Thursday, 2015-03-26

*** tkelsey has joined #openstack-barbican00:10
*** tkelsey has quit IRC00:14
*** gyee has quit IRC00:16
*** woodster_ has quit IRC00:40
*** woodster_ has joined #openstack-barbican00:42
*** kgriffs is now known as kgriffs|afk01:19
*** alee_afk is now known as alee_01:42
*** kgriffs|afk is now known as kgriffs02:20
*** kgriffs is now known as kgriffs|afk02:29
*** zz_dimtruck is now known as dimtruck03:13
*** tkelsey has joined #openstack-barbican03:22
*** tkelsey has quit IRC03:27
*** SheenaG has joined #openstack-barbican03:59
*** xaeth_afk is now known as xaeth04:02
*** xaeth is now known as xaeth_afk04:03
*** everjeje has joined #openstack-barbican04:03
*** SheenaG has quit IRC04:04
*** dimtruck is now known as zz_dimtruck04:32
openstackgerritAdam Harwell proposed openstack/barbican: Use the new Devstack external plugin method
rm_workredrobot: ^^
rm_workredrobot: makes devstack a lot easier05:55
rm_workwoodster_ / alee / hockeynut / jvrbanac ^^ comments welcome, pretty much just a reshuffle of the existing scripts05:56
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex
*** kebray has quit IRC06:14
*** jamielennox is now known as jamielennox|away06:16
openstackgerritAdam Harwell proposed openstack/barbican: Use the new Devstack external plugin method
*** chlong has quit IRC06:45
*** tkelsey has joined #openstack-barbican07:46
*** everjeje has quit IRC07:46
*** everjeje has joined #openstack-barbican07:54
*** rm_you| has quit IRC07:59
*** jaosorior has joined #openstack-barbican08:01
*** rm_work is now known as rm_work|away08:03
*** woodster_ has quit IRC08:20
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Add utf-8 decoding for Content-Type
*** gitorres has joined #openstack-barbican09:45
*** gitorres has left #openstack-barbican09:45
*** jorge_munoz has quit IRC10:06
*** jorge_munoz has joined #openstack-barbican10:14
*** alpha_ori has quit IRC11:18
*** nickrmc84 has joined #openstack-barbican11:18
*** nkinder_ has joined #openstack-barbican11:18
*** alpha_ori_ has joined #openstack-barbican11:18
*** alpha_ori_ is now known as alpha_ori11:18
*** mordred_ has joined #openstack-barbican11:20
*** jenkins-keep has quit IRC11:25
*** chlong has joined #openstack-barbican11:26
*** nkinder has quit IRC11:30
*** nickrmc83 has quit IRC11:30
*** dhellmann has quit IRC11:30
*** mordred has quit IRC11:30
*** anteaya has quit IRC11:30
*** xaeth_afk has quit IRC11:30
*** mordred_ is now known as mordred11:30
*** dhellmann has joined #openstack-barbican11:33
*** xaeth_afk has joined #openstack-barbican11:33
*** anteaya has joined #openstack-barbican11:39
*** woodster_ has joined #openstack-barbican12:15
*** zz_dimtruck is now known as dimtruck12:28
*** alee_ has quit IRC12:49
*** alee has quit IRC12:49
*** alee has joined #openstack-barbican13:02
-openstackstatus- NOTICE: gerrit stopped emitting stream events around 11:30 utc and has now been restarted. please recheck any changes currently missing results from jenkins13:11
*** nkinder_ has quit IRC13:21
*** alee has quit IRC13:35
*** nickrmc84 has quit IRC13:42
*** nickrmc83 has joined #openstack-barbican13:43
*** paul_glass has joined #openstack-barbican14:04
*** rm_work|away is now known as rm_work14:08
*** nkinder has joined #openstack-barbican14:25
*** kebray has joined #openstack-barbican14:26
*** kgriffs|afk is now known as kgriffs14:31
*** kebray has quit IRC14:39
*** mdarby has joined #openstack-barbican14:43
*** tkelsey has quit IRC14:44
*** kebray has joined #openstack-barbican15:00
*** rm_mobile has joined #openstack-barbican15:10
rm_mobileAnyone have ideas about how to be codependent on an infra config change?
