Tuesday, 2015-07-21

*** tmcpeak has quit IRC [00:01]
*** sigmavirus24_awa is now known as sigmavirus24 [00:27]
*** salv-orlando has quit IRC [00:57]
*** salv-orlando has joined #openstack-security [01:00]
*** salv-orlando has quit IRC [01:05]
*** bpokorny_ has quit IRC [01:09]
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: Converting API endpoints section to RST  https://review.openstack.org/203894 [01:12]
*** bitblt has quit IRC [01:29]
*** browne has quit IRC [01:40]
*** elo has quit IRC [01:45]
*** dave-mccowan has quit IRC [01:59]
*** elo has joined #openstack-security [02:04]
<openstackgerrit> Michael McCune proposed openstack/security-doc: Index in RST format  https://review.openstack.org/203854 [02:16]
*** browne has joined #openstack-security [02:18]
*** dave-mccowan has joined #openstack-security [02:21]
<openstackgerrit> Merged openstack/security-doc: Index in RST format  https://review.openstack.org/203854 [02:32]
*** y_sawai has joined #openstack-security [02:43]
*** jhfeng has joined #openstack-security [02:55]
*** elo has quit IRC [03:17]
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: WIP - Updating Compute chapter to RST  https://review.openstack.org/203916 [04:28]
*** jhfeng has quit IRC [04:40]
*** jhfeng has joined #openstack-security [04:40]
*** jhfeng has quit IRC [04:42]
*** y_sawai_ has joined #openstack-security [04:45]
*** y_sawai has quit IRC [04:46]
*** dave-mccowan has quit IRC [04:51]
*** y_sawai__ has joined #openstack-security [04:58]
<openstackgerrit> Andreas Jaeger proposed openstack/security-doc: Remove extra mkdir  https://review.openstack.org/203922 [05:00]
*** y_sawai_ has quit IRC [05:01]
*** y_sawai has joined #openstack-security [05:05]
*** y_sawai__ has quit IRC [05:08]
*** y_sawai_ has joined #openstack-security [05:09]
*** sigmavirus24 is now known as sigmavirus24_awa [05:11]
*** y_sawai has quit IRC [05:12]
<openstackgerrit> Merged openstack/security-doc: Remove extra mkdir  https://review.openstack.org/203922 [05:22]
*** markvoelker has quit IRC [05:38]
*** y_sawai has joined #openstack-security [05:38]
*** y_sawai has quit IRC [05:39]
*** y_sawai_ has quit IRC [05:42]
*** markvoelker has joined #openstack-security [05:44]
*** y_sawai has joined #openstack-security [06:00]
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: WIP - Updating Documentation section from DocBook to RST  https://review.openstack.org/203933 [06:02]
<openstackgerrit> Andreas Jaeger proposed openstack/security-doc: Initial conversion of Compliance chapter to rst  https://review.openstack.org/203822 [06:17]
<openstackgerrit> Andreas Jaeger proposed openstack/security-doc: Initial conversion of Management chapter to rst  https://review.openstack.org/203830 [06:18]
<openstackgerrit> Andreas Jaeger proposed openstack/security-doc: Converting API endpoints section to RST  https://review.openstack.org/203894 [06:20]
<openstackgerrit> Andreas Jaeger proposed openstack/security-doc: WIP - Updating Compute chapter to RST  https://review.openstack.org/203916 [06:21]
*** shohel has joined #openstack-security [06:22]
*** y_sawai has quit IRC [06:23]
*** browne has quit IRC [06:48]
*** salv-orlando has joined #openstack-security [06:52]
*** salv-orlando has quit IRC [07:28]
*** alex_klimov has joined #openstack-security [07:44]
<openstackgerrit> Dave Walker proposed openstack/security-doc: Conversion of Object Storage chapter to rst  https://review.openstack.org/203965 [08:10]
*** dlitz has quit IRC [08:17]
*** dlitz has joined #openstack-security [08:22]
*** salv-orlando has joined #openstack-security [08:25]
*** shohel has quit IRC [08:39]
*** shohel has joined #openstack-security [08:40]
*** tkelsey has joined #openstack-security [09:04]
*** lexholden has joined #openstack-security [09:24]
*** lexholden has quit IRC [09:39]
*** elo has joined #openstack-security [10:34]
*** lexholden has joined #openstack-security [10:52]
*** dlitz has quit IRC [11:01]
*** dlitz has joined #openstack-security [11:05]
*** salv-orlando has quit IRC [11:40]
*** dave-mccowan has joined #openstack-security [11:57]
*** salv-orlando