Wednesday, 2019-12-04

<openstackgerrit> Luigi Toscano proposed openstack/barbican stable/queens: Make broken fedora_latest job n-v  https://review.opendev.org/695327  [00:46]
<openstackgerrit> Luigi Toscano proposed openstack/barbican stable/queens: Don't use branch matching  https://review.opendev.org/689463  [00:46]
<openstackgerrit> Luigi Toscano proposed openstack/barbican stable/queens: Fix the bug of pep8 and building api-guide  https://review.opendev.org/697210  [00:46]
*** tosky has quit IRC  [00:56]
<openstackgerrit> Merged openstack/barbican master: Fix the barbicanclient installation not from source  https://review.opendev.org/690123  [01:03]
<openstackgerrit> Luigi Toscano proposed openstack/barbican stable/train: Fix the barbicanclient installation not from source  https://review.opendev.org/697212  [01:07]
*** dpawlik has joined #openstack-barbican  [01:40]
*** dpawlik has quit IRC  [01:45]
*** jmlowe has quit IRC  [04:37]
*** jmlowe has joined #openstack-barbican  [04:40]
*** dave-mccowan has quit IRC  [05:14]
*** dpawlik has joined #openstack-barbican  [05:42]
*** dpawlik has quit IRC  [05:47]
*** pcaruana has joined #openstack-barbican  [06:01]
*** dpawlik has joined #openstack-barbican  [06:45]
*** Luzi has joined #openstack-barbican  [06:53]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/barbican master: Imported Translations from Zanata  https://review.opendev.org/694482  [07:54]
*** dpawlik has quit IRC  [08:01]
*** awalende has joined #openstack-barbican  [08:15]
*** spotz has quit IRC  [08:23]
*** pcaruana has quit IRC  [08:24]
*** irclogbot_3 has quit IRC  [08:24]
*** efried has quit IRC  [08:24]
*** aspiers has quit IRC  [08:24]
*** jmccrory has quit IRC  [08:24]
*** strigazi has quit IRC  [08:24]
*** jmlowe has quit IRC  [08:24]
*** njohnston has quit IRC  [08:24]
*** beisner has quit IRC  [08:24]
*** gregwork has quit IRC  [08:24]
*** ade_lee has quit IRC  [08:24]
*** trident has quit IRC  [08:24]
*** openstackgerrit has quit IRC  [08:24]
*** cmurphy has quit IRC  [08:24]
*** mmethot has quit IRC  [08:24]
*** Anticimex has quit IRC  [08:24]
*** coreycb has quit IRC  [08:24]
*** knikolla has quit IRC  [08:24]
*** awalende has quit IRC  [08:24]
*** tinwood has quit IRC  [08:24]
*** moguimar has quit IRC  [08:24]
*** lxkong has quit IRC  [08:24]
*** jamespage has quit IRC  [08:24]
*** gmann has quit IRC  [08:24]
*** Luzi has quit IRC  [08:24]
*** tonyb has quit IRC  [08:24]
*** timburke has quit IRC  [08:24]
*** andreaf has quit IRC  [08:24]
*** johnsom has quit IRC  [08:24]
*** kklimonda has quit IRC  [08:24]
*** redrobot has quit IRC  [08:24]
*** mnaser has quit IRC  [08:24]
*** rm_work has quit IRC  [08:24]
*** awalende has joined #openstack-barbican  [08:24]
*** Luzi has joined #openstack-barbican  [08:24]
*** pcaruana has joined #openstack-barbican  [08:24]
*** jmlowe has joined #openstack-barbican  [08:24]
*** ade_lee has joined #openstack-barbican  [08:24]
*** trident has joined #openstack-barbican  [08:24]
*** njohnston has joined #openstack-barbican  [08:24]
*** cmurphy has joined #openstack-barbican  [08:24]
*** tinwood has joined #openstack-barbican  [08:24]
*** kklimonda has joined #openstack-barbican  [08:24]
*** gregwork has joined #openstack-barbican  [08:24]
*** beisner has joined #openstack-barbican  [08:24]
*** spotz has joined #openstack-barbican  [08:24]
*** moguimar has joined #openstack-barbican  [08:24]
*** openstackgerrit has joined #openstack-barbican  [08:24]
*** tonyb has