Wednesday, 2016-07-06

00:38 *** alee has quit IRC
01:40 *** chlong has quit IRC
01:54 *** chlong has joined #openstack-barbican
02:52 *** gyee has quit IRC
02:59 *** woodster_ has quit IRC
04:11 *** dimtruck is now known as zz_dimtruck
05:14 *** lixiaoy1 has quit IRC
05:45 *** jsheeren has joined #openstack-barbican
05:47 <jsheeren> rm_work: are you still up?
06:05 *** pcaruana has joined #openstack-barbican
06:15 *** andreas_s has joined #openstack-barbican
06:26 -openstackstatus- NOTICE: All python 3.5 jobs are failing today, we need to build new xenial images first.
07:43 <openstackgerrit> yuyafei proposed openstack/barbican: Remove white space between print and ()  https://review.openstack.org/338072
07:57 <jsheeren> q
07:57 <jsheeren> oops
10:13 <rm_work> jsheeren: i am now, briefly
10:13 <rm_work> i was away for a bit
10:14 <jsheeren> just to let you know
10:14 <jsheeren> i sniffed the queries to see what's going on at the database level
10:15 <jsheeren> i added both the octavia and the neutron user in the acl for the container and the secret
10:15 <jsheeren> **secrets
10:16 <jsheeren> when i want to create the https listener; it fetches the container with the correct id
10:16 <jsheeren> it then checks to projects
10:16 <jsheeren> then it tries to insert a project with the service project id
10:16 <jsheeren> then it tries to fetch the container with the correct id, but now limited to this new project (with the service project/tenant id)
10:17 <jsheeren> it does not find the container, as it is linked to the admin user project id, and then does a rollback
10:17 <rm_work> hmmm
10:17 <jsheeren> and complains about the secret in the other castle stuff
10:17 <rm_work> so is the first one the neutron request?
10:17 <rm_work> then the failing one is from octavia?
10:17 <rm_work> or are both from neutron-lbaas?
10:17 <jsheeren> yes, we can see the neutron user id in the request
10:18 <jsheeren> yep, but the octavia user has read rights on the container and the secret
10:18 <jsheeren> s
10:18 <rm_work> i don't know how it can communicate with barbican without sending the correct userid
10:18 <rm_work> since it has to get a keystone token, and that requires a userid :/
10:19 <jsheeren> it's weird that it wants to insert a row in the projects table with the service project id; even if this succeeds it cannot find the containers because they are linked to the admin user project
10:19 <rm_work> and barbican should be checking the role/user from the keystone token
10:19 <rm_work> that is for the consumer registration
10:19 <rm_work> i bet the consumer registration / ACL interaction was never fixed
10:20 <jsheeren> was it broken?
10:20 <rm_work> I had to drop my work on that because i was retasked internally
10:20 <rm_work> i handed it off to someone else on the barbican team
10:20 <jsheeren> ok
10:20 <rm_work> but I guess it was never completed
10:20 <rm_work> let me see if i can find my patchset
10:20 <jsheeren> do you have a... ah; thx
10:20 <rm_work> to be fair, it is ONLY relevant to us
10:20 <rm_work> so i can see why it would be lowest priority :P
10:20 <rm_work> (us == octavia)
10:21 <jsheeren> :)
10:21 <rm_work> https://review.openstack.org/#/c/251168/
10:21 <rm_work> ooooold patch
10:22 <rm_work> but, that is ... the beginnings of a fix
10:22 <jsheeren> :-) thanks i'll have a look
10:22 <rm_work> mostly it is policy work
10:22 <rm_work> maybe that is informative enough to be helpful? check the comments, there was a bit of discussion (this was a patch from the midcycle last time)
10:23 <jsheeren> aight i will, thx!  i'll let you know if i have any progress :)
10:24 <rm_work> if you feel comfortable with RBAC / oslo-policy stuff, your help with that might be appreciated :P
10:24 <rm_work> it looks like the guy who picked it up after me also abandoned it
10:24 <rm_work> so, feel free to take over that patchset if you want
10:24 <rm_work> i'll try to rebase it now and see how badly it explodes, lol
10:24 <openstackgerrit> Adam Harwell proposed openstack/barbican: Remove consumer check for project_id to match containers  https://review.openstack.org/251168
10:24 <jsheeren> k, my coding skills are not that good though
10:25 <rm_work> wow, it ... rebased without conflicts O_o
10:25 <rm_work> unexpected
10:25 <jsheeren> let me check it and see if i can do something (can't promise anything though)
10:25 <jsheeren> nice
10:25 * rm_work is now a CR necromancer
10:27 <rm_work> alright, i should probably try to sleep now, standup meeting in ... 5.5 hours
10:27 <rm_work> good luck!
