Friday, 2015-02-27

*** jkf has quit IRC		00:12
*** david-lyle is now known as david-lyle_Afk		00:22
*** david-lyle_Afk is now known as david-lyle_afk		00:22
kfox1111	arg.... does barbican client support regions?	00:24
kfox1111	doesn't look like it. :/	00:25
*** arunkant_ has quit IRC		00:35
*** bdpayne has quit IRC		01:13
*** kfox1111 has quit IRC		01:14
*** rm_work is now known as rm_work\|away		01:46
*** gyee has quit IRC		02:31
*** woodster_ has quit IRC		02:40
*** dave-mccowan has quit IRC		03:04
*** kebray has joined #openstack-barbican		03:30
*** kebray has quit IRC		03:31
*** kebray has joined #openstack-barbican		03:32
*** crc32 has joined #openstack-barbican		03:46
*** dave-mccowan has joined #openstack-barbican		04:48
*** dave-mccowan has quit IRC		04:53
*** woodster_ has joined #openstack-barbican		06:44
*** crc32 has quit IRC		07:37
*** kebray has quit IRC		08:21
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Refactor Secrets resource to use repository factories https://review.openstack.org/159457	08:27
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Containers and Consumers controllers use repo factories https://review.openstack.org/159745	08:27
*** jaosorior has joined #openstack-barbican		08:27
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Clean up test inheritance https://review.openstack.org/159747	08:36
*** chlong has quit IRC		08:44
*** woodster_ has quit IRC		09:10
*** darrenmoffat has quit IRC		10:04
*** darrenmoffat has joined #openstack-barbican		10:05
*** jaosorior has quit IRC		11:02
*** jaosorior has joined #openstack-barbican		12:38
*** kfox1111 has joined #openstack-barbican		12:44
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Containers and Consumers controllers use repo factories https://review.openstack.org/159745	12:47
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Clean up test inheritance https://review.openstack.org/159747	12:47
*** woodster_ has joined #openstack-barbican		12:56
kfox1111	hey woodster_	13:03
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: get_or_create_project now calls repo factory https://review.openstack.org/159826	13:09
*** lisaclark1 has joined #openstack-barbican		14:10
*** lisaclark1 has quit IRC		14:28
*** dave-mccowan has joined #openstack-barbican		14:30
*** SheenaG1 has joined #openstack-barbican		14:52
*** dave-mccowan has quit IRC		14:57
woodster_	kfox1111: morning, trying to catch up	14:59
*** rellerreller has joined #openstack-barbican		14:59
rellerreller	What was in that water in Austin? I have been sick since I left that place.	15:02
*** paul_glass has joined #openstack-barbican		15:03
kfox1111	finally figured out how to get the security group information off of an instance in the metadata server.	15:03
kfox1111	so I can make it so that you associate files in barbican with a security group, and the vm can then download the files if it has the security group on it. :)	15:04
alee	jaosorior, nice set of patches -- I'm so happy to be rid of the lsts of repos.	15:09
rellerreller	redrobot woodster_ Can you take a look at CR 157410, https://review.openstack.org/#/c/157410/ ? I need that in to complete the content type work.	15:09
alee	redrobot, I see the dogtag gate is up	15:09
rellerreller	alee you might want to check out the patch ^^ as well.	15:10
jaosorior	alee: soon. Just need to get those merged and then I'll get rid of the Repository class and then refactpr some parts were it's used	15:10
alee	rellerreller, yeah - just gettign back to barbican reviews this morning.	15:10
alee	rellerreller, I think you're going to totally break me :/	15:11
rellerreller	alee I figure that. It should be a quick fix. Checkout the HSM code. Just a few lines.	15:11
alee	rellerreller, ok - I'll review later today	15:15
alee	redrobot, what does "NOT REGISTERED" mean?	15:16
*** kebray has joined #openstack-barbican		15:18
*** igueths has joined #openstack-barbican		15:20
*** lisaclark1 has joined #openstack-barbican		15:28
openstackgerrit	Kevin Fox proposed openstack/barbican: VM Integration https://review.openstack.org/159573	15:33
*** kebray has quit IRC		15:34
woodster_	kfox1111, it sounds like you are doing some interesting things with barbican there. Are you thinking this would help with upstream, or would this mainly be a custom/internal deployment for your product?	15:42
woodster_	rellerreller, sorry you are still sick... your system may not be used to fresh home brew beer? I need to catch up on CRs for sure.	15:44
