Monday, 2015-02-23

00:12 *** kgriffs|afk is now known as kgriffs
00:15 *** dave-mccowan has joined #openstack-barbican
00:22 *** kgriffs is now known as kgriffs|afk
00:35 *** rm_work is now known as rm_work|away
01:43 *** john278 has joined #openstack-barbican
01:45 *** john278 has left #openstack-barbican
02:01 *** kgriffs|afk is now known as kgriffs
02:11 *** kgriffs is now known as kgriffs|afk
03:50 *** kgriffs|afk is now known as kgriffs
03:59 *** kebray has joined #openstack-barbican
03:59 *** kgriffs is now known as kgriffs|afk
05:12 *** kebray has quit IRC
05:17 *** dave-mccowan has quit IRC
05:39 *** kgriffs|afk is now known as kgriffs
05:48 *** kebray has joined #openstack-barbican
05:48 *** kgriffs is now known as kgriffs|afk
05:49 *** kebray has quit IRC
06:40 *** woodster_ has quit IRC
07:27 *** kgriffs|afk is now known as kgriffs
07:35 *** atiwari2 has quit IRC
07:37 *** kgriffs is now known as kgriffs|afk
07:44 *** atiwari has joined #openstack-barbican
07:54 *** jaosorior has joined #openstack-barbican
09:16 *** kgriffs|afk is now known as kgriffs
09:26 *** kgriffs is now known as kgriffs|afk
11:05 *** kgriffs|afk is now known as kgriffs
11:15 *** kgriffs is now known as kgriffs|afk
12:51 *** kgriffs|afk is now known as kgriffs
13:00 *** kgriffs is now known as kgriffs|afk
13:47 *** woodster_ has joined #openstack-barbican
14:07 *** lisaclark1 has joined #openstack-barbican
14:23 *** alee has joined #openstack-barbican
14:26 *** nkinder has quit IRC
14:31 *** kgriffs|afk is now known as kgriffs
14:40 *** kgriffs is now known as kgriffs|afk
14:45 *** igueths has quit IRC
14:46 *** igueths has joined #openstack-barbican
14:47 *** ametts has joined #openstack-barbican
14:52 *** lisaclark1 has quit IRC
14:54 *** dave-mccowan has joined #openstack-barbican
14:55 *** lisaclark1 has joined #openstack-barbican
15:05 *** paul_glass has joined #openstack-barbican
15:06 *** dimtruck is now known as zz_dimtruck
<dave-mccowan> hockeynut: hi steve, this is a fix for the bug we were looking at together last wednesday:
15:14 <openstack> Launchpad bug 1424393 in Barbican "Functional test fails when using override-url option" [Undecided,In progress] - Assigned to Dave McCowan (dave-mccowan)
15:15 <hockeynut> thanks dave-mccowan !
15:17 *** nkinder has joined #openstack-barbican
15:24 *** darrenmoffat has quit IRC
15:25 *** darrenmoffat has joined #openstack-barbican
15:34 *** kgriffs|afk is now known as kgriffs
15:38 *** zz_dimtruck is now known as dimtruck
15:39 *** lisaclark1 has quit IRC
15:40 *** kebray has joined #openstack-barbican
15:40 *** kebray has quit IRC
15:48 *** kebray has joined #openstack-barbican
15:53 *** lisaclark1 has joined #openstack-barbican
16:01 *** xaeth_afk is now known as xaeth
<openstackgerrit> Ade Lee proposed openstack/barbican: Modified plugin contract to include barbican-meta-dto
16:04 <alee> woodster_, jaosorior, redrobot, ^^
16:04 <alee> redrobot, how is it going with the dogtag gate?
16:06 <jaosorior> alee: Will take me some days to review, cause I'm in another event in Prague :/
16:06 <alee> jaosorior, ah no worries
16:06 <jaosorior> back to business on Wednesday though
16:06 *** lisaclark1 has quit IRC
16:06 <alee> jaosorior, you seem to be jetsetting :)
16:07 <alee> jaosorior, they have good beer in Prague too
16:11 *** lisaclark1 has joined #openstack-barbican
16:12 <jaosorior> alee: Indeed they do :D
16:14 <dave-mccowan> does anyone have a good one-slide description of Barbican and some use cases with a pretty picture? i'd like to use it to help justify my Barbican time to my corporate overlords.
<openstackgerrit> Thomas Dinkjian proposed openstack/python-barbicanclient: Adds orders behaviors and smoke tests.
