Friday, 2015-04-10

00:06 *** paul_glass has quit IRC
00:28 *** jamielennox|away is now known as jamielennox
00:55 *** SheenaG has joined #openstack-barbican
02:31 *** xaeth_afk is now known as xaeth
02:50 *** SheenaG has quit IRC
02:52 *** SheenaG has joined #openstack-barbican
03:00 *** woodster_ has quit IRC
03:01 *** zz_dimtruck is now known as dimtruck
03:19 *** gyee has quit IRC
03:41 *** elmiko has quit IRC
03:42 *** elmiko has joined #openstack-barbican
03:45 <openstackgerrit> Dave McCowan proposed openstack/barbican: Refactor Stored Key Certificate Order Validator Code  https://review.openstack.org/171023
03:49 *** xaeth is now known as xaeth_afk
03:49 *** dimtruck is now known as zz_dimtruck
03:59 *** alee has quit IRC
04:12 *** alee has joined #openstack-barbican
04:16 *** kebray has joined #openstack-barbican
04:16 *** kebray has quit IRC
04:20 *** SheenaG has quit IRC
04:21 *** kebray has joined #openstack-barbican
04:21 *** kebray has quit IRC
04:22 *** kebray has joined #openstack-barbican
04:26 *** alee has quit IRC
04:27 *** crc32 has joined #openstack-barbican
04:39 *** alee has joined #openstack-barbican
04:51 *** kebray has quit IRC
04:57 *** woodster_ has joined #openstack-barbican
05:08 *** alee has quit IRC
05:21 *** alee has joined #openstack-barbican
05:33 *** crc32 has quit IRC
05:42 *** alee has quit IRC
05:55 *** alee has joined #openstack-barbican
06:00 *** dave-mccowan has quit IRC
06:04 *** alee has quit IRC
06:17 *** alee has joined #openstack-barbican
06:21 *** alee has quit IRC
06:34 *** alee has joined #openstack-barbican
06:52 *** alee has quit IRC
07:00 *** woodster_ has quit IRC
07:04 *** gitorres has quit IRC
07:05 *** alee has joined #openstack-barbican
07:07 *** gitorres has joined #openstack-barbican
07:12 *** gitorres has quit IRC
07:20 *** jamielennox is now known as jamielennox|away
07:22 *** gitorres has joined #openstack-barbican
07:22 *** gitorres has joined #openstack-barbican
07:24 *** alee has quit IRC
07:30 *** everjeje has joined #openstack-barbican
07:37 *** alee has joined #openstack-barbican
07:41 *** alee has quit IRC
07:53 *** alee has joined #openstack-barbican
07:58 *** alee has quit IRC
08:10 *** alee has joined #openstack-barbican
08:14 *** alee has quit IRC
09:03 *** jaosorior has joined #openstack-barbican
09:47 <openstackgerrit> Thomas Herve proposed openstack/python-barbicanclient: Fix order listing on the command line.  https://review.openstack.org/169481
10:39 *** alee has joined #openstack-barbican
10:43 *** alee has quit IRC
10:43 *** alee has joined #openstack-barbican
10:48 *** alee has quit IRC
10:53 *** dave-mccowan has joined #openstack-barbican
11:16 <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Readability-related changes to secret store functions  https://review.openstack.org/172378
12:23 *** rm_you| has joined #openstack-barbican
12:23 *** zz_dimtruck is now known as dimtruck
12:25 *** rm_you has quit IRC
12:37 *** woodster_ has joined #openstack-barbican
12:40 <openstackgerrit> Dave McCowan proposed openstack/barbican: Add new smoke tests for RSA type containers and secrets  https://review.openstack.org/172401
12:42 <dave-mccowan> jaosorior, ping
12:55 <jaosorior> dave-mccowan: pong
12:56 <dave-mccowan> jaosorior hi oz.  are you working on 1441866?
12:58 <dave-mccowan> jaosorior oh, i see you dropped in launchpad.  just fyi, my new CR above adds functional tests that will start working when that bug is fixed.
