Monday, 2015-09-28

*** rm_you has quit IRC 00:15
*** zz_dimtruck is now known as dimtruck 00:23
*** vivek-ebay has joined #openstack-barbican 00:26
*** alee_afk has quit IRC 00:47
*** alee_afk has joined #openstack-barbican 00:48
*** david-lyle has joined #openstack-barbican 01:03
*** vivek-ebay has quit IRC 01:09
*** kebray has quit IRC 01:12
*** dave-mccowan has quit IRC 01:24
*** dimtruck is now known as zz_dimtruck 01:27
*** DuncanT_ has joined #openstack-barbican 01:38
*** therve has quit IRC 01:38
*** DuncanT has quit IRC 01:38
*** therve has joined #openstack-barbican 01:40
*** DuncanT_ is now known as DuncanT 01:44
*** kebray has joined #openstack-barbican 01:54
*** kebray has quit IRC 01:55
*** su_zhang has joined #openstack-barbican 02:26
*** vivek-ebay has joined #openstack-barbican 02:27
*** zz_dimtruck is now known as dimtruck 02:39
*** dimtruck is now known as zz_dimtruck 02:52
*** vivek-ebay has quit IRC 03:06
*** Nirupama has joined #openstack-barbican 03:22
*** jhfeng has joined #openstack-barbican 03:27
*** jhfeng has quit IRC 03:31
*** kebray has joined #openstack-barbican 03:33
*** kebray has quit IRC 03:33
*** kebray has joined #openstack-barbican 03:34
*** edtubill has joined #openstack-barbican 03:54
*** everjeje has joined #openstack-barbican 04:24
*** edtubill has quit IRC 04:31
*** shohel has joined #openstack-barbican 05:49
*** Nirupama has quit IRC 06:22
*** Nirupama has joined #openstack-barbican 06:22
*** su_zhang has quit IRC 06:46
*** chlong has quit IRC 07:17
*** jamielennox is now known as jamielennox|away 07:50
*** kebray has quit IRC 07:51
*** jaosorior has joined #openstack-barbican 08:26
*** jaosorior has quit IRC 08:34
*** jaosorior has joined #openstack-barbican 08:38
*** darrenmoffat has quit IRC 08:55
*** darrenmoffat has joined #openstack-barbican 08:56
<openstackgerrit> Merged openstack/barbican: Change test_containers unit test to work around webtest issue
*** su_zhang has joined #openstack-barbican 09:35
*** su_zhang has quit IRC 09:40
<openstackgerrit> Merged openstack/barbican: Fix comment and remove unneeded code
*** mmdurrant has quit IRC 10:09
*** Kiall has joined #openstack-barbican 11:06
*** chlong has joined #openstack-barbican 11:44
*** Nirupama has quit IRC 11:47
*** jamielennox|away is now known as jamielennox 11:52
*** mmdurrant has joined #openstack-barbican 11:59
*** jamielennox is now known as jamielennox|away 12:33
*** dave-mccowan has joined #openstack-barbican 13:07
*** rellerreller has joined #openstack-barbican 13:39
*** jmckind has joined #openstack-barbican 13:41
*** alee_afk has quit IRC 13:41
*** alee has joined #openstack-barbican 13:42
*** nelsnelson has joined #openstack-barbican 13:57
*** zz_dimtruck is now known as dimtruck 13:59
<openstackgerrit> Merged openstack/castellan: Update Barbican functional tests
*** su_zhang has joined #openstack-barbican 14:02
*** stevemar has joined #openstack-barbican 14:05
*** spotz_zzz is now known as spotz 14:06
<openstackgerrit> John Wood proposed openstack/barbican: Exit with error code when fails
*** silos has joined #openstack-barbican 14:13
*** edtubill has joined #openstack-barbican 14:17
*** jhfeng has joined #openstack-barbican 14:18
*** xaeth_afk is now known as xaeth 14:19
*** pglass has joined #openstack-barbican 14:19
*** jmckind_ has joined #openstack-barbican 14:32
*** jmckind has quit IRC 14:33
*** jorge_munoz has joined #openstack-barbican 14:36
*** diazjf has joined #openstack-barbican 14:39
*** jorge_munoz has quit IRC 14:48
<openstackgerrit> Fernando Diaz proposed openstack/python-barbicanclient: Fix error where barbican order create returns invalid error
*** jorge_munoz has joined #openstack-barbican 14:56
*** xaeth is now known as xaeth_afk 15:04
*** kebray has joined #openstack-barbican 15:05
*** ccneill has joined #openstack-barbican 15:06
*** arunkant has quit IRC 15:15
*** xaeth_afk is now known as xaeth 15:17
*** arunkant has joined #openstack-barbican 15:21
*** shohel has quit IRC 15:30
*** everjeje has quit IRC 15:39
*** su_zhang has quit IRC 16:11
<openstackgerrit> Fernando Diaz proposed openstack/python-barbicanclient: Fix error where barbican order create returns invalid error
