*** alee has quit IRC | 00:38 | |
*** chlong has quit IRC | 01:40 | |
*** chlong has joined #openstack-barbican | 01:54 | |
*** gyee has quit IRC | 02:52 | |
*** woodster_ has quit IRC | 02:59 | |
*** dimtruck is now known as zz_dimtruck | 04:11 | |
*** lixiaoy1 has quit IRC | 05:14 | |
*** jsheeren has joined #openstack-barbican | 05:45 | |
jsheeren | rm_work: are you still up? | 05:47 |
*** pcaruana has joined #openstack-barbican | 06:05 | |
*** andreas_s has joined #openstack-barbican | 06:15 | |
-openstackstatus- NOTICE: All python 3.5 jobs are failing today, we need to build new xenial images first. | 06:26 | |
openstackgerrit | yuyafei proposed openstack/barbican: Remove white space between print and () https://review.openstack.org/338072 | 07:43 |
jsheeren | q | 07:57 |
jsheeren | oops | 07:57 |
rm_work | jsheeren: i am now, briefly | 10:13 |
rm_work | i was away for a bit | 10:13 |
jsheeren | just to let you know | 10:14 |
jsheeren | i sniffed the queries to see what's going on at the database level | 10:14 |
jsheeren | i added both the octavia as the neutron user in the acl for the container and the secret | 10:15 |
jsheeren | **secrets | 10:15 |
jsheeren | when i want to create the https listener; it fetches the container with the correct id | 10:16 |
jsheeren | it then checks the projects | 10:16 |
jsheeren | then it tries to insert a project with the service project id | 10:16 |
jsheeren | then it tries to fetch the container with the correct id, but now limited to this new project (with the service project/tenant id) | 10:16 |
jsheeren | it does not find the container, as it is linked to the admin user project id, and then does a rollback | 10:17 |
rm_work | hmmm | 10:17 |
jsheeren | and complains about the secret in the other castle stuff | 10:17 |
rm_work | so is the first one the neutron request? | 10:17 |
rm_work | then the failing one is from octavia? | 10:17 |
rm_work | or are both from neutron-lbaas? | 10:17 |
jsheeren | yes, we can see the neutron user id in the request | 10:17 |
jsheeren | yep, but the octavia user has read rights on the container and the secret | 10:18 |
jsheeren | s | 10:18 |
rm_work | i don't know how it can communicate with barbican without sending the correct userid | 10:18 |
rm_work | since it has to get a keystone token, and that requires a userid :/ | 10:18 |
jsheeren | it's weird that it wants to insert a row in the projects table with the service project id; even if this succeeds it cannot find the containers because they are linked to the admin user project | 10:19 |
rm_work | and barbican should be checking the role/user from the keystone token | 10:19 |
rm_work | that is for the consumer registration | 10:19 |
rm_work | i bet the consumer registration / ACL interaction was never fixed | 10:19 |
jsheeren | was it broken? | 10:20 |
rm_work | I had to drop my work on that because i was retasked internally | 10:20 |
rm_work | i handed it off to someone else on the barbican team | 10:20 |
jsheeren | ok | 10:20 |
rm_work | but I guess it was never completed | 10:20 |
rm_work | let me see if i can find my patchset | 10:20 |
jsheeren | do you have a... ah; thx | 10:20 |
rm_work | to be fair, it is ONLY relevant to us | 10:20 |
rm_work | so i can see why it would be lowest priority :P | 10:20 |
rm_work | (us == octavia) | 10:20 |
jsheeren | :) | 10:21 |
rm_work | https://review.openstack.org/#/c/251168/ | 10:21 |
rm_work | ooooold patch | 10:21 |
rm_work | but, that is ... the beginnings of a fix | 10:22 |
jsheeren | :-) thanks i'll have a look | 10:22 |
rm_work | mostly it is policy work | 10:22 |
rm_work | maybe that is informative enough to be helpful? check the comments, there was a bit of discussion (this was a patch from the midcycle last time) | 10:22 |
jsheeren | aight i will, thx! i'll let you know if i have any progress :) | 10:23 |
rm_work | if you feel comfortable with RBAC / oslo-policy stuff, your help with that might be appreciated :P | 10:24 |
rm_work | it looks like the guy who picked it up after me also abandoned it | 10:24 |
rm_work | so, feel free to take over that patchset if you want | 10:24 |