13:00 <jaosorior> dave-mccowan: yeah, I dropped from it since there seemed to be some confusion related to content types. So when that's figured out, I'll get into it again
13:02 <dave-mccowan> jaosorior, if you get a chance, take a look at my CR to see if it adds to the confusion or helps clear it. :-) https://review.openstack.org/172401
13:03 <jaosorior> dave-mccowan: sure
13:05 *** rellerreller has joined #openstack-barbican
13:06 <rellerreller> redrobot fyi that I am only available until 2:00 CT today. We had said yesterday that we should discuss everyone's favorite topic of content types.
13:12 *** alee has joined #openstack-barbican
13:18 *** alee has quit IRC
13:21 *** alee has joined #openstack-barbican
13:30 *** gitorres1 has joined #openstack-barbican
13:30 *** gitorres has quit IRC
13:31 <jaosorior> rellerreller: so, at what time will you discuss that? Might be able to join
13:36 *** gitorres1 has quit IRC
13:36 *** gitorres has joined #openstack-barbican
13:39 *** gitorres has quit IRC
13:39 *** gitorres has joined #openstack-barbican
13:41 <alee> rellerreller, redrobot  do we have a google hangout time for today?
13:46 *** gitorres has quit IRC
13:47 *** gitorres has joined #openstack-barbican
13:57 <rellerreller> alee jaosorior I have not heard anything yet.
13:57 <rellerreller> I sent a message this morning. I assume the time and details will be posted here.
13:59 <alee> rellerreller, eh? sent a message to redrobot ?
14:00 <rellerreller> alee Yes to redrobot via this irc
14:00 <rellerreller> alee According to the log you joined at 9:12. I sent it at 9:06. You just missed it.
14:01 <alee> rellerreller, ok sorry - I thought you were going to schedule the google hangout
14:01 <rellerreller> alee I thought redrobot said he was going to schedule.
14:02 <alee> rellerreller, either way - I guess we need to wait for redrobot  ..
14:03 <rellerreller> correct
14:14 *** paul_glass has joined #openstack-barbican
14:15 *** alee has quit IRC
14:18 *** alee_ has joined #openstack-barbican
14:29 *** jorge_munoz has joined #openstack-barbican
14:29 *** igueths has joined #openstack-barbican
14:44 *** mdarby has joined #openstack-barbican
14:45 *** xaeth_afk is now known as xaeth
15:03 *** kebray has joined #openstack-barbican
15:04 *** mdarby has quit IRC
15:04 *** mdarby has joined #openstack-barbican
15:08 <redrobot> alee_ rellerreller  here
15:08 <redrobot> jaosorior still around?
15:09 <alee_> redrobot, morning - when do you want to do that google hangout?
15:09 <jaosorior> redrobot: yeah, but I thought 2pm CT was earlier. Still not used to the new time difference. It's beer o' clock now :/
15:10 <redrobot> alee_ rellerreller jaosorior  I can do it now if y'all are available
15:11 <alee_> dave-mccowan, ^^
15:11 <rellerreller> redrobot alee_ I'm available too.
15:11 <alee_> redrobot, me too -- dave-mccowan wrote some functional tests based on your examples -- we should get him on this too.