*** xaeth is now known as xaeth_afk 16:24
*** jmckind has joined #openstack-barbican 16:26
*** jmckind_ has quit IRC 16:27
*** gyee has joined #openstack-barbican 16:28
*** xaeth_afk is now known as xaeth 16:31
*** kebray has quit IRC 16:34
*** kebray has joined #openstack-barbican 16:35
*** kebray has quit IRC 16:36
*** kebray has joined #openstack-barbican 16:37
<openstackgerrit> John Vrbanac proposed openstack/barbican: Use environmental variables for NewRelic
<alee> dave-mccowan, g'day mate! 16:42
*** vivek-ebay has joined #openstack-barbican 16:43
<alee> redrobot, ^^ 16:43
<dave-mccowan> alee howdy 16:43
<redrobot> alee mornin' 16:44
<alee> dave-mccowan, that's funny -- I just said howdy to someone else on a different channel :) 16:44
* dave-mccowan is not stalking you 16:44
<alee> dave-mccowan, would be impressed if you did -- was on an internal RH channel 16:45
* alee thinks dave-mccowan really works for the NSA .. 16:45
<alee> redrobot, dave-mccowan working on the dogtag plugin for subcas.  got the unit test updated and working on the functional tests 16:46
<alee> should be done hopefully by end of today-ish 16:46
<alee> just fyi -  dave-mccowan any other bugs in subcas that need to go in? 16:47
<dave-mccowan> alee, redrobot: fixing delete should probably go in.  what about woodster's db-manage fix? 16:48
<redrobot> alee dave-mccowan about the delete...  I don't understand why having a "preferred" CA is a requirement? 16:49
<redrobot> alee dave-mccowan  seems to me "preferred" CAs should be optional 16:49
<redrobot> alee dave-mccowan if you delete the preferred CA then you have no more preferred CA 16:49
<redrobot> having to set some other CA as preferred before you can delete the current preferred CA just complicates the workflow 16:50
*** vivek-ebay has quit IRC 16:51
*** su_zhang has joined #openstack-barbican 16:51
<alee> redrobot, this is part of the original design  in the blueprint.  The idea was that if you set a project ca , then you always had a preferred ca 16:51
<alee> and that the first project ca became the preferred ca 16:51
<alee> redrobot, I'm open to changing the design -- but that's what was decided on 16:52
<alee> redrobot, think of it this way .. 16:53
<alee> a project admin has specifically chosen to limit the users in his project to a set of N cas. 16:53
<alee> he has done that by specifying these N cas as project cas. 16:54
<alee> so if someone in the project specifies a ca_id - then the request will fail if it is not one of those ca_ids 16:54
<alee> on the other hand, if the caller specifies no ca_id, then it will end up going to the preferred ca_id 16:55
*** peter-hamilton has joined #openstack-barbican 16:55
<redrobot> alee I guess that's the bit I'm getting stuck on 16:55
<redrobot> alee are we saying that you always need to have a preferred CA no matter what? 16:55
<alee> and we need to make sure that the preferred ca_id is one of those N project cas 16:55
<alee> preferred ca is perhaps a misnomer -- default ca is probably more accurate 16:56
<redrobot> I just don't think that "preferred CAs" really add that much value.  We have an endpoint to list a project's CAs, so I don't think it's unreasonable to require the CA ID when you send a request. 16:57
<redrobot> the only benefit is that you can skip that step if a preferred CA is set 16:57
<redrobot> but I don't think that's a huge win compared to the complexity it adds to the delete workflows 16:57
<alee> it makes sense to me that if an admin chooses to restrict access to N project cas, then requests that come in without a ca_id should go to one of those project cas 16:57
<alee> redrobot, well - I disagree - I think it's useful for a client to be able to just send in the request and know it will go to the "right ca" 16:58
<alee> redrobot, and deleting a ca is an admin operation 16:58
<dave-mccowan> it makes it harder on admin, but much easier on user client. 16:59
<alee> redrobot, and it's not that hard for the admin 16:59
<alee> they just need to select another ca 16:59
<dave-mccowan> if we change the delete logic, we'll need to revisit the remove-from-project logic.  it has the same check and error code. 17:00
