Friday, 2015-02-27

*** jkf has quit IRC00:12
*** david-lyle is now known as david-lyle_Afk00:22
*** david-lyle_Afk is now known as david-lyle_afk00:22
kfox1111arg.... does barbican client support regions?00:24
kfox1111doesn't look like it. :/00:25
*** arunkant_ has quit IRC00:35
*** bdpayne has quit IRC01:13
*** kfox1111 has quit IRC01:14
*** rm_work is now known as rm_work|away01:46
*** gyee has quit IRC02:31
*** woodster_ has quit IRC02:40
*** dave-mccowan has quit IRC03:04
*** kebray has joined #openstack-barbican03:30
*** kebray has quit IRC03:31
*** kebray has joined #openstack-barbican03:32
*** crc32 has joined #openstack-barbican03:46
*** dave-mccowan has joined #openstack-barbican04:48
*** dave-mccowan has quit IRC04:53
*** woodster_ has joined #openstack-barbican06:44
*** crc32 has quit IRC07:37
*** kebray has quit IRC08:21
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Refactor Secrets resource to use repository factories
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Containers and Consumers controllers use repo factories
*** jaosorior has joined #openstack-barbican08:27
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Clean up test inheritance
*** chlong has quit IRC08:44
*** woodster_ has quit IRC09:10
*** darrenmoffat has quit IRC10:04
*** darrenmoffat has joined #openstack-barbican10:05
*** jaosorior has quit IRC11:02
*** jaosorior has joined #openstack-barbican12:38
*** kfox1111 has joined #openstack-barbican12:44
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Containers and Consumers controllers use repo factories
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Clean up test inheritance
*** woodster_ has joined #openstack-barbican12:56
kfox1111hey woodster_13:03
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: get_or_create_project now calls repo factory
*** lisaclark1 has joined #openstack-barbican14:10
*** lisaclark1 has quit IRC14:28
*** dave-mccowan has joined #openstack-barbican14:30
*** SheenaG1 has joined #openstack-barbican14:52
*** dave-mccowan has quit IRC14:57
woodster_kfox1111: morning, trying to catch up14:59
*** rellerreller has joined #openstack-barbican14:59
rellerrellerWhat was in that water in Austin? I have been sick since I left that place.15:02
*** paul_glass has joined #openstack-barbican15:03
kfox1111finally figured out how to get the security group information off of an instance in the metadata server.15:03
kfox1111so I can make it so that you associate files in barbican with a security group, and the vm can then download the files if it has the security group on it. :)15:04
aleejaosorior, nice set of patches -- I'm so happy to be rid of the lsts of repos.15:09
rellerrellerredrobot woodster_ Can you take a look at CR 157410, ? I need that in to complete the content type work.15:09
aleeredrobot, I see the dogtag gate is up15:09
rellerrelleralee you might want to check out the patch ^^ as well.15:10
jaosorioralee: soon. Just need to get those merged and then I'll get rid of the Repository class and then refactpr some parts were it's used15:10
aleerellerreller, yeah - just gettign back to barbican reviews this morning.15:10
aleerellerreller, I think you're going to totally break me :/15:11
rellerrelleralee I figure that. It should be a quick fix. Checkout the HSM code. Just a few lines.15:11
aleerellerreller, ok - I'll review later today15:15
aleeredrobot, what does "NOT REGISTERED" mean?15:16
*** kebray has joined #openstack-barbican15:18
*** igueths has joined #openstack-barbican15:20
*** lisaclark1 has joined #openstack-barbican15:28
openstackgerritKevin Fox proposed openstack/barbican: VM Integration
*** kebray has quit IRC15:34
woodster_kfox1111, it sounds like you are doing some interesting things with barbican there. Are you thinking this would help with upstream, or would this mainly be a custom/internal deployment for your product?15:42
woodster_rellerreller, sorry you are still sick... your system may not be used to fresh home brew beer? I need to catch up on CRs for sure.15:44
*** jorge_munoz has joined #openstack-barbican15:55
kfox1111woodster_: see  the code's all there. :)15:59
kfox1111I would like to use purle RDO as much as possible.15:59
kfox1111So I'd like to see the code upstreamed, and barbincan get into RDO. :)15:59
