Thursday, 2015-06-18

*** stanzi has joined #openstack-barbican		00:15
*** kfarr has joined #openstack-barbican		00:20
*** kfarr has left #openstack-barbican		00:22
*** gyee has quit IRC		00:23
*** zz_dimtruck is now known as dimtruck		00:28
*** jamielennox\|away is now known as jamielennox		00:35
*** kebray has quit IRC		00:40
*** kfox1111 has quit IRC		00:43
*** stanzi has quit IRC		00:47
*** stanzi has joined #openstack-barbican		00:48
*** jamielennox is now known as jamielennox\|away		01:00
*** jamielennox\|away is now known as jamielennox		01:08
*** woodster_ has quit IRC		02:01
*** jamielennox is now known as jamielennox\|away		02:20
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/barbican: Display all versions info in versions controller https://review.openstack.org/178601	02:21
*** rm_you\| has joined #openstack-barbican		02:46
*** rm_you has quit IRC		02:47
openstackgerrit	Arun Kant proposed openstack/barbican: Addred unit test around bug related to who can modify ACL. https://review.openstack.org/179547	02:54
openstackgerrit	Arun Kant proposed openstack/barbican: Added unit test around bug related to who can modify ACL. https://review.openstack.org/179547	02:56
*** jamielennox\|away is now known as jamielennox		03:03
*** arunkant1 has joined #openstack-barbican		03:05
*** arunkant1 has left #openstack-barbican		03:06
*** stanzi has quit IRC		03:08
*** arunkant__ has joined #openstack-barbican		03:13
*** stanzi has joined #openstack-barbican		03:14
*** jamielennox is now known as jamielennox\|away		03:15
*** stanzi_ has joined #openstack-barbican		03:15
*** arunkant__ has quit IRC		03:17
*** woodster_ has joined #openstack-barbican		03:18
*** stanzi_ has quit IRC		03:19
*** stanzi has quit IRC		03:19
*** jhfeng_ has joined #openstack-barbican		03:25
*** jamielennox\|away is now known as jamielennox		03:25
*** jhfeng_ has quit IRC		03:39
*** diazjf has joined #openstack-barbican		03:46
*** dimtruck is now known as zz_dimtruck		03:52
*** jaosorior has joined #openstack-barbican		03:57
jaosorior	woodster_: If you're still around, I updated this CR with the comment you pointed out https://review.openstack.org/#/c/178601/	03:58
jaosorior	for some reason (probably the excessive sun in summer here) my brain decided 5am was a good time to wake up, so now I'm here haha	03:59
*** stanzi has joined #openstack-barbican		04:24
*** stanzi has quit IRC		04:32
openstackgerrit	Merged openstack/barbican: Update version for Liberty https://review.openstack.org/192413	04:33
*** diazjf has quit IRC		05:19
*** jamielennox is now known as jamielennox\|away		05:23
*** jamielennox\|away is now known as jamielennox		05:26
*** chlong has quit IRC		05:38
*** chlong has joined #openstack-barbican		05:53
*** jaosorior has quit IRC		06:35
*** shohel has joined #openstack-barbican		06:36
*** woodster_ has quit IRC		06:51
*** Nirupama has joined #openstack-barbican		06:57
*** nickrmc83 has joined #openstack-barbican		07:05
*** chlong has quit IRC		07:18
*** stanzi has joined #openstack-barbican		07:30
*** stanzi has quit IRC		07:35
*** dave-mccowan has joined #openstack-barbican		10:21
*** dave-mccowan has quit IRC		10:26
*** dave-mccowan has joined #openstack-barbican		10:27
*** shohel has quit IRC		12:00
*** kfarr has joined #openstack-barbican		12:20
*** Nirupama has quit IRC		12:26
openstackgerrit	Nathan Reller proposed openstack/barbican: Stanardized Functional Tests https://review.openstack.org/193099	12:28