joined #openstack-barbican  [08:24]
*** mmethot has joined #openstack-barbican  [08:24]
*** redrobot has joined #openstack-barbican  [08:24]
*** irclogbot_3 has joined #openstack-barbican  [08:24]
*** efried has joined #openstack-barbican  [08:24]
*** lxkong has joined #openstack-barbican  [08:24]
*** jamespage has joined #openstack-barbican  [08:24]
*** knikolla has joined #openstack-barbican  [08:24]
*** coreycb has joined #openstack-barbican  [08:24]
*** Anticimex has joined #openstack-barbican  [08:24]
*** aspiers has joined #openstack-barbican  [08:24]
*** jmccrory has joined #openstack-barbican  [08:24]
*** gmann has joined #openstack-barbican  [08:24]
*** andreaf has joined #openstack-barbican  [08:24]
*** strigazi has joined #openstack-barbican  [08:24]
*** timburke has joined #openstack-barbican  [08:24]
*** mnaser has joined #openstack-barbican  [08:24]
*** rm_work has joined #openstack-barbican  [08:24]
*** johnsom has joined #openstack-barbican  [08:24]
*** dpawlik has joined #openstack-barbican  [08:28]
*** ivve has joined #openstack-barbican  [08:36]
*** tosky has joined #openstack-barbican  [09:00]
*** dpawlik has quit IRC  [09:49]
*** dpawlik has joined #openstack-barbican  [10:02]
*** tosky has quit IRC  [10:21]
*** tosky has joined #openstack-barbican  [10:21]
*** Luzi has quit IRC  [10:38]
*** dpawlik has quit IRC  [11:19]
*** dpawlik has joined #openstack-barbican  [11:51]
*** raildo has joined #openstack-barbican  [12:35]
*** dpawlik has quit IRC  [13:10]
*** dpawlik has joined #openstack-barbican  [13:13]
*** spotz has quit IRC  [14:04]
*** spotz has joined #openstack-barbican  [14:09]
<efried> o/ barbican!  [14:11]
<efried> redrobot, rm_work: qq: if $user creates a key, is it possible (to set policy) for admin to delete it?  [14:12]
<efried> on the theory that, if $user vanishes from existence, admin needs to be able to clean up.  [14:13]
*** spotz has quit IRC  [14:13]
<redrobot> efried, secrets are owned by the project, not the user, so a project-scoped-admin _should_ be able to delete keys that any user made in that project.  [14:15]
<efried> wait, secrets are owned by a project? That's... weird.  [14:16]
<efried> and is that a barbican statement or a keymgr statement?  [14:16]
<efried> I guess in that case a project-scoped admin would be able to *see* such keys as well, eh?  [14:16]
<redrobot> efried, that's the general case for Barbican, as it uses Keystone for AuthZ/AuthN  [14:17]
<redrobot> efried, as far as Castellan goes, it depends on the backend, and what context is being passed into it.  [14:18]
<redrobot> and yeah, a project-scoped-admin would be able to see/retrieve all secrets in that project  [14:18]
<efried> Okay, so there's nothing in castellan that's doing auth/policy enforcement inherently, a random backend would be able to make its own rules  [14:19]
<efried> for example: only $user can retrieve, but $user or admin can delete.  [14:19]
*** spotz has joined #openstack-barbican  [14:19]
<redrobot> efried, right... the barbicanclient backend uses whatever context was passed in, but the Vault backend uses only the auth info in the conf file, so everything is owned by that  [14:20]
<efried> redrobot: in the barbican case, are the operations (get vs delete) individually controlled by policy?  [14:21]
<efried> though I guess given what you've said, even in that case there's no way to scope to the user  [14:22]
<efried> so it wouldn't help to (ugh) create a project with one user and an admin.  [14:23]