rm_work | i'll try to rebase it now and see how badly it explodes, lol | 10:24 |
openstackgerrit | Adam Harwell proposed openstack/barbican: Remove consumer check for project_id to match containers https://review.openstack.org/251168 | 10:24 |
jsheeren | k, my coding skills are not that good though | 10:24 |
rm_work | wow, it ... rebased without conflicts O_o | 10:25 |
rm_work | unexpected | 10:25 |
jsheeren | let me check it and see if can do something (can't promise anything though) | 10:25 |
jsheeren | nice | 10:25 |
* rm_work is now a CR necromancer | 10:25 | |
rm_work | alright, i should probably try to sleep now, standup meeting in ... 5.5 hours | 10:27 |
rm_work | good luck! | 10:27 |
jsheeren | have a good night! | 10:27 |
jsheeren | thanks for your help, it's much appreciated | 10:28 |
rm_work | np, i'd like to see this working | 10:28 |
*** sayalilunkad has joined #openstack-barbican | 11:23 | |
*** permalac has joined #openstack-barbican | 12:02 | |
*** zz_dimtruck is now known as dimtruck | 12:39 | |
*** woodster_ has joined #openstack-barbican | 13:04 | |
*** sigmavirus_away is now known as sigmavirus | 13:24 | |
*** alee has joined #openstack-barbican | 13:26 | |
*** dimtruck is now known as zz_dimtruck | 13:43 | |
*** tinwood has joined #openstack-barbican | 13:48 | |
tinwood | Hello barbican folks. I'm having a problem with getting barbican - softhsm2 - openssl1.0.0 running, and think I may have found a bug? It seems to be something to do with not seeding the random seed in the OpenSSL RNG: https://www.openssl.org/docs/faq.html#USER1 -- anybody else hit this? | 13:52 |
*** zz_dimtruck is now known as dimtruck | 14:05 | |
*** kfarr has joined #openstack-barbican | 14:06 | |
alee | hyakuhei, ping | 14:06 |
*** diazjf has joined #openstack-barbican | 14:06 | |
*** diazjf has quit IRC | 14:09 | |
woodster_ | tinwood: not sure how many folks deploy Barbican that way. I thought there was talk of adding softhsm as a gate job? alee do you recall? | 14:10 |
tinwood | woodster_, I'm writing a juju charm for it and needed a 'baseline' for people to install and have a 'play', so to speak. Not for production use. I just hit this issue and wondered if it was a known thing. | 14:11 |
woodster_ | tinwood: please feel free to open a bug on launchpad. I'd also note that barbican should run out of the box with an insecure dev plugin as well. That would be an even simpler play to start with if you wanted to | 14:13 |
tinwood | woodster_, yes, saw that too. This was to provide an example of an HSM plugin as a baseline for charming HSMs. | 14:14 |
tinwood | woodster_, I'll raise a bug with as much information as I can. Thanks. | 14:14 |
woodster_ | tinwood: ah got it. Yes please. There are others on the project I don't see logged in now that might be able to shed light on the bug as well | 14:15 |
tinwood | woodster_, ah, great. I'll file the bug and then pop it in here for context. Thanks again. | 14:15 |
*** randallburt has joined #openstack-barbican | 14:18 | |
*** diazjf has joined #openstack-barbican | 14:19 | |
*** randallburt1 has joined #openstack-barbican | 14:20 | |
*** randallburt has quit IRC | 14:23 | |
*** jmckind has joined #openstack-barbican | 14:25 | |
*** spotz_zzz is now known as spotz | 14:28 | |
*** alee_ has joined #openstack-barbican | 14:39 | |
*** alee_ has joined #openstack-barbican | 14:40 | |
*** alee has quit IRC | 14:42 | |
*** jsheeren has quit IRC | 14:57 | |
*** diazjf has quit IRC | 15:01 | |
*** diazjf has joined #openstack-barbican | 15:01 | |
tinwood | Just to confirm, I've filed the bug as bug#1599550. Let me know if there's any more info required. | 15:03 |
*** pcaruana has quit IRC | 15:06 | |
alee_ | redrobot, ping | 15:08 |
redrobot | alee_ pong | 15:08 |
alee_ | redrobot, anyone here familiar with writing tempest tests? | 15:08 |
*** kfarr has quit IRC | 15:09 | |
alee_ | redrobot, I'm trying to write the current encrypted volumes tempest test so as to run using barbican as a backend | 15:09 |
alee_ | redrobot, not sure what needs to be done to do that and looking for some pointers | 15:09 |
