Monday, 2015-03-23

*** nkinder has joined #openstack-barbican00:13
*** tkelsey has joined #openstack-barbican02:19
*** tkelsey has quit IRC02:24
*** bdpayne has quit IRC02:59
*** woodster_ has joined #openstack-barbican03:14
openstackgerritMerged openstack/python-barbicanclient: First set of negative functional test for secrets
*** kebray has joined #openstack-barbican03:42
*** kebray has quit IRC03:42
*** kebray has joined #openstack-barbican03:43
*** kebray has quit IRC04:01
*** kebray has joined #openstack-barbican04:02
*** dave-mccowan has quit IRC04:02
*** xaeth_afk is now known as xaeth04:15
*** xaeth is now known as xaeth_afk04:17
openstackgerritMerged openstack/python-barbicanclient: Updated from global requirements
*** bdpayne has joined #openstack-barbican05:26
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex
*** kebray has quit IRC06:15
*** jamielennox is now known as jamielennox|away06:28
*** bdpayne has quit IRC06:32
*** gitorres has joined #openstack-barbican06:44
*** gitorres has left #openstack-barbican06:44
*** gitorres has joined #openstack-barbican07:04
*** gitorres has left #openstack-barbican07:05
*** woodster_ has quit IRC07:50
*** chlong has quit IRC07:58
*** gitorres has joined #openstack-barbican08:09
*** gitorres1 has joined #openstack-barbican08:11
*** gitorres has quit IRC08:15
*** gitorres1 has left #openstack-barbican08:23
*** tkelsey has joined #openstack-barbican08:31
*** gitorres has joined #openstack-barbican09:05
*** gitorres has quit IRC09:09
*** gitorres has joined #openstack-barbican09:51
*** gitorres has quit IRC10:37
*** gitorres has joined #openstack-barbican10:39
*** gitorres has quit IRC10:48
*** gitorres has joined #openstack-barbican10:49
*** gitorres has quit IRC10:50
*** gitorres has joined #openstack-barbican10:50
*** jaosorior has joined #openstack-barbican10:53
*** gitorres has quit IRC10:57
*** gitorres has joined #openstack-barbican10:57
*** gitorres has quit IRC11:09
*** gitorres has joined #openstack-barbican11:09
*** gitorres has quit IRC11:21
*** gitorres has joined #openstack-barbican11:21
*** gitorres has left #openstack-barbican11:43
*** dave-mccowan has joined #openstack-barbican12:21
*** dave-mccowan has quit IRC13:00
*** dave-mccowan has joined #openstack-barbican13:00
*** alee_out is now known as alee13:23
aleedave-mccowan, thats great -- what do you have?13:23
dave-mccowanalee i implemented      create_asymmetric_key_container()13:25
aleedave-mccowan, thats great - I was going to look at that next13:26
aleedave-mccowan, how did you  do it ?  issue an order for a asym key set?  or create a keyset and put it in a container?13:26
*** kebray has joined #openstack-barbican13:28
dave-mccowanalee i thought so; it gets a bunch of tests going.  i created and stored the secrets, then put the refs in the container.13:28
aleedave-mccowan, great!13:29
aleedave-mccowan, perhaps you can implement create_asymmetric_key_container_without_secrets() and create_generic_container()13:30
aleedave-mccowan, that should be a small variation on what you've already done.13:30
aleedave-mccowan, and also allows you to test the validator code you have been writing13:30
aleedave-mccowan, hows that validator code going?13:31
dave-mccowanalee sounds good.  will do.13:31
aleedave-mccowan, I'm going to post up another patch shortly that implements gets_dogtag_ca_id() and fixes a few bugs13:32
openstackgerritMartin Kletzander proposed openstack/barbican: Fix common misspellings
dave-mccowanalee i've some validating going on.  then i got stuck on a design question.  looks like i need the project_id to verify that a secret_ref is valid, but I don't have it in the existing call.   so, i'll have to do something like what you did with validate_ca_id(), and call a second validator later in the flow.13:33
dave-mccowanalee, maybe you've solved some of my issues with your next patch.13:33
aleedave-mccowan, I'm not sure I have .. why do you need a project_id to verify that the secret_ref is valid?13:34
aleedave-mccowan, I think that limitation is actually removed by arunkant patches13:35
aleebecause if I recall correctly, the query for secrets implies that secret.project_id == external_project_id right now13:36
dave-mccowanalee if you're asking, maybe i don't. :-)  ah.... ok, looking at my code again, i see the problem.  the project_id was a red herring.13:39
aleedave-mccowan, ok13:40
*** woodster_ has joined #openstack-barbican13:42
dave-mccowanalee i'll work on the creates next.  let me know when you need them and i can make CR or paste them.13:45
aleedave-mccowan, yeah - go ahead and post them as soon as you have them13:46
aleedave-mccowan, I'll try to get to those tests today13:46
openstackgerritAde Lee proposed openstack/barbican: Add functional tests for certificate orders
