Tuesday, 2015-11-24

yfujioka	dave-mccowan: thank you for your response. Must the admin role be assigned to an admin-user on each project?	00:00
yfujioka	when the admin-user want to read a secret that is in foo project, the admin-user must get token on foo project?	00:00
dave-mccowan	yfujioka when a user wants to read a secret of project X, then that user must have the role of (admin, creator, or observer) in project X. The role and project is as designated in the token. Or, that user can be a member of the ACL read access list for that secret.	00:03
yfujioka	dave-mccowan: thank kyou.	00:05
yfujioka	typo. kyou -> you	00:05
dave-mccowan	yfujioka the X-project-id: header would only be used in a test environment without authentication, and never in production.	00:06
yfujioka	dave-mccowan: oh, I knewit for the first time. thank you. is this documented?	00:09
*** Stanzi has quit IRC		00:10
*** stanzi_ has quit IRC		00:10
dave-mccowan	yfujioka probably it is not documented well enough. i'll open a bug to improve the documentation in that regard.	00:10
yfujioka	dave-mccowan: thank you. Neutron LBaaS v2 with TLS creates a consumer to a container. in this case, should neutron authenticate in Project X?	00:12
yfujioka	dave-mccowan: If it is true, I feel it's hard.	00:13
*** openstackgerrit has quit IRC		00:16
*** openstackgerrit has joined #openstack-barbican		00:16
dave-mccowan	yfujioka yes, that is why we created the ACL (access control list) for secrets and containers	00:18
dave-mccowan	yfujioka an admin (a user with role admin in project X) will add the LBaaS user (who has no role in project X) to the ACL for secrets and containers that the LBaaS user needs.	00:20
dave-mccowan	http://docs.openstack.org/developer/barbican/api/quickstart/acls.html	00:22
*** rellerreller has joined #openstack-barbican		00:23
yfujioka	dave-mccowan: I feel the LBaaS user cannot creates consumer even if an admin sets ACL. https://github.com/openstack/barbican/blob/master/barbican/api/controllers/consumers.py#L140	00:23
yfujioka	dave-mccowan: external_project_id is loaded from an auth token. if container is in Project X, LBaaS user should authenticate on Project X. is this right? does ACL solve this problem?	00:25
*** ccneill has quit IRC		00:29
*** Stanzi has joined #openstack-barbican		00:30
*** stanzi_ has joined #openstack-barbican		00:31
*** stanzi_ has quit IRC		00:35
*** Stanzi has quit IRC		00:35
*** pdesai has quit IRC		00:37
dave-mccowan	yfujiooka LBaaS user does not need to authenticate on Project X. the Admin for Project X will add the userid of the LBaaS user to the ACL. No project info for the LBaaS user will be used.	00:50
dave-mccowan	yfujioka ^^	00:51
dave-mccowan	yfujioka Barbican supports two access methods: RBAC (role based access control, which depends on project and role) and ACL (access control list, which depends only on the userid)	00:52
dave-mccowan	yfujioka ACL fits better for the LBaaS use case	00:52
*** rellerreller has quit IRC		00:56
yfujioka	dave-mccowan: I wonder it. userid is not passed to self.container_repo.get(). in case of using ACL, is external_project_id id of Project X? I feel external_project_id is Service Project ID(LBaaS user's project ID).	01:02
yfujioka	dave-mccowan: actually, I got 404 error.	01:02
dave-mccowan	yfujioka userid will come out of the token	01:05
yfujioka	dave-mccowan: I feel userid is not passed to self.container_repo.get. https://github.com/openstack/barbican/blob/master/barbican/api/controllers/consumers.py#L96	01:06
yfujioka	dave-mccowan: sorry, I must attend our team meeting. I will back on after 2 hours. thank you.	01:07
*** nelsnelson has quit IRC		01:09
dave-mccowan	yfujioka that looks like a bug in Barbican. in line 100, the container id retrieved without using the project_id. i don't know why line 96 uses the project id.	01:24
dave-mccowan	aruncant do you know? ^^ when using ACL to get get a container with consumer.py, yfujioka is getting 404.	01:25
