Monday, 2015-04-13

*** jamielennox|away is now known as jamielennox00:06
*** woodster_ has joined #openstack-barbican00:22
*** igueths has joined #openstack-barbican01:23
iguethsjvrbanac: Ping.01:23
*** zz_dimtruck is now known as dimtruck02:21
*** kebray has joined #openstack-barbican02:50
*** woodster_ has quit IRC03:20
*** woodster_ has joined #openstack-barbican03:47
*** crc32 has joined #openstack-barbican03:54
*** crc32 has quit IRC03:58
*** rm_you has quit IRC04:08
*** rm_you has joined #openstack-barbican04:12
*** rm_you has joined #openstack-barbican04:12
*** rm_work|away is now known as rm_work04:17
*** gitorres has quit IRC05:02
*** gitorres has joined #openstack-barbican05:03
*** dimtruck is now known as zz_dimtruck05:24
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex
*** dave-mccowan has joined #openstack-barbican06:30
*** dave-mccowan has quit IRC06:34
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Sign CSRs issued in SnakeOilCA tests
*** jaosorior has joined #openstack-barbican07:02
*** kebray has quit IRC07:10
*** jamielennox is now known as jamielennox|away07:11
*** chlong has quit IRC07:25
openstackgerritDave McCowan proposed openstack/barbican: Fix handling of payload_content_encoding for orders
*** woodster_ has quit IRC07:40
*** jamielennox|away is now known as jamielennox09:02
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Enable alternate error message for OpenSSL 1.0.2
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Enable alternate error message for OpenSSL 1.0.2
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Enable alternate error message for OpenSSL 1.0.2
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Sign CSRs issued in SnakeOilCA tests
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Initial setup for command line tests
*** jamielennox is now known as jamielennox|away12:12
jaosoriorhockeynut: I didn't really get the comment in
jaosorior* hockeynut_12:31
hockeynut_the test for openssl version would give the wrong string if openssl was at v 1.0.20 right (since 1.0.2 is in 1.0.20)12:32
hockeynut_(wonder why I'm "away")12:32
jaosoriorwell, I then it would be valid, since the change applies for 1.0.2 and above12:33
hockeynut_ah yes, I was thinking 102 and below.  Not enough caffiene this morning :-)12:34
jaosoriorhockeynut_: I know the feel :P12:42
*** jroll has quit IRC12:50
*** jroll has joined #openstack-barbican12:50
*** zz_dimtruck is now known as dimtruck12:52
*** therve has joined #openstack-barbican12:53
therveJust opened #1443436, client seems to be broken13:00
therveShould 5ed2e70f9f38e46c5af36d1e9c4eb4e24568bc5a be reverted?13:00
*** openstackgerrit has quit IRC13:00
*** openstackgerrit has joined #openstack-barbican13:03
*** dimtruck is now known as zz_dimtruck13:17
*** woodster_ has joined #openstack-barbican13:33
*** zz_dimtruck is now known as dimtruck13:54
*** nkinder has joined #openstack-barbican14:05
*** dave-mccowan has joined #openstack-barbican14:09
*** paul_glass has joined #openstack-barbican14:23
*** rellerreller has joined #openstack-barbican14:31
jaosoriortherve: let's see14:33
*** igueths1 has joined #openstack-barbican14:35
jaosoriorhockeynut_: ping14:39
hockeynut_jaosorior yessir14:44
*** xaeth_afk is now known as xaeth14:44
jaosoriorhockeynut_: I responded to your comment in this CR got a strong opinion about that? Actually I prefer the way it was written14:45
hockeynut_jaosorior nope, not a strong opinion on that one.  I can live with it as-is and will not lose any sleep14:46
jaosoriorhockeynut_: alright14:46
jaosoriortherve: are you around14:46
thervejaosorior, Yep14:47
jaosoriorare you using barbican with the unauthenticated-context?14:47
therveHow would I know?14:48
therveI'm using whatever is in devstack by default14:48
*** darrenmoffat has quit IRC14:50
jaosoriortherve: I see14:50
jaosoriortherve: alright, just asking. I'm looking into the issue you reported14:50
thervejaosorior, Is it about having the endpoint in the environment?14:51
