Monday, 2014-12-08

*** kgriffs|afk is now known as kgriffs [00:32]
*** kgriffs is now known as kgriffs|afk [00:42]
*** stanzi has joined #openstack-barbican [00:43]
*** ryanpetrello has joined #openstack-barbican [00:44]
*** ryanpetrello has quit IRC [00:51]
*** stanzi has quit IRC [00:52]
*** ryanpetrello has joined #openstack-barbican [01:00]
<openstackgerrit> John Wood proposed openstack/barbican: Update log messages to oslo.i18n  https://review.openstack.org/138247 [01:05]
<openstackgerrit> John Wood proposed openstack/barbican: Fix diff-cover gate broken by parent CR  https://review.openstack.org/139894 [01:05]
*** ryanpetrello has quit IRC [01:37]
*** dave-mccowan has joined #openstack-barbican [01:51]
<openstackgerrit> John Wood proposed openstack/barbican: Fix diff-cover gate broken by parent CR  https://review.openstack.org/139894 [02:06]
*** ryanpetrello has joined #openstack-barbican [02:10]
*** woodster_ has joined #openstack-barbican [02:41]
*** ryanpetrello has quit IRC [02:44]
*** ryanpetrello has joined #openstack-barbican [02:51]
*** ryanpetrello has quit IRC [03:23]
*** david-lyle_afk has quit IRC [03:31]
*** miqui_ has quit IRC [03:40]
*** david-lyle_afk has joined #openstack-barbican [03:43]
*** david-lyle_afk has quit IRC [03:50]
*** david-lyle_afk has joined #openstack-barbican [04:02]
*** david-lyle_afk has quit IRC [04:02]
*** dave-mccowan has quit IRC [04:08]
*** david-lyle_afk has joined #openstack-barbican [05:01]
*** kebray has joined #openstack-barbican [05:05]
*** kebray has quit IRC [05:05]
*** kebray has joined #openstack-barbican [05:09]
*** kebray has quit IRC [05:54]
*** Nirupama has joined #openstack-barbican [06:08]
*** zz_dimtruck is now known as dimtruck [06:25]
*** Nirupama has quit IRC [06:28]
*** Nirupama has joined #openstack-barbican [06:28]
*** dimtruck is now known as zz_dimtruck [07:10]
*** jamielennox is now known as jamielennox|away [08:12]
*** woodster_ has quit IRC [09:00]
<openstackgerrit> Tim Kelsey proposed openstack/barbican: Adding client certificates to connection credentials  https://review.openstack.org/135217 [12:03]
*** jamielennox|away is now known as jamielennox [12:31]
*** dave-mccowan has joined #openstack-barbican [12:35]
*** jamielennox is now known as jamielennox|away [12:41]
*** woodster_ has joined #openstack-barbican [12:42]
*** dave-mccowan_ has joined #openstack-barbican [12:55]
*** dave-mccowan has quit IRC [12:56]
*** dave-mccowan_ is now known as dave-mccowan [12:56]
*** Nirupama has quit IRC [13:32]
*** ametts has joined #openstack-barbican [13:38]
<openstackgerrit> Merged openstack/barbican-specs: Remove the tenant-secret association table  https://review.openstack.org/135158 [14:02]
*** dave-mccowan_ has joined #openstack-barbican [14:02]
<reaperhulk> redrobot: we should update our channel topic since that meeting was last thursday [14:05]
*** dave-mccowan has quit IRC [14:05]
*** dave-mccowan_ is now known as dave-mccowan [14:05]
*** dave-mccowan_ has joined #openstack-barbican [14:08]
*** dave-mccowan has quit IRC [14:11]
*** dave-mccowan_ is now known as dave-mccowan [14:11]
<openstackgerrit> Merged openstack/barbican: Update log messages to oslo.i18n  https://review.openstack.org/138247 [14:15]
*** mikedillion has joined #openstack-barbican [14:17]
*** stanzi has joined #openstack-barbican [14:17]
*** ryanpetrello has joined #openstack-barbican [14:22]
*** ayoung has joined #openstack-barbican [14:26]
*** ayoung has quit IRC [14:26]
*** ayoung has joined #openstack-barbican [14:33]
*** zz_dimtruck is now known as dimtruck [15:22]
<openstackgerrit> Merged openstack/python-barbicanclient: Trivial change to docs  https://review.openstack.org/139265 [15:29]
*** SheenaG1 has joined #openstack-barbican [15:29]
*** nkinder has joined #openstack-barbican [15:30]
<alee_> redrobot, ping [15:31]
*** JeffF has joined #openstack-barbican [15:33]
*** jorge_munoz has joined #openstack-barbican [15:40]
*** mikedillion has quit IRC [15:40]
<openstackgerrit> Ade Lee proposed openstack/barbican-specs: Add Cert API Spec.  https://review.openstack.org/135490 [15:48]
