Friday, 2015-03-06

*** seagray has joined #openstack-barbican		00:03
*** kgriffs\|afk is now known as kgriffs		00:12
*** kgriffs is now known as kgriffs\|afk		00:22
openstackgerrit	Brianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan https://review.openstack.org/148742	00:23
*** crc32 has quit IRC		00:29
*** jkf has quit IRC		00:36
*** jaosorior has quit IRC		00:42
*** mikedillion has joined #openstack-barbican		01:03
*** mikedillion has quit IRC		01:05
*** mikedillion has joined #openstack-barbican		01:06
*** dave-mcc_ has joined #openstack-barbican		01:11
*** dave-mccowan has quit IRC		01:14
*** lisaclark has joined #openstack-barbican		01:18
*** lisaclark has quit IRC		01:24
*** bdpayne has quit IRC		01:33
*** lisaclark has joined #openstack-barbican		01:33
*** kebray has quit IRC		01:35
*** SheenaG11 has joined #openstack-barbican		01:41
*** SheenaG1 has quit IRC		01:44
*** dave-mcc_ has quit IRC		01:45
*** kebray has joined #openstack-barbican		01:47
*** dave-m___ has joined #openstack-barbican		01:54
*** mikedillion has quit IRC		02:02
*** seagray has quit IRC		02:09
*** lisaclark has quit IRC		02:16
*** crc32 has joined #openstack-barbican		02:17
*** chellygel has joined #openstack-barbican		02:42
openstackgerrit	John Vrbanac proposed openstack/barbican: Fixing test dependence on execution order https://review.openstack.org/161999	03:25
*** kgriffs\|afk is now known as kgriffs		03:26
openstackgerrit	John Vrbanac proposed openstack/barbican: Fixing test dependence on execution order https://review.openstack.org/161999	03:26
*** woodster_ has quit IRC		03:30
*** dimtruck is now known as zz_dimtruck		03:30
*** kgriffs is now known as kgriffs\|afk		03:36
*** david-lyle is now known as david-lyle_afk		03:44
*** kfox1111 has quit IRC		03:44
openstackgerrit	Merged openstack/barbican: Ensure that external secret refs cannot be added to containers https://review.openstack.org/161417	03:45
*** rm_you\| is now known as rm_you		03:56
*** gyee has quit IRC		04:23
*** jenkins-keep has joined #openstack-barbican		05:01
*** DCWilliams_VA has joined #openstack-barbican		05:09
*** dave-m___ has quit IRC		05:09
*** DCWilliams_VA has quit IRC		05:13
*** kgriffs\|afk is now known as kgriffs		05:15
*** kgriffs is now known as kgriffs\|afk		05:24
openstackgerrit	John Vrbanac proposed openstack/barbican: Fixing test dependence on execution order https://review.openstack.org/161999	06:07
openstackgerrit	John Vrbanac proposed openstack/barbican: Starting refactor of test_resources https://review.openstack.org/162028	06:07
*** kgriffs\|afk is now known as kgriffs		07:03
*** kgriffs is now known as kgriffs\|afk		07:13
*** jamielennox is now known as jamielennox\|away		07:16
*** kebray has quit IRC		07:39
*** chlong has quit IRC		08:11
*** crc32 has quit IRC		08:46
*** kgriffs\|afk is now known as kgriffs		08:52
*** kgriffs is now known as kgriffs\|afk		09:02
*** darrenmoffat has quit IRC		10:13
*** darrenmoffat has joined #openstack-barbican		10:14
openstackgerrit	Everardo Padilla Saca proposed openstack/barbican: Add missing python requierements for tests https://review.openstack.org/161279	10:16
*** kgriffs\|afk is now known as kgriffs		10:41
*** kgriffs is now known as kgriffs\|afk		10:51
*** chlong has joined #openstack-barbican		11:23
*** kgriffs\|afk is now known as kgriffs		12:30
*** kgriffs is now known as kgriffs\|afk		12:39
*** DCWilliams_VA has joined #openstack-barbican		13:04
*** woodster_ has joined #openstack-barbican		13:06
*** rellerreller has joined #openstack-barbican		13:08
*** DCWilliams_VA has quit IRC		13:57
*** kgriffs\|afk is now known as kgriffs		14:18
openstackgerrit	Merged openstack/barbican: Enforce X-Project-Id coming from the request headers https://review.openstack.org/161377	14:21
