Thursday, 2015-03-05

*** ametts has quit IRC00:03
*** dave-mccowan has quit IRC00:03
*** bdpayne has quit IRC00:11
*** jorge_munoz has quit IRC00:15
*** kgriffs is now known as kgriffs|afk00:41
*** crc32 has quit IRC00:41
*** igueths has left #openstack-barbican00:46
*** igueths has joined #openstack-barbican00:46
woodster_reaperhulk, I should be able to workflow before tests pass...will that effectively just do one gate check then (to merge)?00:47
reaperhulkIt will do the gate check for the merge yes00:48
reaperhulkbut you can wait until it passes :)00:48
woodster_reaperhulk, so the PK should be indexed by default correct?00:49
woodster_reaperhulk, I'll also ask the dbas about UUID PKs...I've read that could be a perf impact00:49
*** kfarr has quit IRC00:50
reaperhulkthe ids are set as primary key in our schemas right now00:55
*** igueths has quit IRC01:03
*** kfox1111 has quit IRC01:09
*** jorge_munoz has joined #openstack-barbican01:27
*** jorge_munoz has quit IRC01:28
*** gyee has quit IRC01:36
*** SheenaG1 has joined #openstack-barbican01:39
*** jamielennox is now known as jamielennox|lunc01:51
*** jaosorior has quit IRC01:52
*** jkf has quit IRC02:00
*** nkinder has quit IRC02:21
*** nkinder has joined #openstack-barbican02:26
*** jamielennox|lunc is now known as jamielennox02:47
*** rm_work is now known as rm_work|away03:02
*** jamielennox is now known as jamielennox|away03:45
*** dave-mccowan has joined #openstack-barbican03:58
*** dave-mcc_ has joined #openstack-barbican04:03
*** dave-mccowan has quit IRC04:03
*** dave-mcc_ has quit IRC04:27
*** zz_dimtruck has quit IRC04:29
*** xaeth_afk is now known as xaeth04:29
*** xaeth is now known as xaeth_afk04:29
*** woodster_ has quit IRC04:40
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements
openstackgerritMerged openstack/python-barbicanclient: Adds positive orders functional tests
*** woodster_ has joined #openstack-barbican05:34
openstackgerritArun Kant proposed openstack/barbican: Adding per secret ACL support
*** arunkant has quit IRC07:03
*** chellygel has quit IRC07:24
*** lisaclark has quit IRC07:24
*** jvrbanac has quit IRC07:24
*** openstackgerrit has quit IRC07:36
*** openstackgerrit has joined #openstack-barbican07:36
*** woodster_ has quit IRC07:40
*** insequent has quit IRC08:33
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable usage of 'payload' path to fetch decrypted secrets
*** jaosorior has joined #openstack-barbican08:46
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable usage of 'payload' path to fetch decrypted secrets
*** elmiko has quit IRC09:20
*** elmiko has joined #openstack-barbican09:20
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Add default max payload to functional test conf registry
*** darrenmoffat has quit IRC10:12
*** darrenmoffat has joined #openstack-barbican10:13
*** dave-mccowan has joined #openstack-barbican13:11
*** woodster_ has joined #openstack-barbican13:22
*** SheenaG1 has quit IRC13:44
*** SheenaG1 has joined #openstack-barbican14:00
*** alee has joined #openstack-barbican14:08
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Ported API documentation to the repo
*** rellerreller has joined #openstack-barbican14:31
*** lisaclark has joined #openstack-barbican14:36
*** igueths has joined #openstack-barbican14:43
*** igueths has quit IRC14:52
*** lisaclark has quit IRC15:10
*** lisaclark has joined #openstack-barbican15:12
*** chellygelz has joined #openstack-barbican15:18
*** seagray has joined #openstack-barbican15:21
*** insequent has joined #openstack-barbican15:21
*** kebray has joined #openstack-barbican15:21
*** kebray has quit IRC15:23
*** kebray has joined #openstack-barbican15:23
*** zz_dimtruck has joined #openstack-barbican15:25
*** zz_dimtruck is now known as dimtruck15:25
*** kgriffs|afk is now known as kgriffs15:28
*** hockeynut has quit IRC15:31
*** tdink has quit IRC15:31
*** jorge_munoz has joined #openstack-barbican15:32
*** hockeynut has joined #openstack-barbican15:32
*** tdink has joined #openstack-barbican15:33
*** insequent has quit IRC15:40
*** insequent has joined #openstack-barbican15:43
*** insequent has quit IRC15:46
*** lisaclark has quit IRC15:48
*** jorge_munoz has quit IRC15:53
*** lisaclark has joined #openstack-barbican15:53
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan
woodster_hockeynut, tdink, are you there?15:58