openstackgerritAde Lee proposed openstack/barbican: Fix CA related exceptions, and unskip relevant tests
openstackgerritAde Lee proposed openstack/barbican: Fix some ca_id related bugs, add more functional test code
aleewoodster_, ping14:00
openstackgerritMartin Kletzander proposed openstack/barbican: Fix common misspellings
dave-mccowanalee do you have any handy curl or sql commands that you use for debugging?  for example, if i store something, but my code can't find it, what's a quick command that I can use to dump the stored data for comparison?14:06
aleedave-mccowan, for database I just go into sqlite itself.  mostly though, as I've been working on functional tests, I've been relying on the files14:08
aleebecause my instance is now set up for keystone auth14:09
aleedave-mccowan, pastebin what you have - maybe I'll be able to see whats going on.14:10
openstackgerritJuan Antonio Osorio Robles proposed openstack/castellan: Start using oslo.policy
aleejaosorior, yeah - I'm befuddled14:13
aleejaosorior, good catch on the skipTest/skip thing -- I was wondering how to add a comment as to why a test was being skipped14:14
jaosorioralee: I responded14:14
jaosoriorseems that the skip decorator actually takes a reason14:15
jaosoriorwell, a message14:15
jaosoriorand in that documentation that I mentioned, they were referring to the skip method, not the decorator14:15
jaosorioralee: so I guess you could add a message to those skip decorators that don't have it. It would be useful14:16
aleejaosorior, I will - perhaps in one of the later patches14:16
aleejaosorior, I'm trying to remove all those skips14:16
aleejaosorior, please take a look at the follow on patches too.14:17
aleejaosorior, although I'm not sure how to fix the __name__ thing.14:17
aleeI have no idea what it means14:17
jaosorioralee: neither do I, but sure, will check em out14:18
*** paul_glass has joined #openstack-barbican14:19
aleedave-mccowan, it gets as far as line 51?14:20
aleedave-mccowan, after you create the container -- what do you see for wget http://host:port/v1/containers  ?14:21
*** zz_dimtruck is now known as dimtruck14:23
aleedave-mccowan, I think you may need the project_id -- see this code from the containers controller ..14:24
aleecontainer = self.container_repo.get(14:24
alee            entity_id=self.container_id,14:24
alee            external_project_id=external_project_id,14:24
alee            suppress_exception=True)14:24
alee        if not container:14:24
alee            container_not_found()14:24
aleedave-mccowan, currently, the repo has a filter on the project_id14:26
aleethat may change in arunkant patch because the acl mechanism changes and it is no longer requested that the container be owned by the project14:26
aleeand rather the enforcement is done on the acl level.14:26
aleeso with what you have - you are looking for containers that are owned by no projects -- which gives no results14:27
dave-mccowanalee ah.  rewind back to 9:34:20.   so, i do need to write an extra validator that knows about project_id.14:27
aleeincidentally, you need suppress_exception = True otherwise no result will throw an exception and you'll never get to the next line14:28
aleeI think we'll need to adjust your validator once arunkant patches land14:29
jaosorioralee: well... keystone would still provide the X-Project header. Now, I'm not sure if the mapping or logic will actually change in barbican though.14:29
aleejaosorior, right - but right now the get query only returns those secrets and projects where your X-project == project for secret or container14:30
aleethat is the get db query14:30
aleethat will need to change because you will now be able to access some other projects secrets and containers if you have an acl.14:30
aleejaosorior, that change is in arunkant patches14:31
aleedave-mccowan, I think we will need to revisit your validator once arunkant patches land.14:31
aleedave-mccowan, in the meantime -- does the validator know anything about the external_project_id?14:31
dave-mccowanalee ok.  i was on the right track. the straight call validator does not know the project ID, but...14:32
dave-mccowanalee i can follow your validate_ca_id example:14:33
dave-mccowan        if order_type == models.OrderType.CERTIFICATE:14:33
dave-mccowan            validators.validate_ca_id(, body.get('meta'))14:33
dave-mccowan            validators.validate_container_refs(, body.get('meta'))14:33
aleedave-mccowan, yeah - lets do that14:33
aleedave-mccowan, you'll need the project_id to validate the secrets too.14:34
dave-mccowanalee or... maybe this is beyond the scope of validators, and it falls to certificate_resources to catch not-found refs.14:34
