Tuesday, 2015-02-03

*** rtom has joined #openstack-barbican		00:01
*** kgriffs is now known as kgriffs\|afk		00:07
*** rm_work is now known as rm_work\|away		00:16
*** zz_dimtruck is now known as dimtruck		00:17
*** kebray has quit IRC		00:34
*** rtom has quit IRC		00:39
*** chipmanc has joined #openstack-barbican		00:41
*** jraim has quit IRC		01:09
*** briancurtin has quit IRC		01:11
*** jraim has joined #openstack-barbican		01:14
*** briancurtin has joined #openstack-barbican		01:18
*** lisaclark1 has quit IRC		01:18
openstackgerrit	Steve Heyman proposed openstack/barbican: Add the ability to use either identity v2 or v3 API https://review.openstack.org/152277	01:18
openstackgerrit	Steve Heyman proposed openstack/barbican: Add the ability to use either identity v2 or v3 API https://review.openstack.org/152277	01:32
*** bdpayne has quit IRC		01:40
*** gyee has quit IRC		01:45
*** kgriffs\|afk is now known as kgriffs		01:46
*** rm_you\|wtf has left #openstack-barbican		01:54
*** rm_you\|wtf has joined #openstack-barbican		01:54
*** kgriffs is now known as kgriffs\|afk		01:55
*** SheenaG1 has joined #openstack-barbican		02:18
*** crc32 has joined #openstack-barbican		02:31
*** crc32 has quit IRC		02:31
*** crc32 has joined #openstack-barbican		02:36
*** jkf has quit IRC		02:45
*** crc32 has quit IRC		02:52
*** crc32 has joined #openstack-barbican		02:54
*** rm_you\| has joined #openstack-barbican		02:55
*** rm_you\|wtf has quit IRC		02:56
*** SheenaG1 has quit IRC		02:59
*** chipmanc has quit IRC		03:04
*** kebray has joined #openstack-barbican		03:06
*** crc32 has quit IRC		03:08
*** kebray has quit IRC		03:08
*** chipmanc has joined #openstack-barbican		03:09
*** kebray has joined #openstack-barbican		03:13
*** ajc_ has joined #openstack-barbican		03:20
*** kgriffs\|afk is now known as kgriffs		03:35
*** kgriffs is now known as kgriffs\|afk		03:44
*** xaeth_afk is now known as xaeth		03:47
*** crc32 has joined #openstack-barbican		03:59
*** cchipman has joined #openstack-barbican		04:00
*** chipmanc has quit IRC		04:01
*** kgriffs\|afk is now known as kgriffs		04:35
*** rm_you has joined #openstack-barbican		04:38
*** rm_you has quit IRC		04:38
*** rm_you has joined #openstack-barbican		04:38
*** rm_you\| has quit IRC		04:39
*** cchipman has quit IRC		04:41
*** kgriffs is now known as kgriffs\|afk		04:45
*** xaeth is now known as xaeth_afk		05:18
*** Nirupama has joined #openstack-barbican		05:35
*** dougwig has quit IRC		05:38
*** dougwig has joined #openstack-barbican		05:38
*** erw has quit IRC		05:55
*** erw has joined #openstack-barbican		05:55
*** jaosorior has joined #openstack-barbican		06:09
openstackgerrit	OpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex https://review.openstack.org/152403	06:10
*** kgriffs\|afk is now known as kgriffs		06:24
*** kgriffs is now known as kgriffs\|afk		06:34
*** nkinder has joined #openstack-barbican		07:22
jaosorior	jamielennox: ping	07:43
*** chlong has quit IRC		07:56
*** kgriffs\|afk is now known as kgriffs		08:13
jamielennox	jaosorior: if it's relatively quick...	08:16
jaosorior	just a quick ping about your CRs in python-barbicanclient. You pushed some really good stuff there, but it doesn't pass the gate, got some time for them any time soon?	08:19
*** kgriffs is now known as kgriffs\|afk		08:22
*** darrenmoffat has joined #openstack-barbican		08:42
*** woodster_ has quit IRC		08:46
*** kebray has quit IRC		09:16
*** kgriffs\|afk is now known as kgriffs		10:02
*** kgriffs is now known as kgriffs\|afk		10:11
*** darrenmoffat has left #openstack-barbican		10:40
*** tkelsey has joined #openstack-barbican		11:05
*** kgriffs\|afk is now known as kgriffs		11:50
*** Nirupama has quit IRC		11:56
*** kgriffs is now known as kgriffs\|afk		12:00
*** chlong has joined #openstack-barbican		12:06
*** woodster_ has joined #openstack-barbican		12:41
*** tkelsey_ has joined #openstack-barbican		12:49
*** crc32 has quit IRC		12:57
*** tkelsey has quit IRC		12:57
*** ajc_ has quit IRC		12:58
openstackgerrit	Tim Kelsey proposed openstack/barbican-specs: Adding spec for Barbican MKEK Model. https://review.openstack.org/148948	13:32
