Monday, 2015-01-05

*** dave-mccowan has quit IRC [00:08]
*** woodster_ has joined #openstack-barbican [00:22]
*** rm_work|away is now known as rm_work [01:26]
*** kebray has quit IRC [01:48]
*** woodster_ has quit IRC [02:30]
*** rm_work is now known as rm_work|away [02:32]
*** alee has joined #openstack-barbican [02:46]
*** zz_dimtruck is now known as dimtruck [02:57]
openstackgerrit: Merged openstack/barbican: Change keystone_id for external_id in model https://review.openstack.org/143344 [03:06]
*** woodster_ has joined #openstack-barbican [03:07]
*** SheenaG1 has joined #openstack-barbican [03:25]
*** SheenaG11 has joined #openstack-barbican [03:27]
*** SheenaG1 has quit IRC [03:30]
*** darrenmoffat has quit IRC [03:53]
*** darrenmoffat has joined #openstack-barbican [03:54]
*** dimtruck is now known as zz_dimtruck [04:24]
openstackgerrit: John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535 [04:35]
*** chlong has joined #openstack-barbican [04:37]
*** rm_work|away is now known as rm_work [05:20]
*** rm_work is now known as rm_work|away [05:36]
*** greghayn1 is now known as greghaynes [06:22]
*** jamielennox is now known as jamielennox|away [06:33]
*** rm_work|away is now known as rm_work [07:32]
*** jaosorior has joined #openstack-barbican [07:42]
*** chlong has quit IRC [07:47]
*** rm_work is now known as rm_work|away [08:08]
*** woodster_ has quit IRC [08:10]
*** mikedillion has joined #openstack-barbican [08:49]
*** mikedillion has quit IRC [09:00]
*** chlong has joined #openstack-barbican [10:47]
*** kgriffs has quit IRC [10:51]
*** kgriffs|afk has joined #openstack-barbican [10:51]
*** kgriffs|afk is now known as kgriffs [10:51]
*** chlong has quit IRC [11:36]
*** hyakuhei_ has quit IRC [11:36]
*** hyakuhei has joined #openstack-barbican [11:36]
*** chlong has joined #openstack-barbican [11:52]
*** david-lyle_afk has quit IRC [12:38]
*** david-ly_ has joined #openstack-barbican [12:38]
*** ryanpetrello has joined #openstack-barbican [12:56]
*** woodster_ has joined #openstack-barbican [13:01]
*** darrenmoffat has quit IRC [13:06]
*** darrenmoffat has joined #openstack-barbican [13:13]
*** kgriffs has quit IRC [13:38]
*** kgriffs|afk has joined #openstack-barbican [13:38]
*** kgriffs|afk is now known as kgriffs [13:38]
openstackgerrit: Juan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable passing test regex to testr from tox https://review.openstack.org/144759 [14:00]
jaosorior: woodster_: Should I file a bug regarding what was decided from this? https://bugs.launchpad.net/barbican/+bug/1376469 or should i just fix it and that's it? [14:03]
woodster_: jaosorior, well I wouldn't mind getting other folks to weigh in on the comments there. Maybe we can get folks to discuss/decide in the IRC channel today. [14:06]
jaosorior: That would be good [14:07]
jaosorior: Though I'm actually quite convinced that having the id there is not the way to go [14:07]
jaosorior: if the user specified an empty name, then that's what the user should get in return [14:08]
jaosorior: it's the same behaviour with containers [14:08]
jaosorior: woodster_: By the way, Happy new year man! [14:13]
woodster_: jaosorior: same with you! [14:13]
*** dave-mccowan has joined #openstack-barbican [14:30]
*** mikedillion has joined #openstack-barbican [14:36]
openstackgerrit: Merged openstack/barbican: Replace instances of keystone_id from the code https://review.openstack.org/144601 [14:36]
*** kgriffs has quit IRC [14:41]
*** kgriffs|afk has joined #openstack-barbican [14:41]
*** kgriffs|afk is now known as kgriffs [14:42]
*** ametts has joined #openstack-barbican [14:45]
*** dave-mccowan has quit IRC [14:46]
*** nkinder has joined #openstack-barbican [14:46]
openstackgerrit: Juan Antonio Osorio Robles proposed openstack/barbican: Make default action return 405 in the controllers https://review.openstack.org/144743 [14:56]
