Thursday, 2015-01-29

« Wednesday, 2015-01-28 Index Friday, 2015-01-30 »
*** openstackgerrit has quit IRC00:21
*** openstackgerrit has joined #openstack-barbican00:21
*** david-lyle is now known as david-lyle_afk00:28
*** kgriffs is now known as kgriffs|afk00:35
*** kebray has quit IRC00:51
*** openstackgerrit has quit IRC01:05
*** openstackgerrit has joined #openstack-barbican01:05
*** gyee has quit IRC01:12
*** bdpayne has joined #openstack-barbican01:44
*** bdpayne has quit IRC01:46
*** openstackgerrit has quit IRC02:20
*** openstackgerrit has joined #openstack-barbican02:21
*** openstackgerrit has quit IRC03:20
*** openstackgerrit has joined #openstack-barbican03:20
*** dimtruck is now known as zz_dimtruck03:24
*** zz_dimtruck is now known as dimtruck03:34
*** dimtruck is now known as zz_dimtruck03:51
*** zz_dimtruck is now known as dimtruck03:52
*** dimtruck is now known as zz_dimtruck04:01
*** kebray has joined #openstack-barbican04:57
*** kebray has quit IRC04:58
*** kebray has joined #openstack-barbican05:05
*** Nirupama has joined #openstack-barbican05:15
*** jaosorior has joined #openstack-barbican08:14
*** chlong has quit IRC08:36
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Fix error in "tenants to projects" migration script  https://review.openstack.org/15114508:59
*** woodster_ has quit IRC09:13
*** kebray has quit IRC09:26
*** chlong has joined #openstack-barbican10:13
*** chlong has quit IRC10:27
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Fix downgrade for revision 254495565185  https://review.openstack.org/15117210:40
*** chlong has joined #openstack-barbican10:45
*** chlong has quit IRC11:39
*** chlong has joined #openstack-barbican12:06
*** Nirupama has quit IRC12:29
*** woodster_ has joined #openstack-barbican12:45
*** alee_dinner has quit IRC13:41
*** darrenmoffat has quit IRC13:44
*** darrenmoffat has joined #openstack-barbican13:45
*** nkinder has quit IRC14:21
*** alee_dinner has joined #openstack-barbican14:31
*** lisaclark1 has joined #openstack-barbican14:31
*** alee_dinner is now known as alee14:32
*** lisaclark1 has quit IRC14:39
*** lisaclark1 has joined #openstack-barbican14:49
*** lisaclark1 has quit IRC14:52
*** lisaclark1 has joined #openstack-barbican14:55
*** zz_dimtruck is now known as dimtruck14:55
aleerm_work, woodster_ ping15:02
aleerm_work, woodster_ I added a comment/question on the per-secret spec.  Please take a look.15:03
aleehttps://review.openstack.org/#/c/12735315:03
*** paul_glass has joined #openstack-barbican15:03
aleewoodster_, also - I have a couple of questions for my other crs15:03
*** kgriffs|afk is now known as kgriffs15:04
*** nkinder has joined #openstack-barbican15:07
*** rellerreller has joined #openstack-barbican15:15
*** rellerreller has quit IRC15:32
aleewoodster_, ?15:34
jaosoriorrellerreller15:37
jaosorioryou around?15:37
redrobotmornin'15:39
woodster_alee: I'll take a look shortly15:47
aleewoodster_, thanks -- I also need your help in trying to figure out how to write some code when you get a chance15:48
aleewoodster_, specifically, you'll notice that my CR https://review.openstack.org/#/c/147981/ now fails unit tests because the code is trying to do an insert into the data tables instead of an update.15:49
aleeI'm trying to understand how to make it do an update instead.15:50
aleejaosorior, ^^ you might know too perhaps?15:50
*** lisaclark1 has quit IRC15:51
jaosorioralee: I can give it a look when I get home. I'm in the bus off the office15:52
aleejaosorior, thanks15:53
jaosorior... and I'm heading to climb. So I'll ping you in a couple of hours.15:53
aleejaosorior, don't fall :)15:53
*** SheenaG1 has joined #openstack-barbican15:54
jaosoriorHaha it's inevitable if I want to train for harder routes. But I don't fall in hard ground (usually) so it's ok15:55
jaosorioralee: you should try out out. It's pretty fun15:57
aleejaosorior, fair enough  -- if you do fall, make sure not to land on your head, so youcan review my CRs :)15:57
