Tuesday, 2015-06-30

*** rm_you| has quit IRC00:15
*** rm_work is now known as rm_work|away00:15
*** rm_you has joined #openstack-barbican00:18
*** rm_you has joined #openstack-barbican00:18
*** chlong has joined #openstack-barbican00:32
*** darrenmoffat has quit IRC00:36
*** darrenmoffat has joined #openstack-barbican00:37
*** rm_you| has joined #openstack-barbican00:38
*** rm_you has quit IRC00:38
*** kfarr1 has joined #openstack-barbican00:41
*** rm_you|wtf has joined #openstack-barbican00:43
*** rm_you| has quit IRC00:44
*** rm_you has joined #openstack-barbican00:55
*** rm_you has joined #openstack-barbican00:55
*** rm_you|wtf has quit IRC00:57
openstackgerritKaitlin Farr proposed openstack/castellan: Add Barbican key manager  https://review.openstack.org/17191801:07
openstackgerritSteve Heyman proposed openstack/barbican: Add retry server and functional tests to DevStack  https://review.openstack.org/17089601:08
openstackgerritSteve Heyman proposed openstack/barbican: Add troubleshooting for _bsdbb import error  https://review.openstack.org/19692301:20
*** dave-mccowan has quit IRC01:28
*** dave-mccowan has joined #openstack-barbican01:32
openstackgerritSteve Heyman proposed openstack/barbican: Add retry server and functional tests to DevStack  https://review.openstack.org/17089601:53
*** gyee has quit IRC01:53
*** rm_you| has joined #openstack-barbican02:05
*** rm_you has quit IRC02:08
*** chlong_ has joined #openstack-barbican02:08
*** chlong has quit IRC02:10
*** chlong__ has joined #openstack-barbican02:10
*** chlong_ has quit IRC02:13
*** dave-mccowan has quit IRC02:13
*** chlong_ has joined #openstack-barbican02:28
*** chlong__ has quit IRC02:31
*** chlong has joined #openstack-barbican02:31
*** chlong_ has quit IRC02:34
*** xaeth_afk is now known as xaeth02:39
*** dimtruck is now known as zz_dimtruck02:50
*** kebray has joined #openstack-barbican02:51
*** kfarr1 has quit IRC03:06
*** woodster_ has quit IRC03:11
*** epequeno has quit IRC03:32
*** xaeth is now known as xaeth_afk03:43
*** xaeth_afk is now known as xaeth03:51
*** xaeth is now known as xaeth_afk03:54
*** kebray has quit IRC03:56
*** xaeth_afk is now known as xaeth04:10
*** xaeth is now known as xaeth_afk04:13
*** david-lyle has quit IRC04:13
*** david-lyle has joined #openstack-barbican04:14
*** rm_work|away is now known as rm_work04:52
*** jaosorior has joined #openstack-barbican05:38
*** Nirupama has joined #openstack-barbican05:53
*** rm_you has joined #openstack-barbican06:47
*** rm_you| has quit IRC06:50
*** shohel has joined #openstack-barbican06:59
*** nickrmc83 has joined #openstack-barbican07:03
*** chlong has quit IRC07:35
*** rm_work is now known as rm_work|away07:53
*** rm_work|away is now known as rm_work07:54
*** jaosorior has quit IRC08:06
*** shohel has quit IRC08:22
-openstackstatus- NOTICE: OpenStack CI is down due to hard drive failures08:46
*** ChanServ changes topic to "OpenStack CI is down due to hard drive failures"08:46
*** mmdurrant has quit IRC10:09
*** chlong has joined #openstack-barbican10:49
openstackgerritJuan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable endpoint filter parameters for the CLI  https://review.openstack.org/19663911:45
*** jaosorior has joined #openstack-barbican11:45
*** SheenaG has joined #openstack-barbican11:53
*** mmdurrant has joined #openstack-barbican11:59
*** zz_dimtruck is now known as dimtruck12:27
*** dave-mccowan has joined #openstack-barbican12:38
*** Kevin_Bishop has quit IRC12:40
*** dave-mccowan has quit IRC12:44
*** rellerreller has joined #openstack-barbican12:52
*** Kevin_Bishop has joined #openstack-barbican12:53
*** Nirupama has quit IRC13:02
*** nelsnelson has joined #openstack-barbican13:27
*** shohel has joined #openstack-barbican13:33
*** dave-mccowan has joined #openstack-barbican13:56
*** nickrmc83 has quit IRC13:56
elmikorellerreller: hey13:59
