Tuesday, 2015-06-16

[00:10] *** stanzi has quit IRC
[00:16] *** stanzi has joined #openstack-barbican
[00:24] *** david-lyle has quit IRC
[00:34] *** kfox1111 has quit IRC
[00:42] *** SheenaG has quit IRC
[01:05] *** zz_dimtruck is now known as dimtruck
[01:11] *** stanzi has quit IRC
[01:33] *** SheenaG has joined #openstack-barbican
[01:40] *** gyee_ has quit IRC
[02:08] *** david-lyle has joined #openstack-barbican
[02:10] *** kebray has joined #openstack-barbican
[02:28] *** SheenaG has quit IRC
[02:45] *** kebray has quit IRC
[02:51] *** kebray has joined #openstack-barbican
[03:08] *** nkinder__ has quit IRC
[03:34] *** stanzi has joined #openstack-barbican
[03:35] *** stanzi has quit IRC
[03:55] *** redrobot has quit IRC
[04:02] *** dimtruck is now known as zz_dimtruck
[05:20] *** stanzi has joined #openstack-barbican
[05:20] *** stanzi has quit IRC
[05:32] *** stanzi has joined #openstack-barbican
[05:44] *** stanzi has quit IRC
[06:07] *** Nirupama has joined #openstack-barbican
[06:31] *** shohel has joined #openstack-barbican
[06:57] *** kebray has quit IRC
[06:59] *** nickrmc83 has joined #openstack-barbican
[07:08] *** greghaynes has quit IRC
[07:10] *** greghaynes has joined #openstack-barbican
[07:18] *** chlong has quit IRC
[07:21] *** woodster_ has quit IRC
[08:11] *** shohel has quit IRC
[08:11] *** shohel has joined #openstack-barbican
[08:27] *** jaosorior has joined #openstack-barbican
[08:27] *** nickrmc84 has joined #openstack-barbican
[08:29] *** nickrmc83 has quit IRC
[08:29] *** nickrmc84 has quit IRC
[08:30] *** nickrmc83 has joined #openstack-barbican
[09:00] *** chlong has joined #openstack-barbican
[09:07] *** chlong has quit IRC
[09:21] *** chlong has joined #openstack-barbican
[09:26] *** nickrmc83 has quit IRC
[10:38] *** shohel has quit IRC
[11:10] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Add project_id to Secret model  https://review.openstack.org/181025
[11:10] *** SheenaG has joined #openstack-barbican
[11:21] *** nickrmc83 has joined #openstack-barbican
[12:25] *** SheenaG has quit IRC
[12:26] *** SheenaG has joined #openstack-barbican
[12:31] *** nickrmc83 has quit IRC
[12:31] *** nickrmc83 has joined #openstack-barbican
[12:41] *** redrobot has joined #openstack-barbican
[12:42] *** redrobot is now known as Guest74993
[12:43] *** Guest74993 is now known as el_robot_rojo
[12:44] *** el_robot_rojo is now known as redrobot
[13:44] *** rellerreller has joined #openstack-barbican
[13:45] *** alee has joined #openstack-barbican
[13:48] <jaosorior> dogtag is off experimental
[13:51] <alee> jaosorior, yay
[13:51] <alee> jaosorior, are the tests passing?
[13:51] <jaosorior> so far
[13:52] <jaosorior> I was doing a bunch of check experimentals before the project-config CR landed, and it was passing
[13:53] <jaosorior> and these two (which I would appreciate if you review) https://review.openstack.org/#/c/178601/  https://review.openstack.org/#/c/181025/ actually ran with dogtag in the standard gate, and it passes
[13:54] <alee> jaosorior, nice segue :)
[13:55] <jaosorior> TIL the word segue :P
[13:59] <redrobot> alee jaosorior \o/
[13:59] *** stanzi has joined #openstack-barbican
[14:02] <jaosorior> yay :D
[14:02] <jaosorior> redrobot: You might want to take a look at this: https://www.mail-archive.com/openstack-dev@lists.openstack.org/msg55739.html
[14:02] *** zz_dimtruck is now known as dimtruck
[14:03] <redrobot> jaosorior ah yeah... it's on my to-do list.
[14:04] <jaosorior> redrobot: How's stuff otherwise?
[14:05] <redrobot> jaosorior pretty good, thanks!  Doing some Kilo backporting today
[14:05] <jaosorior> redrobot: I saw. Wanted to give a score to the "500 if no payload" CR but I couldn't :/
[14:06] <redrobot> jaosorior hmm... weird... I'll have to check on stable branch permissions
[14:09] *** woodster_ has joined #openstack-barbican
[14:11] *** kfarr has joined #openstack-barbican
[14:17] *** SheenaG has quit IRC
[14:21] *** insequent has quit IRC
[14:22] *** pglass has joined #openstack-barbican
[14:23] *** stanzi has quit IRC
[14:24] <rellerreller> jaosorior ping woodster_ to review that patch about the project ID. If he is ok with the db question I raised then I will +2. Then you just need a workflow.
[14:24] *** stanzi has joined #openstack-barbican
[14:24] <jaosorior> redrobot: Now I could score the CR :/ weird
[14:24] <jaosorior> woodster_ are you around?
