*** vivek-ebay has quit IRC | 00:06 | |
*** vivek-ebay has joined #openstack-barbican | 00:20 | |
*** su_zhang has quit IRC | 00:40 | |
*** vivek-ebay has quit IRC | 00:42 | |
*** chlong has joined #openstack-barbican | 00:42 | |
*** zz_dimtruck is now known as dimtruck | 01:20 | |
*** dimtruck is now known as zz_dimtruck | 01:21 | |
*** zz_dimtruck is now known as dimtruck | 01:22 | |
*** vivek-ebay has joined #openstack-barbican | 01:43 | |
*** dimtruck is now known as zz_dimtruck | 01:45 | |
*** vivek-ebay has quit IRC | 01:47 | |
*** su_zhang has joined #openstack-barbican | 02:06 | |
*** kebray has joined #openstack-barbican | 02:19 | |
*** mragupat has joined #openstack-barbican | 02:34 | |
*** mragupat_ has joined #openstack-barbican | 02:35 | |
*** mragupat has quit IRC | 02:39 | |
*** everjeje has quit IRC | 02:42 | |
*** vivek-ebay has joined #openstack-barbican | 02:52 | |
*** mragupat_ has quit IRC | 02:56 | |
*** su_zhang has quit IRC | 03:05 | |
*** vivek-ebay has quit IRC | 03:10 | |
*** vivek-ebay has joined #openstack-barbican | 03:28 | |
*** vivek-eb_ has joined #openstack-barbican | 03:33 | |
*** vivek-ebay has quit IRC | 03:34 | |
*** su_zhang has joined #openstack-barbican | 04:11 | |
*** vivek-eb_ has quit IRC | 04:32 | |
*** vivek-ebay has joined #openstack-barbican | 04:32 | |
openstackgerrit | John Wood proposed openstack/barbican: Add missing X-xxxx HTTP headers to the unauth context https://review.openstack.org/225455 | 04:38 |
---|---|---|
*** Nirupama has joined #openstack-barbican | 04:42 | |
*** vivek-eb_ has joined #openstack-barbican | 05:11 | |
*** vivek-ebay has quit IRC | 05:11 | |
*** vivek-eb_ has quit IRC | 05:37 | |
*** edtubill has joined #openstack-barbican | 05:54 | |
*** kebray has quit IRC | 06:11 | |
*** edtubill has quit IRC | 06:38 | |
*** shohel has joined #openstack-barbican | 06:46 | |
*** su_zhang has quit IRC | 06:48 | |
*** jamielennox is now known as jamielennox|away | 07:09 | |
*** chlong has quit IRC | 07:17 | |
rm_work | BTW https://review.openstack.org/#/c/220370/ just merged so let me know if anyone sees gate issues | 07:38 |
rm_work | redrobot: ^^ | 07:38 |
*** tkelsey has joined #openstack-barbican | 07:57 | |
*** su_zhang has joined #openstack-barbican | 08:06 | |
*** su_zhang has quit IRC | 08:10 | |
*** shohel has quit IRC | 08:16 | |
*** shohel has joined #openstack-barbican | 08:18 | |
*** jaosorior has joined #openstack-barbican | 08:30 | |
*** chlong has joined #openstack-barbican | 08:44 | |
*** darrenmoffat has quit IRC | 08:44 | |
*** darrenmoffat has joined #openstack-barbican | 08:45 | |
*** lisaclark has quit IRC | 08:53 | |
*** lisaclark_ has quit IRC | 08:53 | |
*** shohel has quit IRC | 08:55 | |
*** shohel has joined #openstack-barbican | 08:56 | |
*** tkelsey has quit IRC | 08:59 | |
*** lisaclark has joined #openstack-barbican | 09:32 | |
*** lisaclark_ has joined #openstack-barbican | 09:32 | |
*** shohel has quit IRC | 09:34 | |
*** shohel has joined #openstack-barbican | 09:34 | |
*** jaosorior has quit IRC | 10:55 | |
*** jaosorior has joined #openstack-barbican | 10:55 | |
*** shohel has quit IRC | 11:04 | |
*** shohel has joined #openstack-barbican | 11:04 | |
*** shohel has quit IRC | 12:01 | |
*** jaosorior has quit IRC | 12:02 | |
*** shohel has joined #openstack-barbican | 12:02 | |
*** jaosorior has joined #openstack-barbican | 12:02 | |
zigo | Hi there! | 12:16 |
zigo | Is Barbican working well with Falcon 3.0.0? | 12:16 |
zigo | The package maintainer of Mailman wishes me to upload version 3.0.0 to Debian (as Mailman 3 uses Falcon 3.0.0). | 12:17 |
zigo | redrobot: ^ | 12:17 |
*** haypo has joined #openstack-barbican | 12:26 | |
openstackgerrit | Victor Stinner proposed openstack/barbican: py3: Fix python34 check job https://review.openstack.org/225653 | 12:36 |
haypo | hi! does anyone work on the python 3 support in Barbican? | 12:37 |
haypo | i found a first change written by Pradeep Kumar Singh | 12:37 |
openstackgerrit | Victor Stinner proposed openstack/barbican: py3: Fix python34 check job https://review.openstack.org/225653 | 12:37 |
haypo | oh, there is a blueprint, cool. i linked my change to it: | 12:38 |
haypo | ^^ | 12:38 |
*** dave-mccowan has joined #openstack-barbican | 12:40 | |
jaosorior | haypo: There are a bunch of commits from Pradeep that are pending review. So the work is on-going | 12:44 |
haypo | jaosorior: cool | 12:45 |
jaosorior | haypo: I'll try to poke people to see if we could get those to land soon. | 12:45 |
haypo | jaosorior: i propose a change to add a non-voting python34 check job, https://review.openstack.org/#/c/225654/ | 12:46 |
haypo | jaosorior: later, we should make it voting to avoid python 3 regressions (if you are ok with that) | 12:46 |
jaosorior | But, of course, if you can help out both reviewing and coding, it would be greatly appreciated | 12:47 |
jaosorior | haypo: Anyway, if you come up with patches, feel free to ping me and I'll review. I'm pretty interested in that work | 12:50 |
jaosorior | haypo: +1ed the gate job CR | 12:51 |
haypo | jaosorior: really? great :-) did you read http://techs.enovance.com/7807/python-3-status-openstack-liberty ? | 12:51 |
jaosorior | haypo: I haven't; checking it out | 12:51 |
jaosorior | dave-mccowan: ping | 12:53 |
haypo | jaosorior: forget my change, please approve https://review.openstack.org/#/c/219123/ instead (it already has two +2) | 12:53 |
haypo | jaosorior: well, i don't know your status on the feature freeze. i don't know the barbican project at all :-) but it doesn't look to have stable branches yet | 12:54 |
