Wednesday, 2016-06-15

<kota_> good morning [01:10]
<openstackgerrit> Kota Tsuyuzaki proposed openstack/swift: Avoid docs warning: Duplicate explicit target name  https://review.openstack.org/329307 [02:20]
<jrichli> notmyname, acoles: I also did not see the diff. I will take a look first thing when I start work in about 8 hours, though (I assume the diff will be posted then) [04:17]
<timburke> jrichli: go to sleep! [04:27]
<acoles> notmyname: jrichli sorry, missed the paste of link to diff, on gerrit now and https://gist.github.com/alistairncoles/17d08e820f5e7026ea59234177dacdab [07:16]
<kota_> done for walking through encryption-2. probably changes are getting bigger walking to the tail of chain :/ [12:16]
<kota_> stop today's work here, preparing to get back home. [12:17]
<jrichli> acoles: +1 on diff. I like the simplicity [13:03]
<acoles> kota_: actually the 2nd patch may be the toughest for review. thanks for your comments. [13:04]
<acoles> jrichli: ack [13:04]
<notmyname> acoles: brief glance at your diff, and it looks good [15:02]
<notmyname> /commuting [15:02]
<acoles> timburke: kota_: thanks for great reviews on patch 328294, I replied to all your comments even when a reply wasn't necessary just to help me keep track of things. [15:21]
<patchbot> acoles: https://review.openstack.org/#/c/328294/ - tripleo-quickstart - add ssh config to collect-logs (MERGED) [15:21]
<acoles> If I missed anything please shout. [15:21]
<acoles> yeah, not that one, patch 328204 [15:22]
<patchbot> acoles: https://review.openstack.org/#/c/328204/ - swift (feature/crypto-review) - Support for http footers - Replication and EC [15:22]
<acoles> I'm sure the other is great too [15:22]
<jrichli> I was wondering what sort of performance testing had been performed on EC when it was going through the final review chain process. [15:43]
<notmyname> jrichli: intel had a pile of hardware they did some tests with. we did some in our lab [15:46]
<jrichli> notmyname: ok, thx. I knew that testing had occurred, but wasn't sure of the time line [15:48]
<notmyname> hmmm...it was close-ish to when the feature landed. I think it was presented at the summit after it landed [15:48]
<jrichli> how much perf testing do we need of crypto before it lands? [15:49]
<timburke> good morning [15:58]
<ma9> hi [15:58]
<notmyname> hi [15:59]
<notmyname> timburke: what's up? sorry, giving reports... [15:59]
<ma9> does anybody know… is it possible to configure Keystone to trust the SSH authentication which happened on a machine [15:59]
<ma9> that means [15:59]
<ma9> who logs in this machine can push files into Swift without need to type his password [16:00]
<ma9> Kerberos could be an option, but the people who log into this machine might enter with SSH keys [16:00]
<ma9> so then there would not be a Kerberos token [16:00]
<timburke> ma9: that might be a better question for #openstack-keystone; the way i imagine it working would still require that you contact keystone to obtain an auth token, and that auth token would be used with swift in the normal way [16:02]
<ma9> i'll ask there as well [16:02]
<timburke> there might also be something you could do with client certificates, but i think it would require a decent bit of development to have proper user separation [16:25]
<timburke> (at least, if you *just* use client certs and bypass keystone) [16:26]
<ma9> in iRODS (something vaguely similar to swift) one can put a secret key readable only by a system user in a folder. When a user does an upload/download operation when logged on that host, the client application runs a SETUID binary which includes that key into hits request… that works as a token that certifies he logged correctly on that machine and is therefore trusted [16:29]
<ma9> *into his request [16:29]
<timburke> so would every user that logs in auth with the same keystone/swift credentials? you could probably do something similar fairly easily; have your system user own a script that provides credentials then wraps swiftclient and only he can read/modify/execute, and build a SETUID binary to wrap *that*. you'll need to take some care to disable debugging output, though, as it would include the token sent to swift [16:42]