*** dave-mccowan has quit IRC [15:51]
*** dave-mccowan has joined #openstack-barbican [15:52]
*** nkinder has quit IRC [15:57]
*** paul_glass has joined #openstack-barbican [15:58]
*** nkinder has joined #openstack-barbican [15:58]
*** stanzi has quit IRC [16:04]
*** stanzi has joined #openstack-barbican [16:04]
*** david-lyle_afk is now known as david-lyle [16:06]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/140048 [16:16]
*** jorge_munoz has quit IRC [16:17]
*** jorge_munoz has joined #openstack-barbican [16:19]
*** paul_glass has quit IRC [16:19]
*** stanzi has quit IRC [16:19]
*** mikedillion has joined #openstack-barbican [16:22]
*** jorge_munoz has quit IRC [16:39]
*** stanzi has joined #openstack-barbican [16:41]
*** darrenmoffat has quit IRC [16:42]
*** darrenmoffat has joined #openstack-barbican [16:44]
*** paul_glass has joined #openstack-barbican [16:44]
*** stanzi has quit IRC [16:48]
*** lordbyron8201 has joined #openstack-barbican [16:49]
*** ametts has quit IRC [16:51]
*** lordbyron8201 has quit IRC [16:53]
*** jorge_munoz has joined #openstack-barbican [17:07]
*** lordbyron8201 has joined #openstack-barbican [17:08]
*** crc32 has joined #openstack-barbican [17:09]
*** ametts has joined #openstack-barbican [17:10]
*** SheenaG1 has quit IRC [17:17]
*** SheenaG1 has joined #openstack-barbican [17:18]
*** redrobot changes topic to "Incubated OpenStack Barbican" [17:18]
*** openstackgerrit has quit IRC [17:19]
*** openstackgerrit has joined #openstack-barbican [17:19]
*** jorge_munoz has quit IRC [17:26]
*** kebray has joined #openstack-barbican [17:37]
<openstackgerrit> Merged openstack/python-barbicanclient: Correctly set pbr version name  https://review.openstack.org/139292 [17:37]
*** kebray has quit IRC [18:12]
*** paul_glass has quit IRC [18:14]
*** mikedillion has quit IRC [18:19]
*** mikedillion has joined #openstack-barbican [18:20]
<openstackgerrit> Merged openstack/python-barbicanclient: Workflow documentation is now in infra-manual  https://review.openstack.org/139368 [18:20]
*** mikedillion has quit IRC [18:22]
*** stanzi has joined #openstack-barbican [18:31]
*** stanzi has quit IRC [18:35]
*** JeffF has left #openstack-barbican [18:44]
*** jaosorior has joined #openstack-barbican [18:45]
*** ametts has quit IRC [18:51]
*** paul_glass has joined #openstack-barbican [18:58]
*** kebray has joined #openstack-barbican [19:01]
*** ametts has joined #openstack-barbican [19:04]
*** kebray has quit IRC [19:13]
*** kebray has joined #openstack-barbican [19:23]
*** jorge_munoz has joined #openstack-barbican [19:48]
*** nkinder has quit IRC [19:50]
*** tkelsey has joined #openstack-barbican [19:53]
*** kebray has quit IRC [19:54]
*** rellerreller has joined #openstack-barbican [19:58]
<redrobot> weekly barbican meeting is starting now in #openstack-meeting-alt [20:01]
<openstackgerrit> Steve Heyman proposed openstack/barbican-specs: Add spec to support running functional tests as different users  https://review.openstack.org/135724 [20:05]
*** gyee has joined #openstack-barbican [20:13]
*** kebray has joined #openstack-barbican [20:30]
*** JeffF has joined #openstack-barbican [20:34]
<openstackgerrit> Merged openstack/castellan: Workflow documentation is now in infra-manual  https://review.openstack.org/139311 [20:38]
<openstackgerrit> greghaynes proposed openstack/barbican: Dont set debug and verbose as our example  https://review.openstack.org/140140 [20:42]
*** kebray has quit IRC [20:43]
*** stanzi has joined #openstack-barbican [20:49]
*** lordbyron8201 has quit IRC [20:53]
*** stanzi has quit IRC [20:53]
<greghaynes> hyakuhei: Hey O/ [20:59]
<greghaynes> hyakuhei: I was hoping to get to say Hi at the summit but never was able to run into you, fellow hper doing tripleo TLS stuffs [21:00]
*** nkinder has joined #openstack-barbican [21:02]
<greghaynes> So, I was wondering if someone could take a minute to answer a few (probably silly newcomer) questions I have about trying to use barbican for tripleo's use case [21:02]
<alee_> greghaynes, hey - I think I ran into another triple-O dev on the way back from Paris.  I think she said you were looking into trying to get certs? [21:02]
<greghaynes> yes! [21:02]
<alee_> greghaynes, cool -- so tell us a little more about your use case [21:03]
