Friday, 2014-12-19

*** ametts has quit IRC00:14
*** kebray has joined #openstack-barbican00:19
*** ryanpetrello has joined #openstack-barbican00:19
*** kebray has quit IRC00:34
*** kebray has joined #openstack-barbican00:35
*** stanzi has joined #openstack-barbican00:37
*** Stanzi_ has joined #openstack-barbican00:37
*** Stanzi_ has quit IRC00:51
*** stanzi has quit IRC00:51
*** stanzi has joined #openstack-barbican00:51
*** Stanzi_ has joined #openstack-barbican00:51
*** Stanzi_ has quit IRC00:56
*** stanzi has quit IRC00:56
*** bdpayne_ has quit IRC01:25
*** ryanpetrello has quit IRC01:40
*** tkelsey has joined #openstack-barbican01:43
*** tkelsey has quit IRC01:47
*** rm_work is now known as rm_work|away01:51
*** ryanpetrello has joined #openstack-barbican01:57
*** ryanpetrello has quit IRC02:13
*** stanzi_ has joined #openstack-barbican02:35
*** Stanzi has joined #openstack-barbican02:35
*** stanzi_ has quit IRC02:43
*** Stanzi has quit IRC02:43
*** ajc_ has joined #openstack-barbican03:04
*** ryanpetrello has joined #openstack-barbican03:15
*** tkelsey has joined #openstack-barbican03:44
*** ajc_ has quit IRC03:45
*** lisa1 has joined #openstack-barbican03:46
*** tkelsey has quit IRC03:49
*** lisa1 has quit IRC03:51
*** dave-mccowan has quit IRC04:53
*** woodster_ has quit IRC05:00
*** woodster_ has joined #openstack-barbican05:08
*** ryanpetrello has quit IRC05:18
*** rm_work|away is now known as rm_work05:21
*** lisa1 has joined #openstack-barbican05:35
*** lisa1 has quit IRC05:39
*** rm_work is now known as rm_work|away05:43
*** kebray_ has joined #openstack-barbican06:11
*** kebray has quit IRC06:13
*** jamielennox is now known as jamielennox|away06:25
*** lisa1 has joined #openstack-barbican06:29
*** kebray_ has quit IRC06:31
*** lisa1 has quit IRC06:33
*** Stanzi has joined #openstack-barbican06:35
*** stanzi_ has joined #openstack-barbican06:35
*** stanzi_ has quit IRC06:39
*** Stanzi has quit IRC06:39
*** ryanpetrello has joined #openstack-barbican07:03
*** ryanpetrello has quit IRC07:07
*** woodster_ has quit IRC07:20
*** lisa1 has joined #openstack-barbican07:23
*** lisa1 has quit IRC07:28
*** tkelsey has joined #openstack-barbican07:45
*** tkelsey has quit IRC07:50
*** lisa2 has joined #openstack-barbican08:17
*** lisa2 has quit IRC08:22
*** david-ly_ has quit IRC09:32
*** david-lyle has joined #openstack-barbican09:33
*** david-lyle has quit IRC09:38
*** dimtruck is now known as zz_dimtruck09:42
*** lisa3 has joined #openstack-barbican10:06
*** lisa3 has quit IRC10:10
*** darrenmoffat has quit IRC10:22
*** darrenmoffat has joined #openstack-barbican10:22
*** woodster_ has joined #openstack-barbican13:10
*** dave-mccowan has joined #openstack-barbican13:14
*** dave-mccowan_ has joined #openstack-barbican13:21
*** dave-mccowan has quit IRC13:21
*** dave-mccowan_ is now known as dave-mccowan13:21
*** lisa2 has joined #openstack-barbican13:50
*** ryanpetrello_ has joined #openstack-barbican14:17
*** ryanpetrello_ is now known as ryanpetrello14:19
*** ametts has joined #openstack-barbican14:30
*** dave-mccowan has quit IRC14:47
*** stanzi_ has joined #openstack-barbican14:59
*** Stanzi has joined #openstack-barbican14:59
*** Stanzi has quit IRC15:00
*** stanzi_ has quit IRC15:00
*** stanzi has joined #openstack-barbican15:01
*** Stanzi_ has joined #openstack-barbican15:01
*** Stanzi_ has quit IRC15:06
*** stanzi has quit IRC15:06
*** hyakuhei has quit IRC15:15
woodster_alee, reaperhulk, jvrbanac so is this CR stalled out? :)  I figure we should work to get closure on the essential bps today if possible15:16