*** Stanzi has joined #openstack-barbican		01:29
*** stanzi_ has joined #openstack-barbican		01:29
*** stanzi_ has quit IRC		01:34
*** Stanzi has quit IRC		01:35
*** pdesai has joined #openstack-barbican		01:38
*** pdesai has quit IRC		01:39
dave-mccowan	yfujioka... oh... that API is to get a list of consumers. only the admin of Project X can get the list of consumers. but, that is not needed for an LBaaS user. the LBaaS user will only want to get the container or get the secret.	01:43
*** edtubill has joined #openstack-barbican		01:49
*** Stanzi has joined #openstack-barbican		02:11
*** stanzi_ has joined #openstack-barbican		02:11
*** yfujioka_mobile has joined #openstack-barbican		02:14
*** Stanzi has quit IRC		02:17
*** stanzi_ has quit IRC		02:17
yfujioka_mobile	dave-mccowan: sorry, l missed. self.container_repo.get is called on on_post. and LBaaS user creates a consumer.	02:18
*** yfujioka_mobile has quit IRC		02:21
yfujioka	dave-mccowan: https://github.com/openstack/barbican/blob/master/barbican/api/controllers/consumers.py#L140	02:22
yfujioka	dave-mccowan: the neutron-lbaas registers a container in here. https://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L197	02:25
dave-mccowan	yfujioka that does look like a problem with the barbican design for lbaas. i'll talk to some other barbican engineers about it tomorrow.	02:26
*** david-ly_ has quit IRC		02:36
dave-mccowan	yfujioka i opened this bug: https://bugs.launchpad.net/barbican/+bug/1519170	02:37
openstack	Launchpad bug 1519170 in Barbican "LBaaS user needs permissions to POST consumers" [Undecided,New]	02:37
yfujioka	dave-mccowan: thank you so much!	02:38
*** diazjf has joined #openstack-barbican		02:59
*** diazjf has quit IRC		03:01
*** yfujioka has quit IRC		03:15
*** yfujioka has joined #openstack-barbican		03:16
*** vivek-ebay has quit IRC		03:19
*** vivek-ebay has joined #openstack-barbican		03:20
*** vivek-ebay has quit IRC		03:21
*** yuanying has quit IRC		03:23
openstackgerrit	Dave McCowan proposed openstack/barbican: Refactor Base64 use and other changes for Python3 https://review.openstack.org/233633	03:43
*** Kevin_Zheng has joined #openstack-barbican		03:56
*** yuanying has joined #openstack-barbican		04:08
*** david-lyle has joined #openstack-barbican		04:08
*** edtubill has quit IRC		04:22
*** edtubill has joined #openstack-barbican		04:24
*** edtubill has quit IRC		04:29
rm_work	yeah	05:00
rm_work	the LBaaS user must basically be an admin on everything	05:00
rm_work	yfujioka / dave-mccowan	05:00
rm_work	that is by design	05:00
rm_work	or wait	05:01
rm_work	no, consumers resource is supposed to be open to all	05:01
rm_work	I believe	05:01
rm_work	which is just dependent on how you set up the RBAC access in the config	05:01
dave-mccowan	rm_work i thought the LBaaS user could work with ACL access to a container and secrets?	05:02
rm_work	with configurable RBAC it's also possible to make a role specifically for doing consumers operations, and give that to the LBaaS user too	05:02
rm_work	it can	05:02
rm_work	but I don't think ACLs affect the consumer stuff?	05:03
rm_work	or does it	05:03
rm_work	crap, it has been too long	05:03
rm_work	ah, yes -- ACL I think is assumed to work on the same permission as a GET which should be ACL based	05:03
dave-mccowan	yfujioka was getting 404 when posting a consumer because the consumer controller was using project_id as part of the query looking for the container.	05:03
*** diazjf has joined #openstack-barbican		05:03
rm_work	sorry, it is also hard because our internal design does not actually use ACLs right now <_<	05:04
rm_work	hmm then yeah that needs to be fixed to properly accept ACLs	05:04
rm_work	*validate against (?) ACLs	05:04
rm_work	not sure what the best term is	05:04
rm_work	*honor ACLs	05:04
rm_work	probably	05:04
*** diazjf1 has joined #openstack-barbican		05:05
dave-mccowan	does it make sense to give consumer:post permission to a user with read access via ACL?	05:05
