*** lisaclark1 has joined #openstack-barbican | 00:29 | |
*** jkf has quit IRC | 00:41 | |
*** kebray has quit IRC | 00:57 | |
*** lisaclark1 has quit IRC | 01:03 | |
*** lisaclark1 has joined #openstack-barbican | 01:03 | |
*** dimtruck is now known as zz_dimtruck | 01:11 | |
*** kgriffs is now known as kgriffs|afk | 01:21 | |
*** openstack has joined #openstack-barbican | 01:32 | |
*** zz_dimtruck is now known as dimtruck | 01:50 | |
*** bdpayne has quit IRC | 01:51 | |
*** lisaclark2 has joined #openstack-barbican | 02:02 | |
*** lisaclark1 has quit IRC | 02:03 | |
*** lisaclark2 has quit IRC | 02:07 | |
*** lisaclark1 has joined #openstack-barbican | 02:07 | |
*** lisaclark2 has joined #openstack-barbican | 02:11 | |
*** lisaclark1 has quit IRC | 02:11 | |
*** tkelsey has joined #openstack-barbican | 02:17 | |
*** dimtruck is now known as zz_dimtruck | 02:19 | |
*** kgriffs|afk is now known as kgriffs | 02:21 | |
*** tkelsey has quit IRC | 02:22 | |
*** zz_dimtruck is now known as dimtruck | 02:22 | |
*** kgriffs is now known as kgriffs|afk | 02:31 | |
*** lisaclark2 has quit IRC | 03:06 | |
*** woodster_ has quit IRC | 03:16 | |
*** ajc_ has joined #openstack-barbican | 03:32 | |
*** dimtruck is now known as zz_dimtruck | 03:39 | |
*** xaeth_afk is now known as xaeth | 03:42 | |
*** ajc_ has quit IRC | 03:42 | |
*** kebray has joined #openstack-barbican | 03:47 | |
*** xaeth is now known as xaeth_afk | 03:56 | |
*** bdpayne has joined #openstack-barbican | 04:10 | |
*** bdpayne has quit IRC | 04:11 | |
*** kgriffs|afk is now known as kgriffs | 05:11 | |
*** kgriffs is now known as kgriffs|afk | 05:21 | |
*** kebray has quit IRC | 05:28 | |
*** xaeth_afk is now known as xaeth | 05:40 | |
*** woodster_ has joined #openstack-barbican | 06:07 | |
*** xaeth is now known as xaeth_afk | 06:17 | |
*** openstackgerrit has quit IRC | 06:35 | |
*** openstackgerrit has joined #openstack-barbican | 06:35 | |
*** ajc_ has joined #openstack-barbican | 06:36 | |
*** kgriffs|afk is now known as kgriffs | 07:00 | |
*** kgriffs is now known as kgriffs|afk | 07:10 | |
*** chlong has quit IRC | 07:12 | |
*** chlong has joined #openstack-barbican | 07:13 | |
*** tkelsey has joined #openstack-barbican | 07:49 | |
*** zz_dimtruck is now known as dimtruck | 07:51 | |
*** tkelsey has quit IRC | 07:56 | |
*** nkinder has joined #openstack-barbican | 07:56 | |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/barbican: Refactor exception handling in the app side https://review.openstack.org/152123 | 08:06 |
*** jaosorior has joined #openstack-barbican | 08:06 | |
*** dimtruck is now known as zz_dimtruck | 08:16 | |
*** woodster_ has quit IRC | 08:16 | |
*** nkinder has quit IRC | 08:52 | |
*** chlong has quit IRC | 08:53 | |
*** nkinder has joined #openstack-barbican | 08:55 | |
*** tkelsey has joined #openstack-barbican | 09:01 | |
*** nkinder has quit IRC | 09:33 | |
openstackgerrit | Merged openstack/barbican: Run functional tests against any barbican server https://review.openstack.org/152986 | 09:42 |
*** rm_you has quit IRC | 09:49 | |
*** rm_you has joined #openstack-barbican | 09:49 | |
*** rm_you has quit IRC | 09:49 | |
*** rm_you has joined #openstack-barbican | 09:49 | |
*** nkinder has joined #openstack-barbican | 09:50 | |
*** chlong has joined #openstack-barbican | 10:09 | |
*** nkinder has quit IRC | 10:36 | |
*** nkinder has joined #openstack-barbican | 11:55 | |
*** russell_h has quit IRC | 12:06 | |
*** jroll has quit IRC | 12:06 | |
*** russell_h has joined #openstack-barbican | 12:09 | |
*** russell_h has quit IRC | 12:09 | |
*** russell_h has joined #openstack-barbican | 12:09 | |
*** ajc_ has quit