*** kebray has joined #openstack-barbican16:05
woodster_kfox1111, RDO is aligned with OpenStack global requirements, and there are efforts underway to get barbican rpms in RDO as well (cc: alee here, xaeth is offline). Custom packages you need would be deployed on top of those. The plugin structure we have is intended to handle non-OpenStack optional for stock deployments, but can be used for16:06
woodster_individual deploys.16:06
aleekfox1111, we'll be working on getting barbican into RDO soon.16:07
woodster_kfox1111, so that plugin approach provides flexibility. It seems like some of the work you are doing may fit into that plugin bucket...optional but available for particular installations.16:07
kfox1111yeah. I did manage to get rpms to build based on
kfox1111was a bit of an effort still though.16:08
woodster_kfox1111, would you be up for discussing your use case at the weekly IRC meeting next Monday16:08
woodster_kfox1111, If I see Greg I'll have him connect with you out here16:08
kfox1111let me check my calendar16:09
kfox1111unfortunatly, I have a meeting then. :/16:10
kfox1111I might be able to do the week after.16:12
kfox1111heh. that would be the third meeting at that timeslot. on the 9th. :/16:14
kfox1111though I can probably bring a laptop to the one I will be attending.16:15
*** david-lyle_afk is now known as david-lyle16:19
kfox1111so, even getting the barbican prerecs into rdo would be helpful. the fpm thing was a bit painful.16:22
woodster_kfox1111, just spoke to Greg and he mentioned that a startup script is indeed missing as a new one is really needed. The uwsgi/vassals stuff is still available to use, but really should be extracted out hence the absence of anything right now16:23
woodster_kfox1111 well I was thinking the prereqs (sort of uwsgi, which really isn't one) are already in RDO?16:24
kfox1111yeah. so I'd say put it back in until there is a solution. its completely unusable out of the box as it stands. putting it back, does produce a usable rpm.16:24
kfox1111let me look again....16:24
kfox1111uwsgi and cryptography are prereqs. I haven't even tried, but python-barbicanclient too.16:26
kfox1111yeah. the rest of the barbican prereqs are in rdo already. just those two.16:26
*** zz_dimtruck is now known as dimtruck16:29
kfox1111ok. got the vendor data plugin slid in. got a vm launched. ready to do an end to end test. :)16:29
kfox1111oh. but I don't have a barbican client anywere on that network anymore to upload the initial creds. :/16:29
*** david-lyle is now known as david-lyle_Afk16:35
*** david-lyle_Afk is now known as david-lyle_afk16:35
kfox1111oh. I was going to mention. Does the barbican client support regions? We changed the region name to Pilot, and the barbican client can't seem to find the endpoint. If I specify just the --endpoint url on the cli, it seems to be happier.16:42
*** kebray has quit IRC16:44
kfox1111 keystone catalog --service key-manager does show the entry.16:45
kfox1111ok. got the barbican cli working, other then that endpoint thing.16:47
*** igueths has quit IRC16:47
jaosoriorkfox1111: to be honest I got quite curious about your results. Thanks for the updates16:47
*** xaeth_afk is now known as xaeth16:47
kfox1111hmm... its returning localhost in the secret url's. probably a config option.16:48
kfox1111sure. :)16:48
kfox1111there we go. host_href.16:49
kfox1111is it safe to change it later?16:49
kfox1111is it stored in the db anywhere?16:49
jaosoriorYep, it should be in barbican-api.conf16:50
kfox1111ok. yeah. I just changed it and the secret list showed the updated url.16:51
jaosoriorIt's not stored in the db16:51
kfox1111ok. cool.16:53
kfox1111allright... I have a secret, I have a container named 'foo'. now to test end to end.16:54
*** gyee has joined #openstack-barbican16:55
woodster_kfox1111, I agree with jaosorior it seems you are doing interesting things there. Maybe a video chat with interested folks would be possible once you have results?16:56
*** arunkant has joined #openstack-barbican16:59
*** SheenaG11 has joined #openstack-barbican16:59
*** SheenaG1 has quit IRC16:59
kfox1111hmm.. somethings not quite right.17:01
kfox1111odd... Unable to retrieve request id from context17:04
jaosoriorkfox1111: I recall that being fixed already17:05
jaosoriorare you using the latest version from master?17:06
kfox1111no, on this cloud, its juno. so I'm using the juno branch.17:07
jaosoriorjvrbanac: mind checking my response for your comment on this CR?
