Monday, 2015-01-05

*** dave-mccowan has quit IRC		00:08
*** woodster_ has joined #openstack-barbican		00:22
*** rm_work\|away is now known as rm_work		01:26
*** kebray has quit IRC		01:48
*** woodster_ has quit IRC		02:30
*** rm_work is now known as rm_work\|away		02:32
*** alee has joined #openstack-barbican		02:46
*** zz_dimtruck is now known as dimtruck		02:57
openstackgerrit	Merged openstack/barbican: Change keystone_id for external_id in model https://review.openstack.org/143344	03:06
*** woodster_ has joined #openstack-barbican		03:07
*** SheenaG1 has joined #openstack-barbican		03:25
*** SheenaG11 has joined #openstack-barbican		03:27
*** SheenaG1 has quit IRC		03:30
*** darrenmoffat has quit IRC		03:53
*** darrenmoffat has joined #openstack-barbican		03:54
*** dimtruck is now known as zz_dimtruck		04:24
openstackgerrit	John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535	04:35
*** chlong has joined #openstack-barbican		04:37
*** rm_work\|away is now known as rm_work		05:20
*** rm_work is now known as rm_work\|away		05:36
*** greghayn1 is now known as greghaynes		06:22
*** jamielennox is now known as jamielennox\|away		06:33
*** rm_work\|away is now known as rm_work		07:32
*** jaosorior has joined #openstack-barbican		07:42
*** chlong has quit IRC		07:47
*** rm_work is now known as rm_work\|away		08:08
*** woodster_ has quit IRC		08:10
*** mikedillion has joined #openstack-barbican		08:49
*** mikedillion has quit IRC		09:00
*** chlong has joined #openstack-barbican		10:47
*** kgriffs has quit IRC		10:51
*** kgriffs\|afk has joined #openstack-barbican		10:51
*** kgriffs\|afk is now known as kgriffs		10:51
*** chlong has quit IRC		11:36
*** hyakuhei_ has quit IRC		11:36
*** hyakuhei has joined #openstack-barbican		11:36
*** chlong has joined #openstack-barbican		11:52
*** david-lyle_afk has quit IRC		12:38
*** david-ly_ has joined #openstack-barbican		12:38
*** ryanpetrello has joined #openstack-barbican		12:56
*** woodster_ has joined #openstack-barbican		13:01
*** darrenmoffat has quit IRC		13:06
*** darrenmoffat has joined #openstack-barbican		13:13
*** kgriffs has quit IRC		13:38
*** kgriffs\|afk has joined #openstack-barbican		13:38
*** kgriffs\|afk is now known as kgriffs		13:38
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable passing test regex to testr from tox https://review.openstack.org/144759	14:00
jaosorior	woodster_: Should I file a bug regarding what was decided from this? https://bugs.launchpad.net/barbican/+bug/1376469 or should i just fix it and that's it?	14:03
woodster_	jaosorior, well I wouldn't mind getting other folks to weigh in on the comments there. Maybe we can get folks to discuss/decide in the IRC channel today.	14:06
jaosorior	That would be good	14:07
jaosorior	Though I'm actually quite convinced that having the id there is not the way to go	14:07
jaosorior	if the user specified an empty name, then that's what the user should get in return	14:08
jaosorior	it's the same behaviour with containers	14:08
jaosorior	woodster_: By the way, Happy new year man!	14:13
woodster_	jaosorior: same with you!	14:13
*** dave-mccowan has joined #openstack-barbican		14:30
*** mikedillion has joined #openstack-barbican		14:36
openstackgerrit	Merged openstack/barbican: Replace instances of keystone_id from the code https://review.openstack.org/144601	14:36
*** kgriffs has quit IRC		14:41
*** kgriffs\|afk has joined #openstack-barbican		14:41
*** kgriffs\|afk is now known as kgriffs		14:42
*** ametts has joined #openstack-barbican		14:45
*** dave-mccowan has quit IRC		14:46
*** nkinder has joined #openstack-barbican		14:46
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Make default action return 405 in the controllers https://review.openstack.org/144743	14:56