aleedave-mccowan, well - this is validating data being passed into the meta of the order request14:35
aleedave-mccowan, so you're not getting the container directly14:35
aleedave-mccowan, but rather passing a reference to it in the order meta14:35
aleeI think it makes sense to validate that reference here14:36
aleebefore issuing the order and notifying the user if the referenced container does not exist.14:36
aleewoodster_, ??14:38
dave-mccowanalee OK.  i'm headed in the right direction then.14:38
woodster_alee, hey Ade...trying to catch up14:38
aleewoodster_, hey -- we've got a bunch of work to do to try and get cert issuance to work.14:39
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type
woodster_alee, you and dave-mccowan are working that per above I take it?14:39
aleewoodster_, part of it - yes --14:40
aleewoodster_, so first up -- it would be great to get my patches for the functional tests in14:40
aleewoodster_, but there is that persistent __name__ problem14:40
jaosorioralee: I'm starting to think that the skip decorator without a reason might be the issue... Since the __name__ problem usually would relate to some issue in a decorator. On the other hand, this CR has 19 failing test cases. While this CR (in which some skips were removed)14:41
jaosoriorthere is only 9 failing test cases14:41
aleejaosorior, interesting -- let me fix the last patch and see if it passes14:42
woodster_hockeynut, have you seen that issue with functional tests in the past?14:42
woodster_alee, it has the look of an object being passed into a assert test when a function/method/class was expected?14:44
aleewoodster_, not sure - I'm trying jaosorior suggestion14:47
woodster_alee, I'm pretty sure those @testtools.skip calls need a string to print out, so @testtools.skip('foo')14:47
hockeynutwoodster_ checking...14:48
jaosoriorwoodster_, alee: Yeah, it might be that there is only a partial application of those decorators, and in that state there would be no __name__14:49
jaosoriorbut I guess that would mean that those skip decorators are not implemented correctly14:49
aleejaosorior, its a good likelihood those are the problem, given that they are the only thing really different from the other tests14:51
aleejaosorior, woodster_ sending last one to the gate now ..14:52
openstackgerritAde Lee proposed openstack/barbican: Fix some ca_id related bugs, add more functional test code
aleejaosorior, woodster_ I did not change the intermediate patches -- if this works, we know the problem is fixed by the last patch14:54
alee(saves a little merge / rebase pain hopefully)14:54
jaosorioralee: figured. Lets hope it works14:54
aleejaosorior, I'm an optimist ..14:55
aleewoodster_, assuming all that works - we should then talk about the state machine14:55
aleeand making sure the first few functional tests work14:56
aleethat means talking about substatus/ status and your patches14:56
alee(at least the parts related to status/substatus14:56
woodster_alee, yeah I was curious about your use for sub-status...I've been thinking it is only for long-lived tasks14:57
aleewoodster_, well lets say we have a cert request14:58
aleewoodster_, lets start with the simple case --- its been sent to the ca, and now we are waiting for status.14:58
aleewoodster_, I think the order should be pending -- and the substatus will be something like waiting_for_ca14:59
aleewith the relevant message14:59
aleeright now -- the order is returning ACTIVE (with no cert)14:59
aleewoodster_, I think the reason for that is line 262 in certificate_resources.py15:01
aleewoodster_, well - part of the reason - the other thing we need is the top level code in your cr15:01
woodster_alee, well the sequence is (1) create order in API node as PENDING, 2) enqueue RPC task 3) worker picks it up and processes it, 4) plugin processes initiate cert and responds back to core, 5a) core sees that the cert is ready and marks cert ACTIVE, OR 5b) core sees that cert is not yet ready, so keeps the order as PENDING and sets sub-status15:02
woodster_alee, so 5b is what my chain of CRs is looking into15:02
woodster_alee, only 5a is possible now15:02
woodster_alee, that is unless at (1) we set the sub-status info?15:02
aleewoodster_, well we could set it to something like "NOT_YET_EXECUTED"15:03
aleewoodster_, that way we know that it has not yet been picked up15:04
woodster_alee, the PENDING status is intended to tell clients that the order is not yet ready to use. The sub-status just give more info on that PENDING status. We could certainly set the sub-status at the same time PENDING is set (so when the order is created by the API node). That would mean putting logic on the POST order controller side to determine what type of15:06
woodster_order we have. Not a big deal certainly15:06
