Tuesday, 2015-01-27

*** rellerreller has quit IRC00:04
*** kgriffs is now known as kgriffs|afk00:26
mjg59Is there any existing support in Barbican for clustered secret storage?00:26
*** dave-mccowan has joined #openstack-barbican00:34
*** lisaclark1 has joined #openstack-barbican00:39
*** atiwari has quit IRC00:44
*** atiwari has joined #openstack-barbican00:44
*** atiwari has quit IRC00:44
*** kebray has quit IRC00:59
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/15019901:08
*** gyee has quit IRC01:15
*** crc32 has quit IRC01:25
*** bdpayne has quit IRC01:29
*** lisaclark1 has quit IRC01:37
*** tkelsey has joined #openstack-barbican01:42
*** tkelsey has quit IRC01:46
*** lisaclark1 has joined #openstack-barbican02:14
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/15019902:15
*** kgriffs|afk is now known as kgriffs02:26
*** kgriffs is now known as kgriffs|afk02:35
*** dave-mccowan has quit IRC02:41
*** kgriffs|afk is now known as kgriffs02:50
*** kgriffs is now known as kgriffs|afk02:54
*** jkf has quit IRC03:14
*** kebray has joined #openstack-barbican03:42
*** kebray has quit IRC03:44
*** ayoung is now known as ayoung_ZZzz__03:49
*** lisaclark1 has quit IRC03:54
*** kgriffs|afk is now known as kgriffs03:54
*** kebray has joined #openstack-barbican03:57
*** kgriffs is now known as kgriffs|afk04:03
*** kgriffs|afk is now known as kgriffs04:54
*** kgriffs is now known as kgriffs|afk05:04
*** Nirupama has joined #openstack-barbican05:09
*** woodster_ has quit IRC06:23
*** kgriffs|afk is now known as kgriffs06:43
*** kgriffs is now known as kgriffs|afk06:53
*** greghaynes has quit IRC07:24
*** greghaynes has joined #openstack-barbican07:26
*** jamielennox is now known as jamielennox|away07:29
*** tkelsey has joined #openstack-barbican07:38
*** kebray has quit IRC08:05
*** kgriffs|afk is now known as kgriffs08:32
*** kgriffs is now known as kgriffs|afk08:42
*** jaosorior has joined #openstack-barbican09:25
*** kgriffs|afk is now known as kgriffs10:21
*** kgriffs is now known as kgriffs|afk10:30
*** tkelsey has quit IRC10:35
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Switch Python's json to the OpenStack's json wrapper  https://review.openstack.org/15035710:50
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Use drop old namespace for some oslo libraries  https://review.openstack.org/15037211:40
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Drop old namespace for some oslo libraries  https://review.openstack.org/15037211:43
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Drop old namespace for some oslo libraries  https://review.openstack.org/15037211:50
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Drop old namespace for some oslo libraries  https://review.openstack.org/15038612:03
*** kgriffs|afk is now known as kgriffs12:09
*** kgriffs is now known as kgriffs|afk12:19
*** woodster_ has joined #openstack-barbican12:31
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Fix symmetric/asymmetric key order meta validation  https://review.openstack.org/15039612:48
*** Nirupama has quit IRC12:52
*** tkelsey has joined #openstack-barbican13:13
*** darrenmoffat has quit IRC13:41
*** darrenmoffat has joined #openstack-barbican13:42
*** alee has quit IRC13:43
*** rellerreller has joined #openstack-barbican13:48
*** kgriffs|afk is now known as kgriffs13:58
*** rellerreller has quit IRC14:05
*** kgriffs is now known as kgriffs|afk14:08
*** nkinder has quit IRC14:22
*** rellerreller has joined #openstack-barbican14:28
*** kgriffs|afk is now known as kgriffs14:38
*** kgriffs is now known as kgriffs|afk14:47
*** david-lyle_afk is now known as david-lyle14:49
*** dimtruck is now known as zz_dimtruck14:54
*** paul_glass has joined #openstack-barbican14:57
*** alee has joined #openstack-barbican14:58
*** ametts has quit IRC15:01
jaosoriorwoodster_ jvrbanac: Should I mark this as invalid then? https://bugs.launchpad.net/barbican/+bug/136513115:04