*** paul_glass has joined #openstack-barbican		14:59
*** openstack has joined #openstack-barbican		15:05
*** dave-mccowan has joined #openstack-barbican		15:08
*** ayoung has joined #openstack-barbican		15:12
*** trey has quit IRC		15:17
*** jorge_munoz has joined #openstack-barbican		15:18
*** SheenaG11 has quit IRC		15:21
*** zz_dimtruck is now known as dimtruck		15:24
*** kgriffs has quit IRC		15:28
*** kgriffs has joined #openstack-barbican		15:28
*** lisaclark1 has joined #openstack-barbican		15:30
*** paul_glass has quit IRC		15:44
*** Guest75222 is now known as redrobot		15:45
*** SheenaG1 has joined #openstack-barbican		15:47
*** lisaclark1 has quit IRC		15:52
*** dave-mccowan has quit IRC		15:52
*** paul_glass has joined #openstack-barbican		15:52
*** ryanpetrello_ has joined #openstack-barbican		15:54
*** ryanpetrello has quit IRC		15:57
*** ryanpetrello_ is now known as ryanpetrello		15:57
*** miqui has joined #openstack-barbican		16:06
*** openstackgerrit has quit IRC		16:06
*** openstackgerrit has joined #openstack-barbican		16:07
openstackgerrit	Merged openstack/barbican: Enable passing test regex to testr from tox https://review.openstack.org/144744	16:09
openstackgerrit	Merged openstack/barbican: Remove invalid TODOs related to bug 1331815 https://review.openstack.org/144604	16:10
*** dave-mccowan has joined #openstack-barbican		16:12
*** david-ly_ is now known as david-lyle		16:13
*** crc32 has quit IRC		16:14
*** atiwari has joined #openstack-barbican		16:18
*** david-lyle has quit IRC		16:22
*** paul_glass has quit IRC		16:35
*** gyee has joined #openstack-barbican		16:36
*** paul_glass has joined #openstack-barbican		16:39
*** paul_glass1 has joined #openstack-barbican		16:39
*** paul_glass has quit IRC		16:43
*** openstackgerrit has quit IRC		16:51
*** openstackgerrit has joined #openstack-barbican		16:51
*** kgriffs has quit IRC		16:52
*** kgriffs\|afk has joined #openstack-barbican		16:52
*** kgriffs\|afk is now known as kgriffs		16:52
*** openstackgerrit has quit IRC		17:04
*** openstackgerrit has joined #openstack-barbican		17:04
*** rellerreller has joined #openstack-barbican		17:22
openstackgerrit	Ade Lee proposed openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209	17:23
openstackgerrit	Merged openstack/python-barbicanclient: Enable passing test regex to testr from tox https://review.openstack.org/144759	17:23
*** mikedillion has quit IRC		17:24
*** crc32 has joined #openstack-barbican		17:32
woodster_	alee: I think folks have been making comments on the various high priority blueprint CRs out there...would you have a chance this week to go over some of them?	17:32
*** jaosorior has quit IRC		17:33
alee	woodster_, yes -- I plan to do just that	17:34
alee	woodster_, can you look at https://review.openstack.org/142209 ?	17:34
alee	I just made the relevant changes -- it would be good to get that in so that dave-mccowan can base his changes on that	17:34
woodster_	alee, sounds good	17:35
alee	woodster_, trying to figure out now how to rebase my second patch on the first's changes ..	17:35
*** kgriffs has quit IRC		17:36
*** kgriffs\|afk has joined #openstack-barbican		17:36
*** kgriffs\|afk is now known as kgriffs		17:36
*** lisaclark1 has joined #openstack-barbican		17:37
lisaclark1	tdink: ping	17:37
alee	woodster_, awesome thanks ..	17:38
alee	now we just need some more +2'ers ..	17:39
woodster_	alee, I still follow the 'Add dependency' workflow here for simple dependencies (that others aren't contributing to): https://wiki.openstack.org/wiki/Gerrit_Workflow	17:39
alee	reaperhulk, redrobot ?	17:39
redrobot	alee hi! happy 2015!	17:39
alee	you too ! :)	17:40
alee	redrobot, need a review please .. https://review.openstack.org/#/c/142209/2	17:40
alee	rellerreller, jvrbanac ^^	17:41
*** paul_glass1 has quit IRC		17:42
alee	greghaynes, ^^	17:42
jvrbanac	alee, I'll take look as soon as a I get to a good stopping point	17:42
*** paul_glass has joined #openstack-barbican		17:42
alee	jvrbanac, thanks	17:43
jvrbanac	alee, Oh and happy new year!	17:43
jvrbanac	:D	17:43
alee	woodster_, yeah - I'm trying to follow that ..	17:43
alee	you too :)	17:43
greghaynes	alee: hey, will have a look	17:43
alee	greghaynes, thanks - nothing too surprising in this one.	17:44