*** paul_glass has joined #openstack-barbican [14:59]
*** openstack has joined #openstack-barbican [15:05]
*** dave-mccowan has joined #openstack-barbican [15:08]
*** ayoung has joined #openstack-barbican [15:12]
*** trey has quit IRC [15:17]
*** jorge_munoz has joined #openstack-barbican [15:18]
*** SheenaG11 has quit IRC [15:21]
*** zz_dimtruck is now known as dimtruck [15:24]
*** kgriffs has quit IRC [15:28]
*** kgriffs has joined #openstack-barbican [15:28]
*** lisaclark1 has joined #openstack-barbican [15:30]
*** paul_glass has quit IRC [15:44]
*** Guest75222 is now known as redrobot [15:45]
*** SheenaG1 has joined #openstack-barbican [15:47]
*** lisaclark1 has quit IRC [15:52]
*** dave-mccowan has quit IRC [15:52]
*** paul_glass has joined #openstack-barbican [15:52]
*** ryanpetrello_ has joined #openstack-barbican [15:54]
*** ryanpetrello has quit IRC [15:57]
*** ryanpetrello_ is now known as ryanpetrello [15:57]
*** miqui has joined #openstack-barbican [16:06]
*** openstackgerrit has quit IRC [16:06]
*** openstackgerrit has joined #openstack-barbican [16:07]
openstackgerrit: Merged openstack/barbican: Enable passing test regex to testr from tox https://review.openstack.org/144744 [16:09]
openstackgerrit: Merged openstack/barbican: Remove invalid TODOs related to bug 1331815 https://review.openstack.org/144604 [16:10]
*** dave-mccowan has joined #openstack-barbican [16:12]
*** david-ly_ is now known as david-lyle [16:13]
*** crc32 has quit IRC [16:14]
*** atiwari has joined #openstack-barbican [16:18]
*** david-lyle has quit IRC [16:22]
*** paul_glass has quit IRC [16:35]
*** gyee has joined #openstack-barbican [16:36]
*** paul_glass has joined #openstack-barbican [16:39]
*** paul_glass1 has joined #openstack-barbican [16:39]
*** paul_glass has quit IRC [16:43]
*** openstackgerrit has quit IRC [16:51]
*** openstackgerrit has joined #openstack-barbican [16:51]
*** kgriffs has quit IRC [16:52]
*** kgriffs|afk has joined #openstack-barbican [16:52]
*** kgriffs|afk is now known as kgriffs [16:52]
*** openstackgerrit has quit IRC [17:04]
*** openstackgerrit has joined #openstack-barbican [17:04]
*** rellerreller has joined #openstack-barbican [17:22]
openstackgerrit: Ade Lee proposed openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209 [17:23]
openstackgerrit: Merged openstack/python-barbicanclient: Enable passing test regex to testr from tox https://review.openstack.org/144759 [17:23]
*** mikedillion has quit IRC [17:24]
*** crc32 has joined #openstack-barbican [17:32]
woodster_: alee: I think folks have been making comments on the various high priority blueprint CRs out there...would you have a chance this week to go over some of them? [17:32]
*** jaosorior has quit IRC [17:33]
alee: woodster_, yes -- I plan to do just that [17:34]
alee: woodster_, can you look at https://review.openstack.org/142209 ? [17:34]
alee: I just made the relevant changes -- it would be good to get that in so that dave-mccowan can base his changes on that [17:34]
woodster_: alee, sounds good [17:35]
alee: woodster_, trying to figure out now how to rebase my second patch on the first's changes .. [17:35]
*** kgriffs has quit IRC [17:36]
*** kgriffs|afk has joined #openstack-barbican [17:36]
*** kgriffs|afk is now known as kgriffs [17:36]
*** lisaclark1 has joined #openstack-barbican [17:37]
lisaclark1: tdink: ping [17:37]
alee: woodster_, awesome thanks .. [17:38]
alee: now we just need some more +2'ers .. [17:39]
woodster_: alee, I still follow the 'Add dependency' workflow here for simple dependencies (that others aren't contributing to): https://wiki.openstack.org/wiki/Gerrit_Workflow [17:39]
alee: reaperhulk, redrobot ? [17:39]
redrobot: alee hi! happy 2015! [17:39]
alee: you too ! :) [17:40]
alee: redrobot, need a review please .. https://review.openstack.org/#/c/142209/2 [17:40]
alee: rellerreller, jvrbanac ^^ [17:41]
*** paul_glass1 has quit IRC [17:42]
alee: greghaynes, ^^ [17:42]
jvrbanac: alee, I'll take a look as soon as I get to a good stopping point [17:42]
*** paul_glass has joined #openstack-barbican [17:42]
alee: jvrbanac, thanks [17:43]
jvrbanac: alee, Oh and happy new year! [17:43]
jvrbanac: :D [17:43]
alee: woodster_, yeah - I'm trying to follow that .. [17:43]
alee: you too :) [17:43]
greghaynes: alee: hey, will have a look [17:43]