*** paul_glass has quit IRC15:05
openstackgerritMerged openstack/barbican-specs: Snakeoil CA  https://review.openstack.org/14198115:06
*** paul_glass has joined #openstack-barbican15:06
*** ayoung_ZZzz__ is now known as ayoung_snowedin15:07
aleejaosorior, ping15:12
jaosoriorreviewing this CR from you https://review.openstack.org/#/c/147323/6/barbican/model/models.py ATM15:12
aleejaosorior, cool15:13
aleejaosorior, when did "mode" become a required attribute?15:13
aleewhat does it mean in the context of symmetric key orders?15:13
aleejaosorior, I'm looking at https://review.openstack.org/#/c/150396/115:14
jaosoriorWell, I did take that from the bug description https://bugs.launchpad.net/barbican/+bug/1376902 and it is implied from the API https://github.com/cloudkeep/barbican/wiki/Application-Programming-Interface#post-1 but now that I think about it... it could be kind of ambiguous. So that should be fixed15:16
*** nkinder has joined #openstack-barbican15:19
aleejaosorior, algorithm might make sense.  But I have no idea whats supposed to be in mode.15:20
aleejaosorior, certainly its not something that is used by the plugins as far as I know.15:20
aleeI'll make a note on the CR and let others comment15:20
jaosoriorThat would actually be a good idea15:21
jaosoriorReading a bit more into it... seems to me that the mode would probably make more sense as optional. But I would like there to be more input on the CR. If that's the case I need to start updating the Documentation, to both make this less ambiguous and reflect the change.15:23
*** kebray has joined #openstack-barbican15:26
*** kebray has quit IRC15:26
*** kebray has joined #openstack-barbican15:27
openstackgerritMerged openstack/barbican: Updated from global requirements  https://review.openstack.org/15019915:27
*** rellerreller has quit IRC15:29
*** zz_dimtruck is now known as dimtruck15:30
aleejvrbanac, jaosorior , woodster_, redrobot - quick question -- I have added some code that requires python-ldap, so I added it to requirements.txt.  Now when I run tox, it says it cannot find ldap module.15:34
*** rellerreller has joined #openstack-barbican15:34
aleeHow do I update tox ?15:34
jaosoriortox -r15:34
jaosoriorneeds to recreate the environments15:34
aleejaosorior, cool - thanks -- trying15:35
aleejaosorior, yup - looks like its doing just that15:35
jaosoriorif it again says that it cannot find it, then you might have misspelled the module in the txt15:35
jaosoriordid it work? :O15:43
aleejaosorior, yes and no -- it found the next module I need to add (pyOpenSSL) :)15:44
jaosoriorlol, alright15:45
*** SheenaG1 has joined #openstack-barbican16:14
*** kgriffs|afk is now known as kgriffs16:41
*** SheenaG1 has quit IRC16:41
*** lisaclark1 has joined #openstack-barbican16:43
*** SheenaG1 has joined #openstack-barbican16:43
*** lisaclark1 has quit IRC16:53
*** lisaclark1 has joined #openstack-barbican16:59
*** lisaclark1 has joined #openstack-barbican17:01
*** lisaclark1 has quit IRC17:02
*** lisaclark1 has joined #openstack-barbican17:04
*** lisaclark1 has quit IRC17:06
*** lisaclark1 has joined #openstack-barbican17:06
*** rm_work is now known as rm_work|away17:10
*** bdpayne has joined #openstack-barbican17:10
*** d0ugal has left #openstack-barbican17:11
*** d0ugal has joined #openstack-barbican17:11
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/15049517:16
bdpayneIs there an expected deployment model for clustered secret storage with Barbican today?17:19
redrobot bdpayne I'm not sure what you mean by "clustered" ?17:21
bdpayneOr is the idea to just push that problem back to something like Dogtag?17:21
bdpayneWell, I'd like to have HA with my secrets17:21
redrobotoh, well it depends on the choice of backend17:21
bdpayneSo each one is copied to multiple machines17:21
bdpayneI could do this with the db backend17:21