10:27 <jsheeren> have a good night!
10:28 <jsheeren> thanks for your help, it's much appreciated
10:28 <rm_work> np, i'd like to see this working
11:23 *** sayalilunkad has joined #openstack-barbican
12:02 *** permalac has joined #openstack-barbican
12:39 *** zz_dimtruck is now known as dimtruck
13:04 *** woodster_ has joined #openstack-barbican
13:24 *** sigmavirus_away is now known as sigmavirus
13:26 *** alee has joined #openstack-barbican
13:43 *** dimtruck is now known as zz_dimtruck
13:48 *** tinwood has joined #openstack-barbican
13:52 <tinwood> Hello barbican folks.  I'm having a problem with getting barbican - softhsm2 - openssl1.0.0 running, and think I may have found a bug?  It seems to be something to do with not seeding the random seed in the OpenSSL RNG: https://www.openssl.org/docs/faq.html#USER1  -- anybody else hit this?
14:05 *** zz_dimtruck is now known as dimtruck
14:06 *** kfarr has joined #openstack-barbican
14:06 <alee> hyakuhei, ping
14:06 *** diazjf has joined #openstack-barbican
14:09 *** diazjf has quit IRC
14:10 <woodster_> tinwood: not sure how many folks deploy Barbican that way. I thought there was talk of adding softhsm as a gate job? alee do you recall?
14:11 <tinwood> woodster_, I'm writing a juju charm for it and needed a 'baseline' for people to install and have a 'play' so to speak.  Not for production use.  I just hit this issue and wondered if it was a known thing.
14:13 <woodster_> tinwood: please feel free to open a bug on launchpad. I'd also note that barbican should run out of the box with an insecure dev plugin as well. That would be an even simpler play to start with if you wanted to
14:14 <tinwood> woodster_, yes, saw that too.  This was to provide an example of an HSM plugin as a baseline for charming HSMs.
14:14 <tinwood> woodster_, I'll raise a bug with as much information as I can.  Thanks.
14:15 <woodster_> tinwood: ah got it. Yes please. There are others on the project I don't see logged in now that might be able to shed light on the bug as well
14:15 <tinwood> woodster_, ah, great.  I'll file the bug and then pop it in here for context.  Thanks again.
14:18 *** randallburt has joined #openstack-barbican
14:19 *** diazjf has joined #openstack-barbican
14:20 *** randallburt1 has joined #openstack-barbican
14:23 *** randallburt has quit IRC
14:25 *** jmckind has joined #openstack-barbican
14:28 *** spotz_zzz is now known as spotz
14:39 *** alee_ has joined #openstack-barbican
14:40 *** alee_ has joined #openstack-barbican
14:42 *** alee has quit IRC
14:57 *** jsheeren has quit IRC
15:01 *** diazjf has quit IRC
15:01 *** diazjf has joined #openstack-barbican
15:03 <tinwood> Just to confirm, I've filed the bug as bug#1599550.  Let me know if there's any more info required.
15:06 *** pcaruana has quit IRC
15:08 <alee_> redrobot, ping
15:08 <redrobot> alee_ pong
15:08 <alee_> redrobot, anyone here familiar with writing tempest tests?
15:09 *** kfarr has quit IRC
15:09 <alee_> redrobot, I'm trying to write the current encrypted volumes tempest test so as to run using barbican as a backend
15:09 <alee_> redrobot, not sure what needs to be done to do that and looking for some pointers
15:09 <redrobot> alee_ I think hockeynut is fluent in Tempest speak
15:10 <redrobot> alee_ for details on encrypted volumes kfarr is the expert
15:10 <alee_> is hockeynut around?