has joined #openstack-security [12:01]
*** shohel has quit IRC [12:07]
*** y_sawai has joined #openstack-security [12:07]
*** shohel has joined #openstack-security [12:07]
*** shohel1 has joined #openstack-security [12:08]
*** shohel has quit IRC [12:08]
*** y_sawai_ has joined #openstack-security [12:18]
*** y_sawai has quit IRC [12:20]
*** dlitz has quit IRC [12:22]
*** dlitz has joined #openstack-security [12:25]
*** alex7 has joined #openstack-security [12:40]
*** alex7 has left #openstack-security [12:40]
*** dlitz has quit IRC [12:43]
*** dlitz has joined #openstack-security [12:46]
*** markvoelker has quit IRC [13:17]
*** bknudson has joined #openstack-security [13:20]
*** y_sawai_ has quit IRC [13:23]
*** shohel has joined #openstack-security [13:27]
*** shohel1 has quit IRC [13:28]
*** sdake has joined #openstack-security [13:46]
*** sdake_ has joined #openstack-security [13:47]
*** edmondsw has joined #openstack-security [13:49]
*** sdake has quit IRC [13:50]
*** rbrooker has joined #openstack-security [13:50]
*** sicarie has joined #openstack-security [14:03]
*** bknudson has quit IRC [14:05]
<sicarie> elmiko: ping [14:12]
<elmiko> sicarie: hey [14:15]
<sicarie> Do you have the link to the etherpad? [14:15]
<sicarie> Somehow I lost it :( [14:15]
*** sigmavirus24_awa is now known as sigmavirus24 [14:16]
<elmiko> i merged pdesai's initial change last night, just to get things rolling [14:16]
<sicarie> I saw that - it passed Jenkins, I'm good with it :) [14:16]
<elmiko> there are a couple minor issues, but they'll get sorted [14:16]
<sicarie> Daviey has proposed 3, and I have 3 (with issues) as well [14:16]
<sicarie> Hopefully we can keep up this pace and get it sorted [14:17]
<elmiko> nice, i'm working through the data processing chap now [14:17]
<elmiko> one thing that will slow this down are the arbitrary linkages between the chapters. i'm running into it a bit, but i'm gonna link to the chapters with TODO notes about fixing up [14:17]
<sicarie> Yeah, i'm pretty sure that's what most of my 'checklinks' failures are [14:18]
<sicarie> I was waiting to go back and check those until the other sections got migrated [14:18]
*** jhfeng has joined #openstack-security [14:18]
<elmiko> as long as we're all aware of it, should be no problem [14:18]
<elmiko> rst is gonna be so much nicer to hack on =) [14:19]
<sicarie> I thought you guys were exaggerating how much nicer it was, and then I was going through it yesterday [14:20]
<sicarie> much easier [14:20]
<Daviey> sicarie: Oi! You used the bug as your Branch Topic name.  Do you want to flip it to what i said, or should i move mine to the bug? [14:20]
<sicarie> Daviey: I think that's something that Gerrit does automatically with a "Partial-Bug" or "Closes-Bug" message that surprised me [14:21]
<sicarie> anyway, I'm ambivalent - elmiko do you have a preference? [14:22]
<sicarie> I think pdesai was in favor of the feature branch [14:22]
<elmiko> i like Daviey's suggestion, makes it easier to have multiple local branches going [14:22]
<elmiko> but, as long as we keep updating the etherpad with the reviews it's probably not a big deal [14:23]
<sicarie> Daviey: I'll flip them when I re-up my changes [14:23]
<sicarie> And thanks for knocking out those 3 chapters! [14:23]
<Daviey> sicarie: Ah, when you -  git review -t topic/name [14:24]
<Daviey> overrides the auto behaviour [14:24]
<sicarie> I have to say my understanding of git is light, I may be pinging for more details :) [14:24]
*** browne has joined #openstack-security [14:27]
<Daviey> sicarie: I won't pretend to be an expert :) [14:30]
*** sdake_ has quit IRC [14:32]
*** sdake has joined #openstack-security [14:32]
*** sdake_ has joined #openstack-security [14:35]
<sigmavirus24> sicarie: feel free to ping me [14:35]
<sigmavirus24> Although git-review just does extra stuff on top so you don't have to think about gerrit [14:35]
*** rbrooker has quit IRC [14:37]
*** sdake_ has quit IRC [14:37]
*** sdake has quit IRC [14:38]
<Daviey> whilst looking to convert acknowledgements.xml, /me contemplates changing the logos [14:41]