rm_mobileI guess maybe I should ask infra :P15:19
*** kgriffs is now known as kgriffs|afk15:25
*** xaeth_afk is now known as xaeth15:27
openstackgerritEverardo Padilla Saca proposed openstack/barbican: Catch UnicodeEncodeError, avoiding unwanted HTTP 500 error
*** kebray has quit IRC15:31
*** kgriffs|afk is now known as kgriffs15:35
*** gyee has joined #openstack-barbican15:36
*** dimtruck is now known as zz_dimtruck15:39
chellygelwould love some quick stat boosting reviews on my docs changes o/15:39
*** nickrmc83 has quit IRC15:40
reaperhulkand asked a question on the second one15:41
*** zz_dimtruck is now known as dimtruck15:41
*** nickrmc83 has joined #openstack-barbican15:42
chellygelreplied, basically -- javascript was in the doc previously as per jvrbanac's initial change15:43
chellygeli've used bash in the other doc15:43
chellygelnot sure what it should be for this code block example15:43
openstackgerritJohn Wood proposed openstack/barbican: Restore worker tasks processing catching exceptions
jvrbanacreaperhulk, chellygel, yeaahh that was copy-pasta from the other rst docs. It sorta made sense because it syntax highlighted the json correctly lol15:44
reaperhulkso...let's change that15:47
reaperhulk"none" might be all we want here15:48
reaperhulkotherwise you can check the pygments lexer list
jvrbanacreaperhulk, for that one yeah I guess none would be best. I'll toss together a CR to change the others15:51
chellygelno jvrbanac i'll take care of it15:53
chellygelsame cr15:53
chellygelits a minor line change15:53
jvrbanacchellygel, I meant for the ones not in your cr15:53
chellygeli know15:53
chellygelits the same file15:53
chellygelaka im about to push up the change15:53
chellygeli will leave itt set to json for the Metadata Response because it is json15:54
jvrbanacchellygel, ok.15:54
chellygeland the request for post15:54
openstackgerritChelsea Winfree proposed openstack/barbican: Completing secret reference documentation
chellygel^ plz re review15:56
woodster_chellygel, jvrbanac for I see there is mention of PUT-ing to the 'payload' resource. I believe we are only doing GETs from 'payload' now.16:02
*** rm_mobile has quit IRC16:04
openstackgerritMerged openstack/barbican: Adding more detail to the secrets quickstart guide
*** xaeth is now known as xaeth_afk16:13
*** rm_mobile has joined #openstack-barbican16:18
*** rm_mobile has quit IRC16:18
*** rm_mobile has joined #openstack-barbican16:18
*** jkf has joined #openstack-barbican16:21
chellygelwoodster_, jvrbanac should i remove that section then?16:22
*** rm_mobile| has joined #openstack-barbican16:22
*** kebray has joined #openstack-barbican16:23
*** rm_mobile has quit IRC16:23
*** rm_mobile| is now known as rm_mobile16:23
woodster_chellygel, jvrbanac I'd say yes. I only see GET supported here for example:
chellygelalright, i will remove it and push here in a sec16:28
*** ccneill has joined #openstack-barbican16:30
*** chlong has quit IRC16:31
woodster_chellygel, thanks! In retrospect it would have been nice to support PUT payload...easier to remove from docs than to add to code at this point...16:32
woodster_just curious if anyone has used docker to setup the entire barbican network (so queues and workers too)?16:33
openstackgerritChelsea Winfree proposed openstack/barbican: Completing secret reference documentation
chellygel^ woodster_16:34
woodster_chellygel, thanks for that rock. But I'd like a rock without line #365 please. :)  Sorry I didn't spot that earlier, but that payload resource only supports decryption...for getting the metadata you have to use GET on secrets still.16:37
openstackgerritMerged openstack/barbican: Imported Translations from Transifex
chellygelwhat on 36516:38
woodster_chellygel, that line just needs to be removed16:40
chellygelapplication/json - Returns secret metadata16:40
openstackgerritChelsea Winfree proposed openstack/barbican: Completing secret reference documentation
