Wednesday, 2015-10-21

*** stevemar_ has joined #openstack-barbican [00:00]
*** stevemar_ has quit IRC [00:04]
*** nelsnelson has joined #openstack-barbican [00:07]
*** edtubill has quit IRC [00:49]
*** gyee has quit IRC [01:15]
openstackgerrit: Merged openstack/python-barbicanclient: README.rst devstack link not properly displayed  https://review.openstack.org/235737 [01:17]
*** tkelsey has joined #openstack-barbican [01:50]
*** tkelsey has quit IRC [01:54]
*** stevemar_ has joined #openstack-barbican [02:02]
*** vivek-ebay has quit IRC [02:06]
openstackgerrit: Merged openstack/barbican: Remove old gate code  https://review.openstack.org/219451 [02:18]
openstackgerrit: OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements  https://review.openstack.org/237316 [02:32]
*** dave-mccowan has quit IRC [02:38]
*** morgan has quit IRC [03:00]
*** pksingh has joined #openstack-barbican [03:01]
openstackgerrit: Pradeep Kumar Singh proposed openstack/barbican: Replace assertFalse(a in b) with assertNotIn(a, b)  https://review.openstack.org/237864 [03:45]
*** Nirupama has joined #openstack-barbican [04:08]
*** yfujioka has joined #openstack-barbican [04:26]
*** jaosorior has quit IRC [04:48]
*** jaosorior has joined #openstack-barbican [04:48]
*** edtubill has joined #openstack-barbican [05:07]
*** openstackgerrit has quit IRC [05:16]
*** morgan has joined #openstack-barbican [05:16]
*** openstackgerrit has joined #openstack-barbican [05:17]
*** stevemar_ has quit IRC [05:19]
*** stevemar_ has joined #openstack-barbican [05:19]
*** stevemar_ has quit IRC [05:22]
*** morgan has quit IRC [05:45]
*** tkelsey has joined #openstack-barbican [05:52]
*** tkelsey has quit IRC [05:56]
*** jaosorior has quit IRC [06:00]
*** jaosorior has joined #openstack-barbican [06:01]
*** morgan has joined #openstack-barbican [06:01]
*** edtubill has quit IRC [06:07]
*** su_zhang has quit IRC [06:08]
*** pksingh_ has joined #openstack-barbican [06:37]
*** jamielennox is now known as jamielennox|away [06:37]
*** pksingh has quit IRC [06:41]
*** jaosorior has quit IRC [06:47]
*** jaosorior has joined #openstack-barbican [06:48]
*** tkelsey has joined #openstack-barbican [06:58]
*** shohel has joined #openstack-barbican [07:09]
*** jaosorior has quit IRC [07:16]
*** jongchoi has joined #openstack-barbican [07:30]
*** jaosorior has joined #openstack-barbican [07:35]
*** jaosorior has quit IRC [07:37]
*** jaosorior has joined #openstack-barbican [07:37]
*** everjeje has joined #openstack-barbican [08:27]
*** jongchoi has quit IRC [08:48]
*** openstackgerrit has quit IRC [09:01]
*** openstackgerrit has joined #openstack-barbican [09:01]
*** openstackgerrit has quit IRC [09:31]
*** openstackgerrit has joined #openstack-barbican [09:32]
*** jkf has quit IRC [09:59]
*** mmdurrant has quit IRC [10:09]
*** jkf has joined #openstack-barbican [10:18]
*** stevemar_ has joined #openstack-barbican [10:35]
*** stevemar_ has quit IRC [10:38]
*** dave-mccowan has joined #openstack-barbican [10:55]
*** markus_z has joined #openstack-barbican [11:27]
markus_z: We have a barbican bug in Nova, maybe someone of you could help out here: https://bugs.launchpad.net/nova/+bug/1505930 [11:28]
openstack: Launchpad bug 1505930 in OpenStack Compute (nova) "Fix key manager service endpoints in devstack Nova ephemeral" [Undecided,Incomplete] - Assigned to Max (max-abidi) [11:28]
*** pksingh_ has quit IRC [11:30]
dave-mccowan: markus_z i added a comment to the bug with a suggested fix [11:42]
markus_z: dave-mccowan: Cool, thanks! [11:43]
