*** nkinder has joined #openstack-barbican | 00:13 | |
*** tkelsey has joined #openstack-barbican | 02:19 | |
*** tkelsey has quit IRC | 02:24 | |
*** bdpayne has quit IRC | 02:59 | |
*** woodster_ has joined #openstack-barbican | 03:14 | |
openstackgerrit | Merged openstack/python-barbicanclient: First set of negative functional test for secrets https://review.openstack.org/163156 | 03:29 |
*** kebray has joined #openstack-barbican | 03:42 | |
*** kebray has quit IRC | 03:42 | |
*** kebray has joined #openstack-barbican | 03:43 | |
*** kebray has quit IRC | 04:01 | |
*** kebray has joined #openstack-barbican | 04:02 | |
*** dave-mccowan has quit IRC | 04:02 | |
*** xaeth_afk is now known as xaeth | 04:15 | |
*** xaeth is now known as xaeth_afk | 04:17 | |
openstackgerrit | Merged openstack/python-barbicanclient: Updated from global requirements https://review.openstack.org/166464 | 05:22 |
*** bdpayne has joined #openstack-barbican | 05:26 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex https://review.openstack.org/166698 | 06:06 |
*** kebray has quit IRC | 06:15 | |
*** jamielennox is now known as jamielennox|away | 06:28 | |
*** bdpayne has quit IRC | 06:32 | |
*** gitorres has joined #openstack-barbican | 06:44 | |
*** gitorres has left #openstack-barbican | 06:44 | |
*** gitorres has joined #openstack-barbican | 07:04 | |
*** gitorres has left #openstack-barbican | 07:05 | |
*** woodster_ has quit IRC | 07:50 | |
*** chlong has quit IRC | 07:58 | |
*** gitorres has joined #openstack-barbican | 08:09 | |
*** gitorres1 has joined #openstack-barbican | 08:11 | |
*** gitorres has quit IRC | 08:15 | |
*** gitorres1 has left #openstack-barbican | 08:23 | |
*** tkelsey has joined #openstack-barbican | 08:31 | |
*** gitorres has joined #openstack-barbican | 09:05 | |
*** gitorres has quit IRC | 09:09 | |
*** gitorres has joined #openstack-barbican | 09:51 | |
*** gitorres has quit IRC | 10:37 | |
*** gitorres has joined #openstack-barbican | 10:39 | |
*** gitorres has quit IRC | 10:48 | |
*** gitorres has joined #openstack-barbican | 10:49 | |
*** gitorres has quit IRC | 10:50 | |
*** gitorres has joined #openstack-barbican | 10:50 | |
*** jaosorior has joined #openstack-barbican | 10:53 | |
*** gitorres has quit IRC | 10:57 | |
*** gitorres has joined #openstack-barbican | 10:57 | |
*** gitorres has quit IRC | 11:09 | |
*** gitorres has joined #openstack-barbican | 11:09 | |
*** gitorres has quit IRC | 11:21 | |
*** gitorres has joined #openstack-barbican | 11:21 | |
*** gitorres has left #openstack-barbican | 11:43 | |
*** dave-mccowan has joined #openstack-barbican | 12:21 | |
*** dave-mccowan has quit IRC | 13:00 | |
*** dave-mccowan has joined #openstack-barbican | 13:00 | |
*** alee_out is now known as alee | 13:23 | |
alee | dave-mccowan, thats great -- what do you have? | 13:23 |
dave-mccowan | alee i implemented create_asymmetric_key_container() | 13:25 |
alee | dave-mccowan, thats great - I was going to look at that next | 13:26 |
alee | dave-mccowan, how did you do it ? issue an order for an asym key set? or create a keyset and put it in a container? | 13:26 |
*** kebray has joined #openstack-barbican | 13:28 | |
dave-mccowan | alee i thought so; it gets a bunch of tests going. i created and stored the secrets, then put the refs in the container. | 13:28 |
alee | dave-mccowan, great! | 13:29 |
alee | dave-mccowan, perhaps you can implement create_asymmetric_key_container_without_secrets() and create_generic_container() | 13:30 |
alee | dave-mccowan, that should be a small variation on what you've already done. | 13:30 |
alee | dave-mccowan, and also allows you to test the validator code you have been writing | 13:30 |
alee | dave-mccowan, hows that validator code going? | 13:31 |
dave-mccowan | alee sounds good. will do. | 13:31 |
alee | dave-mccowan, I'm going to post up another patch shortly that implements gets_dogtag_ca_id() and fixes a few bugs | 13:32 |
openstackgerrit | Martin Kletzander proposed openstack/barbican: Fix common misspellings https://review.openstack.org/166819 | 13:33 |
dave-mccowan | alee i've some validating going on. then i got stuck on a design question. looks like i need the project_id to verify that a secret_ref is valid, but I don't have it in the existing call. so, i'll have to do something like what you did with validate_ca_id(), and call a second validator later in the flow. | 13:33 |
dave-mccowan | alee, maybe you've solved some of my issues with your next patch. | 13:33 |
alee | dave-mccowan, I'm not sure I have .. why do you need a project_id to verify that the secret_ref is valid? | 13:34 |
alee | dave-mccowan, I think that limitation is actually removed by arunkant patches | 13:35 |
alee | because if I recall correctly, the query for secrets implies that secret.project_id == external_project_id right now | 13:36 |
dave-mccowan | alee if you're asking, maybe i don't. :-) ah.... ok, looking at my code again, i see the problem. the project_id was a red herring. | 13:39 |
alee | dave-mccowan, ok | 13:40 |
*** woodster_ has joined #openstack-barbican | 13:42 | |
dave-mccowan | alee i'll work on the creates next. let me know when you need them and i can make CR or paste them. | 13:45 |
alee | dave-mccowan, yeah - go ahead and post them as soon as you have them | 13:46 |
alee | dave-mccowan, I'll try to get to those tests today | 13:46 |
openstackgerrit | Ade Lee proposed openstack/barbican: Add functional tests for certificate orders https://review.openstack.org/166089 | 13:59 |
openstackgerrit | Ade Lee proposed openstack/barbican: Fix CA related exceptions, and unskip relevant tests https://review.openstack.org/166316 | 13:59 |
