Friday, 2015-06-26

openstackgerrit: Steve Heyman proposed openstack/barbican: Update queries to use proper offset and limit https://review.openstack.org/193698 [00:11]
openstackgerrit: Steve Heyman proposed openstack/barbican: Update queries to use proper offset and limit https://review.openstack.org/193698 [00:37]
openstackgerrit: Dave McCowan proposed openstack/barbican: Refactor Stored Key Certificate Order Validator Code https://review.openstack.org/171023 [02:55]
openstackgerrit: Chelsea Winfree proposed openstack/barbican: Update unwrap key to accept specific variables https://review.openstack.org/196141 [16:46]
openstackgerrit: Chelsea Winfree proposed openstack/barbican: Update unwrap key to accept specific variables https://review.openstack.org/196141 [16:49]
dave-mccowan: Happy Friday everyone! I have a couple CRs open, if anyone has time to review this afternoon. https://review.openstack.org/171023 and https://review.openstack.org/181291 [18:00]
kfox1111: can you create a cert outside of barbican and have barbican sign it with its ca? [18:19]
redrobot: kfox1111 no, current api accepts a CSR, and we defer to the CA to create the cert. [18:21]
kfox1111: that's what I meant I think? [18:22]
kfox1111: in the instance user workflow, could the vm itself create the private key, [18:22]
kfox1111: then we submit the csr to barbican somehow to create the cert? [18:23]
kfox1111: redrobot: The nova folks finally started lookin at the spec. and are trying to figure out how nova could not be part of the picture. :/ [18:23]
redrobot: kfox1111 yeah, that's a possible workflow. you create the key, sign a CSR and send it to barbican. The resulting cert will have information taken from the CSR [18:23]
kfox1111: ok. [18:24]
kfox1111: now, here's one more crazy one... [18:24]
kfox1111: they want another service somewhere that allows creating one time urls where a csr could be uploaded and signed. :/ [18:24]
kfox1111: would that be reasonable to be part of barbican, or do we need yet another service? [18:25]
redrobot: not sure I understand.... [18:26]
kfox1111: ie, heat -> barbican (i need a tmp url for a cert), heat -> nova launch vm with tmp url, vm creates private key, hands csr to tmp url, gets back cert. [18:26]
redrobot: why one-time urls? [18:26]
kfox1111: vm -> keystone I want a token, here's my cert. [18:26]
kfox1111: because they don't want to change the metadata server/config drive and passing a cert through userdata is bad. :/ [18:26]
kfox1111: just exploring alternate workflows on their insistence. [18:27]
kfox1111: the advantage of a tmp url is that it be made to work only once. [18:27]
kfox1111: so if it's done through a semi insecure channel, it's ok. [18:27]
redrobot: hmm... I need to think about it more... I'll catch up on the nova spec. [18:29]
kfox1111: and the recent nova logs. we just had a very long conversation a few minutes ago about it. :/ [18:30]
kfox1111: we got all the way up to the point where we have the chicken and egg problem, and then john had to go. :/ [18:30]
kfox1111: but there is a lot of pushback on the spec now about why not another service instead of changing nova. [18:32]
kfox1111: this stuff's killing me. :/ [18:32]
rm_work: kfox1111: i believe this is a case of "welcome to OpenStack" :P [19:44]
elmiko: hey barbicaneers, could someone help me understand the bin/barbican-keystone-listener.py, is that file still used? [20:01]
openstackgerrit: Arun Kant proposed openstack/barbican: Fix for admin and creator user access for secret/container read calls https://review.openstack.org/196227 [20:09]
arunkant: elmiko, yes...that is used for listening keystone project delete events [20:09]
elmiko: arunkant: ah, ok. [20:10]
arunkant: when the listener configuration is enabled in barbican configuration and assuming keystone is generating events [20:10]
elmiko: this is for when barbican is using keystone to do token validation? [20:11]
elmiko: arunkant: ok, i think i understand ;) [20:13]
elmiko: thanks [20:13]
arunkant: It's not related to keystone token validation anyway. If barbican is not using keystone, not sure if there is any benefit of listening for project delete happening on keystone side [20:14]
elmiko: yea [20:14]
elmiko: i'm just doing some cleanup on the fedora packaging attempt, and trying to understand some of these extra files [20:15]
elmiko: like barbican-worker.py as well [20:15]
arunkant: that's worker thread/processes for async order processing [20:15]
elmiko: ok, cool. i figured it was something like that =) [20:16]
elmiko: hey xaeth, i'm just running through some tests on a patch that i hope to send your way soon =) [20:22]
xaeth: elmiko, awesome [20:22]
elmiko: i also talked with the rdo folks, and they are ok with requiring uwsgi for the first version of this [20:23]
xaeth: fair enough, should be fairly easy [20:23]
elmiko: yea, i hope so [20:24]
elmiko: jkf was nice enough to share a systemd file that incorporates the uwsgi stuff [20:24]
xaeth: sweet [20:25]
xaeth: elmiko, do you know where my spec file is kewl? [20:27]
xaeth: err is kept [20:27]
xaeth: or are you just extracting from the srpm [20:27]
elmiko: xaeth: i got it here https://github.com/gregswift/barbican-spec/blob/master/openstack-barbican.spec [20:28]
elmiko: is that accurate? [20:28]
xaeth: yep, kew [20:28]
elmiko: awesome [20:28]
elmiko: i just need to brush up on my systemd a bit ;) [20:30]
arunkant: dave-mccowan: Added change for ACL bug fix .. https://review.openstack.org/196227 . Have a look when you get the chance [20:32]
dave-mccowan: arunkant thanks. how strongly do you feel about changing creator_only to project_access_disabled ? i think "creator_only" is more clear, since it explains what "project access disabled" does. [20:53]
dave-mccowan: arunkant, ironically, when the flag was "creator-only", i named the test cases "private". when the flag changed to "project-access", i changed the test cases to "creator_only". :-) [21:00]
chellygel: can i get a +1 workflow? https://review.openstack.org/#/c/193698/ [21:32]
openstackgerrit: OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/194830 [21:46]
openstackgerrit: John Vrbanac proposed openstack/barbican: Adding script for rewrapping p11 KEKs https://review.openstack.org/196270 [22:43]
