Friday, 2015-05-01

openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Merge tag '2015.1.0'
*** SheenaG has quit IRC00:28
*** alee has quit IRC00:28
*** zz_dimtruck is now known as dimtruck00:38
*** alee has joined #openstack-barbican00:41
*** alee_ has quit IRC00:43
*** alee has quit IRC00:50
*** alee_ has joined #openstack-barbican00:56
*** alee has joined #openstack-barbican01:02
*** alee_ has quit IRC01:04
*** alee has quit IRC01:08
*** alee_ has joined #openstack-barbican01:17
*** alee has joined #openstack-barbican01:21
*** alee_ has quit IRC01:22
*** alee has quit IRC01:28
*** alee_ has joined #openstack-barbican01:35
*** alee_ has quit IRC01:40
*** alee_ has joined #openstack-barbican01:53
*** alee_ has quit IRC01:57
*** dimtruck is now known as zz_dimtruck01:59
*** alee_ has joined #openstack-barbican02:10
*** alee_ has quit IRC02:14
*** gyee has quit IRC02:15
*** kebray has joined #openstack-barbican02:16
*** dave-mccowan has quit IRC02:20
*** alee_ has joined #openstack-barbican02:27
*** alee_ has quit IRC02:32
*** kebray has quit IRC02:35
*** rm_you| is now known as rm_you03:08
*** kebray has joined #openstack-barbican03:17
*** kebray has quit IRC03:29
*** alee has joined #openstack-barbican04:56
*** zz_dimtruck is now known as dimtruck04:59
*** SheenaG has joined #openstack-barbican05:01
*** SheenaG has quit IRC05:05
*** dimtruck is now known as zz_dimtruck05:09
*** alee_ has joined #openstack-barbican05:37
*** everjeje has quit IRC05:46
*** rm_work|away is now known as rm_work06:05
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex
*** chlong has quit IRC06:21
*** chlong has joined #openstack-barbican06:35
*** chlong has quit IRC07:02
*** woodster_ has quit IRC07:10
*** chlong has joined #openstack-barbican07:26
*** chlong has quit IRC07:37
*** chlong has joined #openstack-barbican07:49
*** chlong has quit IRC07:53
*** chlong has joined #openstack-barbican07:55
*** chlong has quit IRC08:01
*** SheenaG has joined #openstack-barbican08:07
*** tkelsey has joined #openstack-barbican08:09
openstackgerritOpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements
*** chlong has joined #openstack-barbican08:19
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Display all versions info in versions controller
*** darrenmoffat has joined #openstack-barbican08:40
*** chlong has quit IRC08:40
*** chlong has joined #openstack-barbican10:14
*** alkar has joined #openstack-barbican10:35
*** chlong has quit IRC11:01
*** chlong has joined #openstack-barbican11:04
*** chlong has quit IRC11:15
*** dave-mccowan has joined #openstack-barbican11:22
*** nickrmc83 has joined #openstack-barbican11:36
*** nickrmc83 has quit IRC11:37
*** nickrmc83 has joined #openstack-barbican11:37
*** nickrmc83 has quit IRC11:55
*** nickrmc83 has joined #openstack-barbican11:56
*** woodster_ has joined #openstack-barbican12:01
*** nickrmc83 has quit IRC12:15
*** nickrmc83 has joined #openstack-barbican12:15
*** nickrmc83 has quit IRC12:27
*** nickrmc83 has joined #openstack-barbican12:29
*** nickrmc83 has quit IRC12:31
*** nickrmc83 has joined #openstack-barbican12:31
*** rellerreller has joined #openstack-barbican12:34
*** nickrmc83 has quit IRC12:41
*** nickrmc83 has joined #openstack-barbican12:43
*** _elmiko is now known as elmiko12:52
*** nickrmc83 has quit IRC13:09
*** nickrmc83 has joined #openstack-barbican13:11
openstackgerritThomas Herve proposed openstack/barbican: Fix snakeoil_ca plugin
*** darrenmoffat has left #openstack-barbican13:17
*** nickrmc83 has quit IRC13:30
*** joesavak has joined #openstack-barbican13:33
*** openstackgerrit has quit IRC13:51
*** openstackgerrit has joined #openstack-barbican13:51
*** nickrmc83 has joined #openstack-barbican14:10
*** pglass has joined #openstack-barbican14:13
openstackgerritThomas Herve proposed openstack/python-barbicanclient: Add support for certificate order
*** nelsnelson has joined #openstack-barbican15:08
*** nickrmc83 has quit IRC15:13
openstackgerritJohn Vrbanac proposed openstack/barbican: Adding a info log for each processed request
jvrbanacrellerreller, redrobot, woodster_, hockeynut, reaperhulk, It would be great if y'all could look at this really quick CR:
*** SheenaG has joined #openstack-barbican15:23
*** gyee has joined #openstack-barbican15:42
*** nelsnels_ has joined #openstack-barbican15:47
*** nelsnelson has quit IRC15:47
openstackgerritArun Kant proposed openstack/barbican: Adding documentation for ACLs operations.