16:27 <redrobot> alee still waiting on infra for this patch but once it merges we can start running it on the experimental pipeline.
16:28 <alee> redrobot, cool
16:55 *** gyee has joined #openstack-barbican
16:56 *** lisaclark1 has quit IRC
16:56 *** lisaclark1 has joined #openstack-barbican
16:59 *** lisaclark1 has quit IRC
16:59 *** lisaclark1 has joined #openstack-barbican
<hockeynut> would love some love here ->
17:00 *** kfox1111 has joined #openstack-barbican
17:01 <kfox1111> so, I'm finishing standing up a new cloud. We've been using a system we call the keyserver to get keys to vm's. Looks like it's time again to look at barbican...
17:02 <kfox1111> Has any progress been made since icehouse in having an easy way to restrict which keys a vm can download?
17:02 <kfox1111> and having read only access?
<redrobot> kfox1111 you may be interested in this blueprint
17:05 *** lisaclark1 has quit IRC
17:06 *** lisaclark1 has joined #openstack-barbican
17:08 <kfox1111> is there a blueprint for it? can't find it.
<kragniz> kfox1111: this one?
17:09 <kfox1111> ah. thanks.
17:10 <kfox1111> So, just the spec was merged so far.
17:10 <kfox1111> what are the odds that kilo will have it?
17:19 <redrobot> kfox1111 still looking for someone to implement it. there's a few folks in neutron-lbaas (octavia) that are really interested in the feature, but no clear commitment to get it landed. :-\
17:20 <redrobot> kragniz thanks, copied the wrong link for some reason >_<
17:20 *** tkelsey has joined #openstack-barbican
17:22 *** jkf has joined #openstack-barbican
17:24 <kragniz> redrobot: how long do you think it would take to implement by someone who doesn't know barbican well?
17:28 <kfox1111> bummer. :/
17:29 <kfox1111> barbican's really not useful to us in its current state. :(
<openstackgerrit> Merged openstack/barbican: Cleaning up application initialization
17:42 <woodster_> kfox1111, please let us know if that blueprint looks sufficient for your needs though
17:42 <woodster_> alee, I'll take a look at your CR this afternoon
17:42 <alee> woodster_, thanks
17:44 <hockeynut> woodster_ isn't crashing coverage anymore - I'd like to workflow but you still have a -1 on it
17:45 <kfox1111> woodster_: a quick glance makes it seem like it gets closer.
17:45 <kfox1111> it still needs to be paired with something like keystone domains that are in user control, and a non-existent heat resource to create users. :/
17:45 <kfox1111> all very complicated for just letting a server download a key. :/
17:46 <kfox1111> What we have now is a metadata field on vm's called keyserver_groups.
17:46 <kfox1111> it's just a space-separated list of strings.
17:46 <woodster_> hockeynut, it is still running that cover gate I think
17:46 <kfox1111> we have a keyserver that lets you associate files with those groups. groups are per tenant.
17:47 <woodster_> reaperhulk, just pulling you into the discussion above :) ^^^
17:47 <kfox1111> and lastly, a vendordata plugin, that reads in the metadata, and creates a signed bearer token that says that the vm can download files from those groups.
17:47 <hockeynut> woodster_ finished 27 mins ago
17:48 <kfox1111> the vm can then simply download the token from the metadata server, and go contact the keyserver with the token to get the keys it needs.
17:48 <kfox1111> the user doesn't have to do anything special in the heat template but tag the vm with what keys it's allowed to download.
17:49 <kfox1111> can something like that be implemented with barbican?
17:49 <woodster_> hockeynut, oh I see...yeah just some missing lines then
17:49 <kfox1111> having users have to create/manage users for vm's so they can download keys is a pain. :/
17:50 <hockeynut> yes - but at least not crashing :-) Celebrate the small victories!
17:50 <hockeynut> woodster_ I'll hold off
17:51 <kfox1111> Does barbican support named groups of keys yet?
17:52 <reaperhulk> kfox1111: we support containers, which are groupings of secrets
17:52 <reaperhulk> whether that does what you need, I don't know :)
17:54 <kfox1111> can you name them? :)
17:54 <woodster_> dave-mccowan btw several of us have made presentations for barbican now, including at this past Paris summit
17:54 <kfox1111> If so, I wonder if we can pull the token validation code out of the Keyserver and put it in Barbican. Mapping groups to containers.
17:55 <reaperhulk> kfox1111: nope, they're uuid only sorry :(
17:55 <kfox1111> The rest of the code should work as is then, I think.
