Thursday, 2015-01-15

« Wednesday, 2015-01-14 Index Friday, 2015-01-16 »
*** ametts has quit IRC00:01
*** chlong has joined #openstack-barbican00:06
*** kebray has quit IRC00:10
*** kgriffs is now known as kgriffs|afk00:22
*** kgriffs|afk is now known as kgriffs00:22
*** atiwari has quit IRC00:26
*** jkf has quit IRC00:34
*** ryanpetrello has joined #openstack-barbican00:35
*** ryanpetrello has quit IRC00:39
*** kgriffs is now known as kgriffs|afk00:42
*** rm_mobile| has joined #openstack-barbican00:49
*** rm_mobile| has quit IRC00:49
*** rm_mobile has quit IRC00:52
*** ryanpetrello has joined #openstack-barbican01:00
*** jaosorior has quit IRC01:03
*** ryanpetrello has quit IRC01:07
*** ryanpetrello has joined #openstack-barbican01:09
*** ryanpetrello has quit IRC01:18
*** gyee has quit IRC01:21
*** ryanpetrello has joined #openstack-barbican01:32
*** ryanpetrello has quit IRC01:37
*** bdpayne has quit IRC01:42
*** david-lyle has joined #openstack-barbican01:43
*** david-lyle has quit IRC02:06
*** kebray has joined #openstack-barbican02:14
*** kebray has quit IRC02:15
*** david-lyle has joined #openstack-barbican02:16
*** david-lyle has quit IRC02:19
*** kebray has joined #openstack-barbican02:22
*** david-lyle has joined #openstack-barbican02:23
*** david-lyle has quit IRC02:42
*** david-lyle has joined #openstack-barbican02:43
*** david-lyle has quit IRC02:49
*** zz_dimtruck is now known as dimtruck02:50
*** woodster_ has quit IRC02:50
*** david-lyle has joined #openstack-barbican02:56
*** ryanpetrello has joined #openstack-barbican02:58
*** crc32 has quit IRC03:07
*** david-lyle has quit IRC03:32
*** ryanpetrello has quit IRC03:54
*** chlong has quit IRC04:06
*** woodster_ has joined #openstack-barbican04:11
*** chlong has joined #openstack-barbican04:11
*** chlong_ has joined #openstack-barbican04:13
*** chlong has quit IRC04:17
*** chlong_ has quit IRC04:18
*** chlong has joined #openstack-barbican04:24
*** chlong_ has joined #openstack-barbican04:26
*** chlong has quit IRC04:27
*** chlong__ has joined #openstack-barbican04:28
*** chlong_ has quit IRC04:29
*** chlong_ has joined #openstack-barbican04:29
*** chlong_ has quit IRC04:32
*** chlong has joined #openstack-barbican04:32
*** chlong__ has quit IRC04:33
*** chlong has quit IRC04:34
*** rm_you| is now known as rm_you04:51
*** chlong has joined #openstack-barbican05:00
*** chlong_ has joined #openstack-barbican05:01
*** jamielennox is now known as jamielennox|away05:02
*** chlong has quit IRC05:04
*** jamielennox|away is now known as jamielennox05:05
*** chlong__ has joined #openstack-barbican05:06
*** chlong_ has quit IRC05:09
*** chlong has joined #openstack-barbican05:12
*** chlong__ has quit IRC05:12
*** chlong has quit IRC05:12
*** kebray has quit IRC05:16
*** kebray has joined #openstack-barbican05:19
*** jamielennox is now known as jamielennox|away05:22
*** jamielennox|away is now known as jamielennox05:22
*** ayoung has quit IRC05:23
*** chlong has joined #openstack-barbican05:25
*** ayoung has joined #openstack-barbican05:25
*** chlong has quit IRC05:31
*** chlong has joined #openstack-barbican05:31
*** chlong has quit IRC05:34
*** Nirupama has joined #openstack-barbican05:36
*** chlong has joined #openstack-barbican05:40
*** chlong_ has joined #openstack-barbican05:41
*** chlong has quit IRC05:45
*** trey has quit IRC06:10
*** dimtruck is now known as zz_dimtruck06:15
*** woodster_ has quit IRC06:20
*** kebray has quit IRC06:58
*** jamielennox is now known as jamielennox|away07:24
*** chlong_ has quit IRC07:39
*** jamielennox|away is now known as jamielennox10:34
*** Nirupama has quit IRC11:47
*** jamielennox is now known as jamielennox|away12:03
*** chlong_ has joined #openstack-barbican12:09
*** woodster_ has joined #openstack-barbican13:00
*** ayoung has quit IRC13:27
*** darrenmoffat has quit IRC13:27
*** darrenmoffat has joined #openstack-barbican13:28
*** alee has quit IRC13:48
*** chlong_ has quit IRC13:56
*** ayoung has joined #openstack-barbican14:26
*** ametts has joined #openstack-barbican14:48
*** kgriffs|afk is now known as kgriffs14:50
*** zz_dimtruck is now known as dimtruck14:56
*** paul_glass