Monday, 2015-04-27

*** Sheena_ has quit IRC [01:19]
*** lisaclark_ has quit IRC [01:20]
*** lisaclark has quit IRC [01:20]
*** Sheena_ has joined #openstack-barbican [01:20]
*** lisaclark_ has joined #openstack-barbican [01:24]
*** lisaclark has joined #openstack-barbican [01:24]
*** woodster_ has joined #openstack-barbican [03:05]
*** kebray has quit IRC [03:14]
*** dave-mccowan has quit IRC [03:56]
*** nickrmc84 has quit IRC [06:23]
*** woodster_ has quit IRC [06:40]
*** jillysciarilly has quit IRC [07:16]
*** jillysciarilly has joined #openstack-barbican [07:18]
*** rm_work has quit IRC [07:59]
*** rm_work|away has joined #openstack-barbican [07:59]
*** rm_work|away is now known as rm_work [07:59]
*** rm_work has joined #openstack-barbican [07:59]
*** openstackstatus has joined #openstack-barbican [08:05]
*** ChanServ sets mode: +v openstackstatus [08:05]
-openstackstatus- NOTICE: Restarting gerrit because it stopped sending events (ETA 15 mins) [08:09]
*** openstackgerrit has quit IRC [08:13]
*** darrenmoffat has quit IRC [08:14]
*** openstackgerrit has joined #openstack-barbican [08:16]
*** russell_h has quit IRC [08:17]
*** russell_h has joined #openstack-barbican [08:20]
*** alkar has joined #openstack-barbican [08:32]
*** darrenmoffat has joined #openstack-barbican [08:34]
*** darrenmoffat has left #openstack-barbican [08:38]
*** jaosorior has joined #openstack-barbican [08:39]
*** alkar has quit IRC [08:59]
*** alkar has joined #openstack-barbican [09:04]
*** woodster_ has joined #openstack-barbican [12:01]
*** openstackgerrit has quit IRC [12:06]
*** openstackgerrit has joined #openstack-barbican [12:06]
*** openstackgerrit has quit IRC [12:37]
*** openstackgerrit has joined #openstack-barbican [12:37]
*** elmiko_ is now known as elmiko [13:09]
*** alkar has quit IRC [13:15]
*** alkar has joined #openstack-barbican [13:18]
*** openstackgerrit has quit IRC [13:21]
*** openstackgerrit has joined #openstack-barbican [13:22]
*** alee_afk is now known as alee [13:32]
*** silos has joined #openstack-barbican [13:40]
*** morganfainberg has quit IRC [13:44]
*** jroll has quit IRC [13:44]
*** jroll has joined #openstack-barbican [13:44]
-openstackstatus- NOTICE: gerrit has been restarted to clear a problem with its event stream. change events between 13:09 and 13:36 utc should be rechecked or have approval votes reapplied as needed to trigger jobs [13:46]
*** morganfainberg has joined #openstack-barbican [13:47]
*** joesavak has joined #openstack-barbican [13:59]
*** silos has left #openstack-barbican [14:05]
*** paul_glass has joined #openstack-barbican [14:06]
*** paul_glass is now known as Guest31161 [14:06]
*** Guest31161 has quit IRC [14:07]
*** pglass has joined #openstack-barbican [14:08]
*** stanzi has joined #openstack-barbican [14:08]
*** pglass is now known as Guest59146 [14:08]
*** stanzi has quit IRC [14:32]
*** stanzi has joined #openstack-barbican [14:33]
*** nkinder has joined #openstack-barbican [14:33]
*** stanzi has quit IRC [14:37]
*** russell_h has quit IRC [14:39]
*** russell_h has joined #openstack-barbican [14:39]
*** dave-mccowan has joined #openstack-barbican [14:40]
openstackgerrit: Amy Marrich proposed openstack/barbican: Improved error code handling for pkcs11 errors  https://review.openstack.org/175568 [14:42]
*** kebray has joined #openstack-barbican [14:50]
*** tkelsey has joined #openstack-barbican [14:52]
tkelsey: hello barbican folks, I should probably know this but how do I pull down the "official" barbican code that formed part of Juno release? [14:53]
tkelsey: as opposed to the current [14:54]
jvrbanac: tkelsey, it should be on the stable/juno branch [14:55]
jvrbanac: s/juno/kilo [14:56]
jvrbanac: tkelsey, https://github.com/openstack/barbican/tree/stable/kilo [14:56]
tkelsey: ah right, thanks jvrbanac [14:56]
tkelsey: so thats the official Juno code then [14:56]
tkelsey: ? [14:57]
jvrbanac: tkelsey, I believe so. I wouldn't use Juno though ;) [14:57]
jvrbanac: It's kinda old [14:57]
jvrbanac: The Kilo branch was split off a few days ago [14:58]
tkelsey: sure :) I just needed to look it over to answer some question [14:58]