openstackgerrit | Ade Lee proposed openstack/barbican: Fix some ca_id related bugs, add more functional test code https://review.openstack.org/166839 | 13:59 |
alee | woodster_, ping | 14:00 |
openstackgerrit | Martin Kletzander proposed openstack/barbican: Fix common misspellings https://review.openstack.org/166819 | 14:06 |
dave-mccowan | alee do you have any handy curl or sql commands that you use for debugging? for example, if i store something, but my code can't find it, what's a quick command that I can use to dump the stored data for comparison? | 14:06 |
alee | dave-mccowan, for database I just go into sqlite itself. mostly though, as I've been working on functional tests, I've been relying on the X_behaviors.py files | 14:08 |
alee | because my instance is now set up for keystone auth | 14:09 |
alee | dave-mccowan, pastebin what you have - maybe I'll be able to see whats going on. | 14:10 |
openstackgerrit | Juan Antonio Osorio Robles proposed openstack/castellan: Start using oslo.policy https://review.openstack.org/165743 | 14:11 |
alee | jaosorior, yeah - I'm befuddled | 14:13 |
alee | jaosorior, good catch on the skipTest/skip thing -- I was wondering how to add a comment as to why a test was being skipped | 14:14 |
jaosorior | alee: I responded | 14:14 |
jaosorior | seems that the skip decorator actually takes a reason | 14:15 |
jaosorior | well, a message | 14:15 |
dave-mccowan | alee http://www.fpaste.org/201440/ | 14:15 |
jaosorior | and in that documentation that I mentioned, they were referring to the skip method, not the decorator | 14:15 |
jaosorior | alee: so I guess you could add a message to those skip decorators that don't have it. It would be useful | 14:16 |
alee | jaosorior, I will - perhaps in one of the later patches | 14:16 |
alee | jaosorior, I'm trying to remove all those skips | 14:16 |
alee | jaosorior, please take a look at the follow on patches too. | 14:17 |
alee | jaosorior, although I'm not sure how to fix the __name__ thing. | 14:17 |
alee | I have no idea what it means | 14:17 |
jaosorior | alee: neither do I, but sure, will check em out | 14:18 |
*** paul_glass has joined #openstack-barbican | 14:19 | |
alee | dave-mccowan, it gets as far as line 51? | 14:20 |
alee | dave-mccowan, after you create the container -- what do you see for wget http://host:port/v1/containers ? | 14:21 |
*** zz_dimtruck is now known as dimtruck | 14:23 | |
alee | dave-mccowan, I think you may need the project_id -- see this code from the containers controller .. | 14:24 |
alee | container = self.container_repo.get( | 14:24 |
alee | entity_id=self.container_id, | 14:24 |
alee | external_project_id=external_project_id, | 14:24 |
alee | suppress_exception=True) | 14:24 |
alee | if not container: | 14:24 |
alee | container_not_found() | 14:24 |
alee | dave-mccowan, currently, the repo has a filter on the project_id | 14:26 |
alee | that may change in arunkant patch because the acl mechanism changes and it is no longer requested that the container be owned by the project | 14:26 |
alee | and rather the enforcement is done on the acl level. | 14:26 |
alee | so with what you have - you are looking for containers that are owned by no projects -- which gives no results | 14:27 |
dave-mccowan | alee ah. rewind back to 9:34:20. so, i do need to write an extra validator that knows about project_id. | 14:27 |
alee | incidentally, you need suppress_exception = True otherwise no result will throw an exception and you'll never get to the next line | 14:28 |
alee | I think we'll need to adjust your validator once arunkant patches land | 14:29 |
jaosorior | alee: well... keystone would still provide the X-Project header. Now, I'm not sure if the mapping or logic will actually change in barbican though. | 14:29 |
alee | jaosorior, right - but right now the get query only returns those secrets and projects where your X-project == project for secret or container | 14:30 |
alee | that is the get db query | 14:30 |
alee | that will need to change because you will now be able to access some other projects secrets and containers if you have an acl. | 14:30 |
jaosorior | true | 14:31 |
alee | jaosorior, that change is in arunkant patches | 14:31 |
alee | dave-mccowan, I think we will need to revisit your validator once arunkant patches land. | 14:31 |
alee | dave-mccowan, in the meantime -- does the validator know anything about the external_project_id? | 14:31 |
dave-mccowan | alee ok. i was on the right track. the straight call validator does not know the project ID, but... | 14:32 |
dave-mccowan | alee i can follow your validate_ca_id example: | 14:33 |
dave-mccowan | if order_type == models.OrderType.CERTIFICATE: | 14:33 |
dave-mccowan | validators.validate_ca_id(project.id, body.get('meta')) | 14:33 |
dave-mccowan | validators.validate_container_refs(project.id, body.get('meta')) | 14:33 |
alee | dave-mccowan, yeah - lets do that | 14:33 |
alee | dave-mccowan, you'll need the project_id to validate the secrets too. | 14:34 |
dave-mccowan | alee or... maybe this is beyond the scope of validators, and it falls to certificate_resources to catch not-found refs. | 14:34 |
alee | dave-mccowan, well - this is validating data being passed into the meta of the order request | 14:35 |
alee | dave-mccowan, so you're not getting the container directly | 14:35 |
alee | dave-mccowan, but rather passing a reference to it in the order meta | 14:35 |
alee | I think it makes sense to validate that reference here | 14:36 |
alee | before issuing the order and notifying the user if the referenced container does not exist. | 14:36 |
