18:01:20 <bdpayne> #startmeeting OpenStack Security Group
18:01:21 <openstack> Meeting started Thu May  2 18:01:20 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:22 <jaypipes> bdpayne: go for it.
18:01:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:25 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:26 <mordred> jaypipes, afazekas: with lines 217-233 basically handled by the new script
18:01:32 <bdpayne> thanks, sorry that I jumped the gun there
18:01:37 <jaypipes> no worries.
18:01:55 <bdpayne> good morning OpenStack Security Group
18:02:01 <bdpayne> I believe we may have some new people here today
18:02:07 <bdpayne> let's start with a roll call
18:02:11 <bdpayne> Bryan Payne from Nebula here
18:03:10 <lglenden> Laura Glendenning from JHU/APL
18:03:28 <zzs> Zhesen Zhang from NTT i3 here
18:04:55 <bdpayne> ok, perhaps more will join as we go today
18:05:06 <bdpayne> welcome to zzs, I believe this is your first meeting with us
18:05:42 <bdpayne> let's start with an update on the hardening guide
18:05:45 <zzs> bdpayne: yes, very glad to join the meeting
18:05:54 <bdpayne> #topic Hardening Guide
18:05:59 <hartsocks> Shawn Hartsock from VMware is here BTW.
18:06:13 <bdpayne> ah, hi hartsocks
18:06:23 <mtesauro> Matt Tesauro from Rackspace is here
18:06:32 <bdpayne> so we were originally aiming for the first week in June for the hardening guide
18:06:43 <malini1> Malini Bhandaru from Intel. Greetings
18:06:49 <bdpayne> due to a conflict with the facilitator, we have shifted back to June 24-28
18:07:14 <bdpayne> that week is still tentative as we (re)lock in the physical location
18:07:20 <bdpayne> and work out a few more logistics
18:07:33 <bdpayne> but things are coming together
18:07:45 <bdpayne> if you'd like to be involved in that effort, please drop me a line
18:07:51 * hyakuhei is here now :)
18:07:55 <bdpayne> we might have another slot or two still available
18:08:20 <bdpayne> basically, the commitment would be to fly out to the Maryland / DC area for the full week and write lots of words :-)
18:08:39 <bdpayne> also… does anyone know of an illustrator that might be interested in helping?
18:09:24 <bdpayne> well, if a name comes to mind, please let me know
18:09:24 <hyakuhei> Is there a role for someone east of the Atlantic to do editing/proofing/commenting while the guys working on the guide recharge overnight in the States?
18:09:44 <bdpayne> possibly
18:09:50 <bdpayne> I can check with the facilitator on that one
18:10:00 <hyakuhei> Might be a clunky idea, just throwing it out there.
18:10:28 <bdpayne> the other person we'd love to find is an exemplar user for the guide… who can proof it, and help us understand the right tone / level of detail / etc
18:10:52 <bdpayne> in this case, this would be someone deploying openstack that is not a security export
18:10:58 <bdpayne> s/export/expert
18:11:08 <hyakuhei> Heh, that one guy OpenStack is just right for.... I think that'll be a struggle
18:11:37 <bdpayne> any other questions / comments on the guide?
18:12:14 <malini1> to be a writer, what qualifications does one need (other than flying out to MD)
18:12:48 <malini1> and "deep" openstack project knowledge or just general security
18:12:51 <bdpayne> I'm looking for a mix of security experts and openstack experts
18:12:54 <hyakuhei> Obviously a good standard of written English is essential. As is broad experience securing or deploying OpenStack
18:12:58 <bdpayne> ideally people with both
18:13:20 <bdpayne> yeah, and the ability to write excellent English
18:13:39 <bdpayne> ideally with a demonstrated background (research papers, previous books, blog posts, etc)
18:14:12 <bdpayne> we're shooting for a group of 10-15 people
18:14:48 <bdpayne> ok, I'll push ahead
18:15:05 <bdpayne> #topic Core Project Improvements
18:15:27 <bdpayne> So I just wanted to let people know that Nebula has started down the path of putting lots of improvements into keystone
18:15:39 <bdpayne> security improvements, specifically
18:15:40 <hyakuhei> That's cool.
18:15:59 <bdpayne> Ideally, OSSG would have people focused on each of the core projects
18:16:02 <rellerreller> Do you have examples?
18:16:14 <hyakuhei> One of the suggestions I was going to make was that the OSSG start a review of 'security' tagged issues in LP without patches against them and where we can, attempt to patch
18:16:23 <bdpayne> rellerreller We have an embargoed bug report atm
18:16:44 <bdpayne> And a long queue to work through of issues that we are fixing and/or sending upstream
18:17:09 <bdpayne> Indeed
18:17:16 <bdpayne> there's two approaches to take here
18:17:25 <bdpayne> not mutually exclusive at all
18:17:35 <bdpayne> 1) Watch and address things tagged as security
18:17:59 <bdpayne> For this, OpenStack can now tag both bugs and pull requests with a security impact tag
18:18:17 <bdpayne> OSSG members should be watching for this (notification comes to the openstack-security list)
18:18:27 <bdpayne> And actively reviewing, fixing, improving
18:18:40 <hyakuhei> ^ Which is already happening to some extent
18:18:42 <uvirtbot> hyakuhei: Error: "Which" is not a valid command.