jaosoriorjvrbanac: Sorry if it seems a bit confusing, that commit was the first one uploaded17:10
jaosoriorI didn't wanna push a huge amount of code, so I was doing it by steps17:10
jvrbanacjaosorior, yeah... sorry. I missed that in my before-coffee fog17:10
jvrbanacjaosorior, approved17:11
jaosoriorthanks man17:11
jaosoriorhockeynut: replied to your comment in CR
hockeynutjaosorior that works for me!17:19
*** kebray has joined #openstack-barbican17:22
hockeynutjaosorior workflowed it17:23
*** rellerreller has quit IRC17:24
jaosorioryay :D17:24
kfox1111hmm.... I wonder if juno pecan's less featureful with _lookup. :/17:24
kfox1111oh gosh. yeah, probably. developed against 0.8.3. rdo's package is 0.4.5. :/17:25
kfox1111hmm... no, its not the param that its compaining about...17:27
kfox1111Got exception calling lookup(): get() got an unexpected keyword argument 'external_project_id' (("get() got an unexpected keyword argument 'external_project_id'",))17:29
kfox1111not a full stacktrace... a little hard to track down.17:29
jaosoriorkfox1111: is that with the code from your CR? or what controller is it?17:30
kfox1111ah. there's the probem. BaseRepo doesn't have an external_project_id param in juno.17:30
kfox1111yeah. my code in the CR when backported to juno.17:30
openstackgerritDouglas Mendizábal proposed openstack/barbican: Remove version from endpoints in catalog
kfox1111ah. I think its because keystone_id -> external_project_id17:32
jaosoriorkfox1111: yeah, there was some refactoring done there17:32
jaosoriormight have been me :P17:32
kfox1111no worries. looks cleaner now. so thats good. :)17:34
openstackgerritMerged openstack/barbican: Refactor Orders resource to use repository factories
kfox1111hmm... this is worse though. :/17:35
kfox11112015-02-27 09:36:11.546 5104 CRITICAL barbican [-] BarbicanException: No _CONNECTION configured17:35
jaosoriorI... don't remember where that used to be in the code. Would it be the database connection?17:36
kfox1111full stack trace here:
kfox1111it works in my trunk version. some difference between juno and trunk.17:37
jaosorioryup, database connection17:37
kfox1111I may not be initing something properly?17:37
jaosoriordid you set up the sql_connection in the config?17:38
kfox1111yeah. I'm able to do everything through the barbican cli. store/retrieve secrets, etc.17:38
kfox1111so its something my code's doing wrong, probably.17:38
kfox1111trunk might be more forgiving then juno here.17:39
kfox1111can  you have a look at:
kfox1111where I create the Container/Secret Repo objects and tell me if I'm doing it wrong?17:40
jaosorioris it your first operation from the database?17:40
jaosoriorthe lazy init of the connection was removed very recently17:40
*** erw_ is now known as erw17:41
kfox1111hmm... that looks like part of it. I just restarted fresh, then used the barbican cli, then tried the api and it got a different error.17:42
kfox1111AttributeError: 'SecretController' object has no attribute '_on_get_secret_payload'17:42
kfox1111that one I might believe.17:42
jaosoriorbut yeah, the lazy init in the database was removed, and now instead of instantiating the repo class you would call the factory methods17:42
jaosoriornot all the factory methods were implemented17:42
jaosoriorso those are my commits that are being merged at the moment17:43
jaosoriorthe _on_get_secret_payload, was a function that was introduced very recently too17:43
jaosoriorthat wasn't there in juno17:43
kfox1111so I guess I'll have to add that back in....17:44
jaosorioryeah... kinda went refactoring a bunch of the stuff from the controllers, so it seems that now that makes applying patches there a bit harder... :/17:45
openstackgerritMerged openstack/barbican: Refactor Secrets resource to use repository factories
openstackgerritMerged openstack/barbican: Containers and Consumers controllers use repo factories
woodster_kfox1111 are you using Juno via rpm/rdo perhaps? Would using master be an issue? I believe there is a nightly location for master rpms now if that's of interest17:49
kfox1111ok. yeah, I see where it was refactored. hmm...17:49
kfox1111woodster_: rdo juno, yes.17:50
kfox1111master bad for production.17:50