alee | woodster_, ?? | 14:38 |
dave-mccowan | alee OK. i'm headed in the right direction then. | 14:38 |
alee | cool | 14:38 |
woodster_ | alee, hey Ade...trying to catch up | 14:38 |
alee | woodster_, hey -- we've got a bunch of work to do to try and get cert issuance to work. | 14:39 |
openstackgerrit | Everardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type https://review.openstack.org/165056 | 14:39 |
woodster_ | alee, you and dave-mccowan are working that per above I take it? | 14:39 |
alee | woodster_, part of it - yes -- | 14:40 |
alee | woodster_, so first up -- it would be great to get my patches for the functional tests in | 14:40 |
alee | woodster_, but there is that persistent __name__ problem | 14:40 |
jaosorior | alee: I'm starting to think that the skip decorator without a reason might be the issue... Since the __name__ problem usually would relate to some issue in a decorator. On the other hand, this CR https://review.openstack.org/#/c/166089/3 has 19 failing test cases. While this CR https://review.openstack.org/#/c/166839/1 (in which some skips were removed) | 14:41 |
jaosorior | there is only 9 failing test cases | 14:41 |
alee | jaosorior, interesting -- let me fix the last patch and see if it passes | 14:42 |
woodster_ | hockeynut, have you seen that issue with functional tests in the past? | 14:42 |
woodster_ | alee, it has the look of an object being passed into an assert test when a function/method/class was expected? | 14:44 |
alee | woodster_, not sure - I'm trying jaosorior suggestion | 14:47 |
woodster_ | alee, I'm pretty sure those @testtools.skip calls need a string to print out, so @testtools.skip('foo') | 14:47 |
hockeynut | woodster_ checking... | 14:48 |
jaosorior | woodster_, alee: Yeah, it might be that there is only a partial application of those decorators, and in that state there would be no __name__ | 14:49 |
jaosorior | but I guess that would mean that those skip decorators are not implemented correctly | 14:49 |
alee | jaosorior, its a good likelihood those are the problem, given that they are the only thing really different from the other tests | 14:51 |
alee | jaosorior, woodster_ sending last one to the gate now .. | 14:52 |
openstackgerrit | Ade Lee proposed openstack/barbican: Fix some ca_id related bugs, add more functional test code https://review.openstack.org/166839 | 14:53 |
alee | jaosorior, woodster_ I did not change the intermediate patches -- if this works, we know the problem is fixed by the last patch | 14:54 |
alee | (saves a little merge / rebase pain hopefully) | 14:54 |
jaosorior | alee: figured. Lets hope it works | 14:54 |
alee | jaosorior, I'm an optimist .. | 14:55 |
alee | woodster_, assuming all that works - we should then talk about the state machine | 14:55 |
alee | and making sure the first few functional tests work | 14:56 |
alee | that means talking about substatus/ status and your patches | 14:56 |
alee | (at least the parts related to status/substatus | 14:56 |
woodster_ | alee, yeah I was curious about your use for sub-status...I've been thinking it is only for long-lived tasks | 14:57 |
alee | woodster_, well lets say we have a cert request | 14:58 |
alee | woodster_, lets start with the simple case --- its been sent to the ca, and now we are waiting for status. | 14:58 |
alee | woodster_, I think the order should be pending -- and the substatus will be something like waiting_for_ca | 14:59 |
alee | with the relevant message | 14:59 |
alee | right now -- the order is returning ACTIVE (with no cert) | 14:59 |
alee | woodster_, I think the reason for that is line 262 in certificate_resources.py | 15:01 |
alee | woodster_, well - part of the reason - the other thing we need is the top level code in your cr | 15:01 |
woodster_ | alee, well the sequence is (1) create order in API node as PENDING, 2) enqueue RPC task 3) worker picks it up and processes it, 4) plugin processes initiate cert and responds back to core, 5a) core sees that the cert is ready and marks cert ACTIVE, OR 5b) core sees that cert is not yet ready, so keeps the order as PENDING and sets sub-status | 15:02 |
woodster_ | alee, so 5b is what my chain of CRs is looking into | 15:02 |
woodster_ | alee, only 5a is possible now | 15:02 |
woodster_ | alee, that is unless at (1) we set the sub-status info? | 15:02 |
alee | woodster_, well we could set it to something like "NOT_YET_EXECUTED" | 15:03 |
alee | woodster_, that way we know that it has not yet been picked up | 15:04 |
woodster_ | alee, the PENDING status is intended to tell clients that the order is not yet ready to use. The sub-status just gives more info on that PENDING status. We could certainly set the sub-status at the same time PENDING is set (so when the order is created by the API node). That would mean putting logic on the POST order controller side to determine what type of | 15:06 |
woodster_ | order we have. Not a big deal certainly | 15:06 |
alee | woodster_, right -- so lets say , when we set order to PENDING, we have substatus ("NOT_YET_EXECUTED") -- that could actually be set for all Order types, right? | 15:08 |
woodster_ | alee, another issue I'm seeing is with proper db transactions on the worker side...we just have to be careful to support rollbacks on failed tasks, but still update the order record properly (and not have those sub-status messages rolled back too). I'll put in a CR today or tomorrow to try to iron that out. That said, we could have the worker update the | 15:09 |
woodster_ | order sub-status before it starts work, but again, that would have to be an independent commit to the database in case the task rolls back later. | 15:09 |
