*** d34dh0r53 has quit IRC | 03:26
*** dave-mccowan has quit IRC | 03:47
*** d34dh0r53 has joined #openstack-barbican | 05:11
*** d34dh0r53 has quit IRC | 06:47
*** xek has joined #openstack-barbican | 07:43
*** tosky has joined #openstack-barbican | 08:04
*** moguimar has joined #openstack-barbican | 08:19
*** lxkong has quit IRC | 09:52
*** xek has quit IRC | 10:01
*** d34dh0r53 has joined #openstack-barbican | 13:49
*** xek has joined #openstack-barbican | 13:50
*** xek has quit IRC | 14:34
*** moguimar has quit IRC | 15:16
*** iurygregory has quit IRC | 17:45
*** iurygregory has joined #openstack-barbican | 17:58
*** nayarasps has joined #openstack-barbican | 18:00
*** tosky has quit IRC | 18:22
raildo | redrobot, yo I was looking into https://wiki.openstack.org/wiki/Barbican/Policy to get a starting point for the default policy work | 18:33 |
redrobot | k | 18:33 |
raildo | redrobot, I believe that transport keys is simple enough as the first API changes | 18:33 |
raildo | redrobot, cab you confirm that everything can perform the GET on those APIs? on both scopes | 18:34 |
raildo | can* | 18:34 |
raildo | redrobot, and I'm trying to understand who can perform the POST/DELETE actions | 18:35 |
redrobot | raildo, yeah ... I think that seems right ... although the DELETE might not be correct | 18:35 |
redrobot | raildo, are you familiar with the Transport Keys feature? | 18:35 |
raildo | redrobot, currently https://github.com/openstack/barbican/blob/master/barbican/common/policies/transportkeys.py#L19 all_users can do it | 18:35 |
raildo | and for delete sounds to be admin only | 18:35 |
redrobot | raildo, Yeah, although I think DELETE might need to be system scope only | 18:36 |
raildo | same applies for POST on transport_keys? | 18:36
redrobot | raildo, right yeah ... so the idea for Transport Keys is that they are an asymmetric key pair that is generated in a secure backend (ie. RSA key in the HSM) | 18:37 |
raildo | gotcha | 18:38 |
redrobot | and then the public half is POSTed to Barbican by the clodu admin that also controls the HSM | 18:38 |
redrobot | *cloud admin | 18:38 |
redrobot | so the system-scope:admin for our purposes | 18:38 |
raildo | I see.. cool, sounds about right | 18:38 |
redrobot | and then anyone should be able to GET that public half | 18:38 |
redrobot | but I think it's wrong to say that a project-scope:admin can DELETE a single key | 18:39 |
raildo | redrobot, also, I couldn't find any policy unit tests on barbican code, is that right? | 18:39 |
raildo | or am I missing something? | 18:39 |
redrobot | yeah, transport keys was a bit half-baked | 18:39 |
redrobot | there's hardly any documentation for that feature either. | 18:39 |
raildo | redrobot, agreed, we should enforce system-scope for this action after all | 18:39 |
redrobot | raildo, do you want to update that grid or should I do it? | 18:40 |
raildo | redrobot, so, do you have any other API candidate to be simple enough and the first one to be done? | 18:40 |
raildo | redrobot, well, I believe that you're more comfortable with the barbican API rbac than me atm | 18:40 |
raildo | but of course, I can review it with you :D | 18:41 |
redrobot | raildo, yeah, let's plan to pair up and review that table tomorrow if you have time? | 18:42 |
* redrobot is busy digging through logs today | 18:42
raildo | redrobot, no worries, we can pair on this tomorrow | 18:43 |
redrobot | raildo, sounds good. How's your minion doing? Do they have any questions yet? | 18:43 |
raildo | redrobot, I believe that nayarasps might be around, she can answer that haha | 18:44 |
raildo | redrobot, but she is in a mid point between setting up tox/git review, and starting playing with the policy code, creating the new roles and starting with those changes | 18:44 |
nayarasps | hii :D, I was adding the new roles and some rules in the policies base, I changed the GETs in Transport Keys, but I'm not really sure if they are right haha, I will test them later | 19:00
nayarasps | I'm still getting used to how the code works, but so far so good :) | 19:00
*** xek has joined #openstack-barbican | 19:06
*** openstackgerrit has quit IRC | 19:14
redrobot | nayarasps, glad to hear that! :D Don't be afraid to ask questions here if you get stuck on something. | 19:19 |
raildo | nayarasps, good to know | 19:21 |
*** lxkong has joined #openstack-barbican | 19:32
nayarasps | thanks :D | 19:39 |
*** openstackgerrit has joined #openstack-barbican | 19:41
openstackgerrit | Merged openstack/barbican master: Rebase alembic migrations https://review.opendev.org/753699 | 19:41 |
*** nayarasps has quit IRC | 20:22
*** xek has quit IRC | 20:35
*** abishop has joined #openstack-barbican | 21:22
*** raildo has quit IRC | 21:42 |