jaosoriortherve: we used to rely on a call to "session.getsession" to populate the endpoint if it wasn't provided14:52
jaosoriortherve: the commit hash that you pointed out removed that, and now there is that error14:53
jaosoriortherve: So I'm figuring out if this new adapter should have handled that, or if we need a similar call again14:53
jaosoriortherve: Anyway, will take care of it, thanks for finding this out14:53
thervejaosorior, I believe at least one of the issue is that the endpoint default to ''14:55
jaosoriortherve: Indeed, and we used to rely that if the endpoint was None or '', we would let the keystoneclient populate it14:55
therveRight, now the code believes it's set but it's not14:56
jaosoriortherve: exactly14:57
thervejaosorior, FWIW seems to be a possible solution14:58
therveNeed to check post too14:58
jaosoriorwas thinking of using the adapter's get_session function14:59
*** rellerreller has quit IRC15:00
therveHum yeah I don't know about that :)15:03
*** dave-mccowan has quit IRC15:10
jaosoriortherve: testing this at the moment
*** darrenmoffat has joined #openstack-barbican15:11
jaosoriortherve: but I seem to be missing something15:12
thervejaosorior, Yeah it's not managing the /v1 part of the URL15:12
jaosoriortherve: yeah, just noticed it15:13
*** dimtruck is now known as zz_dimtruck15:17
igueths1jvrbanac: Ping.15:20
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Use keystoneclient to get endpoint if it's empty
jaosoriortherve: fixed15:20
*** kebray has joined #openstack-barbican15:20
thervejaosorior, Cool. Works for orders and secrets, but containers are still broken though.15:27
*** dave-mccowan has joined #openstack-barbican15:30
jaosoriortherve: wha O_O15:39
jaosoriortherve: aaaaand it doesn't pass the unit tests, which I didn't think were actually using the base_url15:40
*** gyee has joined #openstack-barbican15:41
therveThat part is a good thing :)15:43
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Use keystoneclient to get endpoint if it's empty
jaosoriortherve: buuuuut, does it fail with the same error?15:48
openstackgerritIgor Gueths proposed openstack/barbican: Potential resource exhaustion when registering consumers to containers
jaosoriortherve: and there is some weird usage of that _base_url variable...  Gotta look into that15:53
thervejaosorior, I'd be tempted to remove _base_url usage if possible15:54
jaosoriortherve: you could submit a patch that depends on mine15:56
jaosoriortherve: wouldn't be a bad idea15:57
*** zz_dimtruck is now known as dimtruck16:04
*** kebray has quit IRC16:20
openstackgerritMerged openstack/barbican: Imported Translations from Transifex
*** rellerreller has joined #openstack-barbican16:55
*** dimtruck is now known as zz_dimtruck17:00
*** dave-mccowan has quit IRC17:11
*** dave-mccowan has joined #openstack-barbican17:12
*** joesavak has joined #openstack-barbican17:48
*** zz_dimtruck is now known as dimtruck17:52
*** rellerreller_ has joined #openstack-barbican18:03
*** rellerreller has quit IRC18:05
*** kebray has joined #openstack-barbican18:17
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Initial setup for command line tests
*** rellerreller has joined #openstack-barbican18:48
*** tkelsey has joined #openstack-barbican18:48
rellerrellerdave-mccowan Where do we stand with the bug reports on content types?18:51
*** rellerreller_ has quit IRC18:51
rellerrellerI saw that you submitted one. Are there others that have been filed?18:52
dave-mccowanrellerreller, i opened 5 bugs and proposed a fix for 1 of them.  to recreate any of them,  remove an @skip from functionaltestes/api/v1/smoke/test_rsa.py18:57
*** hockeynut_ has quit IRC18:57
*** tdink_ has quit IRC18:57
*** hockeynut has joined #openstack-barbican18:58
dave-mccowanrellerreller,  5 of the bottom 6.18:58
*** tdink has joined #openstack-barbican18:58
rellerrellerdave-mccowan what about the issue #1441866 public type secret creation fails with 400?19:02
