18:00:05 <bdpayne> #startmeeting OpenStack Security Group
18:00:06 <openstack> Meeting started Thu Jan 16 18:00:05 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:09 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:20 <bdpayne> Greetings everyone
18:00:23 <bknudson> hi
18:00:24 <bdpayne> #topic Rollcall
18:00:24 <hyakuhei> I'm here but I'm currently in a voice meeting.
18:00:46 <bdpayne> who else is joining today?
18:01:14 <nkinder> o/
18:01:45 <bdpayne> ok, sounds good
18:01:56 <bdpayne> let's start by reviewing action items from last week
18:02:01 <bdpayne> #topic Action Items
18:02:06 <paulmo> Paul Montgomery is here
18:02:25 <bdpayne> Anyone have anything to report back?
18:02:35 <bdpayne> List of action items is here: http://eavesdrop.openstack.org/meetings/openstack_security_group/2014/openstack_security_group.2014-01-09-18.02.html
18:02:42 <nkinder> I started an OSSN process wiki page
18:02:53 <malini1> Malini here
18:02:55 <paulmo> I edited the Solum security guidelines page to point to the OSSG guidelines. I will remove the content from the Solum side completely when I get a chance. :)
18:03:11 <nkinder> https://wiki.openstack.org/wiki/Security/Security_Note_Process
18:03:12 <bdpayne> nkinder hyakuhei paulmo ewindisch malini1 All took on tasks last week
18:03:43 <bdpayne> paulmo sounds good
18:03:58 <malini1> nkinder: thank you for the process link
18:03:59 <malini> malini1: nice to meet you :D But I am getting out of here so folks don't get confused
18:04:13 <nkinder> There has been some discussion on-list about OSSN naming.
18:04:30 <malini1> malini: hah hah, would like to meet you in person
18:04:37 <hyakuhei> There has? How exciting!
18:04:49 <bdpayne> nkinder where does the naming discussion stand?
18:05:17 <nkinder> There are a few different views on naming...
18:05:21 <hyakuhei> Unresolved by the looks of things
18:05:37 <nkinder> There are concerns about confusion between OSSAs and OSSNs if we use a similar naming style
18:05:56 <nkinder> I was initially thinking of something like OSSN-2014-001
18:06:04 <malini1> nkinder: glad I am not the only confused entity
18:06:18 <nkinder> That looks similar to OSSA-2014-001 though.
18:06:23 <hyakuhei> nkinder: +1 on <date><issue>
18:06:30 <hyakuhei> So we _can_ do whatever we want...
18:06:39 <hyakuhei> but we should take the concerns of the VMT into account
18:07:01 <hyakuhei> There will be many more OSSNs than OSSAs, the OSSAs may get lots in the noise.
18:07:05 <hyakuhei> *lost
18:07:17 <hyakuhei> and they're arguably more important
18:07:34 <malini1> hyakuhei: good to have date stuff, but may be expanding the "A" and "N" would be adequate?
18:07:36 <nkinder> Thierry is thinking of OSSNs as living docs that are more like knowledge base documents that will be updated over time, so he doesn't see a strong need for the name to refer to the date/order of publishing.
18:07:57 <nkinder> I can see both sides of it honestly.
18:08:05 <hyakuhei> A short handle is very useful
18:08:10 <bknudson> are OSSNs published like OSSAs are?
18:08:16 <hyakuhei> Yup
18:08:21 <bknudson> if they're living docs then that would be a wiki page or something.
18:08:28 <bknudson> or could be in git repo
18:08:32 <nkinder> We have them on the wiki too now.
18:08:52 <nkinder> I've outlined publishing in the process doc, but to summarize it's via e-mail lists and wiki.
18:09:14 <bknudson> if it's a living doc then are we going to send an email on every update?
18:09:25 <nkinder> Right now, naming is just the launchpad #.
18:09:36 <hyakuhei> I suggest we continue to discuss this on the email thread
18:09:40 <bdpayne> my take is that the particulars of the numbering scheme is not too important, but it is important that we have a consistent numbering scheme to easily refer to these things
18:09:43 <nkinder> hyakuhei: +1
18:09:44 <hyakuhei> as the VMT have some stakeholderyness
18:09:49 <hyakuhei> and aren't here
18:09:51 <nkinder> bdpayne: +1 also :)
18:09:54 <bdpayne> yeah, email thread discussion sounds good
18:09:59 <bdpayne> appreciate the update here
18:10:09 <bdpayne> any other updates on action items from last week?