tkelsey_	thanks jaosorior	13:36
*** tkelsey_ is now known as tkelsey		13:37
*** alee has quit IRC		13:44
jaosorior	tkelsey: no prob	14:27
*** dimtruck is now known as zz_dimtruck		14:30
*** ajc_ has joined #openstack-barbican		14:31
*** lisaclark1 has joined #openstack-barbican		14:33
*** woodster_ has quit IRC		14:46
*** zz_dimtruck is now known as dimtruck		14:57
*** alee has joined #openstack-barbican		14:59
*** rm_work\|away is now known as rm_work		15:10
*** xaeth_afk is now known as xaeth		15:13
*** paul_glass has joined #openstack-barbican		15:13
*** woodster_ has joined #openstack-barbican		15:16
*** lisaclark1 has quit IRC		15:20
*** lisaclark1 has joined #openstack-barbican		15:25
openstackgerrit	Merged openstack/castellan: Add openstack/common log and policy modules https://review.openstack.org/151371	15:27
*** kgriffs\|afk is now known as kgriffs		15:31
*** kgriffs is now known as kgriffs\|afk		15:32
*** kgriffs\|afk is now known as kgriffs		15:32
*** lisaclark1 has quit IRC		15:39
rm_work	hockeynut: let me know when you're around	15:39
openstackgerrit	Merged openstack/barbican: Trivial refactors to secret controller https://review.openstack.org/151670	15:41
openstackgerrit	Merged openstack/barbican: Add support for simple cmc requests to Dogtag plugin https://review.openstack.org/146611	15:41
openstackgerrit	Merged openstack/barbican: Imported Translations from Transifex https://review.openstack.org/152403	15:47
*** ajc_ has quit IRC		15:56
*** atiwari has quit IRC		16:01
woodster_	arunkant, alee, rm_work I added comments to the per secret CR. Arun, please see if that helps with your concerns.	16:11
rm_work	hmm k	16:11
*** kebray has joined #openstack-barbican		16:13
rm_work	woodster_ / alee: basically I am good with it once you make the changes you promised :)	16:16
jaosorior	is anybody here acquainted with tempest?	16:17
rm_work	jaosorior: working on it... that is actually why we need to talk to hockeynut :P	16:17
rm_work	jaosorior: you trying to figure out tempest tests currently?	16:17
rm_work	jaosorior: there's a whole group of us sitting in a room at our hackathon for neutron-lbaas, all beating our heads against tempest and trying to figure out how to start our project's first set of tempest tests	16:18
alee	rm_work, woodster_ arunkant -- I'll try get a new versioin out today	16:19
jaosorior	rm_work: Well, do you know what the process is for... if a change will actually change how tempest expects things to be (say an API change or something of the sort) what's the process you have to follow?	16:20
*** SheenaG1 has joined #openstack-barbican		16:21
*** TobiasE has joined #openstack-barbican		16:21
*** bdpayne has joined #openstack-barbican		16:28
*** dimtruck is now known as zz_dimtruck		16:28
*** zz_dimtruck is now known as dimtruck		16:33
*** lisaclark1 has joined #openstack-barbican		16:35
*** SheenaG11 has joined #openstack-barbican		16:36
hockeynut	rm_work o/	16:37
rm_work	cool, talk to fnaval	16:37
hockeynut	rm_work ok - in meetings now, will check in with him	16:37
*** lisaclark1 has quit IRC		16:37
rm_work	:P	16:37
rm_work	he'll PM you	16:38
*** lisaclark1 has joined #openstack-barbican		16:38
*** crc32 has joined #openstack-barbican		16:38
*** SheenaG1 has quit IRC		16:38
rm_work	hockeynut: oh actually I have a question too -- in a devstack install, what credentials are the functionaltests trying to use? I'm getting InvalidCredentials exceptions in all the tests	16:40
rm_work	I have all the admin stuff set in /etc/tempest/tempest.conf	16:41
rm_work	I have: admin_username=admin	16:42
rm_work	admin_tenant_name=admin	16:42
rm_work	admin_password=password	16:42
rm_work	that used to be all I needed to set	16:42
hockeynut	rm_work see barbican/etc/dev_tempest.conf	16:50
rm_work	hockeynut: talking to tdink_ and it looks like the whole way the tests run has changed since I last did this :P	16:50
hockeynut	rm_work he's in the same meeting with me. Are you talking about running locally or in the gate?	16:52
