Monday, 2015-07-27

*** lexholden has quit IRC00:26
*** salv-orlando has joined #openstack-security00:45
*** salv-orl_ has joined #openstack-security00:49
*** salv-orlando has quit IRC00:50
*** salv-orl_ has quit IRC00:54
*** salv-orlando has joined #openstack-security01:53
*** sdake has joined #openstack-security01:55
*** salv-orl_ has joined #openstack-security02:01
*** salv-orlando has quit IRC02:03
*** salv-orl_ has quit IRC02:06
*** tjt263 has joined #openstack-security02:28
openstackgerritStanislaw Pitucha proposed openstack/anchor: Implement new API format
*** markvoelker has joined #openstack-security02:58
*** markvoelker has quit IRC03:02
*** kcaj has quit IRC03:07
*** y_sawai has joined #openstack-security03:08
*** salv-orlando has joined #openstack-security03:08
*** salv-orlando has quit IRC03:12
*** salv-orlando has joined #openstack-security03:13
*** kcaj has joined #openstack-security03:14
openstackgerritMerged openstack/security-doc: Fix TODOs in identity
*** salv-orlando has quit IRC03:17
*** y_sawai has quit IRC03:26
openstackgerritMerged openstack/security-doc: Setup translation for security-guide-rst
openstackgerritStanislaw Pitucha proposed openstack/anchor: Return CA for a given instance
*** zul has quit IRC03:52
*** zul has joined #openstack-security03:53
openstackgerritStanislaw Pitucha proposed openstack/security-specs: Add Anchor spec for parsing backend change
openstackgerritMerged openstack/security-doc: Security-guide-rst: Convert Block Storage chapter
*** dave-mcc_ has quit IRC04:27
openstackgerritStanislaw Pitucha proposed openstack/security-specs: Add Anchor spec for parsing backend change
*** tmcpeak has quit IRC04:47
*** markvoelker has joined #openstack-security04:58
*** salv-orlando has joined #openstack-security05:01
*** browne has joined #openstack-security05:02
*** markvoelker has quit IRC05:03
*** salv-orl_ has joined #openstack-security05:03
*** salv-orlando has quit IRC05:05
*** salv-orl_ has quit IRC05:11
*** salv-orlando has joined #openstack-security05:12
*** salv-orlando has quit IRC05:16
*** salv-orlando has joined #openstack-security05:19
*** browne has quit IRC05:41
*** browne has joined #openstack-security05:41
*** tjt263 has quit IRC05:59
*** tjt263 has joined #openstack-security06:00
*** markvoelker has joined #openstack-security06:59
*** markvoelker has quit IRC07:04
openstackgerritStanislaw Pitucha proposed openstack/anchor: First attempt at pyasn1/pycrypto integration
*** salv-orlando has quit IRC07:39
*** salv-orlando has joined #openstack-security07:45
*** elo has joined #openstack-security08:12
*** elo1 has joined #openstack-security08:14
*** elo has quit IRC08:14
*** shohel has joined #openstack-security08:21
*** b10n1k has joined #openstack-security08:24
*** shohel has quit IRC08:32
*** browne has quit IRC08:36
Davieyviraptor: hey, have you tried keystone auth for anchor recently?08:45
*** lexholden has joined #openstack-security08:53
*** markvoelker has joined #openstack-security09:00
*** tkelsey has joined #openstack-security09:03
*** markvoelker has quit IRC09:05
*** rmarathu has joined #openstack-security09:21
rmarathuhi , need some info on bandit . when running bandit -r <path> - lists all levels of severity issues09:22
rmarathubandit -r <path> -ll   ------> lists only medium severity issues09:24
rmarathuhow can i list only medium and high severity issues excluding low severity issues09:24
*** rmarathu has quit IRC09:48
*** shohel has joined #openstack-security09:50
tkelseyrmarathu Hi, using -ll will list both medium and high issues10:07
tkelseyit lists issues that are medium or higher10:08
Davieytkelsey: I think you missed him10:08
tkelseyDaviey: heh, well i tried :)10:12
Davieytkelsey: Whilst i've got you.. Have you ever tried to use Anchor with Keystone Auth?10:13
tkelseyDaviey: nope :( only with shared secret10:14
tkelseya few people have asked about that this week10:14
