Tuesday, 2014-09-09

*** bdpayne_ has joined #openstack-barbican 00:01
*** bdpayne has quit IRC 00:04
*** bdpayne_ has quit IRC 00:14
*** kebray has quit IRC 00:46
hockeynut: redrobot catching up on the notes here - I see the stuff about tempest.  The direction I was given (need to rack my brain to recall where it came from) was that tests are now supposed to be in project repos, not tempest repos 01:02
hockeynut: and you are correct, it works just fine+dandy 01:02
hockeynut: there was some discussion that woodster_ sent around about experimental gate - that seems to be relevant here 01:03
*** kebray has joined #openstack-barbican 01:26
*** nkinder has joined #openstack-barbican 01:29
*** denis_makogon has quit IRC 02:10
*** denis_makogon has joined #openstack-barbican 02:10
*** openstackgerrit has quit IRC 02:33
*** bdpayne has joined #openstack-barbican 02:33
*** kaitlin-farr has quit IRC 02:34
*** ayoung has quit IRC 02:45
*** SheenaG1 has joined #openstack-barbican 02:47
*** SheenaG11 has joined #openstack-barbican 02:47
*** SheenaG1 has quit IRC 02:51
*** ayoung has joined #openstack-barbican 03:07
*** bdpayne has quit IRC 03:12
*** bdpayne has joined #openstack-barbican 03:12
*** ajc_ has joined #openstack-barbican 03:22
*** openstack has joined #openstack-barbican 03:41
*** denis_makogon has joined #openstack-barbican 03:46
*** dolphm has joined #openstack-barbican 03:46
*** hockeynut_ has joined #openstack-barbican 03:46
*** xaeth_ has joined #openstack-barbican 03:46
*** SheenaG1 has joined #openstack-barbican 03:46
*** juantwo_ has joined #openstack-barbican 03:46
*** ajc_ has joined #openstack-barbican 03:46
*** ayoung has joined #openstack-barbican 03:46
*** nkinder has joined #openstack-barbican 03:46
*** kebray has joined #openstack-barbican 03:46
*** arunkant has joined #openstack-barbican 03:46
*** bubbva has joined #openstack-barbican 03:46
*** gyee has joined #openstack-barbican 03:46
*** woodster_ has joined #openstack-barbican 03:46
*** rm_work has joined #openstack-barbican 03:46
*** jenkins-keep has joined #openstack-barbican 03:46
*** toabctl has joined #openstack-barbican 03:46
*** ryanpetrello has joined #openstack-barbican 03:46
*** jamielennox has joined #openstack-barbican 03:46
*** jillysciarilly has joined #openstack-barbican 03:46
*** alee has joined #openstack-barbican 03:46
*** reaperhulk has joined #openstack-barbican 03:46
*** lisaclar- has joined #openstack-barbican 03:46
*** insequent has joined #openstack-barbican 03:46
*** dougwig has joined #openstack-barbican 03:46
*** codekobe___ has joined #openstack-barbican 03:46
*** erw_ has joined #openstack-barbican 03:46
*** jraim__ has joined #openstack-barbican 03:46
*** sld has joined #openstack-barbican 03:46
*** redrobot has joined #openstack-barbican 03:46
*** hyakuhei has joined #openstack-barbican 03:46
*** dstufft has joined #openstack-barbican 03:46
*** russellb has joined #openstack-barbican 03:46
*** rm_you has joined #openstack-barbican 03:46
*** russell_h has joined #openstack-barbican 03:46
*** jvrbanac has joined #openstack-barbican 03:46
*** chellygel has joined #openstack-barbican 03:46
*** lifeless has joined #openstack-barbican 03:46
*** anteaya has joined #openstack-barbican 03:46
*** d0ugal has joined #openstack-barbican 03:46
*** dstanek has joined #openstack-barbican 03:46
*** bdpayne has joined #openstack-barbican 03:48
*** bdpayne has quit IRC 03:50
*** woodster_ has quit IRC 03:55
*** rm_work has quit IRC 04:03
*** rm_work has joined #openstack-barbican 04:08
*** rm_work is now known as rm_work|away 04:08
*** juantwo_ has quit IRC 04:41
*** bdpayne has joined #openstack-barbican 05:05
*** ayoung has quit IRC 05:10
*** gyee has quit IRC 05:22
*** bdpayne has quit IRC 05:23
*** jaosorior has joined #openstack-barbican 06:04
*** kebray has quit IRC 06:44
*** ajc__ has joined #openstack-barbican 