bdpayne(assuming the db is clustered)17:21
redrobotwe're planning to deploy with Luna SAs in HA mode.17:22
bdpaynebut, that has shortcomings in terms of protecting the secrets (mainly a password in the config)17:22
bdpayneah... so in your case the HSM handles this for you?17:22
redrobotbdpayne yes... we'll have two hsms.  we'll be able to replicate the master key from one hsm to the other.17:23
bdpaynedo the HSMs replicate the encrypted secret blobs too?17:23
redrobotsuch that we'll have a load balancer in front of N api nodes, then the api nodes will talk to a postgres db, and pick an hsm for the crypto work17:23
bdpayne(assuming those are stored on the HSM in your model?)17:24
redrobotbdpayne nope, as of now we're planning on just having a posgresql server with a hot backup in case we need to fail over17:24
redrobotfor our load, we think a single postgres node will be enough.17:24
redrobotwe still have to think through the different datacenter backup strategy, so some of this may change.17:25
redrobotor multiple datacenter, rather17:25
bdpayneso you aren't worried about losing secrets?17:25
bdpayneoh, I see, a hot backup could help there17:25
bdpaynehrm, interesting17:25
bdpayneok, we'll need to so some thinking about this17:25
bdpayneI think that our use case here is somewhat different17:26
bdpayneso we're trying to figure the path of least resistance17:26
bdpaynewe have some ideas... but are still flushing them out17:26
*** atiwari has joined #openstack-barbican17:27
bdpaynewe were thinking about just storing the master key in an HSM and then dropping the encrypted secrets into a clustered db17:27
redrobotbdpayne yeah, it will definitely be something to talk about at the next summit.17:27
bdpaynerather than holding that master key in a file (like the driver does today) we'd boot strap it so that barbican retrieves it after startup and only holds it in memory.17:28
redrobotI think that may work right now... but I think the HSM will be a bottleneck17:28
bdpaynewe thought about forcing all encryption / decryption to go through the HSM17:28
bdpaynebut that seems like it doesn't buy much for the typical threat model at play with Barbican (mainly stolen disks)17:28
bdpayneHSM a bottleneck?  how so?17:29
redrobotinteresting... yeah, we don't want the master key to leave the hsm, so they are doing all the crypto work for us... Barbican never sees anything but the actual secret in plaintext17:29
bdpaynesure, and I can see the argument for doing that17:30
redrobotunfortunately now, that means 2 or 3 trips to the hsm per secret on retrieval17:30
bdpaynejust not sure if it is qualitatively different from a security viewpoint (losing the master secret is clearly bad, but anyone on the system could just request all of the secrets too)17:30
bdpayneat that point, it really just comes down to auditability17:31
bdpayneredrobot thanks for the input... we'll be at the OSSG mid-cycle meeting which I think will be somewhat linked into the Barbican meetup, so we may have some questions for you guys at that time.  In the interim, we'll keep exploring design options at this end.17:33
redrobotbdpayne sure thing.  Yeah, I'm hoping we can at least do some Google Hangout coordination during the mid-cycles17:34
aleebdpayne, of course, you get the HA with dogtag already.17:36
bdpayneyes, but I don't think that dogtag is going to fit into our deployment model17:36
aleebdpayne, how so?17:37
bdpaynetoo complicated17:37
bdpaynetoo many new failure points17:37
aleebdpayne, interesting -- meaning that you'd prefer barbican -> hsm, rather than barbican -> dogtag -> hsm ?17:38
bdpayneWhat does dogtag add that makes the extra complexity worth it?17:39
bdpayne(I could just be missing something here)17:39
aleewell - lets see ..17:39
bdpayneb/c it isn't just dogtag, but dogtag + deps17:39
alee1) you get a CA at the same time17:40