[14:26] <woodster_> jaosorior: heading into work, how are things?
[14:27] *** SheenaG has joined #openstack-barbican
[14:27] <woodster_> rellerreller: I'll catch up in a bit
[14:27] <rellerreller> woodster_ no worries. Travel safely.
[14:28] *** kfarr1 has joined #openstack-barbican
[14:29] <jaosorior> woodster_: All good, dude. No worries, we'll bother you when you're at the office :P
[14:29] *** kfarr has quit IRC
[14:29] *** SheenaG1 has joined #openstack-barbican
[14:31] *** SheenaG has quit IRC
[14:32] *** kfarr1 has quit IRC
[14:39] <jaosorior> redrobot, alee: Should the dogtag related changes be ported to kilo/stable too?
[14:39] <woodster_> rellerreller: jaosorior looking at the CR now...
[14:41] <alee> jaosorior, redrobot that would be nice
[14:42] <woodster_> rellerreller: jaosorior yeah migrations are tricky...ideally you mod the schema first (but still work with current code), then make the code work with both old schema and new (but new records use the new schema), then make a migration that catches the old records up to the new schema, then clean up the code to only use the new schema
[14:43] *** Nirupama has quit IRC
[14:47] <jaosorior> woodster_: For the record, mind answering that in the CR? :D
[14:47] <rellerreller> woodster_ that sounds extremely complicated, especially for items that are mutable. I do not envy you :)
[14:48] *** kfarr has joined #openstack-barbican
[14:50] <openstackgerrit> Kevin Bishop proposed openstack/barbican: Replace oslo incubator code with i18n  https://review.openstack.org/192231
[14:50] <woodster_> rellerreller: well, I think it would be easier to test this sort of thing if we were using grenade tests. Zero downtime is tricky though :\
[14:50] <woodster_> jaosorior: will do
[14:51] *** Kevin_Bishop has joined #openstack-barbican
[14:55] *** stanzi has quit IRC
[14:59] <redrobot> jaosorior alee  which dogtag changes?  I've already ported the critical bugfix for the base64 issue.
[15:01] <jaosorior> redrobot: https://review.openstack.org/#/c/189379/ without this CR you cannot run the SecretStore and the CA plugins at the same time
[15:01] *** kebray has joined #openstack-barbican
[15:01] *** kebray has quit IRC
[15:01] <alee> redrobot, there were changes in the way we set up the certdb for the ca/kra client certs.  we needed these to get both secretStore and CA plugin at the same time.
[15:01] <redrobot> jaosorior hmm... k.  wanna file a bug for it against the Kilo branch?
[15:02] *** kebray has joined #openstack-barbican
[15:02] <jaosorior> well, I gotta go, but I could file it in an hour or so
[15:02] *** rellerreller has quit IRC
[15:02] <redrobot> jaosorior sure, just ping me when you get a chance to file it
[15:02] *** xaeth_afk is now known as xaeth
[15:02] <jaosorior> alee: You could file it too though
[15:03] <alee> jaosorior, either way .. I'm ok with you filing it :)
[15:04] *** kfarr has quit IRC
[15:04] *** rellerreller has joined #openstack-barbican
[15:04] <alee> jaosorior, otherwise if you want to take off, I can do it now ..
[15:05] <woodster_> rellerreller: Hey Nate, you might also run the migration situation by Joel to get his opinion on things
[15:05] <rellerreller> woodster_ I can do that to see what he thinks.
[15:09] *** stanzi has joined #openstack-barbican
[15:15] *** stanzi has quit IRC
[15:18] <alee> woodster_, ping
[15:20] <alee> woodster_, jaosorior , redrobot , rellerreller , chellygel -- need some looks at https://review.openstack.org/#/c/187236/ please
[15:21] *** kfox1111 has joined #openstack-barbican
[15:21] *** kfarr has joined #openstack-barbican
[15:22] <kfox1111> so, what is the difference between Castellan, Certmonger and Anchor?
[15:23] *** stanzi has joined #openstack-barbican
[15:23] <kfox1111> The latter two have both been recommended to the Magnum folks in a thread recently on the mailing list.
[15:24] <redrobot> kfox1111 Castellan is a key manager interface.  Allows app devs to add a pluggable key manager to their app, thus allowing use of Barbican or other backends if barbican is not available.
[15:24] <kfox1111> I'm thinking the same reasoning may affect the nova instance user spec I've been working on.
[15:24] <kfox1111> how does it relate to the other two though?
[15:25] <redrobot> kfox1111 Certmonger is a daemon that runs in a node and monitors TLS certificate status, and is able to reprovision a TLS cert when it's about to expire.
[15:25] <openstackgerrit> Kevin Bishop proposed openstack/barbican: Replace oslo incubator code with i18n  https://review.openstack.org/192231
[15:25] <redrobot> kfox1111 Anchor is a Certificate Authority, it provisions short-lived TLS certificates
[15:25] <kfox1111> hmmm... ok.
[15:26] <kfox1111> so Castellan's probably what magnum would want to use.
