18:00:39 <bdpayne> #startmeeting OpenStack Security Group
18:00:39 <openstack> Meeting started Thu Apr 24 18:00:39 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:40 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:43 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:47 <bdpayne> greetings everyone
18:00:51 <ScottCarlsonPP> Hello
18:00:54 <bknudson> bdpayne: hi
18:01:01 <bdpayne> #topic Rollcall
18:01:03 <shohel02> hi
18:01:07 <nkinder> hi all
18:01:07 <bknudson> hi
18:01:08 <paulmo> Paul Montgomery
18:01:08 <torandu> part
18:01:09 <malini1> hello!
18:01:22 <ScottCarlsonPP> Scott @ PayPal
18:01:23 * hyakuhei here :D
18:01:32 <hyakuhei> Hey malini1 !
18:01:47 <bdpayne> hi everyone, thanks for joining today
18:01:48 <jasonhullinger> and here
18:01:51 <bdpayne> #topic Agenda
18:02:04 <bdpayne> Anything that people would like to add to the agenda today?
18:02:04 <hgedikli> here
18:02:12 <chair6> howdy
18:02:13 <natedmac> her
18:02:15 <natedmac> here*
18:02:38 <hyakuhei> Busy one today. I don't have much to update - other than I'm working on an update to the guide
18:02:57 <bdpayne> I can provide a brief status update on the book
18:02:57 <hyakuhei> Has anything happened in the threat analysis this week?
18:03:07 <shohel02> yes,
18:03:22 <bdpayne> ok, so we can talk about the threat analysis work too
18:03:28 <shohel02> we had a new template, not much outside
18:03:35 <bdpayne> and we should do a review of open OSSNs
18:03:51 <bdpayne> anything else?
18:03:57 <CristianF> Hi Everybody
18:04:08 <bdpayne> ok, let's dive in
18:04:19 <bdpayne> #topic Book updates
18:04:32 <bdpayne> So I've started coordinating the book update efforts
18:04:44 <hyakuhei> Cool! Man it hurts to edit this xml.
18:04:44 <bdpayne> Right now I'm taking a little time to assess what needs to happen
18:04:56 <bdpayne> If anyone has specific asks, please let me know
18:04:59 <bknudson> it shouldn't be painful to write docs
18:05:03 <bdpayne> either here, or just by email
18:05:08 <bknudson> is it the tool?
18:05:22 <bdpayne> The xml isn't bad... he just likes to complain ;-)
18:05:26 <hyakuhei> So there's probably a good tool to use but editing the files directly...
18:05:36 <hyakuhei> Hurts my (small) brain.
18:05:37 <bdpayne> it is all in docbook
18:05:40 <nkinder> ...speaking of XML, I do want to talk about OSSN format
18:05:46 <ScottCarlsonPP> @bdpayne we'd like to start to provide enterprise guidance around PCI and compliance, should we consider that part of the book or a separate white paperish thing.
18:05:48 <bdpayne> sure, we can talk OSSN in a few
18:06:11 <bdpayne> ScottCarlsonPP that would be a nice addition to the compliance section of the book
18:06:24 <malini1> bdpayne: need to make references to the glossary in the book text
18:06:36 <bdpayne> perhaps you can send me an email to coordinate moving ahead on that contribution?
18:07:00 <bdpayne> #action references the references in the book
18:07:00 <ScottCarlsonPP> bdpayne will do
18:07:27 <hyakuhei> ScottCarlsonPP: There's plenty that can be added to the existing compliance section too, especially around PCI
18:07:30 <bdpayne> #action ScottCarlsonPP to contact bdpayne about compliance updates in the book (PCI and enterprise compliance)
18:07:47 <bdpayne> #action bdpayne to review state of glossary and references in the book
18:08:10 <malini1> what is everyone's feeling around: http://summit.openstack.org/cfp/details/8, "signing messages" to improve security of the rpc
18:08:16 <bdpayne> hyakuhei did you mention you have a book update that you're working on?