*** dave-mccowan has joined #openstack-barbican15:24
*** hyakuhei has joined #openstack-barbican15:28
*** jorge_munoz has joined #openstack-barbican15:31
*** lisa2 has quit IRC15:35
aleewoodster_, I'll try to get a new version up shortly.  Let me check to see if there are still areas that are undetermined.15:37
woodster_alee, sounds good15:39
*** kebray has joined #openstack-barbican15:53
*** zz_dimtruck is now known as dimtruck15:55
*** atiwari has joined #openstack-barbican16:01
*** lisa2 has joined #openstack-barbican16:02
*** paul_glass has joined #openstack-barbican16:10
*** lisa2 has quit IRC16:50
*** kebray has quit IRC16:57
*** kebray has joined #openstack-barbican16:58
*** gyee has joined #openstack-barbican16:58
*** rm_work|away is now known as rm_work17:03
rm_workyeah, we need that one pretty badly <_<17:04
*** lisa2 has joined #openstack-barbican17:05
rm_workwoodster_: so on my bugfix change, it should actually be a change to make the method we use for content_types read from the metadata instead?\17:07
*** lisa2 has quit IRC17:12
*** lisa2 has joined #openstack-barbican17:13
*** lisaclark has joined #openstack-barbican17:18
*** atiwari has quit IRC17:37
*** lisaclark has quit IRC17:38
*** lisa2 has quit IRC17:41
*** kebray has quit IRC17:41
woodster_rm_work: I believe so, so non-HSM secret gets work correctly. I think you should still pass along the content type to the store_crypto flow though as you are doing in that CR. Eventually we need to not put that data in two places :\17:48
rm_workerr so keep the change I added, but ALSO fixed to load from the other location?17:49
woodster_rm_work, well do the minimum you need to fix the problem, but it hopefully supports secret gets for secret_stores and HSM stores.17:52
rm_workis it possible for me to test that easily? I don't know if those require licenses or something17:56
*** kebray has joined #openstack-barbican17:56
*** bdpayne has joined #openstack-barbican18:10
openstackgerritAdam Harwell proposed openstack/barbican: Fix content_type loading to be consistent
rm_workwoodster_: ^^18:29
aleewoodster_, ping18:31
aleeredrobot, ping18:32
aleedave-mccowan, ping18:32
rm_workalee: ^^18:39
woodster_alee, pong.  Btw, redrobot is in his homeland for the next 2-3 weeks18:40
rm_workwoodster_: you want secret_metadata to be authoritative over encrypted_data?18:41
rm_workwoodster_: I figured it would be fine to cascade, and that since the encrypted_data content_types are more "fine-grained" (it seems?) they would be authoritative18:41
woodster_rm_work: yes. All secret_store plugins should put content-type in the metadata. The HSM plugins (a sub-set of secret-store) will also store it in the encrypted datum, but that needs to be removed at some point (not for this CR).18:42
rm_workbut if you'd rather ignore anything in encrypted_data and ONLY read from secret_metadata, that is fine by me, as long as you don't think it'll break anything18:42
woodster_rm_work: you should ignore it just for that method call. No need to cascade to encrypted datum...that is legacy code in there that needs to go.18:43
rm_workwoodster_: is it *possible* for a secret to not have secret_store_metadata?18:43
rm_workI was going to swap the "if not secret.encrypted_datum" with "if not secret.secret_store_metadata"18:43
rm_workbut I guess possibly that's redundant?18:43
woodster_rm_work, so this line is called for all plugin types (except for 1st step of 2-step secret):
woodster_rm_work so content_type is stamped on all stored secrets (that have encrypted data that is)18:46
woodster_rm_work, the swap sounds no more encrypted_datum logic in that method is needed then18:47
