Friday, 2015-09-11

*** SheenaG has joined #openstack-barbican00:04
*** alee has joined #openstack-barbican00:05
*** SheenaG has left #openstack-barbican00:07
*** chlong has quit IRC00:19
*** jhfeng has quit IRC00:33
*** zz_dimtruck is now known as dimtruck00:41
*** chlong has joined #openstack-barbican01:02
*** lisaclark1 has joined #openstack-barbican01:06
*** chlong has quit IRC01:08
*** lisaclark1 has quit IRC01:17
*** vivek-ebay has quit IRC01:19
*** chlong has joined #openstack-barbican01:21
*** SheenaG has joined #openstack-barbican01:37
*** SheenaG has quit IRC01:58
*** SheenaG has joined #openstack-barbican02:04
*** SheenaG has left #openstack-barbican02:09
*** jhfeng has joined #openstack-barbican02:14
*** tkelsey has joined #openstack-barbican02:16
*** tkelsey has quit IRC02:20
*** dave-mccowan has joined #openstack-barbican02:35
*** dave-mccowan has quit IRC02:35
*** Nirupama has joined #openstack-barbican02:39
*** SheenaG has joined #openstack-barbican02:56
*** SheenaG has left #openstack-barbican02:57
*** gyee has quit IRC02:58
*** ryanpetrello has quit IRC03:29
*** ryanpetrello has joined #openstack-barbican03:34
*** Kevin_Zheng has joined #openstack-barbican04:11
*** dimtruck is now known as zz_dimtruck04:18
*** woodster_ has quit IRC05:09
openstackgerritAde Lee proposed openstack/barbican: Add DELETE functionality for subCAs
*** jhfeng has quit IRC06:20
*** shohel has joined #openstack-barbican06:28
*** jaosorior has joined #openstack-barbican07:14
*** tkelsey has joined #openstack-barbican07:41
*** darrenmoffat has quit IRC09:14
*** darrenmoffat has joined #openstack-barbican09:15
*** chlong has quit IRC09:16
*** mmdurrant has quit IRC10:09
*** dave-mccowan has joined #openstack-barbican10:57
*** shohel has quit IRC11:02
*** shohel has joined #openstack-barbican11:02
*** Nirupama has quit IRC11:12
*** Kevin_Zheng has quit IRC11:15
*** yuanying_ has joined #openstack-barbican11:33
*** yuanying has quit IRC11:35
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Add functional test for project CA
*** woodster_ has joined #openstack-barbican12:07
jaosoriorneed a workflow here: and here
*** shohel has quit IRC12:23
*** shohel has joined #openstack-barbican12:23
*** peter-hamilton has joined #openstack-barbican12:24
*** shohel has quit IRC12:35
*** shohel has joined #openstack-barbican12:37
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Add functional test for project CA
*** shohel has quit IRC12:41
*** shohel has joined #openstack-barbican12:41
*** peter-hamilton has quit IRC12:50
*** rellerreller has joined #openstack-barbican12:58
jaosoriorrellerreller: Got a couple of workflows to spare? :D12:59
rellerrellerjaosorior I'm not sure. My other project is calling my name all day today.13:00
rellerrellerjaosorior Can you send me 2-3 items in order of priority? If I get some time I can take a look.13:01
jaosoriorrellerreller: These two are cherry-picks from our master branch into the stable/kilo and here
jaosoriorthey're meant to fix the dogtag gate there13:03
jaosoriorthe new dogtag gate won't work for stable/kilo, only the old one13:04
jaosoriorrellerreller: So in the first one the gate is still not completely fixed, but the subsequent patch actually finishes up fixing it. But, like I said, they're cherry-picks, so they're left as they are13:07
*** jorge_munoz has quit IRC13:07
rellerrellerjaosorior what's the deal with the two non-voting gates failing for 205042?13:09
jaosoriorrellerreller: It's a cherry pick. When that commit was introduced, it used to work for the dogtag version that was being used13:09
jaosoriorthe next CR fixes it for the current dogtag version that's being used, but it depends on the changes done in 20504213:10
rellerrellerI'm looking at 205042.13:10
rellerrellerI see that most of the gates are working, but two are still failing.13:10
jaosoriorthat one13:11
jaosoriorlike I mentioned13:11
jaosoriorthe ones ending in -new will not work13:11
jaosoriorthose only work in the master branch13:11
jaosoriornot in stable/kilo13:11
jaosoriorSo the gate-barbican-devstack-dsvm-new and gate-barbican-dogtag-devstack-dsvm-f21-new are expected to fail in stable/kilo13:12
rellerrellerThat's because of the version of dogtag? Or why is that? This is more for my own understanding.13:12
