Thursday, 2015-07-30

« Wednesday, 2015-07-29 Index Friday, 2015-07-31 »
*** dimtruck is now known as zz_dimtruck00:53
*** h00327910__ has joined #openstack-barbican00:58
*** vivek-ebay has quit IRC01:12
*** vivek-ebay has joined #openstack-barbican01:12
*** chlong has joined #openstack-barbican01:29
*** SheenaG has joined #openstack-barbican01:46
*** SheenaG has quit IRC01:56
*** mixos has joined #openstack-barbican01:56
openstackgerritArun Kant proposed openstack/python-barbicanclient: Adding ACL support in barbican client.  https://review.openstack.org/20669902:01
*** mixos has left #openstack-barbican02:03
madhurialee, Hi, are you there?02:09
madhuriHi I have an use case of storing cert, key, ca cert in Barbican02:12
redrobothi madhuri02:13
madhuriI see certificate container in Barbican02:13
madhuriHi redrobot02:13
madhuriHappy to hear from you02:13
madhuriI have few queries about certificate container02:14
madhuriredrobot, Could you please help me out?02:14
redrobotmadhuri I can try02:14
madhuriOk so  I have an use case of storing cert, key, ca cert in Barbican02:14
madhuriI created three secrets with it02:15
madhuriAnd the stored in certificate container02:15
madhuriMy question is like certificate container have certificate, private_key, public_key and intermediates02:16
madhuriSo I have stored certificate, private_key but is it OK to store ca cert as intermediates02:16
madhuriBecause I see no option for it02:16
madhuriAnd even if it is useful to use container or not?02:17
redrobotmadhuri hmm... interesting.02:17
redrobotmadhuri are you using self-signed certificates, I assume?02:17
madhuriIt seems logically good to create container but it is increasing the no of API calls to barbican02:17
redrobotmadhuri sorry, I should ask, what CA are you using?02:17
madhuriyes self signed02:18
redrobotmadhuri and the client who needs the cert does not have the CA root?02:18
madhuriYes02:19
redrobotmadhuri I can't remember off the top of my head what the format of the intermediaries should be02:21
redrobotmadhuri hang on a sec...02:21
madhuriOk sure02:21
*** vivek-ebay has quit IRC02:26
redrobotmadhuri ok, sorry, I had to look that up real quick02:29
redrobotmadhuri so for the intermediates, we're expecting a PCKS#7 file02:29
redrobotmadhuri which can include the root02:29
redrobotmadhuri if the only certs in the chain are root->client, then you only need to upload the root once02:29
redrobotmadhuri and you can re-use the same ref for all containers you create02:30
madhuriOk that sounds good02:30
madhuriOk so now is it really useful to create containers?02:31
redrobotwith our current API you'll still need to make a separate call to retrieve the root cert02:31
madhuriredrobot, I create 3 secret, fetch 3 secret and then create a container02:31
madhuriredrobot, And similary to fetch certs, I have to fetch container and then fetch secret02:32
madhuriredrobot, So my question is what advantage is in using container?02:32
redrobotmadhuri are you provisioning these certs out of band, or are you submitting an Order to barbican?02:32
madhuriNot order02:32
madhuriI am creating my own certificates02:33
redrobotmadhuri I see.02:33
madhuriOrder returns a container ref02:33
madhuriThat sounds reasonable02:33
redrobotwhen you use an order, barbican creates the container for you, so you only need to store the container_ref02:34
redrobotbut if you create your own certs, then you have to build the container yourself.  at that point the only benefit is that the association is stored in barbican02:35
redrobotso, if you create your own container, you only have to store the container ref02:35
redrobotbut, if you don't mind storing the 3x secret_ref yourself, then container doesn't really do much for you02:36