alee: greghaynes, thanks - nothing too surprising in this one. [17:44]
alee: woodster_, so I'm trying to follow the instructions at the end .. [17:46]
alee: woodster_, ie. I have review X and review Y (X>Y) [17:46]
alee: woodster_, now I have updated review X [17:46]
alee: woodster_, so now I'm in the branch where I worked on review Y [17:47]
alee: and I want to update this branch with the modified version of review X [17:47]
greghaynes: alee: and y depends on x? [17:47]
alee: yup [17:47]
greghaynes: git rebase for great good [17:47]
greghaynes: basically you have to go to commit y; git rebase -i <hash of new X commit> [17:48]
greghaynes: and either remove the duplicate X commit in the rebase -i view, or do a second git rebase -i HEAD~3 [17:49]
greghaynes: It's not the most user friendly of operations ;) [17:50]
alee: actually I think I got it --- thanks -- removing the extra commit was what I was missing [17:50]
alee: jvrbanac, rellerreller - thanks - fixing now .. [17:53]
rellerreller: alee np [17:53]
alee: rellerreller, happy new year -- and congrats? [17:54]
rellerreller: alee yes congratulations :) [17:54]
jvrbanac: :D [17:55]
rellerreller: She was born on December 18 and all is good so far, except the lack of sleep [17:55]
greghaynes: ooo, congrats rellerreller! [17:55]
alee: rellerreller, so you [17:55]
alee: rellerreller, so you're coming in to work to get some sleep ? :) [17:55]
rellerreller: haha I actually thought about sleeping under my desk for an hour. It sounds like heaven right now. [17:56]
greghaynes: Pull a George Costanza [17:57]
*** lisaclark1 has quit IRC [17:58]
alee: rellerreller, thankfully we're designed to forget the first three months -- otherwise, we'd never do it again. [17:58]
alee: so you just have a couple of months more .. [17:58]
openstackgerrit: Ade Lee proposed openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209 [18:05]
alee: jvrbanac, redrobot - looks like all the functional tests are failing on the gate [18:07]
jvrbanac: alee? [18:08]
alee: rellerreller, jvrbanac , greghaynes , woodster_ updated patch [18:08]
alee: jvrbanac, http://logs.openstack.org/09/142209/2/check/gate-barbican-devstack-dsvm/6e8ec33/ [18:08]
alee: from my last patch [18:08]
*** ryanpetrello has quit IRC [18:10]
*** ryanpetrello has joined #openstack-barbican [18:10]
jvrbanac: alee, I've seen this a couple of times lately. Most of the time, a recheck gets rid of it. However, we should probably get one of the QE guys to dig into it a bit [18:11]
jvrbanac: hockeynut, tdink ^^ [18:11]
*** tdink has quit IRC [18:11]
*** lbragstad has quit IRC [18:11]
*** erw has quit IRC [18:12]
alee: jvrbanac, yeah - we'll see if it shows up again in my latest patch [18:12]
*** rm_work|away has quit IRC [18:13]
jvrbanac: alee, at a very minimum, we should probably add some error handling around the line that is kicking off .json() so we get better understanding of what's going on [18:13]
*** russell_h has quit IRC [18:13]
*** jroll has quit IRC [18:14]
*** nkinder has quit IRC [18:16]
*** russell_h has joined #openstack-barbican [18:16]
*** russell_h has quit IRC [18:16]
*** russell_h has joined #openstack-barbican [18:16]
*** jroll has joined #openstack-barbican [18:16]
*** lisaclark1 has joined #openstack-barbican [18:17]
*** tdink has joined #openstack-barbican [18:17]
*** rm_work|away has joined #openstack-barbican [18:17]
*** lbragstad has joined #openstack-barbican [18:17]
greghaynes: Are there not request logs somewhere? [18:17]
greghaynes: would probably help a lot [18:17]
*** erw has joined #openstack-barbican [18:17]
*** dimtruck is now known as zz_dimtruck [18:17]
*** rm_work|away is now known as rm_work [18:17]
*** rm_work has quit IRC [18:17]
*** rm_work has joined #openstack-barbican [18:17]
*** bdpayne has joined #openstack-barbican [18:18]
greghaynes: oh, it's just in func tests, not tempest [18:18]
greghaynes: So looking at tests, I notice a lot of the state is created and deleted with setup and teardown instead of using fixtures [18:27]
greghaynes: so I wonder if there's a racy fail and then a big cascading failure due to state not getting unrolled... [18:27]