15:11 <dave-mccowan> alee i'm in
15:12 <alee_> cool --- redrobot -- fire it up, please
15:12 <redrobot> on it
15:12 <redrobot> give me 2 seconds
15:12 <jaosorior> I could join briefly
15:12 <jaosorior> But I'm commuting :/
15:14 <redrobot> https://plus.google.com/hangouts/_/gwtfnttnzlnqlbp6467rptiyeia
15:15 <redrobot> alee_ rellerreller dave-mccowan jaosorior ^^
15:17 *** SheenaG has joined #openstack-barbican
15:39 <hockeynut> would love some love for https://review.openstack.org/#/c/167018/
15:44 -openstackstatus- NOTICE: gerrit has been restarted to address a hung event stream. change events between 15:00 and 15:43 utc which were lost will need to be rechecked or have approval workflow votes reapplied for zuul to act on them
15:48 *** gyee has joined #openstack-barbican
16:09 *** mdarby has quit IRC
16:11 *** darrenmoffat has joined #openstack-barbican
16:27 *** mdarby has joined #openstack-barbican
16:43 *** jkf has joined #openstack-barbican
16:50 *** mdarby has quit IRC
17:15 *** xaeth is now known as xaeth_afk
17:26 <openstackgerrit> Dave McCowan proposed openstack/barbican: Add new smoke tests for RSA type containers and secrets  https://review.openstack.org/172401
17:42 *** jaosorior has quit IRC
18:17 *** igueths has quit IRC
18:18 *** dave-mccowan has quit IRC
18:19 *** igueths has joined #openstack-barbican
18:24 *** dimtruck is now known as zz_dimtruck
18:29 <openstackgerrit> Arun Kant proposed openstack/barbican: Improving the code coverage for ACL related changes  https://review.openstack.org/172533
18:33 *** crc32 has joined #openstack-barbican
18:42 *** dave-mccowan has joined #openstack-barbican
18:50 *** mdarby has joined #openstack-barbican
18:53 *** kebray has quit IRC
18:54 <dave-mccowan> redrobot, alee_, woodster_ this CR (with content-type func tests) may have gone up while you were out. just in case you missed it: https://review.openstack.org/172401
18:54 *** kebray has joined #openstack-barbican
19:03 <redrobot> dave-mccowan currently reviewing
19:04 <redrobot> dave-mccowan what do you think about having the PEM literals in there instead of generating new keys every time.  I think it would make it easier to read the test if you just see the PEM content instead of having to figure out what the openssl library is doing
19:05 <redrobot> dave-mccowan http://paste.openstack.org/show/202190/ for example
19:07 <dave-mccowan> redrobot, i can do that.  my intent was to ensure that it worked with 'real' PEMs.  since the literals in tests/utils.py were not formatted right, i may have overcompensated.
19:13 <redrobot> dave-mccowan I think this would be a good function to use for the Private Key (pkcs8) use case: http://paste.openstack.org/show/202198/
19:13 *** crc32 has quit IRC
19:13 <redrobot> dave-mccowan don't copy paste that one though, b/c I'm not sure it's the right contents :D
19:15 <dave-mccowan> redrobot i like that a lot.  consider it done.
19:15 <redrobot> dave-mccowan ok, last paste, I promise.  This one is functionally correct (just generated it on my machine) http://paste.openstack.org/show/202201/
19:16 <alee_> redrobot, dave-mccowan if we are going to use explicit literals, then please include a comment as to how that literal was created.
19:16 <dave-mccowan> redrobot.  that's cool.  i'll make my own, so i can have a matching public key for a container, and a second set for the with-passphrase case.
19:17 <dave-mccowan> alee_ +1
19:17 <redrobot> alee_ agreed, that's what i put in the docstring of the last paste
19:17 *** zz_dimtruck is now known as dimtruck
19:19 *** xaeth_afk is now known as xaeth
19:20 *** crc32 has joined #openstack-barbican
19:21 <alee_> dave-mccowan, what does "base64" on line 255 do?
19:21 <alee_> sorry 225?
19:22 <alee_> same thing for line 260?
19:23 <dave-mccowan> it sets the value of 'payload_content_encoding' to 'base64'.  i know that's not right.  what is the correct value?
19:23 <dave-mccowan> redrobot ^^
19:27 <alee_> dave-mccowan, redrobot I would think that in the put case, we would prefer not to set to base64, right?
19:27 <alee_> because the data is in fact not base64 encoded.
19:28 <alee_> dave-mccowan, there are still some tests missing for asym key + passphrase.
19:28 <dave-mccowan> alee_ +1 base64 is wrong (i gave myself a -1 in gerrit with this question).  but, i don't know the right value.
19:29 <alee_> i.e. asym key with private key encrypted with passphrase.
19:29 <alee_> right now, the test you do that includes a passphrase doesn't actually use it, right?