woodster_only payload decryption is supported16:41
chellygelwoodster, this rock has your name on it16:41
chellygeli dont mind playing hte rock game16:42
chellygelgood and accurate docs are critical for us16:42
woodster_chellygel, that rock rocks! +216:42
chellygelthanks woodster!16:42
chellygelif i could get a few others to push that a long, i would be most appreciative -- its just a small 60 line doc change16:42
chellygelwith tables! not huge paragraphs!16:43
woodster_chellygel, well if it lowers the frustration level from folks using Barbican that's awesome. Glad you all are updating those things...are we close to being able to obsolete that cloudkeep wiki API page then?16:43
chellygeli wouldnt say so yet16:43
chellygelwe still have a lot of ground to cover16:43
chellygelthis was just secrets, not orders or containers16:43
chellygeli think the quickstart guide could use a lot more details also16:44
chellygelbut we are definitely closer in that regard!16:44
woodster_chellygel, yeah and there are new features that are not documented either. Chipping away at it all though16:44
*** kebray has quit IRC16:51
rm_mobileAny objections to switching devstack methods?16:54
*** jkf has quit IRC16:54
*** jkf has joined #openstack-barbican16:58
redrobotrm_mobile I would just ask to make sure this isn't going to break the client devstack gate16:58
rm_mobileIt'll break any dsvm gate checks until they're updated16:59
woodster_could we put this off until RC1 is cut? I think it would require rebasing a lot of pending FFE CRs17:00
*** arunkant_ has joined #openstack-barbican17:00
*** kgriffs is now known as kgriffs|afk17:00
*** tkelsey has joined #openstack-barbican17:01
*** xaeth_afk is now known as xaeth17:06
*** kgriffs|afk is now known as kgriffs17:07
*** gyee has quit IRC17:07
*** kgriffs has left #openstack-barbican17:09
arunkant_jaosorior, replied to your comments on . Can you please look and accordingly I will make the change later.17:13
*** darrenmoffat has quit IRC17:15
*** darrenmoffat has joined #openstack-barbican17:16
*** alee has joined #openstack-barbican17:25
aleewoodster_, ping17:25
woodster_alee, howdy17:34
aleewoodster_, howdy17:38
aleejust going through the functional tests17:38
aleewoodster_, I have it all running with your CRs and just going through making sure the state machine sets things correctly17:39
woodster_do you mean the sub-status stuff, or the retry stuff?17:40
aleewoodster_, just wanted to confirm with you.  In the case where we want to terminate the order in an error state, we simply need to throw an excecption.  It looks like for the most part,17:41
aleethe error status and message is set by the handling of the exception17:41
aleeand we don't have to set it explicitly17:41
woodster_alee, that's correct, but this CR needs to land to make that work correctly:
woodster_alee, so the sub-status stuff should only be used if the order needs to stay PENDING after a task completes17:42
woodster_redrobot, jvrbanac can you guys take a look at this one too? Just restores the worker-side no-rollback flow from before17:43
aleeanyways - with your current crs, it looks like the error_status and error_status_message are being set17:43
*** everjeje has quit IRC17:56
*** ccneill has quit IRC18:06
arunkant_alee, redrobot, rm_work and other barbicaneers..can you guys review ACL related changes. There are 5 related changes and clearly needs your attention for reviews especially on part 2, 3, 4, 518:12
rm_mobileWoodster_: oh yeah, no rush. Just want to make sure people are cool with the direction, and try to figure out how to cogate with the infra change if possible18:13
*** gyee has joined #openstack-barbican18:16
*** jkf has quit IRC18:17
*** jkf has joined #openstack-barbican18:21
*** gyee has quit IRC18:24
*** jkf has quit IRC18:25
*** jkf has joined #openstack-barbican18:26
*** gyee has joined #openstack-barbican18:28
chellygelif anyone has a workflow:
openstackgerritMerged openstack/barbican: Add utf-8 decoding for Content-Type
*** igueths has joined #openstack-barbican18:46
*** ccneill has joined #openstack-barbican18:48
*** nickrmc83 has quit IRC18:53
*** nickrmc83 has joined #openstack-barbican18:53
openstackgerritMerged openstack/barbican: Completing secret reference documentation
openstackgerritCharles Neill proposed openstack/barbican: Security tests for Container resources
*** crc32 has joined #openstack-barbican19:17
openstackgerritDouglas Mendizábal proposed openstack/python-barbicanclient: Consolidate Payload Exceptions
*** crc32 has quit IRC19:19
*** rellerreller has joined #openstack-barbican19:20
*** rm_mobile has quit IRC19:23
*** crc32 has joined #openstack-barbican19:30
woodster_rm_mobile, hockeynut A devstack question please. If I want to have another process running along with the current uwsgi one, can I just add a line to the start_barbican() function here?:
*** xaeth is now known as xaeth_afk19:37
*** ccneill has quit IRC19:40
rm_workI believe so19:43
rm_workscreen_it barbican2 "secondprocess start command"19:44
rm_workso, stop_barbican is lulzy because "killall -9 uwsgi"19:44
rm_workand who knows if we're the only uwsgi process on the machine19:44
rm_worklittle bit rude :P19:44
*** xaeth_afk is now known as xaeth19:45
woodster_rm_work oh yeah that is low brow for sure19:47
woodster_rm_work, I haven't done much with docker locally the newest/easiest way now?19:48
*** openstackgerrit has quit IRC19:52
*** openstackgerrit has joined #openstack-barbican19:52
woodster_alee, btw I make comments to yours on this CR:
woodster_redrobot, do you know if the tox -e pep8 checks have changed? I see passes on my local machine that fail in the gate19:56
redrobotwoodster_ try recreating your env.  (tox -r -e pep8)   since we did change the version of hacking in test-requirements.txt19:56
chellygelhey alee, woodster_  hoping to set up time with the both of you to discuss initial steps for our OpenStack talk -- alee when is a good day for you next week? Monday or Tuesday maybe?19:56
woodster_redrobot, ah got it, thanks!19:57
chellygeli was thinking we would do a google hangout session to chat about it19:57
aleechellygel, tuesday is probably better for me19:57
woodster_chellgel, that works for me. I'll be out mid afternoon on Monday and we just have to steer around Tuesday planning stuff19:57
chellygelhow about 4pm EST ? alee woodster_ ?19:58
chellygel3 CST for us19:58
aleechellygel, you picked the one time when I have a meeting on tuesday19:58
chellygelhmm what about wednesday?19:59
aleechellygel, wed is open for me19:59
chellygelWednesday at say 2:30 EST19:59
chellygelwoodster_,  is that okay?19:59
woodster_chellygel, is that an April Fools joke??? That works for me20:00
chellygelpreferred email alee ?20:01
chellygelsent! :)20:02
chellygelthanks guys20:02
chellygeli scheduled it for 30 min, but im open until 3:30 your time20:02
rm_workwoodster_: dunno, I just use RAX VMs for devstack, generally faster and more portable (especially since I run OSX, so no docker for me)20:30
*** xaeth is now known as xaeth_afk20:32
*** ccneill has joined #openstack-barbican20:37
*** rellerreller has quit IRC20:38
*** xaeth_afk is now known as xaeth20:42
openstackgerritThomas Dinkjian proposed openstack/python-barbicanclient: Negative tests for orders
reaperhulkrm_work: boot2docker makes it so you can use docker without even knowing you're actually running it inside a VM20:49
rm_workhmm, will check that out20:50
openstackgerritJohn Wood proposed openstack/barbican: Allow business logic and plugins to retry tasks
rm_workoh god it is auto-running Terminal20:52
rm_workwhich is so f'ed on my system T_T20:52
woodster_reaperhulk, are you running devstack from within docker?20:56
reaperhulkI make it a point to never run devstack20:56
reaperhulkSo, no20:56
woodster_ugh tox -r does not rebuild my tox env apparently....rm -rf .tox/ does :)21:00
