Friday, 2015-03-06

*** seagray has joined #openstack-barbican00:03
*** kgriffs|afk is now known as kgriffs00:12
*** kgriffs is now known as kgriffs|afk00:22
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan
*** crc32 has quit IRC00:29
*** jkf has quit IRC00:36
*** jaosorior has quit IRC00:42
*** mikedillion has joined #openstack-barbican01:03
*** mikedillion has quit IRC01:05
*** mikedillion has joined #openstack-barbican01:06
*** dave-mcc_ has joined #openstack-barbican01:11
*** dave-mccowan has quit IRC01:14
*** lisaclark has joined #openstack-barbican01:18
*** lisaclark has quit IRC01:24
*** bdpayne has quit IRC01:33
*** lisaclark has joined #openstack-barbican01:33
*** kebray has quit IRC01:35
*** SheenaG11 has joined #openstack-barbican01:41
*** SheenaG1 has quit IRC01:44
*** dave-mcc_ has quit IRC01:45
*** kebray has joined #openstack-barbican01:47
*** dave-m___ has joined #openstack-barbican01:54
*** mikedillion has quit IRC02:02
*** seagray has quit IRC02:09
*** lisaclark has quit IRC02:16
*** crc32 has joined #openstack-barbican02:17
*** chellygel has joined #openstack-barbican02:42
openstackgerritJohn Vrbanac proposed openstack/barbican: Fixing test dependence on execution order
*** kgriffs|afk is now known as kgriffs03:26
openstackgerritJohn Vrbanac proposed openstack/barbican: Fixing test dependence on execution order
*** woodster_ has quit IRC03:30
*** dimtruck is now known as zz_dimtruck03:30
*** kgriffs is now known as kgriffs|afk03:36
*** david-lyle is now known as david-lyle_afk03:44
*** kfox1111 has quit IRC03:44
openstackgerritMerged openstack/barbican: Ensure that external secret refs cannot be added to containers
*** rm_you| is now known as rm_you03:56
*** gyee has quit IRC04:23
*** jenkins-keep has joined #openstack-barbican05:01
*** DCWilliams_VA has joined #openstack-barbican05:09
*** dave-m___ has quit IRC05:09
*** DCWilliams_VA has quit IRC05:13
*** kgriffs|afk is now known as kgriffs05:15
*** kgriffs is now known as kgriffs|afk05:24
openstackgerritJohn Vrbanac proposed openstack/barbican: Fixing test dependence on execution order
openstackgerritJohn Vrbanac proposed openstack/barbican: Starting refactor of test_resources
*** kgriffs|afk is now known as kgriffs07:03
*** kgriffs is now known as kgriffs|afk07:13
*** jamielennox is now known as jamielennox|away07:16
*** kebray has quit IRC07:39
*** chlong has quit IRC08:11
*** crc32 has quit IRC08:46
*** kgriffs|afk is now known as kgriffs08:52
*** kgriffs is now known as kgriffs|afk09:02
*** darrenmoffat has quit IRC10:13
*** darrenmoffat has joined #openstack-barbican10:14
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Add missing python requierements for tests
*** kgriffs|afk is now known as kgriffs10:41
*** kgriffs is now known as kgriffs|afk10:51
*** chlong has joined #openstack-barbican11:23
*** kgriffs|afk is now known as kgriffs12:30
*** kgriffs is now known as kgriffs|afk12:39
*** DCWilliams_VA has joined #openstack-barbican13:04
*** woodster_ has joined #openstack-barbican13:06
*** rellerreller has joined #openstack-barbican13:08
*** DCWilliams_VA has quit IRC13:57
*** kgriffs|afk is now known as kgriffs14:18
openstackgerritMerged openstack/barbican: Enforce X-Project-Id coming from the request headers
*** seagray has joined #openstack-barbican14:22
*** seagray has quit IRC14:24
*** kgriffs is now known as kgriffs|afk14:28
*** lisaclark has joined #openstack-barbican14:29
*** dave-mccowan has joined #openstack-barbican14:32
*** chlong has quit IRC14:34
*** igueths has joined #openstack-barbican14:38
*** alee has quit IRC14:52
*** alee has joined #openstack-barbican14:53
*** kgriffs|afk is now known as kgriffs14:56
*** kgriffs is now known as kgriffs|afk14:56
*** paul_glass has joined #openstack-barbican15:01
*** ametts has joined #openstack-barbican15:02
*** atiwari has joined #openstack-barbican15:21
*** lisaclark has quit IRC15:22
*** lisaclark has joined #openstack-barbican15:26
*** jorge_munoz has joined #openstack-barbican15:33
*** zz_dimtruck is now known as dimtruck15:34
rellerrellerping reaperhulk15:34
rellerrellerIn PyCrypto there is the exportKey function for RSAObj. It says the DER encoding cannot be used to encrypt private key. Is that true? Can encrypted key wrapped with passphrase only come out in PEM format?15:36
*** SheenaG11 has quit IRC15:37
reaperhulkFor traditional openssl (aka PKCS1) format that is true15:38
