13:07:27 <redrobot> #startmeeting barbican
13:07:27 <openstack> Meeting started Tue Jan 21 13:07:27 2020 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:07:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:07:30 <openstack> The meeting name has been set to 'barbican'
13:07:35 <nearyo> \o/
13:07:52 <redrobot> #topic Roll Call
13:08:03 <redrobot> Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek
13:08:12 <Luzi> o/ again :)
13:09:43 <redrobot> Okay, let's get started!
13:10:24 <redrobot> #topic Secret-Consumers broke the TripleO gate
13:11:09 <moguimar> yep, wanted to bring that one up
13:11:25 <redrobot> Looks like the client can't handle changes to the API
13:11:36 <redrobot> so I'm going to make a workaround patch after the meeting
13:11:49 <redrobot> and then work on microversions so we don't break the client again
13:11:55 <redrobot> then work on the client so it doesn't break anymore
13:12:30 <redrobot> I should have the workaround patch up soon (just removing the API response bits)
13:12:48 <redrobot> and then I'll bug y'all for reviews.
13:12:55 <redrobot> any questions/comments?
13:14:12 <moguimar> works for me
13:17:19 <redrobot> ok, moving on
13:17:34 <redrobot> #topic Manipulation of ACL data in DB
13:17:56 <redrobot> This is an old security audit finding from the Newton cycle
13:18:14 <redrobot> #link https://review.opendev.org/#/c/357978/13/doc/source/artifacts/barbican/newton/review-findings.rst
13:18:26 <redrobot> Finding #1
13:18:57 <redrobot> basically, if an attacker can modify the database, then they can add arbitrary users to a Secret's ACL, and then retrieve the secret using the API
13:19:34 <redrobot> at the time, we talked about maybe signing acl rows
13:19:53 <redrobot> and then error out if the row fails to validate on retrieval
13:21:10 <redrobot> in any case, we should consider fixing it
13:21:29 <redrobot> or at least documenting that DB manipulation is a "Bad Thing"™
13:21:59 <redrobot> What do y'all think?
13:22:48 <Luzi> redrobot, i need to think about the problem a little bit more - but you are right, something has to be done :D
13:24:51 <redrobot> Luzi, cool, let's revisit this in a week or two
13:25:39 <redrobot> ok, moving on
13:25:53 <redrobot> #topic Barbican UI
13:26:10 <redrobot> nearyo, all yours
13:26:23 <redrobot> #link https://review.opendev.org/#/c/702399/
13:26:24 <nearyo> Hey, I finally reached a good point for the first contribution to the barbican-ui. With this contribution it is possible to list, show, create, update and delete secrets and their metadata. I left the metadata stuff inside for now, but I would say it's trivial to remove this (as we discussed in Shanghai).
13:26:33 <nearyo> https://review.opendev.org/#/c/702399/
13:26:51 <redrobot> nearyo, that is awesome news!
13:26:51 <nearyo> What do I have to do to assign this to someone? (It's my first contribution ^^)
13:27:40 <redrobot> I've added myself and ade_lee as reviewers, and I may go poke folks at the horizon channel to see if anyone could also review real quick
13:28:12 <redrobot> It may take me a while though, as I have not written/read any JS in years. 😅
13:28:14 <nearyo> Nice, thanks :)
13:29:16 <nearyo> Yeah the angular stuff was also "new" for me ^^
13:31:07 <redrobot> cool beans
13:31:22 <redrobot> man, it'll be awesome if we can ship this for the next release :D
13:31:30 <nearyo> I would say if we agree on this we can think about further panels for ACLs and orders.
13:31:49 <redrobot> nearyo, sounds good
13:32:15 <nearyo> Cool, that's all from my side. ;-)
13:32:42 <redrobot> coolness
13:32:48 <redrobot> #topic Liaison Updates
13:32:58 <redrobot> moguimar, forgot to ask if you had any updates from Oslo?
13:37:24 <redrobot> ...
13:37:31 <redrobot> I'll take that as a no
13:37:38 <redrobot> #topic Open Discussion
13:37:45 <redrobot> Any other topics we should talk about?
13:39:57 <redrobot> Alrighty then
13:40:01 <redrobot> thanks for coming, everyone!
13:40:09 <redrobot> See y'all next week
13:40:11 <redrobot> #endmeeting