has joined #openstack-barbican14:58
*** alee has joined #openstack-barbican15:04
*** lisaclark1 has joined #openstack-barbican15:23
*** kebray has joined #openstack-barbican15:27
*** kebray has quit IRC15:28
*** kebray has joined #openstack-barbican15:32
*** rellerreller has joined #openstack-barbican15:33
*** kebray has quit IRC15:35
*** nkinder is now known as nkinder_away15:40
*** SheenaG1 has joined #openstack-barbican15:41
*** ryanpetrello has joined #openstack-barbican15:50
*** lisaclark1 has quit IRC15:55
*** lisaclark1 has joined #openstack-barbican15:55
*** kebray has joined #openstack-barbican15:56
*** SheenaG1 has quit IRC16:06
*** SheenaG1 has joined #openstack-barbican16:16
woodster_alee, are all your db issues worked out?16:27
aleewoodster_, so far, I think so -- see the patch I attached16:28
aleewoodster_,  I had some questions in the tests for ProjectCA etc ..16:28
aleewoodster_, and I may get your help later in creating the alembic scripts16:28
aleewoodster_, working on a first pass for the repos and controllers now.16:29
woodster_alee, I had sent this after you left I think: this is how I've done db migrations in the past: https://github.com/cloudkeep/barbican/wiki/Database-Migrations16:29
*** dimtruck is now known as zz_dimtruck16:30
aleewoodster_, yup saw that .. I need to try it once I get through this next set of patches16:30
aleewoodster_, I'm hoping to have a first pass of the "Identify CAs" feature working by the end of the week.16:31
woodster_alee, no problem. I'll take a look at the patch today16:31
aleethen go back to focus on "stored key" enrollment case next week.16:31
aleewoodster_, you started implementing the scheduler for cert request processing yet?16:32
*** zz_dimtruck is now known as dimtruck16:35
woodster_alee, yes, we have been creating stories to get that work done. I'll going to be revisiting that sub-status stuff we had discussed end of Aug last year as well.16:38
*** jorge_munoz has joined #openstack-barbican16:39
aleewoodster_, ok -- quick question on pecan --> say I want to create a method in my controller for POST /cas/{ca_id}/add-to-project16:40
aleewoodster_,  how do I define that so it gets routed correctly?16:41
ryanpetrelloalee: http://pecan.readthedocs.org/en/latest/rest.html16:41
ryanpetrello"Writing RESTful Web Services with Generic Controllers" is how the Barbican folks write their controllers16:42
woodster_alee, well you start with the app.py's create_main_app() method's RootController to setup the base resources, like the /cas one there16:42
woodster_alee, so you'd have a CasController probably hooked in there16:43
aleewoodster_, right I get that far -- so .. for example ..16:43
woodster_alee, that CasController would then have a _lookup method that is used to work on the next slash element int he resources...so the /cas/{ca_id} part there16:44
woodster_alee, so that would be a CaController...yep16:44
aleeI know that to define GET /cas/{ca_id}/cacert , I need a method called cacert() in CAController16:44
aleeryanpetrello, woodster_ - so now I need  to know how to define the method in CAController for POST /cas/{ca_id}/add-to-project16:45
aleepresumably I need something like def add_to_project()16:46
aleehow do I get that to route fro POST /add_to_project ?16:46
aleelooks like I need to define _custom_actions() ?16:46
ryanpetrelloyou could also use a `_lookup`16:47
ryanpetrellowith a dictionary that mapped the path chunk to some handler16:47
aleeryanpetrello, you have an example somewhere?16:48
ryanpetrelloI can create one, gimme a bit16:48
aleeryanpetrello, thanks -- coz I need to map both the path add-to-project  --> add_to_project  and define the method16:49
ryanpetrellok16:49
ryanpetrelloyou only want to handle POST ?16:49
aleeryanpetrello, for this path yes16:50
woodster_It seems like the @expose def my_function approach is the cleanest?16:50
ryanpetrelloyea, there are a handful of ways to do this16:50
*** hyakuhei has joined #openstack-barbican16:50
woodster_I guess if we want to lookup a controller to  handle things though (my preference), we should use the _lookup approach if possible16:51