<dave-mccowan> i think a case could be made for the change.  the biggest problem with that now, is that there is code that assumes there will always be a preferred if there is a project CA.  we'll need to re-review a bunch of code to make sure stuff will work with a different design.  also the docs will need to be updated. 17:00
<redrobot> is it possible for a project to have no CAs at all? 17:00
<redrobot> ie, the admin does not want the users to provision any Certs 17:00
* redrobot realizes it is way too late in the game to make these changes for Liberty 17:01
*** vivek-ebay has joined #openstack-barbican 17:01
<dave-mccowan> they can use quotas to disable orders or disable create_cas.  disabling just certificate orders sounds like a useful feature. 17:01
<dave-mccowan> (that does not have a solution in liberty) 17:02
<alee> dave-mccowan, redrobot and I know that's one you guys want to add -- but I thought we were talking about adding it in Mitaka 17:02
*** gyee has quit IRC 17:03
<redrobot> alee dave-mccowan so what's the current behavior for deleting the last project-ca? 17:03
<alee> redrobot, you could add a ca plugin that just denies certs -- or for that matter use the simple ca plugin 17:03
<alee> and just restrict users to that ca 17:03
<dave-mccowan> without the delete bug fix, the system can get into an undefined state.  a preferred CA or project CA entry can exist, referencing a CA that has been deleted. 17:04
<redrobot> alee dave-mccowan ehh... sounds like 500s waiting to happen? 17:05
<alee> redrobot, dave-mccowan yeah - we need to fix that 17:05
<redrobot> Sorry I didn't quite understand that last week, or I would have marked it as a higher priority bug 17:06
<dave-mccowan> blocking the delete when the CA is preferred is just one of the subtle bugs that is fixed with the eventual proposed patch. 17:06
<redrobot> dave-mccowan would it be possible to delete the last CA? 17:06
<dave-mccowan> i don't think we knew about this bug until very late last week. 17:06
<redrobot> or I suppose the public CA is always available... 17:06
* redrobot needs to kick the tires on CA API more 17:06
<alee> redrobot, right -- remember project cas just restrict the set of available cas 17:07
<alee> and you can remove the last project ca. 17:07
<alee> the problem is removing a project ca that is the preferred ca, when other project cas exist 17:07
<alee> because the preferredness does not transfer 17:08
<dave-mccowan> is anyone else kicking the tires on the CA API this week? 17:08
<alee> dave-mccowan, anyways you working on that? 17:08
<dave-mccowan> i've got a WIP patch up in gerrit, and a working patch locally.  just a bunch of unit test work to do.  there's lots of branches to cover. 17:10
<dave-mccowan> alee, redrobot: do we have a target date in mind for RC2? 17:11
<redrobot> dave-mccowan alee I'll have to talk to the release managers....  schedule says RC window is ongoing until next week. 17:11
<alee> redrobot, cool thanks - that would be good to know. 17:13
*** stevemar has quit IRC 17:13
<alee> redrobot, I'm trying to wrap up my changes quickly, but it will still take a few days. 17:14
<dave-mccowan> do we know of any ongoing testing?  it'd be nice to only have one more RC. 17:14
<alee> dave-mccowan, +1 17:14
<alee> dave-mccowan, redrobot heard anything from the magnum folks? 17:15
<alee> redrobot, I'm working on getting dogtag client code into a package on pypi.  I'm guessing though that we can defer adding this package to requirements.txt, test requirements to mitaka .. 17:18
<redrobot> alee since it's an optional dependency, I believe it does not need to be added to global-requirements. 17:18
<alee> redrobot, so no procedure other than to add to our own requirements.txt? 17:19
*** stevemar has joined #openstack-barbican 17:19
<redrobot> alee probably add to test-requirements.txt because requirements.txt actually gets added to the package 17:19
*** gyee has joined #openstack-barbican 17:19
<redrobot> alee I can double check for you though 17:20
<alee> redrobot, that'll be great - thanks 17:20
<dave-mccowan> i'll check with the magnum folks for feedback. 17:21
*** xaeth is now known as xaeth_afk 17:21
<dave-mccowan> i think there is a gate check to make sure projects don't add requirements that are not part of global-requirements.  does it not check test-requirements? 17:22
<jaosorior> Any workflows for this?