dave-mccowan | haypo jaosorior i've looked through Pradeep's patches. they look good and get us close to running with py3. one problem, is most of our cores aren't familiar with py2/3 compatibility stuff. if you're reviewing those, it would be great if you would add comments with pointers on why each change is done. it would help us review and approve those. | 12:54 |
jaosorior | haypo: Well, there is still some work we would like to get into this release. | 12:54 |
jaosorior | dave-mccowan: Got a +1 for this one? https://review.openstack.org/#/c/225654/ | 12:55 |
haypo | dave-mccowan: FYI i'm working on the https://wiki.openstack.org/wiki/Python3 wiki page since 1 or 2 years. it may answer to some of you questions, especially the "Common patterns" section | 12:55 |
dave-mccowan | haypro good stuff. i have it book marked and i've been looking at that as I've reviewed the patches. :-) | 12:56 |
dave-mccowan | jaosorior, haypo i think py3 should be the first thing we finish for Mitaki milestone1. we already have too many moving parts for Liberty Release. | 12:59 |
haypo | i will review pradeep patches, but later. right now, i'm checking the status of *each* openstack project | 12:59 |
haypo | dave-mccowan: no problem to wait for Mitaki milestone1 | 12:59 |
haypo | dave-mccowan: i know well the problem is making the code stable ;) | 13:00 |
haypo | more change = more bugs | 13:00 |
haypo | in th python3 wiki page, i see that python-barbicanclient works on python3. cool :) | 13:02 |
haypo | it's a good start | 13:02 |
alee | dave-mccowan, ping | 13:03 |
alee | dave-mccowan, morning - https://review.openstack.org/#/c/224126 is waiting for you to +2 and +W it. | 13:04 |
dave-mccowan | alee done. | 13:05 |
alee | awesome | 13:05 |
alee | dave-mccowan, looking at your follow on patch now | 13:05 |
dave-mccowan | alee, jaosorior: here's a list of patches to review: https://etherpad.openstack.org/p/barbican_cas_todo_list | 13:06 |
jaosorior | dave-mccowan: Thanks for the link. Will check em out | 13:07 |
alee | dave-mccowan, thanks dave-mccowan - going through them | 13:17 |
openstackgerrit | Dave McCowan proposed openstack/barbican: Combine exit codes of the two functional test runs https://review.openstack.org/225506 | 13:19 |
openstackgerrit | Merged openstack/barbican: Replace dict.iteritems() with dict.items() https://review.openstack.org/219123 | 13:28 |
*** woodster_ has joined #openstack-barbican | 13:33 | |
*** kfarr has joined #openstack-barbican | 13:35 | |
*** Nirupama has quit IRC | 13:40 | |
woodster_ | alee, dave-mccowan , jaosorior : can you guys take a look at this tiny CR?: https://review.openstack.org/#/c/225455/ | 13:45 |
openstackgerrit | Merged openstack/barbican: Fix ca related controllers https://review.openstack.org/224126 | 13:45 |
dave-mccowan | woodster_ I think to be complete you'll also need X-Role-Id | 13:46 |
dave-mccowan | woodster_ with a couple Liberty features, there is now a service-admin in addition to admin, with different permissions. | 13:47 |
jaosorior | woodster_: Sure | 13:47 |
woodster_ | dave-mccowan: So we handle X-Role-Ids (plural) a few lines above the changes I put in...but is X-Role-Id different? | 13:48 |
alee | dave-mccowan, reviewed the latest global ca patch | 13:48 |
woodster_ | dave-mccowan: as for the service-admin are you ok with that being a different CR than this one? | 13:49 |
jaosorior | woodster_: I remember there were some functional tests for unauth context. Why not add some tests there? | 13:49 |
*** haypo has left #openstack-barbican | 13:50 | |
alee | dave-mccowan, I dont understand your question on line 30 in https://etherpad.openstack.org/p/barbican_cas_todo_list | 13:51 |
dave-mccowan | alee on Friday we talked about what GET /preferred/ should return. A list, A ref, or an object. We agreed on object, but i think we were wrong. If a user has only the object, he has no good way to get the ref. And, he might need the ref. | 13:52 |
woodster_ | jaosorior: I think unauth context functional tests would require their own gate (to not deploy keystone middleware)? | 13:52 |
*** su_zhang has joined #openstack-barbican | 13:53 | |
jaosorior | woodster_: true. Then we need that gate then. | 13:54 |
jaosorior | woodster_: Do you know if many people are actually using the unauthed context? That is a blocker to start using the openstackCLI | 13:54 |
dave-mccowan | woodster_ nevermind on roles. I see X-roles is already party of context. | 13:54 |
jaosorior | since I haven't figured out how to inject headers with it | 13:55 |
alee | dave-mccowan, when we return an object, do we ever return the ref as a location header? | 13:55 |
alee | jaosorior, woodster_ ^^ | 13:55 |
jaosorior | alee: Which part of the code are you referring to? | 13:55 |
woodster_ | alee, I think we are supposed to be doing that anyway | 13:56 |
alee | jaosorior, in general | 13:56 |
alee | yeah - thats what I thought too -- whether we actually are .. | 13:57 |
jaosorior | alee: Honestly; I have no idea. I know that we should be doing that, but I don't think we are. | 13:57 |
*** edtubill has joined #openstack-barbican | 13:58 | |
woodster_ | jaosorior: you have to provide all the X-xxxx headers manually if you use the un-auth context. We use it here because we have a proxy that sits in front of barbican (repose) | 13:58 |
alee | dave-mccowan, so I think the answer to your question about whether to retrun a list of refs, or a ref or an object, is that we should be returning an object as we agreed and we should be setting the ref in the Location field. | 13:58 |
woodster_ | alee, yeah that should probably be verified in our tests as well | 13:59 |
woodster_ | sounds like a good paper cut :) | 13:59 |
jaosorior | woodster_: I know you have to provide the headers manually; But IIRC you cannot bypass keystone auth in the openstack CLI, which is why we cannot yet replace our CLI with a plugin in the unified openstack cli. | 13:59 |