*** lisaclark1 has joined #openstack-barbican15:58
aleejaosorior, does sound like fun15:58
*** lisaclark1 has joined #openstack-barbican16:00
*** SheenaG1 has quit IRC16:04
*** lisaclark2 has joined #openstack-barbican16:04
*** lisaclark1 has quit IRC16:04
*** SheenaG1 has joined #openstack-barbican16:15
woodster_alee, looking at error....16:16
rm_workalee: so I am ok with everything there except i am concerned about the ACL DB Table structure16:19
rm_workit looks like you are planning to store a LIST of users inside each column?16:19
rm_workand have only one row per secret_id?16:19
aleewoodster_, the test is failing now because we put that uniqueness constraint into the db.  (good thing we did).16:19
aleerm_work, yes16:19
rm_workI am more in favor of the structure: secret_id, access_type, user_id16:19
rm_workwhere rows would look like:16:20
rm_worksecretA_uuid | read | john_uuid16:20
rm_worksecretA_uuid | read | bill_uuid16:20
rm_workthat allows you to actually do decent JOIN filtering operations16:20
aleewhat about groups and projects?16:21
rm_worksecret_id, access_type, user_id, group_id, project_id16:21
rm_worksecretA_uuid | read | john_uuid | NULL | NULL16:21
rm_worksecretA_uuid | read | NULL | NULL | johns_project_uuid16:21
rm_worklittle less clean but still works for JOINs16:22
rm_workdoing it in a list inside one column makes it a multi-step process no matter what16:22
aleerm_work, there is also the other question about how to do private secrets16:22
rm_workyou have to get a semi-complete list and then do a bunch of parsing and list modifying after that16:23
rm_workalee: define a private secret16:23
rm_workI thought that was just… one that isn't shared <_<16:23
rm_workno ACL entries = project-private?16:23
aleerm_work, a secret which I create and only I (not my project) can access16:23
rm_workuhh16:23
rm_workhmm16:23
rm_workwas that in this spec?16:24
aleethat was the other use case we were trying to solve16:24
redrobotalee that seems like something we shouldn't support16:24
rm_workI must have missed that16:24
rm_workI am not sure how that is possible with a WHITELIST16:24
redrobotalee if you don't want to share your secret, you should create a project on which only you have roles16:24
rm_workit would have to probably be a different mechanism16:24
aleeredrobot, yes -- we thought about that and decided that was a terrible idea16:24
rm_workmaybe if the secret entry itself just had another column "creator_only" that was a boolean16:25
rm_worki just don't see how the whitelist ACL thing would help accomplish that16:25
aleerm_work, originally the idea was that you didn't need a special role to use the whitelist16:26
rm_workthat actually seems like a separate spec/BP/CR to me16:26
*** lisaclark2 has quit IRC16:26
woodster_where 'creator' is the *user* that stored the secret, correct? Just making sure :)16:26
aleewoodster_, yes16:26
rm_workalee: still not sure how that would have helped16:26
rm_workwoodster_: i assume so :P16:26
*** kebray has joined #openstack-barbican16:26
aleerm_work, simple -- you would specify the whitelist to only include your uid16:26
rm_workuh16:27
rm_workso you were planning for every new secret to by default have a whitelist entry for the secret's project, unless the creator specified otherwise?16:27
aleecorrect16:27
*** lisaclark1 has joined #openstack-barbican16:27
rm_workhmm16:27
woodster_yes, default to how things work now essentially16:28
aleewe also had talked about changing that default to only creator in v216:28
rm_workso the read-shared role throws a wrench in that plan because it would not be on every user by default?16:28
aleerm_work, right16:28
woodster_correct16:29
rm_worki still feel like the ACLs might not be the right approach to accomplish that specific thing16:29
rm_workbut i see how you had originally planned it to work16:29
rm_workhmm16:29
rm_workI can't decide it splitting it out makes this more or less complex16:29
aleerm_work, well its all controlling access - which is what an acl and policy does16:29