rm_work	yes because consumer:post is equivalent to a container:get	05:06
rm_work	in all ways that matter	05:06
dave-mccowan	do you agree that an LBaaS user needs consumer:post permission?	05:06
rm_work	yes, which it would get via the container:get ACL	05:07
rm_work	(it should be reading the same perm)	05:07
dave-mccowan	cool. we have a design then... just a few lines of code to consumers.py and an update to policy.json.	05:07
rm_work	kk cool	05:07
rm_work	do you need someone to do that? i can probably pick it up and do it tomorrow	05:07
dave-mccowan	that'd be great! i don't think i'll get a chance anytime soon.	05:08
*** diazjf has quit IRC		05:08
rm_work	ok i'll take a look in the morning	05:08
rm_work	yeah your bug report is accurate ;P should have just read that first	05:09
rm_work	internally we actually stopped using ACLs so I haven't actually been validating this workflow recently	05:10
*** Prnv has joined #openstack-barbican		05:15
*** kebray has joined #openstack-barbican		05:20
*** kebray has quit IRC		05:20
*** Prnv has quit IRC		05:20
*** Nirupama has joined #openstack-barbican		05:28
*** dave-mccowan has quit IRC		05:36
*** nelsnelson has joined #openstack-barbican		05:58
*** diazjf1 has quit IRC		06:18
*** jaosorior has joined #openstack-barbican		06:48
*** jaosorior has quit IRC		07:45
*** tkelsey has joined #openstack-barbican		08:12
*** jaosorior has joined #openstack-barbican		08:15
*** tkelsey has quit IRC		08:18
*** jaosorior has quit IRC		08:21
*** jaosorior has joined #openstack-barbican		08:22
*** openstackgerrit has quit IRC		09:16
*** openstackgerrit has joined #openstack-barbican		09:16
*** woodster_ has quit IRC		09:59
*** everjeje has joined #openstack-barbican		11:01
*** Nirupama has quit IRC		11:29
*** dave-mccowan has joined #openstack-barbican		12:22
*** Stanzi_ has joined #openstack-barbican		12:40
*** stanzi has joined #openstack-barbican		12:40
dave-mccowan	jaosorior ping	13:15
*** Stanzi_ has quit IRC		13:27
*** stanzi has quit IRC		13:27
jaosorior	dave-mccowan: pong	13:31
*** alee has quit IRC		13:33
*** rellerreller has joined #openstack-barbican		13:37
*** stanzi has joined #openstack-barbican		13:48
*** Stanzi_ has joined #openstack-barbican		13:48
dave-mccowan	jaosorior i noticed that you did a code review on devstack with tls-proxy. have you tried that out?	13:48
*** stanzi has quit IRC		13:52
*** Stanzi_ has quit IRC		13:52
*** jaosorior has quit IRC		14:03
*** jaosorior has joined #openstack-barbican		14:03
*** Stanzi has joined #openstack-barbican		14:09
*** Stanzi has quit IRC		14:13
*** darrenmoffat has quit IRC		14:16
*** darrenmoffat has joined #openstack-barbican		14:17
*** zz_dimtruck is now known as dimtruck		14:25
*** stanzi has joined #openstack-barbican		14:29
*** Stanzi_ has joined #openstack-barbican		14:30
*** stanzi has quit IRC		14:33
*** Stanzi_ has quit IRC		14:34
*** alee has joined #openstack-barbican		14:39
*** Stanzi has joined #openstack-barbican		14:51
*** cbits has joined #openstack-barbican		14:52
*** Stanzi has quit IRC		14:55
*** jaosorior has quit IRC		15:00
*** jaosorior has joined #openstack-barbican		15:02
*** lisaclark1 has joined #openstack-barbican		15:03
*** spotz_zzz is now known as spotz		15:05
*** stanzi has joined #openstack-barbican		15:11
*** stanzi has quit IRC		15:16
*** stanzi has joined #openstack-barbican		15:41
*** xaeth_afk is now known as xaeth		15:42
*** Stanzi_ has joined #openstack-barbican		15:44
jaosorior	dave-mccowan: I had tried that way back, not sure if it still works :/	15:57
jaosorior	alee you around?	15:57
alee	jaosorior, sup?	16:00
jaosorior	alee: HAve you noticed the dogtag gate failing?	16:00
alee	jaosorior, um no -- which CR?	16:01
jaosorior	all of them	16:01
jaosorior	well	16:01
jaosorior	the latest ones	16:01
jaosorior	alee: Fails after running for about 5 min	16:02