jaosorior | woodster_: +1 for a papercut | 14:00 |
*** david-ly_ is now known as david-lyle | 14:01 | |
woodster_ | jaosorior: if the openstack CLI is passing keystone tokens to barbican, then we just need to always deploy barbican with the keystone middleware when using that CLI. Are you thinking of non-keystone/auth deployment support then? | 14:01 |
jaosorior | woodster_: yeah, that would be nice | 14:01 |
jaosorior | woodster_: Buuut yeah, this commit has been pending for a while https://review.openstack.org/#/c/198732/ | 14:02 |
woodster_ | jaosorior: why can | 14:03 |
alee | dave-mccowan, woodster_ jaosorior - looks like we manually set the Loaction header in a handful of places. Specifically when creating secrets, orders, subcas | 14:03 |
woodster_ | 't we have both ours and there's until they relax keystone only support? | 14:03 |
jaosorior | woodster_: We could | 14:03 |
jaosorior | woodster_: That's not a blocker for my commit. it's just a blocker for fully using the openstack CLI exclusively | 14:03 |
jaosorior | which is something I would like | 14:04 |
jaosorior | I see no sense in supporting repeated functionality, if it's already there in the openstack cli | 14:04 |
alee | dave-mccowan, you going to amend your preferred ca patch to include the Location header? | 14:04 |
*** spotz_zzz is now known as spotz | 14:04 | |
woodster_ | jaosorior: sounds like we need to talk to their CLI folks then | 14:05 |
jaosorior | well, if someone could take that up in the summit it would be cool. I'm not going :/ | 14:06 |
*** everjeje has joined #openstack-barbican | 14:06 | |
dave-mccowan | alee sounds good. that meets my concerns that 1) user can get the ref, and 2) consistent with 'somthing' :-) | 14:06 |
openstackgerrit | Merged openstack/barbican: Change roles to rules in policy.json file https://review.openstack.org/225509 | 14:07 |
woodster_ | jaosorior: I added a paper cut to create an unauth gate btw. | 14:10 |
jaosorior | woodster_: Excellent :D | 14:10 |
jaosorior | woodster_: By the way, How have you been? | 14:11 |
*** vivek-ebay has joined #openstack-barbican | 14:11 | |
woodster_ | dave-mccowan : if you are ok with deferring the system-admin part of unauth middleware for now, please consider a +2 on https://review.openstack.org/#/c/225455 :) | 14:11 |
dave-mccowan | alee i'd rather start a new patch to add the location field to returned CA object. OK? | 14:12 |
woodster_ | jaosorior: we've been pretty busy over here making a big push for production | 14:12 |
*** nelsnelson has joined #openstack-barbican | 14:12 | |
jaosorior | dave-mccowan: I think starting a new patch is not unreasonable. Keeps the patch shorter and hopefully the adding of the location field merges fairly quickly. | 14:13 |
alee | dave-mccowan, sounds good to me | 14:13 |
jaosorior | woodster_: damn, any idea when things get calmer? | 14:13 |
*** zz_dimtruck is now known as dimtruck | 14:13 | |
dave-mccowan | woodster_ speaking of deployment... when you have a few minutes, i'd really like to learn some best practices on deploying barbican with HA. do you have a something you can post? | 14:14 |
woodster_ | jaosorior: hopefully in the next 2 to 3 weeks it will | 14:17 |
woodster_ | dave-mccowan: I haven't been the most involved in the HA side of things, we we are just planning to use load balancers in front of the API nodes for the most part. We are using postgres for the db, so master/slave with a lb in front of that | 14:18 |
woodster_ | dave-mccowan: HSM is the toughest part, since the safenet driver we use has issues with network outtages. | 14:19 |
*** vivek-ebay has quit IRC | 14:21 | |
*** david-lyle has quit IRC | 14:22 | |
*** rellerreller has joined #openstack-barbican | 14:23 | |
*** pglass has joined #openstack-barbican | 14:24 | |
openstackgerrit | Monty Taylor proposed openstack/castellan: Change ignore-errors to ignore_errors https://review.openstack.org/225722 | 14:24 |
*** david-lyle has joined #openstack-barbican | 14:26 | |
openstackgerrit | Monty Taylor proposed openstack/kite: Change ignore-errors to ignore_errors https://review.openstack.org/225744 | 14:28 |
dave-mccowan | woodster_ i withdraw my comment on system-admin. it's already covered in existing code, a few lines above your patch. | 14:30 |
*** silos has joined #openstack-barbican | 14:31 | |
*** diazjf has joined #openstack-barbican | 14:37 | |
openstackgerrit | Dave McCowan proposed openstack/barbican: Adding Functional Tests and Supporting Fixes for Global Preferred CAs https://review.openstack.org/225387 | 14:49 |
openstackgerrit | Merged openstack/barbican: Add filter to secret list for acl secrets https://review.openstack.org/222328 | 14:53 |
*** xek has quit IRC | 14:53 | |
openstackgerrit | Monty Taylor proposed openstack/python-kiteclient: Change ignore-errors to ignore_errors https://review.openstack.org/225817 | 14:53 |
*** jkf has quit IRC | 14:54 | |
*** jkf has joined #openstack-barbican | 14:54 | |
*** shohel has quit IRC | 14:55 | |
redrobot | good (ugt) mornin' folks | 14:58 |
jaosorior | redrobot: sup duuuuude | 14:58 |
*** jorge_munoz has quit IRC | 14:58 | |
redrobot | ready to review all the things jaosorior | 14:58 |
jaosorior | http://cdn.meme.am/instances/55390489.jpg | 14:59 |
dave-mccowan | redrobot we're keeping a running list here: https://etherpad.openstack.org/p/barbican_cas_todo_list | 14:59 |
*** kebray has joined #openstack-barbican | 15:02 | |
alee | dave-mccowan, on success for the tests, retval returns 0 or 1? | 15:05 |
dave-mccowan | alee 0 is success in bash. | 15:05 |
alee | dave-mccowan, ok commented on that patch. | 15:06 |