woodster_the current behavior without a whitelist has to work correctly for v116:29
rm_work*decide if16:29
woodster_standup meeting...be back in a few minutes16:30
*** dimtruck is now known as zz_dimtruck16:30
aleewe could add another "creator_only" boolean ..16:31
aleethat was also one of the original ideas ..16:31
rm_workyeah16:31
rm_worki feel like that might be better, functionally16:31
woodster_that is explicit for sure16:33
alee(creator_only and user=creator) or (not_creator_only and ((project=creator_project) or ((read_shared) and (user,group,project in whitelist)))16:34
*** zz_dimtruck is now known as dimtruck16:34
aleecan we make the policy more complex ? :/16:35
aleeits certainly a lot more complex than -->   (user,group,project) in whitelist16:36
aleewhich was the original intent.16:37
rm_workyeah well16:38
rm_work<_<16:38
*** ametts has joined #openstack-barbican16:40
aleerm_work, anyways, please comment on the spec about the table format -- and we'll see what others think16:40
rm_workk16:40
aleerm_work, I'll do the same about creator_only16:41
aleerm_work, the extra complexity isn't necessarily bad as it makes things explicit16:41
aleebut it also is somewhat less powerful16:42
aleewoodster_, need to go to a meeting in 5 mins.  Please take a look at the failing CR and let me know how to make sqlalchemy do an update (instead of an insert)16:43
aleewoodster_, and also comment on the per-secret spec16:43
rm_workis there some syntax i can put in a comment in gerrit to tell it i'm doing code or something and to not wrap my lines?16:45
rm_workanywho, commented16:47
*** david-lyle_afk is now known as david-lyle16:49
*** tkelsey has joined #openstack-barbican16:55
*** hyakuhei has joined #openstack-barbican16:55
*** lisaclark1 has quit IRC16:55
*** bdpayne has joined #openstack-barbican17:00
*** rellerreller has joined #openstack-barbican17:01
*** kebray has quit IRC17:07
rm_workbbl loonch17:18
*** jkf has joined #openstack-barbican17:38
*** jkf has quit IRC17:40
*** ayoung is now known as misanthrope17:49
*** misanthrope is now known as ayoung17:49
*** tkelsey has quit IRC17:51
*** hyakuhei has quit IRC17:55
*** hyakuhei has joined #openstack-barbican17:59
*** hyakuhei has quit IRC18:00
*** jkf has joined #openstack-barbican18:02
*** dimtruck is now known as zz_dimtruck18:03
*** zz_dimtruck is now known as dimtruck18:09
bdpayneJust curious... what's the motivation behind requiring pecan (and a bleeding edge version at that) for Barbican rather than using deps more common to the rest of OpenStack?18:15
*** bdpayne has quit IRC18:19
*** rellerreller has quit IRC18:29
*** bdpayne has joined #openstack-barbican18:43
woodster_bdpayne, we are matching global reqs right now: https://github.com/openstack/requirements/blob/master/global-requirements.txt#L8218:49
*** openstackgerrit has quit IRC18:50
*** openstackgerrit has joined #openstack-barbican18:51
*** kgriffs is now known as kgriffs|afk18:53
*** kgriffs|afk is now known as kgriffs18:53
*** ayoung has quit IRC18:53
jaosoriorback18:59
aleewoodster_, jaosorior hey19:09
aleewoodster_, so any thought on the code?19:09
jaosoriorlemme recheck the CR19:09
*** nkinder has quit IRC19:10
woodster_alee, I got distracted by lunch :)  I'll take a look now....19:11
woodster_alee, rm_work, I did add comment to your rbac blueprint comments....19:13
aleewoodster_, jaosorior - so the issue is that in that one test I want to do an update19:13
aleewoodster_, but end up calling save() which ends up doing an insert19:13
aleeI need to know how to do an update()19:14
jaosoriorlol, I thought you wanted me to recheck this CR https://review.openstack.org/#/c/14661119:14
rm_workbdpayne: yeah, I thought pecan WAS what openstack required (or at least, recommended)?19:14
jaosoriorgot confused19:14
jaosoriorbdpayne: If you're implying that pecan is no longer what Barbican requires, I would be glad to start coding the way out of it. It has caused me some problems. Damn it19:15
woodster_alee, all deletes are soft deletes right now...so your update-entity code is not removing any records, just trying to add new ones of the same ca_id and key19:15