aleewoodster_, so - just looking over the per-secret spec18:49
aleewoodster_, there are not a lot of edits I need to make -- it's mostly deciding what we need to do for kilo and beyond18:50
aleewoodster_, if it's decided -- then I can specify that ..18:50
rm_workwoodster_: and  # TODO(jwood): How deal with merging more than one datum instance?18:51
rm_workis no longer valid, right?18:51
alee1. only do get request whitelist for kilo.  more detailed acls later (decided?)18:51
alee2. for kilo do project access only .. change default for v2 for L or later (decided?)18:52
alee3. defer concerns on delete for creator till L (decided?)18:53
alee4. seems we have decided on mutable acls18:54
aleewoodster_, if all is decided as above, I can write it as such in a new version of the spec.18:55
woodster_rm_work: yep you can remove to do18:56
woodster_alee: that sounds right. So if whitelist it only applies to get calls. Project that created secret can still do current operations18:59
aleewoodster_, right -- ok- that's the way I'll write it up then18:59
woodster_rm_work: ^^^ as this pertains to lbaas use case too19:00
*** openstack has joined #openstack-barbican19:08
rm_workalee: one interesting thing is, I'd probably want to tie consumer POST/DELETE requests to the GET whitelist19:08
rm_workbut I hope that'd be easy19:08
rm_workthat or, something more complicated requiring a service-account + GET access19:08
*** woodster_ has joined #openstack-barbican19:08
*** openstackstatus has joined #openstack-barbican19:09
*** ChanServ sets mode: +v openstackstatus19:09
aleerm_work, hmm19:09
*** dougwig has joined #openstack-barbican19:09
rm_workthe "something more complicated" requires keystone composite-tokens to work19:10
aleerm_work, I don't think it will be too hard to do the simple case -- ie. tie consumer POST/DELETE requests to the GET whitelists19:14
aleerm_work, I'll add a note about that in the spec for something to do in a follow-on spec19:14
aleeI think things will be much clearer once we have a framework there.19:15
*** rm_you has quit IRC19:16
*** rm_you has joined #openstack-barbican19:17
rm_workwoodster_: lol, bunch of tests fail now because they don't set up secret_store_metadata19:17
woodster_rm_work: really? Are they older hsm ones?19:19
woodster_rm_work: also can you run server locally then run the bin/demo script successfully?19:21
rm_workthis is one: /barbican/tests/api/", line 1118, in test_should_get_secret_meta_for_binary_with_tkey19:21
rm_worktrying that19:22
rm_workhmm no, that script fails19:22
rm_workbut not on anything that makes sense for my change <_<19:22
*** jorge_munoz has quit IRC19:25
*** jorge_munoz has joined #openstack-barbican19:25
rm_workyeah WhenGettingPuttingOrDeletingSecretUsingSecretResource does not initialize any secret_meta19:28
woodster_rm_work, that's a bit odd for sure (on the bin/demo... script error)19:33
aleewoodster_, rm_work where is the link with the details on the mid-cycle?19:35
aleefound it --
aleedave-mccowan, ^^19:40
*** lisa1 has joined #openstack-barbican19:42
dave-mccowanalee, thanks19:42
aleewoodster_, ping19:44
dave-mccowanis there a favorite hotel?19:44
aleedave-mccowan, SheenaG has been arranging a group rate at a downtown hotel -- the Omni I believe.19:45
woodster_rm_work, yeah that an old really need to add the content-type to secret metadata dict if the encrypted_data passed to create_secret() has that on there19:45
aleedave-mccowan, the rate will be around $240/night19:45
woodster_alee, hello19:45
rm_workwoodster_: yeah fixed it19:45
aleewoodster_, so -- on the per secret thing ..19:45