reaperhulkfor PKCS8 you can have encrypted DER15:38
rellerrellerreaperhulk Thanks!15:39
*** lisaclark has quit IRC15:45
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Moved parameterized test from smoke to functional
*** lisaclark has joined #openstack-barbican15:47
*** arunkant has joined #openstack-barbican15:50
*** arunkant has quit IRC15:51
*** arunkant has joined #openstack-barbican15:52
*** arunkant has quit IRC15:55
*** arunkant has joined #openstack-barbican15:55
*** kgriffs|afk is now known as kgriffs15:56
arunkantwoodster_, there?16:06
*** kgriffs is now known as kgriffs|afk16:06
*** rellerreller has quit IRC16:08
arunkantalee, there?16:11
chellygelarunkant, woodster_ is on vacation, as an FYI16:11
arunkantchellygel, okay..thanks.16:13
*** kebray has joined #openstack-barbican16:14
aleearunkant, hi16:16
aleearunkant, hows the per-secret stuff coming?16:16
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Third set of secrets negative tests.
jvrbanacredrobot, alee, hockeynut, if you got a sec, easy workflow:
redrobotjvrbanac done16:27
arunkantalee,  Have a question on per secret ACL. currently in barbican..whenever a secret is read from DB, it also uses project_id from token to make that read. With ACL this would not work when user belongs to some other project but is 'read' ACL user list.16:27
jvrbanacredrobot, thx16:29
arunkantalee, there?16:31
aleearunkant, yeah -- thinking .. sorry, multi-irc'ing16:31
*** kgriffs|afk is now known as kgriffs16:31
arunkantalee, this is code I am talking about.
aleearunkant, well we pass in that value, but is it actually used to filter results?16:33
aleearunkant, if so, then that may need to be changed16:33
*** chlong has joined #openstack-barbican16:34
aleearunkant, because the acl evaluation would occur before that point16:34
arunkantYes. authorization would pass based on ACL logic..but then it would not get secret as token project id is different from secret's project id16:35
arunkantalee, yes it uses in db lookup..
aleearunkant, yeah - we'll have to think on how to modify that code16:36
aleearunkant, may need to build another query16:37
arunkantalee, yes..this logic needs to be changed. Currently this mechanism/logic is used to make sure that user's project and secret's project is same16:37
aleearunkant, well its also used to get for example a list of secrets for a particular user16:38
aleearunkant - or maybe not -- if its just for accessing a single secret - then it could be changed16:39
arunkantalee, this is kind of authorization check which can enforced via policy as well.16:39
aleemaybe end up removing that filter16:39
arunkantalee, for list secret's call (with ACL logic), there has to be additional mechanism to provide project id (not always derive from token)16:41
arunkantalee, but I think for now..we can just focus on 'read' operation only.. others can be looked later.16:43
aleearunkant, sure16:43
aleearunkant, focus on whats in the blueprint - which is reading individual secrets16:43
arunkantalee, yes. So for single read as well, will need to change the above mentioned area.16:44
aleearunkant, right16:45
*** SheenaG1 has joined #openstack-barbican16:45
arunkantalee, there has been concern raised in past to change that logic. For acl logic, I don't see any other way.16:46
aleearunkant, well , we're changing it because we are putting in place a framework for acls.16:47
aleethe authz checks are done at that level.16:47
aleeso I see no reason not to change it as long as we show that the authz check is done elsewhere16:48
arunkantalee, I agree. We should not have authorization logic once its passed policy enforcement layer.16:48
aleeand no unauthorizxed access is obtained16:48
aleearunkant, rest assured, your changes will be thoroughly reviewed.16:49
*** gyee has joined #openstack-barbican16:49
arunkantalee, okay. have started adding code. . Its work in progress but you are welcome to review it and see if any significant deviation is there.16:52
aleearunkant, will do so early next week -- I've been stuck adding pointers in some old code this week.16:55
*** xaeth_afk is now known as xaeth17:00
*** lisaclark has quit IRC17:02
*** rellerreller has joined #openstack-barbican17:05
*** lisaclark has joined #openstack-barbican17:07
jvrbanacrellerreller, here is the start of the test refactoring to remove as many mocks as possible