15:11 <alee_> yeah kfarr and diazjf pointed me to the current tempest test
15:11 <alee_> which presumably just runs with a basic devstack instance using whatever default key manager cinder and nova have
15:12 <alee_> what I'd like to do is retry the same tests after configuring nova and cinder to use barbican instead
15:13 <alee_> (and of course put that in the barbican tree as a tempest plugin)
15:21 *** asingh has joined #openstack-barbican
15:25 *** Kiall has quit IRC
15:28 *** Kiall has joined #openstack-barbican
15:29 *** asingh has quit IRC
15:30 *** asingh has joined #openstack-barbican
15:30 *** andreas_s has quit IRC
15:41 *** diazjf has quit IRC
16:10 *** kfarr has joined #openstack-barbican
16:21 *** gyee has joined #openstack-barbican
16:45 *** gyee has quit IRC
16:49 *** kfarr has quit IRC
16:53 *** kfarr has joined #openstack-barbican
17:00 *** gyee has joined #openstack-barbican
17:10 *** kfarr has quit IRC
18:06 *** diazjf has joined #openstack-barbican
18:09 *** permalac has quit IRC
18:10 *** jsheeren has joined #openstack-barbican
18:18 *** kfarr has joined #openstack-barbican
18:23 <alee_> kfarr, ping
18:23 <kfarr> alee_ pong
18:23 <alee_> kfarr, are you familiar with how to write tempest tests?
18:24 <kfarr> ah, well I wrote that one tempest test for cinder volume encryption, ages ago
18:24 <alee_> kfarr, yes - I've been studying that one intently
18:25 <alee_> kfarr, what I'd basically like to do is run those tests - but first set up nova-cinder-barbican
18:25 <alee_> so that it becomes a barbican tempest test
18:26 <alee_> kfarr, trying to figure out how to do that.
18:26 <kfarr> well, so, the tempest tests are meant to run against an existing DevStack set up
18:26 <kfarr> so if the devstack / whatever stack is set up with nova cinder barbican, it should be testing cinder volume encryption using barbican
18:27 <alee_> kfarr, yeah ..
18:28 <kfarr> I think it sort of goes against the nature of the Tempest tests to do any configuring / setting up of services in the middle of the tests
18:28 <alee_> kfarr, ok
18:28 <kfarr> alee_ is that helpful maybe?
18:29 <alee_> very helpful.  you may have saved me some unnecessary work :)
18:29 <alee_> or at least directed me to the right kind of work :)
18:30 <alee_> kfarr, thanks
18:36 *** diazjf has quit IRC
18:43 *** diazjf has joined #openstack-barbican
18:50 <redrobot> kfarr ping
18:50 <kfarr> redrobot, pong!
18:50 <redrobot> kfarr hi!  I have a question for you
18:50 <redrobot> kfarr I'm trying to learn more about the Encrypted Block Storage feature
18:51 <redrobot> kfarr specifically, I'm interested in the interaction between Nova/Cinder and Barbican, and what tokens are used for what actions
18:51 <kfarr> redrobot, yes yes
18:51 <redrobot> kfarr do you have any links that may be helpful?
18:51 <kfarr> So the authentication that is passed to barbican is the same authentication context that was used to create the volume
18:51 <kfarr> I'll look
18:52 <redrobot> kfarr I see, so the owner of the barbican secret ends up being the user?
18:52 <kfarr> redrobot, yes
18:52 <kfarr> So the user has to have barbican admin/creator privileges
18:53 <kfarr> even if they are just a non-admin in the rest of openstack
18:53 <redrobot> kfarr gotcha, yeah that makes sense
18:54 <kfarr> redrobot, here's a little blurb about it here: http://docs.openstack.org/security-guide/tenant-data/data-encryption.html
18:54 <redrobot> kfarr sweet!  I'll give that a read.  Thanks! :D
18:55 <kfarr> redrobot, and here's a video from Hong Kong: https://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/encrypted-block-storage-technical-walkthrough
18:59 *** kfarr has quit IRC
19:00 <jsheeren> rm_work: hi, are you here?