jaosorior	alee: for isntance http://logs.openstack.org/18/248918/1/check/gate-barbican-dogtag-devstack-dsvm-f21/cce0767/logs/devstacklog.txt.gz#_2015-11-23_21_39_30_043	16:03
alee	jaosorior, yeah I saw that.	16:04
alee	jaosorior, so whats missing?	16:04
jaosorior	that's a pretty good question	16:04
jaosorior	I dunno	16:05
*** ccneill has joined #openstack-barbican		16:07
alee	jaosorior, dave-mccowan maybe rerun it?	16:08
alee	jaosorior, dave-mccowan looks like the next two CRs had successful runs.	16:08
jaosorior	alee: That has been happening with all the latest CRs I've seen lately	16:08
jaosorior	do they?	16:08
alee	https://review.openstack.org/#/c/247810/ is ok	16:10
*** mixos has joined #openstack-barbican		16:11
jaosorior	funky	16:12
alee	jaosorior, seems to be something after Nov 23 ish	16:12
alee	jaosorior, well -- fedora 21 is nearing EOL in any case. Perhaps we should switch to F22 in any case?	16:13
alee	or F23 ..	16:13
jaosorior	F23 would be the best option, yeah	16:14
alee	jaosorior, can you try changing the gate to do that, and see if it passes?	16:14
jaosorior	huh?	16:14
alee	jaosorior, its where we want to be in any case	16:14
alee	jaosorior, changing the gate setup scripts to use f23	16:15
jaosorior	ah that	16:15
alee	instead of f21	16:15
jaosorior	well, I can try to get some cycles to start migrating to that sometime in the week	16:15
jaosorior	but I guess that should be done in project-config? I'm not entirely sure	16:15
alee	jaosorior, yeah I'm not entirely sure either .. redrobot helped set that up ..	16:16
*** lisaclark1 has quit IRC		16:16
jaosorior	and he's not around, so we gotta figure it out	16:18
*** lisaclark1 has joined #openstack-barbican		16:21
*** silos has joined #openstack-barbican		16:28
*** mixos has quit IRC		16:35
*** vivek-ebay has joined #openstack-barbican		16:36
*** mixos has joined #openstack-barbican		16:39
*** stanzi has quit IRC		16:51
*** Stanzi_ has quit IRC		16:51
*** stanzi_ has joined #openstack-barbican		16:53
*** Stanzi has joined #openstack-barbican		16:53
*** diazjf has joined #openstack-barbican		16:53
*** vivek-ebay has quit IRC		16:56
*** gerrive_ has joined #openstack-barbican		16:56
*** stanzi_ has quit IRC		16:58
*** Stanzi has quit IRC		16:58
*** stanzi has joined #openstack-barbican		16:59
*** Stanzi_ has joined #openstack-barbican		16:59
*** stanzi has quit IRC		17:02
*** stanzi has joined #openstack-barbican		17:02
*** stanzi has quit IRC		17:05
*** stanzi has joined #openstack-barbican		17:06
*** stanzi has quit IRC		17:09
*** Stanzi_ has quit IRC		17:11
*** stanzi_ has joined #openstack-barbican		17:12
*** Stanzi has joined #openstack-barbican		17:12
*** mixos has quit IRC		17:14
*** stanzi_ has quit IRC		17:16
*** Stanzi has quit IRC		17:16
*** kfarr has joined #openstack-barbican		17:18
*** david-ly_ has joined #openstack-barbican		17:19
*** mixos has joined #openstack-barbican		17:23
*** david-l__ has joined #openstack-barbican		17:23
*** david-ly_ has quit IRC		17:23
*** david-lyle has quit IRC		17:23
gerrive_	in the quick barbican install i cannot fin this file "70-barbican.sh"	17:26
gerrive_	has this been deleted?	17:27
rm_work	ah that may have changed due to the new devstack plugin	17:27
rm_work	it may just have moved	17:27
dave-mccowan	gerrive_ yes, that's been removed. it's even quicker to install barbican with devstack now (one line). what directions are you following?	17:30
*** david-l__ has quit IRC		17:30
gerrive_	i am using the get started link in the openstack barbican wiki	17:32
gerrive_	it give three options of install	17:32
rm_work	can you link the specific page?	17:33
gerrive_	https://github.com/cloudkeep/barbican/wiki/Barbican-Getting-Started-Guide	17:33
rm_work	so if you look at the script https://wiki.openstack.org/wiki/BarbicanDevStack	17:33
rm_work	at the bottom of that	17:33
rm_work	https://gist.github.com/rm-you/6feacb91182f5c011018	17:33
rm_work	that is what I wrote and use	17:34