07:09
*** ajc_ has quit IRC 07:10
*** ajc__ has quit IRC 07:14
*** ajc_ has joined #openstack-barbican 08:03
*** ajc_ has quit IRC 08:05
*** ajc_ has joined #openstack-barbican 08:07
*** ajc_ has quit IRC 08:07
*** xianghuihui has joined #openstack-barbican 08:45
*** xianghuihuihui has joined #openstack-barbican 08:49
*** xianghuihui has quit IRC 08:49
*** openstackgerrit has joined #openstack-barbican 09:20
*** Guest22704 has joined #openstack-barbican 10:32
*** xianghuihuihui has quit IRC 10:40
*** Guest22704 has quit IRC 11:03
*** denis_makogon has quit IRC 11:59
*** denis_makogon has joined #openstack-barbican 11:59
*** juantwo has joined #openstack-barbican 12:08
*** SheenaG1 has quit IRC 13:00
*** nkinder has quit IRC 13:10
*** xaeth_ is now known as xaeth 13:27
*** paul_glass has joined #openstack-barbican 13:43
*** nkinder has joined #openstack-barbican 13:59
*** Guest22704 has joined #openstack-barbican 14:07
*** SheenaG1 has joined #openstack-barbican 14:07
*** LarsN has joined #openstack-barbican 14:15
*** jorge_munoz has joined #openstack-barbican 14:22
*** lisaclark has joined #openstack-barbican 14:34
*** atiwari has joined #openstack-barbican 14:34
*** ayoung has joined #openstack-barbican 14:37
openstackgerrit: Arvind Tiwari proposed a change to openstack/barbican: Add asymmtric order validator  https://review.openstack.org/118697 14:41
*** lisaclark has quit IRC 14:52
*** SheenaG1 has quit IRC 14:56
alee: atiwari, jvrbanac ping 14:57
atiwari: alee, yes 14:57
alee: atiwari, just to confirm, secrets are stored at the project (tenant) level, right? 14:58
alee: atiwari, did we ever make the change you suggested to restrict secret retrieval to the secret's owner? 14:58
atiwari: no, no one likes that idea of mine 14:59
atiwari: I still think we need it at some point of time 14:59
alee: atiwari, ok just confirming -- hard to remember what happened that long ago. 15:00
alee: atiwari, I think we need a mechanism for solving this problem - just not sure that what you suggested is it 15:00
alee: worth revisiting in K. 15:00
atiwari: alee, I wd love to 15:01
*** paul_glass has quit IRC 15:03
atiwari: alee, question 15:04
alee: atiwari, go ahead 15:05
atiwari: right now in config, passwords are in clear text. Thinking of adding infrastructure in Barbican system so that we can put encrypted password in config. 15:06
alee: atiwari, ok what did you have in mind? 15:08
atiwari: somehow encryption and decryption is done by same barbican system which is going to use the password. 15:08
atiwari: in real deployment the config files will be controlled by chef like system and we can not have password in clear text 15:09
atiwari: bottom line is passwords should not be in clear text in config 15:10
alee: atiwari, solving this problem is tricky - basically there will always be the need for at least one password to unlock the others. 15:11
alee: in dogtag / rhcs, we have solved this in the past in a number of ways 15:11
alee: 1. storing the passwords in a nss db and requiring just the password for unlocking the db 15:12
atiwari: I think we can solve this by having a separate project specific to Barbican and unwrapping keys will be scoped to that will solve this issue 15:12
alee: 2. using a daemon to collect the password from a user on startup 15:12
alee: the tricky thing for us is that we needed to ensure 100% uptime, 15:13
alee: so that if the server went down and was restarted automatically, the passwords would be available. 15:13
alee: atiwari, for red hat cert server, for our customers that require compliance with STIGs etc., we have https://fedorahosted.org/nuxwdog/ 15:14
alee: which is a daemon that collects and caches passwords in the kernel keyring 15:15
*** SheenaG1 has joined #openstack-barbican 15:15
atiwari: correct, let me put more thoughts there 15:15