dave-mccowanrellerreller, redrobot marked that invalid19:06
redrobotrellerreller dave-mccowan yeah, I was originally trying to use "application/pkcs8" as the content-type19:07
redrobotbut since we decided to use "application/octet-stream" instead, the bug is invalid19:07
dave-mccowanrellerreller, redrobot that failure could be covered by #1443009 now, to cover all creates that fail when the decided encoding is used.19:09
rellerrellerredrobot OK, but I don't see anything about pkcs8 in that bug report.19:09
redrobotrellerreller oh, oops, wrong one19:10
dave-mccowanrellerreller, when  functionaltests.api.v1.smoke.test_rsa.RSATestCase.test_rsa_create_and_get_private_key works then we're good on pkcs819:10
redrobotrellerreller should've looked at the actual bug... 1441866 is a bug.  I did invalidate another one that used pcks819:10
*** joesavak has quit IRC19:18
rellerrellerredrobot dave-mccowan So who is working on what?19:25
rellerrellerI don't want to work on anything that someone else is already working on.19:25
redrobotI'm working on
openstackLaunchpad bug 1441866 in Barbican "public type secret creation fails with 400" [Critical,Confirmed] - Assigned to Douglas Mendizábal (dougmendizabal)19:26
rellerrellerThere is the API change to only accept PEM encoded private, public, and certificate secret types.19:26
rellerrellerredrobot So you are making the change to only accept PEM for private, public, and certificates?19:27
redrobotrellerreller no, I'm working on fixing the base64 normalization so that   base64(PEM) works19:28
rellerrellerredrobot Were you planning to make the changes in the backend to have the secret stores accept base64(pem)?19:28
redrobotrellerreller haven't gotten that far yet.  You can work on that if you'd like19:28
rellerrellerredrobot If you are working on the normalization then you must be doing the backend stuff as well. Unless I am missing something. How do you plan to do that?19:29
rellerrellerBecause the data is normalized before going to secret store.19:29
redrobotrellerreller I'm fixing the normalization such that a one-step POST does not return a 400 when payload="base64(PEM)"19:30
*** joesavak has joined #openstack-barbican19:33
rellerrellerredrobot OK, I was not calling that a normalization change. I was calling that a validation change.19:33
redrobotrellerreller gotcha.  yes, validation makes more sense19:34
rellerrellerredrobot I need to run. I won't be at the status meeting, but I plan to be around tomorrow.19:37
*** rellerreller has quit IRC19:41
redrobotWeekly meeting starting now in #openstack-meeting-alt19:59
jaosoriorrm_work: thanks mr.21:00
rm_workSheena_ / redrobot: FYI looks like summit is GO for me, so I'll need to get some slides ready21:01
elmikoredrobot: might take me a day or two to reconfigure my machine for mysql and rerun the tests. i want to make sure i don't hose mariadb lol21:01
*** dimtruck is now known as zz_dimtruck21:01
*** tkelsey has quit IRC21:02
Sheena_rm_work: excellent news! I'll kick that thread again today or tomorrow21:02
rm_workelmiko: that's what VMs are for :P21:03
dave-mccowanalee_, ping21:04
alee_dave-mccowan, pong21:05
dave-mccowanalee_, i've been looking at the bug on order certificates.  when doing a get order, the barbican_meta is not returned with original's order meta.  seems like an easy fix, that i'm willing to patch.  but, i can't find the code where the response to get order is built.  can you point me?21:06
openstackLaunchpad bug 1443007 in Barbican "Response to Get Certificate Order Requests Do Not Have Updated Meta" [Undecided,New]21:06
*** joesavak has quit IRC21:08
alee_dave-mccowan, thats deliberate21:09
alee_dave-mccowan, barbican-meta is stuff that is created on the server and is not necessarily returned as part of the order21:09
dave-mccowanalee_ the user can not get a copy of plugin_name or generated_csr?21:09
alee_dave-mccowan, right21:10
dave-mccowanalee_  good news, one less bug. :-)21:10
alee_dave-mccowan, the plugin-name is internal to barbican,21:10