alee | or do only Cert orders have substatus? | 15:09 |
woodster_ | alee, for sure, we could just set the sub-status at order create time, that would work | 15:09 |
*** bdpayne has joined #openstack-barbican | 15:09 | |
alee | woodster_, ok -- so lets say we do all that .. | 15:10 |
alee | woodster_, now case 5b | 15:10 |
alee | which is I believe what is tested in my first functional test | 15:10 |
alee | test_create_simple_cmc_order() | 15:10 |
openstackgerrit | Thomas Dinkjian proposed openstack/python-barbicanclient: Container negative tests https://review.openstack.org/163985 | 15:11 |
alee | right now that returns ACTIVE | 15:11 |
alee | test_create_simple_cmc_order() is going against the simple ca plugin, which just returns WAITING_FOR_CA | 15:12 |
woodster_ | alee, so worker processing is fast in the devstack gate...you most of the time wouldn't see that PENDING -> ACTIVE transition when polling the order record, as the worker would pick up the task and process it so quickly | 15:12 |
alee | woodster_, no -- in this case its going against the Simple CA Manager -- > which returns WAITING_FOR_CA | 15:12 |
alee | always | 15:12 |
alee | so I'm not concerned about the transient state as much as the final state | 15:13 |
alee | which will be pending | 15:13 |
alee | PENDING/ WAITING_FOR_CA | 15:13 |
alee | its not working right now because 1) code in line 262 in certificate_resources.py is unimplemented 2) your top level code is not there yet | 15:14 |
woodster_ | alee, ah, so yes so until my CRs land, the order won't stay PENDING. You could return a follow on result object if you wanted to, but that won't be what you really want | 15:14 |
alee | woodster_, yeah - so maybe the thing to do is to focus on landing at least the first of your CRs and see where we are then. | 15:15 |
woodster_ | alee, I'm working on the last CR to that chain...minimal implementation to reschedule a retry task. Not production ready, but enough to test things out locally. | 15:16 |
woodster_ | alee, the next CR will have the periodic task actually pick up the retry task, enqueue it, and then retry the task | 15:16 |
alee | woodster_, do you implement line 262 in certificate_resources.py ? | 15:16 |
alee | and line 268? | 15:17 |
alee | aargh - waiting for gate tests is like watching paint dry .. | 15:20 |
jaosorior | any workflows for this? https://review.openstack.org/#/c/165743/ :D | 15:21 |
woodster_ | alee, the schedule tasks logic? Yes. A little differently though. Code outside of certificate_resources handles setting the sub-status. Also the retry 'method' is different, as we have to go thru the queue.server.py's Tasks class methods for all RPC tasks enqueue. We can't call just any method on any class. | 15:21 |
redrobot | jaosorior workflowed | 15:21 |
woodster_ | alee, the next CR I put up will (hopefully) clarify things. It will be easier to discuss things anyway | 15:21 |
alee | woodster_, ok good -- I'll be looking forward to seeing it. | 15:22 |
woodster_ | alee, I'm ready to get that feature off the ground! | 15:23 |
jaosorior | redrobot: yay :D | 15:23 |
alee | woodster_, me too - we're close, its just a matter of putting the pieces together | 15:23 |
alee | woodster_, there is also an issue with ca_ids that I'll need your help trying to resolve. | 15:24 |
openstackgerrit | Merged openstack/castellan: Start using oslo.policy https://review.openstack.org/165743 | 15:24 |
alee | woodster_, line 415 in test_repositories_certificate_authorities.py | 15:25 |
*** rellerreller has joined #openstack-barbican | 15:25 | |
alee | (for starters .. there are a couple other tests which depend on that underlying functionality working | 15:26 |
alee | woodster_, if you remove the skip and run the test , you will see the issues | 15:26 |
alee | having to do with uniqueness constraints and updating records. | 15:26 |
redrobot | looks like presentation proposal results went out | 15:27 |
redrobot | any barbicaneers speaking at Vancouver? | 15:27 |
alee | me, chellygel and woodster_ have one (certificate management in barbican) | 15:27 |
alee | course we should get it working first .. | 15:28 |
redrobot | alee nice! good job guys! | 15:28 |
redrobot | alee lol, true that | 15:28 |
*** bdpayne has quit IRC | 15:33 | |
*** xaeth_afk is now known as xaeth | 15:34 | |
alee | jaosorior, woodster_ yee ha! | 15:38 |
alee | jaosorior, woodster_ looks like the skips were the problem | 15:38 |
jaosorior | alee: win! | 15:39 |
alee | jaosorior, woodster_ redrobot - so do I need to fix them in the intermediate patches -- or will those merge ok? | 15:39 |
jaosorior | alee: gotta fix the intermediate ones. Well. As long as you fix the first one, then the rebasing should do the trick | 15:41 |
alee | jaosorior, phooey -- ok - here goes .. | 15:41 |
openstackgerrit | Ade Lee proposed openstack/barbican: Add functional tests for certificate orders https://review.openstack.org/166089 | 16:00 |
*** prometheanfire has joined #openstack-barbican | 16:06 | |
*** gyee has joined #openstack-barbican | 16:09 | |
*** kgriffs is now known as kgriffs|afk | 16:13 | |
*** bdpayne has joined #openstack-barbican | 16:18 | |
openstackgerrit | Ade Lee proposed openstack/barbican: Fix some ca_id related bugs, add more functional test code https://review.openstack.org/166839 | 16:21 |
openstackgerrit | Ade Lee proposed openstack/barbican: Fix CA related exceptions, and unskip relevant tests https://review.openstack.org/166316 | 16:21 |
*** zigo_ has joined #openstack-barbican | 16:21 | |
*** gyee has quit IRC | 16:21 | |
alee | jaosorior, woodster_, redrobot - rebased changes -- hopefully these will all pass the gate | 16:21 |