[15:26] <redrobot> kfox1111 I haven't had a chance to catch up on the Magnum thread, but I have it on my todo list for today.
[15:26] <kfox1111> same goes for the nova instance spec.
[15:26] <kfox1111> would you be opposed to me s/barbican/castellan/ in the nova instance user spec?
[15:26] *** kfarr has quit IRC
[15:27] <redrobot> kfox1111 not at all... I think the majority of Service projects will probably benefit from Castellan
[15:27] *** rm_you| has quit IRC
[15:27] <redrobot> kfox1111 the only downside of Castellan is that it will probably never issue TLS certs
[15:27] <kfox1111> for the keystone user ca stuff?
[15:27] *** rm_you| has joined #openstack-barbican
[15:28] *** elmiko has joined #openstack-barbican
[15:28] <kfox1111> it won't have an api for it, or it won't do it directly?
[15:28] <redrobot> kfox1111 won't have an API for it.
[15:29] <kfox1111> don't think it will work for the instance user thing then.
[15:29] <kfox1111> well... let me make sure I get this straight.
[15:29] <redrobot> kfox1111 yeah, I still haven't fully grokked the User CA spec.  I think Barbican would be issuing x509 certs for ID purposes?
[15:30] <kfox1111> the instance user thing will need a CA for producing x509 user certs. It can be a self signed CA though.
[15:30] <kfox1111> yeah. exactly.
[15:30] <redrobot> kfox1111 and possibly we would need a new root per User/Project?
[15:30] <kfox1111> no, one for all of nova should be fine.
[15:31] <kfox1111> some attribute for instance uuid would be stuck in.
[15:31] <kfox1111> then keystone can validate that if it came from Nova's CA, it trusts it as user instance_uuid.
[15:32] <redrobot> kfox1111 I think there's a handful of specs in review that would be needed for this all to work
[15:32] <kfox1111> :/  k.
[15:32] <redrobot> kfox1111 like being able to assign a preferred CA to a user
[15:32] <kfox1111> doable in the liberty time frame?
[15:33] <redrobot> kfox1111 possibly.  They're on the roadmap for Liberty, but so is a ton of other stuff :-\
[15:33] <alee> kfox1111, redrobot - I think a lot of what I see you are looking for is already there.
[15:33] <redrobot> alee I was thinking about the per-user sub-CAs
[15:33] <redrobot> alee so we can assign a CA to the Nova service user
[15:33] <alee> kfox1111, is there a spec which describes what you're looking for?
[15:34] <alee> redrobot, well sure - but I was not clear that's what he was looking for ..
[15:34] <kfox1111> alee: yeah. just a sec.
[15:35] <kfox1111> I need a CA for Nova to create x509 user certs that no one else can use, so that Keystone can trust certs from the CA.
[15:35] <redrobot> kfox1111 and Barbican will be storing all certs?
[15:35] <kfox1111> There are probably many different ways to skin that cat.
[15:36] <kfox1111> At least provisioning them.
[15:36] <kfox1111> I'm thinking for now, nova will store them once issued so a second round trip per call isn't needed.
[15:37] <alee> kfox1111, awesome, this is exactly the kind of thing  we are adding subcas to dogtag for.
[15:37] *** stanzi has quit IRC
[15:37] <alee> kfox1111, in fact the immediate use case we had was to create a subca for a puppet domain
[15:37] <kfox1111> ah. interesting. :)
[15:38] <alee> (within ipa) but it's the exact same mechanism
[15:38] <kfox1111> I asked earlier, but this seems like an ideal time.
[15:38] <kfox1111> has anyone talked with the designate folks about integration?
[15:38] <alee> so there are a few blueprints that are out there ..
[15:38] <kfox1111> we really need a way to get tls certs for subdomains we're allowing tenants to own.
[15:38] <redrobot> kfox1111 nope, haven't talked to any designate folks
[15:39] <kfox1111> the dns stuff is really cool, but if you can't secure it by putting tls on it, it really hurts. :/
[15:39] <alee> kfox1111, redrobot  https://review.openstack.org/#/c/187236/
[15:39] <alee> redrobot, which incidentally needs a look-see please
[15:39] <alee> that exposes being able to generate a subca by a project admin
[15:39] <redrobot> alee hehe... I'd say you're by far the most pro-active review getter :-P
[15:40] <kfox1111> alee: thanks. having a look.
[15:40] *** kfarr has joined #openstack-barbican
[15:40] <alee> that will expose the functionality that dogtag implements through barbican
[15:41] <alee> kfox1111, and then as a client - well there would be lots of options depending on how you want to do it
[15:41] <alee> nova could use barbican-client, or maybe if you're doing this on a node, you use certmonger
[15:42] <kfox1111> not done reading the spec yet. so far it looks good. it does imply what's in kilo would work for my use case though, while being more manual?
[15:43] <kfox1111> alee, yeah, nova's the one using the cert, not the instance so probably just barbican-client.
[15:43] <kfox1111> was thinking about Castellan, but if it can't do CA stuff then it wouldn't work.
[15:44] <alee> kfox1111, right - there are discussions of castellan eventually being able to do cert stuff -- I think that will make another round at Tokyo.
