Friday, 2015-05-08

*** SheenaG has quit IRC00:10
*** jaosorior has quit IRC00:12
*** jamielennox|away is now known as jamielennox00:29
*** rellerreller has quit IRC00:30
openstackgerritMerged openstack/python-barbicanclient: Adding new tests to cover failure scenarios
hockeynutstill looking for some reviewers for and  Would love to get them off the books...thanks!01:23
*** rm_work|away is now known as rm_work01:23
*** crc32 has quit IRC01:39
*** crc32 has joined #openstack-barbican01:40
*** tkelsey has joined #openstack-barbican01:40
*** tkelsey has quit IRC01:45
*** kebray has joined #openstack-barbican01:55
*** kebray has quit IRC01:55
*** SheenaG has joined #openstack-barbican01:57
*** david-lyle has joined #openstack-barbican02:10
*** kebray has joined #openstack-barbican02:20
*** SheenaG has quit IRC02:22
*** SheenaG has joined #openstack-barbican02:44
*** smallbig has joined #openstack-barbican02:59
*** xaeth_afk is now known as xaeth03:06
*** xaeth is now known as xaeth_afk03:25
*** kebray has quit IRC04:04
*** SheenaG has quit IRC04:08
openstackgerritDave McCowan proposed openstack/barbican: Add Multi-user support for Functional Tests
*** rm_work is now known as rm_work|away04:19
openstackgerritDave McCowan proposed openstack/barbican: Add Multi-user support for Functional Tests
openstackgerritDave McCowan proposed openstack/barbican: Add Functional Tests for ACLs Using Multiple Users
openstackgerritDave McCowan proposed openstack/barbican: Add Functional Tests for ACLs Using Multiple Users
*** rm_work|away is now known as rm_work04:44
*** dave-mccowan has quit IRC05:05
openstackgerritMerged openstack/barbican: Updated from global requirements
*** tkelsey has joined #openstack-barbican05:41
*** tkelsey has quit IRC05:46
*** nickrmc83 has joined #openstack-barbican06:12
*** nickrmc83 has quit IRC06:41
*** nickrmc83 has joined #openstack-barbican06:42
*** tkelsey has joined #openstack-barbican06:50
*** nickrmc84 has joined #openstack-barbican07:03
*** nickrmc83 has quit IRC07:04
*** crc32 has quit IRC07:05
*** woodster_ has quit IRC07:10
*** tkelsey has quit IRC07:35
*** tkelsey has joined #openstack-barbican07:36
*** jamielennox is now known as jamielennox|away07:36
*** everjeje has joined #openstack-barbican07:38
*** jaosorior has joined #openstack-barbican08:19
*** nickrmc83 has joined #openstack-barbican08:19
*** chlong has quit IRC08:20
*** nickrmc84 has quit IRC08:20
*** nickrmc84 has joined #openstack-barbican08:36
*** nickrmc83 has quit IRC08:37
jaosorior:t pl09:27
jaosoriorwrong input09:27
jaosorioranyway, therve:are you around?09:28
*** woodster_ has joined #openstack-barbican10:11
*** darrenmoffat has joined #openstack-barbican10:13
thervejaosorior, Hi!10:25
jaosoriortherve: hey man, I remember yesterday you had a question about the policy file10:29
jaosoriorI went ahead and asked about it again, so I was wondering if you got an answer, if not, I can now answer it10:29
thervejaosorior, Saw redrobot's answer, but it didn't totally make sense to me10:30
therve"because roles are used per-project", right?10:31
jaosorioroh, alright10:31
jaosoriorwell, the thing is10:31
jaosoriorlet's have this scenario10:31
jaosoriorthere is projectA that contains user1 and user210:31
jaosorioruser1 and user2 are members of the project, and thus they can create secrets without a problem10:32
jaosoriorBUT, since the policy only covers projects (and not individual resources for the users)10:32
jaosoriorboth users can read each other's secrets (what the ACL stuff wants to address)10:32
therveSo currently you don't have a way to say "user1 can delete user1's secrets"10:33
jaosoriorthe ACL stuff is covering read, at the moment, and delete is not supported yet10:33
jaosoriorso we don't want users to be able to delete other users projects10:33
jaosoriorhopefully that policy will be fixed once the delete ACL is properly implemented10:33
therveMakes sense10:34