*** woodster_ has joined #openstack-barbican		12:45
*** xaeth_afk is now known as xaeth		13:04
*** kfarr has quit IRC		13:16
*** xaeth is now known as xaeth_afk		13:17
*** xek has quit IRC		13:19
*** xaeth_afk is now known as xaeth		13:25
*** SheenaG1 has joined #openstack-barbican		13:26
*** SheenaG has quit IRC		13:26
*** alee has joined #openstack-barbican		13:36
*** elmiko has joined #openstack-barbican		13:37
*** xek has joined #openstack-barbican		13:47
*** kfarr has joined #openstack-barbican		14:00
*** pglass has joined #openstack-barbican		14:04
*** Kevin_Bishop has joined #openstack-barbican		14:25
openstackgerrit	Ade Lee proposed openstack/barbican-specs: Added spec for copy constructor for secrets and containers https://review.openstack.org/127823	14:28
*** zz_dimtruck is now known as dimtruck		14:33
*** stanzi has joined #openstack-barbican		14:34
alee	woodster_, ping	14:36
woodster_	Hey Ade	14:36
alee	woodster_, hey modified spec as above ^^	14:37
alee	woodster_, about to make mods to https://review.openstack.org/#/c/187236/1/specs/liberty/add-cas.rst,cm ..	14:37
alee	before I submit though, should I change the ca_id parameter to ca_ref ?	14:37
alee	woodster_, this would be to refer to the parent ca -- for consistency ..	14:38
woodster_	alee: agreed	14:41
alee	woodster_, ok - will do.	14:42
*** diazjf has joined #openstack-barbican		14:48
*** stanzi has quit IRC		14:59
*** stanzi has joined #openstack-barbican		15:00
openstackgerrit	Ade Lee proposed openstack/barbican-specs: Added spec for add-cas https://review.openstack.org/187236	15:04
alee	woodster_, ^^	15:06
alee	jvrbanac, ping	15:06
*** stanzi has quit IRC		15:13
*** dimtruck is now known as zz_dimtruck		15:16
*** arunkant_ has quit IRC		15:21
*** xaeth is now known as xaeth_afk		15:23
jvrbanac	alee, yo	15:23
alee	jvrbanac, just trying to understand what I need to change in the cert-api doc spec	15:24
alee	jvrbanac, there aren't that many javascript blocks in the docs	15:24
alee	if I understand your comment correctly - I need it for places where I provide a large server response.	15:25
alee	also I dont know what full pretty print means	15:25
*** kebray has joined #openstack-barbican		15:26
jvrbanac	alee, the json is only partially pretty-printed	15:26
jvrbanac	alee, my comments are pretty much around making sure the style aligns with the existing quickstart guides	15:27
alee	jvrbanac, can you give me an exmaple of what a fully pretty printed json would look like?	15:27
jvrbanac	http://docs.openstack.org/developer/barbican/api/quickstart/containers.html	15:28
alee	jvrbanac, ok - by the way -- all those have code-style::bash	15:29
alee	as do all the rest of the quick start guides	15:29
jvrbanac	alee, really? We really need to change those.	15:29
*** kfox1111 has joined #openstack-barbican		15:30
alee	I'm ok with using javascript if thats what we want to change to	15:30
alee	but if we're being consistent, it should be bash	15:30
jvrbanac	We really shouldn't be using bash highlighting in json blocks	15:31
alee	jvrbanac, thats fine - I'll use javascript	15:31
*** gyee has joined #openstack-barbican		15:32
jvrbanac	alee it looks like we're doing it properly on the reference docs, just not the quickstarts	15:33
alee	jvrbanac, some of them at least ..	15:33
jvrbanac	alee, lol yeah	15:34
*** xaeth_afk is now known as xaeth		15:36
openstackgerrit	Ade Lee proposed openstack/barbican: Added Certificate API Docs and Quick Start Guides https://review.openstack.org/186771	15:41
alee	jvrbanac, woodster_ done ^^	15:41
alee	chellygel, ^^	15:41
jvrbanac	alee, I'll take a look after I get out of this meeting	15:41
alee	thanks	15:41
*** stanzi has joined #openstack-barbican		15:43
*** arunkant_ has joined #openstack-barbican		15:45
*** stanzi has quit IRC		15:48
*** zz_dimtruck is now known as dimtruck		15:52
*** dimtruck is now known as zz_dimtruck		15:53
*** zz_dimtruck is now known as dimtruck		15:55
*** stanzi has joined #openstack-barbican		15:55
*** nickrmc83 has quit IRC		15:59
*** xaeth is now known as xaeth_afk		16:21
*** openstackgerrit has quit IRC		16:22
*** openstackgerrit has joined #openstack-barbican		16:23
*** xaeth_afk is now known as xaeth		16:29
openstackgerrit	Kevin Bishop proposed openstack/barbican: Replace oslo incubator code with oslo_service https://review.openstack.org/192895	16:34