[15:44] <alee> or maybe the midcycle.
[15:45] <alee> kfox1111, well yes - although this only works using dogtag as a ca backend
[15:45] <redrobot> alee kfox1111 well, I think Castellan will be able to store Certs, but will probably never be able to issue them
[15:45] *** kfarr has quit IRC
[15:45] <redrobot> alee kfox1111 the problem is typical key storage devices don't also act as CAs
[15:45] <kfox1111> can you restrict one of the ca's in kilo to a specific project?
[15:46] <alee> kfox1111, yes
[15:46] <alee> kfox1111, that's in the cas interface I put in in kilo
[15:46] *** SheenaG1 has quit IRC
[15:46] <alee> kfox1111, at some point, I'll get around to writing api docs for that
[15:46] <alee> kfox1111, let me find the blueprint
[15:47] <kfox1111> ok cool.
[15:48] <alee> kfox1111, https://review.openstack.org/#/c/129048/
[15:48] <kfox1111> redrobot: I don't quite follow.
[15:49] <redrobot> kfox1111 Castellan allows you to have different key manager backends.  Barbican is one choice, but other choices would include KMIP devices, PKCS#11 devices, etc.
[15:49] <redrobot> kfox1111 usually these types of devices don't act as CAs that can provision certs
[15:49] <redrobot> kfox1111 so the Castellan abstraction could never have CA capabilities because it would force people using non-barbican devices to deploy some sort of CA
[15:50] <kfox1111> redrobot: But does Castellan have an api to provision x509 user certs?
[15:51] <redrobot> kfox1111 I don't think so.  Currently provisioning can only be done for symmetric keys (such as for AES encryption) and Asymmetric RSA keys.
[15:51] <kfox1111> ah. so Castellan's targeting the lowest common denominator with its api?
[15:51] <redrobot> kfox1111 indeed.
[15:51] <kfox1111> I understand.
[15:52] <alee> kfox1111, think of castellan as an interface to a secret storage device -- and that's it -- x509 cert issuance is a totally different function and probably should be a totally different interface
[15:52] <kfox1111> ok. so at the moment, barbicanclient's the only option.
[15:52] <alee> or certmonger ..
[15:53] <alee> kfox1111, I'm working on patches to have certmonger talk to barbican
[15:54] <kfox1111> cool. not sure how certmonger would fit into the user cert workflow though.
[15:54] <redrobot> yeah, seems that certmonger would be overkill for a single cert issue
[15:55] <kfox1111> the user certs would be stored in the nova database, so the nova metadata server can scale across nodes.
[15:55] <kfox1111> I'd think certmonger would cause issues with scaling that out.
[15:56] <redrobot> brb, gotta run to a meeting
[15:57] <kfox1111> redrobot: k. thanks.
[15:57] <alee> kfox1111, so let me try and understand how this would work -- nova would provision a cert for a user -- does it generate the private key and the csr?
[15:58] <alee> kfox1111, and then store that private key locally?
[15:58] *** SheenaG has joined #openstack-barbican
[15:58] <kfox1111> hadn't really thought through that part, but yeah, it could.
[15:59] <alee> kfox1111, so the private key gets pushed down when the vm is configured?
[15:59] <kfox1111> nova keeps the private key. never hands it to the vm. if the vm asks for a keystone token,
[15:59] <kfox1111> the nova metadata server contacts keystone using the user cert it created for that vm, and gets a fresh keystone token,
[15:59] <kfox1111> and hands it back to the vm.
[16:00] <kfox1111> the vm can then use the keystone token to talk to whatever it needs to/has permission to.
[16:00] *** kfarr has joined #openstack-barbican
[16:00] *** alee is now known as alee_afk
[16:00] <kfox1111> that way, someone can't just go run off with the vm's user cert and use it outside of the vm.
[16:01] *** nickrmc83 has quit IRC
[16:01] <kfox1111> and the vm still has an easy way to fetch fresh tokens.
[16:02] *** kfarr_ has joined #openstack-barbican
[16:04] *** kebray has quit IRC
[16:04] *** kfarr has quit IRC
[16:05] *** chadlung has joined #openstack-barbican
[16:05] *** kebray has joined #openstack-barbican
[16:06] *** alee_afk is now known as alee
[16:10] *** elmiko has quit IRC
[16:10] *** dimtruck is now known as zz_dimtruck
[16:12] *** zz_dimtruck is now known as dimtruck
[16:18] *** SheenaG1 has joined #openstack-barbican
[16:19] *** SheenaG has quit IRC
[16:20] *** kfarr has joined #openstack-barbican
[16:21] *** insequent has joined #openstack-barbican
[16:43] *** kfarr has quit IRC
[16:45] <alee> jaosorior, https://review.openstack.org/#/c/127823/2/specs/liberty/api-add-copy-constructor.rst,cm
[16:46] <alee> jaosorior, so if copy_id is provided and any other parameters are provided, we should throw an error?