*** seagray has joined #openstack-barbican		14:22
*** seagray has quit IRC		14:24
*** kgriffs is now known as kgriffs\|afk		14:28
*** lisaclark has joined #openstack-barbican		14:29
*** dave-mccowan has joined #openstack-barbican		14:32
*** chlong has quit IRC		14:34
*** igueths has joined #openstack-barbican		14:38
*** alee has quit IRC		14:52
*** alee has joined #openstack-barbican		14:53
*** kgriffs\|afk is now known as kgriffs		14:56
*** kgriffs is now known as kgriffs\|afk		14:56
*** paul_glass has joined #openstack-barbican		15:01
*** ametts has joined #openstack-barbican		15:02
*** atiwari has joined #openstack-barbican		15:21
*** lisaclark has quit IRC		15:22
*** lisaclark has joined #openstack-barbican		15:26
*** jorge_munoz has joined #openstack-barbican		15:33
*** zz_dimtruck is now known as dimtruck		15:34
rellerreller	ping reaperhulk	15:34
rellerreller	In PyCrypto there is the exportKey function for RSAObj. It says the DER encoding cannot be used to encrypt private key. Is that true? Can encrypted key wrapped with passphrase only come out in PEM format?	15:36
*** SheenaG11 has quit IRC		15:37
reaperhulk	For traditional openssl (aka PKCS1) format that is true	15:38
reaperhulk	for PKCS8 you can have encrypted DER	15:38
rellerreller	reaperhulk Thanks!	15:39
*** lisaclark has quit IRC		15:45
openstackgerrit	Thomas Dinkjian proposed openstack/python-barbicanclient: Moved parameterized test from smoke to functional https://review.openstack.org/160490	15:47
*** lisaclark has joined #openstack-barbican		15:47
*** arunkant has joined #openstack-barbican		15:50
*** arunkant has quit IRC		15:51
*** arunkant has joined #openstack-barbican		15:52
*** arunkant has quit IRC		15:55
*** arunkant has joined #openstack-barbican		15:55
*** kgriffs\|afk is now known as kgriffs		15:56
arunkant	woodster_, there?	16:06
*** kgriffs is now known as kgriffs\|afk		16:06
*** rellerreller has quit IRC		16:08
arunkant	alee, there?	16:11
chellygel	arunkant, woodster_ is on vacation, as an FYI	16:11
arunkant	chellygel, okay..thanks.	16:13
chellygel	:)	16:13
*** kebray has joined #openstack-barbican		16:14
alee	arunkant, hi	16:16
alee	arunkant, hows the per-secret stuff coming?	16:16
openstackgerrit	Thomas Dinkjian proposed openstack/python-barbicanclient: Third set of secrets negative tests. https://review.openstack.org/162208	16:24
jvrbanac	redrobot, alee, hockeynut, if you got a sec, easy workflow: https://review.openstack.org/#/c/161999/	16:26
redrobot	jvrbanac done	16:27
arunkant	alee, Have a question on per secret ACL. currently in barbican..whenever a secret is read from DB, it also uses project_id from token to make that read. With ACL this would not work when user belongs to some other project but is 'read' ACL user list.	16:27
jvrbanac	redrobot, thx	16:29
arunkant	alee, there?	16:31
alee	arunkant, yeah -- thinking .. sorry, multi-irc'ing	16:31
*** kgriffs\|afk is now known as kgriffs		16:31
arunkant	alee, this is code I am talking about. https://github.com/openstack/barbican/blob/master/barbican/api/controllers/secrets.py#L211	16:32
alee	arunkant, well we pass in that value, but is it actually used to filter results?	16:33
alee	arunkant, if so, then that may need to be changed	16:33
*** chlong has joined #openstack-barbican		16:34
alee	arunkant, because the acl evaluation would occur before that point	16:34
arunkant	Yes. authorization would pass based on ACL logic..but then it would not get secret as token project id is different from secret's project id	16:35
arunkant	alee, yes it uses in db lookup.. https://github.com/openstack/barbican/blob/master/barbican/model/repositories.py#L643	16:35
alee	arunkant, yeah - we'll have to think on how to modify that code	16:36
alee	arunkant, may need to build another query	16:37
arunkant	alee, yes..this logic needs to be changed. Currently this mechanism/logic is used to make sure that user's project and secret's project is same	16:37
alee	arunkant, well its also used to get for example a list of secrets for a particular user	16:38
alee	arunkant - or maybe not -- if its just for accessing a single secret - then it could be changed	16:39
arunkant	alee, this is kind of authorization check which can enforced via policy as well.	16:39