Davieytkelsey: Yeah, it's terribly broken..10:14
Davieytkelsey: You were given a bad bug 1398474 , 200 isn't ever the return code.10:15
openstackbug 1398474 in Anchor "Authorization code should always be 200" [Medium,Fix released] - Assigned to Tim Kelsey (tim-kelsey)10:15
tkelseyim not entirely surprised if no one is using it, I'll poke the guy who wrote it originally, though he is in Australia so wont be around for a while10:15
DavieyAnd the JSON (before that bug) is also wrong.  Not sure anybody has tried it.10:15
Davieytkelsey: Yeah, i poked him earlier10:16
tkelseyah ok :)10:16
Daviey(no response)10:16
*** salv-orlando has quit IRC10:24
*** alex_klimov has joined #openstack-security10:42
*** sdake has quit IRC10:42
*** sdake has joined #openstack-security10:46
*** rmarathu has joined #openstack-security10:51
Davieytkelsey: Is dg_ around today, do you know?10:54
Davieyrmarathu: You left just before tkelsey responded to you.10:54
Daviey< tkelsey> rmarathu Hi, using -ll will list both medium and high issues10:54
Daviey< tkelsey> it lists issues that are medium or higher10:54
rmarathuDaviey, sorry about that, i had to restart my machine...10:56
tkelseythanks Daviey, hope that helps rmarathu10:56
rmarathuwhat is -l option for? when i run bandit iwth -l option i do not see any issues found...should it always run with any other options like -r10:58
*** elo1 has quit IRC11:00
*** markvoelker has joined #openstack-security11:01
rmarathui meant this option daviey,   -l, --level           results level filter?11:04
rmarathuno results when i just use this option11:04
*** markvoelker has quit IRC11:05
tkelseyrmarathu: -l is a level threshold. -l means level 1, that is show LOW, MEDIUM, HIGH stuff. It is also the default11:12
tkelsey-ll means MEDIUM and HIGH only, -lll means HIGH only11:13
tkelseyif you are scanning a folder you need to use -r, but that is not related to -l usage11:14
rmarathuwould not that be good to specify how to denote level for each kind of issue in the help?11:14
rmarathuotherwise users would not be knowing how to specify the level unless we go thru the documentation11:14
rmarathuor examples11:15
tkelseyrmarathu: seems like a good idea "results level filter" isnt telling you much. Please open a bug in Launchpad11:16
rmarathutkelsey: sure, thank you. i will do that11:17
rmarathuone more question, to use bandit.yaml , we should have different configuration files for different components?11:18
rmarathusay for keystone we will have one and for nova we have different one kind of stuff?11:18
rmarathuand any documentation on how to integrate bandit into continous integration would help11:18
rmarathuplease point me to correct link...11:19
tkelseyrmarathu: yes, it is best to have alternate configs for each project. For integration info see
rmarathutkelsey: thank you :) and I will get back with more questions once i read thru it . thank you11:22
tkelseyrmarathu: sure, no problem :)11:22
*** salv-orlando has joined #openstack-security11:26
*** salv-orlando has quit IRC11:30
*** marzif has joined #openstack-security11:31
*** salv-orlando has joined #openstack-security11:32
*** tjt263_ has joined #openstack-security11:41
*** tjt263 has quit IRC11:43
*** tjt263_ is now known as tjt26311:44
*** salv-orlando has quit IRC11:58
*** tmcpeak has joined #openstack-security12:11
*** edmondsw has joined #openstack-security12:30
viraptorDaviey: no, unfortunately not - thanks for the bug, I'll have a look at it soon12:46
Davieyviraptor: I think i have a fix12:46
viraptorwell, tomorrow, it's bedtime now :)12:46
*** bknudson has quit IRC12:46
Davieyviraptor: I need to sort out the tests tho12:46
Davieyviraptor: nn!12:47
viraptoryeah, something mocking keystone auth at the requests level would be useful :)12:47