jvrbanacrellerreller, I would love to get your opinion on it17:09
rellerrellerjvrbanac This sounds great. I would like to take a look. When would you like feedback by? Today is pretty crazy with content types.17:10
jvrbanacrellerreller, whenever you have a chance. I'll be ping different core people throughout the day to try to get some feedback before I go hog wild and refactor the rest of api/test_resources.py17:11
*** rellerreller has quit IRC17:22
*** rellerreller has joined #openstack-barbican17:23
*** jkf has joined #openstack-barbican17:33
openstackgerritMerged openstack/barbican: Fixing test dependence on execution order
*** xaeth is now known as xaeth_afk17:34
openstackgerritBrianna Poulos proposed openstack/castellan: Copy cinder.keymgr to castellan
*** lisaclark has quit IRC17:39
*** xaeth_afk is now known as xaeth17:42
*** david-lyle_afk is now known as david-lyle17:43
*** kgriffs is now known as kgriffs|afk17:56
*** lisaclark has joined #openstack-barbican18:03
*** rellerreller has quit IRC18:07
*** bdpayne has joined #openstack-barbican18:13
*** morganfainberg is now known as needscoffeebadly18:19
*** kebray has quit IRC18:20
*** needscoffeebadly is now known as CaptainMorgan18:22
openstackgerritDouglas Mendizábal proposed openstack/python-barbicanclient: Use functional_test.conf for devstack gate
jvrbanachockeynut, redrobot, alee, If you have a moment:
*** lisaclark has quit IRC18:53
*** kgriffs|afk is now known as kgriffs18:56
elmikowoodster_: ping18:57
redrobotelmiko woodster_ is out on spring brake through next week19:01
elmikoahh cool19:02
elmikoi envision has some spare cycles and i was curious about helping improve the test coverage19:02
*** kfarr has joined #openstack-barbican19:02
elmikodo you know if there was ever a bug or bp set up describing the needed work?19:02
*** lisaclark has joined #openstack-barbican19:04
*** kgriffs is now known as kgriffs|afk19:05
elmikoredrobot: ^^19:08
*** kfarr_ has joined #openstack-barbican19:09
*** kfarr_ has quit IRC19:10
redrobotelmiko I don't think we have a bug set up yet, but jvrbanac has been doing a lot of work with the testing framework19:10
elmikoredrobot: thanks, i'll ping him =)19:10
elmikojvrbanac: ping19:10
jvrbanacelmiko, pong19:13
elmikojvrbanac: i'm curious about helping to improve the test coverage, i'm wondering if you have any pointers or places i might look at?19:14
jvrbanacelmiko, unit or functional coverage?19:16
elmikojvrbanac: i think unit is probably safer for me to start with, at least until i understand the functionals better19:17
jvrbanacelmiko, ok. So, I'm in the process of refactoring test_resources to get rid of the massive number of mocks we're using ( It would be absolutely awesome if we could do more of that, which will help our coverage as well19:19
*** kebray has joined #openstack-barbican19:19
*** kebray has quit IRC19:19
elmikojvrbanac: cool, i'll take a look and see if i can grok. will you be around later to chat?19:19
*** kebray has joined #openstack-barbican19:20
jvrbanacelmiko, sure yeah19:20
elmikojvrbanac: thanks!19:20
jvrbanacelmiko, my goal is to clean up our tests to run more real code paths as well as make them more understandable. There are places where we have horrid inheritance chains and you can't hardly tell what's going on.19:22
elmikojvrbanac: ok, and from the looks of that review i wouldn't need a related bug or something to link in the commit?19:22
elmikojvrbanac: what were you thinking about for the other secrets tests in ?19:39
jvrbanacelmiko, I'm working on those right now19:42
elmikojvrbanac: cool, would it work out if i made a dependent CR from yours adding a to that new test folder? (i don't want to step on toes if you were planning to add that)19:44
jvrbanacelmiko, what would be awesome!19:45
elmikoalternatively i could look at order or consumers19:45
elmikook, cool. i'll try and work something up =)19:45
jvrbanacelmiko, awesome thx!19:46
*** rellerreller has joined #openstack-barbican19:48
rellerrellerreaperhulk Can cryptography does RSA encryption and decryption?19:49
rellerreller /does/do/19:50
*** CaptainMorgan is now known as morganfainberg19:50
rellerrellerreaperhulk thanks!19:50
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Second set of negative functional tests for secrets
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Third set of secrets negative tests.