rellerrellerelmiko hey13:59
elmikoso, i read up on the ManagedObject review last night and that cleared up many of my questions lol14:00
elmikothe Passphrase impl is eerily close to how i was testing the SaharaKey object14:00
rellerrellerI'm glad to hear that :)14:00
elmikoi'm gonna go ahead and update the sahara spec to mention Passphrase and use it in the example code14:01
rellerrellerSounds good14:01
rellerrellerSo will you have something like a SaharaKeyManager or something that only handles passphrases?14:02
rellerrellerI'm thinking about your use case of supporting the existing db setup as it currently is.14:02
rellerrellerIn that case you will need something that takes a passphrase and stores it in sahara DB as it is now.14:02
elmikoright, we'll still have SaharaKeyManager and it will mainly act as a transparent wall for the payloads14:03
elmikoi don't want to get into incorporating the db logic into our KeyManager, although it is a nice idea14:03
rellerrellerCool, I'm glad we are on the same page.14:03
*** pglass has joined #openstack-barbican14:03
rellerrellerSo how do you plan to store and retrieve the passphrases from the DB?14:04
rellerrellerIf you do not want to incorporate the db logic ino the SaharaKeyManager.14:04
elmikowell, essentially the SaharaKeyManager will return the payload instead of a UUID for the newly stored keys14:06
elmikoand likewise, on a retrieval it will actually  be taking the payload (unbeknowst to it) and returning it without doing anything14:07
elmikoin this respect, our db transaction will either store the payload (as they do now), or the UUID depending on which KeyManager is being used.14:07
rellerrellerInteresting idea, so the table will have passphrase reference.14:08
elmikowhich is what we have now, sadly...14:08
rellerrellerIn some cases it is UUID and in some cases the actual key14:08
rellerrellerThat is clever :)14:08
elmikoi figure at the least we will be backward compatible, and for those who are interested in being more secure they can use a different KeyManager14:09
elmikothis is also why i need a little more control over the default api_class option14:09
rellerrellerYes, what is that option?14:10
rellerrellerCould you expand on that some?14:10
elmikoso, in the BarbicanKeyManager review, the default api_class is set to that KM14:10
elmikoand, it uses the global oslo_config.CONF object to do all the configuration stuff14:11
elmikoi have a poc, that i will put up for review soon, which adds the ability for castellan consumers to pass in a CfgOpts object of their own14:11
elmikothis and a few helper functions, will allow more control over castellan's configuration14:11
elmikoi'm modelling it after the way oslo.db and oslo.messaging allow consumers to do things like set_defaults and list_opts14:12
elmikoimo, it will help overall consumption of castellan14:12
rellerrellerSounds interesting. I'm not familiar with the db and messaging options. I'll have to look into that.14:12
rellerrellerI think it sounds like a good idea from what I"m picturing so far.14:13
elmikoso, as it stands now, i can instantiate castellan.key_manager.API() to get the KM14:13
elmikowith my patch, you can pass in a CfgOpts object to the API call14:13
rellerrellerAnd then you can specify whatever KM you want?14:14
rellerrellerWith whatever options you want?14:14
elmikowell right, you can contain the KM options in the CfgOpts object14:14
elmikoinstead of just setting them in the global CONF object14:14
rellerrellerThat sounds great14:15
elmikoi was kinda waiting for the BarbicanKM to come along a little further since it will need some minor modifications14:15
rellerrellerYes, I would like for that to be done asap.14:15