[16:49] *** kfox1111 has quit IRC
[16:50] *** kfox1111 has joined #openstack-barbican
[16:51] <openstackgerrit> Kevin Bishop proposed openstack/barbican: Replace oslo incubator code with oslo_utils  https://review.openstack.org/191960
[16:53] *** rellerreller has quit IRC
[16:53] <notmyname> I'm going to a meetup tonight about https://hashicorp.com/blog/vault.html. anything I should pay close attention to?
[16:56] *** stanzi has joined #openstack-barbican
[17:01] *** stanzi has quit IRC
[17:03] *** kfarr has joined #openstack-barbican
[17:10] *** kfarr_ has quit IRC
[17:11] *** kfarr has quit IRC
[17:12] *** alee has quit IRC
[17:13] *** kebray has quit IRC
[17:13] <openstackgerrit> Kevin Bishop proposed openstack/barbican: Replace oslo incubator code with i18n  https://review.openstack.org/192231
[17:24] <kfox1111> any rdoish rpm's for barbican yet? any documentation on the CA features of barbican?
[17:24] *** alee has joined #openstack-barbican
[17:24] <openstackgerrit> Ade Lee proposed openstack/barbican-specs: Added spec for copy constructor for secrets and containers  https://review.openstack.org/127823
[17:24] *** gyee has quit IRC
[17:26] <alee> kfox1111, we're working on the rdo rpms for barbican -- elmiko and xaeth are getting barbican into fedora and from there to rdo
[17:26] <alee> kfox1111, as for ca docs ..
[17:26] *** gyee has joined #openstack-barbican
[17:27] <alee> kfox1111, https://review.openstack.org/186771
[17:28] <kfox1111> cool. thanks.
[17:28] <kfox1111> any link to the fedora rpms?
[17:28] <alee> kfox1111, just to the review - just a sec
[17:28] <kfox1111> ok. thanks.
[17:29] <alee> kfox1111, https://bugzilla.redhat.com/show_bug.cgi?id=1190269
[17:29] <openstack> bugzilla.redhat.com bug 1190269 in Package Review "Review Request: openstack-barbican - Secrets as a Service" [Medium,Assigned] - Assigned to karlthered
[17:30] <kfox1111> awesome. thanks. :)
[17:30] * kfox1111 sighs
[17:30] <kfox1111> I always have to reset my redhat bugzilla password....
[17:30] <alee> interesting -- guess some bot picked that up ..
[17:30] <kfox1111> yup. :)
[17:32] <alee> jaosorior, woodster_ modified https://review.openstack.org/127823 as requested ..
[17:32] <alee> woodster_, jaosorior , rellerreller, kfarr ^^
[17:33] *** SheenaG1 has quit IRC
[17:41] <kfox1111> arg. the rpm's still held up by the lack of a start script?
[17:44] *** stanzi has joined #openstack-barbican
[17:45] *** kfarr has joined #openstack-barbican
[17:46] <alee> kfox1111, yeah -- but what we've decided is to get things going initially with a simple start script that uses uwsgi
[17:47] <alee> kfox1111, concurrently elmiko will work on a wsgi container
[17:47] <alee> that can be deployed as an apache module
[17:47] <alee> kfox1111, that's the approach we will ultimately use in rdo
[17:48] *** Kevin_Bishop has quit IRC
[17:48] <alee> elmiko is out for a few days but he'll pick that up when he gets back.
[17:51] *** stanzi has quit IRC
[17:52] *** Kevin_Bishop has joined #openstack-barbican
[17:54] <kfox1111> ok. thanks.
[17:55] <kfox1111> somewhat curious. almost none of the other openstack services run in apache. why not do what they are doing?
[17:58] <alee> kfox1111, keystone is running in apache
[17:59] <kfox1111> it can run in apache. no rdo deployment works that way out of the box today.
[17:59] <kfox1111> the only thing using apache is horizon.
[18:00] <alee> kfox1111, running in apache makes some things a lot easier -- like setting up tls for instance, or running certain auth modules for instance
[18:00] <alee> kfox1111, yeah - but I think that's the direction we want to go.
[18:00] <kfox1111> all of the other modules are broken for tls. We've had to put haproxy in front of them all to do tls.
[18:00] <kfox1111> so I'm not sure what apache really buys you. :/
[18:01] <kfox1111> the auth modules make sense for keystone.
[18:01] <kfox1111> I'm not sure what barbican in apache buys though.
[18:02] *** stanzi has joined #openstack-barbican
[18:02] *** elmiko has joined #openstack-barbican
[18:03] <alee> kfox1111, a consistent deployment perhaps ?  after all we'll do it in the way that at least a couple other services do it ..
[18:03] <alee> kfox1111, and we fix tls for keystone, and horizon and barbican , and ..
[18:04] <kfox1111> barbican in apache is inconsistent with everything else. ;)
[18:05] <alee> kfox1111, everything else is inconsistent with everything else ..
[18:05] <kfox1111> nova, neutron, glance, swift, rados gw, designate, sahara, .... all run out of separate systemd units.
[18:06] <kfox1111> they are all consistent in that you use systemctl to start/stop their pieces. horizon and maybe keystone are the exceptions currently.
[18:07] <kfox1111> you can discover them with systemctl | grep openstack-project-name too.
