18:00:06 <bdpayne> #startmeeting OpenStack Security Group 18:00:07 <openstack> Meeting started Thu Mar 7 18:00:06 2013 UTC. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:00:10 <openstack> The meeting name has been set to 'openstack_security_group' 18:00:25 <bdpayne> good morning OSSG 18:01:17 <bdpayne> Unfortunately, I've been sick this past week and didn't make progress on my action items from last week 18:01:40 <bdpayne> So, I will take those as action items for next week… and hopefully actually get them done this time around 18:03:15 <bdpayne> are there OSSG people present? 18:03:24 <mtesauro> I'm not sure who else is here from OSSG but I posted a tool to help with API testing 18:03:30 <lglenden> I'm here 18:03:45 <bdpayne> excellent, good morning guys (and gals) 18:03:53 <rellerreller> I'm sort of here. Attending two meetings at once. 18:04:05 <bdpayne> mtesauro can you tell us more about your tool? 18:04:37 <mtesauro> Its a simple wrapper for curl which allows you to put common arguments and API endpoints into a config so you curl commands are WAY shorter. 18:04:51 <mtesauro> +link https://github.com/mtesauro/jerry-curl 18:04:53 <estebang9> good morning from cansec 18:05:40 <mtesauro> there are pre-compiled binaries for Linux, OSX, FreeBSD and Windows at http://appseclive.org/apt/jerry-curl/ 18:05:46 <mtesauro> 32 and 64 bit 18:05:48 <bdpayne> nifty… that looks nice 18:05:57 <bdpayne> you thinking of using that to stress test service endpoints? 18:06:17 <mtesauro> I find myself doing doing 1 off API calls and got tired of all that typing. 18:06:29 <bdpayne> ha, yeah I agree 18:06:30 <mtesauro> @stress-testing - you certainly could do that 18:06:38 <bdpayne> I'll pass this around… I know others that might like it 18:06:54 <mtesauro> Feel free to share as widely as you like 18:07:21 <bdpayne> estebang9 how is cansec? 18:07:56 <estebang9> good stuff. there will be some interesting cloud sec talks later (Oded). 18:08:15 <bdpayne> cool, perhaps you could give us a summary of the good stuff next week? 18:08:23 <noslzzp> I'm here. 18:08:25 <bdpayne> I bet that would be of general interest to the group here 18:08:33 <estebang9> definitely. 18:08:38 <bdpayne> great, thanks 18:09:12 <bdpayne> #action estebang9 to provide cansec summary to OSSG meeting on Mar 14 18:09:19 <estebang9> :) 18:09:24 <bdpayne> so, there's a few things worth discussing today 18:09:48 <bdpayne> I'm thinking hardening guide and rbac… anything else? 18:10:21 <bdpayne> #topic hardening guide 18:10:29 <bdpayne> this will be a brief topic today 18:10:38 <bdpayne> basically, I'm supposed to convert the guide to markdown 18:10:56 <bdpayne> I was curious if anyone could point me to a nice long doc written in markdown that I could use as a guide 18:11:12 <bdpayne> or, alternatively, if there's someone that would be interested in doing the conversion 18:11:40 <noslzzp> i can help with the conversion. 18:11:50 <bdpayne> noslzzp thanks 18:12:05 <bdpayne> the content in there right now is basically just following the (old) outline 18:12:15 <bdpayne> so perhaps a PR to move the repo to markdown with the new outline 18:12:22 <bdpayne> seems like the right next step 18:12:25 <noslzzp> Indeed. 18:12:43 <bdpayne> #action noslzzp to put up PR for converting guide to markdown 18:12:54 <bdpayne> btw, did you guys see http://docs.openstack.org/ops/ ? 18:13:04 <bdpayne> they wrote a book in 5 days 18:13:12 <noslzzp> Yes. 18:13:18 <noslzzp> What's our problem? :) 18:13:26 <bdpayne> heh, I know! 18:13:50 <bdpayne> this has actually motivated me a bit… I'm open to suggestions on how we might be able to move ahead like this 18:14:03 <bdpayne> or even if a full out documentation sprint effort would be useful here 18:14:59 <bdpayne> would people be interested in taking a week to travel somewhere and focus exclusively on this hardening guide during that time to basically knock out v1? 