alee2) you get all the audit functionality that isn't there in barbican yet17:40
alee3) you get HA17:40
alee4) because of the way dogtag stores things, you don't have to worry about HSM being a bottleneck17:41
bdpaynedogtag's HA model is based on an LDAP backend setup with clustered support, right?17:41
aleepretty much17:42
aleereplication agreements between ldap backends17:42
bdpayneIf I could setup dogtag HA backed by cassandra (or perhaps mysql), then I would be much more interested17:42
bdpayneI think the LDAP thing remains my biggest obstacle... just one more clustered service to setup17:43
bdpayneAnd those are traditionally the places where things get hairy and fail at the worst times17:43
aleebdpayne, well - we set it up for you, but sure ..17:43
bdpayneI do agree that some of those other benefits would be nice17:43
bdpayne"we set it up for you" ??17:43
bdpaynewould you like to come work for Nebula? ;-)17:44
aleethat is -- the dogtag install scrtipts set up all the repication agreements etc.17:44
bdpayneah, I see17:44
bdpaynebut the ldap service does need to be there17:44
bdpayneand when it fails, we'll need to understand it all deeply17:45
aleebdpayne, I'm hoping over the next couple of months to set up something like devstack with barbican and dogtag/ipa17:45
aleebdpayne, and have it all working in one foul swoop17:46
aleebdpayne, we already do a lot of this with freeipa17:46
aleeie. it sets up dogtag + ldap etc.17:46
aleethe idea would be to have barbican + freeipa (which includes the ca and dogtag kra)17:47
aleeand have a simple script that sets all this up17:47
aleemost of that is already there actually - its just a matter of tying it all together17:48
aleebdpayne, anyways - maybe if I could demonstrate that, the deployment option would be more appealing17:49
aleebdpayne, I understand the concern about complexity but taking the whole package together might make it worthwhile17:50
bdpaynetbh, it is less about setting it up and more about maintaining it17:51
aleebdpayne, and if things do go wrong, there is Red Hat support for the underlying bits (as well as the whole thing in RDO)17:51
bdpaynewell, yes17:51
bdpaynethat is probably useful for some17:51
aleebdpayne, yeah - depends on who your customers are ..17:52
-openstackstatus- NOTICE: Gerrit and Zuul will be offline for a few minutes for a security update17:53
aleebdpayne, and how much support you want to do yourself.17:53
bdpayneok, thanks for the discussion, I need to run for now17:53
aleeme too -- cheers :)17:53
*** alee is now known as alee_lunch17:53
*** bdpayne has quit IRC17:54
*** ayoung_snowedin is now known as ayoung17:55
*** openstack` has joined #openstack-barbican18:03
-sendak.freenode.net- [freenode-info] please register your nickname...don't forget to auto-identify! http://freenode.net/faq.shtml#nicksetup18:03
*** openstack` is now known as openstack18:06
*** kebray has quit IRC18:09
*** kebray has joined #openstack-barbican18:10
*** bdpayne has joined #openstack-barbican18:12
*** bdpayne_ has joined #openstack-barbican18:14
*** bdpayne has quit IRC18:17
*** rm_you| has joined #openstack-barbican18:21
*** alee_lunch is now known as alee18:24
*** rm_you has quit IRC18:24
*** jroll has quit IRC18:24
*** jroll has joined #openstack-barbican18:26
*** jorge_munoz has joined #openstack-barbican18:28
*** lisaclark1 has quit IRC18:29
*** jroll has quit IRC18:30
*** jroll has joined #openstack-barbican18:30
*** openstackgerrit has quit IRC18:30
*** openstackgerrit has joined #openstack-barbican18:32
*** lisaclark1 has joined #openstack-barbican18:32
*** jaosorior has quit IRC18:34
*** rellerreller has joined #openstack-barbican18:40
*** lisaclark1 has quit IRC18:56
*** rm_work|away is now known as rm_work19:03
aleerellerreller, did you see this? https://polarssl.org/kb/cryptography/asn1-key-structures-in-der-and-pem19:12
rellerrelleralee I had not seen this. I'll check it out.19:14