dave-mccowanthe *-new ones should not be run at all on stable/kilo.  we're trying to fix that with a commit to project-infra with
rellerrellerI looked at the patches. They seem straight forward. I'll one final pass and vote soon.13:12
jaosoriorrellerreller: No, they fail because of the way gates are handled in infra13:13
jaosoriorSo, apparently the gates are ran as defined in project-config and that applies to both master and stable/kilo13:14
jaosoriorproblem is, if something changes, they are reflected always in both... so stable/kilo, gate-wise, is actually not that stable13:14
dave-mccowanthey don't need to be that way; it was a mistake when the -new ones were added.13:16
jaosoriordave-mccowan: aha, well that's slightly re-asuring13:17
rellerrellerjaosorior done and done13:18
jaosorioryay :D13:19
jaosoriorrellerreller: Thanks Mr.13:19
jaosorioralee: ping13:21
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Add functional test for project CA
*** jroll is now known as jtroll13:33
*** jtroll is now known as Guest1373013:34
*** Guest13730 is now known as jroll13:34
*** mmdurrant has joined #openstack-barbican13:46
*** SheenaG has joined #openstack-barbican13:55
*** SheenaG has left #openstack-barbican13:55
aleejaosorior, pong14:04
jaosorioruploaded a patch for testing the project CA add/remove. And there I did some enhancement to how CA backends are detected, you might want to use that for the DELETE patch14:05
aleejaosorior, looking14:07
jaosorioralee: Just a fancier decorator to be honest. Nothing revolutionary at all, but it looks better :P14:08
jaosorioralee: Aaaaand the stable/kilo changes finally landed14:09
jaosoriorso dogtag gate works in stable/kilo now14:09
*** pglass has joined #openstack-barbican14:09
aleejaosorior, yay!14:10
*** xaeth_afk is now known as xaeth14:11
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Add functional test for project CA
jaosorioralee: By the way, I think your commit should go before this one
jaosoriordave-mccowan 's commit needs the delete functionality14:18
*** spotz_zzz is now known as spotz14:23
aleejaosorior, looks good although ultimately I think we're going to want a decorator thats even more complicated.14:23
aleejaosorior, essentially it would be nice to have something that says - run this test for these plugins if they are enabled.14:24
jaosorioralee: It already does that14:25
jaosoriorOr what do you mean?14:26
aleejaosorior, almost - for instance ..14:26
aleeif I have a decorator that says @run_this_for _plugins("dogtag", "snakeoil")14:27
aleeit will run through the test twice, selecting the right ca_id each time14:27
jaosoriorIf you mean that the decorator should actually inject plugin-specific information, that could be done. But I'm guessing it could be possible with the parameterized test decorators14:27
jaosoriorso it would be a mixture of the decorator I introduced, and below that would go the parameterized decorator14:28
aleedoesn't have to go in this patch of course- but I think thats the desired end state14:28
dave-mccowanalee jaosorior how about a base class with generic/abstract CA tests that can be inherited by CA specific classes that injects the CA specific parameters?14:29
jaosoriordave-mccowan: That shouldn't be too hard. I was thinking of one of these days sitting down and defining which tests should be ran for which CA plugin. And there we would see the ones that overlap and such14:30
jaosoriorSo when that's sorted out, we could write something like that14:31
*** zz_dimtruck is now known as dimtruck14:31
aleedave-mccowan, jaosorior thats not a bad idea but its not just for the catests.  Its also the cert order tests14:31
aleeso I think a decorator will be more verstaile14:32
aleethat way I dont have to keep X copies of each cert order test14:32
aleeand have to make sure I add X copies each time I add a test14:33
*** shohel has quit IRC14:34
aleejaosorior, as to the comment that Dave's CR depends on mine, thats true except that I used some code in ca behaviors that Dave put in his patch.14:35
dave-mccowanalee haha.  i was thinking base classes would be more versatile than decorators. but same goal... which ever way works out best for whoever implements it.14:35
*** edtubill has joined #openstack-barbican14:37
aleedave-mccowan, yup although I do like the idea of keeping all that selecting the cas a test will run on in the same place14:38
