Tuesday, 2015-08-11

*** everjeje has quit IRC [00:42]
*** gyee has quit IRC [00:53]
*** nkinder has quit IRC [00:57]
*** elmiko_ has joined #openstack-barbican [01:03]
*** elmiko has quit IRC [01:06]
*** elmiko_ has quit IRC [01:11]
*** elmiko has joined #openstack-barbican [01:20]
*** tkelsey has joined #openstack-barbican [01:23]
*** tkelsey has quit IRC [01:27]
*** vivek-ebay has quit IRC [01:31]
*** vivek-ebay has joined #openstack-barbican [01:33]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements  https://review.openstack.org/210916 [01:38]
*** jhfeng has joined #openstack-barbican [01:41]
<openstackgerrit> Zhenyu Zheng proposed openstack/barbican: Drop downgrade field in alembic script.py.mako and version  https://review.openstack.org/209323 [01:43]
*** elmiko_ has joined #openstack-barbican [01:48]
*** elmiko_ has quit IRC [01:51]
*** elmiko has quit IRC [01:52]
*** zz_dimtruck is now known as dimtruck [02:03]
*** edtubill has joined #openstack-barbican [02:06]
*** ngupta has joined #openstack-barbican [02:07]
*** jhfeng has quit IRC [02:10]
*** vivek-ebay has quit IRC [02:23]
*** woodster_ has quit IRC [02:30]
*** ngupta has quit IRC [02:40]
*** ngupta has joined #openstack-barbican [02:44]
*** david-lyle has quit IRC [03:21]
*** ngupta has quit IRC [03:26]
*** xaeth_afk is now known as xaeth [03:36]
*** xaeth is now known as xaeth_afk [03:39]
*** dimtruck is now known as zz_dimtruck [03:54]
*** Nirupama has joined #openstack-barbican [04:24]
<pksingh> Hi Folks, could you please review https://review.openstack.org/#/c/206770/ and https://review.openstack.org/#/c/206782/ , thanks in advance [04:39]
*** david-lyle has joined #openstack-barbican [04:40]
<pksingh> Hi reaperhul, are you around? [04:47]
<pksingh> Hi reaperhulk , are you around? [04:48]
<reaperhulk> pksingh: I'm about to go to bed but what's up [04:48]
<pksingh> reaperhulk: ahh, sorry for disturbance [04:48]
<reaperhulk> pksingh: that's okay [04:49]
<reaperhulk> what's up? [04:49]
<pksingh> reaperhulk: i was told by alee that you are working on py3 support for barbican [04:49]
<reaperhulk> pksingh: I should be, but have not started :( [04:49]
<rm_work> reaperhulk: how bad is it right now? [04:49]
<reaperhulk> barbican doesn't have any blockers though (other than the project is overly lax about string vs bytes) [04:49]
<pksingh> actually i have started and registered a blueprint for that [04:49]
<reaperhulk> pksingh: terrific! [04:49]
<pksingh> i have also submitted some patches at https://blueprints.launchpad.net/barbican/+spec/barbican-py3 [04:50]
<pksingh> there is one issue, can i discuss little bit if you have time, [04:51]
<reaperhulk> is it python-ldap? :) [04:51]
<pksingh> ldap3 apis are not similar to python-ldap [04:51]
<pksingh> so i was planning to mock ldap for time being  and submitted a patch for that https://review.openstack.org/#/c/208784/ [04:52]
<rm_work> pksingh: i notice your patches are not in a dependency chain -- this makes it hard to test them all together to see actually how much progress is made [04:52]
<rm_work> i mean, not THAT hard, but [04:52]
<pksingh> yes i am sorry [04:53]
<rm_work> i am surprised you are splitting it up this much :P [04:53]
<reaperhulk> pksingh: I think the ultimate solution is going to be to remove that dependency [04:53]
<rm_work> that said, cool that work is progressing! [04:53]
<reaperhulk> it is used for validation, but that validation can be performed better with cryptography 0.9 [04:53]
<reaperhulk> (barbican already depends on pyca/cryptography) [04:53]
<rm_work> when I did py3 for octavia, i pretty much just did it as one ginormous change [04:53]
<rm_work> (not that it's better to do it that way, i like your way better) [04:54]
<pksingh> rm_work, ok i will do the same [04:54]
<rm_work> nah, just do dependencies [04:54]