*** rellerreller has joined #openstack-barbican17:50
kfox1111I"m having to apply my patch to the rpm anyway, so I'll have to build custom rpm's until its upstreamed anyway.17:50
kfox1111would be nice to minmize patching both barbican, and patching the build system though. :)17:51
woodster_kfox1111 we have been working to get barbican ready for the production in the last couple of months, so I wouldn't consider Juno to be17:52
woodster_kfox1111 ...production ready17:52
*** jkf has joined #openstack-barbican17:53
kfox1111so maybe I'm going to have to stand up another box just for barbican, so I don't mix the two.17:53
kfox1111though I'm guessing the deps may have issues if your building from something trunkish with the rest of rdo's prerec rpms?17:54
kfox1111ok. I think I should just add the whole _on_get_secret_payload function verbatim.17:55
woodster_kfox1111 for example, there have been recent changes to the pkcs11 plugin based on performance testing trials17:55
kfox1111looks like not much has changed there.17:55
kfox1111I'm ok if barbican's a bit slow at this point. by the time we have too many users hitting on it, we should be able to get to kilo.17:56
kfox1111I just really really need a place to store keys for my heat templates to pull from.17:56
woodster_kfox1111 oh, got it17:57
kfox1111barbican without this integration work is basically as easy as just putting the keys in swift. :/17:57
kfox1111the irony is,17:57
kfox1111right now I'm setting up the rados gateway though using a heat template from within the cloud.17:58
kfox1111and I gota put the ceph key somewhere. :/17:58
kfox1111usually we use the keyserver for all of that stuff. but I'd really like to upstream it all so we are just using a normal openstack setup, rather then openstack+our special bits.17:58
*** kebray has quit IRC17:58
jaosoriorkfox1111: nice :D17:59
kfox1111I've been releasing our heat templates, since they are useful to others,17:59
kfox1111but its not good if they depend on pulling keys from the keyserver, since most dont have it. :/17:59
kfox1111and all the really interesting templates tend to need keys. :/18:00
*** kebray has joined #openstack-barbican18:00
openstackgerritArun Kant proposed openstack/barbican-specs: Spec for adding audit capability using CADF specification.
*** lisaclark1 has quit IRC18:01
kfox1111tenant/project rename. :/18:03
kfox1111I wish openstack would stop doing that. project -> tenant -> project.18:04
kfox1111I liked tenant better. :/18:04
*** chlong has joined #openstack-barbican18:05
kfox1111ok. got it patched enough to get the secret out! lets try from scratch the work flow again. :)18:06
kfox1111ok. we have a vm. it only has the default security group. we get the token, and try and get a key...18:11
kfox1111curl -f -H 'X-Token: '$BARBICAN_TOKEN $BARBICAN_URL/v1-vm/foo/sec1curl: (22) The requested URL returned error: 401 Unauthorized18:11
*** chlong has quit IRC18:11
kfox1111we pop on the 'foo' security group onto the vm.18:11
jvrbanackfox1111, X-Auth-Token18:11
kfox1111curl -f -H 'X-Token: '$BARBICAN_TOKEN $BARBICAN_URL/v1-vm/foo/sec1    mysecret18:12
kfox1111and there it is :)18:12
jvrbanacI see X-Token18:12
kfox1111It is X-Token in the code right now. want me to change it?18:12
kfox1111its not a keystone token. its a barbican token.18:12
kfox1111so the code works. yay! :)18:13
kfox1111so with this setup, all a user has to do is create a barbican container named the same as a security group, and the vm will be able to gain access to the keys in the group if the security group is associated with the vm. just a couple of clicks in the ui. :)18:16
*** bdpayne has joined #openstack-barbican18:17
*** dimtruck is now known as zz_dimtruck18:18
openstackgerritKevin Fox proposed openstack/barbican: VM Integration
*** zz_dimtruck is now known as dimtruck18:28
*** chlong has joined #openstack-barbican18:28
*** david-lyle_afk is now known as david-lyle18:35
openstackgerritMerged openstack/barbican: Clean up test inheritance
*** chlong has quit IRC18:38
kfox1111Should I file a bug for the endpoint thing?18:39
jaosorioryou mean the lack of region?18:41
jaosorioror which bug?18:41
openstackgerritArun Kant proposed openstack/barbican-specs: Spec for adding audit capability using CADF specification.