alee: atiwari, I've been meaning to revisit that to see if there are other ways of doing it, but that approach seems to be working rather well. 15:16
alee: (or at least not breaking) 15:16
alee: anyways - definitely scope for a whole separate design - maybe even separate project 15:17
atiwari: I think you are correct 15:17
atiwari: separate project like the idea :) 15:18
*** mikedillion has joined #openstack-barbican 15:27
*** lisaclark has joined #openstack-barbican 15:28
*** lisaclark has quit IRC 15:28
*** lisaclark has joined #openstack-barbican 15:28
*** SheenaG1 has quit IRC 15:28
*** Guest22704 has quit IRC 15:30
openstackgerrit: Arvind Tiwari proposed a change to openstack/barbican: Add asymmtric order validator  https://review.openstack.org/118697 15:30
*** SheenaG1 has joined #openstack-barbican 15:31
*** woodster_ has joined #openstack-barbican 15:41
*** bklei has joined #openstack-barbican 15:42
jvrbanac: alee, what's up? 15:43
alee: jvrbanac, no worries - atiwari answered my question 15:43
jvrbanac: alee, k 15:43
*** Guest22704 has joined #openstack-barbican 15:43
*** bklei has left #openstack-barbican 15:43
*** lisaclark has quit IRC 15:56
atiwari: alee, should add the secret isolation within a project per owner in https://etherpad.openstack.org/p/barbican-kilo-design-sessions? 16:04
*** paul_glass has joined #openstack-barbican 16:04
alee: atiwari, sure -- I think we should add all the possible ideas 16:05
*** paul_glass1 has joined #openstack-barbican 16:05
atiwari: OK, then I will add this 16:05
alee: atiwari, we'll have time to select from them for actual sessions/ informal sessions 16:05
redrobot: alee atiwari So the PTL for Keystone pretty much told us that doing that in Barbican would be a really bad idea 16:05
redrobot: alee atiwari I don't see the need for continuing to discuss that for Barbican 16:06
redrobot: alee atiwari we should defer that functionality to Keystone.  So this would make sense as a Keystone session, not for Barbican. 16:06
alee: redrobot, I'm not suggesting that the functionality necessarily need be in Barbican, only that a mechanism - keystone/policy / whatever - should probably be there. 16:08
*** paul_glass has quit IRC 16:08
alee: if it makes sense as a keystone design session, then no prob 16:08
redrobot: alee I think we definitely need to get a better understanding of Keystone policy in barbican 16:09
redrobot: alee IIRC Adam Young was concerned about the way our policy is set up now. 16:09
alee: yup - perhaps a design session around keystone policy in barbican then ? 16:10
redrobot: yeah, I think that would be very helpful.  Especially if we can get a Keystone Policy SME to join us 16:11
alee: because we definitely need to understand what we can do/ what we cannot do/ and what we're missing. 16:11
alee: I then I can corral ayoung 16:11
ayoung: alee, no one can corral me 16:11
alee: ayoung, truer words were never spoken .. 16:12
ayoung: technically, those words weren't spoken either.  I need to look into a Linux port of Dragon Speaking Naturally. 16:12
alee: redrobot, sorry - I've unleashed a monster .. 16:13
ayoung: redrobot, so we have a new feature that might make policy more interesting 16:13
ayoung: there is the ability to assign a policy file to a specific endpoint 16:13
ayoung: now, Auth token middleware does not fetch policy files, so we can't really consume it yet.  But 'yet' is the operative word 16:14
ayoung: redrobot, let me read up a bit...unless you can summarize the topic? 16:14
*** kebray has joined #openstack-barbican 16:16
*** kebray has quit IRC 16:16
atiwari: ayoung, in a nutshell we need ability to isolate secrets which are scoped to a single project based on owner. 16:17
ayoung: redrobot, OK, I think when atiwari and I discussed this last summit, we were in accord.  I've lost the braincells that held that particular discussion, though 16:17