jaosorior* so we don't want users to be able to delete secrets from other users from the same project10:34
jaosoriorthat was the correct phrase haha, I still need more coffee :P10:34
jaosoriorbut anyway, as far as I understand, that policy is the way it is until ACL support for delete's is there10:35
therveWorking on FWIW10:36
therveSo I need that piece of users being able to delete their own secret, but for now it can be documentation for tweaking the policy file accordingly10:37
jaosoriormight be worth while to read this commit there it kind of explains the situation10:38
jaosoriortherve: I see. hopefully we can support those operations soon. Don't know how far in the coding is arunkant at the moment10:38
openstackgerritMerged openstack/python-barbicanclient: Drop use of 'oslo' namespace package
*** nickrmc84 has quit IRC11:37
*** nickrmc83 has joined #openstack-barbican11:55
*** dave-mccowan has joined #openstack-barbican12:06
*** nickrmc83 has quit IRC12:34
*** nickrmc83 has joined #openstack-barbican12:37
*** nickrmc83 has quit IRC12:42
*** chlong has joined #openstack-barbican12:47
*** joesavak has joined #openstack-barbican12:49
*** nickrmc83 has joined #openstack-barbican12:54
openstackgerritMerged openstack/python-barbicanclient: Updated from global requirements
woodster_therve: I need to read your spec, but was curious if the user that reads the secret is the same one that uploads it? Automation use cases we've seen those are two separate users that can have separate roles.12:56
*** nickrmc83 has quit IRC13:00
*** jsavak has joined #openstack-barbican13:25
*** joesavak has quit IRC13:27
jaosoriorAny workflows for this?  :D
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Create behaviors for secrets
*** rellerreller has joined #openstack-barbican13:45
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Create behaviors for secrets
*** jsavak has quit IRC13:48
*** openstackgerrit has quit IRC13:51
*** openstackgerrit has joined #openstack-barbican13:51
jaosoriorhockeynut: got some time to check this CR?
hockeynutjaosorior sure.  <click>13:57
*** alee_dinner is now known as alee14:06
*** igueths has joined #openstack-barbican14:10
*** pglass has joined #openstack-barbican14:10
jaosoriorhockeynut: thanks mr.14:24
*** shakamunyi has joined #openstack-barbican14:25
openstackgerritMerged openstack/barbican: Migrate to oslo_context
hockeynutdave-mccowan makes me smile!14:44
hockeynutdave-mccowan the only thing I think we should change are the usernames.  for folks who need to request users to be created a name like "admin1" isn't a good choice.  I'd say we should prefix those userids with something like barbican_ or hockeynut_ :-)14:47
*** xaeth_afk is now known as xaeth14:48
aleewoodster_, Sheena_ I'm working right now on the demos. Hope to wrap them up by this weekend.  Do you want to meet Monday to go over slides?14:49
aleewoodster_, Sheena_ my schedule is completely open (ie. no scheduled meetings yet) on Monday14:51
aleeand I suspect we'll need at least a couple of meetings -- one to integrate/ edit slides - and one to do a run-through.14:52
aleeso maybe Monday and Tuesday?14:52
woodster_...and to get timing14:52
aleeI have a scheduled 4pm EST meeting on Tuesday, but other than that am free.14:53
*** kebray has joined #openstack-barbican14:54
dave-mccowanhockeynut good idea on the rename.  shall I change just the keystone user names, and leave the python and CONF variable names the same?14:55
*** nelsnelson has joined #openstack-barbican14:58
aleewoodster_, hopefully Sheena_ will see these messages and be able to get back to us with a time that works for all of us.  but Mon and Tues morning sometime sounds good.14:58
*** igueths has quit IRC15:13
*** igueths has joined #openstack-barbican15:18
openstackgerritDave McCowan proposed openstack/barbican: Add Multi-user support for Functional Tests