aleewoodster_, right -- so lets say  , when we set order to PENDING, we have substatus ("NOT_YET_EXECUTED")  -- that could actually be set for all Order types, right?15:08
woodster_alee, another issue I'm seeing is with proper db transactions on the worker side...we just have to be careful to support rollbacks on failed tasks, but still update the order record properly (and not have those sub-status messages rolled back too). I'll put in a CR today or tomorrow to try to iron that out. That said, we could have the worker update the15:09
woodster_order sub-status before it starts work, but again, that would have to be an independent commit to the database in case the task rolls back later.15:09
aleeor do only Cert orders have substatus?15:09
woodster_alee, for sure, we could just set the sub-status at order create time, that would work15:09
*** bdpayne has joined #openstack-barbican15:09
aleewoodster_, ok -- so lets say we do all that ..15:10
aleewoodster_, now case 5b15:10
aleewhich is I believe what is tested in my first functional test15:10
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Container negative tests
aleeright now that returns ACTIVE15:11
aleetest_create_simple_cmc_order() is going against the simple ca plugin, which just returns WAITING_FOR_CA15:12
woodster_alee, so worker processing is fast in the devstack most of the time wouldn't see that PENDING -> ACTIVE transition when polling the order record, as the worker would pick up the task and process it so quickly15:12
aleewoodster_, no -- in this case its going against the Simple CA Manager -- > which returns WAITING_FOR_CA15:12
aleeso I'm not concerned about the transient state as much as the final state15:13
aleewhich will be pending15:13
aleeits not working right now because 1) code in line 262 in is unimplemented 2) your top level code is not there yet15:14
woodster_alee, ah, so yes so until my CRs land, the order won't stay PENDING. You could return a follow on result object if you wanted to, but that won't be what you really want15:14
aleewoodster_, yeah - so maybe the thing to do is to focus on landing at least the first of your CRs and see where we are then.15:15
woodster_alee, I'm working on the last CR to that chain...minimal implementation to reschedule a retry task. Not production ready, but enough to test things out locally.15:16
woodster_alee, the next CR will have the periodic task actually pick up the retry task, enqueue it, and then retry the task15:16
aleewoodster_, do you implement line 262 in ?15:16
aleeand line 268?15:17
aleeaargh - waiting for gate tests is like watching paint dry ..15:20
jaosoriorany workflows for this? :D15:21
woodster_alee, the schedule tasks logic? Yes.  A little differently though. Code outside of certificate_resources handles setting the sub-status. Also the retry 'method' is different, as we have to go thru the's Tasks class methods for all RPC tasks enqueue. We can't call just any method on any class.15:21
redrobotjaosorior workflowed15:21
woodster_alee, the next CR I put up will (hopefully) clarify things. It will be easier to discuss things anyway15:21
aleewoodster_, ok good -- I'll be looking forward to seeing it.15:22
woodster_alee, I'm ready to get that feature off the ground!15:23
jaosoriorredrobot: yay :D15:23
aleewoodster_, me too - we're close, its just a matter of putting the pieces together15:23
aleewoodster_, there is also an issue with ca_ids that I'll need your help trying to resolve.15:24
openstackgerritMerged openstack/castellan: Start using oslo.policy
aleewoodster_, line 415 in test_repositories_certificate_authorities.py15:25
*** rellerreller has joined #openstack-barbican15:25
alee(for starters .. there are a couple other tests which depend on that underlying functionality working15:26
aleewoodster_, if you remove the skip and run the test , you will see the issues15:26
aleehaving to do with uniqueness constraints and updating records.15:26
redrobotlooks like presentation proposal results went out15:27
redrobotany barbicaneers speaking at Vancouver?15:27
aleeme, chellygel and woodster_ have one (certificate management in barbican)15:27
aleecourse we should get it working first ..15:28
redrobotalee nice!  good job guys!15:28
redrobotalee lol, true that15:28
*** bdpayne has quit IRC15:33
*** xaeth_afk is now known as xaeth15:34
aleejaosorior, woodster_ yee ha!15:38
aleejaosorior, woodster_ looks like the skips were the problem15:38
jaosorioralee: win!15:39
aleejaosorior, woodster_ redrobot  - so do I need to fix them in the intermediate patches -- or will those merge ok?15:39
jaosorioralee: gotta fix the intermediate ones. Well. As long as you fix the first one, then the rebasing should do the trick15:41
aleejaosorior, phooey -- ok - here goes ..15:41
