Monday, 2014-10-06

*** juantwo has joined #openstack-barbican01:23
*** juantwo has quit IRC01:26
*** juantwo has joined #openstack-barbican01:26
*** woodster_ has joined #openstack-barbican03:26
*** dimtruck is now known as zz_dimtruck03:33
*** zz_dimtruck is now known as dimtruck03:39
*** dimtruck is now known as zz_dimtruck04:15
*** juantwo has quit IRC05:04
*** jaosorior has joined #openstack-barbican05:22
*** ajc_ has joined #openstack-barbican05:35
*** woodster_ has quit IRC06:01
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/barbican-specs: Replace the concept of tenants in the code-base
*** SheenaG1 has joined #openstack-barbican12:05
*** juantwo has joined #openstack-barbican12:23
*** juantwo has quit IRC12:26
*** juantwo has joined #openstack-barbican12:27
*** ajc_ has quit IRC12:38
*** ayoung-ZzzZzzZzz is now known as ayoung12:44
*** alee has joined #openstack-barbican13:19
*** mikedillion has joined #openstack-barbican13:26
*** ametts has joined #openstack-barbican13:48
*** akoneru has joined #openstack-barbican13:55
*** SheenaG1 has quit IRC13:55
*** ametts has quit IRC13:58
*** SheenaG1 has joined #openstack-barbican14:24
*** zz_dimtruck is now known as dimtruck14:30
*** kebray has joined #openstack-barbican14:47
*** rtom has joined #openstack-barbican14:50
*** paul_glass has joined #openstack-barbican14:52
*** joesavak has joined #openstack-barbican14:53
*** paul_glass1 has joined #openstack-barbican14:56
*** paul_glass has quit IRC14:58
openstackgerritOleksii Chuprykov proposed a change to openstack/python-barbicanclient: Remove code from oslo-incubator
openstackgerritTim Kelsey proposed a change to openstack/barbican: Adding a plugin to interact with HP Atalla ESKM
*** paul_glass has joined #openstack-barbican15:02
*** paul_glass1 has quit IRC15:05
openstackgerritA change was merged to openstack/barbican: Adding tox job for local functional test dev
*** tdink has joined #openstack-barbican15:16
jenkins-keepProject openstack-barbican-cloudcafe build #55: STILL FAILING in 8 min 26 sec:
jenkins-keepJohn Vrbanac: Adding tox job for local functional test dev15:16
*** paul_glass has quit IRC15:20
*** paul_glass has joined #openstack-barbican15:22
*** arunkant has quit IRC15:24
*** ametts has joined #openstack-barbican15:26
*** JeffF has joined #openstack-barbican15:35
*** woodster_ has joined #openstack-barbican15:40
openstackgerritJohn Wood proposed a change to openstack/barbican: Update to the latest global requirements versions
*** tdink has quit IRC16:01
*** tdink has joined #openstack-barbican16:01
*** jaosorior has quit IRC16:13
*** kebray has quit IRC16:19
redrobotreaperhulk do you have a minute to +Workflow
*** paul_glass has quit IRC16:27
*** paul_glass has joined #openstack-barbican16:28
reaperhulkredrobot: done16:29
*** paul_glass1 has joined #openstack-barbican16:29
*** tdink_ has joined #openstack-barbican16:32
*** paul_glass has quit IRC16:32
*** paul_glass1 has quit IRC16:34
*** tdink has quit IRC16:34
*** SheenaG11 has joined #openstack-barbican16:34
*** SheenaG1 has quit IRC16:35
*** paul_glass has joined #openstack-barbican16:35
*** kebray has joined #openstack-barbican16:36
*** arunkant has joined #openstack-barbican16:42
openstackgerritA change was merged to openstack/barbican: Update to the latest global requirements versions
*** jorge_munoz has joined #openstack-barbican16:52
jenkins-keepProject openstack-barbican-cloudcafe build #56: STILL FAILING in 8 min 22 sec:
jenkins-keepJohn Wood: Update to the latest global requirements versions17:01
rm_workredrobot: so close! :P17:07
*** SheenaG11 has quit IRC17:09
*** SheenaG1 has joined #openstack-barbican17:09
redrobotrm_work which one?17:11
redrobotrm_work today was supposed to be a day off >_>17:11
redrobotadee dstufft reaperhulk jvrbanac woodster_ can I get some eyes on this?