*** Nirupama has quit IRC [11:52]
*** peter-hamilton has joined #openstack-barbican [11:54]
*** arunkant has quit IRC [11:57]
*** mmdurrant has joined #openstack-barbican [11:59]
*** openstackgerrit has quit IRC [12:16]
*** openstackgerrit has joined #openstack-barbican [12:17]
*** arunkant has joined #openstack-barbican [12:28]
*** rellerreller has joined #openstack-barbican [12:35]
*** stevemar_ has joined #openstack-barbican [13:03]
*** stevemar_ has quit IRC [13:07]
*** stevemar_ has joined #openstack-barbican [13:09]
*** stevemar_ has quit IRC [13:12]
*** stevemar_ has joined #openstack-barbican [13:17]
*** lisaclark1 has joined #openstack-barbican [13:29]
*** stevemar_ has quit IRC [13:54]
*** DTadrzak has quit IRC [14:00]
*** jongchoi has joined #openstack-barbican [14:08]
*** silos has joined #openstack-barbican [14:11]
*** nkinder has quit IRC [14:14]
*** darrenmoffat has quit IRC [14:17]
*** darrenmoffat has joined #openstack-barbican [14:18]
*** jhfeng has joined #openstack-barbican [14:19]
*** diazjf has joined #openstack-barbican [14:19]
*** edtubill has joined #openstack-barbican [14:26]
*** jongchoi has quit IRC [14:28]
*** su_zhang has joined #openstack-barbican [14:37]
*** edtubill has quit IRC [14:37]
*** edtubill has joined #openstack-barbican [14:38]
*** zz_dimtruck is now known as dimtruck [14:38]
*** su_zhang has quit IRC [14:42]
*** lisaclark1 has quit IRC [14:43]
*** alee_afk is now known as alee [14:45]
*** lisaclark1 has joined #openstack-barbican [14:46]
*** jaosorior has quit IRC [14:47]
*** jaosorior has joined #openstack-barbican [14:48]
*** edtubill has quit IRC [14:52]
*** stevemar_ has joined #openstack-barbican [14:55]
*** stevemar_ has quit IRC [14:56]
*** su_zhang has joined #openstack-barbican [14:58]
*** stevemar_ has joined #openstack-barbican [14:59]
*** stevema__ has joined #openstack-barbican [15:13]
*** stevemar_ has quit IRC [15:16]
*** Kiall has quit IRC [15:19]
*** Kiall has joined #openstack-barbican [15:20]
*** ccneill has joined #openstack-barbican [15:22]
*** edtubill has joined #openstack-barbican [15:24]
*** edtubill has quit IRC [15:26]
openstackgerrit: Christopher Solis proposed openstack/barbican: Create Orders Documentation  https://review.openstack.org/236123 [15:26]
*** edtubill has joined #openstack-barbican [15:30]
*** ccneill has quit IRC [15:30]
*** shohel has quit IRC [15:33]
*** ccneill has joined #openstack-barbican [15:34]
*** markus_z has quit IRC [15:52]
*** edtubill has quit IRC [15:52]
*** edtubill has joined #openstack-barbican [15:53]
*** stevema__ has quit IRC [16:00]
openstackgerrit: Fernando Diaz proposed openstack/castellan: Add created property to Managed Objects  https://review.openstack.org/238150 [16:03]
*** su_zhang has quit IRC [16:17]
rm_work: Hey, if you guys could glance at https://review.openstack.org/#/c/237807/ I think it might be relevant <_< [16:32]
rm_work: Would appreciate it [16:32]
rm_work: We're trying to solve for some use-cases where our Barbican workflow currently has trouble [16:32]
*** stevemar_ has joined #openstack-barbican [16:36]
*** stevemar_ has quit IRC [16:41]
dave-mccowan: rm_work with a passphrase requirement, does that mean that a human is required in the workflow to deploy an LB? (to enter the passphrase) [16:42]
rm_work: no, it *is* stored, in our DB [16:42]
rm_work: so the necessary data to have a decrypted and usable private key is split between two distinct storage systems [16:43]
dave-mccowan: how does the passphrase get into the Neutron DB? [16:44]
*** gyee has joined #openstack-barbican [16:45]
*** xaeth_afk is now known as xaeth [16:47]
rm_work: dave-mccowan: passed in via API [16:47]
*** jaosorior has quit IRC [16:50]
*** jaosorior has joined #openstack-barbican [16:50]
*** diazjf has quit IRC [16:50]
*** edtubill has quit IRC [16:51]
*** zigo_ has quit IRC [16:59]
*** zigo has joined #openstack-barbican [17:00]
*** everjeje has quit IRC [17:07]
*** su_zhang has joined #openstack-barbican [17:12]
*** lisaclark1 has quit IRC [17:21]
*** kfarr has joined #openstack-barbican [17:23]
*** peter-hamilton has quit IRC [17:28]
*** lisaclark1 has joined #openstack-barbican [17:30]
*** xaeth is now known as xaeth_afk [17:32]
*** stevemar_ has joined #openstack-barbican [17:32]