alee	woodster_, so I'm trying to follow the instructions at the end ..	17:46
alee	woodster_, ie. I have review X and review Y (X>Y)	17:46
alee	woodster_, now I have updated review X	17:46
alee	woodster_, so now I'm in the branch where I worked on review Y	17:47
alee	and I want to update this branch with the modified version of review X	17:47
greghaynes	alee: and y depends on x?	17:47
alee	yup	17:47
greghaynes	git rebase for great good	17:47
greghaynes	basically you have to go to commit y; git rebase -i <hash of new X commit>	17:48
greghaynes	and either remove the duplicate X commit in the rebase -i view, or do a second git rebase -i HEAD~3	17:49
greghaynes	Its not the most user friendly of operations ;)	17:50
alee	actually I think I got it --- thanks -- removing the extra commit was what I was missing	17:50
alee	jvrbanac, rellerreller - thanks - fixing now ..	17:53
rellerreller	alee np	17:53
alee	rellerreller, happy new year -- and congrats?	17:54
rellerreller	alee yes congratulations :)	17:54
jvrbanac	:D	17:55
rellerreller	She was born on December 18 and all is good so far, except the lack of sleep	17:55
greghaynes	ooo, congrats rellerreller!	17:55
alee	rellerreller, so you	17:55
alee	rellerreller, so you're coming in to work to get some sleep ? :)	17:55
rellerreller	haha I actually thought about sleeping under my desk for an hour. It sounds like heaven right now.	17:56
greghaynes	Pull a George Costanza	17:57
*** lisaclark1 has quit IRC		17:58
alee	rellerreller, thankfully we're designed to forget the first three months -- otherwise, we'd never do it again.	17:58
alee	so you just have a couple of months more ..	17:58
openstackgerrit	Ade Lee proposed openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209	18:05
alee	jvrbanac, redrobot - looks like all the functional tests are failing on the gate	18:07
jvrbanac	alee?	18:08
alee	rellerreller, jvrbanac , greghaynes , woodster_ updated patch	18:08
alee	jvrbanac, http://logs.openstack.org/09/142209/2/check/gate-barbican-devstack-dsvm/6e8ec33/	18:08
alee	from my last patch	18:08
*** ryanpetrello has quit IRC		18:10
*** ryanpetrello has joined #openstack-barbican		18:10
jvrbanac	alee, I've seen this a couple of times lately. Most of the time, a recheck to get rid of it. However, we should probably get one of the QE guys to dig into it a bit	18:11
jvrbanac	hockeynut, tdink ^^	18:11
*** tdink has quit IRC		18:11
*** lbragstad has quit IRC		18:11
*** erw has quit IRC		18:12
alee	jvrbanac, yeah - we'll see if it shows up again in my lastest patch	18:12
*** rm_work\|away has quit IRC		18:13
jvrbanac	alee, at a very minimum, we should probably add some error handling around the line that is kicking off .json() so we get better understanding of whats going on	18:13
*** russell_h has quit IRC		18:13
*** jroll has quit IRC		18:14
*** nkinder has quit IRC		18:16
*** russell_h has joined #openstack-barbican		18:16
*** russell_h has quit IRC		18:16
*** russell_h has joined #openstack-barbican		18:16
*** jroll has joined #openstack-barbican		18:16
*** lisaclark1 has joined #openstack-barbican		18:17
*** tdink has joined #openstack-barbican		18:17
*** rm_work\|away has joined #openstack-barbican		18:17
*** lbragstad has joined #openstack-barbican		18:17
greghaynes	Are there not request logs somewhere?	18:17
greghaynes	would probably help a lot	18:17
*** erw has joined #openstack-barbican		18:17
*** dimtruck is now known as zz_dimtruck		18:17
*** rm_work\|away is now known as rm_work		18:17
*** rm_work has quit IRC		18:17
*** rm_work has joined #openstack-barbican		18:17
*** bdpayne has joined #openstack-barbican		18:18
greghaynes	oh, its just in func tests, not tempest	18:18
greghaynes	So looking at tests, I notice a lot of the state is created and deleted with setup and teardown instead of using fixtures	18:27
greghaynes	so I wonder if theres a racy fail and then a big cascading failure due to state not getting unrolled...	18:27