*** singlethink has joined #openstack-security12:57
*** dave-mccowan has joined #openstack-security13:03
*** edmondsw has quit IRC13:08
*** bknudson has joined #openstack-security13:14
*** browne has joined #openstack-security13:19
*** browne has quit IRC13:28
*** singleth_ has joined #openstack-security13:30
*** singlethink has quit IRC13:33
*** markvoelker has joined #openstack-security13:34
*** jmckind has joined #openstack-security13:41
openstackgerritTom Cocozzello proposed openstack/anchor: Activate pep8 check that _ is imported
*** edmondsw has joined #openstack-security13:57
*** sigmavirus24_awa is now known as sigmavirus2414:04
*** salv-orlando has joined #openstack-security14:21
*** voodookid has joined #openstack-security14:25
*** salv-orlando has quit IRC14:35
*** salv-orlando has joined #openstack-security14:44
*** sicarie__ has joined #openstack-security14:45
*** singlethink has joined #openstack-security14:56
*** singlet__ has joined #openstack-security14:58
*** jmckind has quit IRC15:00
*** singleth_ has quit IRC15:00
*** singlethink has quit IRC15:02
*** dwyde has joined #openstack-security15:05
*** salv-orlando has quit IRC15:16
*** browne has joined #openstack-security15:16
*** bpokorny has joined #openstack-security15:20
*** sdake has quit IRC15:23
*** alexandra1 has joined #openstack-security15:37
*** alexandra1 has left #openstack-security15:41
*** shohel has quit IRC16:02
*** lexholden has quit IRC16:12
*** alex_klimov has quit IRC16:13
DavieyAnyone know if Doug is around today?16:13
*** singlethink has joined #openstack-security16:14
*** jmckind has joined #openstack-security16:15
*** singlet__ has quit IRC16:17
*** bpb has joined #openstack-security16:18
tmcpeakDaviey: yeah, he's here16:23
Davieytmcpeak: He's not <here> though, is he?16:24
*** salv-orlando has joined #openstack-security16:24
*** singleth_ has joined #openstack-security16:25
tmcpeakhere? no16:26
tmcpeakhe's dg_ when he's around16:26
*** salv-orl_ has joined #openstack-security16:26
* Daviey sends him a mail16:26
tmcpeakthat works16:27
*** singlethink has quit IRC16:27
*** dg_ has joined #openstack-security16:27
dg_hey Daviey16:27
DavieyOh hey dg_, was just about to send you a mail.16:28
Davieydg_: On Friday, we said we'd talk about Keystone, Anchor and Devstack today?16:28
Davieydg_: Have a few mins?16:28
dg_yeah sure16:28
*** salv-orlando has quit IRC16:29
Davieydg_: Well Keystone Auth is pretty badly broken.. but I have a branch for that.16:29
dg_on anchor?16:29
Davieydg_: Can you try this?  clone devstack ; cd devstack ; add this
Davieydg_: yeah16:29
openstackgerritDave Walker proposed openstack/anchor: Fix Keystone Auth and Tests
Daviey^ That fixes Keystone Auth.16:30
Davieydg_: I had a go at making a devstack plugin, and it seems to WFM - but perhaps not terribly graceful.16:30
dg_yeh i was thinking the same thing myself, I've not got to the point of actually trying it yet, but I've gone through the code and spun up devstack - suprised anchor isnt using the python-openstack client16:31
dg_oh awesome, I'll take a look :D16:31
Davieydg_: The plugin is here - , but if you see the gist from above, you should just be able to declare it as is in ~/devstack/local.conf16:32
DavieyDoes that make sense?16:32
dg_yeh that makes sense16:33
dg_I'll give that a try16:33
dg_I see your anchor patch you suggest using the keystone middleware - is that the python library that the keystone docs recommends?16:34
Davieydg_: I think that'll be more intrusive tho.. so i wanted to fix the current implementation with least change16:35
dg_yeh that makes sense16:35
dg_although the current impplementation is horrible16:35
*** dave-mccowan has quit IRC16:42
*** lexholden has joined #openstack-security16:49
*** pdesai has joined #openstack-security16:56
dg_sec doc meeting?16:59
pdesaiHi guys17:00
elmikohi =)17:00
elmikoamazing effort last week!17:00
pdesaiyup, thanks all of you for all the hard work17:01
pdesaican i ask you something, when do you guys sleep? lol17:01
elmikosleep? what's that... ;)17:01
dg_totally overrated17:01
pdesaii was really amazed to see all the chapters and sections moving to MERGED17:02