*** nelsnels_ has quit IRC15:47
*** nelsnelson has joined #openstack-barbican15:48
aleewoodster_, your email is timely.  I was just going to ask you where the etherpad was15:52
woodster_alee: ha! you know what they say about great minds....15:52
aleewoodster_, I'll make a few edits - we should probably chat sometime early  next week15:53
woodster_alee, Sheena_ Sheena_15:53
aleewoodster_, Sheena_ is there a scheduled time yet for the talk?15:54
woodster_alee, Sheena_ SheenaG Yeah, getting traction on those slides would be nice indeed! I'm on the hook to do a presentation of this end of next week :)15:54
aleewoodster_, thats pretty soon - not sure I can guarantee that.15:55
woodster_alee, well, I think it's ok to have some placeholder slides in there, but a final L&F would be nice to decide on before that15:56
SheenaGwoodster_, alee_ I'm planning on doing some work this weekend to try and get this presentation and the other one closer to done15:56
aleewoodster_, Sheena_ SheenaG looks like wed 20th at 2:4015:56
aleewoodster_, SheenaG ok - I'll carve out some time early next week and see if we can get most of it done.15:57
aleewoodster_, Sheena_ how about we meet on Tuesday?15:58
SheenaGWorks for me.  I should be free after 9:30 PST (11:30 CST)15:59
aleewoodster_, Sheena_ my only standing meeting on Tuesday is at 4pm EST16:00
aleewoodster_, ?16:07
*** dave-mccowan has quit IRC16:13
*** alkar has quit IRC16:14
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Add Secret CLI smoke tests
woodster_alee, SheenaG sorry in a extended daily meeting now16:16
openstackgerritMerged openstack/barbican: Adding a info log for each processed request
elmikowould anyone be willing to take a look at a castellan spec i'm working on for sahara?16:28
rm_worksure -- after lunch, if you link it16:34
elmikorm_work: cool, thanks
woodster_alee, SheenaG Noon to 2pm CDT would be open for me, as well as after 3:30pm16:36
aleeSheena_, woodster_ how about Noon to 1 pm CDT?16:37
SheenaGalee, woodster_ works for me16:37
woodster_alee: SheenaG that works for me too!16:38
aleewoodster_, SheenaG - can one of ya'll set it up?16:38
SheenaGalee woodster_ I got it16:39
woodster_SheenaG alee : if you plan to work on things before that meeting, it might be good to decide on a look and feel for PPT then. For paris we worked on our slide parts independently but with the same theme, then I combined then into the final version16:39
rm_worki am excited to see people starting to use Castellan the way I envisioned it would be used16:40
woodster_alee: SheenaG are we thinking just a google hangouts meeting? I typically just start those up right before the meeting time and then email out the links to the meeting.16:41
rm_workelmiko: everyone called me CRAZY for a while16:41
SheenaGwoodster_: yeah, Hangouts - I'm setting it up right now16:41
SheenaGrm_work: you're still crazy16:41
elmikorm_work: it seems really sensible to me16:41
rm_workSheenaG: possible, but now people will keep it to themselves maybe :P16:41
woodster_rm_work: have they stopped calling you crazy? :)16:41
SheenaGwoodster_, alee sent - let me know if you don't get it16:41
rm_workwoodster_: not really16:41
*** igueths has joined #openstack-barbican16:41
rm_workmaybe one day I can get CertificateManager merged <_<16:41
SheenaGwoodster_, alee what is the expectation for the state of things when we have this meeting?  Are we just planning who's talking about what, or is this a run-through of the deck?16:42
rm_workthen they'll see the TRUE POWER of Castellan :P16:42
aleerm_work, now I know you're crazy ..16:42
elmikorm_work: what's the deal with the CertificateManager?16:42
rm_workelmiko: for some reason people don't see that it's a perfect fit for Castellan :P16:42