hockeynutyep - suffering through a gorgeous sunny day15:59
reaperhulkredrobot: where we at with that gate :)15:59
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan
woodster_hockeynut aren't you guys covered with ice?16:01
hockeynuticed tea?16:01
hockeynutit's sunny and cold16:01
hockeynutdallas got blasted with 7" but we got nothing16:01
woodster_hockeynut, yeah snowmageddon didn't happen here either16:02
hockeynutschool's out down there16:02
woodster_hockeynut, jvrbanac, tdink so I was curious if we have tests that verify we can't spoof the x-project-id header. I thought we did in the cafe days, but not sure.16:03
hockeynutnot project ID.  we do have one for location header16:03
*** alee has quit IRC16:04
*** lisaclark has quit IRC16:05
jaosoriorwoodster_: what would then be a more appropriate place for the API doc?16:06
woodster_jaosorior, API docs *were* supposed to go into the docbook stuff that is in our repo, but until we were out of incubation, they couldn't be published anywhere. Well the raw XML docbook format is not too pleasant to look at, so we held off on pulling all API info over to it.16:08
woodster_jaosorior, so the next best thing was the good ol' cloudkeep org's wiki16:08
woodster_jaosorior, I should say the *easiest* thing was to keep it there. Your CR is really the next best thing16:09
jaosoriorWell, fuck haha. That took a quote16:09
jaosorior* while,  not quote16:09
jaosoriorShould have asked first16:09
*** lisaclark has joined #openstack-barbican16:14
woodster_jaosorior, no no we had actually wanted to do that but didn't have the time.16:15
woodster_jaosorior, I've also heard there is possible movement away from docbook to .rst, so the docs might easily move to the 'proper' home once that is figured out. The best part is when folks mod the API, we can insist on changes to the docs too.16:16
woodster_hockeynut yeah it turns out we weren't stripping that out of the request properly so it could be spoofed! This is probably a test to add to the new security suite of tests, or to the functional suite?16:17
*** alee has joined #openstack-barbican16:18
hockeynutwoodster_ yep - definitely should add to the new stuff (securitytests make sense I believe)16:19
openstackgerritMerged openstack/barbican: Updated from global requirements
openstackgerritMerged openstack/barbican: Creating indexes for foreign keys
*** dave-mcc_ has joined #openstack-barbican16:28
openstackgerritMerged openstack/barbican: Fixing race-condition for order processing in workers
*** dave-mccowan has quit IRC16:30
*** dave-mccowan has joined #openstack-barbican16:31
*** rellerreller has quit IRC16:32
*** kfox1111 has joined #openstack-barbican16:33
*** dave-mcc_ has quit IRC16:34
*** xaeth_afk is now known as xaeth16:35
*** rellerreller has joined #openstack-barbican16:38
kfox1111any other comments on the vm integration spec?16:39
kfox1111It would be nice if we could provisionally approve it for kilo, since there is code ready too.16:39
*** alee has quit IRC16:39
*** igueths has joined #openstack-barbican16:44
*** tkelsey has joined #openstack-barbican16:46
*** insequent has joined #openstack-barbican16:50
*** alee has joined #openstack-barbican16:51
*** seagray has quit IRC17:03
*** jorge_munoz_ has joined #openstack-barbican17:04
*** bdpayne has joined #openstack-barbican17:04
*** jvrbanac has joined #openstack-barbican17:05
*** lisaclark_ has joined #openstack-barbican17:06
*** insequent has quit IRC17:11
kfox1111any other comments on the vm integration spec?17:11
kfox1111It would be nice if we could provisionally approve it for kilo, since there is code ready too.17:11
*** insequent has joined #openstack-barbican17:11
kfox1111we can always not commit the code for kilo if objections pop up.17:12
redrobotkfox1111 we agreed during the last weekly meeting to punt on your spec until L cycle17:13
redrobotkfox1111 I think it's a big enough change to warrant discussion during the Design Summit in Vancouver17:13
redrobotkfox1111 do you know if you'll be able to attend the Summit?17:15
redrobotkfox1111 it would be great to be able to discuss this in person17:15
kfox1111yeah, it would. not sure. :/ I guess it wouldn't hurt to ask management...17:17
*** jkf has joined #openstack-barbican17:23
*** kebray has quit IRC17:28
*** kebray has joined #openstack-barbican17:31
rellerrellerping woodster_17:34