sicarie__So I apologize, I kept losing the etherpad link17:03
elmikono worries17:03
sicarie__However, there are no pending sections17:03
sicarie__whcih is awesome17:03
sicarie__Has anyone done a read-through?17:03
DavieyIf it compiles, ship it.17:03
elmikohaha, i've only skimmed a few sections17:03
dg_Daviey +117:04
sicarie__So I’ll do a cover-to-cover today17:04
elmikoi figured that would be our next effort, the great read-through17:04
dg_I skimmed the sections I was working on17:04
sicarie__+1 elmiko17:04
pdesaii checked the list of figures which hasnt made it to sec-guide-rst17:04
DavieyYeah, i think i can only say i skimmed it.. but I can't imagine it to differ to much from the docbook17:04
sicarie__Does anyone have the etherpad?17:04
DavieyI had reasonable coverage of the reviews and I looked at the rendered copies of each.17:04
sicarie__Daviey: awesome, how did it look?17:05
Davieysicarie__: mediocre.17:05
Daviey:).. No, it was pretty good.17:05
Davieydg_ rightly pointed out that navigation is worse than the docbook version17:05
sicarie__I’m going to be pinging the docs team about that shortly17:06
sicarie__We were tracking issues at the bottom, please make sure anything you found either has a change or entry in the etherpad17:06
DavieyI also noticed some of the images were a little overwhelming.. but on my resolution they are on docbook.  Is that just me?17:06
sicarie__Daviey: thats the type of stuff I’d like to cleanup - that and table formatting :)17:07
pdesainope, most of them appear same on docbook17:07
elmikoagreed, the images need some formatting17:07
pdesaiyup +117:07
sicarie__pdesai: many of the images would render in … interesting proportions when using alternate media17:07
sicarie__(between pdf, html, etc…)17:07
pdesaiyeah, PDF has better rendering17:08
DavieyI also noticed that we have differing use of :term: across the chapters.. but that is a general thing, rather than something related to the conversion process17:08
sicarie__As long as we’re doing it, I think it makes sense to do it now17:08
sicarie__Daviey: we also don’t have all the sections marked for linking, which I’d like to go back over too17:08
sicarie__So yes, please make sure this stuff is tracked on the etherpad17:08
sicarie__We’ll either fix it, or open a bug for it17:09
Davieysicarie__: what do you mean?  the anchors?17:09
*** dave-mccowan has joined #openstack-security17:09
sicarie__Daviey: yep17:09
elmikosicarie__: do we need to mark all the sections, i'd rather do this lazy style i.e. just label the sections that need it17:09
Davieysicarie__: Surely we just want to add anchors if they are used somehwere?17:09
DavieyIe, KISS.17:09
pdesaiagree +1, elmiko fixed lot of sections for linking to chapters which were assigned to other folks17:09
sicarie__yeah, that makes sense, but I know, for example, I may have not been as careful with those as I should have17:10
sicarie__and a few may be missing from my sections :(17:10
DavieyI think the lesson i learned, and related to the fixing of links.. is that landing stubs early makes so much sense.17:10
dg_disappointed sicarie__17:10
sicarie__but agreed, that is something that would have a lower pirority17:10
elmikoDaviey: +117:11
sicarie__I’d like to end the freeze as soon as possible, so I’ll ping Andreas on how to add navigation and give an initial rating to the issues, so we can declare what does need to be handled right away, and what can just have a bug opened17:11
DavieyWhen I reviewed, i did check there were *equal* amount of links.. but i didn't dig into the correct location17:11
sicarie__Daviey: +117:11
sicarie__I tried to do similar, but I may have not been as careful as I should have been17:12
pdesaiyup, i will grep for "?" on entire sec-guide-rst and check if we have any obvious missing links17:12
sicarie__on a brief look, this looks awesome17:13
sicarie__haha, thanks!17:13