*** kgriffs is now known as kgriffs\|afk		18:28
*** nkinder has joined #openstack-barbican		18:29
*** jroll has quit IRC		18:31
*** jroll has joined #openstack-barbican		18:31
woodster_	rellerreller: catching up...congrats!!! First kiddo right?	18:34
rellerreller	woodster_ Yes, first one.	18:45
*** rellerreller has quit IRC		19:02
jvrbanac	alee, I tossed up a bug for the issue https://bugs.launchpad.net/barbican/+bug/1407767	19:03
alee	jvrbanac, ok thanks	19:03
alee	jvrbanac, dont forget to +2 the latest patch :)	19:04
alee	woodster_, jvrbanac https://review.openstack.org/#/c/142209	19:04
jvrbanac	alee, hopefully that recheck comes back ok	19:07
*** paul_glass has quit IRC		19:11
*** zz_dimtruck is now known as dimtruck		19:11
*** jaosorior has joined #openstack-barbican		19:12
*** kgriffs\|afk is now known as kgriffs		19:16
jaosorior	Will there be a meeting today?	19:17
SheenaG1	jaosorior: as far as I know, yes	19:18
jaosorior	Alright	19:20
jaosorior	Thanks :)	19:20
jaosorior	And happy new year :D by the east	19:20
jaosorior	Way not east	19:21
SheenaG1	jaosorior: Happy new year, sir! How are things with you?	19:21
openstackgerrit	Ade Lee proposed openstack/barbican: Plugin contract changes for the certificate-order-api https://review.openstack.org/142212	19:34
alee	woodster_, greghaynes , jvrbanac : ^^ other patch updated.	19:36
jaosorior	SheenaG1: All good! Back in Finland, life is good, just miss the food again :P	19:37
alee	SheenaG1, happy new year! do we have details about the mid cycle hotel settled?	19:37
SheenaG1	alee: still no, working on that this week with lisaclark	19:37
alee	SheenaG1, ok thanks	19:38
woodster_	alee: darn that JSONDecodeError!	19:47
alee	woodster_, yeah ..	19:48
alee	woodster_, updated the second patch too :)	19:48
woodster_	alee, taking a look now...	19:49
alee	thanks	19:49
openstackgerrit	John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535	19:50
redrobot	weekly meeting starts in 5 minutes on #openstack-meeting-alt	19:55
*** paul_glass has joined #openstack-barbican		19:57
woodster_	alee, just commit message changes on your CR please: https://review.openstack.org/#/c/142212	19:57
*** tkelsey has joined #openstack-barbican		19:59
alee	woodster_, gotcha - will do	20:00
openstackgerrit	Ade Lee proposed openstack/barbican: Plugin contract changes for the certificate-order-api https://review.openstack.org/142212	20:02
alee	woodster_, done	20:02
woodster_	CR https://review.openstack.org/#/c/142209 passing all gates now!	20:04
*** lisaclark1 has quit IRC		20:14
openstackgerrit	Merged openstack/barbican: Add validation for certificate-order-api https://review.openstack.org/142209	20:20
alee	woohoo! 1 down ..	20:21
*** lisaclark1 has joined #openstack-barbican		20:21
*** kgriffs is now known as kgriffs\|afk		20:35
hockeynut	Happy New Year all - I'm not really here (returning to work tomorrow). Will jump at that functional testing issue	20:46
*** rellerreller has joined #openstack-barbican		20:55
*** elmiko has joined #openstack-barbican		20:58
elmiko	woodster_: yo	20:58
woodster_	elmiko, hey there	20:58
*** kgriffs\|afk is now known as kgriffs		20:58
*** tkelsey has quit IRC		20:59
elmiko	woodster_: so yea, i'm just starting on a script that will generate the base required layer for a swagger doc, from the pecan impl in barb	20:59
woodster_	elmiko, I was told I needed to spin up on the status of that wadl file for Barbican. If you can auto gen that thing, so much the better! I'd heard swagger was pretty cool	20:59
elmiko	it's certainly more readable than wadl, but i'm not sure if it's better. easier to implement maybe.	21:00
elmiko	i'm hoping to have something that will generate the skeleton this week	21:00
woodster_	elmiko, that sounds nice. Are you wishing to consume that wadl with tooling on your side?	21:00
woodster_	elmiko, do you know how other projects are generating/publishing their wadls?	21:02
elmiko	woodster_: so, i'd like to create something that generates the swagger from the code, not the wadl.	21:02