redrobot | alee_ I think hockeynut is fluent in Tempest speak | 15:09 |
redrobot | alee_ for details on encrypted volumes kfarr is the expert | 15:10 |
alee_ | is hockeynut around? | 15:10 |
alee_ | yeah kfarr and diazjf pointed me to the current tempest test | 15:11 |
alee_ | which presumably just runs with a basic devstack instance using whatever default key manager cinder and nova have | 15:11 |
alee_ | what I'd like to do is retry the same tests after configuring nova and cinder to use barbican instead | 15:12 |
alee_ | (and of course put that in the barbican tree as a tempest plugin) | 15:13 |
*** asingh has joined #openstack-barbican | 15:21 | |
*** Kiall has quit IRC | 15:25 | |
*** Kiall has joined #openstack-barbican | 15:28 | |
*** asingh has quit IRC | 15:29 | |
*** asingh has joined #openstack-barbican | 15:30 | |
*** andreas_s has quit IRC | 15:30 | |
*** diazjf has quit IRC | 15:41 | |
*** kfarr has joined #openstack-barbican | 16:10 | |
*** gyee has joined #openstack-barbican | 16:21 | |
*** gyee has quit IRC | 16:45 | |
*** kfarr has quit IRC | 16:49 | |
*** kfarr has joined #openstack-barbican | 16:53 | |
*** gyee has joined #openstack-barbican | 17:00 | |
*** kfarr has quit IRC | 17:10 | |
*** diazjf has joined #openstack-barbican | 18:06 | |
*** permalac has quit IRC | 18:09 | |
*** jsheeren has joined #openstack-barbican | 18:10 | |
*** kfarr has joined #openstack-barbican | 18:18 | |
alee_ | kfarr, ping | 18:23 |
kfarr | alee_ pong | 18:23 |
alee_ | kfarr, are you familiar with how to write tempest tests? | 18:23 |
kfarr | ah, well I wrote that one tempest test for cinder volume encryption, ages ago | 18:24 |
alee_ | kfarr, yes - I've been studying that one intently | 18:24 |
alee_ | kfarr, what I'd basically like to do is run those tests - but first set up nova-cinder-barbican | 18:25 |
alee_ | so that it becomes a barbican tempest test | 18:25 |
alee_ | kfarr, trying to figure out how to do that. | 18:26 |
kfarr | well, so, the tempest tests are meant to run against an existing DevStack set up | 18:26 |
kfarr | so if the devstack / whatever stack is set up with nova cinder barbican, it should be testing cinder volume encryption using barbican | 18:26 |
alee_ | kfarr, yeah .. | 18:27 |
kfarr | I think it sort of goes against the nature of the Tempest tests to do any configuring / setting up of services in the middle of the tests | 18:28 |
alee_ | kfarr, ok | 18:28 |
kfarr | alee_ is that helpful maybe? | 18:28 |
alee_ | very helpful. you may have saved me some unnecessary work :) | 18:29 |
alee_ | or at least directed me to the right kind of work :) | 18:29 |
alee_ | kfarr, thanks | 18:30 |
*** diazjf has quit IRC | 18:36 | |
*** diazjf has joined #openstack-barbican | 18:43 | |
redrobot | kfarr ping | 18:50 |
kfarr | redrobot, pong! | 18:50 |
redrobot | kfarr hi! I have a question for you | 18:50 |
redrobot | kfarr I'm trying to learn more about the Encrypted Block Storage feature | 18:50 |
redrobot | kfarr specifically, I'm interested in the interaction between Nova/Cinder and Barbican, and what tokens are used for what actions | 18:51 |
kfarr | redrobot, yes yes | 18:51 |
redrobot | kfarr do you have any links that may be helpful? | 18:51 |
kfarr | So the authentication that is passed to barbican is the same authentication context that was used to create the volume | 18:51 |
kfarr | I'll look | 18:51 |
redrobot | kfarr I see, so the owner of the barbican secret ends up being the user? | 18:52 |
kfarr | redrobot, yes | 18:52 |
kfarr | So the user has to have barbican admin/creator privileges | 18:52 |
kfarr | even if they are just a non-admin in the rest of openstack | 18:53 |
redrobot | kfarr gotcha, yeah that makes sense | 18:53 |
kfarr | redrobot, here's a little blurb about it here: http://docs.openstack.org/security-guide/tenant-data/data-encryption.html | 18:54 |
redrobot | kfarr sweet! I'll give that a read. Thanks! :D | 18:54 |
kfarr | redrobot, and here's a video from Hong Kong: https://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/encrypted-block-storage-technical-walkthrough | 18:55 |