jaosoriorwoodster_: Why are they soft deletes? I could see it from the code, but never really understood why it is the way it is19:16
woodster_jaosorior, there was concern early on about hard removing secrets out of barbican vs tagging them as deleted so they could be recovered if needed.19:16
rm_workjaosorior: something something HORRIBLE ACCIDENT something19:17
aleewoodster_, I see - well in that case, it will run afoul of the uniqueness constraint we put in19:17
rm_workthough from a security perspective it *is* possibly worrying if there's literally no way to do a hard-delete19:17
rm_workfrom a customer's perspective19:17
woodster_yeah something like that. However, that is baked into the base model of all our entities right now. So all entities inherit that behavior, whether or not they should or not.19:17
jaosoriorrm_work: exactly...19:17
rm_workwoodster_: I hadn't realized we weren't doing queries directly, but compiling a list ahead of time -- in that case, I guess it's not a big deal to do lists in the columns19:18
woodster_rm_work, well that is why we perpetually bring up the notion of soft vs hard deletes in barbican :)19:18
redrobotbdpayne we got a lot of grief during incubation for not using Pecan.  AFAIK, Pecan is the recommended lib for new OpenStack projects.19:18
jaosoriorwoodster_: Yup, I noticed. And the fact that it might be a security issue is what concerns me19:18
aleewoodster_, so would you propose we drop the constraint?19:18
woodster_rm_work, yeah the way the policy stuff works now is you pull all the data it needs to operate on into context, and then it chew on it via those policy.json rules19:19
aleewoodster_, or improve the constraint to only include non-deleted keys?19:19
aleenot sure how to do that ..19:19
woodster_one option is to not inherit that base behavior for key/value pairs, or else to manage it only via the mapping of the parent entity as we do in other parts of the code...let me look for an examp;le19:20
jaosoriorOr to divide the Base class. I think dstufft also had an issue with some class, where he chose not to use the Base class19:21
dstufftyea I did a thing for that19:22
dstufftI just copy/pasted from the base class19:22
jaosoriorSo, the base class could be divided, so the new base would contain the real basics for a model, while a subclass would contain all this added behaviour that not all models need. Such as the class that dstufft was working on, and now the ones that alee is working on19:23
dstufftyea19:23
dstufftthe ModelBase or w/e it is has soft delete functionality in it that Ididn't want19:23
dstufftthat could probably jsut be a mixin19:23
dstufftfor SoftDeleteMixin19:23
dstufftor w/e19:23
jaosoriordstufft: Which is exactly what alee doesn19:24
jaosoriordoesn't want either19:24
*** kebray has joined #openstack-barbican19:24
jaosoriorso I would go for that mixing approach19:24
aleedstufft, did you check in some code to do this?19:24
woodster_alee, so this stores order plugin meta: https://github.com/openstack/barbican/blob/master/barbican/tasks/certificate_resources.py#L264  which eventually calls this: https://github.com/openstack/barbican/blob/master/barbican/model/repositories.py#L96319:25
jaosorioralee: He didn't. He just copied the base class stuff that he needed into his model19:25
dstufftyea just copy/paste https://github.com/openstack/barbican/blob/master/barbican/model/models.py#L553-L57219:26
woodster_alee, so sqlalchemy should be managing the mapping records for us. I'd say change your code to not delete things first and instead mimic what is in the second link there, and then see if that constraint violation occurs19:26
aleewoodster_, looking ..19:26
aleejaosorior, dstufft , woodster_ I suppose at worst I could just override the delete() method?19:27
woodster_that base model also uses UUIDs for the PK ID, which is not needed everywhere19:27
aleein my model subclass ..19:27
dstufftthere's not much reason _not_ to use UUID pks though19:27