rellerrellerActually does anyone know where the secrets are encoded to the requested type on a get secret call?17:35
rellerrellerSo if I store a secret I want to make two get calls. One to retrieve in binary format and the other in base64.17:36
woodster_rellerreller, look at line #154 in barbican.plugin.resources.py17:36
rellerrellerwoodster_ the denormalize_after_decryption call?17:37
rellerrellerMy line numbers are a little off in my branch17:38
openstackgerritMerged openstack/barbican: Ported API documentation to the repo
woodster_it's that call at the end of the get_secret() fumctipon17:38
woodster_wow, function that is17:38
rellerrellerwoodster_ So that call does not convert to base64 format or anything for binary types.17:39
rellerrellerIf the content type is set to binary then just passes the data through. Unless I am missing something.17:39
rellerrellerFor plaintext, yes, it converts to UTF-8 and returns the bytes.17:40
woodster_rellerreller, that's correct, we weren't trying to take on conversion at the time this code was written. We were also getting true binary back I think as well (not base64 encoded)17:41
rellerrellerwoodster_ That might be an issue for callers. We are ignoring their requested encoding for retrieval.17:43
*** jorge_munoz_ has quit IRC17:43
rellerrellerSorry, crying baby now. Need to get that.17:43
woodster_rellerreller, well for backwards compat, could you just do that for the opaque type17:43
woodster_rellerreller, jeez, first kid...she'll be fine.  Just kidding! :)17:44
rellerrellerwoodster_ I think we need a new CR for this issue.17:52
openstackgerritMerged openstack/python-barbicanclient: Add default max payload to functional test conf registry
*** kebray has quit IRC18:25
*** seagray has joined #openstack-barbican18:28
rellerrellerwoodster_ OK, I'm going to blame this one on sleep deprivation. I just saw that the API says it will only return secrets in binary format. I thought you could request in base64 or binary. No bug. My mistake.18:44
*** crc32 has joined #openstack-barbican18:50
*** xaeth is now known as xaeth_afk18:51
*** DCWilliams_VA has joined #openstack-barbican18:53
openstackgerritMerged openstack/python-barbicanclient: Additional requests-mock testing
woodster_rellerreller, no problem. We'll just have to give your CRs extra scrutiny. ;)19:00
*** gyee has joined #openstack-barbican19:01
*** kebray has joined #openstack-barbican19:05
*** crc32 has quit IRC19:13
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Second set of negative functional tests for secrets
*** mjg59 has quit IRC19:24
*** DCWilliams_VA has quit IRC19:25
*** DCWilliams_VA has joined #openstack-barbican19:26
*** DCWilliams_VA has quit IRC19:26
*** DCWilliams_VA has joined #openstack-barbican19:26
*** lisaclark has quit IRC19:28
*** lisaclark has joined #openstack-barbican19:32
*** lisaclark1 has joined #openstack-barbican19:33
*** lisaclark1 has quit IRC19:34
*** rm_work|away is now known as rm_work19:34
*** lisaclark1 has joined #openstack-barbican19:34
*** lisaclark has quit IRC19:36
*** DCWilliams_VA has quit IRC19:52
*** bdpayne has quit IRC19:56
*** xaeth_afk is now known as xaeth20:16
woodster_jaosorior, I just -1-ed your project-id CR, please take a look at my comments there20:22
*** chellygelz has quit IRC20:24
*** openstackgerrit has quit IRC20:25
jaosoriorwoodster_: checking it out20:25
*** openstackgerrit has joined #openstack-barbican20:26
*** lisaclark1 has quit IRC20:27
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Enforce X-Project-Id coming from the request headers
*** lisaclark has joined #openstack-barbican20:32
*** lisaclark has quit IRC20:36
redrobothockeynut ping20:37
hockeynutredrobot ack20:38
redrobothockeynut hey, I'm trying to figure out what CWD is in this context
redrobothockeynut it seems that CWD resolves to different things if we're running tox vs the new functional gate20:38
hockeynutits barbican root dir20:39
hockeynutso same place as tox.ini20:39
redrobothockeynut even when running inside the tox directory?20:39
hockeynutwhen we run tox -e functional its from the barbican root dir20:39
woodster_jaosorior, ha! Yeah we'll see what the gate does there. I see that the keystonemiddleware appears to populate both X-Tenant-Id and X-Project-Id:
jaosoriorwoodster_: Oh... So yeah.. should I revert back then?20:42
woodster_jaosorior, so technically we could listen on both of them.20:43
