18:00:06 <bdpayne> #startmeeting OpenStack Security Group
18:00:07 <openstack> Meeting started Thu Mar  7 18:00:06 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:10 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:25 <bdpayne> good morning OSSG
18:01:17 <bdpayne> Unfortunately, I've been sick this past week and didn't make progress on my action items from last week
18:01:40 <bdpayne> So, I will take those as action items for next week… and hopefully actually get them done this time around
18:03:15 <bdpayne> are there OSSG people present?
18:03:24 <mtesauro> I'm not sure who else is here from OSSG but I posted a tool to help with API testing
18:03:30 <lglenden> I'm here
18:03:45 <bdpayne> excellent, good morning guys (and gals)
18:03:53 <rellerreller> I'm sort of here.  Attending two meetings at once.
18:04:05 <bdpayne> mtesauro can you tell us more about your tool?
18:04:37 <mtesauro> It's a simple wrapper for curl which allows you to put common arguments and API endpoints into a config so your curl commands are WAY shorter.
18:04:51 <mtesauro> +link https://github.com/mtesauro/jerry-curl
18:04:53 <estebang9> good morning from cansec
18:05:40 <mtesauro> there are pre-compiled binaries for Linux, OSX, FreeBSD and Windows at http://appseclive.org/apt/jerry-curl/
18:05:46 <mtesauro> 32 and 64 bit
18:05:48 <bdpayne> nifty… that looks nice
18:05:57 <bdpayne> you thinking of using that to stress test service endpoints?
18:06:17 <mtesauro> I find myself doing 1 off API calls and got tired of all that typing.
18:06:29 <bdpayne> ha, yeah I agree
18:06:30 <mtesauro> @stress-testing - you certainly could do that
18:06:38 <bdpayne> I'll pass this around… I know others that might like it
18:06:54 <mtesauro> Feel free to share as widely as you like
18:07:21 <bdpayne> estebang9 how is cansec?
18:07:56 <estebang9> good stuff. there will be some interesting cloud sec talks later (Oded).
18:08:15 <bdpayne> cool, perhaps you could give us a summary of the good stuff next week?
18:08:23 <noslzzp> I'm here.
18:08:25 <bdpayne> I bet that would be of general interest to the group here
18:08:33 <estebang9> definitely.
18:08:38 <bdpayne> great, thanks
18:09:12 <bdpayne> #action estebang9 to provide cansec summary to OSSG meeting on Mar 14
18:09:19 <estebang9> :)
18:09:24 <bdpayne> so, there's a few things worth discussing today
18:09:48 <bdpayne> I'm thinking hardening guide and rbac… anything else?
18:10:21 <bdpayne> #topic hardening guide
18:10:29 <bdpayne> this will be a brief topic today
18:10:38 <bdpayne> basically, I'm supposed to convert the guide to markdown
18:10:56 <bdpayne> I was curious if anyone could point me to a nice long doc written in markdown that I could use as a guide
18:11:12 <bdpayne> or, alternatively, if there's someone that would be interested in doing the conversion
18:11:40 <noslzzp> i can help with the conversion.
18:11:50 <bdpayne> noslzzp thanks
18:12:05 <bdpayne> the content in there right now is basically just following the (old) outline
18:12:15 <bdpayne> so perhaps a PR to move the repo to markdown with the new outline
18:12:22 <bdpayne> seems like the right next step
18:12:25 <noslzzp> Indeed.
18:12:43 <bdpayne> #action noslzzp to put up PR for converting guide to markdown
18:12:54 <bdpayne> btw, did you guys see http://docs.openstack.org/ops/ ?
18:13:04 <bdpayne> they wrote a book in 5 days
18:13:12 <noslzzp> Yes.
18:13:18 <noslzzp> What's our problem? :)
18:13:26 <bdpayne> heh, I know!