aleedo right off the bat I need to decide which cas a test will run on14:38
alee(and decorators are cool)14:39
*** woodster_ has quit IRC14:39
*** morgan has quit IRC14:40
*** morganfainberg has joined #openstack-barbican14:40
aleedave-mccowan, jaosorior so how do we want to structure all these CRs?14:42
dave-mccowanalee merge them all quick while no one else is looking. :-)14:43
aleedave-mccowan, :)14:43
aleedave-mccowan, jaosorior - I suppose we could take jaosorior patch first, then take mine with the ca behaviors bits from dave-mccowan patch, followed by dave-mccowan patch?14:45
aleethat may be the most logical .. or ..14:45
*** ccneill has joined #openstack-barbican14:46
aleethe simplest would be to take my patch, then daves, then jaosorior14:46
dave-mccowanalee simplest is mine first, since yours already depends on it and we know both pass the gate if we go in that order.14:49
aleeagreed - and then jaosorior on top of that14:50
dave-mccowanis all_but_audit the right user base for post/delete of a CA?  seems a little too loose for me.14:51
*** ccneill has quit IRC14:53
aleedave-mccowan, no - I was thinking it should be project admin actually14:54
aleesame for creation of cas14:54
aleeI was going to circle back to that after this set of commits, but we can look at it now.14:55
aleedave-mccowan, jaosorior do you know how to specify project admin?14:55
dave-mccowanpost should be admin-or-creator, delete should be admin.14:56
*** lisaclark1 has joined #openstack-barbican14:56
*** morganfainberg has quit IRC14:56
aleedave-mccowan, so creator should not be able to delete his own subcas?14:57
*** morganfainberg has joined #openstack-barbican14:57
dave-mccowanalee correct.  the only difference between admin and creator is the ability to delete.  if creators could delete, they would be == to admin.14:58
*** lisaclark1 has quit IRC14:59
aleedave-mccowan, we do this also for secrets? you can put something up but only admin can remove it?14:59
*** morganfainberg has quit IRC14:59
*** lisaclark1 has joined #openstack-barbican14:59
dave-mccowanalee yes.15:00
aleedave-mccowan, I'm inclined to say creating a subca should be an admin operation15:01
aleeso both would be rule:admin15:02
dave-mccowanalee i like that.15:02
aleedave-mccowan, ok I'll change to that15:04
*** morganfainberg has joined #openstack-barbican15:04
*** morganfainberg has quit IRC15:04
openstackgerritJuan Antonio Osorio Robles proposed openstack/barbican: Add functional test for project CA
aleedave-mccowan, does "rule:admin" mean project admin?15:05
aleedave-mccowan, I'm just wondering because I think we want a higher rule for "certificate_authority:set_global_preferred": "rule:admin",15:06
dave-mccowani added service-admin for project quotas.  you can use that.15:06
dave-mccowanplain old admin is a project admin15:07
aleedave-mccowan, yeah - I was just thinking that15:07
*** silos has joined #openstack-barbican15:07
aleeok thats what I'll use15:07
dave-mccowanafk for lunch...15:09
aleedave-mccowan, early lunch :)15:13
aleedave-mccowan, does this make sense to you?
*** kfarr has joined #openstack-barbican15:17
*** morgan has joined #openstack-barbican15:23
*** morgan has quit IRC15:25
*** morgan has joined #openstack-barbican15:26
*** morgan has quit IRC15:31
*** morgan has joined #openstack-barbican15:31
*** morgan has quit IRC15:35
*** morgan has joined #openstack-barbican15:35
aleejaosorior, ping15:47
jaosorioralee: pong15:48
aleejaosorior, hey -- so looking at the comment you made about making sure someone should not be able to delete the snakeoil ca15:49
aleejaosorior, the check is that the ca being deleted must be a ca -- so must have a project_id defined and that it should match the external project id15:50
*** kebray has joined #openstack-barbican15:50
aleejaosorior, I can put that check in the controller, but I can't help thinking this is something that could be checked beforehand like we do the acl stuff.15:51
aleejaosorior, I'm just not sure how to do it15:51
jaosorioralee: Yeah... not sure about it either15:51
jaosoriorand I gotta go in 5 min :/15:51
aleenp - for now I'm just put it in the controller and put in a TODO15:52
aleeand ask arunkant about it later15:52
jaosorioralee: Can you take over my CR? and check if the test in the bottom of the following file is actually valid?