kfox1111yeah. the needing to specify endpoint to get it to work.18:42
kfox1111I think its region related, but not sure. there is only one region at the moment.18:42
*** igueths has joined #openstack-barbican18:43
jaosoriorI've always been using the endpoint, so I'm not sure :/ You could try and see what other devs think18:44
kfox1111I'll just file a bug. people can always let me know that I just did something stupid... :)18:46
redrobotalee NOT_REGISTERED was a bug with the way I configured the job in infra18:48
redrobotalee should be fixed now.  Looks like the script does not run in root context though, so it still needs some work.18:48
aleeredrobot, ok - let me know if you need any help getting it running18:48
aleeredrobot, once its running - will it run automatically - or do we need to type "check experimental"18:49
kfox1111bug filed.
openstackLaunchpad bug 1426514 in python-barbicanclient "endpoint required" [Undecided,New]18:50
redrobotalee it requires "check experimental" every time...  once we get it running reliably, and the tests fixed I can ask infra to move it to the gate/check pipelines18:50
aleeredrobot, ok18:50
*** lisaclark1 has joined #openstack-barbican19:00
*** paul_glass has quit IRC19:06
kfox1111arg... stupid gate. :/19:08
kfox1111it keeps throwing errors that don't show up on my box, and only one at a time. :/19:08
kfox1111oh. I see. it was from the previous change. :/19:12
kfox1111I really do not like the 80 line limit. :/19:12
openstackgerritKevin Fox proposed openstack/barbican: VM Integration
* kfox1111 waits 30 more minutes19:14
*** openstackgerrit has quit IRC19:24
*** openstackgerrit has joined #openstack-barbican19:24
*** paul_glass has joined #openstack-barbican19:37
*** gyee has quit IRC19:38
openstackgerritMerged openstack/barbican: get_or_create_project now calls repo factory
*** barra204 has joined #openstack-barbican19:48
openstackgerritJohn Wood proposed openstack/barbican-specs: Add to Orders API Support to Renew X.509 Certificates
*** rm_work|away is now known as rm_work19:52
*** lisaclark1 has quit IRC19:54
*** barra204 is now known as shakamunyi19:56
*** dave-mccowan has joined #openstack-barbican20:00
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Enable secret decrypt through 'payload' resource
*** lisaclark1 has joined #openstack-barbican20:04
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Delete factory related comment that's no longer valid
jaosoriorhockeynut: ^^20:07
hockeynutjaosorior woot woot!20:08
woodster_jaosorior, that comment was intended to go with the lines below removing that pesky repo.Repositories constructor on line #73 altogether.20:17
*** igueths has quit IRC20:17
*** dave-mccowan has quit IRC20:21
jaosoriorOh, ok, will abandon that commit and will erase it when I get rid of the Repositories class20:23
woodster_jaosorior, yeah, I figure that would be the final cause-for-celebration CR that removes that comment and that Repositories class20:24
jaosoriorwoodster_: Yep, coming soon :P20:25
jaosoriorwoodster_: probably beginning or next week.20:25
woodster_jaosorior, nice!20:26
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Update functionaltests to be able to run tox -e functional
kfox1111hmm.... what if I don't care what type the file is on upload? just a binary file21:00
kfox1111should I just use application/octet-stream ?21:01
*** gyee has joined #openstack-barbican21:02
kfox1111and then what do I use for --payload-content-encoding?21:02
*** kfarr has joined #openstack-barbican21:02
openstackgerritJohn Wood proposed openstack/barbican: Add sub-status logic to worker/task processing
kfarrredrobot I'm looking at updating some of the cookie-cutter docs in Castellan.  It seems like some of the launchpad features like the bug tracker have not been set up yet.  Is that something I can do?21:09