redrobotalee ^^17:12
rm_workredrobot: take the day :P i'll bug some other people17:14
dstufftredrobot: what's it need, a +Workflow?17:15
rm_workredrobot: didn't know you were ETO17:15
redrobotdstufft yes, please17:15
rm_workwhile you guys are at it, also eyes on :)17:15
rm_workexcept woodster_, who is ahead of the game ^_^17:15
*** ryanpetrello_ has joined #openstack-barbican17:24
*** ryanpetrello_ has quit IRC17:27
woodster_arunkant, please rebase your keystone CR after this CR merges:
openstackgerritA change was merged to openstack/barbican: Open Kilo development
redrobotwoohoo! ^^17:40
jenkins-keepProject openstack-barbican-cloudcafe build #57: STILL FAILING in 8 min 19 sec:
jenkins-keepthierry: Open Kilo development17:46
*** kebray has quit IRC18:05
*** kebray has joined #openstack-barbican18:05
*** kebray has quit IRC18:07
*** kebray has joined #openstack-barbican18:08
*** ayoung has quit IRC18:11
*** kebray has quit IRC18:14
*** kebray has joined #openstack-barbican18:16
*** ayoung has joined #openstack-barbican18:20
*** mikedillion has quit IRC18:29
*** akoneru is now known as akoneru_lunch18:30
*** mikedillion has joined #openstack-barbican18:30
*** tdink has joined #openstack-barbican18:34
*** tdink_ has quit IRC18:37
*** gyee has joined #openstack-barbican18:37
*** bubbva has quit IRC18:54
*** bubbva has joined #openstack-barbican18:55
*** kebray has quit IRC19:13
rm_workreaperhulk: you KNOW you want to look at
*** juantwo has quit IRC19:15
SheenaG1Hey reaperhulk - you around?  You can ignore rm_work and just talk to me ;-)19:19
*** juantwo has joined #openstack-barbican19:20
rm_workSheenaG1: you have +2, go review my CR :)19:20
*** juantwo has quit IRC19:20
*** juantwo has joined #openstack-barbican19:21
SheenaG1I have no such thing19:21
SheenaG1I have +1 sometimes19:21
SheenaG1When they let me19:21
SheenaG1Us "manager types" aren't allowed near the code for fear we'll hurt ourselves19:22
*** kaitlin-farr has joined #openstack-barbican19:22
*** atiwari has joined #openstack-barbican19:22
rm_workyeah, it can be sharp / pointy at times19:23
*** atiwari has quit IRC19:24
*** atiwari has joined #openstack-barbican19:24
*** akoneru_lunch is now known as akoneru19:25
*** atiwari has quit IRC19:26
*** atiwari has joined #openstack-barbican19:27
*** atiwari has quit IRC19:28
*** tdink has quit IRC19:28
*** atiwari has joined #openstack-barbican19:28
*** atiwari has quit IRC19:28
*** atiwari has joined #openstack-barbican19:28
*** ryanpetrello_ has joined #openstack-barbican19:35
*** ryanpetrello_ has quit IRC19:36
SheenaG1Hey reaperhulk - just wanted to let you know that some Digi folks may pop into the channel19:37
SheenaG1In case you happen to see them19:37
reaperhulkSheenaG1 ah okay. Yeah I have an email from Brian CCing some devs that I need to respond to still as well19:38
reaperhulkI didn't get lunch though so I am super sleepy :/19:38
* reaperhulk is not an adult19:38
SheenaG1You should definitely try eating.  Highly recommended19:38
rm_workA++ would ingest food again19:38
reaperhulkI wanted to, but going to a friend's house to get a reasonable network connection exhausted my supply of ambition19:39
rm_workhonestly, TMobile tethering is pretty "decent" for anything that isn't ping-reliant19:39
rm_workbetter than my parents DSL >_>19:40
reaperhulkLTE has excellent ping these days as well. Part of the big improvement from HSPA+ to LTE was a reduction in latency19:41
rm_workstill not great for FPS / MOBA :)19:42
rm_work... I have tried on several occasions. Semi-playable, but still pretty sucky.19:42
JeffFreaperhulk SheenaG1: Hey, I'm one of the DigiCert devs19:45
reaperhulkHey JeffF :)19:46
SheenaG1Hey JeffF!  Welcome19:46
JeffFhello, thanks!19:46
*** tdink has joined #openstack-barbican19:47
JeffFreaperhulk: so Brian introduced me to you over email, so to speak?19:47
reaperhulkYep! If I recall your primary question was what the plugin interface currently looks like for writing the sort of integration you're planning to do?19:49
JeffFAs I understand from Brian, we are looking to provide the same sort of client and plugin as Symantec19:50