woodster_alee, well, I'd prefer it if you could do the approach in that second link and let sqlalchemy handle things under the hood if possible19:27
aleewoodster_, yup - looking19:28
woodster_dstufft that was my thinkig originally, but I've heard folks say it can be less efficient for databases vs a monotonically increasing ID. With indexing that shouldn't affect queries though.19:29
jaosoriorwoodster_, dstufft: If I remember correctly, morganfainberg has something to say about that.19:30
jaosoriorOr at least he said something last time this was mentioned19:30
aleewoodster_, there are a few differences here .19:30
aleewoodster_, I actually do something very similar to that19:31
dstufftwoodster_: if the DB doesn't have a UUID type and it's represented as a string it can be yea19:31
dstufftmy answer to that is generally use a better database :D19:31
aleewoodster_, it works for OrderMetadata because we have no uniqueness constraint19:31
jaosoriordstufft: https://github.com/openstack/barbican/blob/master/barbican/model/models.py#L9519:32
woodster_dstufft, interesting...we are using the a string type for the ID in our base model now...I don't think sqlalchemy has a native UUID type?19:33
woodster_jaosorior, they the19:33
aleewoodster_, and I was actually wondering whether we should delete the entries in the order_metadata first ..19:33
woodster_that's it19:33
dstufftwoodster_: it does for postgresql19:33
aleewoodster_, I suspect that we really should19:34
jaosoriordstufft: I haven't found a uuid type for sqlalchemy19:34
jaosorior:(19:34
jaosoriorit exists, but as a dialect19:34
jaosoriorfrom sqlalchemy.dialects.postgresql import UUID19:34
aleewoodster_, this worked fine when I did not have the constraint in there.  I suspect order_meta is doing the smae thing19:35
jaosoriordstufft, woodster: What could be done is this: http://sqlalchemy.readthedocs.org/en/improve_toc/core/custom_types.html#backend-agnostic-guid-type19:36
woodster_alee, I see. You should be able to set your dict on their directly (well, except for converting the value to the entity type), and sqlalchemy should handle removes/adds/updates for you. I'd try that out if you can. Worst case a hard-delete of the record should work, just messier19:37
woodster_alee, you might be right about that19:37
aleewoodster_, I think its the right thing to have the constraint in there. but for that to work, we need a real delete.19:38
woodster_jaosorior, oh that's some loveliness there! No need for sqlalchemy to add a UUID type to do that for me :)19:38
aleewoodster_, or to somehow make the constraint soft-delete-aware.19:39
woodster_alee, conditionals in constraints, oh no!!! :)19:39
dstufftconditional constraints are great19:40
dstufftand conditional indexes19:40
woodster_dstufft can you even express that in sqlalchemy?19:40
dstufftwith a postgresql dialect yet :|19:40
aleewoodster_, I propose either 1) overriding delete() in my model  2)adding an optional parameter in the base delete() to allow for a hard-delete19:40
jaosoriorwoodster_: Well, it's their docs19:40
dstufftyou just add a postgresql_where to the constraint clause19:41
jaosorioralee: I propose implementing the SoftDeleteMixing approach that we were talking about earlier19:41
jaosorior*Mixin19:41
woodster_alee, what a mess. Can you try to set your dict of key/wrapped(values) directly onto the parent entity and see if sqlalchemy handles things correctly via that mapped collection?19:41
aleeinteresting -- let me see ..19:42
woodster_jaosorior, mixin makes sense in general, but for those key/value mappings, sqlalchemy should really be able to handle that merging and to hard delete records we don't need19:44
rm_workSo, the Consumers thing uses soft-delete and does UPDATE instead of INSERT if it needs to19:44
rm_workyou could look at how that works maybe? >_>19:44
woodster_rm_work, well I think it tries to insert first and if gets constraint violation then does the update correct?19:45
