Friday, 2019-08-16

[00:29] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add protection tests for trusts API  https://review.opendev.org/675720
[00:30] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies  https://review.opendev.org/675807
[00:30] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move delete_trust enforcement to default policies  https://review.opendev.org/676277
[00:33] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move get_trust enforcement to default policies  https://review.opendev.org/676283
[00:33] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move list_roles_for_trust enforcement to policies  https://review.opendev.org/676284
[00:33] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move get_role_for_trust enforcement to policies  https://review.opendev.org/676287
[00:34] *** gyee has quit IRC
[00:45] *** markvoelker has joined #openstack-keystone
[00:50] *** markvoelker has quit IRC
[01:03] *** markvoelker has joined #openstack-keystone
[01:14] *** spsurya has joined #openstack-keystone
[01:18] *** dklyle has quit IRC
[01:38] *** dave-mccowan has joined #openstack-keystone
[01:49] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system reader role for trusts API  https://review.opendev.org/676847
[01:51] *** markvoelker has quit IRC
[02:35] *** markvoelker has joined #openstack-keystone
[02:40] *** markvoelker has quit IRC
[03:12] *** dave-mccowan has quit IRC
[04:00] *** markvoelker has joined #openstack-keystone
[04:04] *** markvoelker has quit IRC
[04:25] *** gagehugo has quit IRC
[04:26] *** gagehugo has joined #openstack-keystone
[04:30] *** markvoelker has joined #openstack-keystone
[04:35] *** markvoelker has quit IRC
[04:40] *** jaosorior has quit IRC
[07:05] *** markvoelker has joined #openstack-keystone
[07:10] *** markvoelker has quit IRC
[08:03] *** trident has quit IRC
[08:07] *** ivve has joined #openstack-keystone
[08:11] *** trident has joined #openstack-keystone
[08:11] *** jaosorior has joined #openstack-keystone
[08:11] *** jaosorior has quit IRC
[08:27] *** tkajinam has quit IRC
[09:02] *** jaosorior has joined #openstack-keystone
[09:41] *** jaosorior has quit IRC
[09:44] *** jaosorior has joined #openstack-keystone
[10:01] *** markvoelker has joined #openstack-keystone
[10:10] *** markvoelker has quit IRC
[10:35] *** jaosorior has quit IRC
[10:45] *** markvoelker has joined #openstack-keystone
[10:50] *** markvoelker has quit IRC
[11:48] *** markvoelker has joined #openstack-keystone
[12:09] <kmalloc> Looks like we will need the extension on the resource options. Power is out in my neighborhood (still)
[12:26] *** raildo has joined #openstack-keystone
[12:45] *** raildo has quit IRC
[12:50] *** raildo has joined #openstack-keystone
[12:53] <kmalloc> cmurphy: ^
[12:53] <kmalloc> Estimated restoration is this afternoon sometime.
[12:53] <kmalloc> Maybe.
[13:10] *** raildo_ has joined #openstack-keystone
[13:12] *** raildo has quit IRC
[13:14] <cmurphy> kmalloc: okie
[13:40] *** rmascena__ has joined #openstack-keystone
[13:43] *** raildo_ has quit IRC
[14:00] *** rmascena__ has quit IRC
[14:01] *** raildo has joined #openstack-keystone
[14:22] *** dave-mccowan has joined #openstack-keystone
[14:35] *** dave-mccowan has quit IRC
[14:48] *** bnemec is now known as beekneemech
[14:48] *** cmurphy is now known as cmorpheus
[14:57] *** ivve has quit IRC
[15:05] *** dklyle has joined #openstack-keystone
[15:12] *** gyee has joined #openstack-keystone
[15:17] *** Garyx has joined #openstack-keystone
[15:35] *** gyee has quit IRC
[15:42] <cmorpheus> some easy reviews https://review.opendev.org/676662 https://review.opendev.org/676659 https://review.opendev.org/674208 https://review.opendev.org/674211 https://review.opendev.org/668795
[15:48] *** gyee has joined #openstack-keystone
[15:52] *** gyee has quit IRC
[16:01] <kmalloc> cmorpheus: all:+2/+A
[16:02] <cmorpheus> ty
[16:02] <kmalloc> :)
[16:08] *** gyee has joined #openstack-keystone
[16:11] <openstackgerrit> Merged openstack/python-keystoneclient master: Bump the openstackdocstheme extension to 1.20  https://review.opendev.org/668795
[16:13] <openstackgerrit> Merged openstack/keystonemiddleware master: Blacklist sphinx 2.1.0 (autodoc bug)  https://review.opendev.org/674208
[16:13] <openstackgerrit> Merged openstack/keystonemiddleware master: Bump the openstackdocstheme extension to 1.20  https://review.opendev.org/674211
[16:18] <openstackgerrit> Merged openstack/keystone master: Update cli docs  https://review.opendev.org/676659
[16:19] <openstackgerrit> Merged openstack/keystone master: Update broken link  https://review.opendev.org/676662
[16:19] *** bnemec has joined #openstack-keystone
[16:19] *** beekneemech has quit IRC
[16:20] *** bnemec is now known as beekneemech
[16:32] *** beekneemech has quit IRC