<rm_work> splitting it up makes it much simpler to review [04:54]
<reaperhulk> pksingh: no smaller CRs is good :) [04:54]
<pksingh> rm_work:  ok [04:54]
<rm_work> yes :P [04:54]
<rm_work> did not mean to say you should follow my example, lol [04:54]
<pksingh> so for time being can we go with mocking ldap [04:54]
<pksingh> i will change it to ldap3 or some other options as i get that [04:55]
<pksingh> rm_work: what do you think ^^ [04:59]
<rm_work> i'd have to see what reaperhulk is talking about, with regard to ldap just being for validation [04:59]
<rm_work> if it's possible to remove the dependency on ldap altogether, that'd be awesome, if pyca can do all the validation it is doing currently [05:00]
<pksingh> actually i have very less idea about what kind of validation it is [05:00]
<rm_work> where is it actually used? [05:00]
<pksingh> let me give you the link [05:01]
<rm_work> is it literally just in the tests? [05:02]
<reaperhulk> oh it's being used in CSR generation too [05:02]
<reaperhulk> so you need cryptography 1.0 [05:02]
<reaperhulk> which will probably be out tomorrow. [05:02]
<rm_work> ah validating DNs [05:02]
<rm_work> really needed the ldap lib for that? T_T [05:03]
<reaperhulk> it's also in https://github.com/openstack/barbican/blob/91ec979ae8c5e1671357b13b564dc5d8c25011d0/barbican/tasks/certificate_resources.py [05:03]
<rm_work> for the same reason [05:03]
<rm_work> yeah so if pyca will do DN validation... [05:03]
<rm_work> no more ldap dependency [05:03]
<reaperhulk> cryptography will give you a Name object that contains NameAttributes, which have an oid and a value [05:04]
<reaperhulk> And you can do whatever you want with it [05:04]
<reaperhulk> no gross LDAP strings [05:04]
<rm_work> well the strings come in from the user [05:04]
<rm_work> they just use str2dn to validate that the DN is acceptable [05:05]
<rm_work> it looks like [05:05]
<reaperhulk> for the love of god don't let users specify ldap encoded DNs [05:05]
* reaperhulk cries [05:05]
<rm_work> just looking where it comes from [05:05]
<rm_work> it seems to come from order metadata [05:05]
<rm_work> which is user specified isn't it? [05:05]
<reaperhulk> okay bed [05:06]
<rm_work> night reaperhulk [05:06]
<pksingh> reaperhulk: good night thanks [05:06]
<pksingh> rm_work: could you please suggest the solution to this problem [05:07]
<rm_work> pksingh: reaperhulk was saying that cryptography 1.0 would do the same validation [05:08]
<rm_work> so basically you'd just need to replace the ldap validation with validation from cryptography (pyca) [05:08]
<pksingh> rm_work: i will check the same, thanks a lot...could you please review my patches :) [05:09]
*** tkelsey has joined #openstack-barbican [05:24]
*** tkelsey has quit IRC [05:31]
*** edtubill has quit IRC [06:10]
*** shohel has joined #openstack-barbican [06:39]
*** nickrmc83 has joined #openstack-barbican [07:06]
*** tkelsey has joined #openstack-barbican [08:22]
*** shohel has quit IRC [09:31]
*** shohel has joined #openstack-barbican [09:31]
*** shohel has quit IRC [10:07]
*** shohel has joined #openstack-barbican [10:08]
*** edtubill has joined #openstack-barbican [11:36]
*** edtubill has quit IRC [11:44]
*** alee_ has quit IRC [11:50]
*** zz_dimtruck is now known as dimtruck [11:53]
*** shohel has quit IRC [12:01]
*** shohel has joined #openstack-barbican [12:01]
*** openstackgerrit_ has joined #openstack-barbican [12:02]
*** dtadrzak_ has quit IRC [12:26]
*** DTadrzak has joined #openstack-barbican [12:27]
*** Nirupama has quit IRC [12:27]
*** kfarr has joined #openstack-barbican [12:33]
*** rellerreller has joined #openstack-barbican [12:33]
*** dimtruck is now known as zz_dimtruck [12:43]
*** openstackgerrit_ has quit IRC [12:51]
*** openstackgerrit_ has joined #openstack-barbican [12:56]
*** lisaclark1 has joined #openstack-barbican [12:59]
*** lisaclark1 has quit IRC [13:00]
*** lisaclark1 has joined #openstack-barbican [13:00]
*** elmiko has joined #openstack-barbican [13:05]
*** shohel has quit IRC [13:13]
*** nkinder has joined #openstack-barbican [13:20]
*** shohel has joined #openstack-barbican [13:26]
*** david-lyle has quit IRC [13:36]
*** alee_ has joined #openstack-barbican [13:36]
*** lisaclark1 has quit IRC [13:48]
*** zz_dimtruck is now known as dimtruck [13:54]
*** lisaclark1 has joined #openstack-barbican [13:54]
*** openstackgerrit_ has quit IRC [13:55]
*** openstackgerrit_ has joined #openstack-barbican [13:56]
*** spotz_zzz is now known as spotz [14:00]
*** diazjf has joined #openstack-barbican [14:00]
*** ngupta has joined #openstack-barbican [14:01]
*** dave-mccowan has quit IRC [14:12]
*** openstackgerrit_ has quit IRC [14:17]
*** openstackgerrit_ has joined #openstack-barbican [14:18]
*** edtubill has joined #openstack-barbican [14:19]
<openstackgerrit> Merged openstack/barbican: Skip Bandit Checks on Functional Test Code  https://review.openstack.org/210576 [14:20]
*** pglass has joined #openstack-barbican [14:23]
*** nelsnelson has joined #openstack-barbican [14:29]
*** dave-mccowan has joined #openstack-barbican [14:29]
*** openstackgerrit_ has quit IRC [14:31]
*** xaeth_afk is now known as xaeth [14:33]
*** lisaclark1 has quit IRC [14:55]
*** lisaclark1 has joined #openstack-barbican [14:57]
*** shohel has quit IRC [15:02]
*** rellerreller has quit IRC [15:02]
*** kfarr has quit IRC [15:02]
*** rellerreller has joined #openstack-barbican [15:07]
*** silos has joined #openstack-barbican [15:10]
*** david-lyle has joined #openstack-barbican [15:15]
*** lisaclark1 has quit IRC [15:19]
*** nickrmc83 has quit IRC [15:23]
*** lisaclark1 has joined #openstack-barbican [15:26]
*** kfarr has joined #openstack-barbican [15:31]
*** darrenmoffat has quit IRC [15:35]
*** darrenmoffat has joined #openstack-barbican [15:36]
*** chadlung has joined #openstack-barbican [15:38]
*** vivek-ebay has joined #openstack-barbican [15:41]
*** nickrmc83 has joined #openstack-barbican [15:44]
*** woodster_ has joined #openstack-barbican [15:47]
*** rm_work is now known as rm_work|away [15:49]
*** vivek-ebay has quit IRC [15:49]
*** nickrmc83 has quit IRC [15:58]
*** gyee has joined #openstack-barbican [16:03]
*** lisaclark1 has quit IRC [16:06]
*** openstackgerrit_ has joined #openstack-barbican [16:08]
*** lisaclark1 has joined #openstack-barbican [16:14]
<openstackgerrit> Merged openstack/barbican: Catch any exception from base64.b64decode during validation  https://review.openstack.org/211224 [16:17]
*** kfarr has quit IRC [16:19]
*** ig0r_ has joined #openstack-barbican [16:20]
*** kfarr has joined #openstack-barbican [16:26]
*** vivek-ebay has joined #openstack-barbican [16:29]
*** vivek-ebay has quit IRC [16:30]
<alee_> rellerreller, kfarr ping [16:32]
<kfarr> alee_ pong! [16:32]
<rellerreller> alee_ pong [16:32]
<alee_> rellerreller, kfarr - do you have any client code that tests -- creating an encrypted volume and using nova to start up an instance with that volume? [16:33]
*** vivek-ebay has joined #openstack-barbican [16:33]
<alee_> (presumably using castellan and barbican) [16:33]
<kfarr> alee_ there is a tempest test, but it does not use barbican as the backend [16:33]
<kfarr> I think it just uses a fixed key [16:33]
<alee_> kfarr, interesting -- where is that test? [16:34]
<kfarr> alee_ castellan is not integrated in cinder yet, it's using a key manager interface that Castellan is based on [16:34]
<alee_> kfarr, I thought there was a test that used barbican -- ie. the one that we ended up breaking at some point? [16:35]
<kfarr> alee_ https://github.com/openstack/tempest/blob/master/tempest/scenario/test_encrypted_cinder_volumes.py [16:35]
<alee_> kfarr, ok good to know. [16:35]
