Monday, 2015-01-26

*** kebray has quit IRC		00:31
*** kebray has joined #openstack-barbican		00:32
*** woodster_ has joined #openstack-barbican		02:06
*** zz_dimtruck is now known as dimtruck		02:27
*** lisaclark2 has joined #openstack-barbican		02:31
*** lisaclark1 has quit IRC		02:34
*** lisaclark2 has quit IRC		02:34
*** lisaclark1 has joined #openstack-barbican		02:40
*** lisaclark1 has quit IRC		03:11
*** elmiko_ is now known as elmiko		03:26
*** dimtruck is now known as zz_dimtruck		05:10
*** zz_dimtruck is now known as dimtruck		05:11
*** dimtruck is now known as zz_dimtruck		05:20
*** jaosorior has joined #openstack-barbican		06:03
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Remove version from endpoints in catalog https://review.openstack.org/127865	06:29
*** woodster_ has quit IRC		07:13
*** kebray has quit IRC		08:31
*** Guest66252 is now known as d0ugal		09:22
*** d0ugal has quit IRC		09:23
*** d0ugal has joined #openstack-barbican		09:23
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements https://review.openstack.org/149482	10:33
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Inherit tests instead of explictly calling them https://review.openstack.org/149998	11:19
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Inherit tests instead of explictly calling them https://review.openstack.org/149998	11:24
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Remove commented test cases https://review.openstack.org/150002	11:30
*** alpha_ori has quit IRC		12:51
*** redrobot has quit IRC		12:51
*** redrobot has joined #openstack-barbican		12:53
*** redrobot is now known as Guest36473		12:53
*** alpha_ori has joined #openstack-barbican		12:55
*** reaperhulk_ is now known as reaperhulk		13:25
*** woodster_ has joined #openstack-barbican		13:26
*** darrenmoffat has quit IRC		13:40
*** darrenmoffat has joined #openstack-barbican		13:41
*** jraim has quit IRC		14:15
*** jraim has joined #openstack-barbican		14:15
*** ametts has joined #openstack-barbican		14:47
*** lisaclark1 has joined #openstack-barbican		14:56
*** lisaclark1 has quit IRC		15:09
*** lisaclark1 has joined #openstack-barbican		15:12
*** kebray has joined #openstack-barbican		15:12
*** sigmavirus24_awa is now known as sigmavirus24		15:12
*** kebray has quit IRC		15:14
*** SheenaG1 has joined #openstack-barbican		15:15
*** kebray has joined #openstack-barbican		15:16
*** zz_dimtruck is now known as dimtruck		15:22
*** kebray has quit IRC		15:27
*** SheenaG1 has quit IRC		15:29
*** lisaclark1 has quit IRC		15:40
*** lisaclark1 has joined #openstack-barbican		15:40
openstackgerrit	Ade Lee proposed openstack/barbican: Added new model classes for CAs https://review.openstack.org/147323	15:43
openstackgerrit	Ade Lee proposed openstack/barbican: Added new repository classes and controller classes for CAs https://review.openstack.org/147981	15:44
openstackgerrit	Ade Lee proposed openstack/barbican: Add code to populate CA tables and select plugin based on ca_id https://review.openstack.org/150070	15:44
openstackgerrit	Merged openstack/barbican: Remove commented test cases https://review.openstack.org/150002	15:44
openstackgerrit	Merged openstack/python-barbicanclient: Updated from global requirements https://review.openstack.org/149482	15:46
*** kebray has joined #openstack-barbican		15:46
*** kebray has quit IRC		15:49
*** kebray has joined #openstack-barbican		15:49
*** SheenaG1 has joined #openstack-barbican		15:56
*** kgriffs\|afk is now known as kgriffs		15:58
*** rellerreller has joined #openstack-barbican		16:00
*** nkinder has joined #openstack-barbican		16:03
*** Guest36473 is now known as redrobot		16:06
openstackgerrit	Merged openstack/barbican: Refactor order validation https://review.openstack.org/148900	16:07
*** kebray has quit IRC		16:13
alee	rm_work, ping	16:16
rm_work	alee: pong	16:16
alee	rm_work, so, you gotten ok to work on per-secret stuff?	16:19
*** lisaclark1 has quit IRC		16:19
*** lisaclark2 has joined #openstack-barbican		16:19
alee	rm_work, just checking - because if you have, I'll prioritze getting a new version of the spec out first	16:19
rm_work	alee: yes I think so, but next sprint	16:19