jaosoriorredrobot: wasn't the CWD the functionaltests directory?20:43
woodster_jaosorior, well if it is deprecated and then goes away, then we are screwed if we are listening to both of them20:43
*** lisaclark has joined #openstack-barbican20:43
jaosoriorbut a lot of people are still using v2.0...20:43
redrobotjaosorior well, that's what I'm trying to sort out... I had CWD as functionaltests but then hockeynut changed the relative path because tox -e functionaltest uses root as CWD :-\20:44
woodster_jaosorior, well it is more if folks are using older keystonemiddleware for their deployment of Barbican, which I don't think would be the case20:44
*** david-lyle_afk has joined #openstack-barbican20:45
hockeynutrax identity is 2.0-based so we need that20:45
jaosoriorBut the gate, IIRC goes to the functionaltests folder :/20:46
hockeynutgate uses the I believe20:46
hockeynutrunning outside of gate we use tox from barbican root20:46
*** david-lyle_afk has quit IRC20:47
redrobotjaosorior yup, relative paths suck, which is why I'm trying to do the cfg discovery programmatically.20:47
*** david-lyle_afk has joined #openstack-barbican20:47
redrobothockeynut the problem is the relative path I linked to earlier only works for one context.  we need it to work for both.20:47
*** bdpayne has joined #openstack-barbican20:47
hockeynutredrobot yessir20:47
jaosoriorwoodster_: I'll revert the commit back to how it was20:49
woodster_jaosorior, I'm thinking the x-project-id is the way to go though20:49
woodster_jaosorior, that middleware should handle v2 vs v320:49
openstackgerritDouglas Mendizábal proposed openstack/python-barbicanclient: WIP: Fix devstack gate
jaosoriorUh... ok, so, do I leave it like it is then?20:50
*** igueths has quit IRC20:50
jaosoriorI mean, for me X-Project-Id is just fine, I try to enforce v3. Just didn't wanna break someone's deployment20:52
jaosoriorBy the way, I'll go on vacation tomorrow, and I still have some unmerged CRs. Would someone be able to follow up on them if they need further work?20:56
*** lisaclark has quit IRC20:57
*** tkelsey has quit IRC20:58
*** david-lyle_afk is now known as david-lyle21:03
*** lisaclark has joined #openstack-barbican21:03
*** crc32 has joined #openstack-barbican21:05
*** mjg59 has joined #openstack-barbican21:10
jaosorioraw :(21:10
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: First set of negative secrets tests.
redrobotI got your back jaosorior21:47
jaosoriorredrobot: yay :D21:48
redrobotjaosorior you got a few minutes to look at this Castellan CR?
*** seagray has quit IRC21:52
*** seagray has joined #openstack-barbican21:54
*** seagray has quit IRC21:56
*** jamielennox|away is now known as jamielennox21:56
jaosoriorredrobot: reading21:58
*** lisaclark has quit IRC22:01
jaosoriorredrobot: reviewed22:03
jaosoriornothing major though22:04
*** igueths has joined #openstack-barbican22:08
*** rellerreller has quit IRC22:12
openstackgerritIgor Gueths proposed openstack/barbican: Ensure that external secret refs cannot be added to containers
redrobotjaosorior thanks!22:15
redrobotjaosorior I'm trying to get some traction on Castellan so I can add it to global-req22:15
jaosoriorredrobot: Indeed...I have forgotten to take a look at the commits there22:15
jaosoriorI should really get more active there though22:16
redrobotjaosorior yeah, I had to add it to my "watched" list22:16
jaosoriorAnyway guys, I'm off. Have a good day, talk to you in a week :D22:25
jvrbanacjaosorior, have fun!22:26
*** lisaclark has joined #openstack-barbican22:27
*** paul_glass has joined #openstack-barbican22:35
*** paul_glass has quit IRC22:37
woodster_jaosorior, thanks for the code!22:39
jvrbanacwoodster_, soo I've been trying to refactor these tests...22:39
woodster_jvrbanac, not small shirt size sort of stuff?22:40
jvrbanacwoodster_, This is pretty much me right now:
jvrbanacwoodster_, anddd no it's not small at all22:41
woodster_jvrbanac, well we had talked about starting small, with an example module/test perhaps22:42
jvrbanacwoodster_, yeahhhh... soooo simple was testing the version controller. That works great lol!22:43
woodster_jvrbanac, well there you go then. Miller time!22:44
jvrbanacwoodster_, so I've created a barbican/tests/api/controllers/, etc22:44
jvrbanacwoodster_, I figured the best way to go about this was to split out test_resources while I was at it22:44