[16:35] *** bnemec has joined #openstack-keystone
[16:44] *** bnemec has quit IRC
[16:45] *** bnemec has joined #openstack-keystone
[16:49] *** ivve has joined #openstack-keystone
[16:49] *** ivve has quit IRC
[17:02] *** bnemec has quit IRC
[17:02] <openstackgerrit> Nikita Kalyanov proposed openstack/keystone master: Fix caching behavior  https://review.opendev.org/676991
[17:03] *** bnemec has joined #openstack-keystone
[17:09] *** ivve has joined #openstack-keystone
[17:10] *** markvoelker has quit IRC
[17:14] *** bnemec has quit IRC
[17:15] *** bnemec has joined #openstack-keystone
[17:18] *** markvoelker has joined #openstack-keystone
[17:29] <openstackgerrit> Nikita Kalyanov proposed openstack/keystone master: Add decryption of credentials  https://review.opendev.org/676992
[17:31] *** bnemec has quit IRC
[17:34] *** bnemec has joined #openstack-keystone
[17:40] *** dklyle has quit IRC
[17:40] *** bnemec has quit IRC
[17:41] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system reader role for trusts API  https://review.opendev.org/676847
[17:41] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for system member for trusts  https://review.opendev.org/676995
[17:42] *** bnemec has joined #openstack-keystone
[18:07] *** ivve has quit IRC
[18:21] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system reader role for trusts API  https://review.opendev.org/676847
[18:21] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for system member for trusts  https://review.opendev.org/676995
[18:21] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system admin for trusts API  https://review.opendev.org/677004
[18:56] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system reader role for trusts API  https://review.opendev.org/676847
[18:56] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for system member for trusts  https://review.opendev.org/676995
[18:56] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system admin for trusts API  https://review.opendev.org/677004
[18:56] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for domain users for trusts  https://review.opendev.org/677020
[20:14] *** bnemec is now known as beekneemech
[20:25] *** markvoelker has quit IRC
[20:30] *** markvoelker has joined #openstack-keystone
[20:33] *** markvoelker has quit IRC
[20:33] *** markvoelker has joined #openstack-keystone
[20:57] *** pcaruana has quit IRC
[21:10] *** raildo has quit IRC
[21:12] *** markvoelker has quit IRC
[21:36] <kmalloc> cmorpheus: commented on the trust-existence leaking bug
[21:37] <kmalloc> cmorpheus, gyee: I expect that we should be consistent in keystone, i don't think grants (or other delegations) were ever intended to be public knowledge. They are also not explicitly meant to be non-public (secure) knowledge. I err to the side of consistency within keystone's behaviors when addressing minimization of security surface area (social engineering, extra targets to attempt to attack to gain access, etc)
[21:38] <kmalloc> and adam is not here to chime in *shrug*
[21:41] <gyee> kmalloc, even if non-trustee can't get a token?
[21:41] <kmalloc> correct
[21:41] <kmalloc> i would expect the data to be generally not available if the user is not party to the delegation
[21:42] <kmalloc> e.g. Cloud Admin (all delegations are relevant), Project/Domain Admin (depending on policy), Trustor, Trustee
[21:42] <kmalloc> because other delegations (grants, et al) are not visible to non-party members
[21:42] <kmalloc> even if that non-party is a valid keystone user.
[21:43] <kmalloc> now, i am just going by consistency within keystone about data accessibility
[21:43] <kmalloc> i don't want to make grants free access even if someone can't get a token ;)
[21:44] <gyee> I am purely looking at it from a risk standpoint
[21:44] <cmorpheus> i guess the question is whether this is severe enough to warrant breaking the API contract
[21:44] <kmalloc> this is not super critical, but is security-adjacent as it gives potential information for other attack subjects to gain access. but it's a C1, you have to guess a UUID. sooooo
[21:44] <kmalloc> i'm going to say it's a valid bug
[21:44] <gyee> so per my understanding, risk = threat x vulnerability
[21:44] <kmalloc> it may not be worth breaking the api contract
[21:44] <kmalloc> e.g. "Wont Fix" vs "Invalid":
[21:44] <cmorpheus> yeah
[21:44] <gyee> there is threat, but no vulnerability, so therefore low risk
[21:45] <kmalloc> hence C1.
[21:45] <kmalloc> vs anything else.
[21:45] <gyee> from an API standpoint, yes, we should fix it for consistency
[21:45] <gyee> to seal the threat
[21:45] <kmalloc> so, like i said, it's inconsistent within keystone. it may simply be a Wont Fix due to api contract/behavior
[21:46] <kmalloc> but it is definitely a valid bug.
