Thursday, 2020-09-24

*** d34dh0r53 has quit IRC [03:26]
*** dave-mccowan has quit IRC [03:47]
*** d34dh0r53 has joined #openstack-barbican [05:11]
*** d34dh0r53 has quit IRC [06:47]
*** xek has joined #openstack-barbican [07:43]
*** tosky has joined #openstack-barbican [08:04]
*** moguimar has joined #openstack-barbican [08:19]
*** lxkong has quit IRC [09:52]
*** xek has quit IRC [10:01]
*** d34dh0r53 has joined #openstack-barbican [13:49]
*** xek has joined #openstack-barbican [13:50]
*** xek has quit IRC [14:34]
*** moguimar has quit IRC [15:16]
*** iurygregory has quit IRC [17:45]
*** iurygregory has joined #openstack-barbican [17:58]
*** nayarasps has joined #openstack-barbican [18:00]
*** tosky has quit IRC [18:22]
<raildo> redrobot, yo I was looking into https://wiki.openstack.org/wiki/Barbican/Policy to get a starting point for the default policy work [18:33]
<redrobot> k [18:33]
<raildo> redrobot, I believe that transport keys is simple enough as the first API changes [18:33]
<raildo> redrobot, cab you confirm that everything can perform the GET on those APIs? on both scopes [18:34]
<raildo> can* [18:34]
<raildo> redrobot, and I'm trying to understand who can perform the POST/DELETE actions [18:35]
<redrobot> raildo, yeah ... I think that seems right ... although the DELETE might not be correct [18:35]
<redrobot> raildo, are you familiar with the Transport Keys feature? [18:35]
<raildo> redrobot, currently https://github.com/openstack/barbican/blob/master/barbican/common/policies/transportkeys.py#L19 all_users can do it [18:35]
<raildo> and for delete sounds to be admin only [18:35]
<redrobot> raildo, Yeah, although I think DELETE might need to be system scope only [18:36]
<raildo> same applies for POST on transport_keys? [18:36]
<redrobot> raildo, right yeah ... so the idea for Transport Keys is that they are an asymmetric key pair that is generated in a secure backend (ie. RSA key in the HSM) [18:37]
<raildo> gotcha [18:38]
<redrobot> and then the public half is POSTed to Barbican by the clodu admin that also controls the HSM [18:38]
<redrobot> *cloud admin [18:38]
<redrobot> so the system-scope:admin for our purposes [18:38]
<raildo> I see.. cool, sounds about right [18:38]
<redrobot> and then anyone should be able to GET that public half [18:38]
<redrobot> but I think it's wrong to say that a project-scope:admin can DELETE a single key [18:39]
<raildo> redrobot, also, I couldn't find any policy unit tests on barbican code, is that right? [18:39]
<raildo> or am I missing something? [18:39]
<redrobot> yeah, transport keys was a bit half-baked [18:39]
<redrobot> there's hardly any documentation for that feature either. [18:39]
<raildo> redrobot, agreed, we should enforce system-scope for this action after all [18:39]
<redrobot> raildo, do you want to update that grid or should I do it? [18:40]
<raildo> redrobot, so, do you have any other API candidate to be simple enough and the first one to be done? [18:40]
<raildo> redrobot, well, I believe that you're more comfortable with the barbican API rbac than me atm [18:40]
<raildo> but of course, I can review it with you :D [18:41]
<redrobot> raildo, yeah, let's plan to pair up and review that table tomorrow if you have time? [18:42]
* redrobot is busy digging through logs today [18:42]
<raildo> redrobot, no worries, we can pair on this tomorrow [18:43]
<redrobot> raildo, sounds good.  How's your minion doing?  Do they have any questions yet? [18:43]
<raildo> redrobot, I believe that nayarasps might be around, she can answer that haha [18:44]
<raildo> redrobot, but she is in a mid point between setting up tox/git review, and starting playing with the policy code, creating the new roles and starting with those changes [18:44]
<nayarasps> hii :D , i was adding the new roles and some rules in the policies base, i changed the GETs in Transport Keys, but i'm not really sure if they are right haha, i will test them later [19:00]
<nayarasps> i'm still getting used to how the code works, but so far so good :) [19:00]
*** xek has joined #openstack-barbican [19:06]
*** openstackgerrit has quit IRC [19:14]
<redrobot> nayarasps, glad to hear that! :D  Don't be afraid to ask questions here if you get stuck on something. [19:19]
<raildo> nayarasps, good to know [19:21]
*** lxkong has joined #openstack-barbican [19:32]
<nayarasps> thanks :D [19:39]
*** openstackgerrit has joined #openstack-barbican [19:41]
<openstackgerrit> Merged openstack/barbican master: Rebase alembic migrations  https://review.opendev.org/753699 [19:41]
*** nayarasps has quit IRC [20:22]
*** xek has quit IRC [20:35]
*** abishop has joined #openstack-barbican [21:22]
*** raildo has quit IRC [21:42]