*** nkinder has quit IRC19:30
*** kebray has quit IRC19:35
*** lisaclark1 has joined #openstack-barbican19:42
*** nkinder has joined #openstack-barbican19:44
reaperhulkrellerreller: It's possible to unambiguously identify unencrypted DER structures for DSA/EC as well. We had some serious discussion around this in cryptography land on this PR: https://github.com/pyca/cryptography/pull/161019:52
*** kebray has joined #openstack-barbican19:54
rellerrellerreaperhulk that is good to hear. Thanks for the info.19:55
*** dimtruck is now known as zz_dimtruck19:57
*** zz_dimtruck is now known as dimtruck19:58
rellerrellerrm_work redrobot We have pushed the code Castellan. Have you guys seen the CR https://review.openstack.org/#/c/148742/ ?19:59
*** lisaclark1 has quit IRC20:00
*** paul_glass has quit IRC20:02
*** lisaclark1 has joined #openstack-barbican20:04
*** atiwari1 has joined #openstack-barbican20:07
*** atiwari has quit IRC20:10
*** openstack has joined #openstack-barbican20:37
*** openstackgerrit has quit IRC20:38
*** jvrbanac_ has quit IRC20:38
*** kgriffs has quit IRC20:38
*** tdink_ has quit IRC20:38
*** russell_h has quit IRC20:38
*** jroll has quit IRC20:38
*** codekobe has quit IRC20:38
*** darrenmoffat has quit IRC20:38
*** bdpayne_ has quit IRC20:38
*** nkinder has quit IRC20:38
*** alpha_ori has quit IRC20:38
*** rm_work has quit IRC20:38
*** jamielennox has quit IRC20:38
*** rm_you| has quit IRC20:38
*** ayoung has quit IRC20:38
*** david-lyle has quit IRC20:38
*** dougwig has quit IRC20:38
*** atiwari1 has quit IRC20:38
*** lisaclark1 has quit IRC20:38
*** chlong has quit IRC20:38
*** reaperhulk has quit IRC20:38
*** elmiko has quit IRC20:38
*** mordred has quit IRC20:38
*** jkf has quit IRC20:38
*** alee has quit IRC20:38
*** mjg59 has quit IRC20:38
*** tkelsey has quit IRC20:38
*** rellerreller has quit IRC20:38
*** dimtruck has quit IRC20:38
*** jorge_munoz has quit IRC20:38
*** SheenaG1 has quit IRC20:38
*** greghaynes has quit IRC20:38
*** jraim has quit IRC20:38
*** d0ugal has quit IRC20:38
*** lbragstad has quit IRC20:38
*** jillysciarilly has quit IRC20:38
*** chellygel has quit IRC20:38
*** lisaclark has quit IRC20:38
*** insequent has quit IRC20:38
*** hockeynut has quit IRC20:38
*** anteaya has quit IRC20:38
*** arunkant has quit IRC20:38
*** woodster_ has quit IRC20:38
*** redrobot has quit IRC20:38
*** morganfainberg has quit IRC20:38
*** erw has quit IRC20:38
*** dstufft has quit IRC20:38
*** jvrbanac_ has joined #openstack-barbican20:44
*** dimtruck has joined #openstack-barbican20:44
*** kgriffs has joined #openstack-barbican20:44
*** tdink_ has joined #openstack-barbican20:44
*** russell_h has joined #openstack-barbican20:44
*** rm_work has joined #openstack-barbican20:44
*** jamielennox has joined #openstack-barbican20:44
*** atiwari1 has joined #openstack-barbican20:44
*** lisaclark1 has joined #openstack-barbican20:44
*** nkinder has joined #openstack-barbican20:44
*** rellerreller has joined #openstack-barbican20:44
*** openstackgerrit has joined #openstack-barbican20:44
*** jorge_munoz has joined #openstack-barbican20:44
*** jroll has joined #openstack-barbican20:44
*** rm_you| has joined #openstack-barbican20:44
*** bdpayne_ has joined #openstack-barbican20:44
*** jkf has joined #openstack-barbican20:44
*** d0ugal has joined #openstack-barbican20:44
*** alee has joined #openstack-barbican20:44
*** darrenmoffat has joined #openstack-barbican20:44
*** tkelsey has joined #openstack-barbican20:44
*** woodster_ has joined #openstack-barbican20:44
*** greghaynes has joined #openstack-barbican20:44
*** chlong has joined #openstack-barbican20:44
*** mjg59 has joined #openstack-barbican20:44
*** codekobe has joined #openstack-barbican20:44
*** jraim has joined #openstack-barbican20:44
*** alpha_ori has joined #openstack-barbican20:44
*** redrobot has joined #openstack-barbican20:44
*** ayoung has joined #openstack-barbican20:44
*** anteaya has joined #openstack-barbican20:44
*** lbragstad has joined #openstack-barbican20:44
*** reaperhulk has joined #openstack-barbican20:44
*** elmiko has joined #openstack-barbican20:44
*** arunkant has joined #openstack-barbican20:44
*** david-lyle has joined #openstack-barbican20:44
*** mordred has joined #openstack-barbican20:44
*** morganfainberg has joined #openstack-barbican20:44
*** dougwig has joined #openstack-barbican20:44
*** erw has joined #openstack-barbican20:44
*** hockeynut has joined #openstack-barbican20:44
*** insequent has joined #openstack-barbican20:44
*** lisaclark has joined #openstack-barbican20:44
*** chellygel has joined #openstack-barbican20:44
*** jillysciarilly has joined #openstack-barbican20:44
*** dstufft has joined #openstack-barbican20:44
rellerrelleralee ping20:48
aleerellerreller, yo20:48
rellerrellerI saw your comment about transport wrapped keys in the content types spec20:48
rellerrelleralee What encoding/format are you using?20:49
rellerrellerOr how are you doing the encryption?20:49
aleerellerreller, looking -- so we have an asn.1 structure that includes the encrypted bits.  iirc, this structure is then base 64 encoded20:50
rellerrelleralee Do you recall the asn.1 structure or is it something you created?20:51
aleeyeah - let me find a ref20:51
aleeits the crmf structure20:51
rellerrelleralee Do you have to know the RFC for that?20:52
alee2511 -- hang on - getting link20:53
rellerrelleralee I found it. I think it was then replaced with 4211?20:54
aleerellerreller, https://tools.ietf.org/html/rfc2511  section 6.420:54
aleethe pkiArchiveOptions structure20:54
rellerrelleralee Thanks!20:54
*** kebray has joined #openstack-barbican20:56
*** kebray has quit IRC20:56
*** lisaclark1 has quit IRC21:00
rm_workrellerreller: I'm +1 now on the first castellan CR21:02
rellerrellerrm_work Thanks! Hopefully that can be merged soon, and then we can merge in your stuff.21:02
rm_workyeah, wish I had as much free time for that this week as I did two weeks ago21:03
rm_workwe had production stuff kinda come to a head recently21:03
*** lisaclark1 has joined #openstack-barbican21:05
*** kebray has joined #openstack-barbican21:12
*** atiwari1 has quit IRC21:17
*** atiwari1 has joined #openstack-barbican21:18
*** jkf has quit IRC21:32
*** jkf has joined #openstack-barbican21:39
*** nkinder has quit IRC21:43
*** ametts has joined #openstack-barbican21:47
*** nkinder has joined #openstack-barbican21:56
*** tkelsey has quit IRC22:00
*** lisaclark1 has quit IRC22:00
*** lisaclark1 has joined #openstack-barbican22:09
*** jkf has quit IRC22:19
*** alee has quit IRC22:23
*** lisaclark2 has joined #openstack-barbican22:35
*** paul_glass has joined #openstack-barbican22:37
*** lisaclark2 has quit IRC22:38
*** lisaclark1 has quit IRC22:38
*** atiwari2 has joined #openstack-barbican22:39
*** atiwari1 has quit IRC22:42
*** nkinder has quit IRC22:45
*** paul_glass has quit IRC23:00
*** rellerreller has quit IRC23:06
*** jkf has joined #openstack-barbican23:37
greghaynesHey, can someone cut a release of python-barbicanclient? It just plain does not work after installing from pip and the fix has been merged for over a month23:41
greghayneshttp://git.openstack.org/cgit/openstack/python-barbicanclient/commit/?id=586e4ba0cc4458fc5fcb720562544d470e816898 being the bug making it not work23:41
rm_workredrobot usually does that23:43
redrobotgreghaynes rm_work I definitely can.23:44
greghaynesawesome, ty!23:44
openstackgerritMerged openstack/barbican: Updated from global requirements  https://review.openstack.org/15049523:44
redrobotgreghaynes https://pypi.python.org/pypi/python-barbicanclient/3.0.223:51
openstackgerritJohn Wood proposed openstack/barbican-specs: Change GET decrypted secrets to unique URI  https://review.openstack.org/12579823:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!