*** jorge_munoz has joined #openstack-barbican		15:55
kfox1111	woodster_: see https://review.openstack.org/#/c/159573/ the code's all there. :)	15:59
kfox1111	I would like to use purle RDO as much as possible.	15:59
kfox1111	So I'd like to see the code upstreamed, and barbincan get into RDO. :)	15:59
kfox1111	s/purle/pure/	16:03
*** kebray has joined #openstack-barbican		16:05
woodster_	kfox1111, RDO is aligned with OpenStack global requirements, and there are efforts underway to get barbican rpms in RDO as well (cc: alee here, xaeth is offline). Custom packages you need would be deployed on top of those. The plugin structure we have is intended to handle non-OpenStack implementations...so optional for stock deployments, but can be used for	16:06
woodster_	individual deploys.	16:06
alee	kfox1111, we'll be working on getting barbican into RDO soon.	16:07
woodster_	kfox1111, so that plugin approach provides flexibility. It seems like some of the work you are doing may fit into that plugin bucket...optional but available for particular installations.	16:07
kfox1111	yeah. I did manage to get rpms to build based on https://github.com/gregswift/barbican-spec	16:07
kfox1111	was a bit of an effort still though.	16:08
woodster_	kfox1111, would you be up for discussing your use case at the weekly IRC meeting next Monday	16:08
woodster_	kfox1111, If I see Greg I'll have him connect with you out here	16:08
kfox1111	let me check my calendar	16:09
kfox1111	unfortunatly, I have a meeting then. :/	16:10
kfox1111	I might be able to do the week after.	16:12
kfox1111	heh. that would be the third meeting at that timeslot. on the 9th. :/	16:14
kfox1111	though I can probably bring a laptop to the one I will be attending.	16:15
*** david-lyle_afk is now known as david-lyle		16:19
kfox1111	so, even getting the barbican prerecs into rdo would be helpful. the fpm thing was a bit painful.	16:22
woodster_	kfox1111, just spoke to Greg and he mentioned that a startup script is indeed missing as a new one is really needed. The uwsgi/vassals stuff is still available to use, but really should be extracted out hence the absence of anything right now	16:23
woodster_	kfox1111 well I was thinking the prereqs (sort of uwsgi, which really isn't one) are already in RDO?	16:24
kfox1111	yeah. so I'd say put it back in until there is a solution. its completely unusable out of the box as it stands. putting it back, does produce a usable rpm.	16:24
kfox1111	let me look again....	16:24
kfox1111	uwsgi and cryptography are prereqs. I haven't even tried, but python-barbicanclient too.	16:26
kfox1111	yeah. the rest of the barbican prereqs are in rdo already. just those two.	16:26
*** zz_dimtruck is now known as dimtruck		16:29
kfox1111	ok. got the vendor data plugin slid in. got a vm launched. ready to do an end to end test. :)	16:29
kfox1111	oh. but I don't have a barbican client anywere on that network anymore to upload the initial creds. :/	16:29
*** david-lyle is now known as david-lyle_Afk		16:35
*** david-lyle_Afk is now known as david-lyle_afk		16:35
kfox1111	oh. I was going to mention. Does the barbican client support regions? We changed the region name to Pilot, and the barbican client can't seem to find the endpoint. If I specify just the --endpoint url on the cli, it seems to be happier.	16:42
*** kebray has quit IRC		16:44
kfox1111	keystone catalog --service key-manager does show the entry.	16:45
kfox1111	ok. got the barbican cli working, other then that endpoint thing.	16:47
*** igueths has quit IRC		16:47
jaosorior	kfox1111: to be honest I got quite curious about your results. Thanks for the updates	16:47
*** xaeth_afk is now known as xaeth		16:47
kfox1111	hmm... its returning localhost in the secret url's. probably a config option.	16:48
kfox1111	sure. :)	16:48
kfox1111	there we go. host_href.	16:49
kfox1111	is it safe to change it later?	16:49
kfox1111	is it stored in the db anywhere?	16:49
jaosorior	Yep, it should be in barbican-api.conf	16:50
kfox1111	ok. yeah. I just changed it and the secret list showed the updated url.	16:51
jaosorior	It's not stored in the db	16:51
kfox1111	ok. cool.	16:53
kfox1111	allright... I have a secret, I have a container named 'foo'. now to test end to end.	16:54
*** gyee has joined #openstack-barbican		16:55
woodster_	kfox1111, I agree with jaosorior it seems you are doing interesting things there. Maybe a video chat with interested folks would be possible once you have results?	16:56