*** jorge_munoz has quit IRC16:51
aleewoodster_, @expose def my_function still needs some decorators to go from add_to_project -> add-to-project , and define the method -- but I'll wait to see what ryanpetrello comes up with :)16:53
woodster_ryanpetrello, thanks once again for your help!16:54
ryanpetrelloyea, thinking about a saner way to do this16:54
ryanpetrellothis is one aspect of pecan that's annoying - when you want a path that isn't a valid Python function name16:54
aleewoodster_, incidentally, I'm booked to be at the mid-cycle. staying at the Omni.16:54
aleeyup16:55
woodster_alee, nice! I need to actually get my hotel booked16:55
*** tkelsey has joined #openstack-barbican16:57
*** kebray has quit IRC17:01
*** bdpayne has joined #openstack-barbican17:03
woodster_alee, in the cert spec (http://specs.openstack.org/openstack/barbican-specs/specs/kilo/certificate-order-api.html) option 3, is that a public key ref there, or really a private/public key pair (in a container)? I'm just thinking that a CSR signed by private key has to be generated by barbican for option 3, to then send to the CA to cut the cert.17:03
aleewoodster_,  yeah - I need to update that spec.17:04
woodster_alee, ok, just making sure I'm following it! That will be a mode we use here frequently I think17:04
aleewoodster_,  when I did the implementation, I realized that I needed to get the private key to sign the csr17:04
aleewoodster_, so I changed it to be a reference to the container17:05
ryanpetrelloalee: are you planning on handling different methods for `add-to-project` ?17:07
ryanpetrelloor only HTTP POST?17:07
aleewoodster_, I'm assuming that the path we want is /cas/{id}/add-to-project instead of .../add_to_project, right?17:08
aleeryanpetrello, just POST17:08
aleeryanpetrello, I have a few paths like this -- but they are all POST17:09
ryanpetrellookay17:09
ryanpetrelloso I'm trying to think of the least gross way to accomplish this17:09
ryanpetrellobecause of the - in the path17:09
ryanpetrelloI want to maybe take this and turn it into a generalized decorator at some point for pecan17:09
ryanpetrellomaybe something where you could do @expose(alternate_path='add-to-project')17:10
aleeright .. that would be a good idea -- thats exactly the decorator I was looking for :)17:10
ryanpetrellohttps://gist.github.com/ryanpetrello/363fa3b3f00472d997fd17:10
ryanpetrellobut for now, this is what said decorator would actually be doing17:10
rm_workredrobot: are you guys driving to austin every morning for the thing, or are you hotel-ing?17:10
ryanpetrellomight actually be a class decorator or something17:11
ryanpetrelloI dunno, I need to come up with a syntax I like here17:11
redrobotrm_work Barbican mid-cycle?  We're hoteling...  Most people are staying at the Omni17:11
ryanpetrellothis is a pecan complaint I've seen before, and I don't really have a great approach to it17:11
*** jorge_munoz has joined #openstack-barbican17:11
ryanpetrelloyou could also accomplish the same thing with a _lookup that mapped the special name to the method, but I like that less17:11
rm_workredrobot: k… i am debating what i want to do, because "cheap" is the operative requirement17:11
redrobotrm_work I'll probably be staying somewhere cheaper so I can go there the night before, instead of having to drive out the day of...17:11
aleeryanpetrello, cool - thanks -- I can work with this.17:12
ryanpetrellookay, cool17:12
ryanpetrelloI'll be thinking about a way to provide a helper for this sort of thing in pecan17:12
aleeryanpetrello, right - this would be something that would come up if the convention is to use "-" for instance17:12
ryanpetrellothe correct approach for that implementation, though, is probably overriding __getattr__ on the class17:12
ryanpetrellobecause that's how pecan's object dispatch traversal on path chunks works17:12
ryanpetrelloit looks to see if the instance has a member/attribute with that name17:13
*** kebray has joined #openstack-barbican17:13
ryanpetrello(and then ensure's that it's marked with @expose)17:13
ryanpetrellos/ensure's/ensures17:13
