*** dave-mccowan has quit IRC | 00:08 | |
*** woodster_ has joined #openstack-barbican | 00:22 | |
*** rm_work|away is now known as rm_work | 01:26 | |
*** kebray has quit IRC | 01:48 | |
*** woodster_ has quit IRC | 02:30 | |
*** rm_work is now known as rm_work|away | 02:32 | |
*** alee has joined #openstack-barbican | 02:46 | |
*** zz_dimtruck is now known as dimtruck | 02:57 | |
openstackgerrit | Merged openstack/barbican: Change keystone_id for external_id in model https://review.openstack.org/143344 | 03:06 |
*** woodster_ has joined #openstack-barbican | 03:07 | |
*** SheenaG1 has joined #openstack-barbican | 03:25 | |
*** SheenaG11 has joined #openstack-barbican | 03:27 | |
*** SheenaG1 has quit IRC | 03:30 | |
*** darrenmoffat has quit IRC | 03:53 | |
*** darrenmoffat has joined #openstack-barbican | 03:54 | |
*** dimtruck is now known as zz_dimtruck | 04:24 | |
openstackgerrit | John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535 | 04:35 |
*** chlong has joined #openstack-barbican | 04:37 | |
*** rm_work|away is now known as rm_work | 05:20 | |
*** rm_work is now known as rm_work|away | 05:36 | |
*** greghayn1 is now known as greghaynes | 06:22 | |
*** jamielennox is now known as jamielennox|away | 06:33 | |
*** rm_work|away is now known as rm_work | 07:32 | |
*** jaosorior has joined #openstack-barbican | 07:42 | |
*** chlong has quit IRC | 07:47 | |
*** rm_work is now known as rm_work|away | 08:08 | |
*** woodster_ has quit IRC | 08:10 | |
*** mikedillion has joined #openstack-barbican | 08:49 | |
*** mikedillion has quit IRC | 09:00 | |
*** chlong has joined #openstack-barbican | 10:47 | |
*** kgriffs has quit IRC | 10:51 | |
*** kgriffs|afk has joined #openstack-barbican | 10:51 | |
*** kgriffs|afk is now known as kgriffs | 10:51 | |
*** chlong has quit IRC | 11:36 | |
*** hyakuhei_ has quit IRC | 11:36 | |
*** hyakuhei has joined #openstack-barbican | 11:36 | |
*** chlong has joined #openstack-barbican | 11:52 | |
*** david-lyle_afk has quit IRC | 12:38 | |
*** david-ly_ has joined #openstack-barbican | 12:38 | |
*** ryanpetrello has joined #openstack-barbican | 12:56 | |
*** woodster_ has joined #openstack-barbican | 13:01 | |
*** darrenmoffat has quit IRC | 13:06 | |
*** darrenmoffat has joined #openstack-barbican | 13:13 | |
*** kgriffs has quit IRC | 13:38 | |
*** kgriffs|afk has joined #openstack-barbican | 13:38 | |
*** kgriffs|afk is now known as kgriffs | 13:38 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable passing test regex to testr from tox https://review.openstack.org/144759 | 14:00 |
jaosorior | woodster_: Should I file a bug regarding what was decided from this? https://bugs.launchpad.net/barbican/+bug/1376469 or should i just fix it and that's it? | 14:03 |
woodster_ | jaosorior, well I wouldn't mind getting other folks to weigh in on the comments there. Maybe we can get folks to discuss/decide in the IRC channel today. | 14:06 |
jaosorior | That would be good | 14:07 |
jaosorior | Though I'm actually quite convinced that having the id there is not the way to go | 14:07 |
jaosorior | if the user specified an empty name, then that's what the user should get in return | 14:08 |
jaosorior | it's the same behaviour with containers | 14:08 |
jaosorior | woodster_: By the way, Happy new year man! | 14:13 |
woodster_ | jaosorior: same with you! | 14:13 |
*** dave-mccowan has joined #openstack-barbican | 14:30 | |
*** mikedillion has joined #openstack-barbican | 14:36 | |
openstackgerrit | Merged openstack/barbican: Replace instances of keystone_id from the code https://review.openstack.org/144601 | 14:36 |