IRC | 12:19 | |
*** dougwig has quit IRC | 12:19 | |
*** jvrbanac has quit IRC | 12:19 | |
*** zz_dimtruck has quit IRC | 12:19 | |
*** tdink_ has quit IRC | 12:19 | |
*** jroll has joined #openstack-barbican | 12:20 | |
*** dougwig has joined #openstack-barbican | 12:20 | |
*** jvrbanac has joined #openstack-barbican | 12:20 | |
*** zz_dimtruck has joined #openstack-barbican | 12:20 | |
*** tdink_ has joined #openstack-barbican | 12:20 | |
*** ajc_ has joined #openstack-barbican | 12:21 | |
*** tkelsey has quit IRC | 12:40 | |
*** woodster_ has joined #openstack-barbican | 13:15 | |
*** tkelsey has joined #openstack-barbican | 13:17 | |
*** nkinder has quit IRC | 13:51 | |
*** nkinder has joined #openstack-barbican | 14:02 | |
*** jroll has quit IRC | 14:03 | |
*** jroll has joined #openstack-barbican | 14:03 | |
*** jaosorior has quit IRC | 14:06 | |
*** rm_work|away is now known as rm_work | 14:17 | |
*** zz_dimtruck is now known as dimtruck | 14:55 | |
*** darrenmoffat has quit IRC | 14:57 | |
*** darrenmoffat has joined #openstack-barbican | 14:58 | |
*** SheenaG1 has joined #openstack-barbican | 14:58 | |
*** ajc_ has quit IRC | 15:01 | |
*** dimtruck is now known as zz_dimtruck | 15:05 | |
*** paul_glass has joined #openstack-barbican | 15:13 | |
*** zz_dimtruck is now known as dimtruck | 15:25 | |
*** jaosorior has joined #openstack-barbican | 15:31 | |
*** nkinder has quit IRC | 15:34 | |
*** nkinder has joined #openstack-barbican | 15:36 | |
rm_work | woodster_: whatchu talkin' bout | 15:39 |
rm_work | woodster_: Private Key is a required attribute on a CertificateContainer | 15:39 |
*** xaeth_afk is now known as xaeth | 15:57 | |
*** jorge_munoz has quit IRC | 16:04 | |
*** jorge_munoz has joined #openstack-barbican | 16:06 | |
*** david-lyle_afk is now known as david-lyle | 16:07 | |
woodster_ | rm_work, private key shouldn't be required though...what if I have barbican create a cert and I keep the private key? | 16:12 |
rm_work | woodster_: then make a Secret | 16:12 |
rm_work | and put the cert in it | 16:12 |
rm_work | you only have one thing then <_< | 16:12 |
rm_work | the whole purpose of a CertificateContainer is so we can expect at least the minimum amount to do what we need to do | 16:13 |
rm_work | this discussion took place MONTHS ago :P | 16:13 |
rm_work | woodster_: https://github.com/openstack/barbican/blob/master/barbican/common/validators.py#L436 | 16:14 |
woodster_ | rm_work I'm saying it should be optional, like intermediates are now | 16:14 |
rm_work | though I find it interesting that this validator isn't complete? because it used to be actually validating appropriately | 16:14 |
rm_work | woodster_: that would cause problems for us | 16:14 |
rm_work | woodster_: our use-case NEEDS it to be required | 16:15 |
woodster_ | rm_work I agree you guys need it in there, but only because you intend to install that. What of folks that only send a CSR for certificate orders? | 16:15 |
rm_work | if they send only a CSR, you can return them a Secret with a Certificate <_< | 16:16 |
SheenaG1 | rm_work: so a certificate container can only be created if a PK is available because it enables use cases that assume the full certificate chain and key are there? | 16:18 |
woodster_ | alee: do you have thoughts on this one? ^^^ rm_work what you ask for makes more sense when we have try secret types I think, but I also think it is awkward that for some cert order types you get a container ref, and others you get a secret ref. \ | 16:18 |
rm_work | SheenaG1: essentially, yes -- if you don't have a Cert *and* a PK, you have one thing, which is a Cert <_< | 16:19 |