elmikoso, should we make a chapter list in the pad and then make an effort to each take a chap or two this week?17:13
elmiko(for reading that is)17:13
pdesai+1 elmiko17:13
DavieyDid i see that translations are now re-enabled for it17:13
sicarie__Andreas took care of that last night17:13
DavieyHopefully we should see them come in soon..17:14
sicarie__dg_ mostly to Japanese, I think that had the most coverage17:15
sicarie__Looks like we don’t have any new bugs17:15
sicarie__Does anyone have anything else they’d like to discuss?17:16
sicarie__If not, I think the read-through and etherpad tracking will help this get wrapped up this week17:17
Davieysicarie__: So freeze lifted as of this meeting?17:17
elmikosicarie__: i'll add something about read through to the pad17:17
Davieynamespace switcheroo this week, or next?17:17
sicarie__Daviey: I’d like to hold until we get the RST moved to main17:17
DavieyYeah, are we doing the switcheroo this week or next?17:17
sicarie__I suppose people can just make changes to the RST (and not the doc) if they want17:18
sicarie__Daviey: I was hoping to do it this week, but want to get the navigation set up17:18
sicarie__IMO that’s a rather large piece of it17:18
sicarie__though if anyone disagrees and thinks we should just move over the RST I’d be interested in alternate reasoning17:18
DavieyI don't think it is significantly worse than it was17:19
sicarie__Daviey: those are the comforting words I want to hear :)17:19
DavieyI'm not sure i see value in keeping freeze longer TBH17:19
sicarie__Daviey: the purpose of the freeze would be to not require duplicate changes (in both RST and DocBook)17:19
DavieyIf we wait for it to be perfect, it'll never ship17:20
sicarie__otherwise, we need both at the same time so nothing gets out of sync17:20
DavieyI mean, in this context - freeze == RST to primary namespace17:20
dg_I think navigation is quite a lot worse17:20
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals
elmikoi think it might be nice to get a quick scan through to make sure we haven't lost any content, then remove the freeze17:20
sicarie__So if we get what we have determined is “high priority” in, then we move and open changes on the rest17:20
dg_I see no issues with making patches to the RST, but i think we need to get navigation fixed before RST becomes the book17:20
Davieydg_: Is it worse enough to frustrate users?17:20
elmikodg_: +117:21
dg_frustrated me, but I am super-grumpy17:21
DavieyFair enough17:21
sicarie__+1: someone in a rush and looking for a quick reference would click elsewhere17:21
*** dwyde has quit IRC17:21
DavieySo deep freeze on deprecated docbook, but thaw on RST - but don't expect it to be published just yet.17:21
dg_'this isnt the section I wanted, wheres the index...back...back...back...'17:21
dg_Daviey +117:22
elmikoi think that makes sense Daviey17:22
sicarie__+1 Daviey: deep freeze lifted, but patches need DocBook & RST to keep them sync’d; we’ll switch as soon as we get priorities on our issues list and navigation set up17:22
sicarie__all: ^ sound good?17:22
DavieySo for clarity, is it just better nav blocking namespace switcheroo?17:23
Davieysicarie__: I'm not sure they need to be kept in sync do they?17:23
elmikosicarie__: i guess, not thrilled about docbook needing more patches but hopefully it won't last long17:23
sicarie__Daviey: I’d like to get the issues list prioritiezed - any “high” priorities should be discussed if it’s a blocker17:23
Davieysicarie__: keeping degraded publication helps put the pressure on switching IMO.17:23
sicarie__elmiko: +117:23
sicarie__that’s why I’m going to be pinging the docs team today and trying to correlate the issues17:24
dg_why does docbook need patches?17:24
dg_just freeze it totally17:24
DavieyI think it is perfectly ok to tombstone docbook17:24
sicarie__dg_: and all new patches go to RST?17:24
dg_sicarie__ yeah17:25
elmikoyea, i'm +1 for that plan (assuming doc folks agree)17:25