rellerrellerI was hoping to have that done by L114:15
elmikothere is also a castellan.config module that will have a helper function list_opts, to help with a project that wants to add castellan and allow things like oslo-config-generator to create a sample conf file with all the castellan options14:15
elmiko(and be able to change defaults)14:16
elmikoyea, i think they are just minor features that will help with consuming castellan in a project14:16
elmikothe code is mostly done, i'm just writing some docs and looking over the barbican stuff now14:17
rellerrellerok, I will review when it is ready14:18
elmikoawesome, i'll be sure to make some noise ;)14:18
rellerrellerwhen will the sahara spec be resubmitted, or is that done already?14:19
rellerrellerI'm still catching up on emails.14:19
elmikoi'll get to it today most likely.14:19
rellerrellerSo for our timeline on Castellan this is what we are hoping to achieve.14:21
*** nickrmc83 has joined #openstack-barbican14:21
rellerrellerFor L2 we would like all of the ManagedObjects to be completed and update the API with the operations for the MOs.14:22
rellerrellerFor L2 we would also like to have this done for the MockKeyManager.14:22
rellerrellerThen in L3 we would make sure all of this works with the Barbican impl14:22
rellerrellerThat means I need to get secret type support implemented for Barbican client in L2.14:23
rellerrellerI know that is not a lot of time for a Sahara implementation.14:24
rellerrellerelmiko Do you think you will have enough time to get it done for Liberty release?14:24
elmikooh yea, for sure14:24
elmikomost of my sahara code is done already14:25
rellerrellerThat makes me feel better :)14:25
elmikothe issue now, is timing against the castellan release so that we can add it to our requirements14:25
elmikoit sounds like i can plan to have this as a feature that will land with the L release14:25
elmikorellerreller: thanks for explaining all that, really helps me plan for the sahara stuff =)14:28
rellerrellerNot a problem. I'm glad to help.14:28
rellerrellerLet me know if you need anything else. I'm glad that someone else wants to use Castellan :)14:29
elmikoawesome, thanks!14:30
*** kebray has joined #openstack-barbican14:37
*** jhfeng has joined #openstack-barbican14:40
*** nickrmc83 has quit IRC14:42
*** kebray has quit IRC14:44
*** ChanServ changes topic to "OpenStack Barbican development"14:52
-openstackstatus- NOTICE: The log volume was repaired and brought back online at 14:00 UTC. Log links today from before that time may be missing, and changes should be rechecked if fresh job logs are desired for them.14:52
*** diazjf has joined #openstack-barbican14:56
*** kfarr has joined #openstack-barbican15:00
*** rellerreller has quit IRC15:00
*** rellerreller has joined #openstack-barbican15:02
*** silos has joined #openstack-barbican15:14
*** xaeth_afk is now known as xaeth15:19
*** nickrmc83 has joined #openstack-barbican15:21
elmikoxaeth: hey, got my patch working for juno15:26
elmikoyea, barbican-api starts up real nice. my only concern is that i don't think the version is reporting the same way as in the upstream15:27
elmikoi can send a pull request now, or hack on the version a little more, unless you want to run with it at this point?15:27
redrobotelmiko woot! you guys rock!15:27
elmikohehe =)15:28
xaethelmiko, very nice... its up to you... i'm at your service15:28
elmikoxaeth: well, i guess the question is. what should we see for the version when GETing "/"?15:29
xaethredrobot, ^ ?15:29
elmikoshould it be the 2014.2 or should we append the fedora rpm version as well?15:29
xaethI'm inclined to lean on the 2014.215:30
xaethnot the fedora rpm version15:30
elmikoyea, makes sense15:30
xaethbut i can see where that might raise a slight question15:30