kfox1111is binary files not supported?21:10
woodster_kfarr, please take a look at when you can.21:11
kfarrok woodster_ looking now!21:12
woodster_kfox1111, binary is supported via application/octet-stream. See here for example:
kfox1111so you can base64 encode it, then pass it. can you just tell it it has no encoding and pass it?21:15
woodster_kfox1111 the two step method (a little below the linked section) allows for a direct binary upload if that's what you mean.21:17
kfox1111looks good to me.21:18
kfox1111ah. yeah. I missed that. thanks.21:18
woodster_kfox1111 not all of those are supported in the client though... in fact I believe there is a bug related to that now...21:18
woodster_kfox1111, actually the bug is only for the plain text secrets (
openstackLaunchpad bug 1329084 in python-barbicanclient "Python client exception on decrypt of text/plain type secret" [Undecided,New]21:19
woodster_The bot is on the job!:
woodster_...or not21:20
openstackLaunchpad bug 1329084 in python-barbicanclient "Python client exception on decrypt of text/plain type secret" [Undecided,New]21:20
kfox1111is there a way to upload a binary with the python client?21:21
woodster_...see bot run21:21
*** rellerreller has quit IRC21:21
kfox1111I've got some fellow admins that.... lets just say were somewhat unhappy they couldn't do everything from horizon.21:21
kfox1111I think they will loose it if I ask them to use a rest api. ;)21:21
kfox1111though there may be some advantages to that...21:21
woodster_kfox1111, I was curious about the Horizon dashboard...I added it to the list of things to ask about at the Liberty summit. Do you know anyone interested in adding such support for barbican? :)21:25
kfox1111possibly... ;)21:26
kfox1111depends on some funding things and how busy we get. :/21:27
kfox1111If our users really like it, then their demand will push it sooner though.21:27
kfox1111one of the reasons I really want to make the workflow really easy on them.21:27
kfox1111oh... I misunderstood the -p option to secret store so far....21:27
kfox1111the arg is the data, not the filename the data's in....21:28
openstackgerritKaitlin Farr proposed openstack/castellan: Updating HACKING.rst
kfox1111thats... unfortunate.21:28
kfox1111ok. for now, I guess this will work: -p "$(base64 ceph.client.radosgw.keyring)"  --payload-content-type "application/octet-stream" --payload-content-encoding base6421:30
woodster_kfox1111 are you still with PNNL then?21:30
kfox1111though through an odd legal issue, I contribute it as myself. :/21:30
*** SheenaG11 has quit IRC21:30
woodster_kfox1111, there are other contributors that probably have similar legal issues, like having to review blueprints before they can be reviewed21:31
woodster_kfox1111, gerrit reviewed that is21:31
woodster_kfox1111, I thought we did have a file upload option in the client :\21:32
kfox1111yeah. unfortunatly for us, it would have been easy except for the cla has made it a pain.21:32
kfox1111woodster_: maybe there is. I just dont see it.21:33
woodster_kfox1111, do you know a Tim Stavenger over there?21:33
kfox1111the name sounds familiar. probably have.21:36
woodster_kfox1111, a sharp dev and build guy that I used to work with21:38
kfox1111cool. :) small world.21:39
kfox1111ok... have a radosgw container, with a ceph key in it... lets see if we can get a vm going to pull it. :)21:41
*** xaeth is now known as xaeth_afk21:47
openstackgerritSteve Heyman proposed openstack/barbican: Update devstack to run tests both sequentially and in parallel
openstackgerritThomas Dinkjian proposed openstack/barbican: Fix bug in tests assuming order is active
kfox1111ceph key goes in... new vm pulls it. md5sums match. :)21:59
*** barra204_ has joined #openstack-barbican22:03
hockeynutgreetings all - would love to get your opinions on the ability to add filters to list and offset on GETs for /secrets, /orders, etc (ie the plurals that return lists)22:03