woodster_ | SheenaG1, that is what rm_work is saying, and currently the PK has to be on certificate type containers | 16:19 |
rm_work | hmm, it's maybe possible you could have a Cert and Intermediates -- that might complicate things | 16:19 |
alee | reading .. | 16:19 |
rm_work | without a PK you wouldn't have a PKP | 16:19 |
rm_work | so it comes down to whether you think it makes sense to create a CertContainer for just a Cert+Intermediates | 16:20 |
rm_work | with Intermediates in the mix, it actually might <_< | 16:20 |
woodster_ | rm_work, clients keeping their private key truly private is a valid use case for cert generation | 16:20 |
rm_work | sure | 16:20 |
SheenaG1 | rm_work: that makes sense to me, although I see woodster_'s point that it complicates the use of containers for a certificate | 16:20 |
rm_work | but I was thinking that in that case you only have ONE thing, so why put it in a container | 16:20 |
rm_work | but you're right that it would be awkward to return a variable type | 16:20 |
alee | rm_work, woodster_ can you summarize what you are asking to change here? | 16:21 |
woodster_ | rm_work, well we have one more monday IRC before the mid cycle to thrash it out :) | 16:21 |
rm_work | woodster_ wants to change the CertContainer validation to make PrivateKey an optional field | 16:21 |
woodster_ | alee, the cert container currently requires the private key to be a member | 16:21 |
*** openstackgerrit has quit IRC | 16:21 | |
woodster_ | alee, that private key is not always available in barbican | 16:21 |
rm_work | alee: but that throws a big wrench into our current use-case and workflow for neutron-lbaas | 16:22 |
rm_work | for us, a CertContainer is completely useless without the PK | 16:22 |
*** openstackgerrit has joined #openstack-barbican | 16:22 | |
rm_work | (and for any other SERVICES that would use them) | 16:22 |
rm_work | (VPNaaS / FWaaS) | 16:22 |
woodster_ | rm_work isn't this a matter of validation on the lbaas end though, when you receive a ref to a container as part of creating a new lb? | 16:22 |
rm_work | woodster_: I guess we could do that, though we were only validating those at a very late stage, to prevent pulling the data in too early | 16:23 |
rm_work | we'd have to validate up-front now | 16:23 |
woodster_ | rm_work, or do you provision with that ref with barbican the source of truth and validation? | 16:23 |
rm_work | kinda the latter | 16:23 |
alee | rm_work, why would making the private key reference optional mess up lbaas? | 16:23 |
rm_work | we assume that if someone passes us a "valid" ContainerRef (IE, Barbican says it exists), that it means we have what we need to function | 16:24 |
rm_work | it would actually be easy enough to add the additional validation on our side | 16:24 |
woodster_ | alee, there are use cases (here at rackspace as well) where we need to fully provision a device, PK + certs | 16:24 |
rm_work | but we'd have to move the validation way up the chain | 16:24 |
rm_work | we can do it, but we'll have to coordinate, if you're set on making this change | 16:25 |
rm_work | I think you're winning me over just because returning multiple types is super awkward | 16:25 |
alee | rm_work, yes but presumably you have some validation in lbaas that the data passed back is valid, right? | 16:26 |
woodster_ | isn't anything ever simple? :) | 16:26 |
rm_work | alee: we validate EVENTUALLY, but very late in the workflow | 16:27 |
rm_work | we'd want to move it up | 16:27 |
rm_work | and we have code that assumes the PK will always exist (which is what started this discussion) | 16:27 |
alee | rm_work, fair enough. I try to make it a habit of not trusting anything to send me back what I want :) | 16:28 |