[18:09] <alee> kfox1111, there is no reason to think that just because barbican is deployed behind apache, it won't have systemd start/stop scripts as well.
[18:09] <kfox1111> for barbican?
[18:10] <kfox1111> the unit files will add/remove a site out of apache and kick it?
[18:10] <alee> kfox1111, could be
[18:11] <kfox1111> seems... less than ideal...
[18:11] <kfox1111> I'm sure it would work, but it somehow feels dirty...
[18:12] *** Kevin_Bishop has quit IRC
[18:12] <alee> kfox1111, you raise some good points and we'll look at how horizon/keystone do things when deciding how to move forward
[18:13] <kfox1111> horizon is just slid in apache. it just uses apache's start/stop.
[18:13] <kfox1111> keystone isn't ever shipped inside apache today by rdo. so it's totally up to the admin to do that if they want today.
[18:14] *** stanzi has quit IRC
[18:14] <kfox1111> thanks. :)
[18:14] *** stanzi has joined #openstack-barbican
[18:20] <alee> kfox1111, are acls something that would be needed for subcas as woodster_ suggests?
[18:21] <kfox1111> I could potentially see it being useful, but not entirely sure...
[18:22] <kfox1111> might be more useful if subcas can be nested?
[18:22] <kfox1111> It's not clear how Designate and Barbican ultimately will hook together. the teams haven't discussed things yet.
[18:22] <kfox1111> Designate lets you create a subdomain on one project, then transfer it to another.
[18:23] <kfox1111> I can see maybe creating a ca, then transferring the subca along with the subdomain?
[18:23] <kfox1111> though maybe that's just a transfer, not an acl thing.
[18:24] *** Kevin_Bishop has joined #openstack-barbican
[18:24] <alee> kfox1111, woodster_ right - well - let's say you create a sub ca.  This gives you an entry ca_id in the ca table.  this entry will have your project_id as the owner in the table.
[18:24] <alee> (at least that's how the spec is currently written)
[18:24] *** crc32 has joined #openstack-barbican
[18:25] <alee> now you can ask for a sub_ca of that ca_id
[18:25] <alee> so that would be a nested sub ca
[18:25] <alee> and that entry would also have your project_id
[18:25] *** silos has joined #openstack-barbican
[18:26] <alee> only users that were members of that project would be able to use the subca or the sub-sub-ca
[18:26] <alee> i.e. list/view/get certs from
[18:27] <alee> kfox1111, would that work in your case?
[18:27] <alee> kfox1111, or would we need to add the concept of an acl?
[18:27] <kfox1111> honestly, I don't quite understand how subca's work with tls...
[18:27] <kfox1111> I think we'd need to add transfers a la designate or cinder.
[18:28] <kfox1111> where you can change the project_id of that subca.
[18:28] <kfox1111> you'd want somehow to tag the subca as only being authoritative for a particular subdomain.
[18:28] <alee> so what acls do is allow you to specify other users that might not be in that project to use the subca
[18:29] *** crc32 has quit IRC
[18:29] <kfox1111> yeah, if you could add an acl of the other project on the subca, you wouldn't need a transfer then.
[18:30] <alee> kfox1111, right ..  ok  - so acls would be useful.
[18:31] <kfox1111> yeah, I guess I can see a concrete case for it.
[18:32] *** kebray has joined #openstack-barbican
[18:32] <alee> kfox1111, I'm just wondering if it needs to be there at the beginning - or if we should add in M ..
[18:32] <alee> or can be deferred to M
[18:33] <kfox1111> I'd really like to solve the, how does barbican deal with ssl certs for designate subdomains issue,
[18:34] <kfox1111> but may be a bigger challenge than can be solved in Liberty?
[18:34] <kfox1111> the solution may actually be not to use subca's though. not sure.
[18:34] <kfox1111> I'm not sure you can designate a subca for a dns subdomain at all. :/
[18:35] <kfox1111> have any experience with that?
[18:35] <alee> kfox1111, hmm .. seems we need some designate folks ..
[18:36] *** Kevin_Bishop has quit IRC
[18:36] <alee> let me talk to a couple of folks and get back to you.  What's a concise description of the problem ?
[18:36] <kfox1111> perhaps? they are very much just in the dns world. this is tls stuff that's only very tangentially related to dns.
[18:36] <kfox1111> ok. how about an example workflow...
[18:36] <kfox1111> I'm a cloud admin. our cloud owns cloud.pnnl.gov.
[18:37] <kfox1111> I have designate managing it, and it's owned by tenant "mgmt".
[18:38] <kfox1111> I have a new project come along named "foo". I create a keystone tenant "foo", and a designate subdomain, "foo.cloud.pnnl.gov", and transfer the designate subdomain to project foo.
[18:38] <kfox1111> now foo can create vm's, and create all the dns entries they want under x.foo.cloud.pnnl.gov.
[18:38] <kfox1111> user now wants to point their web browser at their webserver https://myserver.foo.cloud.pnnl.gov....
[18:39] <kfox1111> we need a way to get them a cert that says myserver.foo.cloud.pnnl.gov.