kfox1111	sure.	16:57
*** arunkant has joined #openstack-barbican		16:59
*** SheenaG11 has joined #openstack-barbican		16:59
*** SheenaG1 has quit IRC		16:59
kfox1111	hmm.. somethings not quite right.	17:01
kfox1111	odd... Unable to retrieve request id from context	17:04
jaosorior	kfox1111: I recall that being fixed already	17:05
jaosorior	kfox1111: https://github.com/openstack/barbican/commit/ce8d9fd39dac16b9b53a9c1192613d3b93ffd9ee	17:06
jaosorior	are you using the latest version from master?	17:06
kfox1111	no, on this cloud, its juno. so I'm using the juno branch.	17:07
jaosorior	jvrbanac: mind checking my response for your comment on this CR? https://review.openstack.org/#/c/158802/	17:07
jaosorior	jvrbanac: Sorry if it seems a bit confusing, that commit was the first one uploaded	17:10
jaosorior	I didn't wanna push a huge amount of code, so I was doing it by steps	17:10
jvrbanac	jaosorior, yeah... sorry. I missed that in my before-coffee fog	17:10
jvrbanac	jaosorior, approved	17:11
jaosorior	thanks man	17:11
jaosorior	hockeynut: replied to your comment in CR https://review.openstack.org/#/c/159457/	17:18
hockeynut	jaosorior that works for me!	17:19
*** kebray has joined #openstack-barbican		17:22
hockeynut	jaosorior workflowed it	17:23
*** rellerreller has quit IRC		17:24
jaosorior	yay :D	17:24
kfox1111	hmm.... I wonder if juno pecan's less featureful with _lookup. :/	17:24
kfox1111	oh gosh. yeah, probably. developed against 0.8.3. rdo's package is 0.4.5. :/	17:25
jvrbanac	:(	17:26
kfox1111	hmm... no, its not the param that its compaining about...	17:27
kfox1111	Got exception calling lookup(): get() got an unexpected keyword argument 'external_project_id' (("get() got an unexpected keyword argument 'external_project_id'",))	17:29
kfox1111	not a full stacktrace... a little hard to track down.	17:29
jaosorior	kfox1111: is that with the code from your CR? or what controller is it?	17:30
kfox1111	ah. there's the probem. BaseRepo doesn't have an external_project_id param in juno.	17:30
kfox1111	yeah. my code in the CR when backported to juno.	17:30
openstackgerrit	Douglas Mendizábal proposed openstack/barbican: Remove version from endpoints in catalog https://review.openstack.org/127865	17:31
kfox1111	ah. I think its because keystone_id -> external_project_id	17:32
jaosorior	kfox1111: yeah, there was some refactoring done there	17:32
jaosorior	might have been me :P	17:32
kfox1111	no worries. looks cleaner now. so thats good. :)	17:34
openstackgerrit	Merged openstack/barbican: Refactor Orders resource to use repository factories https://review.openstack.org/158802	17:35
kfox1111	hmm... this is worse though. :/	17:35
kfox1111	2015-02-27 09:36:11.546 5104 CRITICAL barbican [-] BarbicanException: No _CONNECTION configured	17:35
jaosorior	I... don't remember where that used to be in the code. Would it be the database connection?	17:36
kfox1111	full stack trace here: http://pastebin.com/YaGHw0nC	17:36
kfox1111	it works in my trunk version. some difference between juno and trunk.	17:37
jaosorior	yup, database connection	17:37
kfox1111	I may not be initing something properly?	17:37
jaosorior	did you set up the sql_connection in the config?	17:38
kfox1111	yeah. I'm able to do everything through the barbican cli. store/retrieve secrets, etc.	17:38
kfox1111	so its something my code's doing wrong, probably.	17:38
kfox1111	trunk might be more forgiving then juno here.	17:39
jaosorior	uhm...	17:39
kfox1111	can you have a look at: https://review.openstack.org/#/c/159573/2/barbican/api/controllers/vm.py	17:39
kfox1111	where I create the Container/Secret Repo objects and tell me if I'm doing it wrong?	17:40
jaosorior	is it your first operation from the database?	17:40
jaosorior	the lazy init of the connection was removed very recently	17:40
*** erw_ is now known as erw		17:41
kfox1111	hmm... that looks like part of it. I just restarted fresh, then used the barbican cli, then tried the api and it got a different error.	17:42
jaosorior	O_O	17:42
jaosorior	which?	17:42
kfox1111	AttributeError: 'SecretController' object has no attribute '_on_get_secret_payload'	17:42
kfox1111	that one I might believe.	17:42
jaosorior	but yeah, the lazy init in the database was removed, and now instead of instantiating the repo class you would call the factory methods	17:42
jaosorior	not all the factory methods were implemented	17:42
jaosorior	so those are my commits that are being merged at the moment	17:43
jaosorior	now	17:43