*** SheenaG has joined #openstack-barbican15:23
*** shakamunyi has quit IRC15:25
*** rm_work is now known as rm_work|away15:32
thervewoodster_, It ought to be the same, yes15:37
*** gyee has joined #openstack-barbican15:52
*** openstackstatus has quit IRC15:56
*** openstackstatus has joined #openstack-barbican15:56
*** ChanServ sets mode: +v openstackstatus15:56
*** gyee has quit IRC16:16
*** shakamunyi has joined #openstack-barbican16:16
*** gyee has joined #openstack-barbican16:22
hockeynutdave-mccowan that's fine.  it's the keystone names that are important16:22
dave-mccowanhockeynut great!  last patch set should be good to go now.16:23
aleeredrobot, dave-mccowan ping16:27
redrobotalee pong16:27
dave-mccowanalee pong16:27
aleeredrobot, dave-mccowan where are those docs for the cert api usage cases again?16:28
redrobotalee afaik we don't have much in the way of certificate api docs.16:29
aleeredrobot, I recall there was something that you wrote on how to use the cert api to generate a cert request16:29
alee(including the instructions on how to generate a csr etc.16:29
aleeredrobot, jaosorior dave-mccowan  - also are there instructions on how to use the barbican client to generate an RSA key pair?16:30
dave-mccowanalee maybe in redrobot's gisthub
redrobotalee dave-mccowan I don't think I ever got around to documenting Cert stuff.  We do have this in the code though
redrobotalee all client docs are here  if it's not there, it may need to be added16:32
openstackgerritThomas Herve proposed openstack/barbican: Fix snakeoil_ca plugin
aleeredrobot, ah good was about to look there16:32
aleeredrobot, any docs on using barbican-client to gen a rsa key?16:33
*** shakamunyi has quit IRC16:33
redrobotalee basically like this but use this class instead
openstackgerritThomas Herve proposed openstack/barbican: Fix snakeoil_ca plugin
hockeynutdave-mccowan coolness - checking it out now16:35
aleeredrobot, ok thanks will give it a shot16:36
dave-mccowanalee for python API examples,   for curl examples,
aleedave-mccowan, thanks16:36
redrobotdave-mccowan so the client used in barbican functional tests != python-barbicanclient16:37
*** kfarr has joined #openstack-barbican16:38
thervealee, FWIW with you can generate a cert with 2 barbican order create calls16:41
aleetherve, oh nice!16:43
aleetherve, I'm going to use that in my slides for the summit -- (and reference your pending CR)16:43
thervealee, Hopefully it'll be in by then :)16:44
aleetherve, you need to be able to provide a ca_id and profile too, for automatic cert issuance.16:45
aleetherve, I guess that can be a separate CR16:46
thervealee, I'd be happy to update that one with those extra args16:46
therveI only enabled the ones I was able to test, using snakeoil_ca16:46
aleetherve, yeah - you need dogtag to really test the others.16:47
*** shakamunyi has joined #openstack-barbican16:48
aleetherve, let me get back to you later today on what changes you'd need.  but this would be nice to get in and reference in the summit talk16:48
aleetherve, I think though that this may not be a simple addition16:49
aleetherve, for instance, you're going to need to be able to query the server for the ca_id's available16:49
therveOh ok16:49
thervealee, That part we can do later16:49
therveAnd assume you know the ones available16:50
aleetrue -- ok - let me look now and see what would need to be added ..16:50
aleetherve, redrobot  - is there some kind of verbose setting on the barbican-client that allows one to see the actual rest call being made?16:53
*** darrenmoffat has left #openstack-barbican16:53
thervealee, the --verbose flag ought to do that16:54
aleetherve, cool -- so there should be two new parameters:  "ca_id" and "profile"16:57
aleetherve, having the profile parameter requires also having the ca_id parameter16:58
aleethe input to both are strings and these would both be passed as order metadata16:59
aleetherve, it is possible to provide ca_id without profile, but not vice versa17:00
