Wednesday, 2015-04-29

*** zz_dimtruck is now known as dimtruck [00:03]
*** stanzi has quit IRC [00:05]
*** stanzi has joined #openstack-barbican [00:06]
*** kebray has joined #openstack-barbican [00:14]
*** david-lyle has quit IRC [00:32]
*** stanzi has quit IRC [00:33]
*** SheenaG1 has quit IRC [00:33]
*** stanzi has joined #openstack-barbican [00:34]
*** stanzi has quit IRC [00:38]
*** stanzi has joined #openstack-barbican [00:39]
*** woodster_ has quit IRC [01:10]
*** kebray has quit IRC [01:15]
*** stanzi has quit IRC [01:20]
*** stanzi has joined #openstack-barbican [01:20]
*** david-lyle has joined #openstack-barbican [01:20]
*** stanzi has quit IRC [01:22]
*** stanzi has joined #openstack-barbican [01:22]
*** SheenaG has joined #openstack-barbican [01:23]
*** kebray has joined #openstack-barbican [01:24]
*** alee_ has quit IRC [01:29]
*** alee has quit IRC [01:29]
*** stanzi has quit IRC [01:36]
*** stanzi has joined #openstack-barbican [01:37]
*** stanzi has quit IRC [01:41]
*** alee has joined #openstack-barbican [01:42]
*** SheenaG has left #openstack-barbican [01:42]
*** alee has quit IRC [01:47]
*** stanzi has joined #openstack-barbican [01:51]
*** alee has joined #openstack-barbican [02:00]
*** alee has quit IRC [02:05]
*** dimtruck is now known as zz_dimtruck [02:05]
*** stanzi has quit IRC [02:08]
*** stanzi has joined #openstack-barbican [02:09]
*** woodster_ has joined #openstack-barbican [02:13]
*** stanzi has quit IRC [02:13]
*** alee has joined #openstack-barbican [02:18]
*** zz_dimtruck is now known as dimtruck [02:20]
*** nkinder has joined #openstack-barbican [02:22]
*** alee has quit IRC [02:23]
*** dave-mccowan has joined #openstack-barbican [02:28]
*** david-lyle has quit IRC [02:30]
*** david-lyle has joined #openstack-barbican [02:31]
*** stanzi has joined #openstack-barbican [02:33]
*** alee has joined #openstack-barbican [02:35]
*** david-lyle has quit IRC [02:36]
<openstackgerrit> Arun Kant proposed openstack/barbican: Adding documentation for ACL operations.  https://review.openstack.org/178479 [02:37]
*** alee has quit IRC [02:40]
<openstackgerrit> Arun Kant proposed openstack/barbican: Adding documentation for ACLs operations.  https://review.openstack.org/178479 [02:51]
*** gyee has quit IRC [02:53]
*** alee has joined #openstack-barbican [02:53]
*** alee has quit IRC [02:59]
*** alee has joined #openstack-barbican [03:11]
*** dave-mccowan has quit IRC [03:12]
*** alee has quit IRC [03:16]
*** alee has joined #openstack-barbican [03:17]
*** dimtruck is now known as zz_dimtruck [03:21]
*** alee has quit IRC [03:23]
*** david-lyle has joined #openstack-barbican [03:32]
*** alee has joined #openstack-barbican [03:36]
*** alee has quit IRC [03:41]
*** alee has joined #openstack-barbican [03:53]
*** alee has quit IRC [03:58]
*** rm_work is now known as rm_work|away [04:00]
*** rm_work|away is now known as rm_work [04:13]
*** stanzi_ has joined #openstack-barbican [04:28]
*** kebray has quit IRC [04:30]
*** stanzi has quit IRC [04:31]
*** stanzi_ has quit IRC [04:40]
*** stanzi has joined #openstack-barbican [04:40]
*** stanzi has quit IRC [04:45]
*** alee has joined #openstack-barbican [06:12]
*** alee has quit IRC [06:18]
*** alee has joined #openstack-barbican [06:30]
*** alee has quit IRC [06:36]
*** jaosorior has joined #openstack-barbican [07:59]
*** darrenmoffat has joined #openstack-barbican [08:38]
*** woodster_ has quit IRC [08:40]
*** stanzi has joined #openstack-barbican [08:40]
*** stanzi has quit IRC [08:45]
*** alee has joined #openstack-barbican [09:38]
*** alee has quit IRC [09:42]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Display all versions info in versions controller  https://review.openstack.org/178601 [10:38]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican-specs: Move fix-version-api blueprint to liberty  https://review.openstack.org/178602 [10:40]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican-specs: Move fix-version-api blueprint to Liberty  https://review.openstack.org/178602 [10:50]
*** woodster_ has joined #openstack-barbican [11:56]
<jaosorior> woodster_ are you around? [12:04]
*** openstackgerrit has quit IRC [12:07]
*** openstackgerrit has joined #openstack-barbican [12:07]
<woodster_> jaosorior: yep [12:08]