zigo_ | Hi there! I'm about to package Barbican for Debian, but there's already a debian folder there. Could it be removed please? | 16:22 |
alee | jaosorior, woodster_ redrobot - once they do, please review so we can get them in for woodster_ and dave-mccowan to work from. | 16:22 |
zigo_ | I'm adding a patch for review for it. | 16:23 |
redrobot | zigo_ hi! the debian stuff in the barbican tree is quite stale. We would certainly merge a patch that removes it. | 16:23 |
*** gyee has joined #openstack-barbican | 16:23 | |
zigo_ | redrobot: Thanks. I'm doing such a patch. I'd appreciate moving fast, because that'd be blocking my package otherwise. | 16:24 |
redrobot | zigo_ almost all the core reviewers hang out here, so ping me when your patch is up for review and we'll get some eyes on it. | 16:25 |
zigo_ | Cool. | 16:25 |
*** jkf has joined #openstack-barbican | 16:25 | |
rm_work | zigo_: so are you planning to maintain the debian packaging stuff externally to the barbican repo, moving forward? | 16:28 |
zigo_ | rm_work: Yes, in git.debian.org, just like the rest of OpenStack. | 16:28 |
rm_work | ok, just curious -- i had noticed that it wasn't present in many other projects, but it seemed useful to have it local | 16:29 |
rm_work | but makes sense to stick with the consistent option | 16:29 |
redrobot | zigo_ FWIW this is the official RPM spec for Fedora https://github.com/gregswift/barbican-spec | 16:29 |
zigo_ | Thanks, that may be helpful indeed. | 16:29 |
*** kfarr has joined #openstack-barbican | 16:31 | |
openstackgerrit | Thomas Goirand proposed openstack/barbican: Removing the debian folder https://review.openstack.org/166913 | 16:31 |
openstackgerrit | Merged openstack/barbican: Imported Translations from Transifex https://review.openstack.org/166698 | 16:31 |
zigo_ | https://review.openstack.org/166913 | 16:31 |
zigo_ | redrobot: rm_work: ^ | 16:32 |
alee | redrobot, woodster_ jaosorior https://review.openstack.org/#/c/166089/ jenkins is happy | 16:36 |
alee | redrobot, woodster_ jaosorior please review | 16:36 |
*** bdpayne has quit IRC | 16:37 | |
alee | jaosorior, gracias! | 16:37 |
*** prometheanfire has left #openstack-barbican | 16:37 | |
alee | hockeynut, jvrbanac ^^ | 16:39 |
jaosorior | alee: no problem | 16:39 |
hockeynut | happy jenkins means happy barbicaneers! | 16:50 |
redrobot | zigo_ lgtm | 16:57 |
redrobot | alee jaosorior hockeynut easy 2 second review https://review.openstack.org/#/c/166913/ | 16:57 |
alee | redrobot, I'll trade you for a workflow on https://review.openstack.org/#/c/166089/ | 16:58 |
hockeynut | redrobot ack'ed | 16:58 |
hockeynut | alee one question on that one - I see the flake9 noqa... | 16:59 |
hockeynut | ...what was the error that you got without that? | 16:59 |
alee | hockeynut, the error was "pki imported but not used" | 17:00 |
alee | hockeynut, I need that to validate whether or not dogtag is present | 17:00 |
*** bdpayne has joined #openstack-barbican | 17:00 | |
alee | hockeynut, if so , then the dogtag test cases will run | 17:00 |
hockeynut | alee ok cool. I think you can also do "assert pki" after the import stmt then not need the noqa stuff | 17:01 |
alee | ah -- ok - I can add that in a future cr | 17:02 |
alee | hockeynut, there will be another one for the dogtag tests I'm running through right now shortly | 17:02 |
hockeynut | alee coolness! | 17:02 |
alee | hockeynut, redrobot jaosorior - dont forget https://review.openstack.org/#/c/166316/ | 17:03 |
*** atiwari has joined #openstack-barbican | 17:04 | |
alee | hockeynut, redrobot jaosorior and https://review.openstack.org/#/c/166839 | 17:04 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/166929 | 17:05 |
alee | for which jenkins is happy | 17:05 |
alee | kfarr, thanks! | 17:05 |
kfarr | alee sure thing! | 17:05 |
hockeynut | while we're at it: https://review.openstack.org/#/c/141138/ | 17:06 |
redrobot | wtf, how is HEAD failing pep8 ? | 17:09 |
*** darrenmoffat has quit IRC | 17:11 | |
*** darrenmoffat has joined #openstack-barbican | 17:12 | |
*** SheenaG has joined #openstack-barbican | 17:13 | |
openstackgerrit | Arun Kant proposed openstack/barbican: For per secret ACL support, adding db layer changes (Part 1) https://review.openstack.org/164334 | 17:16 |
openstackgerrit | Arun Kant proposed openstack/barbican: Adding Secret ACL controller layer changes (Part 2) https://review.openstack.org/164335 | 17:17 |
openstackgerrit | Arun Kant proposed openstack/barbican: Adding Container ACL controller layer changes (Part 3) https://review.openstack.org/165205 | 17:17 |
openstackgerrit | Arun Kant proposed openstack/barbican: Adding policy layer changes for ACL support (Part 4) https://review.openstack.org/165207 | 17:17 |
*** bdpayne has quit IRC | 17:28 | |
openstackgerrit | Everardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type https://review.openstack.org/165056 | 17:33 |
*** SheenaG has quit IRC | 17:39 | |
*** SheenaG has joined #openstack-barbican | 18:14 | |
*** igueths has joined #openstack-barbican | 18:15 | |
igueths | Hi all. | 18:16 |
redrobot | heya igueths | 18:16 |
*** woodster_ has quit IRC | 18:30 | |
*** dave-mccowan has quit IRC | 18:37 | |
jvrbanac | redrobot, do you know if the version of hacking changed? | 18:38 |
jvrbanac | redrobot, I think we're getting a few new errors because of a newer version of hacking | 18:39 |
redrobot | jvrbanac not since January https://pypi.python.org/pypi/hacking | 18:39 |
redrobot | jvrbanac Yeah, I saw the errors on https://review.openstack.org/#/c/166913/ but for the life of me I can't get flake8 to fail. >_> | 18:39 |