dave-mccowan | alee this patch has become important because of all our skipping for parallel tests. if there is a CA or Quotas functional test failure, the gate still passes, since those tests are skipped in the second run. | 15:07 |
openstackgerrit | Dave McCowan proposed openstack/barbican: Combine exit codes of the two functional test runs https://review.openstack.org/225506 | 15:10 |
*** jorge_munoz has joined #openstack-barbican | 15:11 | |
alee | jaosorior, https://review.openstack.org/225387 needs a re-review | 15:13 |
redrobot | alee dave-mccowan seems that's the only showstopper for liberty-rc1 ? | 15:15 |
alee | redrobot, which one? | 15:15 |
redrobot | alee https://review.openstack.org/#/c/225387/ ? | 15:15 |
dave-mccowan | redrobot, alee: i think there are still some CA to-dos that are showstoppers. | 15:15 |
jaosorior | alee: Looks good. Will workflow once it passes the gate | 15:16 |
alee | dave-mccowan, which ones? | 15:16 |
dave-mccowan | alee there are still functional tests that are skipped because they don't pass | 15:16 |
redrobot | dave-mccowan which ones? ... If there's too much stuff outstanding we may want to defer to mitaka .. | 15:16 |
alee | dave-mccowan, right I just +2'd that patch | 15:17 |
alee | redrobot, https://review.openstack.org/#/c/225506 | 15:17 |
alee | redrobot, so how many rc's are we planning on having? | 15:18 |
alee | (and whens the last one?) | 15:18 |
redrobot | alee RCs should be a true Release Candidate | 15:18 |
redrobot | alee if it's known to be broken, we should not cut it | 15:18 |
alee | redrobot, for instance, I would like to get an update to the dogtag plugin to support subcas. But thats not ready yet. But I'm not sure that we want to wait until it is to cut a rc1. | 15:20 |
redrobot | tdink ping | 15:20 |
alee | so where does that leave us for options? | 15:20 |
redrobot | alee would you be OK with that going into Mitaka? | 15:20 |
redrobot | alee RC2+ should be for critical bugs found in the RC1 only | 15:20 |
diazjf | redrobot, dave-mccowan, speaking of Mitaka, any mention yet on the schedule for the fish bowl sessions. | 15:20 |
tdink | redrobot: pong | 15:21 |
jaosorior | alee, redrobot; If we have some support for subCAs already working with some test plugins. I think it's OK. But if we have an RC2 it would be good to get the dogtag plugin in there | 15:21 |
redrobot | tdink just checking on the progress of the content-type bug? | 15:21 |
alee | redrobot, so I'd really like to get it into Liberty. | 15:21 |
tdink | redrobot: didnt get to work on it much on thurs/fri though ti was going to be locked out of test for a longer time, i will look at it today though | 15:21 |
redrobot | alee what's the soonest you could have it ready? ... I have to meet with the relmgr today to get an estimate for RC1 | 15:22 |
alee | redrobot, prob by end of tomorrow | 15:22 |
alee | redrobot, theres a lot to get together on the dogtag side of things | 15:23 |
alee | redrobot, but maybe it makes sense to cut rc1 and then then update for rc2+ | 15:23 |
alee | dave-mccowan, any of the other ca things that are rc1 blockers .. | 15:24 |
dave-mccowan | redrobot question: when rc1 is cut, is that when the branch is split and we have to start double-commits? | 15:24 |
redrobot | dave-mccowan yep, once RC1 is cut, master becomes mitaka | 15:25 |
*** stevemar has joined #openstack-barbican | 15:25 | |
*** stevemar has left #openstack-barbican | 15:25 | |
alee | dave-mccowan, redrobot jaosorior - on the to-do list, things that should go into liberty -- 7, 8 for sure | 15:25 |
* redrobot is looking forward to Juno EOL | 15:25 | |
alee | 5 is a good idea, 2 most likely | 15:26 |
alee | 3 would be great | 15:26 |
redrobot | alee dave-mccowan do we have bugs filed for those bullet points? | 15:26 |
alee | I guess we could always backport fixes to liberty .. | 15:27 |
alee | redrobot, prob not yet | 15:27 |
redrobot | alee dave-mccowan I'll try to push RC1 for a couple of days... hopefully I can get more time from the boss to work on this stuff. | 15:27 |
alee | 7 is practically in - waiting for workflow, 8 is something dave-mccowan is writing a patch for is should be practivcally a one -liner | 15:28 |
alee | dave-mccowan, any chance you can work on either 5 or 2? | 15:29 |
*** chadlung has joined #openstack-barbican | 15:29 | |
alee | and I'll work on 3 .. | 15:29 |
dave-mccowan | alee probably. i can look. what about the to-dos in functional tests: @testtools.skip("Skip test until ca behaviors tracks project cas") | 15:31 |
alee | dave-mccowan, yeah - that would be good to get in but not critical --I happen to know that the functional test works. Its just that it wont be idempotent. | 15:32 |
alee | dave-mccowan, but you've had some experience in getting those working - so if you can get it in - great | 15:33 |
alee | I'll look at 3 and 2/ | 15:33 |
dave-mccowan | i'll see what i can do about 5, 8, and 9 | 15:35 |
dave-mccowan | looks like 9 and 1 might be the same thing | 15:35 |
alee | dave-mccowan, yes they are | 15:44 |
alee | so that will be great thanks .. I'll work on 2 and 3 | 15:44 |
dave-mccowan | alee do you expect #5 to work, or do you expect a bug? | 15:45 |
*** ccneill has joined #openstack-barbican | 15:46 | |
alee | dave-mccowan, I expect it to work I think | 15:49 |
alee | dave-mccowan, let me see .. | 15:50 |
dave-mccowan | dave-mccowan, woodster_ jaosorior back to our ca_ref discussion. it looks like the location header is returned on POST for other objects. Not as part of a GET. | 15:57 |
jaosorior | redrobot: dave-mccowan: Should it be part of get? I didn't think it was needed. | 15:58 |
jaosorior | If you already accessed a resource through GET; It would be implied that you already have the addres, thus you wouldn't need the location | 15:58 |