pdesaii was going to ask the same, as now we have an exercise of making sure we havent lost any content in docbook17:25
sicarie__Does anyone have a critical change they’re working on right now (that’s going to land within the next day or two)?17:25
dg_and lets try to get this issue knocked on the head with nav so we can swap over asap, hopefully there wont be too much divergence17:25
sicarie__yes, I believe the docbook team does want them sync’d, but I’m not 100% on that17:25
sicarie__dg_: +117:26
Davieysicarie__: Just to check, when docbook is dead.. it is dead... right?17:26
sicarie__pdesai: yep, and I’ll be doing a read-through today to make sure17:26
sicarie__Daviey: yes, but I’m going to hold onto a few silver stakes just inc ase it comes back17:26
* sicarie__ is ready to stab it through the heart17:26
Davieysicarie__: Can i also prod you with ?17:27
sicarie__Daviey: sure17:27
sicarie__Ah, yes, so they didn’t respond to my request to keep it here, I’m going to re-ping and then i think they’re in a room here I’ll jump in to double-ping17:28
sicarie__Thanks for the reminder Daviey17:28
Davieysicarie__: why not update the pull request to point to here?17:28
sicarie__Daviey: I will, there was pushback initially, but that’s the plan, re-push the request to point to the security room and ping around for approvals17:29
Daviey(then at least the tests will pass, and more likely to get reviewed)17:29
DavieyShall we go home?17:29
sicarie__+1 to that17:29
sicarie__Thanks to everyone for the awesome work last week!17:29
elmikothanks fearless leader =)17:30
sicarie__Please expect the issues email from me sometime tomorrow, and I’ll be adding names to reviews if the navigation is an easy fix17:30
pdesai+10000 for last week's efforts everyone17:30
sicarie__what pdesai said17:30
sicarie__Thanks all!17:30
dg_good work everyone, and same to the docteam17:30
pdesaithanks guys17:31
dg_Daviey looks like that devstack anchor patch works, pulled it in and got anchor set up17:35
dg_I havent tested it yet thou17:35
*** tkelsey has quit IRC17:35
Davieydg_: Sweet.  It won't work unless you apply the inflight patch tho17:36
dg_yeah sure17:36
Davieybut having a reproducible platform does become interesting for better gate testing17:36
dg_yeah i'll talk to tkelsey about it tomorrow, its an interesting apporach17:37
dg_also makes it a lot easier to setup for our users17:37
DavieySomething is weird tho... tox ; echo $? ; tox ; echo $? .. will consistently give 0 117:37
Davieytox ; echo $? ; rm -rf .tox ; tox ; echo $? .. will consistently give 1 117:38
dg_hmm that sounds like a bug17:38
DavieyIt must be leaving something on the filesystem, but i haven't worked it out.17:39
DavieyThe old test was really bad, as it was throwing crappy mock data in and expecting broken behaviour... So the issue might have been there already.17:40
dg_yeh i dont think we have ever tested that17:41
dg_with hindsight, that was dumb17:42
*** dwyde has joined #openstack-security17:44
DavieyAnyway, going home. o/17:45
dg_oki, catcha later mate17:45
dg_are you coming to the midcycle?17:45
*** dg_ has quit IRC17:49
*** sdake has joined #openstack-security17:57
*** tkelsey has joined #openstack-security18:03
*** tkelsey has quit IRC18:08
*** sdake has quit IRC18:09
*** sdake has joined #openstack-security18:10
*** salv-orl_ has quit IRC18:14
*** elo has joined #openstack-security18:20
*** sdake has quit IRC18:23
openstackgerritMerged openstack/security-doc: Updated from openstack-manuals
*** elo has quit IRC18:25
*** elo has joined #openstack-security18:31
*** jmckind has quit IRC19:02
*** salv-orlando has joined #openstack-security19:11
*** pdesai has quit IRC19:12
*** b10n1k has quit IRC19:20
*** elo has quit IRC19:52
*** jmckind has joined #openstack-security19:54
*** elo has joined #openstack-security19:56
*** jhfeng has joined #openstack-security19:57
*** singlethink has joined #openstack-security19:59
*** singleth_ has quit IRC20:02
*** tkelsey has joined #openstack-security20:04
*** tkelsey has quit IRC20:09
*** bpokorny has quit IRC20:32
*** bpokorny has joined #openstack-security20:32
*** bpokorny has quit IRC20:33
*** bpokorny has joined #openstack-security20:34
openstackgerritwilliam snow proposed openstack/security-doc: Corrected security group documentation