rm_workrellerreller: today i will probably be taking a crack at doing the whole Castellan first-review, just FYI -- i have the time, and I figure I'd give it a shot, not sure if you guys have had time to get there yet17:14
rellerrellerWe are working on submitting the code for that17:14
rellerrellerrm_work what were you planning on doing?17:14
rm_workrellerreller: ok, should I do it too so we have two examples to look at? or should I just sit and wait? :P17:15
rm_workI don't mind either way17:15
rm_workbut this is pretty much what is on my plate for the day17:15
rm_workday/week17:15
rellerrellerrm_work We are planning to submit the code for the KeyManager interface.17:15
rm_workwas going to do the keymgr + certmgr in the layout i was hoping to see, with the contrib dir for implementations17:16
rm_workjust as a "what-if" example17:16
rm_workbut I guess I thought you guys were busier / further out17:16
rellerrellerrm_work You can add the certmgr. I do not think there will be overalp with our stuff17:16
rm_workrellerreller: I wanted to do it as a followup, because there might be, but also I want to make sure things are all consistent17:17
rellerrellerI know bpoulos is working on getting the code in for you guys soon.17:17
rm_workok17:17
rellerrellerright17:17
rm_workthen maybe I will just wait? but i have this burning desire to get an example up :P17:17
rm_workjust don't want to seem like I'm jumping the gun / ignoring your work17:17
rm_worki'll wait17:18
rellerrellerI would like if we could contribute the KeyManager code, but I do not mind on the other stuff17:18
rm_workyeah that is why i recommended it to begin with, since that was your code17:18
rm_workmaybe I can find other reviews to keep me busy17:18
rm_workin the meantime17:18
rellerrellerWe probably need to work on the other stuff (layout, tox, etc) together anyways, so adding that stuff in there is ok with me17:18
rm_workyeah I had some specific thoughts on the directory/package structure17:19
rm_workmaybe I can get the tox stuff building? if Briana is just focused on the keymgr code17:20
rm_workor… bleh i should just wait17:20
rm_workit's fine, I can occupy myself for a day or two at least :)17:20
aleeryanpetrello, can I just return self.name in the __get_attr__ in case of no match?  that way I only need to define overrrides there ..17:20
rellerrellerI told Brianna to join the irc today17:21
rm_workalright, i'll let her fill me in when she's ready17:21
rellerrellerI will tell her to contact you and you guys can work on the specifics17:21
ryanpetrellowell, keep in mind that __getattr__ is only being called if Python can't already find an attribute of that name, so in this case, you're implementing a fallback17:21
rellerrellerDoes that work, rm_work?17:21
ryanpetrello(that should raise an AttributeError if it can't resolve the name)17:21
rm_workyeah that's fine17:21
rm_workno rush17:21
aleeah cool17:21
rellerrellerExcellent17:21
rm_worki'm about to head to lunch after a few more review comments anyway17:22
rellerrellerEnjoy :)17:22
ryanpetrelloalee: ^17:22
aleeryanpetrello, gotcha thanks17:23
ryanpetrelloalee: I'm brainstorming on a way to do this in pecan17:23
ryanpetrellomaybe something like `@expose(path='some-path-foo')`17:23
ryanpetrellolike an alternative path17:23
aleeryanpetrello, yes - that would be nicer17:24
woodster_ryanpetrello, alee, it seems like the _lookup approach using the map is the best approach for the current pecan version though?17:24
aleewoodster_, do you mean this ? https://gist.github.com/ryanpetrello/363fa3b3f00472d997fd17:26
woodster_alee, oh I see, yeah that makes sense. Does that work then?17:27
aleewoodster_, I'll let you know :)17:28
woodster_alee, rm_work, so are we ready to cut https://review.openstack.org/#/c/127353?? :) I can't wait for rm_work to go CrAzY on that one!!!17:36
aleewoodster_, I didn't get the idea that rm_work was going to be working on the server side of that anytime soon ..17:37
aleewoodster_, rm_work - but if he is - I'll get up another version tout de suite.17:38
*** lisaclark1 has quit IRC17:38
aleewoodster_, rm_work - its going to take me some to time to finish cert stuff, and "identifying cas' first -- so if we can get someone else to start implementing "per secret acls", that would really help.17:39