<elmiko> Daviey: is there something wrong with the logos? [14:42]
<sigmavirus24> elmiko: they're not logical [14:43]
<Daviey> elmiko: Nothing.. just thought about adding an additional meme logo. [14:43]
<sicarie> Daviey: I think the RedHat guy looks too dour, you should give him a smile :) [14:43]
<elmiko> what!?! shadowman is awesome =) [14:44]
*** tmcpeak has joined #openstack-security [14:44]
<sigmavirus24> Daviey: trollface? [14:44]
<sigmavirus24> I would endorse trollface as a logo [14:45]
<sigmavirus24> "SSLv3 with RC4 ciphers is totally secure. <trollface.png>" [14:45]
<sigmavirus24> Daviey: or would that be trollface overlayed on top of <3 letter agency logo> [14:46]
*** y_sawai has joined #openstack-security [14:50]
*** voodookid has joined #openstack-security [14:53]
*** y_sawai has quit IRC [14:55]
*** y_sawai has joined #openstack-security [14:56]
<sigmavirus24> elmiko: ? [14:57]
<sigmavirus24> elmiko: at least I didn't use "SSLv3 with RC4 ciphers is the only thing you should use" =P [14:57]
<sicarie> sigmavirus24: I'm so hipster I use original SSL (the first is always the best, right?) [14:59]
<tmcpeak> is that the one where they just exchange encryption keys in the clear in the first two packets? [14:59]
*** y_sawai has quit IRC [14:59]
<sicarie> isn't that what they mean for more security to be done out in the open? [15:00]
<elmiko> sigmavirus24: i was more reacting to the trollface overlayed on top... [15:01]
<sigmavirus24> elmiko: lol [15:01]
<sigmavirus24> elmiko: trollface overlayed == lulzsec right? [15:01]
<elmiko> remember kids, installing backdoors into your crypto isn't just fun, it's patriotic too ;) [15:01]
<sigmavirus24> sicarie: hipster security is the best sakurity =P [15:01]
<sigmavirus24> elmiko: even if you're not murrican [15:02]
<elmiko> sigmavirus24: especially if you're not murrican! [15:02]
<sigmavirus24> that should be a new way for nonmurricans to get murrican citizenship [15:03]
<sigmavirus24> step 1. make a cryptosystem with a backdoor; step 2. give it to <3 letter agency>; step 3. ???; step 4. citizenship! [15:04]
*** edmondsw has quit IRC [15:09]
*** jamielennox has quit IRC [15:09]
*** bpokorny has joined #openstack-security [15:14]
*** dwyde has joined #openstack-security [15:14]
*** bknudson has joined #openstack-security [15:15]
*** edmondsw has joined #openstack-security [15:16]
*** jhfeng has quit IRC [15:16]
<Daviey> sigmavirus24: Not trollface, more Scumbag Steve? [15:16]
<openstackgerrit> Merged openstack/bandit: Improving SQL Injection detection  https://review.openstack.org/202646 [15:29]
<openstackgerrit> Tim Kelsey proposed openstack/bandit: Adding documentation.  https://review.openstack.org/204136 [15:46]
<openstackgerrit> Tim Kelsey proposed openstack/bandit: Adding documentation.  https://review.openstack.org/204136 [15:48]
<sigmavirus24> tmcpeak: surely we don't want documentation =P As part of the big tent, isn't it contrary to our purpose? [15:57]
<elmiko> going for the elusive "no docs" tag? [15:57]
<sigmavirus24> Or "wrong docs" [15:58]
<tmcpeak> sigmavirus24: agile doesn't do documentation [15:58]
<sigmavirus24> I personally like keystoneclient.auth's docs that give you the completely wrong names for auth_plugins and such [15:59]
<sigmavirus24> Also gives you no indications of what option names to use for which auth plugin =P [15:59]
<sigmavirus24> i'm probably not the best person to talk to about docs [16:00]
<sigmavirus24> I've been rewriting/overhauling docs on projects that I'm part of outside of openstack [16:00]
<elmiko> sicarie, Daviey, are we using "Partial-Implements: blueprint sec-guide-rst" on these reviews? [16:01]
<elmiko> or is there a bug? [16:02]
<openstackgerrit> Michael McCune proposed openstack/security-doc: adding security guide rst build dir to ignore  https://review.openstack.org/204141 [16:03]
<elmiko> sicarie ^^ [16:04]
*** alex_klimov has quit IRC [16:05]
<openstackgerrit> Michael McCune proposed openstack/security-doc: initial conversion of data processing chapter  https://review.openstack.org/204143 [16:05]
<Daviey> elmiko: We have both... [16:15]