aleetherve, make sense?17:00
thervealee, It does. I didn't add much validation for now, though I can at least handle this case17:01
aleetherve, cool - let me know when you get a patch up -- 'll test it and use it in my summit slides17:01
alee(and ack it assuming it works)17:02
therveYeah that'd be nice, until I manage to make dogtag work17:02
*** shakamunyi has quit IRC17:07
kfarrredrobot elmiko, here are some initial thoughts for the fishbowl, let me know what you think :)
thervealee, It seems the plugin uses 'profile' for simple_cmc and 'profile_id' for custom, is it expected?17:16
*** crc32 has joined #openstack-barbican17:17
aleetherve, you're looking at the functional tests?17:17
thervealee, source code17:17
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Create behaviors for secrets
aleetherve, right - functional tests in the source code.17:17
*** shakamunyi has joined #openstack-barbican17:18
thervealee, No no the plugin source code directly :)17:18
aleetherve, for dogtag>17:18
aleeok -- let me explain ..17:18
aleethe simple-cmc barbican interface  has a parameter "profile" -- this is the parameter you should be concerned about17:19
aleethe dogtag ca understands the parameter profile_id -- so the dogtag plugin will convert profile -> profile_id17:20
*** crc32 has quit IRC17:20
aleethe custom type of request basically says ..  sorry just a sec ..17:20
*** crc32 has joined #openstack-barbican17:21
redrobotkfarr looks good so far.  I would like to see the getter methods in the ManagedObject hierarchy removed.  They are not needed in Python.17:21
*** shakamunyi has quit IRC17:23
openstackgerritThomas Herve proposed openstack/python-barbicanclient: Add support for certificate order
woodster_alee, the ca_id and profile are optional parameters on an order though correct? So if I only have a snake oil CA plugin deployed, those wouldn't be needed.  It is only when you have more than one CA plugin that 'ca_id" is select a specific plugin if you want, correct?17:25
aleetherve, the custom type basically says -- "you know you have a ca of type X (in this case dogtag).  Send exactly the parameters that are needed for dogtag -- which in this case would be profile_id"17:26
woodster_alee: so the snake oil plugin can ignore profile, and only has to provide the description for the list of ca-id's call, correct?17:26
aleetherve, those will be passed unchanged to the dogtag ca17:26
aleewoodster_, ca_id and profile are optional17:26
aleewoodster_, snakeoil can ignore them -- although if you do provide a ca_id and it does not match an existing ca, then the order will fail17:27
thervealee, OK...17:28
thervealee, Anyhow just committed the changes17:28
aleewoodster_, which makes sense -- so you can choose not to provide them - but if you provide profile, you must provide ca_id, and if you provide ca_id, it must be right.17:28
aleetherve, cool will look shortly ..17:29
elmikokfarr: thanks! looking now17:29
aleegrabbing quick lunch ..17:29
SheenaGalee, woodster_ sending invites now17:29
SheenaGLet me know if those times don't work17:29
SheenaGI'm pretty flexible17:29
*** alee is now known as alee_nosh17:29
elmikokfarr: also, that is the best looking diagram i have ever seen in an etherpad ;)17:29
hockeynutdave-mccowan ping17:30
dave-mccowanhockeynut pong17:30
hockeynutit looks like the "1" users are for valid tests and "2" users should fail - right?17:30
elmikokfarr, rellerreller, redrobot, i was curious about the process for proposing changes to castellan. i have an idea for improved configuration options but i'd like to formalize it somehow. i realize there might not be specs repo for this stuff, what do you guys advise?17:31
dave-mccowanhockeynut 1 users have a role in project 1, and 2 users have a role in project 2.17:31
hockeynutok.  wondering if there's a more self-documenting way to name them without making each name 180 chars long17:32
rellerrellerelmiko I am not sure. etherpad?17:32