rm_work	in my devstack VM	16:52
hockeynut	I think tdink is talking about an issue we've seen with tempest not finding the config file (happens when you run locally in a clean virtualenv)	16:55
hockeynut	tdink_ ^^	16:55
tdink_	that is correct, but not sure what might happen with run_tests. i havnt had a change to use runtests since i started getting the problems with credentials in tox	16:56
hockeynut	tdink_ has a workaround - rm_work you can give it a try and see if that solves your issue.	16:57
arunkant	woodster_, still did not follow the creator_rbac_only flag behavior difference. If that flag is False and there are whitelist ACL ids, it still bypasses project-based rbac . So what is difference?	16:58
*** TobiasE has left #openstack-barbican		16:58
arunkant	woodster_, for that CR, I am assuming creator_rbac_only flag is to indicate private nature of secret or container when True.	17:00
*** crc32 has quit IRC		17:08
openstackgerrit	Merged openstack/barbican: Add the ability to use either identity v2 or v3 API https://review.openstack.org/152277	17:08
woodster_	arunkant, when it is False, then the current RBAC would be used, per 'current_perms and not_creator_only'. If the whitelist is also available, then there is an OR clause on that as well	17:11
woodster_	alee, rm_work: ^^^	17:11
*** crc32 has joined #openstack-barbican		17:11
woodster_	arunkant, I think that is reasonable behavior, as the whitelist could only be there if the creator user adds stuff there	17:12
alee	woodster_, arunkant reading comments here and in BP ..	17:14
*** kebray has quit IRC		17:16
*** kebray has joined #openstack-barbican		17:17
alee	arunkant, woodster_ think of the whitelist as applying only to users/projects/groups that ordinarily would not have access to the secret because they are not part of the secret creators project.	17:17
alee	these users/projects/groups would be granted access if they are whitelisted	17:18
alee	in that way, the whitelist allows you to expand the access list of a secret.	17:18
woodster_	jaosorior, alee: Just noting that Venkat has a new version for the quota BP here: https://review.openstack.org/#/c/132091/	17:18
jaosorior	I saw, haven't had a chance to review it	17:19
rm_work	tdink_: ok cool, combination of switching to tox and copying the barbican example tempest conf into /etc/tempest.conf worked	17:19
alee	if the whitelist is empty, that the standard acls apply and only those in the creator's project are able to view the secret.	17:19
tdink_	rm_work: Woohoo!	17:20
alee	arunkant, woodster_ - the creator_only -- or creator_rbac_only if you prefer flag is a way to restrict the access of the users that would ordinarily be able to get the secret.	17:20
alee	arunkant, woodster_ - so instead of the creator's project being able to access the secret, only the creator would able to do so.	17:21
alee	arunkant, woodster_ if you wanted only the creator to be able to access a secret, you would need to set creator_only and whitelist empty.	17:22
*** crc32 has quit IRC		17:22
arunkant	alee: So if that flag is True (I am assuming its a private secret case), and whitelist of ids is there..will those users from whitelist will be able to access that secret ?	17:23
alee	arunkant, woodster_ -- yes	17:23
*** jkf has joined #openstack-barbican		17:23
alee	arunkant, woodster_ remember you are specifically allowing whitelist users - so presumably you know what you're doing	17:23
arunkant	alee: Then how its different from that flag being False (not a private secret case)..whitelist id seems to always override	17:24
alee	arunkant, woodster_ noone may ever configure it this way, but it gives us flexibility in case anyone needs it	17:24
alee	arunkant, whitelist does in fact always override. the difference is for users not on the whitelist	17:25
*** nkinder has quit IRC		17:25
alee	arunkant, woodster_ if flag is false, you allow access to users on whitelist and users in the secret creators project.	17:26