alee	rm_work, which starts when?	16:20
rm_work	this sprint I am needed on internal stuff, and only had time to squeeze in Castellan since that should be super quick	16:20
rm_work	alee: uhh, two weeks	16:20
alee	rm_work, ok cool	16:20
rm_work	alee: if we're in a time crunch, i could maybe take a look over weekends :P	16:20
rm_work	but that would definitely cut into my shooting people in the face in videogames time	16:21
*** lisaclark1 has joined #openstack-barbican		16:21
alee	rm_work, :) while I think it would help your overall outlook to life being less bloodthirsty in your pursuits, I don't think we're in a crunch yet	16:22
*** lisaclark2 has quit IRC		16:22
rm_work	hehe	16:22
rm_work	yeah just let me know	16:23
rm_work	I am still reviewing as much as I can, so let me know when the new spec is up	16:23
alee	rm_work, will do - thanks	16:23
openstackgerrit	Merged openstack/barbican: Inherit tests instead of explictly calling them https://review.openstack.org/149998	16:24
*** kebray has joined #openstack-barbican		16:26
*** kebray has quit IRC		16:33
*** david-ly_ is now known as david-lyle		16:33
*** kebray has joined #openstack-barbican		16:39
*** rellerreller has quit IRC		16:42
openstackgerrit	Ade Lee proposed openstack/barbican: Added new model classes for CAs https://review.openstack.org/147323	16:50
openstackgerrit	Ade Lee proposed openstack/barbican: Add code to populate CA tables and select plugin based on ca_id https://review.openstack.org/150070	16:50
openstackgerrit	Ade Lee proposed openstack/barbican: Added new repository classes and controller classes for CAs https://review.openstack.org/147981	16:50
*** lisaclark1 has quit IRC		16:56
*** rellerreller has joined #openstack-barbican		16:57
*** lisaclark1 has joined #openstack-barbican		16:58
*** ayoung is now known as adminyoung		17:20
*** codekobe has quit IRC		17:34
*** codekobe has joined #openstack-barbican		17:35
*** kebray has quit IRC		17:35
*** lisaclark1 has quit IRC		17:45
*** gyee has joined #openstack-barbican		18:04
*** adminyoung is now known as ayoung		18:09
*** lisaclark1 has joined #openstack-barbican		18:26
*** kebray has joined #openstack-barbican		18:28
*** atiwari has joined #openstack-barbican		18:39
tdink	jaosorior woodster_ when working with barbican python client should objects return the dates as a string or a datetime object	18:42
jaosorior	verifyiing	18:47
jaosorior	it will be what oslo.utils.timeutils.parse_isotime returns	18:47
jaosorior	that's what I'm verifying	18:47
jaosorior	should be datetime objects	18:49
jaosorior	tdink	18:49
jaosorior	woodster_: Have you heard anything from the Digicert guys? This CR (https://review.openstack.org/#/c/138199/6)has been there a loooong time and they haven't replied :/	18:57
jaosorior	https://review.openstack.org/#/c/138199/6	18:57
woodster_	jaosorior: ha SheenaG1 and I talked about that this morning, so I added a question to the CR after yours, I also emailed Jeff as well	19:01
jaosorior	yeah, I had asked a while ago and got no response. On the other hand, it's almost been 2 months ever since his last contact	19:02
jaosorior	weird :/	19:02
woodster_	jaosorior: well his email didn't bounce yet so if he's still working there... :)	19:05
jaosorior	alright, seems legit	19:06
jaosorior	woodster_: What about this CR https://review.openstack.org/#/c/125798/ ?	19:07
jaosorior	you haven't replied in a while :O	19:07
woodster_	jaosorior: oh yeah forgot about that	19:10
*** atiwari has quit IRC		19:11
jaosorior	Kinda wanna get that merged :P	19:11
jaosorior	I could even work on it myself, if it's OK with you	19:12
*** david-lyle is now known as david-lyle_afk		19:15
jaosorior	redrobot: ping	19:19
redrobot	jaosorior pong	19:20
jaosorior	hey dude, I know this has been asked before (but I forgot), was there a hotel deal or something for the meetup? gonna book stuff tomorrow	19:20
*** kebray has quit IRC		19:22
openstackgerrit	Tim Kelsey proposed openstack/barbican-specs: Adding spec for Barbican MKEK Model. https://review.openstack.org/148948	19:23
redrobot	jaosorior no deals, unfortunately. Most of us are staying at the Omni, which I think is either the same building or next-door to Capital Factory http://www.omnihotels.com/hotels/austin-downtown	19:23