<Daviey> a bug and a spec [16:16]
<Daviey> I don't care what we do, just let me know and i'll change mine to fit [16:16]
<elmiko> lol, is there a preference? [16:16]
<elmiko> i put the spec in mine [16:16]
<Daviey> elmiko: Is Partial-Implements a thing for a spec? [16:16]
<elmiko> well, for a blueprint [16:17]
<Daviey> I knew Partial-Bug worked, but i didn't know people used it for Implements as well [16:17]
<elmiko> i've used it before [16:17]
*** lexholden has quit IRC [16:17]
*** bknudson has quit IRC [16:18]
<Daviey> chair6: Thanks for the testing of my config file branch... Are you easily able to tell me where the config file WAS installed for the failing procedures ? [16:22]
*** bknudson has joined #openstack-security [16:25]
*** bknudson has quit IRC [16:39]
*** pdesai has joined #openstack-security [16:41]
<openstackgerrit> Merged openstack/security-doc: Initial conversion of Management chapter to rst  https://review.openstack.org/203830 [16:42]
<openstackgerrit> Merged openstack/security-doc: Initial conversion of Compliance chapter to rst  https://review.openstack.org/203822 [16:42]
<sicarie> elmiko Daviey: I think that using Partial-Bug will cause Gerrit to do something to move it off a feature branch [16:46]
<sicarie> Not 100% sure, but I thought I had at least one of mine on a feature branch and I don't see it now [16:46]
<Daviey> hmm, we've just had two branches on there that didn't reference the bug number [16:47]
<Daviey> and had "Implements: blueprint sec-guide-rst" [16:47]
*** bknudson has joined #openstack-security [16:47]
<Daviey> I would have used Partial-Implements if i had known that was a thing [16:47]
<Daviey> interesting reading, http://lists.openstack.org/pipermail/openstack-dev/2015-June/065940.html [16:49]
*** browne has quit IRC [16:49]
<Daviey> (and there was no agreement) [16:50]
<elmiko> i've always used partial-implements [16:51]
<elmiko> i also forgot to use -t when pushing my review =( [16:51]
<openstackgerrit> Merged openstack/security-doc: adding security guide rst build dir to ignore  https://review.openstack.org/204141 [16:55]
<chair6> yeah @Daviey, i can get that info for each now.. [16:55]
<Daviey> chair6: Ah thanks, i added it to the review... and regarding the debug.. I had it there to help write it, but removed it as i thought it was too noisy.. but i think you are right! [16:56]
<Daviey> elmiko: You can change it in the webui by clicking it [16:57]
*** sdake has joined #openstack-security [16:59]
<chair6> if it's there as a logger.debug() then you gotta do -d and it's only one line .. i figure if someone is running with -d they can expect noise :) [17:11]
<Daviey> chair6: Just to check, both OSX examples you gave - they didn't install the bandit.yaml anywhere other than the library path?  With Linux, i was seeing it in etc AND the library path.. but not on your OSX example [17:13]
<Daviey> - was your output over snipped or did it just not happen? [17:13]
<chair6> the snips should only be for matching directories .. i don't think it happened, i can double-check [17:14]
<Daviey> chair6: pip uninstall bandit | grep bandit.yaml  ? [17:15]
*** y_sawai has joined #openstack-security [17:18]
<chair6> yeah, from a local install: [17:18]
<chair6> seventh:bandit finnigaj$ sudo pip uninstall bandit | grep bandit.yam /Library/Python/2.7/site-packages/bandit/config/bandit.yaml [17:18]
<chair6> uggh, format, but looks like it's just in the library path.. [17:18]
<chair6> hmm .. but for the venv example, this time around i am seeing a /Users/finnigaj/repo/bandit/venv27/etc/bandit/bandit.yaml be removed [17:20]
<elmiko> Daviey: does that spin another version though? [17:20]
<elmiko> (not that it matters) [17:20]
<chair6> yay for unpredictable repetition.. [17:20]
<Daviey> chair6: I think local install it is reasonable then just to say "you are on your own"? [17:23]
<Daviey> As in, provide your own config [17:23]
*** shohel has quit IRC [17:24]
<Daviey> elmiko: Doesn't seem to make it a new revision, should be ok [17:26]
<Daviey> (i did it on https://review.openstack.org/#/c/203822/ ) [17:26]
<elmiko> ack, thanks [17:26]