[21:46] <kmalloc> if that makes sense :)
[21:46] <gyee> yeah I agree it is a valid bug, may not be a security bug though
[21:46] <kmalloc> most of the time C1 is security-adjacent in my experience
[21:47] <gyee> gray area :-)
[21:47] <kmalloc> if it was any more worrisome than "hey, it's data and could be relevant in other vectors of attack", it would be a class A
[21:47] <kmalloc> it provides no direct vector of attack
[21:47] <kmalloc> and the threat assessment is low.
[21:47] <gyee> sometimes security theater is worse than actual risk
[21:47] <kmalloc> but it is security-related :)
[21:48] <kmalloc> it may even warrant an OSSN saying "yeah, we know, not worth the headache of fixing"
[21:48] <kmalloc> "but it's a thing"
[21:48] <kmalloc> so i *think* the answer here is... do we care about the consistency of this not-public-but-not-sensitive data? or the API Contract more. there is no wrong answer
[21:49] <cmorpheus> ugh
[21:49] <kmalloc> realistically all answers are fine.
[21:50] <kmalloc> and i support both sides. I hadn't realized we had an argument in the bug about validity :P
[21:50] <kmalloc> or i would have -1 Workflowed it rather than +A, and then made the same comment :)
[21:51] <gyee> hah, our API contract didn't explain the error codes https://github.com/openstack/keystone/blob/master/api-ref/source/v3-ext/trust.inc
[21:51] <kmalloc> nope
[21:51] <kmalloc> =/
[21:52] <cmorpheus> i think adam is going a little far by claiming it's "public" information but i can see the point that it can't really be used as leverage in an attack
[21:52] <kmalloc> exactly
[21:52] <cmorpheus> so i'm inclined to wontfix even though it's gross and makes me sad
[21:52] <kmalloc> let's call it Wont Fix, known thing.
[21:52] <kmalloc> sorry you spent so much time on fixing it
[21:52] <gyee> if it's *public* information, why even bother to put an authorization policy on it :-)
[21:53] <cmorpheus> lol
[21:53] <kmalloc> gyee: nothing in keystone is *public* except the auth endpoint and json_home
[21:53] <cmorpheus> let's just publish a list of uuids
[21:53] <kmalloc> :P
[21:54] <kmalloc> cmorpheus: Done, let me spin up a patch that publishes every UUID in the database... not for what API it attaches to, just a list.. of every uuid...maybe some extra ones that we just randomly generate for good effect
[21:54] <cmorpheus> kmalloc: it was a relatively easy fix in the middle of the harder mess of untangling the hardcoded policy enforcement
[21:54] <cmorpheus> kmalloc: lol
[21:54] <gyee> whahhhh
[21:54] <kmalloc> hehe
[21:54] <kmalloc> anyway
[21:54] <kmalloc> yeah let's wont fix it, nothing wrong, might still warrant an OSSN
[21:55] <gyee> no argument here
[21:58] <kmalloc> marked as wont fix, commented about the IRC discussion
[21:58] <kmalloc> covered what we said and that this is minimal to no risk
[21:59] <cmorpheus> thanks kmalloc
[21:59] <kmalloc> np :)
[21:59] <gyee> kmalloc, but I agree with you, but if an attacker also manages to capture a user token, then jackpot
[21:59] <kmalloc> the data can be used to determine whom to target
[21:59] <kmalloc> but it also requires guessing UUIDs.
[22:00] <kmalloc> so.. good luck?
[22:00] <gyee> probably easier winning the lottery
[22:00] <kmalloc> or being struck by lightning... twice ... in the same spot
[22:02] <cmorpheus> so now i have to add protection tests that verify this behavior >.<
[22:10] *** markvoelker has joined #openstack-keystone
[22:15] *** markvoelker has quit IRC
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add protection tests for trusts API  https://review.opendev.org/675720
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies  https://review.opendev.org/675807
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move delete_trust enforcement to default policies  https://review.opendev.org/676277
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move get_trust enforcement to default policies  https://review.opendev.org/676283
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move list_roles_for_trust enforcement to policies  https://review.opendev.org/676284
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Move get_role_for_trust enforcement to policies  https://review.opendev.org/676287
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system reader role for trusts API  https://review.opendev.org/676847
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for system member for trusts  https://review.opendev.org/676995
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add tests for domain users for trusts  https://review.opendev.org/677020
[22:22] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Implement system admin for trusts API  https://review.opendev.org/677004
[22:23] *** spsurya has quit IRC
[23:24] <cmorpheus> beekneemech: oslo feature freeze won't apply to oslo.limit since we're still at 0.1 right?
[23:25] <kmalloc> cmorpheus: :(
[23:32] *** vesper11 has quit IRC