jaosorior	alright, will keep it in mind, thanks dude	19:23
jaosorior	You guys know Austin well? We gotta go to some good taco places :P	19:24
redrobot	lol, Torchy's is supposed to be one of the best taco places	19:25
redrobot	but I think San Anto has a better taco game	19:25
jaosorior	oho	19:26
jaosorior	...hungry	19:27
redrobot	start your own taco stand in helsinki	19:27
redrobot	I bet you could make a killing out there	19:28
jaosorior	hahaha I've thought about it	19:28
*** kebray has joined #openstack-barbican		19:28
jaosorior	should I leave my life as a dev for tacos? decisions, decisions	19:29
*** jkf has joined #openstack-barbican		19:38
* greghaynes makes shameless plug for one more +2 on https://review.openstack.org/#/c/140575/		19:40
jaosorior	greghaynes: Well... there is a -1 there	19:41
greghaynes	Yea, read my reply :)	19:41
jaosorior	ah, nevermind	19:41
jaosorior	just read it	19:41
jaosorior	yeah	19:41
jaosorior	lets take a look	19:41
greghaynes	woo!	19:42
jaosorior	before scoring	19:48
jaosorior	woodster_, jvrbanac: are you around?	19:48
*** tkelsey has joined #openstack-barbican		19:52
*** tkelsey has quit IRC		19:53
*** tkelsey has joined #openstack-barbican		19:53
*** dave-mccowan has joined #openstack-barbican		19:54
redrobot	Barbican weekly meeting starts in 5 minutes in #openstack-meeting-alt	19:54
rm_work	thx	19:55
rm_work	always forget >_<	19:55
*** lisaclark2 has joined #openstack-barbican		19:55
jaosorior	greghaynes: no +2, sorry dude :/	19:58
*** lisaclark1 has quit IRC		19:58
*** kfarr has joined #openstack-barbican		19:59
greghaynes	hah, well -1's are also welcome	19:59
jaosorior	greghaynes: I would actually like jvrbanac to comment on that. Might have some relevant input on the test side.	20:01
*** kebray has quit IRC		20:06
jvrbanac	jaosorior, which one?	20:07
jaosorior	jvrbanac: https://review.openstack.org/#/c/140575/	20:08
jvrbanac	jaosorior, also hockeynut is the test guy ;)	20:08
jaosorior	jvrbanac: true dat!	20:08
jaosorior	...summoning hockeynut...	20:08
jvrbanac	jaosorior, I'll take a look at it this afternoon though	20:09
*** kebray has joined #openstack-barbican		20:11
*** atiwari has joined #openstack-barbican		20:41
*** dave-mccowan has quit IRC		20:59
*** lisaclark2 has quit IRC		21:05
*** lisaclark1 has joined #openstack-barbican		21:06
woodster_	ha, sorry I missed the tail end of irc meeting	21:07
*** kfarr has quit IRC		21:07
*** lisaclark1 has quit IRC		21:07
*** lisaclark1 has joined #openstack-barbican		21:08
*** tkelsey has quit IRC		21:14
*** kebray has quit IRC		21:17
*** crc32 has joined #openstack-barbican		21:17
rm_work	woodster_: i think redrobot found the (what should have been obvious) solution	21:17
rm_work	we need a new role, that is still attached to your project, but is specifically for viewing things that other people share	21:18
rm_work	not sure about the name yet	21:18
hockeynut	hockeynut is here jaosorior	21:35
*** lisaclark1 has quit IRC		21:38
*** lisaclark1 has joined #openstack-barbican		21:38
hockeynut	I will take a look at that review...	21:39
*** david-lyle_afk is now known as david-lyle		21:40
*** lisaclark1 has quit IRC		21:41
*** lisaclark1 has joined #openstack-barbican		21:44
*** kebray has joined #openstack-barbican		21:47
*** atiwari has quit IRC		21:55
*** atiwari has joined #openstack-barbican		21:56
woodster_	rm_work, I saw a bit of that discussion but not sure about it yet. So this would be a role that (say) LBaaS user would have to then access a secret in barbican that it was whitelisted for?	22:01
rm_work	yes	22:02
rm_work	the thing i had a problem with was not your end-goal, but the hacky method you were proposing to do it :P	22:02
rm_work	(tying it to something unrelated)	22:03
woodster_	rm_work, I'm still not clear. What user/project assoc would this role be placed on?	22:04
rm_work	it would be placed on user -> user's project	22:04
rm_work	but it'd be a distinct role that is clearly for viewing shared things	22:05
woodster_	rm_work, I'm trying to be more specific...which 'user' here, Alice or Bob?	22:05
rm_work	so we'd change the metaphor to like … viewing lockers inside a mens club	22:05