<chair6> seems fair .. and bandit fails cleanly if it can't find a config, saying where we looked.. [17:28]
*** pdesai has quit IRC [17:30]
*** browne has joined #openstack-security [17:36]
<openstackgerrit> Michael McCune proposed openstack/security-doc: initial conversion of data processing chapter  https://review.openstack.org/204143 [17:36]
*** pdesai has joined #openstack-security [17:46]
*** bitblt has joined #openstack-security [17:48]
*** bitblt has quit IRC [17:51]
*** bitblt has joined #openstack-security [17:51]
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: Updating Monitoring and Logging ch file to RST  https://review.openstack.org/204184 [17:53]
*** markvoelker has joined #openstack-security [17:55]
*** y_sawai has quit IRC [17:55]
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: Updating Monitoring and Logging ch file to RST  https://review.openstack.org/204184 [17:57]
*** bitblt has quit IRC [17:58]
*** bitblt has joined #openstack-security [17:58]
<openstackgerrit> Nathaniel Dillon proposed openstack/security-doc: Updating Monitoring and Logging ch file to RST  https://review.openstack.org/204184 [18:02]
*** tkelsey has quit IRC [18:05]
*** jamielennox has joined #openstack-security [18:15]
*** jamielennox is now known as jamielennox|away [18:16]
*** jamielennox|away is now known as jamielennox [18:23]
<openstackgerrit> Priti Desai proposed openstack/security-doc: Updating Identity ch file to RST  https://review.openstack.org/204205 [18:40]
<openstackgerrit> Priti Desai proposed openstack/security-doc: Updating Databases ch file to RST  https://review.openstack.org/204210 [18:46]
*** jmckind has joined #openstack-security [18:48]
<openstackgerrit> Priti Desai proposed openstack/security-doc: Updating Messaging ch file to RST  https://review.openstack.org/204212 [18:54]
*** y_sawai has joined #openstack-security [18:56]
*** y_sawai has quit IRC [19:01]
*** pdesai has quit IRC [19:01]
*** shohel has joined #openstack-security [19:02]
*** bknudson has quit IRC [19:06]
*** shohel has quit IRC [19:07]
*** amit213 has quit IRC [19:14]
*** amit213 has joined #openstack-security [19:14]
<openstackgerrit> Michael McCune proposed openstack/security-doc: initial conversion of instance management chapter  https://review.openstack.org/204223 [19:30]
*** sdake_ has joined #openstack-security [19:31]
*** sdake has quit IRC [19:34]
*** y_sawai has joined #openstack-security [19:57]
*** bitblt has quit IRC [19:58]
*** jmckind has quit IRC [19:58]
*** y_sawai has quit IRC [20:01]
*** pdesai has joined #openstack-security [20:08]
<openstackgerrit> Michael McCune proposed openstack/security-doc: initial conversion of instance management chapter  https://review.openstack.org/204223 [20:12]
<elmiko> pdesai, Daviey, sicarie ping [20:16]
* sicarie waves [20:17]
<elmiko> so, pdesai, i just got your email but i had already converted the chapters i was working on into singular documents. [20:17]
<elmiko> i think we should discuss =) [20:17]
<Daviey> Single files per Chapter vs subdir with each section in [20:17]
<Daviey> [DEATH MATCH] [20:18]
<elmiko> i vote single file! [20:18]
<elmiko> (because i've done 2 and have a third on the way!) [20:18]
<elmiko> is there a benefit to multiple files that i'm just overlooking? [20:19]
<Daviey> elmiko: splitting is just  /usr/bin/split away, right? [20:20]
<elmiko> haha, nice [20:20]
<elmiko> yea, really it's trivial to split [20:20]
<Daviey> elmiko: The slight benefit IMO is smaller files are easier to handle.. Single mammoth files can be overwhelming to both review and edit [20:20]
<Daviey> I mean, to extend the logic - why don't we just put it all in index.rst? [20:20]
<sicarie> So separate files is a slight increase in complexity (locations/linking), and a possibly significant administrative overhead while a single file is easy to lose your place in [20:20]
<sicarie> For the purposes of this migration, let's let elmiko's chapters land, but track them in the etherpad where we're tracking issues [20:21]
<sicarie> there's no difference to the end-user and we can put off the conversation until the migration is complete [20:21]