madhuriI agree about the certificate association but this seems not much relevant in my case where I am creating the secrets myself02:36
*** mixos has joined #openstack-barbican02:37
redrobotmadhuri indeed.  you'll have to store the 3 secret refs, and label each one as cert, key, and root.   But if you don't mind storing that for each cert, then you don't need a container.02:37
madhuriredrobot, I see.02:39
madhuriThanks for the help02:39
redrobotmadhuri you're welcom02:39
redrobot*welcome02:39
madhuri:)02:39
madhuriI will be back again with my questions02:39
redrobotmadhuri I'll be around for another couple of hours (late night) so let me know if you have any other questions.02:39
madhuriSure. Thanks redrobot02:40
*** nelsnelson has quit IRC02:45
*** nelsnelson has joined #openstack-barbican02:53
*** woodster_ has quit IRC03:14
*** kebray has joined #openstack-barbican03:21
*** dave-mccowan has quit IRC03:34
rm_workmadhuri: yes, the container is useful if you want to pass that data to other services that know how to deal with cert-containers, like LBaaS03:37
rm_workor VPNaaS/FWaaS eventually03:37
rm_workand one of these days i'd love to see it be possible to easily give a cert reference to say, a heat template for an apache server03:38
*** jamielennox|away is now known as jamielennox03:47
*** vivek-ebay has joined #openstack-barbican03:49
*** jamielennox is now known as jamielennox|away04:33
jkfredrobot: still around?04:39
openstackgerritAde Lee proposed openstack/python-barbicanclient: Add ability to add and list CAs  https://review.openstack.org/20729304:57
*** vivek-eb_ has joined #openstack-barbican05:06
*** vivek-ebay has quit IRC05:08
*** vivek-eb_ has quit IRC05:37
*** Nirupama has joined #openstack-barbican05:56
*** kebray has quit IRC06:20
*** shohel has joined #openstack-barbican06:23
*** david-lyle has quit IRC06:43
*** david-lyle has joined #openstack-barbican06:49
*** nickrmc83 has joined #openstack-barbican06:58
openstackgerritJason Fritcher proposed openstack/barbican-specs: Blueprint defining healthcheck API endpoint.  https://review.openstack.org/20731707:02
*** chlong has quit IRC07:25
-openstackstatus- NOTICE: Our CI system is broken again today, jobs are not getting processed at all.07:39
*** ChanServ changes topic to "Our CI system is broken again today, jobs are not getting processed at all."07:39
-openstackstatus- NOTICE: CI system is broken and very far behind. Please do not approve any changes for a while.07:49
*** ChanServ changes topic to "CI system is broken and very far behind. Please do not approve any changes for a while."07:49
*** jamielennox|away is now known as jamielennox07:57
*** ChanServ changes topic to "OpenStack Barbican development"08:58
-openstackstatus- NOTICE: CI is back online but has a huge backlog. Please be patient and if possible delay approving changes until it has caught up.08:58
*** tkelsey has joined #openstack-barbican08:58
*** chlong has joined #openstack-barbican09:07
*** jamielennox is now known as jamielennox|away09:25
*** ig0r_ has joined #openstack-barbican09:32
*** mmdurrant has quit IRC10:09
*** darrenmoffat has quit IRC10:26
*** darrenmoffat has joined #openstack-barbican10:26
*** shohel has quit IRC10:35
*** shohel has joined #openstack-barbican10:36
openstackgerritDaniel Tadrzak proposed openstack/barbican: Order Object  https://review.openstack.org/20301410:52
DTadrzakHello guys, Could take a look on my proposition on Version Obj in Barbican. This is only outline of whole process. But it will be nice to have any feedback from you. There you can find a specs: https://review.openstack.org/#/c/174318/. I hope that you give me any feedback :11:01
DTadrzak:) Links to my commits: https://review.openstack.org/#/c/202141/ https://review.openstack.org/#/c/203014/ Thanks!11:01