redrobot | jvrbanac I pulled the patch down, and it passes for me. | 18:40 |
redrobot | jvrbanac tried a few different versions of hacking and it always passes in my machine :-\ | 18:40 |
jvrbanac | redrobot, :/ | 18:43 |
jaosorior | redrobot, jvrbanac: this is getting some weird flake8 errors in the gate https://review.openstack.org/#/c/165056/ | 18:43 |
jaosorior | it does fail the functionaltests, but the flake8 stuff is weird | 18:43 |
jvrbanac | jaosorior, redrobot yeah, those seem to be the same errors | 18:43 |
*** everjeje has joined #openstack-barbican | 18:47 | |
*** SheenaG has quit IRC | 18:47 | |
*** SheenaG has joined #openstack-barbican | 18:51 | |
openstackgerrit | Douglas Mendizábal proposed openstack/barbican: Fix pep8 gate errors https://review.openstack.org/166965 | 18:52 |
redrobot | jvrbanac jaosorior not sure what the problem is, but I think this should fix it ^^ | 18:53 |
jvrbanac | redrobot, jaosorior, I think I know what the problem is. Give me a couple more minutes and I'll explain | 18:53 |
jaosorior | jvrbanac: O_O... ok | 18:54 |
jvrbanac | redrobot, jaosorior... ok... our test requirements aren't synced... hacking should be: hacking>=0.10.0,<0.11 | 18:56 |
jaosorior | jvrbanac: bummer, thought the bot would do it | 18:57 |
jvrbanac | redrobot, jaosorior, apparently, the gate is forcing the updated hacking requirements when our tox job isn't | 18:57 |
openstackgerrit | Everardo Padilla Saca proposed openstack/barbican: Fix flake8 issue https://review.openstack.org/166966 | 18:57 |
jvrbanac | redrobot, you want to update your CR to include the change? | 18:57 |
jaosorior | jvrbanac, redrobot: apparently there was another thing where flake8 was complaining. Which is fixed in Everardo's commit ^^ | 18:59 |
jvrbanac | jaosorior, I'm not giving that one. I do see the other errors we were seeing | 19:00 |
jvrbanac | ^s/giving/seeing | 19:00 |
jvrbanac | redrobot, you gonna update your CR or do you want me to put up a CR to do that? | 19:12 |
everjeje | jvrbanac: I proposed https://review.openstack.org/166966. My flake8 complains about H307 (like imports should be grouped together). However, I'm not sure if that rule is enforced for barbican. | 19:13 |
*** woodster_ has joined #openstack-barbican | 19:22 | |
everjeje | (http://docs.openstack.org/developer/hacking/#import-order-template) | 19:22 |
*** kfarr has quit IRC | 19:23 | |
alee | redrobot, the meeting is in 30 right? | 19:32 |
*** alee is now known as alee_afk | 19:36 | |
chellygel | alee_afk, yes | 19:47 |
redrobot | alee_afk yeah meeting is in 10 min | 19:49 |
redrobot | jvrbanac was AFK for a bit... is the gate stuff sorted out? | 19:49 |
jvrbanac | redrobot, I haven't done anything with it. However, the problem is that our test-requirements aren't synced... hacking should be: hacking>=0.10.0,<0.11 | 19:50 |
redrobot | jvrbanac ok, let me try a sync then | 19:50 |
jvrbanac | redrobot, that should replicate the issue. I was thinking you might include that in your CR with fixes | 19:51 |
redrobot | jvrbanac hmmm... you know what's weird though is that this failure http://logs.openstack.org/13/166913/1/check/gate-barbican-pep8/a46212d/console.html lists hacking 0.10.1 in the pbr freez3 | 19:53 |
redrobot | *freeze | 19:53 |
redrobot | so it doesn't look like it's picking up hacking 0.11 | 19:53 |
redrobot | pypi shows 0.10.1 as the latest as well | 19:53 |
jvrbanac | redrobot, yeah... it's supposed to be <0.11 | 19:53 |
redrobot | jvrbanac that's what I'm saying, I don't think the change to test-requirements is going to do anything | 19:54 |
redrobot | jvrbanac because the gate is already using <0.11 | 19:54 |
*** dave-mccowan has joined #openstack-barbican | 19:55 | |
jvrbanac | redrobot, sooo all I know is that when I synced the hacking entry from global-reqs and rebuilt my tox I got the errors. | 19:56 |
*** fern has joined #openstack-barbican | 19:57 | |
openstackgerrit | Merged openstack/barbican: Fix flake8 issue https://review.openstack.org/166966 | 19:58 |
jvrbanac | redrobot, perhaps something about the combination of Hacking 0.10.1 and Flake8 2.2.4 brings this stuff up. | 19:58 |
*** kfarr has joined #openstack-barbican | 19:59 | |
redrobot | weekly meeting starting now in #openstack-meeting-alt | 20:00 |
*** toph has joined #openstack-barbican | 20:01 | |
*** toph has quit IRC | 20:02 | |
*** fern has quit IRC | 20:04 | |
*** rm_you|wtf has joined #openstack-barbican | 20:09 | |
*** rm_you| has quit IRC | 20:12 | |
*** alee_afk is now known as alee | 20:20 | |
*** crc32 has joined #openstack-barbican | 20:22 | |
*** crc32 has quit IRC | 20:23 | |
*** crc32 has joined #openstack-barbican | 20:36 | |
openstackgerrit | Everardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type https://review.openstack.org/165056 | 20:49 |
*** xaeth is now known as xaeth_afk | 20:59 | |
kfarr | redrobot, I have another question about Castellan | 21:00 |
redrobot | kfarr what's up? | 21:00 |
kfarr | Is there anything I can do to help with the initial release? | 21:00 |
alee | redrobot, https://review.openstack.org/#/c/166089/ still waiting for a workflow .. | 21:01 |
arunkant | redrobot, have question around castellan usage ? Do you have a minute.. | 21:01 |
redrobot | alee I think I got the losing end in that review trade :-P I'll get to it today, pinky promise | 21:01 |
redrobot | kfarr maybe poke cores for +workflow in the two outstanding reviews | 21:02 |
kfarr | I also hoped to work on the barbican plugin for Castellan, and just wanted to make sure no one else had already started | 21:02 |