arunkant	alee: I think..I am confused what is the access level for private or non-private case..if whitelist is always overriding..then still not getting what is the difference. I was thinking..once private flag is True, then override list would not allowed or not looked into for authorization	17:26
alee	if flag is true -- then you allow access to members of whitelist and only creator	17:27
arunkant	okay..if flag is false..then ?	17:27
arunkant	I mean private flag is false	17:28
alee	arunkant, woodster_ if flag is false, you allow access to users on whitelist and users in the secret creators project.	17:28
arunkant	alee, Okay so difference is project-based rbac is disabled or enabled based on flag is True or False. Other access rules remain same...So it private for other users in the same project which has necessary roles	17:31
arunkant	s/private for/ private from	17:31
alee	right	17:31
alee	arunkant, I like it because it gives us what we need and flexibility for someone to specify other accesses using whitelist as needed	17:32
*** crc32 has joined #openstack-barbican		17:32
arunkant	Okay..thanks..now I understand it, it makes sense	17:32
*** crc32 has quit IRC		17:32
alee	cool	17:33
alee	arunkant, we're going to need a good tech writer to doc it all :)	17:33
*** lisaclark1 has quit IRC		17:33
arunkant	alee, yes and it will fun to write policy rules around this :)	17:34
arunkant	alee, another question on same CR..what are groups ?	17:36
*** atiwari has joined #openstack-barbican		17:45
*** jkf has quit IRC		17:59
*** jkf has joined #openstack-barbican		18:02
*** alee is now known as alee_lunch		18:11
*** kgriffs is now known as kgriffs\|afk		18:18
*** crc32 has joined #openstack-barbican		18:18
*** lisaclark1 has joined #openstack-barbican		18:30
*** SheenaG11 has quit IRC		18:49
*** jkf has quit IRC		18:53
*** alee_lunch is now known as alee		18:54
*** SheenaG1 has joined #openstack-barbican		18:54
*** jkf has joined #openstack-barbican		18:55
woodster_	alee, arunkant, just catching up on the conversations...	19:14
*** kgriffs\|afk is now known as kgriffs		19:28
*** SheenaG11 has joined #openstack-barbican		19:28
*** lisaclark1 has quit IRC		19:28
*** lisaclark1 has joined #openstack-barbican		19:30
*** dimtruck is now known as zz_dimtruck		19:30
*** lisaclark1 has quit IRC		19:31
*** SheenaG1 has quit IRC		19:31
*** lisaclark1 has joined #openstack-barbican		19:31
*** tkelsey has quit IRC		19:37
*** lisaclark1 has quit IRC		19:43
*** lisaclark1 has joined #openstack-barbican		19:52
*** zz_dimtruck is now known as dimtruck		19:53
rm_work	heyo	20:03
rm_work	+A maybe? https://review.openstack.org/#/c/125798/	20:03
*** chlong has quit IRC		20:05
rm_work	^_^	20:06
*** jorge_munoz has joined #openstack-barbican		20:28
*** anteaya has quit IRC		20:34
*** kgriffs is now known as kgriffs\|afk		20:35
*** lisaclark1 has quit IRC		20:40
*** lisaclark1 has joined #openstack-barbican		20:45
*** lisaclark1 has quit IRC		20:50
*** openstackgerrit has quit IRC		20:50
*** openstackgerrit has joined #openstack-barbican		20:51
*** anteaya has joined #openstack-barbican		20:53
*** kgriffs\|afk is now known as kgriffs		21:01
hockeynut	rm_work To be clear:	21:03
hockeynut	1) today's API will still work	21:03
hockeynut	2) if you use the additional /payload path then the new semantics apply.	21:03
*** dimtruck is now known as zz_dimtruck		21:03
rm_work	hockeynut: yes	21:04
hockeynut	gracias!	21:05
*** kebray has quit IRC		21:05
rm_work	been waiting on this since October 2 <_<	21:06
*** zz_dimtruck is now known as dimtruck		21:11
*** SheenaG12 has joined #openstack-barbican		21:37
*** SheenaG11 has quit IRC		21:39
*** kgriffs is now known as kgriffs\|afk		21:53
*** kgriffs\|afk is now known as kgriffs		21:54
*** kebray has joined #openstack-barbican		22:00
*** kgriffs is now known as kgriffs\|afk		22:03
*** nkinder has joined #openstack-barbican		22:04
*** lisaclark1 has joined #openstack-barbican		22:07
*** lisaclark1 has quit IRC		22:10
*** nkinder has quit IRC		22:12
*** kebray has quit IRC		22:12
*** kgriffs\|afk is now known as kgriffs		22:19
*** rm_work is now known as rm_work\|away		22:19
*** SheenaG12 has quit IRC		22:20
*** crc32 has quit IRC		22:22
*** alee has quit IRC		22:24
*** lisaclark1 has joined #openstack-barbican		22:25
*** klep has joined #openstack-barbican		22:32
klep	greetings. Just starting to try to learn barbican. I was wondering what the best method to store and retrieve ssh keys is. any advice?	22:33
