Thursday, 2016-02-18

openstackgerritDouglas Mendizábal proposed openstack/barbican: Update and reorganize the doc landing page.
openstackgerritFernando Diaz proposed openstack/barbican: WIP: User Metadata API and tests
openstackgerritAdam Harwell proposed openstack/barbican: Remove consumer check for project_id to match containers
aleeredrobot, jaosorior - any idea what is going on here?
aleejaosorior, I think its a config error - not a gunicorn error ..16:06
jaosorioralee: H ow does your paste.ini look like?16:09
jaosoriorSeems that the problem might be there16:09
aleejaosorior, looking -- pasting ..16:12
aleejaosorior, the paste.ini looks exactly the same as the regular paste.ini except for this addtional bits ..16:14
alee> use = egg:gunicorn#main16:14
alee> [server:main]16:15
alee> use = egg:gunicorn#main16:15
aleejaosorior, yup - that was it ..16:27
openstackgerritDouglas Mendizábal proposed openstack/barbican: Update and reorganize the doc landing page.
aleeredrobot, ya'll changed the barbican client ..16:58
redrobotalee eh?16:58
aleethere is no longer an order create ..16:59
aleenow is secret order create ?16:59
redrobotalee are you using barbican or openstack cli?16:59
redrobotalee weird ... I don't recall it being changed.17:00
redrobotalee I think it should be "barbican order create" as well17:01
*** gyee has joined #openstack-barbican17:01
aleeredrobot, let me pull up source ..  but this used to work for me ..17:02
*** su_zhang has quit IRC17:02
aleebarbican --os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url --endpoint http://localhost:9311 order create --name foo --type key --os-identity-api-version 217:02
aleeand it does not now ..17:02
aleediazjf, well thats interesting .. good thing we're not worried about backward compatibility17:12
aleediazjf, you also made a change for the type of the order17:13
aleediazjf, changed it to a positional parameter?17:13
diazjfalee, I'd ask jaosorior ^17:14
aleediazjf, well that particular change was your commit :)17:14
aleethis now works ..17:15
diazjfohh lol alee, yeah I remember now17:15
aleebarbican --os-username barbican --os-password a_big_secret --os-tenant-name services --os-auth-url --endpoint http://localhost:9311 secret order create key --name foo  --os-identity-api-version 217:15
redrobotalee sorry, i'm mid-meeting right now... will take a look in the afternoon.17:15
aleeredrobot, no worries17:15
aleediazjf, redrobot  - I'm just not sure the cli is very intuitive  now -- barbican secret order create key ....17:16
aleebarbican secret order create certificate ..17:17
silosalee: redrobot and I were going to create an etherpad to discuss changes to the client to make it more user-friendly.17:17
silosalee: I can probably have it up in a bit and post the link17:18
aleesilos, that would be a good idea.  although all these changes make me want to use the openstack client17:18
redrobotalee agreed... one thing I was talking to silos about is that I think our approach to the CLI is not the correct one.  It seems we are trying to map 1:1 the REST concepts and make them available in the CLI17:18
redrobotalee but I think a better approach would be to think of use cases that a user of barbican would want to do with the CLI and only expose that17:19
redrobotalee a good example is 2-step secrets17:19
aleeredrobot, whats the long term strategy on the cli ?  are we moving to the openstack clientZ?17:20
redrobotalee 2-step workflow was put in place because of JSON limitations when working with the HTTP API directly.  but it doesn't make sense to issue 2 cli commands to achieve a secret store, because we can address that limitation in code and never have to expose it to the user.17:20
aleebecause if we are -- then I'm not sure how much effort we should put into prettyfying the cli.17:20
redrobotalee We have an initial plugin for the unified CLI that jaosorior worked on17:20
redrobotalee but it mostly looks like the current cli17:21
redrobotalee with warts and all17:21
redrobotalee I would like to completely revamp it with silos17:21
aleeredrobot, right - but maybe we should fix it there17:21
aleeat this point, I'm not sure who is using the cli -- certainly I'17:21
redrobotalee yeah, that would work for me17:21
aleeI'm the first one to notice that key gen cli has changed17:22
aleeand thats because I use it in my puppet-openstack ci test17:22
aleeand they're all broken now17:22
aleeredrobot, we need to put a stick in the sand and start thinking about api compatibility17:23
silosI think this also raises the necessity for better testing. I feel like backwards compatibility should be a common use case when testing changes to the client.17:25
aleesilos, yes17:25
openstackgerritMerged openstack/barbican: Typo change Barbican to barbican Closes-Bug: 1542508
openstackbug 1542508 in Barbican "Welcome page typo" [Undecided,In progress] - Assigned to Luz Cazares (luz-cazares)
*** su_zhang has joined #openstack-barbican17:53
*** alee is now known as alee_lunch17:58
openstackgerritDouglas Mendizábal proposed openstack/barbican: Update and reorganize the doc landing page.