*** jamielennox|away is now known as jamielennox | 21:02 | |
alee | redrobot, cool - don't forget the others in the chain. | 21:02 |
redrobot | kfarr not yet.... if you want to work on it, add a BP in launchpad (no need for a barbican-spec) and assign it to yourself | 21:03 |
redrobot | kfarr I can approve the BP | 21:03 |
kfarr | Ok thanks redrobot! | 21:04 |
elmiko | redrobot: looking at the comments in the 165884 review, have you considered using something like nova's tox genconfig for the sample castellan.conf file? | 21:04 |
elmiko | we just followed their style and removed the sahara.conf sample from our tree in favor of the genconfig approach | 21:04 |
elmiko | (not suggesting that the review needs it, just something to consider) | 21:05 |
redrobot | elmiko not familiar with genconfig... definitely sounds like a useful tool though | 21:05 |
elmiko | redrobot: basically `tox -egenconfig` will generate a config file, there is a command in the tox.ini but you can see it in nova's repo | 21:06 |
elmiko | we had many issues keeping the conf file current in the repo, we moved towards recommending folks just generate their own with tox instead of keeping it in the repo | 21:06 |
elmiko | just a heads up | 21:07 |
redrobot | that sounds like a way better approach | 21:07 |
redrobot | I know jvrbanac had a fun time chasing down all the options last time he updated the in-tree conf for barbican | 21:08 |
redrobot | arunkant what's your question on Castellan? | 21:08 |
*** rellerreller has quit IRC | 21:13 | |
*** kfarr has quit IRC | 21:18 | |
*** tkelsey has quit IRC | 21:24 | |
*** tkelsey has joined #openstack-barbican | 21:26 | |
arunkant | redrobot, has question on how castellan is eppected to be integrated with openstack service ? | 21:29 |
arunkant | s/eppected/expected | 21:29 |
arunkant | kfarr, looks like kfarr is adding plugin for barbican client. So there are going to be plugins developed for kmip as well? | 21:30 |
redrobot | Castellan provides a consistent interface for people who can't integrate with Barbican directly. The scenarios we've thought of could be: | 21:33 |
redrobot | 1) I need key management in a cloud where there is no barbican | 21:33 |
redrobot | 2) I need key management to be done by a specific device | 21:34 |
redrobot | KMIP would fall into 2, where the deployer can't use barbican, but still has to provide key management. | 21:35 |
redrobot | afaik, nobody has signed up to do the KMIP implementation of Castellan. | 21:35 |
redrobot | for the actual usage of Castellan, | 21:36 |
redrobot | the service would need to add a [key_manager] section to the config file | 21:36 |
redrobot | with | 21:36 |
redrobot | api_class = full.path.to.the.ImplementationClass | 21:36 |
redrobot | in the code, you call castellan.key_manager.API() | 21:37 |
redrobot | arunkant http://git.openstack.org/cgit/openstack/castellan/tree/castellan/keymgr/__init__.py#n30 | 21:37 |
redrobot | and that returns an instance of the configured class. | 21:38 |
openstackgerrit | Merged openstack/barbican: Add functional tests for certificate orders https://review.openstack.org/166089 | 21:41 |
openstackgerrit | John Vrbanac proposed openstack/barbican: Adding more content to the api reference for secrets https://review.openstack.org/167015 | 21:45 |
openstackgerrit | Charles Neill proposed openstack/barbican: Security tests for Consumer resources https://review.openstack.org/167018 | 21:46 |
*** tkelsey has quit IRC | 21:57 | |
*** ccneill has joined #openstack-barbican | 21:58 | |
zigo_ | I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix. | 21:59 |
zigo_ | The signing_dir directive should never be set to /tmp like this. | 21:59 |
zigo_ | Best is to simply remove the directive. | 21:59 |
zigo_ | I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words... :) | 21:59 |
rm_work | redrobot: I think maybe also "I need some intermediary layer between my app and Barbican" could be an interesting one, but not sure of the implications... that was where something like certmonger could go, I think | 22:00 |
redrobot | zigo_ interesting | 22:01 |
ccneill | if anyone has a moment to review some security tests I just pushed a new version of test_consumers, integrating the feedback I've gotten so far | 22:02 |
ccneill | https://review.openstack.org/#/c/167018/ | 22:02 |
redrobot | ccneill did you see zigo_ 's comment above? | 22:02 |
ccneill | yep | 22:02 |
ccneill | about to check out the ini now to see what's going on | 22:03 |
zigo_ | redrobot: What are you referring to? | 22:03 |
redrobot | zigo_ ccneill is one of our security guys... I thought he'd be interested in your signing_dir comment | 22:03 |
zigo_ | Oh ok. | 22:03 |
zigo_ | :) | 22:03 |
zigo_ | (got confused because I thought you were talking at me...) | 22:04 |
zigo_ | to | 22:04 |
zigo_ | Also, I have found that barbican-api uses uwsgi to start. | 22:08 |
zigo_ | But I haven't found this in Debian. | 22:08 |
zigo_ | Or is it /usr/bin/uwsgi-core? | 22:08 |
redrobot | zigo_ uwsgi is not required to run barbican per se | 22:09 |
redrobot | zigo_ Rackspace is deploying Barbican with uwsgi, which is why a lot of stuff references uwsgi | 22:09 |
zigo_ | redrobot: So I can just run barbican-api just like I am running nova-api? | 22:10 |
redrobot | zigo_ Barbican is a regular WSGI app though, so it could be deployed with any server | 22:10 |
zigo_ | Hum... | 22:10 |
zigo_ | redrobot: Like it's done with Keystone? | 22:10 |
morganfainberg | zigo_, uwsgi requires some minor changes from mod_wsgi, but yes | 22:11 |
morganfainberg | zigo_, in liberty i hope to have keystone supporting uwsgi (should be easy) as well. | 22:11 |
