Thursday, 2016-05-19

05:38 <openstackgerrit> Merged openstack/python-barbicanclient: Update mailmap for Douglas Mendizábal  https://review.openstack.org/318346
13:36 <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-barbicanclient: Updated from global requirements  https://review.openstack.org/303151
15:07 <openstackgerrit> Merged openstack/python-barbicanclient: Updated from global requirements  https://review.openstack.org/303151
16:49 <diazjf1> hello everyone, I made an etherpad for the midcycle which I will be updating just add your name if you would be able to attend so I can get a count -> https://etherpad.openstack.org/p/barbican-security-midcycle-N I will discuss in 15 mins and check with the security team in #openstack-meeting-alt
16:49 <diazjf1> redrobot ^
16:51 <kfarr> hey diazjf1 redrobot, is the location and date for sure?
16:51 <redrobot> kfarr no not yet
16:51 <diazjf1> kfarr, redrobot, I think the date should be fine. I'm working on getting some rooms.
16:53 <redrobot> kfarr I was thinking SA or Austin since most devs are in those two cities
16:53 <kfarr> redrobot, makes sense!
16:54 <redrobot> kfarr I was thinking right before feature freeze, but I wouldn't mind pushing that back a few weeks
16:54 <redrobot> kfarr I guess it depends on when diazjf1 can get space... or when we can get space either here at the castle, or Austin Rackspace or SA Geekdom
16:55 <kfarr> redrobot, when you say push back, do you mean push it earlier in August or later?
16:55 <diazjf1> redrobot, I'll most likely be able to get space, but I was hoping to get a budget for food and activities ;)
16:57 <redrobot> kfarr earlier
16:57 <redrobot> kfarr I wouldn't want to do it any later than the week before m-3
17:00 <diazjf1> alee, when do you get back to the states?
17:00 <alee> diazjf1, august 1
17:01 <diazjf1> alee, cool so anytime in August works for you then?
17:03 <alee> diazjf1, yeah - though I'd like a day or two after I get back.
17:03 <diazjf1> alee, haha sure
17:11 <agrebennikov> hi barbican devs, I have a policy question. It turns out that by default policy I cannot use any standalone user for extracting and decrypting the secrets if the user is not an admin of the project the secret is tied to
17:12 <agrebennikov> doesn't it make any sense?
17:12 <agrebennikov> redrobot, can you please help me with that?
17:13 <redrobot> agrebennikov you should be able to retrieve secrets if you have the "admin" "creator" or "observer" role on the project that owns the secret
17:13 <redrobot> agrebennikov see http://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
17:14 <agrebennikov> redrobot, "secret_project_admin": "rule:admin and rule:secret_project_match"
17:14 <agrebennikov> and "secret_project_match": "project:%(target.secret.project_id)s"
17:15 <agrebennikov> which in my understanding means I have to call to barbican retrieving the secret with that project_id
17:15 <agrebennikov> right?
17:15 <redrobot> agrebennikov this is the rule for decrypting https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json#L30
17:16 <agrebennikov> exactly
17:16 <redrobot> agrebennikov which includes https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json#L22
17:16 <redrobot> agrebennikov so, all roles except for audit
17:16 <redrobot> agrebennikov which includes "creator" and "observer"
17:17 <agrebennikov> right, but it still includes rule:secret_project_match
17:17 <redrobot> agrebennikov yes, you need to have a role in the project that owns the secret
17:17 <redrobot> agrebennikov all secrets are scoped to the project, not the user
17:18 <redrobot> agrebennikov if you want to grant access to a user that is not in your project, you might want to look at the ACL api
17:18 <redrobot> agrebennikov http://developer.openstack.org/api-guide/key-manager/acls.html
17:20 <agrebennikov> redrobot, ok, but even if I grant the role and make a call from another project... for some reason it didn't work saying it is forbidden.... so I thought "secret_project_match": "project:%(target.secret.project_id)s" means that I have to provide the token scoped for the project of the secret
17:20 <agrebennikov> let me give you the usecase
17:20 <agrebennikov> I have a user creating the secrets and containers
17:20 <redrobot> agrebennikov decrypt includes "or rule:secret_acl_read"
17:21 <redrobot> agrebennikov so ACL does not require a scoped token
17:21 <redrobot> it shouldn't anyway
17:21 <agrebennikov> redrobot, hm... let me take a look at that chain
17:21 <redrobot> though I wouldn't be surprised if you found an interesting new bug :)
17:22 <agrebennikov> redrobot, emm... "secret_acl_read": "'read':%(target.secret.read)s"
17:22 <agrebennikov> this is confusing
17:22 <agrebennikov> what does it mean?