<openstackgerrit> Petr Kovar proposed openstack/swift: Add install-guide for swift  https://review.openstack.org/330070 [16:43]
<ma9> no, every user would use his own account [16:45]
<ma9> just the authentication trust is delegated to the fact that the user logged in that server via SSH [16:46]
<ma9> irods is doing some tricks which i guess are not really 'standard'.. maybe in keystone it's not possible to do it (yet?) [16:47]
<notmyname> ma9: I just talked to some other people here (swiftstack office) about that. we've run in to the "SSO sure would be nice" request before, and we currently support AD/LDAP in our product separate from keystone. but we haven't done the SSO stuff yet [16:52]
<notmyname> ma9: so I say that because I was hoping for a better answer than the one you were getting (ie "good luck with keystone"). so take heart that you aren't the only one who's looked in to it, but unfortunately, I don't think anyone has done any SSO with swift to date [16:54]
<notmyname> acoles: shall I assume you'll be pushing a new patch chain tonight? [16:55]
<acoles> notmyname: yes [16:55]
<notmyname> I'm hoping that's more than "you can assume anything you like" ;-) [16:56]
<ma9> thanks notmyname [16:56]
<openstackgerrit> Or Ozeri proposed openstack/swift: Raise 412 response on expirer  https://review.openstack.org/326903 [16:59]
<acoles> notmyname: :) yes, patches will come [17:47]
<openstackgerrit> Travis Tripp proposed openstack/swift: WIP Oslo.messaging middleware  https://review.openstack.org/249471 [18:26]
<notmyname> jrichli: you said something last week IIRC about getting reaperhulk or others to go over the crypto code. did that happen? [18:48]
<notmyname> jrichli: I'm looking at the Crypto class and the iv generation and basically thinking "well, looks like it doesn't have any syntax errors. no idea if it's 'good' or not" [18:49]
<jrichli> we only got feedback from one of those people: cca / ccachin [18:49]
<jrichli> i will ping again [18:49]
<notmyname> like the derived iv seems based on md5? I thought that was bad? but I really don't know [18:50]
<openstackgerrit> Daisuke Morita proposed openstack/swift: WIP: Changing Policies  https://review.openstack.org/209329 [18:50]
<jrichli> the iv is only derived for the md5. it is derived from the path. there is a small explanation of this in the docs, but I was working on another explanation to have in the code. [18:52]
<jrichli> there is a way, with this, that an attacker could determine if different versions of objects put at the same path are equal. [18:52]
<jrichli> but the contents would not be revealed. you can also see the discussion at : https://etherpad.openstack.org/p/swift_encryption_issues [18:53]
<jrichli> for the body, we use random ivs [18:54]
<jrichli> notmyname: the challenge is: we need the if-match to work without fetching saved-off info. that sort of removes any chance for randomness ... [18:57]
<notmyname> jrichli: I think you're still quite a few steps ahead of me in understanding the details of how it's put together :-) [18:58]
<timburke> jrichli: contents of the body, or of the etag? if the attacker could determine a limited set of possibilities for one of the etags (say, because the size of the object was a single byte), will that cause problems? [18:59]
<jrichli> timburke: I think I understand what you are getting at. I think the 1 byte example is not a concern - cause there isn't much hiding there no matter what you do. [19:03]
<jrichli> I'll have to think about cases along those lines, tho [19:03]
<timburke> for the etag of the single-byte object, sure; it's unavoidable. what about the other, larger object that was PUT to the same path? i think the set of possible values (from the attacker's perspective) for its etag goes from 2**128 to 2**8 [19:07]
<jrichli> timburke: I would be interested in seeing how you derived that number. this is the set of possible values expressed in terms of what variable(s)? the root secret does come into play here [19:13]