openstackgerritAde Lee proposed openstack/barbican: Add functional tests for certificate orders
*** prometheanfire has joined #openstack-barbican16:06
*** gyee has joined #openstack-barbican16:09
*** kgriffs is now known as kgriffs|afk16:13
*** bdpayne has joined #openstack-barbican16:18
openstackgerritAde Lee proposed openstack/barbican: Fix some ca_id related bugs, add more functional test code
openstackgerritAde Lee proposed openstack/barbican: Fix CA related exceptions, and unskip relevant tests
*** zigo_ has joined #openstack-barbican16:21
*** gyee has quit IRC16:21
aleejaosorior, woodster_, redrobot - rebased changes -- hopefully these will all pass the gate16:21
zigo_Hi there! I'm about to package Barbican for Debian, but there's already a debian folder there. Could it be removed please?16:22
aleejaosorior, woodster_ redrobot - once they do, please review so we can get them in for woodster_ and dave-mccowan to work from.16:22
zigo_I'm adding a patch for review for it.16:23
redrobotzigo_ hi! the debian stuff in the barbican tree is quite stale.  We would certainly merge a patch that removes it.16:23
*** gyee has joined #openstack-barbican16:23
zigo_redrobot: Thanks. I'm doing such a patch. I'd appreciate moving fast, because that'd be blocking my package otherwise.16:24
redrobotzigo_ almost all the core reviewers hang out here, so ping me when your patch is up for review and we'll get some eyes on it.16:25
*** jkf has joined #openstack-barbican16:25
rm_workzigo_: so are you planning to maintain the debian packaging stuff externally to the barbican repo, moving forward?16:28
zigo_rm_work: Yes, in, just like the rest of OpenStack.16:28
rm_workok, just curious -- i had noticed that it wasn't present in many other projects, but it seemed useful to have it local16:29
rm_workbut makes sense to stick with the consistent option16:29
redrobotzigo_ FWIW this is the official RPM spec for Fedora
zigo_Thanks, that may be helpful indeed.16:29
*** kfarr has joined #openstack-barbican16:31
openstackgerritThomas Goirand proposed openstack/barbican: Removing the debian folder
openstackgerritMerged openstack/barbican: Imported Translations from Transifex
zigo_redrobot: rm_work: ^16:32
aleeredrobot, woodster_  jaosorior jenkins is happy16:36
aleeredrobot, woodster_ jaosorior please review16:36
*** bdpayne has quit IRC16:37
aleejaosorior, gracias!16:37
*** prometheanfire has left #openstack-barbican16:37
aleehockeynut, jvrbanac ^^16:39
jaosorioralee: no problem16:39
hockeynuthappy jenkins means happy barbicaneers!16:50
redrobotzigo_ lgtm16:57
redrobotalee jaosorior hockeynut easy 2 second review
aleeredrobot, I'll trade you for a workflow on
hockeynutredrobot ack'ed16:58
hockeynutalee one question on that one - I see the flake9 noqa...16:59
hockeynut...what was the error that you got without that?16:59
aleehockeynut, the error was "pki imported but not used"17:00
aleehockeynut, I need that to validate whether or not dogtag is present17:00
*** bdpayne has joined #openstack-barbican17:00
aleehockeynut, if so , then the dogtag test cases will run17:00
hockeynutalee ok cool.  I think you can also do "assert pki" after the import stmt then not need the noqa stuff17:01
aleeah -- ok - I can add that in a future cr17:02
aleehockeynut, there will be another one for the dogtag tests I'm running through right now shortly17:02
hockeynutalee coolness!17:02
aleehockeynut, redrobot jaosorior - dont forget
*** atiwari has joined #openstack-barbican17:04
aleehockeynut, redrobot jaosorior and
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements
aleefor which jenkins  is happy17:05
aleekfarr, thanks!17:05
kfarralee sure thing!17:05
hockeynutwhile we're at it:
redrobotwtf, how is HEAD failing pep8 ?17:09
*** darrenmoffat has quit IRC17:11
*** darrenmoffat has joined #openstack-barbican17:12
*** SheenaG has joined #openstack-barbican17:13
openstackgerritArun Kant proposed openstack/barbican: For per secret ACL support, adding db layer changes (Part 1)
openstackgerritArun Kant proposed openstack/barbican: Adding Secret ACL controller layer changes (Part 2)
openstackgerritArun Kant proposed openstack/barbican: Adding Container ACL controller layer changes (Part 3)
openstackgerritArun Kant proposed openstack/barbican: Adding policy layer changes for ACL support (Part 4)
*** bdpayne has quit IRC17:28
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type
*** SheenaG has quit IRC17:39
*** SheenaG has joined #openstack-barbican18:14
*** igueths has joined #openstack-barbican18:15
iguethsHi all.18:16
redrobotheya igueths18:16
*** woodster_ has quit IRC18:30
*** dave-mccowan has quit IRC18:37
jvrbanacredrobot, do you know if the version of hacking changed?18:38