<woodster_> jaosorior: how are things going over there? [12:09]
<jaosorior> woodster_: pretty good, having a chill day working from home [12:10]
<jaosorior> how about there? [12:10]
<jaosorior> woodster_: I stumbled upon something confusing. Why didn't the unauthed tests need a project-id before? now that I introduced this https://review.openstack.org/#/c/178601/1 they seem to brake http://logs.openstack.org/01/178601/1/check/gate-barbican-devstack-dsvm/242b25e/console.html [12:11]
*** stanzi has joined #openstack-barbican [12:11]
*** stanzi has quit IRC [12:16]
<jaosorior> * break [12:20]
<woodster_> jaosorior: hmmm, that is odd, I'll take a look [12:20]
<jaosorior> woodster_: because from what I see, the project-id wasn't being added before, at least in the functional test client. BUT, it was being checked for https://github.com/openstack/barbican/blob/master/barbican/api/middleware/context.py#L143 which is what got me confused [12:27]
*** darrenmoffat has left #openstack-barbican [12:28]
*** dave-mccowan has joined #openstack-barbican [12:31]
<woodster_> jaosorior: do curls against a local barbican work as you expect? The / request shouldn't require a project ID, but the /v1/ should [12:42]
<woodster_> jaosorior: it looks like a malformed json is perhaps borking the project Id checking somehow? [12:43]
<jaosorior> woodster_: /v1/ should, as far as I can notice, the malformed id comes from the response that says that there is no project-id [12:43]
*** chlong has joined #openstack-barbican [12:44]
<jaosorior> so the malformed-json is the fact that the unauther middleware returns that error message in plain text, and not in json format [12:44]
<woodster_> jaosorior: ah, got it [12:47]
<jaosorior> woodster_: Which is a bug by itself and I will send a fix for that (the fact that it doesn't return JSON) [12:48]
<jaosorior> but first I would like to understand what happened here O_o [12:48]
*** xaeth_afk is now known as xaeth [12:52]
<woodster_> jaosorior: yeah that is weird...maybe hockeynut or tdink have thoughts on that one? [12:56]
<jaosorior> other than that, what's the process of bumping a blueprint to Liberty? [13:02]
<jaosorior> I moved the version fix api to the folder and added the index in the index, but... what else is needed? https://review.openstack.org/#/c/178602/ [13:03]
*** xaeth is now known as xaeth_afk [13:03]
*** nkinder has quit IRC [13:12]
*** xaeth_afk is now known as xaeth [13:36]
*** joesavak has joined #openstack-barbican [13:48]
*** jsavak has joined #openstack-barbican [13:53]
*** nkinder has joined #openstack-barbican [13:56]
*** joesavak has quit IRC [13:56]
*** pglass has joined #openstack-barbican [14:04]
-openstackstatus- NOTICE: gerrit has been restarted to clear a stuck events queue. any change events between 13:29-14:05 utc should be rechecked or have their approval votes reapplied to trigger jobs [14:05]
*** stanzi has joined #openstack-barbican [14:15]
*** stanzi has quit IRC [14:16]
*** stanzi has joined #openstack-barbican [14:17]
*** stanzi has quit IRC [14:21]
*** zz_dimtruck is now known as dimtruck [14:27]
*** kebray has joined #openstack-barbican [14:28]
*** kebray has quit IRC [14:29]
<jaosorior> jvrbanac: ping [14:37]
*** kebray has joined #openstack-barbican [14:45]
*** silos has joined #openstack-barbican [14:53]
*** silos has left #openstack-barbican [14:53]
*** kebray has quit IRC [14:55]
*** nelsnelson has joined #openstack-barbican [15:02]
*** stanzi has joined #openstack-barbican [15:03]
*** alee has joined #openstack-barbican [15:12]
*** stanzi has quit IRC [15:31]
*** stanzi has joined #openstack-barbican [15:32]
*** SheenaG has joined #openstack-barbican [15:45]
*** igueths has joined #openstack-barbican [15:48]
*** rm_work is now known as rm_work|away [15:53]
*** jsavak has quit IRC [16:03]
*** SheenaG1 has joined #openstack-barbican [16:06]
*** SheenaG2 has joined #openstack-barbican [16:07]
*** stanzi has quit IRC [16:07]
*** stanzi has joined #openstack-barbican [16:08]
*** SheenaG2 has left #openstack-barbican [16:08]
*** SheenaG has quit IRC [16:09]
*** SheenaG1 has quit IRC [16:10]
*** kebray has joined #openstack-barbican [16:11]
*** stanzi has quit IRC [16:13]
*** chlong has quit IRC [16:19]
*** gyee has joined #openstack-barbican [16:25]
*** SheenaG has joined #openstack-barbican [16:37]
*** stanzi has joined #openstack-barbican [16:48]
*** stanzi has quit IRC [16:49]
*** stanzi has joined #openstack-barbican [16:50]
*** rm_you has quit IRC [16:52]
*** rm_you has joined #openstack-barbican [16:52]
*** rm_you has joined #openstack-barbican [16:52]
*** stanzi has quit IRC [16:54]
*** kebray has quit IRC [17:00]
*** kebray has joined #openstack-barbican [17:01]
*** joesavak has joined #openstack-barbican [17:08]
*** rellerreller has joined #openstack-barbican [17:09]
*** pglass is now known as pglass|away [17:27]
<arunkant> redrobot, there? [17:52]
<arunkant> dave-mccowan, there? [17:54]
<dave-mccowan> arunkant o/ [17:54]
<arunkant> I thought better to clarify review comments on https://review.openstack.org/#/c/177454/ here.. [17:55]
<arunkant> dave-mccowan, for adding other operation support via ACL, the pending task is more around defining policy rules..than actually making code change per se [17:56]
<arunkant> dave-mccowan, so far rules are added only for 'read' operation in default policy. If a deployment wants to allow other operations via ACL, it can be done with their customized version which is generally the case. [17:58]
<dave-mccowan> arunkant only policy.json changes? or is there still some code pending to support? [17:59]
<arunkant> dave-mccowan, for secrets and containers, no code change should be needed. If need to add support for orders or some other resource, then there might be change needed. [18:00]
*** woodster_ has quit IRC [18:00]
<dave-mccowan> arunkant is there any reason not to update the default policy.json file for write/list/delete operations to match read operations for secrets and containers? [18:02]
<arunkant> dave-mccowan, also if for some reason, CR change is needed, then I will think that it's better to make change only in Kilo (though then we are removing option for deployment to use ACL for other operations) [18:02]
<arunkant> dave-mccowan, it was done to limit scope of development as this was added during kilo RC1 cycle. But it can be enhanced for other operations if needed (in upstream or via custom policy) [18:04]
<dave-mccowan> arunkant limit the scope of development or test? all the development is done, right? [18:05]
*** dhellmann has quit IRC [18:05]
<arunkant> dave-mccowan, yes it's for development (unit tests) and test. [18:05]
*** rm_work|away is now known as rm_work [18:07]
<dave-mccowan> arunkant, ah. i see how the confusion has come in. :-) [18:08]
*** chadlung has joined #openstack-barbican [18:17]
<openstackgerrit> Steve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests  https://review.openstack.org/177906 [18:18]
<redrobot> arunkant dave-mccowan about to jump in a meeting. [18:18]
<redrobot> arunkant I still don't understand why "write" and "list" were added to the API.  The spec never mentions those additions. [18:19]
*** pglass|away is now known as pglass [18:20]
<arunkant> redrobot, there are operations described in one of ACL spec.. http://specs.openstack.org/openstack/barbican-specs/specs/kilo/add-creator-only-option.html#operations [18:21]
<redrobot> arunkant yes, the spec specifies how reading a secret would affect the operation, but that doesn't explain why they were added to the API. [18:21]
<redrobot> arunkant that section describes how the "get" and "creator-only" affects other operations, it does not say that it has to be added to the API in the JSON body. [18:22]
<arunkant> redrobot, spec talks about having operations field in data model, and operation values can be 'get' or 'read', 'write', 'delete', 'list' etc. [18:27]
<arunkant> redrbot, http://specs.openstack.org/openstack/barbican-specs/specs/kilo/add-creator-only-option.html#data-model-impact [18:28]
<arunkant> redrobot, ^^^ [18:28]
<redrobot> arunkant yes, and I'm not sure what the purpose of those are...   If we do want to enable those as part of the JSON message, then I think a new spec is needed that describes how they affect normal operations [18:29]
<redrobot> arunkant I'm not convinced that we need to support all those in barbican ACL [18:29]
<redrobot> arunkant even then, those are only booleans in the table, I don't see how it follows that they would store a specific user id? [18:31]