elmiko	woodster_: as for other projects, it's a total mish-mosh. most use hand-hacked wadl, with a little bit of generated content.	21:02
elmiko	there is a large gap in how much you can get done with the generators. it really depends on how much you want to mark up the code base.	21:03
woodster_	elmiko, oh got it. That's was I was thinking was the case	21:03
elmiko	woodster_: yea, it seems like the API WG would definitely like to move towards something more consistent. but it's not clear what that will be yet.	21:04
elmiko	part of why i'm playing around with this stuff =)	21:04
elmiko	i think it would be really cool if we could come up with some sort of oslo package that might help projects facilitate the creation of these api docs	21:05
elmiko	it get pretty funky based on all the wsgi servers the different projects use. although i understand that there might be an unstated push for more projects to use pecan	21:06
elmiko	woodster_: as for publishing, the only thing i know about so far is the api-ref page	21:07
woodster_	elmiko, yeah, we moved to Pecan to be more in line with other projects	21:07
woodster_	elmiko, do you mean out here?: http://developer.openstack.org/api-ref.html	21:08
woodster_	elmiko, we probably need to internally publish while we are incubating I figure	21:09
elmiko	woodster_: yea, that the site i meant.	21:12
elmiko	woodster_: another option for publishing that i really like is how the keystone project publishes it's api to their spec repo	21:12
elmiko	https://github.com/openstack/keystone-specs/tree/master/api	21:12
elmiko	but that's the main documents, although there would be room for wadl/swagger stuff there too.	21:13
woodster_	elmiko, that is an option for sure	21:13
woodster_	elmiko, we were documenting with docbook as other projects have done, but pulled back once we realized that it isn't officially published until we come out of incubation. The specs repo would probably be the next best thing.	21:15
woodster_	elmiko, better than our original API wiki here :) https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface	21:16
elmiko	woodster_: yea, that's what i've been working from =)	21:16
elmiko	woodster_: i think publishing to barbican-specs/api might be a really nice start. assuming there are no objections.	21:16
*** jamielennox\|away is now known as jamielennox		21:30
woodster_	elmiko, per redrobot it seems that the docs team is moving to publish to the specs repo vs using docbook. Do you know about that? Do you follow the https://wiki.openstack.org/wiki/Meetings/DocTeamMeeting meetings at all?	21:32
elmiko	woodster_: interesting.. i was not aware of that. but it seems like a good move, imo.	21:32
elmiko	woodster_: i've been working towards trying to do this with the sahara stuff, but... well... time and things ;)	21:33
*** jamielennox is now known as jamielennox\|away		21:35
*** gyee has quit IRC		21:37
woodster_	elmiko, yeah, I'm trying to get back into things in the new year after over 2 weeks off :) Any help you can provide on the API side would be helpful for sure. I'll also inquire about the 'official' place for docs and wadls to go, esp. for incubating projects like Barbican	21:38
elmiko	woodster_: nice, so far my work has been pretty light. i'm trying to get this in as a side project basically. https://github.com/elmiko/sahara-doc is what i've put together so far for sahara. i was planning on something similiar for my barbican efforts.	21:40
woodster_	elmiko, that looks interesting to me	21:44
elmiko	woodster_: i really need to clean it up a bit. i might make a bigger repo to host both the sahara and barbican examples.	21:45
woodster_	elmiko, have you reached out to the docs team folks about this?	21:46
elmiko	woodster_: in the beginning i did talk with annegentle and a few others in the channel.	21:47
elmiko	mainly collecting information about api-ref site and their thoughts about auto-generated stuff	21:47
elmiko	i also talked about it at summit in november with the api wg	21:47