jvrbanacredrobot, I think we're getting a few new errors because of a newer version of hacking18:39
redrobotjvrbanac not since January
redrobotjvrbanac Yeah, I saw the errors on but for the life of me I can't get flake8 to fail.  >_>18:39
redrobotjvrbanac I pulled the patch down, and it passes for me.18:40
redrobotjvrbanac tried a few different versions of hacking and it always passes in my machine :-\18:40
jvrbanacredrobot, :/18:43
jaosoriorredrobot, jvrbanac: this is getting some weird flake8 errors in the gate
jaosoriorit does fail the functionaltests, but the flake8 stuff is weird18:43
jvrbanacjaosorior, redrobot yeah, those seem to be the same errors18:43
*** everjeje has joined #openstack-barbican18:47
*** SheenaG has quit IRC18:47
*** SheenaG has joined #openstack-barbican18:51
openstackgerritDouglas Mendizábal proposed openstack/barbican: Fix pep8 gate errors
redrobotjvrbanac jaosorior not sure what the problem is, but I think this should fix it ^^18:53
jvrbanacredrobot, jaosorior, I think I know what the problem is. Give me a couple more minutes and I'll explain18:53
jaosoriorjvrbanac: O_O... ok18:54
jvrbanacredrobot, jaosorior... ok... our test requirements aren't synced... hacking should be: hacking>=0.10.0,<0.1118:56
jaosoriorjvrbanac: bummer, thought the bot would do it18:57
jvrbanacredrobot, jaosorior, apparently, the gate is forcing the updated hacking requirements when our tox job isn't18:57
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Fix flake8 issue
jvrbanacredrobot, you want to update your CR to include the change?18:57
jaosoriorjvrbanac, redrobot: apparently there was another thing where flake8 was complaining. Which is fixed in Everardo's commit ^^18:59
jvrbanacjaosorior, I'm not giving that one. I do see the other errors we were seeing19:00
jvrbanacredrobot, you gonna update your CR or do you want me to put up a CR to do that?19:12
everjejejvrbanac: I proposed My flake8 complains about H307 (like imports should be grouped together). However, I'm not sure if that rule is enforced for barbican.19:13
*** woodster_ has joined #openstack-barbican19:22
*** kfarr has quit IRC19:23
aleeredrobot, the meeting is in 30 right?19:32
*** alee is now known as alee_afk19:36
chellygelalee_afk,  yes19:47
redrobotalee_afk yeah meeting is in 10 min19:49
redrobotjvrbanac was AFK for a bit... is the gate stuff sorted out?19:49
jvrbanacredrobot, I haven't done anything with it. However, the problem is that our test-requirements aren't synced... hacking should be: hacking>=0.10.0,<0.1119:50
redrobotjvrbanac ok, let me try a sync then19:50
jvrbanacredrobot, that should replicate the issue. I was thinking you might include that in your CR with fixes19:51
redrobotjvrbanac hmmm... you know what's weird though is that this failure lists hacking 0.10.1 in the pbr freeze19:53
redrobotso it doesn't look like it's picking up hacking 0.1119:53
redrobotpypi shows 0.10.1 as the latest as well19:53
jvrbanacredrobot, yeah... it's supposed to be <0.1119:53
redrobotjvrbanac that's what I'm saying, I don't think the change to test-requirements is going to do anything19:54
redrobotjvrbanac because the gate is already using <0.1119:54
*** dave-mccowan has joined #openstack-barbican19:55
jvrbanacredrobot, sooo all I know is that when I synced the hacking entry from global-reqs and rebuilt my tox I got the errors.19:56
*** fern has joined #openstack-barbican19:57
openstackgerritMerged openstack/barbican: Fix flake8 issue
jvrbanacredrobot, perhaps something about the combination of Hacking 0.10.1 and Flake8 2.2.4 brings this stuff up.19:58
*** kfarr has joined #openstack-barbican19:59
redrobotweekly meeting starting now in #openstack-meeting-alt20:00
*** toph has joined #openstack-barbican20:01
*** toph has quit IRC20:02
*** fern has quit IRC20:04
*** rm_you|wtf has joined #openstack-barbican20:09
*** rm_you| has quit IRC20:12
*** alee_afk is now known as alee20:20
*** crc32 has joined #openstack-barbican20:22
*** crc32 has quit IRC20:23
*** crc32 has joined #openstack-barbican20:36
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type
*** xaeth is now known as xaeth_afk20:59
kfarrredrobot, I have another question about Castellan21:00
redrobotkfarr what's up?21:00
kfarrIs there anything I can do to help with the initial release?21:00
aleeredrobot, still waiting for a workflow ..21:01
arunkantredrobot, have question around castellan usage ? Do you have a minute..21:01
redrobotalee I think I got the losing end in that review trade :-P  I'll get to it today, pinky promise21:01
redrobotkfarr maybe poke cores for +workflow in the two outstanding reviews21:02
kfarrI also hoped to work on the barbican plugin for Castellan, and just wanted to make sure no one else had already started21:02