dave-mccowanalee_ ok, so there is no way for functional tests to test that.  only unit tests. right?21:10
alee_and we can expose the csr later if we have call to -- but I dont think we do21:10
alee_dave-mccowan, in the dogtag test, we have funcitonal tests to confirm that you actually get a cert back21:11
alee_dave-mccowan, for the regular case, there is no way to be absolutely sure -- although theoretically, it should not get to pending state without going through some measure of success in generating the csr21:12
dave-mccowanalee_  thanks.  this is good news.  this should get four more test cases passing. (at least to 'pending' state for ordered certs).21:17
elmikorm_work: yea, i should really just do that21:17
alee_dave-mccowan, great21:17
*** alee_ is now known as alee_afk21:18
dave-mccowanalee_afk, can you still point me to where that code is? after searching for a long time, i need closure. :-)21:19
alee_afkdave-mccowan, back in a bit -- but in answer to your question -- if I were looking at where the get oder response comes from I'd look at controllers/orders.py21:24
alee_afkdave-mccowan, my guess is there we just get the order and convert it into json output21:24
alee_afkdave-mccowan, if you wanted - you could have modified the code there to add data from barbican-meta as well.21:25
alee_afkdave-mccowan, or when generating the barbican-meta, you could have saved it in the order_meta instead.21:25
dave-mccowanalee_afk, thanks.  i see it now.  i had my cursor left at exactly that function from last night.21:26
alee_afkdave-mccowan, redrobot - I'll run through what you and redrobot come up with for fixes tommorow when you guys have something ready.  some of these things need to be run against a real ca to make sure what is being generated (ie. the csr) is actually valid21:28
*** gyee has quit IRC21:32
*** SheenaG has joined #openstack-barbican21:36
*** xaeth is now known as xaeth_afk21:48
*** rtom has joined #openstack-barbican21:49
*** rtom has quit IRC21:49
*** dave-mccowan has quit IRC21:55
*** paul_glass has quit IRC21:55
*** dave-mccowan has joined #openstack-barbican21:56
*** nkinder has quit IRC22:05
*** stanzi has joined #openstack-barbican22:10
*** stanzi has quit IRC22:11
*** stanzi has joined #openstack-barbican22:12
*** stanzi has quit IRC22:13
*** stanzi has joined #openstack-barbican22:13
*** gyee has joined #openstack-barbican22:36
*** rm_work is now known as rm_work|away22:37
*** igueths1 has quit IRC22:38
*** zz_dimtruck is now known as dimtruck22:44
*** stanzi has quit IRC22:57
*** stanzi has joined #openstack-barbican22:58
woodster_alee_afk, dave-mccowan Just quick comments from above...the order is created in the PENDING state by the service before any cert processing happens. So the CSR would be generated *after* that PENDING order record is in the database. As for getting the CSR back from barbican, I guess we could add that as an optional secret ref on the certificate container?22:58
*** stanzi has quit IRC23:02
dave-mccowanwoodster_, i the CSR is generated at request; the Certificate comes late.  but,  talked with alee about this. he said it is by design that the CSR is not returned.  apparently it's between Barbican and the CA and none of the user's business. :-)23:02
woodster_dave-mccowan: yep, barbican meta is intended to be like a s23:05
woodster_dave-mccowan: ...scratchpad for processing the order23:05
*** dimtruck is now known as zz_dimtruck23:07
dave-mccowanwoodster_ yes, i'm going to fix the test cases.  no bug here on csr.23:07
*** chlong has joined #openstack-barbican23:15
woodster_dave-mccowan: nice~!23:21
*** jamielennox|away is now known as jamielennox23:22
*** kebray has quit IRC23:22
redrobotso there's two functional tests on HEAD that fail for me23:23
* redrobot wonders if it's related to
*** dave-mccowan has quit IRC23:28
*** jaosorior has quit IRC23:32
*** zz_dimtruck is now known as dimtruck23:49

Generated by 2.14.0 by Marius Gedminas - find it at!