Monday, 2017-05-08

*** chlong has joined #openstack-barbican 00:33
*** chlong has quit IRC 00:43
*** cpuga has joined #openstack-barbican 00:43
*** cpuga has quit IRC 00:47
*** zz_dimtruck is now known as dimtruck 01:26
*** liujiong has joined #openstack-barbican 01:31
*** jamielennox is now known as jamielennox|away 01:50
*** namnh has joined #openstack-barbican 01:59
*** jamielennox|away is now known as jamielennox 02:04
*** Kevin_Zheng has quit IRC 05:07
*** nkinder has quit IRC 05:18
*** nkinder has joined #openstack-barbican 05:23
*** Kevin_Zheng has joined #openstack-barbican 06:12
*** jroll has quit IRC 06:19
*** jrollen has joined #openstack-barbican 06:19
*** andreas_s has joined #openstack-barbican 06:24
*** dimtruck is now known as zz_dimtruck 06:26
*** nkinder has quit IRC 07:24
*** nkinder has joined #openstack-barbican 07:27
*** jaosorior has joined #openstack-barbican 07:49
<openstackgerrit> cheng proposed openstack/barbican master: Fix enable list project_id in secrets https://review.openstack.org/463269 07:58
<openstackgerrit> Nam Nguyen Hoai proposed openstack/barbican master: Add guideline to upgrade for Operators https://review.openstack.org/449022 09:04
<openstackgerrit> cheng proposed openstack/barbican master: Fix enable list project_id in secrets https://review.openstack.org/463269 09:59
*** liujiong has quit IRC 10:08
*** namnh has quit IRC 10:31
*** dave-mccowan has joined #openstack-barbican 11:30
*** dave-mcc_ has joined #openstack-barbican 11:34
*** dave-mccowan has quit IRC 11:35
*** jaosorior has quit IRC 11:59
*** jaosorior has joined #openstack-barbican 12:02
*** dave-mcc_ has quit IRC 12:18
*** nkinder has quit IRC 12:22
*** chlong has joined #openstack-barbican 12:25
*** Daviey has joined #openstack-barbican 12:27
*** cpuga has joined #openstack-barbican 12:43
*** zz_dimtruck is now known as dimtruck 12:48
*** chlong has quit IRC 12:57
*** databus23_ has joined #openstack-barbican 13:08
*** cpuga has quit IRC 13:15
*** cpuga has joined #openstack-barbican 13:16
*** kfarr has joined #openstack-barbican 13:26
<openstackgerrit> cheng proposed openstack/barbican master: Fix enable list project_id in secrets https://review.openstack.org/463269 13:38
<openstackgerrit> cheng proposed openstack/barbican master: Fix enable list project_id in secrets https://review.openstack.org/463269 13:40
*** kfarr_ has joined #openstack-barbican 13:44
*** kfarr has quit IRC 13:45
*** chlong has joined #openstack-barbican 14:13
*** andreas_s has quit IRC 14:16
*** noslzzp has joined #openstack-barbican 14:17
*** jrollen is now known as jroll 14:18
*** kfarr_ has quit IRC 14:38
*** slunkad has quit IRC 15:02
*** slunkad has joined #openstack-barbican 15:04
*** chlong has quit IRC 15:41
*** chlong has joined #openstack-barbican 15:45
*** slunkad has quit IRC 15:50
*** slunkad has joined #openstack-barbican 15:53
*** chlong has quit IRC 15:53
*** chlong has joined #openstack-barbican 16:07
*** dave-mccowan has joined #openstack-barbican 16:10
*** dave-mccowan has quit IRC 16:22
*** tinwood has quit IRC 16:29
*** rpi has quit IRC 16:33
*** rpi has joined #openstack-barbican 16:34
*** rpi has quit IRC 16:34
*** rpi has joined #openstack-barbican 16:34
*** dimtruck is now known as zz_dimtruck 16:50
*** dave-mccowan has joined #openstack-barbican 17:06
*** zz_dimtruck is now known as dimtruck 17:15
*** catintheroof has joined #openstack-barbican 17:17
*** dave-mccowan has quit IRC 17:31
*** catintheroof has quit IRC 17:40
*** jaosorior is now known as jaosorior_away 17:43
*** catintheroof has joined #openstack-barbican 17:49
*** alee has joined #openstack-barbican 17:59
*** catintheroof has quit IRC 18:08
*** dave-mccowan has joined #openstack-barbican 18:10
*** kfarr has joined #openstack-barbican 18:17
*** tinwood has joined #openstack-barbican 18:29
*** dave-mccowan has quit IRC 18:36
*** alee has quit IRC 18:46
*** alee has joined #openstack-barbican 18:52
*** alee has quit IRC 19:02
*** v1k0d3n has quit IRC 19:15
*** v1k0d3n has joined #openstack-barbican 19:15
*** kfarr has quit IRC 19:24
*** ssmith has joined #openstack-barbican 19:50
<ssmith> Hello. We're on Newton and installed Barbican but it appears that a load balancer in the admin tenant can access the SSL cert? Is this normal operation? 19:52