openstackgerrit	Nathan Reller proposed openstack/barbican-specs: Content Types https://review.openstack.org/145073	21:57
*** chlong has quit IRC		21:59
alee	woodster_, ping?	22:00
alee	woodster_, whats the convention for column names in the database tables again?	22:00
woodster_	alee you mean for a new field, or a FK?	22:01
alee	new field	22:01
alee	so if for example, I'm creating a SecretACL table	22:01
alee	and I want to specify the columns as ..	22:02
alee	secret_id (FK) and acl	22:02
woodster_	alee, we've been using plurals for one to many assocs, singulars otherwise	22:02
alee	So its reasonable to say ..	22:02
woodster_	The Container's project_id is a FK example	22:03
alee	The SecretACL table will have columns secret_id (FK,string) and acl (string) ?	22:03
woodster_	alee that makes sense, thought what goes into acl? is that the user/group/project info for the whitelist?	22:04
alee	yup - in some format that looks like an acl ..	22:05
alee	like ..	22:05
alee	(read) (user_id = foo \|\| user_id =bar \|\| group_id = baz)	22:06
*** rellerreller has quit IRC		22:07
woodster_	alee, is that how clients would specify the ACL then, with a string such as that example?	22:07
alee	woodster_, no - I think they would just pass in the user lists / group lists	22:08
alee	like we specified alreadty in the cp	22:08
alee	we'll parse that and convert it into an acl	22:08
alee	that way clients do not need to understand acl language	22:09
alee	woodster_, although being able to pass in acl language makes all this easily extensible ..	22:10
alee	woodster_, but it also means syntax checking acl language on both client and server sides	22:10
woodster_	elmiko, were the docs folks interested in the auto gen work you are looking into?	22:12
elmiko	woodster_: hmm, difficult to gauge. there is interest, but i think it depends which group you talk with.	22:13
alee	jvrbanac, redrobot -- https://review.openstack.org/#/c/142212/ just looking for a +1 workflow :)	22:13
woodster_	elmiko, sounds like they might have to see a prototype before they know for sure?	22:13
elmiko	woodster_: imo, the doc folks(i only talked with a couple) were interested but cautioned that auto-gen stuff usually left gaps that needed to be filled manually	22:13
elmiko	woodster_: otoh, the api wg folks were interested in a lot of the extended implications that come from the work that formats like swagger are doing(e.g. code generation, and crazy stuff like that)	22:14
woodster_	elmiko that makes sense. It's easy to automate 80% of the things, but the other 20% is why they pay us the medium bucks!	22:14
elmiko	woodster_: lol, too true =)	22:15
elmiko	woodster_: from what i can tell, there aren't many "strong" opinions yet. folks are interested to see what could come out of these efforts though.	22:15
elmiko	i think everyone generally likes the idea of api docs getting generated automagically during some build process, especially if the promise is that the api docs are more up-to-date.	22:16
woodster_	alee, that makes sense. My only concern is with queries....are there use cases for querying for all secrets accessible by user xyz? Probably only for auditing	22:16
elmiko	the real issue then is how to cover those 20% gaps that will occur.	22:17
alee	woodster_, not sure I understand your question -- I think you are referring to (list) operation perhaps?	22:19
alee	woodster_, so acl could look like --	22:19
alee	(read) (user_id = foo \|\| user_id =bar \|\| group_id = baz) ; (list) (user_id = foo \|\| group_id = auditor)	22:20
woodster_	alee, I'm referring to that acl field having a logical text in there...queries are not as straightforward vs if each user/group/project is broken out as a record in the table. Just not sure if there is a good use case for that though. It seems like the acl field approach should work as long as the overall text doesn't get too large. So essentially there	22:22
woodster_	would be a one to one between secrets and secretacl entities, correct?	22:22
alee	yup	22:22
woodster_	elmiko, that's true	22:22