17:55 <redrobot> reaperhulk kfox1111 containers do have a name field
17:55 <reaperhulk> oh, shows what I know.
17:55 <kfox1111> well, uuid would still work. just much harder for the users to keep track of which is which.
17:56 <kfox1111> ah. cool.
17:56 <reaperhulk> never listen to me about barbican outside of its actual cryptographic primitive implementations
17:56 <kfox1111> so, I'll just have to figure out how to write a module that bypasses keystone auth.... hmm....
17:57 <dave-mccowan> woodster_ yes, i'm hoping someone can share ppt source with me (at least one slide's worth)
17:57 <kfox1111> in the pipeline, can you have one module skip another, like a pam sufficient?
17:57 *** lisaclark1 has quit IRC
17:57 *** dimtruck is now known as zz_dimtruck
17:57 <reaperhulk> keystone auth is implemented as middleware so you should be able to just not load that middleware (redrobot check me to confirm I'm not spouting nonsense again)
17:58 <kfox1111> well, I want the keystone middleware for barbican, just for the api call to do the key get, I want it to do either keystone auth, or a token validation.
17:59 <kfox1111> maybe I just make another api part just for the other form of auth and put a different auth handler on it hmmmm... I'm really not familiar with that code at all though. :/
18:00 *** zz_dimtruck is now known as dimtruck
18:00 *** lisaclark1 has joined #openstack-barbican
18:06 *** lisaclark1 has quit IRC
18:06 <woodster_> dave-mccowan: I'll send the slides from the plugin presentation we did...after lunch if that's ok?
18:07 <dave-mccowan> woodster_ yes, thank you!
18:09 *** david-lyle_afk is now known as david-lyle
<openstackgerrit> Merged openstack/barbican: Using a central secret store manager to remove lock
18:20 *** lisaclark1 has joined #openstack-barbican
18:35 <dave-mccowan> chellygel: thanks Chelsea
18:37 <chellygel> of course, slides is awesome because you can fork presentations
18:37 <chellygel> so you are welcome to kidnap whatever material you need out of there
18:41 *** tkelsey has quit IRC
18:42 *** kgriffs is now known as kgriffs|afk
18:51 *** jaosorior has quit IRC
19:26 *** lisaclark1 has quit IRC
19:30 *** dave-mccowan has quit IRC
19:31 *** lisaclark1 has joined #openstack-barbican
19:33 *** lisaclark1 has quit IRC
19:34 *** lisaclark1 has joined #openstack-barbican
<openstackgerrit> Merged openstack/barbican: Split override-url in functional test config file
19:51 *** openstackgerrit has quit IRC
19:52 *** openstackgerrit has joined #openstack-barbican
19:54 *** kfarr has joined #openstack-barbican
19:56 *** bdpayne has joined #openstack-barbican
19:58 *** dave-mccowan has joined #openstack-barbican
19:59 <redrobot> Weekly IRC meeting is starting now in #openstack-meeting-alt
20:03 *** jkf has quit IRC
20:05 *** tkelsey has joined #openstack-barbican
20:07 *** rm_work|away is now known as rm_work
20:50 *** lisaclark1 has quit IRC
20:51 *** chellygelly has joined #openstack-barbican
21:00 *** tkelsey has quit IRC
21:07 <redrobot> jvrbanac reaperhulk woodster_ y'all got time for a 30-second code review?
21:07 <reaperhulk> we're in a meeting but I'll try to look
21:08 <reaperhulk> redrobot: what's the experimental gate there
21:08 <redrobot> reaperhulk the new functional test gate... FAILURE is what I was expecting... will coordinate with tdink_ to get it fixed
21:09 <reaperhulk> also, why do the tests require sudo? Is it because they pip install some things?
21:09 <reaperhulk> I guess I could get all nitpicky here and say this should ideally use pip install --user but then you'd need to add the pip user dir to $PATH so whatever
21:10 <redrobot> reaperhulk good question... the sudo pip install was because I didn't want to futz around with who is running what in the throwaway dsvm. As far as sudo for running the tests, I'm not sure it's necessary. I was just copy/pastaing
21:11 <redrobot> (hence this CR fixing the copy/pasta error)
21:11 <reaperhulk> pip install --user is the ideal, but it does require adding the pip user dir to the $PATH
21:13 *** jkf has joined #openstack-barbican
21:14 <hockeynut> redrobot for the client CR - we need a functional barbican running in that devstack so I will guess that the code that we have on the API side will be needed for the devstack we bring up for client functional tests
21:15 <redrobot> hockeynut yes indeed. It's all working already if you look at ... well working in the sense that Barbican server is up, and the functional test suite is executed
21:15 <redrobot> hockeynut would love a +2 there :)
21:15 <hockeynut> redrobot just did
21:21 *** kgriffs|afk is now known as kgriffs
21:26 <kfox1111> ah.... keystonemiddleware has a delay_auth_decision mode.