*** kgriffs is now known as kgriffs|afk [18:28]
*** nkinder has joined #openstack-barbican [18:29]
*** jroll has quit IRC [18:31]
*** jroll has joined #openstack-barbican [18:31]
woodster_: rellerreller: catching up...congrats!!! First kiddo right? [18:34]
rellerreller: woodster_ Yes, first one. [18:45]
*** rellerreller has quit IRC [19:02]
jvrbanac: alee, I tossed up a bug for the issue https://bugs.launchpad.net/barbican/+bug/1407767 [19:03]
alee: jvrbanac, ok thanks [19:03]
alee: jvrbanac, don't forget to +2 the latest patch :) [19:04]
alee: woodster_, jvrbanac https://review.openstack.org/#/c/142209 [19:04]
jvrbanac: alee, hopefully that recheck comes back ok [19:07]
*** paul_glass has quit IRC [19:11]
*** zz_dimtruck is now known as dimtruck [19:11]
*** jaosorior has joined #openstack-barbican [19:12]
*** kgriffs|afk is now known as kgriffs [19:16]
jaosorior: Will there be a meeting today? [19:17]
SheenaG1: jaosorior: as far as I know, yes [19:18]
jaosorior: Alright [19:20]
jaosorior: Thanks :) [19:20]
jaosorior: And happy new year :D by the east [19:20]
jaosorior: Way not east [19:21]
SheenaG1: jaosorior: Happy new year, sir! How are things with you? [19:21]
openstackgerrit: Ade Lee proposed openstack/barbican: Plugin contract changes for the certificate-order-api https://review.openstack.org/142212 [19:34]
alee: woodster_, greghaynes , jvrbanac : ^^ other patch updated. [19:36]
jaosorior: SheenaG1: All good! Back in Finland, life is good, just miss the food again :P [19:37]
alee: SheenaG1, happy new year! do we have details about the mid cycle hotel settled? [19:37]
SheenaG1: alee: still no, working on that this week with lisaclark [19:37]
alee: SheenaG1, ok thanks [19:38]
woodster_: alee: darn that JSONDecodeError! [19:47]
alee: woodster_, yeah .. [19:48]
alee: woodster_, updated the second patch too :) [19:48]
woodster_: alee, taking a look now... [19:49]
alee: thanks [19:49]
openstackgerrit: John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535 [19:50]
redrobot: weekly meeting starts in 5 minutes on #openstack-meeting-alt [19:55]
*** paul_glass has joined #openstack-barbican [19:57]
woodster_: alee, just commit message changes on your CR please: https://review.openstack.org/#/c/142212 [19:57]
*** tkelsey has joined #openstack-barbican [19:59]
alee: woodster_, gotcha - will do [20:00]
openstackgerrit: Ade Lee proposed openstack/barbican: Plugin contract changes for the certificate-order-api https://review.openstack.org/142212 [20:02]
alee: woodster_, done [20:02]
woodster_: CR https://review.openstack.org/#/c/142209 passing all gates now! [20:04]
*** lisaclark1 has quit IRC [20:14]
openstackgerrit: Merged openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209 [20:20]
alee: woohoo! 1 down .. [20:21]
*** lisaclark1 has joined #openstack-barbican [20:21]
*** kgriffs is now known as kgriffs|afk [20:35]
hockeynut: Happy New Year all - I'm not really here (returning to work tomorrow). Will jump at that functional testing issue [20:46]
*** rellerreller has joined #openstack-barbican [20:55]
*** elmiko has joined #openstack-barbican [20:58]
elmiko: woodster_: yo [20:58]
woodster_: elmiko, hey there [20:58]
*** kgriffs|afk is now known as kgriffs [20:58]
*** tkelsey has quit IRC [20:59]
elmiko: woodster_: so yea, i'm just starting on a script that will generate the base required layer for a swagger doc, from the pecan impl in barb [20:59]
woodster_: elmiko, I was told I needed to spin up on the status of that wadl file for Barbican. If you can auto gen that thing, so much the better! I'd heard swagger was pretty cool [20:59]
elmiko: it's certainly more readable than wadl, but i'm not sure if it's better. easier to implement maybe. [21:00]
elmiko: i'm hoping to have something that will generate the skeleton this week [21:00]
woodster_: elmiko, that sounds nice. Are you wishing to consume that wadl with tooling on your side? [21:00]
woodster_: elmiko, do you know how other projects are generating/publishing their wadls? [21:02]
