18:00:05 <bdpayne> #startmeeting OpenStack Security Group
18:00:06 <openstack> Meeting started Thu Jan 16 18:00:05 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:09 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:20 <bdpayne> Greetings everyone
18:00:23 <bknudson> hi
18:00:24 <bdpayne> #topic Rollcall
18:00:24 <hyakuhei> I'm here but I'm currently in a voice meeting.
18:00:46 <bdpayne> who else is joining today?
18:01:14 <nkinder> o/
18:01:45 <bdpayne> ok, sounds good
18:01:56 <bdpayne> let's start by reviewing action items from last week
18:02:01 <bdpayne> #topic Action Items
18:02:06 <paulmo> Paul Montgomery is here
18:02:25 <bdpayne> Anyone have anything to report back?
18:02:35 <bdpayne> List of action items is here: http://eavesdrop.openstack.org/meetings/openstack_security_group/2014/openstack_security_group.2014-01-09-18.02.html
18:02:42 <nkinder> I started an OSSN process wiki page
18:02:53 <malini1> Malini here
18:02:55 <paulmo> I edited the Solum security guidelines page to point to the OSSG guidelines.  I will remove the content from the Solum side completely when I get a chance. :)
18:03:11 <nkinder> https://wiki.openstack.org/wiki/Security/Security_Note_Process
18:03:12 <bdpayne> nkinder hyakuhei paulmo ewindisch malini1 All took on tasks last week
18:03:43 <bdpayne> paulmo sounds good
18:03:58 <malini1> nkinder: thank you for the process link
18:03:59 <malini> malini1: nice to meet you :D But I am getting out of here so folks don't get confused
18:04:13 <nkinder> There has been some discussion on-list about OSSN naming.
18:04:30 <malini1> malini: hah hah, would like to meet you in person
18:04:37 <hyakuhei> There has? How exciting!
18:04:49 <bdpayne> nkinder where does the naming discussion stand?
18:05:17 <nkinder> There are a few different views on naming...
18:05:21 <hyakuhei> Unresolved by the looks of things
18:05:37 <nkinder> There are concerns about confusion between OSSAs and OSSNs if we use a similar naming style
18:05:56 <nkinder> I was initially thinking of something like OSSN-2014-001
18:06:04 <malini1> nkinder: glad I am not the only confused entity
18:06:18 <nkinder> That looks similar to OSSA-2014-001 though.
18:06:23 <hyakuhei> nkinder: +1 on <date><issue>
18:06:30 <hyakuhei> So we _can_ do whatever we want...
18:06:39 <hyakuhei> but we should take the concerns of the VMT into account
18:07:01 <hyakuhei> There will be many more OSSNs than OSSAs, the OSSAs may get lots in the noise.
18:07:05 <hyakuhei> *lost
18:07:17 <hyakuhei> and they're arguably more important
18:07:34 <malini1> hyakuhei: good to have date stuff, but maybe expanding the "A" and "N" would be adequate?
18:07:36 <nkinder> Thierry is thinking of OSSNs as living docs that are more like knowledge base documents that will be updated over time, so he doesn't see a strong need for the name to refer to the date/order of publishing.
18:07:57 <nkinder> I can see both sides of it honestly.
18:08:05 <hyakuhei> A short handle is very useful
18:08:10 <bknudson> are OSSNs published like OSSAs are?
18:08:16 <hyakuhei> Yup
18:08:21 <bknudson> if they're living docs then that would be a wiki page or something.
18:08:28 <bknudson> or could be in git repo
18:08:32 <nkinder> We have them on the wiki too now.
18:08:52 <nkinder> I've outlined publishing in the process doc, but to summarize it's via e-mail lists and wiki.
18:09:14 <bknudson> if it's a living doc then are we going to send an email on every update?
18:09:25 <nkinder> Right now, naming is just the launchpad #.
18:09:36 <hyakuhei> I suggest we continue to discuss this on the email thread
18:09:40 <bdpayne> my take is that the particulars of the numbering scheme is not too important, but it is important that we have a consistent numbering scheme to easily refer to these things
18:09:43 <nkinder> hyakuhei: +1
18:09:44 <hyakuhei> as the VMT have some stakeholderyness
18:09:49 <hyakuhei> and aren't here
18:09:51 <nkinder> bdpayne: +1 also :)
18:09:54 <bdpayne> yeah, email thread discussion sounds good
18:09:59 <bdpayne> appreciate the update here
18:10:09 <bdpayne> any other updates on action items from last week?