<arunkant> redrobot, both of ACL specs talks about various operations and what they can do. Maybe alee can clarify more [18:31]
<arunkant> redrobot, there are ACL defined per operation and each ACL has corresponding list of users. [18:32]
<redrobot> arunkant the reason I want this CR to land is because "get" is the only thing that is implemented. [18:37]
<redrobot> arunkant the others are effectively broken [18:37]
<redrobot> arunkant as new CRs are made that enable those features, then validation can be updated to accept the new values [18:37]
<redrobot> arunkant I don't like the idea of not failing when a user is requesting an unimplemented feature. [18:38]
<arunkant> redrobot, "not implemented" part is only around default policy change. And policy are generally deployment specific. As I said earlier, a company can use other operations via ACL if policy is updated accordingly. [18:41]
<arunkant> redrobot, we are looking consuming barbican for LBaaS integration. Having ACL support for other operations, allow us the flexibility to use privileged accounts to operate on barbican secrets/containers (without need to have project scoped token) [18:43]
*** stanzi has joined #openstack-barbican [18:43]
<redrobot> arunkant I don't know how useful it would be to let the lbaas user delete a certificate? [18:44]
<redrobot> arunkant And "write" doesn't make sense, since secrets are not updatable. [18:44]
<redrobot> arunkant "list" I believe does need a code change, not just policy [18:45]
<rm_work> arunkant: I'm the one that IMPLEMENTED Barbican/LBaaS [18:47]
<rm_work> ACLs were designed to be compatible [18:47]
<rm_work> specifically for LBaaS' use case [18:47]
<rm_work> I do not see any problems with the current solution [18:48]
<arunkant> redrobot, not sure why 'list' (it's get on 'secrets') and other operations will need code change. [18:48]
<rm_work> I may have dropped in to this conversation in the middle though [18:48]
<redrobot> rm_work this is the relevant CR https://review.openstack.org/#/c/177454/ [18:49]
<redrobot> rm_work basically right now you can send a JSON blob that tries to set "list" and "write" to ACL, and get a 200 back, even though "list" and "write" do not work. [18:49]
<rm_work> ah [18:50]
<redrobot> it appears that they could be fixed with policy [18:50]
<rm_work> if they don't work... why are they allowed? [18:50]
<arunkant> rm_work, ACL spec has various operations support. If intention was only for 'read', then most likely we don't need that data point captured. [18:50]
*** nkinder has quit IRC [18:50]
<arunkant> rm_work, it's matter of changing policy to support other operations [18:51]
<redrobot> arunkant but still, we have the problem of not being able to give feedback on whether policy is set correctly or not [18:51]
<redrobot> arunkant how is the list query able to gather all secrets across many projects for a single user? [18:52]
*** chadlung_ has joined #openstack-barbican [18:54]
*** chadlung has quit IRC [18:56]
*** chadlung_ has quit IRC [18:58]
*** stanzi has quit IRC [18:59]
*** stanzi has joined #openstack-barbican [18:59]
<arunkant> redrobot, for 'delete', it will be able to do successful authorization via ACL. For 'list', I was thinking in terms of just authorization pass. Yes you are right code change will be needed as it uses token project id to list secrets. [19:01]
<rm_work> well, personally I think i'd +1 this CR [19:02]
<rm_work> but maybe I don't fully understand the issue arunkant is bringing up :/ [19:02]
<rm_work> sorry, got to disagree and run -- meeting :/ [19:02]
*** chadlung has joined #openstack-barbican [19:03]
<jaosorior> hockeynut, jvrbanac: are you guys around? [19:03]
<hockeynut> jaosorior in a meeting :-( [19:05]
<jaosorior> uok [19:05]
*** dhellmann has joined #openstack-barbican [19:06]
*** chadlung has quit IRC [19:06]
<arunkant> redrobot, okay. Looked into code now...looks like code change is needed for secret delete as well, even after passing authz check. So then it's okay to remove API support if it's needed. [19:10]
<redrobot> arunkant I think we can re-enable the API verification as the code changes that are needed land. [19:14]
<jaosorior> redrobot: How's your knowledge about the functional tests? [19:14]