elmiko: woodster_: so, i'd like to create something that generates the swagger from the code, not the wadl. [21:02]
elmiko: woodster_: as for other projects, it's a total mish-mosh. most use hand-hacked wadl, with a little bit of generated content. [21:02]
elmiko: there is a large gap in how much you can get done with the generators. it really depends on how much you want to mark up the code base. [21:03]
woodster_: elmiko, oh got it. That's what I was thinking was the case [21:03]
elmiko: woodster_: yea, it seems like the API WG would definitely like to move towards something more consistent. but it's not clear what that will be yet. [21:04]
elmiko: part of why i'm playing around with this stuff =) [21:04]
elmiko: i think it would be really cool if we could come up with some sort of oslo package that might help projects facilitate the creation of these api docs [21:05]
elmiko: it gets pretty funky based on all the wsgi servers the different projects use. although i understand that there might be an unstated push for more projects to use pecan [21:06]
elmiko: woodster_: as for publishing, the only thing i know about so far is the api-ref page [21:07]
woodster_: elmiko, yeah, we moved to Pecan to be more in line with other projects [21:07]
woodster_: elmiko, do you mean out here?: http://developer.openstack.org/api-ref.html [21:08]
woodster_: elmiko, we probably need to internally publish while we are incubating I figure [21:09]
elmiko: woodster_: yea, that's the site i meant. [21:12]
elmiko: woodster_: another option for publishing that i really like is how the keystone project publishes its api to their spec repo [21:12]
elmiko: https://github.com/openstack/keystone-specs/tree/master/api [21:12]
elmiko: but that's the main documents, although there would be room for wadl/swagger stuff there too. [21:13]
woodster_: elmiko, that is an option for sure [21:13]
woodster_: elmiko, we were documenting with docbook as other projects have done, but pulled back once we realized that it isn't officially published until we come out of incubation. The specs repo would probably be the next best thing. [21:15]
woodster_: elmiko, better than our original API wiki here :) https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface [21:16]
elmiko: woodster_: yea, that's what i've been working from =) [21:16]
elmiko: woodster_: i think publishing to barbican-specs/api might be a really nice start. assuming there are no objections. [21:16]
*** jamielennox|away is now known as jamielennox [21:30]
woodster_: elmiko, per redrobot it seems that the docs team is moving to publish to the specs repo vs using docbook. Do you know about that? Do you follow the https://wiki.openstack.org/wiki/Meetings/DocTeamMeeting meetings at all? [21:32]
elmiko: woodster_: interesting.. i was not aware of that. but it seems like a good move, imo. [21:32]
elmiko: woodster_: i've been working towards trying to do this with the sahara stuff, but... well... time and things ;) [21:33]
*** jamielennox is now known as jamielennox|away [21:35]
*** gyee has quit IRC [21:37]
woodster_: elmiko, yeah, I'm trying to get back into things in the new year after over 2 weeks off :) Any help you can provide on the API side would be helpful for sure. I'll also inquire about the 'official' place for docs and wadls to go, esp. for incubating projects like Barbican [21:38]
elmiko: woodster_: nice, so far my work has been pretty light. i'm trying to get this in as a side project basically. https://github.com/elmiko/sahara-doc is what i've put together so far for sahara. i was planning on something similar for my barbican efforts. [21:40]
woodster_: elmiko, that looks interesting to me [21:44]
elmiko: woodster_: i really need to clean it up a bit. i might make a bigger repo to host both the sahara and barbican examples. [21:45]
woodster_: elmiko, have you reached out to the docs team folks about this? [21:46]
elmiko: woodster_: in the beginning i did talk with annegentle and a few others in the channel. [21:47]
elmiko: mainly collecting information about api-ref site and their thoughts about auto-generated stuff [21:47]