aleejaosorior, will do thanks!15:54
jaosoriorMy understanding was that if a project CA is defined, then a user should only be getting that CA when doing get_cas, but that doesn't seem to be the case15:54
aleejaosorior, that is correct -- I was actually surprised it was working :)15:54
aleebut I guess it isn;t15:55
aleeso yeah - I'll fix it15:55
jaosoriorFeel free to take over that CR15:55
aleeand rebase on top ofmine15:55
aleejaosorior, will do - thanks!15:55
jaosoriorAnyway, gotta go, talk to you guys later15:56
*** jaosorior has quit IRC15:56
aleekfarr, ping15:56
*** lisaclark1 has quit IRC15:57
aleekfarr, it would be nice if you could review please15:57
aleekfarr,  and - although I need to make an update there15:58
*** gyee has joined #openstack-barbican16:00
*** yuanying has joined #openstack-barbican16:02
dave-mccowanalee those policies look good to me16:02
aleedave-mccowan, cool thanks16:02
aleedave-mccowan, lobbying for your quota patch to be approved ..16:03
*** yuanying_ has quit IRC16:04
*** chlong has joined #openstack-barbican16:05
*** vivek-ebay has joined #openstack-barbican16:08
*** silos has left #openstack-barbican16:23
*** edtubill has quit IRC16:25
*** vivek-ebay has quit IRC16:28
*** silos has joined #openstack-barbican16:31
kfarralee, just saw these, was at lunch, I'll take a look in a little bit!16:44
dave-mccowanalee ping16:45
aleekfarr, thanks16:46
aleedave-mccowan, pong16:46
dave-mccowanalee fyi, i'll be punching out early today and then camping for the weekend totally unplugged.  so, if any of my subca related code gives you grief, you're on your own.  please feel free to hack away.16:47
aleedave-mccowan, thanks - sounds like fun :)16:47
dave-mccowanalee your policy changes may require functional test changes to set the appropriate user_name= and admin= parameters.16:48
aleedave-mccowan, I'm hoping kfarr approves your CR and we get that merged in16:48
aleedave-mccowan, then any changes needed will be in my CR16:49
aleedave-mccowan, rerunning the functional tests right now16:51
*** vivek-ebay has joined #openstack-barbican16:53
arunkantalee, reading messages you have a question?16:56
aleearunkant, I do - but I'm going to defer till next week if you dont mind16:57
arunkantalee, okay.16:57
*** edtubill has joined #openstack-barbican17:00
*** diazjf has quit IRC17:10
*** diazjf has joined #openstack-barbican17:10
*** chlong has quit IRC17:34
*** diazjf has quit IRC17:36
*** spidey has joined #openstack-barbican17:40
*** edtubill has quit IRC17:42
aleedave-mccowan, till around?17:47
dave-mccowanalee yep17:47
aleedave-mccowan, so I'm trying to run the functional tests17:47
aleedave-mccowan, what project is sent in when we do these requests?17:49
aleedave-mccowan, maybe there isn't one send tin?17:51
dave-mccowanit's set by barbican-functional.conf.  the default user is "admin" of project "admin".    you can override with other admins and projects listed in that config file.17:51
aleedave-mccowan, let me post up the patch and you can tell me whats wrong ..17:52
dave-mccowanalee the project id is sent as part of the keystone token17:52
aleedave-mccowan, right -- and it should be the same for all requests, right?17:53
*** kfarr has quit IRC17:54
dave-mccowanalee yep, unless you're doing something special.  (like if you set the policy for service-admin).  i'll look at your patch.17:54
openstackgerritAde Lee proposed openstack/barbican: Add DELETE functionality for subCAs
aleedave-mccowan, ^^ specifically I'm looking at : nosetests functionaltests.api.v1.functional.test_cas:CertificateAuthoritiesTestCase.test_create_and_delete_snakeoil_subca17:56
*** lisaclark1 has joined #openstack-barbican18:03
dave-mccowanalee the test code and policy code are right and worked fine.18:03
dave-mccowanFile "/Users/dmccowan/barbican/barbican/tasks/", line 240, in delete_subordinate_ca18:03
dave-mccowanERROR barbican.api.controllers UnauthorizedSubCADelete: Subordinate CA is not owned by this project18:04
aleeright - thats confusing to me18:04
dave-mccowan    if ca.project_id != external_project_id:18:04
dave-mccowanshould be internal project id?18:04
aleeah - could be ..18:05
aleeyeah - that sproably it ..18:05
dave-mccowanproject_id should always be should always be the internal id.18:05
*** darrenmoffat has quit IRC18:05
*** tkelsey has quit IRC18:09
*** spidey has quit IRC18:11
aleedave-mccowan, yeah - that was it18:14
dave-mccowanalee i would expect enforce_rbac() to do that check, but maybe that's extra code like in the acl policies.18:18
aleeright -- I think its acl like code18:19
aleewhich I'll try to do that way next week18:19
*** SheenaG has joined #openstack-barbican18:23
*** SheenaG has left #openstack-barbican18:23
openstackgerritJason Fritcher proposed openstack/barbican-specs: Blueprint defining healthcheck API endpoint.