elmikorm_work: so this would be a situation where you use the CM as the api_class to get certs ordered or stored  or both?16:43
rm_workwell, it's a slightly different interface16:43
rm_workbecause it takes and returns different data16:43
elmikoah, ok16:43
rm_workbut it's identical in DESIGN to the KeyManager16:43
woodster_SheenaG: alee I'm thinking we should have our slide content out there in etherpad for sure, and informally step thru it. Then we can make formal slides with more confidence. If we could put slides together before that though, we could show those too. Thoughts though?16:44
elmikoso instead of returning Key it will return Cert (or similar)?16:44
aleeSheena_, woodster_ thats a good goal (informal step through) - I'll do what I can before then.16:45
SheenaGalee, woodster_ agreed, sounds like a plan16:45
arunkantalee, there? quick question about ACL16:45
aleearunkant, go ahead16:46
woodster_SheenaG: alee looking at that pad, we could just insert detailed slide content in the first outline part you started, and ditch the last part I had in there16:46
arunkantalee, for ACL on secret or container, does *only* the creator of secret/container should be able to define and manage ACL data ?16:46
arunkantalee, or any project user with right roles (may be admin)  can do that ?16:47
aleearunkant, I thnk thats a reasonable first implementation - at least for kilo16:48
aleearunkant, we can discuss at summit if we want to expand who can manage acl data16:48
aleebut off the cuff, I'd say only the creator should be able to16:49
aleeotherwise someone could change the acl to get to a secret you (the owner) defined as private16:49
arunkantalee, right now ACL can be managed by any project user..16:49
aleearunkant, that seems wrong to me.  it means a project user can -un-private a secret16:50
arunkantalee, okay..let me create bug for that and address it.16:50
aleearunkant, I suggest you open a bug to fix that16:50
aleecool thanks16:51
*** dave-mccowan has joined #openstack-barbican16:52
*** zz_dimtruck is now known as dimtruck16:53
rm_workelmiko: yep, would return Cert16:59
rm_workit's in use in Neutron-LBaaS and Octavia right now, they just wouldn't let me merge it to Castellan :(16:59
elmikoaww =(17:00
rm_workright? T_T17:00
*** dimtruck is now known as zz_dimtruck17:05
woodster_alee, arunkant redrobot I thought folks were leaning towards the admin role user being able to set ACL no matter what, otherwise they could get 'locked' out of secrets if the creator user is later removed17:06
arunkantwoodster_, yes good point. I have updated
openstackLaunchpad bug 1450849 in Barbican "Only ceator of secret and container should be able to define and manage ACL." [Undecided,New]17:08
arunkantwoodster_, alee, can you please review this (related to stored key order ACL check)17:10
*** nickrmc83 has joined #openstack-barbican17:11
woodster_arunkant: I'll take a look at it a bit later, fighting a fire right now though17:13
*** kebray has joined #openstack-barbican17:16
*** kebray has quit IRC17:16
dave-mccowanarunkant, what do you think about also giving the admin read access to private secrets?  since an admin can change the ACL, he'll always be able to get read access.  i think giving read access as the default policy helps set that expectation.17:18
arunkantdave-mccowan, yes I think that should be okay in general as admin user(s) should be able to manage almost all of barbican resources. I think we can talk about in summit and make change (its just policy change to allow additional role).17:24
*** kebray has joined #openstack-barbican17:25
dave-mccowanarunkant, i think the change might go well with 1450849, since that will also affect admin privileges in the policy file.17:27
*** tkelsey has quit IRC17:31
arunkantdave-mccowan, 145089 is primarily on ACL operation only. The change you mentioned is different as it for secret and container read call. This is more of feature enhancement (though its only policy change and unit test).17:32