reaperhulkYeah, so chellygel (who is out today) and woodster_ have been leading the work on the generic interface + the specific symantec implementation19:50
reaperhulkThe generic interface is defined here:
reaperhulkand holds the current progress of the symantec implementation.19:51
JeffFok.  yes, I've been reading the code for both of those19:51
JeffFso I'm in the right place, that's good.  ;-)19:51
reaperhulkDefinitely helpful, hehe. Have you tried to run barbican yet/get a dev env going where you can run the unit tests?19:53
JeffFyes.  I've set up barbican and have followed through the getting started guide saving and querying secrets and such19:54
JeffFI've stubbed out our own plugin following the interview defined at certificate_manager.py19:55
* JeffF erases interview and types interface19:55
*** jorge_munoz has quit IRC19:56
reaperhulkawesome :)19:56
JeffFit's been really fun so far.19:56
JeffFright now, I'm interested to know how the data gets through to the plugin, via web service or cli and what do the attributes look like when it comes through.  I just need to make sure I match up those attributes with what our API is expecting19:56
*** jorge_munoz has joined #openstack-barbican19:57
reaperhulkEssentially you can define what you are going to require and then users would pass it in as part of their order data JSON (which is a POST to the orders resource). /cc woodster_ chellygel19:58
reaperhulkThose two will be able to correct any misapprehensions I have about how this actually works, haha19:58
redrobotWeekly meeting is about to start on #openstack-meeting-alt19:59
JeffFok, got it.  Thanks a ton for that.20:00
SheenaG1Hey JeffF - everyone is hopping over to the weekly meeting, but I can try to rope woodster_ into responding here in 30-45 minutes20:02
SheenaG1Otherwise chellygel will be back tomorrow and she would (I'm sure) be super excited to help20:02
JeffFI can be on the meeting too if that is ok.20:02
SheenaG1Of course20:02
*** ryanpetrello_ has joined #openstack-barbican20:02
*** ryanpetrello_ has quit IRC20:09
*** rellerreller has joined #openstack-barbican20:12
woodster_JeffF, we are early in the process of ssl cert generation with barbican but plan to refine the API further at the Nov summit. In particular, topics #9 and #14 of this etherpad seek to flesh out specifically what should go into an order's metadata to request a cert:
JeffFwoodster_: thanks.  I'll take a look20:16
*** kebray has joined #openstack-barbican20:17
woodster_JeffF, the trick being to either standardize on metadata about a certificate order that individual plugins (such as DigiCert) could map to their own value names and formats, or else allow for service discovery via the API, and then allow for CA-specific values to be provided in the order (so DigiCert specific values if that is the chosen CA for the order).20:18
woodster_JeffF, for evaluation though, if your cert plugin is the only one enabled then it can just take the order metadata value as is and do something with it. That's the approach the Dogtag cert plugin developer is taking for example.20:21
rm_worklol, I managed to miss the meeting again :P20:22
SheenaG1I missed the congratulations for redrobot!  :-(20:22
SheenaG1CONGRATS SIR!20:22
rm_workredrobot: I have some questions about the auth in python-barbicanclient, if for some reason you continue to be on IRC on your day off after you walk your dog20:23
JeffFwoodster_: agreed on the standarized data, which is why I was wondering if the data set coming through was defined already, or if we define it.20:23
redrobotSheenaG1 thanks!20:24
redrobotrm_work what's up?20:24
woodster_JeffF, for now, you can define it, as if only your plugin is deployed with Barbican. In Kilo we might refine this to be standardized data, but then all you would need to do is add a mapping component to your plugin. So this way you can get started with your plugin interacting with Barbican20:24
rm_workredrobot: so from what I can tell, the only way to use the client right now is to create an auth object using a username and password20:25
rm_workredrobot: which... does not work for my use-case; I need to be able to go deal with keystone myself and get a trust token / composite token, and send THAT to Barbican20:25