redrobot | zigo_ I haven't dug into how other projects host the wsgi app, but we have talked about adding a simpler run script that can use something like paste.http so that we remove uwsgi from our repo completely | 22:12 |
zigo_ | Here's what keystone does: | 22:13 |
zigo_ | http://paste.debian.net/162834/ | 22:13 |
zigo_ | redrobot: morganfainberg: So, am I right that Barbican doesn't include an HTTP server then? | 22:14 |
zigo_ | And that using a 3rd party tool is mandatory? | 22:14 |
zigo_ | Hum... | 22:15 |
zigo_ | This doesn't seem the case for all daemon. | 22:15 |
redrobot | zigo_ correct... if debian/openstack convention is to use httpd as in Keystone, we could add those bits. | 22:15 |
zigo_ | redrobot: For the moment, absolutely all OpenStack daemons are including an HTTPD server, yes. | 22:16 |
zigo_ | redrobot: Though we're moving toward removing this feature and switch to WSGI instead. But in that case, you'd at least provide a .wsgi file, AFAIK. | 22:17 |
*** dimtruck is now known as zz_dimtruck | 22:17 | |
zigo_ | For the moment, I believe shipping an HTTPD server is the thing everyone does. | 22:17 |
redrobot | zigo_ I see... we have a plain WSGI app now, and we use Paste to wrap it in keystone-middleware for auth | 22:18 |
arunkant | alee, there? | 22:24 |
zigo_ | I'm not sure what to do for the barbican-api startup then... :/ | 22:24 |
alee | arunkant, sorry - in a meeting | 22:25 |
zigo_ | Is Barbican on its way to leave incubation? | 22:26 |
zigo_ | What's the status? | 22:26 |
arunkant | alee, okay. please ping me when you have time. Have question on unique constraint around acl data, you mentioned that in your review comment as well | 22:26 |
redrobot | zigo_ incubation isn't a thing anymore... we're in "official openstack project" status, but we have no tags, and until new tags are defined, we'll continue to not have any tags since "integrated" tag can't be given to new projects. :-\ | 22:27 |
arunkant | alee, updating model so want to check if unique constraint is really needed. I can address part of model change. | 22:27 |
zigo_ | redrobot: Does it mean you're having release at the same time as everyone, and security support already? | 22:28 |
*** SheenaG has quit IRC | 22:28 | |
*** igueths has quit IRC | 22:28 | |
redrobot | zigo_ I think currently it just means we don't have to go through the "official openstack project" application. We've been releasing at the same time as the rest of OpenStack for two cycles now, and we'll be releasing Kilo at the same time as everyone else. | 22:29 |
redrobot | zigo_ I'm not sure "security support" is a thing anymore either. | 22:29 |
redrobot | zigo_ all cross-cutting teams (docs, security, etc) are moving from actively being involved in the project to being providers of tools | 22:30 |
zigo_ | redrobot: Security support means you'll have to produce N months of stable release maintenance and security fixes backport. | 22:30 |
zigo_ | Like, 15 months for Icehouse for example ... | 22:30 |
zigo_ | And embargoed security announces + management ... | 22:31 |
redrobot | zigo_ oh, then yes, Juno is the first release for which we're providing maintenance | 22:31 |
*** kgriffs|afk is now known as kgriffs | 22:31 | |
zigo_ | Ah, cool! :) | 22:31 |
zigo_ | So then, my last issue is this barbican-api.init.in thing ... | 22:31 |
zigo_ | If you can provide an HTTPD server for it, and I just need to run barbican-api, then I'm done with the packaging! :) | 22:32 |
redrobot | zigo_ I may be able to do that... gotta check with mgmt to make sure I get time for that, so it may take me a few days (or a weekend if mgmt doesn't give me time) | 22:33 |
zigo_ | Ok, great. Just ping me then. | 22:33 |
*** ccneill has quit IRC | 22:34 | |
zigo_ | Hum... | 22:34 |
zigo_ | One more very annoying thing... | 22:34 |
zigo_ | in etc/barbican/barbican-api.conf, there's this: | 22:34 |
zigo_ | #sql_connection = sqlite:///barbican.sqlite | 22:34 |
zigo_ | # Note: For absolute addresses, use '////' slashes after 'sqlite:' | 22:34 |
zigo_ | # Uncomment for a more global development environment | 22:34 |
zigo_ | sql_connection = sqlite:////var/lib/barbican/barbican.sqlite | 22:34 |
zigo_ | It's very annoying to have twice some valid sql_connection directives. | 22:35 |
zigo_ | Please remove the commented out one ... | 22:35 |
zigo_ | Can I send this for review? | 22:36 |
redrobot | zigo_ sure, if it helps your package effort it's fair game. | 22:36 |
*** SheenaG has joined #openstack-barbican | 22:43 | |
openstackgerrit | Chelsea Winfree proposed openstack/barbican: Adding more detail to the secrets quickstart guide. https://review.openstack.org/167029 | 22:52 |
*** paul_glass has quit IRC | 22:53 | |
*** crc32 has quit IRC | 22:53 | |
openstackgerrit | Thomas Goirand proposed openstack/barbican: Makes configuration files more standard https://review.openstack.org/167031 | 22:56 |
zigo_ | There we go... :) | 22:57 |
*** SheenaG has left #openstack-barbican | 23:03 | |
openstackgerrit | Douglas Mendizábal proposed openstack/barbican: Fix pep8 gate errors https://review.openstack.org/166965 | 23:15 |
*** chlong has joined #openstack-barbican | 23:31 | |
openstackgerrit | Everardo Padilla Saca proposed openstack/barbican: Catch UnicodeEncodeError, avoiding unwanted HTTP 500 error https://review.openstack.org/167044 | 23:39 |
*** zz_dimtruck is now known as dimtruck | 23:41 | |
*** jaosorior has quit IRC | 23:42 | |
openstackgerrit | Chelsea Winfree proposed openstack/barbican: Adding more detail to the secrets quickstart guide https://review.openstack.org/167029 | 23:44 |
*** jkf has quit IRC | 23:47 |