*** silos1 has joined #openstack-barbican | 15:59 | |
alee | jaosorior, thats true in most cases. But we're looking at things like GET /cas/preferred | 15:59 |
dave-mccowan | jaosorior the use case is: what should GET /cas/preferred return and how? a list, a ref, or an object. if an object, how does the user know his ref. | 15:59 |
alee | GET /cas/global-preferred | 15:59 |
*** diazjf has quit IRC | 15:59 | |
jaosorior | ah! that | 16:00 |
jaosorior | True, in that case it actually makes sense. | 16:00 |
alee | jaosorior, originally it was returning a list of refs -- which is a little strange because its a single ref. | 16:01 |
alee | jaosorior, dave-mccowan , redrobot we could make it return a single ref | 16:01 |
jaosorior | yeah, for the preferred case it doesn't really make sense | 16:01 |
*** silos has quit IRC | 16:01 | |
alee | or we can do what we decided last week and make it return the object | 16:01 |
*** diazjf has joined #openstack-barbican | 16:01 | |
alee | but then we need a Location | 16:01 |
jaosorior | So one of two options; Either we return the attributes of the CA, witht he X-Location header set. Or we return the ref | 16:01 |
alee | yup | 16:02 |
jaosorior | alee, exactly | 16:02 |
*** gyee has joined #openstack-barbican | 16:02 | |
jaosorior | I would go for the returning of the object with the header set | 16:02 |
alee | I suggest object + ref | 16:02 |
dave-mccowan | {"ca_ref" : "http://foo"} seems to be the most common format in Barbican. | 16:02 |
alee | +1 | 16:02 |
alee | dave-mccowan, I think we usually return lists of refs .. | 16:03 |
dave-mccowan | alee, jaosorior has that been done before? i don't want make our API any more inconsistent. | 16:03 |
jaosorior | dave-mccowan: well, depends on what you're referring to | 16:03 |
alee | dave-mccowan, jaosorior , redrobot - anyways I dont have a strong preference - if its more consistent tostick with whats been done beofre, I'm ok with that | 16:03 |
jaosorior | if we are talking about secrets. Donig a GET /secrets/<secret-id> will actually return the metadata for the secret and on the other hand, I think it sets the header for the location | 16:04 |
alee | dave-mccowan, jaosorior fwiw though, I dont think we've returned this kind of object elsewhere before in the api | 16:04 |
alee | jaosorior, no - I dont think it does .. | 16:05 |
alee | jaosorior, I saw only POST cases where the location is explicitly set | 16:05 |
jaosorior | I see | 16:05 |
jaosorior | well... | 16:05 |
jaosorior | in that case... | 16:05 |
dave-mccowan | alee, jaosorior, redrobot. According to wikipedia, X-location is to be used for 1) redirects, 2) newly created resources | 16:06 |
jaosorior | dave-mccowan: I see | 16:06 |
alee | elmiko, you there? | 16:06 |
elmiko | alee: yo | 16:07 |
jaosorior | dave-mccowan, alee: Is there a difference in the policy for who is able to view the info of a CA and who is able to view the preferred ones? | 16:07 |
alee | elmiko, when is the Location header supposed to be set? | 16:07 |
elmiko | alee: most frequently it is set after a resource creation from a POST | 16:08 |
elmiko | (with the location of the new resourcE) | 16:08 |
elmiko | but i think there are also some cases where it would be used from a PUT | 16:08 |
alee | elmiko, what about a GET? | 16:09 |
elmiko | alee: like, i would do a GET /some/resource and the Location header would be set on return? | 16:10 |
*** su_zhang has quit IRC | 16:11 | |
alee | elmiko, so the case here we are considering is GET /cas/preferred | 16:11 |
alee | for which we have two options | 16:12 |
alee | 1. return a ca_ref | 16:12 |
alee | 2. return the ca object and add ref to the Location header | 16:12 |
alee | elmiko, which is preferred/ more standard? | 16:12 |
elmiko | i think in general returning a Location header from a GET would be non-standard, or maybe unexpected would be a better way to put it. | 16:13 |
alee | elmiko, fair enough .. | 16:13 |
alee | dave-mccowan, jaosorior ^^ seems like a ca_ref is the way to go then. | 16:14 |
jaosorior | alee: Seems legit | 16:14 |
elmiko | from my understanding, the Location header should be used when a new resource is created, or an operation needs to redirect the return (which may be close to what is happening here). | 16:14 |
alee | dave-mccowan, you gonna fix it ? | 16:14 |
dave-mccowan | Option 1: {"cas": ["http://foo"]} List of one is weird, but consistent with GET /cas | 16:15 |
dave-mccowan | Option 2: {"ca_ref": "http://foo"} Not weird. | 16:15 |
dave-mccowan | alee, yea i'll code whatever we agree to. | 16:15 |
dave-mccowan | elmiko, jaosorior ^^ between #1 and #2 | 16:16 |
alee | Option 3: {"ca" : "http://foo" } not weird and more consistent with 'cas" | 16:16 |
jaosorior | I would go for #2 | 16:16 |
jaosorior | We've been using ca_ref all around | 16:17 |
elmiko | #2 does seem clear, assuming there will only be 1 returned | 16:17 |
alee | ok with me .. option 2 | 16:17 |
jaosorior | GET /cas is like doing a list_cas(). While GET /cas/preferred already asumes that we only have one preferred (which is actually the case) | 16:17 |
dave-mccowan | LOL. Do we need to change GET /cas/ to {"ca_refs" : ["http://foo", "http://bar"] ? | 16:18 |
jaosorior | unless we want to add capabilities for the service admin to list all the preferred CAs of all projects. But I don't think that's the case | 16:18 |
elmiko | dave-mccowan: that is the maximally explicit response ;) | 16:18 |
dave-mccowan | New Meme: I don't always design APIs, but when I do it's hours before release candidate deadlines. | 16:20 |
alee | dave-mccowan, I'm ok with that too - although you'll need to make sure to change the client too | 16:20 |
alee | dave-mccowan, and I dont know if others - like magnum for insatnce are already using it | 16:20 |
dave-mccowan | alee i was kidding on GET /cas/ response. user can deal with that. | 16:21 |