woodster_alee, I was merely hopeful that rm_work could get cycles to work on that RBAC stuff, but probably wishful thinking17:42
rm_workheh17:43
*** hyakuhei has quit IRC17:43
aleewoodster_, I merely hopeful too :)17:43
rm_workwell, i could use something to do TODAY while I wait for briana on castellan :P17:43
rm_workI assumed I would  be doing mostly the client side stuff on that17:43
rm_workbut i can maybe assist17:43
rm_workwill be back after lunch in like 1.5h17:44
aleerm_work, it might take a little more than a day :)17:44
rm_workalee: :P17:44
alee(or half day as the case would be)17:44
rm_workheh17:44
aleerm_work, woodster_ I'll try get out a new version of the spec by end of the week, so that we can merge it by beginning of next week17:45
rm_workI'll take a look at the latest spec and we can discuss what I might be able to help out with17:45
*** lisaclark1 has joined #openstack-barbican17:45
rm_workkk17:45
aleethat way if rm_work ends up having some time ..17:45
woodster_rm_work, alee I'll settle for that!17:45
aleerm_work,  and that would be great17:45
rm_workit's "necessary for lbaas"… so17:45
rm_workkeep in mind that my sprint planning is NEXT THURSDAY17:45
aleerm_work,  there are certainly subtasks that need to be figured out17:46
rm_workso having a job for me by that point would be good17:46
woodster_rm_work that's what I've been sayin' :)17:46
rm_workotherwise i might get tasked out elsewhere17:46
aleerm_work, oh - finding a job for you is quite easy :)17:46
woodster_rm_work that's what I'm concerned about...look 'busy' over there please17:46
rm_workkk… but i need to be able to explain the components by thursday :P17:46
aleerm_work, take a look at latest spec and we'll chat after lunch17:47
woodster_rm_work, that bp is probably close enough to do that anyway17:47
rm_workkk17:47
rm_workbbl17:47
*** lisaclark1 has quit IRC17:49
*** lisaclark1 has joined #openstack-barbican17:49
*** ayoung is now known as ayoung-gym17:50
*** lisaclark1 has quit IRC17:53
*** miqui_ has joined #openstack-barbican17:54
*** hyakuhei has joined #openstack-barbican18:00
*** jkf has joined #openstack-barbican18:01
*** dimtruck is now known as zz_dimtruck18:01
*** alee is now known as alee_lunch18:01
*** bdpayne has quit IRC18:02
*** zz_dimtruck is now known as dimtruck18:07
*** crc32 has joined #openstack-barbican18:08
*** jorge_munoz has quit IRC18:08
*** jorge_munoz has joined #openstack-barbican18:13
*** hyakuhei has quit IRC18:17
*** hyakuhei has joined #openstack-barbican18:17
*** rellerreller has quit IRC18:19
*** jaosorior has joined #openstack-barbican18:23
elmikohey folks, i'm doing some research into the possibility of using barbican in sahara. i'm having a little confusion about the general usage of barb, would anyone be willing to talk me through a few common use cases?18:26
elmikoor point me at some docs =)18:26
*** hyakuhei has quit IRC18:26
reaperhulkelmiko: our team is at lunch but someone can help you a bit this afternoon18:29
reaperhulkwell, most of our team that is ;)18:30
elmikoreaperhulk: awesome, thanks!18:30
*** rellerreller has joined #openstack-barbican18:30
*** hyakuhei has joined #openstack-barbican18:35
*** rcarrillocruz has joined #openstack-barbican18:40
openstackgerritMerged openstack/barbican: Enable functional tests to take a regex from tox  https://review.openstack.org/14646818:42
*** dimtruck is now known as zz_dimtruck18:53
*** jorge_munoz_ has joined #openstack-barbican18:53
*** jorge_munoz has quit IRC18:54
*** jorge_munoz_ is now known as jorge_munoz18:54
*** zz_dimtruck is now known as dimtruck18:56
*** tkelsey has quit IRC19:02
*** hyakuhei has quit IRC19:03
*** gyee has joined #openstack-barbican19:10
*** lisaclark1 has joined #openstack-barbican19:12
*** kgriffs is now known as kgriffs|afk19:12
*** kgriffs|afk is now known as kgriffs19:13
*** lisaclark1 has quit IRC19:14
*** hyakuhei has joined #openstack-barbican19:22
*** hyakuhei has quit IRC19:23
*** ayoung-gym is now known as ayoung19:24
*** lisaclark1 has joined #openstack-barbican19:25
*** SheenaG1 has quit IRC19:25
*** SheenaG1 has joined #openstack-barbican19:28
*** hyakuhei has joined #openstack-barbican19:29
*** hyakuhei has quit IRC19:29
*** alee_lunch is now known as alee19:43
*** david-lyle has joined #openstack-barbican19:49
hockeynutdstufft https://review.openstack.org/#/c/147160/ liked the latest recheck...19:53