rm_workredrobot: am I missing something simple?20:26
redrobotrm_work so currently the auth stuff isn't very good, but jvrbanac is working on changing that so that we use standard Keystone sessions20:26
rm_workredrobot: ok20:26
rm_workjvrbanac: any ETA on that? :P20:26
JeffFwoodster_: ok.  very helpful.  Thanks.20:26
woodster_JeffF, keep in mind that we are missing a component to retry the plugin periodically (say to see if the CA has created a certificate yet or not). The Dogtag developer (Ade, alee from Redhat) is implementing direct certificate generation approach first, that doesn't require the periodic status checking.20:27
JeffFwoodster_: this question was brought up this morning in our discussion as well20:28
jvrbanacrm_work, working on it right now... I should have something up an a couple days20:28
rm_workhmm thanks for the link redrobot, I may have to go talk with Keystone folks again20:28
rm_workjvrbanac: awesome :) keep me posted!20:28
rm_workjvrbanac: is there something I can subscribe to? :P launchpad / CR ?20:28
aleeJeffF, what that means is that the barbican plugin written by dogtag authenticates with dogtag CA as a trusted agent, so that cert requests can be automatically approved.20:28
aleeJeffF, and immediately returned20:28
jvrbanacrm_work, will do20:29
aleerellerreller, ping20:29
JeffFalee: and is the cert issued immediately, or how is the cert returned?20:30
redrobotrm_work jvrbanac I can add a blueprint to track the auth stuff20:30
aleeJeffF, right - the cert is issued immediately.  We return a reference to the cert (url) which we then fetch and return to barbican20:30
aleeJeffF, check out the dogtag plugin code ..20:30
aleeplugins/ iirc ..20:31
JeffFalee: I will, thanks!20:31
rm_workredrobot: :P if you want to -- it is your day off20:31
rm_workyou're welcome to work if you want to :)20:32
rm_workthough if you're going to work, I prefer ^_^20:32
rellerrelleralee what's up?20:32
rm_workthough actually I may end up stalled on this auth issue, so it might not matter if my stuff gets in anytime soon <_<20:32
aleerellerreller, hey - I was just going through the barbican related code in nove and cinder20:32
aleeand needed some clarification20:33
rm_worknova and cinder have barbican code?20:33
rellerrellerI hope I can hlep20:33
* rm_work should take a look at that20:33
aleerellerreller, specifically in cinder --20:33
aleewhat are the use cases in which they invoke the KeyManager?20:34
rellerrellerrm_work Yes, we have some code in there. Don't know if Nova accepted our code yet but Cinder does20:34
rellerrelleralee I cannot list all of the use cases bc I am not sure. We use it for disk encryption. That may be all of the use cases now :)20:34
JeffFwoodster_: is the ability to retry the cert plugin to check for a completed certificate for example being developed, or planned?20:35
rellerrelleralee Cinder and Nova use it for Cinder volume encryption20:35
rellerrelleralee Nova also is using it to encrypt LVM volumes for ephemeral storage20:35
aleerellerreller, ok - in nova, I see how it is used for ephemeral storage.20:36
rellerrelleralee There may be other use cases but those are all of the ones that I am aware of20:36
aleein the case of cinder volume encryption then , nova just tells cinder it wants an encrypted volume, and cinder provides one?20:36
*** kgriffs has joined #openstack-barbican20:37
aleeI was under the impression (perhaps mistaken) that nova would ask for the key to be generated20:37
aleerellerreller, just trying to get a sense of the flow ..20:37
*** kebray has quit IRC20:37
rellerrelleralee not exactly.  When the volume is used Nova retrieves the key ID from Cinder and then Nova uses dm-crypt to mount the encrypted drive.20:38
rellerrelleralee I think we have some powerpoint slides on the sequence of events if you like ???20:38
aleeyeah - that would be great, thanks ..20:38
rellerrellerIt has been a while since I have looked at that code. Another dev here works on that now.20:39
aleerellerreller, ok - but the generation of the symmetric key (or the request to KeyManager to do so) happens in cinder.20:39
rellerrelleralee I will try to find some slides and send them to you. I probably can get them to you tomorrow20:39