*** kfarr has quit IRC | 18:59 | |
jsheeren | rm_work: hi, are you here? | 19:00 |
*** asingh has quit IRC | 19:03 | |
*** asingh has joined #openstack-barbican | 19:04 | |
*** diazjf has quit IRC | 19:17 | |
*** kfarr has joined #openstack-barbican | 19:19 | |
jsheeren | rm_work: just to let you know, the patches you suggested (https://review.openstack.org/#/c/251168/) work in our environment | 19:20 |
jsheeren | we just had to edit the policy file a little bit further to make it work, also, we added the octavia and neutron users as observers inside the users project | 19:22 |
jsheeren | don't know if that is an issue or not? https://github.com/cloudkeep/barbican/wiki/Role-Based-Access-Control#roles | 19:22 |
jsheeren | without that, we got permission denieds in our logs | 19:23 |
*** diazjf has joined #openstack-barbican | 19:41 | |
*** mathiasb has quit IRC | 20:01 | |
*** rm_mobile has joined #openstack-barbican | 20:01 | |
*** rm_mobile has quit IRC | 20:01 | |
*** rm_mobile has joined #openstack-barbican | 20:01 | |
*** diazjf has quit IRC | 20:01 | |
*** diazjf has joined #openstack-barbican | 20:02 | |
*** rm_mobile| has joined #openstack-barbican | 20:09 | |
*** rm_mobile has quit IRC | 20:13 | |
rm_work | jsheeren: hmm, they should not need anything on the project besides the basic ACL READ on the secrets/container | 20:13 |
rm_work | jsheeren: but it is good to hear that it works otherwise | 20:13 |
rm_work | oh, though | 20:13 |
rm_work | i think maybe it doesn't ACTUALLY work | 20:14 |
jsheeren | hm? | 20:14 |
rm_work | because after i passed it off, it looks like the person who took over the patch just commented out a bunch of validation code | 20:14 |
rm_work | if you un-comment that, i wonder if it will still actually work | 20:14 |
jsheeren | right, yeah i saw that | 20:14 |
rm_work | if you're running that patch, access to your containers may be wide open? | 20:14 |
jsheeren | you mean the _consumer_ownership_mismatch line? | 20:15 |
rm_work | yeah that whole block | 20:15 |
*** rm_mobile| has quit IRC | 20:16 | |
*** mathiasb has joined #openstack-barbican | 20:33 | |
jsheeren | rm_work: so I uncommented the commented code. and it still works | 20:37 |
rm_work | ok | 20:37 |
jsheeren | tls listener is created | 20:37 |
rm_work | that's great | 20:37 |
rm_work | definitely update that CR with the changes you've made | 20:37 |
jsheeren | no errors about not finding stuff or policy stuff | 20:37 |
rm_work | and we'll get redrobot and alee_ and others to take a look :P | 20:37 |
jsheeren | I will, just need to figure out how to do that! | 20:38 |
jsheeren | :) | 20:38 |
rm_work | heh, there's a guide somewhere... | 20:38 |
rm_work | http://docs.openstack.org/infra/manual/developers.html#getting-started | 20:38 |
jsheeren | https://review.openstack.org/Documentation/intro-quick.html | 20:38 |
jsheeren | ah another one | 20:38 |
jsheeren | thanks | 20:38 |
rm_work | the one i linked is possibly newer and more direct | 20:39 |
rm_work | LP account -> install git-review -> do the thing :P | 20:39 |
rm_work | hit me up if you need help at any stage of getting set up for that | 20:39 |
jsheeren | rm_work: aight thanks! | 20:52 |
*** jsheeren has quit IRC | 20:52 | |
*** jsheeren has joined #openstack-barbican | 20:54 | |
*** diazjf has quit IRC | 21:07 | |
openstackgerrit | Douglas Mendizábal proposed openstack/barbican: Implement Date Filters for Secrets https://review.openstack.org/338405 | 21:12 |
*** jmckind has quit IRC | 21:43 | |
*** jsheeren has quit IRC | 21:47 | |
*** sigmavirus is now known as sigmavirus_away | 21:52 | |
*** gyee has quit IRC | 21:54 | |
*** diazjf has joined #openstack-barbican | 21:56 | |
*** spotz is now known as spotz_zzz | 21:57 | |
*** diazjf has quit IRC | 22:00 | |
openstackgerrit | Merged openstack/barbican: Add support for modifying Generic Containers https://review.openstack.org/327229 | 22:05 |
*** david-lyle_ has joined #openstack-barbican | 22:21 | |
*** kfarr has quit IRC | 22:25 | |
*** david-lyle_ is now known as david-lyle | 22:35 | |
*** dimtruck is now known as zz_dimtruck | 22:43 | |