*** ryanpetrello has quit IRC		16:37
*** stanzi has quit IRC		16:41
openstackgerrit	Dave Walker proposed openstack/barbican: Drop file extensions for /usr/bin/* https://review.openstack.org/193208	16:42
*** crc32 has joined #openstack-barbican		16:56
*** diazjf has quit IRC		17:05
*** alee is now known as alee_food		17:45
*** openstackgerrit has quit IRC		17:50
*** openstackgerrit has joined #openstack-barbican		17:51
*** kfarr1 has joined #openstack-barbican		17:53
*** kfarr has quit IRC		17:56
*** kfarr1 has quit IRC		17:59
*** stanzi has joined #openstack-barbican		18:01
*** kfarr has joined #openstack-barbican		18:14
*** stanzi has quit IRC		18:19
*** SheenaG1 has quit IRC		18:22
*** stanzi has joined #openstack-barbican		18:23
*** elmiko has quit IRC		18:27
*** stanzi has quit IRC		18:28
*** elmiko has joined #openstack-barbican		18:29
jvrbanac	alee_food, looks good! thx!	18:35
*** silos has joined #openstack-barbican		18:39
*** xaeth is now known as xaeth_afk		18:46
*** kfox1111 has quit IRC		18:47
*** alee_food is now known as alee		18:49
*** stanzi has joined #openstack-barbican		18:50
alee	jvrbanac, thanks	18:50
alee	woodster_, chellygel https://review.openstack.org/#/c/186771/ needs some love please	18:50
alee	kfarr, jvrbanac , redrobot , chellygel https://review.openstack.org/#/c/127823/ also needs some love :)	18:51
*** xaeth_afk is now known as xaeth		18:53
*** dimtruck is now known as zz_dimtruck		18:56
*** zz_dimtruck is now known as dimtruck		18:57
*** pglass has quit IRC		18:57
*** silos1 has joined #openstack-barbican		18:59
*** SheenaG has joined #openstack-barbican		19:01
*** silos has quit IRC		19:02
*** stanzi has quit IRC		19:02
*** diazjf has joined #openstack-barbican		19:02
*** stanzi has joined #openstack-barbican		19:02
*** kfarr1 has joined #openstack-barbican		19:03
*** kfarr has quit IRC		19:06
*** stanzi has quit IRC		19:07
openstackgerrit	Arun Kant proposed openstack/barbican: Added unit test around bug related to who can modify ACL. https://review.openstack.org/179547	19:14
*** kfarr has joined #openstack-barbican		19:14
*** kfarr1 has quit IRC		19:16
arunkant_	alee: there?	19:19
alee	arunkant, hi, whats up?	19:20
*** ryanpetrello has joined #openstack-barbican		19:20
arunkant_	For add-copy-constructor spec, in case of containers..is consumers data going to be cloned as well ?	19:20
arunkant_	alee, was not sure from reading the spec and that's why trying to clarify it	19:21
alee	arunkant, thats a good question -- I had not even thought about consumers	19:22
alee	arunkant, my immediate thought would be no - but I dont have a strong opinion either way	19:23
arunkant_	alee, either copy it..or may be have add new container_id to existing container-consumers relationship	19:23
*** kfarr has quit IRC		19:24
alee	arunkant, sure - I guess we can copy it	19:25
arunkant_	alee, Okay.. No is because this new container is not being referred by anybody . Is that the reason ?	19:25
alee	arunkant, I really have no opinion either way -- I could see arguments either way	19:25
alee	arunkant, but yes - because its a brand new container that is not being referred to by antbody	19:26
alee	arunkant, on the other hand, I could see an argument to make it an exact clone	19:26
alee	woodster_, redrobot , rm_work any thoughts?	19:27
redrobot	+1 "No is because this new container is not being referred by anybody"	19:28