*** kgriffs has quit IRC | 14:41 | |
*** kgriffs|afk has joined #openstack-barbican | 14:41 | |
*** kgriffs|afk is now known as kgriffs | 14:42 | |
*** ametts has joined #openstack-barbican | 14:45 | |
*** dave-mccowan has quit IRC | 14:46 | |
*** nkinder has joined #openstack-barbican | 14:46 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/barbican: Make default action return 405 in the controllers https://review.openstack.org/144743 | 14:56 |
*** paul_glass has joined #openstack-barbican | 14:59 | |
*** openstack has joined #openstack-barbican | 15:05 | |
*** dave-mccowan has joined #openstack-barbican | 15:08 | |
*** ayoung has joined #openstack-barbican | 15:12 | |
*** trey has quit IRC | 15:17 | |
*** jorge_munoz has joined #openstack-barbican | 15:18 | |
*** SheenaG11 has quit IRC | 15:21 | |
*** zz_dimtruck is now known as dimtruck | 15:24 | |
*** kgriffs has quit IRC | 15:28 | |
*** kgriffs has joined #openstack-barbican | 15:28 | |
*** lisaclark1 has joined #openstack-barbican | 15:30 | |
*** paul_glass has quit IRC | 15:44 | |
*** Guest75222 is now known as redrobot | 15:45 | |
*** SheenaG1 has joined #openstack-barbican | 15:47 | |
*** lisaclark1 has quit IRC | 15:52 | |
*** dave-mccowan has quit IRC | 15:52 | |
*** paul_glass has joined #openstack-barbican | 15:52 | |
*** ryanpetrello_ has joined #openstack-barbican | 15:54 | |
*** ryanpetrello has quit IRC | 15:57 | |
*** ryanpetrello_ is now known as ryanpetrello | 15:57 | |
*** miqui has joined #openstack-barbican | 16:06 | |
*** openstackgerrit has quit IRC | 16:06 | |
*** openstackgerrit has joined #openstack-barbican | 16:07 | |
openstackgerrit | Merged openstack/barbican: Enable passing test regex to testr from tox https://review.openstack.org/144744 | 16:09 |
openstackgerrit | Merged openstack/barbican: Remove invalid TODOs related to bug 1331815 https://review.openstack.org/144604 | 16:10 |
*** dave-mccowan has joined #openstack-barbican | 16:12 | |
*** david-ly_ is now known as david-lyle | 16:13 | |
*** crc32 has quit IRC | 16:14 | |
*** atiwari has joined #openstack-barbican | 16:18 | |
*** david-lyle has quit IRC | 16:22 | |
*** paul_glass has quit IRC | 16:35 | |
*** gyee has joined #openstack-barbican | 16:36 | |
*** paul_glass has joined #openstack-barbican | 16:39 | |
*** paul_glass1 has joined #openstack-barbican | 16:39 | |
*** paul_glass has quit IRC | 16:43 | |
*** openstackgerrit has quit IRC | 16:51 | |
*** openstackgerrit has joined #openstack-barbican | 16:51 | |
*** kgriffs has quit IRC | 16:52 | |
*** kgriffs|afk has joined #openstack-barbican | 16:52 | |
*** kgriffs|afk is now known as kgriffs | 16:52 | |
*** openstackgerrit has quit IRC | 17:04 | |
*** openstackgerrit has joined #openstack-barbican | 17:04 | |
*** rellerreller has joined #openstack-barbican | 17:22 | |
openstackgerrit | Ade Lee proposed openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209 | 17:23 |
openstackgerrit | Merged openstack/python-barbicanclient: Enable passing test regex to testr from tox https://review.openstack.org/144759 | 17:23 |
*** mikedillion has quit IRC | 17:24 | |
*** crc32 has joined #openstack-barbican | 17:32 | |
woodster_ | alee: I think folks have been making comments on the various high priority blueprint CRs out there...would you have a chance this week to go over some of them? | 17:32 |
*** jaosorior has quit IRC | 17:33 | |
alee | woodster_, yes -- I plan to do just that | 17:34 |
alee | woodster_, can you look at https://review.openstack.org/142209 ? | 17:34 |
alee | I just made the relevant changes -- it would be good to get that in so that dave-mccowan can base his changes on that | 17:34 |
woodster_ | alee, sounds good | 17:35 |
alee | woodster_, trying to figure out now how to rebase my second patch on the first's changes .. | 17:35 |