alee | :) | 16:21 |
jaosorior | dave-mccowan: hahahaha that was a pretty accurate description of what's going on | 16:21 |
dave-mccowan | elmiko thanks. alee jaosorior i think our bike shed is shiny enough. | 16:22 |
jaosorior | dave-mccowan: hahaha it didn't take aaaaas long | 16:23 |
jaosorior | could have been worse | 16:23 |
dave-mccowan | it's all good. it'll save time on the code review, since we've already agreed. | 16:24 |
jaosorior | true | 16:24 |
jaosorior | Well, add me to the review. Imma go get some dinner and probably a drink too | 16:25 |
jaosorior | Have a good day people :D | 16:26 |
*** jaosorior has quit IRC | 16:27 | |
alee | dave-mccowan, I think you're going to run into a bug on #5 | 16:30 |
alee | dave-mccowan, the code to check if the subca is valid for the user is not there yet I think | 16:30 |
dave-mccowan | jaosorior later ozz. catch you later. | 16:31 |
alee | checking validator code .. | 16:31 |
dave-mccowan | alee cool. since you just looked at the code, if you can add hints/pointers to the etherpad, I'll use them. | 16:31 |
*** vivek-ebay has joined #openstack-barbican | 16:32 | |
alee | dave-mccowan, will do | 16:32 |
*** vivek-ebay has quit IRC | 16:33 | |
*** vivek-ebay has joined #openstack-barbican | 16:34 | |
*** kebray has quit IRC | 16:44 | |
*** rellerreller has quit IRC | 16:46 | |
*** rellerreller has joined #openstack-barbican | 16:46 | |
*** chlong has quit IRC | 16:50 | |
*** chlong has joined #openstack-barbican | 17:02 | |
*** su_zhang has joined #openstack-barbican | 17:09 | |
openstackgerrit | Merged openstack/barbican: Initialize Database Before Running Quota Enforcer Unit Tests https://review.openstack.org/225502 | 17:17 |
*** silos1 has quit IRC | 17:18 | |
openstackgerrit | Kaitlin Farr proposed openstack/castellan: Add ManagedObjectNotFoundError https://review.openstack.org/225946 | 17:18 |
*** diazjf has quit IRC | 17:20 | |
*** diazjf has joined #openstack-barbican | 17:20 | |
openstackgerrit | Kaitlin Farr proposed openstack/castellan: Update Barbican functional tests https://review.openstack.org/216247 | 17:21 |
*** jorge_munoz has quit IRC | 17:24 | |
arunkant | @here..does anybody know why barbicanclient commits are failing at neutron tempest gate. I see all barbicanclient recent builds are failing at this gate | 17:24 |
diazjf | arunkant, trailed it down to the following: [ERROR] /opt/stack/new/devstack/inc/python:178 The following LIBS_FROM_GIT were not installed correct: python-barbicanclient | 17:26 |
arunkant | diazf: yes, I saw that earlier. Not able to see any place which indicates the reason for error. Trying to find out how to investigate this further as its happening for all recent builds | 17:31 |
diazjf | Yeah its a big problem, do you think https://github.com/openstack/barbican/commit/803a8a0256724876b98fceef24ec7cd4c2eb58a8 may have anything to do with it | 17:32 |
alee | redrobot, ping | 17:33 |
alee | redrobot, please workflow https://review.openstack.org/#/c/225387/ as oz is not here. | 17:33 |
openstackgerrit | Merged openstack/barbican: Add missing X-xxxx HTTP headers to the unauth context https://review.openstack.org/225455 | 17:35 |
openstackgerrit | Kaitlin Farr proposed openstack/castellan: Update Barbican functional tests https://review.openstack.org/216247 | 17:37 |
*** mmdurrant_ has joined #openstack-barbican | 17:42 | |
arunkant | diazf: Can't tell if the issue can be related to this change as barbican-devstack-dsvm gate is successful. May be rm_work has a better idea on this | 17:45 |
diazjf | rm_work -> here is the logfile, http://logs.openstack.org/43/208343/15/check/gate-tempest-dsvm-neutron-src-python-barbicanclient/bb736f2/logs/devstacklog.txt.gz any ideas on if adding the barbican-client to devstack added this error? | 17:46 |
arunkant | rm_you ^^^ | 17:49 |
alee | reaperhulk, hey - is there a way to create a pkcs7 cert chain from cert objects using pyopenssl? | 17:59 |
*** kebray has joined #openstack-barbican | 18:00 | |
*** rellerreller has quit IRC | 18:02 | |
*** silos has joined #openstack-barbican | 18:13 | |
*** vivek-ebay has quit IRC | 18:14 | |
*** tasalasc has joined #openstack-barbican | 18:17 | |
*** tasalasc has left #openstack-barbican | 18:17 | |
openstackgerrit | Merged openstack/barbican: Combine exit codes of the two functional test runs https://review.openstack.org/225506 | 18:18 |
*** jhfeng has joined #openstack-barbican | 18:19 | |
*** jorge_munoz has joined #openstack-barbican | 18:23 | |
openstackgerrit | Elvin Tubillara proposed openstack/python-barbicanclient: barbican help needs authentication https://review.openstack.org/224467 | 18:23 |
*** xaeth_afk is now known as xaeth | 18:33 | |
*** igueths has joined #openstack-barbican | 18:35 | |
openstackgerrit | Elvin Tubillara proposed openstack/python-barbicanclient: barbican help needs authentication https://review.openstack.org/224467 | 18:37 |
*** su_zhang has quit IRC | 18:45 | |
*** vivek-ebay has joined #openstack-barbican | 18:45 | |
*** su_zhang has joined #openstack-barbican | 18:49 | |
*** su_zhang has quit IRC | 19:00 | |
*** xaeth is now known as xaeth_afk | 19:05 | |
*** rellerreller has joined #openstack-barbican | 19:13 | |
*** mmdurrant_ has quit IRC | 19:14 | |
*** vivek-ebay has quit IRC | 19:15 | |
dave-mccowan | alee ping | 19:22 |
dave-mccowan | alee if a project has no project ca, but there is a global-preferred-ca set, what should GET /cas/preferred return? | 19:22 |
redrobot | alee pong looking | 19:23 |
alee | dave-mccowan, huh .. | 19:25 |
alee | dave-mccowan, who currently has perms to get the preferred ca? | 19:26 |
alee | dave-mccowan, is it project admins or anyone? | 19:26 |