tkelsey: thanks jvrbanac [14:58]
jvrbanac: tkelsey, got it. np [14:58]
openstackgerrit: Kaitlin Farr proposed openstack/castellan: Add Barbican key manager  https://review.openstack.org/171918 [15:09]
openstackgerrit: Kaitlin Farr proposed openstack/castellan: Add Barbican key manager  https://review.openstack.org/171918 [15:21]
*** Guest59146 is now known as pglass [15:22]
*** pglass is now known as Guest35930 [15:22]
*** Guest35930 has left #openstack-barbican [15:22]
*** joesavak has quit IRC [15:23]
*** Asha has joined #openstack-barbican [15:27]
*** paul_glass has joined #openstack-barbican [15:29]
*** paul_glass is now known as pglass [15:30]
*** joesavak has joined #openstack-barbican [15:32]
*** silos has joined #openstack-barbican [15:34]
*** silos has left #openstack-barbican [15:35]
*** silos has joined #openstack-barbican [15:36]
*** jroll has quit IRC [15:44]
*** jroll has joined #openstack-barbican [15:46]
*** jroll has quit IRC [15:53]
*** jroll has joined #openstack-barbican [15:53]
*** pglass has quit IRC [15:53]
*** gyee has joined #openstack-barbican [15:55]
*** stanzi has joined #openstack-barbican [16:01]
*** david-ly_ is now known as david-lyle [16:01]
*** rellerreller has joined #openstack-barbican [16:07]
openstackgerrit: Merged openstack/barbican: Fix for missing id check in ACL count query.  https://review.openstack.org/177344 [16:09]
*** stanzi has quit IRC [16:13]
*** stanzi has joined #openstack-barbican [16:13]
*** stanzi has quit IRC [16:18]
*** joesavak has quit IRC [16:19]
openstackgerrit: Chelsea Winfree proposed openstack/python-barbicanclient: Refactored barbican.py for better testability  https://review.openstack.org/177511 [16:20]
*** kfarr has joined #openstack-barbican [16:29]
*** pglass has joined #openstack-barbican [16:32]
*** igueths has joined #openstack-barbican [16:36]
*** kebray has quit IRC [16:38]
*** alkar has quit IRC [16:38]
*** alkar_ has joined #openstack-barbican [16:38]
*** alkar_ has quit IRC [16:38]
*** kebray has joined #openstack-barbican [16:38]
*** chadlung has joined #openstack-barbican [16:47]
*** SheenaG has joined #openstack-barbican [16:49]
*** stanzi has joined #openstack-barbican [16:59]
*** stanzi has quit IRC [17:01]
*** stanzi has joined #openstack-barbican [17:02]
*** stanzi has quit IRC [17:06]
*** igueths has quit IRC [17:07]
*** igueths has joined #openstack-barbican [17:07]
openstackgerrit: Kaitlin Farr proposed openstack/castellan: Add Barbican key manager  https://review.openstack.org/171918 [17:09]
*** joesavak has joined #openstack-barbican [17:09]
*** stanzi has joined #openstack-barbican [17:33]
openstackgerrit: Steve Heyman proposed openstack/python-barbicanclient: Update stdout and stderr capture in functional tests  https://review.openstack.org/175150 [17:35]
*** stanzi has quit IRC [17:41]
*** joesavak has quit IRC [17:41]
openstackgerrit: Steve Heyman proposed openstack/python-barbicanclient: Update stdout and stderr capture in functional tests  https://review.openstack.org/175150 [17:44]
*** joesavak has joined #openstack-barbican [17:50]
*** stanzi has joined #openstack-barbican [17:59]
*** rellerreller has quit IRC [18:03]
openstackgerrit: Steve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests  https://review.openstack.org/177906 [18:05]
*** silos has left #openstack-barbican [18:13]
*** stanzi_ has joined #openstack-barbican [18:23]
*** stanzi has quit IRC [18:23]
*** stanzi_ has quit IRC [18:24]
*** stanzi has joined #openstack-barbican [18:25]
*** chadlung_ has joined #openstack-barbican [18:27]
*** chadlung has quit IRC [18:27]
*** xaethl is now known as xaeth [18:45]
openstackgerrit: Merged openstack/barbican: Improved error code handling for pkcs11 errors  https://review.openstack.org/175568 [18:50]
arunkant: In local mysql setup seeing this error with migration script..any indication what is wrong in local setup..OperationalError: (OperationalError) near "ALTER": syntax error u'ALTER TABLE order_barbican_metadata ALTER COLUMN value TYPE TEXT' () [19:02]
*** SheenaG has quit IRC [19:02]
arunkant: its failing when it tries to alter order metadata from String to Text [19:03]