*** elo1 has joined #openstack-security20:57
*** sdake has joined #openstack-security20:58
*** elo has quit IRC21:01
*** b10n1k has joined #openstack-security21:26
*** Windir has quit IRC21:26
*** bpokorny has quit IRC21:27
*** Windir has joined #openstack-security21:33
*** jmckind has quit IRC21:36
*** bpokorny has joined #openstack-security21:39
*** salv-orlando has quit IRC21:39
*** bpokorny has quit IRC21:42
*** bpokorny has joined #openstack-security21:43
*** bpb has quit IRC21:53
*** singleth_ has joined #openstack-security21:54
*** singlethink has quit IRC21:58
*** bpokorny has quit IRC21:59
*** bpokorny has joined #openstack-security21:59
*** salv-orlando has joined #openstack-security22:09
*** singlethink has joined #openstack-security22:12
*** elo has joined #openstack-security22:14
*** edmondsw has quit IRC22:14
*** singleth_ has quit IRC22:16
*** singlethink has quit IRC22:16
*** elo1 has quit IRC22:17
*** dwyde has quit IRC22:24
*** b10n1k has quit IRC22:32
*** bpokorny_ has joined #openstack-security22:34
openstackgerritMerged openstack/anchor: Activate pep8 check that _ is imported
*** bpokorny has quit IRC22:38
Davieyviraptor: here?22:47
Davieyviraptor: Thanks for helping work out the test stuff.. I'm also looking at it right now.. but currently really confused22:48
*** sdake has quit IRC22:48
Davieyviraptor: tox -epy27 ; echo $? ; tox -epy27 ; echo $?0 # == 0 122:49
Davieyviraptor: tox -epy27 ; echo $? ; rm -rf .tox ; tox -epy27 ; echo $?0 # == 0 022:49
viraptorI think it's some webob/pecan version mismatch which gets some weird exception rather than httpclienterror (sys.stderr.write() debugging ahead)22:49
DavieyBut i've also noticed it seems racey, such that it sometimes does work.. if i run it through strace for example/22:50
DavieyTrue, yeah - i've seen that... but odd that it seems to be semi-determinisitc22:51
viraptorDaviey: while you're here, could you tell me what would we gain with signing backends implemented via stevedore? Just trying to figure out what are the benefits over importlib in case of a single function import22:52
sigmavirus24Daviey: fwiw, tox -re py27 will recreate the virtualenv in question22:52
sigmavirus24no need to separately do `rm -rf .tox/`22:53
Davieysigmavirus24: oh neat.. didn't know that... but i was more trying to show shorthand an observed oddity.22:53
sigmavirus24I got that22:53
sigmavirus24Just thought I'd drop that in here in the event it was helpful :D22:53
viraptorDaviey: I understand how it may be useful for a number of hooks, proper registration, etc. but in a simple case it looks like an overkill to me - maybe I'm missing something though22:54
Davieysigmavirus24: I'll try and remmeber it.. but i am not going to lie, i'm almost certain my fingers will type rm before i remember.22:54
*** bknudson has quit IRC22:54
sigmavirus24Daviey: muscle memory is the worst =P22:54
sigmavirus24rm -rf muscle_memory/22:55
Davieyviraptor: Hmm.  Good question.. I think it is useful to allow external plugins.. But mostly, having just unravelled the bandit plugin interface - i have a distaste for self-rolling.22:56
DavieyI'm not sure it is overkill when there is a code reduction.22:56
Davieysigmavirus24: If only.22:56
sigmavirus24Daviey: do or do not, there is no "if only" =P22:56
Davieysigmavirus24: /nick yoda22:57
viraptorDaviey: thanks, it's always good to make the framework part someone else's problem :) (stevedore's in this case)22:59
viraptorDaviey: I reproduced the issue locally... so pecan randomly throws either "webob.exc.WSGIHTTPException", or "webob.exc.HTTPServerError" in the same test23:00