redrobotin juno and kilo it shows the released version per launchpad15:30
elmikocurrently i'm just getting back the release info, "3.fc21"15:30
elmikoredrobot: ok, ack. i'll move things around a little bit15:30
redrobotie.  2014.2.0 and 2015.1.0 respectively15:30
elmikoit's just weird the way we modify these releases to remove pbr in the fedora builds15:31
elmikoso we end up manually injecting the version info back into the package15:31
xaethhrm.. i thought we could remove that now?15:31
xaethi could be remembering wrong15:31
redrobotin liberty the "/" resource is going to change to match what other openstack proejcts are doing15:32
elmikoi'll ask around #rdo a little15:32
jaosoriorI'm thinking about starting to work on enabling Barbican as a plugin for the unified openstackclient15:32
elmikojaosorior: nice +115:32
redrobotjaosorior that's the CLI right?15:32
jaosoriorafter I get the CLI done, I will see if I can contribute to the sdk15:32
elmikoxaeth: ok, i'll do one more pass then send this over in a github pull request15:32
redrobotjaosorior I'd like to review the stuff you come up with if you don't mind?15:32
redrobotjaosorior there is some support in the unified sdk15:33
jaosoriorredrobot: the osc will not host that code in their repo. So it will be in ours15:33
redrobotjaosorior gotcha.  that's cool.15:33
jaosoriorAnyway, hopefully in the next week or so I'll come up with something in that front15:33
redrobotjaosorior this review seems to have stalled.  It would be awesome if you could chime in: https://review.openstack.org/#/c/187716/15:33
redrobotjaosorior my preference is for "key-manager" as the service type everywhere.15:34
jaosoriorWant me to re-take that CR?15:34
jaosoriorseems to be in merge-conflict15:34
redrobotjaosorior it's not my cr.  Belongs to Terry Howe15:34
jaosoriorI see15:34
*** SheenaG has quit IRC15:35
openstackgerritChelsea Winfree proposed openstack/barbican: Update unwrap key to accept specific variables  https://review.openstack.org/19614115:37
chellygelreaperhulk, fixed as per your suggestion ^ thanks again :)15:38
jaosoriorredrobot: Done15:40
elmikoxaeth: sounds like you are up to date, i'm hearing that we can leave pbr in place. i'll remove the patch and see how this works.15:42
*** nickrmc83 has quit IRC15:56
*** ngupta has quit IRC16:02
reaperhulkthanks chellygel, will look shortly16:03
elmikoxaeth: ok, pr sent your way =)16:06
*** dontalton has joined #openstack-barbican16:29
*** shohel has quit IRC16:29
*** silos has left #openstack-barbican16:46
*** openstackgerrit has quit IRC16:50
chellygelhey guys, need some reviews : https://review.openstack.org/#/c/196141/ and https://review.openstack.org/#/c/196270/116:51
*** openstackgerrit has joined #openstack-barbican16:51
chellygelFirst CR is blocking 2nd. 2nd needs only 1 more for workflow, first needs  1 +2, and 1 workflow~16:51
*** rellerreller has quit IRC16:51
chellygelJust need Workflows on both now please :)16:56
*** shohel has joined #openstack-barbican16:58
*** SheenaG has joined #openstack-barbican16:59
*** shohel has quit IRC17:03
*** shohel has joined #openstack-barbican17:17
*** ngupta has joined #openstack-barbican17:22
*** SheenaG has quit IRC17:34
openstackgerritSteve Heyman proposed openstack/barbican: Add troubleshooting for _bsdbb import error  https://review.openstack.org/19692317:39
*** diazjf has quit IRC17:40
kfox1111is there a way to syncronously generate a cert?17:43
rm_workkfox1111: the barbican Order system is very much not designed to be syncronous17:48
rm_workkfox1111: which is why I was looking into using Anchor17:48
rm_workmore directly17:48
rm_workthat only works if you don't need CRLs tho17:49
rm_work(more specifically, if you don't ever plan to revoke :P)17:49