*** mmdurrant has joined #openstack-barbican11:58
*** jaosorior has joined #openstack-barbican12:19
*** jamielennox|away is now known as jamielennox12:35
*** peter-hamilton has joined #openstack-barbican12:37
*** Nirupama has quit IRC12:39
*** mixos has quit IRC12:40
*** zz_dimtruck is now known as dimtruck12:53
*** alee_ has quit IRC12:54
*** alee has quit IRC12:54
*** jamielennox is now known as jamielennox|away13:06
*** rellerreller has joined #openstack-barbican13:06
*** ig0r_ has quit IRC13:10
*** ig0r_ has joined #openstack-barbican13:16
*** woodster_ has joined #openstack-barbican13:24
*** shohel has quit IRC13:27
*** ig0r_ has quit IRC13:31
*** SheenaG has joined #openstack-barbican13:35
*** kfarr has joined #openstack-barbican13:39
*** alee has joined #openstack-barbican13:45
aleejaosorior, please take a look at https://review.openstack.org/#/c/207293/ when you have time13:51
*** shohel has joined #openstack-barbican13:54
jaosoriorHey guys/gals I would really appreciate a review for this CR https://review.openstack.org/#/c/206553/ it's an attempt to fix the failing barbican-tip gate in pecan14:01
*** spotz_zzz is now known as spotz14:01
aleejaosorior, whats the status of the dogtag gate and backport?14:05
jaosorioralee: Haven't figured out how to fix the devstack gate. I've asked for support from hockeynut and redrobot.14:06
hockeynutwill spend some time on that this morning14:06
jaosoriorthe docs gate and the py27 gate are fixed by this CR though https://review.openstack.org/#/c/205059/14:07
aleejaosorior, so the gate in general is broken now?  not just the dogtag one?14:07
jaosoriorIMO this issue is pretty bad. It means that anyone that tries the stable/kilo code can't run the unit tests. And also that we can't commit any patch there since 3 voting gates are broken14:07
jaosorioralee: Yes, it is generally broken. Which is why it's taking so long14:08
aleejaosorior, this is just on stable/kilo that things are broken?14:08
jaosoriorjust stable/kilo14:09
jaosorioralee: Is there a reference to the documentation of the CAs interface14:09
*** dimtruck is now known as zz_dimtruck14:09
jaosoriorI've been trying to see how the meta looks like in the response, when you get the info of a ca. But I haven't found it14:10
redrobotjaosorior I'll take a look at it if you rebase https://review.openstack.org/#/c/206198/14:10
*** pglass has joined #openstack-barbican14:10
aleejaosorior, I dont think that documentation has been added yet.  there is a little in the cert api documentation/quickstart14:10
aleejaosorior, guess I need another cr for ca interface documentation14:10
aleejaosorior, you'll also see what it looks like when I add the tests14:11
*** nickrmc83 has quit IRC14:11
*** spotz is now known as spotz_zzz14:13
*** Kevin_Bishop has joined #openstack-barbican14:13
jaosoriorredrobot: rebased14:13
*** spotz_zzz is now known as spotz14:19
jaosorioranyway, again, a review to this CR would be greatly appreciated: https://review.openstack.org/#/c/205059/14:24
*** peter-hamilton has quit IRC14:26
*** zz_dimtruck is now known as dimtruck14:27
redrobotrm_work you need a pycharm renewal?14:27
jaosoriorDamn, I meant this CR https://review.openstack.org/#/c/207293/14:28
jaosorioruuh14:28
jaosoriorthis https://review.openstack.org/#/c/206553/ I have no idea why I failed to put the correct CR two times in a row14:28
jaosoriorI think I need coffee14:29
*** ig0r_ has joined #openstack-barbican14:32
*** edtubill has joined #openstack-barbican15:02
*** silos has joined #openstack-barbican15:02
*** ig0r_ has quit IRC15:03
*** ig0r__ has joined #openstack-barbican15:04
*** nickrmc83 has joined #openstack-barbican15:05
*** ig0r__ has quit IRC15:09
*** ig0r_ has joined #openstack-barbican15:09
*** ig0r__ has joined #openstack-barbican15:13
*** ig0r__ has quit IRC15:15
*** ig0r_ has quit IRC15:15
*** diazjf has joined #openstack-barbican15:15
*** vivek-ebay has joined #openstack-barbican15:16
*** kebray has joined #openstack-barbican15:21
jvrbanacjaosorior, coffee is always a good idea :D15:27