hockeynutgreetings barbicaneers - not sure why I feel like being a masochist but I am digging into content types today and I want to pose a question for y'all.19:06
hockeynutspecifically talking about GET secret with /payload19:06
hockeynutand Accept header19:06
hockeynutold (and likely incorrect) behavior - when you create a secret as binary, then GET /payload with accept:text/plain it will convert for you19:07
hockeynutwe have tests (RSA in particular) that validate that behavior19:07
hockeynutI am working on a CR to fix a few http 500 errors in get secret payload with Accept header and one side effect is that we will no longer do that automagic conversion19:08
woodster_hockeynut:  I thought we had decided not to do conversions a long time ago... :\19:09
hockeynutbefore I put the CR up and then run like holy hell I want to run it past y'all.  In particular I'd like to hear from Ozz (who isn't on at the moment) dave-mccowan rellerreller and some of the other oldtimers who have felt the content type pain before :-)19:10
hockeynutwoodster_ thats what I thought, but the RSA tests seem to say otherwise.  Unless they were written to the behavior which now appears to be incorrect.19:10
hockeynutI will gladly dig thru those tests and update and we could discuss on gerrit, but this is a heads up to be sure that no one is depending on that behavior in the real world19:11
rellerrellerhockeynut what are you seeing?19:12
rellerrellerCan you provide more details? I'm imagining that you are inputting a secret as base64(pem(pkcs#8)).19:14
rellerrellerhockeynut what is the return you are seeing?19:14
hockeynutan example: RSATestCase.test_rsa_store_and_get_container_with_passphrase now fails with a 406 because the content type passed in doesn't match the content type used when the secret was created19:15
hockeynut(that content type match enforcement is new with my fix)19:17
rellerrellerhockeynut I did not think that there was any conversion on the return. I thought everything was expected in base64 format and returned in that format.19:18
rellerrellerhockeynut It's been so long, and I've tried to erase this from memory. I can't remember anymore.19:18
hockeynutrellerreller if you create a secret with base64 then retrieve with text you can see what I mean.  I took the text string"mypayload"...base64'd it...and used that to create a binary secret.  Then I did a GET /payload with Accept:text/plain and I got back "mypayload"19:19
hockeynutand you, sir, are very smart to forgot anything remotely related to content type19:19
hockeynutand we shall see how client tests handle it19:20
* hockeynut is regretting going into programming, especially when crime pays so much better19:20
*** alee_lunch is now known as alee19:28
diazjfredrobot ping19:48
*** silos has joined #openstack-barbican19:52
*** ccneill has joined #openstack-barbican19:53
*** ccneill has left #openstack-barbican19:56
*** gyee has joined #openstack-barbican19:58
silosredrobot, alee: I made an etherpad with my initial thoughts for revamping the client:
silosI will mention it again in Monday's meeting.20:32
silosFor everyone.20:32
diazjfredrobot, just wanted to see if you have a scheduled time for the guild meetup next week, and I just checked got all 5 votes :)!!!!!!21:02
redrobotdiazjf I don't have a  time yet.. still working with my boss to get something scheduled.21:03
redrobotdiazjf do you have a preference for Austin vs SA, or all-day/afternoon+evening/evening only?21:03
diazjfredrobot, no preference, whatever works for you.21:04
aleesilos, thanks - will take a look shortly21:19
*** silos has quit IRC21:19
mp1silos great suggestions for client changes; I made some comments on the etherpad21:19
*** silos has joined #openstack-barbican21:21