redrobot: ayoung the discussion was that atiwari was suggesting that the check for this should happen in barbican 16:18
redrobot: ayoung and we agreed that this would be Keystone functionality bleeding into Barbican 16:18
redrobot: I'm interested in achieving that without adding authorization logic in barbican 16:18
*** kebray has joined #openstack-barbican 16:19
*** kebray has joined #openstack-barbican 16:19
*** kebray has quit IRC 16:20
redrobot: It would be great if we can achieve it using Policy 16:20
atiwari: redrobot, I was proposing that has to be enforced by the policy engine running at Barbican 16:20
atiwari: and to support policy framework there has to be some improvement needed in Barbican. that was my proposal 16:21
*** kebray has joined #openstack-barbican 16:21
redrobot: atiwari you do remember Dolph saying that the changes you proposed did not belong in Barbican, yes? 16:21
redrobot: ok, so I'd like to find a solution that Dolph and other Keystone folks agree is the correct way of doing things 16:22
atiwari: redrobot, but other projects like Nova is introducing the concept of owner in it (AFAIK) 16:23
atiwari: to handle Quota like use case 16:23
atiwari: redrobot, another topic 16:24
*** lisaclark has joined #openstack-barbican 16:25
*** rm_work|away is now known as rm_work 16:27
redrobot: alee atiwari Regarding the passwords in config files, we've already proposed a solution for this, however no progress has been made  https://github.com/cloudkeep/postern 16:28
redrobot: alee atiwari for the general case, anyway... a bit of a chicken-and-egg problem for Barbican itself >_< 16:29
atiwari: redrobot, adding "Ability to manage master key encryption keys" to the etherpad. This will be a custom plugin but need some changes in models. 16:31
atiwari: let me know your thoughts? 16:31
redrobot: atiwari  Are you proposing adding a new class of plugins?  Do you think there are enough different master key management strategies to justify such a plugin?  It seems to me that if you have a specific need for a particular master key rotation scheme, then what you need to do is implement your own SecretStore. 16:33
redrobot: atiwari btw, did your talk get accepted?  I forgot to ask when the emails went out. 16:34
atiwari: correct this will be customer secretstore, but it will be sharing the models and there we need some improvements. 16:34
atiwari: redrobot, No 16:34
redrobot: atiwari bummer :( 16:43
chellygel: hey alee -- would love to get your opinion: https://etherpad.openstack.org/p/barbican_metadata 16:56
chellygel: + all 16:56
*** kebray has quit IRC 16:57
*** bdpayne has joined #openstack-barbican 16:58
alee: chellygel, will look 16:59
chellygel: thank you! 16:59
*** lisaclark has quit IRC 17:03
*** lisaclark has joined #openstack-barbican 17:05
openstackgerrit: Constanze Kratel proposed a change to openstack/barbican: Update Getting Started Guide to include tech review feedback  https://review.openstack.org/120156 17:10
*** akoneru has joined #openstack-barbican 17:11
openstackgerrit: Constanze Kratel proposed a change to openstack/barbican: removed whitespace from pom.xml  https://review.openstack.org/120161 17:19
*** paul_glass1 has quit IRC 17:38
openstackgerrit: Constanze Kratel proposed a change to openstack/barbican: removed tenant id from code samples  https://review.openstack.org/120163 17:38
*** lisaclark has quit IRC 17:41
*** lisaclark has joined #openstack-barbican 17:46
*** gyee has joined #openstack-barbican 17:46
alee: chellygel, woodster_ added a few comments on meta design 17:46
*** SheenaG1 has quit IRC 17:47
chellygel: thanks alee ! will look :) 17:47