woodster_rm_work, nice! Is the demo script still not working though?19:46
rm_workwoodster_: going to look at that next19:46
aleeline 17319:46
*** lisa1 has quit IRC19:46
aleedoes it make sense to rename the parameters there read_users? read_groups?19:46
aleeinstead of allowed?19:46
aleein anticipation of having more detailed acls in future?19:47
aleeor just leave it as allowed_users?19:47
woodster_alee, that makes sense, unless the thinking is that per user/group/project you give a list of actions they can do?19:48 the future that is19:48
aleeright ..19:49
aleewoodster_, here is an example of an acl in dogtag --19:50
aleeresourceACLS: certServer.general.configuration:read,modify,delete:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify,delete) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify and delete19:50
*** ryanpetrello has quit IRC19:50
aleegrouping is done per operation19:50
aleebut I guess you really could go either way19:51
*** ryanpetrello has joined #openstack-barbican19:51
aleewoodster_, I'm going to need to step out for a bit -- kids christmas party/concert -- and I'm off for the rest of the year as of next week.19:53
aleebut I'll try get a new version out of the spec and my cert api patches over the next day or so.19:54
woodster_alee that sounds good, enjoy the party! Today is my last day of the year officially anyway19:54
aleemine too :)19:54
*** alee is now known as alee_afk19:55
*** alee_afk has quit IRC20:04
rm_workwoodster_: nice, me too :P20:16
woodster_rmwork Douglas said you were running the IRC meeting on Monday20:18
woodster_rmwork just kidding, chellygel is20:18
rm_workI might show up20:19
rm_workI am trying to get one of my friends a commit in OpenStack, so I may be picking up another bugfix next week on my offtime to help him get started :P20:19
woodster_rm_work, nice!20:24
rm_workugh some of these tests are kinda WTF20:25
rm_workstill working through fixing them20:25
*** lisa1 has joined #openstack-barbican20:36
*** gyee has quit IRC20:39
*** lisa1 has quit IRC20:41
chellygelhope chellygel doesn't forget to do the meeting >_>20:41
rm_workchellygel: I'm sure she'll remember20:46
rm_workwoodster_: does the demo thing work for you? i don't think it will20:46
rm_workdelete_entity_by_id() takes exactly 3 arguments (2 given)20:47
rm_work2014-12-19 12:46:56.838 51038 TRACE barbican.api.controllers20:47
rm_workFile "/Users/adam6424/IdeaProjects/barbican/barbican/api/controllers/", line 89, in on_delete20:47
rm_workso I assume something was updated in a past patch (possibly my fault?) that broke this20:47
rm_workI assume the demo will be broken on anything20:48
woodster_rm_work: hmmmm, I think that I've fixed that in my oslo I18n CR hanging around out there. I didn't think it was being tested though. Doing way too many things at once of late :\20:48
woodster_rm_work: well, if it is passing the basic secret/container crud stuff, that should be ok for your CR. Mine should address the consumers issue then20:49
rm_workwoodster_: it's hard to tell since it breaks on like the fourth test and bails20:49
woodster_rm_work, i was more concerned that removing the content-type broke something else20:49
rm_workright now I am trying to figure out how my change causes this other test to get a 50020:49
rm_workdoesn't even make sense20:51
*** gyee has joined #openstack-barbican20:55
rm_workah got it20:56
rm_workmy bad20:56
woodster_rm_work thanks for tracking that stuff down20:57
rm_worknew patchset20:57
rm_workif you want to review it before you pop off... err, momentarily20:57
openstackgerritAdam Harwell proposed openstack/barbican: Fix content_type loading to be consistent