hockeynutI was hoping for something like _access and _noaccess suffixes if that's what the 1 and 2 means17:32
redrobotelmiko good question...  we could add a castellan-specs repo?  or we could test out one of woodster_ 's suggestions and just make a documentation CR with the proposed change.17:33
dave-mccowanhockeynut i tried:  "admin1" has the "admin" role in "project1"17:33
hockeynutalmost done reviewing.  A few small items but otherwise it's rockin'17:34
elmikorellerreller, redrobot, i can certainly add it to the pad for us to talk about at summit. so far i've been thinking about making a fork on github and using that as my scratchpad.17:34
*** shakamunyi has joined #openstack-barbican17:34
redrobotdave-mccowan hockeynut how about p1_admin, p2_admin (for project 1 and project 2) ... that way you could have p1_admin1 and p1_admin2 to check that other admin's can't get to your private secret17:35
hockeynutproj1_admin, proj2_admin perhaps?17:35
hockeynutp1 has special meaning for us F1 fans, right reaperhulk ?17:35
elmikoredrobot: maybe we don't need a repo yet, not sure i understand the documentation CR idea. just mark up the docs or add a doc?17:35
*** tkelsey has quit IRC17:39
redrobotelmiko basically modify the user guide to give examples of how the new feature would work...  but now that I think about it, it may not make sense for a client lib.17:39
redrobotelmiko but yeah, etherpad would work.17:40
dave-mccowanhockeynut, redrobot my last patch set changed from "project1" and "admin1" to "barbican_project1" and "barbican_admin1".  so that would be: "barbican_proj1_admin" to put them together.17:40
elmikoredrobot: k, i'll add a paragraph to discuss it at summit17:40
hockeynutdave-mccowan I hear ya, but I think that's actually nicely readable17:41
hockeynutdave-mccowan done reviewing - a few things to make it more readable/etc (can you tell I'm a fan of readability?)17:42
dave-mccowanhockeynut: redrobot had a good suggestion that we might want to two admins or two creators in a project for more test variations.  barbican_proj_a_admin and barbican_proj_b_admin?   (i'll leave adding additional users for another day, but want to get the namespace right)17:49
arunkantany reviewer for ACL API changes mentioned in ACL docs review comment,cm . Looking for community opinion for these API changes.17:50
hockeynutdave-mccowan redrobot  so the convention would be barbican_proj_<projname>_<role> ?  then we could just append a sequence number for multiple users17:50
dave-mccowanhockeynut, redrobot.  or: barbican_a_admin and barbican_b_admin   or: barbican_pa_admin and barbican_ba_admin   or:  barbican_red_admin and barbican_blue_admin17:51
hockeynutdave-mccowan I like that better17:51
redrobothockeynut dave-mccowan why the barbican_ prefix?17:51
dave-mccowanhockeynut, yea, and i think i'll change the CONF variable names too to match.17:52
dave-mccowanredrobot some nut made me do it. ;-)17:53
hockeynutredrobot thinking about a company who might want naming to be more project-specific than just "admin1"17:54
*** xaeth is now known as xaeth_afk17:58
reaperhulkp1 hockeynut18:01
reaperhulkway to steal nico's seat18:02
redrobothockeynut dave-mccowan I think the "barbican_" prefix is not necessary.   They'll probably be the only users in the dsvm at the gate.18:03
*** alee_nosh is now known as alee18:03
aleewoodster_, Sheena_ times good for me18:04
hockeynutdave-mccowan yeah, I think we can drop the barbican_  If anyone needs to change the names then they can do that locally18:05
kfarrelmiko, thanks!  I agree, the config options should be modified and I was trying out the tox auto config generator. I think changing the config options might not need a full-blown spec anyway18:10
dave-mccowanredrobot did you want to review this CR again?  if so, i'll wait for your comments before the next patch set.    anyone else?18:12
dave-mccowanhockeynut, redrobot.  what do you think?