*** jamielennox|away is now known as jamielennox21:02
aleeredrobot, cool - dont forget the others in the chain.21:02
redrobotkfarr not yet.... if you want to work on it, add a BP in launchpad (no need for a barbican-spec) and assign it to yourself21:03
redrobotkfarr I can approve the BP21:03
kfarrOk thanks redrobot!21:04
elmikoredrobot: looking at the comments in the 165884 review, have you considered using something like nova's tox genconfig for the sample castellan.conf file?21:04
elmikowe just followed their style and removed the sahara.conf sample from our tree in favor of the genconfig approach21:04
elmiko(not suggesting that the review needs it, just something to consider)21:05
redrobotelmiko not familiar with genconfig... definitely sounds like a useful tool though21:05
elmikoredrobot: basically `tox -egenconfig` will generate a config file, there is a command in the tox.ini but you can see it in nova's repo21:06
elmikowe had many issues keeping the conf file current in the repo, we moved towards recommending folks just generate their own with tox instead of keeping it in the repo21:06
elmikojust a heads up21:07
redrobotthat sounds like a way better approach21:07
redrobotI know jvrbanac had a fun time chasing down all the options last time he updated the in-tree conf for barbican21:08
redrobotarunkant what's your question on Castellan?21:08
*** rellerreller has quit IRC21:13
*** kfarr has quit IRC21:18
*** tkelsey has quit IRC21:24
*** tkelsey has joined #openstack-barbican21:26
arunkantredrobot, has question on how castellan is expected to be integrated with openstack service ?21:29
arunkantkfarr, looks like kfarr is adding plugin for barbican client. So there are going to be plugins developed for kmip as well?21:30
redrobotCastellan provides a consistent interface for people who can't integrate with Barbican directly.  The scenarios we've thought of could be:21:33
redrobot1) I need key management in a cloud where there is no barbican21:33
redrobot2) I need key management to be done by a specific device21:34
redrobotKMIP would fall into 2, where the deployer can't use barbican, but still has to provide key management.21:35
redrobotafaik, nobody has signed up to do the KMIP implementation of Castellan.21:35
redrobotfor the actual usage of Castellan,21:36
redrobotthe service would need to add a [key_manager] section to the config file21:36
redrobotapi_class =
redrobotin the code, you call castellan.key_manager.API()21:37
redrobotand that returns an instance of the configured class.21:38
openstackgerritMerged openstack/barbican: Add functional tests for certificate orders
openstackgerritJohn Vrbanac proposed openstack/barbican: Adding more content to the api reference for secrets
openstackgerritCharles Neill proposed openstack/barbican: Security tests for Consumer resources
*** tkelsey has quit IRC21:57
*** ccneill has joined #openstack-barbican21:58
zigo_I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix.21:59
zigo_The signing_dir directive should never be set to /tmp like this.21:59
zigo_Best is to simply remove the directive.21:59
zigo_I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words... :)21:59
rm_workredrobot: I think maybe also "I need some intermediary layer between my app and Barbican" could be an interesting one, but not sure of the implications... that was where something like certmonger could go, I think22:00
redrobotzigo_ interesting22:01
ccneillif anyone has a moment to review some security tests I just pushed a new version of test_consumers, integrating the feedback I've gotten so far22:02
redrobotccneill did you see zigo_ 's comment above?22:02
ccneillabout to check out the ini now to see what's going on22:03
zigo_redrobot: What are you referring to?22:03
redrobotzigo_ ccneill is one of our security guys... I thought he'd be interested in your signing_dir comment22:03
zigo_Oh ok.22:03
zigo_(got confused because I thought you were talking at me...)22:04
zigo_Also, I have found that barbican-api uses uwsgi to start.22:08
zigo_But I haven't found this in Debian.22:08
zigo_Or is it /usr/bin/uwsgi-core?22:08
redrobotzigo_ uwsgi is not required to run barbican per se22:09
redrobotzigo_ Rackspace is deploying Barbican with uwsgi, which is why a lot of stuff references uwsgi22:09
zigo_redrobot: So I can just run barbican-api just like I am running nova-api?22:10
redrobotzigo_ Barbican is a regular WSGI app though, so it could be deployed with any server22:10
zigo_redrobot: Like it's done with Keystone?22:10
morganfainbergzigo_, uwsgi requires some minor changes from mod_wsgi, but yes22:11
morganfainbergzigo_, in liberty i hope to have keystone supporting uwsgi (should be easy) as well.22:11