18:15:54 <bdpayne> I'll take the silence as a no 18:16:05 <bdpayne> but I remain open to creative ideas here :-) 18:16:17 <bdpayne> ok… I'd like to chat about rbac a little too 18:16:25 <bdpayne> #topic rbac 18:16:37 <bdpayne> Last week when I mentioned rbac, there seemed to be some interest 18:16:51 <bdpayne> I wanted to pick your brains a little more 18:17:04 <bdpayne> how do you imagine rbac in openstack being useful to you? 18:17:22 <bdpayne> I'd like to hear different takes to help define how we move forward here 18:18:38 <bdpayne> I work primarily with private clouds… and I'm interested in RBAC for allowing for a smoother integration between the cloud and the existing enterprise… for example putting controls on which users can get certain floating IPs or which users can launch certain images, etc 18:18:48 <bdpayne> what do you guys think about when you are thinking rbac? 18:20:17 <bdpayne> any thoughts? 18:20:30 <mtesauro> If you had a decent amount of cloud server spun up, you could have the "marketing" group manage one set, the "sales" group another... I would allow handing out cloud resources to be more like normal IT 18:21:00 <mtesauro> Same for any part of OpenStack 18:21:06 <bdpayne> so are you thinking of actually dividing up the physical compute nodes? 18:21:20 <bdpayne> or just providing better isolation between projects? 18:21:24 <noslzzp> my thinking is more along the infrastructure and enforcing/restricting certain interactions. 18:22:41 <bdpayne> noslzzp can you be more specific? 18:22:57 <noslzzp> maybe. 18:23:01 <bdpayne> heh 18:23:36 <mtesauro> I assume it would be isolation - I saw the RBAC thing at the last OpenStack and that type of thing was what popped into my mind 18:23:54 <noslzzp> For example, if the hypervisor was secured, we could use RBAC to verify that the scheduler is authorized to talk to it and what functions are allowed to be invoked. 18:24:27 <bdpayne> interesting 18:24:52 <bdpayne> noslzzp I think that bridges into some of the trusted compute pools work as well… certainly an area I like as well 18:25:03 <noslzzp> yes. 18:25:04 <bdpayne> anyway, this is all helpful 18:25:20 <bdpayne> I'll continue trying to form some thoughts here and figure out how to best more forward in this space 18:25:29 <bdpayne> as always, I'm open to suggestions / input 18:25:39 <bdpayne> I'll try to have something more concrete by next week 18:25:48 <bdpayne> #action bdpayne to continue work on rbac 18:25:57 <bdpayne> #topic final words 18:26:04 <bdpayne> any other thoughts for today? 18:26:13 <noslzzp> yes.. 18:26:26 <noslzzp> I'm interested in the documentation sprint idea.. 18:26:56 <noslzzp> Nothing more. :) 18:27:04 <bdpayne> ok, nice 18:27:11 <bdpayne> well, I'll explore that a bit more 18:27:22 <bdpayne> #action bdpayne to explore documentation sprint idea 18:27:28 <lglenden> there's a thread on the dev mailing list on key management that may be of interest 18:27:36 <lglenden> #link http://lists.openstack.org/pipermail/openstack-dev/2013-March/006425.html 18:27:39 <mtesauro> link? 18:27:42 <mtesauro> thanks 18:27:50 <bdpayne> indeed, thanks lglenden 18:28:01 <annegentle> bdpayne: I can talk a little bit about what it good to get the book sprint 18:28:18 <annegentle> er good/took 18:28:28 <bdpayne> annegentle thanks, I'll touch base via email 18:28:35 <annegentle> bdpayne: sounds good 18:29:00 <bdpayne> ok, thanks everyone… I think that's all for today 18:29:25 <noslzzp> thanks. 18:29:25 <bdpayne> #endmeeting