*** lisaclark1 has quit IRC [17:32]
*** rellerreller has quit IRC [17:34]
*** lisaclark1 has joined #openstack-barbican [17:34]
*** lisaclark1 has quit IRC [17:35]
*** tkelsey has quit IRC [17:53]
*** xaeth_afk is now known as xaeth [17:53]
*** lisaclark1 has joined #openstack-barbican [17:57]
*** stevemar_ has quit IRC [17:58]
*** diazjf has joined #openstack-barbican [18:01]
*** edtubill has joined #openstack-barbican [18:03]
diazjf: kfarr, so I added https://review.openstack.org/#/c/238150/ gonna keep working on it throughout the week. Also for https://review.openstack.org/#/c/235671/ I think it's the proper way of getting context since user created (non-openstack) services may rely on keystone and not use oslo.context :) [18:08]
*** ccneill has quit IRC [18:19]
*** vivek-ebay has joined #openstack-barbican [18:22]
*** vivek-ebay has quit IRC [18:22]
*** xaeth is now known as xaeth_afk [18:25]
*** lisaclark1 has quit IRC [18:25]
*** vivek-ebay has joined #openstack-barbican [18:27]
*** lisaclark1 has joined #openstack-barbican [18:28]
*** xaeth_afk is now known as xaeth [18:32]
kfarr: diazjf, thanks!  I will take a look later today [18:33]
openstackgerrit: Christopher Solis proposed openstack/barbican: Update Devstack deployment and docs  https://review.openstack.org/230276 [18:34]
*** rellerreller has joined #openstack-barbican [18:43]
diazjf: kfarr, thanks :) I'll update some of the comments [18:49]
silos: woodster_: ping [18:52]
*** xaeth is now known as xaeth_afk [18:53]
*** su_zhang has quit IRC [18:55]
woodster_: silos: hey there [19:02]
*** lisaclark1 has quit IRC [19:03]
silos: woodster_: HEY! I'm meandering around the database/sqlalchemy side of barbican and noticed your name a lot and had a question. Does sqlalchemy do any sanity checks for sql injection/user input? [19:04]
*** edtubill has quit IRC [19:04]
woodster_: silos: I believe it does as long as you aren't doing direct sql (which is possible) [19:05]
*** lisaclark1 has joined #openstack-barbican [19:06]
*** stevemar_ has joined #openstack-barbican [19:07]
silos: woodster_: hmmm what do you mean as long as you aren't doing direct sql? [19:07]
woodster_: silos: I think it's possible to not use the sqlalchemy classes to hit the databases...so write direct sql to hit the database. We aren't doing that in barbican as far as I know. [19:08]
rm_work: yeah sqlalchemy lets you run a pure string query if you tell it to [19:10]
rm_work: which obviously won't do any quoting or anything :/ [19:10]
rm_work: otherwise it does param binding and such [19:11]
silos: woodster_, rm_work: Ah I see. yea. All I have seen is sqlalchemy so far. [19:11]
rm_work: http://docs.sqlalchemy.org/en/rel_0_8/core/tutorial.html#using-text [19:11]
silos: woodster_, rm_work: thanks! [19:11]
rm_work: the example does binding, but you can avoid it, and in doing so, assume the risks associated [19:12]
woodster_: yep! [19:12]
rm_work: ah woodster_, should have had you on that last meeting :( [19:12]
rm_work: woodster_: did you get a chance to look at my recent spec? https://review.openstack.org/#/c/237807/ [19:13]
woodster_: rm_work: oh was that the clb integration one? [19:13]
rm_work: woodster_: related [19:13]
rm_work: yes [19:13]
*** stevemar_ has quit IRC [19:15]
*** stevemar_ has joined #openstack-barbican [19:16]
*** stevemar_ has quit IRC [19:20]
rm_work: woodster_: just added more comments in response to reaperhulk [19:20]
rm_work: err [19:20]
rm_work: damnit [19:20]
rm_work: in response to redrobot [19:20]
rm_work: "re"-tabcomplete is blah [19:20]
*** edtubill has joined #openstack-barbican [19:24]
*** edtubill has quit IRC [19:25]
dave-mccowan: rm_work would the same keystone credentials be able to retrieve the passphrase from neutron and the private key from barbican? [19:25]
*** edtubill has joined #openstack-barbican [19:30]
*** edtubill has quit IRC [19:31]
rm_work: dave-mccowan: no [19:38]