<timburke> jrichli: the 2**128 is the space of all possible MD5s. since we know that the same key and iv was used, we know that small_etag_p xor small_etag_c == large_etag_p xor large_etag_c (with _p and _c marking each as plaintext or ciphertext). so we know that large_etag_p will be large_etag_c xor small_etag_c xor small_etag_p for one of the 2**8 possible values of small_etag_p [19:19]
* timburke lunches [19:20]
<jrichli> timburke: I will be able to think deeper on this later today. i'll get back with you. thanks for the details :-) [19:29]
<timburke> jrichli: sounds good, thanks. fwiw, notmyname pointed out while we were waiting for lunch that if you have the container db, you may have a decent chunk of the history for the objects in that container as deleted rows [19:52]
<acoles> notmyname: timburke kota_ cschwede jrichli torgomatic new version of all crypto-review patches just pushed (gerrit-bot didn't announce them) [19:55]
<acoles> thanks for all the comments! [19:56]
<timburke> acoles: i thought i saw a bunch of emails just now ;-) [19:56]
<acoles> back later for meeting [19:58]
<jrichli> timburke: btw, to answer the first question you had asked me, I meant contents of the body. I think for etags, we need to think about how vulnerable the obj body is if the etag is known. [20:00]
<jrichli> I have heard this one debated. [20:01]
<timburke> jrichli: yeah, and it gets messy quick if we start wanting to worry about things like digital signatures that may be based on the MD5 of the object [20:04]
<timburke> hmm...i should look at how swauth stores passwords... [20:04]
<kota_> morning [20:55]
<dmorita> morning, kota_ [20:55]
<kota_> dmorita: o/ [20:56]
<notmyname> meeting time in #openstack-meeting [20:59]
<notmyname> joeljwright: are you able to follow up on the docs version sidebar patch, or shall I? [21:06]
<joeljwright> I saw another comment today [21:06]
<joeljwright> I'll follow up on it now [21:06]
<notmyname> thanks [21:07]
<notmyname> acoles: I think clayg is back next week, so I'm sure we'll have a lot more crypto patches when he gets a hold of it ;-) [21:37]
<acoles> notmyname: yeah I am waiting for the onslaught ;) [21:38]
<notmyname> maybe we can get it good enough before he gets to it (unlikely) ;-) [21:38]
<jrichli> notmyname: I was just wondering about clayg :-) [21:38]
<timburke> acoles: what, am i not doing a good enough job? :P [21:38]
<acoles> notmyname: can't we land it late on Sunday :P [21:38]
<notmyname> lol [21:38]
<acoles> timburke: no, no, you are doing just fine :D [21:38]
* acoles wonders what tomorrow will bring to his inbox [21:40]
<acoles> good night! [21:40]
<openstackgerrit> Merged openstack/swift: Catch AttributeError less often  https://review.openstack.org/329713 [21:40]
<jrichli> I was thinking torgomatic probably has good suggestions for us not only for footers, but on the crypto iv/key stuff that notmyname was looking at [21:40]
<jrichli> acoles: good night [21:40]
<kota_> acoles: good night [21:41]
<joeljwright> notmyname: I have replied to the sidebar comments, and I'll follow up as soon as I get a definitive answer about defining the new config var [21:48]
<notmyname> joeljwright: I appreciate it. thanks [21:49]
<notmyname> joeljwright: so I just checked the news. why did you have a naval battle in the middle of london today? I thought my country's politics were crazy [21:52]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/swift: Updated from global requirements  https://review.openstack.org/88736 [21:52]
<notmyname> jrichli: woohoo! reaperhulk just left a comment on the patch chain. means he's at least looking at it :-) [21:59]
<jrichli> i just pinged him after the meeting :-) [21:59]
<notmyname> thanks :-) [21:59]
<notmyname> timburke: remember how we were talking about the iv derivation. well, I changed the code and a whole bunch of tests work. from this I can conclude it's probably the way it is for a reason [22:47]
<notmyname> s/work/broke/ [22:47]
<notmyname> not sure how I made that typo [22:47]
<timburke> hahaha [22:47]