*** lisaclark1 has quit IRC20:01
*** jorge_munoz has quit IRC20:03
*** rellerreller has quit IRC20:07
jaosoriorhockeynut: answered your comment regarding this CR https://review.openstack.org/#/c/146467/20:10
*** kgriffs is now known as kgriffs|afk20:10
hockeynutjaosorior thanks, +2'd it20:11
jaosorioryay :D20:11
*** jorge_munoz has joined #openstack-barbican20:12
*** kgriffs|afk is now known as kgriffs20:13
elmikohey folks, i was poking around earlier but i think everyone was at lunch. i'm curious if anyone would talk me through some common use cases for barbican?20:14
elmikoi'm doing some research on how we can integrate barb usage in sahara20:14
elmikoi have a few ideas, but i think i might be doing things in a weird(read: non-standard) way20:14
*** david-lyle has quit IRC20:15
redrobotelmiko I guess the first use case we worked towards was storage of cryptographic keys.  e.g. I need to do some crypto work, but instead of keeping the key in a local file I can fetch it from barbican.20:19
elmikoredrobot: ok, that makes sense from the docs. would you store the cleartext key?20:20
redrobotelmiko so rellerreller is working on this BP https://review.openstack.org/#/c/145073/ to solidify the exact formats for keys.  as of now barbican just stores a binary blob and it's up to you to decide what format that will be.20:22
elmikoredrobot: ok, so if i wanted to encrypt a secret and store it in barbican, that would be proper?20:22
redrobotelmiko as long as it's something small, it should be ok.  we have a (configurable) limit of 10K on a secret20:23
redrobotelmiko this is because we don't want to be a general storage service20:23
elmikoredrobot: yea, nothing huge just like a password or something20:23
redrobotelmiko ie, we dont want to be "encrypted swift"20:23
elmikoredrobot: gotcha20:23
elmikoredrobot: i'm a little confused about hitting the /secrets endpoints too, is it the case that i do not need an X-Auth-Token to hit these in a live environment?20:24
redrobotelmiko we have this Django app we've been working on for hack days called Stockade.  It's a password management and sharing site (ie to share passwords in a team) that stores the PWs in Barbican https://github.com/cloudkeep/stockade20:25
elmikoredrobot: cool, i will check that out20:25
redrobotelmiko in a live environment we expect that barbican would be deployed alongside keystone, so you would need to auth with Keystone first, then use the token to talk to Barbican20:26
elmikoredrobot: ok, that makes sense20:26
elmikoredrobot: part of what i'm researching is the idea that our controller node could encrypt something using the public part of a key from the target, then store that ciphertext something in barbican, the target would then grab the something from barbican and us it's private key to decrypt.20:28
elmikoredrobot: but i had been playing with the local version of barb and using it without keystone auth...20:28
elmiko(which was actually making my job easier)20:29
*** kebray has quit IRC20:29
redrobotelmiko in that case I would think you'd want to store the private/public keys in Barbican.  The ciphertext should be ok to store anywhere since it's encrypted. :)20:29
elmikoredrobot: yea, you can see some of my confusion20:30
elmikoredrobot: in this case though we would still need to have some credentials at our target for getting access to barbican. i feel like i'm stuck in a real chicken/egg situation20:30
redrobotelmiko hehe, yeah... key management is hard... a few folks have described it as just "moving the goalpost"20:32
elmikoredrobot: totally...20:32
elmikoredrobot: many thanks for talking that through with me, i've got much more to think about now =)20:33
redrobotelmiko in the case of swift, maybe they'd have a key per tenant, so they would need to manage thousands of keys, so it's easier to just manage the one set of keystone credentials and let Barbican worry about the individual keys.20:33