*** SheenaG has joined #openstack-barbican [19:05]
*** rellerreller has joined #openstack-barbican [19:07]
*** rellerreller has quit IRC [19:20]
*** rellerreller has joined #openstack-barbican [19:20]
openstackgerrit: Steve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests  https://review.openstack.org/177906 [19:25]
*** joesavak has quit IRC [19:28]
openstackgerrit: Chelsea Winfree proposed openstack/python-barbicanclient: Refactored barbican.py for better testability  https://review.openstack.org/177511 [19:33]
hockeynut: chellygel did you have any issues with authentication for CLI in the gate?  I am getting 401 trying to do my secret CLI tests [19:57]
redrobot: Weekly meeting is starting now in #openstack-meeting-alt [19:59]
*** stanzi has quit IRC [20:01]
*** stanzi has joined #openstack-barbican [20:02]
chellygel: all the tests came back fine? not sure hockeynut -- have a link i can see? [20:03]
*** mdarby has joined #openstack-barbican [20:03]
hockeynut: https://jenkins07.openstack.org/job/gate-python-barbicanclient-devstack-dsvm/32/consoleText [20:03]
hockeynut: look for functionaltests.cli.v1.smoke.test_secret:SecretTestCase: INFO: updated command string [20:04]
*** joesavak has joined #openstack-barbican [20:04]
*** stanzi has quit IRC [20:06]
chellygel: hockeynut, what change is this for? [20:12]
hockeynut: chellygel this is to add the secrets CLI tests [20:14]
hockeynut: (functional tests) [20:14]
chellygel: so, im going to go off a wild hair, we may want to try running these tests against the refactor we just did... [20:17]
chellygel: is it set up for v3 auth?  i'd want to see the error we're getting in the keystone logs [20:18]
*** pglass has quit IRC [20:21]
hockeynut: chellygel yes its v3 [20:22]
hockeynut: and, of course, it runs just fine locally :-) [20:22]
chellygel: do we have access to the keystone logs on the server somehow? [20:24]
hockeynut: chellygel devstack goes away once its done :-(  and i don't see specific keystone logs. [20:25]
hockeynut: I do see that I am using the expected id/pw/etc - which I do believe are the same creds we use in the python client tests [20:25]
hockeynut: this is the first CR for CLI that uses authentication so not too shocked that its being obstinate [20:26]
hockeynut: I'm poking thru the other logs to see if there is anything possibly interesting [20:27]
chellygel: just checked, my change has no issues in devstack -- so thats annoying! what is going on >:( [20:30]
chellygel: hockeynut, i dont think endpoint is required when using auth though [20:30]
chellygel: but i dont think that'd throw an error. [20:30]
hockeynut: you mean keystone or barbican uri? [20:31]
chellygel: the barbican --endpoint flag [20:31]
hockeynut: so it would get the endpt from service catalog? [20:32]
chellygel: yes, i believe so [20:33]
hockeynut: interesting if that's the problem.  I'll give it a shot [20:36]
chellygel: i dont think it would be, but if it is -- you should punch it [20:36]
hockeynut: can't hurt to try [20:37]
openstackgerrit: Steve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests  https://review.openstack.org/177906 [20:38]
chellygel: oh the rock game w/ devstack :( [20:38]
hockeynut: indeed [20:38]
chellygel: did it work locally w/o endpoint steve? [20:38]
hockeynut: no [20:38]
hockeynut: I think I'll try local barbican with another keystone (not my local docker one) [20:40]
chellygel: well we could run the tests w/ --no-auth, right? [20:40]
* chellygel grasps at straws [20:41]
*** pglass has joined #openstack-barbican [20:41]
hockeynut: its odd that the same creds are used for python client. [20:41]
*** rellerreller has quit IRC [20:42]
*** tkelsey has quit IRC [21:00]
rm_work: So user Bob is created, and granted all of the default roles that users get, plus the new "read_other" role [21:01]
rm_work: User Tom has a secret on his project that he shares with Bob [21:01]
rm_work: When Bob reads the secret from Tom's project, we check the configured ACLs in Barbican, and also that Bob has the "read_other" role for Bob's own tenant (nothing to do with Tom) [21:02]