*** SheenaG has quit IRC		19:28
*** SheenaG has joined #openstack-barbican		19:29
redrobot	consumers is metadata that could be used by reach, for example, to warn a user about other resources that are using the secret.	19:29
woodster_	arunkant_: redrobot +1, I'd say no to copying consumers as well...this is a different instance and UUID	19:29
redrobot	s/reach/horizon	19:29
*** stanzi has joined #openstack-barbican		19:33
alee	arunkant, seems like a consensus.	19:34
arunkant_	alee, yes. Are you planning to clarify this in spec?	19:36
*** kfarr has joined #openstack-barbican		19:39
alee	arunkant, aargh .. I was hoping to not have to submit yet another version .. yeah - I guess I need to	19:39
alee	arunkant, submitting change in a couple of mins ..	19:40
*** stanzi has quit IRC		19:42
openstackgerrit	Ade Lee proposed openstack/barbican-specs: Added spec for copy constructor for secrets and containers https://review.openstack.org/127823	19:44
alee	arunkant, woodster_ , redrobot , kfarr , jvrbanac ^^	19:44
alee	+2s please	19:45
rm_work	alee / redrobot / arunkant_: correct, do not copy consumers	19:57
rm_work	reading now	19:57
*** silos1 has quit IRC		19:58
rm_work	+1 with comment	20:00
*** diazjf has quit IRC		20:02
*** pglass has joined #openstack-barbican		20:04
openstackgerrit	Kevin Bishop proposed openstack/barbican: Refactor Barbican model registration https://review.openstack.org/193290	20:10
*** chadlung has joined #openstack-barbican		20:19
openstackgerrit	Merged openstack/barbican: Added Certificate API Docs and Quick Start Guides https://review.openstack.org/186771	20:22
*** pglass has quit IRC		20:38
openstackgerrit	Kevin Bishop proposed openstack/barbican: Refactor Barbican model registration https://review.openstack.org/193290	20:46
*** elmiko is now known as _elmiko		20:46
*** chadlung has quit IRC		20:56
*** pglass has joined #openstack-barbican		20:57
*** kfarr has left #openstack-barbican		21:00
*** jamielennox is now known as jamielennox\|away		21:01
*** kfox1111 has joined #openstack-barbican		21:04
kfox1111	23'rds cutoff day for the instance users spec. Please +1 or raise issues now.	21:04
redrobot	kfox1111 heya!	21:05
redrobot	kfox1111 I've been catching up on the keystone side of things	21:05
* morganfainberg throws glitter in the air in the channel.		21:06
morganfainberg	quick make changes on the keystone side while folks are cleaning up the glitter >.>	21:07
morganfainberg	redrobot: :P	21:07
redrobot	lol	21:07
*** chadlung has joined #openstack-barbican		21:08
*** jamielennox\|away is now known as jamielennox		21:09
redrobot	So, if I'm understanding this right, Keystone would have a trusted root cert in the config file?	21:09
redrobot	and then trust any certs signed by the trusted root?	21:09
morganfainberg	redrobot: that is the idea. i think we want to expand this a little more though - and let the full federated mapping system work with more than a single CA (long term)	21:11
kfox1111	redrobot: correct.	21:12
kfox1111	I think we should firm up the spec just far enough to get itin by the 23rd deadline,	21:12
*** chadlung has quit IRC		21:12
kfox1111	and I'd be happy to further discuss the little details.	21:12
kfox1111	once we can still target it for this cycle.	21:12
redrobot	since Nova will be storing both the cert and the private key, then the CA could be either Barbican or Anchor?	21:13
kfox1111	I guess it could be Anchor... if it does user certs.	21:13
redrobot	or do the certs need to be long-lived?	21:13
kfox1111	long lived.	21:14
redrobot	hmmm.... I don't think we've talked about CRLs in barbican yet	21:15
*** diazjf has joined #openstack-barbican		21:15
*** kebray has quit IRC		21:15
redrobot	barbican is not in itself a CA.	21:15
kfox1111	Does it matter for the spec? We can always add that functionality later otherwise.	21:16