rm_work: dave-mccowan: passphrase would be set-only [19:38]
rm_work: I was careful to specify that [19:38]
rm_work: neutron-lbaas would never return it [19:38]
*** rellerreller has quit IRC [19:42]
*** su_zhang has joined #openstack-barbican [19:43]
dave-mccowan: rm_work i like the idea in general.  two-factor==good.  but, i'm suspicious at attempts of two-factor auth that doesn't involve a human providing the second factor. [19:46]
rm_work: yeah [19:46]
dave-mccowan: looks like you're thinking that way too [19:46]
rm_work: I try to stay away from calling it "two-factor" explicitly [19:46]
rm_work: it's "two-system" [19:46]
*** edtubill has joined #openstack-barbican [19:52]
*** xaeth_afk is now known as xaeth [20:00]
dave-mccowan: does anyone know if barbican-client has "stable" versions that are patched? [20:00]
redrobot: dave-mccowan yeah, we do have a stable release [20:00]
redrobot: dave-mccowan all stable requirements files cap at a max version [20:01]
dave-mccowan: i'm trying to think through the issues when devstack does away with extras.d.  all releases of our stuff are going to have to work with the new plugin methods. [20:03]
dave-mccowan: does the stable barbican client always run with /master barbican? [20:03]
redrobot: dave-mccowan good question... I don't know off the top of my head [20:04]
redrobot: dave-mccowan I'm thinking that it probably does.... but the new plugin system should be able to check out stable barbicans if needed. [20:04]
rm_work: dave-mccowan: yeah it's possible we may need to backport the plugin support :/ [20:05]
dave-mccowan: yep.  we need to before mitaka-1.  how many versions are supposed to support? [20:05]
*** openstackstatus has joined #openstack-barbican [20:06]
*** ChanServ sets mode: +v openstackstatus [20:06]
dave-mccowan: sorry, rm_work, we went the wrong way with your patches to project-config.  instead of two gate job versions, we should have made all the barbican releases do the new way. [20:08]
*** dimtruck is now known as zz_dimtruck [20:11]
openstackgerrit: Fernando Diaz proposed openstack/castellan: Add testing documentation to Castellan  https://review.openstack.org/235699 [20:11]
rm_work: dave-mccowan: yeah :( ah well [20:12]
rm_work: dave-mccowan: the latest two [20:12]
rm_work: so for mitaka that'd be KL [20:12]
rm_work: I think [20:12]
rm_work: it should be obvious when doing it, it's all baked into project-config [20:13]
rm_work: tons of other examples [20:13]
*** lisaclark1 has quit IRC [20:19]
*** zz_dimtruck is now known as dimtruck [20:19]
dave-mccowan: redrobot if i want to propose backport bugs in launchpad, do i need to be a member of barbican-drivers? [20:26]
rm_work: Can't you PROPOSE anything as a bug? [20:26]
*** tkelsey has joined #openstack-barbican [20:40]
*** lisaclark1 has joined #openstack-barbican [20:42]
*** tkelsey has quit IRC [20:44]
openstackgerrit: Fernando Diaz proposed openstack/castellan: Add contributing documentation to Castellan  https://review.openstack.org/238244 [20:49]
*** lisaclark1 has quit IRC [20:52]
*** lisaclark1 has joined #openstack-barbican [20:57]
*** silos has left #openstack-barbican [20:59]
*** lisaclark1 has quit IRC [20:59]
openstackgerrit: Fernando Diaz proposed openstack/castellan: Adds documentation on creating Oslo RequestContext in Castellan  https://review.openstack.org/238248 [21:01]
redrobot: dave-mccowan I don't think so... but I can add you to that group if need be. [21:04]
*** jongchoi_ has joined #openstack-barbican [21:10]
*** stevemar_ has joined #openstack-barbican [21:11]
openstackgerrit: Fernando Diaz proposed openstack/castellan: Add documentation links and fixup README.rst  https://review.openstack.org/238252 [21:23]
rm_work: redrobot: responded again... not clear on what better examples i can provide for the vulnerabilities than what I already walked through in the examples [21:35]