jaosorior	the _on_get_secret_payload, was a function that was introduced very recently too	17:43
jaosorior	that wasn't there in juno	17:43
kfox1111	so I guess I'll have to add that back in....	17:44
jaosorior	yeah... kinda went refactoring a bunch of the stuff from the controllers, so it seems that now that makes applying patches there a bit harder... :/	17:45
openstackgerrit	Merged openstack/barbican: Refactor Secrets resource to use repository factories https://review.openstack.org/159457	17:45
openstackgerrit	Merged openstack/barbican: Containers and Consumers controllers use repo factories https://review.openstack.org/159745	17:46
woodster_	kfox1111 are you using Juno via rpm/rdo perhaps? Would using master be an issue? I believe there is a nightly location for master rpms now if that's of interest	17:49
kfox1111	ok. yeah, I see where it was refactored. hmm...	17:49
kfox1111	woodster_: rdo juno, yes.	17:50
kfox1111	master bad for production.	17:50
jaosorior	:(	17:50
*** rellerreller has joined #openstack-barbican		17:50
kfox1111	I"m having to apply my patch to the rpm anyway, so I'll have to build custom rpm's until its upstreamed anyway.	17:50
kfox1111	would be nice to minmize patching both barbican, and patching the build system though. :)	17:51
woodster_	kfox1111 we have been working to get barbican ready for the production in the last couple of months, so I wouldn't consider Juno to be	17:52
woodster_	kfox1111 ...production ready	17:52
kfox1111	bummer.	17:52
*** jkf has joined #openstack-barbican		17:53
kfox1111	so maybe I'm going to have to stand up another box just for barbican, so I don't mix the two.	17:53
kfox1111	though I'm guessing the deps may have issues if your building from something trunkish with the rest of rdo's prerec rpms?	17:54
kfox1111	ok. I think I should just add the whole _on_get_secret_payload function verbatim.	17:55
woodster_	kfox1111 for example, there have been recent changes to the pkcs11 plugin based on performance testing trials	17:55
kfox1111	looks like not much has changed there.	17:55
kfox1111	I'm ok if barbican's a bit slow at this point. by the time we have too many users hitting on it, we should be able to get to kilo.	17:56
kfox1111	I just really really need a place to store keys for my heat templates to pull from.	17:56
woodster_	kfox1111 oh, got it	17:57
kfox1111	barbican without this integration work is basically as easy as just putting the keys in swift. :/	17:57
kfox1111	the irony is,	17:57
kfox1111	right now I'm setting up the rados gateway though using a heat template from within the cloud.	17:58
kfox1111	and I gota put the ceph key somewhere. :/	17:58
kfox1111	usually we use the keyserver for all of that stuff. but I'd really like to upstream it all so we are just using a normal openstack setup, rather then openstack+our special bits.	17:58
*** kebray has quit IRC		17:58
jaosorior	kfox1111: nice :D	17:59
kfox1111	I've been releasing our heat templates, since they are useful to others,	17:59
kfox1111	but its not good if they depend on pulling keys from the keyserver, since most dont have it. :/	17:59
kfox1111	and all the really interesting templates tend to need keys. :/	18:00
*** kebray has joined #openstack-barbican		18:00
openstackgerrit	Arun Kant proposed openstack/barbican-specs: Spec for adding audit capability using CADF specification. https://review.openstack.org/159938	18:00
*** lisaclark1 has quit IRC		18:01
kfox1111	arg....	18:03
kfox1111	tenant/project rename. :/	18:03
kfox1111	I wish openstack would stop doing that. project -> tenant -> project.	18:04
kfox1111	I liked tenant better. :/	18:04
*** chlong has joined #openstack-barbican		18:05
kfox1111	ok. got it patched enough to get the secret out! lets try from scratch the work flow again. :)	18:06
kfox1111	ok. we have a vm. it only has the default security group. we get the token, and try and get a key...	18:11
kfox1111	curl -f -H 'X-Token: '$BARBICAN_TOKEN $BARBICAN_URL/v1-vm/foo/sec1curl: (22) The requested URL returned error: 401 Unauthorized	18:11
*** chlong has quit IRC		18:11
jaosorior	O_O...	18:11
kfox1111	we pop on the 'foo' security group onto the vm.	18:11
jvrbanac	kfox1111, X-Auth-Token	18:11
kfox1111	curl -f -H 'X-Token: '$BARBICAN_TOKEN $BARBICAN_URL/v1-vm/foo/sec1 mysecret	18:12
kfox1111	and there it is :)	18:12
jvrbanac	I see X-Token	18:12
kfox1111	It is X-Token in the code right now. want me to change it?	18:12
kfox1111	its not a keystone token. its a barbican token.	18:12