rm_work	oh god no it isn't	17:34
rm_work	crap that is way out of date, nevermind	17:34
rm_work	let me update	17:34
gerrive_	lol	17:34
gerrive_	thank you.	17:34
rm_work	in the meantime look at this: https://gist.github.com/rm-you/f7585ca4932b3ee1eed9	17:35
rm_work	that is what I actually use, though it also includes octavia and neutron-lbaas	17:35
rm_work	basically if you run that but remove the two "enable_plugin" lines for those, it would be good	17:36
gerrive_	awesome.	17:37
rm_work	ah and a couple more	17:37
rm_work	https://gist.github.com/rm-you/6feacb91182f5c011018	17:37
rm_work	updated	17:37
rm_work	try that	17:37
rm_work	basically commented out/removed every other service	17:38
*** pdesai1 has joined #openstack-barbican		17:39
gerrive_	let me give it a go.	17:40
*** mixos has quit IRC		17:42
*** david-lyle has joined #openstack-barbican		17:44
*** pdesai1 has quit IRC		17:49
*** arunkant has quit IRC		17:50
*** arunkant has joined #openstack-barbican		17:51
*** lisaclark1 has quit IRC		17:51
*** pdesai has joined #openstack-barbican		17:52
*** arunkant_ has joined #openstack-barbican		17:52
*** rellerreller has quit IRC		17:55
*** lisaclark1 has joined #openstack-barbican		17:59
*** pdesai has quit IRC		17:59
*** pdesai has joined #openstack-barbican		18:02
*** david-lyle has quit IRC		18:03
*** pdesai has quit IRC		18:06
*** pdesai has joined #openstack-barbican		18:06
arunkant	Hi..What is the right sequence of creating new barbican database tables/schema when auto generate is turned off in barbican.conf i.e. db_auto_create = False in barbican.conf ?	18:06
*** silos has quit IRC		18:07
jaosorior	arunkant: In theory, running the db-manage should work. But honestly I've never seen in succeed	18:07
jaosorior	the first migration scripts were completely unusable, but that might have changec	18:08
jaosorior	* changed	18:08
*** mixos has joined #openstack-barbican		18:08
*** lisaclark1 has quit IRC		18:09
*** jaosorior has quit IRC		18:09
*** jaosorior has joined #openstack-barbican		18:10
arunkant	jaosorior: yes..seeing error when running "barbican-db-manage upgrade" with auto generate off for fresh database. Though it works when autogenerae flag is ON (or not set).	18:10
arunkant	getting this error "stderr: ERROR: (_mysql_exceptions.ProgrammingError) (1146, "Table 'barbican.tenant_secret' doesn't exist") [SQL: u'ALTER TABLE tenant_secret DROP FOREIGN KEY tenant_secret_ibfk_1']	18:10
arunkant	"	18:10
jaosorior	why are yo using auto generate off?	18:10
jaosorior	arunkant: Well, like I said, I've never seen it work	18:11
*** david-lyle has joined #openstack-barbican		18:11
jaosorior	in my previous company I tried to get a dude to make it work, but eventually that didn't fly. And now I don't really have time to dig into that :/	18:11
jaosorior	But yeah, would be nice to get those scripts actually working	18:11
jaosorior	the main issue is with the first ones IIRC	18:11
arunkant	I recall discussing with _woodster that auto generate can be turned off with this flag. But not sure..is it need to be done once database is created or it can off and new databse will be created with upgrade	18:12
jaosorior	arunkant: AFAIK it can be turned off once the database has been created already	18:13
jaosorior	and then you need to rely on the migration scripts	18:14
arunkant	jaosorior: The need is to control database upgrade in deployments .	18:14
arunkant	jaosorior: Yes..that seems to be the behavior..first create the database with auto-generate and then disable auto generate and use db-manage for upgrade.	18:15
jaosorior	arunkant: and you're using MySQL I assume	18:16
arunkant	yes	18:16
*** vivek-ebay has joined #openstack-barbican		18:18
jaosorior	arunkant: Yeah, most of it was tested with Postgres	18:19
jaosorior	so that will be an issue too	18:19
*** kebray has joined #openstack-barbican		18:19
arunkant	jaosorior: okay..will probably need to create issue on this.	18:21