rm_work: No Tom-specific role needs to be added to Bob [21:02]
rm_work: and if Jill also shares a secret with Bob, he can read that one too [21:02]
rm_work: but if an admin removes the "read_other" role from Bob, then he can no longer access secrets from either Tom or Jill, even though both have valid ACLs granting Bob access, because Bob is no longer allowed to read any shared secrets [21:03]
rm_work: ^^ correct? [21:03]
woodster_: rm_work I'd been thinking of that more simply...the policy would be the same as now, except that for ACL-related GETs, the policy would also require that the user has the new read-only role. This would be independent of project associations of the user. [21:06]
rm_work: err, that is what I was just saying [21:07]
rm_work: so obviously my example is not very clear :P [21:07]
woodster_: rm_work: ha, sorry the 'tenant' mention up there threw me [21:08]
woodster_: alee, arunkant are you guys ok with this new role/approach? [21:09]
arunkant: woodster_, if user has both non-ACL and ACL secrets (let's say secret is private and user is added in ACL user list)  in a project, then to access ACL secret user need to have "read_other" role in that project as well if it want to same token to access both types of secrets [21:10]
alee: woodster_, I don't have any objection to the new role [21:10]
rm_work: arunkant: read_other in their OWN project, not the target project [21:11]
woodster_: arunkant: so in reality the default role should be the new read-other one (to allow any other user to grant secret access later). The existing roles handle project-wide access and are optional. [21:14]
arunkant: rm_work, yes..but if you have non-ACL secrets in a project and you want to access those secrets, then you need token scoped to that project. Now if you have ACL secret as mentioned above, then you cannot use same token if it does not have that role "read_other". So it may mean that you will need token with that project where you have that role [21:14]
arunkant: rm_work, so user will need to switch token for ACL secrets vs. non-ACL secrets within same project. Don't know if that will be an issue or not? [21:16]
rm_work: err, so you're mixing using ACL to provide access to secrets, and Trusts to provide access to secrets? [21:16]
rm_work: if you have a token scoped to another project, it won't even go through the ACLs, since it'll have unlimited access to the project (not scoped to a single secret) [21:17]
rm_work: there wouldn't even be a point in using ACLs at all [21:17]
*** joesavak has quit IRC [21:17]
arunkant: rm_work, its only in the case user has access to number of secrets in project and one of secret is marked private and then that user is provided access via ACL..but it should be okay as long as client can switch token when requesting ACL based secret. [21:20]
*** gyee has quit IRC [21:20]
rm_work: arunkant: i still don't quite understand -- there is no such thing as "marked private" if you have a trust token scoped for that user [21:23]
rm_work: brb 30m [21:24]
arunkant: rm_work, I meant 'creator_only' flag as true which means the other users with project roles cannot access that secret (except creator user) [21:24]
openstackgerrit: Steve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests  https://review.openstack.org/177906 [21:28]
*** dave-mccowan has quit IRC [21:30]
*** dave-mccowan has joined #openstack-barbican [21:31]
*** mdarby has quit IRC [21:31]
*** silos has joined #openstack-barbican [21:40]
*** silos has left #openstack-barbican [21:41]
*** dave-mccowan has quit IRC [21:47]
*** dave-mccowan has joined #openstack-barbican [21:48]
*** chadlung_ has quit IRC [21:59]
*** xaeth is now known as xaeth_afk [22:07]
*** pglass has quit IRC [22:09]
*** kfarr has quit IRC [22:10]
*** jaosorior has quit IRC [22:32]
*** igueths has quit IRC [22:47]
*** stanzi has joined #openstack-barbican [22:59]
*** stanzi has quit IRC [23:06]
*** stanzi has joined #openstack-barbican [23:07]
*** dimtruck is now known as zz_dimtruck [23:20]
*** SheenaG has quit IRC [23:29]
*** stanzi has quit IRC [23:43]
*** stanzi has joined #openstack-barbican [23:44]
*** stanzi has quit IRC [23:48]