rm_work	you need a membership to get into the mens club, but once you're in, you can look in other people's lockers if they shared the key with you	22:05
SheenaG1	What is a mens club, rm_work?	22:06
rm_work	woodster_: Bob has a role on Bob's project that says "Can View Other People's Shared Things"	22:06
SheenaG1	Like a gym?	22:06
woodster_	rm_work, I'm trying to put this into the user/project/role context that tokens are cut for	22:06
SheenaG1	But for mens?	22:06
rm_work	SheenaG1: you wouldn't understand, it's for men	22:06
SheenaG1	rm_work: I've heard of things referred to as "mens clubs" before, but they were not gyms	22:06
rm_work	heh	22:06
rm_work	yes, like a gym	22:06
rm_work	not the men's clubs you are thinking of :P	22:07
woodster_	SheenaG1, yeah, men only, no gurls allowed	22:07
rm_work	super-high-end gyms	22:07
woodster_	SheenaG1, gymnastics more like	22:07
rm_work	heh	22:07
rm_work	because security in traditional gyms is O_o	22:07
woodster_	role, not pole	22:07
SheenaG1	Hahahahahahaha	22:07
SheenaG1	+100 points to woodster_	22:08
woodster_	rm_work, I'm not sure if this metaphor brought us to nirvana yet	22:08
rm_work	yeah let me work on it	22:08
woodster_	SheenaG1: ha!	22:08
woodster_	rm_work, if I come at this from user/project/role perspective I have this:	22:08
woodster_	Alice is a user with on projectA with role of barbican:creator, and creates a secret UUIDa	22:09
woodster_	Alice adds user Bob to the whitelist of UUIDa	22:09
rm_work	with you so far	22:10
woodster_	Bob is a user on projectB with no barbican roles assigned to them	22:10
woodster_	So you would say that Bob should be able to decrypt/GET secret UUIDa then?	22:11
rm_work	no	22:11
woodster_	or you are saying Bob must have role new-role-thinggy on projectA to get secret UUIDa?	22:11
rm_work	he'd need the role barbican:can_view_shared_resources on ProjectB	22:11
rm_work	still his own project	22:11
rm_work	but the role is no longer the same one he uses for viewing his own stuff	22:11
woodster_	ok then....how is that different than what I was asking for?	22:11
rm_work	it's distinct and clearly indicates its purpose	22:12
rm_work	and not everyone has it immediately by default	22:12
rm_work	OR, they do but it can be revoked separately	22:12
rm_work	and it serves an entirely different purpose than barbican:admin / barbican:read / etc	22:12
woodster_	so you are saying current barbican roles should only apply if the project for the secret I want matches my user's auth-ed project?	22:12
rm_work	yes	22:13
rm_work	because those are YOURS	22:13
rm_work	the issue was mixing up the concept of viewing your own secrets and viewing others	22:14
rm_work	separating the concerns solves the problem (not sure why i didn't think of this immediately)	22:14
*** sigmavirus24 has left #openstack-barbican		22:16
woodster_	rm_work so the real question is what 'yours' means then. I've been thinking that concept gets blurred once you have a whitelist in place, but keeping 'yours' to mean the project a secret/container was created with makes sense (we are doing that for GET lists anyway it seems).	22:16
woodster_	rm_work my concern though is that you don't have fine grained access anymore, unless you break out the four roles into 'can_viewed_shared_resources' type roles	22:17
woodster_	rm_work so just to revisit the flow then...if we keep the current four roles then I am saying that Bob would need to have a barbican role not barbican:observer on Project B to access UUIDa. What is the issue with that access pattern though?	22:20
woodster_	rm_work are you thinking that is giving Bob more access than they should have?	22:20
rm_work	woodster_: well, sharing only works for reading	22:22
rm_work	there's no "write-sharing"	22:22
rm_work	and without those roles it makes it impossible to allow for scenarios like "can read others' secrets ONLY"	22:23
woodster_	rm_work, so do you mean restricting things such at Bob can only read secrets from barbican, and not be able to store/read his own secrets under Project B?	22:24
rm_work	yeah	22:25
rm_work	don't know if that'll come up, but it's the right way to do it	22:25
woodster_	rm_work I guess I'm trying to understand why Bob being able to write secrets to his project is a bad thing?	22:25