woodster_jvrbanac, another option is to create a new module entirely that just tests one aspect of a controller, mainly to introduce and demo concepts/collaborating classes...could just be in its own package to start with22:45
woodster_jvrbanac, I don't think the module reached 10k lines just yet IDE could still open that file up after all :\22:46
jvrbanacwoodster_, I can always move stuff around later; however, these tests have so much bundled around them it's not funny.22:47
openstackgerritDouglas Mendizábal proposed openstack/barbican: Refactor dogtag gate scripts
jvrbanacwoodster_, my goal is to use as little mocking and patching as possible. So far I've been doing pretty good. I'm just trying to figure out transport keys22:49
jvrbanacwoodster_, I don't see anything about them in our docs22:49
woodster_jvrbanac, I think we lost track of that feature, probably because it doesn't have python client support. Now that Oz has put api docs into sphinx, maybe it would be easier to add such docs.22:51
jvrbanacwoodster_, yeah22:51
woodster_alee, have you thought about documenting your nifty transport keys feature? ^^^22:51
aleewoodster_, eventually yes22:53
aleewoodster_, sorry I've been drawn into messy old dogtag code this week22:53
woodster_jvrbanac, is your general strategy to build up python test classes that mimic the real thing?22:53
aleepointer arithmetic anyone ?22:53
woodster_alee, I thought you were on vacation...oh wow, the opposite of that C code?22:54
aleeC and C++22:54
aleenot vacation I assure you22:54
woodster_alee C++ is nice, unless it is used by a C coder22:54
jvrbanacwoodster_, I'm not mimic-ing anything. I'm using a webtest for the test app, but I'm hitting in memory db and a "standalone" variant of our wsgi app with controllers.22:55
aleewhich this code is a prime example of ..22:55
jvrbanacwoodster_, I'm having to set up for specific tests, but so far I haven't used a single mock or patch22:55
woodster_jvrbanac, sounds nice to me. I'd suggest getting something bite sized up for folks to take a look once that makes sense22:57
jvrbanacwoodster_, yeah... I'll toss up something after I figure out a few more of these tests. I keep getting a SecretStorePluginNotFound when I'm trying to use the transport key stuff. I might have to patch that sucker for the moment23:01
redrobotjvrbanac you can take the Dev out of QE, but you can't take the QE out of the Dev ;)23:06
*** kgriffs is now known as kgriffs|afk23:08
jvrbanacredrobot, lol more like I'm tired of working on something, go to write the unit test to cover it and have my eyes glaze over due to not understanding wtf is going on.23:08
redrobotalee if you've got a sec, I can't tell why the KRA is failing
*** xaeth is now known as xaeth_afk23:09
aleeredrobot, sorry - can't look right now23:11
aleeredrobot, I'm on a deadline to get a build out this week.23:11
redrobotalee no prob...  I'll add you to the reviewers in my CR for when you get a chance23:12
aleeredrobot, will get back to you tomorrow if I can23:12
woodster_jvrbanac, well the transport key stuff is a bit tricky. It is a two step process I recall, once to get the transport key id (from a specific plugin), and then one to make the call with the transport key specified (which maps to the plugin that generated the transport key).23:13
jvrbanacwoodster_, yeah... I've spent nearly two hours trying to solve this without a patch... I think I'm just gonna patch it and move on. Figure it out later23:14
woodster_jvrbanac, so it sounds like you are doing more integration style tests which just require more of these API-ish things to be filled in beforehand.23:14
woodster_jvrbanac, yeah that sounds fair. I think your other non-patch stuff will inspire us to remove that patch in a later CR23:14
jvrbanacwoodster_, kinda yeah. These tests are for the controllers, so it makes sense23:15
jvrbanacwoodster_, if we're hitting* might as well have it follow as much of the real code paths as possible23:16
woodster_jvrbanac, I'd agree with that. If there is a lot of biz logic complexity in the controller (so lots of branch combinations to test), those controllers probably need to be refactored anyway to break out that logic into bite sized testable chunks23:17
*** igueths has quit IRC23:20
*** lisaclark has quit IRC23:28
*** openstack has joined #openstack-barbican23:52