openstackgerritSteve Heyman proposed openstack/barbican: Add ability to run secrets tests in parallel
rm_workwoodster_: err wat21:01
hockeynutjvrbanac jaosorior chellygel and anyone else - would love some comments on
woodster_rm_work, yeah I've been trying to figure out why local pep8 runs differently than the gate. redrobot mentioned hacking was updated. But even after -r I was still getting success. Rm the .tox folder finally got my local pep8 in line.21:02
rm_work`tox -r` should not fail :/21:02
openstackgerritJohn Wood proposed openstack/barbican: Restore worker tasks processing catching exceptions
rm_workwoodster_: the best part about the devstack change I put up: it could never merge, and as long as I rebase it, I can already use it :)21:04
woodster_rm_work, oh you mean for local devstack checking?21:05
rm_workwe're about to start using it for our Octavia devstack testing21:06
rm_worksince the enable_plugin line allows us to specify the changeref21:06
woodster_rm_work sounds interesting21:10
rm_workyeah, simplifies things a bit21:12
woodster_alee regarding the naming of that new dict 'barbican_meta_dto' passed into certificate methods. I'd like to change that to something like 'extended_meta_dto' or some such, to distinguish from the private barbican-core related metadata. I'm referring to line #86 in of
aleewoodster_, yeah - I'm fine with that21:19
*** mragupat has joined #openstack-barbican21:19
*** jamielennox|away is now known as jamielennox21:21
jvrbanacDoes anyone remember why we used "name" in secret_refs for a container?21:23
jvrbanacwoodster_, redrobot, alee ^21:23
redrobotjvrbanac you mean, why is it a name-> ref mapping instead of just a list of refs?21:24
aleejvrbanac, private_key, public_key, passphrase21:24
jvrbanacredrobot, no. Like why is it called name? it's really a type21:24
jvrbanacIt feels like a type atleast21:25
redrobotjvrbanac I'm not sure what you're talking about then.  What is called "name"?21:25
redrobotjvrbanac IIRC containers have both a "name" and a "type"21:26
aleejvrbanac, I suppose in this case for rsa containers or for certs21:26
aleebut they really are just all secrets21:26
aleeand the idea was to support containers as generic collections of secrets21:27
redrobotjvrbanac Oh I think I understand your question now.21:27
jvrbanacI think I phrased my question wrong. In a container we have a list attribute called secret_refs. with in that list there are dicts with two attributes name and ref21:27
jvrbanacwhy is it called name?21:28
redrobotand for a generic container, you get to provide the "name"21:28
redrobotno idea why...  I think of Containers as dicts, so maybe "key" would have been better ?21:28
jvrbanacWell, as I'm writing this doc, I was just thinking about the use case here. The way we do rsa and certificate containers makes it feel like it's a specified type21:29
jvrbanacit just feels weird21:30
jvrbanacI've never noticed it until now lol21:30
aleejvrbanac, thats a specific use case .  I also might want to group all my passwords together in a generic container21:30
aleejvrbanac, and then I might have "netflix", "bank", bitcoin_vault", ...21:31
jvrbanacalee, ah21:31
aleein that case, its not a "type"21:31
jvrbanacSo it does make sense for a generic container... perhaps we should consider making the restricted cases like rsa and certificate use a different attribute21:32
redrobotjvrbanac ugh... I'd hate to have different ways to access secret refs depending on the content type :-\21:33
redrobotsomething to think about for v2 I guess...21:33
jvrbanacyeah...I never thought about it until I'm having to write docs about what this thing does... lol!21:35
*** mdarby has quit IRC21:38
openstackgerritDouglas Mendizábal proposed openstack/python-barbicanclient: Don't ignore payload_content_encoding if set
rm_workjvrbanac: yeah it is name because they are named secrets in a container21:44