jaosorioranybody has time to review these ones? https://review.openstack.org/#/c/150756/2 I'm using the subsequent additions to the barbican-db-manage.py (and its commands) to work easier with fixing the bugs I've found in the migration scripts... and since I need them, the dependency chain is getting pretty long19:45
rm_workyeah I think that was what I opted for19:45
rm_workbut I would have to check, it has been a while19:45
woodster_rm_work, I'd prefer to not attempt the insert on a key/value pair if I know it's already there, to avoid that exception handling logic/overhead19:46
rm_workyeah, but the whole situation is not ideal19:46
jaosoriorwoodster_: +119:46
rm_workI miss UPSERT operations :P19:46
rm_workMySQL doesn't seem to support them IIRC19:46
aleewoodster_, so right now - the code looks like this --19:47
aleesession = self.get_session(session)19:47
alee        for k, v in old_ca.ca_meta.items():19:47
alee            v.delete(session)19:47
alee        session.commit()19:47
alee        for key in parsed_ca:19:47
alee            meta = models.CertificateAuthorityMetadatum(key, parsed_ca[key])19:47
alee            old_ca.ca_meta[key] = meta19:47
alee        old_ca.save(session)19:47
aleeyour'e suggesting I try -- > old_ca.ca_meta = parsed_ca19:48
aleeold_ca.save(session)19:48
woodster_alee, so I'd say not do the delete stuff at all in that first loop, build up a new dict in the second loop, and then do this: old_ca.ca_meta = new_dict_thinggy19:49
aleeright -- thats what that line was ..19:49
woodster_alee, I don't think you can do = parsed_ca directly (try it though) as I'm pretty sure sqlalchemy requires the model.CertificateAuth...() thing on the values in the mapping19:50
aleewoodster_, ok - let me try ..19:50
*** atiwari1 has joined #openstack-barbican19:54
woodster_alee: fingers crossed19:55
*** atiwari has quit IRC19:56
aleewoodster_, nope it did not work20:00
*** dstufft|vpn has joined #openstack-barbican20:00
*** dimtruck is now known as zz_dimtruck20:01
aleewoodster_, still get unique constraint20:02
aleewoodster_, still get unique constraint violation20:02
*** openstackgerrit has quit IRC20:04
woodster_Alee: Hmmm that's too bad :(20:05
*** openstackgerrit has joined #openstack-barbican20:05
aleewoodster_, yeah -- I guess I can try the SoftDelete mixin thing20:05
*** kgriffs is now known as kgriffs|afk20:05
*** arunkant_work has joined #openstack-barbican20:06
woodster_alee: I wonder if something is missing in sqlalchemy config wise? At any rate a hard delete would work20:07
morganfainbergrm_work: upsert? Update or insert?20:19
openstackgerritBrianna Poulos proposed openstack/castellan: Add openstack/common log and policy modules  https://review.openstack.org/15137120:19
*** arunkant_work has quit IRC20:21
morganfainbergrm_work:  you mean something like "insert <blah> on duplicate key update"?20:21
aleemorganfainberg, yup20:22
morganfainbergalee: yeah. It works mostly in MYSQL.20:24
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan  https://review.openstack.org/14874220:27
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan  https://review.openstack.org/14874220:35
bdpaynewoodster_ rm_work jaosorior redrobot Interesting. And here's I've been running an OpenStack cloud for years and have never needed Pecan until now. Are other projects going to be changing over or ??20:36
*** arunkant_work has joined #openstack-barbican20:44
openstackgerritBrianna Poulos proposed openstack/castellan: Add openstack/common log and policy modules  https://review.openstack.org/15137120:46
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan  https://review.openstack.org/14874220:47
aleewoodster_, there seems to be something in sqlalchemy called merge()20:51
aleewoodster_, http://docs.sqlalchemy.org/en/rel_0_8/orm/session.html20:52
aleewoodster_, it would seem that you could resolve all this by calling session.merge() instead of session.add() in save(), but doing this leads to all kinds of other tests failing20:53
redrobotbdpayne https://wiki.openstack.org/wiki/PecanStackForgeTransition20:54