rm_work	doing it the way you wanted to do it was overloading the original role	22:26
woodster_	rm_work, where Bob could be LBaaS in this case	22:26
woodster_	you mean Alice's 'original' role?	22:26
redrobot	The reason I proposed a new role is that it seemed that woodster_'s concern was about cutting off access to Barbican if Bob had no barbican roles	22:26
redrobot	adding a new role is better because it specifically allows/denies the ability to read a shared secret	22:27
redrobot	this is better than just picking any role	22:27
rm_work	^^	22:27
woodster_	I believe Bob should have to have a barbican role to be able to access a secret in Barbican. An admin should be able to cut Bob off by taking away his roles if needed.	22:29
redrobot	woodster_ yes, and by creating a role that specifically allows for shared secrets enables a cloud admin to still let someone audit secrets, but not be able to read shared secrets	22:29
redrobot	in fact, an admin could cut off access to shared secrets only, by removing the barbican:read_shared_secrets role	22:30
rm_work	yes	22:31
rm_work	^^ that is possibly the more realistic concern	22:31
redrobot	this way Bob can still access their own secrets	22:31
woodster_	ok, so the shared-secrets role would restrict access to things on the whitelist, and if that's the only role they have, then they can't even access their own secrets...where 'own' is defined as secrets under Project B for Bob above	22:32
redrobot	woodster_ correct, if the only barbican role they have is barbican:read_shared_secrets, then they can't store their own stuff, but if someone happens to share something with them, then they could only read that one shared secret.	22:33
*** dimtruck is now known as zz_dimtruck		22:34
woodster_	conversely, if Bob did not have the shared-secrets role, then they could only access Project B's secrets and not any secrets that Bob might be whitelisted on?	22:35
woodster_	they -> Bob	22:35
*** rtom has joined #openstack-barbican		22:36
rm_work	yes	22:37
woodster_	would the expectation be that a GET list of secrets by Bob with only the read_shared role would give them a list of secrets they are whitelisted for only?	22:38
rm_work	I would assume they would get no secrets listed still (per our previous conversations)	22:38
redrobot	rm_work +1	22:38
woodster_	I would agree, but this new role would beg that question/feature a bit more in my mind. Security wise though, still good to only allow this for GETs on a specific secret for both meta and decrypted modes.	22:41
*** jamielennox\|away is now known as jamielennox		22:41
woodster_	alee, can you review the last 40 mins of conversation please? :)	22:41
woodster_	alee...so you see, it's like a membership to a men's club...	22:42
rm_work	heh	22:42
rm_work	I should have said "mens athletic club"	22:43
rm_work	to be more clear	22:43
rm_work	also, I'm not 100% on that metaphor yet, still working on it	22:43
woodster_	rm_work, I'm just glad roles are in there someplace :) I agree that whittles down the access control granularity even more. The policy stuff will be fun. I bet alee is regretting writing that bp!	22:45
woodster_	rm_work did you want to feed this back to alee to add to the blueprint then? I'm thinking 'read_shared' for the role name would be fine, to access secrets or containers.	22:52
rm_work	that should probably be fine	22:54
rm_work	I think alee was there and liked the idea when we talked about it in the meeting, so I am guessing he's already on it	22:54
woodster_	rm_work, sounds good, thanks again	23:14
*** jaosorior has quit IRC		23:14
*** kebray has quit IRC		23:17
*** kebray has joined #openstack-barbican		23:18
*** mjg59 has joined #openstack-barbican		23:18
*** bdpayne has joined #openstack-barbican		23:19
*** zz_dimtruck is now known as dimtruck		23:25
*** kgriffs is now known as kgriffs\|afk		23:26
*** kgriffs\|afk is now known as kgriffs		23:26
*** SheenaG1 has quit IRC		23:26
*** lisaclark1 has quit IRC		23:31
*** david-lyle is now known as david-lyle_afk		23:31
*** rtom has quit IRC		23:39
*** chlong has joined #openstack-barbican		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!