18:10:16 <nkinder> One other action item of mine was to wrap up the keystone OSSN
18:10:22 <hyakuhei> I've done 2 of the guidelines, will try to do a lot more this week
18:10:31 <hyakuhei> nkinder: I dropped some comments on your ossn last night
18:10:35 <ewindisch> bdpayne: no - not yet :(
18:10:39 <nkinder> It's reviewed by dolph and hyakuhei, but there was one response I wanted hyakuhei to see.
18:11:07 <bdpayne> ok, sounds good
18:11:12 <nkinder> hyakuhei: ..so the "in Apache" vs. "behind Apache" comment...
18:11:28 <nkinder> I think "in Apache" is correct since Keystone is run via mod_wsgi.
18:11:31 <bdpayne> ewindisch we should probably plan something soonish to get it in before the next summit
18:11:46 <hyakuhei> I'm happy for you to write it either way, just wanted to point it out and make sure you were happy.
18:11:57 <nkinder> bknudson should be able to weigh in since he's on the keystone team.
18:12:07 <hyakuhei> because later it's referred to as an external entity but yeah, happy either way :)
18:12:11 <bknudson> you can do remote user even without apache, by putting middleware in the paste pipeline.
18:12:15 <ewindisch> bdpayne: I agree. I've been sorting out my travel plans this week. Until that was settled, it was hard for me to figure out a schedule.
18:12:28 <malini1> My AR was to review some OSSNs, get my feet wet. I checked out #1227575 -- group deletion deletes all user tokens associated with group and looked at the noVNC advisory
18:12:42 <bdpayne> ewindisch yeah, no pressure, just an observation :-)
18:12:48 <malini1> will look at nkinder process doc and see what next
18:12:49 <bknudson> I prefer "in Apache" rather than "behind Apache" ... people might think you're using Apache as a proxy.
18:13:01 <nkinder> bknudson: ok, then I'll add "such as running in Apache" to serve as an example
18:13:12 <nkinder> I'll get this published today then.
18:13:27 <nkinder> malini1: thanks!
18:13:37 <ewindisch> bdpayne: TBH, March works best for me, although it's fairly late.
18:14:08 <bdpayne> March could be ok
18:14:15 <bdpayne> if it's planned in advance
18:14:25 <bdpayne> I just don't want to be planning it in March
18:14:32 <ewindisch> bdpayne: obviously.
18:14:45 <bdpayne> ok, so topics of discussion for today?
18:14:50 <nkinder> hyakuhei: What about your action item to set up a discussion around security review process for ironic?
18:15:02 <hyakuhei> nkinder: pending...
18:15:04 <nkinder> ok
18:15:27 <nkinder> bdpayne: What about summit talks out of our group?  Submissions are open until 2/14.
18:15:29 <bdpayne> #topcis Today's Agenda
18:15:44 <bdpayne> summit talks... good topic
18:15:48 <bdpayne> anything else?
18:16:20 <nkinder> I wanted to check in on the noVNC OSSN status, but sriram isn't here.
18:16:36 <nkinder> It would be nice to wrap it up.
18:16:47 <bdpayne> yeah, there's a few things I'd like to get updates on but people are missing
18:17:03 <bdpayne> I'll try to ping people during the week to ensure that they come to the next meeting so we can get updates
18:17:22 <malini1> bdpayne: months back we had glossary infrastructure set up for the security guide book, need to weave in references to glossary in the text
18:17:25 <bdpayne> #action bdpayne to encourage people working on OSSG tasks to attend the next meeting for updates
18:17:46 <bdpayne> malini1 Yes that should be coordinated with the book editors
18:18:02 <bdpayne> @topic Summit Talks
18:18:09 <bdpayne> #topic Summit Talks
18:18:17 * bdpayne is having typing issues today
18:18:32 <bdpayne> Anyone planning to submit a talk to the summit?
18:18:43 <malini1> noVNC had some rtaction for back porting, restricting number of connections, and there was one wrinkle, where conn count would not work
18:18:45 <hyakuhei> Yes, no real idea what
18:18:51 <hyakuhei> Some OSSG talk would be good
18:18:58 <bdpayne> http://www.openstack.org/summit/openstack-summit-atlanta-2014/call-for-speakers/
18:19:29 <bdpayne> Do we have any insight into if the selection process will be like in the past?
18:19:32 <bdpayne> Community voting and such?