<Daviey> sicarie: well, i'd rather clear it up now [20:21]
<elmiko> i guess, in this format, i prefer single file per chapter as it makes keeping the header levels in order easier [20:22]
<sicarie> Yes, but pdesai is not around to vote, though she set up the repo to be split [20:22]
<elmiko> whereas docbook did it for us [20:22]
<Daviey> sicarie: I am about to start some section work, and would rather get it right first time [20:22]
<pdesai> i am here guys [20:22]
<sicarie> ah, excellent! [20:22]
<pdesai> reading through the chat history [20:22]
<pdesai> what's up? [20:22]
<elmiko> i missed your email and combined the chapters i did into single files [20:23]
<Daviey> < Daviey> Single files per Chapter vs subdir with each section in [20:23]
<sicarie> We're discussing single-files vs multiple files [20:23]
<pdesai> i like the simplicity of having single file per ch. but we discussed last time, the main con with that, huge ch. file [20:23]
<elmiko> so, a question i have is this, if we break into section files do we need to be mindful of header levels within those files? [20:25]
<elmiko> or do they reset in each file? [20:25]
<pdesai> it should be consistent levels, not every section having title, for example, let me check on that [20:26]
<sicarie> asked in -doc [20:26]
<Daviey> i assumed if you included another file, it was treated as if it was included already [20:26]
<Daviey> Are you thinking this is not the case [20:27]
<sicarie> Daviey: I would make that assumption as well because the styles are called out [20:27]
<sicarie> ='s vs ~'s vs -'s [20:27]
<sicarie> so elmiko: I think so [20:27]
<Daviey> sicarie: Well testing locally should be pretty easy.. [20:27]
<pdesai> notice, the section header is actually a *title* in admin guide [20:28]
<Daviey> right, that is as sicarie succulently said. [20:28]
<elmiko> succulently? ;) [20:29]
<elmiko> ok, i can reformat my reviews. they haven't merged yet [20:29]
<sicarie> elmiko: I'm in favor of yours landing and re-updating later so we can review how they're broken up after we've migrated [20:30]
<sicarie> and I'll take that bug [20:30]
<sicarie> though making the dir would probably be useful groundwork [20:30]
<pdesai> elmiko: wait, this formatting results in stand alone small sections like today [20:31]
<elmiko> i just got carried away and did mass conversion =) [20:31]
<pdesai> i think we are at a point where we take decision and everyone can follow the same formatting [20:31]
<elmiko> for example, https://review.openstack.org/#/c/204223 [20:32]
<pdesai> i think we all know about pros and cons of both approaches, how many would vote for separate files per section [20:33]
<pdesai> vs one single file per ch.? [20:33]
<Daviey> I'm not core, so my vote doesn't carry.. but i'd certainly prefer small files.. [20:34]
<elmiko> i don't mind single file, but i can see the wisdom of separate files [20:34]
<sicarie> two ambivalents [20:34]
<pdesai> small files [20:34]
<pdesai> sorry elmiko [20:34]
<Daviey> suck it. [20:35]
<elmiko> fair enough, democracy in action =) [20:35]
<sicarie> Great, so we'll break them up per pdesai's email [20:35]
<sicarie> a topic folder, and sub-sections underneath [20:35]
<sicarie> apologies, I have to run to a meeting I'm apparently late for [20:35]
* sicarie is away [20:36]
<pdesai> yes, sounds great [20:36]
<pdesai> thanks guys [20:36]
<elmiko> pdesai: ok, one more question. as we create the subdirs per chapter, we will update the index.rst to reflect the head of each chapter being in the subdir? [20:37]
<elmiko> (i'm looking at your networking.rst) [20:38]
<elmiko> oh wait, not yours [20:38]
<elmiko> ok, nvm. i guess we just add toctree to the chapter head files [20:38]
<Daviey> Maybe i have misunderstood, but i thought index.rst only had to link to the top level ? [20:38]
<elmiko> yea, i think that's correct. then we add the subsections to the chapter header rst files [20:39]
<elmiko> ok, i'll fix my reviews [20:39]
<elmiko> (even though sicarie said he would) [20:40]
<pdesai> yup index to only chapter head file, each ch. file to subsections (mostly with the same level of toctree maxdepth 2) [20:47]