*** lisaclark has quit IRC 18:00
*** lisaclark has joined #openstack-barbican 18:04
*** lisaclark has quit IRC 18:04
*** SheenaG1 has joined #openstack-barbican 18:09
*** lisaclark has joined #openstack-barbican 18:09
*** SheenaG11 has joined #openstack-barbican 18:10
*** SheenaG1 has quit IRC 18:13
*** paul_glass has joined #openstack-barbican 18:25
*** jaosorior has quit IRC 18:32
*** jaosorior has joined #openstack-barbican 18:35
*** kebray has joined #openstack-barbican 18:36
*** kebray has quit IRC 18:36
*** kebray has joined #openstack-barbican 18:37
*** Guest22704 has quit IRC 18:46
*** Stanzi has joined #openstack-barbican 18:47
*** ametts has joined #openstack-barbican 19:00
*** Stanzi has quit IRC 19:02
*** openstackgerrit has quit IRC 19:02
*** paul_glass has quit IRC 19:04
*** kebray has quit IRC 19:12
rm_work: redrobot / woodster_: if one of you is not totally busy, could you pop into #openstack-keystone and at least monitor the conversation I'm having in there? 19:16
*** lisaclark has quit IRC 19:33
*** lisaclark has joined #openstack-barbican 19:34
*** openstackgerrit has joined #openstack-barbican 19:41
*** kebray has joined #openstack-barbican 19:44
*** kebray has quit IRC 20:00
*** alee has quit IRC 20:03
*** bubbva has quit IRC 20:04
*** bubbva has joined #openstack-barbican 20:04
*** kebray has joined #openstack-barbican 20:08
*** alee has joined #openstack-barbican 20:09
*** lisaclark has quit IRC 20:10
*** lisaclark has joined #openstack-barbican 20:11
*** mikedillion has quit IRC 20:25
*** dolphm has left #openstack-barbican 20:49
*** lisaclark has quit IRC 20:59
*** lisaclark has joined #openstack-barbican 21:00
atiwari: redrobot, yt? 21:01
*** jaosorior has quit IRC 21:02
*** juantwo has quit IRC 21:03
*** kebray has quit IRC 21:10
*** lisaclark has quit IRC 21:11
*** ametts has quit IRC 21:13
*** kebray has joined #openstack-barbican 21:13
*** kebray has quit IRC 21:13
*** lisaclark has joined #openstack-barbican 21:14
*** kebray has joined #openstack-barbican 21:14
*** kebray has quit IRC 21:14
redrobot: atiwari what's up? 21:18
atiwari: redrobot, can you please validate my https://review.openstack.org/#/c/110817/17/barbican/tasks/keystone_consumer.py 21:23
atiwari: I think this is not the correct way of extending the class 21:23
atiwari: method signature in sub class is modified 21:23
atiwari: wd you mind taking a quick look? 21:24
atiwari: redrobot, ^ 21:24
redrobot: atiwari will do 21:24
atiwari: redrobot, thanks for your time 21:25
atiwari: no rush though 21:25
jamielennox: hey all, 2 +2s on kite stuff: https://review.openstack.org/#/c/119692/2 and https://review.openstack.org/#/c/119693/ it's just process stuff for the gate tests 21:28
jamielennox: can someone leave the +A? 21:28
*** kebray has joined #openstack-barbican 21:34
redrobot: jamielennox done 21:36
jamielennox: redrobot: cheers 21:36
openstackgerrit: A change was merged to openstack/kite: Explicitly import _ translation function  https://review.openstack.org/119692 21:37
*** dolphm has joined #openstack-barbican 21:43
*** akoneru is now known as akoneru_lunch 21:46
*** SheenaG11 has quit IRC 21:54
*** nkinder has quit IRC 22:02
*** bdpayne_ has joined #openstack-barbican 22:02
*** bdpayne has quit IRC 22:03
*** kebray has quit IRC 22:04
*** lisaclark has quit IRC 22:05
*** kebray has joined #openstack-barbican 22:15
*** ayoung has quit IRC 22:16
*** kebray has quit IRC 22:16
*** atiwari has quit IRC 22:23
*** juantwo has joined #openstack-barbican 22:28
*** juantwo has quit IRC 22:30
*** jorge_munoz has quit IRC 22:30
*** juantwo has joined #openstack-barbican 22:31
*** kebray has joined #openstack-barbican 22:35
*** akoneru_lunch is now known as akoneru 22:43
*** kebray has quit IRC 22:53
*** bdpayne_ has quit IRC 23:11
*** bdpayne has joined #openstack-barbican 23:13
*** nkinder has joined #openstack-barbican 23:18
openstackgerrit: Arun Kant proposed a change to openstack/barbican: Adding keystone notification listener support  https://review.openstack.org/110817 23:18
*** ayoung has joined #openstack-barbican 23:28