18:19:33 <hyakuhei> So anyone who's happy that security is back on the agenda, feel free to send scotch
18:19:36 <ewindisch> bdpayne: pretty early yet, but at least planning one around docker, considering they foot my bills ;-)
18:19:39 <hyakuhei> bdpayne: should be
18:19:52 <ewindisch> Probably "Best Practices for Docker on OpenStack" -- which would include things like securing the registry
18:20:04 <hyakuhei> bdpayne: It'd be good if we got this security review done and present on that
18:20:07 <ewindisch> otherwise, still TBD
18:20:16 <bdpayne> +1 to a talk on the security review
18:20:17 <nkinder> hyakuhei: That's a good idea.
18:20:38 <bdpayne> I also like the idea of trying for an OSSG update talk again...
18:20:47 <bdpayne> Nice to share with the community what's going on
18:21:26 <bdpayne> so let's push ahead with the Ironic review hyakuhei and then we can think about a talk submission once we have more meat
18:21:40 <bdpayne> as for the OSSG talk submission, who'd like to help me with that?
18:21:41 <hyakuhei> bdpayne: +1 for an OSSG talk
18:21:46 <hyakuhei> :)
18:21:55 <bdpayne> we could potentially do a small panel too
18:21:59 <nkinder> bdpayne: I can help with a basic OSSG update submission
18:22:03 <bdpayne> as in, the OSSG talk could be a panel
18:22:14 <nkinder> I like the panel approach
18:22:22 <malini1> bdpayne how about covering issues OSSG spotted, i saw you had input on the key manager
18:22:58 <hyakuhei> I'm submitting a historical review of OpenStack Security
18:23:12 <hyakuhei> Going through all the OSSNs, OSSAs and the stuff that happened before OSSA was a thing
18:23:21 <malini1> bdpayne: keystone folks go back and forth on the lifetime of their tokens, and i honestly do not understand why they have so many tokens floating around, why not one user, one token kind of thing, and how to memcache them
18:23:23 <hyakuhei> doing RCA in places and discussing how to move forward
18:23:46 <malini1> think we should understand issues and help it become secure and performant
18:24:01 <bdpayne> malini1 I agree, that's a rather big separate issue though
18:24:40 <bdpayne> #action bdpayne to coordinate with nkinder and hyakuhei for an OSSG talk and/or panel discussion
18:25:02 <bdpayne> I'm leaning towards doing something on the security issues specific to private clouds
18:25:12 <bdpayne> but... no guarantees on that just yet ;-)
18:25:24 <bdpayne> #topic Open Discussion
18:25:30 <bdpayne> ok that's all I have for today
18:25:35 <bdpayne> anything else on people's minds?
18:26:06 <malini1> bdpayne: mentioned keystone in the context of the keystone group delete, their revoke list etc hard because of number of tokens floating
18:26:42 <malini1> bdpayne: in my humble opinion panel on OSSG may not get traction
18:27:00 <bknudson> malini1: revocation list should be helped by https://blueprints.launchpad.net/keystone/+spec/revocation-events
18:27:10 <malini1> bdpayne: we may get ++ for bringing in some security best practice, even a focused aspect
18:27:10 <hyakuhei> malini1: it may not but we do have the security track back again this summit
18:27:35 <nkinder> malini1: I think it will depend on what we have in the submission
18:28:04 <hyakuhei> The more submissions the better btw
18:28:10 <bknudson> design summit discussions are typically best when they involve a decision to be made.
18:28:21 <hyakuhei> I lobbied hard for the security track to return, it'd be good to have plenty to choose from
18:28:47 <malini1> hyakuhei: nice to have security track back! nkinder: a talk on OSSNs and OSSAs and how to leverage them, generate them etc, educating the community
18:28:56 <bknudson> let's be FIPS 140-2 compliant
18:29:26 <bknudson> and NIST 800-131
18:29:40 <bdpayne_> sorry guys, I got disconnected
18:29:42 <bdpayne_> oh boy
18:30:33 <malini1> hyakuhei: will tickle my noodles and comme up with a talk, in appreciation of you winning the security track back
18:30:58 <malini1> bknudson: thank you, will dig in on the revoc evnt
18:31:20 <malini1> malini1 also having a bad type day
18:31:30 <bdpayne_> ok, that's all we have time for today
18:31:42 <bdpayne_> #endmeeting
18:31:47 <nkinder> Thanks all!
18:31:56 <bknudson> thanks
18:33:31 <bdpayne> #endmeeting