18:08:34 <bdpayne> malini1 let's discuss that at the end
18:08:46 <bdpayne> I'd like to keep us focused on the current agenda item atm
18:09:10 <malini1> :-) yes
18:09:12 <hyakuhei> yeah just this https://bugs.launchpad.net/openstack-manuals/+bug/1311204
18:09:13 <uvirtbot> Launchpad bug 1311204 in openstack-manuals "Security Guide should discuss KSM impact" [High,Triaged]
18:09:39 <bdpayne> ah fantastic
18:09:46 <bdpayne> let me know when you are ready for reviews there
18:10:01 <hyakuhei> Will do, it'll need a few iterations of review, the writing is pretty crappy
18:10:01 <bdpayne> #action hyakuhei is working on https://bugs.launchpad.net/openstack-manuals/+bug/1311204
18:10:20 <bdpayne> np
18:10:25 <bdpayne> any other book discussion today?
18:10:36 <nkinder> my OSSN format stuff fits in with the book
18:10:45 <bdpayne> #topic Moving to OSSN
18:10:55 <bdpayne> ok, let's cover some OSSN stuff
18:11:05 <nkinder> I've been playing around with the best way to get the OSSNs to be published in an appendix of the book
18:11:32 <nkinder> This is going to require docbook XML, and that may just be the right format to write and commit them in
18:11:49 <bdpayne> perhaps
18:12:01 <bdpayne> certainly the easiest
18:12:06 <nkinder> There is a docbook "article" type, and I've manually converted one note to try it out
18:12:13 <nkinder> not the easiest for sure
18:12:14 <bdpayne> otherwise, we could translate from a slightly less structured format into docbook
18:12:21 <nkinder> ...but, we need to have ways to translate
18:12:38 <bdpayne> if we play it right, the docbook could then be converted into all of the formats that we need / want
18:12:38 <nkinder> we can use RST and translate to XML possibly too
18:12:39 <shohel02> nkinder: OSSN currently in markdown format, it should be easy to convert to docbook?
18:12:47 <bknudson> nkinder: can you post the docbook example somewhere?
18:12:54 <bknudson> e.g., gerrit
18:13:08 <bdpayne> http://johnmacfarlane.net/pandoc/
18:13:20 <bdpayne> ^^ converts from docbook to markdown and back again
18:13:21 <nkinder> bknudson: I haven't yet, but I can. I was still hashing through details with anne
18:13:39 <nkinder> bdpayne: ok, I'll take a look at that. I would prefer to edit in markdown or RST or something other than XML
18:13:56 <bdpayne> so I would say either switch to docbook or explore tools to automate the conversion from markdown... if the latter then we should validate that conversion using gerrit
18:14:04 <nkinder> the gate jobs can then ensure that they convert properly, and publishing can convert and publish
18:14:14 <bdpayne> nkinder, yes I agree and I think that sticking with markdown is a good idea
18:14:20 <bdpayne> exactly
18:14:44 <bdpayne> #action nkinder to explore conversion from markdown to docbook using the gate jobs
18:14:46 <nkinder> I'll continue to hash out the right docbook end result with anne, then will figure out how we can translate
18:14:52 <shohel02> that would be great
18:14:57 <bdpayne> so getting it in docbook is step1
18:15:07 <bdpayne> any thoughts on how to go from there to actually having it in the book appendix?
18:15:15 <nkinder> If we auto publish to the book, do we even need to publish on the wiki?
18:15:16 <shohel02> i am currently converting doc and xls to markdown format
18:15:37 <nkinder> bdpayne: well, that's part of what I'm discussing with Anne. There are ways to do an include, but we need to hash out the details.
18:15:39 <bdpayne> I think that putting it on the wiki is handy
18:16:00 <bdpayne> but we should balance that against the amount of manual work
18:16:03 <nkinder> but the docs are on the wiki too
18:16:11 <bdpayne> ideally, I'd like an approved OSSN to auto publish to all the right places
18:16:32 <malini1> +1 to also have on wiki instead of having to download full book
18:16:33 <nkinder> We would have to see what sort of auto wiki publishing is available. Next steps after the book.
18:16:37 <bdpayne> right but I'm not sure if people will look into the back of the book to find an OSSN
18:16:55 <nkinder> We still need to e-mail them out regardless
18:17:12 <bdpayne> #action nkinder to continue to explore right path for integration of OSSNs into book appendix
18:17:13 <bknudson> hopefully there's a docbook rendering to text
18:17:31 <bdpayne> we render to html and to pdf by default
18:17:40 <bdpayne> but docbook can render to lots of different formats
18:17:48 <nkinder> bknudson: or markdown to text if we write in markdown
18:17:57 <nkinder> ok, I have lots to explore here :)
18:18:01 <bdpayne> indeed
18:18:05 <bdpayne> thanks for taking this on nkinder
18:18:08 <nkinder> sure
18:18:16 <bdpayne> are there any open OSSNs at this point?