[18:39] <kfox1111> and never allow them a cert outside of foo.cloud.pnnl.gov.
[18:40] <kfox1111> make sense?
[18:40] *** elmiko has quit IRC
[18:41] <kfox1111> maybe designate needs some kind of barbican integration, or vice versa for this use case.
[18:43] *** crc32 has joined #openstack-barbican
[18:44] <alee> kfox1111, right - so you're saying you need a ca for foo.cloud.pnnl.gov that issues certs for that domain.  and your web browser would need to import and trust the ca cert for that ca.
[18:44] * kfox1111 winces
[18:44] *** ngupta has joined #openstack-barbican
[18:44] <kfox1111> I think that may be too much of a burden for every user that needs to use the websites to import all the ca's.
[18:45] <kfox1111> we need some kind of chain of trust so you only have to import the root ca.
[18:45] <kfox1111> a lot of our users are going to end up being research scientists. sending them instructions for importing a root ca every time a new project comes along won't fly. they'd rather just use a self signed cert and accept the risk I think. :/
[18:47] <alee> kfox1111, I say a root at foo.cloud.pnnl.gov because you said "never allow them a cert outside of foo.cloud.pnnl.gov"
[18:48] <alee> what did you mean by "never allow them a cert"?
[18:49] <alee> you can always have a root at "cloud.pnnl.gov" which they would import
[18:49] <alee> and have a subca at foo.cloud.pnnl.gov
[18:50] <alee> which would issue certs for that domain
[18:51] <kfox1111> and using that subca, they wouldn't be able to get a bar.cloud.pnnl.gov signature?
[18:51] <kfox1111> I wasn't sure there was a mechanism in place to enforce that.
[18:52] *** stanzi has quit IRC
[18:52] <alee> right - I'm not sure there is ..
[18:53] <kfox1111> then subca's may or may not help solve the issue. :/
[18:53] <kfox1111> barbican can wrap an api around it to enforce it though, or designate can filter the request before it goes to barbican and run everything through designate.
[18:53] <kfox1111> not sure what the best way there is.
[18:54] *** stanzi has joined #openstack-barbican
[18:54] <alee> kfox1111, right - maybe it depends on the scale of the problem.   If I have a big project that wants to ensure this -- then maybe importing a new ca root is not unreasonable.
[18:54] <alee> kfox1111, for small ad-hoc projects, a root ca would suffice
[18:55] <kfox1111> sure, if all your users totally trust all your ca's.
[18:55] <kfox1111> I've seen organizations that use their root ca to man in the middle listen to all https traffic too. :/
[18:56] <kfox1111> I think barbican probably either needs a dns aware api, so that you can request a cert associated with a domain you own,
[18:57] <kfox1111> or designate has the api, and calls into barbican to do it.
[18:57] <alee> kfox1111, sounds like a spec is needed :)
[18:57] <kfox1111> yeah. :/
[18:57] <kfox1111> I've got 5 more specs minimum on my plate right now. :/
[18:57] <kfox1111> this instance user thing's killing me.
[18:57] <kfox1111> it went from one spec, to like 12 so far.
[18:57] *** everjeje has quit IRC
[18:58] <kfox1111> and each spec's taking weeks to get through, since most of the projects tend to be very very silo'd. :/
[18:59] <kfox1111> I'll add it to my spec to submit todo list if you don't get to it first.
[18:59] <kfox1111> these specs really tend to suck to write though, since it's not clear if it belongs to designate or barbican. :/
[19:02] *** pglbutt has joined #openstack-barbican
[19:03] *** pglass has quit IRC
[19:04] <alee> kfox1111, woodster_ - updated https://review.openstack.org/#/c/187236/1 with comments.
[19:05] <arunkant> In local environment, when barbican is started, it starts 2 WSGI processes. Does anybody know where to control this number of processes? Need to remote debug and cannot do with two processes running.
[19:05] <alee> woodster_, kfox1111 let me know if acl can be deferred - and I'll update accordingly with a new version.
[19:06] *** Kevin_Bishop has joined #openstack-barbican
[19:11] *** Kevin_Bishop has quit IRC
[19:14] <kfox1111> If the subca can be restricted to enforcing only for a subdomain, I think acl's right away make sense. otherwise, it can wait I think.