21:27 <morganfainberg> kfox1111, yes
21:27 <morganfainberg> kfox1111, it sets a header that indicates auth passed vs not
21:27 <kfox1111> it might be really easy to make a Keyserver workalike on top of barbican then. :)
21:27 <morganfainberg> kfox1111, ideally all openstack should move to delay_auth_decision so we can have things that don't need an active token to work
21:28 <kfox1111> I just gotta set that flag, pull the token validation code out of the keyserver into a module, and slide it in. :)
<openstackgerrit> Thomas Dinkjian proposed openstack/python-barbicanclient: Adds orders behaviors and smoke tests.
<openstackgerrit> Thomas Dinkjian proposed openstack/python-barbicanclient: Adds positive orders functional tests
21:33 *** kgriffs is now known as kgriffs|afk
21:40 *** lisaclark1 has joined #openstack-barbican
21:40 *** xaeth is now known as xaeth_afk
21:42 <kfox1111> is there a barbican horizon plugin yet?
21:43 <redrobot> kfox1111 none that I'm aware of
21:44 <kfox1111> so, is rackspace using barbican in production? if so, did they write their own ui?
21:44 *** lisaclark1 has quit IRC
21:45 <redrobot> kfox1111 we're doing a slow rollout to production. Currently in internal preview. All internal customers are using API only.
21:45 <redrobot> kfox1111 Rackspace doesn't run Horizon, so we'll have to provide a custom UI anyway
21:46 <kfox1111> ah. ok.
21:48 <kfox1111> ah. found an example of delay_auth_decision. glance uses it.
21:48 <kfox1111> now to figure out what it's doing....
21:52 <kfox1111> so, what would be the best way about blocking all of the api except the get of a credential in a container? Should I just do that in the middleware with a filter?
21:59 <kfox1111> can you replace the uuid of a secret/container with a name in the uri?
<redrobot> kfox1111 middleware could certainly block all of the api. You could also use something like
22:01 <redrobot> kfox1111 currently we require the uuid in the url.
22:01 <kfox1111> I can plug openrepose into barbican's pipeline easily?
22:01 <alee> woodster_, don't forget my cr :)
22:01 <kfox1111> so you have to make multiple api calls to say,
22:02 <redrobot> kfox1111 we use openrepose in front of barbican at rackspace... repose is a proxy, so clients talk to repose, then repose forwards the request to barbican
22:02 <kfox1111> so, you have to know the uuid of the container, then look up the list of secrets,
<alee> jvrbanac, hockeynut, redrobot -- you guys too please --
22:02 <kfox1111> then map the secret name you want to retrieve to the secret, look that up in the returned document, then request by uuid the specific secret?
22:03 <redrobot> kfox1111 yes... so for Barbican we consider the entire URL the thing that describes a particular entity. So you'd need the entire URL for the certificate, but then you could follow links after that.
22:03 <kfox1111> yeah... that just complicates the client side a bit.
<redrobot> alee trade you for a Workflow on
22:03 <kfox1111> we wrote the keyserver to be as simple as possible to curl a secret down.
22:03 <kfox1111> that way we didn't have to install anything in the vm image.
<hockeynut> alee I'll look at yours if you look at mine :-)
22:04 <kfox1111> almost seems easier just to require the barbican client to be installed with that api. :/
22:05 <kfox1111> maybe it would be better to add a different api endpoint just for this purpose.
22:05 *** igueths has quit IRC
22:05 <kfox1111> a curlable secret download url. you give it a /v1-vm/<containername>/<secretname>
22:06 *** tkelsey has joined #openstack-barbican
22:07 <kfox1111> I could probably just have the middleware do the lookups itself, mangle the url to the right secret get request, then let it on through.
22:09 *** chellygelly has quit IRC
22:09 *** igueths has joined #openstack-barbican
<woodster_> alee, checkout the sub-status CR when you can as well:
22:16 <alee> woodster_, will do
22:17 <kfox1111> hmm... to do that, I'd have to either call into the repo model from the middleware directly,
<jvrbanac> FYI, This is me looking at some of our tests:
22:17 <kfox1111> or create a new http request into barbican. :/
22:17 <kfox1111> is there a preference?