kfox1111	so if the ca barbican uses supports CRL's, then we're still ok?	21:17
redrobot	kfox1111 yeah... barbican could send the revokation request to the ca	21:18
kfox1111	k	21:18
redrobot	as long as the cert has the right CRL it should be fine	21:18
kfox1111	I've got a meeting in 5.	21:19
redrobot	kfox1111 np, I think I'm on board to +1 the spe	21:19
redrobot	spec	21:20
kfox1111	Awesome. Thanks. :)	21:20
*** stanzi has joined #openstack-barbican		21:21
kfox1111	please do let me know if you need anything else or have any questions asap. The spec's dead for 6 months on the 23rd if we can't get enough concensus. :/	21:21
kfox1111	bbiab	21:22
*** kfox1111 is now known as kfox1111_afk		21:22
*** _elmiko is now known as elmiko		21:23
rm_work	kfox1111_afk: that is starting to sound less like what you were describing to me at the summit, and more like what I was describing to you at the summit -- which concerns me, because you had pretty thoroughly convinced me that the cert way wouldn't be as clean, i thought O_o	21:29
rm_work	and that sounds very much like the system we're working with for our service-vms in Octavia	21:29
rm_work	immediately after the summit i had to step away from Openstack again briefly to fight internal fires (one of these days I might actually be free) but I would like to see what you're doing -- i will try to review that today/tonight if possible	21:31
*** silos has joined #openstack-barbican		21:38
*** silos has left #openstack-barbican		21:38
*** stanzi has quit IRC		21:45
*** stanzi has joined #openstack-barbican		21:46
*** stanzi has quit IRC		21:50
*** Kevin_Bishop has quit IRC		21:55
*** stanzi has joined #openstack-barbican		21:57
*** kebray has joined #openstack-barbican		22:00
*** kebray has quit IRC		22:01
*** kebray has joined #openstack-barbican		22:02
*** diazjf has quit IRC		22:03
*** kebray has quit IRC		22:08
*** kebray has joined #openstack-barbican		22:10
*** xaeth is now known as xaeth_afk		22:15
*** chadlung has joined #openstack-barbican		22:20
*** pglass has quit IRC		22:21
*** SheenaG has quit IRC		22:22
*** chadlung has quit IRC		22:24
woodster_	alee, are you there?	22:25
*** SheenaG has joined #openstack-barbican		22:25
alee	woodster_, just briefly	22:25
woodster_	alee, I had added some comments to the renew/reissue bp CR in response to your comments	22:26
woodster_	alee: I think the long and the short is that you are dealing with delta changes...so changes you submit on the reissue/renew request, and changes since the original certificate request. I think validating those changes makes those cases different enough to warrant a new order type. I think that is true for having separate methods to handle these cases on	22:27
woodster_	the cert plugin	22:27
*** diazjf has joined #openstack-barbican		22:27
alee	woodster_, thinking ..	22:29
*** dimtruck is now known as zz_dimtruck		22:29
alee	woodster_, what does symantec allow in terms of renewals?	22:30
alee	woodster_, does it actually allow you to change stuff?	22:30
woodster_	alee, you can change limited things yes	22:30
alee	woodster_, because dogtag doesn't for example	22:30
alee	woodster_, like what for example?	22:31
woodster_	alee: yeah I'd have to look at my notes	22:32
alee	woodster_, lets suppose that each ca plugin allows you to change various things and not others -- I'm ok with having different methods in the plugins and passing in the old and new requests.	22:34
alee	or request params	22:34
woodster_	alee: that's what I was thinking...just pass the prev and new metadata and let the plugin decide what it supports	22:35
alee	but I think that there is a bunch of code that would be duplicated by having different order types	22:35