<redrobot> jaosorior so-so... what's up? [19:14]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/178409 [19:15]
<hockeynut> jaosorior I can give you 21% of my attention while in this meeting [19:15]
<arunkant> redrobot, okay [19:15]
<jaosorior> redrobot, hockeynut: So I started implementing the standardized version blueprint, and I did my first patch for it, But, for some reason now, the noauth functional tests break complaining about there not being a project-id [19:16]
<jaosorior> redrobot, hockeynut: looking at it, it makes sense, the project-id is not being set... but it wasn't set before either, so now I don't understand how that used to work before [19:17]
<jaosorior> redrobot, hockeynut: the patch I'm talking about is this one: https://review.openstack.org/#/c/178601/ and here's the stack trace: http://logs.openstack.org/01/178601/1/check/gate-barbican-devstack-dsvm/242b25e/console.html [19:17]
<hockeynut> <clicking> [19:17]
<hockeynut> jaosorior from the comment in your CR, the / controller now requires authentication where before it did not? [19:31]
*** woodster_ has joined #openstack-barbican [19:31]
<jaosorior> hockeynut: the / controller doesn't. but the /v1/ controller does [19:32]
<openstackgerrit> Merged openstack/barbican-specs: Move fix-version-api blueprint to Liberty  https://review.openstack.org/178602 [19:34]
<hockeynut> jaosorior do these tests work in your local env (which I assume has some flavor of keystone)? [19:36]
<hockeynut> jaosorior I'll pull down your CR and see how my env likes it [19:39]
<jaosorior> let me run it again, I was playing with the configs, since I had to do a change in the paste config [19:39]
<hockeynut> ok [19:39]
<jaosorior> but actually, in my local environment, if I actually use the unauthed middleware, those tests have always failed that way [19:40]
<jaosorior> which is why I ask, I have no idea how they have passed in the gate before [19:40]
*** rellerreller has quit IRC [19:40]
<jaosorior> hockeynut: now that I enabled the keystone auth middleware the tests pass [19:43]
<hockeynut> ah, I always run with keystone mw [19:43]
*** david-lyle has quit IRC [19:44]
*** david-lyle has joined #openstack-barbican [19:44]
<jaosorior> hockeynut: the unauth middleware is the default, so I try to run both [19:45]
<jaosorior> hockeynut: anyway, I have no idea how the tests passed before. And I don't see where the paste config would be changed before running the functional tests [19:47]
<hockeynut> so running unauth mw with your changes I should see these failures, right? [19:52]
<jaosorior> yup [19:53]
*** SheenaG has quit IRC [19:53]
*** SheenaG has joined #openstack-barbican [19:55]
<elmiko> hey folks [20:01]
<elmiko> when using castellan, do i need to create_key first or can i just store_key? [20:01]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Display all versions info in versions controller  https://review.openstack.org/178601 [20:01]
*** stanzi has quit IRC [20:06]
*** stanzi has joined #openstack-barbican [20:06]
*** chadlung has joined #openstack-barbican [20:07]
*** stanzi has quit IRC [20:11]
*** stanzi has joined #openstack-barbican [20:11]
*** chadlung has quit IRC [20:12]
*** stanzi_ has joined #openstack-barbican [20:18]
*** stanzi_ has quit IRC [20:18]
*** stanzi_ has joined #openstack-barbican [20:19]
*** stanzi has quit IRC [20:21]
*** igueths has quit IRC [20:30]
<jaosorior> hockeynut: thought I had found the issue, but no :/ [20:32]
*** stanzi_ has quit IRC [20:35]
*** stanzi has joined #openstack-barbican [20:35]
*** stanzi has quit IRC [20:39]
*** joesavak has quit IRC [20:53]
<openstackgerrit> Michael McCune proposed openstack/castellan: Removing SymmetricKey docs from key module  https://review.openstack.org/178843 [20:59]
<elmiko> redrobot: question about Key classes, would it be appropriate to use SymmetricKey for something that is unencoded? [21:00]
<redrobot> hi elmiko, to be honest I haven't dug down that deep in Castellan [21:01]
<redrobot> elmiko, kfarr and rellerreller would be the best folks to ask [21:01]
<elmiko> redrobot: ack, thanks! [21:01]
<redrobot> elmiko also Brianna from JHU, but I'm not sure what her nick is [21:02]
<jaosorior> redrobot: do you happen to know how the barbican-api-paste.ini is configured in the gate? [21:02]