rm_work | alee: well, we went to great effort to make sure this was engineered in a specific way :P | 16:28 |
alee | rm_work, especially if it is the user that is providing the reference | 16:28 |
rm_work | but it's a good point | 16:28 |
alee | rm_work, the standard way to request a cert is NOT to send the CA or anyone else your private key. | 16:29 |
alee | rm_work, this whole idea of barbican keeping the private key or generating it for you, and using it to get a cert -- is somewhat non-standard | 16:30 |
woodster_ | I'm just sorry I hadn't noticed it earlier, that does suck :\ | 16:30 |
rm_work | well, the cert GENERATION is new | 16:31 |
rm_work | originally it was only for Certs that the user provided | 16:31 |
rm_work | and that the only part that was actually SECRET was the PK | 16:31 |
woodster_ | alee, yeah that speaks to the automation and provisioning use cases around certs that are of interest | 16:31 |
rm_work | we had to ask to get the Cert included :P | 16:31 |
*** nkinder has quit IRC | 16:31 | |
rm_work | so originally it made 100% sense that PK was required | 16:32 |
rm_work | make sense? :P | 16:32 |
alee | rm_work, woodster_ yes -- I understand the scope was changed - to having barbican as a general interface to CA's | 16:32 |
woodster_ | so you were first! | 16:32 |
woodster_ | rm_work: ^^ | 16:33 |
rm_work | if we'd had this discussion four months ago, you would have said "why would we ever have the PK be optional? that makes no sense" | 16:33 |
rm_work | "the whole point of CertificateContainers is to allow the user to store a PK, and then put the Cert along with it" | 16:33 |
alee | woodster_, and yes -- we need to have a discussion about automation/authentication for cert issuance. | 16:33 |
*** nkinder has joined #openstack-barbican | 16:33 | |
alee | and how we can achieve this. | 16:34 |
alee | I was leaving that for the midcycle | 16:34 |
rm_work | I should be at the first couple days of the midcycle, at least | 16:34 |
alee | excellent | 16:35 |
rm_work | ... BTW, does anyone have a hotel room that has an unused couch? :P | 16:35 |
rm_work | otherwise I might be a little late, driving in from SA | 16:35 |
woodster_ | I added related topics to the midcycle etherpad here: https://etherpad.openstack.org/p/barbican-kilo-sprint | 16:45 |
openstackgerrit | Thomas Dinkjian proposed openstack/python-barbicanclient: Adds second round of functional tests for secrets https://review.openstack.org/153628 | 16:48 |
jaosorior | rm_work: I could confirm later about the couch | 16:53 |
rm_work | I have to drive in Monday morning anyway, will see :P | 16:55 |
rm_work | worst case I drive in Tuesday and maybe Wednesday too | 16:56 |
openstackgerrit | Thomas Dinkjian proposed openstack/python-barbicanclient: Adds base behaviors, secret behaviors and the secret smoke tests https://review.openstack.org/151777 | 16:56 |
*** crc32 has joined #openstack-barbican | 17:06 | |
openstackgerrit | Thomas Dinkjian proposed openstack/python-barbicanclient: Adds first round of secrets functional tests https://review.openstack.org/153395 | 17:14 |
*** jkf has joined #openstack-barbican | 17:14 | |
*** nkinder has quit IRC | 17:19 | |
*** nkinder has joined #openstack-barbican | 17:23 | |
openstackgerrit | John Vrbanac proposed openstack/barbican: Cleaning up literal dict in validators https://review.openstack.org/153637 | 17:47 |
*** nkinder has quit IRC | 17:48 | |
openstackgerrit | John Vrbanac proposed openstack/barbican: Cleaning up literal dict in validators.py https://review.openstack.org/153637 | 17:51 |