jaosorior	arunkant: There are a bunch of issues already in the tracker, but add more if needed. Certainly would appreciate patches for this	18:22
*** kebray has quit IRC		18:22
*** kebray has joined #openstack-barbican		18:22
arunkant	jaosorior: Another question, does you encountered this issue? ...https://bugs.launchpad.net/barbican/+bug/1519159	18:23
openstack	Launchpad bug 1519159 in Barbican "Barbican number of workers configuration does not work" [Undecided,New]	18:23
arunkant	jaosorior: Yes, will provide the patch if happen to create the db bug.	18:23
jaosorior	arunkant: I've never had to modify the number of workers	18:24
jaosorior	on the other hand, haven't done much barbican stuff latley :/ mostly dealing with tripleo nowadays. Hopefully I can get some time during the week, thinking of migrating the dogtag gate to Fedora 23	18:24
arunkant	jaosorior: Okay. Our QA was testing this and reported this issue. trying to support multiple worker (process) in case it dies or to have HA around order processing.	18:26
jaosorior	arunkant: Hey dude, I gotta go, it's getting late over here :/ I'll read that report tomorrow.	18:28
*** jaosorior has quit IRC		18:28
*** ccneill has quit IRC		18:39
elmiko	diazjf: we still meeting at 2?	18:54
diazjf	elmiko, yessir.	18:54
elmiko	cool	18:54
diazjf	I'll post up the link in a few min	18:54
elmiko	k	18:54
diazjf	elmiko, kfarr, rellerreller and anyone else who wants to join in: https://hangouts.google.com/hangouts/_/fiu.edu/castellan-context	19:00
diazjf	kfarr, can't hear you :(	19:03
kfarr	diazjf I know :(	19:03
kfarr	I don't know how to fix it yet	19:03
diazjf	Try rejoining maybe a browser issue	19:04
*** silos has joined #openstack-barbican		19:05
elmiko	kfarr: we're getting something from your mic	19:12
kfarr	elmiko, yeah! I think i fixed it, but didn't want to interrupt	19:12
elmiko	\o/	19:13
*** rellerreller has joined #openstack-barbican		19:13
*** lisaclark1 has joined #openstack-barbican		19:27
*** ccneill has joined #openstack-barbican		19:29
diazjf	http://docs.openstack.org/developer/swift/development_auth.html	19:37
openstackgerrit	Arun Kant proposed openstack/barbican: Fixing oslo config CONF handle to be same as barbican config CONF https://review.openstack.org/248324	19:40
diazjf	alee, we lost you :(	19:47
*** kebray has quit IRC		19:48
*** stanzi has joined #openstack-barbican		19:48
*** Stanzi_ has joined #openstack-barbican		19:48
kfarr	diazjf did everyone get kicked off?	19:49
alee	tryingg to rejoin ..	19:50
elmiko	i'm still here	19:50
kfarr	or is it just my internet	19:50
diazjf	kfarr, just you and alee	19:50
*** Stanzi_ has quit IRC		19:53
*** stanzi has quit IRC		19:53
openstackgerrit	Christopher Solis proposed openstack/python-barbicanclient: Add acl filter to secrets https://review.openstack.org/240339	20:03
*** kebray has joined #openstack-barbican		20:09
*** edtubill has joined #openstack-barbican		20:34
*** rellerreller has quit IRC		20:44
alee	diazjf, elmiko , kfarr - what we essentially discussed is creating a PKI keystone token.	20:52
alee	diazjf, elmiko kfarr -- so if we reuse the code that keystone uses to create a PKI keystone token, then we don't even need to write new middleware potentially	20:53
elmiko	alee: that would be cool	20:54
*** kebray has quit IRC		20:54
diazjf	alee, thanks for the info. I'll look more into it.	20:58
openstackgerrit	Arun Kant proposed openstack/barbican: Fixing oslo config CONF handle to be same as barbican config CONF https://review.openstack.org/248324	21:01
*** kebray has joined #openstack-barbican		21:02
openstackgerrit	Christopher Solis proposed openstack/python-barbicanclient: Add acl filter to secrets https://review.openstack.org/240339	21:06
*** kebray has quit IRC		21:06
*** kebray has joined #openstack-barbican		21:35
*** kebray has quit IRC		21:41
spotz	Hey anyone know if the wiki git repository needs a bug and gerrit to fix something?	21:45