18:10:16 <nkinder> One other action item of mine was to wrap up the keystone OSSN
18:10:22 <hyakuhei> I've done 2 of the guidelines, will try to do a lot more this week
18:10:31 <hyakuhei> nkinder: I dropped some comments on your ossn last night
18:10:35 <ewindisch> bdpayne: no - not yet :(
18:10:39 <nkinder> It's reviewed by dolph and hyakuhei, but there was one response I wanted hyakuhei to see.
18:11:07 <bdpayne> ok, sounds good
18:11:12 <nkinder> hyakuhei: ..so the "in Apache" vs. "behind Apache" comment...
18:11:28 <nkinder> I think "in Apache" is correct since Keystone is run via mod_wsgi.
18:11:31 <bdpayne> ewindisch we should probably plan something soonish to get it in before the next summit
18:11:46 <hyakuhei> I'm happy for you to write it either way, just wanted to point it out and make sure you were happy.
18:11:57 <nkinder> bknudson should be able to weigh in since he's on the keystone team.
18:12:07 <hyakuhei> because later it's referred to as an external entity but yeah, happy either way :)
18:12:11 <bknudson> you can do remote user even without apache, by putting middleware in the paste pipeline.
18:12:15 <ewindisch> bdpayne: I agree. I've been sorting out my travel plans this week. Until that was settled, it was hard for me to figure out a schedule.
18:12:28 <malini1> My AR was to review some OSSNs, get my feet wet. I checked out #1227575 -- group deletion deletes all user tokens associated with group and looked at the noVNC advisory
18:12:42 <bdpayne> ewindisch yeah, no pressure, just an observation :-)
18:12:48 <malini1> will look at nkinder process doc and see what next
18:12:49 <bknudson> I prefer "in Apache" rather than "behind Apache" ... people might think you're using Apache as a proxy.
18:13:01 <nkinder> bknudson: ok, then I'll add "such as running in Apache" to serve as an example
18:13:12 <nkinder> I'll get this published today then.
18:13:27 <nkinder> malini1: thanks!
18:13:37 <ewindisch> bdpayne: TBH, March works best for me, although it's fairly late.
18:14:08 <bdpayne> March could be ok
18:14:15 <bdpayne> if it's planned in advance
18:14:25 <bdpayne> I just don't want to be planning it in March
18:14:32 <ewindisch> bdpayne: obviously.
18:14:45 <bdpayne> ok, so topics of discussion for today?
18:14:50 <nkinder> hyakuhei: What about your action item to set up a discussion around security review process for ironic?
18:15:02 <hyakuhei> nkinder: pending...
18:15:04 <nkinder> ok
18:15:27 <nkinder> bdpayne: What about summit talks out of our group? Submissions are open until 2/14.
18:15:29 <bdpayne> #topcis Today's Agenda
18:15:44 <bdpayne> summit talks... good topic
18:15:48 <bdpayne> anything else?
18:16:20 <nkinder> I wanted to check in on the noVNC OSSN status, but sriram isn't here.
18:16:36 <nkinder> It would be nice to wrap it up.
18:16:47 <bdpayne> yeah, there's a few things I'd like to get updates on but people are missing
18:17:03 <bdpayne> I'll try to ping people during the week to ensure that they come to the next meeting so we can get updates
18:17:22 <malini1> bdpayne: months back we had glossary infrastructure set up for the security guide book, need to weave in references to glossary in the text
18:17:25 <bdpayne> #action bdpayne to encourage people working on OSSG tasks to attend the next meeting for updates
18:17:46 <bdpayne> malini1 Yes that should be coordinated with the book editors
18:18:02 <bdpayne> @topic Summit Talks
18:18:09 <bdpayne> #topic Summit Talks
18:18:17 * bdpayne is having typing issues today
18:18:32 <bdpayne> Anyone planning to submit a talk to the summit?
18:18:43 <malini1> noVNC had some traction for back porting, restricting number of connections, and there was one wrinkle, where conn count would not work
18:18:45 <hyakuhei> Yes, no real idea what
18:18:51 <hyakuhei> Some OSSG talk would be good
18:18:58 <bdpayne> http://www.openstack.org/summit/openstack-summit-atlanta-2014/call-for-speakers/
18:19:29 <bdpayne> Do we have any insight into if the selection process will be like in the past?
18:19:32 <bdpayne> Community voting and such?
