine if you're a reseller and your tenant wants to use his own internal ca?17:58
kgriffs(that 0.2 makes possible)18:00
kgriffssorry, wrong window18:01
*** bdpayne has joined #openstack-barbican18:05
*** paul_glass1 has quit IRC18:12
*** dimtruck is now known as zz_dimtruck18:12
openstackgerritJeff Fischer proposed openstack/barbican: initial commit for DigiCert Barbican plugin.  https://review.openstack.org/13881218:15
*** zz_dimtruck is now known as dimtruck18:48
*** paul_glass has joined #openstack-barbican19:04
rm_workwoodster_ / alee: LBaaS needs our own private CA, for example :)19:25
*** SheenaG11 has joined #openstack-barbican19:32
*** SheenaG1 has quit IRC19:34
*** chellygelly has joined #openstack-barbican19:45
*** chellygelly has quit IRC19:49
*** paul_glass has quit IRC19:50
openstackgerritAde Lee proposed openstack/barbican-specs: Spec for identifying CAs  https://review.openstack.org/12904819:57
aleerm_work, perfect :)19:59
aleewoodster_, rellerreller, rm_work - new version of the identifying cas bp posted19:59
rm_workreading it now19:59
rm_workthough I have a meeting in 45 seconds19:59
aleeready set go ..20:00
rellerrelleralee thanks, off to meeting now but will take a look later20:00
aleethanks20:01
*** darrenmoffat has quit IRC20:11
*** darrenmoffat has joined #openstack-barbican20:12
*** kgriffs is now known as kgriffs|afk20:14
*** kebray has quit IRC20:14
*** kebray has joined #openstack-barbican20:17
*** crc32 has joined #openstack-barbican20:20
redrobotalee finally got through cleaning up the blueprints in Launchpad.  Everything should be up to date with what's being reviewed in Gerrit.20:22
redrobotalee when you get some time would you mind reviewing the priority we set on all the BPs?  https://blueprints.launchpad.net/barbican20:22
aleeredrobot, looking -- was there ever anything that came from the intel folks about tpm?20:33
redrobotalee haven't heard anything... I can try poking Malini again20:33
aleeredrobot, yeah -- seems like a nice-to-have20:34
aleeredrobot, is https://blueprints.launchpad.net/barbican/+spec/add-ssl-ca-support just the old blueprint?20:35
aleeredrobot, seems like it should be high/essential20:35
redrobotalee yep, it's the epic BP carried over from Juno20:36
redrobotalee good point... I can bump that up to essential20:36
aleeredrobot, other than that - triage looks ok to me20:36
redrobotalee awesome... I figure we can start with the Essential BPs tomorrow.20:37
*** himhiker has quit IRC20:37
aleeyup - I need to dust off the per-secret-policy one ..20:38
aleethat one may or may not be ready for tommorow20:38
*** himhiker has joined #openstack-barbican20:40
*** jorge_munoz has quit IRC20:45
*** jorge_munoz has joined #openstack-barbican20:47
*** himhiker has quit IRC20:50
*** kgriffs|afk is now known as kgriffs20:54
*** rellerreller has quit IRC21:11
*** crc32 has quit IRC21:15
*** ryanpetrello has joined #openstack-barbican21:18
woodster_alee, in the identify-cas bp, were you intending for the project/ca REST calls to allow a user with the admin role to change project settings for their own project, or for that user to be able to set project/ca assocs for other projects as well?21:20
aleewoodster_, I was thinking an admin would be able to change for all projects -- and a project admin just for their own project21:23
*** dave-mccowan has quit IRC21:24
aleewoodster_, not sure if the two separate roles actually exist21:24
*** jorge_munoz has quit IRC21:24
woodster_alee, I think the calls would be different for those two users...the former requiring the admin API with calls that end with the project-id as per your original bp version, the latter as you specify in the current version. Setting the preferred ca info on the CA table would probably need to be an admin API feature.21:27
aleewoodster_, ok that makes sense.  is the admin api specified by a different url?21:29
aleeor different port?21:29
woodster_alee, yeah it'd be either one. It is a separate service for sure. We haven't crossed that bridge yet, but I'm recalling that projects were moving away from admin endpoints...not sure if that's the case really or not though.21:31