18:18:18 <hyakuhei> +1 - very useful
18:18:21 <nkinder> There are 2
18:18:39 <nkinder> one is owned by hyakuhei, the other has someone who was interested and then disappeared
18:18:42 <bdpayne> https://bugs.launchpad.net/ossn
18:19:01 <bdpayne> so which one needs an owner?
18:19:18 <nkinder> So one is up for grabs if anyone is interested - https://bugs.launchpad.net/ossn/+bug/1260679
18:19:21 <uvirtbot> Launchpad bug 1260679 in cinder "Multiple drivers set insecure file permissions" [High,In progress]
18:19:35 <nkinder> It's a pretty easy one I think
18:19:49 <nkinder> any takers?
18:20:08 <malini1> if easy, i shall take!
18:20:10 <bdpayne> is everyone familiar with what is involved here?
18:20:16 <bdpayne> ok, thanks malini1
18:20:24 <nkinder> malini: thanks!
18:20:30 <bdpayne> fwiw, writing an OSSN is pretty easy and we have gentle reviewers ;-)
18:20:36 <bdpayne> it's a great way to get involved
18:20:38 <hyakuhei> We could possibly do with a mini version of the 'GerritWorkflow' page
18:20:40 <malini1> :-)
18:20:50 <nkinder> malini1: I can help through the process if needed. Just let me know.
18:21:17 <bdpayne> #action malini1 to work on https://bugs.launchpad.net/ossn/+bug/1260679
18:21:18 <uvirtbot> Launchpad bug 1260679 in cinder "Multiple drivers set insecure file permissions" [High,In progress]
18:21:27 <malini1> thanks nkinder!
18:21:34 <bdpayne> ok anything else for OSSNs?
18:21:49 <bdpayne> #topic Threat analysis update
18:22:01 <bdpayne> shohel02 could you provide an update for us?
18:22:19 <shohel02> Yes, i have started to convert doc and XLS format to markdown format
18:22:40 <shohel02> we think it's an issue for reviewing and tracking
18:22:44 <bdpayne> excellent
18:22:52 <bdpayne> you may find that tool I linked earlier to be useful too
18:22:53 <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/Project_ThreatAnalysis_ComponentName_Number.md
18:23:00 <shohel02> here is some sample
18:23:15 <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/Formatted_Output/Keystone_ThreatAnalysis_TokenProvider_2.9.md
18:23:32 <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/Formatted_Output/Keystone_ThreatAnalysis_HighLevel.md
18:24:01 <bdpayne> excellent
18:24:16 <shohel02> Another thing is david, HP and our threat analysis involved people are planning to go through the threat process again
18:24:29 <shohel02> that would be good review
18:24:33 <bdpayne> sounds good
18:24:37 <bdpayne> any other next steps?
18:24:48 <bdpayne> or areas where you need help from the group?
18:25:02 <nkinder> bknudson: has anyone on the keystone core side been reviewing the threat analysis?
18:25:04 <shohel02> One of the steps is after markdown complete help is required from keystone developers
18:25:30 <nkinder> shohel02: just for review, or anything else in particular?
18:25:31 <bknudson> nkinder: I believe I mentioned the auth_token threat analysis at the keystone meeting once
18:25:32 <shohel02> here we need help
18:26:04 <shohel02> thanks..
18:26:15 <bdpayne> yeah, it would be great to get someone(s) from keystone core to be involved
18:26:22 <bdpayne> to make sure that the ideas are represented accurately
18:26:27 <shohel02> yes
18:26:32 <bdpayne> and to perhaps just open a communication channel
18:26:44 <nkinder> ok, so a review at first, but I expect that some proposed improvements can come out of the analysis as well
18:27:00 <shohel02> i think OSSG people can also review the threats and docs
18:27:02 <bknudson> I'm hoping things will settle down here soon so I can get more involved in security work
18:27:13 <bdpayne> yeah, and also to help keep the proposed improvements as things that are doable
18:27:17 <morganfainberg> bknudson, I'm in the same boat.
