Wednesday, 2017-05-10

[09:05] <Bjoern_> Hi folks, please could you provide me with some status for RSA-Token-Login/2FA in Horizon? Is Mitaka able to? Are there 3rd party tools? Regards and thanks.
[16:26] <ssmith> Hello, we've gotten much further but now when creating a TERMINATED_HTTPS listener we get "Could not process TLS container https://accatl1.adaxatech.com:9311/v1/containers/c68d5b91-a86f-4a01-bbca-064e5a436737, The resource could not be found. (HTTP 404)
[16:26] <ssmith> Neutron server returns request_ids: ['req-31d0b284-7cf7-4e2e-b634-e38cb5178817']"
[18:15] <openstackgerrit> Kaitlin Farr proposed openstack/barbican master: Clean up a stray secret in the functional tests  https://review.openstack.org/463844
[18:19] <openstackgerrit> Kaitlin Farr proposed openstack/barbican master: Add date filter functional tests  https://review.openstack.org/436244
[18:57] <ssmith> OK, so now we've changed out the user to be "barbican" with the default project to be "service" and now getting this error "TLS container https://accatl1.adaxatech.com:9311/v1/containers/e46938eb-499d-4c5d-87f4-070d6a61b976 is invalid. Forbidden Neutron server returns request_ids: ['req-de5cde16-3828-44b0-9c30-66bcd1a176b2']"
[20:50] <rm_work> ssmith: that's ... odd... what the heck is that error
[20:50] <rm_work> forbidden Neutron server? >_>
[20:51] <rm_work> ssmith: so when you say you changed out those users, what do you mean exactly
[20:52] <rm_work> what user is configured as the service user in octavia? what user is creating the secrets in barbican?
[20:52] <rm_work> ssmith: we actually just had a very good discussion at the summit a couple hours ago about how to improve this process, and there are a few things:
[20:52] <rm_work> 1) Cascading ACLs will significantly reduce the number of calls
[20:53] <rm_work> 2) Barbican allowing you to set ACLs based on a service-type and not requiring the userid will make things simpler for the end-user (and you don't have to publish your service-user name)
[20:53] <rm_work> 3) Octavia may switch to using PKCS12 cert bundles as a single secret object, instead of using certificate containers at all, which greatly simplifies the process
[20:54] <rm_work> 4) Octavia may change strategies a bit, and create the ACL itself with the user's token on the initial request (feels a little icky to me, but I guess this is true to intent, and also validates that the user has the right permissions on the secret to be sharing it with us)
[20:58] <ssmith> rm_work: should we or do we need to run Octavia?
[20:58] <rm_work> Ah, you are using neutron-lbaas, right
[20:58] <rm_work> it'd be the same thing
[20:58] <rm_work> we would make the same change
[20:59] <ssmith> yes neutron-lbaas with barbican
[20:59] <rm_work> but, eventually you should be running Octavia, hopefully :)
[20:59] <rm_work> This might be a good watch: https://www.openstack.org/videos/boston-2017/octavia-load-balancing-for-openstack
[21:00] <rm_work> Also: https://www.openstack.org/videos/boston-2017/project-update-octavia
[21:00] <rm_work> those were our two presentations today
[21:00] <rm_work> They address some of that
[21:05] <tomtomtom> so to answer questions you posted to ssmith, we have neutron configured as the service_name under service_auth in neutron.conf, does that answer your question to that?
[21:05] <tomtomtom> also the user creating the secrets in barbican is that going to be defined by the user from our openrc?
[21:06] <tomtomtom> I've also created ACL's for the certs with barbican acl user add --user <user> <https://<href>
[21:07] <tomtomtom> Those ACL's don't appear to do anything, I also tried changing the Project Access from True to False, however, I cannot find out what that actually even does, I can only guess it allows projects to access the certs but how does it do that?
[21:07] <ssmith> tomtomtom and I are working together on this
[21:11] <openstackgerrit> Octave Orgeron proposed openstack/barbican master: Use oslo.db for database sync and upgrade  https://review.openstack.org/463865
[21:12] <ssmith> Also, when we created the openstack secret store we didn't use $cat cert) on the payload either.  We just corrected that
[21:13] <ssmith> Maybe the error means TLS container is invalid?
[21:43] <openstackgerrit> Kaitlin Farr proposed openstack/barbican master: Add date filter functional tests  https://review.openstack.org/436244
[21:45] <rm_work> hmm
[21:46] <rm_work> hmm
[21:46] <rm_work> no, it looks like barbican is denying you
[21:46] <rm_work> the RBAC policies might have become broken over time
[21:46] <openstackgerrit> Kaitlin Farr proposed openstack/barbican master: Add date filter functional tests  https://review.openstack.org/436244
[21:46] <rm_work> i wonder if that's the case
[21:46] <rm_work> but upon re-reading the error, it makes more sense
[21:47] <rm_work> the bit about Neutron server is on another line
[21:47] <rm_work> the only relevant error output it's giving you is "Invalid" >_>
[21:51] <openstackgerrit> Kaitlin Farr proposed openstack/barbican master: Add date filter functional tests  https://review.openstack.org/436244
[22:00] <tomtomtom> @rm_work I got the listener to create with a new cert.  Our only issue now would be the RBAC policies, any ideas where a working one might be?
[22:00] <tomtomtom> I have tried to modify it myself, but I've had no luck getting the policy to work the way I wanted.
[22:01] <rm_work> hmm
[22:01] <rm_work> yeah i'm bad at RBAC policy myself
[22:01] <rm_work> but if you got it to create, then it must be good
[22:03] <tomtomtom> yeah ok, I'll see if a non-admin user can create and use a cert as well.