19:30 <alee_> i.e. the keys that are uploaded are not actually encrypted with a passphrase
19:30 <dave-mccowan> alee_ +1 TODO(dave) asym + passphrase container test cases
19:30 <dave-mccowan> alee_ yes, the only passphrase test case is standalone
19:30 <alee_> also add generated asym container with passphrase
19:31 <alee_> alee_, also cert container from stored key with passphrase
19:31 <alee_> dave-mccowan, on cert order, you should at a minimum confirm that the csr is present
19:32 <alee_> dave-mccowan, and you might be able to validate it by trying to load it --
19:32 <alee_> load_request() ?
19:32 <rm_you|> testing passphrase stuff is a little odd, since the openssl lib by default reverts to stdin input if you don't supply a passphrase
19:32 <rm_you|> have to give it a dummy callback
19:33 <alee_> rm_work, so what you are saying is that folks are more likely than not to use a passphrase?
19:34 <reaperhulk> ugh, pyopenssl is not handling that for you? cryptography does, heh
19:34 <redrobot> alee_ dave-mccowan got a meeting right now, should be done in about an hour.
19:35 <alee_> dave-mccowan, other than those things, it looks fine to me.
19:36 <alee_> reaperhulk, we're assuming cryptography will be the answer to all our problems when we convert to use it in liberty
19:40 <redrobot> for passphrase, you actually have 2 things to submit to barbican
19:40 <redrobot> 1) the cert that is passphrase protected
19:40 <redrobot> 2) the passphrase itself
19:40 <redrobot> I think 1) could be a literal
19:41 <alee_> redrobot, you mean the key that is passphrase protected
19:41 <redrobot> alee_ yeah
19:41 <alee_> and yes, they can all be literal
19:41 <alee_> (with sufficient documentation)
19:42 <rm_you|> alee_: no, they're likely not to -- but if they DO, and the passphrase they pass in is wrong (or they don't supply one at all), then OpenSSL will *wait for stdin input* and lock up your processing thread
19:42 <rm_you|> alee_: which is super bad
19:43 <reaperhulk> alee_ that's what it should be ;)
19:43 <reaperhulk> hopefully I'll have time to implement all the features you need by then
19:43 <rm_you|> so you have to be careful when loading up PKs
19:43 <reaperhulk> I'll be working on it all during pycon sprints, but there is obviously still a mountain to work on
19:43 <rm_you|> reaperhulk: are you familiar with the default behavior i'm talking about?
19:44 <reaperhulk> rm_you|: I'm familiar with how the C layer does it
19:44 <reaperhulk> I assumed pyopenssl would intercept that
19:44 <reaperhulk> but apparently not
19:44 <reaperhulk> cryptography definitely does :)
19:44 <rm_you|> nope
19:44 <rm_you|> they do not
19:44 <rm_you|> reaperhulk: well, that's good :P
19:44 <rm_you|> so when do we switch to that? :)
19:44 *** rm_you| is now known as rm_you
19:44 <reaperhulk> liberty hopefully
19:45 <reaperhulk> This is how we load a key in cryptography: https://github.com/pyca/cryptography/blob/master/src/cryptography/hazmat/backends/openssl/backend.py#L847
19:45 <reaperhulk> (not that you really need to look)
19:45 <reaperhulk> but it shows how we do password callbacks and hide the complexity of the password checking
19:47 *** crc32 has quit IRC
19:52 <dave-mccowan> reaperhulk what's the difference between .pem (traditional pem format) and .pk8 (pkcs#8 format)?  is .pk8 format the right one to use in the barbican api?