*** dimtruck is now known as zz_dimtruck		21:48
alee	diazjf, elmiko , kfarr another way to think about this is like a federation problem -- how are the swift users currently authenticating ? and can we use saml/oauth or whaterver to federate identity?	21:49
alee	ultimately thats the most secure and standard way of doing things ..	21:49
alee	and then we would not have to worry about special setups	21:50
alee	with swift -- and -- we make barbican accessible outside of openstack	21:50
alee	which is perhaps much more useful from a barbican point of view.	21:51
*** mixos_ has joined #openstack-barbican		21:52
diazjf	alee, so pretty much a middleware which maps a saml assertion to user/role/tenant in the Barbican pipeline. In swift config will then just need to send the information via SAML assertion etc.	21:53
diazjf	elmiko, kfarr ^	21:53
elmiko	makes sense	21:54
alee	yup	21:54
*** cbits has quit IRC		21:54
diazjf	alee, I like this idea the most! :)	21:54
elmiko	and probably wise to use something like SAML as the generic auth methodology	21:54
*** mixos_ has quit IRC		21:54
*** mixos has quit IRC		21:55
alee	diazjf, elmiko kfarr - right -- the idea is to forget that this is swift. instead consider how anyone should authenticate to barbican	21:55
alee	and then have swift/barbican client do the right thing ..	21:55
elmiko	+1	21:56
diazjf	+1	21:56
kfarr	Does that mean Barbican will accept SAML as an option, and still accept oslo RequestContext objects?	21:58
alee	right -- two different auth middleware ..	21:58
*** mixos has joined #openstack-barbican		21:58
*** lisaclark1 has quit IRC		21:58
*** lisaclark1 has joined #openstack-barbican		21:59
kfarr	Ok, I don't know very much about this, but it seems do-able so far +1	21:59
*** pdesai has quit IRC		21:59
elmiko	alee: the question i have about SAML/oauth, does it require an outside authentication or is it just a signed token that is delivered?	22:00
diazjf	elmiko, alee, correct me if I'm wrong but I think Barbican will act as the Identity and Service provider.	22:02
diazjf	It will check agains specific SAML assertions in its mapping	22:02
diazjf	SAML assertions are created in barbican client	22:03
elmiko	diazjf: good question, i need to study up on SAML a little more before answering that	22:03
*** lisaclark1 has quit IRC		22:03
diazjf	elmiko, alee, I'll study up on all that before I create the spec ;)	22:04
elmiko	sounds good	22:05
alee	elmiko, diazjf yeah --- I need to think through how it would all work ..	22:05
*** stanzi_ has joined #openstack-barbican		22:05
*** Stanzi has joined #openstack-barbican		22:05
diazjf	alee, maybe we can look at SAML assertions in K2K Federation for starters, since KS itself can act as an IDP	22:08
alee	diazjf, yup - I'll spend a bit of time tomorrow mapping it out ..	22:08
diazjf	alee, elmiko, kfarr, awesome thanks for all your help on this	22:09
*** edtubill has quit IRC		22:13
*** kfarr has quit IRC		22:22
*** silos has left #openstack-barbican		22:22
*** nkinder has quit IRC		22:25
*** mixos has quit IRC		22:28
*** mixos has joined #openstack-barbican		22:41
*** alee has quit IRC		22:45
*** gerrive_ has quit IRC		22:51
*** spotz is now known as spotz_zzz		23:06
*** diazjf has quit IRC		23:11
*** stanzi_ has quit IRC		23:16
*** Stanzi has quit IRC		23:16
*** xaeth is now known as xaeth_afk		23:17
*** mixos has quit IRC		23:21
*** ccneill has quit IRC		23:25
*** mixos has joined #openstack-barbican		23:25
*** pdesai has joined #openstack-barbican		23:31
*** Stanzi has joined #openstack-barbican		23:32
*** stanzi_ has joined #openstack-barbican		23:32
*** Stanzi has quit IRC		23:35
*** Stanzi has joined #openstack-barbican		23:36
*** pdesai has quit IRC		23:42
*** pdesai has joined #openstack-barbican		23:42
*** pdesai has quit IRC		23:43
*** mixos has quit IRC		23:47
*** pdesai has joined #openstack-barbican		23:48

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!