19:03 *** asingh has quit IRC
19:04 *** asingh has joined #openstack-barbican
19:17 *** diazjf has quit IRC
19:19 *** kfarr has joined #openstack-barbican
19:20 <jsheeren> rm_work: just to let you know, the patches you suggested (https://review.openstack.org/#/c/251168/) work in our environment
19:22 <jsheeren> we just had to edit the policy file a little bit further to make it work, also, we added the octavia and neutron users as observers inside the user's project
19:22 <jsheeren> don't know if that is an issue or not?  https://github.com/cloudkeep/barbican/wiki/Role-Based-Access-Control#roles
19:23 <jsheeren> without that, we got permission denieds in our logs
19:41 *** diazjf has joined #openstack-barbican
20:01 *** mathiasb has quit IRC
20:01 *** rm_mobile has joined #openstack-barbican
20:01 *** rm_mobile has quit IRC
20:01 *** rm_mobile has joined #openstack-barbican
20:01 *** diazjf has quit IRC
20:02 *** diazjf has joined #openstack-barbican
20:09 *** rm_mobile| has joined #openstack-barbican
20:13 *** rm_mobile has quit IRC
20:13 <rm_work> jsheeren: hmm, they should not need anything on the project besides the basic ACL READ on the secrets/container
20:13 <rm_work> jsheeren: but it is good to hear that it works otherwise
20:13 <rm_work> oh, though
20:14 <rm_work> i think maybe it doesn't ACTUALLY work
20:14 <jsheeren> hm?
20:14 <rm_work> because after i passed it off, it looks like the person who took over the patch just commented out a bunch of validation code
20:14 <rm_work> if you un-comment that, i wonder if it will still actually work
20:14 <jsheeren> right, yeah i saw that
20:14 <rm_work> if you're running that patch, access to your containers may be wide open?
20:15 <jsheeren> you mean the _consumer_ownership_mismatch line?
20:15 <rm_work> yeah that whole block
20:16 *** rm_mobile| has quit IRC
20:33 *** mathiasb has joined #openstack-barbican
20:37 <jsheeren> rm_work: so I uncommented the commented code, and it still works
20:37 <rm_work> ok
20:37 <jsheeren> tls listener is created
20:37 <rm_work> that's great
20:37 <rm_work> definitely update that CR with the changes you've made
20:37 <jsheeren> no errors about not finding stuff or policy stuff
20:37 <rm_work> and we'll get redrobot and alee_ and others to take a look :P
20:38 <jsheeren> I will, just need to figure out how to do that!
20:38 <jsheeren> :)
20:38 <rm_work> heh, there's a guide somewhere...
20:38 <rm_work> http://docs.openstack.org/infra/manual/developers.html#getting-started
20:38 <jsheeren> https://review.openstack.org/Documentation/intro-quick.html
20:38 <jsheeren> ah another one
20:38 <jsheeren> thanks
20:39 <rm_work> the one i linked is possibly newer and more direct
20:39 <rm_work> LP account -> install git-review -> do the thing :P
20:39 <rm_work> hit me up if you need help at any stage of getting set up for that
20:52 <jsheeren> rm_work: aight thanks!
20:52 *** jsheeren has quit IRC
20:54 *** jsheeren has joined #openstack-barbican
21:07 *** diazjf has quit IRC
21:12 <openstackgerrit> Douglas Mendizábal proposed openstack/barbican: Implement Date Filters for Secrets  https://review.openstack.org/338405
21:43 *** jmckind has quit IRC
21:47 *** jsheeren has quit IRC
21:52 *** sigmavirus is now known as sigmavirus_away
21:54 *** gyee has quit IRC
21:56 *** diazjf has joined #openstack-barbican
21:57 *** spotz is now known as spotz_zzz
22:00 *** diazjf has quit IRC
22:05 <openstackgerrit> Merged openstack/barbican: Add support for modifying Generic Containers  https://review.openstack.org/327229
22:21 *** david-lyle_ has joined #openstack-barbican
22:25 *** kfarr has quit IRC
22:35 *** david-lyle_ is now known as david-lyle
22:43 *** dimtruck is now known as zz_dimtruck

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!