18:19:33 <hyakuhei> So anyone who's happy that security is back on the agenda, feel free to send scotch
18:19:36 <ewindisch> bdpayne: pretty early yet, but at least planning one around docker, considering they foot my bills ;-)
18:19:39 <hyakuhei> bdpayne: should be
18:19:52 <ewindisch> Probably "Best Practices for Docker on OpenStack" -- which would include things like securing the registry
18:20:04 <hyakuhei> bdpayne: It'd be good if we got this security review done and present on that
18:20:07 <ewindisch> otherwise, still TBD
18:20:16 <bdpayne> +1 to a talk on the security review
18:20:17 <nkinder> hyakuhei: That's a good idea.
18:20:38 <bdpayne> I also like the idea of trying for an OSSG update talk again...
18:20:47 <bdpayne> Nice to share with the community what's going on
18:21:26 <bdpayne> so let's push ahead with the Ironic review hyakuhei and then we can think about a talk submission once we have more meat
18:21:40 <bdpayne> as for the OSSG talk submission, who'd like to help me with that?
18:21:41 <hyakuhei> bdpayne: +1 for an OSSG talk
18:21:46 <hyakuhei> :)
18:21:55 <bdpayne> we could potentially do a small panel too
18:21:59 <nkinder> bdpayne: I can help with a basic OSSG update submission
18:22:03 <bdpayne> as in, the OSSG talk could be a panel
18:22:14 <nkinder> I like the panel approach
18:22:22 <malini1> bdpayne how about covering issues OSSG spotted, i saw you had input on the key manager
18:22:58 <hyakuhei> I'm submitting a historical review of OpenStack Security
18:23:12 <hyakuhei> Going through all the OSSNs, OSSAs and the stuff that happened before OSSA was a thing
18:23:21 <malini1> bdpayne: keystone folks go back and forth on the lifetime of their tokens, and i honestly do not understand why they have so many tokens floating around, why not one user, one token kind of thing, and how to memcache them
18:23:23 <hyakuhei> doing RCA in places and discussing how to move forward
18:23:46 <malini1> think we should understand issues and help it become secure and performant
18:24:01 <bdpayne> malini1 I agree, that's a rather big separate issue though
18:24:40 <bdpayne> #action bdpayne to coordinate with nkinder and hyakuhei for an OSSG talk and/or panel discussion
18:25:02 <bdpayne> I'm leaning towards doing something on the security issues specific to private clouds
18:25:12 <bdpayne> but... no guarantees on that just yet ;-)
18:25:24 <bdpayne> #topic Open Discussion
18:25:30 <bdpayne> ok that's all I have for today
18:25:35 <bdpayne> anything else on people's minds?
18:26:06 <malini1> bdpayne: mentioned keystone in the context of the keystone group delete, their revoke list etc hard because of number of tokens floating
18:26:42 <malini1> bdpayne: in my humble opinion panel on OSSG may not get traction
18:27:00 <bknudson> malini1: revocation list should be helped by https://blueprints.launchpad.net/keystone/+spec/revocation-events
18:27:10 <malini1> bdpayne: we may get ++ for bringing in some security best practice, even a focused aspect
18:27:10 <hyakuhei> malini1: it may not but we do have the security track back again this summit
18:27:35 <nkinder> malini1: I think it will depend on what we have in the submission
18:28:04 <hyakuhei> The more submissions the better btw
18:28:10 <bknudson> design summit discussions are typically best when they involve a decision to be made.
18:28:21 <hyakuhei> I lobbied hard for the security track to return, it'd be good to have plenty to choose from
18:28:47 <malini1> hyakuhei: nice to have security track back! nkinder: a talk on OSSNs and OSSAs and how to leverage them, generate them etc, educating the community
18:28:56 <bknudson> let's be FIPS 140-2 compliant
18:29:26 <bknudson> and NIST 800-131
18:29:40 <bdpayne_> sorry guys, I got disconnected
18:29:42 <bdpayne_> oh boy
18:30:33 <malini1> hyakuhei: will tickle my noodles and come up with a talk, in appreciation of you winning the security track back
18:30:58 <malini1> bknudson: thank you, will dig in on the revoc evnt
18:31:20 <malini1> malini1 also having a bad type day
18:31:30 <bdpayne_> ok, that's all we have time for today
18:31:42 <bdpayne_> #endmeeting
18:31:47 <nkinder> Thanks all!
18:31:56 <bknudson> thanks
18:33:31 <bdpayne> #endmeeting