woodster_redrobot, have you heard anything about project's moving away from admin API services?21:32
*** jorge_munoz has joined #openstack-barbican21:33
redrobotwoodster_ alee The only project with admin endpoints that I'm familiar with is Keystone.  In Keystone v2.0 there was two different endpoints (different ports) for the user api vs the admin api21:34
redrobotwoodster_ alee In Keystone 3.0 the admin api is on the same endpoint as the user api21:34
redrobotI still don't know WHY they consolidated the two21:34
woodster_redrobot, alee so cross-project REST calls are probably handled with a separate/special role then. It would certainly be less hassle to not have to spin up another endpoint21:35
aleeredrobot, woodster_ right - which is what I was thinking in this case21:37
woodster_two endpoints = twice the deployment headaches :)  That said, it would be more secure to have a non-public admin endpoint21:37
aleewoodster_, so -- the rule for the operation would be token scoped to project and admin role in project or global admin role21:38
aleewoodster_, only one endpoint needed -- and this is a policy thing ..21:38
woodster_alee, but that also means that a global admin user wishing to modify project/ca assocs for any project would need the REST calls that end with the {project-id}21:40
*** dave-mccowan has joined #openstack-barbican21:40
woodster_alee, do you think there is a need for that feature though? Or would an admin for the project most likely be setting up those assocs for their own project? I think the latter, but just curious21:41
aleewoodster_, I think most likely the admin would be setting up for their own project21:41
openstackgerritJohn Wood proposed openstack/barbican: Update log messages to oslo.i18n  https://review.openstack.org/13824721:41
aleewoodster_, but sometimes they need tech support :)21:42
aleewoodster_, I'm ok with just limiting those to project admin for now21:42
alee(except for the global one of course)21:42
*** jamielennox is now known as jamielennox|away21:42
*** dave-mccowan_ has joined #openstack-barbican21:42
woodster_alee, that could apply to all REST actions though?21:43
*** dave-mccowan has quit IRC21:45
*** dave-mccowan_ is now known as dave-mccowan21:46
aleewoodster_, it will apply to the ones where I say "limited to project admin or admin"21:46
woodster_alee, ok then the calls in the bp are good then (with minor nits I'll note shortly :)21:46
aleewoodster_, cool - yup21:47
aleeset-global-preferred  must be admin21:47
woodster_alee, admin > project-admin correct?21:56
aleeproject-admin and admin -> project-admin22:06
aleesorry -- yes :)22:06
aleewoodster_, ?22:17
woodster_alee, hello22:18
aleewoodster_, I have a question about your comment in https://review.openstack.org/#/c/129377/1/specs/kilo/expose_ca_templates.rst,cm22:18
aleespecifically about the flavor concept ..22:19
aleewoodster_, I'm trying to understand how to apply that here ..22:20
woodster_alee, oh got it. I think I just confused the template with  the ca-id...you are already providing the URI to that in the order request, not a reference to the template. I'll add a note about ignoring this, sorry22:22
aleewoodster_, ok np -- justwanted to make sure I wasn't missing something22:24
openstackgerritJohn Wood proposed openstack/barbican: Update log messages to oslo.i18n  https://review.openstack.org/13824722:36
*** jorge_munoz has quit IRC22:37
*** kebray has quit IRC22:52
*** kebray has joined #openstack-barbican22:53
*** SheenaG11 has quit IRC23:03
*** jamielennox|away is now known as jamielennox23:09
*** dimtruck is now known as zz_dimtruck23:17
*** ryanpetrello has quit IRC23:24
openstackgerritJeff Fischer proposed openstack/barbican: initial commit for DigiCert Barbican plugin  https://review.openstack.org/13819923:35
*** SheenaG1 has joined #openstack-barbican23:36
*** ryanpetrello has joined #openstack-barbican23:51
*** SheenaG1 has quit IRC23:55
« Tuesday, 2014-12-02 Index Thursday, 2014-12-04 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!