elmiko: i also talked about it at summit in november with the api wg [21:47]
openstackgerrit: Nathan Reller proposed openstack/barbican-specs: Content Types https://review.openstack.org/145073 [21:57]
alee: woodster_, ping? [22:00]
alee: woodster_, what's the convention for column names in the database tables again? [22:00]
woodster_: alee you mean for a new field, or a FK? [22:01]
alee: new field [22:01]
alee: so if for example, I'm creating a SecretACL table [22:01]
alee: and I want to specify the columns as .. [22:02]
alee: secret_id (FK) and acl [22:02]
woodster_: alee, we've been using plurals for one to many assocs, singulars otherwise [22:02]
alee: So it's reasonable to say .. [22:02]
woodster_: The Container's project_id is a FK example [22:03]
alee: The SecretACL table will have columns secret_id (FK,string) and acl (string) ? [22:03]
woodster_: alee that makes sense, though what goes into acl? is that the user/group/project info for the whitelist? [22:04]
alee: yup - in some format that looks like an acl .. [22:05]
alee: like .. [22:05]
alee: (read) (user_id = foo || user_id =bar || group_id = baz) [22:06]
*** rellerreller has quit IRC [22:07]
woodster_: alee, is that how clients would specify the ACL then, with a string such as that example? [22:07]
alee: woodster_, no - I think they would just pass in the user lists / group lists [22:08]
alee: like we specified already in the cp [22:08]
alee: we'll parse that and convert it into an acl [22:08]
alee: that way clients do not need to understand acl language [22:09]
alee: woodster_, although being able to pass in acl language makes all this easily extensible .. [22:10]
alee: woodster_, but it also means syntax checking acl language on both client and server sides [22:10]
woodster_: elmiko, were the docs folks interested in the auto gen work you are looking into? [22:12]
elmiko: woodster_: hmm, difficult to gauge. there is interest, but i think it depends which group you talk with. [22:13]
alee: jvrbanac, redrobot -- https://review.openstack.org/#/c/142212/ just looking for a +1 workflow :) [22:13]
woodster_: elmiko, sounds like they might have to see a prototype before they know for sure? [22:13]
elmiko: woodster_: imo, the doc folks(i only talked with a couple) were interested but cautioned that auto-gen stuff usually left gaps that needed to be filled manually [22:13]
elmiko: woodster_: otoh, the api wg folks were interested in a lot of the extended implications that come from the work that formats like swagger are doing(e.g. code generation, and crazy stuff like that) [22:14]
woodster_: elmiko that makes sense. It's easy to automate 80% of the things, but the other 20% is why they pay us the medium bucks! [22:14]
elmiko: woodster_: lol, too true =) [22:15]
elmiko: woodster_: from what i can tell, there aren't many "strong" opinions yet. folks are interested to see what could come out of these efforts though. [22:15]
elmiko: i think everyone generally likes the idea of api docs getting generated automagically during some build process, especially if the promise is that the api docs are more up-to-date. [22:16]
woodster_: alee, that makes sense. My only concern is with queries....are there use cases for querying for all secrets accessible by user xyz? Probably only for auditing [22:16]
elmiko: the real issue then is how to cover those 20% gaps that will occur. [22:17]
alee: woodster_, not sure I understand your question -- I think you are referring to (list) operation perhaps? [22:19]
alee: woodster_, so acl could look like -- [22:19]
alee: (read) (user_id = foo || user_id =bar || group_id = baz) ; (list) (user_id = foo || group_id = auditor) [22:20]
woodster_: alee, I'm referring to that acl field having a logical text in there...queries are not as straightforward vs if each user/group/project is broken out as a record in the table. Just not sure if there is a good use case for that though. It seems like the acl field approach should work as long as the overall text doesn't get too large. So essentially there [22:22]