kfox1111	so the code works. yay! :)	18:13
kfox1111	so with this setup, all a user has to do is create a barbican container named the same as a security group, and the vm will be able to gain access to the keys in the group if the security group is associated with the vm. just a couple of clicks in the ui. :)	18:16
*** bdpayne has joined #openstack-barbican		18:17
*** dimtruck is now known as zz_dimtruck		18:18
openstackgerrit	Kevin Fox proposed openstack/barbican: VM Integration https://review.openstack.org/159573	18:27
*** zz_dimtruck is now known as dimtruck		18:28
*** chlong has joined #openstack-barbican		18:28
*** david-lyle_afk is now known as david-lyle		18:35
openstackgerrit	Merged openstack/barbican: Clean up test inheritance https://review.openstack.org/159747	18:38
*** chlong has quit IRC		18:38
kfox1111	Should I file a bug for the endpoint thing?	18:39
jaosorior	you mean the lack of region?	18:41
jaosorior	or which bug?	18:41
openstackgerrit	Arun Kant proposed openstack/barbican-specs: Spec for adding audit capability using CADF specification. https://review.openstack.org/159938	18:42
kfox1111	yeah. the needing to specify endpoint to get it to work.	18:42
kfox1111	I think its region related, but not sure. there is only one region at the moment.	18:42
*** igueths has joined #openstack-barbican		18:43
jaosorior	I've always been using the endpoint, so I'm not sure :/ You could try and see what other devs think	18:44
kfox1111	I'll just file a bug. people can always let me know that I just did something stupid... :)	18:46
redrobot	alee NOT_REGISTERED was a bug with the way I configured the job in infra	18:48
redrobot	alee should be fixed now. Looks like the script does not run in root context though, so it still needs some work.	18:48
alee	redrobot, ok - let me know if you need any help getting it running	18:48
alee	redrobot, once its running - will it run automatically - or do we need to type "check experimental"	18:49
alee	?	18:49
kfox1111	bug filed. https://bugs.launchpad.net/python-barbicanclient/+bug/1426514	18:50
openstack	Launchpad bug 1426514 in python-barbicanclient "endpoint required" [Undecided,New]	18:50
redrobot	alee it requires "check experimental" every time... once we get it running reliably, and the tests fixed I can ask infra to move it to the gate/check pipelines	18:50
alee	redrobot, ok	18:50
*** lisaclark1 has joined #openstack-barbican		19:00
*** paul_glass has quit IRC		19:06
kfox1111	arg... stupid gate. :/	19:08
kfox1111	it keeps throwing errors that don't show up on my box, and only one at a time. :/	19:08
kfox1111	oh. I see. it was from the previous change. :/	19:12
kfox1111	I really do not like the 80 line limit. :/	19:12
openstackgerrit	Kevin Fox proposed openstack/barbican: VM Integration https://review.openstack.org/159573	19:13
* kfox1111 waits 30 more minutes		19:14
*** openstackgerrit has quit IRC		19:24
*** openstackgerrit has joined #openstack-barbican		19:24
*** paul_glass has joined #openstack-barbican		19:37
*** gyee has quit IRC		19:38
openstackgerrit	Merged openstack/barbican: get_or_create_project now calls repo factory https://review.openstack.org/159826	19:46
*** barra204 has joined #openstack-barbican		19:48
openstackgerrit	John Wood proposed openstack/barbican-specs: Add to Orders API Support to Renew X.509 Certificates https://review.openstack.org/159969	19:52
*** rm_work\|away is now known as rm_work		19:52
*** lisaclark1 has quit IRC		19:54
*** barra204 is now known as shakamunyi		19:56
*** dave-mccowan has joined #openstack-barbican		20:00
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Enable secret decrypt through 'payload' resource https://review.openstack.org/157068	20:02
*** lisaclark1 has joined #openstack-barbican		20:04
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Delete factory related comment that's no longer valid https://review.openstack.org/159973	20:07
jaosorior	hockeynut: ^^	20:07
hockeynut	jaosorior woot woot!	20:08
woodster_	jaosorior, that comment was intended to go with the lines below it...so removing that pesky repo.Repositories constructor on line #73 altogether.	20:17
*** igueths has quit IRC		20:17
*** dave-mccowan has quit IRC		20:21
jaosorior	Oh, ok, will abandon that commit and will erase it when I get rid of the Repositories class	20:23
woodster_	jaosorior, yeah, I figure that would be the final cause-for-celebration CR that removes that comment and that Repositories class	20:24
jaosorior	woodster_: Yep, coming soon :P	20:25