openstackgerrit: Fernando Diaz proposed openstack/castellan: Add contributing documentation to Castellan  https://review.openstack.org/238244 [21:36]
*** diazjf has quit IRC [21:39]
rm_work: redrobot: would you rather try to spend some time figuring this out face-to-face instead of throwing replies back and forth over a review? :P [21:44]
*** lisaclark1 has joined #openstack-barbican [21:44]
redrobot: rm_work I'm just not so quick to buy into the whole "two systems are better than one" argument. [21:45]
rm_work: It's fairly provable [21:45]
rm_work: I can demonstrate clear examples on a whiteboard [21:45]
rm_work: if you can refute those examples, then maybe i could be swayed? [21:45]
redrobot: rm_work my point is this:  Barbican was made for secure storage, so you should use it for that. [21:46]
rm_work: we are [21:46]
redrobot: but you're not [21:46]
rm_work: not using it isn't an option [21:46]
rm_work: so we are [21:46]
rm_work: if we didn't use it, we'd be back to being hosed [21:46]
rm_work: so i'd say it's fairly essential in the equation :P [21:46]
*** lisaclark1 has quit IRC [21:46]
redrobot: the argument for Barbican has always been to make it THE secret store for OpenStack [21:47]
rm_work: yeah, i get that [21:47]
rm_work: and I'm sure 90% of people will be happy with the way it functions now [21:47]
redrobot: rm_work for the 10% you're concerned about we should work on Federation [21:48]
rm_work: but I don't think it'd be crazy to say "extra security is never a bad thing" [21:48]
redrobot: rm_work it's a much better story than your proposal, I think [21:48]
rm_work: I don't disagree that federation would be great [21:48]
rm_work: but that is WAAAAAY more of a burden [21:48]
redrobot: not necessarily [21:49]
rm_work: "you have to run your own cloud now" [21:49]
rm_work: versus "you have to remember a password" [21:49]
redrobot: well it's not just "remember a password" [21:49]
rm_work: they can store the passwords internally using their own security protocols [21:49]
rm_work: whatever those may be [21:49]
rm_work: we use password-safe and at my old company we used some Vault thing [21:49]
rm_work: most companies will already have an analog [21:50]
rm_work: and those are not exposed to the cloud [21:50]
rm_work: sure, if they were, it would essentially be federation and we'd be set! [21:50]
rm_work: but that's a lot more work [21:50]
*** lisaclark1 has joined #openstack-barbican [21:51]
*** su_zhang has quit IRC [21:53]
redrobot: rm_work arguably, the security-conscious customer would be willing to put in the extra work. [21:53]
redrobot: rm_work I think that the use case you're trying to address gives you a marginally better security story [21:54]
redrobot: rm_work at the expense of added complexity for both the user and for LBaaS [21:54]
redrobot: rm_work I honestly don't think it's worth it. [21:54]
*** su_zhang has joined #openstack-barbican [21:54]
rm_work: well, it's optional, but i don't disagree with added complexity for lbaas [21:54]
*** su_zhang has quit IRC [21:55]
*** edtubill has quit IRC [21:58]
*** jongchoi_ has quit IRC [22:02]
*** jongchoi_ has joined #openstack-barbican [22:04]
*** jamielennox|away is now known as jamielennox [22:07]
*** lisaclark1 has quit IRC [22:10]
*** jongchoi_ has quit IRC [22:10]
*** kfarr has quit IRC [22:10]
*** lisaclark1 has joined #openstack-barbican [22:10]
*** lisaclark1 has quit IRC [22:14]
*** xaeth is now known as xaeth_afk [22:18]
*** dimtruck is now known as zz_dimtruck [22:35]
*** su_zhang has joined #openstack-barbican [22:39]
*** jaosorior has quit IRC [22:48]
*** jaosorior has joined #openstack-barbican [22:48]
*** edtubill has joined #openstack-barbican [22:49]
*** jhfeng has quit IRC [23:02]
*** edtubill has quit IRC [23:34]
*** ccneill has joined #openstack-barbican [23:42]
*** ccneill has quit IRC [23:48]
*** peter-hamilton has joined #openstack-barbican [23:49]
*** su_zhang has quit IRC [23:58]