<kfarr> alee_, the part that was breaking was because of some cinder unit tests [16:35]
<kfarr> the barbican API changed and so the unit tests were using methods that didn't exist anymore [16:36]
*** vivek-ebay has quit IRC [16:36]
<alee_> kfarr, ah. [16:36]
<kfarr> alee_, those unit tests were here: https://github.com/openstack/cinder/blob/master/cinder/tests/unit/keymgr/test_barbican.py [16:36]
<alee_> kfarr, rellerreller is there another test for encrypted images? [16:36]
<alee_> ie glance? [16:36]
<rellerreller> alee_ encrypted images in glance has not yet been implemented [16:37]
<rellerreller> alee_ there is a spec out for this and image signing. [16:37]
<alee_> rellerreller, so just a spec and no code yet? [16:37]
<rellerreller> alee_ https://review.openstack.org/#/c/177948/ [16:38]
<rellerreller> alee_ we have some internal code as proof of concept at least for image signing. [16:38]
<rellerreller> alee_ I'm not sure if we have the code for encryption yet. I would have to check with bpoulos [16:38]
<rellerreller> alee_ we are waiting for the spec to be approved and then we will submit code. This will likely not be included until Mitaka. [16:39]
<alee_> rellerreller, any chance of getting access to that code?  I'd like to see if I can set it up.  or would that run afoul of your policies ? [16:40]
<rellerreller> alee_ I'm not sure about that. We would have to get code through our prepub process first. [16:41]
<rellerreller> alee_ what are you trying to do? [16:41]
<alee_> rellerreller, gotcha no prob [16:41]
*** xaeth is now known as xaeth_afk [16:41]
<alee_> rellerreller, just get a sense of how it all works together [16:41]
<alee_> rellerreller, I can wait till the CRs are submitted [16:42]
<alee_> rellerreller, kfarr interesting that barbican broke the unit tests -- seems like barbican is mocked .. [16:42]
<alee_> or maybe it wasn't before ... [16:42]
<rellerreller> alee_ I'll run it up the flag pole to see what projects leads say. [16:43]
<kfarr> alee_ I think that was the solution after the API changed [16:43]
<alee_> rellerreller, thanks [16:43]
<rellerreller> alee_ I think we could post a wip, but I do not know when that would be. [16:43]
<rellerreller> alee_ do you only care about image encryption or would image signing work? [16:43]
*** ig0r_ has quit IRC [16:48]
<kfarr> alee_ in case you are curious, this is the bug that was filed when the cinder gate was broken: https://bugs.launchpad.net/cinder/+bug/1388461 [16:52]
<openstack> Launchpad bug 1388461 in Cinder juno "cinder.tests.keymgr.test_barbican fails with barbicanclient 3.0.0" [Critical,Fix released] - Assigned to Brianna Poulos (brianna-poulos) [16:52]
*** alee_ is now known as alee_lunch [16:59]
<openstackgerrit> Amy Marrich proposed openstack/barbican: Removes uwsgi and pyenv from barbican.sh  https://review.openstack.org/211671 [16:59]
*** rellerreller has quit IRC [17:01]
*** vivek-ebay has joined #openstack-barbican [17:08]
*** vivek-ebay has quit IRC [17:10]
*** rellerreller has joined #openstack-barbican [17:11]
*** lisaclark1 has quit IRC [17:18]
<openstackgerrit> Merged openstack/python-barbicanclient: Updated from global requirements  https://review.openstack.org/210916 [17:23]
*** peter-hamilton has joined #openstack-barbican [17:27]
*** lisaclark1 has joined #openstack-barbican [17:43]
*** lisaclark1 has quit IRC [17:43]
*** lisaclark1 has joined #openstack-barbican [17:44]
*** rellerreller has quit IRC [18:03]
*** tkelsey has quit IRC [18:04]
*** openstackgerrit_ has quit IRC [18:06]
*** rellerreller has joined #openstack-barbican [18:14]
*** ig0r_ has joined #openstack-barbican [18:18]
*** ig0r_ has quit IRC [18:18]
*** alee_lunch is now known as alee_ [18:20]
*** kfarr has quit IRC [18:28]
*** ig0r_ has joined #openstack-barbican [18:28]
*** xaeth_afk is now known as xaeth [18:29]
*** kfarr has joined #openstack-barbican [18:29]
*** rellerreller_ has joined #openstack-barbican [18:30]
*** rellerreller has quit IRC [18:31]
*** tkelsey has joined #openstack-barbican [18:31]
*** lisaclark1 has quit IRC [18:32]
*** diazjf has quit IRC [18:34]
*** tkelsey has quit IRC [18:35]
*** vivek-ebay has joined #openstack-barbican [18:47]
<openstackgerrit> Merged openstack/castellan: Add managed objects hierarchy  https://review.openstack.org/191884 [18:47]