*** kgriffs has quit IRC | 17:36 | |
*** kgriffs|afk has joined #openstack-barbican | 17:36 | |
*** kgriffs|afk is now known as kgriffs | 17:36 | |
*** lisaclark1 has joined #openstack-barbican | 17:37 | |
lisaclark1 | tdink: ping | 17:37 |
alee | woodster_, awesome thanks .. | 17:38 |
alee | now we just need some more +2'ers .. | 17:39 |
woodster_ | alee, I still follow the 'Add dependency' workflow here for simple dependencies (that others aren't contributing to): https://wiki.openstack.org/wiki/Gerrit_Workflow | 17:39 |
alee | reaperhulk, redrobot ? | 17:39 |
redrobot | alee hi! happy 2015! | 17:39 |
alee | you too ! :) | 17:40 |
alee | redrobot, need a review please .. https://review.openstack.org/#/c/142209/2 | 17:40 |
alee | rellerreller, jvrbanac ^^ | 17:41 |
*** paul_glass1 has quit IRC | 17:42 | |
alee | greghaynes, ^^ | 17:42 |
jvrbanac | alee, I'll take a look as soon as I get to a good stopping point | 17:42 |
*** paul_glass has joined #openstack-barbican | 17:42 | |
alee | jvrbanac, thanks | 17:43 |
jvrbanac | alee, Oh and happy new year! | 17:43 |
jvrbanac | :D | 17:43 |
alee | woodster_, yeah - I'm trying to follow that .. | 17:43 |
alee | you too :) | 17:43 |
greghaynes | alee: hey, will have a look | 17:43 |
alee | greghaynes, thanks - nothing too surprising in this one. | 17:44 |
alee | woodster_, so I'm trying to follow the instructions at the end .. | 17:46 |
alee | woodster_, ie. I have review X and review Y (X>Y) | 17:46 |
alee | woodster_, now I have updated review X | 17:46 |
alee | woodster_, so now I'm in the branch where I worked on review Y | 17:47 |
alee | and I want to update this branch with the modified version of review X | 17:47 |
greghaynes | alee: and y depends on x? | 17:47 |
alee | yup | 17:47 |
greghaynes | git rebase for great good | 17:47 |
greghaynes | basically you have to go to commit y; git rebase -i <hash of new X commit> | 17:48 |
greghaynes | and either remove the duplicate X commit in the rebase -i view, or do a second git rebase -i HEAD~3 | 17:49 |
greghaynes | It's not the most user friendly of operations ;) | 17:50 |
alee | actually I think I got it --- thanks -- removing the extra commit was what I was missing | 17:50 |
alee | jvrbanac, rellerreller - thanks - fixing now .. | 17:53 |
rellerreller | alee np | 17:53 |
alee | rellerreller, happy new year -- and congrats? | 17:54 |
rellerreller | alee yes congratulations :) | 17:54 |
jvrbanac | :D | 17:55 |
rellerreller | She was born on December 18 and all is good so far, except the lack of sleep | 17:55 |
greghaynes | ooo, congrats rellerreller! | 17:55 |
alee | rellerreller, so you | 17:55 |
alee | rellerreller, so you're coming in to work to get some sleep ? :) | 17:55 |
rellerreller | haha I actually thought about sleeping under my desk for an hour. It sounds like heaven right now. | 17:56 |
greghaynes | Pull a George Costanza | 17:57 |
*** lisaclark1 has quit IRC | 17:58 | |
alee | rellerreller, thankfully we're designed to forget the first three months -- otherwise, we'd never do it again. | 17:58 |
alee | so you just have a couple of months more .. | 17:58 |
openstackgerrit | Ade Lee proposed openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209 | 18:05 |
alee | jvrbanac, redrobot - looks like all the functional tests are failing on the gate | 18:07 |
jvrbanac | alee? | 18:08 |
alee | rellerreller, jvrbanac , greghaynes , woodster_ updated patch | 18:08 |
alee | jvrbanac, http://logs.openstack.org/09/142209/2/check/gate-barbican-devstack-dsvm/6e8ec33/ | 18:08 |
alee | from my last patch | 18:08 |
*** ryanpetrello has quit IRC | 18:10 | |
*** ryanpetrello has joined #openstack-barbican | 18:10 | |
jvrbanac | alee, I've seen this a couple of times lately. Most of the time, a recheck gets rid of it. However, we should probably get one of the QE guys to dig into it a bit | 18:11 |