<redrobot> jaosorior I think it just gets copied into /etc/barbican https://github.com/openstack/barbican/blob/master/contrib/devstack/lib/barbican#L92 [21:08]
<jvrbanac> woodster_, question about one of your CR's [21:11]
<openstackgerrit> John Vrbanac proposed openstack/barbican: Adding more logging around containers & consumers  https://review.openstack.org/178845 [21:15]
<elmiko> so, if storing a secret, and it has no algorithm, is it better to use "", "None", "plain", None, or some other value for the algo? [21:15]
<elmiko> (i realize algo is optional, just curious about best practice) [21:15]
*** chadlung has joined #openstack-barbican [21:17]
<openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Display all versions info in versions controller  https://review.openstack.org/178601 [21:18]
*** kebray has quit IRC [21:20]
<woodster_> jvrbanac: hey there [21:23]
<openstackgerrit> Steve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests  https://review.openstack.org/177906 [21:24]
<jvrbanac> woodster_, on https://review.openstack.org/#/c/132304/ should we be including GIFs into our repo? This feels like it should be an external resource [21:24]
<jvrbanac> woodster_, Also, one of them has a rackspace logo on it [21:24]
<woodster_> jvrbanac: ah, so maybe put into a cloud files cdn or drop box maybe? Oh that first fig has a logo :\ [21:26]
<jvrbanac> yeah... thinking CDN is good [21:27]
*** chadlung has quit IRC [21:27]
<woodster_> jvrbanac: do you think we could use our current keep account for this, or should we create a special openstack related one maybe? There might even already be such a beast...I can ask the docs team about that one [21:30]
*** kebray has joined #openstack-barbican [21:30]
<jvrbanac> woodster_, just put in ours for the time being. We can always put up a CR to change the links later [21:31]
<woodster_> jvrbanac: that sounds good, thanks [21:31]
*** nkinder has joined #openstack-barbican [21:33]
*** chadlung has joined #openstack-barbican [21:44]
*** kebray has quit IRC [21:51]
<jaosorior> hockeynut, redrobot, woodster_: it works now :D [21:55]
<jaosorior> So... If you guys have time. Here's the first patch of the series for the standardised version thingy blueprint https://review.openstack.org/#/c/178601/ [21:57]
<hockeynut> jaosorior awesomeness - [22:02]
*** mdarby has joined #openstack-barbican [22:02]
*** kebray has joined #openstack-barbican [22:02]
*** pglass has quit IRC [22:05]
*** chadlung has quit IRC [22:05]
*** chadlung has joined #openstack-barbican [22:05]
*** xaeth is now known as xaeth_afk [22:08]
*** chadlung has quit IRC [22:10]
<openstackgerrit> Merged openstack/barbican: Updated from global requirements  https://review.openstack.org/178409 [22:11]
<openstackgerrit> Merged openstack/barbican: Drop use of 'oslo' namespace package.  https://review.openstack.org/178242 [22:11]
<woodster_> jaosorior: wow, what was the issue after all? [22:12]
<jaosorior> woodster_: missed properly overwriting the new configuration in the devstack script [22:14]
<jaosorior> So it was setting it. But to another section. So it didn't complain. So it just took the default, which is unauthed. Instead of the one that uses keystone auth [22:14]
<woodster_> jaosorior: ugh. Devstack is magic! :) I still need to figure out how to make two screens share the same database, to test the retry stuff [22:15]
*** mdarby has quit IRC [22:15]
<jaosorior> Hahaha it is black magic indeed [22:15]
*** nelsnelson has quit IRC [22:18]
*** chadlung has joined #openstack-barbican [22:25]
<openstackgerrit> Merged openstack/barbican: Remove Future Parameters (write, list, delete) from ACL Validation Schema  https://review.openstack.org/177454 [22:26]
*** dimtruck is now known as zz_dimtruck [22:29]
*** chadlung has quit IRC [22:30]
<openstackgerrit> Arun Kant proposed openstack/barbican: Adding documentation for ACLs operations.  https://review.openstack.org/178479 [22:32]
*** stanzi has joined #openstack-barbican [22:41]
*** rm_work is now known as rm_work|away [22:58]
*** stanzi has quit IRC [23:07]
*** stanzi has joined #openstack-barbican [23:08]
*** stanzi has quit IRC [23:13]
*** kebray has quit IRC [23:32]
*** chlong has joined #openstack-barbican [23:50]