*** kebray has quit IRC18:22
*** nickrmc83 has quit IRC18:22
*** nickrmc83 has joined #openstack-barbican18:24
*** Asha has joined #openstack-barbican18:54
AshaI would like to contribute for barbican documentation .I would like to know the steps for contribution18:55
*** tkelsey has joined #openstack-barbican19:02
AshaIt would be great if some one could guide me on this19:03
*** chadlung has joined #openstack-barbican19:05
*** nickrmc83 has quit IRC19:06
*** tkelsey has quit IRC19:07
rellerrellerelmiko Good spec. I'm adding some comments to it now.19:07
*** nickrmc83 has joined #openstack-barbican19:08
*** nickrmc83 has quit IRC19:08
rellerrellerelmiko Just a heads up that we are looking to change the API slightly in Liberty. We are planning to create a new base that will have Symmetric, Public, Private, Certificate, Passphrase, and Opaque as subclasses.19:08
rellerrellerelmiko This way all of those different types of objects can be stored and managed by a KeyManager.19:09
elmikorellerreller: ok, cool19:09
dave-mccowanHi Asha.  I started with this page: last year.   The documentation is under the doc/ directory of the git repo.19:09
elmikorellerreller: and thanks for taking a look =)19:09
rellerrellerelmiko No problem. We plan to really beef up the support for Castellan in Liberty. Any help would be appreciated :)19:10
*** nickrmc83 has joined #openstack-barbican19:10
elmikorellerreller: i would love to get involved!19:10
rellerrellerelmiko We are glad that someone is actually interested and wants to use it!19:10
elmikorellerreller: my feeling is that it will really help sahara move away from storing so many dang keys19:11
rellerrellerelmiko That is the goal. That is what we did with Nova and Cinder. Nobody in their right mind wants to do that. That's more risk than people want to handle.19:11
elmikorellerreller: given what you said about the new classes, those will be Key subclasses?19:12
rellerrellerelmiko We have not yet decided on the name of the base class, but there will be some base class.19:13
rellerrellerThen subclasses for Symmetric, Passphrase, Public, Private, Opaque, Cert19:13
rellerrellerelmiko Then the store, get, and delete operations can then use the generic base class for all of the operations.19:14
elmikooh.. interesting19:14
AshaThanks Dave for your response19:14
elmikorellerreller: you just want to make me rewrite all this stuff in sahara huh...19:14
rellerrellerelmiko haha Better to rewrite part of a spec then lots of code that must be retested and scrutinized through peer review :)19:15
elmikotru dat19:15
elmikorellerreller: are you implying though that we should hold off on integration until the liberty plans have materialized?19:16
*** nickrmc83 has quit IRC19:17
rellerrellerelmiko I probably would hold off a little bit. We are trying to balance the same thing.19:18
rellerrellerelmiko We want to integrate into several services at the moment, and we are trying to get Castellan ready as soon as possible.19:18
elmikorellerreller: ok, i really would like to sync up with the plans for castellan. i can certainly spare some cycles to help get it in shape.19:19
rellerrellerelmiko That sounds great. If we can get more help then it would likely speed up the deployments.19:19
*** nickrmc83 has joined #openstack-barbican19:19
rellerrellerelmiko Are you going to the summit?19:19
elmikorellerreller: i had been planning the castellan integration as one of my top prios for L-119:19
elmikorellerreller: yes19:19
rellerrellerelmiko L-1 is likely not going to happen :(19:20
elmikorellerreller: good to know now though, i can echo this up the chain to help our planning19:21