<greghaynes> So, our use case is essentially that we need to be able to do snakeoil CA and cert generation for devs/CI while allowing prod users to have a good way to integrate with their own pki [21:03]
*** kebray has joined #openstack-barbican [21:04]
<greghaynes> as is right now we have some bash + python that do this and we tell the users they can provide some json with their certs/keys if they want to use their own pki... but ideally we can use something else (barbican) for this [21:04]
<greghaynes> it's purely TLS certs, to specify a bit more [21:05]
<alee_> greghaynes, these are long lasting certs? [21:05]
<alee_> ie. tls certs for real servers [21:05]
<alee_> that you might want to renew for instance? or rekey? [21:06]
<greghaynes> initially, yes. There is talk about doing some of the more fancy stuff I think hyakuhei is working on but we don't really support TLS much right now so walking first [21:06]
<alee_> greghaynes, how often do these cert requests come in? [21:07]
<alee_> so let me explain the state of certs right now in barbican, and where it is going .. [21:08]
<alee_> barbican has an orders interface that can be used to generate a cert given certain parameters (like for example a cert-request) [21:09]
<greghaynes> so for the dev/ci use case there is 2 snakeoil CA's that we need to make certs off of. then after we make each CA there's a whole slew of cert requests we need to make (for all the various services) and then we need a good way to ask "what was cert/key for service foo". Ideally there is a good decoupling layer where a user could then upload a "service foo" cert/key and then we simply notice that [21:09]
<greghaynes> and don't gen a snakeoil cert/key for that service [21:09]
<greghaynes> alee_: yep, was just looking at that [21:10]
<alee_> this orders api talks to any number of back-end ca plugins -- which talk to a backend ca [21:10]
<alee_> on the backend ca, a cert request is made and then needs to be approved by that ca [21:10]
<greghaynes> Has anyone made a sort of snakeoil ca plugin? [21:11]
<alee_> or if you happen to have a dogtag ca in the backend - then you can configure the cert request to be made by a trusted agent and have it get automatically approved. [21:11]
<greghaynes> hrm [21:12]
<alee_> we have a few plugins there right now -- dogtag, symantec, digicert and a dev plugin. [21:12]
<greghaynes> oh, what's the dev one called? I saw the others [21:13]
<alee_> greghaynes, it's very basic -- I don't think it even gives you back a cert [21:13]
<greghaynes> There's a simple_cert_manager but that seems to be a little too simple ;) [21:13]
<greghaynes> yea, that's the simple_cert_one [21:13]
<alee_> that's the basic one. [21:13]
<alee_> now -- the order interface also has the limitation right now, that you have to know which ca you want to talk to [21:14]
<alee_> because the parameters are just passed as-is back to the ca [21:14]
<alee_> hence the need for a common cert API [21:14]
<greghaynes> I really couldn't find any good docs on how to hit the orders interface to do cert gen, any pointers on that? [21:15]
<greghaynes> ok [21:15]
<alee_> so that a client could create a generic order and it would go to whatever ca [21:15]
<alee_> that's the BP that's in review .. [21:15]
<greghaynes> Yep, was just reading that [21:15]
<alee_> https://review.openstack.org/135490 [21:15]
<alee_> which we hope to land this week. [21:15]
<alee_> (and then start working on) [21:16]
<greghaynes> so, how do you interact with the existing orders interface to do a cert request? [21:16]
<alee_> you'll notice in the bp, there are four different ways of getting a cert [21:16]
<alee_> so the currently supported one is method 4 [21:16]
<alee_> ("custom") [21:17]
<greghaynes> ok, gotcha [21:17]
<alee_> method 1 -- simple-cmc should actually be dead easy to write. [21:17]
<alee_> and will be the first one in there. [21:17]
<alee_> so -- the plan is to get that interface in -- and then to work on clients to interact with the interface [21:18]
<alee_> greghaynes, now the client story is interesting [21:18]
<alee_> greghaynes, we plan to add functionality to barbican-client , but [21:18]
<alee_> I think that the right way to do it is to implement a barbican backend to certmonger [21:19]