<woodster_> rm_you: kfarr [18:47]
<kfarr> woodster_, you're awesome!! Thank you! [18:48]
*** diazjf has joined #openstack-barbican [18:49]
<woodster_> kfarr: ha I had the easy job, thanks for keeping after these CRs... [18:49]
*** rm_work|away is now known as rm_work [18:54]
*** ig0r_ has quit IRC [18:59]
*** pglass has quit IRC [19:00]
*** pglass has joined #openstack-barbican [19:03]
*** vivek-ebay has quit IRC [19:04]
*** ig0r_ has joined #openstack-barbican [19:05]
*** peter-hamilton has quit IRC [19:16]
*** lisaclark1 has joined #openstack-barbican [19:20]
*** lisaclark1 has quit IRC [19:20]
*** lisaclark1 has joined #openstack-barbican [19:20]
*** gyee has quit IRC [19:31]
*** everjeje has joined #openstack-barbican [19:33]
<rm_work> kfarr: next castellan CR ready to go? [19:34]
<rm_work> https://review.openstack.org/#/c/203227/ <-- this right? [19:34]
<kfarr> Yes, that one is one of the blocking CRs [19:35]
<rm_work> let's get this moving then! [19:35]
<rm_work> it's ready to merge in your opinion? [19:35]
<rm_work> redrobot / woodster_: ^^ review plox [19:35]
*** rellerreller_ has quit IRC [19:40]
<rm_work> ^^ pretty please [19:54]
<rm_work> redrobot / woodster_ ^^ [19:54]
*** ig0r_ has quit IRC [19:58]
*** lisaclark1 has quit IRC [19:59]
<rm_work> redrobot / woodster_ / chellygel ^^ [20:06]
*** ig0r_ has joined #openstack-barbican [20:08]
*** kfarr has quit IRC [20:12]
*** morgan_503 is now known as morgan_404 [20:23]
*** igueths has joined #openstack-barbican [20:30]
*** tkelsey has joined #openstack-barbican [20:32]
*** tkelsey has quit IRC [20:36]
*** mixos has joined #openstack-barbican [20:43]
* elmiko imagines rm_work as one of the subway workers in japan pushing people on to stuffed trains [20:47]
*** edtubill has quit IRC [20:48]
*** diazjf has quit IRC [20:48]
*** ngupta has quit IRC [20:48]
*** mixos has quit IRC [20:50]
<dave-mccowan> alee ping [20:52]
<dave-mccowan> alee_ ping [20:54]
<alee_> dave-mccowan, hey -- in meeting - whats up? [20:54]
<dave-mccowan> i'm looking at some order code.  in certificate_resources.py, there is a reference to "subject_dn".  in test_certificate_resources.py the key used is "subject_name".  do you know which one is "right"? [20:55]
*** ig0r_ has quit IRC [20:58]
*** morgan_404 is now known as morgan_410 [21:04]
<alee_> dave-mccowan, interesting [21:04]
*** morgan_410 is now known as morgan_404 [21:05]
<alee_> dave-mccowan, is the test being done a dogtag specific test? [21:05]
<dave-mccowan> alee_ no, straight unit test.  hmm, in test_dogtag.py, i don't see the subject at all in the order. [21:10]
*** gyee has joined #openstack-barbican [21:17]
*** edtubill has joined #openstack-barbican [21:21]
<alee_> dave-mccowan, sorry just got out of meeting .. [21:24]
<dave-mccowan> alee_ no worries.  order code seems broken in a couple ways. :-(   i'm swapping out ldap for ldap3, and it's exposed some problems. [21:26]
<alee_> dave-mccowan, well thats a good thing then .. [21:26]
<alee_> dave-mccowan, what else have you noticed? [21:27]
<dave-mccowan> alee_ according to the spec, the meta parameter should be "subject_dn", so i made it all match.  once it matches, the code that unpacks the DN is not unpacking the list of tuples correctly. [21:29]
<dave-mccowan> alee_ i think i've got it fixed now.  i'll send up the CR soon, and you can just check that. [21:31]