jaosorior	woodster_: probably beginning or next week.	20:25
woodster_	jaosorior, nice!	20:26
openstackgerrit	Steve Heyman proposed openstack/python-barbicanclient: Update functionaltests to be able to run tox -e functional https://review.openstack.org/159991	20:41
kfox1111	hmm.... what if I don't care what type the file is on upload? just a binary file	21:00
kfox1111	should I just use application/octet-stream ?	21:01
*** gyee has joined #openstack-barbican		21:02
kfox1111	and then what do I use for --payload-content-encoding?	21:02
*** kfarr has joined #openstack-barbican		21:02
openstackgerrit	John Wood proposed openstack/barbican: Add sub-status logic to worker/task processing https://review.openstack.org/157565	21:06
kfarr	redrobot I'm looking at updating some of the cookie-cutter docs in Castellan. It seems like some of the launchpad features like the bug tracker have not been set up yet. Is that something I can do?	21:09
kfox1111	is binary files not supported?	21:10
woodster_	kfarr, please take a look at https://review.openstack.org/157565 when you can.	21:11
kfarr	ok woodster_ looking now!	21:12
woodster_	kfox1111, binary is supported via application/octet-stream. See here for example: https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface#one-step-binary-secret-createretrieve	21:12
kfox1111	so you can base64 encode it, then pass it. can you just tell it it has no encoding and pass it?	21:15
woodster_	kfox1111 the two step method (a little below the linked section) allows for a direct binary upload if that's what you mean.	21:17
kfox1111	looks good to me.	21:18
kfox1111	ah. yeah. I missed that. thanks.	21:18
woodster_	kfox1111 not all of those are supported in the client though... in fact I believe there is a bug related to that now...	21:18
woodster_	kfox1111, actually the bug is only for the plain text secrets (https://bugs.launchpad.net/python-barbicanclient/+bug/1329084)	21:19
openstack	Launchpad bug 1329084 in python-barbicanclient "Python client exception on decrypt of text/plain type secret" [Undecided,New]	21:19
woodster_	The bot is on the job!: https://bugs.launchpad.net/python-barbicanclient/+bug/1329084	21:20
woodster_	...or not	21:20
woodster_	(https://bugs.launchpad.net/python-barbicanclient/+bug/1329084)	21:20
openstack	Launchpad bug 1329084 in python-barbicanclient "Python client exception on decrypt of text/plain type secret" [Undecided,New]	21:20
kfox1111	is there a way to upload a binary with the python client?	21:21
woodster_	...see bot run	21:21
*** rellerreller has quit IRC		21:21
kfox1111	I've got some fellow admins that.... lets just say were somewhat unhappy they couldn't do everything from horizon.	21:21
kfox1111	I think they will loose it if I ask them to use a rest api. ;)	21:21
kfox1111	though there may be some advantages to that...	21:21
kfox1111	:)	21:21
woodster_	kfox1111, I was curious about the Horizon dashboard...I added it to the list of things to ask about at the Liberty summit. Do you know anyone interested in adding such support for barbican? :)	21:25
kfox1111	possibly... ;)	21:26
kfox1111	depends on some funding things and how busy we get. :/	21:27
kfox1111	If our users really like it, then their demand will push it sooner though.	21:27
kfox1111	one of the reasons I really want to make the workflow really easy on them.	21:27
kfox1111	oh... I misunderstood the -p option to secret store so far....	21:27
kfox1111	the arg is the data, not the filename the data's in....	21:28
openstackgerrit	Kaitlin Farr proposed openstack/castellan: Updating HACKING.rst https://review.openstack.org/160009	21:28
kfox1111	thats... unfortunate.	21:28
kfox1111	ok. for now, I guess this will work: -p "$(base64 ceph.client.radosgw.keyring)" --payload-content-type "application/octet-stream" --payload-content-encoding base64	21:30
woodster_	kfox1111 are you still with PNNL then?	21:30
kfox1111	yeah.	21:30
kfox1111	though through an odd legal issue, I contribute it as myself. :/	21:30
*** SheenaG11 has quit IRC		21:30
woodster_	kfox1111, there are other contributors that probably have similar legal issues, like having to review blueprints before they can be reviewed	21:31
woodster_	kfox1111, gerrit reviewed that is	21:31
woodster_	kfox1111, I thought we did have a file upload option in the client :\	21:32
kfox1111	yeah. unfortunatly for us, it would have been easy except for the cla has made it a pain.	21:32
kfox1111	woodster_: maybe there is. I just dont see it.	21:33