*** shakamunyi has quit IRC22:03
*** barra204_ has quit IRC22:07
*** nkinder has quit IRC22:08
*** barra204_ has joined #openstack-barbican22:08
hockeynutI'd be willing to put together a blueprint to add filtering - makes the GETs more efficient and also solves an issue we're having with tests running in parallel - we can use filtering to only get secrets we are interested in, even if others are creating them at the same time22:09
*** SheenaG1 has joined #openstack-barbican22:09
kfox1111sounds cool.22:10
kfox1111filtering by container name would help for the code I just wrote.22:11
rm_workI thought it already supported filtering by name?22:16
rm_workor was that just the client doing it AFTER it fetches the full list?22:16
rm_workI don't remember...22:16
*** kebray has quit IRC22:18
woodster_kfox1111 sounds like progress. I think your CR will generate much discussion. Usually such CRs are preceded by a blueprint so it might take longer to get thru the review process, but it sounds like you aren't needing upstream immediately to run with it internally at least.22:23
*** lisaclark1 has quit IRC22:23
*** jamielennox is now known as jamielennox|away22:23
kfox1111yeah. I figured it wouldn't go quick. I'm guessing since its so late, kilo's probably off the table?22:26
*** jamielennox|away is now known as jamielennox22:30
kfox1111woodster_: I did put in a spec and blueprint too. if that helps.22:32
woodster_kfox1111, oh I hadn't noticed that before, sorry22:34
kfox1111no worries. :)22:35
kfox1111I had to document how to use it somewhere, and figured that would be a good place. :)22:35
*** igueths has joined #openstack-barbican22:36
woodster_kfox1111, I wouldn't give up on it for Kilo, esp. with the blueprint out there and your willingness to do the work :)  There will be design gut checking though for sure and bike shedding tweaks needed to fit within our way of things, so just be ready to put up a few patches before things are done. :)22:37
kfox1111sure. sounds good. :)22:38
woodster_kfox1111, so redrobot is the PTL and might have some suggestions as well when he's back on line. reaperhulk is our security SME so it'd be good to look things over as well.22:38
*** jamielennox is now known as jamielennox|away22:39
kfox1111heh. I was in the process of asking (typing) who the PTL was. you beat me to it. :)22:39
kfox1111ok. cool. yeah. more eyes on the security aspect of it would be great.22:40
*** jamielennox|away is now known as jamielennox22:40
kfox1111We have custom code we were using for it, but once i got into the implmentation in barbican, I noticed keystone had basically the same code already. so I just reused all of it.22:40
woodster_kfox1111 is this all part of a POC or eval that you are doing?22:40
kfox1111so I don't think the token security will be any worse then what is already being used. :)22:40
*** kfarr has quit IRC22:41
kfox1111kind of. this particular cloud is intended for researchers to do science on. mostly stable, but a bit of instability is ok.22:42
kfox1111since without barbican, there would be no key management, having it be a little green is probably ok, since its better to have green, then nothing at all.22:42
kfox1111Not having key management is a big problem.22:43
*** paul_glass has quit IRC22:43
rm_workwoodster_ / redrobot: so, my schedule is looking REALLY bad right now for doing virtually anything in time for kilo...22:43
rm_workI got pulled off Octavia/Neutron-LBaaS completely22:44
rm_workstill doing firefighting/internal stuff22:44
kfox1111bummer. I really really would like LBaaS V2.22:44
rm_workthey've got me booked for the next 1.5 months on another project T_T22:44
kfox1111v1 works okish.... hada regression in icehouse.22:44
rm_workkfox1111: well, that should still happen without me, I would hope ;P22:45