alee	maybe end up removing that filter	16:39
alee	yes	16:39
arunkant	alee, for list secret's call (with ACL logic), there has to be additional mechanism to provide project id (not always derive from token)	16:41
arunkant	alee, but I think for now..we can just focus on 'read' operation only.. others can be looked later.	16:43
alee	arunkant, sure	16:43
alee	arunkant, focus on whats in the blueprint - which is reading individual secrets	16:43
arunkant	alee, yes. So for single read as well, will need to change the above mentioned area.	16:44
alee	arunkant, right	16:45
*** SheenaG1 has joined #openstack-barbican		16:45
arunkant	alee, there has been concern raised in past to change that logic. For acl logic, I don't see any other way.	16:46
alee	arunkant, well , we're changing it because we are putting in place a framework for acls.	16:47
alee	the authz checks are done at that level.	16:47
alee	so I see no reason not to change it as long as we show that the authz check is done elsewhere	16:48
arunkant	alee, I agree. We should not have authorization logic once its passed policy enforcement layer.	16:48
alee	and no unauthorizxed access is obtained	16:48
alee	arunkant, rest assured, your changes will be thoroughly reviewed.	16:49
*** gyee has joined #openstack-barbican		16:49
arunkant	alee, okay. have started adding code. https://review.openstack.org/#/c/161620 . Its work in progress but you are welcome to review it and see if any significant deviation is there.	16:52
alee	arunkant, will do so early next week -- I've been stuck adding pointers in some old code this week.	16:55
*** xaeth_afk is now known as xaeth		17:00
*** lisaclark has quit IRC		17:02
*** rellerreller has joined #openstack-barbican		17:05
*** lisaclark has joined #openstack-barbican		17:07
jvrbanac	rellerreller, here is the start of the test refactoring to remove as many mocks as possible https://review.openstack.org/#/c/162028	17:09
jvrbanac	rellerreller, I would love to get your opinion on it	17:09
rellerreller	jvrbanac This sounds great. I would like to take a look. When would you like feedback by? Today is pretty crazy with content types.	17:10
jvrbanac	rellerreller, whenever you have a chance. I'll be ping different core people throughout the day to try to get some feedback before I go hog wild and refactor the rest of api/test_resources.py	17:11
*** rellerreller has quit IRC		17:22
*** rellerreller has joined #openstack-barbican		17:23
*** jkf has joined #openstack-barbican		17:33
openstackgerrit	Merged openstack/barbican: Fixing test dependence on execution order https://review.openstack.org/161999	17:33
*** xaeth is now known as xaeth_afk		17:34
openstackgerrit	Brianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan https://review.openstack.org/148742	17:39
*** lisaclark has quit IRC		17:39
*** xaeth_afk is now known as xaeth		17:42
*** david-lyle_afk is now known as david-lyle		17:43
*** kgriffs is now known as kgriffs\|afk		17:56
*** lisaclark has joined #openstack-barbican		18:03
*** rellerreller has quit IRC		18:07
*** bdpayne has joined #openstack-barbican		18:13
*** morganfainberg is now known as needscoffeebadly		18:19
*** kebray has quit IRC		18:20
*** needscoffeebadly is now known as CaptainMorgan		18:22
openstackgerrit	Douglas Mendizábal proposed openstack/python-barbicanclient: Use functional_test.conf for devstack gate https://review.openstack.org/161466	18:44
jvrbanac	hockeynut, redrobot, alee, If you have a moment: https://review.openstack.org/#/c/162028/	18:52
*** lisaclark has quit IRC		18:53
*** kgriffs\|afk is now known as kgriffs		18:56
elmiko	woodster_: ping	18:57
redrobot	elmiko woodster_ is out on spring brake through next week	19:01
elmiko	ahh cool	19:02
elmiko	i envision has some spare cycles and i was curious about helping improve the test coverage	19:02
*** kfarr has joined #openstack-barbican		19:02
elmiko	do you know if there was ever a bug or bp set up describing the needed work?	19:02
*** lisaclark has joined #openstack-barbican		19:04
*** kgriffs is now known as kgriffs\|afk		19:05
elmiko	redrobot: ^^	19:08