18:18:52 <bdpayne> heh
18:18:57 <bdpayne> yes, it is
18:19:06 <bdpayne> but we could always use more eyes and hands there
18:19:24 <hyakuhei> Absolutely, consider my interruption a '+1' :P
18:19:28 <bdpayne> 2) Get a team of people to focus on reviewing and improving code in the core projects
18:19:45 <bdpayne> (I was just laughing at the bot)
18:19:57 <bdpayne> this is what Nebula is now doing with Keystone
18:20:20 <bdpayne> I would encourage other people here that have security teams to coordinate by picking another core project and doing the same
18:20:57 <bdpayne> What do you guys think… anyone here doing (1) or (2) already, or willing to start helping?
18:21:00 <hyakuhei> I think that's a good idea. I've been reasonably involved in some Nova stuff recently but would need to engage with our tech leads to work out where we can help
18:22:05 <malini1> I have been reviewing code, and am closely involved with key-manager, the interest there stemming from supporting object/volume encryption
18:22:36 <bdpayne> sounds good
18:22:37 <hyakuhei> Sounds like a volunteer for Swift _and_ Cinder
18:22:40 <hyakuhei> :)
18:22:41 <malini1> the key manager can hold certificates, which would support encrypted rpc communication
18:23:03 <hyakuhei> Heh, so encrypted RPC is a whole other (messy) conversation
18:23:05 <malini1> secure rpc came up at the last design summit
18:23:10 <hyakuhei> a lots
18:23:20 <hyakuhei> s/lots/lot
18:23:27 <bdpayne> hartsocks Would VMware be able to support such reviews on the project formerly known as Quantum?
18:23:27 <malini1> :-) yes, messy
18:24:29 <bdpayne> ok, we can move forward… let's discuss the RPC and key manager stuff… and anything else going on right now
18:24:34 <bdpayne> #topic Open Discussion
18:24:46 <bdpayne> malini1 any updates on the key manager work?
18:25:04 <hyakuhei> I'm very concerned by the lack of attestation being discussed in any of the RPC conversations
18:25:53 <malini1> we are going with Rackspace's cloudkeep project, "barbican"
18:26:05 <malini1> more detailed blueprints have been developed
18:26:12 <hyakuhei> Lots of discussion regarding signing or encryption but little on how to ensure that the correct keys/certs are shared with the right parties.
18:26:15 <rellerreller> They released an API today
18:26:21 <hyakuhei> That's exciting
18:26:48 <bdpayne> API for?
18:26:51 <rellerreller> I believe it is on their wiki page, but I have not seen it yet.  I just saw an email about it.
18:26:58 <rellerreller> The CloudKeep API
18:27:03 <malini1> JHU-APL (Johns Hopkins Applied Physics Lab) folks are working on volume encryption, so first partners for integration
18:27:05 <bdpayne> ah, ok
18:27:38 <bdpayne> so is the key manager stuff moving forward nicely?  or is further help needed from OSSG?
18:28:02 <rellerreller> I feel like the JHUAPL side is moving along nicely
18:28:09 <malini1> first pass, ability to save a secret and retrieve it, access control via keystone
18:28:16 <malini1> this is symmetric keys
18:29:09 <malini1> I would say key manager stuff moving along nicely, goal is to have enough to support volume encryption by July 18
18:29:23 <bdpayne> ok, would love to stay posted here on the progress… I suspect lots of people are eager to use this functionality
18:29:35 <malini1> that date is to apply for incubation and be part of a couple of H releases to qualify
18:29:51 <bdpayne> hyakuhei anything needed from the group on the RPC discussions?  beyond what you mentioned above?
18:30:13 <malini1> Rackspace has committed quite a few people and we have daily status meetings 10-30 mins long
18:30:17 <malini1> there is action
18:30:23 <bdpayne> great!
18:30:44 <hyakuhei> I'd like it if some of the APL folks could weigh in on the RPC stuff
18:31:00 <hyakuhei> There's some big picture elements that are getting missed right now I think
18:31:17 <lglenden> I'll pull together some comments from people here
18:31:34 <malini1> Let us bring in the APL folks, Lawrence in particular; to meet NSA needs they want all communication between endpoints secure
18:31:35 <bdpayne> excellent, thanks
18:31:41 <malini1> else man in the middle
18:32:03 <bdpayne> ok, anything else for today?
18:32:14 <bdpayne> we're already a touch over time ;-)
18:32:32 <bdpayne> ok, thanks everyone!
18:32:37 <bdpayne> #endmeeting