13:07:27 <redrobot> #startmeeting barbican
13:07:27 <openstack> Meeting started Tue Jan 21 13:07:27 2020 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:07:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:07:30 <openstack> The meeting name has been set to 'barbican'
13:07:35 <nearyo> \o/
13:07:52 <redrobot> #topic Roll Call
13:08:03 <redrobot> Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek
13:08:12 <Luzi> o/ again :)
13:09:43 <redrobot> Okay, let's get started!
13:10:24 <redrobot> #topic Secret-Consumers broke the TripleO gate
13:11:09 <moguimar> yep, wanted to bring that one up
13:11:25 <redrobot> Looks like the client can't handle changes to the API
13:11:36 <redrobot> so I'm going to make a workaround patch after the meeting
13:11:49 <redrobot> and then work on microversions so we don't break the client again
13:11:55 <redrobot> then work on the client so it doesn't break anymore
13:12:30 <redrobot> I should have the workaround patch up soon (just removing the API response bits)
13:12:48 <redrobot> and then I'll bug y'all for reviews.
13:12:55 <redrobot> any questions/comments?
13:14:12 <moguimar> works for me
13:17:19 <redrobot> ok, moving on
13:17:34 <redrobot> #topic Manipulation of ACL data in DB
13:17:56 <redrobot> This is an old security audit finding from the Newton cycle
13:18:14 <redrobot> #link https://review.opendev.org/#/c/357978/13/doc/source/artifacts/barbican/newton/review-findings.rst
13:18:26 <redrobot> Finding #1
13:18:57 <redrobot> basically, if an attacker can modify the database, then they can add arbitrary users to a Secret's ACL, and then retrieve the secret using the API
13:19:34 <redrobot> at the time, we talked about maybe signing acl rows
13:19:53 <redrobot> and then error out if the row fails to validate on retrieval
13:21:10 <redrobot> in any case, we should consider fixing it
13:21:29 <redrobot> or at least documenting that DB manipulation is a "Bad Thing"™
13:21:59 <redrobot> What do y'all think?
13:22:48 <Luzi> redrobot, I need to think about the problem a little bit more - but you are right, something has to be done :D
13:24:51 <redrobot> Luzi, cool, lets revisit this in a week or two
13:25:39 <redrobot> ok, moving on
13:25:53 <redrobot> #topic Barbican UI
13:26:10 <redrobot> nearyo, all yours
13:26:23 <redrobot> #link https://review.opendev.org/#/c/702399/
13:26:24 <nearyo> Hey, I finally reached a good point for the first contribution to the barbican-ui. With this contribution it is possible to list, show, create, update and delete secrets and their metadata. I left the metadata stuff inside for now, but I would say it's trivial to remove this (as we discussed in Shanghai).
13:26:33 <nearyo> https://review.opendev.org/#/c/702399/
13:26:51 <redrobot> nearyo, that is awesome news!
13:26:51 <nearyo> What do I have to do, to assign this to someone? (It's my first contribution ^^)
13:27:40 <redrobot> I've added myself and ade_lee as reviewers, and I may go poke folks at the horizon channel to see if anyone could also review real quick
13:28:12 <redrobot> It may take me a while though, as I have not written/read any JS in years. 😅
13:28:14 <nearyo> Nice, thanks :)
13:29:16 <nearyo> Yeah the angular stuff was also "new" for me ^^
13:31:07 <redrobot> cool beans
13:31:22 <redrobot> man, it'll be awesome if we can ship this for the next release :D
13:31:30 <nearyo> I would say if we agree on this we can think about further panel for acls and orders.
13:31:49 <redrobot> nearyo, sounds good
13:32:15 <nearyo> Cool, that's all from my side. ;-)
13:32:42 <redrobot> coolness
13:32:48 <redrobot> #topic Liaison Updates
13:32:58 <redrobot> moguimar, forgot to ask if you had any updates from Oslo?
13:37:24 <redrobot> ...
13:37:31 <redrobot> I'll take that as a no
13:37:38 <redrobot> #topic Open Discussion
13:37:45 <redrobot> Any other topics we should talk about?
13:39:57 <redrobot> Alrighty then
13:40:01 <redrobot> thanks for coming, everyone!
13:40:09 <redrobot> See y'all next week
13:40:11 <redrobot> #endmeeting