17:23 <redrobot> agrebennikov target is the entity you're trying to access
17:23 <openstackgerrit> Merged openstack/barbican: Code cleanup  https://review.openstack.org/310557
17:23 <redrobot> agrebennikov I __think__
17:24 <agrebennikov> this is right
17:26 <agrebennikov> but I mean the entire rule
17:26 <redrobot> agrebennikov it's supposed to check whether you've been granted read access to the secret via the ACL API
17:28 <agrebennikov> redrobot, ok, but then how does it create the default acls for secrets and containers?
17:41 <agrebennikov> redrobot, so here is the issue I have:
17:41 <agrebennikov> {
17:41 <agrebennikov>     "read": {
17:41 <agrebennikov>         "project-access": true
17:41 <agrebennikov>     }
17:41 <agrebennikov> }
17:41 <agrebennikov> this is current acl for the secret
17:42 <agrebennikov> my other user has admin role in the project the secret is created in
17:42 <agrebennikov> I issue the token for that user in Another project
17:42 <agrebennikov> and trying to read the acl
17:42 <agrebennikov> {
17:42 <agrebennikov>     "code": 403,
17:42 <agrebennikov>     "description": "SecretACL(s) retrieval attempt not allowed - please review your user/project privileges",
17:42 <agrebennikov>     "title": "Forbidden"
17:42 <agrebennikov> }
17:43 <agrebennikov> which means I have to provide the token scoped for the project of the secret always?
17:50 <agrebennikov> seems right - if I issue the token in the right project - it allows me to read acls
17:50 <agrebennikov> I don't believe it is expected behaviour
18:31 <openstackgerrit> OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/316930
18:41 <openstackgerrit> OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/316930
19:17 <redrobot> agrebennikov sorry, had to go put out a fire
19:17 <agrebennikov> redrobot, sure, no problem)
19:18 <redrobot> agrebennikov project-access: true means the secret is viewable by all users in the project that owns it (as long as they have a role on that project)
19:18 <redrobot> agrebennikov but that still doesn't give access to a user not on the project
19:18 <agrebennikov> redrobot, no, hang on
19:18 <redrobot> you have to POST to the ACL API to grant read access to a user with no roles on the project first
19:19 <agrebennikov> what I'm saying - if the user authorizes against Another project right now (even if it has a role in the proper project) - it gives Forbidden
19:19 <redrobot> agrebennikov yes, that is expected behavior
19:19 <agrebennikov> but
19:19 <agrebennikov> the user Has the role))
19:19 <jhfeng> :q
19:20 <redrobot> agrebennikov so, access is granted on the (role, project) tuple
19:20 <agrebennikov> right
19:20 <redrobot> agrebennikov and we take that tuple from the token that is being presented by the user
19:21 <redrobot> agrebennikov afaik, the scoped token only includes the project it's scoped to
19:21 <agrebennikov> correct
19:21 <redrobot> agrebennikov so you would always have to have a scoped token to the same project that owns the secret to retrieve it
19:21 <agrebennikov> that is what I was saying before
19:22 <agrebennikov> you Always have to get the token in the secret's project
19:22 <agrebennikov> now my usecase
19:22 <redrobot> agrebennikov yes, sorry, I didn't quite understand your use case earlier
19:22 <agrebennikov> there is a user which uses contrail for creating load balancers with ssl
19:23 <agrebennikov> user stores its cert and the key in barbican
19:23 <agrebennikov> user issues the command to contrail to create a balancer, specifying the url to the container with the cert and the key
19:24 <agrebennikov> contrail (like all other services) has service user/password/tenant predefined in config
19:24 <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Fix doc warnings  https://review.openstack.org/318892
19:24 <agrebennikov> and it uses that info in order to retrieve the cert and the key
19:24 <agrebennikov> so contrail will never use proper tenant
19:25 <agrebennikov> and consequently it will never get the secret
19:25 <agrebennikov> redrobot, that's it))
19:25 <redrobot> agrebennikov I see... is this the octavia use case?