*** vivek-ebay has quit IRC15:27
aleehey everyone -- don't forget to vote for openstack barbican talks !15:30
aleeI think voting ends today ..15:31
jaosorioralee: pass the links :O15:32
aleejaosorior, https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/Presentation/5546  for one ..15:32
redrobotBarbican Support of Multi-Tenant Key Lifecycle Management https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/437415:33
redrobot^^ no idea who's presenting that15:33
redrobotEncrypting Data at Rest https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/445315:34
*** SheenaG has left #openstack-barbican15:34
redrobotTLS Auth in Magnum https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/489415:34
redrobotKMIP in OpenStack https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/509115:35
*** xaeth_afk is now known as xaeth15:35
redrobotHA Barbican https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/515115:35
redrobotTesting your Barbican Deployment https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/518215:36
redrobotBarbican Backend comparisons https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/554615:36
redrobotWhy aren't you a Barbicaneer https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/602415:36
redrobotBarbican Threat Modeling https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/603915:37
redrobotSecuring the Fortress with Barbican at Symantec https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/652815:37
*** chadlung has joined #openstack-barbican15:39
jaosoriorvoted15:40
elmikothat's a good batch of barbican talks =)15:42
*** arun_kant has quit IRC15:42
redrobotelmiko indeed!15:42
aleejaosorior, thanks -- everyone else, vote early and often!15:45
elmikovoted, good luck all!15:46
*** ig0r_ has joined #openstack-barbican15:53
kfarrIn addition to the KMIP one, APL also has one about image security.  Once implemented, the feature will utilize Castellan for key management https://www.openstack.org/summit/tokyo-2015/vote-for-speakers/presentation/474915:54
*** woodster_ has quit IRC15:55
*** jaosorior has quit IRC15:55
*** DuncanT has quit IRC15:55
*** h00327910__ has quit IRC15:55
*** rellerreller has quit IRC15:56
*** nickrmc83 has quit IRC15:58
*** kfarr has quit IRC15:59
*** arunkant_ has joined #openstack-barbican16:05
*** silos1 has joined #openstack-barbican16:21
*** chadlung has quit IRC16:21
*** chadlung has joined #openstack-barbican16:21
*** chadlung has quit IRC16:24
*** chadlung has joined #openstack-barbican16:24
*** silos has quit IRC16:24
*** chadlung has quit IRC16:26
*** jaosorior has joined #openstack-barbican16:27
*** chadlung has joined #openstack-barbican16:27
*** chadlung has quit IRC16:31
*** chadlung has joined #openstack-barbican16:32
*** woodster_ has joined #openstack-barbican16:33
*** vivek-ebay has joined #openstack-barbican16:36
jkfIf anyone has a few minutes, I'd love to get some feedback on a spec I bp I submitted last night about adding a healthcheck endpoint to the API. https://review.openstack.org/#/c/207317/16:38
* jkf obviously needs more caffination.16:39
*** chadlung has quit IRC16:40
*** chadlung has joined #openstack-barbican16:40
*** DuncanT has joined #openstack-barbican16:43
jaosoriorjvrbanac, redrobot, alee: Could you review this? https://review.openstack.org/#/c/206553/  it's an attempt to get the barbican gate in the pecan repo passing16:46
jvrbanacjaosorior, +2ed16:49
jaosoriorjvrbanac: Thanks dude :D16:50