<alee_> dave-mccowan, right - its supposed to be subject_dn [21:33]
<alee_> looking at test [21:33]
<alee_> dave-mccowan, and yeah - I think the test is wrong [21:34]
<alee_> dave-mccowan, so theoretically, the only change you have to make is to that test [21:35]
<alee_> dave-mccowan, if you do that, does the test now fail? [21:35]
<dave-mccowan> alee_, you'd think.  yea, the code has a bug that was masked by the test error.  certificate_resources.py:344 tries to use a for loop to unpack a tuple.  i changed that to a straight assignment, and now that works too. [21:37]
<dave-mccowan> alee_ at least it fails with ldap3 in that way.  i'll change back to ldap to see what happens.  maybe that's part of the API change between ldap and ldap3. [21:38]
<alee_> dave-mccowan, ah - you might want to talk to reaperhulk about this .. [21:41]
<alee_> dave-mccowan, maybe the latest python cryptography would allow us to replace this code with something simpler [21:41]
<rm_work> elmiko: I am just really impatient and noisy :P [21:42]
<elmiko> rm_work, hehe, i'm just goofin around =) [21:44]
<elmiko> but i do appreciate the noise [21:44]
*** xaeth is now known as xaeth_afk [21:45]
*** nkinder has quit IRC [21:46]
<openstackgerrit> Dave McCowan proposed openstack/barbican: Replace python-ldap with ldap3 library  https://review.openstack.org/211759 [21:46]
*** alee_ is now known as alee_driving_hom [21:50]
*** alee_driving_hom is now known as alee_on_way_home [21:51]
*** dave-mccowan has quit IRC [21:51]
*** vivek-ebay has joined #openstack-barbican [21:52]
*** vivek-ebay has quit IRC [21:53]
*** xaeth_afk is now known as xaeth [21:54]
*** alee_on_way_home has quit IRC [21:56]
*** silos has left #openstack-barbican [22:01]
*** edtubill has quit IRC [22:01]
<rm_work> updating a lot of stuff for the castellan-certs CR [22:04]
<rm_work> soon will actually be ready to push up something readable-ish [22:04]
<rm_work> quite a lot of design change actually to make it fit in the new castellan architecture [22:04]
<rm_work> but it works [22:04]
<rm_work> definitely will need a lot of eyes for reviewing, i am sure i missed stuff [22:04]
<elmiko> cool, sounds intense =) [22:09]
<elmiko> rm_work, i hope this means i can get a few reviews on the config stuff *nudge* *nudge* ;) [22:11]
*** igueths has quit IRC [22:16]
*** mjg59 has quit IRC [22:22]
*** mjg59 has joined #openstack-barbican [22:24]
*** tkelsey has joined #openstack-barbican [22:33]
*** spotz is now known as spotz_zzz [22:35]
*** tkelsey has quit IRC [22:37]
*** vivek-ebay has joined #openstack-barbican [22:38]
*** pglass has quit IRC [22:39]
*** dimtruck is now known as zz_dimtruck [22:47]
*** alee_on_way_home has joined #openstack-barbican [22:51]
*** dave-mccowan has joined #openstack-barbican [23:10]
<openstackgerrit> Dave McCowan proposed openstack/barbican: Replace python-ldap with ldap3 library  https://review.openstack.org/211759 [23:12]
*** vivek-ebay has quit IRC [23:13]
*** elmiko has quit IRC [23:23]
<rm_work> WHELP HERE GOES [23:27]
*** morgan_404 has quit IRC [23:29]
<openstackgerrit> Adam Harwell proposed openstack/castellan: Officially add Certificate Management to scope  https://review.openstack.org/156623 [23:29]
<openstackgerrit> Adam Harwell proposed openstack/castellan: Copy octavia.certmgr to Castellan  https://review.openstack.org/156307 [23:29]
<openstackgerrit> Adam Harwell proposed openstack/castellan: Add barbican implementation of CertManager  https://review.openstack.org/211780 [23:29]
*** morganfainberg has joined #openstack-barbican [23:31]
*** morganfainberg is now known as morgan_404 [23:32]
*** chadlung has quit IRC [23:42]
*** rm_work is now known as rm_work|away [23:46]
*** david-lyle has quit IRC [23:58]
*** david-lyle has joined #openstack-barbican [23:58]