*** kfarr_ has joined #openstack-barbican		19:09
*** kfarr_ has quit IRC		19:10
redrobot	elmiko I don't think we have a bug set up yet, but jvrbanac has been doing a lot of work with the testing framework	19:10
elmiko	redrobot: thanks, i'll ping him =)	19:10
elmiko	jvrbanac: ping	19:10
jvrbanac	elmiko, pong	19:13
elmiko	jvrbanac: i'm curious about helping to improve the test coverage, i'm wondering if you have any pointers or places i might look at?	19:14
jvrbanac	elmiko, unit or functional coverage?	19:16
elmiko	jvrbanac: i think unit is probably safer for me to start with, at least until i understand the functionals better	19:17
jvrbanac	elmiko, ok. So, I'm in the process of refactoring test_resources to get rid of the massive number of mocks we're using (https://review.openstack.org/#/c/162028/). It would be absolutely awesome if we could do more of that, which will help our coverage as well	19:19
*** kebray has joined #openstack-barbican		19:19
*** kebray has quit IRC		19:19
elmiko	jvrbanac: cool, i'll take a look and see if i can grok. will you be around later to chat?	19:19
*** kebray has joined #openstack-barbican		19:20
jvrbanac	elmiko, sure yeah	19:20
elmiko	jvrbanac: thanks!	19:20
jvrbanac	elmiko, my goal is to clean up our tests to run more real code paths as well as make them more understandable. There are places where we have horrid inheritance chains and you can't hardly tell what's going on.	19:22
elmiko	jvrbanac: ok, and from the looks of that review i wouldn't need a related bug or something to link in the commit?	19:22
elmiko	jvrbanac: what were you thinking about for the other secrets tests in test_resources.py ?	19:39
jvrbanac	elmiko, I'm working on those right now	19:42
elmiko	jvrbanac: cool, would it work out if i made a dependent CR from yours adding a test_containers.py to that new test folder? (i don't want to step on toes if you were planning to add that)	19:44
jvrbanac	elmiko, what would be awesome!	19:45
elmiko	alternatively i could look at order or consumers	19:45
elmiko	ok, cool. i'll try and work something up =)	19:45
jvrbanac	elmiko, awesome thx!	19:46
*** rellerreller has joined #openstack-barbican		19:48
rellerreller	reaperhulk Can cryptography does RSA encryption and decryption?	19:49
rellerreller	/does/do/	19:50
*** CaptainMorgan is now known as morganfainberg		19:50
reaperhulk	yes: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption	19:50
rellerreller	reaperhulk thanks!	19:50
openstackgerrit	Thomas Dinkjian proposed openstack/python-barbicanclient: Second set of negative functional tests for secrets https://review.openstack.org/161846	19:55
openstackgerrit	Thomas Dinkjian proposed openstack/python-barbicanclient: Third set of secrets negative tests. https://review.openstack.org/162208	19:58
*** lisaclark has quit IRC		19:58
*** jkf has quit IRC		20:01
*** lisaclark has joined #openstack-barbican		20:02
*** jkf has joined #openstack-barbican		20:03
openstackgerrit	Thomas Dinkjian proposed openstack/python-barbicanclient: Second set of negative functional tests for secrets https://review.openstack.org/161846	20:06
*** rellerreller has quit IRC		20:17
*** lisaclark has quit IRC		20:19
elmiko	jvrbanac: you weren't kidding about the tangled object hierarchy!	20:31
*** lisaclark has joined #openstack-barbican		20:34
*** crc32 has joined #openstack-barbican		20:43
*** kgriffs\|afk is now known as kgriffs		20:45
*** kgriffs is now known as kgriffs\|afk		20:54
*** SheenaG1 has quit IRC		21:03
*** kgriffs\|afk is now known as kgriffs		21:04
*** lisaclark has quit IRC		21:10
elmiko	jvrbanac: question about barbican.models.repositories, if i need to add Secrets do i use the BaseRepo.save method with a new Secret object?	21:14
kfarr	hockeynut, do you have a second to explain to me the difference between a smoke test and a functional test?	21:23
igueths	mpc -q next	21:30
igueths	Wrong console...	21:30