redrobotelmiko you're welcome!  let me know if can help with anything else...20:34
elmikoredrobot: that's similar to what we are doing now. we create a proxy user then assign a trust to that user and distribute those credentials to our nodes.20:34
elmikoredrobot: but i'm still concerned about having the cleartext creds on the nodes, but i guess it might be unavoidable20:35
elmikoredrobot: i was trying to think of something slick where we could use pub/priv rsa keys from the nodes to encrypt a secret and allow the nodes to unencrypt. at least it wouldnt' be cleartext then.20:35
elmikoi'm trying to avoid the whole goalpost moving operation20:36
redrobotelmiko there's been a few ideas tossed around to address that issue.  One that I find really interesting is a project that we're calling Postern.  It's totall vaporware, but the idea is to have some sort of enrollment mechanism (I'm not 100% on how enrollment would work) but then the agent would run on the box and mount a virtual file system, so that an app can just read secrets as if they were files.20:38
redrobotelmiko https://github.com/cloudkeep/postern20:38
elmikoredrobot: interesting...20:38
elmikolol, you weren't kidding about the vapor!20:38
*** ayoung is now known as ayoung-afk20:39
redrobotelmiko hehe yeah... there was a POC at one point...  I think there's a YouTube video somewhere of jraim demoing it.20:40
elmikoredrobot: thanks again, back to the drawing board for me20:42
*** ayoung-afk has quit IRC20:44
*** dimtruck is now known as zz_dimtruck20:46
*** paul_glass has quit IRC20:48
*** zz_dimtruck is now known as dimtruck20:52
rm_workelmiko: also there will soon be an Interface (the Castellan project) to simplify key/cert management in Barbican20:59
elmikorm_work: thanks, i've got that one starred. i haven't dug too deeply yet, is it possible to start playing around with it?21:01
rm_workelmiko: it should be easy to start playing around with Barbican in general (i take it you already have), but the interface is already in Cinder as "keymgr" and you could look at what that is doing21:01
rm_workas that is the basis for Castellan21:01
rm_workas well as the CertManager interface that is in stackforge/Octavia21:02
elmikorm_work: awesome, thanks!21:04
*** dimtruck is now known as zz_dimtruck21:05
rm_workif you need i could probably provide links21:05
rm_workOctavia: https://github.com/stackforge/octavia/tree/master/octavia/certificates21:05
rm_workyou'd be interested mostly in the stuff in common and manager21:06
rm_workgenerator is ... WIP21:06
rm_work(if you care about certs)21:06
elmikook, don't think i've ever seen this stuff before21:06
*** lisaclark1 has joined #openstack-barbican21:06
rm_workwe're pretty bleeding-edge over here on the Octavia/LBaaS team :P21:06
*** kebray has joined #openstack-barbican21:06
aleerm_work, ping me when you've had a chance to re-read the latest per-secret bp21:06
*** lisaclark1 has quit IRC21:06
rm_workdid it update? k21:06
*** lisaclark1 has joined #openstack-barbican21:07
rm_workerr, it still has my -121:07
aleerm_work, sorry - let me rephrase -- I have not updated yet -- I'll get that by end of week (or so)21:07
rm_workah21:07
aleebut I think we can still discuss assigning work based on what is there21:07
rm_workyeah i'll look really quick21:07
aleeits close enough as it is21:08
*** kgriffs is now known as kgriffs|afk21:09
*** kgriffs|afk is now known as kgriffs21:15
*** chlong_ has joined #openstack-barbican21:21
*** SheenaG1 has quit IRC21:24
*** lisaclark1 has quit IRC21:31
*** ayoung has joined #openstack-barbican21:31
*** SheenaG1 has joined #openstack-barbican21:37
*** jorge_munoz has quit IRC21:45
*** david-lyle has joined #openstack-barbican21:46
*** kebray has quit IRC21:48
*** chlong_ has quit IRC21:50
*** jorge_munoz has joined #openstack-barbican21:52
*** zz_dimtruck is now known as dimtruck21:54
*** kebray has joined #openstack-barbican21:58
*** jorge_munoz has quit IRC21:59
*** jorge_munoz has joined #openstack-barbican22:00
*** gyee_ has joined #openstack-barbican22:02
*** gyee has quit IRC22:06
*** dimtruck is now known as zz_dimtruck22:11
openstackgerritNathan Reller proposed openstack/barbican-specs: Content Types  https://review.openstack.org/14507322:13