jvrbanac | hockeynut, tdink ^^ | 18:11 |
*** tdink has quit IRC | 18:11 | |
*** lbragstad has quit IRC | 18:11 | |
*** erw has quit IRC | 18:12 | |
alee | jvrbanac, yeah - we'll see if it shows up again in my latest patch | 18:12 |
*** rm_work|away has quit IRC | 18:13 | |
jvrbanac | alee, at a very minimum, we should probably add some error handling around the line that is kicking off .json() so we get a better understanding of what's going on | 18:13 |
*** russell_h has quit IRC | 18:13 | |
*** jroll has quit IRC | 18:14 | |
*** nkinder has quit IRC | 18:16 | |
*** russell_h has joined #openstack-barbican | 18:16 | |
*** russell_h has quit IRC | 18:16 | |
*** russell_h has joined #openstack-barbican | 18:16 | |
*** jroll has joined #openstack-barbican | 18:16 | |
*** lisaclark1 has joined #openstack-barbican | 18:17 | |
*** tdink has joined #openstack-barbican | 18:17 | |
*** rm_work|away has joined #openstack-barbican | 18:17 | |
*** lbragstad has joined #openstack-barbican | 18:17 | |
greghaynes | Are there not request logs somewhere? | 18:17 |
greghaynes | would probably help a lot | 18:17 |
*** erw has joined #openstack-barbican | 18:17 | |
*** dimtruck is now known as zz_dimtruck | 18:17 | |
*** rm_work|away is now known as rm_work | 18:17 | |
*** rm_work has quit IRC | 18:17 | |
*** rm_work has joined #openstack-barbican | 18:17 | |
*** bdpayne has joined #openstack-barbican | 18:18 | |
greghaynes | oh, it's just in func tests, not tempest | 18:18 |
greghaynes | So looking at tests, I notice a lot of the state is created and deleted with setup and teardown instead of using fixtures | 18:27 |
greghaynes | so I wonder if there's a racy fail and then a big cascading failure due to state not getting unrolled... | 18:27 |
*** kgriffs is now known as kgriffs|afk | 18:28 | |
*** nkinder has joined #openstack-barbican | 18:29 | |
*** jroll has quit IRC | 18:31 | |
*** jroll has joined #openstack-barbican | 18:31 | |
woodster_ | rellerreller: catching up...congrats!!! First kiddo right? | 18:34 |
rellerreller | woodster_ Yes, first one. | 18:45 |
*** rellerreller has quit IRC | 19:02 | |
jvrbanac | alee, I tossed up a bug for the issue https://bugs.launchpad.net/barbican/+bug/1407767 | 19:03 |
alee | jvrbanac, ok thanks | 19:03 |
alee | jvrbanac, don't forget to +2 the latest patch :) | 19:04 |
alee | woodster_, jvrbanac https://review.openstack.org/#/c/142209 | 19:04 |
jvrbanac | alee, hopefully that recheck comes back ok | 19:07 |
*** paul_glass has quit IRC | 19:11 | |
*** zz_dimtruck is now known as dimtruck | 19:11 | |
*** jaosorior has joined #openstack-barbican | 19:12 | |
*** kgriffs|afk is now known as kgriffs | 19:16 | |
jaosorior | Will there be a meeting today? | 19:17 |
SheenaG1 | jaosorior: as far as I know, yes | 19:18 |
jaosorior | Alright | 19:20 |
jaosorior | Thanks :) | 19:20 |
jaosorior | And happy new year :D by the east | 19:20 |
jaosorior | Way not east | 19:21 |
SheenaG1 | jaosorior: Happy new year, sir! How are things with you? | 19:21 |
openstackgerrit | Ade Lee proposed openstack/barbican: Plugin contract changes for the certificate-order-api https://review.openstack.org/142212 | 19:34 |
alee | woodster_, greghaynes , jvrbanac : ^^ other patch updated. | 19:36 |
jaosorior | SheenaG1: All good! Back in Finland, life is good, just miss the food again :P | 19:37 |
alee | SheenaG1, happy new year! do we have details about the mid cycle hotel settled? | 19:37 |
SheenaG1 | alee: still no, working on that this week with lisaclark | 19:37 |
alee | SheenaG1, ok thanks | 19:38 |
woodster_ | alee: darn that JSONDecodeError! | 19:47 |
alee | woodster_, yeah .. | 19:48 |
alee | woodster_, updated the second patch too :) | 19:48 |