*** everjeje has joined #openstack-barbican 17:25
*** vivek-ebay has quit IRC 17:31
*** vivek-ebay has joined #openstack-barbican 17:32
<dave-mccowan> redrobot, alee: i checked with the magnum team. for Liberty, they roll-their-own subCAs and certificates.  ( :-( one more RA/CA in OpenStack.)  They have a barbican plugin, but currently it can only store certificates. 17:34
*** alee has quit IRC 17:34
<redrobot> dave-mccowan alee bummer :( 17:34
*** alee has joined #openstack-barbican 17:36
*** xaeth_afk is now known as xaeth 17:37
*** kebray has quit IRC 17:38
*** alee has quit IRC 17:39
*** alee has joined #openstack-barbican 17:39
<jaosorior> dave-mccowan: do you know why they decided to go that way? 17:45
<redrobot> jaosorior mostly because our CR provisioning workflow was broken when they looked at it 17:46
<jaosorior> redrobot: well, shit 17:46
<jaosorior> redrobot: I understood anyway. Bummer :/ 17:47
*** diazjf_ has joined #openstack-barbican 17:47
<redrobot> yeah, bummer for sure. 17:47
<redrobot> I was in the Security meeting last week and someone there was wanting to spin up their own CA API as well...  I'm hoping I can convince them to contribute to Barbican instead. 17:48
<dave-mccowan> hopefully they will expand the barbican driver to include enrollment and subcas in Mitaka 17:49
<dave-mccowan> redrobot +1 we should help the community converge on one RA/CA API. 17:50
<redrobot> dave-mccowan indeed!  ...  I still have it on my to-dos to learn the Anchor API. 17:50
*** igueths has joined #openstack-barbican 17:51
<dave-mccowan> redrobot.  not much to it. curl http://localhost:5000/v1/sign/CAID -F encoding=pem -F 'csr=<put the CSR here>' 17:54
*** kebray has joined #openstack-barbican 17:59
*** kebray has quit IRC 17:59
*** kebray has joined #openstack-barbican 18:00
*** jmckind has quit IRC 18:03
*** diazjf_ has quit IRC 18:07
<redrobot> anyone know off the top of their head what "@" means in the policy file? 18:10
*** xaeth is now known as xaeth_afk 18:11
*** su_zhang has quit IRC 18:11
*** su_zhang_ has joined #openstack-barbican 18:12
*** jmckind has joined #openstack-barbican 18:13
<dave-mccowan> redrobot it means the action is always permitted. 18:25
<redrobot> dave-mccowan ack, thanks! 18:26
*** ccneill_ has joined #openstack-barbican 18:28
*** ccneill has quit IRC 18:29
*** jmckind has quit IRC 18:38
*** jmckind has joined #openstack-barbican 18:50
*** xaeth_afk is now known as xaeth 18:50
*** su_zhang_ has quit IRC 18:53
*** fnaval has quit IRC 18:55
*** jmckind has quit IRC 19:04
*** ccneill_ has quit IRC 19:06
*** kfarr has joined #openstack-barbican 19:09
*** ccneill_ has joined #openstack-barbican 19:09
*** ccneill_ is now known as ccneill 19:19
*** jmckind has joined #openstack-barbican 19:29
*** jmckind has quit IRC 19:30
*** woodster_ has joined #openstack-barbican 19:42
*** su_zhang has joined #openstack-barbican 19:50
*** jmckind has joined #openstack-barbican 19:57
*** su_zhang has quit IRC 19:58
*** jsavak has joined #openstack-barbican 20:02
*** peter-hamilton has quit IRC 20:03
*** vivek-ebay has quit IRC 20:05
<jaosorior> #join #openstack-meeting-alt 20:07
*** jsavak has quit IRC 20:08
*** david-lyle has quit IRC 20:14
*** jmckind has quit IRC 20:16
*** everjeje has quit IRC 20:19
*** jmckind has joined #openstack-barbican 20:20
*** su_zhang has joined #openstack-barbican 20:27
*** jmckind has quit IRC 20:31
*** jmckind has joined #openstack-barbican 20:38
*** rellerreller has quit IRC 20:44
*** vivek-ebay has joined #openstack-barbican 20:49
*** xaeth is now known as xaeth_afk 20:55
*** jmckind has quit IRC 20:58
*** pglass has quit IRC 21:04
*** jmckind has joined #openstack-barbican 21:05
<silos> woodster_: ping. Hope I'm not catching you on your way out. 21:09