viraptorif only I could smack software....23:00
DavieyActually, this sounds familiar23:00
Davieyviraptor: WSGIHTTPException and HTTPServerError both == 500, right?23:02
viraptorsecond one definitely, first not sure23:03
DavieyI'm curious why it seems non-deterministic..23:03
*** voodookid has quit IRC23:03
*** tkelsey has joined #openstack-security23:04
viraptorso the exception type comes from WebOb.ex.status_map[exception_number]23:04
viraptorDaviey: I added some debugging to webob's status_map creation23:07
*** tkelsey has quit IRC23:08
Davieyviraptor: Yeah, so just matching 500 should catch it?23:08
viraptorso we'll get a random one each time due to hashmap randomisation23:08
viraptoryeah, but I think it's a bad pecan issue anyway23:09
Davieyviraptor: I'm amazed nobody else has hit this!23:10
viraptorI'll send a patch in a moment, just going to figure out what's the top level exception that can be caught here...23:12
*** sicarie__ has quit IRC23:22
openstackgerritStanislaw Pitucha proposed openstack/anchor: Check for exception code and not type
viraptorDaviey: ^23:24
*** sicarie__ has joined #openstack-security23:25
viraptorI still don't understand why did clearing .tox fix this - I expected a better randomness23:25
Davieyviraptor: I'll try it.. but it does feel like the wrong way to fix this..23:26
Davieyviraptor: I wonder if pyc optimizes this out?23:26
Davieyerr, no - scrub that23:26
*** salv-orlando has quit IRC23:32
Davieyviraptor: Why not do this?
*** markvoelker has quit IRC23:40
DavieyI'm not a fan of using codes when we have helpers personally23:40
viraptorbut that's the original issue - the exception being raised is not guaranteed to be of that type23:42
viraptorwe could check if it's one of the exceptions, but for 500 that means checking 5 different types (and can be more after webob updates)23:42
*** jhfeng has quit IRC23:43
Davieyviraptor: Yeah, i thought maybe if we were outside of the context it might be differnet.. but seems not23:45
DavieyI ran it 5 times before posting it.. :/23:45
Davieyviraptor: Ok, one more thing - that review where you questioned my comment about "+1 on direction rather than current implementation".. it was just because it was a large code change and i've not had time to sit down and review it.23:48
DavieyAs the conversation was a "is this the right thing?".. I wanted to chirp in that i thought it was.23:48
Davieyviraptor: I did want to check that we can support arbitrary leading hierarchy, rather than expecting to own document root... Which i suspect that change doesn't do.23:50
DavieyBut that might belong in a separate change anyway23:50
DavieyAlso, we currently default to using port 5000 - which is pretty anti-social, considering Keystone does aswell (and was in the playground first)... But also a problem, if you want to use anchor + keystone together!23:51
viraptorraised for the exceptions issue23:51
openstackLaunchpad bug 1478732 in pecan "pecan.abort exception changes on each run" [Undecided,New]23:51
viraptorDaviey: I thought I missed some specific comment about implementation - thanks for reviewing it! it's great to have more people looking at Anchor now - I'd hate it if it was an HP-only project23:52
viraptoras for the arbitrary leading hierarchy, I didn't even think about it before; I assumed we do - is there some story behind it?23:53
Davieyviraptor: The other projects are trying to get behind namespacing ^/compute/ ^/identity/ .. but also support other leading noise.23:54
viraptorgood point on port 5000... do you want to raise all of those as bugs / blueprints? I'm about to leave for lunch, but they all sound like something we need to do23:55
openstackgerritDave Walker proposed openstack/anchor: [WIP] Initial commit of devstack plugin
*** bpokorny_ has quit IRC23:59
*** bpokorny has joined #openstack-security23:59

Generated by 2.14.0 by Marius Gedminas - find it at!