<alee_> and I plan to work on that sometime. [21:19]
<alee_> you should check out certmonger [21:19]
<greghaynes> hrm, I'm sure we would like the -client functionality for our use case [21:19]
<alee_> it's pretty nice. [21:19]
<greghaynes> If you do end up using it, I imagine it would be barbican-client -> dbus -> certmonger? [21:20]
<alee_> possibly -- I was actually thinking of adding something like a python front end to certmonger [21:21]
<alee_> but that's intriguing .. [21:21]
<greghaynes> Another question, how do CA's get into barbican [21:21]
<alee_> so it would be certmonger-python -> dbus -> certmonger -> barbican [21:21]
<alee_> https://review.openstack.org/129048 [21:21]
<rm_work> I really hope cert-monger doesn't HAVE to be in the process... [21:22]
<greghaynes> and additionally, is there any interface for requesting a CA to be generated [21:22]
<alee_> (it will be by config) [21:22]
<alee_> rm_work, yeah - I know --- I think we'll end up with barbican-client-> barbican as well [21:22]
<greghaynes> Yes, this is my concern with certmonger, I'm +1 on using it but we would probably have to support running without it and therefore we would want to test without it [21:22]
<alee_> yup definitely [21:23]
<alee_> I'm thinking there will be two methods .. [21:23]
<greghaynes> so do you think making a snakeoil ca plugin seems reasonable? I could definitely work on deving that [21:23]
<alee_> certmonger-python-> dbus -> certmonger -> barbican [21:23]
<alee_> and barbican-client -> barbican [21:23]
<greghaynes> basically one that auto-approves all requests and just makes the openssl-python calls directly [21:24]
<alee_> greghaynes, definitely :) [21:24]
<greghaynes> Awesome [21:24]
<alee_> we need that for our testing for sure [21:24]
<greghaynes> Yep, that's exactly our use case [21:24]
<alee_> so if you want to dev that , that would be great. [21:24]
<greghaynes> and then I'll also probably try and fill in the python-barbicanclient because AFAICT it still needs to know about cert generation [21:25]
<alee_> greghaynes, it's one of those things that had been planned [21:25]
<alee_> yes it does [21:25]
<alee_> as soon as we get the cert api landed , we know what to do in the clients [21:25]
<alee_> greghaynes, though of course, dogtag could already work as your snake oil ca [21:26]
<alee_> (but you'd need to install/configure dogtag) [21:27]
<greghaynes> hrmm [21:27]
<greghaynes> I'll look at it, it's definitely a possibility [21:27]
<alee_> greghaynes, we still need a better dev plugin in any case though .. in case someone wants to test w/o dogtag [21:28]
<greghaynes> Yep. The snakeoil thing is win for stuff like "getting started docs" [21:28]
<greghaynes> as long as it has a big warning of "never actually use this in prod" [21:29]
<alee_> yup [21:29]
<greghaynes> well, thanks a ton for the help! I'll probably be back with questions eventually [21:29]
<greghaynes> also, what time zone are you? [21:29]
<alee_> EST [21:30]
<greghaynes> ok, I'm PSY [21:30]
<greghaynes> er, PST [21:30]
<alee_> greghaynes, :) I was going to say --- you're a korean singer? [21:30]
<greghaynes> I've moved on since then :) [21:30]
<alee_> (and the world is a better place ... :) [21:31]
*** gyee has quit IRC [21:32]
*** tkelsey has quit IRC [21:36]
*** kebray has quit IRC [21:51]
*** kebray has joined #openstack-barbican [21:58]
*** alee_ has left #openstack-barbican [22:07]
*** alee_ has joined #openstack-barbican [22:07]
*** stanzi has joined #openstack-barbican [22:27]
*** SheenaG1 has quit IRC [22:29]
<openstackgerrit> Merged openstack/barbican: Updated from global requirements  https://review.openstack.org/140048 [22:47]
*** stanzi has quit IRC [22:55]
*** paul_glass has quit IRC [23:02]
*** ayoung has quit IRC [23:03]
*** ryanpetrello has quit IRC [23:12]
*** ryanpetrello has joined #openstack-barbican [23:14]
*** jamielennox|away is now known as jamielennox [23:15]
*** rellerreller has quit IRC [23:16]
*** ryanpetrello has quit IRC [23:20]
*** kebray has quit IRC [23:22]
*** jaosorior has quit IRC [23:23]
*** ametts has quit IRC [23:35]
*** dimtruck is now known as zz_dimtruck [23:56]
*** gyee has joined #openstack-barbican [23:58]