*** david-lyle has joined #openstack-barbican 21:09
<woodster_> silos: nope 21:10
<silos> woodster_: Have you tested from base recently? 21:10
<woodster_> silos: yes, yesterday/today 21:11
<woodster_> silos: against postgres only though 21:11
<silos> ah ok. I tested against mysql and I'm getting a few errors. If we add this to the gate will it use mysql, postgresql, or something else? 21:11
<woodster_> silos: it would use mysql by default. can you send the stack trace you see to my IRC directly? 21:12
<woodster_> silos: I've replaced some of the 'execute' calls in there, so I wonder if that is breaking mysql now 21:13
<woodster_> silos: are you thinking of putting that into the devstack gate? 21:13
*** silos has quit IRC 21:14
*** xaeth_afk is now known as xaeth 21:14
*** silos has joined #openstack-barbican 21:14
<silos> woodster_:  no. I was just wondering if it's something to worry about since we talked about the db_manage script today. 21:15
<woodster_> silos:  indeed! 21:15
*** diazjf has quit IRC 21:18
<openstackgerrit> Merged openstack/python-barbicanclient: Create Openstack CLI plugin for Barbican
<jaosorior> stevemar: ^^ yay! :D 21:23
*** dave-mccowan has quit IRC 21:23
<stevemar> jaosorior: holy crap 21:23
<stevemar> that thing was sitting at 2x+2 forever 21:23
<jaosorior> stevemar: By the way, congrats on becoming the new keystone PTL :D 21:23
<stevemar> jaosorior: ty ty! 21:23
* stevemar bows elegantly 21:24
<jaosorior> hahaha awesome 21:24
<jaosorior> stevemar: Celebrated already? 21:24
<stevemar> jaosorior: topol took me out for giant steaks 21:24
<stevemar> that was nice 21:25
<jaosorior> stevemar: Aah yeah! Saw the pic on twitter 21:25
<jaosorior> stevemar: very well deserved 21:26
<stevemar> jaosorior: \o/ 21:26
<jaosorior> Anyway, it's pretty late over here 21:26
<stevemar> jaosorior: now to ruin everything! 21:26
<jaosorior> gonna go to sleep already 21:26
<jaosorior> have a good one 21:26
<stevemar> jaosorior: gn! 21:26
*** jaosorior has quit IRC 21:26
*** stevemar has quit IRC 21:29
*** stevemar has joined #openstack-barbican 21:29
*** dave-mccowan has joined #openstack-barbican 21:31
*** stevemar has quit IRC 21:32
*** pglass has joined #openstack-barbican 21:33
*** silos has left #openstack-barbican 21:35
*** edtubill has quit IRC 21:38
*** jmckind has quit IRC 21:38
*** su_zhang_ has joined #openstack-barbican 21:44
*** su_zhang has quit IRC 21:47
*** vivek-ebay has quit IRC 21:51
*** su_zhang has joined #openstack-barbican 21:53
*** igueths has quit IRC 21:56
*** su_zhang_ has quit IRC 21:56
*** kfarr has quit IRC 22:02
*** vivek-ebay has joined #openstack-barbican 22:05
*** stevemar has joined #openstack-barbican 22:12
*** xaeth is now known as xaeth_afk 22:14
*** stevemar has quit IRC 22:17
*** vivek-ebay has quit IRC 22:17
*** dimtruck is now known as zz_dimtruck 22:20
*** stevemar has joined #openstack-barbican 22:21
*** stevemar_ has joined #openstack-barbican 22:23
*** pglbutt has joined #openstack-barbican 22:25
*** stevemar has quit IRC 22:25
*** stevemar_ has quit IRC 22:28
*** pglass has quit IRC 22:29
*** stevemar has joined #openstack-barbican 22:30
*** stevemar_ has joined #openstack-barbican 22:31
*** spotz is now known as spotz_zzz 22:32
*** su_zhang has quit IRC 22:32
*** pglbutt has quit IRC 22:33
*** stevemar has quit IRC 22:34
*** stevemar_ has quit IRC 22:36
*** stevemar has joined #openstack-barbican 22:36
*** vivek-ebay has joined #openstack-barbican 22:38
*** su_zhang has joined #openstack-barbican 22:39
*** stevemar has quit IRC 22:41
*** jamielennox|away is now known as jamielennox 23:13
*** gyee has quit IRC 23:14
*** vivek-ebay has quit IRC 23:26
*** vivek-eb_ has joined #openstack-barbican 23:26
*** ccneill has quit IRC 23:38