rm_workjvrbanac: Cert and RSA containers just have "mandatory names"21:45
rm_workwhy would it need to work differently?21:45
*** ccneill has quit IRC21:48
jvrbanacrm_work, well, it's more of the fact that when they're mandatory, they are treated as types of secrets. Unlike in a generic case where it's just random metadata for the ref. It's the two major different functionalities out a common field. It's just weird to document.21:49
jvrbanacrm_work, when I write docs, I try to come from a "I've never worked with barbican before" mindset. Hense why I was asking the question about why "name" when it looks like a "type"21:52
rm_workit's not strictly a type21:54
rm_workbut i guess i could see how it would look that way21:54
rm_worki mean21:54
rm_workfor CertRef21:55
rm_workerr CertContainer21:55
rm_workare both "certificates"21:55
redrobotjvrbanac rm_work  I actually had a conversation with someone new to Barbican about this very thing...!topic/cloudkeep/nscNOcKUjGQ21:55
rm_workredrobot: yeah the confusion there is that someone wrote a bad example21:56
redrobotrm_work keep scrolling dude!21:56
rm_workredrobot: if those had been three different secret refs, i don't think he would have been confused21:56
redrobotrm_work scroll about halfway down, to Generic vs RSA containers21:56
rm_work"But still my question is that why are we providing the name as private_key , public_key and private_key_passphrase for the same secret reference despite the fact that the secret_ref can only refer to any one of the key type (ie private_key , public_key and private_key_passphrase )."21:57
rm_workerr nm that's a quote21:57
rm_workyeah ok21:57
*** mragupat has quit IRC21:57
redrobotWhat is the importance of RSA type containers holding 3 secrets since we could use generic containers which holds multiple secrets .21:57
redrobotAre the secrets in RSA type containers logically connected or  they used for the single client.21:57
redrobotCould you please give an example of Generic Secret so that it helps me to understand the difference between Generic and RSA type containers21:57
rm_workthe answer is "there is no importance of the RSA type, except for systems that want a contract"21:57
rm_workotherwise yeah he could use a generic container and do the same thing21:58
rm_workit's for service contracts21:58
*** mragupat has joined #openstack-barbican21:58
openstackgerritDouglas Mendizábal proposed openstack/python-barbicanclient: Consolidate Payload Exceptions
jvrbanacrm_work, redrobot it's nothing to worry about in the near-term, but one day, it might be worthwhile to spend some time on the API thinking about UX.22:03
jvrbanaci.e. the eventual progression of an api ;)22:03
redrobotjvrbanac I agree... we need to start a list of grievances with the current API, and once we've spent some time kicking v1 around we can start thinking about v222:04
* redrobot thinks it's hard to get things right on the first try22:04
jvrbanaclol yeah22:04
*** tkelsey has quit IRC22:06
*** paul_glass has quit IRC22:06
*** nkinder has quit IRC22:11
*** xaeth is now known as xaeth_afk22:11
*** igueths has quit IRC22:15
*** kebray has joined #openstack-barbican22:16
*** dimtruck is now known as zz_dimtruck22:28
*** ccneill has joined #openstack-barbican22:33
openstackgerritCharles Neill proposed openstack/barbican: Security tests for Container resources
*** mragupat_ has joined #openstack-barbican22:52
*** mragupat has quit IRC22:55
*** mragupat_ has quit IRC22:57
*** jaosorior has quit IRC23:12
*** rm_you has joined #openstack-barbican23:26
*** arunkant_ has quit IRC23:26
openstackgerritSteve Heyman proposed openstack/barbican: Add ability to run secrets tests in parallel
*** chlong has joined #openstack-barbican23:33
*** jkf has quit IRC23:40
woodster_jvrbanac, redrobot, rm_work: FWIW, I've added comments about the container/secrets names/types to the L etherpad here:

Generated by 2.14.0 by Marius Gedminas - find it at!