openstackgerrit | Alex Schultz proposed openstack/barbican: Cleaning up method identation in transportkeys.py https://review.openstack.org/153639 | 17:53 |
openstackgerrit | Peter Kazmir proposed openstack/barbican: Cleaning up formatting for readability https://review.openstack.org/153641 | 18:01 |
*** gyee has joined #openstack-barbican | 18:03 | |
*** tkelsey has quit IRC | 18:21 | |
alee | woodster_, SheenaG1, chellygel - sent back feedback on abstract. | 18:30 |
SheenaG1 | alee: thank you! I'd like Wood's input as well, but I think we're good to submit after that. Any preference on who submits the actual presentation? | 18:34 |
alee | SheenaG1, nope -- no preference other than not me :) | 18:34 |
SheenaG1 | alee: I think that's *everyone's* preference. But I'm sure I can get someone on our side to submit, no worries. | 18:35 |
alee | cool - thanks | 18:36 |
*** bdpayne has joined #openstack-barbican | 18:48 | |
*** kebray has joined #openstack-barbican | 18:55 | |
*** jaosorior has quit IRC | 19:16 | |
openstackgerrit | Merged openstack/barbican: Cleaning up method identation in transportkeys.py https://review.openstack.org/153639 | 19:17 |
openstackgerrit | Merged openstack/barbican: Cleaning up literal dict in validators.py https://review.openstack.org/153637 | 19:18 |
*** rellerreller has joined #openstack-barbican | 19:29 | |
*** SheenaG11 has joined #openstack-barbican | 19:49 | |
*** SheenaG1 has quit IRC | 19:50 | |
openstackgerrit | Thomas Dinkjian proposed openstack/python-barbicanclient: Adds base behaviors, secret behaviors and the secret smoke tests https://review.openstack.org/151777 | 20:09 |
*** kebray has quit IRC | 20:19 | |
xaeth | alee: who did you say to put on the fedora package request? https://bugzilla.redhat.com/show_bug.cgi?id=1190269 | 20:32 |
openstack | bugzilla.redhat.com bug 1190269 in Package Review "Review Request: openstack-barbican - Secrets as a Service" [Medium,New] - Assigned to nobody | 20:32 |
alee | xaeth, added | 20:34 |
xaeth | :) | 20:34 |
alee | xaeth, I'll look at it early next week | 20:34 |
xaeth | i did run the review... there are a few things i wasn't able to address | 20:34 |
xaeth | kewl | 20:34 |
alee | ok | 20:34 |
openstackgerrit | Alex Schultz proposed openstack/barbican: Cleanup code duplication in hrefs.py https://review.openstack.org/153684 | 20:43 |
openstackgerrit | Thomas Dinkjian proposed openstack/python-barbicanclient: Adds positive secrets functional tests https://review.openstack.org/153395 | 20:47 |
*** rellerreller has quit IRC | 20:47 | |
*** bdpayne has quit IRC | 21:06 | |
*** xaeth is now known as xaeth_afk | 21:17 | |
*** crc32 has quit IRC | 21:40 | |
openstackgerrit | Alex Schultz proposed openstack/barbican: Cleaning up code duplication in hrefs.py https://review.openstack.org/153684 | 21:56 |
openstackgerrit | Douglas Mendizábal proposed openstack/python-barbicanclient: Chnage usage example to show plain/text secret https://review.openstack.org/153711 | 22:14 |
openstackgerrit | Douglas Mendizábal proposed openstack/python-barbicanclient: Change usage example to show plain/text secret https://review.openstack.org/153711 | 22:14 |
*** tkelsey has joined #openstack-barbican | 22:19 | |
*** tkelsey has quit IRC | 22:23 | |
*** SheenaG1 has joined #openstack-barbican | 22:27 | |
*** SheenaG11 has quit IRC | 22:27 | |
*** SheenaG1 has quit IRC | 23:22 | |
*** ametts has quit IRC | 23:27 | |
*** paul_glass has quit IRC | 23:31 | |
openstackgerrit | Douglas Mendizábal proposed openstack/python-barbicanclient: Update documentation https://review.openstack.org/153730 | 23:39 |
*** nkinder has joined #openstack-barbican | 23:44 | |
*** xaeth_afk has quit IRC | 23:51 | |
*** nkinder has quit IRC | 23:56 |