woodster_ | alee, taking a look now... | 19:49 |
alee | thanks | 19:49 |
openstackgerrit | John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535 | 19:50 |
redrobot | weekly meeting starts in 5 minutes on #openstack-meeting-alt | 19:55 |
*** paul_glass has joined #openstack-barbican | 19:57 | |
woodster_ | alee, just commit message changes on your CR please: https://review.openstack.org/#/c/142212 | 19:57 |
*** tkelsey has joined #openstack-barbican | 19:59 | |
alee | woodster_, gotcha - will do | 20:00 |
openstackgerrit | Ade Lee proposed openstack/barbican: Plugin contract changes for the certificate-order-api https://review.openstack.org/142212 | 20:02 |
alee | woodster_, done | 20:02 |
woodster_ | CR https://review.openstack.org/#/c/142209 passing all gates now! | 20:04 |
*** lisaclark1 has quit IRC | 20:14 | |
openstackgerrit | Merged openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209 | 20:20 |
alee | woohoo! 1 down .. | 20:21 |
*** lisaclark1 has joined #openstack-barbican | 20:21 | |
*** kgriffs is now known as kgriffs|afk | 20:35 | |
hockeynut | Happy New Year all - I'm not really here (returning to work tomorrow). Will jump at that functional testing issue | 20:46 |
*** rellerreller has joined #openstack-barbican | 20:55 | |
*** elmiko has joined #openstack-barbican | 20:58 | |
elmiko | woodster_: yo | 20:58 |
woodster_ | elmiko, hey there | 20:58 |
*** kgriffs|afk is now known as kgriffs | 20:58 | |
*** tkelsey has quit IRC | 20:59 | |
elmiko | woodster_: so yea, i'm just starting on a script that will generate the base required layer for a swagger doc, from the pecan impl in barb | 20:59 |
woodster_ | elmiko, I was told I needed to spin up on the status of that wadl file for Barbican. If you can auto gen that thing, so much the better! I'd heard swagger was pretty cool | 20:59 |
elmiko | it's certainly more readable than wadl, but i'm not sure if it's better. easier to implement maybe. | 21:00 |
elmiko | i'm hoping to have something that will generate the skeleton this week | 21:00 |
woodster_ | elmiko, that sounds nice. Are you wishing to consume that wadl with tooling on your side? | 21:00 |
woodster_ | elmiko, do you know how other projects are generating/publishing their wadls? | 21:02 |
elmiko | woodster_: so, i'd like to create something that generates the swagger from the code, not the wadl. | 21:02 |
elmiko | woodster_: as for other projects, it's a total mish-mosh. most use hand-hacked wadl, with a little bit of generated content. | 21:02 |
elmiko | there is a large gap in how much you can get done with the generators. it really depends on how much you want to mark up the code base. | 21:03 |
woodster_ | elmiko, oh got it. That's what I was thinking was the case | 21:03 |
elmiko | woodster_: yea, it seems like the API WG would definitely like to move towards something more consistent. but it's not clear what that will be yet. | 21:04 |
elmiko | part of why i'm playing around with this stuff =) | 21:04 |
elmiko | i think it would be really cool if we could come up with some sort of oslo package that might help projects facilitate the creation of these api docs | 21:05 |
elmiko | it gets pretty funky based on all the wsgi servers the different projects use. although i understand that there might be an unstated push for more projects to use pecan | 21:06 |
elmiko | woodster_: as for publishing, the only thing i know about so far is the api-ref page | 21:07 |
woodster_ | elmiko, yeah, we moved to Pecan to be more in line with other projects | 21:07 |
woodster_ | elmiko, do you mean out here?: http://developer.openstack.org/api-ref.html | 21:08 |
woodster_ | elmiko, we probably need to internally publish while we are incubating I figure | 21:09 |