18:13:50 <bdpayne> this has actually motivated me a bit… I'm open to suggestions on how we might be able to move ahead like this
18:14:03 <bdpayne> or even if a full out documentation sprint effort would be useful here
18:14:59 <bdpayne> would people be interested in taking a week to travel somewhere and focus exclusively on this hardening guide during that time to basically knock out v1?
18:15:54 <bdpayne> I'll take the silence as a no
18:16:05 <bdpayne> but I remain open to creative ideas here :-)
18:16:17 <bdpayne> ok… I'd like to chat about rbac a little too
18:16:25 <bdpayne> #topic rbac
18:16:37 <bdpayne> Last week when I mentioned rbac, there seemed to be some interest
18:16:51 <bdpayne> I wanted to pick your brains a little more
18:17:04 <bdpayne> how do you imagine rbac in openstack being useful to you?
18:17:22 <bdpayne> I'd like to hear different takes to help define how we move forward here
18:18:38 <bdpayne> I work primarily with private clouds… and I'm interested in RBAC for allowing for a smoother integration between the cloud and the existing enterprise… for example putting controls on which users can get certain floating IPs or which users can launch certain images, etc
18:18:48 <bdpayne> what do you guys think about when you are thinking rbac?
18:20:17 <bdpayne> any thoughts?
18:20:30 <mtesauro> If you had a decent amount of cloud servers spun up, you could have the "marketing" group manage one set, the "sales" group another...  I would allow handing out cloud resources to be more like normal IT
18:21:00 <mtesauro> Same for any part of OpenStack
18:21:06 <bdpayne> so are you thinking of actually dividing up the physical compute nodes?
18:21:20 <bdpayne> or just providing better isolation between projects?
18:21:24 <noslzzp> my thinking is more along the infrastructure and enforcing/restricting certain interactions.
18:22:41 <bdpayne> noslzzp can you be more specific?
18:22:57 <noslzzp> maybe.
18:23:01 <bdpayne> heh
18:23:36 <mtesauro> I assume it would be isolation - I saw the RBAC thing at the last OpenStack and that type of thing was what popped into my mind
18:23:54 <noslzzp> For example, if the hypervisor was secured, we could use RBAC to verify that the scheduler is authorized to talk to it and what functions are allowed to be invoked.
18:24:27 <bdpayne> interesting
18:24:52 <bdpayne> noslzzp I think that bridges into some of the trusted compute pools work as well… certainly an area I like as well
18:25:03 <noslzzp> yes.
18:25:04 <bdpayne> anyway, this is all helpful
18:25:20 <bdpayne> I'll continue trying to form some thoughts here and figure out how to best move forward in this space
18:25:29 <bdpayne> as always, I'm open to suggestions / input
18:25:39 <bdpayne> I'll try to have something more concrete by next week
18:25:48 <bdpayne> #action bdpayne to continue work on rbac
18:25:57 <bdpayne> #topic final words
18:26:04 <bdpayne> any other thoughts for today?
18:26:13 <noslzzp> yes..
18:26:26 <noslzzp> I'm interested in the documentation sprint idea..
18:26:56 <noslzzp> Nothing more. :)
18:27:04 <bdpayne> ok, nice
18:27:11 <bdpayne> well, I'll explore that a bit more
18:27:22 <bdpayne> #action bdpayne to explore documentation sprint idea
18:27:28 <lglenden> there's a thread on the dev mailing list on key management that may be of interest
18:27:36 <lglenden> #link http://lists.openstack.org/pipermail/openstack-dev/2013-March/006425.html
18:27:39 <mtesauro> link?
18:27:42 <mtesauro> thanks
18:27:50 <bdpayne> indeed, thanks lglenden
18:28:01 <annegentle> bdpayne: I can talk a little bit about what it good to get the book sprint
18:28:18 <annegentle> er good/took
18:28:28 <bdpayne> annegentle thanks, I'll touch base via email
18:28:35 <annegentle> bdpayne: sounds good
18:29:00 <bdpayne> ok, thanks everyone… I think that's all for today
18:29:25 <noslzzp> thanks.
18:29:25 <bdpayne> #endmeeting