rm_workah and i see the problem, need to pass keystone_id now to the consumer_repo21:00
rm_workcool, yep, passes with that fixed, but I'll leave that out and let that fix be merged in your patch elsewhere21:00
*** darrenmoffat has quit IRC21:17
rm_workwoodster_: why is this still stuck?21:20
rm_workyou rechecked once...21:20
woodster_I have no idea21:20
rm_work100% of the tests are failing for dsvm21:21
rm_workall with the same error21:21
rm_workJSONDecodeError: Expecting value: line 1 column 1 (char 0)21:21
rm_workie, no response from server21:22
*** crc32 has joined #openstack-barbican21:30
woodster_rm_work, yeah, it was working, and then once it got the workflow +1, it started breaking21:32
rm_workmakes little sense21:33
rm_workit's re-running again now...21:33
rm_workcheck gate == workflow gate21:33
rm_workso I don't know why it'd break all the sudden21:33
woodster_rm_work: that work came out of just updating a bunch of messages for i18n and then getting unit tests to cover the broke cover gate. It has been an ordeal to get those CRs landed21:34
rm_workhopefully this one transitions soon from "on approach" :)21:34
woodster_now can't get on Vpn for some reason...going to thera-boot my machine....21:35
rm_workwatching hopefully21:35
rm_workif only devstack didn't take 15m to spin up :(21:35
rm_workwoodster_: looks like it passed this time O_o21:38
rm_workso I guess it's about 20 seconds from merging21:38
woodster_rm_work: wow, 3rd (or 4th/5th?) time's the charm, thanks!21:40
rm_workheh, hopefully not the same situation as my 20+ retry commit where something was ACTUALLY broken :P21:41
rm_workoh god it has to run the test AGAIN!?21:43
*** darrenmoffat has joined #openstack-barbican21:45
rm_workrecheck causes it to re-run the "check" check, now it passed that so it's willing to run the "gate" check again >_<21:45
*** dave-mccowan has quit IRC21:50
*** alee_afk has joined #openstack-barbican21:55
openstackgerritMerged openstack/barbican: Add I18n-related unit tests (Part 2)
*** ryanpetrello_ has joined #openstack-barbican21:58
*** bdpayne_ has joined #openstack-barbican21:59
rm_workwoodster_: ^^ cool22:00
*** ryanpetrello has quit IRC22:01
*** ryanpetrello_ is now known as ryanpetrello22:01
*** bdpayne has quit IRC22:02
*** dave-mccowan has joined #openstack-barbican22:06
*** dave-mccowan_ has joined #openstack-barbican22:10
*** dave-mccowan has quit IRC22:11
*** dave-mccowan_ is now known as dave-mccowan22:11
*** ryanpetrello has quit IRC22:13
rm_workwoodster_: now re-review my thing :P
woodster_rm_work, nice! I thought that would never make it to master22:15
woodster_rm_work, thanks for the updated CR. So would you be up for helping with the per-secret RBAC work should that blueprint ever land? :)22:18
rm_workIt's something I could probably justify22:18
rm_workbut I don't know much about how RBAC works22:18
rm_workI've been faking it up to now :P22:18
rm_workalways time to learn though22:19
woodster_rm_work, you focus on the lbaas-interaction aspects initially, and that would get a lot of the scaffolding up for the feature overall22:20
rm_workI'll look into it once the spec lands (and once I have a chance to talk about it during sprint planning) :P22:25
*** paul_glass has quit IRC22:40
*** ayoung has quit IRC22:57
woodster_rm_work: I meant you 'could' focus... up above there23:05
*** rm_work is now known as rm_work|away23:20
*** ametts has quit IRC23:21
*** lisa1 has joined #openstack-barbican23:35
*** lisaclark has joined #openstack-barbican23:36
*** lisaclark has quit IRC23:39
*** lisa1 has quit IRC23:40