<tosky> (in unrelated news, https://review.opendev.org/#/c/690123/ merged \o/ and I started with the backports: https://review.opendev.org/#/c/697212/ )  [15:14]
*** jaosorior has joined #openstack-barbican  [15:14]
*** dave-mccowan has joined #openstack-barbican  [15:21]
*** dave-mccowan has quit IRC  [15:26]
*** ivve has quit IRC  [15:33]
*** awalende_ has joined #openstack-barbican  [15:43]
*** awalende has quit IRC  [15:46]
*** awalende_ has quit IRC  [15:48]
*** awalende has joined #openstack-barbican  [16:12]
*** awalende has quit IRC  [16:16]
*** jaosorior has quit IRC  [17:23]
<rm_work> efried: right, yes it's all normal Oslo policy scoped if you're using keystone contexts and there are the full set of roles to control create/delete/read and also I believe the ability to actually decrypt the payload is separate from reading the secret metadata, but as with all keystone authed stuff, it is project based  [18:48]
<rm_work> Unless I'm missing something, I didn't think OpenStack really allowed for user-specific scoped stuff, excepting nova "keypair" objects, which seemed like an anomaly/hack  [18:49]
<efried> rm_work: oh, so you *could* technically restrict the admin from decrypting?  [18:49]
<rm_work> Uhh, maybe?  [18:49]
<rm_work> Depends on how you configure the policies  [18:49]
<rm_work> By default I believe "admin" includes the decrypt role  [18:49]
<rm_work> See the default policy definitions  [18:50]
<efried> Less concerned about the defaults than about the level of granularity in the implementation.  [18:50]
<rm_work> Yeah, it is fully granular AFAIU  [18:50]
<efried> point being, my deployment needs the ability to restrict decrypt to owner-only.  [18:50]
<rm_work> But looking at the defaults will show you what's available  [18:51]
<efried> cool  [18:51]
<rm_work> I am not an Oslo policy expert ;)  [18:51]
<rm_work> But I believe... maybe?  [18:51]
<efried> rm_work: barbican/common/policies/secrets.py <== this?  [18:52]
*** tosky has quit IRC  [18:54]
<rm_work> https://github.com/openstack/barbican/blob/master/barbican/common/policies/secrets.py#L18  [18:55]
<rm_work> Yes  [18:55]
<efried> thanks rm_work  [18:55]
<rm_work> Yeah by default project admin can do it all  [18:55]
<rm_work> But you could change that in your deployment  [18:55]
*** awalende has joined #openstack-barbican  [19:44]
*** awalende has quit IRC  [19:49]
*** redrobot has quit IRC  [19:52]
*** awalende has joined #openstack-barbican  [20:05]
*** redrobot has joined #openstack-barbican  [20:15]
*** awalende has quit IRC  [20:37]
*** awalende has joined #openstack-barbican  [20:38]
*** awalende has quit IRC  [20:42]
*** pcaruana has quit IRC  [21:32]
*** raildo has quit IRC  [21:45]
*** tosky has joined #openstack-barbican  [22:10]
*** goldyfruit_ has joined #openstack-barbican  [22:24]
<goldyfruit_> Hi guys  [22:24]
<goldyfruit_> Quick question, what is the RabbitMQ usage within the Barbican project?  [22:25]
<goldyfruit_> Is it a requirement?  [22:25]
<goldyfruit_> I understand that it is used between API and worker services but is there a way to bypass it, as by using JSONRPC /  [22:26]
<goldyfruit_> ?  [22:26]
<rm_work> barbican, like almost every project in openstack, uses oslo.messaging to do interprocess communication  [23:16]
<rm_work> oslo.messaging might theoretically allow other backend options besides rabbit? but I don't know  [23:17]
*** goldyfruit_ has quit IRC  [23:52]

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!