*** elmiko is now known as _elmiko		22:35
woodster_	alee: dup code on the plugin side or barbican core side?	22:35
alee	woodster_, well likely both	22:36
alee	but I was thinking on the barbican core side	22:36
alee	woodster_, if you really want to treat the renewal and the reissue in the same way as initial issuances, then you neeed to go through the same kinds of validations	22:37
alee	and that means writing code like ..	22:37
alee	if order_type = cert or cert-reissue or cert-renew .. do X	22:38
alee	if you want to treat them essentially the same, then there is no reason to have separate types	22:38
alee	just have a metadata filed that indicates what what kind of subtype of issuance it is.	22:39
alee	woodster_, but I really think renewal is different from issuance	22:40
woodster_	alee: that could work, and if it not specified then it is straight issue call	22:40
alee	and reissuance is basically the same as issuance	22:40
alee	(delta considerations notwithstanding)	22:40
alee	woodster_, thats why I'm curious what symantec accepts for changes for renewal	22:41
woodster_	alee: they are different from the plugin business process perspective, but less so from the core side I think	22:41
alee	and what it requires for authentication	22:41
alee	woodster_, depends on the requirements for approval/authentication	22:41
alee	woodster_, for instance, in dogtag its possible to try to do a self-renewal	22:42
alee	where you provide proof of ownership of the cert and maybe one other auth to do a renewal	22:42
woodster_	alee: per notes with chellygel, Symantec allows sub-domains on SAN certs	22:43
alee	butyou dont need any other request params	22:43
alee	allows subdomains to change on renewals?	22:43
woodster_	alee, yep	22:43
alee	woodster_, I need to think on this a bit more , but I've run out of time for today. lets chat next week. I'll be offline but you can call me.	22:45
woodster_	alee, will do. Have a good vacation!	22:46
*** darrenmoffat has quit IRC		22:46
alee	thanks	22:46
*** darrenmoffat has joined #openstack-barbican		22:47
*** nkinder has quit IRC		22:49
*** dave-mccowan has quit IRC		22:50
*** openstackgerrit has quit IRC		22:55
*** ngupta has quit IRC		22:55
*** jkf has quit IRC		22:55
*** nkinder has joined #openstack-barbican		22:57
*** stanzi has quit IRC		23:00
*** stanzi has joined #openstack-barbican		23:00
*** stanzi has quit IRC		23:04
*** dave-mcc_ has joined #openstack-barbican		23:06
*** openstackgerrit has joined #openstack-barbican		23:06
*** ngupta has joined #openstack-barbican		23:06
*** jkf has joined #openstack-barbican		23:06
*** diazjf has quit IRC		23:07
*** SheenaG has quit IRC		23:12
*** SheenaG has joined #openstack-barbican		23:15
*** arunkant_ has quit IRC		23:16
*** chadlung has joined #openstack-barbican		23:24
*** chadlung has quit IRC		23:26
*** chadlung has joined #openstack-barbican		23:26
kfox1111_afk	rm_work: I was worried at the summit that every project was going to be forced to be its own CA to hand out certs to the vm's to then be able to use the same cert to contact back that one service.	23:27
kfox1111_afk	Having keystone in the process means that nova->keystone make the arangements, and its all Instance -> openstack service using keystones just like any other user.	23:28
kfox1111_afk	And I'd still somewhat like the user/password idea from the summit but the Keystone guys -2'ed it. So its something of a compromise.	23:29
kfox1111_afk	It benefits them in that they really want to get out of being an identity provider. This lets Nova be an identity provider for the VM's its managing.	23:29
*** kfox1111_afk is now known as kfox1111		23:30
*** SheenaG has quit IRC		23:37
*** chlong has joined #openstack-barbican		23:48
*** alee has quit IRC		23:50

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!