rm_workkfox1111: it's a problem IMO, but not one I'm sure we're really in a position to solve, because syncronous cert delivery is actually pretty insane17:49
*** SheenaG has joined #openstack-barbican17:52
*** chlong has quit IRC17:56
xaethelmiko, fancy18:04
chellygelreaperhulk, remembered the problem, it was the tests, they are giving that key error -- but i think that it calls for a rewrite on those guys anyway, lots of fun mocks to deal w/18:06
reaperhulkdamned mocking.18:07
*** silos has joined #openstack-barbican18:07
xaethelmiko, i just mentally absorb lots of things and this last week i've been wrong more than right, so at least i got that one ;)18:09
elmikoxaeth: i know the feeling, and packaging is definitely a pain point...18:09
xaethbah.. i love me some packaging ;)18:09
*** diazjf has joined #openstack-barbican18:13
rm_workchellygel: oh no, workflow failed :(18:17
chellygelrm_work, yeah there was an issue w/ the way the tests were written18:18
chellygelgotta fix the tests18:18
rm_workdem tests18:18
rm_workah yeah i see, you mentioned mocking, i was scrolled up T_T18:18
openstackgerritChelsea Winfree proposed openstack/barbican: Update unwrap key to accept specific variables  https://review.openstack.org/19614118:22
chellygel^ fixed :)18:22
elmikoxaeth: i also talked with hguemar a little bit, so he knows about us collaborating on this and i've gone through some of the changes at a high level.18:24
*** gyee has joined #openstack-barbican18:24
xaethkewl.  Who is hguemar ?18:24
elmikohaikel guemar, he's on the fedora bz18:26
*** kfarr1 has joined #openstack-barbican18:31
*** kfarr has quit IRC18:31
*** ngupta has quit IRC18:32
*** vivek_ has joined #openstack-barbican18:35
xaethahh oh ya... i recognize that now18:36
*** rellerreller has joined #openstack-barbican18:42
*** vivek_ has quit IRC18:58
*** silos1 has joined #openstack-barbican19:06
*** silos has quit IRC19:09
*** jorge_munoz has quit IRC19:14
*** jorge_munoz has joined #openstack-barbican19:19
*** jorge_munoz has quit IRC19:20
*** jorge_munoz has joined #openstack-barbican19:23
openstackgerritFernando Diaz proposed openstack/python-barbicanclient: Allow 2 Step Secret Creation and Secret Update  https://review.openstack.org/19687619:28
diazjfhey all, I am trying to add the 2 step secret creation and secret update features into the CLI.19:29
diazjfIts still a WIP, but reviews are welcome.19:29
redrobotdiazjf 2-step should not be exposed in the CLI19:30
redrobotdiazjf it would be unintuitive to a user to issue two commands in the CLI19:31
*** rm_work is now known as rm_work|away19:31
diazjfredrobot, would it be acceptable to have in the client?19:31
redrobotdiazjf if necessary, 2-step can be used in the implementation, but it should be transparent to the user.  i.e. the user should never have to issue two commands for a two step put19:31
*** epequeno has joined #openstack-barbican19:32
redrobotdiazjf the way I had thought about using 2-step, would be to maybe add a --file flag to the CLI19:32
redrobotthat can upload an entire file using 2-step.19:32
*** rm_work|away is now known as rm_work19:33
*** crc32 has joined #openstack-barbican19:33
redrobotdiazjf sorry for the brain dump without reviewing :)  Just don't want you to go too far down the 2-step road.19:33
*** dimtruck is now known as zz_dimtruck19:34
redrobotdiazjf yes, I think adding PUT to the client would be good19:34
diazjfredrobot, thanks I appreciate that!!! :) would it be feasible for me to work on the 2 step method using the --file option, since an empty secret is needed for the PUT.19:35
diazjfor should I just implement the PUT. I wanted the client to have full functionality over Barbican19:37
*** jorge_munoz has quit IRC19:37
rm_workdid python-barbicanclient not already have anything for two-stage?19:39
diazjfrm_work, actually I think your right, an empty secret can be created19:39