*** kebray has joined #openstack-barbican		22:35
*** crc32 has joined #openstack-barbican		22:36
*** lisaclark1 has quit IRC		22:45
*** rm_work\|away is now known as rm_work		23:06
*** xaeth is now known as xaeth_afk		23:06
*** kgriffs is now known as kgriffs\|afk		23:07
*** briancurtin has quit IRC		23:08
*** codekobe has quit IRC		23:09
*** kgriffs\|afk is now known as kgriffs		23:10
*** jraim has quit IRC		23:10
*** alee has joined #openstack-barbican		23:14
*** jaosorior has quit IRC		23:16
*** jraim has joined #openstack-barbican		23:21
*** kgriffs is now known as kgriffs\|afk		23:22
*** kgriffs\|afk is now known as kgriffs		23:23
woodster_	klep, you can spin up on Barbican this wiki page: http://docs.openstack.org/developer/barbican/setup/dev.html After that, you could try some of the example curl commands here: https://github.com/cloudkeep/barbican/wiki/Barbican-Quick-Start-Guide#store-and-retrieve-a-secret-one-step	23:27
*** codekobe has joined #openstack-barbican		23:29
klep	woodster_: I checked out both links. It was just unclear how to use this for SSH key storage or what the best practices were in those regards	23:29
rm_work	damnit hockeynut T_T	23:30
rm_work	"This is going to be a big win for usability!", -1	23:30
*** briancurtin has joined #openstack-barbican		23:33
woodster_	klep, I'm not sure about best practices. If you have a file with the binary key you wish to upload to Barbican for later retrieval, you could either base64 encode it and use this call (https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface#post) or else use the two step approach to allow upload of your secret	23:34
woodster_	(https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface#post)	23:34
rm_work	woodster_: can you update https://review.openstack.org/#/c/125798/ for hockeynut?	23:35
woodster_	klep there is also a python client library that interacts with a Barbican endpoint	23:35
klep	woodster_: thanks	23:35
woodster_	rm_work I;ll take a look	23:35
rm_work	klep: if you have easy access to spin up new VMs, https://wiki.openstack.org/wiki/BarbicanDevStack#The_Easy_Way makes it easy easy	23:35
woodster_	klep, you can do similar operations with plain text secrets	23:35
klep	I was hoping there would be a way to store a secret and retrieve it by name potentially	23:37
woodster_	klep this also has devstack information: http://docs.openstack.org/developer/barbican/setup/devstack.html	23:37
klep	cool	23:37
rm_work	klep: you can filter by secret name on the GET	23:41
rm_work	so that could work	23:41
rm_work	but it'd take two calls, one to get the filtered list, and one to get the actual secret	23:41
woodster_	klep, all resources in barbican are accessed via their unique UUIDs. rm_work beat me to it regarding the query-parameter filter possible on secret GETs.	23:41
*** paul_glass has quit IRC		23:41
klep	ahhhhh cool. I'm going to try some of this outThanks for the help. I'll probably be bugging you again : ) Very fun stuff	23:42
woodster_	klep no problem please let us know if you run into issues	23:43
*** crc32 has quit IRC		23:43
*** dimtruck is now known as zz_dimtruck		23:52
*** lisaclark1 has joined #openstack-barbican		23:52
openstackgerrit	John Wood proposed openstack/barbican-specs: Change GET decrypted secrets to unique URI https://review.openstack.org/125798	23:53
rm_work	woo	23:53
*** jkf has quit IRC		23:54
*** rm_work is now known as rm_work\|away		23:54
openstackgerrit	John Wood proposed openstack/barbican-specs: Change GET decrypted secrets to unique URI https://review.openstack.org/125798	23:55
*** kgriffs is now known as kgriffs\|afk		23:55
*** lisaclark1 has quit IRC		23:58
*** lisaclark1 has joined #openstack-barbican		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!