[19:16] *** silos has left #openstack-barbican
[19:17] <jaosorior> alee: now I'm back
[19:17] <jaosorior> regarding this one https://review.openstack.org/#/c/127823/2/specs/liberty/api-add-copy-constructor.rst,cm
[19:18] <jaosorior> alee: I don't have a strong opinion on whether we should throw an error if extra parameters are given when copy_id is issued, whatever you see fit. Only thing is that I thought it would be unnecessary to require anything but copy_id, if that's all we really want from that request
[19:21] <alee> jaosorior, right -- In the latest iteration, I think I make it clearer that only copy_id is needed and we would throw an error otherwise
[19:21] <alee> jaosorior, so feel free to add that +2
[19:22] <jaosorior> I only +1ed it cause of an extra whitespace
[19:22] <jaosorior> Actually commented on the CR already
[19:22] <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements  https://review.openstack.org/192383
[19:23] *** Kevin_Bishop has joined #openstack-barbican
[19:24] *** xaeth is now known as xaeth_afk
[19:26] <jaosorior> redrobot, alee, hockeynut, woodster: this CR has been unreviewed for a whiiiile, got some time to check it out? https://review.openstack.org/#/c/178601/
[19:26] <alee> aargh - whitespace
[19:27] <jaosorior> I recommend a git hook to detect those
[19:29] <jaosorior> alee: https://gist.github.com/mxgrn/663933
[19:29] <jaosorior> alee: aaah, this actually has better instructions for git http://makandracards.com/makandra/11541-how-to-not-leave-trailing-whitespace-using-your-editor-or-git
[19:36] <openstackgerrit> Ade Lee proposed openstack/barbican-specs: Added spec for copy constructor for secrets and containers  https://review.openstack.org/127823
[19:36] <alee> jaosorior, woodster_ redrobot ^^
[19:49] *** kebray has quit IRC
[19:51] <openstackgerrit> Doug Hellmann proposed openstack/barbican: Update version for Liberty  https://review.openstack.org/192413
[19:54] *** stanzi has quit IRC
[19:58] *** SheenaG has joined #openstack-barbican
[19:58] *** insequent has quit IRC
[19:59] <openstackgerrit> Ade Lee proposed openstack/barbican: Added Certificate API Docs and Quick Start Guides  https://review.openstack.org/186771
[19:59] <alee> woodster_, ^^ updated as per request
[19:59] <alee> woodster_, redrobot , chellygel , jaosorior ^^ get out those +2s please
[20:03] *** kfox1111 has quit IRC
[20:06] *** pglass has joined #openstack-barbican
[20:07] *** kebray has joined #openstack-barbican
[20:09] *** chadlung has quit IRC
[20:10] *** pglbutt has quit IRC
[20:12] *** Kevin_Bishop has quit IRC
[20:17] *** Kevin_Bishop has joined #openstack-barbican
[20:24] *** stanzi has joined #openstack-barbican
[20:44] *** Kevin_Bishop has quit IRC
[20:47] <jaosorior> alee: left some questions on that CR, but just minor stuff
[20:47] <alee> jaosorior, thanks -- what time is it for you btw?
[20:47] <jaosorior> at night
[20:48] <alee> jaosorior, oh ok - not as bad as I thought :)
[20:48] <jaosorior> so basically beer&code o' clock
[20:48] <alee> jaosorior, I think that's black licorice tar and code time ..
[20:48] <jaosorior> hahaha, next time I'll bring more of those haha
[20:49] <alee> jaosorior, definitely -- although I'll make sure not to drink some before starting to climb a mountain ..
[20:49] <jaosorior> hahahaha, it made sense at the time
[20:49] *** xaeth_afk is now known as xaeth
[20:50] <alee> jaosorior, sadly yes - it did.
[20:50] *** elmiko has joined #openstack-barbican
[21:06] *** kfarr has left #openstack-barbican
[21:07] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/barbican: Add project_id to Secret model  https://review.openstack.org/181025
[21:07] *** stanzi has quit IRC
[21:12] <jaosorior> redrobot, alee: by the way, for some strange reason I no longer see the errors I used to see in tox... and honestly I have no idea how it started working
[21:12] <alee> jaosorior, I have not tried again recently - will do that again today
[21:13] *** dimtruck is now known as zz_dimtruck
[21:18] *** elmiko has quit IRC
[21:30] *** Daviey has quit IRC
[21:38] *** stanzi_ has joined #openstack-barbican
[21:47] *** stanzi_ has quit IRC
[21:58] *** chadlung has joined #openstack-barbican
[22:02] *** chadlung has quit IRC
[22:10] *** pglass has quit IRC
[22:11] *** kfarr1 has joined #openstack-barbican
[22:12] *** kfarr1 has left #openstack-barbican
[22:14] *** xaeth is now known as xaeth_afk
[22:27] *** SheenaG has quit IRC
[22:38] *** openstackgerrit has quit IRC
[22:39] *** openstackgerrit has joined #openstack-barbican
[22:44] *** darrenmoffat has quit IRC
[22:44] *** darrenmoffat has joined #openstack-barbican
[22:50] *** zz_dimtruck is now known as dimtruck
[22:57] <openstackgerrit> Ade Lee proposed openstack/barbican-specs: Add mechanism for automated certificate renewals  https://review.openstack.org/192453
[22:59] *** chadlung has joined #openstack-barbican
[23:03] *** chadlung has quit IRC
[23:15] *** chlong has quit IRC
[23:20] *** alee has quit IRC
[23:24] *** elmiko has joined #openstack-barbican
[23:28] *** elmiko has quit IRC
[23:31] *** kfox1111 has joined #openstack-barbican
[23:35] *** jaosorior has quit IRC
[23:41] *** stanzi has joined #openstack-barbican
[23:46] *** kfarr has joined #openstack-barbican
[23:46] *** kfarr has left #openstack-barbican
[23:53] *** stanzi has quit IRC
[23:58] *** chadlung has joined #openstack-barbican

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!