18:27:24 <nkinder> I think everyone is :)
18:27:30 <bdpayne> heh
18:27:40 <bdpayne> ok, thanks for the update shohel02
18:27:42 <nkinder> I can help review too since I've been developing more on keystone too
18:27:46 <bdpayne> anything else on threat analysis?
18:27:48 * morganfainberg is in-fact here, just quiet.
18:27:52 <shohel02> that's great
18:28:06 <shohel02> that's all
18:28:09 <bdpayne> #topic Open Discussion
18:28:20 <bdpayne> malini1 asked about http://summit.openstack.org/cfp/details/8
18:28:27 <bdpayne> perhaps we start there
18:28:36 <nkinder> I'm pretty familiar with that effort
18:28:42 <bdpayne> I know that this and related issues have come around at each summit for the past several
18:28:53 <nkinder> malini1: Was there something in particular you wanted to know?
18:29:00 <malini1> Earlier there was a kerberos like effort from Simo but this is lighter weight
18:29:33 <malini1> and in conjunction with us keeping certs in barbican, this is lighter weight
18:29:37 <bdpayne> at a high level, this sounds good but it is all in the details for stuff like this
18:29:46 <bdpayne> I'd like to attend this session and learn more
18:29:59 <hyakuhei> Kinda feels like PGP re-invented with x509
18:30:07 <hyakuhei> central registry etc.
18:30:12 <nkinder> here's some background...
18:30:26 <nkinder> The Kite project is the first step, which uses symmetric crypto
18:30:54 <nkinder> lots of low-level detail is here - https://wiki.openstack.org/wiki/MessageSecurity
18:31:05 <bknudson> is kite planned for juno?
18:31:23 <nkinder> bknudson: it's going into barbican, but my guess is that it will be at a POC level for Juno
18:31:24 <bknudson> going to be part of identity or barbican?
18:31:38 <nkinder> it will require changes on the oslo.messaging side to use it
18:31:58 <nkinder> it has some caveats for group messaging though, which is where PKI might help out
18:32:17 <nkinder> I covered this pretty well in the API doc for Kite/KDS
18:32:58 * bdpayne notes the time, but doesn't believe the meeting room is in use for another 30 min...
18:32:58 <nkinder> I have some slides and diagrams on how it works that might be of interest to folks too
18:33:20 <bdpayne> nkinder I'd certainly be interested
18:33:21 <bdpayne> :-)
18:33:29 <malini1> +1 for slides
18:33:30 <nkinder> ok, let me dig up the API doc
18:33:33 <bdpayne> perhaps you can send something out to the ML
18:33:37 <nkinder> will do
18:33:41 <hyakuhei> Yes please.
18:33:47 <shohel02> me too
18:33:48 <nkinder> warning that it's a lot of slides as it was made for an in-person preso
18:33:49 <bknudson> looked like the conference would have rooms for each project -- is there one for security?
18:33:57 <nkinder> so the diagrams are useful, but the words are sparse
18:34:00 <bdpayne> security won't have a room
18:34:10 <nkinder> who here is going to be at the summit?
18:34:10 <bdpayne> but we do have a session in the cross project room
18:34:12 <bknudson> hang out in identity room
18:34:26 <nkinder> Maybe I can present it to OSSG folks outside of a session
18:34:27 <bdpayne> I tend to hang out with Keystone and, these days, Barbican
18:34:37 <bdpayne> o/ I will be at the summit
18:34:41 <hyakuhei> nkinder: yeah something like that might work
18:34:43 <elo> I have a topic that I would like to bring up
18:34:53 * ScottCarlsonPP is at summit. doing a presentation PayPal and "is your cloud compliant"
18:35:01 <shohel02> will be in the summit
18:35:03 <bdpayne> elo go for it
18:35:16 <malini1> malini at summit too
18:35:26 <elo> are we aware of the open policy framework being worked on called Congress
18:35:37 <elo> I'll be at the Summit
18:35:38 <bdpayne> #action bdpayne to schedule an OSSG meetup at the summit
18:35:55 <bdpayne> I am not aware of Congress
18:36:37 <bdpayne> https://wiki.openstack.org/wiki/Congress
18:36:40 <elo> it's still in the early stage and some of the developers are trying to get people more involved to get it to incubation status
18:37:08 <elo> it is to provide policy as a service across different cloud services
18:37:16 <elo> https://wiki.openstack.org/wiki/Congress
18:37:29 <bdpayne> who is driving this effor?