*** chadlung has quit IRC16:58
*** chadlung has joined #openstack-barbican16:59
*** chadlung has quit IRC17:01
*** chadlung has joined #openstack-barbican17:02
*** chadlung has quit IRC17:04
*** chadlung has joined #openstack-barbican17:05
*** h00327910__ has joined #openstack-barbican17:08
*** chadlung has quit IRC17:10
*** SheenaG has joined #openstack-barbican17:10
*** chadlung has joined #openstack-barbican17:11
*** chadlung has quit IRC17:16
*** chadlung has joined #openstack-barbican17:17
*** chadlung has quit IRC17:19
*** chadlung has joined #openstack-barbican17:20
rm_workredrobot: lol yes i do17:24
redrobotrm_work cool, adding you to the head count.  they're doing per-user licenses now.17:26
rm_workoh wat :/17:29
rm_workyeah my license just complained at me when i woke up17:29
rm_workso when do new licenses go out? :/17:30
redrobotrm_work yep, sorry...  hoping to get a tally today.  will send them out as soon as I get them... maybe tomorrowish?17:30
rm_workkk17:30
*** chadlung has quit IRC17:31
*** chadlung has joined #openstack-barbican17:31
*** chadlung has quit IRC17:34
*** chadlung has joined #openstack-barbican17:35
*** shohel has quit IRC17:36
*** diazjf has quit IRC17:37
*** chadlung has quit IRC17:42
*** chadlung has joined #openstack-barbican17:43
*** chadlung has quit IRC17:46
*** chadlung has joined #openstack-barbican17:47
*** diazjf has joined #openstack-barbican17:49
*** chadlung has quit IRC17:53
*** chadlung has joined #openstack-barbican17:54
openstackgerritFernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation  https://review.openstack.org/20720217:55
*** chadlung has quit IRC17:58
*** chadlung has joined #openstack-barbican17:59
*** chadlung has quit IRC18:03
*** silos1 has left #openstack-barbican18:04
*** chadlung has joined #openstack-barbican18:05
*** chadlung has quit IRC18:06
ryanpetrelloanybody willing to give a +A on https://review.openstack.org/#/c/206553/  :\?18:08
ryanpetrelloI'm stuck on this w/ some pecan changes18:08
redrobotryanpetrello done18:12
ryanpetrello\o/ thanks18:13
rm_workredrobot: https://review.openstack.org/191884  https://review.openstack.org/20322718:18
rm_workredrobot: +A plox18:18
rm_workah rellerreller had a problem with one of those18:19
rm_workbut the other is g2g18:19
*** tkelsey has quit IRC18:19
redrobotrm_work the first one in the chain has a problem, so I'll wait until that's resolved18:19
rm_workoh didn't notice that's actually a chain18:20
rm_worklol18:20
redrobotrm_work also have a long queue of things to do today :(18:20
rm_workguess that makes it easier in terms of needing refactors18:20
*** ig0r__ has joined #openstack-barbican18:25
*** kfarr has joined #openstack-barbican18:27
*** arun_kant has joined #openstack-barbican18:31
*** jraim_ has joined #openstack-barbican18:31
*** briancurtin_ has joined #openstack-barbican18:31
*** briancurtin has quit IRC18:34
*** jraim has quit IRC18:34
*** alee has quit IRC18:34
*** arunkant_ has quit IRC18:34
*** briancurtin_ is now known as briancurtin18:34
*** kfarr has quit IRC18:35
*** alee has joined #openstack-barbican18:35
*** jraim_ is now known as jraim18:35
*** ig0r_ has quit IRC18:50
openstackgerritMerged openstack/barbican: Flatten exceptions used in policy tests  https://review.openstack.org/20655318:52
*** ig0r_ has joined #openstack-barbican19:04
*** chadlung has joined #openstack-barbican19:05
ryanpetrelloso jaosorior that patch doesn't seem to have resolved my issue :\19:06
ryanpetrellohttps://travis-ci.org/pecan/pecan/jobs/7343463119:06
*** kebray has quit IRC19:08
*** everjeje has quit IRC19:12
jaosoriorryanpetrello: well, fuck :/ but now I can't reproduce it in my local environment... gotta figure something else out19:13
openstackgerritFernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation  https://review.openstack.org/20720219:13