diazjfjust need to PUT functionality to be added19:39
rm_workI thought I remembered logic for that19:40
rm_workbut I guess possibly not19:40
rm_workit has been a while19:40
diazjfrm_work, actually I believe there is currently logic which does not allow a secret to be stored without a payload19:42
diazjfif not self.payload: raise exceptions.PayloadException("Missing Payload")19:42
diazjfin the store()19:42
rm_workhmm ok19:42
diazjfredrobot, I'll continue to work on the PUT, just let me know if I should try and Implement the 2 step creation with the --file option and maybe some documentation.19:44
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/19483019:54
*** zz_dimtruck is now known as dimtruck19:59
*** arunkant has joined #openstack-barbican19:59
rm_workreaperhulk: huh, global requirements bumped cryptography down from >=0.9 to >=0.8.220:02
rm_workreaperhulk: any idea why?20:02
reaperhulknot a clue20:02
reaperhulkI don't believe we did any deprecation removal there...20:03
rm_workany gut feelings on whether that could be an issue?20:03
rm_workI mean, it SHOULD still install latest, either way20:03
rm_workit's a >=20:03
rm_workjust seems strange20:03
reaperhulkyeah that's...weird20:03
*** jorge_munoz has joined #openstack-barbican20:04
reaperhulkrm_work: looking at global requirements I don't see 0.9 ever having been set20:05
reaperhulk1.0 will be out soonish so people can decide if they want to bump the requirement then :)20:05
*** rellerreller has quit IRC20:06
*** dimtruck is now known as zz_dimtruck20:08
rm_workmaybe because of our local requirements20:09
rm_workI assumed it had always been there20:09
reaperhulkyeah the history of global doesn't show 0.9 ever20:12
reaperhulkI don't think anybody tried to bump it20:12
reaperhulkbut I'd wait for 1.0 at this point :P20:12
*** pglass has quit IRC20:21
*** zz_dimtruck is now known as dimtruck20:25
*** dimtruck is now known as zz_dimtruck20:45
*** jaosorior has quit IRC20:46
*** zz_dimtruck is now known as dimtruck20:46
*** dimtruck is now known as zz_dimtruck20:56
*** zz_dimtruck is now known as dimtruck20:59
kfox1111redrobot: I updated the spec with an implementation I think will work. when you get an hour (its longish now :/) could you please take a look?21:00
*** pglass has joined #openstack-barbican21:00
*** jorge_munoz has quit IRC21:02
*** jorge_munoz has joined #openstack-barbican21:03
*** dave-mccowan has quit IRC21:04
*** arunkant_ has joined #openstack-barbican21:10
redrobotkfox1111 queued up21:13
*** arunkant has quit IRC21:14
*** shohel has quit IRC21:26
*** dave-mccowan has joined #openstack-barbican21:28
*** silos1 has left #openstack-barbican21:28
*** shohel has joined #openstack-barbican21:42
openstackgerritFernando Diaz proposed openstack/python-barbicanclient: Allow Barbican Client Secret Update Functionality  https://review.openstack.org/19687621:42
*** ngupta has joined #openstack-barbican21:43
diazjfredrobot, as you suggested, I will work on the PUT functionality for the client.21:43
diazjfleaving all other secret code untouched21:43
diazjfI know you guys are busy so if anything just submit a comment on the patch. Thanks :).  Reviews are welcome21:48
*** pglass has quit IRC21:59
*** diazjf has left #openstack-barbican22:00
*** kebray has joined #openstack-barbican22:04
*** shohel has quit IRC22:09
*** xaeth is now known as xaeth_afk22:22
*** jhfeng has quit IRC22:33
*** kebray has quit IRC22:35
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/19483022:36
*** dontalton has quit IRC22:37
*** nelsnels_ has joined #openstack-barbican22:50
*** nelsnelson has quit IRC22:53
kfox1111redrobot: Thanks. :)23:08
*** SheenaG has quit IRC23:10
*** dimtruck is now known as zz_dimtruck23:15

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!