*** SheenaG1 has quit IRC20:55
redrobotbdpayne actually, never mind, I thought that was more helpful than it really is... I'm trying to dig up where the recommendation for Pecan came from...20:55
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan  https://review.openstack.org/14874221:00
redrobotbdpayne so digging through my notes, it seems Ceilometer is the only project that currently uses Pecan.21:02
redrobotbdpayne it looks like there was a design session in Hong Kong about moving Nova to Pecan, but I'm not sure what the result of that was... http://icehousedesignsummit.sched.org/event/4a7316a4f5c6f783e362cbba2644bae2#.VMqf3cbFtoB21:02
bdpayneinteresting, thanks21:03
bdpayneOpenStack is an interesting ecosystem ;-)21:03
dstufft|vpnshould switch to asyncio and python 3 only!21:04
dstufft|vpn>:]21:04
bdpayneheh, clearly21:04
greghaynesredrobot: I think ironic uses pecan21:13
greghaynesredrobot: and wsme21:13
greghaynesRe: ACL's, postgres now has row level ACL's so we should clearly just switch to that and let the db handle it ;)21:18
dstufft|vpnI would be a very happy person if Openstack just mandated postgresql21:23
dstufft|vpndb portability is not something I'm a fan of :|21:23
greghaynesYea, I dont think openstack generally is too crazy about that either, ive heard removing pg support brought up many times21:24
dstufft|vpnawe, I would hope they'd go the other way ;( but I'm a big pg fan so ;P21:25
greghaynesThe reality is were basically tied to mysql, no one actually runs pg deployments AFAICT21:25
* greghaynes is too21:25
dstufft|vpnsupporting only MySQL is probably better than supporting the subset of SQL that works between PostgreSQL and MySQL and whatever other DBs that are supported21:25
greghaynesjson support and row level acls = awesome for rest services21:26
greghaynesonce people start using it21:26
greghaynestotally21:26
greghaynesThe least common denominator between them is pretty crappy and its a lot of extra work for not much benefit21:26
*** kebray has quit IRC21:27
dstufft|vpnyea21:27
*** nkinder has joined #openstack-barbican21:55
*** dstufft|vpn has quit IRC22:01
*** jamielennox|away is now known as jamielennox22:03
*** kgriffs|afk is now known as kgriffs22:04
aleewoodster_, ping22:06
*** chlong has quit IRC22:08
*** kebray has joined #openstack-barbican22:09
*** kgriffs is now known as kgriffs|afk22:10
*** zz_dimtruck is now known as dimtruck22:11
aleewoodster_, nm - got it22:14
*** kgriffs|afk is now known as kgriffs22:17
*** lisaclark1 has joined #openstack-barbican22:21
*** lisaclark1 has quit IRC22:21
openstackgerritAde Lee proposed openstack/barbican: Add code to populate CA tables and select plugin based on ca_id  https://review.openstack.org/15007022:26
openstackgerritAde Lee proposed openstack/barbican: Added new repository classes and controller classes for CAs  https://review.openstack.org/14798122:26
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Initial directory changes and files for python-babricanclient functional tests  https://review.openstack.org/15140922:26
aleewoodster_, jaosorior updated patches with mixin class to do soft-delete22:27
*** kgriffs is now known as kgriffs|afk22:34
rm_workmorganfainberg: ah, so apparently I just didn't know the correct keywords for MySQL UPSERT :) cool22:36
rm_workI will check this out -- though I doubt it works with portable SQL via SQLAlchemy22:36
morganfainbergrm_work, never know. might work in SQLA22:36
dstufftUPSERT is generally a MySQL specific feature22:36
dstufftpostgresql is working on adding support for it though as I understand22:37
*** paul_glass has quit IRC22:40
*** crc32 has joined #openstack-barbican22:51
*** openstackgerrit has quit IRC22:51
*** openstackgerrit has joined #openstack-barbican22:51
*** crc32 has quit IRC23:24
*** crc32 has joined #openstack-barbican23:27
*** ametts has quit IRC23:39
*** chlong has joined #openstack-barbican23:53
« Wednesday, 2015-01-28 Index Friday, 2015-01-30 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!