hockeynutdave-mccowan I like it except line 6 should be project_b=project_b so -50 points18:21
elmikokfarr: ok, cool. i'm cross referencing with some of the oslo libs to hopefully provide a nice template that we could follow.18:22
aleetherve, ping18:22
*** xaeth_afk is now known as xaeth18:38
*** jaosorior has quit IRC18:42
*** silos has joined #openstack-barbican19:07
*** xaeth is now known as xaeth_afk19:13
*** crc32 has quit IRC19:21
elmikokfarr: i added a few thoughts to the etherpad19:28
kfarrThanks elmiko!19:28
elmikokfarr: so, as it turns out i'm supposed to be chairing a sahara session at the same time as the castellan session. i'm trying to work with our PTL to get my session switched for another, so hopefully this will work out. just a heads up =)19:30
thervealee, Hey, around for a bit19:31
kfarrelmiko, oh no!  I hope everything will work out19:31
therveJust saw your comments19:31
elmikokfarr: lol, me too!19:31
aleetherve, ok - make sense?19:32
thervealee, Yep definitely19:32
thervealee, I'll indeed postpone the generation argument, if that's ok19:32
aleetherve, sure makes sense to me19:32
redrobotelmiko we could move castellan to the next slot.19:36
elmikoredrobot: maybe wait till monday, i sent an email to our ptl but haven't heard back yet19:38
elmikoi didn't want to intrude too much on your scheduling, so i'm trying to work with our slots. but if that fails then i'll gladly take you up on the offer =)19:38
openstackgerritThomas Herve proposed openstack/python-barbicanclient: Add support for certificate order
*** SheenaG has quit IRC19:53
*** atiwari1 has joined #openstack-barbican19:56
*** atiwari has quit IRC19:59
*** atiwari2 has joined #openstack-barbican20:06
*** atiwari1 has quit IRC20:10
elmikoredrobot, kfarr, ok problem averted. we switched the sahara schedule around.20:13
*** shakamunyi has quit IRC20:17
rellerrellerelmiko Awesome!20:23
*** SheenaG has joined #openstack-barbican20:27
*** silos has left #openstack-barbican20:33
*** shakamunyi has joined #openstack-barbican20:48
aleeredrobot, ping20:58
aleewoodster_, redrobot - I just updated my instance to latest code and now for some reason, when I try to create an order, I get this : "Order creation attempt not allowed - please review your user/project privileges"20:59
*** rm_work|away is now known as rm_work21:00
aleeI'm using unauthenticated mode -- and I used to install.  my config files look pretty much the same as before (minus a few comments)21:00
aleeso what am I missing?21:00
*** shakamunyi has quit IRC21:03
openstackgerritDave McCowan proposed openstack/barbican: Add Multi-user support for Functional Tests
*** rellerreller has quit IRC21:07
*** xaeth_afk is now known as xaeth21:09
aleedave-mccowan, redrobot any idea?21:16
*** shakamunyi has joined #openstack-barbican21:22
dave-mccowanalee, i haven't see that issue or seen any recent merged changes in that area.21:28
aleedave-mccowan, yeah - something in my environment perhaps -- looking --- it works when I go back to an earlier tree -- seeing what changed21:29
*** xaeth is now known as xaeth_afk21:45
SheenaGalee, alee_ what does Wednesday look like for you?21:51
SheenaGI forgot woodster_ has stuff on Tuesdays21:51
aleeSheena_, wednesday is fine - I'm pretty much free.21:52
*** kebray_ has joined #openstack-barbican21:53
*** kebray has quit IRC21:55
SheenaGalee I'll schedule round #2 for Wed then - thanks sir21:58
aleenp  thanks21:58
*** nelsnelson has quit IRC21:59
*** pglass has quit IRC22:01
*** shakamunyi has quit IRC22:04
*** barra204 has joined #openstack-barbican22:05
*** SheenaG has quit IRC22:18
openstackgerritDave McCowan proposed openstack/barbican: Add Functional Tests for ACLs Using Multiple Users
*** igueths has quit IRC22:33
*** SheenaG has joined #openstack-barbican22:33
*** kebray_ has quit IRC22:36
*** kebray has joined #openstack-barbican22:48
*** kfarr has quit IRC23:02
*** atiwari1 has joined #openstack-barbican23:04
*** atiwari2 has quit IRC23:07
openstackgerritJohn Wood proposed openstack/barbican: Port the Architecture, Dataflow, and Project Strucure docs
*** barra204 has quit IRC23:22
*** SheenaG has quit IRC23:23
*** SheenaG has joined #openstack-barbican23:53
*** SheenaG has quit IRC23:55
*** atiwari2 has joined #openstack-barbican23:55
*** atiwari1 has quit IRC23:58