22:18 <kfox1111> I guess I could call back into barbican with admin credentials...
22:18 <redrobot> jvrbanac lol
22:18 <kfox1111> is an admin allowed to view all Containers in all Tenants?
22:19 <redrobot> kfox1111 I would think that a middleware would just look into the db... if you're going to forward requests, you might as well write a stand alone proxy
22:19 <kfox1111> so just import barbican.model.repositories and do a repo.ContainerRepo() object.
22:20 <kfox1111> ok. that should be easy enough to do.
22:21 <alee> redrobot, I'll take that trade .. done
22:27 <alee> hockeynut, I'll take that trade too -- done
22:32 *** kfarr has quit IRC
22:40 *** paul_glass has quit IRC
22:42 *** kgriffs|afk is now known as kgriffs
22:46 *** tkelsey has quit IRC
22:49 *** lisaclark1 has joined #openstack-barbican
<openstackgerrit> Thomas Dinkjian proposed openstack/python-barbicanclient: Adds orders behaviors and smoke tests.
22:50 *** tkelsey has joined #openstack-barbican
22:54 *** lisaclark1 has quit IRC
<woodster_> kfox1111, you would also want to call db lifecycle methods such as per this code:
22:56 <kfox1111> hmmmm. ok. thanks.
22:56 *** kebray has quit IRC
22:57 <woodster_> kfox1111, it seems to me though it would be better to manage things via the client code if at all possible...maybe to the point of just making direct calls to secrets in your container
22:58 <kfox1111> client code is hard to control.
22:58 *** tkelsey has quit IRC
22:58 <kfox1111> a million different little vm's. I'd rather not touch that as much as possible.
23:00 <kfox1111> arg... the rpm build process needs work. :/
23:01 <woodster_> kfox1111, got it. Another issue jvrbanac has noticed is that we've been lazy initializing the db which is breaking the first few requests that arrive to the server, so he introduced a setup call such as here: that would be good to call initially.
23:02 <kfox1111> ah. ok.
23:06 <woodster_> alee, fyi some comments on now...
23:09 <kfox1111> arg..... wow... the rpmbuild scripts really don't like being in a venv...
23:09 *** kebray has joined #openstack-barbican
23:11 <kfox1111> there we go... rpms.
23:12 <kfox1111> hmm.... going to need some systemd scripts as well...
<redrobot> kfox1111 I think the in-script rpm files will be deprecated at some point. We've got an effort now to get barbican into Fedora. The repo for that is here
23:13 <redrobot> kfox1111 it's a much nicer setup than what we have in barbican now
23:14 <kfox1111> nice. thanks for the pointer.
23:14 <kfox1111> is anyone pushing the rdo folks to get it in? :)
23:15 <redrobot> kfox1111 I think that's part of the plan... unfortunately Greg is afk... maybe alee has some info?
23:16 <kfox1111> what's the keystone-listener do?
23:16 <kfox1111> will I need to hook in there too, or is that unrelated?
23:17 <redrobot> kfox1111 listens to keystone events, acts accordingly. I think it cleans up the DB to remove projects that have been deleted, etc.
23:17 <kfox1111> ah. ok. then I should be able to ignore it.
23:19 <kfox1111> so do you copy the contents of the gregswift repo over the barbican repo?
<openstackgerrit> Merged openstack/python-barbicanclient: Run client functional tests
23:24 <kfox1111> yeah.. looks like it.
23:28 <redrobot> kfox1111 did it work? you can ping xaeth_afk when he's not afk for questions re: spec
23:34 <kfox1111> no. stuck in milestone/release/whatever heck.
23:34 <kfox1111> it's looking for a tarball named X, and I have one called Y. :)
23:40 *** igueths has quit IRC
23:48 *** ametts has quit IRC
23:50 *** jkf has quit IRC
23:50 <kfox1111> yeah.. really not sure how these macros play together.
23:50 <kfox1111> Tried setting one, the other, or both...
23:50 <kfox1111> or ignoring them and hard coding a value. the latter almost worked, but produced a bad python-barbican. no actual python code in it. :/
23:53 <kfox1111> hmm.. changing the second line to #global release_number 2 makes it go farther. still unusable result though. same as just hardcoding the value.
<openstackgerrit> John Vrbanac proposed openstack/barbican: Making RootController load child controller at runtime