openstackgerrit | Merged openstack/castellan: Change ignore-errors to ignore_errors https://review.openstack.org/225722 | 19:26 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/castellan: Updated from global requirements https://review.openstack.org/224599 | 19:31 |
dave-mccowan | alee project preferred should be anyone. it's basically saying "what is my default?" i would think that 404 would only come if there were no CAs at all. otherwise it would be the first found of: [project preferred, global preferred, first created CA] | 19:38 |
openstackgerrit | Merged openstack/castellan: Updated from global requirements https://review.openstack.org/224599 | 19:38 |
dave-mccowan | alee same as the logic for what CA to use when none is created. or.... do we need both a /preferred/ and a /default/ ? | 19:39 |
dave-mccowan | alee or, i guess, is there no reason for a use to know his default? and /preferred/ should act RESTfullly with set/unset preferred-ca operations. | 19:41 |
*** vivek-ebay has joined #openstack-barbican | 19:47 | |
redrobot | maybe y'all covered this already, but why are we using verb routes? Ie create-xxx and delete-xxx instead of using POST/DELETE ? | 19:53 |
redrobot | weekly meeting is starting now in #openstack-meeting-alt | 20:01 |
*** su_zhang has joined #openstack-barbican | 20:09 | |
*** su_zhang has quit IRC | 20:13 | |
rm_work | arunkant: hmmmm | 20:13 |
rm_work | arunkant: that is interesting | 20:13 |
rm_work | arunkant: I am not sure -- is python-barbicanclient in LIBS_FROM_GIT in the barbican gate? I don't THINK I changed that part | 20:14 |
arunkant | rm_work..this is a recent change at devstack side..https://github.com/openstack-dev/devstack/commit/c71973eb04d05c2497eb930c4e1b59dcaf983085 | 20:14 |
arunkant | rm_work: Do we need to add something on barbican devstack side to handle this additional check/validation | 20:15 |
*** vivek-ebay has quit IRC | 20:15 | |
rm_work | ah hmm | 20:17 |
rm_work | LIBS_FROM_GIT isn't set in the barbican gate for anything | 20:17 |
rm_work | is it set in the python-barbicanclient gate? | 20:18 |
openstackgerrit | Dave McCowan proposed openstack/barbican: Changes to Preferred CA Features https://review.openstack.org/226039 | 20:18 |
arunkant | rm_work: No idea, I just noticed that this is a recent change which is generating the error. | 20:18 |
*** kebray has quit IRC | 20:18 | |
rm_work | well, barbican still does this: https://github.com/openstack/barbican/blob/master/devstack/lib/barbican#L172 | 20:19 |
rm_work | https://github.com/openstack/barbican/blob/master/devstack/settings#L21 | 20:20 |
rm_work | not sure if it interferes | 20:20 |
rm_work | that was always there | 20:20 |
*** maxabidi has joined #openstack-barbican | 20:21 | |
rm_work | is this normal too? https://github.com/openstack/python-barbicanclient/blob/master/functionaltests/post_test_hook.sh#L21 | 20:21 |
rm_work | in dsvm i thought all requirements were supposed to be handled by stack.sh | 20:21 |
rm_work | not sure though | 20:22 |
*** kebray has joined #openstack-barbican | 20:22 | |
arunkant | rm_work, may be install is there but that new valdiation is looking for the values from that variable which is likely missing barbicanclient install infor | 20:22 |
rm_work | I am not super familiar with the operation of the LIBS_FROM_GIT but some people on my team might be | 20:24 |
rm_work | I will ask them | 20:24 |
arunkant | rm_work, great..thanks | 20:25 |
diazjf | arunkant, rm_work, seems as though you can't apt-get python-barbicanclient as you can with all the rest as seen in https://github.com/openstack-infra/devstack-gate/blob/master/devstack-vm-gate-wrap.sh | 20:36 |
diazjf | Its always gonna fail in LIBS_FROM_GIT | 20:36 |
*** su_zhang has joined #openstack-barbican | 20:37 | |
rm_work | :/ | 20:39 |
arunkant | diazjf, rm_work..so can we add barbicanclient as additional git branch here? or it needs to be injected by barbican devstack setup somehow. | 20:41 |
rm_work | it is already injected by barbican devstack setup AND barbicanclient devstack script | 20:41 |
rm_work | the issue is the LIBS_FROM_GIT check that was added is maybe not possible for us to pass? i am looking | 20:42 |
*** rellerreller has quit IRC | 20:43 | |
rm_work | I am not seeing where python-barbicanclient is actually *added* to LIBS_FROM_GIT though | 20:43 |
rm_work | not in any of the scripts of gate job definitions i saw for either barbican or barbicanclient | 20:43 |
rm_work | oh | 20:44 |
rm_work | crap i didn't actually check the correct one | 20:44 |
rm_work | gate-tempest-dsvm-neutron-src-python-barbicanclient | 20:44 |
rm_work | not sure where that job is defined | 20:44 |
rm_work | i REALLY can't look at this right now though | 20:45 |
rm_work | I have an internal fire burning with a deadline of *today* | 20:45 |
rm_work | :( | 20:45 |
rm_work | but that is probably the issue -- remove it from LIBS_FROM_GIT in that job definition in project-config | 20:45 |
rm_work | because python-barbicanclient's gate script handles itself | 20:46 |
arunkant | rm_work ...remove it or add it ? because that check will fail if it did not find it | 20:46 |
rm_work | or, try to fix its gate script to handle it the same way other projects do | 20:46 |
rm_work | well i think that gate job adds it to LIBS_FROM_GIT but then python-barbicanclient's dsvm script installs itself from local, so it doesn't look like a -egit | 20:47 |
rm_work | so just get rid of python-barbicanclient from the list of LIBS_FROM_GIT for that gate job | 20:47 |
rm_work | OR, figure out if there is a more correct way to handle installation in the python-barbicanclient dsvm script that doesn't overwrite the LIBS_FROM_GIT install | 20:48 |