woodster_	alee, so were you going to update with an example like that one then?	22:23
alee	woodster_, ideally the format we use would be one already supported by some standard python acl parsing library -- not sure id one such exusts	22:23
alee	woodster_, yup - doing that right now.	22:23
*** gyee has joined #openstack-barbican		22:29
alee	woodster_, by query/list -- do you mean getting just the metadata of the secret?	22:32
*** kgriffs has quit IRC		22:33
alee	woodster_, actually I'm wondering now whether it makes sense to allow clients to specify full acls in acl language	22:34
woodster_	alee, well just querying for secrets that have specific users/groups/projects associated with them. That seems like an auditing thing.	22:34
alee	woodster_, right -- we dont have that ability now ..	22:35
alee	woodster_, but if we did -- it would mean basically getting back the metadata -- or some portion thereof of the secrets	22:36
*** kgriffs has joined #openstack-barbican		22:36
woodster_	alee, well another aspect here is that originally we were going to feed oslo policy information and then let it do the acl logic. But it can't handle lists of users/groups/projects, correct?	22:37
alee	well - we may need to extend it	22:37
alee	I'd be really surprised if oslo could not be extneded in some way	22:38
alee	after all - it supports primitives for and/or	22:38
*** SheenaG1 has quit IRC		22:40
openstackgerrit	John Wood proposed openstack/barbican: Add I18n-related unit tests (Part 3) https://review.openstack.org/141535	22:41
woodster_	alee, iow all we really needed to store for a secret was lists of users/groups/projects allowed to access the secret, and then let policy logic external to the secret determine access control. But defining that per secret provides more power...now blacklists would be possible (i.e. !user_foo) per secret.	22:42
woodster_	alee, the complexity is with updates...if a client wishes to add another user to the list that already has a complex acl string for it, either this has to be merged with it, or else would be overwritten.	22:44
woodster_	alee, yeah not so comfortable with the client API to acl field mismatch there...it seems that either the API should just have the acl string provided and then set as the client specifies for that secret, or else create a list of user/group/projects allowed for the secret per the current list-based API. Translating between the two approaches does not seem	22:46
woodster_	intuitive to me.	22:46
alee	woodster_, agreed -- and I think I'm leaning towards the acl specification by both the api and acl field	22:47
alee	woodster_, we've already specified 2 operations for which users/groups may need to be defined	22:48
alee	(read, list)	22:48
alee	we will likely eventually add write and maybe others	22:48
alee	so would the api then need read_users, read_groups, write_users, write_groups .. etc .. ?	22:49
alee	too complicated .. just let the client specify the acl	22:50
alee	we can choose to ignore anything except read/list acls in kilo	22:50
alee	but the framework will be there for post-kilo	22:51
*** jamielennox\|away is now known as jamielennox		22:51
*** alee is now known as alee_dinner		22:56
*** chlong has joined #openstack-barbican		22:57
*** ametts has quit IRC		22:57
*** ametts has joined #openstack-barbican		23:01
woodster_	that makes sense alee. So for Kilo the per-secret ACLs only apply to GET operations	23:01
*** dimtruck is now known as zz_dimtruck		23:05
*** SheenaG1 has joined #openstack-barbican		23:07
*** lisaclark1 has quit IRC		23:12
*** nkinder has quit IRC		23:13
*** chlong_ has joined #openstack-barbican		23:14
*** dave-mccowan has quit IRC		23:37
*** chlong has quit IRC		23:39
*** chlong_ has quit IRC		23:39
*** chlong_ has joined #openstack-barbican		23:46
*** chlong has joined #openstack-barbican		23:46
*** chlong_ has quit IRC		23:46
*** paul_glass has quit IRC		23:51
*** SheenaG1 has quit IRC		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!