openstackgerritNathan Reller proposed openstack/barbican-specs: Content Types  https://review.openstack.org/14507322:14
*** jhfeng has joined #openstack-barbican22:19
*** ayoung has quit IRC22:20
*** rcarrillocruz has left #openstack-barbican22:21
jhfengDoes Barbican only support SafeNet HSM ?22:22
jhfengor only tested with SafeNet HSM ?22:22
*** david-lyle has quit IRC22:27
*** ryanpetrello has quit IRC22:32
woodster_jhfeng: there is also KMIP plugin. We are actively working thru issues with the safe net plugin now22:35
*** david-lyle has joined #openstack-barbican22:37
*** alee has quit IRC22:38
*** SheenaG1 has quit IRC22:38
jhfengwoodster_:  ok thanks. I want to use pkcs11 plugin directly if possible.  and I'm having IBM HSM adapter22:39
jhfengso my guess is noone has tested with IBM HSM yet22:40
jhfengis there docuement on how to config ? in order to use HSM, , i mean safenet HSM22:41
woodster_jhfeng: not yet but in theory it's just a matter of changing vendor constants I think, but reaperhulk is the expert on that stuff...he might be in the channel tomorrow or could send him an email too if need quicker answer22:43
*** openstack has joined #openstack-barbican23:01
*** ryanpetrello has joined #openstack-barbican23:06
*** mordred has joined #openstack-barbican23:06
*** morganfainberg has joined #openstack-barbican23:06
*** david-lyle has joined #openstack-barbican23:06
*** Guest49876 has joined #openstack-barbican23:06
*** samueldmq has joined #openstack-barbican23:06
*** kebray_ has joined #openstack-barbican23:06
*** jhfeng has joined #openstack-barbican23:06
*** jaosorior has joined #openstack-barbican23:06
*** miqui_ has joined #openstack-barbican23:06
*** darrenmoffat has joined #openstack-barbican23:06
*** woodster_ has joined #openstack-barbican23:06
*** jraim has joined #openstack-barbican23:06
*** rm_you has joined #openstack-barbican23:06
*** dstanek has joined #openstack-barbican23:06
*** hockeynut has joined #openstack-barbican23:06
*** insequent has joined #openstack-barbican23:06
*** lisaclark has joined #openstack-barbican23:06
*** chellygel has joined #openstack-barbican23:06
*** jillysciarilly has joined #openstack-barbican23:06
*** openstackgerrit has joined #openstack-barbican23:06
*** anteaya has joined #openstack-barbican23:06
*** dstufft has joined #openstack-barbican23:06
*** greghaynes has joined #openstack-barbican23:06
*** toabctl has joined #openstack-barbican23:06
*** erw has joined #openstack-barbican23:07
*** openstackgerrit has quit IRC23:07
*** elmiko has joined #openstack-barbican23:08
*** ametts has joined #openstack-barbican23:08
*** lbragstad has quit IRC23:09
*** kgriffs|afk is now known as kgriffs23:09
*** lbragstad has joined #openstack-barbican23:11
*** reaperhulk has joined #openstack-barbican23:12
*** codekobe has joined #openstack-barbican23:12
*** jkf has joined #openstack-barbican23:12
*** nkinder_away has joined #openstack-barbican23:12
*** redrobot has joined #openstack-barbican23:12
*** openstackgerrit has joined #openstack-barbican23:13
*** ayoung has joined #openstack-barbican23:13
*** jkf has quit IRC23:14
*** redrobot is now known as Guest2931023:14
*** alpha_ori has joined #openstack-barbican23:15
*** crc32 has joined #openstack-barbican23:16
woodster_jhfeng: Paul's email is paul.kehrer@rackspace.com23:21
*** ryanpetrello has quit IRC23:22
*** dougwig has joined #openstack-barbican23:23
woodster_jhfeng: Nate's email (for info on KMIP) is Nathan.Reller@jhuapl.edu23:24
*** david-lyle has quit IRC23:24
*** erw has quit IRC23:28
*** erw has joined #openstack-barbican23:28
*** dougwig has quit IRC23:31
*** dougwig has joined #openstack-barbican23:31
*** alee has joined #openstack-barbican23:31
*** jaosorior has quit IRC23:33
*** ametts has quit IRC23:40
*** chlong has joined #openstack-barbican23:40
*** miqui_ has quit IRC23:52
*** crc32 has quit IRC23:54
*** jhfeng has quit IRC23:57
« Wednesday, 2015-01-14 Index Friday, 2015-01-16 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!