19:59 <rm_you> reaperhulk: yeah looks better
19:59 <rm_you> basically is what we did
20:00 <rm_you> but nice to have it hidden -- it was not very well documented in pyopenssl and was really painful <_<
20:01 <reaperhulk> Suffixes aren't really relevant here, but they're two different underlying formats. The agreed upon format for Barbican is pkcs8 with PEM encoding
20:02 <reaperhulk> The other is PEM encoded as well but is traditional OpenSSL format (sometimes called pkcs1)
20:25 *** kebray has quit IRC
20:25 *** elmiko has quit IRC
20:26 *** elmiko has joined #openstack-barbican
20:36 *** mdarby has quit IRC
20:38 *** SheenaG has quit IRC
20:39 *** dimtruck is now known as zz_dimtruck
20:41 *** rellerreller has quit IRC
20:43 *** zz_dimtruck is now known as dimtruck
21:01 *** igueths1 has joined #openstack-barbican
21:03 *** igueths has quit IRC
21:45 *** dimtruck is now known as zz_dimtruck
21:46 *** everjeje has quit IRC
22:03 *** SheenaG has joined #openstack-barbican
22:07 *** paul_glass has quit IRC
22:09 *** xaeth is now known as xaeth_afk
22:19 *** SheenaG has quit IRC
22:29 *** kebray has joined #openstack-barbican
22:30 <openstackgerrit> Igor Gueths proposed openstack/barbican: Potential resource exhaustion when registering consumers to containers  https://review.openstack.org/170693
22:31 *** zz_dimtruck is now known as dimtruck
22:31 *** jkf has quit IRC
22:33 *** igueths1 has quit IRC
22:34 *** kebray has quit IRC
22:34 <hockeynut> anybody done any debugging in pycharm with cliff.app?
22:48 *** dimtruck is now known as zz_dimtruck
22:51 <openstackgerrit> Dave McCowan proposed openstack/barbican: Add new smoke tests for RSA type containers and secrets  https://review.openstack.org/172401
23:01 *** zz_dimtruck is now known as dimtruck
23:09 <woodster_> rm_you, btw, those two devstack processes don't 'see' the same database it seems. I figure I'll mess with this again once your infra change goes in
23:09 <rm_you> hmm
23:10 <rm_you> well, i got a little stuck on that and actually had to spend some time on my REAL task, which is Blueflood metrics integration :P
23:10 <rm_you> hopefully can revisit next week...
23:12 *** dimtruck is now known as zz_dimtruck
23:17 <dave-mccowan> alee_, how do I get a copy of the CSR?  http://ur1.ca/k5df3
23:25 *** zz_dimtruck is now known as dimtruck
23:26 *** gyee has quit IRC
23:37 <openstackgerrit> John Wood proposed openstack/barbican: Expose root cause plugin exceptions  https://review.openstack.org/171868
23:44 <woodster_> rm_you, arunkant, alee_ It looks like a private secret requires no roles to decrypt a secret. So there is no way for an identity admin to disable a user from decrypting secrets then, short of disabling their access to any tokens?
23:45 <rm_work> hmm
23:46 <rm_work> i remember this discussion
23:46 <rm_work> I thought we discussed adding a role "read_other" or something
23:46 <rm_work> and having that be given by default
23:48 <woodster_> rm_work, yeah I recall that as well
23:48 <woodster_> rm_work...but forgot it when I reviewed the CRs last week
23:48 <rm_work> i was very opposed to requiring the typical read role
23:48 <rm_work> but a read_other was the compromise i remember
23:48 <rm_work> that's purely policy though, right?
23:48 *** dimtruck is now known as zz_dimtruck
23:49 <woodster_> rm_work, well, how does no roles to decrypt suit ya then?
23:49 <rm_work> so could be done with no code changes, just adding to the policy file
23:49 <rm_work> heh
23:51 <woodster_> rm_work I'm just trying to see if that's a security concern...it seems that a user should be able to access their private secrets unless they are locked out of the system altogether
23:51 <rm_work> i suppose so
23:53 <woodster_> rm_work I see one scenario of that is missed though...an admin wants to make a secret private for another user. Probably would just add user to white list instead though
23:54 <rm_work> err
23:54 <rm_work> yeah that's ACL whitelist right
23:56 <openstackgerrit> Steve Heyman proposed openstack/python-barbicanclient: Initial setup for command line tests  https://review.openstack.org/172604

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!