Thursday, 2015-06-25

[07:07] <openstackgerrit> Merged openstack/barbican: Remove left over reference to admin endpoint  https://review.openstack.org/195251
[08:45] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/python-barbicanclient: Use keystone discovery instead of endpoint_override  https://review.openstack.org/195453
[08:46] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/python-barbicanclient: Use keystone discovery instead of endpoint_override  https://review.openstack.org/195453
[16:16] <dave-mccowan> ping arunkant_
[16:18] <hockeynut> good day barbicaneers!  I am in search of someone knowledgeable in sqlalchemy
[16:18] <hockeynut> I shall describe my problem now:
[16:19] <hockeynut> adding a filter to GET /orders like the name= filter on secrets
[16:19] <hockeynut> but order names live in their meta
[16:19] <hockeynut> and meta is a json blob
[16:20] <hockeynut> tried this: query = query.filter(models.Order.meta['name'].like(meta_arg))
[16:20] <hockeynut> but fails "operator gettitem is not supported on this expression"
[16:20] <hockeynut> so, how can I filter on the 'name' field in meta ?
[16:20] <hockeynut> </question>
[16:22] <woodster_> hockeynut: can you just pull all orders back but only count the ones with a specific name in the meta data client side?
[16:23] <hockeynut> since I am testing orders paging that seems like cheating
[16:28] <hockeynut> looks like changing "like" to "contains" on the filter is helping
[16:45] <openstackgerrit> Merged openstack/barbican: Added unit test around bug related to who can modify ACL.  https://review.openstack.org/179547
[16:54] <arunkant_> dave-mccowan: yes.
[17:00] <dave-mccowan> arunkant_  is there a spec or documentation that is updated to the latest implementation of ACLs?
[17:09] <redrobot> dave-mccowan http://docs.openstack.org/developer/barbican/api/reference/acls.html
[17:10] <dave-mccowan> arunkant_ thanks.  i must have had an old link.  one specific question:  should project-access:false, prevent an admin from accessing a secret?  i think it should not, but it appears that current code does.  what do you think?
[17:14] <woodster_> dave-mccowan: I thought an admin of a project's secret does have access?
[17:15] <redrobot> dave-mccowan woodster_  agreed.  project admin should always have access
[17:15] <dave-mccowan> woodster_, arunkant_  i would have guessed so too, but i'm working on functional tests and my admin user is getting 403
[17:17] <dave-mccowan> woodster_ redrobot arunkant_ #agreed.  i'll open a bug and fix it.
[20:31] <claudiub|2> hello. can anyone here answer some barbican questions I have?
[20:31] <redrobot> claudiub|2 what's up?
[20:32] <claudiub|2> redrobot: Hi. So, I'm interested in finding out how barbican works, for blueprint purposes. Basically, I want to store some secret keys via Barbican
[20:32] <claudiub|2> redrobot: now, my question is, how the authentication is done?
[20:32] <claudiub|2> redrobot: I mean, not everyone should have access to the secrets, right?
[20:33] <redrobot> claudiub|2 right, so barbican was designed to be an openstack service from the beginning, so authentication is deferred to Keystone (or an external auth system that can provide the same request headers that Keystone provides)
[20:34] <redrobot> claudiub|2 barbican segregates secrets at the project level
[20:35] <redrobot> and access is granted based on the role a particular user has within that project
[20:35] <claudiub|2> redrobot: from what I can see in the quick start guide, the requests are done through curl.
[20:36] <claudiub|2> redrobot: How can barbican tell that the requester is a legit user? I can only see the -H 'X-Project-Id:1234'
[20:36] <rm_work> X-Auth-Token
[20:37] <rm_work> takes a keystone auth token, the same as other projects -- might not be in the docs?
[20:37] <redrobot> claudiub|2 in a real deployment users would not be allowed to specify their own X-Project-Id
[20:37] <redrobot> claudiub|2 quick start examples assume a development (non-production) barbican instance
[20:38] <claudiub|2> rm_work: I see. well, https://github.com/cloudkeep/barbican/wiki/Barbican-Quick-Start-Guide doesn't contain any X-Auth-Token
[20:38] <claudiub|2> redrobot: I see.
[20:38] <redrobot> claudiub|2 in a real deployment the user would provide an X-Auth-Token acquired from Keystone, and Barbican would be configured to use keystonemiddleware to validate the token and set the X-Project-Id
[20:38] <rm_work> In production, just pass X-Auth-Token in the headers and you'll be good :)
[20:39] <claudiub|2> redrobot: rm_work: got, thanks. :)
[20:39] <claudiub|2> got it *
[20:39] * redrobot makes a note to clarify this in the Quick Start guide
[20:39] <claudiub|2> also, will there be a client released?
[20:39] <rm_work> python-barbicanclient exists
[20:40] <redrobot> claudiub|2 https://pypi.python.org/pypi/python-barbicanclient/3.2.0
[20:40] <rm_work> and is usable (though lacks some of the newer features, like ACL)
[20:40] <claudiub|2> ah, cool. makes my work easier. :)
[20:40] <redrobot> claudiub|2 long term, the client will be deprecated in favor of python-openstacksdk, but that's still a ways out.
[20:41] <rm_work> there are some examples of using python-barbicanclient in production, I can link some
[20:41] <rm_work> https://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/common/cert_manager/barbican_cert_manager.py
[20:42] <claudiub|2> redrobot: rm_work: awesome, thanks for the info folks. :D
[20:43] <claudiub|2> I guess we barbi CAN do the blueprint properly now. :D
[20:43] * chellygel groans
[20:43] * claudiub|2 hears cricket sounds
[20:43] <chellygel> hahahahaha
[20:43] <redrobot> claudiub|2 lol, you're welcome
[20:43] <rm_work> lol
[20:44] <openstackgerrit> Dave McCowan proposed openstack/barbican: Add Functional Tests for ACLs Using Multiple Users  https://review.openstack.org/181291
[21:22] <silos> Hey. I noticed it is possible to generate a certificate and retrieve it in barbican. Where is the certificate stored in barbican? Or is it stored in the CA plugin and barbican acts as the middle man?
[21:22] <chellygel> silos, it will be stored within a certificate container, which will point to a secret ref for the certificate itself
[21:23] <redrobot> silos the CA plugin provisions the certificate by interacting with an external CA.  Once the cert is issued, barbican stores it in the SecretStore plugin.
[21:24] <silos> chellygel redrobot: thanks!
[21:24] <silos> :-D
[21:25] <chellygel> you can see stuff about containers here silos: http://docs.openstack.org/developer/barbican/api/quickstart/containers.html
[21:26] <silos> chellygel: thanks. reading now.
[22:31] <kfox1111> redrobot: you there?
[22:58] <openstackgerrit> Doug Hellmann proposed openstack/kite: Drop use of 'oslo' namespace package  https://review.openstack.org/195777
[23:06] <openstackgerrit> Merged openstack/python-barbicanclient: Use keystone discovery instead of endpoint_override  https://review.openstack.org/195453