kfox1111still a lot missing. :/22:45
rm_workstill others here working diligently away on it22:45
kfox1111thats good.22:45
kfox1111yeah, before icehouse, I had a lb in front of a pool of ssh servers. it left connections live.22:45
rm_workjust need to let them know, since I was hoping to have time to do some work on per-secret policy, but that looks unlikely at the moment22:46
kfox1111at icehouse, it started breaking connections that were live for more then a couple of minutes. :/22:46
rm_workkfox1111: T_T22:46
rm_workwhich backend were you using?22:46
rm_workI hope not the haproxy-namespace driver22:46
rm_workoh shit22:46
rm_workthat is... not really intended for production use, or at least I would not recommend it T_T22:46
woodster_rm_work, sorry to hear that :\22:46
rm_workwe're working on stabilizing it a bit for v222:47
kfox1111bummer. cause its being used in production. ;)22:47
rm_workbut Octavia should be the default deployment option soon :P22:47
kfox1111has been for a year at least.22:47
rm_workthough probably not until Liberty22:47
rm_workso... *some* definition of "soon"22:47
kfox1111cool, and bummer. :)22:47
rm_workheh yeah...22:47
woodster_poc == production sometimes :)22:47
woodster_kfox1111, fyi the feature lbaas wanted to use was this per-secret RBAC one: Maybe we can get kfox1111 to do that per-secret RBAC stuff?22:48
woodster_kfox1111 it does have the concept of a read-only role to view shared secrets.22:48
rm_workOctavia is a good scaling/HA Loadbalancing soft-appliance that lives in nova and uses neutron for network plumbing22:48
*** kebray has joined #openstack-barbican22:48
rm_workand uses HAProxy by default22:48
rm_workthough that is theoretically extensible (could use nginx / whatever)22:49
kfox1111maybe after I get rados gw, sahara, and a gui for barbican done. :/22:49
kfox1111rm_work: yeah. been keeping an eye on it. Long term I think its a good solution.22:50
rm_workyeah I am surprised there isn't a good Barbican+Horizon solution yet22:50
kfox1111for 2 of our production clouds though, its actually has a major drawback.22:50
rm_worksomewhat disheartening22:50
rm_workkfox1111: is your GUI going to be Horizon based and eventually live upstream? :P22:50
kfox1111our network nodes are 10g attached on 1 gig to the compute nodes.22:50
kfox1111one uses vxlans over infiniband for the tenant networks.22:50
kfox1111so putting the lb on the network node is actually faster then putting it in a vm.22:51
kfox1111rm_work: If I get time for it, yes.22:51
rm_workwell, it you ran a special lbaas nova endpoint and set up your network nodes as lxc container hosts, that'd work :P22:51
rm_workwhich is actually remarkably similar to how the namespace haproxy impl works, from a really high level perspective (without the nova), I think22:53
kfox1111hmm... yeah. I could just make the network nodes compute nodes, put it in a different host aggrigate, and make sure they launch there.22:53
kfox1111thanks. :)22:53
kfox1111we do that for some of our compute nodes.22:54
woodster_kfox1111 I did intend to add a :) after that statement above! Always on the look out for folks that have time to help out with things!22:54
kfox1111time is always in short supply. but I help where I can. :)22:55
*** barra204_ has quit IRC22:57
*** igueths has quit IRC23:04
*** jamielennox is now known as jamielennox|away23:06
*** ametts has quit IRC23:14
*** jorge_munoz has quit IRC23:17
*** dimtruck is now known as zz_dimtruck23:19
*** dave-mccowan has joined #openstack-barbican23:23
*** jkf has quit IRC23:45
*** zz_dimtruck is now known as dimtruck23:46
*** kebray has quit IRC23:49
*** hockeynut has quit IRC23:51
*** tdink_ has quit IRC23:51
*** hockeynut has joined #openstack-barbican23:52
*** tdink has joined #openstack-barbican23:52

Generated by 2.14.0 by Marius Gedminas - find it at!