elmiko | woodster_: yea, that's the site i meant. | 21:12 |
elmiko | woodster_: another option for publishing that i really like is how the keystone project publishes its api to their spec repo | 21:12 |
elmiko | https://github.com/openstack/keystone-specs/tree/master/api | 21:12 |
elmiko | but that's the main documents, although there would be room for wadl/swagger stuff there too. | 21:13 |
woodster_ | elmiko, that is an option for sure | 21:13 |
woodster_ | elmiko, we were documenting with docbook as other projects have done, but pulled back once we realized that it isn't officially published until we come out of incubation. The specs repo would probably be the next best thing. | 21:15 |
woodster_ | elmiko, better than our original API wiki here :) https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface | 21:16 |
elmiko | woodster_: yea, that's what i've been working from =) | 21:16 |
elmiko | woodster_: i think publishing to barbican-specs/api might be a really nice start. assuming there are no objections. | 21:16 |
*** jamielennox|away is now known as jamielennox | 21:30 | |
woodster_ | elmiko, per redrobot it seems that the docs team is moving to publish to the specs repo vs using docbook. Do you know about that? Do you follow the https://wiki.openstack.org/wiki/Meetings/DocTeamMeeting meetings at all? | 21:32 |
elmiko | woodster_: interesting.. i was not aware of that. but it seems like a good move, imo. | 21:32 |
elmiko | woodster_: i've been working towards trying to do this with the sahara stuff, but... well... time and things ;) | 21:33 |
*** jamielennox is now known as jamielennox|away | 21:35 | |
*** gyee has quit IRC | 21:37 | |
woodster_ | elmiko, yeah, I'm trying to get back into things in the new year after over 2 weeks off :) Any help you can provide on the API side would be helpful for sure. I'll also inquire about the 'official' place for docs and wadls to go, esp. for incubating projects like Barbican | 21:38 |
elmiko | woodster_: nice, so far my work has been pretty light. i'm trying to get this in as a side project basically. https://github.com/elmiko/sahara-doc is what i've put together so far for sahara. i was planning on something similar for my barbican efforts. | 21:40 |
woodster_ | elmiko, that looks interesting to me | 21:44 |
elmiko | woodster_: i really need to clean it up a bit. i might make a bigger repo to host both the sahara and barbican examples. | 21:45 |
woodster_ | elmiko, have you reached out to the docs team folks about this? | 21:46 |
elmiko | woodster_: in the beginning i did talk with annegentle and a few others in the channel. | 21:47 |
elmiko | mainly collecting information about api-ref site and their thoughts about auto-generated stuff | 21:47 |
elmiko | i also talked about it at summit in november with the api wg | 21:47 |
openstackgerrit | Nathan Reller proposed openstack/barbican-specs: Content Types https://review.openstack.org/145073 | 21:57 |
*** chlong has quit IRC | 21:59 | |
alee | woodster_, ping? | 22:00 |
alee | woodster_, whats the convention for column names in the database tables again? | 22:00 |
woodster_ | alee you mean for a new field, or a FK? | 22:01 |
alee | new field | 22:01 |
alee | so if for example, I'm creating a SecretACL table | 22:01 |
alee | and I want to specify the columns as .. | 22:02 |
alee | secret_id (FK) and acl | 22:02 |
woodster_ | alee, we've been using plurals for one to many assocs, singulars otherwise | 22:02 |
alee | So it's reasonable to say .. | 22:02 |
woodster_ | The Container's project_id is a FK example | 22:03 |
alee | The SecretACL table will have columns secret_id (FK,string) and acl (string) ? | 22:03 |
woodster_ | alee that makes sense, though what goes into acl? is that the user/group/project info for the whitelist? | 22:04 |