18:37:35 <malini1> elo -- would that mean policy move out of keystone?
18:37:38 <bdpayne> s/effor/effort/
18:37:39 <elo> Peter Ballard
18:38:00 <nkinder> policy is sort of out of keystone AFAIK
18:38:16 <nkinder> keystone defines roles and policy for keystone, but everyone else has their own policy.json, right?
18:38:18 <shohel02> policy in OSLO
18:38:18 <bknudson> the policy code was moved to oslo
18:38:24 <elo> and a few other developers at VMware.. and a few other developers at other companies
18:38:30 <malini1> something coming up in barbican is control access at the level of each key on the basis of domain/project/user
18:38:36 <bknudson> every project has their own policy.json
18:39:02 <elo> it seems that policy is in each project and there isn't a common broker… we should look into this a little more
18:39:15 <elo> https://wiki.openstack.org/wiki/Congress
18:39:31 <nkinder> elo: it's an interesting effort, but it's going to take buy-in from all of the projects
18:39:34 <bdpayne> so is this for the control plane or for the guests?
18:39:51 <bdpayne> oh, and getting this stuff right is... hard
18:39:55 <nkinder> very
18:40:14 <nkinder> also, does every service have to go to congress to check policy every time?
18:40:35 <nkinder> if so, it becomes a bottleneck. So in comes caching, etc.
18:40:40 <ScottCarlsonPP> no, services have to send lobbyists to congress on their behalf.
18:40:45 <elo> LOL
18:41:04 <malini1> :-D
18:41:04 <bdpayne> ha
18:41:27 <elo> it's very open and flexible, so it really is how things are configured to leverage it…
18:41:34 <bdpayne> so, interesting project with lots of open questions
18:41:48 <bdpayne> could be interesting to chat to the people working with this at the summit
18:41:53 <elo> correct… i just want to make sure people are aware of it on this list.
18:41:57 <bdpayne> yeah, thanks
18:42:03 <elo> there will be an unconference on it I know
18:42:08 <bdpayne> ahh, handy
18:42:16 <nkinder> One more thing on the secure messaging topic. The API doc I mentioned is here - https://github.com/stackforge/kite/blob/master/doc/source/api/v1.rst
18:42:29 <ScottCarlsonPP> this sounds like something that needs to have terms defined very succinctly. there's a lot of definitions of this stuff out there. scares me a bit that implementation directives won't match between plugins
18:42:36 <nkinder> The beginning covers the use-case and how things work pretty well, so it's good reading if you want to know more about it.
18:42:51 <nkinder> ...of course I'm biased since I wrote a good chunk of it :)
18:44:31 <bdpayne> cool, I'll check it out
18:44:33 <CristianF> @nkinder there are several models in Congress: proactive, reactive, interactive, so once policies are set congress may act proactively, react to requests from other modules, or work on behalf of additional admin decisions
18:44:36 <bdpayne> any other business ?
18:44:42 <bknudson> is secure messaging more than using SSL for qpid/kombu/whatever?
18:45:03 <nkinder> bknudson: yes, absolutely
18:45:26 <nkinder> bknudson: SSL is for encrypting the communication with the broker
18:45:36 <nkinder> the broker can then read (and modify) the message contents
18:45:50 <nkinder> secure messaging means the sender encrypts/signs for the recipient(s)
18:46:03 <nkinder> the broker does not need to be trusted, and it can't tamper with the message contents
18:46:34 <nkinder> bknudson: I'll send out my slides. I have nice diagrams that show the difference between broker SSL/TLS and what Kite does
18:46:34 <bdpayne> let's take the PKI for messaging discussion to the mailing list
18:46:39 <hyakuhei> which of course means you need to know the current keys for the destination
18:46:48 <bdpayne> I think that it will be of broad interest
18:46:54 <bdpayne> and we should probably wrap things up here
18:46:59 <nkinder> hyakuhei: short lived tickets... That's where Kite comes in
18:47:05 <nkinder> ok, enough here. :)
18:47:05 <bknudson> nkinder: slides would be great. thanks
18:47:12 <bdpayne> thanks everyone
18:47:17 <nkinder> thanks all!
18:47:21 <bdpayne> #endmeeting