*** y_sawai has joined #openstack-security [20:58]
*** y_sawai has quit IRC [21:03]
<openstackgerrit> Dave Walker proposed openstack/security-doc: Conversion of Object Storage chapter to rst  https://review.openstack.org/203965 [21:05]
<openstackgerrit> Michael McCune proposed openstack/security-doc: initial conversion of data processing chapter  https://review.openstack.org/204143 [21:09]
*** sdake_ is now known as sdake [21:10]
* Daviey curses elmiko for pushing up many files in one commit [21:17]
<Daviey> elmiko: Oh, to be fair you didn't.. that is you splitting it up.. I withdraw my outrage! [21:17]
<elmiko> i'm limiting myself to single chapter [21:23]
<elmiko> i just figured since i already hacked it up [21:23]
<openstackgerrit> Michael McCune proposed openstack/security-doc: initial conversion of instance management chapter  https://review.openstack.org/204223 [21:26]
<elmiko> ok, secure comms will wait till tomorrow [21:27]
<sigmavirus24> I would offer to help y'all but I'm already overextended as it is =P [21:31]
*** lexholden has joined #openstack-security [21:32]
<elmiko> sigmavirus24: yea, i know the feeling ;) [21:34]
*** pdesai has quit IRC [21:40]
*** y_sawai has joined #openstack-security [21:45]
*** y_sawai has quit IRC [21:46]
<tmcpeak> nkinder: are notes supposed to be 72 width or 79? I never remember [21:48]
<Daviey> tmcpeak: 79 i think [21:51]
<sigmavirus24> 72 is commit messages I think [21:51]
<tmcpeak> ok cool, I know the email width is 72 but I don't remember how that actually maps to notes [21:51]
<tmcpeak> I guess I could not be lazy and look :P [21:51]
<Daviey> tmcpeak: You could also write a vimrc file for us. kkthnx [21:52]
*** pdesai has joined #openstack-security [21:52]
<sigmavirus24> oh god no [21:52]
<tmcpeak> yeah, I've got a vimrc file for you [21:53]
<sigmavirus24> I like my vimrc just fine thank you [21:53]
<Daviey> I used to love mine.. [21:54]
<tmcpeak> width appears to be 72 [21:54]
<Daviey> I do have spelling and line wrap for md files now [21:55]
<Daviey> tmcpeak: Sorry, i just checked my config.. i do indeed have it at 72 [21:55]
<sigmavirus24> problem is that even as a dirty murrican I use the queen's english so spell checkers complain at me about behaviour or colour [21:55]
<sigmavirus24> and I just ignore them [21:56]
<tmcpeak> sigmavirus24: you do? [21:56]
<sigmavirus24> I do [21:56]
* sigmavirus24 is out [21:56]
<sigmavirus24> later all [21:56]
*** sigmavirus24 is now known as sigmavirus24_awa [21:57]
*** pdesai has quit IRC [22:00]
<Daviey> sigmavirus24_awa: I gave up on Proper english and just now default to US. [22:00]
*** mihero has quit IRC [22:05]
*** mihero has joined #openstack-security [22:06]
*** edmondsw has quit IRC [22:07]
<tmcpeak> hmm, no bknudson, no kinder [22:08]
<nkinder> tmcpeak: what's up? [22:09]
<tmcpeak> oh good [22:09]
<tmcpeak> you are there [22:09]
<tmcpeak> you have a link for an example for how to configure a service account to have least priv? [22:09]
<tmcpeak> with the v3 api [22:09]
<tmcpeak> for that note [22:09]
<nkinder> tmcpeak: not exactly a single link, but I can give you some details [22:09]
<tmcpeak> ok cool, that works [22:10]
<nkinder> first thing would be to define a role for service users using the Identity API (a "services" role) [22:10]
<tmcpeak> nkinder: ok cool, you have a pointer to an example of that? [22:10]
<nkinder> yeah, one sec [22:11]
<nkinder> tmcpeak: basically, you'd do this - http://paste.openstack.org/show/397301/ [22:13]
<nkinder> tmcpeak: then you need to grant this new role to your service accounts on whatever project you use for service users [22:13]
<tmcpeak> nkinder: ok, so this creates a role but how are the privs set for it? [22:13]
<nkinder> with RDO, that's "services" (likely the same for others too) [22:13]
<nkinder> we're getting to that... [22:14]
<tmcpeak> ok :) [22:14]
<tmcpeak> btw, if there's a clean solution like this, why isn't it just the default? [22:14]
<openstackgerrit> Dave Walker proposed openstack/security-doc: Convert Chapter Introduction to rst  https://review.openstack.org/204286 [22:18]