woodster_	kfox1111, do you know a Tim Stavenger over there?	21:33
kfox1111	the name sounds familiar. probably have.	21:36
woodster_	kfox1111, a sharp dev and build guy that I used to work with	21:38
kfox1111	cool. :) small world.	21:39
kfox1111	ok... have a radosgw container, with a ceph key in it... lets see if we can get a vm going to pull it. :)	21:41
*** xaeth is now known as xaeth_afk		21:47
openstackgerrit	Steve Heyman proposed openstack/barbican: Update devstack to run tests both sequentially and in parallel https://review.openstack.org/160016	21:53
openstackgerrit	Thomas Dinkjian proposed openstack/barbican: Fix bug in tests assuming order is active https://review.openstack.org/157920	21:57
kfox1111	YAY!	21:59
kfox1111	ceph key goes in... new vm pulls it. md5sums match. :)	21:59
*** barra204_ has joined #openstack-barbican		22:03
hockeynut	greetings all - would love to get your opinions on the ability to add filters to list and offset on GETs for /secrets, /orders, etc (ie the plurals that return lists)	22:03
*** shakamunyi has quit IRC		22:03
*** barra204_ has quit IRC		22:07
*** nkinder has quit IRC		22:08
*** barra204_ has joined #openstack-barbican		22:08
hockeynut	I'd be willing to put together a blueprint to add filtering - makes the GETs more efficient and also solves an issue we're having with tests running in parallel - we can use filtering to only get secrets we are interested in, even if others are creating them at the same time	22:09
*** SheenaG1 has joined #openstack-barbican		22:09
kfox1111	sounds cool.	22:10
kfox1111	filtering by container name would help for the code I just wrote.	22:11
rm_work	I thought it already supported filtering by name?	22:16
rm_work	or was that just the client doing it AFTER it fetches the full list?	22:16
rm_work	I don't remember...	22:16
*** kebray has quit IRC		22:18
woodster_	kfox1111 sounds like progress. I think your CR will generate much discussion. Usually such CRs are preceded by a blueprint so it might take longer to get thru the review process, but it sounds like you aren't needing upstream immediately to run with it internally at least.	22:23
*** lisaclark1 has quit IRC		22:23
*** jamielennox is now known as jamielennox\|away		22:23
kfox1111	yeah. I figured it wouldn't go quick. I'm guessing since its so late, kilo's probably off the table?	22:26
*** jamielennox\|away is now known as jamielennox		22:30
kfox1111	woodster_: I did put in a spec and blueprint too. if that helps.	22:32
woodster_	kfox1111, oh I hadn't noticed that before, sorry	22:34
kfox1111	no worries. :)	22:35
kfox1111	I had to document how to use it somewhere, and figured that would be a good place. :)	22:35
*** igueths has joined #openstack-barbican		22:36
woodster_	kfox1111, I wouldn't give up on it for Kilo, esp. with the blueprint out there and your willingness to do the work :) There will be design gut checking though for sure and bike shedding tweaks needed to fit within our way of things, so just be ready to put up a few patches before things are done. :)	22:37
kfox1111	sure. sounds good. :)	22:38
woodster_	kfox1111, so redrobot is the PTL and might have some suggestions as well when he's back on line. reaperhulk is our security SME so it'd be good to look things over as well.	22:38
*** jamielennox is now known as jamielennox\|away		22:39
kfox1111	heh. I was in the process of asking (typing) who the PTL was. you beat me to it. :)	22:39
kfox1111	ok. cool. yeah. more eyes on the security aspect of it would be great.	22:40
*** jamielennox\|away is now known as jamielennox		22:40
kfox1111	We have custom code we were using for it, but once i got into the implmentation in barbican, I noticed keystone had basically the same code already. so I just reused all of it.	22:40
woodster_	kfox1111 is this all part of a POC or eval that you are doing?	22:40
kfox1111	so I don't think the token security will be any worse then what is already being used. :)	22:40
*** kfarr has quit IRC		22:41
kfox1111	kind of. this particular cloud is intended for researchers to do science on. mostly stable, but a bit of instability is ok.	22:42
kfox1111	since without barbican, there would be no key management, having it be a little green is probably ok, since its better to have green, then nothing at all.	22:42
kfox1111	Not having key management is a big problem.	22:43
*** paul_glass has quit IRC		22:43
rm_work	woodster_ / redrobot: so, my schedule is looking REALLY bad right now for doing virtually anything in time for kilo...	22:43