rellerrellerelmiko I will not be there, but some coworkers of mine will be there.19:21
elmikorellerreller: ok, i'll hang out at as many barbican sessions as possible, maybe i can sync up there?19:21
rellerrellerelmiko That would be great. I'll tell the team that you are interested. I can also do a Google hangout or phone conference too if you want more details.19:22
elmikorellerreller: cool, will castellan ever get a meeting time of its own or will it mainly be part of the barbican meets?19:23
rellerrellerelmiko I am not sure. It has sort of been adopted by Barbican at the moment. That is a question for redrobot.19:24
redrobotelmiko rellerreller since the same core reviewers for barbican own castellan reviews I would prefer to just use the same meeting.19:25
redrobotelmiko rellerreller  if we get to a point where we're constantly having a backlog of agenda items then I would consider splitting it up into separate meetings.19:26
elmikoredrobot: ok, makes sense19:26
rm_workrellerreller: oh sure, now you want to include certs :P19:27
rellerrellerrm_work I've always said certificates were fine. I just did not want to add containers.19:27
rm_workrellerreller: so a certificate is ... JUST a certificate and not the accompanying stuff like PK/PKP/intermediates?19:28
rm_workrellerreller: and if so, how would there be a barbican implementation, since barbican stores certificates as a container type?19:29
redrobotrm_work actually the certs are stored as secrets19:29
redrobotrm_work containers only group the secrets together.19:30
rm_workredrobot: and then added to Certificate Containers19:30
rm_workso essentially this would make Certificate Containers a "non-recommended" object?19:30
redrobotrm_work yes, but you'll still have to fetch the secrets individually.  barbican does not return a bundle.19:30
rm_worksince the interface (castellan) would not support them19:30
elmikoredrobot, rellerreller, i'll just keep attending the barbican meetings and hopefully we'll get a workflow going that i can help with the castellan work.19:30
rm_workredrobot: i have a pretty huge problem with that approach :/19:31
rm_workin that, whose use-case is that actually solving for?19:31
rellerrellerrm_work a certificate can be stored by itself within Barbican. It does not need a container.19:31
rm_workrellerreller: a certificate stored in barbican as a secret is just a generic secret -- it only becomes a "Certificate" type when it's actually added to a Container19:32
rm_workCertificateContainers are the actual functionality people would like to use19:32
rellerrellerrm_work No, you can store a certificate and say that it is a certificate.19:32
redrobotrm_work nope, secrets have types now19:32
rm_workand by people, I mean the only two projects so far that have voiced any requirement for certs at all19:32
rm_workbut that still just leaves containers out in the cold19:33
rm_workwhich is the way we actually interface with Barbican19:33
redrobotrm_work what is your actual use case for Castellan?  Do you expect lbass deployments to talk to KMIP/PKCS11 devices directly?19:34
rm_workI have already talked about how it is possible to store certificates alongside their private keys/etc in one package in ANY system19:34
rm_workit's not Barbican only19:35
rm_workmy vision of our use-case is to use Castellan with the Mock plugin for development, then the Barbican plugin initially in production, then down the road we could hopefully add in support for something like Certmonger as an intermediary19:37
*** xaeth_afk is now known as xaeth19:37
rm_workof course at the same time a major driver for us is code reuse19:37
rm_worksince we use the same interface code in two projects now, and probably soon 2 more19:37
redrobotrm_work could you use a mock barbicanclient instead?19:37
rm_workredrobot: that's the less important of the bunch19:38