*** diazjf has joined #openstack-barbican18:39
*** kfarr has joined #openstack-barbican18:40
*** edtubill has joined #openstack-barbican18:40
aleekfarr, dave-mccowan I workflowed the dave-mccowan CR,  the delete CA CR is being sent in momentarily18:45
*** everjeje has quit IRC18:52
openstackgerritAde Lee proposed openstack/barbican: Add DELETE functionality for subCAs
aleedave-mccowan, kfarr - please take a look ^^19:06
aleerellerreller, if you're available, I could do with another core reviewer too please19:07
*** gyee has quit IRC19:17
*** SheenaG has joined #openstack-barbican19:25
*** SheenaG has left #openstack-barbican19:25
redrobotsilos ping19:28
redrobotactually never mind19:28
redrobotdiazjf ping !19:28
silosredrobot :(19:30
diazjfredrobot, pong19:30
redrobotdiazjf hey, I don't think I'll be able to do a hangout today... but I'll review client CRs over the weekend19:30
openstackgerritMerged openstack/barbican: Add Project Quota Support for Sub CAs
diazjfredrobot, no worries, dave-mccowan had a good suggestion for so I may just alter the code soon19:32
openstackgerritFernando Diaz proposed openstack/barbican: Use testr for running functional tests and documentation
rm_workhey guys:
rm_work^^ could use a +A19:36
redrobotrm_work done19:37
*** lisaclark1 has joined #openstack-barbican19:38
*** lisaclark1 has quit IRC19:38
*** lisaclark1 has joined #openstack-barbican19:39
silosdave-mccowan: ping19:44
*** tkelsey has joined #openstack-barbican19:46
*** lisaclark1 has quit IRC19:47
*** gyee has joined #openstack-barbican19:57
openstackgerritFernando Diaz proposed openstack/castellan: Add name to Barbican Key Manager Secret Creation
*** rm_you| is now known as rm_you20:07
openstackgerritFernando Diaz proposed openstack/barbican: Use testr for running functional tests and documentation
*** rellerreller has quit IRC20:09
openstackgerritMerged openstack/barbican: Remove bad clones (new devstack method doesn't need this)
*** kebray has quit IRC20:15
*** kebray has joined #openstack-barbican20:16
*** lisaclark1 has joined #openstack-barbican20:17
*** dave-mccowan has quit IRC20:18
openstackgerritFernando Diaz proposed openstack/barbican: Use testr for running functional tests and documentation
*** tkelsey has quit IRC20:34
*** lisaclark1 has quit IRC20:51
*** tkelsey has joined #openstack-barbican21:02
*** tkelsey has quit IRC21:06
*** kfarr has quit IRC21:12
*** silos has left #openstack-barbican21:16
*** alee is now known as alee_afk21:17
*** gyee has quit IRC21:19
*** edtubill has quit IRC21:38
*** tkelsey has joined #openstack-barbican21:41
*** tkelsey has quit IRC21:45
*** diazjf has left #openstack-barbican21:50
*** dimtruck is now known as zz_dimtruck21:57
*** xaeth is now known as xaeth_afk22:01
*** gyee has joined #openstack-barbican22:19
*** gyee has quit IRC22:25
*** pglass has quit IRC22:29
-openstackstatus- NOTICE: 30 minute warning, Gerrit will be offline from 23:00 to 23:30 UTC while some projects are renamed
*** gyee has joined #openstack-barbican22:33
*** spotz is now known as spotz_zzz22:38
-openstackstatus- NOTICE: Gerrit is offline from 23:00 to 23:30 UTC while some projects are renamed.
*** ChanServ changes topic to "Gerrit is offline from 23:00 to 23:30 UTC while some projects are renamed."23:00
*** codekobe has quit IRC23:04
*** codekobe has joined #openstack-barbican23:06
*** gyee has quit IRC23:16
*** gyee has joined #openstack-barbican23:23
*** gyee has quit IRC23:23
*** ChanServ changes topic to "OpenStack Barbican Development - next milestone liberty-3 on Sept 1-3"23:38
*** SheenaG has joined #openstack-barbican23:41
*** SheenaG has quit IRC23:45
*** openstackgerrit has quit IRC23:46
*** SheenaG has joined #openstack-barbican23:46
*** openstackgerrit has joined #openstack-barbican23:46
*** SheenaG has quit IRC23:49

Generated by 2.14.0 by Marius Gedminas - find it at!