*** pdesai has joined #openstack-security [22:18]
<nkinder> tmcpeak: It's just history.  Making big policy changes is hard, especially across multiple projects. [22:19]
<nkinder> too easy to break the world [22:20]
<nkinder> tmcpeak: so you then need to add the new role to your service users and remove the admin role - http://paste.openstack.org/show/397302/ [22:20]
<nkinder> you would have to do that for every service user [22:20]
<tmcpeak> fair enough [22:20]
<nkinder> tmcpeak: ...then comes the hard part [22:20]
<nkinder> updating policy.json files in all services for any API call that the service user might make [22:21]
<tmcpeak> hmm, yeah, that is the hard part [22:21]
<nkinder> the token validation call in keystone is the obvious one [22:21]
<nkinder> it's all of the other stuff that's more difficult [22:21]
<nkinder> ..like the nova to neutron communication, or heat having to create trusts in keystone [22:22]
<nkinder> ...I suppose heat uses the user's token for that, but it does a whole bunch of special stuff with its own heat domain [22:22]
<tmcpeak> I wonder how guidance for that should look [22:23]
<openstackgerrit> Dave Walker proposed openstack/security-doc: Convert Chapter Introduction to rst  https://review.openstack.org/204286 [22:24]
<tmcpeak> if I show one example it would probably break keystone ;) [22:24]
*** tjt263 has joined #openstack-security [22:24]
<tmcpeak> nkinder: from what I've seen heat is just "cloud god" [22:25]
<nkinder> not exactly.  It uses keystone trusts to do things [22:25]
<nkinder> it has power, but it's actually using delegation [22:25]
<tmcpeak> hmm, yeah, but it does have unfettered root access on all the boxes, right? [22:26]
<nkinder> tmcpeak: what do you mean? [22:26]
<nkinder> tmcpeak: it can impersonate a user who has defined a stack in heat, which allows it to create that stack [22:27]
<nkinder> tmcpeak: It's going to be very hard to list every policy that needs to be changed to do this [22:27]
<nkinder> lots and lots of testing... [22:28]
<tmcpeak> nkinder: yeah, for sure [22:28]
<nkinder> if it was easy, it would already be documented and the default [22:28]
<tmcpeak> and if we're going to do all that work we should just merge the fixes and skip the note [22:28]
<tmcpeak> so what is practical guidance for using this we can/should recommend? [22:28]
<tmcpeak> if users go in and start messing around with roles they're likely to brick their cloud [22:28]
<tmcpeak> we don't even know there aren't hidden monsters [22:28]
<tmcpeak> do we? [22:29]
<nkinder> change policies and test is all that we can really say.  It would be trial and error honestly. [22:29]
<tmcpeak> nkinder: yeah, I'm thinking so too, but is that really something we want to recommend then? [22:30]
<nkinder> We can state that keystone allows you to define more granular roles and policies, but it's not clearly defined  what all needs to be changed for a particular cloud. [22:30]
<nkinder> tmcpeak: well, policy is meant to be customized [22:30]
<nkinder> ...it's just not well understood by a lot of people [22:31]
<nkinder> so I think we can and should say that policy can be customized to have more granularity, but changes need to be carefully vetted and tested [22:31]
<tmcpeak> ok cool [22:31]
<tmcpeak> so maybe I'll show one sliver of end-to-end changes? [22:31]
<tmcpeak> ok cool, I'll give that a shot and add you for review when I get something :) [22:32]
<tmcpeak> thanks nkinder [22:32]
*** elo has quit IRC [22:32]
*** elo has joined #openstack-security [22:33]
*** dwyde has quit IRC [22:35]
*** lexholden has quit IRC [22:36]
<openstackgerrit> Dave Walker proposed openstack/security-doc: Convert acknowledgements Section to RST  https://review.openstack.org/204291 [22:40]
<tmcpeak> browne: tough day on Zuul huh? [22:50]
<browne> tmcpeak: yeah everything is broken [22:52]
<browne> it's ok.  i'll wait it out.  this happens all the time in nova [22:53]
<Daviey> Made worse by people slamming recheck [23:00]
*** voodookid has quit IRC [23:04]
*** pdesai has quit IRC [23:06]