rm_workremember, we already HAVE this code19:38
rm_workCertManager interface19:38
rm_workwith Mock/Barbican plugins19:38
redrobotrm_work the certmonger bit is definitely interesting.19:38
rm_workand again, a HUGE driver for me is code reuse19:38
rm_worki am tired ot making the same changes across multiple repos19:39
rm_workevery time we fix a bug19:39
rm_workgoing to have to start using submodules or something19:39
rm_workI just...19:40
rellerrellerGotta run. Have a good weekend everyone!19:40
*** rellerreller has quit IRC19:40
rm_workit is CLEAR AS DAY to me that this obviously belongs in Castellan -- i don't even understand why this is an issue now -- I was part of the group that wanted castellan to exist in the first place and pushed for its creation, with this code as my primary contribution -- i do not understand at what point it stopped being clear that it would be included19:41
redrobotrm_work lmao19:41
redrobotrm_work always a fun discussion, Castellan scope and all. ;)19:42
rm_workI don't even understand how the original spec was put in without "certificate manager" in it19:42
rm_workI was there when we were proposing it initially and discussing it19:42
rm_workthe whole situation just seems STRANGE to me19:43
rm_workI guess I could just fork castellan and neutron-lbaas/octavia/fwaas/vpnaas could use my fork19:43
*** nickrmc83 has quit IRC19:48
*** xaeth is now known as xaeth_afk19:49
*** nickrmc83 has joined #openstack-barbican19:50
*** dave-mccowan has quit IRC19:59
*** nickrmc83 has quit IRC20:00
*** xaeth_afk is now known as xaeth20:01
*** nickrmc83 has joined #openstack-barbican20:01
*** nickrmc83 has quit IRC20:10
*** nickrmc83 has joined #openstack-barbican20:12
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements
*** nickrmc83 has quit IRC20:16
*** nickrmc83 has joined #openstack-barbican20:18
*** nickrmc83 has quit IRC20:20
*** dave-mccowan has joined #openstack-barbican20:21
*** nickrmc83 has joined #openstack-barbican20:22
*** xaeth is now known as xaeth_afk20:41
*** nickrmc83 has quit IRC20:41
*** xaeth_afk is now known as xaeth20:41
*** nickrmc83 has joined #openstack-barbican20:43
*** rellerreller has joined #openstack-barbican20:58
*** joesavak has quit IRC21:10
*** zz_dimtruck is now known as dimtruck21:22
*** dimtruck is now known as zz_dimtruck21:26
*** SheenaG has quit IRC21:30
*** xaeth is now known as xaeth_afk21:34
*** xaeth_afk is now known as xaeth21:35
*** SheenaG has joined #openstack-barbican21:35
*** nickrmc83 has quit IRC21:35
*** nickrmc83 has joined #openstack-barbican21:37
*** nickrmc83 has quit IRC21:37
*** nickrmc83 has joined #openstack-barbican21:39
*** xaeth is now known as xaeth_afk21:52
*** pglass has quit IRC21:55
*** nickrmc83 has quit IRC21:57
*** nickrmc83 has joined #openstack-barbican21:58
*** nelsnelson has quit IRC22:02
*** rellerreller has quit IRC22:02
*** chadlung has quit IRC22:10
iguethsIf anyone is planning on flying in an 787 to Vancouver, it may be advisable to ask the pilots if they can turn it off and back on again?
*** Asha has quit IRC22:15
*** nickrmc83 has quit IRC22:20
*** nickrmc83 has joined #openstack-barbican22:22
*** igueths has quit IRC22:22
*** chadlung has joined #openstack-barbican22:32
*** chadlung has quit IRC22:37
*** xaeth_afk is now known as xaeth22:38
*** atiwari has joined #openstack-barbican22:43
*** dave-mccowan has quit IRC22:59
*** nickrmc83 has quit IRC23:03
*** nickrmc83 has joined #openstack-barbican23:05
*** nickrmc83 has quit IRC23:25
*** nickrmc83 has joined #openstack-barbican23:26
*** xaeth is now known as xaeth_afk23:29
*** gyee has quit IRC23:35
*** chadlung has joined #openstack-barbican23:53
*** SheenaG has quit IRC23:54
*** SheenaG has joined #openstack-barbican23:55

Generated by 2.14.0 by Marius Gedminas - find it at!