aleerellerreller, that would be great thanks20:40
rellerrelleralee Yes, we want Cinder to generate the key but not read it. Only Nova should be able to read the key in our use cases.20:40
SheenaG1Hey JeffF - working on catching woodster_ for you20:40
aleerellerreller, ok that makes sense.  Lines up with what I;m seeing in the code.20:41
JeffFSheenaG1: np, thanks20:41
aleerellerreller, nova does generate a key in the case of ephemeral data encryption though ..20:41
aleeJeffF, there is code there but I'm not sure how much its been tested.20:42
aleeJeffF, well -let me rephrase ..20:42
rellerrelleralee Ephemeral storage keys are completely managed by Nova instances because ephemeral storage is20:43
aleethere is code there to manage state when returning status from the cert requests, but the retry mechanism -- ie. the thing that schedules and executes retry tasks - is still to be developed20:44
aleeplanned for kilo20:44
JeffFalee: ok.  so going forward, that will be available to return state of the cert then?20:45
aleeright - the whole mechanism should hopefully be ironed out and put in early in the kilo cycle.20:47
redrobotrm_work jvrbanac
jvrbanacredrobot, awesome thanks!20:50
*** kebray has joined #openstack-barbican20:50
rm_workkk thanks20:50
*** juantwo has quit IRC20:53
JeffFalee: so sorry for the many questions.  I'm just new to this and eager to ramp up quickly.20:58
rm_workwoodster_: that meeting is like, in 2 minutes20:58
rm_workwoodster_: if you wanted to hit that up20:58
JeffFthanks for the help!20:59
aleeJeffF, absolutely.  we'll be looking to you for feedback when we try to design the generic cert interface.21:00
*** codekobe____ has joined #openstack-barbican21:00
JeffFalee: very willing to help21:00
rm_workredrobot: did you want to do a video conference on your day off? :P21:02
rm_work*Vidyo :P21:02
JeffFalee: ok, final question for now I think.  the /orders resource is the api for creating a cert, correct? I see the format for a post to orders here,  Is there a specific json format I should use to pass in cert details for example?21:02
aleeJeffF, let me dig up what I was using to test using dogtag ..21:04
JeffFalee: excellent.21:05
*** ayoung is now known as ayoung-afk21:07
JeffFalee: got it.  thanks so much!21:08
aleeJeffF, np -remember of course that this contains what is needed to talk to a dogtag CA21:08
aleeyours will be different21:08
atiwariI missed the congratulations for redrobot.21:09
atiwaricongratulation redrobot21:09
JeffFalee: yes.  it gives me the example of a json request that I can use. and that's what I was looking for.  so thanks.  I'll try not to be a burden.  I think I have what I need to build away for a bit.21:09
aleeredrobot, +221:10
aleeJeffF, no worries. let us know if you have questions21:10
JeffFwill do21:11
*** rtom has quit IRC21:11
*** rtom has joined #openstack-barbican21:11
*** kaitlin-farr has quit IRC21:14
*** gyee has quit IRC21:22
*** atiwari has quit IRC21:26
rm_workhey SheenaG121:30
SheenaG1What's up rm_work?21:30
rm_workSheenaG1: you around? going to PM you some stuff21:30
SheenaG1I'm here!21:30
*** kebray has quit IRC21:34
*** kebray has joined #openstack-barbican21:36
*** joesavak has quit IRC21:42
*** rellerreller has quit IRC21:46
*** ryanpetrello_ has joined #openstack-barbican21:50
*** kebray has quit IRC21:51
*** paul_glass has quit IRC21:53
*** tdink has quit IRC21:53
*** rtom has quit IRC21:57
*** kebray has joined #openstack-barbican22:01
*** kebray has quit IRC22:09
*** kgriffs is now known as kgriffs|afk22:11
*** ryanpetrello_ has quit IRC22:11
*** kebray has joined #openstack-barbican22:12
*** gyee has joined #openstack-barbican22:32
*** dimtruck is now known as zz_dimtruck22:33
*** akoneru has quit IRC22:34
*** SheenaG1 has quit IRC22:38
*** kgriffs|afk is now known as kgriffs22:59
*** mikedillion has quit IRC23:11
*** kgriffs is now known as kgriffs|afk23:19
*** SheenaG1 has joined #openstack-barbican23:20
*** SheenaG11 has joined #openstack-barbican23:22
*** SheenaG1 has quit IRC23:25
*** JeffF has quit IRC23:34
*** kgriffs|afk is now known as kgriffs23:49
*** kgriffs is now known as kgriffs|afk23:58

Generated by 2.14.0 by Marius Gedminas - find it at!