*** khomkrit1499 has joined #openstack-barbican 19:54
*** nkinder has joined #openstack-barbican 19:54
<ssmith> Sorry only a load balancer in the admin tenant can access the SSL cert. 19:55
*** nkinder has quit IRC 20:08
*** khomkrit1499 has quit IRC 20:10
*** khomkrit1499 has joined #openstack-barbican 20:15
*** khomkrit1499 has quit IRC 20:15
*** khomkrit1499 has joined #openstack-barbican 20:15
<rm_work> ssmith: So, if you want LBaaS to access certs, the user needs to create a Barbican ACL that specifically grants the LBaaS service account permission to use it 20:26
<rm_work> OR, you need to add a role to the octavia service account that grants it universal access to all barbican secrets (which I personally believe is a horrible idea, but depending on the deployment it might make sense) 20:27
<rm_work> which might require mucking with the default policy definitions 20:27
<johnsom> This section of the docs talks about how to do the ACL approach: https://docs.openstack.org/developer/octavia/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer 20:29
<johnsom> We hope to make this cleaner in Pike, we are just waiting on an enhancement in barbican for cascading ACLs 20:29
<rm_work> johnsom: why is subnet-id required by neutronclient 20:29
<rm_work> when creating a member :/ 20:29
<rm_work> subnet is not mandatory on members, right? 20:30
<rm_work> even in neutron-lbaas 20:30
<rm_work> oops, wrong channel 20:30
<johnsom> Grin 20:31
<ssmith> rm_work: I either use barbican or openstack client to create 3 secret stores for cert, key and intermediate from cli using my username and admin tenant (but tried with env set to other tenant) then create container but only the admin tenant can see the cert. No other tenant can see it in the LBaaS UI. 20:31
<rm_work> ah, in the horizon UI? 20:32
<rm_work> I actually don't know what that looks like, I haven't used it T_T 20:32
<rm_work> it's supposed to list your available secret containers? 20:33
<rm_work> unfortunately, barbican doesn't have a way to list containers that you have a valid ACL for, since you can only get a "list" of stuff that is actually on your project :/ 20:33
*** nkinder has joined #openstack-barbican 20:39
<johnsom> ssmith I'm not quite following you. So you created a barbican container with cert/key/etc. using a non-admin tenant, then logged into horizon as that non-admin tenant and the container is not visible when you create a load balancer? 20:40
<ssmith> That's correct but it is visible under the admin tenant 20:41
<johnsom> Hmm, that is really strange, I don't know how it could have been stored under the admin tenant instead of your user tenant. 20:45
<johnsom> It doesn't look like you can see the associated project_id for a secret via the barbican API 20:45
<ssmith> OK, my bad. I downloaded a fresh RC file from the tenant and it worked. The tenant can see it now but thanks for pointing me in the right direction 20:54
*** khomkrit1499 has quit IRC 21:00
*** cpuga has quit IRC 21:03
*** dave-mccowan has joined #openstack-barbican 21:12
*** nkinder has quit IRC 21:30
*** cpuga has joined #openstack-barbican 21:35
*** chlong has quit IRC 21:40
*** jraim_ has quit IRC 21:50
*** jraim_ has joined #openstack-barbican 21:50
*** ssmith has quit IRC 21:51
<openstackgerrit> Jackie Truong proposed openstack/barbican-tempest-plugin master: Add ephemeral disk encryption scenario test https://review.openstack.org/455459 21:53
*** dave-mccowan has quit IRC 22:02
*** cpuga has quit IRC 23:31
*** cpuga has joined #openstack-barbican 23:32
*** cpuga has quit IRC 23:37
<openstackgerrit> Jackie Truong proposed openstack/barbican-tempest-plugin master: Add ephemeral disk encryption scenario test https://review.openstack.org/455459 23:39