kfarr | think job is defined here: https://github.com/openstack-infra/project-config/blob/6775d35290cc41f0de652c62ace975dcb5dcea65/jenkins/jobs/devstack-gate.yaml#L123 | 20:49 |
kfarr | the tempest-dsvm-neutron-src-{name} job, I mean | 20:50 |
rm_work | yeah i see | 20:50 |
rm_work | that is what i thought | 20:50 |
rm_work | basically i think this is killing the git install: https://github.com/openstack/python-barbicanclient/blob/master/functionaltests/post_test_hook.sh#L21 | 20:51 |
rm_work | because that won't be -egit | 20:51 |
rm_work | so the check in https://github.com/openstack-dev/devstack/commit/c71973eb04d05c2497eb930c4e1b59dcaf983085 won't see it right | 20:51 |
rm_work | so maybe the post-test-hook there needs to be changed to match other projects? | 20:52 |
rm_work | i assume other projects do not have this problem | 20:52 |
arunkant | somehow need to figure out how/where this LIBS_FROM_GIT is defined. | 20:55 |
*** vivek-ebay has joined #openstack-barbican | 20:57 | |
diazjf | take a look at https://github.com/openstack-infra/project-config/blob/0ea5b0829f65487f72140bb76bf38c107d20aaaa/jenkins/jobs/python-barbicanclient.yaml | 20:59 |
dave-mccowan | rm_work. fyi: https://review.openstack.org/222328 landed. i believe this is a feature you wanted for LBaaS. | 20:59 |
rm_work | hmm | 21:00 |
rm_work | interesting | 21:00 |
rm_work | and neat | 21:00 |
rm_work | not sure if we actually need it though | 21:00 |
rm_work | but thanks for the heads up | 21:00 |
diazjf | arunkant, do you think removing https://github.com/openstack/python-barbicanclient/blob/master/functionaltests/post_test_hook.sh#L21 will be enough since it creates it with https://github.com/openstack/barbican/blob/a58aab748116f8090006a078de494b088d395563/devstack/plugin.sh#L11? I'm gonna put up a simple doc patch thats failing with that change as well just to check | 21:16 |
diazjf | when doing pip-freeze it will have a git repo rather than a version if this is done | 21:16 |
diazjf | we are picking up the src install | 21:17 |
rm_work | that seems correct | 21:19 |
reaperhulk | alee: unfortunately I don't know if pyopenssl has that... Probably should implement PKCS7 eneveloping in cryptography soon, hmm | 21:20 |
reaperhulk | enveloping even | 21:20 |
alee | reaperhulk, as far as I can tell , it doesn't - which perhaps shouldn't surprise me | 21:21 |
*** vivek-ebay has quit IRC | 21:21 | |
alee | reaperhulk, but yeah, thats not a bad idea | 21:21 |
reaperhulk | ECDH, CRL, and a new KDF are on the top of the queue right now (along with a lot of infra work for shipping more binary wheels), but I'll keep it in mind, hehe | 21:22 |
*** mmdurrant_ has joined #openstack-barbican | 21:33 | |
openstackgerrit | Fernando Diaz proposed openstack/python-barbicanclient: Fix barbican-client README.rst https://review.openstack.org/220848 | 21:34 |
diazjf | arunkant, rm_work, ok so the problem should be resolved with https://review.openstack.org/#/c/220848/4/functionaltests/post_test_hook.sh it should install the package from GIT, lets see what happens | 21:35 |
arunkant | diazjf, great..let's see how neutron gate reacts to this.. | 21:36 |
rm_work | yep let's cross our fingers :) | 21:39 |
*** vivek-ebay has joined #openstack-barbican | 21:39 | |
*** silos has left #openstack-barbican | 21:39 | |
*** vivek-ebay has quit IRC | 21:46 | |
openstackgerrit | Dave McCowan proposed openstack/barbican: Changes to Preferred CA Features https://review.openstack.org/226039 | 21:47 |
*** kebray has quit IRC | 21:54 | |
diazjf | arunkant, rm_work, still fails, but I have 1 more trick up my sleeve | 21:55 |
openstackgerrit | Fernando Diaz proposed openstack/python-barbicanclient: Fix barbican-client README.rst https://review.openstack.org/220848 | 21:56 |
*** vivek-ebay has joined #openstack-barbican | 22:05 | |
*** igueths has quit IRC | 22:10 | |
openstackgerrit | Merged openstack/barbican: Adding Functional Tests and Supporting Fixes for Global Preferred CAs https://review.openstack.org/225387 | 22:11 |
*** kebray has joined #openstack-barbican | 22:15 | |
*** jorge_munoz has quit IRC | 22:15 | |
*** kebray has quit IRC | 22:16 | |
*** kebray has joined #openstack-barbican | 22:19 | |
*** kebray has quit IRC | 22:22 | |
*** kebray has joined #openstack-barbican | 22:22 | |
openstackgerrit | Fernando Diaz proposed openstack/python-barbicanclient: Fix barbican-client README.rst https://review.openstack.org/220848 | 22:24 |
*** jorge_munoz has joined #openstack-barbican | 22:25 | |
diazjf | keep an eye on https://review.openstack.org/220848 | 22:27 |
*** edtubill has quit IRC | 22:27 | |
*** su_zhang has quit IRC | 22:27 | |
*** diazjf has left #openstack-barbican | 22:27 | |
*** jorge_munoz has quit IRC | 22:27 | |
*** su_zhang has joined #openstack-barbican | 22:27 | |
*** spotz is now known as spotz_zzz | 22:32 | |
*** su_zhang_ has joined #openstack-barbican | 22:36 | |
*** pglass has quit IRC | 22:37 | |
*** su_zhang has quit IRC | 22:38 | |
*** dimtruck is now known as zz_dimtruck | 22:40 | |
*** kfarr has quit IRC | 22:48 | |
*** edtubill has joined #openstack-barbican | 22:55 | |
*** su_zhang has joined #openstack-barbican | 23:03 | |
openstackgerrit | Fernando Diaz proposed openstack/python-barbicanclient: Fix barbican-client README.rst https://review.openstack.org/220848 | 23:05 |
*** vivek-ebay has quit IRC | 23:06 | |
*** su_zhang_ has quit IRC | 23:06 | |
*** chadlung has quit IRC | 23:08 | |
*** su_zhang has quit IRC | 23:09 | |
*** su_zhang has joined #openstack-barbican | 23:10 | |
*** vivek-ebay has joined #openstack-barbican | 23:10 | |
*** vivek-ebay has quit IRC | 23:14 | |
*** jamielennox|away is now known as jamielennox | 23:23 | |
*** ccneill has quit IRC | 23:28 | |
*** vivek-ebay has joined #openstack-barbican | 23:44 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!