rm_work	I got pulled off Octavia/Neutron-LBaaS completely	22:44
rm_work	still doing firefighting/internal stuff	22:44
kfox1111	bummer. I really really would like LBaaS V2.	22:44
rm_work	they've got me booked for the next 1.5 months on another project T_T	22:44
kfox1111	v1 works okish.... hada regression in icehouse.	22:44
rm_work	kfox1111: well, that should still happen without me, I would hope ;P	22:45
kfox1111	still a lot missing. :/	22:45
rm_work	still others here working diligently away on it	22:45
kfox1111	thats good.	22:45
kfox1111	:)	22:45
kfox1111	yeah, before icehouse, I had a lb in front of a pool of ssh servers. it left connections live.	22:45
rm_work	just need to let them know, since I was hoping to have time to do some work on per-secret policy, but that looks unlikely at the moment	22:46
kfox1111	at icehouse, it started breaking connections that were live for more then a couple of minutes. :/	22:46
rm_work	kfox1111: T_T	22:46
rm_work	which backend were you using?	22:46
kfox1111	haproxy	22:46
rm_work	I hope not the haproxy-namespace driver	22:46
rm_work	oh shit	22:46
rm_work	lol	22:46
rm_work	that is... not really intended for production use, or at least I would not recommend it T_T	22:46
woodster_	rm_work, sorry to hear that :\	22:46
rm_work	we're working on stabilizing it a bit for v2	22:47
kfox1111	bummer. cause its being used in production. ;)	22:47
rm_work	but Octavia should be the default deployment option soon :P	22:47
kfox1111	has been for a year at least.	22:47
rm_work	though probably not until Liberty	22:47
rm_work	so... some definition of "soon"	22:47
kfox1111	cool, and bummer. :)	22:47
rm_work	heh yeah...	22:47
woodster_	poc == production sometimes :)	22:47
kfox1111	yup.	22:48
woodster_	kfox1111, fyi the feature lbaas wanted to use was this per-secret RBAC one: Maybe we can get kfox1111 to do that per-secret RBAC stuff?	22:48
woodster_	kfox1111 it does have the concept of a read-only role to view shared secrets.	22:48
rm_work	Octavia is a good scaling/HA Loadbalancing soft-appliance that lives in nova and uses neutron for network plumbing	22:48
*** kebray has joined #openstack-barbican		22:48
rm_work	and uses HAProxy by default	22:48
rm_work	though that is theoretically extensible (could use nginx / whatever)	22:49
kfox1111	maybe after I get rados gw, sahara, and a gui for barbican done. :/	22:49
kfox1111	rm_work: yeah. been keeping an eye on it. Long term I think its a good solution.	22:50
rm_work	yeah I am surprised there isn't a good Barbican+Horizon solution yet	22:50
kfox1111	for 2 of our production clouds though, its actually has a major drawback.	22:50
rm_work	somewhat disheartening	22:50
rm_work	kfox1111: is your GUI going to be Horizon based and eventually live upstream? :P	22:50
kfox1111	our network nodes are 10g attached on 1 gig to the compute nodes.	22:50
kfox1111	one uses vxlans over infiniband for the tenant networks.	22:50
kfox1111	so putting the lb on the network node is actually faster then putting it in a vm.	22:51
rm_work	heh	22:51
kfox1111	rm_work: If I get time for it, yes.	22:51
rm_work	well, it you ran a special lbaas nova endpoint and set up your network nodes as lxc container hosts, that'd work :P	22:51
rm_work	which is actually remarkably similar to how the namespace haproxy impl works, from a really high level perspective (without the nova), I think	22:53
kfox1111	hmm... yeah. I could just make the network nodes compute nodes, put it in a different host aggrigate, and make sure they launch there.	22:53
kfox1111	thanks. :)	22:53
kfox1111	we do that for some of our compute nodes.	22:54
woodster_	kfox1111 I did intend to add a :) after that statement above! Always on the look out for folks that have time to help out with things!	22:54
kfox1111	time is always in short supply. but I help where I can. :)	22:55
*** barra204_ has quit IRC		22:57
*** igueths has quit IRC		23:04
*** jamielennox is now known as jamielennox\|away		23:06
*** ametts has quit IRC		23:14
*** jorge_munoz has quit IRC		23:17
*** dimtruck is now known as zz_dimtruck		23:19
*** dave-mccowan has joined #openstack-barbican		23:23
*** jkf has quit IRC		23:45
*** zz_dimtruck is now known as dimtruck		23:46
*** kebray has quit IRC		23:49
*** hockeynut has quit IRC		23:51
*** tdink_ has quit IRC		23:51
*** hockeynut has joined #openstack-barbican		23:52
*** tdink has joined #openstack-barbican		23:52

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!