ryanpetrellobleh19:13
ryanpetrellolemme try running it once more19:13
ryanpetrellomaybe it just hadn't merged yet19:13
*** kfarr has joined #openstack-barbican19:17
jaosoriorryanpetrello: I'll keep looking into it later19:19
openstackgerritAde Lee proposed openstack/barbican-specs: Add CA enrollment templates spec added  https://review.openstack.org/12937719:20
aleejaosorior, redrobot -- can we get eyes on the above please ^^19:21
aleeif we want to try and get the spec in this cycle19:21
aleewoodster_, ^^19:21
aleejaosorior, redrobot as I recall it only had minor updates pending19:22
redrobotalee you just bumped yourself to the top of my queue :)19:22
aleeredrobot, excellent19:22
*** openstackgerrit has quit IRC19:46
*** openstackgerrit has joined #openstack-barbican19:47
*** SheenaG has quit IRC19:53
*** ig0r_ has quit IRC19:56
*** silos1 has joined #openstack-barbican20:00
openstackgerritAde Lee proposed openstack/barbican-specs: Added spec for copy constructor for secrets and containers  https://review.openstack.org/12782320:04
aleeredrobot, ^^20:04
aleejaosorior, ^^20:04
aleeelmiko, ^^20:04
jaosorioralee: remind me tomorrow. I'm beering20:05
aleejaosorior, no licorice ?20:06
*** arun_kant has quit IRC20:12
elmikoalee: ack20:13
aleeelmiko, thanks20:13
aleeredrobot, I'm still at the top of your queue, right?20:14
redrobotalee yep20:15
*** openstackgerrit has quit IRC20:16
*** openstackgerrit has joined #openstack-barbican20:17
*** tkelsey has joined #openstack-barbican20:17
openstackgerritJason Fritcher proposed openstack/barbican-specs: Blueprint defining healthcheck API endpoint.  https://review.openstack.org/20731720:19
*** tkelsey has quit IRC20:22
openstackgerritKevin Bishop proposed openstack/barbican: Add PUT support for generic container types  https://review.openstack.org/20724920:36
*** Kevin_Bishop has quit IRC20:44
openstackgerritFernando Diaz proposed openstack/barbican: Add Controller to handle GET and POST request for KMIP device creation  https://review.openstack.org/20720220:46
*** openstackgerrit has quit IRC20:46
*** openstackgerrit has joined #openstack-barbican20:47
*** SheenaG has joined #openstack-barbican20:52
diazjfredrobot ping20:53
*** jamielennox|away is now known as jamielennox20:57
*** kebray has joined #openstack-barbican20:58
*** woodster_ has quit IRC21:00
*** openstack has joined #openstack-barbican21:08
*** openstack has joined #openstack-barbican21:08
*** xaeth is now known as xaeth_afk21:21
*** kfarr has joined #openstack-barbican21:22
*** silos1 has left #openstack-barbican21:33
*** edtubill has left #openstack-barbican21:39
*** diazjf has left #openstack-barbican21:41
*** kfarr has quit IRC21:41
*** ig0r__ has quit IRC21:51
*** chadlung has quit IRC21:51
*** chadlung has joined #openstack-barbican21:51
*** chadlung has quit IRC21:54
*** chadlung has joined #openstack-barbican21:55
*** chadlung has quit IRC22:03
*** alee has joined #openstack-barbican22:11
*** SheenaG has quit IRC22:11
*** SheenaG has joined #openstack-barbican22:12
*** jamielennox is now known as jamielennox|away22:15
*** SheenaG has quit IRC22:26
*** kebray has quit IRC22:29
*** dimtruck is now known as zz_dimtruck22:43
*** jaosorior has quit IRC22:44
*** pglass has quit IRC22:52
*** tkelsey has joined #openstack-barbican23:05
*** tkelsey has quit IRC23:09
*** zz_dimtruck is now known as dimtruck23:22
*** spotz is now known as spotz_zzz23:28
Guest72363hi23:49
Guest72363I am using DevStack to also install Barbican.  stack.sh completes, however I do not see Barbican running (other services are running fine)23:51
*** nelsnelson has quit IRC23:56
« Wednesday, 2015-07-29 Index Friday, 2015-07-31 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!