woodster_: would be a one to one between secrets and secretacl entities, correct? [22:22]
alee: yup [22:22]
woodster_: elmiko, that's true [22:22]
woodster_: alee, so were you going to update with an example like that one then? [22:23]
alee: woodster_, ideally the format we use would be one already supported by some standard python acl parsing library -- not sure if one such exists [22:23]
alee: woodster_, yup - doing that right now. [22:23]
*** gyee has joined #openstack-barbican [22:29]
alee: woodster_, by query/list -- do you mean getting just the metadata of the secret? [22:32]
*** kgriffs has quit IRC [22:33]
alee: woodster_, actually I'm wondering now whether it makes sense to allow clients to specify full acls in acl language [22:34]
woodster_: alee, well just querying for secrets that have specific users/groups/projects associated with them. That seems like an auditing thing. [22:34]
alee: woodster_, right -- we don't have that ability now .. [22:35]
alee: woodster_, but if we did -- it would mean basically getting back the metadata -- or some portion thereof of the secrets [22:36]
*** kgriffs has joined #openstack-barbican [22:36]
woodster_: alee, well another aspect here is that originally we were going to feed oslo policy information and then let it do the acl logic. But it can't handle lists of users/groups/projects, correct? [22:37]
alee: well - we may need to extend it [22:37]
alee: I'd be really surprised if oslo could not be extended in some way [22:38]
alee: after all - it supports primitives for and/or [22:38]
*** SheenaG1 has quit IRC [22:40]
openstackgerrit: John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535 [22:41]
woodster_: alee, iow all we really needed to store for a secret was lists of users/groups/projects allowed to access the secret, and then let policy logic external to the secret determine access control. But defining that per secret provides more power...now blacklists would be possible (i.e. !user_foo) per secret. [22:42]
woodster_: alee, the complexity is with updates...if a client wishes to add another user to the list that already has a complex acl string for it, either this has to be merged with it, or else would be overwritten. [22:44]
woodster_: alee, yeah not so comfortable with the client API to acl field mismatch there...it seems that either the API should just have the acl string provided and then set as the client specifies for that secret, or else create a list of user/group/projects allowed for the secret per the current list-based API. Translating between the two approaches does not seem [22:46]
woodster_: intuitive to me. [22:46]
alee: woodster_, agreed -- and I think I'm leaning towards the acl specification by both the api and acl field [22:47]
alee: woodster_, we've already specified 2 operations for which users/groups may need to be defined [22:48]
alee: (read, list) [22:48]
alee: we will likely eventually add write and maybe others [22:48]
alee: so would the api then need read_users, read_groups, write_users, write_groups .. etc .. ? [22:49]
alee: too complicated .. just let the client specify the acl [22:50]
alee: we can choose to ignore anything except read/list acls in kilo [22:50]
alee: but the framework will be there for post-kilo [22:51]
*** jamielennox|away is now known as jamielennox [22:51]
*** alee is now known as alee_dinner [22:56]
*** chlong has joined #openstack-barbican [22:57]
*** ametts has quit IRC [22:57]
*** ametts has joined #openstack-barbican [23:01]
woodster_: that makes sense alee. So for Kilo the per-secret ACLs only apply to GET operations [23:01]
*** dimtruck is now known as zz_dimtruck [23:05]
*** SheenaG1 has joined #openstack-barbican [23:07]
*** lisaclark1 has quit IRC [23:12]
*** nkinder has quit IRC [23:13]
*** chlong_ has joined #openstack-barbican [23:14]
*** dave-mccowan has quit IRC [23:37]
*** chlong has quit IRC [23:39]
*** chlong_ has quit IRC [23:39]
*** chlong_ has joined #openstack-barbican [23:46]
*** chlong has joined #openstack-barbican [23:46]
*** chlong_ has quit IRC [23:46]
*** paul_glass has quit IRC [23:51]
*** SheenaG1 has quit IRC [23:55]