redrobotzigo_ I haven't dug into how other projects host the wsgi app, but we have talked about adding a simpler run script that can use something like paste.http so that we remove uwsgi from our repo completely22:12
zigo_Here's what keystone does:22:13
zigo_redrobot: morganfainberg: So, am I right that Barbican doesn't include an HTTP server then?22:14
zigo_And that using a 3rd party tool is mandatory?22:14
zigo_This doesn't seem the case for all daemons.22:15
redrobotzigo_ correct... if debian/openstack convention is to use httpd as in Keystone, we could add those bits.22:15
zigo_redrobot: For the moment, absolutely all OpenStack daemons are including an HTTPD server, yes.22:16
zigo_redrobot: Though we're moving toward removing this feature and switch to WSGI instead. But in that case, you'd at least provide a .wsgi file, AFAIK.22:17
*** dimtruck is now known as zz_dimtruck22:17
zigo_For the moment, I believe shipping an HTTPD server is the thing everyone does.22:17
redrobotzigo_ I see... we have a plain WSGI app now, and we use Paste to wrap it in keystone-middleware for auth22:18
arunkantalee, there?22:24
zigo_I'm not sure what to do for the barbican-api startup then... :/22:24
aleearunkant, sorry - in a meeting22:25
zigo_Is Barbican on its way to leave incubation?22:26
zigo_What's the status?22:26
arunkantalee, okay. please ping me when you have time. Have question on unique constraint around acl data, you mentioned that in your review comment as well22:26
redrobotzigo_ incubation isn't a thing anymore... we're in "official openstack project" status, but we have no tags, and until new tags are defined, we'll continue to not have any tags since "integrated" tag can't be given to new projects. :-\22:27
arunkantalee, updating model so want to check if unique constraint is really needed. I can address part of model change.22:27
zigo_redrobot: Does it mean you're having release at the same time as everyone, and security support already?22:28
*** SheenaG has quit IRC22:28
*** igueths has quit IRC22:28
redrobotzigo_ I think currently it just means we don't have to go through the "official openstack project" application.   We've been releasing at the same time as the rest of OpenStack for two cycles now, and we'll be releasing Kilo at the same time as everyone else.22:29
redrobotzigo_ I'm not sure "security support" is a thing anymore either.22:29
redrobotzigo_ all cross-cutting teams (docs, security, etc) are moving from actively being involved in the project to being providers of tools22:30
zigo_redrobot: Security support means you'll have to produce N months of stable release maintenance and security fixes backport.22:30
zigo_Like, 15 months for Icehouse for example ...22:30
zigo_And embargoed security announces + management ...22:31
redrobotzigo_ oh, then yes, Juno is the first release for which we're providing maintenance22:31
*** kgriffs|afk is now known as kgriffs22:31
zigo_Ah, cool! :)22:31
zigo_So then, my last issue is this thing ...22:31
zigo_If you can provide an HTTPD server for it, and I just need to run barbican-api, then I'm done with the packaging! :)22:32
redrobotzigo_ I may be able to do that... gotta check with mgmt to make sure I get time for that, so it may take me a few days (or a weekend if mgmt doesn't give me time)22:33
zigo_Ok, great. Just ping me then.22:33
*** ccneill has quit IRC22:34
zigo_One more very annoying thing...22:34
zigo_in etc/barbican/barbican-api.conf, there's this:22:34
zigo_#sql_connection = sqlite:///barbican.sqlite22:34
zigo_# Note: For absolute addresses, use '////' slashes after 'sqlite:'22:34
zigo_# Uncomment for a more global development environment22:34
zigo_sql_connection = sqlite:////var/lib/barbican/barbican.sqlite22:34
zigo_It's very annoying to have twice some valid sql_connection directives.22:35
zigo_Please remove the commented out one ...22:35
zigo_Can I send this for review?22:36
redrobotzigo_ sure, if it helps your package effort it's fair game.22:36
*** SheenaG has joined #openstack-barbican22:43
openstackgerritChelsea Winfree proposed openstack/barbican: Adding more detail to the secrets quickstart guide.
*** paul_glass has quit IRC22:53
*** crc32 has quit IRC22:53
openstackgerritThomas Goirand proposed openstack/barbican: Makes configuration files more standard
zigo_There we go... :)22:57
*** SheenaG has left #openstack-barbican23:03
openstackgerritDouglas Mendizábal proposed openstack/barbican: Fix pep8 gate errors
*** chlong has joined #openstack-barbican23:31
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Catch UnicodeEncodeError, avoiding unwanted HTTP 500 error
*** zz_dimtruck is now known as dimtruck23:41
*** jaosorior has quit IRC23:42
openstackgerritChelsea Winfree proposed openstack/barbican: Adding more detail to the secrets quickstart guide
*** jkf has quit IRC23:47