alee | yup - in some format that looks like an acl .. | 22:05 |
alee | like .. | 22:05 |
alee | (read) (user_id = foo || user_id =bar || group_id = baz) | 22:06 |
*** rellerreller has quit IRC | 22:07 | |
woodster_ | alee, is that how clients would specify the ACL then, with a string such as that example? | 22:07 |
alee | woodster_, no - I think they would just pass in the user lists / group lists | 22:08 |
alee | like we specified already in the cp | 22:08 |
alee | we'll parse that and convert it into an acl | 22:08 |
alee | that way clients do not need to understand acl language | 22:09 |
alee | woodster_, although being able to pass in acl language makes all this easily extensible .. | 22:10 |
alee | woodster_, but it also means syntax checking acl language on both client and server sides | 22:10 |
woodster_ | elmiko, were the docs folks interested in the auto gen work you are looking into? | 22:12 |
elmiko | woodster_: hmm, difficult to gauge. there is interest, but i think it depends which group you talk with. | 22:13 |
alee | jvrbanac, redrobot -- https://review.openstack.org/#/c/142212/ just looking for a +1 workflow :) | 22:13 |
woodster_ | elmiko, sounds like they might have to see a prototype before they know for sure? | 22:13 |
elmiko | woodster_: imo, the doc folks(i only talked with a couple) were interested but cautioned that auto-gen stuff usually left gaps that needed to be filled manually | 22:13 |
elmiko | woodster_: otoh, the api wg folks were interested in a lot of the extended implications that come from the work that formats like swagger are doing(e.g. code generation, and crazy stuff like that) | 22:14 |
woodster_ | elmiko that makes sense. It's easy to automate 80% of the things, but the other 20% is why they pay us the medium bucks! | 22:14 |
elmiko | woodster_: lol, too true =) | 22:15 |
elmiko | woodster_: from what i can tell, there aren't many "strong" opinions yet. folks are interested to see what could come out of these efforts though. | 22:15 |
elmiko | i think everyone generally likes the idea of api docs getting generated automagically during some build process, especially if the promise is that the api docs are more up-to-date. | 22:16 |
woodster_ | alee, that makes sense. My only concern is with queries....are there use cases for querying for all secrets accessible by user xyz? Probably only for auditing | 22:16 |
elmiko | the real issue then is how to cover those 20% gaps that will occur. | 22:17 |
alee | woodster_, not sure I understand your question -- I think you are referring to (list) operation perhaps? | 22:19 |
alee | woodster_, so acl could look like -- | 22:19 |
alee | (read) (user_id = foo || user_id =bar || group_id = baz) ; (list) (user_id = foo || group_id = auditor) | 22:20 |
woodster_ | alee, I'm referring to that acl field having a logical text in there...queries are not as straightforward vs if each user/group/project is broken out as a record in the table. Just not sure if there is a good use case for that though. It seems like the acl field approach should work as long as the overall text doesn't get too large. So essentially there | 22:22 |
woodster_ | would be a one to one between secrets and secretacl entities, correct? | 22:22 |
alee | yup | 22:22 |
woodster_ | elmiko, that's true | 22:22 |
woodster_ | alee, so were you going to update with an example like that one then? | 22:23 |
alee | woodster_, ideally the format we use would be one already supported by some standard python acl parsing library -- not sure if one such exists | 22:23 |
alee | woodster_, yup - doing that right now. | 22:23 |
*** gyee has joined #openstack-barbican | 22:29 | |
alee | woodster_, by query/list -- do you mean getting just the metadata of the secret? | 22:32 |