*** lisaclark has quit IRC19:58
*** jkf has quit IRC20:01
*** lisaclark has joined #openstack-barbican20:02
*** jkf has joined #openstack-barbican20:03
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Second set of negative functional tests for secrets
*** rellerreller has quit IRC20:17
*** lisaclark has quit IRC20:19
elmikojvrbanac: you weren't kidding about the tangled object hierarchy!20:31
*** lisaclark has joined #openstack-barbican20:34
*** crc32 has joined #openstack-barbican20:43
*** kgriffs|afk is now known as kgriffs20:45
*** kgriffs is now known as kgriffs|afk20:54
*** SheenaG1 has quit IRC21:03
*** kgriffs|afk is now known as kgriffs21:04
*** lisaclark has quit IRC21:10
elmikojvrbanac: question about barbican.models.repositories, if i need to add Secrets do i use the method with a new Secret object?21:14
kfarrhockeynut, do you have a second to explain to me the difference between a smoke test and a functional test?21:23
iguethsmpc -q next21:30
iguethsWrong console...21:30
*** kgriffs is now known as kgriffs|afk21:58
rm_worklol wow, someone updated the barbican-client and changed the way the api object works (split httpclient out) and didn't update containers T_T22:00
rm_workanyone know if there is a patch incoming for this? if not, I can do it now22:00
* rm_work checks gerrit22:00
rm_workdoesn't look like it22:01
rm_workpatch incoming22:01
rm_workah, I see why no one thought to update container create -- it's a bit odd, normally it wouldn't matter22:05
*** woodster_ has quit IRC22:10
openstackgerritAdam Harwell proposed openstack/python-barbicanclient: Pass correct api object to Container constructor
*** kgriffs|afk is now known as kgriffs22:12
rm_workfiled a bug for it:
openstackLaunchpad bug 1429286 in python-barbicanclient "Can't create Containers, missing self._api._post method" [Undecided,New]22:12
rm_workwow that was fast, jaosorior already commenting22:14
rm_workerr nm22:14
rm_workwrong CR22:14
openstackgerritDouglas Mendizábal proposed openstack/python-barbicanclient: Refactor test modules
rm_workredrobot: current release of python-barbicanclient container creation is broken T_T22:15
redrobotrm_work :(  have you filed a bug?22:15
rm_workredrobot: ^^22:15
reaperhulkrm_work: good thing we're trying to turn on a functional test gate22:15
* redrobot should read context before replying22:15
rm_workredrobot: bug filed and patch submitted, see above22:15
rm_workanyway, I assume there'll be a new release cut to correspond with the Kilo release?22:16
rm_workjust need the fix to make it in by then22:16
rm_workreaperhulk: heh yes, that would be nice :)22:17
redrobotrm_work yeah we're planning a client release around k-322:17
rm_workredrobot: how long is that from now?22:17
*** kebray_ has joined #openstack-barbican22:17
redrobot~ 2 weeks22:17
*** kebray has quit IRC22:17
elmikojvrbanac: a little update, i'm making good progress. got the first few tests converted. i just need to figure out a better way to inject secrets into the repos.22:18
elmikoredrobot, rm_work, maybe you guys know. if i have a Secret() is there an easy way to get the secret_ref for it?22:19
rm_workassuming my_secret is a Secret() object22:19
rm_work* my_secret.secret_ref22:20
rm_workis the ref :P22:20
redrobotrm_work that's true for the client, I think elmiko is working on server side code22:20
elmikothis is for tests22:20
rm_workTHAT kind of Secret object22:20
elmikosorry, should have been more clear22:20
rm_worknp, normally would have caught that, but I'm in Client mode today22:20
rm_workit's a repository Secret object?22:21
elmikono worries, i just feel like i'm doing this the "wrong way(tm)" if i need to make rest calls to generate secrets for a container22:21
elmikorm_work: yea, that's what i'm trying to do now22:21
rm_workif PyCharm would stop beachballing on me....22:21
*** chlong has quit IRC22:24
*** jkf has quit IRC22:25
*** jkf has joined #openstack-barbican22:27
*** dave-mccowan has quit IRC22:28
*** jorge_munoz has quit IRC22:46
*** paul_glass has quit IRC22:49
*** kgriffs is now known as kgriffs|afk22:54
openstackgerritArun Kant proposed openstack/barbican: Adding per secret ACL support
*** crc32 has quit IRC23:13
*** xaeth is now known as xaeth_afk23:14
*** kebray_ has quit IRC23:18
*** kebray has joined #openstack-barbican23:19
*** xaeth_afk is now known as xaeth23:24
*** igueths has quit IRC23:24
*** dave-mccowan has joined #openstack-barbican23:38
*** ametts has quit IRC23:38
*** woodster_ has joined #openstack-barbican23:39
*** jkf has quit IRC23:51
*** kgriffs|afk is now known as kgriffs23:54

Generated by 2.14.0 by Marius Gedminas - find it at!