*** kgriffs is now known as kgriffs\|afk		21:58
rm_work	lol wow, someone updated the barbican-client and changed the way the api object works (split httpclient out) and didn't update containers T_T	22:00
rm_work	anyone know if there is a patch incoming for this? if not, I can do it now	22:00
* rm_work checks gerrit		22:00
rm_work	doesn't look like it	22:01
rm_work	patch incoming	22:01
rm_work	ah, I see why no one thought to update container create -- it's a bit odd, normally it wouldn't matter	22:05
*** woodster_ has quit IRC		22:10
openstackgerrit	Adam Harwell proposed openstack/python-barbicanclient: Pass correct api object to Container constructor https://review.openstack.org/162318	22:11
*** kgriffs\|afk is now known as kgriffs		22:12
rm_work	filed a bug for it: https://bugs.launchpad.net/python-barbicanclient/+bug/1429286	22:12
openstack	Launchpad bug 1429286 in python-barbicanclient "Can't create Containers, missing self._api._post method" [Undecided,New]	22:12
rm_work	wow that was fast, jaosorior already commenting	22:14
rm_work	err nm	22:14
rm_work	wrong CR	22:14
openstackgerrit	Douglas Mendizábal proposed openstack/python-barbicanclient: Refactor test modules https://review.openstack.org/162320	22:14
rm_work	redrobot: current release of python-barbicanclient container creation is broken T_T	22:15
redrobot	rm_work :( have you filed a bug?	22:15
rm_work	redrobot: ^^	22:15
reaperhulk	rm_work: good thing we're trying to turn on a functional test gate	22:15
* redrobot should read context before replying		22:15
rm_work	redrobot: bug filed and patch submitted, see above	22:15
rm_work	:P	22:15
rm_work	anyway, I assume there'll be a new release cut to correspond with the Kilo release?	22:16
rm_work	just need the fix to make it in by then	22:16
rm_work	reaperhulk: heh yes, that would be nice :)	22:17
redrobot	rm_work yeah we're planning a client release around k-3	22:17
rm_work	redrobot: how long is that from now?	22:17
*** kebray_ has joined #openstack-barbican		22:17
redrobot	~ 2 weeks	22:17
rm_work	k	22:17
*** kebray has quit IRC		22:17
elmiko	jvrbanac: a little update, i'm making good progress. got the first few tests converted. i just need to figure out a better way to inject secrets into the repos.	22:18
elmiko	redrobot, rm_work, maybe you guys know. if i have a Secret() is there an easy way to get the secret_ref for it?	22:19
rm_work	assuming my_secret is a Secret() object	22:19
rm_work	my_secret.secret_reg	22:20
rm_work	* my_secret.secret_ref	22:20
rm_work	is the ref :P	22:20
redrobot	rm_work that's true for the client, I think elmiko is working on server side code	22:20
rm_work	ah	22:20
elmiko	yea	22:20
elmiko	this is for tests	22:20
rm_work	THAT kind of Secret object	22:20
elmiko	sorry, should have been more clear	22:20
rm_work	heh	22:20
rm_work	np, normally would have caught that, but I'm in Client mode today	22:20
rm_work	it's a repository Secret object?	22:21
elmiko	no worries, i just feel like i'm doing this the "wrong way(tm)" if i need to make rest calls to generate secrets for a container	22:21
elmiko	rm_work: yea, that's what i'm trying to do now	22:21
rm_work	if PyCharm would stop beachballing on me....	22:21
*** chlong has quit IRC		22:24
*** jkf has quit IRC		22:25
*** jkf has joined #openstack-barbican		22:27
*** dave-mccowan has quit IRC		22:28
*** jorge_munoz has quit IRC		22:46
*** paul_glass has quit IRC		22:49
*** kgriffs is now known as kgriffs\|afk		22:54
openstackgerrit	Arun Kant proposed openstack/barbican: Adding per secret ACL support https://review.openstack.org/161620	22:55
*** crc32 has quit IRC		23:13
*** xaeth is now known as xaeth_afk		23:14
*** kebray_ has quit IRC		23:18
*** kebray has joined #openstack-barbican		23:19
*** xaeth_afk is now known as xaeth		23:24
*** igueths has quit IRC		23:24
*** dave-mccowan has joined #openstack-barbican		23:38
*** ametts has quit IRC		23:38
*** woodster_ has joined #openstack-barbican		23:39
*** jkf has quit IRC		23:51
*** kgriffs\|afk is now known as kgriffs		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!