*** kgriffs has quit IRC | 22:33 | |
alee | woodster_, actually I'm wondering now whether it makes sense to allow clients to specify full acls in acl language | 22:34 |
woodster_ | alee, well just querying for secrets that have specific users/groups/projects associated with them. That seems like an auditing thing. | 22:34 |
alee | woodster_, right -- we don't have that ability now .. | 22:35 |
alee | woodster_, but if we did -- it would mean basically getting back the metadata -- or some portion thereof of the secrets | 22:36 |
*** kgriffs has joined #openstack-barbican | 22:36 | |
woodster_ | alee, well another aspect here is that originally we were going to feed oslo policy information and then let it do the acl logic. But it can't handle lists of users/groups/projects, correct? | 22:37 |
alee | well - we may need to extend it | 22:37 |
alee | I'd be really surprised if oslo could not be extended in some way | 22:38 |
alee | after all - it supports primitives for and/or | 22:38 |
*** SheenaG1 has quit IRC | 22:40 | |
openstackgerrit | John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535 | 22:41 |
woodster_ | alee, iow all we really needed to store for a secret was lists of users/groups/projects allowed to access the secret, and then let policy logic external to the secret determine access control. But defining that per secret provides more power...now blacklists would be possible (i.e. !user_foo) per secret. | 22:42 |
woodster_ | alee, the complexity is with updates...if a client wishes to add another user to the list that already has a complex acl string for it, either this has to be merged with it, or else would be overwritten. | 22:44 |
woodster_ | alee, yeah not so comfortable with the client API to acl field mismatch there...it seems that either the API should just have the acl string provided and then set as the client specifies for that secret, or else create a list of user/group/projects allowed for the secret per the current list-based API. Translating between the two approaches does not seem | 22:46 |
woodster_ | intuitive to me. | 22:46 |
alee | woodster_, agreed -- and I think I'm leaning towards the acl specification by both the api and acl field | 22:47 |
alee | woodster_, we've already specified 2 operations for which users/groups may need to be defined | 22:48 |
alee | (read, list) | 22:48 |
alee | we will likely eventually add write and maybe others | 22:48 |
alee | so would the api then need read_users, read_groups, write_users, write_groups .. etc .. ? | 22:49 |
alee | too complicated .. just let the client specify the acl | 22:50 |
alee | we can choose to ignore anything except read/list acls in kilo | 22:50 |
alee | but the framework will be there for post-kilo | 22:51 |
*** jamielennox|away is now known as jamielennox | 22:51 | |
*** alee is now known as alee_dinner | 22:56 | |
*** chlong has joined #openstack-barbican | 22:57 | |
*** ametts has quit IRC | 22:57 | |
*** ametts has joined #openstack-barbican | 23:01 | |
woodster_ | that makes sense alee. So for Kilo the per-secret ACLs only apply to GET operations | 23:01 |
*** dimtruck is now known as zz_dimtruck | 23:05 | |
*** SheenaG1 has joined #openstack-barbican | 23:07 | |
*** lisaclark1 has quit IRC | 23:12 | |
*** nkinder has quit IRC | 23:13 | |
*** chlong_ has joined #openstack-barbican | 23:14 | |
*** dave-mccowan has quit IRC | 23:37 | |
*** chlong has quit IRC | 23:39 | |
*** chlong_ has quit IRC | 23:39 | |
*** chlong_ has joined #openstack-barbican | 23:46 | |
*** chlong has joined #openstack-barbican | 23:46 | |
*** chlong_ has quit IRC | 23:46 | |
*** paul_glass has quit IRC | 23:51 | |
*** SheenaG1 has quit IRC | 23:55 |