19:25 <agrebennikov> nope
19:25 <agrebennikov> it is native contrail balancer
19:27 <redrobot> agrebennikov so, the use case sounds similar to octavia's use case to me.  except that octavia does not store the secret for the user...
19:27 <rm_work> Yeah, it's pretty close to identical
19:27 <rm_work> redrobot: the user stores the secrets in the contrail case too it seems
19:27 <rm_work> so, identical
19:28 <rm_work> that's what ACLs are for :)
19:28 <redrobot> rm_work seems like contrail stores the secret for the user
19:28 <rm_work> [14:23:18]  <agrebennikov> user stores its cert and the key in barbican
19:28 <rm_work> unless you're reading up on the docs or something
19:29 <redrobot> rm_work ah yes, reading comprehension FTL
19:29 <redrobot> agrebennikov yeah, pretty much the same use case as octavia
19:29 <rm_work> agrebennikov: you need to publish the service account id that you configure in contrail, the user then adds the service user as a valid user on the secret and container's ACLs
19:29 <redrobot> agrebennikov the step you're missing is that the user needs to grant contrail-user an ACL to be able to retrieve the secret
19:29 <rm_work> it's one additional step for the user
19:29 <rm_work> well, minimum of 3 calls :/
19:30 <rm_work> ACLs for each of 3-5 objects
19:32 <redrobot> although I think someone at the Summit told me it could be done with trusts now
19:32 * redrobot needs to brush up on new Keystone features
19:42 <agrebennikov> redrobot, and rm_work sorry, didn't get the full picture yet... so you are saying: 1. user stores the secret1 (cert); 2. user stores the secret2 (key); 3. user creates the container with both secrets
19:42 <agrebennikov> 4. user changes acl for secret1
19:42 <agrebennikov> 5. user changes acl for secret2
19:42 <agrebennikov> 6. user changes acl for container
19:43 <agrebennikov> and Only after all that the secrets will be available for contrail user?
19:43 <rm_work> yes
19:43 <rm_work> that's the Octavia workflow
19:43 <rm_work> it's not ... ideal
19:44 <agrebennikov> rm_work, I'd say in a bit different words... but I'll not))
19:45 <agrebennikov> rm_work, actually there is an alternative workflow I can suggest.... but it is not that easy to implement using automation
19:45 <agrebennikov> in policy
19:45 <agrebennikov> I can create a rule superuser: "user:<ID>"
19:46 <agrebennikov> and then extend container_acl_read and secret_acl_read with "or rule:superuser"
19:46 <agrebennikov> does it make sense?
19:47 <agrebennikov> unfortunately it doesn't allow me to specify the name in there, ID only
20:33 <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Python 3: replace the whitelist with a blacklist  https://review.openstack.org/312513
20:33 <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Port translations to Python 3  https://review.openstack.org/312514
20:36 <diazjf1> kfarr, thanks for rebasing :)
20:37 <kfarr> diazjf1 sure, I think Victor must be busy
20:38 <rm_work> agrebennikov: yeah we don't want to create a god account that can read all secrets :/
20:41 <diazjf1> kfarr, yeah! I'll +2 those right away. thanks again :)
20:41 <kfarr> diazjf1, I think we still need another person
20:41 <kfarr> just cuz I don't want to +2 something I've committed
20:42 <diazjf1> kfarr ^ I'll wait for the gate then ping redrobot.
21:22 <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Python 3: replace the whitelist with a blacklist  https://review.openstack.org/312513
21:22 <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Port translations to Python 3  https://review.openstack.org/312514
22:09 <openstackgerrit> Merged openstack/barbican: Added KMIP Secret Store to Devstack  https://review.openstack.org/307434

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!